Correlating AWS accounts into Identity Security Cloud using tagKey

Hi:
We are trying to onboard AWS onto IdentityNow and we have a problem correlating the AWS accounts with the identities. The common attribute that can be used would be employee number, but we can get it from AWS only as a Tag Key value pair. Is there a way to pull one of the key value pairs to use as part of the correlation key? For the AWS Connector we can't use any build map rule. Any pointers on this will be very helpful.

Thanks - Anita

How about using a correlation rule?

Correlation Rule | SailPoint Developer Community

Sharing my observations and thoughts—this might not be the perfect solution, but I hope it helps or leads to a better one.
You’re right—the SailPoint IdentityNow (ISC) AWS connector has some limitations when it comes to attribute mapping and transformation flexibility compared to IdentityIQ, especially since buildMap rules are not supported.

However, you can still achieve identity correlation using a tag key-value pair (like employeeNumber) from AWS by following these pointers:

Recommended Approach to Correlate AWS Accounts via Tag Key (e.g., employeeNumber)

  1. Ensure AWS Tag Exists and Is Readable:

    • Make sure every AWS user/account has the tag employeeNumber assigned.
    • The AWS connector should be configured to import user tags.
    • You might need to enable tag-based attribute collection by customizing the connector’s source schema.
  2. Customize the Schema in IdentityNow:

    • Go to Admin → IdentityNow → Identity Management → Sources → AWS Source → Schema.
    • In the Account Schema, find if the AWS user tags are being pulled.
    • If tags are bundled under a JSON or nested attribute (like tags or metadata), and if employeeNumber is present, proceed to use a transformation.
  3. Create a Transformation to Extract Tag Value:

    • Use a Get Value From JSON transformation to extract the tag value from the nested structure.

    Example:

    {
      "name": "awsEmployeeNumber",
      "type": "getValueFromJSON",
      "attributes": {
        "jsonPath": "$.tags.employeeNumber"
      },
      "sourceName": "AWS Connector Source Name"
    }

    Replace $.tags.employeeNumber with the correct JSONPath expression depending on how tags appear in the raw identity data.

  4. Use the Transformation in Correlation:

    • After the transformation is created, configure the Account Correlation Rule or mapping to match:
      • Identity Attribute = employeeNumber
      • Account Attribute (Transformed) = awsEmployeeNumber
  5. Test with Sample Data:

    • Perform a test aggregation and validate if awsEmployeeNumber is populated correctly.
    • If yes, check if the correlation is matching the identities properly.
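For steps 1 and 5 above, here is an offline dry run I put together (this is my own added example, not SailPoint's or AWS's code): it extracts the employeeNumber tag from each account's tags and reports which accounts would correlate, which would be left as orphans, and which match more than one identity. It assumes the IAM-native tag shape (a list of {"Key", "Value"} pairs, which is what ListUserTags returns); how the ISC AWS connector actually surfaces tags in the account schema is an assumption you need to verify in the schema, as step 2 says.

```python
# Added example, not SailPoint's or AWS's code. Assumes IAM-native tags (a list
# of {"Key","Value"} pairs, as ListUserTags returns); how the ISC AWS connector
# actually surfaces tags in the account schema is an assumption to verify.

def tag_value(tags, key):
    """Value of tag `key` from an IAM-style list of pairs or a flat dict, else None.
    Keys compare case-insensitively: IAM tag keys are case-sensitive, so
    "EmployeeNumber" vs "employeeNumber" otherwise breaks the match silently."""
    if isinstance(tags, dict):
        pairs = list(tags.items())
    else:
        pairs = [(t.get("Key"), t.get("Value")) for t in (tags or [])]
    for k, v in pairs:
        if isinstance(k, str) and k.lower() == key.lower():
            return v.strip() if isinstance(v, str) else v
    return None


def correlate(identities, accounts, tag_key="employeeNumber"):
    """Match accounts to identities on the tag value and report what would be
    left uncorrelated (orphan) or matches more than one identity (ambiguous)."""
    by_emp = {}
    for ident in identities:
        emp = ident.get("employeeNumber")
        if emp:
            by_emp.setdefault(str(emp).strip(), []).append(ident["name"])
    result = {"matched": {}, "uncorrelated": [], "ambiguous": []}
    for acct in accounts:
        emp = tag_value(acct.get("tags"), tag_key)
        owners = by_emp.get(str(emp), []) if emp else []
        if len(owners) == 1:
            result["matched"][acct["nativeIdentity"]] = owners[0]
        elif owners:
            result["ambiguous"].append(acct["nativeIdentity"])
        else:
            result["uncorrelated"].append(acct["nativeIdentity"])
    return result


# Constructed sample data; two identities share an employee number on purpose.
IDENTITIES = [
    {"name": "anita.k", "employeeNumber": "10042"},
    {"name": "bob.m", "employeeNumber": "10077"},
    {"name": "bob.m.contractor", "employeeNumber": "10077"},
]
ACCOUNTS = [
    {"nativeIdentity": "anita-k", "tags": [{"Key": "employeeNumber", "Value": "10042"}]},
    {"nativeIdentity": "bob-m", "tags": [{"Key": "EmployeeNumber", "Value": " 10077 "}]},
    {"nativeIdentity": "ci-deployer", "tags": [{"Key": "Team", "Value": "platform"}]},
]
```

Running correlate(IDENTITIES, ACCOUNTS) on the sample shows anita-k matched, bob-m flagged as ambiguous because two identities carry 10077, and ci-deployer (no employeeNumber tag) reported as an orphan; the orphan and ambiguous lists are the ones to review before relying on the correlation in production.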

@narayanag - Thank you for your reply. If I look at your step 3, how can we extract this employee number tag key value from the aggregated data without correlating the AWS account first?
@sunnyajmera - Yes, a correlation rule could be an answer, but is there anything we can do without deploying cloud rules?