Entitlement Management Identities

Entitlement management is currently in preview.

To display an identity's details, go to Entitlements > Explorer, select Identities above the filters, and then click an identity in the list.

  • The Summary provides identity details and a trend chart for Granted vs used (in the past 180 days) entitlements. Click the information icon for each risk to display an explanation about why it's an identity risk factor.
  • The Entitlements tab displays the used and unused entitlements for each service.
    Click a service in the left panel to display its resource and entitlement details.
  • The Linked identities tab contains two separate subtabs with inbound and outbound privilege information. Click the More actions icon to view identity details or open the Resource Explorer.
  • The Remediations tab provides information about available remediations based on the risks identified for the specified identity. Click a remediation to view the suggested actions, rationale for remediation, and resulting risk reduction.

Summary

This tab provides a summary of identity details and a trend chart for Granted vs used (in the past 180 days) entitlements.

The risk severity is the highest severity of the risks that are associated with the identity.

To view the identity in a resource context, click the View in Resource Explorer icon (next to the Principal ID). To view access key details, hover over the access key. For risk details, click individual risk information icons.

The Summary tab displays the following information:

Field - Description
  • Name - The unique name assigned to the identity within the cloud environment. It represents a specific user, service account, group, or role that holds access rights and permissions to cloud resources and services.
  • Type - The classification of the identity within the cloud environment. Currently supported types: AWS group, AWS role, AWS root user, AWS service, AWS service-linked role, and AWS user.
  • Principal ID - The principal ID from the cloud service provider.
  • Account - The account ID from the cloud service provider.
  • Last used time - The last time the identity was used to access a resource or entitlement.
  • Created time - The creation date.
  • Access keys - The access keys associated with the identity and whether each is active or inactive. Treat them as secrets: an active key is a long-lived credential for the identity, so anyone who obtains it can access your cloud resources and perform actions with the identity's permissions.
  • Risks - The identity's overall risk and the individual risks associated with the identity. Color-coded icons indicate the risks' severities. Click the information icon for details about each risk. Refer to Entitlement risks for a list of all possible risks.
  • Tags - The tags assigned to the identity for categorization.

Entitlements

This tab displays the percentage and number of the total granted entitlements that have been used for each service. Click a service in the left panel to display its details.

The table has the following information:

Column - Description
  • Resource name - The name of the resource that the identity has privileges for.
  • Account ID - The account ID from the cloud service provider.
  • Actions - The actions that the entitlements allow.
  • Used? - The last time the identity used this entitlement. No means it has not been used in the past 180 days.
  • Policy name - The name of the policy that defines the identity's permissions.
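The "granted vs used in the past 180 days" view above can be reproduced from raw cloud-provider data. The following is an added example, not the product's own code: it takes a constructed set of granted actions per service and constructed access records whose shape mirrors IAM Access Advisor action-level results (the `ServiceNamespace`, `LastAuthenticated` and `TrackedActionsLastAccessed` fields), and computes the used/granted count per service and the per-action Used? value. The names `GRANTED`, `LAST_ACCESSED`, `usage_report` and `unused_actions` are this example's own.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=180)
# Fixed reference time so the results are reproducible offline.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)

# Constructed: actions the identity's policies grant, keyed by service namespace.
GRANTED = {
    "s3": ["GetObject", "PutObject", "DeleteObject"],
    "iam": ["ListUsers", "PassRole"],
    "sqs": ["SendMessage", "ReceiveMessage"],
}

# Constructed: access records for the same identity. The field names follow
# Access Advisor's action-level output, but every timestamp here is made up.
LAST_ACCESSED = [
    {"ServiceNamespace": "s3",
     "LastAuthenticated": NOW - timedelta(days=3),
     "TrackedActionsLastAccessed": [
         {"ActionName": "GetObject", "LastAccessedTime": NOW - timedelta(days=3)},
         {"ActionName": "PutObject", "LastAccessedTime": NOW - timedelta(days=200)},
     ]},
    {"ServiceNamespace": "iam",
     "LastAuthenticated": NOW - timedelta(days=400),
     "TrackedActionsLastAccessed": [
         {"ActionName": "ListUsers", "LastAccessedTime": NOW - timedelta(days=400)},
     ]},
    # Only a service-level timestamp is available for this service.
    {"ServiceNamespace": "sqs",
     "LastAuthenticated": NOW - timedelta(days=10),
     "TrackedActionsLastAccessed": []},
]


def usage_report(granted, last_accessed, now=NOW, window=WINDOW):
    """Per service: {"actions": {action: last_used or None}, "used", "granted", "pct"}.

    An action counts as used when its last access falls inside the window.
    When a service reports no action-level data, the service-level
    LastAuthenticated timestamp is applied to every granted action for that
    service; this is a weaker signal and is the assumption this example makes.
    """
    by_service = {r["ServiceNamespace"]: r for r in last_accessed}
    report = {}
    for service, actions in granted.items():
        rec = by_service.get(service)
        tracked = {a["ActionName"]: a["LastAccessedTime"]
                   for a in (rec or {}).get("TrackedActionsLastAccessed", [])}
        per_action = {}
        for action in actions:
            if tracked:
                ts = tracked.get(action)            # absent => never seen
            else:
                ts = rec["LastAuthenticated"] if rec else None  # service-level fallback
            used = ts is not None and now - ts <= window
            per_action[action] = ts if used else None
        used_n = sum(1 for v in per_action.values() if v is not None)
        report[service] = {"actions": per_action, "used": used_n,
                           "granted": len(actions),
                           "pct": round(100 * used_n / len(actions))}
    return report


def unused_actions(report):
    """Flatten the report into (service, action) pairs with no use in the window."""
    return [(svc, act) for svc, entry in report.items()
            for act, ts in entry["actions"].items() if ts is None]


if __name__ == "__main__":
    rep = usage_report(GRANTED, LAST_ACCESSED)
    for svc, entry in rep.items():
        print(f"{svc}: {entry['used']}/{entry['granted']} used ({entry['pct']}%)")
    print("unused:", unused_actions(rep))
```

Actions that are granted but absent from the report's usage are the candidates the Remediations tab would target; the service-level fallback is worth flagging in any real report, because it can mark an action as used when only a sibling action in the same service was actually called.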

Linked identities

This tab contains two separate subtabs with the following information:

  • Inbound - The selected identity's privileges can be assumed by the identities listed here. For example, if the current identity is an AWS role and a list of users is in this section, then those users can assume the role in question.
  • Outbound - The selected identity can assume the privileges of the identities listed here. For example, if the current identity is an AWS user and a list of roles is in this section, then the user in question can assume those roles.

The tables have the following information:

Column - Description
  • Principal ID - The principal ID from the cloud service provider.
  • Name - Name of the identity.
  • Account ID - The account ID from the cloud service provider.
  • Account alias - The account alias from the cloud service provider.
  • Relation type - How the privileges relate.

The More actions icon lets you access actions such as View identity details and View in Resource Explorer.
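The Inbound and Outbound subtabs and the Relation type column are, for AWS roles, derived from role trust policies. The following is an added example and not the product's own code: it builds a small set of constructed trust policies (account ID, role names and user name are made up) and computes, for any principal, who can assume it (inbound) and what it can assume (outbound), honouring explicit Deny statements and distinguishing a direct trust from an account-root or service trust. The function and constant names are this example's own.

```python
import json

# Constructed sample (not real data): trust policies for three roles in one
# made-up account. The document shapes follow real AWS trust policies.
ACCOUNT = "111122223333"
ROLE = "arn:aws:iam::%s:role/%%s" % ACCOUNT
ALICE = "arn:aws:iam::%s:user/alice" % ACCOUNT
TRUST_POLICIES = {
    ROLE % "AppRole": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": [ALICE, ROLE % "CICDRole"]}}]}),
    ROLE % "CICDRole": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"Service": "codebuild.amazonaws.com"}}]}),
    ROLE % "AdminRole": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            # Account-root trust: any principal in the account may assume the
            # role, provided its own identity policy also allows sts:AssumeRole.
            {"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:TagSession"],
             "Principal": {"AWS": "arn:aws:iam::%s:root" % ACCOUNT}},
            # An explicit Deny overrides the broad Allow for this one user.
            {"Effect": "Deny", "Action": "sts:AssumeRole",
             "Principal": {"AWS": ALICE}}]}),
}


def _as_list(value):
    """Normalise IAM's string-or-list fields to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _covers_assume_role(statement):
    """True if the statement's Action covers sts:AssumeRole, directly or by wildcard."""
    return any(a.lower() in ("sts:assumerole", "sts:*", "*")
               for a in _as_list(statement.get("Action")))


def _principals(statement):
    """Yield (principal, relation_type) pairs from a statement's Principal element."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield "*", "anonymous"
        return
    for arn in _as_list(principal.get("AWS")):
        if arn == "*":
            yield "*", "anonymous"
        elif arn.endswith(":root"):
            yield arn, "account-root"
        else:
            yield arn, "direct"
    for svc in _as_list(principal.get("Service")):
        yield svc, "service"


def build_links(trust_policies):
    """Return {role_arn: {"principals": {principal: relation}, "denied": set}}."""
    links = {}
    for role_arn, doc in trust_policies.items():
        allowed, denied = {}, set()
        for stmt in _as_list(json.loads(doc).get("Statement")):
            if not _covers_assume_role(stmt):
                continue
            for pid, rel in _principals(stmt):
                if stmt.get("Effect") == "Allow":
                    allowed[pid] = rel
                elif stmt.get("Effect") == "Deny":
                    denied.add(pid)
        links[role_arn] = {"principals": {p: r for p, r in allowed.items() if p not in denied},
                           "denied": denied}
    return links


def account_of(arn):
    """The 12-digit account ID is the fifth colon-separated field of an IAM ARN."""
    return arn.split(":")[4]


def inbound_for(role_arn, links):
    """Principals that can assume role_arn, with their relation type (Inbound subtab)."""
    return dict(links.get(role_arn, {}).get("principals", {}))


def outbound_for(principal_arn, links):
    """Roles principal_arn can assume, with relation type (Outbound subtab).

    A role that trusts the principal's account root is reported as
    'account-root'; whether assumption actually succeeds then depends on the
    principal's own identity policy, which this example does not model.
    """
    root = "arn:aws:iam::%s:root" % account_of(principal_arn)
    result = {}
    for role_arn, entry in links.items():
        if principal_arn in entry["denied"]:
            continue
        principals = entry["principals"]
        if principal_arn in principals:
            result[role_arn] = principals[principal_arn]
        elif root in principals:
            result[role_arn] = "account-root"
        elif "*" in principals:
            result[role_arn] = "anonymous"
    return result


if __name__ == "__main__":
    links = build_links(TRUST_POLICIES)
    for role in TRUST_POLICIES:
        print("inbound ", role, inbound_for(role, links))
    for principal in (ALICE, ROLE % "CICDRole"):
        print("outbound", principal, outbound_for(principal, links))
```

The account-root and anonymous relation types are the ones worth reviewing first: they make the effective inbound set depend on identity policies elsewhere in the account (or in any account), which a trust policy alone does not show.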

Remediations

This tab provides information about available remediations based on the risks identified for the specified identity.

For detailed information, refer to Entitlement Management Remediation.