IAM Policies

The IAM Policies page currently displays AWS policies only. Other cloud vendors will be added over time.

Filter and Sort

Sortable Columns

Actionable Risk

Values: Critical, High, Medium, Low

Actionable Risk focuses on unused permissions, while Risk looks at all permissions. Actionable Risk is designed to help you achieve Least Permissive access.

Risk

Values: Critical, High, Medium, Low

This is a calculation of risk based on all permissions. See also: Understanding Risk Scoring.

% of Unused Permissions

This shows the number of unused permissions as a share of the policy's total permissions, displayed as a percentage graph.

When remediating, immediately target the policies with the greatest exposure and refine them according to the suggestions.

Additional information is available in the Detail Drawers.

Policy Type

These reflect the policy types from AWS. See also the AWS documentation of policy types.

  • AWS Managed: A standalone policy that is created and administered by AWS.
  • Customer: Customer-managed standalone policies in the user’s own AWS account that the user can attach to principal entities and change or update freely.
  • Inline: An AWS policy created for a single IAM identity (a user, group, or role). Inline policies maintain a strict one-to-one relationship between a policy and an identity.

Shared

The number of IAM entities (users, roles, and/or groups) assigned to a policy. When remediating, focus on the policies affecting the greatest number of entities and make a global policy change.

Highest Access

See also: Understand Highest Access

Values:

  • Admin: Admin access granted
  • Write: Write access granted
  • Read: Read access granted
  • Empty Access: No permissions are granted at all
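The two column values described above, % of Unused Permissions and Highest Access, can both be derived from a policy document once its Allow statements are expanded against a catalogue of concrete actions and compared with the actions that were actually exercised. The following is an added example, not Sysdig code or the product's scoring logic: the action catalogue (with its Read/Write/Admin tags) and the list of used actions are constructed sample data, standing in for the full AWS service authorization reference and for an access-activity source such as CloudTrail or IAM Access Analyzer.

```python
"""Summarize an AWS IAM policy document the way the IAM Policies page does:
count the permissions it grants, compute the share that went unused, and
derive the highest access level (Admin / Write / Read / Empty Access).

Added example, not Sysdig code. ACTION_CATALOGUE and SAMPLE_USED are
constructed sample data.
"""
import fnmatch
import json

# Constructed sample catalogue: a small subset of real AWS actions tagged with
# an access level. A real analysis expands wildcards against the full list.
ACTION_CATALOGUE = {
    "s3:GetObject": "Read",
    "s3:ListBucket": "Read",
    "s3:PutObject": "Write",
    "s3:DeleteObject": "Write",
    "iam:ListUsers": "Read",
    "iam:CreateUser": "Write",
    "iam:AttachUserPolicy": "Admin",   # permission-management action
    "ec2:DescribeInstances": "Read",
    "ec2:TerminateInstances": "Write",
}
LEVEL_RANK = {"Empty Access": 0, "Read": 1, "Write": 2, "Admin": 3}


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matching(pattern):
    """Catalogue actions matched by an action pattern (IAM action names are
    case-insensitive; '*' and 'svc:*' are the usual wildcards)."""
    return {a for a in ACTION_CATALOGUE
            if fnmatch.fnmatchcase(a.lower(), pattern.lower())}


def effective_actions(policy):
    """Concrete catalogue actions the policy grants: everything its Allow
    statements match, minus anything an explicit Deny statement matches."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            target.update(_matching(pattern))
    return allowed - denied


def highest_access(policy):
    """Strongest access level among the granted actions, or Empty Access."""
    levels = {ACTION_CATALOGUE[a] for a in effective_actions(policy)}
    if not levels:
        return "Empty Access"
    return max(levels, key=LEVEL_RANK.__getitem__)


def unused_percentage(policy, used_actions):
    """Percentage of granted permissions not exercised in the look-back window,
    as the '% of Unused Permissions' column reports it."""
    granted = effective_actions(policy)
    if not granted:
        return 0.0
    unused = granted - set(used_actions)
    return round(100.0 * len(unused) / len(granted), 1)


def summarize(policy, used_actions):
    """One row of the IAM Policies table for this policy."""
    return {
        "permissions": len(effective_actions(policy)),
        "unused_percent": unused_percentage(policy, used_actions),
        "highest_access": highest_access(policy),
    }


# Constructed sample: a customer-managed policy and the actions its attached
# entities actually used.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}""")
SAMPLE_USED = ["s3:GetObject", "ec2:DescribeInstances"]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_POLICY, SAMPLE_USED), indent=2))
```

With the sample data, `s3:*` expands to four catalogue actions, the explicit Deny removes one, and `ec2:DescribeInstances` adds one, so the policy grants four permissions, two of which were used: 50% unused, Highest Access Write. A policy containing `"Action": "*"` picks up the permission-management action in the catalogue and is classified Admin, which is why wildcard grants are the first thing to look for when the Highest Access column shows Admin.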

Findings

Policies can be listed as Unused on this page. It is recommended to delete Unused policies if possible.

Available Filters

  • Search: Free text search on terms in the resource name
  • Actionable Risks: By severity
  • Cloud Accounts: Account name/number by the cloud provider (e.g. AWS)
  • Access Categories: Admin, Write, Read, or Empty Access
  • Policy Types: AWS-Managed, Customer, Inline
  • Findings: Unused indicates unused policies

Analyze and Remediate

To reduce the entitlements globally for a particular policy:

  1. Click on a policy name to open the detail drawer and open subtabs as needed.

  2. You may be prompted to consider removing an inactive user or unused policy altogether.

  3. Click Optimize IAM Policy and review the proposed code to resolve critical permissions issues on the policy.

    See also: Understand the Suggested Policy Changes

  4. You can copy (then paste), download (then upload), or open the adjusted policy directly in the AWS console and save.

  5. If you have configured the Jira Ticketing integration with Sysdig Secure, you can also open a Jira ticket to optimize the policy code.

    See also: Jira Ticketing integration
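Step 3 asks you to review the proposed policy before it replaces the current one. A mechanical check worth doing at that point is to compare the Allow grants of the current policy (from the Policy Details subtab) with those of the downloaded suggestion: every grant that disappears should be one you expect to lose, and nothing should appear that the current policy did not already cover. The following is an added example, not Sysdig code; the two policy documents are constructed samples, and the `review_suggestion` function is a hypothetical helper, not part of the product.

```python
"""Compare a current IAM policy with a suggested replacement before uploading
it. Reports the Allow grants the suggestion drops, any grants it would add,
and whether the change is a strict reduction of access.

Added example, not Sysdig code. CURRENT_POLICY and SUGGESTED_POLICY are
constructed samples.
"""
import fnmatch
import json


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def allow_grants(policy):
    """Set of (action, resource) pairs granted by Allow statements.
    NotAction/NotResource statements invert the meaning of the element, so
    they are rejected rather than silently mis-read."""
    grants = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError("NotAction/NotResource statements need manual review")
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", "*")):
                grants.add((action, resource))
    return grants


def _covered(grant, grants):
    """True if some grant in `grants` matches this (action, resource) pair,
    treating '*' wildcards as IAM does. Action names are case-insensitive."""
    action, resource = grant
    return any(fnmatch.fnmatchcase(action.lower(), a.lower())
               and fnmatch.fnmatchcase(resource, r)
               for a, r in grants)


def review_suggestion(current, suggested):
    """Grants removed (no longer covered by the suggestion), grants added (not
    covered by the current policy), and whether access strictly shrinks."""
    before, after = allow_grants(current), allow_grants(suggested)
    removed = sorted(g for g in before if not _covered(g, after))
    added = sorted(g for g in after if not _covered(g, before))
    return {
        "removed": removed,
        "added": added,
        "strict_reduction": not added and bool(removed),
    }


# Constructed sample: a broad current policy and a narrowed suggestion.
CURRENT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:ListUsers", "Resource": "*"}
  ]
}""")
SUGGESTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print(json.dumps(review_suggestion(CURRENT_POLICY, SUGGESTED_POLICY), indent=2))
```

For the sample pair the report lists the three broad grants that go away (`ec2:*`, `iam:ListUsers`, `s3:*`), no additions, and `strict_reduction` true, because each narrowed grant in the suggestion is covered by a wildcard in the current policy. A false `strict_reduction` with a non-empty `added` list means the replacement would grant something the entities do not have today and should be read statement by statement before it is uploaded.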

Detail Drawers

The IAM Policies page organizes everything around the policy. Click on a policy name to open the details drawer and subtabs.

  • Overview: Displays the critical permissions issues detected on the IAM Policy, sorted by Risk and Actionable Risk.
  • Attached Users: Displays the users attached to the policy.
  • Attached Roles: Displays the roles attached to the policy.
  • Attached Groups: Displays the groups attached to the policy.
  • Policy Details: Displays the current policy code, which can be replaced by suggested updates when you select Optimize IAM Policy.

Optimize a Policy Globally

Sysdig may suggest that you Optimize an IAM Policy on the IAM Policy page or subtab. If you click the button and download the proposed policy, it should be used to replace the existing policy in your AWS Console. It will affect all entities (users, roles, groups) associated with the policy.

In the example below, the Policy risk is Critical. There are 24 IAM entities listed in the Shared column, which are divided between Assigned Users, Groups, and Roles. (Open the subtabs to see the entity lists.) A number of the Attached Users are Inactive.

  1. Click Optimize IAM Policy for a streamlined policy suggestion that considers the attached entities. In this case, it reduces the permissions from 15,521 to 505.

  2. Upload this policy to your AWS Console and associate it with the appropriate users, roles, and/or groups.
  3. Recommended: Deactivate the old policy and potentially remove the detected inactive users in AWS.