Entitlement Management Identities
Entitlement management is currently in preview.
To display an identity's details, go to Entitlements > Explorer, select Identities above the filters, and then click an identity in the list.
- The Summary provides identity details and a trend chart for Granted vs used (in the past 180 days) entitlements. Click the information icon for each risk to display an explanation about why it's an identity risk factor.
- The Entitlements tab displays the used and unused entitlements for each service. Click a service in the left panel to display its resource and entitlement details.
- The Linked identities tab contains two separate subtabs with inbound and outbound privilege information. Click the More actions icon to view identity details or open the Resource Explorer.
- The Remediations tab provides information about available remediations based on the risks identified for the specified identity. Click a remediation to view the suggested actions, rationale for remediation, and resulting risk reduction.
Summary
This tab provides a summary of identity details and a trend chart for Granted vs used (in the past 180 days) entitlements.
The risk severity is the highest severity of the risks that are associated with the identity.
To view the identity in a resource context, click the View in Resource Explorer icon (next to the Principal ID). To view access key details, hover over the access key. For risk details, click individual risk information icons.
The Summary tab displays the following information:
Field | Description |
---|---|
Name | An identity name is a unique identifier or name assigned to an individual or entity within the cloud environment. It represents a specific user, service account, group, or role that has access rights and permissions to interact with the cloud resources and services. |
Type | An identity type refers to the classification or category of an identity within the cloud environment. Currently supported types: AWS group, AWS role, AWS root user, AWS service, AWS service-linked role, and AWS user. |
Principal ID | The principal ID from the cloud service provider. |
Account | The account ID from the cloud service provider. |
Last used time | The last time the identity was used to access a resource or entitlement. |
Created time | The creation date. |
Access keys | The access keys associated with the identity and whether each is active or inactive. Guard them carefully: anyone holding an active key can use it to access your cloud resources and perform unauthorized actions. |
Risks | The identity's overall risk and the individual risks that are associated with the identity. Color-coded icons indicate the risks' severities. Click the information icon for details about each risk. Refer to Entitlement risks for a list of all possible risks. |
Tags | The tags assigned to the identity for categorization. |
Entitlements
This tab displays the percentage and number of the total granted entitlements that have been used for each service. Click a service in the left panel to display its details.
The table has the following information:
Column | Description |
---|---|
Resource name | The name of the resource that the identity has privileges for. |
Account ID | The account ID from the cloud service provider. |
Actions | The actions that the entitlements allow. |
Used? | The last time the identity was used. No means it has not been used in the past 180 days. |
Policy name | The name of the policy that defines the identity's permissions. |
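The "Granted vs used" figures and the "Used?" verdict above follow one rule: an entitlement counts as used only if it was exercised within the past 180 days. The following Python script is an added illustration of that rule, not code from the product; the policy names, resources, actions and last-used timestamps are constructed sample data, and the product's own data model is not assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input (not from any real account): the actions granted to
# one identity, the policy and resource they come from, and the last time each
# action was observed in use (None = never observed).
UNUSED_WINDOW_DAYS = 180
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility

GRANTED = [
    # (policy name, resource name, action, last used)
    ("AppPolicy", "app-bucket", "s3:GetObject", NOW - timedelta(days=3)),
    ("AppPolicy", "app-bucket", "s3:PutObject", NOW - timedelta(days=200)),
    ("AppPolicy", "app-bucket", "s3:DeleteBucket", None),
    ("AdminPolicy", "*", "iam:CreateUser", NOW - timedelta(days=179)),
    ("AdminPolicy", "*", "iam:AttachUserPolicy", None),
]

def is_used(last_used, now=NOW, window_days=UNUSED_WINDOW_DAYS):
    """Used only if observed within the window; a timestamp exactly on the boundary counts."""
    return last_used is not None and (now - last_used) <= timedelta(days=window_days)

def service_of(action):
    """The service prefix of an IAM action, e.g. 's3' for 's3:GetObject'."""
    return action.split(":", 1)[0]

def entitlement_rows(granted=GRANTED, now=NOW):
    """One row per granted action, as in the Entitlements table, with its Used? verdict."""
    return [{"policy": p, "resource": r, "action": a, "used": is_used(lu, now)}
            for p, r, a, lu in granted]

def granted_vs_used(granted=GRANTED, now=NOW):
    """Per-service summary: granted count, used count and used percentage."""
    summary = defaultdict(lambda: {"granted": 0, "used": 0})
    for row in entitlement_rows(granted, now):
        svc = service_of(row["action"])
        summary[svc]["granted"] += 1
        summary[svc]["used"] += int(row["used"])
    for s in summary.values():
        s["used_pct"] = round(100 * s["used"] / s["granted"])
    return dict(summary)

def unused_actions(granted=GRANTED, now=NOW):
    """Least-privilege review aid: unused actions grouped by the policy that grants them."""
    out = defaultdict(list)
    for row in entitlement_rows(granted, now):
        if not row["used"]:
            out[row["policy"]].append(row["action"])
    return dict(out)

if __name__ == "__main__":
    for svc, s in granted_vs_used().items():
        print(f"{svc}: {s['used']}/{s['granted']} used ({s['used_pct']}%)")
    print("Unused, candidates for removal:", unused_actions())
```

With the sample data, s3 shows 1 of 3 entitlements used (33%) and iam shows 1 of 2 (50%); the unused actions are the ones a remediation would propose trimming from each policy.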
Linked identities
This tab contains two separate subtabs with the following information:
- Inbound - The selected identity's privileges can be assumed by the identities listed here. For example, if the current identity is an AWS role and a list of users is in this section, then these users can assume the role in question.
- Outbound - The selected identity can assume the privileges of the identities listed here. For example, if the current identity is an AWS role and a list of users is in this section, then the role in question can assume these users' privileges.
The tables have the following information:
Column | Description |
---|---|
Principal ID | The principal ID from the cloud service provider. |
Name | Name of the identity. |
Account ID | The account ID from the cloud service provider. |
Account alias | The account alias from the cloud service provider. |
Relation type | How the privileges relate. |
The More actions icon lets you access actions such as View identity details and View in Resource Explorer.
Remediations
This tab provides information about available remediations based on the risks identified for the specified identity.
For detailed information, refer to Entitlement Management Remediation.