# 📜 Amazon Web Services (AWS) integration

> C1 provides identity governance for AWS. Integrate your AWS instance with C1 to run user access reviews (UARs) and enable just-in-time (JIT) access requests.

<Tip>
  **A newer version of this connector is available.** If you're setting up an AWS connector with C1 for the first time, use the [v2 version](/baton/aws).
</Tip>

## Availability

**An updated version of this integration is available.** This version of the connector is no longer available for installation. If you're integrating AWS for the first time, use the [updated version](/baton/aws).

## Capabilities

* Sync user identities from AWS IAM Users to C1

* Authorization mapping for federated users

* Provisioning supported:
  * Groups
  * Permission sets for Identity Center users

### Known limitations

* Cross-account Assume Role is not currently supported

## Set up the AWS integration

<Warning>
  This task requires either the **Connector Administrator** or **Super Administrator** role in C1.
</Warning>

<Steps>
  <Step>
    In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
  </Step>

  <Step>
    If this is your first AWS integration, the integration form opens automatically. Otherwise, click **Add connector**.
  </Step>

  <Step>
    Choose whether to add the new AWS connector as a data source to an existing application (and select the app of your choice) or to create a new application.

    <Tip>
      **Do you SSO into AWS using your identity provider (IdP)?** If so, make sure to add the connector to the AWS app that was created automatically when you integrated your IdP with C1, rather than creating a new app.
    </Tip>
  </Step>

  <Step>
    Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

    <Warning>
      The AWS connector owner must have the following permissions:

      * **Connector Administrator** or **Super Administrator** role in C1
      * **Ability to create an IAM Role** in AWS
        C1 uses an IAM Trust relationship between your AWS Account and C1's Service AWS Account.
        This is the [AWS recommended method of sharing access to AWS Accounts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html). C1 has a specially created and isolated AWS Account dedicated to the AWS integration.
        For advanced configurations, the only trusted entity should be the following ARN: `arn:aws:iam::765656841499:role/ConductorOneService`
    </Warning>
  </Step>

  <Step>
    Click **Next**.
  </Step>
</Steps>

### Next steps

* **If you are the integration owner**, proceed to [Integrate your AWS instance](/baton/v1/aws#integrate-your-aws-instance) for instructions on integrating AWS with C1.

* **If someone else is the integration owner**, C1 will notify them by email that their help is needed to complete the setup process.

## Integrate your AWS instance

<Warning>
  A user with the **Connector Administrator** or **Super Administrator** role in C1 and the **ability to create an IAM Role** in AWS must perform this task.
</Warning>

### Step 1: Get C1-provided External ID for AWS IAM Role

<Steps>
  <Step>
    Navigate to the C1 **Integrations** page and click **AWS**.
  </Step>

  <Step>
    In the list of connectors, locate and click on the name of the connector with the **Not connected** label.
  </Step>

  <Step>
    Find the **Settings** area of the page and click **Edit**.
  </Step>

  <Step>
    Copy and save the External ID populated in the **External ID** field. We'll use this in Step 2.
  </Step>
</Steps>

### Step 2: Create an AWS IAM Role for C1 to use

<Steps>
  <Step>
    In a new browser tab, sign in to your AWS Account using your existing credentials or SSO.

    <Tip>
      **To support use of AWS Organizations:** You must create this IAM Role in the management (formerly called master) account of the AWS Organization.
    </Tip>
  </Step>

  <Step>
    Navigate to the [IAM Dashboard](https://us-east-1.console.aws.amazon.com/iamv2/home?) and select **Roles** > **Create Role**.
  </Step>

  <Step>
    Select **Custom Trust Policy** and paste the following into the Trust Policy JSON editor, replacing `EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE` with the value from Step 1.

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::765656841499:role/ConductorOneService"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE"
            }
          }
        }
      ]
    }
    ```
  </Step>

  <Step>
    Click **Next**.
  </Step>

  <Step>
    *Skip* **Add permissions** and click **Next**.
  </Step>

  <Step>
    Give the role a name, such as **C1Integration**.
  </Step>

  <Step>
    Add any Tags relevant to your Organization and click **Create Role**.
  </Step>

  <Step>
    Find the newly created role, and click on it to view the role details page.
  </Step>

  <Step>
    Under **Permissions Policies**, click **Add Permissions** and select **Create Inline Policy**.
  </Step>

  <Step>
    Switch to the JSON Editor tab and paste the following policy into the editor:

    ```json expandable
    {
      "Statement": [
        {
          "Action": [
            "iam:GetGroup",
            "iam:ListAccountAliases",
            "iam:ListGroups",
            "iam:ListRoles",
            "iam:ListUsers",
            "identitystore:ListGroupMemberships",
            "identitystore:ListGroups",
            "identitystore:ListUsers",
            "organizations:ListAccounts",
            "sso:DescribePermissionSet",
            "sso:ListAccountAssignments",
            "sso:ListInstances",
            "sso:ListPermissionSets",
            "sso:ListPermissionSetsProvisionedToAccount"
          ],
          "Effect": "Allow",
          "Resource": "*",
          "Sid": "ConductorOneReadAccess"
        }
      ],
      "Version": "2012-10-17"
    }
    ```
  </Step>

  <Step>
    Click **Review Policy**.
  </Step>

  <Step>
    Give the Policy a name, such as **C1Permissions**, and click **Create Policy**.
  </Step>

  <Step>
    Copy the **Role ARN** of the role you just created. It should look like `arn:aws:iam::NNNNNNNNNN:role/ConductorOneIntegration` (we'll use this in Step 3).
  </Step>
</Steps>
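To verify that a role created in the console (or by Terraform) matches what Step 2 asks for, here is an added Python check that is not part of ConductorOne's documentation or tooling. It flags a trust policy whose trusted principal is anything other than the C1 service role, whose action is not exactly `sts:AssumeRole`, or whose `sts:ExternalId` condition is missing or still the placeholder, and flags any action in the permissions policy outside the read-only list above; the sample trust policy it ships with is constructed, and in practice you would pass it the parsed `PolicyDocument` returned by `aws iam get-role` and `aws iam get-role-policy`.

```python
# Constants come from this guide; the checks and the sample document are an added example.
C1_SERVICE_ROLE = "arn:aws:iam::765656841499:role/ConductorOneService"
PLACEHOLDER_EXTERNAL_ID = "EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE"
EXPECTED_ACTIONS = {
    "iam:GetGroup", "iam:ListAccountAliases", "iam:ListGroups", "iam:ListRoles",
    "iam:ListUsers", "identitystore:ListGroupMemberships", "identitystore:ListGroups",
    "identitystore:ListUsers", "organizations:ListAccounts", "sso:DescribePermissionSet",
    "sso:ListAccountAssignments", "sso:ListInstances", "sso:ListPermissionSets",
    "sso:ListPermissionSetsProvisionedToAccount",
}

def _as_list(value):
    """IAM policy fields may hold one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(doc: dict) -> list[str]:
    """Findings for a role trust policy; an empty list means it matches this guide."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be {"AWS": ...} or the bare string "*"; either way require the one C1 ARN.
        trusted = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if trusted != [C1_SERVICE_ROLE]:
            findings.append(f"trusted principal must be exactly {C1_SERVICE_ROLE}, got {trusted}")
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("Action must be exactly sts:AssumeRole")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id or ext_id == PLACEHOLDER_EXTERNAL_ID:
            findings.append("sts:ExternalId condition is missing or still the placeholder")
    return findings

def check_permissions_policy(doc: dict) -> list[str]:
    """Findings for the inline policy: any Allow action outside the guide's read-only set."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(_as_list(stmt.get("Action", []))) - EXPECTED_ACTIONS
        if extra:
            findings.append(f"unexpected actions: {sorted(extra)}")
    return findings

# Constructed sample: the guide's trust policy with the External ID placeholder left in place.
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": C1_SERVICE_ROLE}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": PLACEHOLDER_EXTERNAL_ID}}}]}
if __name__ == "__main__":
    print(check_trust_policy(SAMPLE_TRUST_POLICY))  # one finding about the placeholder
```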

### Step 3: Integrate C1 to your AWS instance

<Steps>
  <Step>
    Return to C1 and paste the AWS Role ARN you generated in Step 2 into the **Role ARN** field.
  </Step>

  <Step>
    **Optional.** Click the checkbox to **Enable support for AWS Organizations**.

    If support for AWS Organizations is enabled, the IAM Role (as described in Step 2) must be created in the management (formerly called master) account of the AWS Organization. If the IAM Role is created on a member account and support for AWS Organizations is enabled, the integration will return a 400 error.
  </Step>

  <Step>
    **Optional.** Click the checkbox to **Enable support for AWS IAM Identity Center** and select the region for AWS IAM Identity Center from the dropdown.
  </Step>

  <Step>
    **Optional.** Click the checkbox to **Enable usage of the AWS IAM Identity Center SCIM API** and enter the SCIM endpoint and access token in the relevant fields.
  </Step>

  <Step>
    Click **Save**.
  </Step>

  <Step>
    The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
  </Step>
</Steps>

**Done.** Your AWS connector is now pulling access data into C1.

## Integrate using Terraform

As an alternative to the instructions above, use the following Terraform script to integrate your AWS instance with C1.

### Step 1: Get C1-provided External ID for AWS IAM Role

<Steps>
  <Step>
    Log into [C1](https://accounts.conductor.one/accounts).
  </Step>

  <Step>
    Navigate to **Integrations** > **Connectors** > **AWS Connector**.
  </Step>

  <Step>
    Copy and save the **External ID** populated in the **External ID** field (we'll use this in Step 2).
  </Step>
</Steps>

### Step 2: Use a Terraform script to set up the AWS integration

```hcl expandable
variable "EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE" {
  description = "ConductorOne-provided External ID for AWS IAM Role from Step 1"
  type        = string
}

# Role that C1's service account assumes. The trust policy allows only C1's
# dedicated service role and requires the External ID copied in Step 1.
resource "aws_iam_role" "ConductorOneIntegration" {
  name = "ConductorOneIntegration"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::765656841499:role/ConductorOneService"
        }
        Action = "sts:AssumeRole"
        Condition = {
          StringEquals = {
            "sts:ExternalId" = var.EXTERNAL_ID_FROM_C1_INTEGRATIONS_PAGE
          }
        }
      }
    ]
  })
}

# Read-only inline policy attached to the role. aws_iam_role_policy replaces the
# deprecated inline_policy block of aws_iam_role; the permissions are unchanged.
resource "aws_iam_role_policy" "ConductorOnePermissions" {
  name = "ConductorOnePermissions"
  role = aws_iam_role.ConductorOneIntegration.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "ConductorOneReadAccess"
        Effect = "Allow"
        Action = [
          "iam:GetGroup",
          "iam:ListAccountAliases",
          "iam:ListGroups",
          "iam:ListRoles",
          "iam:ListUsers",
          "identitystore:ListGroupMemberships",
          "identitystore:ListGroups",
          "identitystore:ListUsers",
          "organizations:ListAccounts",
          "sso:DescribePermissionSet",
          "sso:ListAccountAssignments",
          "sso:ListInstances",
          "sso:ListPermissionSets",
          "sso:ListPermissionSetsProvisionedToAccount"
        ]
        Resource = "*"
      }
    ]
  })
}
```
