Skip to main content

AWS (Amazon Web Services)

Description

The AWS connector uses the AWS IAM REST API to discover IAM users, groups, roles, and group memberships within an AWS account. It uses AWS Signature Version 4 (SigV4) request signing to authenticate directly with the IAM service without requiring any AWS SDK installation on the OrbisID server.

System Type Classification

FieldValue
System TypeInfrastructure
Default Scan Priority500

Version Support

OrbisID EditionSupported
CommunityNo
ProYes
EnterpriseYes

AWS scanning requires a Pro or Enterprise licence.

Supported Protocol

ProtocolPortNotes
AWS IAM REST API (HTTPS + SigV4)443 TCPGlobal IAM endpoint: iam.amazonaws.com

What OrbisID Discovers

DataSource
IAM usersListUsers (paginated via Marker)
IAM groupsListGroups (paginated via Marker)
IAM rolesListRoles (paginated via Marker)
Group membershipsGetGroup per group
Attached managed policiesListAttachedUserPolicies / ListAttachedRolePolicies per user/role
User status (active/inactive)Derived from access key and login profile existence

Roles are discovered as accounts alongside users — AWS roles are non-human, assumed-by-entities accounts rather than something assigned to a user directly, and are relevant to PAM reconciliation for service accounts that use role-based access.

Privileged Classification

Each attached managed policy becomes an entitlement (AWS_IAM_POLICY). A user or role is flagged privileged if it has one of the following AWS managed policies attached directly:

AdministratorAccess, PowerUserAccess, IAMFullAccess, SecurityAudit, AWSSecurityHubFullAccess, AWSOrganizationsFullAccess, AWSDirectoryServiceFullAccess, AWSAccountManagementFullAccess

Only directly attached policies are evaluated — permissions granted transitively through a group's own attached policies are not currently rolled up into an individual member's privileged flag.

Connection Requirements

AWS IAM User (Scanning Identity)

OrbisID authenticates using an IAM user with an access key. The IAM user should be a dedicated service account for OrbisID with read-only IAM permissions.

Recommended IAM policy:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "OrbisIDIAMReadOnly",
"Effect": "Allow",
"Action": [
"iam:ListUsers",
"iam:ListGroups",
"iam:ListRoles",
"iam:GetGroup",
"iam:ListAttachedUserPolicies",
"iam:ListAttachedRolePolicies"
],
"Resource": "*"
}
]
}

Attach this policy to the dedicated IAM user and generate an Access Key ID and Secret Access Key.

Credential Mapping

OrbisID FieldAWS Value
credential.usernameIAM Access Key ID (e.g., AKIAIOSFODNN7EXAMPLE)
credential.passwordIAM Secret Access Key

System Attributes

AttributeRequiredDefaultDescription
awsRegionNous-east-1AWS region for the IAM endpoint (IAM is global, but region is used for SigV4 signing)
awsAccountIdNoAWS account ID (12-digit) — stored for reference in scan results

Network Requirements

RequirementDetail
Outbound HTTPSOrbisID server (or On-Premise Agent) must reach iam.amazonaws.com on port 443

Configuration Steps

  1. Create a dedicated IAM user (e.g., orbisid-scanner) in the AWS account
  2. Attach the recommended IAM read-only policy
  3. Generate an Access Key for the IAM user — note the Access Key ID and Secret Access Key
  4. Create a Credential in OrbisID:
    • Username: Access Key ID
    • Password: Secret Access Key
  5. Navigate to Systems → Add System
  6. Fill in the fields:
FieldValue
NameDescriptive name (e.g., AWS – Production Account)
Hostname / IP Addressiam.amazonaws.com — pre-filled and locked; AWS IAM is a fixed global endpoint, not something you configure per system
OS TypeAWS
System TypeInfrastructure
CredentialThe IAM user credential created above
  1. Optionally, in the Connection Attributes section, set AWS Account ID (awsAccountId) for reference
  2. Click Test Connection — this calls iam:GetUser with the configured access key to confirm the credential actually authenticates, not just that the network path is reachable
  3. Click Save
Multiple AWS Accounts

To scan multiple AWS accounts, add a separate OrbisID target system for each account with its own dedicated IAM user and access key.

Access Key Security

Store the IAM Secret Access Key only in OrbisID's encrypted credential store. Do not share it across systems. Rotate access keys regularly and use a dedicated scanning-only IAM user with minimal permissions.

Troubleshooting

SymptomLikely CauseResolution
InvalidClientTokenIdAccess Key ID is invalid or deletedVerify the access key exists and is active in the AWS console
SignatureDoesNotMatchSecret Access Key is incorrectRegenerate or verify the secret access key
AccessDeniedMissing IAM permissionsAttach the recommended policy; verify iam:ListUsers, iam:ListGroups, iam:ListRoles, iam:GetGroup are allowed
Connection refused / timeoutNetwork path to iam.amazonaws.com blockedCheck outbound firewall rules on port 443 from the OrbisID server or agent
No groups or users returnedAccount has no IAM entitiesVerify the correct AWS account is being scanned; check the access key belongs to the intended account
certificate_unknown / "No subject alternative DNS name matching iam.amazonaws.com found"A TLS-inspecting proxy, firewall, or VPN on the network path between the OrbisID server (or agent) and AWS is intercepting the connection and presenting its own certificate instead of Amazon'sConfirm what certificate is actually being served: openssl s_client -connect iam.amazonaws.com:443 -servername iam.amazonaws.com | openssl x509 -noout -subject -issuer -ext subjectAltName from the exact host/container running the scan. If the issuer isn't Amazon, work with network/security teams to exempt iam.amazonaws.com from TLS inspection, or route the scan through an On-Premise Agent on a network with a clean egress path