Automate identity and access management evidence for AWS SSO. Track user provisioning, permission sets, group memberships, and authentication logs for SOC 2, ISO 27001, HIPAA, and FedRAMP compliance.
Continuous AWS SSO directory and access evidence collection with zero manual exports
Simple IAM role configuration with read-only permissions
In the AWS Console, create a read-only IAM role with Identity Store permissions. Attach the managed policy "AWSSSOMasterAccountAdministrator" restricted by a custom read-only policy, or use our provided CloudFormation template for automated setup.
Ensure CloudTrail is enabled in your AWS Organization management account with Identity Store event logging. Configure S3 bucket access for LowerPlane to read Identity Store API events, user authentication logs, and permission changes.
In LowerPlane, enter your AWS account ID, IAM role ARN, and Identity Store ID. Click "Test Connection" to verify access, then enable automated evidence collection. Initial sync completes within 5 minutes for typical directories.
LowerPlane requires read-only IAM permissions and cannot modify your AWS Identity Store configuration, users, or permission sets. All credentials are encrypted at rest using AES-256, and access is logged for audit purposes. The IAM role uses an external ID for secure cross-account access and can be revoked at any time.
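The two policies that make up the role described in the steps above are easy to get subtly wrong: a trust policy without an `sts:ExternalId` condition is open to confused-deputy abuse, and a permission policy built from an administrator managed policy is not read-only no matter what is layered on top of it. The following added example (not LowerPlane's CloudFormation template and not AWS code) builds a trust policy that requires the external ID and a permission policy that grants only explicit read actions, then checks both. The collector account ID and external ID are constructed placeholders, and the list of `identitystore:`, `sso:` and `sso-directory:` read actions is an assumption about what an evidence collector needs.

```python
"""Least-privilege cross-account role for read-only identity evidence collection.

Added example. Account ID and external ID below are constructed placeholders;
the action list is an assumption, not a policy published by LowerPlane or AWS.
"""
import json

# Any Allow action whose verb does not start with one of these is a write.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Search")

# Assumed set of read actions covering users, groups, memberships, MFA devices,
# permission sets and account assignments (the evidence types on this page).
READ_ONLY_ACTIONS = [
    "identitystore:ListUsers",
    "identitystore:ListGroups",
    "identitystore:ListGroupMemberships",
    "identitystore:DescribeUser",
    "identitystore:DescribeGroup",
    "sso:ListInstances",
    "sso:ListPermissionSets",
    "sso:DescribePermissionSet",
    "sso:ListAccountAssignments",
    "sso:ListManagedPoliciesInPermissionSet",
    "sso:GetInlinePolicyForPermissionSet",
    "sso-directory:SearchUsers",
    "sso-directory:ListMfaDevicesForUser",
]


def build_trust_policy(collector_account_id, external_id):
    """Trust policy: only the collector account may assume the role, and only
    when it presents the agreed external ID (guards against confused deputy)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{collector_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permission_policy(actions=READ_ONLY_ACTIONS):
    """Permission policy listing explicit read actions instead of a wildcard
    or an administrator managed policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


def find_write_actions(policy):
    """Return every allowed action that is not read-only; wildcards count as writes."""
    offenders = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _, _, verb = action.partition(":")
            if "*" in action or not verb.startswith(READ_ONLY_PREFIXES):
                offenders.append(action)
    return offenders


def trust_policy_requires_external_id(policy):
    """True only if every statement in the trust policy requires sts:ExternalId."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            return False
    return True


if __name__ == "__main__":
    # Constructed placeholder values; replace with the real collector account
    # ID and the external ID shown in the connection form.
    trust = build_trust_policy("111111111111", "example-external-id")
    perms = build_permission_policy()
    print(json.dumps(trust, indent=2))
    print("external ID required:", trust_policy_requires_external_id(trust))
    print("write actions found:", find_write_actions(perms))
```

Run `find_write_actions` against whatever permission policy ends up attached to the role before handing the ARN to a third party; if it returns anything, the role is not the read-only role the page describes.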
Real-time AWS SSO directory and access evidence mapped directly to compliance controls
| Control | Framework | Evidence Type | Service | Frequency |
|---|---|---|---|---|
| User Directory | SOC 2 | Complete user list with status | Identity Store API | Daily |
| MFA Enforcement | ISO 27001 | MFA device configuration | Identity Store API | Daily |
| Permission Set Assignments | FedRAMP | Account access mappings | SSO Admin API | Daily |
| Group Memberships | SOC 2 | User-to-group assignments | Identity Store API | Daily |
| Access Logs | HIPAA | Authentication events | CloudTrail | Continuous |
| Policy Changes | ISO 27001 | Permission set modifications | CloudTrail | Continuous |
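The two continuous rows in the table are fed by CloudTrail rather than by the directory APIs, so the useful question is which records count as evidence for which control. The added example below (not LowerPlane's collector) reads a constructed CloudTrail log file, keeps only IAM Identity Center and Identity Store records that change access or record an authentication, and tags each with the control row it supports. The event names are taken from the public IAM Identity Center and Identity Store API names; treating exactly this set as the relevant one is an assumption, and the sample records, ARNs and IP addresses are constructed.

```python
"""Classify CloudTrail records into the evidence rows on this page.

Added example; the sample log below is constructed, not a real trail.
"""
import json
from collections import Counter

# IAM Identity Center (eventSource sso.amazonaws.com) API names that alter
# permission sets or account assignments. Assumption: this is the review-relevant set.
PERMISSION_CHANGE_EVENTS = {
    "CreatePermissionSet", "UpdatePermissionSet", "DeletePermissionSet",
    "AttachManagedPolicyToPermissionSet", "DetachManagedPolicyFromPermissionSet",
    "PutInlinePolicyToPermissionSet", "DeleteInlinePolicyFromPermissionSet",
    "CreateAccountAssignment", "DeleteAccountAssignment",
}
# Sign-in events recorded by IAM Identity Center.
AUTH_EVENTS = {"Authenticate", "Federate"}
# Identity Store (eventSource identitystore.amazonaws.com) directory mutations.
DIRECTORY_CHANGE_EVENTS = {
    "CreateUser", "DeleteUser", "CreateGroup", "DeleteGroup",
    "CreateGroupMembership", "DeleteGroupMembership",
}

# Constructed sample trail: two sign-ins (one failed), two permission changes,
# one group membership change and one read-only call that should be ignored.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "Authenticate", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"arn": "arn:aws:sso::111111111111:user/alice"}},
    {"eventTime": "2024-05-01T08:01:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "Authenticate", "sourceIPAddress": "203.0.113.7",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sso::111111111111:user/bob"}},
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "CreateAccountAssignment", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/IdentityAdmin"}},
    {"eventTime": "2024-05-01T09:05:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "DescribePermissionSet", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/IdentityAdmin"}},
    {"eventTime": "2024-05-01T09:10:00Z", "eventSource": "identitystore.amazonaws.com",
     "eventName": "CreateGroupMembership", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/IdentityAdmin"}},
    {"eventTime": "2024-05-01T09:20:00Z", "eventSource": "sso.amazonaws.com",
     "eventName": "PutInlinePolicyToPermissionSet", "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/IdentityAdmin"}},
]})


def classify(record):
    """Return the control row a record supports, or None if it is not evidence."""
    src, name = record.get("eventSource"), record.get("eventName")
    if src == "sso.amazonaws.com" and name in PERMISSION_CHANGE_EVENTS:
        return "Policy Changes"
    if src == "sso.amazonaws.com" and name in AUTH_EVENTS:
        return "Access Logs"
    if src == "identitystore.amazonaws.com" and name in DIRECTORY_CHANGE_EVENTS:
        return "User Directory"
    return None


def collect_evidence(trail_json):
    """Parse a CloudTrail log file and return one evidence item per relevant record."""
    evidence = []
    for record in json.loads(trail_json)["Records"]:
        control = classify(record)
        if control is None:
            continue
        evidence.append({
            "control": control,
            "time": record["eventTime"],
            "event": record["eventName"],
            "actor": record.get("userIdentity", {}).get("arn", "unknown"),
            "source_ip": record.get("sourceIPAddress"),
            "error": record.get("errorCode"),  # non-None marks a failed call or sign-in
        })
    return evidence


def count_by_control(evidence):
    """Summarise how many records landed in each control row."""
    return dict(Counter(item["control"] for item in evidence))


if __name__ == "__main__":
    items = collect_evidence(SAMPLE_TRAIL)
    for item in items:
        print(item)
    print(count_by_control(items))
```

Failed sign-ins are kept rather than dropped, because an auditor asking for authentication evidence wants the denials as much as the successes; the `error` field carries the CloudTrail `errorCode` so they can be separated later.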
Supporting AWS SSO user directory, authentication, and multi-account access management
View complete evidence documentation
AWS Identity Store integration satisfies identity and access controls across multiple compliance frameworks
AWS Identity Store integration covers 10 critical SOC 2 controls focused on centralized identity management, SSO authentication, and multi-account access governance.
35% of our customers use AWS Identity Store for centralized identity management
"AWS Identity Store integration eliminated manual SSO access reviews entirely. Instead of manually exporting permission sets and cross-referencing account assignments across 12 AWS accounts, LowerPlane tracks everything automatically. Our FedRAMP auditors were impressed by the real-time visibility."
Everything you need to know about AWS Identity Store integration
Still have questions?
Contact our security team
Build comprehensive identity and access security coverage across cloud providers
Monitor security posture, IAM policies, CloudTrail logs, and compliance evidence from AWS services.
Track user provisioning, MFA enforcement, SSO configuration, and authentication logs from Okta.
Automate evidence from Azure Active Directory including user management, conditional access, and audit logs.
Connect your AWS SSO directory in 3 minutes and start tracking identity evidence automatically
No credit card required • 14-day free trial • Setup in 3 minutes