Optimize AWS User Entitlements

You can examine and remediate identity risks associated with specific IAM accounts and their permissions by using the detail drawers. Click an individual row on the Users page to open the detail drawer for that user and analyze it further.

Manage User Entitlements with Detail Drawers

The Users page organizes everything around the individual user account.

  • Overview: Displays the critical permissions issues detected for this user account, sorted by Risk and Actionable Risk.
  • Attached IAM Policies: Displays the policies this user account is connected to, sorted by unused permissions and total permissions included in the policy.
  • Attached Groups: Displays the groups this user account is connected to, sorted by unused permissions and permissions count.
  • User Details: Displays a summary of total granted permissions, group associations, activity, user ARN ID, and findings associated with the selected user account.

To reduce a user's entitlements, click the user name to open the detail drawer and its sub-tabs. The following examples show the available remediation options.

Understand User Permissions

  • Total Permissions are the total number of permissions granted to a user from all the policies the user is associated with.
  • Unused Permissions (also labeled Permissions Unused) are the total number of unused permissions from all the user’s policies.
  • Permissions Given are the permissions granted to a user per policy.

Investigate the Attached IAM Policies tab in a user’s detail drawer to see how the permission totals are divided and how to handle the surfaced risks.

For example, this user has been granted 421 permissions, divided between two policies. 403 permissions are unused.

To remediate the permissions in this example, you might:

  • Delete an unused policy: In the example above, the policy with 103 permissions given has not been used by any IAM entity. Sysdig recommends removing this policy from your AWS environment.

  • Optimize the Policy Globally.

    For more information, see Create an Optimized User Policy.

  • Create an Optimized User Policy.

    See Understanding the Suggested Policy Changes for more information.

Apply Remediation Strategies

Sysdig suggests the following remediation possibilities.

Create an Optimized User Policy

If the Optimize IAM Policy button is displayed on a User Detail Overview tab, you can download the suggested policy, upload it to your AWS Console, and associate it with this user. This option creates a new, user-specific policy that considers all the policies with which the user is associated.

You can also note the user’s policy associations listed in the Attached IAM Policies subtab and remove those associations in AWS.
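The following script is an added example, not Sysdig's code, and shows both the permission arithmetic from Understand User Permissions (Total Permissions, Permissions Given per policy, Unused Permissions) and how an optimized, user-specific policy can be derived from the actions the user actually exercised. It assumes the attached policy documents (including those inherited through groups) and the set of actions observed for the user have already been fetched, for example with `aws iam list-attached-user-policies`, `aws iam get-policy-version` and a CloudTrail query; `ACTION_CATALOGUE` and the sample policies are constructed for offline use, and the real IAM action catalogue is far larger.

```python
"""Count a user's total and unused IAM permissions per attached policy and
build an optimized policy from the actions actually observed in use.

Added example, not Sysdig's code. Assumptions: policy documents and the set of
actions observed for the user are already fetched (e.g. with
`aws iam list-attached-user-policies`, `aws iam get-policy-version` and a
CloudTrail query). ACTION_CATALOGUE is a constructed subset of real IAM
actions, used only so that wildcards can be expanded offline."""
import fnmatch
import json

# Constructed subset of IAM actions; the real catalogue has thousands.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:GetBucketPolicy", "s3:PutBucketPolicy",
    "ec2:DescribeInstances", "ec2:StartInstances", "ec2:StopInstances",
    "ec2:TerminateInstances", "ec2:RunInstances",
    "iam:ListUsers", "iam:CreateUser", "iam:DeleteUser", "iam:AttachUserPolicy",
]


def expand_actions(policy_doc):
    """Return the catalogue actions granted by the Allow statements of a policy.
    IAM action matching is case-insensitive; Deny statements, resources and
    conditions are ignored because this counts grants, not effective access."""
    granted = set()
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            granted.update(a for a in ACTION_CATALOGUE
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted


def permission_report(attached_policies, used_actions):
    """attached_policies: {policy_name: policy_doc}; used_actions: set of
    'service:Action' strings seen in CloudTrail for this user.
    Returns Permissions Given / Unused per policy plus the user-wide totals."""
    used = {a.lower() for a in used_actions}
    per_policy = {}
    all_granted = set()
    for name, doc in attached_policies.items():
        granted = expand_actions(doc)
        all_granted |= granted
        unused = {a for a in granted if a.lower() not in used}
        per_policy[name] = {"permissions_given": len(granted),
                            "permissions_unused": len(unused)}
    total_unused = {a for a in all_granted if a.lower() not in used}
    return {"total_permissions": len(all_granted),
            "unused_permissions": len(total_unused),
            "policies": per_policy}


def optimized_policy(attached_policies, used_actions):
    """Build a user-specific policy allowing only actions that are both granted
    by an attached policy and observed in use. Resource scoping from the source
    policies is not carried over; narrow "Resource" before attaching it."""
    granted = set()
    for doc in attached_policies.values():
        granted |= expand_actions(doc)
    lookup = {a.lower(): a for a in granted}
    keep = sorted(lookup[a.lower()] for a in used_actions if a.lower() in lookup)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": keep, "Resource": "*"}]}


# Constructed sample: two attached policies and the actions CloudTrail showed.
SAMPLE_POLICIES = {
    "DevS3FullAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "OpsEC2AndIAM": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "iam:List*"], "Resource": "*"}]},
}
SAMPLE_USED = {"s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances"}

if __name__ == "__main__":
    print(json.dumps(permission_report(SAMPLE_POLICIES, SAMPLE_USED), indent=2))
    print(json.dumps(optimized_policy(SAMPLE_POLICIES, SAMPLE_USED), indent=2))
```

The optimized document printed last is what you would then create with `aws iam create-policy`, attach with `aws iam attach-user-policy`, and follow by detaching the broader policies listed in the Attached IAM Policies subtab with `aws iam detach-user-policy`. Because the counts here depend on the constructed catalogue, the numbers will not match the figures Sysdig reports for a real account; the split between policies and the total/unused relationship is the point.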

Delete an Inactive User

Sometimes, a user may be associated with multiple policies and groups and have a very high cumulative number of permissions granted, but Sysdig detects no user activity in the environment for over 400 days. In this case, removing the user from your cloud environment is recommended.

In the example above, this would eliminate all 15,521 permissions granted and remove this identified Critical risk.
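As an added example (not Sysdig's code), the script below applies the 400-day inactivity threshold from the passage above to IAM user records and then lists, in the order AWS requires, the CLI steps for removing such a user. The input dictionaries mirror the shapes returned by `aws iam get-user` and `aws iam get-access-key-last-used`; the sample users, dates and the `NOW` timestamp are constructed, and the "example-" names are placeholders.

```python
"""Flag IAM users with no activity for over 400 days and build the ordered
AWS CLI steps needed to remove one.

Added example, not Sysdig's code. Input dicts mirror the shapes returned by
`aws iam get-user` and `aws iam get-access-key-last-used`; the sample records
below are constructed, not real accounts."""
from datetime import datetime, timezone

INACTIVITY_THRESHOLD_DAYS = 400  # threshold stated on the page


def parse_ts(value):
    """Parse an ISO-8601 timestamp in the offset form the AWS CLI emits."""
    return datetime.fromisoformat(value)


def last_activity(user, keys_last_used):
    """Most recent console or access-key use, or None if the user never signed in.

    user: the "User" object from `aws iam get-user` (PasswordLastUsed is
    absent when the console password was never used).
    keys_last_used: "AccessKeyLastUsed" objects from
    `aws iam get-access-key-last-used`, one per key (LastUsedDate absent
    when the key was never used)."""
    candidates = []
    if "PasswordLastUsed" in user:
        candidates.append(parse_ts(user["PasswordLastUsed"]))
    for entry in keys_last_used:
        if "LastUsedDate" in entry:
            candidates.append(parse_ts(entry["LastUsedDate"]))
    return max(candidates) if candidates else None


def days_inactive(user, keys_last_used, now):
    """Whole days since last activity; a never-used user counts from CreateDate."""
    reference = last_activity(user, keys_last_used) or parse_ts(user["CreateDate"])
    return (now - reference).days


def is_inactive(user, keys_last_used, now, threshold_days=INACTIVITY_THRESHOLD_DAYS):
    return days_inactive(user, keys_last_used, now) > threshold_days


def removal_plan(user_name, policy_arns, group_names, access_key_ids, has_login_profile):
    """Ordered CLI steps. `aws iam delete-user` fails with DeleteConflict while
    managed policies, group memberships, access keys or a login profile remain.
    Inline policies, MFA devices, SSH keys and signing certificates are not
    covered here and must also be removed first if present."""
    steps = []
    for arn in policy_arns:
        steps.append(f"aws iam detach-user-policy --user-name {user_name} --policy-arn {arn}")
    for group in group_names:
        steps.append(f"aws iam remove-user-from-group --user-name {user_name} --group-name {group}")
    for key_id in access_key_ids:
        steps.append(f"aws iam delete-access-key --user-name {user_name} --access-key-id {key_id}")
    if has_login_profile:
        steps.append(f"aws iam delete-login-profile --user-name {user_name}")
    steps.append(f"aws iam delete-user --user-name {user_name}")
    return steps


# Constructed sample data; "example-" names and ARNs are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STALE_USER = {"UserName": "example-stale-user",
              "CreateDate": "2022-01-10T09:00:00+00:00",
              "PasswordLastUsed": "2023-03-01T00:00:00+00:00"}
STALE_KEYS = [{"LastUsedDate": "2023-02-15T08:30:00+00:00",
               "ServiceName": "s3", "Region": "us-east-1"}]
ACTIVE_USER = {"UserName": "example-active-user",
               "CreateDate": "2022-01-10T09:00:00+00:00",
               "PasswordLastUsed": "2024-05-01T00:00:00+00:00"}
NEVER_USED_USER = {"UserName": "example-never-used",
                   "CreateDate": "2022-01-10T09:00:00+00:00"}

if __name__ == "__main__":
    for user, keys in ((STALE_USER, STALE_KEYS), (ACTIVE_USER, []), (NEVER_USED_USER, [])):
        print(user["UserName"], days_inactive(user, keys, NOW), is_inactive(user, keys, NOW))
    for step in removal_plan("example-stale-user",
                             ["arn:aws:iam::123456789012:policy/example-policy"],
                             ["example-group"], ["AKIAEXAMPLEKEYID"], True):
        print(step)
```

Treat the generated plan as a review checklist rather than something to pipe straight into a shell: confirm with the owner that the identity is genuinely retired, and prefer deactivating keys and the login profile first so a mistaken removal can be reversed before the final `delete-user`.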