
AWS SSO user Synced trigger

0

I'm using AWS SSO. I want a triggering mechanism to Lambda whenever a new user is synced to Identity Center. I will add the user to AD; within 40 min it will appear in AWS SSO users. When it appears I want to trigger a Lambda to create a permission set. So what is the trigger I can use?

asked 5 months ago, 92 views
1 answer
0
Accepted answer

To trigger a Lambda function when a new user is synced to AWS IAM Identity Center (formerly AWS SSO), you can use Amazon EventBridge (formerly CloudWatch Events) to monitor and respond to these events.

You can set up an EventBridge rule with a pattern that specifically targets user creation events in IAM Identity Center. Here's how you can configure it:

  1. Create an EventBridge rule with the following event pattern:

```json
{
  "source": ["aws.sso"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["sso.amazonaws.com", "sso-directory.amazonaws.com"],
    "eventName": ["CreateUser"]
  }
}
```

  2. Set your Lambda function as the target for this EventBridge rule.

  3. Ensure that CloudTrail is properly configured to log these events.

This setup will trigger your Lambda function whenever a new user is created in IAM Identity Center, allowing you to programmatically create permission sets for the new user.

Note that if you're using an external identity provider like Active Directory, the event will be generated when the user is synced to IAM Identity Center, not when you add the user to AD. The 40-minute sync delay you mentioned is the time it takes for AD changes to propagate to IAM Identity Center, and the EventBridge rule will trigger after this synchronization completes.

Also, be aware that if your identity source is configured as "SCIM" for automatic provisioning, user management happens through your external identity provider, and you'll need to ensure your EventBridge rule is properly capturing these provisioning events.
Sources
Need some help with my setting(EventBridge) | AWS re:Post
AWS SSO - Manage Users | AWS re:Post

answered 5 months ago
AWS
SUPPORT ENGINEER
verified 5 months ago
AWS
EXPERT
verified 5 months ago
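As an added example (not part of the answer above or of any AWS code), here is a Lambda handler for the target of that EventBridge rule. It re-checks the event against the rule's pattern, drops failed API calls (CloudTrail records those too, and a rule matching only on `eventName` forwards them), and only then creates a permission set. The sample event is constructed; the field names under `requestParameters`/`responseElements` and the `SSO_INSTANCE_ARN` environment variable are assumptions.

```python
import os
from typing import Callable, Optional

# Same values as the EventBridge pattern in the answer; re-checked here so the
# function stays safe even if the rule is later loosened.
ACCEPTED_SOURCES = {"sso.amazonaws.com", "sso-directory.amazonaws.com"}
ACCEPTED_EVENTS = {"CreateUser"}

# Constructed sample of what EventBridge delivers for a CloudTrail CreateUser
# call. Field names inside requestParameters/responseElements are assumed.
SAMPLE_EVENT = {
    "version": "0", "source": "aws.sso", "region": "us-east-1",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "sso-directory.amazonaws.com", "eventName": "CreateUser",
        "requestParameters": {"identityStoreId": "d-EXAMPLE", "userName": "jdoe"},
        "responseElements": {"userId": "USER-ID-EXAMPLE"},
    },
}


def extract_new_user(event: dict) -> Optional[dict]:
    """Return the new user's attributes, or None if the event must be ignored."""
    if event.get("source") != "aws.sso" or event.get("detail-type") != "AWS API Call via CloudTrail":
        return None
    detail = event.get("detail") or {}
    if detail.get("eventSource") not in ACCEPTED_SOURCES or detail.get("eventName") not in ACCEPTED_EVENTS:
        return None
    # CloudTrail logs denied/failed calls as well; never provision on those.
    if detail.get("errorCode") or detail.get("errorMessage"):
        return None
    params = detail.get("requestParameters") or {}
    resp = detail.get("responseElements") or {}
    user = {"identity_store_id": params.get("identityStoreId"),
            "user_name": params.get("userName"), "user_id": resp.get("userId")}
    return user if all(user.values()) else None  # refuse incomplete records


def create_permission_set(user: dict) -> str:
    """Create a permission set named after the user via the sso-admin API (assumed approach)."""
    import boto3  # imported lazily so parsing and tests run without AWS access
    resp = boto3.client("sso-admin").create_permission_set(
        InstanceArn=os.environ["SSO_INSTANCE_ARN"],  # placeholder: set in the Lambda config
        Name=f"ps-{user['user_name']}",
        Description=f"Auto-created for Identity Center user {user['user_id']}")
    return resp["PermissionSet"]["PermissionSetArn"]


def lambda_handler(event: dict, context=None,
                   provision: Callable[[dict], str] = create_permission_set) -> dict:
    user = extract_new_user(event)
    if user is None:
        return {"status": "ignored"}
    return {"status": "provisioned", "user_id": user["user_id"], "permission_set_arn": provision(user)}
```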
