Identity and Access (CIEM)

As cloud services proliferate, so do user access policies, and most enterprises use overly permissive policies that create large attack surfaces and significant security risks. With Sysdig’s Identity and Access module for cloud accounts (also known as CIEM), you can review and mitigate these risks in minutes.

Prerequisites

AWS

When your AWS account(s) are successfully connected to Sysdig Secure with CIEM, the policies, roles, users, and groups you’ve configured in AWS are detected and analyzed for identity and access weak points, and Sysdig proposes remediation steps.

  • Connect a Cloud Account for AWS
    • Installed with Terraform or CloudFormation Template
      • These enable Threat Detection for CloudTrail, which is required for CIEM to work with AWS
    • Either installation automatically creates a required IAM role, which gives Sysdig read-only access to your AWS resources.
      • Terraform role name: sfc-cloudbench
      • CFT role name: SysdigComplianceAgentlessRole
  • Adequate AWS permissions to read policies related to users, roles, and access.

GCP

When your GCP account(s) are successfully connected to Sysdig Secure with CIEM, the policies, roles, users, groups, and service accounts you’ve configured in GCP are detected and analyzed for identity and access weak points, and Sysdig proposes remediation steps.

See Connect a Cloud Account for GCP.

Understand Identity and Access

In Sysdig Secure, Identity and Access works together with Compliance tools under the Posture navigation tab in the Sysdig Secure menu to highlight user-focused and resource-focused risks.

The interfaces highlight risk from different focal points:

  • IAM Policy: (AWS only) This page highlights critical risks organized by IAM policies. The detail drawers present policy optimization changes to remove those risks. Optimization affects the entire policy.
  • Users: This page highlights critical risks organized by individual users, focusing on unused permissions and inactive users. The detail drawers suggest when to consider removing a user due to inactivity and present policy optimization changes. Optimization affects the targeted user only.
  • Roles: This page highlights critical risks organized by role, focusing on unused permissions and unused roles. The detail drawers suggest when to consider removing a role due to inactivity and present policy optimization changes. Optimization affects the targeted role only.
  • Groups: This page highlights critical risks organized by group, focusing on unused permissions and unused groups. The detail drawers suggest when to consider removing a group due to inactivity and present policy optimization changes. Optimization affects the targeted group only.
  • Service Accounts: (GCP only) This page highlights the risks associated with your GCP service accounts.

Understanding Risk Scoring

Risk in Identity and Access is determined primarily by IAM permissions. The value for Actionable Risk is n/a if no used permissions are tracked.

Each IAM action maps to a Risk Score corresponding to one of the following Risk labels: Critical, High, Medium, Low.

Risk Scores

Risk Scores are determined by the worst permissions given by a policy. For example, a policy with a Critical Risk Score has at least one permission allowing a Critical action.

Actionable Risk

Actionable Risk focuses on unused permissions, while Risk looks at all permissions. Actionable Risk is designed to help you achieve Least Permissive access.

Note: The Actionable Risk and Risk scores can differ if there are Used permissions with higher scores than Unused.

Understanding the Suggested Policy Changes

Sysdig CIEM may prompt you to optimize policies in different ways.

  • Optimize an AWS Policy Globally: You can create an optimized policy to replace an existing policy. This “global” change affects all associated IAM entities (users, roles, groups).

    Use the Optimize IAM Policy button on an IAM Policy tab or page. See example.

  • Create Entity-Specific Optimized Policy: You can create a new, entity-specific policy that applies only to a user, role, or group. This “local” change affects the policies the IAM entity is associated with but does not replace the original policy.

    Use the Optimize IAM Policy button on a User, Role, or Group Detail Overview. See an example.

  • Delete: Sysdig may detect a policy that has not been used by any IAM entity. It will recommend removing this policy from your AWS environment.
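The scoring rules above (Risk over all permissions, Actionable Risk over unused permissions only, n/a when no usage is tracked) and the entity-specific optimized policy can be worked through on a policy document. The following is an added example, not Sysdig's own code: the action-to-risk mapping and the sample policy are constructed for illustration, and the treatment of an empty unused set as no actionable risk is this example's assumption.

```python
RISK_ORDER = ["Low", "Medium", "High", "Critical"]

# Hypothetical action-to-risk mapping; Sysdig's real per-action scores are not given on the page.
ACTION_RISK = {"iam:PassRole": "Critical", "s3:DeleteObject": "High",
               "s3:PutObject": "Medium", "s3:GetObject": "Low", "s3:ListBucket": "Low"}

# Constructed sample policy document, not a real customer policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


def _as_list(action):
    """IAM allows 'Action' to be a single string or a list; normalise to a list."""
    return [action] if isinstance(action, str) else list(action)


def granted_actions(policy):
    """Set of actions the policy allows; Deny statements grant nothing and carry no risk."""
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow" for a in _as_list(s["Action"])}


def worst_risk(actions):
    """Worst Risk label in the set (unmapped actions assumed Low); None if the set is empty."""
    labels = [ACTION_RISK.get(a, "Low") for a in actions]
    return max(labels, key=RISK_ORDER.index) if labels else None


def risk_scores(policy, used_actions=None):
    """Return (Risk, Actionable Risk). Risk spans every granted action; Actionable Risk spans
    only the unused ones and is 'n/a' when no usage data is tracked (used_actions is None)."""
    granted = granted_actions(policy)
    if used_actions is None:
        return worst_risk(granted), "n/a"
    return worst_risk(granted), worst_risk(granted - set(used_actions))


def optimized_policy(policy, used_actions):
    """Entity-specific optimized policy: keep only the Allow actions the entity actually used,
    leave Deny statements untouched, and drop any statement left with no actions."""
    used = set(used_actions)
    statements = []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        if stmt.get("Effect") == "Allow":
            actions = [a for a in actions if a in used]
        if actions:
            statements.append({**stmt, "Action": actions})
    return {"Version": policy["Version"], "Statement": statements}
```

With `iam:PassRole` and `s3:GetObject` as the used actions, Risk stays Critical while Actionable Risk drops to Medium, which is exactly the case the note above describes.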

Understand Highest Access

Highest Access offers a quick way to filter by Access Category. It shows the identity's highest level of access according to all of its permissions. The categories are:

  • Admin: Actions that match certain patterns related to permissions or administrative controls, such as account/organization management, are categorized as Admin.
  • Write: Actions that modify data are categorized as Write. This includes subcategories like Write/Delete, Write/Create.
  • Read: Actions that allow one to view data are categorized as Read. This includes subcategories like List, Read, Action, Tagging.
  • Empty Access: Either no policies are attached, or a policy is attached with zero permissions.
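The Highest Access categories above, as an added example that classifies an identity's granted actions and filters identities by category. This is not Sysdig's own classifier: the page says Admin matches "certain patterns" without listing them, so the patterns, verb lists and sample identities here are assumptions constructed for illustration.

```python
import re

# Assumed Admin patterns: account/organization management and anything that edits permissions.
ADMIN_PATTERNS = (r"^\*$", r"^iam:(?!Get|List)", r"^organizations:(?!Describe|List)",
                  r":(Put|Attach|Update|Delete)\w*Policy$", r"^sts:AssumeRole$")
# Assumed Read verbs (covering the List, Tagging and similar subcategories named on the page).
READ_VERBS = ("Get", "List", "Describe", "Read", "Tag", "Untag", "Scan", "Query", "Select")
ACCESS_ORDER = ["Empty Access", "Read", "Write", "Admin"]


def classify_action(action):
    """Access Category for one IAM action string such as 's3:GetObject' or 'ec2:*'."""
    if any(re.search(p, action) for p in ADMIN_PATTERNS):
        return "Admin"
    verb = action.split(":", 1)[-1]
    if verb != "*" and verb.startswith(READ_VERBS):
        return "Read"
    return "Write"  # service wildcards and every non-read verb can modify data (assumption)


def highest_access(actions):
    """Highest Access of an identity: the top category across every action it is granted;
    'Empty Access' when no policy is attached or the attached policy grants nothing."""
    categories = [classify_action(a) for a in actions]
    return max(categories, key=ACCESS_ORDER.index) if categories else "Empty Access"


def access_filter(identities, category):
    """Names in a {name: [actions]} map whose Highest Access equals `category`, sorted."""
    return sorted(n for n, acts in identities.items() if highest_access(acts) == category)


# Constructed sample identities; not real users or roles.
SAMPLE_IDENTITIES = {
    "audit-reader": ["s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances"],
    "ci-deployer": ["s3:GetObject", "s3:PutObject", "ecs:UpdateService"],
    "break-glass": ["iam:CreateAccessKey", "iam:PassRole"],
    "stale-user": [],
}
```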