AWS (Amazon Web Services)
Description
The AWS connector uses the AWS IAM API (the AWS Query protocol over HTTPS) to discover IAM users, groups, roles, and group memberships within an AWS account. Each request is signed with AWS Signature Version 4 (SigV4) and sent directly to the IAM service, so no AWS SDK needs to be installed on the OrbisID server.
System Type Classification
| Field | Value |
|---|---|
| System Type | Infrastructure |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
AWS scanning requires a Pro or Enterprise licence.
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| AWS IAM API (HTTPS + SigV4, Query protocol) | 443 TCP | Global IAM endpoint: iam.amazonaws.com |
What OrbisID Discovers
| Data | Source |
|---|---|
| IAM users | ListUsers (paginated via Marker) |
| IAM groups | ListGroups (paginated via Marker) |
| IAM roles | ListRoles (paginated via Marker) |
| Group memberships | GetGroup per group |
| User status (active/inactive) | Derived from access key and login profile existence |
Roles are enumerated but not mapped to users: an AWS role is assumed by a principal (an IAM user, an AWS service, or a federated identity) rather than assigned to a user as a membership, so there is no user-to-role relationship to record. Role discovery supports PAM reconciliation for service accounts that use role-based access.
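The description above says the connector signs IAM requests with SigV4 and the table says each list call is paginated via Marker. The following is an added example by the editor, not OrbisID's own code, of what that looks like with only the Python standard library: derive the SigV4 signing key, build the canonical request for a Query-protocol POST to iam.amazonaws.com, and walk ListUsers pages until IsTruncated is false. The credentials are AWS's documented placeholder values, and the two response pages served by OfflineSender are constructed so the walk runs offline; replace the sender with https_post to hit the real endpoint.

```python
# Added example (not OrbisID code): SigV4-signed ListUsers against iam.amazonaws.com
# with Marker pagination, using only the standard library. Credentials are AWS's
# documented placeholders; the two response pages are constructed, not captured.
import datetime as dt
import hashlib
import hmac
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

IAM_HOST = "iam.amazonaws.com"
IAM_VERSION = "2010-05-08"
IAM_NS = {"iam": "https://iam.amazonaws.com/doc/2010-05-08/"}
CONTENT_TYPE = "application/x-www-form-urlencoded; charset=utf-8"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4" + secret, date), region), service), "aws4_request")."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    return _hmac(_hmac(_hmac(k_date, region), service), "aws4_request")


def sign_iam_request(access_key, secret_key, params, when=None, region="us-east-1"):
    """Return (url, headers, body) for a SigV4-signed Query-protocol POST.
    The global IAM endpoint is signed with credential-scope region us-east-1."""
    when = when or dt.datetime.now(dt.timezone.utc)
    amz_date, date_stamp = when.strftime("%Y%m%dT%H%M%SZ"), when.strftime("%Y%m%d")
    body = urllib.parse.urlencode(sorted(params.items()))
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    # Canonical headers: lower-case names, sorted by name, each line newline-terminated.
    canonical_headers = f"content-type:{CONTENT_TYPE}\nhost:{IAM_HOST}\nx-amz-date:{amz_date}\n"
    signed_headers = "content-type;host;x-amz-date"
    # Canonical request: method, URI, query string (empty for a form POST), headers, signed list, payload hash.
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/iam/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, "iam"),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers = {
        "Content-Type": CONTENT_TYPE, "Host": IAM_HOST, "X-Amz-Date": amz_date,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }
    return f"https://{IAM_HOST}/", headers, body


def parse_list_users(xml_text):
    """Return (user_names, next_marker); next_marker is None on the last page."""
    result = ET.fromstring(xml_text).find("iam:ListUsersResult", IAM_NS)
    names = [m.findtext("iam:UserName", namespaces=IAM_NS)
             for m in result.findall("iam:Users/iam:member", IAM_NS)]
    truncated = result.findtext("iam:IsTruncated", default="false", namespaces=IAM_NS) == "true"
    return names, (result.findtext("iam:Marker", namespaces=IAM_NS) if truncated else None)


def https_post(url, headers, body):
    req = urllib.request.Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def list_all_users(access_key, secret_key, send=https_post):
    """Walk every ListUsers page, resending the returned Marker until IsTruncated is false."""
    users, marker = [], None
    while True:
        params = {"Action": "ListUsers", "Version": IAM_VERSION}
        if marker:
            params["Marker"] = marker
        names, marker = parse_list_users(send(*sign_iam_request(access_key, secret_key, params)))
        users.extend(names)
        if marker is None:
            return users


# Constructed two-page response (not captured from AWS) so the walk can be exercised offline.
_PAGE = ('<ListUsersResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/"><ListUsersResult>'
         '<Users>{members}</Users><IsTruncated>{trunc}</IsTruncated>{marker}</ListUsersResult></ListUsersResponse>')
SAMPLE_PAGES = {
    None: _PAGE.format(members="<member><UserName>alice</UserName></member><member><UserName>bob</UserName></member>",
                       trunc="true", marker="<Marker>m1</Marker>"),
    "m1": _PAGE.format(members="<member><UserName>carol</UserName></member>", trunc="false", marker=""),
}


class OfflineSender:
    """Stand-in for https_post: checks each request is signed, records its Marker, serves a page."""
    def __init__(self):
        self.markers = []

    def __call__(self, url, headers, body):
        assert headers["Authorization"].startswith("AWS4-HMAC-SHA256 Credential=")
        marker = dict(urllib.parse.parse_qsl(body)).get("Marker")
        self.markers.append(marker)
        return SAMPLE_PAGES[marker]


if __name__ == "__main__":
    print(list_all_users("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY", send=OfflineSender()))
```

Two points worth noticing in the signing path: the credential scope of the global endpoint is `<date>/us-east-1/iam/aws4_request` regardless of where the OrbisID server runs, and the signature covers the SHA-256 of the form body, so a Marker value must be URL-encoded exactly once before hashing and sending.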
Connection Requirements
AWS IAM User (Scanning Identity)
OrbisID authenticates using an IAM user with an access key. The IAM user should be a dedicated service account for OrbisID with read-only IAM permissions.
Recommended IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OrbisIDIAMReadOnly",
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:GetGroup",
        "iam:ListAccessKeys",
        "iam:GetLoginProfile"
      ],
      "Resource": "*"
    }
  ]
}
Attach this policy to the dedicated IAM user and generate an Access Key ID and Secret Access Key. All six actions are read-only. The first four cover enumeration of users, groups, roles, and group memberships; iam:ListAccessKeys and iam:GetLoginProfile are required for the user status derivation described under What OrbisID Discovers (access key and login profile existence), which the four list/get actions alone do not expose. If you deliberately omit the last two, expect user status to be unavailable rather than a scan failure on enumeration.
Credential Mapping
| OrbisID Field | AWS Value |
|---|---|
| credential.username | IAM Access Key ID (e.g., AKIAIOSFODNN7EXAMPLE) |
| credential.password | IAM Secret Access Key |
System Attributes
| Attribute | Required | Default | Description |
|---|---|---|---|
| awsRegion | No | us-east-1 | Region placed in the SigV4 credential scope. IAM is a global service and the global endpoint iam.amazonaws.com expects us-east-1 in the scope; leave the default, since another region causes the signature to be rejected |
| awsAccountId | No | — | 12-digit AWS account ID, stored for reference in scan results (not used for authentication) |
Network Requirements
| Requirement | Detail |
|---|---|
| Outbound HTTPS | OrbisID server (or On-Premise Agent) must reach iam.amazonaws.com on port 443 |
Configuration Steps
- Create a dedicated IAM user (e.g., orbisid-scanner) in the AWS account
- Attach the recommended IAM read-only policy
- Generate an Access Key for the IAM user — note the Access Key ID and Secret Access Key
- Create a Credential in OrbisID:
- Username: Access Key ID
- Password: Secret Access Key
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| Name | Descriptive name (e.g., AWS – Production Account) |
| Hostname | iam.amazonaws.com (used for reference) |
| OS Type | AWS |
| System Type | Infrastructure |
| Credential | The IAM user credential created above |
- Optionally, set awsAccountId in system attributes for reference
- Click Test Connection to verify IAM access
- Click Save
To scan multiple AWS accounts, add a separate OrbisID target system for each account with its own dedicated IAM user and access key.
Store the IAM Secret Access Key only in OrbisID's encrypted credential store and do not reuse it for any other system. Rotate access keys regularly; an IAM user can hold two access keys at once, so create the new key, update the OrbisID credential, confirm Test Connection succeeds, then deactivate and delete the old key so scans are not interrupted. Use a dedicated scanning-only IAM user with minimal permissions.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
| InvalidClientTokenId | Access Key ID is invalid, deleted, or deactivated | Verify the access key exists and is Active in the AWS console |
| SignatureDoesNotMatch | Secret Access Key is incorrect, or awsRegion is not us-east-1 for the global endpoint | Regenerate or verify the secret access key; leave awsRegion at its default |
| AccessDenied | Missing IAM permissions | Attach the recommended policy; verify iam:ListUsers, iam:ListGroups, iam:ListRoles, iam:GetGroup (and iam:ListAccessKeys, iam:GetLoginProfile for user status) are allowed |
| Connection refused / timeout | Network path to iam.amazonaws.com blocked | Check outbound firewall rules on port 443 from the OrbisID server or agent |
| No groups or users returned | Account has no IAM entities | Verify the correct AWS account is being scanned; check the access key belongs to the intended account |
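The discovery table says user status is derived from access key and login profile existence, and the troubleshooting table maps the error codes IAM returns. The following added example, written by the editor and not OrbisID's code, shows the response handling behind both: IAM error responses share one `<ErrorResponse><Error><Code>` shape, GetLoginProfile signals "no console password" with NoSuchEntity rather than an empty result, and any other error (AccessDenied, InvalidClientTokenId) must propagate instead of being read as "inactive". The rule "active if any Active access key or a login profile exists" is the editor's reading of the table, not the product's documented logic, and all XML samples are constructed.

```python
# Added example (not OrbisID code): derive a user's active/inactive status from
# ListAccessKeys and GetLoginProfile responses, handling IAM's <ErrorResponse> shape.
# The derivation rule and the sample XML below are the editor's assumptions.
import xml.etree.ElementTree as ET

IAM_NS = {"iam": "https://iam.amazonaws.com/doc/2010-05-08/"}


class IamApiError(Exception):
    """Carries the Code from an IAM <ErrorResponse> (e.g. AccessDenied, NoSuchEntity)."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


def parse_response(xml_text):
    """Return the parsed root, or raise IamApiError if IAM answered with an ErrorResponse."""
    root = ET.fromstring(xml_text)
    if root.tag.rsplit("}", 1)[-1] == "ErrorResponse":
        err = root.find("iam:Error", IAM_NS)
        raise IamApiError(err.findtext("iam:Code", namespaces=IAM_NS),
                          err.findtext("iam:Message", default="", namespaces=IAM_NS))
    return root


def active_access_keys(list_access_keys_xml):
    """AccessKeyIds whose Status is Active; an Inactive key grants nothing and does not count."""
    root = parse_response(list_access_keys_xml)
    members = root.findall("iam:ListAccessKeysResult/iam:AccessKeyMetadata/iam:member", IAM_NS)
    return [m.findtext("iam:AccessKeyId", namespaces=IAM_NS) for m in members
            if m.findtext("iam:Status", namespaces=IAM_NS) == "Active"]


def has_login_profile(get_login_profile_xml):
    """GetLoginProfile answers NoSuchEntity when the user has no console password;
    any other error (AccessDenied, InvalidClientTokenId, ...) is a real failure and propagates."""
    try:
        parse_response(get_login_profile_xml)
        return True
    except IamApiError as e:
        if e.code == "NoSuchEntity":
            return False
        raise


def user_status(list_access_keys_xml, get_login_profile_xml):
    """active if the user holds at least one Active access key or a console login profile."""
    usable = active_access_keys(list_access_keys_xml) or has_login_profile(get_login_profile_xml)
    return "active" if usable else "inactive"


# Constructed responses (not captured from AWS) covering the three cases.
SAMPLE_KEYS_ONE_ACTIVE = """<ListAccessKeysResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<ListAccessKeysResult><AccessKeyMetadata>
<member><UserName>alice</UserName><AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId><Status>Active</Status></member>
<member><UserName>alice</UserName><AccessKeyId>AKIAI44QH8DHBEXAMPLE</AccessKeyId><Status>Inactive</Status></member>
</AccessKeyMetadata><IsTruncated>false</IsTruncated></ListAccessKeysResult></ListAccessKeysResponse>"""
SAMPLE_KEYS_NONE = """<ListAccessKeysResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<ListAccessKeysResult><AccessKeyMetadata/><IsTruncated>false</IsTruncated></ListAccessKeysResult></ListAccessKeysResponse>"""
SAMPLE_PROFILE_PRESENT = """<GetLoginProfileResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
<GetLoginProfileResult><LoginProfile><UserName>bob</UserName><CreateDate>2024-01-01T00:00:00Z</CreateDate>
</LoginProfile></GetLoginProfileResult></GetLoginProfileResponse>"""
SAMPLE_PROFILE_MISSING = """<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/"><Error>
<Type>Sender</Type><Code>NoSuchEntity</Code><Message>Login Profile for User carol cannot be found.</Message>
</Error><RequestId>00000000-0000-0000-0000-000000000000</RequestId></ErrorResponse>"""
SAMPLE_ACCESS_DENIED = """<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/"><Error>
<Type>Sender</Type><Code>AccessDenied</Code><Message>not authorized to perform: iam:GetLoginProfile</Message>
</Error><RequestId>00000000-0000-0000-0000-000000000000</RequestId></ErrorResponse>"""

if __name__ == "__main__":
    print(user_status(SAMPLE_KEYS_ONE_ACTIVE, SAMPLE_PROFILE_MISSING))  # active
    print(user_status(SAMPLE_KEYS_NONE, SAMPLE_PROFILE_PRESENT))        # active
    print(user_status(SAMPLE_KEYS_NONE, SAMPLE_PROFILE_MISSING))        # inactive
```

The important failure mode is the last sample: if the scanning user lacks iam:GetLoginProfile, the call fails with AccessDenied, and treating that like NoSuchEntity would silently report every console-only user as inactive. Letting the error surface is what makes the AccessDenied row of the troubleshooting table visible to the operator.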