Onboard AWS S3 in SailPoint File Access Manager

Date Posted:

29 Aug 2025

Category:

Security


Onboarding AWS S3 with SailPoint File Access Manager: Step-by-Step Guide

Introduction

SailPoint File Access Manager (FAM) enables organizations to track, analyze, and protect access to sensitive information stored on multiple platforms, including cloud storage such as AWS S3. To monitor and classify your S3 buckets, you must onboard AWS S3 correctly into FAM. Onboarding sets up the permissions, roles, and connections that let FAM read from your environment securely.

Prerequisites

  • Supported Software:

    • Latest ASP.NET Core 3.1.x Hosting Bundle installed on your host.

    • File Access Manager server installed and running.

  • AWS Permissions Configurations:

    • Decide if you will use an EC2 Instance Role (recommended) or a Dedicated IAM User.

  • AWS Account Access:

    • Administrative access to AWS Console for creating roles, users, and policies.

Onboarding Steps (EC2 Instance Method — Recommended)

  1. Create Assume Role Policy in AWS

    • Go to AWS IAM → Policies → Create policy.

    • Use the content from IdentityIQ_FileAccessManager_AssumeRolePolicy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/IdentityIQ_FileAccessManagerRole"
        }
    ]
}

  2. Create a Role for EC2

  • In AWS IAM → Roles → Create role → Choose EC2 as the trusted entity.

  • Attach the assume-role policy (FileAccessManager_AssumeRolePolicy) you created in step 1.

  • Name it (example): FileAccessManager_EC2_Role.

  3. Attach the Role to the EC2 Host

  • Attach the above IAM role to the EC2 instance running File Access Manager.

  4. In Each Target AWS Account (Organization)

  • Create S3 Read-Only Access Policy:
    Use the full permissions from IdentityIQ_FileAccessManager_S3IAMReadOnlyAccessPolicy.json as provided in the documentation.

  • Create FileAccessManagerRole:

    • In IAM → Roles → Create role.

    • Select “Another AWS Account” and enter the account ID of the managing account (the account that hosts the FAM EC2 instance).

    • Attach the S3 Read-Only Access Policy.

    • Name the role FileAccessManagerRole, making sure the name matches the role in the Resource ARN of the assume-role policy from step 1 (IdentityIQ_FileAccessManagerRole in the policy above); if the two names differ, the sts:AssumeRole call from the FAM host is denied.

  • Edit Trust Relationship:
    In the role's Trust Relationship, set the "Principal" to the EC2 instance role session:

"AWS": "arn:aws:iam::{EC2 instance account Id}:assumed-role/{EC2 instance role name}/{EC2 instance Id}"

Onboarding Using Dedicated IAM User

  1. Create an IAM Policy (AssumeRolePolicy) for the User
    Same as in the EC2 method, except that the principal in each target account's trust policy becomes "user/{FAM IAM User username}".

  2. Create IAM User

    • Grant programmatic access; this generates an Access Key and a Secret Access Key.

    • Attach AssumeRolePolicy.

  3. On Each Account:

    • Create S3 Read-Only Policy and Role (IdentityIQ_FileAccessManagerRole) as above.

    • Edit the trust policy principal to reference the FAM IAM User.

    • Save Access Key and Secret Key securely.
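As an added example (not SailPoint's or AWS's code), the following Python renders the two IAM documents used by both methods above, the assume-role policy on the FAM host and the trust policy on each target account's role, and checks that the role name the host is allowed to assume matches the role actually created in the target account. Account IDs, role names and the instance ID are constructed placeholders, and the EC2 principal string follows the format given in this guide.

```python
# Added example (not SailPoint's code): render the assume-role policy the FAM host
# needs and the trust policy each target account's role needs, then check that the
# two sides agree. Account IDs, role names and instance IDs below are placeholders.
import json, re

# Role name taken from the Resource ARN in IdentityIQ_FileAccessManager_AssumeRolePolicy.json
ROLE_NAME = "IdentityIQ_FileAccessManagerRole"

def assume_role_policy(role_name=ROLE_NAME):
    """Policy attached to the EC2 role or the dedicated IAM user on the FAM host."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::*:role/{role_name}"}]}

def trust_policy(principal_arn):
    """Trust relationship for the read-only role created in each target account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal_arn}, "Action": "sts:AssumeRole"}]}

def ec2_principal(account_id, role_name, instance_id):
    """Principal for the EC2 instance method, in the format the guide gives."""
    return f"arn:aws:iam::{account_id}:assumed-role/{role_name}/{instance_id}"

def user_principal(account_id, username):
    """Principal for the dedicated IAM user method."""
    return f"arn:aws:iam::{account_id}:user/{username}"

def target_role_name(policy):
    """Role name the FAM host may assume, parsed from the policy's Resource ARN."""
    resource = policy["Statement"][0]["Resource"]
    m = re.fullmatch(r"arn:aws:iam::(\*|\d{12}):role/([\w+=,.@-]+)", resource)
    if not m:
        raise ValueError(f"unexpected Resource ARN: {resource}")
    return m.group(2)

def check_chain(policy, created_role_name):
    """Return the problems found; an empty list means the chain is consistent."""
    problems = []
    actions = policy["Statement"][0]["Action"]
    if actions != "sts:AssumeRole" and actions != ["sts:AssumeRole"]:
        problems.append(f"assume-role policy grants more than sts:AssumeRole: {actions}")
    if target_role_name(policy) != created_role_name:  # mismatch makes AssumeRole fail
        problems.append(f"role {created_role_name!r} != policy Resource {target_role_name(policy)!r}")
    return problems

if __name__ == "__main__":
    arn = ec2_principal("111111111111", "FileAccessManager_EC2_Role", "i-0123456789abcdef0")
    print(json.dumps(trust_policy(arn), indent=2))
    print(check_chain(assume_role_policy(), "FileAccessManagerRole"))
```

Running it with the role name FileAccessManagerRole, as used in step 4, reports the mismatch against the IdentityIQ_FileAccessManagerRole resource in the policy; rename the role or the Resource so the two agree before testing the connection in FAM.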

File Access Manager Setup

  1. Admin → Applications → Add New → AWS S3

  2. Connection Details:

  • For EC2: Provide the appropriate role and account identifiers.

  • For User: Enter the Access Key and Secret Key.

  3. Configure Crawler and Permission Collection

  • Set the scope, schedule, and inclusion/exclusion rules (via lists or regular expressions).

  • Choose resource paths and scheduling frequency as per your requirements.

  4. Install/Verify Services

  • Ensure the “Central Permissions Collection” service for the application is running in Windows Services.

  • Install “Activity Monitor” and/or “Permission Collector” if desired.

  5. Run Initial Crawl and Permission Tasks

  • Go to Settings → Task Management → Scheduled Tasks.

  • Monitor the tasks for success, and verify that the resources appear in Admin → Applications → Manage Resources.

Conclusion

After completing these steps, your AWS S3 buckets will be connected to SailPoint File Access Manager. FAM can now scan your S3 data, collect permissions, and show who has access. With ongoing monitoring and classification, it helps keep your sensitive data secure and supports compliance.

Stay tuned to our blog for more posts about SailPoint product implementations and related updates.

