Troubleshooting

Troubleshoot Identity and Access (CIEM) enablement.

Suggestions

Check Read Access

Sysdig’s Identity and Access feature needs read access to specific resources, such as IAM, in order to function. Certain AWS policies can block Sysdig from reading this data:

  • SCPs: Ensure there are no restrictions on read access to IAM.
  • Region-level policies: Ensure no policy restricts all read access to a specific region.
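As an added example (not Sysdig's own tooling), the following Python checks an SCP document for Deny statements that would block the IAM read actions the integration needs. The action list and the two sample SCPs are constructed assumptions; the region-lock pattern is shown in its blocking form and in the corrected form that exempts iam:*.

```python
import fnmatch

# IAM read-only actions assumed here to be needed by the CIEM integration:
# GetServiceLastAccessedDetails is named on the page, the rest are placeholders.
REQUIRED_IAM_READ_ACTIONS = ["iam:GetServiceLastAccessedDetails",
                             "iam:ListRoles", "iam:GetPolicyVersion"]


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_blocking_statements(scp, required=REQUIRED_IAM_READ_ACTIONS):
    """Return (Sid, action, reason) for every Deny statement in the SCP that
    matches a required IAM read action. IAM is a global service, so a Deny
    keyed on aws:RequestedRegion that does not exempt iam:* blocks it too."""
    findings = []
    for stmt in _as_list(scp.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action", []))
        not_actions = _as_list(stmt.get("NotAction", []))
        cond = stmt.get("Condition", {})
        cond_keys = {k for operands in cond.values() for k in operands}
        if not cond:
            reason = "unconditional Deny"
        elif "aws:RequestedRegion" in cond_keys:
            reason = "region-scoped Deny that does not exempt IAM"
        else:
            reason = "conditional Deny, review the Condition manually"
        for action in required:
            if not_actions:  # NotAction: deny everything except the listed actions
                denied = not any(fnmatch.fnmatch(action, p) for p in not_actions)
            else:
                denied = any(fnmatch.fnmatch(action, p) for p in actions)
            if denied:
                findings.append((stmt.get("Sid", "<no Sid>"), action, reason))
    return findings


# Constructed SCP pattern: deny every API call outside eu-west-1 except `exempt`.
def region_lock_scp(exempt):
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideEU", "Effect": "Deny", "NotAction": exempt,
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}}]}


BLOCKING_SCP = region_lock_scp(["s3:*"])           # IAM reads are denied
FIXED_SCP = region_lock_scp(["iam:*", "s3:*"])     # IAM exempted, nothing flagged
```

Run `find_blocking_statements` over each SCP attached to the account's organizational units; an empty result for all of them means no SCP is the cause of missing IAM data.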

Check Role Provisioning

Verify the role provisioned for Sysdig is correct with this API.

Check Health of cloud-connector

For AWS, verify the cloud-connector component is healthy by following these steps:

  1. In the Sysdig Secure UI, navigate to Posture → Identity and Access → Overview.

  2. Click Learning in the top right corner.

Your connected cloud accounts appear with the status of the cloud-connector and the last time Sysdig received an event listed.

If cloud-connector is disconnected and the Last Event Sent timestamp is older than a few hours, user activity is not being monitored. Check the cloud-connector logs and contact Sysdig support to help resolve the issue.

Limitations

  • Currently, only identity-based policies (managed, inline, and group policies), Organization SCPs, and permission boundaries are considered for permission calculation. Resource-based policies, ACLs, and session policies are not yet accounted for during permission calculations.
  • The AWS Last Seen time is based on GetServiceLastAccessedDetails. For more information, see Amazon’s documentation.
  • The AWS permissions used by IAM identities are based on user activity observed in CloudTrail logs. Currently, permissions used after assuming roles are not taken into account.