Identity and Access (CIEM)
As cloud services proliferate, so do user access policies, and a majority of enterprises use overly permissive policies that create large attack surfaces and significant security risks. With Sysdig’s Identity and Access module for cloud accounts (also known as CIEM), you can review and mitigate these risks in minutes.
This topic includes the following high-level sections:
- Prerequisites
- Introduction (concepts)
- Overview page
- Users
- Roles
- Groups
- AWS IAM Policies
- Download CSV
- Troubleshooting
- Limitations
Prerequisites
- Connect Cloud Account for AWS
  - Can be installed with Terraform or CloudFormation Template
  - These will enable Threat Detection for CloudTrail, which is required for CIEM to work
  - Either installation automatically creates a required IAM role which gives Sysdig read-only access to your AWS resources.
    - Terraform role name: sfc-cloudbench
    - CFT role name: SysdigComplianceAgentlessRole
- Adequate AWS permissions to read policies related to users, roles, and access
Introduction
Understanding Identity and Access
In Sysdig Secure for cloud, Identity and Access work together with Compliance and Benchmark tools under the Posture navigation tab in the Sysdig Secure menu.
Analysis: From this interface you can quickly ascertain risks from two different angles:
User-Focused Risks
- Users and roles with excessive permissions
- Inactive users that can be removed
- Unnecessary permissions
Resource-focused Risks
- Who can access a resource
- Any suspicious cloud resource activity from a user with excessive permissions
- Recent permissions changes
Remediation: From there, the tool can suggest an improved policy, based on users’ actual activity, which you can immediately paste into your AWS policy in the linked AWS console.
Understanding the Suggested Policy Changes
When you find a user or a policy with excessive permissions, there are two suggested types of remediations:
Global Policy Change: In this case, you click a targeted policy (e.g. AdministratorAccess) from either:
- The policy link on a user’s panel, or
- The Optimize IAM Policy button on a policy panel
A revised policy is suggested based on the activities of all users in the system that have been granted this entitlement.
You would copy the suggested code into your existing policy in the AWS console.
User-Specific or Role-Specific Policy: In this case, when investigating an individual user or role entry, you click Optimize IAM Policy and a policy is suggested based on a combination of all policies and activities detected for that user or role. You would copy the suggested code into a new user policy in your AWS console.
Understanding Risk Scoring
Risk in Identity and Access Management (IAM) is primarily determined by IAM permissions.
Each IAM action maps to a Risk Score, which corresponds to one of the following Risk labels: Critical, High, Medium, Low.
Risk Scores are determined by the worst permissions given by a policy. For example, a policy with a Critical Risk Score has at least one permission allowing a Critical action.
Actionable Risk focuses on unused permissions, while Risk looks at all permissions. Actionable Risk is designed to help you achieve Least Permissive access.
Note: It’s possible for the Actionable Risk and Risk scores to differ if there are Used permissions with higher scores than Unused.
Understanding Learning Mode and Disconnected States
Sysdig’s IAM page shows helpful information about cloud accounts and indicates several states for each registered account:
Learning Mode: A cloud account is in learning mode when the account was connected less than 90 days prior. This ensures that the user activity has been profiled for a meaningful amount of time.
Disconnected: A cloud account is in disconnected state if either of these events occurs:
- Cloud-Connector stops sending events. The timestamp shows the time the last events were received
- The role provisioned on the customer’s AWS account cannot be impersonated
Understanding Highest Access
Highest Access offers a quick way to filter by Access Category. It shows the highest level of access that this identity entity has according to all of their permissions. The categories are:
- Read: No write permissions
- Write: No * anywhere, but write permissions attached in at least one policy
- Admin: At least one admin privilege (*) for a service
- Global Admin: Full Admin privileges (* : *)
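The Risk label and the four Highest Access categories defined above can be computed from a policy document directly, and seeing the rules as code makes their boundaries concrete. The following is an added example, not Sysdig’s code: the per-action risk table, the read-verb prefix list and the sample policies are constructed assumptions (Sysdig’s real per-action scores are not published here), and partial wildcards such as s3:Put* are counted as Write because the page defines Admin as a full service wildcard.

```python
"""Added example (not Sysdig's code): classify an IAM policy document by the
Highest Access categories and derive a policy Risk label as the worst action
risk.  The per-action risk table and the read/write name heuristic are
constructed assumptions; Sysdig's real scoring is not on the page."""
import fnmatch

# Assumption: an action whose name starts with one of these verbs is a read.
READ_PREFIXES = ("get", "list", "describe", "head", "lookup", "search")

RISK_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Constructed stand-in for Sysdig's per-action Risk Scores (lowercase keys).
ACTION_RISK = {
    "iam:createaccesskey": "Critical",
    "iam:attachuserpolicy": "Critical",
    "s3:deletebucket": "High",
    "s3:putobject": "Medium",
    "s3:getobject": "Low",
    "ec2:describeinstances": "Low",
}


def allowed_actions(policy):
    """Return lowercased action strings from Allow statements.

    Deny statements are skipped: this example rates what a policy grants.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    actions = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        actions.extend([acts] if isinstance(acts, str) else acts)
    return [a.lower() for a in actions]


def is_write(action):
    """Anything that is not a recognised read verb, or carries a wildcard, counts as write."""
    name = action.split(":", 1)[1] if ":" in action else action
    return "*" in name or not name.startswith(READ_PREFIXES)


def highest_access(policy):
    """Highest Access category using the page's four definitions.

    Partial wildcards such as s3:Put* are counted as Write here (assumption);
    the page defines Admin as a full service wildcard (service:*).
    """
    actions = allowed_actions(policy)
    if any(a in ("*", "*:*") for a in actions):
        return "Global Admin"
    if any(a.endswith(":*") for a in actions):
        return "Admin"
    if any(is_write(a) for a in actions):
        return "Write"
    return "Read"


def risk_label(policy):
    """Worst Risk label over every granted action, matching wildcards against the table."""
    worst = 0
    for pattern in allowed_actions(policy):
        for action, label in ACTION_RISK.items():
            if fnmatch.fnmatchcase(action, pattern):
                worst = max(worst, RISK_RANK[label])
    return next((lbl for lbl, rank in RISK_RANK.items() if rank == worst), "Low")


# Constructed sample policies.
def _policy(*actions):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


GLOBAL_ADMIN = _policy("*")
S3_ADMIN = _policy("s3:*", "ec2:DescribeInstances")
WRITER = _policy("s3:PutObject", "s3:GetObject")
READER = _policy("ec2:DescribeInstances", "s3:GetObject")

if __name__ == "__main__":
    for name, pol in [("GLOBAL_ADMIN", GLOBAL_ADMIN), ("S3_ADMIN", S3_ADMIN),
                      ("WRITER", WRITER), ("READER", READER)]:
        print(f"{name}: {highest_access(pol)} / {risk_label(pol)}")
```

Note that the Risk label is driven by the single worst action, so a policy that is only Write by access category can still rate Critical if one of its write actions is a privilege-escalation primitive; the two views answer different questions.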
Overview
Access the Overview
- Log in to Sysdig Secure.
- Select Posture > Identity and Access | Overview.
- Review the global Permissions posture from the various panels and use the filtered links to access the Users and Policies subpages as needed.
Filter by Account
On each page in the Identity and Access section, all users and resources are listed by default. If desired, you can focus on a single cloud account, using the Accounts drop-down at the top of the page.
Review Unused Permissions
Total Permissions Usage
See at a glance the number of permissions that have been granted vs those that have actually been used. Click on the Used and Given links to see the related Policies list and remediate those with the highest number of unused permissions.
Users
See at a glance the number of active vs inactive users. Click on the Active and Inactive links to see the related Users and Roles lists and to remediate.
Average Permissions Per Policy
See at a glance the average number of permissions granted per policy, per account, and click into the Policies list to remediate.
Average Policies Per User
See at a glance the average number of policies a user is associated with, per account and click into the Users and Roles list to remediate.
Policies with Unused Permissions
The Inventory section orders the Policies, Users, and Roles with the greatest number of unused permissions at the top of the list. Click to expand the lists and remediate.
Users and Roles with Unused Permissions
The Inventory section orders the Policies, Users, and Roles with the greatest number of unused permissions at the top of the list. Click to expand the lists and remediate.
Users
The AWS IAM Users page provides numerous ways to sort, filter, and rank the detected user information to quickly remediate identity risks associated with users and their policies.
Filter and Sort
Available filters:
- By Actionable Risk
- By Account
- By User Attributes
  - Root User
  - No MFA
  - Inactive
  - Admin
  - Multiple Access Keys Active
  - Access Key Not Rotated
Each column in the table can be sorted to help target, for example, the users with the highest number of granted permissions or the highest percentage of unused permissions.
Analyze and Remediate
To reduce the entitlements for a particular user or role:
Click on a user or role to open the detail pane.
In the screenshot example above, the user has not triggered all of the permissions issued, and is associated with two different policies. Full AdministratorAccess has not been needed for the job the user has been performing.
Decide whether to Optimize IAM Policy, taking into account all the policies and permissions this user has employed, or whether to use the Suggested Policy for e.g., AdministratorAccess, globally. See: Understanding the Suggested Policy Changes.
Copy the generated policy and paste it into a policy in your AWS console.
Roles
The AWS IAM Roles page provides numerous ways to sort, filter, and rank the detected role information to quickly remediate identity risks associated with roles and their policies.
Filter and Sort
Available Filters:
- By Actionable Risk
- By Account
- By Role Attributes
  - Inactive
  - Admin
Analyze and Remediate
To reduce the entitlements for a particular role:
Click on a role to open the detail pane:
In the screenshot example above, the role has actually triggered only 1 of the 60 permissions issued, and is associated with two different policies.
Decide whether to Optimize IAM Policy, taking into account all the policies and permissions this role has employed, or whether to use the Suggested Policy for e.g., AmazonEKSClusterPolicy, globally. See: Understanding the Suggested Policy Changes.
Copy the generated policy and paste it into a policy in your AWS console.
Groups
The Groups page provides numerous ways to sort, filter, and rank the detected AWS IAM User group information to quickly remediate identity risks associated with the group’s users and policies.
Filter and Sort
Available filters are by:
- Actionable Risk: Critical, High, Medium, Low
- Account: Detected and displayed in the drop-down
- Access Levels: Global, Admin, Write, Read
- Group Attribute: Admin (all members of a group have admin permissions) and Inactive (all members of a group are inactive)
Each column in the table can be sorted to help target, for example, the group with the highest risk score or highest access category.
Analyze and Remediate
To reduce the entitlements for a particular group:
Click on a group to open the detail pane.
Decide whether to Optimize IAM Policy by taking Sysdig’s Least Permissive suggestion to optimize the policy. This takes into account:
- All the policies attached to this group
- Permissions the users of the group have used
and narrows the scope of permissions to only what was actually used.
Copy the generated policy and paste it into a policy in your AWS console.
AWS IAM Policies
The Identity and Access|AWS IAM Policies page currently displays AWS policies only. Other cloud vendors will be added over time.
Filter and Sort
As with the Users and Roles page, you can filter by account, and each column in the table is sortable.
Available filters:
- By Actionable Risk
- By Account
- By Policy Attributes (Unused)
- By Policy Type
  - AWS Managed
  - Customer
  - Inline
Each column in the table can be sorted. The most common sorting priorities are:
- By Unused % or Unused Permissions: Immediately target the policies with the greatest exposure and refine them according to the suggestions
- By Shared Policy (# of Users): Focus on the policies affecting the greatest number of users and make a global policy change
Analyze and Remediate
To reduce the entitlements globally for a particular policy:
Click on a policy name to open the detail pane.
Click Optimize IAM Policy and review the proposed code. You can copy (then paste), download (then upload), or open the adjusted policy directly in the AWS console and save.
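The granted-versus-used counts on the Overview, the Groups narrowing (all attached policies checked against what the members actually used) and the global policy optimization described here all reduce to the same computation: expand what a policy grants, attribute CloudTrail activity to identities, and keep only the intersection. The following is an added example, not Sysdig’s or AWS’s code. ACTION_CATALOGUE is a constructed stand-in for the AWS action list, SAMPLE_POLICY and SAMPLE_EVENTS are constructed, and taking CloudTrail eventName as the IAM action name is a simplification.

```python
"""Added example (not Sysdig's code): measure granted vs used permissions and
build a least-permissive policy from CloudTrail activity.  The action
catalogue, the sample policy and the CloudTrail events are constructed;
CloudTrail eventName is taken as the IAM action name, which is a
simplification."""
import fnmatch

# Constructed stand-in for the AWS action catalogue (the real one has thousands of actions).
ACTION_CATALOGUE = {
    "s3": ["GetObject", "PutObject", "ListBucket", "DeleteBucket", "DeleteObject"],
    "ec2": ["DescribeInstances", "RunInstances", "TerminateInstances"],
    "iam": ["ListUsers", "CreateAccessKey", "AttachUserPolicy"],
}


def expand_action(action):
    """Expand one (possibly wildcarded) policy action into concrete catalogue actions."""
    service, name = ("*", "*") if action == "*" else action.split(":", 1)
    return {
        f"{svc}:{act}"
        for svc, acts in ACTION_CATALOGUE.items()
        if fnmatch.fnmatchcase(svc, service.lower())
        for act in acts
        if fnmatch.fnmatchcase(act.lower(), name.lower())
    }


def granted_actions(policy):
    """Every concrete action an Allow statement grants (Action assumed to be a list)."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow":
            for action in stmt["Action"]:
                granted |= expand_action(action)
    return granted


def used_actions(events, user_names):
    """Actions observed in CloudTrail for the given IAM users.

    Mirrors the limitation noted at the end of this page: only direct IAMUser
    activity is attributed, so events recorded after AssumeRole are not counted.
    """
    used = set()
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "IAMUser" or ident.get("userName") not in user_names:
            continue
        service = ev["eventSource"].split(".", 1)[0]
        used.add(f"{service}:{ev['eventName']}")
    return used


def usage_report(policy, events, user_names):
    """Granted vs used counts, the numbers the Overview panels summarise."""
    granted = granted_actions(policy)
    used = used_actions(events, user_names) & granted
    unused = granted - used
    pct = round(100 * len(unused) / len(granted)) if granted else 0
    return {"granted": len(granted), "used": len(used), "unused": len(unused), "unused_pct": pct}


def least_permissive_policy(policy, events, user_names):
    """Narrow the policy to the actions the users actually exercised.

    Resource scoping is left as "*" here; tighten it separately.
    """
    used = sorted(used_actions(events, user_names) & granted_actions(policy))
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": used, "Resource": "*"}]}


# Constructed sample: a policy with a full S3 wildcard, and a few CloudTrail records.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:DescribeInstances"], "Resource": "*"}]}


def _event(user_type, user, source, name):
    ident = {"type": user_type}
    if user:
        ident["userName"] = user
    return {"userIdentity": ident, "eventSource": source, "eventName": name}


SAMPLE_EVENTS = [
    _event("IAMUser", "alice", "s3.amazonaws.com", "GetObject"),
    _event("IAMUser", "alice", "s3.amazonaws.com", "ListBucket"),
    _event("IAMUser", "alice", "ec2.amazonaws.com", "DescribeInstances"),
    _event("IAMUser", "bob", "s3.amazonaws.com", "PutObject"),
    _event("AssumedRole", None, "s3.amazonaws.com", "DeleteBucket"),  # not attributed
    _event("IAMUser", "alice", "iam.amazonaws.com", "ListUsers"),     # used but never granted
]

if __name__ == "__main__":
    import json
    print(usage_report(SAMPLE_POLICY, SAMPLE_EVENTS, {"alice"}))
    print(json.dumps(least_permissive_policy(SAMPLE_POLICY, SAMPLE_EVENTS, {"alice"}), indent=2))
```

Pass a single user for a user-specific suggestion, the members of a group for a group-level one, or every identity holding the policy for a global policy change. The unused percentage is the same figure the Overview and the Policies table sort on, and the AssumedRole record is deliberately ignored to match the limitation listed at the end of this page.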
Download CSV
Each page of the Identity and Access module has a Download CSV button for retrieving the page data in a spreadsheet.
Note: If your Chrome browser is set to disallow downloading multiple files from a site, you may only get one CSV download and then a “blocked” message in the Chrome address bar. You can click the message to access and change that browser setting, if desired.
Troubleshooting
Check Read Access
Sysdig’s Identity and Access feature needs read access to specific resources such as IAM in order to function. Certain AWS policies block Sysdig from reading data:
- SCP: Ensure there are no restrictions on read access to IAM
- Region-level policies that restrict what can be read to a specific region
Check Role Provisioning
Verify the role provisioned for Sysdig is correct with this API.
Check Health of cloud-connector
Verify the cloud-connector component is healthy by following these steps:
Within the Sysdig Secure UI, navigate to Posture → Identity and Access → Overview.
Click on Learning in the top right corner.
Your connected cloud accounts will be shown with the status of the cloud-connector and the last time Sysdig received an event listed.
If cloud-connector is disconnected and the Last Event Sent timestamp is older than a few hours, user activity will not be monitored. Please check logs and contact Sysdig support to help resolve the issue.
Limitations
Currently, only the identity-based policies (managed, inline, and group policies), Organization SCPs, and permission boundaries are considered for permission calculation. Resource-based policies, ACLs, and session policies are not yet accounted for during permission calculations.
More details on these policies here.
Two notes about the data displayed:
- AWS Last seen time is based on GetServiceLastAccessedDetails. For more information, see Amazon’s documentation.
- The AWS permissions used by IAM identities are based on user activity observed in CloudTrail logs. Currently, permissions used after assuming roles are not taken into account.