Before you begin

To complete this guide, you’ll need:
  • C1 Super Administrator role
  • AWS with Identity Center configured
  • Ability to set up an AWS role trust
Estimated time: 30 minutes

Step 1: Integrate your AWS instance

Integrate your AWS instance with C1. Follow our instructions to set up the AWS v2 connector. Make sure to select these configuration options on the connector setup screen:
  • Enable support for AWS Organizations
  • Enable support for AWS IAM Identity Center
Once connected, C1 ingests all of the resources and entitlements for AWS. This includes accounts, roles within accounts, identity center users, identity center groups, and permission sets. You can see all the resources and entitlements by going to Apps > AWS and clicking Entitlements.

Step 2: Configure AWS accounts for JIT access

Now that AWS is hooked up to C1, set AWS accounts as available for just-in-time access. To do this, we’ll configure entitlement management rules for each of the AWS accounts.
  1. Navigate to the Apps page, then select the “AWS” application that was created from Step 1.
  2. In the Entitlement management section, click Edit next to Default config rules.
  3. In the configuration rules pane, click the toggle to Enable configuration rules.
  4. Select the account resource type.
  5. In the Access profiles field, search for and select an access profile. For example, select Everyone to make the entitlements requestable by all users.
  6. Finally, check the box at the bottom of the screen and click Apply.
The new settings are applied, and a summary is shown in the Entitlement management section of the page.
Don’t worry, you can change who can request access, for how long, and the policy for approving access later.

Step 3: Request JIT access

Let’s go request AWS JIT access!
  1. In C1, click Requests and make sure that App catalog is selected.
  2. Click AWS. A panel opens with the account resources available for you to request.
  3. Click the account you want access to, then click Request on a specific entitlement (such as a permission set).
  4. On the New request form that is shown, select the length of time you want access for.
  5. Click Submit request.

Success!

The request policy routes the request through the approval process. The new access will be automatically provisioned by the AWS connector, and then automatically removed upon expiration.
If you prefer working from the command line, you can also request and use AWS access directly from the AWS CLI using Cone. See Use Cone with AWS SSO.
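
A defender-side check for the automatic removal described above, as an added example that is not C1's own code: it pairs CloudTrail events for Identity Center account assignments and lists grants still open past the requested duration. It assumes the connector's provisioning surfaces as CreateAccountAssignment and DeleteAccountAssignment events; the sample records, the placeholder ARN, and the overdue_assignments helper are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample CloudTrail records (not real log data). Assumption: each JIT
# grant appears as an IAM Identity Center account-assignment create/delete pair.
def _event(time, name, account, principal, pset, error=None):
    rec = {"eventTime": time, "eventSource": "sso.amazonaws.com", "eventName": name,
           "requestParameters": {"targetId": account, "principalId": principal,
                                 "permissionSetArn": pset}}
    if error:
        rec["errorCode"] = error  # CloudTrail sets errorCode on failed API calls
    return rec

PS = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"  # placeholder ARN
SAMPLE_EVENTS = [
    _event("2024-05-01T09:00:00Z", "CreateAccountAssignment", "111111111111", "user-a", PS),
    _event("2024-05-01T09:30:00Z", "CreateAccountAssignment", "222222222222", "user-b", PS),
    _event("2024-05-01T10:00:00Z", "DeleteAccountAssignment", "111111111111", "user-a", PS),
    _event("2024-05-01T11:00:00Z", "CreateAccountAssignment", "333333333333", "user-c", PS,
           error="AccessDenied"),
]

def _key(ev):
    p = ev["requestParameters"]
    return (p["targetId"], p["principalId"], p["permissionSetArn"])

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def overdue_assignments(events, max_grant, now):
    """Return (account, principal, permission set) keys still assigned past max_grant."""
    open_grants = {}
    for ev in sorted(events, key=_ts):
        if ev.get("eventSource") != "sso.amazonaws.com" or ev.get("errorCode"):
            continue  # ignore other services and calls that failed
        if ev["eventName"] == "CreateAccountAssignment":
            open_grants.setdefault(_key(ev), _ts(ev))  # keep the earliest open grant
        elif ev["eventName"] == "DeleteAccountAssignment":
            open_grants.pop(_key(ev), None)
    return sorted(k for k, start in open_grants.items() if now - start > max_grant)

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    for account, principal, pset in overdue_assignments(SAMPLE_EVENTS, timedelta(hours=1), now):
        print(f"still assigned past expiry: {principal} on {account} via {pset}")
```

Set max_grant to the longest duration your request policy allows, so anything the function returns is an assignment that outlived its grant.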