IAM Policies
Filter and Sort
Sortable Columns
Actionable Risk
Values: Critical, High, Medium, Low
Actionable Risk focuses on unused permissions, while Risk looks at all permissions. Actionable Risk is designed to help you achieve Least Permissive access.
Risk
Values: Critical, High, Medium, Low
This is a calculation of risk based on all permissions. See also: Understanding Risk Scoring.
% of Unused Permissions
This shows the number of unused permissions as a percentage of the policy's total permissions, displayed as a percentage graph.
When remediating, immediately target the policies with the greatest exposure and refine them according to the suggestions.
Additional information is available in the Detail Drawers.
Policy Type
These reflect the policy types from AWS. See also the AWS documentation of policy types.
- AWS Managed: A standalone policy that is created and administered by AWS.
- Customer: Customer-managed standalone policies in the user's own AWS account that the user can attach to principal entities and change freely.
- Inline: An AWS policy created for a single IAM identity (a user, group, or role). Inline policies maintain a strict one-to-one relationship between a policy and an identity.
Shared
The number of IAM entities (users, roles, and/or groups) assigned to a policy. When remediating, focus on the policies affecting the greatest number of entities and make a global policy change.
Highest Access
See also: Understand Highest Access
Values:
- Admin: Admin access granted
- Write: Write access granted
- Read: Read access granted
- Empty Access: No permissions are granted at all
Findings
Policies can be listed as Unused on this page. It is recommended to delete Unused policies if possible.
Available Filters
- Search: Free text search on terms in the resource name
- Actionable Risks: By severity
- Cloud Accounts: Account name/number by the cloud provider (e.g. AWS)
- Access Categories: Admin, Write, Read, or Empty Access
- Policy Types: AWS-Managed, Customer, Inline
- Findings: Unused indicates unused policies
Analyze and Remediate
To reduce the entitlements globally for a particular policy:
- Click on a policy name to open the detail drawer and open subtabs as needed. You may be prompted to consider removing an inactive user or unused policy altogether.
- Click Optimize IAM Policy and review the proposed code to resolve critical permissions issues on the policy. See also: Understand the Suggested Policy Changes
- You can copy (then paste), download (then upload), or open the adjusted policy directly in the AWS console and save.
- If you have configured the Jira Ticketing integration with Sysdig Secure, you can also open a Jira ticket to optimize the policy code. See also: Jira Ticketing integration
Detail Drawers
The IAM Policies page organizes everything around the policy. Click on a policy name to open the details drawer and subtabs.
- Overview: Displays the critical permissions issues detected on the IAM Policy, sorted by Risk and Actionable Risk.
- Attached Users: Displays the users attached to the policy.
- Attached Roles: Displays the roles attached to the policy.
- Attached Groups: Displays the groups attached to the policy.
- Policy Details: Displays the current policy code, which can be replaced by suggested updates when you select Optimize IAM Policy.
Optimize a Policy Globally
Sysdig may suggest that you Optimize an IAM Policy on the IAM Policy page or subtab. If you click the button and download the proposed policy, it should be used to replace the existing policy in your AWS Console. It will affect all entities (users, roles, groups) associated with the policy.
In the example below, the Policy risk is Critical. There are 24 IAM entities listed in the Shared column, which are divided between Assigned Users, Groups, and Roles. (Open the subtabs to see the entity lists.) A number of the Attached Users are Inactive.
- Click Optimize IAM Policy for a streamlined policy suggestion that considers the attached entities. In this case, it reduces the permissions from 15,521 to 505.
- Upload this policy to your AWS Console and associate it with the appropriate users, roles, and/or groups.
- Recommended: Deactivate the old policy and potentially remove the detected inactive users in AWS.
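The two ideas this page relies on, the "% of Unused Permissions" column (granted permissions that usage data shows are never exercised) and the globally optimized policy that keeps only what is actually used, can be made concrete with a small script. The following is an added example, not Sysdig's code or the product's scoring logic: the action catalog, the policy document and the set of observed actions are all constructed for the example, wildcard expansion is done against that constructed catalog, and the Read/Write/Admin classification is a simplified stand-in for the product's own Highest Access logic.

```python
"""Added example (not Sysdig's code): score an IAM policy's unused permissions
and derive a least-permissive replacement from observed usage.

Everything below is constructed for illustration. In practice the action
catalog would come from the IAM service reference and the observed actions
from CloudTrail or IAM Access Analyzer.
"""
import fnmatch
import json

# Constructed subset of the IAM action catalog, used to expand wildcards.
ACTION_CATALOG = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:GetBucketPolicy", "s3:PutBucketPolicy",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
    "iam:ListUsers", "iam:CreateUser", "iam:AttachUserPolicy",
}

# Simplified classification: verbs with these prefixes are treated as read-only,
# and actions that let a principal change permissions are treated as Admin.
READ_PREFIXES = ("Get", "List", "Describe")
ADMIN_ACTIONS = {"iam:AttachUserPolicy", "iam:CreateUser", "s3:PutBucketPolicy"}


def _as_list(value):
    """IAM allows a string or a list in Statement/Action; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM action wildcards (* and ?) behave like shell globs, case-insensitively."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def allowed_actions(policy):
    """Expand every Allow statement's Action patterns against the catalog."""
    granted = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        patterns = _as_list(stmt["Action"])
        granted.update(a for a in ACTION_CATALOG if _matches(a, patterns))
    return granted


def unused_percentage(policy, used_actions):
    """Unused permissions as a percentage of all granted permissions."""
    granted = allowed_actions(policy)
    if not granted:
        return 0.0
    unused = granted - set(used_actions)
    return round(100 * len(unused) / len(granted), 1)


def highest_access(policy):
    """Admin > Write > Read > Empty Access, following the page's categories."""
    granted = allowed_actions(policy)
    if not granted:
        return "Empty Access"
    if granted & ADMIN_ACTIONS:
        return "Admin"
    if any(not a.split(":", 1)[1].startswith(READ_PREFIXES) for a in granted):
        return "Write"
    return "Read"


def optimized_policy(policy, used_actions):
    """Least-permissive replacement: each Allow statement keeps only the
    actions observed in use, its Resource and Condition untouched; statements
    left with no used actions are dropped; Deny statements are kept as-is."""
    used = set(used_actions)
    statements = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            statements.append(stmt)
            continue
        patterns = _as_list(stmt["Action"])
        keep = sorted(a for a in ACTION_CATALOG if a in used and _matches(a, patterns))
        if keep:
            statements.append({**stmt, "Action": keep})
    return {**policy, "Statement": statements}


# Constructed policy: broad S3 access, EC2 read, and permission-changing IAM actions.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:AttachUserPolicy"], "Resource": "*"},
    ],
}
# Constructed usage: the only actions actually seen for this policy's entities.
OBSERVED_USAGE = {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"}

if __name__ == "__main__":
    print("granted:", len(allowed_actions(SAMPLE_POLICY)),
          "unused %:", unused_percentage(SAMPLE_POLICY, OBSERVED_USAGE),
          "highest access:", highest_access(SAMPLE_POLICY))
    print(json.dumps(optimized_policy(SAMPLE_POLICY, OBSERVED_USAGE), indent=2))
```

With the constructed inputs the policy grants 9 actions of which 6 are unused (66.7%) and rates as Admin because of the IAM actions; the optimized version keeps only `s3:GetObject`, `s3:PutObject` and `ec2:DescribeInstances`, drops the IAM statement entirely, and so falls to Write with 0% unused. Because the reduced policy is a single document, replacing the original in AWS changes access for every user, group and role it is attached to at once, which is exactly the global effect the page describes; review the attached-entity lists first.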