000036380 - Managing Amazon Web Service (AWS) accounts using the Access Fulfillment Express (AFX) AWS Connector in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jun 13, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036380
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.0 and above
IssueThe out of the box Amazon Web Services (AWS)  Connector in the RSA Identity Governance & Lifecycle Access Fulfillment  Express (AFX) module requires the Access Key ID and Secret Access Key for an AWS account.
AWS Connector settings

However, in a company, many employees may have an AWS account.  Common questions are:
  • To use the AWS Account and Group capabilities, do many AWS Connectors need to be created, one for each employee with an AWS account?
  • Does the AWS Connector support AWS Organizations?
  • Only one AWS Connector needs to be created.  This is because Amazon Web Services has an AWS account root user, that then creates an Administrator User.  This Administrator User can then be used for the Access Key ID and Secret Access Key in the AWS Connector Authentication Details (as above).  Any other AWS users the customer has, and any AWS Groups they have created, should be administered by the Administrator User.  These AWS Users and Groups can then be maintained by RSA Identity Governance & Lifecycle using the AWS Connector.  For more information on the AWS Admin User and Groups, please consult the following Amazon Web Services documentation:

  • With regards to AWS Organizations, the AWS Connector only maintains AWS Users, Groups and Policies; it does not maintain AWS Organizations.  Given that Amazon Web Services and AWS Organizations are a third-party service, RSA does not provide documentation on their use.
NotesPlease refer to the: RSA Identity Governance and Lifecycle Amazon AWS Connector Datasheet where it lists the following capabilities:


  • Create an Amazon AWS Account 
  • Delete an Amazon AWS Account 


  • Create an Amazon AWS Group 
  • Add an Amazon AWS account to a group 
  • Remove an Amazon AWS account from a group 
  • Delete an Amazon AWS Group 

Policy (aka, permissions) 

  • Remove a Policy Associated with an Amazon AWS Account 
  • Remove a Policy associated with an Amazon AWS group