---
title: Onboarding Amazon Web Services (AWS) accounts
description: When you add an AWS account to PingOne Privilege, its resources are discovered automatically and can be managed for just-in-time (JIT) developer access.
component: privilege
page_id: privilege:configuration:cloud-accounts/aws
canonical_url: https://docs.pingidentity.com/privilege/configuration/cloud-accounts/aws.html
revdate: May 4, 2026
section_ids:
  step-1-start-the-add-account-wizard: "Step 1: Start the Add Account wizard"
  step-2-deploy-the-cloudformation-template-in-aws: "Step 2: Deploy the CloudFormation template in AWS"
  step-3-complete-the-configuration-in-pingone-privilege: "Step 3: Complete the configuration in PingOne Privilege"
  result: Result
  validation: Validation
---

# Onboarding Amazon Web Services (AWS) accounts

When you add an AWS account to PingOne Privilege, its resources are automatically discovered and can be managed for just-in-time (JIT) access. You can onboard either a single AWS account or an entire AWS Organization Unit (OU).

## Step 1: Start the Add Account wizard

1. In the PingOne Privilege admin console, go to **Cloud > Clouds**.

2. Click **Add Account Wizard**.

3. In the **Add Account** modal, ensure the AWS icon is selected.

4. Enter a **Name** and **Description** for the connection. Click **Next**.

5. When asked if you are onboarding an Organization Unit (OU), select **Yes** or **No**. Click **Next**.

## Step 2: Deploy the CloudFormation template in AWS

1. Copy the provided CloudFormation (CFN) template or click **Open CF Template** to open it in your AWS account.

2. In your AWS management account, deploy the CloudFormation template.

   You must have sufficient IAM permissions to create the required resources.

   During deployment, provide the following parameters when prompted:

   * **ExternalID**: Enter a unique, memorable string that acts as a shared secret. You can copy this value directly from the PingOne Privilege UI.

   * **OrgID** (OU Only): Enter the ID of the AWS Organization Unit you are onboarding.

3. After the CloudFormation stack is successfully created, go to its **Outputs** tab and copy the generated values.

## Step 3: Complete the configuration in PingOne Privilege

1. In the PingOne Privilege admin console, return to the **Add Account** wizard.

2. Enter the values you copied from the CloudFormation stack outputs:

   * **Cross Account Role ARN**: The ARN of the role created by the template.

   * **Organization Unit (OU) ID** (For OUs only): The ID of the onboarded OU.

   * **Advanced Discovery TAGS** (Optional): Limit discovery to resources with matching tags.

   * **Advanced Discovery REGION** (Optional): By default, all enabled regions are scanned. Select specific regions to limit the discovery scope.

3. Click **Verify & Add Account**.

## Result

The AWS account or OU will now appear in the Cloud Accounts list.

## Validation

To ensure the onboarding process was successful:

1. Sign in to the AWS console for the onboarded account.

2. Go to the **IAM** service.

3. Select **Identity providers**.

4. Verify that an identity provider exists with the name `Procyon-<YourTenantName>-<YourAWSAccountName>`, where `<YourTenantName>` is your PingOne Privilege tenant name and `<YourAWSAccountName>` is the name you provided in the wizard.
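The same check can be scripted. This is an added example, not code from PingOne Privilege. It assumes you have saved the JSON output of `aws iam list-saml-providers` and `aws iam list-open-id-connect-providers` for the onboarded account. The page does not say which provider type is created, so ARNs from both listings are accepted. The tenant name, account name, account ID, and function names below are constructed for illustration.

```python
import json

# Constructed sample CLI output; the account ID and names are made up.
SAML_JSON = '''{"SAMLProviderList": [
  {"Arn": "arn:aws:iam::111122223333:saml-provider/Procyon-acme-prod-payments"},
  {"Arn": "arn:aws:iam::111122223333:saml-provider/CorpSSO"}]}'''
OIDC_JSON = '''{"OpenIDConnectProviderList": [
  {"Arn": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"}]}'''


def provider_arns(*cli_outputs):
    """Collect every provider ARN from the given CLI JSON documents."""
    arns = []
    for raw in cli_outputs:
        doc = json.loads(raw)
        for key in ("SAMLProviderList", "OpenIDConnectProviderList"):
            arns += [entry["Arn"] for entry in doc.get(key, [])]
    return arns


def resource_name(arn):
    """Return (account_id, provider_name) for an IAM provider ARN, else None."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "iam" or "/" not in parts[5]:
        return None
    return parts[4], parts[5].split("/", 1)[1]


def check_onboarding(tenant, account_name, account_id, arns):
    """Find the Procyon-<tenant>-<account> provider in the expected account.

    Other Procyon-* providers (wrong name or wrong account) are reported as
    near misses, which usually points to a typo in the wizard's Name field.
    """
    expected = f"Procyon-{tenant}-{account_name}"
    result = {"expected": expected, "match": None, "near_misses": []}
    for arn in arns:
        parsed = resource_name(arn)
        if parsed is None:
            continue  # skip malformed entries instead of failing the check
        acct, name = parsed
        if name == expected and acct == account_id:
            result["match"] = arn
        elif name.lower().startswith("procyon-"):
            result["near_misses"].append(arn)
    return result
```

A result with `match` set to `None` and a non-empty `near_misses` list means a Procyon provider exists but not under the name or account you expected.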
