Description
SailPoint® is excited to announce the launch of AWS Regional Collection capability for our SailPoint Cloud Infrastructure Entitlement Management (CIEM) product!
CIEM AWS Regional Collection is a solution designed to meet customer demands for region-specific control over data collection.
Understanding the Basics
AWS operates through physical data centers known as AWS Regions, supporting both global and regional services. While global services (e.g., IAM) apply universally, regional cloud services allow customers to select specific AWS regions for deploying resources. This flexibility is vital for scenarios requiring compliance, tailored deployment close to users, or limiting operations to a particular geographic area.
Recognizing the significance of this, customers requested an alignment between CIEM and the AWS Regional capability. They needed CIEM to collect data only within specified regions, citing reasons like:
- Avoiding unnecessary data collection in test regions
- Adhering to compliance and regulatory requirements
- Following corporate policies
- Avoiding firewall rule violations generated by CIEM data collection, which create unnecessary “chatter”
The Problem at Hand
Traditionally, CIEM collected data across global resources and all regions where customers deployed resources. However, this approach had limitations:
- No inclusion/exclusion settings: Customers couldn’t configure CIEM to target specific regions.
- Manual exclusion methods: Customers resorted to manually excluding CIEM permissions through network configuration for unwanted regions, which produced logging noise whenever CIEM attempted to access those regions’ APIs.
This lack of control created inefficiencies and compliance challenges for our customers, especially those operating under strict regulatory or policy constraints.
Introducing the Solution
The CIEM AWS Connector now includes AWS Regions Configuration. Here’s how it works:
- Customers can now edit the CIEM AWS source configuration to select specific regions for data collection.
- By default, new connections will automatically collect data only in the AWS region where Identity Security Cloud is deployed, reducing noise and ensuring targeted operations.
- While regional configurations provide granular control, CIEM will continue to collect global resource data to maintain operational consistency.
This enhancement empowers customers to prevent CIEM from engaging with excluded regions, ensuring cleaner audit logs and greater operational efficiency.
Final Thoughts
The introduction of CIEM AWS Regional Collection is a significant step forward in aligning cloud services with customer demands for control and customization. By enabling region-specific data collection, this feature not only addresses current limitations but also sets the stage for more robust and compliant cloud operations.
Stay ahead with CIEM’s evolving capabilities—because in the modern cloud era, precision and control are key.
Who is affected?
All SailPoint® CIEM customers will now have the AWS regional collection feature on the CIEM AWS connector.
Action Required
Customers should remove any regions that they wish to exclude from SailPoint® CIEM data collection.
Important Dates
This feature goes live the week of December 16.
By RSVP’ing to this event, you will receive a reminder before this release.