Benefit of the AWS connector

I am trying to figure out the benefit of the AWS connector. Perhaps I am not using it correctly? I think it is useful for one kind of use case: IAM users are used for Identity.

The IAM framework is that we want this mapping: Identity => Account => Entitlement.
But in AWS you have IAM User authentication and you have IAM Role authentication. The wrench is the Role authentication. A role can operate like an identity with access to different resources, and a user can assume the role identity. Here is a deeper wrench: the user does not have to be an AWS user. AWS completely trusts the IDP identity; it does not check if it has a local user identity that correlates.

So an org user is a member of an IDP group which is assigned to the IDP’s AWS SSO config. That IDP group is mapped to a permission set in AWS and so allows its members to log into AWS. That permission set is then mapped to a Role in AWS. So when you log in, it's your SSO instance that is getting all the entitlements via your proxy membership of the IDP group.

And so you could say that user does not “show up” in AWS except in the SSO logs where you can see the identifier in the sso instance. Kind of reminds me of when people use shared accounts in PAM tools and one has to jump through multiple hoops to find out the identity of who is doing what.

And so the OOB AWS connector brings in no data that can be correlated. I also cannot provision a new user (since it's a proxy identity). So my question is: what is the benefit of the connector for this sort of use case? Do I have to build a custom connector?
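The post's core complaint is that federated (SSO) users never appear as correlatable accounts in AWS, only as role sessions. As an added example, not part of the original post and not any vendor's connector code, the script below shows one place such a correlation can still be recovered: CloudTrail. It assumes the role-name convention IAM Identity Center uses for provisioned roles (`AWSReservedSSO_<PermissionSetName>_<hex suffix>`) and that the role session name carries the IdP user name; all account ids, user names and records are constructed sample data. It rebuilds the Identity => Account => Entitlement view from those sessions and ignores local IAM users (which the OOB connector already sees) and ordinary non-SSO role sessions.

```python
"""Added example, not code from the original forum post or from any vendor's
AWS connector. Correlates federated IAM Identity Center (AWS SSO) role sessions
in CloudTrail back to an IdP identity, the AWS account, and the permission set
(entitlement) that was actually exercised.

Assumptions (labelled): Identity Center provisions one role per permission set
per account named AWSReservedSSO_<PermissionSetName>_<hex suffix>, and the SSO
session name is the IdP user name. All records below are constructed.
"""
import re
from collections import defaultdict

# Assumed naming convention for Identity Center provisioned roles.
RESERVED_SSO_ROLE = re.compile(r"^AWSReservedSSO_(?P<permission_set>.+)_[0-9a-f]+$")

# Constructed CloudTrail records (not real log data; account ids are fake).
SAMPLE_CLOUDTRAIL = [
    {   # federated user alice, read-only permission set in account 1111...
        "eventName": "ListBuckets",
        "recipientAccountId": "111111111111",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLE1:alice@example.com",
            "arn": "arn:aws:sts::111111111111:assumed-role/"
                   "AWSReservedSSO_ReadOnlyAccess_0123456789abcdef/alice@example.com",
        },
    },
    {   # same user, admin permission set in a second account
        "eventName": "DescribeInstances",
        "recipientAccountId": "222222222222",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLE2:alice@example.com",
            "arn": "arn:aws:sts::222222222222:assumed-role/"
                   "AWSReservedSSO_AdministratorAccess_fedcba9876543210/alice@example.com",
        },
    },
    {   # a local IAM user: the OOB connector already sees this account
        "eventName": "GetCallerIdentity",
        "recipientAccountId": "111111111111",
        "userIdentity": {
            "type": "IAMUser",
            "userName": "svc-backup",
            "arn": "arn:aws:iam::111111111111:user/svc-backup",
        },
    },
    {   # an ordinary role session (e.g. CI), not an SSO proxy identity
        "eventName": "PutObject",
        "recipientAccountId": "222222222222",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "AROAEXAMPLE3:ci-runner-42",
            "arn": "arn:aws:sts::222222222222:assumed-role/DeployRole/ci-runner-42",
        },
    },
]


def parse_sso_session(record):
    """Return {'identity', 'account', 'entitlement'} for an Identity Center
    role session, or None when the record is not a federated SSO session."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    # Session ARN layout: arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
    parts = ident.get("arn", "").split(":")
    if len(parts) != 6 or not parts[5].startswith("assumed-role/"):
        return None
    resource = parts[5].split("/")
    if len(resource) != 3:
        return None
    _, role_name, session_name = resource
    match = RESERVED_SSO_ROLE.match(role_name)
    if match is None:
        return None  # a role session, but not one provisioned by Identity Center
    return {
        "identity": session_name,                 # IdP user name carried in the session name
        "account": parts[4],                      # the AWS account the role lives in
        "entitlement": match.group("permission_set"),
    }


def build_entitlement_map(records):
    """Identity => set of (account, permission set) pairs actually used."""
    entitlements = defaultdict(set)
    for rec in records:
        session = parse_sso_session(rec)
        if session:
            entitlements[session["identity"]].add((session["account"], session["entitlement"]))
    return dict(entitlements)


if __name__ == "__main__":
    for user, grants in sorted(build_entitlement_map(SAMPLE_CLOUDTRAIL).items()):
        for account, permission_set in sorted(grants):
            print(f"{user} => {account} => {permission_set}")
```

This gives the Identity => Account => Entitlement triple from evidence of use rather than from a provisioned account object, which is why it complements rather than replaces a connector: it only shows permission sets a user has actually exercised, so the authoritative entitlement source remains the IDP group to permission set assignment.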