
Entitlements FAQ

Note: Entitlement management is currently in preview.

Are there any plans to support Google Cloud and Azure?

Currently, Lacework supports AWS only. However, Lacework intends to support Google Cloud and Azure in the future.

Which condition keys and operators are supported in AWS policies?

Supported condition operators and keys

String operators
  • StringEquals
  • StringNotEquals
  • StringEqualsIgnoreCase
  • StringNotEqualsIgnoreCase
  • StringLike
  • StringNotLike
  • StringEqualsIfExists
  • StringLikeIfExists
  • StringNotEqualsIfExists

ARN operators
  • ArnLike
  • ArnEquals
  • ArnLikeIfExists
  • ArnNotLike

Bool operators
  • Bool
  • BoolIfExists
  • Null

Numeric operators
  • NumericLessThan

IP address operators
  Note: All IP address operators are runtime conditions.
  • IpAddress
  • NotIpAddressIfExists
  • NotIpAddress

Condition keys
  • aws:PrincipalArn (static)
  • aws:SourceIp (runtime)
  • aws:PrincipalIsAWSService (static)
  • aws:PrincipalServiceName (static)
  • aws:userid (static)
  • sts:ExternalId (special)
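Because a policy condition that uses an operator or key outside the lists above will not be reflected in entitlement evaluation, it helps to know which of your policies contain such conditions before reading the dashboards. The following is an added example (not Lacework code) that walks the Condition blocks of an IAM policy document and labels each operator/key pair with the classification given on this page, or flags it as not listed; the sample policy is constructed for illustration.

```python
import json

# Operators and condition keys listed on this page as supported. Anything else
# (including set-operator prefixes such as ForAnyValue:) is reported as not listed.
SUPPORTED_OPERATORS = {
    "StringEquals", "StringNotEquals", "StringEqualsIgnoreCase",
    "StringNotEqualsIgnoreCase", "StringLike", "StringNotLike",
    "StringEqualsIfExists", "StringLikeIfExists", "StringNotEqualsIfExists",
    "ArnLike", "ArnEquals", "ArnLikeIfExists", "ArnNotLike",
    "Bool", "BoolIfExists", "Null",
    "NumericLessThan",
    "IpAddress", "NotIpAddressIfExists", "NotIpAddress",
}
# IAM condition keys are case-insensitive, so compare in lower case.
SUPPORTED_KEYS = {
    "aws:principalarn": "static", "aws:sourceip": "runtime",
    "aws:principalisawsservice": "static", "aws:principalservicename": "static",
    "aws:userid": "static", "sts:externalid": "special",
}

def audit_conditions(policy_json):
    """Return (sid, operator, key, status) for every condition in the policy.
    status is 'static', 'runtime' or 'special' when both operator and key are
    on the supported lists, else 'not-listed-operator' or 'not-listed-key'."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"Statement[{i}]")
        for op, key_values in stmt.get("Condition", {}).items():
            for key in key_values:
                if op not in SUPPORTED_OPERATORS:
                    status = "not-listed-operator"
                else:
                    status = SUPPORTED_KEYS.get(key.lower(), "not-listed-key")
                findings.append((sid, op, key, status))
    return findings

# Constructed sample policy (not from a real account) mixing listed and unlisted conditions.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowFromOffice", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                   "StringEquals": {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/Ops"}}},
    {"Sid": "DenyNoMfa", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"DateLessThan": {"aws:CurrentTime": "2024-01-01T00:00:00Z"},
                   "Bool": {"aws:MultiFactorAuthPresent": "false"}}}]})

if __name__ == "__main__":
    for finding in audit_conditions(SAMPLE_POLICY):
        print(*finding)
```

Only the `AllowFromOffice` conditions are fully covered by the lists on this page; the two `DenyNoMfa` conditions use an operator and a key that are not listed.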
When I add or delete IAM users/groups/roles, how long should it take for Lacework entitlement management dashboards to update?

Up to 24 hours. If you want to get an update sooner, you can trigger a refresh using:

    $ lacework api post '/Inventory/scan?csp=AWS'

How frequently does Lacework entitlement management evaluate user privileges, including excessive privileges?

Currently, every 24 hours when there is an update from resource collection through cloud configuration integrations.

Sometimes ‘Unknown’ is the Last Used Date for some roles. What does ‘Unknown’ mean?

Certain types of identities, such as AWS groups, do not track usage information. These identity types will report ‘Unknown’.

The Last Used date for a role shows ‘never’, even though I switched to this role recently. Why?

Switching to a role does not constitute role usage. Role usage means you switch to a role and perform at least one non-STS operation (for example, listing EC2 instances). At this time Lacework does not consider actions like STS GetCallerIdentity as an entitlement because it does not require a policy to grant access.

An entitlement shows Last Used as ‘never’, even though the AWS console and IAM Access Advisor show it as used. Why?

The most likely reason is that a CloudTrail integration has not been set up within Lacework. Lacework entitlement management calculates usage by inspecting CloudTrail data.
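The two answers above define role usage as an AssumeRole followed by at least one non-STS call in the resulting session, derived from CloudTrail. The following added example (not Lacework's implementation, only an illustration of that rule) applies it to a few constructed, simplified CloudTrail records: a role that is only switched to, or whose session only calls GetCallerIdentity, stays ‘never’, while a role whose session lists EC2 instances gets a Last Used date.

```python
from datetime import datetime

# Constructed, simplified CloudTrail records (not real data) used as sample input.
SAMPLE_EVENTS = [
    # alice switches to DeployRole: an STS call by the user, not usage of the role.
    {"eventTime": "2024-03-01T09:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/DeployRole"}},
    # The DeployRole session only calls GetCallerIdentity: still not usage.
    {"eventTime": "2024-03-01T09:00:05Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
         "arn": "arn:aws:iam::123456789012:role/DeployRole"}}}},
    # An AuditRole session lists EC2 instances: this counts as usage.
    {"eventTime": "2024-03-02T10:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
         "arn": "arn:aws:iam::123456789012:role/AuditRole"}}}},
    # An earlier AuditRole call must not overwrite the later Last Used value.
    {"eventTime": "2024-02-20T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
         "arn": "arn:aws:iam::123456789012:role/AuditRole"}}}},
]

def role_last_used(events):
    """Map each role ARN seen in the events to the datetime of the latest non-STS
    action performed in one of its sessions, or None if there was no such action."""
    last = {}
    for ev in events:
        ident = ev["userIdentity"]
        if ident.get("type") == "AssumedRole":
            role = ident["sessionContext"]["sessionIssuer"]["arn"]
        elif ev["eventName"] == "AssumeRole":
            role = ev["requestParameters"]["roleArn"]   # role is only being switched to
        else:
            continue                                     # unrelated to any role
        last.setdefault(role, None)
        if ev["eventSource"] == "sts.amazonaws.com":
            continue                                     # STS calls are not role usage
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if last[role] is None or ts > last[role]:
            last[role] = ts
    return last

def last_used_report(events):
    """Render the result the way the dashboard would: a date, or 'never'."""
    return {role: (ts.date().isoformat() if ts else "never")
            for role, ts in role_last_used(events).items()}
```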

I have Okta or another identity provider (IdP). Where are all my users?

Lacework currently supports the following identities: AWS IAM users, root users, IAM roles, and IAM groups. Lacework is actively looking to support federated identities and integrate IdP data in the future.

In the Top Identity Risks or Explorer tabs there are identities whose risk I have accepted and that are not an operational concern for me, like “break-glass” accounts and root identities. How can I exclude these?

Lacework is working on an exceptions management tool that lets you add exceptions for these identities. Use the following as a workaround until the exceptions feature launches. If you want to exclude identities from appearing in the Top Identity Risks or Explorer tabs, filter on the Name or Principal ID and apply an “excludes” or “does not match” filter to remove those identities. To avoid repeating this step every time, click the Save icon in the top right corner to save and name the view of the page.

I have an identity with cross-account access, but notice that each Identity Details page only shows one AWS account. Is there a way to find the multiple AWS accounts this identity is associated with?

Yes. The Identity Details page shows the AWS account associated with the identity. To see which account each entitlement comes from, go to the Entitlements tab and add the Account ID column. To find accounts this identity can access, select the Related Identities tab. This tab lets you navigate to any associated inbound or outbound identities.

What do all the risk icons mean? How can I find identities with similar risks?

Hover over each icon to display text that explains why that risk category was assigned to the identity of interest. If you click the Risk Severity or the Risk icons themselves in the Explorer, a pop-up window displays to further explain the risks pertaining to an identity. To find identities with similar risks, select the Risk filter and choose the combinations you are interested in. At the top right corner, you can also save this filtered view using the Save icon.

The Explorer tab doesn’t show me all the data I need to explore or prioritize identities. What should I do?

At the top left of the Explorer table is a Select columns icon. The icon shows how many columns you have active. Click the icon to toggle on or off any additional columns that may be of use.