Identity

As cloud services proliferate, so do user access policies. Most enterprises use overly permissive policies that create large attack surfaces and significant security risks. The Sysdig Identity module helps you manage cloud infrastructure entitlements, so you can review and mitigate Permission Criticalities in minutes.

Prerequisites

AWS

When your AWS accounts are successfully connected to Sysdig Secure with CIEM, Sysdig detects and analyzes the policies, roles, users, and groups you’ve configured in AWS for identity and access weak points and proposes remediation steps.

  • Connect a Cloud Account for AWS
    • Install with Terraform or a CloudFormation Template (CFT). Both enable Threat Detection for CloudTrail, which is required for CIEM to work with AWS.
    • Either installation automatically creates a required Identity and Access Management (IAM) role, which gives Sysdig read-only access to your AWS resources.
      • Terraform role name: sfc-cloudbench
      • CFT role name: SysdigComplianceAgentlessRole
  • Adequate AWS permissions to read policies related to users, roles, and access.

GCP

When your GCP accounts are successfully connected to Sysdig Secure with CIEM, the policies, roles, users, groups, and service accounts you’ve configured in GCP are detected and analyzed for identity and access weak points, and Sysdig proposes remediation steps.

See Connect a Cloud Account for GCP.

Azure

When your Azure accounts are successfully connected to Sysdig Secure with CIEM, the users, roles, policies, groups, and service accounts you’ve configured in Azure are detected and analyzed for identity and access weak points, and Sysdig proposes remediation steps.

See Connect a Cloud Account for Azure.

Understand Identity

In Sysdig Secure, Identity works together with Compliance to highlight user-focused and resource-focused risks.

The interfaces highlight risk from different focal points:

  • IAM Policies: (AWS only) This page highlights critical risks organized by IAM policies. The detail drawers recommend policy optimizations to remove those risks. Optimization affects the entire policy.
  • Users: This page highlights critical risks organized by individual users, focusing on unused permissions and inactive users. The detail drawers suggest remediation strategies, such as removing an inactive user, and present policy optimization changes. Optimization affects only the targeted user.
  • Roles: This page highlights critical risks organized by role, focusing on unused permissions and unused roles. The detail drawers suggest remediation strategies for inactive or over-privileged roles, and present policy optimization changes. Optimization affects only the targeted role.
  • Groups: This page highlights critical risks organized by group, focusing on unused permissions and unused groups. The detail drawers suggest remediation strategies, such as removal, for inactive groups and present policy optimization changes. Optimization only affects the targeted group.
  • Service Identities: This page highlights the risks associated with your GCP service accounts and Azure service principals. The detail drawers offer remediation strategies and show connected IAM resources.

Use the Details Drawer

In any of the Identity pages, select an entity to open the details drawer on the right. Here, you will find key information about the entity. To learn more, navigate the available tabs:

  • Summary: Key information about the entity, such as the associated account ID, and an overview of its permission criticality. You can also view risky permissions, identified on the basis of their potential for misuse if an identity is compromised.
  • Remediation Strategies: View and apply suggestions to reduce the permission criticality of an entity. Possible actions might be to reduce the number of permissions granted to an inactive user or group.
  • Connected IAM Resources: View other IAM Resources, such as users, groups and roles, that are connected to the entity you are examining.
  • Configuration: (Only available in the IAM Policies page) View, copy or download the policy configuration in JSON.

Understanding Permission Criticality Scoring

Permissions are the primary determinant of Permission Criticality in IAM. If no permissions are tracked, the value for Unused Permission Criticality is n/a. Permission Criticality Scores range in the following order of severity: Critical, High, Medium, Low.

Permission Criticality Scores

Permission Criticality Scores are determined by the most critical permission granted by a policy. For example, a policy with at least one permission allowing a Critical action is given a Critical Permission Criticality Score.

Unused Permission Criticality

Unused Permission Criticality focuses on unused permissions, while Permission Criticality looks at all permissions. Unused Permission Criticality is designed to help you achieve the least permissive access.

Note: The Unused Permission Criticality and Permission Criticality scores can differ if there are Used permissions with higher scores than Unused.

Understand the Suggested Policy Changes

The Sysdig CIEM may prompt you to optimize policies in different ways.

  • Optimize an AWS Policy Globally: You can create an optimized policy to replace an existing policy. This “global” change affects all associated IAM entities (users, roles, groups).

    Use the Optimize IAM Policy button on an IAM Policy tab or page. See example.

  • Create Entity-Specific Optimized Policy: You can create a new, entity-specific policy that applies only to a user, role, or group. This “local” change affects the policies the IAM entity is associated with but does not replace the original policy.

    Use the Optimize IAM Policy button on a User, Role, or Group Detail Overview. See an example.

  • Delete: Sysdig may detect a policy that has not been used by any IAM entity. It will recommend removing this policy from your AWS environment.

Understand Highest Access

Highest Access offers a quick way to filter by Access Category. It shows this identity entity’s highest level of access according to all of its permissions. The categories are:

  • Admin: Actions that match certain patterns related to permissions or administrative controls, such as account/organization management, are categorized as Admin.
  • Write: Actions that modify data are categorized as Write. This includes subcategories like Write/Delete and Write/Create.
  • Read: Actions that allow one to view data are categorized as Read. This includes subcategories like List, Read, Action, Tagging.
  • Empty Access: Either no policies are attached, or a policy is attached with zero permissions.
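The following is an added example, not Sysdig's code, showing how the Permission Criticality and Unused Permission Criticality scores and the Highest Access category described above can be derived from an AWS IAM policy document plus the actions an identity was observed using. The per-action criticality ratings, the Admin/Write verb patterns, the sample policy and the used-action set are all constructed assumptions for illustration.

```python
import fnmatch
SEVERITY = ["Low", "Medium", "High", "Critical"]  # ascending order of severity
# Assumed per-action ratings, for illustration only; Sysdig's own ratings are not on this page.
ACTION_CRITICALITY = {
    "iam:CreateUser": "Critical",
    "s3:DeleteBucket": "High",
    "s3:PutObject": "Medium",
    "s3:GetObject": "Low",
    "s3:ListBucket": "Low",
}
# Constructed sample policy document and the actions CloudTrail shows the identity actually used.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
USED_ACTIONS = {"iam:CreateUser", "s3:GetObject"}

def expand_actions(policy: dict) -> set[str]:
    """Resolve Action patterns (wildcards included) against the tracked actions; explicit Deny wins."""
    allow, deny = set(), set()
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        patterns = [actions] if isinstance(actions, str) else actions
        matched = {a for p in patterns for a in ACTION_CRITICALITY if fnmatch.fnmatchcase(a, p)}
        (allow if stmt.get("Effect") == "Allow" else deny).update(matched)
    return allow - deny

def criticality(actions: set[str]) -> str:
    """The score is the single most critical action present; n/a when no permissions are tracked."""
    if not actions:
        return "n/a"
    return max((ACTION_CRITICALITY[a] for a in actions), key=SEVERITY.index)

def highest_access(actions: set[str]) -> str:
    """Admin > Write > Read by service prefix and action verb (assumed patterns); Empty Access if none."""
    if not actions:
        return "Empty Access"
    if any(a.startswith(("iam:", "organizations:")) for a in actions):
        return "Admin"
    if any(a.split(":", 1)[1].startswith(("Put", "Delete", "Create", "Update", "Attach")) for a in actions):
        return "Write"
    return "Read"

def score_policy(policy: dict, used: set[str]) -> dict:
    """Permission Criticality rates every granted action; the Unused score rates only the unused ones."""
    granted = expand_actions(policy)
    unused = granted - used
    return {"permission_criticality": criticality(granted), "unused_permission_criticality": criticality(unused),
            "highest_access": highest_access(granted), "unused_actions": sorted(unused)}
```

With the sample data the policy scores Critical overall but only Medium for unused permissions, which is the case the note above describes: the Critical action (iam:CreateUser) is in use, so it does not count toward the Unused score.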

Understand Risky Permissions

The Identity detail drawer highlights permissions flagged as risky by the Sysdig Threat Research team. Risky permissions are identified based on their potential for misuse if an identity is compromised.

Each flagged permission is accompanied by usage insights and links to relevant sources, such as associated Policies or Roles, making it easier to investigate and act. Open the detail drawer, hover over the Source column, and click Owner to examine the specific role in question. In the new Owner detail drawer that opens, you will see options for remediation actions. To proceed, click the Remediation Strategies tab in the Owner detail drawer.

Understand Remediation Strategies

The Sysdig CIEM offers the following remediation strategies:

  • Detach the role: All the roles that are totally unused by the selected identity will get this recommendation. If there are multiple unused roles, they are sorted by greatest reduction in unused permissions.
  • Consolidate and Reduce Permissions: This recommendation is aimed at consolidating and reducing permissions associated with an identity. Sysdig evaluates all actions taken by the identity across their roles and consolidates them into a single, group-specific custom role. Only one custom role suggestion is provided per identity.
  • Reduce Permissions with Existing Roles: You will receive recommendations corresponding to the number of attached roles. If an existing role encompasses all the permissions of the current role but has fewer total permissions, the user will be advised to replace it. If the users haven’t utilized any permissions, they will only receive a recommendation to detach the role. In cases where multiple replacement recommendations exist, they will be sorted by the greatest reduction in unused permissions.
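The following is an added example, not Sysdig's code, that works through the three remediation strategies above for a single identity: which attached roles to detach, what a consolidated custom role would contain, and which existing roles could replace a current one. The role definitions, the attached-role list and the set of used actions are constructed sample data, and the replacement rule is an assumed reading of "encompasses all the permissions" as the permissions the identity actually used from the current role.

```python
# Constructed sample: the permissions each existing role in the account grants.
ROLES = {
    "BackupOperator": {"s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteBucket"},
    "ReadOnlyS3": {"s3:GetObject", "s3:ListBucket"},
    "AuditReader": {"cloudtrail:LookupEvents", "ec2:DescribeInstances"},
    "NetworkAdmin": {"ec2:CreateVpc", "ec2:DeleteVpc", "ec2:DescribeInstances"},
    "LegacyBilling": {"ce:GetCostAndUsage", "aws-portal:ViewBilling"},
    "KmsOperator": {"kms:Decrypt"},
}
# Constructed sample identity: its attached roles and the actions CloudTrail shows it used.
ATTACHED = ["BackupOperator", "AuditReader", "NetworkAdmin", "LegacyBilling", "KmsOperator"]
USED = {"s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances"}

def unused_count(role: str, used: set[str]) -> int:
    """Permissions the role grants that the identity never exercised."""
    return len(ROLES[role] - used)

def detach_recommendations(attached=ATTACHED, used=USED) -> list[str]:
    """'Detach the role': roles with no used permission, sorted by unused permissions removed (largest first)."""
    fully_unused = [r for r in attached if not (ROLES[r] & used)]
    return sorted(fully_unused, key=lambda r: unused_count(r, used), reverse=True)

def consolidated_custom_role(attached=ATTACHED, used=USED) -> set[str]:
    """'Consolidate and Reduce Permissions': one custom role with only the actions used across all roles."""
    granted = set().union(*(ROLES[r] for r in attached))
    return used & granted

def replacement_recommendations(attached=ATTACHED, used=USED) -> list[tuple[str, str, int]]:
    """'Reduce Permissions with Existing Roles': (current, replacement, unused permissions removed).
    Assumption: the replacement must still cover the actions the identity used from the current role
    and grant fewer permissions in total; fully unused roles are left to the detach recommendation."""
    recs = []
    for cur in attached:
        needed = ROLES[cur] & used
        if not needed:
            continue
        for cand, perms in ROLES.items():
            if cand != cur and needed <= perms and len(perms) < len(ROLES[cur]):
                recs.append((cur, cand, unused_count(cur, used) - len(perms - used)))
    return sorted(recs, key=lambda rec: rec[2], reverse=True)
```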