Identity and Access (CIEM)

As cloud services proliferate, so do user access policies, and a majority of enterprises use overly permissive policies that create large attack surfaces and significant security risks. With Sysdig’s Identity and Access module for cloud accounts (also known as CIEM), you can review and mitigate these risks in minutes.

This topic includes the following high-level sections:

Prerequisites

  • Connect Cloud Account for AWS
    • Can be installed with Terraform or CloudFormation Template
    • These enable Threat Detection for CloudTrail, which is required for CIEM to work
    • Either installation automatically creates a required IAM role which gives Sysdig read-only access to your AWS resources.
      • Terraform role name: sfc-cloudbench
      • CFT role name: SysdigComplianceAgentlessRole
  • Adequate AWS permissions to read policies related to users, roles, and access

Introduction

Understanding Identity and Access

In Sysdig Secure for cloud, Identity and Access work together with Compliance and Benchmark tools under the Posture navigation tab in the Sysdig Secure menu.

Analysis: From this interface you can quickly ascertain risks from two different angles:

User-Focused Risks

  • Users and roles with excessive permissions
  • Inactive users that can be removed
  • Unnecessary permissions

Resource-focused Risks

  • Who can access a resource
  • Any suspicious cloud resource activity from a user with excessive permissions
  • Recent permissions changes

Remediation: From there, the tool can suggest an improved policy, based on users’ actual activity, which you can immediately paste into your AWS policy in the linked AWS console.

Understanding the Suggested Policy Changes

When you find a user or a policy with excessive permissions, there are two suggested types of remediations:

  • Global Policy Change: In this case, you click a targeted policy (e.g. AdministratorAccess) from either:

    • The policy link on a user’s panel, or
    • The Optimize IAM Policy button on a policy panel

    A revised policy is suggested based on the activities of all users in the system that have been granted this entitlement.

    You would copy the suggested code into your existing policy in the AWS console.

  • User-Specific or Role-Specific Policy: In this case, when investigating an individual user or role entry, you click Optimize IAM Policy and a policy is suggested based on a combination of all policies and activities detected for that user or role.

    You would copy the suggested code into a new user policy in your AWS console.
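The narrowing step described above (a suggested policy derived from granted entitlements and observed activity) can be illustrated in code. The following is an added example, not Sysdig's code: it intersects the Allow actions of a user's attached policies with the actions that CloudTrail shows the user actually invoking, and emits one least-privilege statement per resource. The policy documents and the observed action set are constructed sample data, and the helper names are this example's own.

```python
"""Illustrative least-privilege suggestion (added example, not Sysdig's code).

Takes the Allow statements of every policy attached to one identity plus the
set of actions observed for that identity in CloudTrail, and returns a policy
that allows only the observed actions, each on the narrowest resource that
currently grants it.
"""
import fnmatch
import json

# Constructed sample: two policies attached to one user (names are made up).
ATTACHED_POLICIES = {
    "AdministratorAccess": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "TeamS3Read": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": ["arn:aws:s3:::example-bucket",
                             "arn:aws:s3:::example-bucket/*"],
            }
        ],
    },
}

# Constructed sample: distinct actions observed for this user in CloudTrail,
# already normalised from eventSource/eventName to IAM action names.
OBSERVED_ACTIONS = {
    "s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances",
    "sts:GetCallerIdentity",
}


def _as_list(value):
    """IAM allows a bare string where a list is expected; normalise."""
    return value if isinstance(value, list) else [value]


def granted_allow_statements(policies):
    """Yield (action_pattern, resource) pairs for every Allow statement.
    Deny statements, SCPs and permission boundaries are not modelled here."""
    for doc in policies.values():
        for stmt in _as_list(doc["Statement"]):
            if stmt.get("Effect") != "Allow" or "Action" not in stmt:
                continue
            for pattern in _as_list(stmt["Action"]):
                for resource in _as_list(stmt.get("Resource", "*")):
                    yield pattern, resource


def used_actions_covered(policies, observed):
    """Map each observed action to the resources some policy grants it on.
    fnmatchcase handles IAM wildcards such as '*' or 'ec2:Describe*'."""
    covered = {}
    for pattern, resource in granted_allow_statements(policies):
        for action in observed:
            if fnmatch.fnmatchcase(action, pattern):
                covered.setdefault(action, set()).add(resource)
    return covered


def suggest_policy(policies, observed):
    """Build a policy with one Allow statement per resource, listing only the
    observed actions that an attached policy currently allows there."""
    by_resource = {}
    for action, resources in used_actions_covered(policies, observed).items():
        # Prefer the narrowest grant: if the action is allowed on a specific
        # resource, drop the '*' grant for it.
        specific = {r for r in resources if r != "*"}
        for resource in (specific or {"*"}):
            by_resource.setdefault(resource, set()).add(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(suggest_policy(ATTACHED_POLICIES, OBSERVED_ACTIONS), indent=2))
```

Run as a script it prints the suggested policy; the two S3 actions land on the bucket ARNs rather than on `*`, while the EC2 and STS actions, granted only by the `*` statement, keep `*` as their resource. The example ignores Deny statements and anything outside identity-based policies, which matches the Limitations listed at the end of this topic.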

Understanding Risk Scoring

Risk in Identity and Access Management (IAM) is primarily determined by IAM permissions.

Each IAM action maps to a Risk Score, which corresponds to one of the following Risk labels: Critical, High, Medium, Low.

Risk Scores are determined by the worst permissions given by a policy. For example, a policy with a Critical Risk Score has at least one permission allowing a Critical action.

Actionable Risk focuses on unused permissions, while Risk looks at all permissions. Actionable Risk is designed to help you achieve Least Permissive access.

Note: It’s possible for the Actionable Risk and Risk scores to differ if there are Used permissions with higher scores than Unused.
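The scoring rules above (a policy's Risk is the worst label among its permissions; Actionable Risk is the worst label among its unused permissions) can be worked through in code. The following is an added example, not Sysdig's code: the per-action risk table is constructed for illustration, since Sysdig's actual action-to-risk mapping is not published here, and the sample policy and observed usage are made up. It also reproduces the case in the note, where Risk and Actionable Risk differ because the highest-risk permission is one that was actually used.

```python
"""Illustrative Risk / Actionable Risk computation (added example, not Sysdig's).

Risk            = worst label over every action a policy allows.
Actionable Risk = worst label over the allowed actions that were never used.
"""
import fnmatch

LABELS = ["Low", "Medium", "High", "Critical"]        # ascending severity
SCORE = {label: i for i, label in enumerate(LABELS)}  # Low=0 ... Critical=3

# Constructed, hypothetical per-action labels (not Sysdig's real mapping).
RISK_BY_ACTION = {
    "iam:CreateAccessKey": "Critical",
    "iam:AttachUserPolicy": "Critical",
    "s3:PutBucketPolicy": "High",
    "ec2:RunInstances": "Medium",
    "s3:GetObject": "Low",
    "ec2:DescribeInstances": "Low",
}

# Constructed sample policy: one Critical action plus two wildcard grants.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:CreateAccessKey", "s3:*", "ec2:Describe*"],
         "Resource": "*"}
    ],
}

# Constructed sample of actions this policy's principals actually invoked.
USED_ACTIONS = {"iam:CreateAccessKey", "s3:GetObject"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def expand_actions(patterns, catalogue=RISK_BY_ACTION):
    """Expand IAM action patterns ('s3:*', 'ec2:Describe*', '*') against the
    catalogue of known actions."""
    out = set()
    for pattern in patterns:
        out.update(a for a in catalogue if fnmatch.fnmatchcase(a, pattern))
    return out


def policy_actions(policy):
    """Every catalogued action allowed by the policy's Allow statements."""
    granted = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            granted |= expand_actions(_as_list(stmt["Action"]))
    return granted


def worst_label(actions):
    """Highest-severity label among the given actions; None if empty."""
    if not actions:
        return None
    return max((RISK_BY_ACTION[a] for a in actions), key=SCORE.__getitem__)


def risk_scores(policy, used_actions):
    """Return Risk, Actionable Risk and the unused set for a policy."""
    granted = policy_actions(policy)
    unused = granted - set(used_actions)
    return {
        "Risk": worst_label(granted),
        "Actionable Risk": worst_label(unused),
        "Unused": sorted(unused),
        "Unused %": round(100 * len(unused) / len(granted)) if granted else 0,
    }


if __name__ == "__main__":
    for key, value in risk_scores(SAMPLE_POLICY, USED_ACTIONS).items():
        print(f"{key}: {value}")
```

For the sample, the policy is Critical because it allows `iam:CreateAccessKey`, but its Actionable Risk is only High: the Critical action was used, so the worst unused permission is `s3:PutBucketPolicy`. Removing the unused actions is what lowers the Actionable Risk without breaking the observed workload.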

Understanding Learning Mode and Disconnected States

Sysdig’s IAM page shows helpful information about cloud accounts and indicates several states for each registered account:

  • Learning Mode: A cloud account is in learning mode when the account was connected less than 90 days prior. This ensures that the user activity has been profiled for a meaningful amount of time.

  • Disconnected: A cloud account is in disconnected state if either of these events occur:

    • Cloud-Connector stops sending events. The timestamp shows the time the last events were received
    • The role provisioned on the customer’s AWS account cannot be impersonated

Understanding Highest Access

Highest Access offers a quick way to filter by Access Category. It shows the highest level of access that an identity has according to all of its permissions. The categories are:

  • Read

    No write permissions

  • Write

    No * anywhere, but write permissions are attached in at least one policy

  • Admin

    At least one admin privilege (*) for a service

  • Global Admin

    Full Admin privileges (* : *)
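The four categories above can be computed from the Allow actions across an identity's policies. The following is an added example, not Sysdig's code, that applies the definitions as listed: a bare `*` (or `*:*`) is Global Admin, a service-wide `service:*` is Admin, and anything else is Read or Write. Two details are this example's own assumptions: an action is treated as read-only when its name starts with Get, List or Describe, and a partial wildcard such as `ec2:Describe*` is classified by that same prefix. The sample identities and policy documents are constructed.

```python
"""Highest Access classification (added example, not Sysdig's code).

Read         : no write permissions
Write        : write permissions, but no '*' anywhere
Admin        : at least one service-wide wildcard, e.g. 's3:*'
Global Admin : full admin, '*' or '*:*'
"""

CATEGORIES = ["Read", "Write", "Admin", "Global Admin"]
RANK = {c: i for i, c in enumerate(CATEGORIES)}

# Assumption: action names beginning with these verbs are read-only.
READ_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_category(action):
    """Category implied by a single action pattern from an Allow statement."""
    if action in ("*", "*:*"):
        return "Global Admin"
    _service, _, name = action.partition(":")
    if name == "*":
        return "Admin"              # service-wide admin, e.g. 's3:*'
    if name.startswith(READ_PREFIXES):
        return "Read"               # covers 'iam:GetUser' and 'ec2:Describe*'
    return "Write"                  # 's3:PutObject', 's3:*Object', ...


def highest_access(policies):
    """Highest category over all Allow actions in all attached policies.
    Deny statements do not raise access, so they are skipped. Returns None
    for an identity with no Allow actions at all."""
    best = None
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            for action in _as_list(stmt.get("Action", [])):
                cat = action_category(action)
                if best is None or RANK[cat] > RANK[best]:
                    best = cat
    return best


# Constructed sample identities, each with a list of attached policy documents.
SAMPLE_IDENTITIES = {
    "auditor": [
        {"Statement": [{"Effect": "Allow",
                        "Action": ["s3:ListBucket", "ec2:Describe*"],
                        "Resource": "*"}]},
    ],
    "deployer": [
        {"Statement": [{"Effect": "Allow",
                        "Action": ["s3:GetObject", "s3:PutObject"],
                        "Resource": "arn:aws:s3:::example-bucket/*"}]},
        {"Statement": [{"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]},
    ],
    "s3-admin": [
        {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    ],
    "break-glass": [
        {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    ],
    "no-permissions": [],
}


def classify_all(identities):
    """Map each identity name to its Highest Access category."""
    return {name: highest_access(policies) for name, policies in identities.items()}


if __name__ == "__main__":
    for name, category in classify_all(SAMPLE_IDENTITIES).items():
        print(f"{name:15} -> {category}")
```

Note that `deployer` stays at Write even though a Deny statement mentions `iam:*`: only Allow statements contribute to the category, which is why a wildcard inside a Deny should not be read as admin access.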

Overview

Access the Overview

  1. Log in to Sysdig Secure.
  2. Select Posture > Identity and Access | Overview.
  3. Review the global Permissions posture from the various panels and use the filtered links to access the Users and Policies subpages as needed.

Filter by Account

On each page in the Identity and Access section, all users and resources are listed by default. If desired, you can focus on a single cloud account, using the Accounts drop-down at the top of the page.

Review Unused Permissions

Total Permissions Usage

See at a glance the number of permissions that have been granted vs those that have actually been used. Click on the Used and Given links to see the related Policies list and remediate those with the highest number of unused permissions.

Users

See at a glance the number of active vs inactive users. Click on the Active and Inactive links to see the related Users and Roles lists and to remediate.

Average Permissions Per Policy

See at a glance the average number of permissions granted per policy, per account, and click into the Policies list to remediate.

Average Policies Per User

See at a glance the average number of policies a user is associated with, per account, and click into the Users and Roles list to remediate.

Policies with Unused Permissions

The Inventory section orders the Policies with the greatest number of unused permissions at the top of the list. Click to expand the list and remediate.

Users and Roles with Unused Permissions

The Inventory section orders the Users and Roles with the greatest number of unused permissions at the top of the list. Click to expand the lists and remediate.

Users

The AWS IAM Users page provides numerous ways to sort, filter, and rank the detected user information to quickly remediate identity risks associated with users and their policies.

Filter and Sort

Available filters:

  • By Actionable Risk
  • By Account
  • By User Attributes
    • Root User
    • No MFA
    • Inactive
    • Admin
    • Multiple Access Keys Active
    • Access Key Not Rotated

Each column in the table can be sorted to help target, for example, the users with the highest number of granted permissions or the highest percentage of unused permissions.

Analyze and Remediate

To reduce the entitlements for a particular user or role:

  1. Click on a user or role to open the detail pane.

    In the screenshot example above, the user has not triggered all of the permissions issued, and is associated with two different policies. Full AdministratorAccess has not been needed for the job the user has been performing.

  2. Decide whether to Optimize IAM Policy, taking into account all the policies and permissions this user has employed, or whether to use the Suggested Policy for e.g., AdministratorAccess, globally. See: Understanding the Suggested Policy Changes.

  3. Copy the generated policy and paste it into a policy in your AWS console.

Roles

The AWS IAM Roles page provides numerous ways to sort, filter, and rank the detected role information to quickly remediate identity risks associated with roles and their policies.

Filter and Sort

Available Filters:

  • By Actionable Risk
  • By Account
  • By Role Attributes
    • Inactive
    • Admin

Analyze and Remediate

To reduce the entitlements for a particular role:

  1. Click on a role to open the detail pane:

    In the screenshot example above, the role has actually triggered only 1 of the 60 permissions issued, and is associated with two different policies.

  2. Decide whether to Optimize IAM Policy, taking into account all the policies and permissions this role has employed, or whether to use the Suggested Policy for e.g., AmazonEKSClusterPolicy, globally. See: Understanding the Suggested Policy Changes.

  3. Copy the generated policy and paste it into a policy in your AWS console.

Groups

The Groups page provides numerous ways to sort, filter, and rank the detected AWS IAM User group information to quickly remediate identity risks associated with the group’s users and policies.

Filter and Sort

Available filters are by:

  • Actionable Risk: Critical, High, Medium, Low
  • Account: Detected and displayed in the drop-down
  • Access Levels: Global, Admin, Write, Read
  • Group Attribute: Admin (all members of a group have admin permissions) and Inactive (all members of a group are inactive)

Each column in the table can be sorted to help target, for example, the group with the highest risk score or highest access category.

Analyze and Remediate

To reduce the entitlements for a particular group:

  1. Click on a group to open the detail pane.

  2. Decide whether to Optimize IAM Policy, by taking Sysdig’s Least Permissive suggestion to optimize the policy. This takes into account:

    • All the policies attached to this group
    • Permissions the users of the group have used

    and narrows the scope of permissions to only what was actually used.

  3. Copy the generated policy and paste it into a policy in your AWS console.

AWS IAM Policies

The Identity and Access|AWS IAM Policies page currently displays AWS policies only. Other cloud vendors will be added over time.

Filter and Sort

As with the Users and Roles page, you can filter by account, and each column in the table is sortable.

Available filters:

  • By Actionable Risk
  • By Account
  • By Policy Attributes (Unused)
  • By Policy Type
    • AWS Managed
    • Customer
    • Inline

Each column in the table can be sorted. The most common sorting priorities are:

  • By Unused % or Unused Permissions: Immediately target the policies with the greatest exposure and refine them according to the suggestions
  • By Shared Policy (# of Users): Focus on the policies affecting the greatest number of users and make a global policy change

Analyze and Remediate

To reduce the entitlements globally for a particular policy:

  1. Click on a policy name to open the detail pane.

  2. Click Optimize IAM Policy and review the proposed code.

  3. You can copy (then paste), download (then upload), or open the adjusted policy directly in the AWS console and save.

Download CSV

Each page of the Identity and Access module has a Download CSV button for retrieving the page data in a spreadsheet.

Note: If your Chrome browser is set to disallow downloading multiple files from a site, you may only get one CSV download and then a “blocked” message in the Chrome address bar. You can click the message to access and change that browser setting, if desired.

Troubleshooting

Check read Access

Sysdig’s Identity and Access feature needs read access for specific resources such as IAM to function. Certain AWS policies block Sysdig from reading data:

  • SCPs: Ensure there are no restrictions on read access to IAM
  • Region-level policies that restrict reads to a specific region, which prevents everything in other regions from being read

Check Role Provisioning

Verify the role provisioned for Sysdig is correct with this API.

Check Health of cloud-connector

Verify the cloud-connector component is healthy by following these steps:

  1. Within the Sysdig Secure UI, navigate to Posture → Identity and Access → Overview

  2. Click on Learning in the top right corner.

Your connected cloud accounts will be shown with the status of the cloud-connector and the last time Sysdig received an event listed.

If cloud-connector is disconnected and the Last Event Sent timestamp is older than a few hours, user activity will not be monitored. Please check logs and contact Sysdig support to help resolve the issue.

Limitations

  • Currently, only identity-based policies (managed, inline, and group policies), Organization SCPs, and permission boundaries are considered for permission calculation. Resource-based policies, ACLs, and session policies are not yet accounted for during permission calculations.

    More details on these policies here.

  • Two notes about the data displayed:

    • AWS Last seen time is based on GetServiceLastAccessedDetails. For more information, see Amazon’s documentation.
    • The AWS permissions used by IAM identities are based on user activity observed in CloudTrail logs. Currently, permissions used after assuming roles are not taken into account.