Identity and Access

As cloud services proliferate, so do user access policies, and a majority of enterprises use overly permissive policies that create large attack surfaces and significant security risks. With Sysdig’s Identity and Access module (I&A) for cloud accounts, you can review and mitigate these risks in minutes.

Understanding Identity and Access

In Sysdig Secure for cloud, Identity and Access work together with Compliance and Benchmark tools under the Posture navigation tab in the Sysdig Secure menu.

Analysis: From this interface you can quickly ascertain risks from two different angles:

User-Focused Risks

  • Users and roles with excessive permissions
  • Inactive users that can be removed
  • Unnecessary permissions

Resource-focused Risks

  • Who can access a resource
  • Any suspicious cloud resource activity from a user with excessive permissions
  • Recent permissions changes

Remediation: From there, the tool can suggest an improved policy, based on users’ actual activity, which you can immediately paste into your AWS policy in the linked AWS console.

Understanding the Suggested Policy Changes

When you find a user or a policy with excessive permissions, there are two suggested types of remediations:

  • Global Policy Change: In this case, you click a targeted policy (e.g. AdministratorAccess) from either:

    • The policy link on a user’s panel, or
    • The Optimize Policy button on a policy panel

    A revised policy is suggested based on the activities of all users in the system that have been granted this entitlement.

    You would copy the suggested code into your existing policy in the AWS console.

  • User-Specific Policy: In this case, when investigating an individual user entry, you click Generate User-Specific Policy and a policy is suggested based on a combination of all policies and activities detected for that user.

    You would copy the suggested code into a new user policy in your AWS console.

Understanding the Wildcard Warnings

The Policies list page flags policies that include wildcards for Action or Resource. By default, all recommended or optimized policies from Sysdig will remove the Action wildcards.

Because Sysdig cannot detect the Resources deployed, it cannot automatically remediate Resource wildcards in policy code.
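As an added illustration of the two outcomes described above (this is example code, not Sysdig's own policy generator): it flags Action and Resource wildcards in an AWS IAM policy document, rewrites wildcard or unused Action entries down to the actions actually observed in CloudTrail for the identities holding the policy, and leaves Resource wildcards untouched because the deployed resources are not known. The policy document and the observed-action set are constructed samples.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy: one AdministratorAccess-style statement with Action
# and Resource wildcards, plus one statement scoped to a single bucket.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:DeleteBucket"],
         "Resource": "arn:aws:s3:::example-bucket"},   # constructed ARN
    ],
}

# Constructed sample: actions seen in CloudTrail for the identities holding this policy.
OBSERVED_ACTIONS = {"s3:GetObject", "s3:ListBucket", "sts:GetCallerIdentity"}


def as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_warnings(policy):
    """Return (statement index, field) for each Allow statement using a wildcard."""
    warnings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if any("*" in a for a in as_list(st.get("Action", []))):
            warnings.append((i, "Action"))
        if any("*" in r for r in as_list(st.get("Resource", []))):
            warnings.append((i, "Resource"))
    return warnings


def optimize_policy(policy, observed_actions):
    """Keep only observed actions per Allow statement; drop statements with none.
    Resource wildcards are left as they are: narrowing them needs an inventory
    of deployed resources that activity logs alone do not provide."""
    out = {"Version": policy["Version"], "Statement": []}
    for st in policy["Statement"]:
        new = dict(st)
        if st.get("Effect") == "Allow":
            patterns = [p.lower() for p in as_list(st.get("Action", []))]
            new["Action"] = sorted(a for a in observed_actions
                                   if any(fnmatchcase(a.lower(), p) for p in patterns))
            if not new["Action"]:
                continue
        out["Statement"].append(new)
    return out


if __name__ == "__main__":
    print(wildcard_warnings(SAMPLE_POLICY))
    print(json.dumps(optimize_policy(SAMPLE_POLICY, OBSERVED_ACTIONS), indent=2))
```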

Understanding Learning Mode and Disconnected States

Sysdig’s IAM page shows helpful information about cloud accounts and indicates several states for each registered account:

  • Learning Mode: A cloud account is in learning mode when the account was connected less than 90 days prior. This ensures that the user activity has been profiled for a meaningful amount of time.

  • Disconnected: A cloud account is in disconnected state if either of these events occur:

    • Cloud-Connector stops sending events. The timestamp shows the time the last events were received.
    • The role provisioned on the customer’s AWS account cannot be assumed by Sysdig.


  • Sysdig Secure for cloud for AWS

    • Can be installed with Terraform or CloudFormation Template
    • Either installation enables Threat Detection for CloudTrail, which is required for CIEM to work
    • Either installation automatically creates a required IAM role which gives Sysdig read-only access to your AWS resources.
      • Terraform role name: sfc-cloudbench
      • CFT role name: SysdigComplianceAgentlessRole
  • Adequate AWS permissions to edit policies related to users, roles, and access


  • Currently only identity-based policies (managed, inline, and group policies) are considered for permission calculation. Resource-based policies, permissions boundaries, organization SCPs, ACLs, and session policies are not yet accounted for during permission calculations.

    More details on these policies here.

  • Two notes about the data displayed:

    • AWS Last seen time is based on GetServiceLastAccessedDetails. For more information, see Amazon’s documentation.
    • The AWS permissions used by IAM identities are based on user activity observed in CloudTrail logs. Currently, permissions used after assuming roles are not taken into account.

Access the Overview

  1. Log in to Sysdig Secure.
  2. Select Posture > Identity and Access | Overview.
  3. Review the global Permissions posture from the various panels and use the filtered links to access the Users and Policies subpages as needed.

Filter by Account

On each page in the I&A section, all users and resources are listed by default. If desired, you can focus on a single cloud account, using the Accounts drop-down at the top of the page.

Review Unused Permissions

Total Permissions Usage

See at a glance the number of permissions that have been granted vs those that have actually been used. Click on the Used and Given links to see the related Policies list and remediate those with the highest number of unused permissions.


See at a glance the number of active vs inactive users. Click on the Active and Inactive links to see the related Users and Roles lists and to remediate.

Average Permissions Per Policy

See at a glance the average number of permissions granted per policy, per account, and click into the Policies list to remediate.

Average Policies Per User

See at a glance the average number of policies a user is associated with, per account, and click into the Users and Roles list to remediate.

Policies with Unused Permissions

The Inventory section orders the Policies, Users, and Roles with the greatest number of unused permissions at the top of the list. Click to expand the lists and remediate.

Users and Roles with Unused Permissions

The Inventory section orders the Policies, Users, and Roles with the greatest number of unused permissions at the top of the list. Click to expand the lists and remediate.

Users and Roles

The Identity and Access | Users and Roles page provides numerous ways to sort, filter, and rank the detected user and role information and to quickly remediate permissions in policies.

Filter and Sort

Available filters:

  • By account, by just users, by just roles
  • By unused permissions vs inactive users and roles

Each column in the table can be sorted to help target, for example, the users with the highest number of granted permissions or the highest percentage of unused permissions.

Analyze and Remediate

To reduce the entitlements for a particular user or role:

  1. Click on a user or role to open the detail pane.

    In the screenshot example above, the user has actually triggered only 1 of the 10,471 permissions issued, and is associated with five different policies. Full AdministratorAccess has not been needed for the job the user has been performing.

  2. Decide whether to Generate a User-Specific policy that takes into account all the policies and permissions this user has employed, or whether to use the Suggested Policy for e.g., AdministratorAccess, globally. See: Understanding the Suggested Policy Changes.

  3. Copy the generated policy and paste it into a policy in your AWS console.


The Identity and Access | Policies page currently displays AWS policies only. Other cloud vendors will be added over time.

Filter and Sort

As with the Users and Roles page, you can filter by account, and each column in the table is sortable.

The most common sorting priorities are:

  • By Unused % or Unused Permissions: Immediately target the policies with the greatest exposure and refine them according to the suggestions

  • By Shared Policy (# of Users): Focus on the policies affecting the greatest number of users and make a global policy change

  • By Wildcard warning: The Policies list specifically calls out the security risks posed by policies containing Resource or Action Wildcards. The suggested policies eliminate Action wildcards.

    See also: Understanding the Wildcard Warnings.

Analyze and Remediate

To reduce the entitlements globally for a particular policy:

  1. Click on a policy name to open the detail pane.

  2. Click Optimize Policy and review the proposed code.

  3. You can copy (then paste), download (then upload), or open the adjusted policy directly in the AWS console and save.

Posture Resources

The Resources page will be further developed in future releases.

At this time, you can use the S3 Bucket information to see all the S3 buckets currently set to Public and switch them to Private in the AWS console as needed. Similarly, the Lambdas are displayed with their public/private settings.

Download CSV

Each page of the Identity and Access module has a Download CSV button for retrieving the page data in a spreadsheet.

Note: If your Chrome browser is set to disallow downloading multiple files from a site, you may only get one CSV download and then a “blocked” message in the Chrome address bar. You can click the message to access and change that browser setting, if desired.


Check Read Access

Sysdig’s Identity and Access feature needs read access to specific resources such as IAM, S3 buckets, and Lambda functions in order to work. Certain AWS policies can block Sysdig from reading this data:

  • SCP

    • Ensure there are no restrictions on read access to IAM, S3, or Lambda
  • Resource-level policies set on specific S3 buckets or Lambda functions

  • Region-level policies that restrict reads to that specific region

Check Role Provisioning

Verify the role provisioned for Sysdig is correct with this API.

Check Health of cloud-connector

Verify the cloud-connector component is healthy by following these steps:

  1. Within the Sysdig Secure UI, navigate to Posture → Identity and Access → Overview

  2. Click on Learning in the top right corner.

Your connected cloud accounts will be shown with the status of the cloud-connector and the last time Sysdig received an event listed.

If cloud-connector is disconnected and the Last Event Sent timestamp is older than a few hours, user activity is not being monitored. Check the logs and contact Sysdig support to help resolve the issue.