
Identities FAQ

The Last Used field for a role shows "Unknown". Why?

Certain types of identities such as AWS groups do not track usage information. These identity types will report "Unknown".

The Last Used field for a role shows "Never", even though I switched to this role recently. Why?

Switching to a role does not by itself constitute role usage. Role usage means you switch to a role and then perform at least one non-STS operation (for example, listing EC2 instances). At this time Lacework does not count actions like STS GetCallerIdentity as entitlements, because they do not require a policy to grant access.

The Last Used field for an identity shows as "Never", even though the AWS console and IAM Access Advisor show it as used. Why?

The most likely reason is that a CloudTrail integration has not been set up within Lacework. Lacework identity management calculates usage by inspecting CloudTrail data.

The Status on the Entitlements tab shows "Unknown". Why?

Possible reasons for an "Unknown" entitlement status:

  • The actions are data events. Lacework currently supports management events only.
  • A CloudTrail integration has not been set up within Lacework.

When I add or delete IAM users/groups/roles, how long should it take for Lacework identity management dashboards to update?

Up to 24 hours. If you want to get an update sooner, you can trigger a refresh using:

lacework api post '/Inventory/scan?csp=AWS'

Note: You can see deleted identities if you change the time of assessment to a date/time when the identity was active.

How frequently does Lacework identity management evaluate user privileges including excessive privileges?

Currently, every 24 hours when there is an update from resource collection through cloud configuration integrations.

Are there any plans to support Google Cloud and Azure?

Currently, Lacework supports AWS only. However, Lacework intends to support Google Cloud and Azure in the future.

Which condition keys and operators are supported in AWS policies?

Supported condition keys

  • aws:PrincipalArn (static)
  • aws:SourceIp (runtime)
  • aws:PrincipalIsAWSService (static)
  • aws:PrincipalServiceName (static)
  • aws:userid (static)
  • sts:ExternalId (special)

Supported condition operators

  • StringEquals
  • StringNotEquals
  • StringEqualsIgnoreCase
  • StringNotEqualsIgnoreCase
  • StringLike
  • StringNotLike
  • StringEqualsIfExists
  • StringLikeIfExists
  • StringNotEqualsIfExists
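The lists above tell you which condition keys and operators Lacework can evaluate; a condition outside them is one reason an entitlement can end up with an "Unknown" status. The following is an added example, not Lacework's code: it walks the Condition blocks of an IAM policy document and reports every operator/key pair that is not on the supported lists. The trust policy, account ID and role names it runs against are constructed placeholders.

```python
import json

# Condition keys and operators this FAQ lists as supported (lower-cased).
SUPPORTED_KEYS = {
    "aws:principalarn", "aws:sourceip", "aws:principalisawsservice",
    "aws:principalservicename", "aws:userid", "sts:externalid",
}
SUPPORTED_OPERATORS = {
    "stringequals", "stringnotequals", "stringequalsignorecase",
    "stringnotequalsignorecase", "stringlike", "stringnotlike",
    "stringequalsifexists", "stringlikeifexists", "stringnotequalsifexists",
}

def unsupported_conditions(policy_json):
    """Return sorted (sid, operator, key) tuples for every Condition entry
    whose operator or key is outside the supported sets.  Comparison is
    case-insensitive (IAM condition keys are case-insensitive)."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # Statement may be a single object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", "Statement[%d]" % index)
        for operator, pairs in stmt.get("Condition", {}).items():
            for key in pairs:
                if (operator.lower() not in SUPPORTED_OPERATORS
                        or key.lower() not in SUPPORTED_KEYS):
                    findings.append((sid, operator, key))
    return sorted(findings)

# Constructed sample trust policy (placeholder account id).  "PartnerAssume"
# uses only listed keys/operators; "AdminAssume" adds an MFA check that is not.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PartnerAssume", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Condition": {
             "StringEquals": {"sts:ExternalId": "example-external-id"},
             "StringLike": {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/partner-*"}}},
        {"Sid": "AdminAssume", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Condition": {
             "Bool": {"aws:MultiFactorAuthPresent": "true"},
             "StringEquals": {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/admin"}}},
    ],
})
```

Running `unsupported_conditions(SAMPLE_TRUST_POLICY)` flags only the `Bool`/`aws:MultiFactorAuthPresent` pair in `AdminAssume`; the `PartnerAssume` statement is fully covered by the listed keys and operators.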

I have Okta or another Identity Provider (IdP). Where are all my users?

Lacework currently supports these identity types. Lacework is actively looking to support federated identities and integrate IdP data in the future.

In Top Identity Risks or the Explorer there are identities that I have accepted as risky that aren’t operational to me, like “break-glass” accounts and root identities. How can I exclude these?

Open the identity's details and click the Exceptions tab. Click Create new exception to add an exception for the identity.

I have an identity with cross-account access but notice each Identity Details page only shows one AWS account. Is there a way to find the multiple AWS accounts this identity is associated with?

Yes. The Identity Details page shows the AWS account associated with the identity. To source which account entitlements come from, go to the Entitlements tab and add the Account ID column. To find accounts this identity can access, select the Related Identities tab. This tab lets you navigate to any associated inbound or outbound identities.

What do all the risk icons mean? How can I find identities with similar risks?

Hover over each icon to display text that explains why that risk category was assigned to the identity of interest. If you click the Risk severity or the Risk icons themselves in the Explorer, a pop-up window displays to further explain the risks pertaining to an identity. To find identities with similar risks, select the Risk filter and select combinations you are interested in. At the top right corner, you can also save this filtered view using the Save icon.

The Explorer doesn’t show me all the data I need to help me explore or prioritize identities. What should I do?

At the top left of the Explorer table is a Select columns icon. The icon informs you how many columns you have active. Click the icon to toggle on/off any additional columns that may be of use.

Why do I see a lot of unused permissions for a particular identity but I don’t see any remediations?

Lacework considers unused permissions as “excessive” only if the permissions haven’t been used for 180 days or more. Here is a way to check: open the identity's details and check the identity creation date. If the creation date is more than 180 days ago, switch to the Entitlements tab and check the Status column in the right pane.

Why is the Jira ticket status in the Remediations tab in the Lacework Console different from the status I see in Jira?

Lacework doesn't currently synchronize the ticket status and other details into the Lacework Console. The Remediations tab only contains a link to the Jira ticket.