Entitlement Management Explorer
Entitlement management is currently in preview.
Introduction to the Explorer tab
The Explorer tab provides a list of identities or policies and their summary information.
To reach the Explorer tab, go to Entitlements > Explorer.
- The Explorer tab displays identities by default. To display policies instead, select Policies from the dropdown. (Only summary information is currently available for policies.)
- Use the filters or search if you want to display a subset of identities or policies. By default, the tab displays all identities from the latest week.
- Locate the identity that you want to investigate.
- Observe some of the identity information available in the table:
  - Risk severity: identify the identities that are most important to address.
  - Risks: discover what types of risks exist.
  - Entitlements used %: determine which identities have excessive privileges.
- Click an identity in the list to display its details.
- Save and share the view information.
The following sections detail the actions you can take and the information you can view on the Explorer tab.
Identities
To display identities on the Explorer tab, select Identities from the dropdown menu above the filters.
Identity filters
Use the following methods to refine what is displayed in the identities list:
- Use the search function at the top of the page to select a filter, operator, and values.
- Click the filter dropdowns along the top of the page, select your choices, and click Show results. Click an active filter to remove it, or click Reset and then click Show results.
The following table lists available identity filters.
Filter | Description |
---|---|
Cloud provider | Display identities for the selected cloud provider. |
Account ID | Display identities for the selected account IDs. |
Principal ID | Display identities with matching principal IDs. |
Risk | Display identities with the selected risks. |
Identity type | Display identities of the selected types. |
Name | Display identities with matching names. |
Tags | Display identities with the selected tags. |
Access keys | Display identities with the selected access keys. |
Entitlements used % | Display identities with the selected percentage of the total granted entitlements that have been used. |
Identities list
The list of identities appears below the filters and has the following information available.
Click the icons to refresh the table, download the table as a CSV, select columns, and search for specific text in the columns.
To go to an identity's details page, click an identity.
Column | Description |
---|---|
Identity name | An identity name is a unique identifier or name assigned to an individual or entity within the cloud environment. It represents a specific user, service account, group, or role that has access rights and permissions to interact with the cloud resources and services. |
Identity type | An identity type refers to the classification or category of an identity within the cloud environment. Currently supported types: AWS group, AWS role, AWS root user, AWS service, AWS service-linked role, and AWS user. |
Risk severity | The risk severity is the highest severity of the risks that are associated with the identity. Click the risk severity for details about the associated risks. |
Risks | The risks that are associated with the identity. Color-coded icons indicate the risks' severities. Click the risks for details about the associated risks. Refer to Entitlement risks for a list of all possible risks. |
Entitlements used/total | The percentage and number of the total granted entitlements that have been used. |
Entitlements used % | The percentage of the total granted entitlements that have been used expressed in quartiles. |
Resources accessed/entitled | The percentage and number of resources that the identity has accessed (in the past 180 days) that it is entitled to. An accessed resource refers to any digital asset that is utilized or interacted with by users, applications, or processes within the cloud environment. An entitled resource refers to a specific cloud resource that an identity or user account has been granted access to based on their entitlements or permissions. |
Services accessed/entitled | The percentage and number of services that the identity has accessed (in the past 180 days) that it is entitled to. An accessed service refers to a specific cloud service that is utilized or interacted with by users, applications, or processes within the cloud environment. An entitled service refers to a specific cloud service that an identity or user account has been granted access to based on their entitlements or permissions. |
Linked identities | The number of identities that are linked to this identity. When a linked identity is established, it lets users authenticate themselves using their credentials from the external identity provider, and the cloud service provider verifies the identity and grants access based on the linked association. To view the specific identities, expand the value. |
Last used | The last time the identity was used to access a resource or entitlement. |
Created on | The creation date. |
Principal ID | The principal ID from the cloud service provider. |
Provider | The cloud service provider. |
Account ID | The account ID from the cloud service provider. |
Account alias | The account alias from the cloud service provider. |
Tags | The tags assigned to the identity for categorization. |
Key ID | The key ID from the cloud service provider. |
Access keys | The access keys associated with the identity and whether each key is active or inactive. Guard access keys carefully: anyone holding one can use it to access your cloud resources and perform unauthorized actions. |
Risk severity
The overall risk window provides a description and severity for each risk. To open this window, click the risk severity or risks.
To view the identity's details, click Investigate.
The overall risk is the highest severity of the risks that are associated with the identity. To lower the overall risk, address all of the risks at the current highest severity; the overall risk then drops to the highest severity of the remaining risks.
For example, if an identity has a critical overall risk with two critical risks and three medium risks, fixing all critical risks would lower the overall risk to medium.
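As an added example (not part of this page or the product's own code), the following Python script applies the Identities list column definitions and the overall-risk rule above to a CSV export downloaded from the Explorer tab. It computes each identity's overall severity, what the severity would become after fixing all highest-severity risks, the entitlements used percentage and its quartile, and flags identities that still have an active access key but have not been used for 180 days. The export header, the encoding of the Risks column (name:severity pairs separated by semicolons), the four-level severity scale (the page itself names only critical and medium) and the sample rows are all assumptions constructed for this example.

```python
import csv
import io
from datetime import datetime, timedelta

# Severity scale, highest first. The page names only critical and medium;
# high and low are assumed here to complete the ordering.
SEVERITY_ORDER = ("critical", "high", "medium", "low")

# Constructed sample in the assumed shape of an Explorer CSV export. Column
# names mirror the Identities list; "Risks" is assumed to hold
# "name:severity" pairs separated by ";". Key IDs are placeholders.
SAMPLE_EXPORT = """\
Identity name,Identity type,Risks,Entitlements used/total,Last used,Access keys
deploy-bot,AWS user,PrivEsc:critical;AdminWildcard:critical;UnusedKey:medium;NoMfa:medium;OldPassword:medium,12/200,2024-01-03,key-1:active
analyst,AWS user,NoMfa:medium,40/50,2024-06-20,key-2:inactive
legacy-svc,AWS role,,3/120,2023-09-01,
"""

# Fixed "today" so the 180-day check is reproducible (assumed date).
AS_OF = datetime(2024, 7, 1)


def parse_risks(field):
    """'name:severity;name:severity' -> [(name, severity)]; blank -> []."""
    risks = []
    for item in field.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, sev = item.partition(":")
        sev = sev.strip().lower()
        if sev not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {sev!r} for risk {name!r}")
        risks.append((name.strip(), sev))
    return risks


def overall_severity(risks):
    """Highest severity among the risks, or None when there are none."""
    if not risks:
        return None
    return min((sev for _, sev in risks), key=SEVERITY_ORDER.index)


def severity_after_fixing_highest(risks):
    """Overall severity once every risk at the current highest level is fixed."""
    top = overall_severity(risks)
    return overall_severity([(n, s) for n, s in risks if s != top])


def used_percent(field):
    """'used/total' -> percentage of granted entitlements used (0.0 if none granted)."""
    used, _, total = field.partition("/")
    total = int(total)
    return 0.0 if total == 0 else 100.0 * int(used) / total


def quartile(pct):
    """Bucket a percentage into quartiles 1..4; 75-100% is quartile 4."""
    return min(4, int(pct // 25) + 1)


def has_stale_active_key(keys_field, last_used, as_of, max_age_days=180):
    """True when an active key belongs to an identity idle for >= max_age_days."""
    active = any(k.strip().endswith(":active") for k in keys_field.split(";"))
    if not active or not last_used:
        return False
    idle = as_of - datetime.strptime(last_used, "%Y-%m-%d")
    return idle >= timedelta(days=max_age_days)


def _rank(row):
    # Unranked (no risks) sorts after every real severity; ties break on lowest usage.
    sev = row["severity"]
    return (SEVERITY_ORDER.index(sev) if sev else len(SEVERITY_ORDER), row["used_pct"])


def triage(export_text, as_of):
    """Rank identities: worst overall severity first, then least-used entitlements."""
    rows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        risks = parse_risks(row["Risks"])
        pct = used_percent(row["Entitlements used/total"])
        rows.append({
            "name": row["Identity name"],
            "severity": overall_severity(risks),
            "after_fix": severity_after_fixing_highest(risks),
            "used_pct": round(pct, 1),
            "quartile": quartile(pct),
            "stale_active_key": has_stale_active_key(
                row["Access keys"], row["Last used"], as_of),
        })
    return sorted(rows, key=_rank)


if __name__ == "__main__":
    for r in triage(SAMPLE_EXPORT, AS_OF):
        print(r)
```

On the constructed sample, deploy-bot carries two critical and three medium risks, so it ranks first with an overall severity of critical that would fall to medium once both critical risks are fixed, uses 6% of its entitlements (quartile 1) and still has an active key after 180 idle days; analyst is medium and would have no remaining risk after its single finding is fixed; legacy-svc has no risks and sorts last.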
Policies
To display policies on the Explorer tab, select Policies from the dropdown menu above the filters.
Policy filters
Use the following methods to refine what is displayed in the policies list:
- Use the search function at the top of the page to select a filter, operator, and values.
- Click the filter dropdowns along the top of the page, select your choices, and click Show results. Click an active filter to remove it or click Reset and then click Show results.
The following table lists available policy filters.
Filter | Description |
---|---|
Cloud provider | Display policies for the selected cloud provider. |
Account ID | Display policies for the selected account IDs. |
Account alias | Display policies with matching account aliases. |
Policy type | Display policies of the selected types. |
Name | Display policies with matching names. |
Tags | Display policies with the selected tags. |
Policies list
The list of policies appears below the filters and has the following information available.
Click the icons to refresh the table, download the table as a CSV, select columns, and search for specific text in the columns.
To go to a policy's details page, click a policy.
Column | Description |
---|---|
Policy name | Name of the policy. |
Policy type | Type of policy. Supported types include inline (group, role, user), managed (AWS, customer), and resource. |
Created on | The creation date. |
Policy ID | The policy ID from the cloud service provider. |
Provider | The cloud service provider. |
Account ID | The account ID from the cloud service provider. |
Tags | The tags assigned to the policy for categorization. |
Save and share Explorer information
- Click the Save view icon in the top right corner to save the current view. This lets you access the saved view later through the Open view icon.
- You can also copy the link to the current view by clicking the Copy link icon. You can then share that link with others, so they can see the same view.