Explore Identities

To display an identity's details, go to Identities > Explore: Identities, and then click an identity in the list.

  • The Summary provides identity details and a trend chart for Granted vs. used (in the past 180 days) entitlements. Click the information icon for each risk to display an explanation about why it's an identity risk factor.
  • The Entitlements tab displays the used and unused entitlements for each service.
    Click a service in the left panel to display its resource and entitlement details.
  • The Linked identities tab contains two separate subtabs with inbound and outbound privilege information. Click the More actions icon to view identity details or open the Resource Explorer.
  • The Remediations tab provides information about available remediations based on the risks identified for the specified identity. Click a remediation to view the suggested actions, rationale for remediation, and resulting risk reduction.
  • The Exceptions tab lets you create exceptions to risks and provides information about existing exceptions.

Summary

This tab provides a summary of identity details and a trend chart for Granted vs. used (in the past 180 days) entitlements. AWS instance profiles also display an Associated EC2 instances table.

The risk severity is the highest severity of the risks that are associated with the identity.

To view the identity in a resource context, click the View in Resource Explorer icon (next to the Principal ID). To view access key details, hover over the access key. For risk details, click individual risk information icons.

The Summary tab displays the following information:

  • Name - The name assigned to the identity in the cloud environment. It identifies the specific user, group, role, or service principal that holds permissions to interact with cloud resources and services.
  • Type - The classification of the identity. Currently supported types: AWS group, AWS instance profile, AWS role, AWS root user, AWS service, AWS service-linked role, and AWS user.
  • Principal ID - The principal ID from the cloud service provider.
  • Account - The account ID from the cloud service provider.
  • Last used time - The last time the identity was used to access a resource or entitlement.
  • Created time - The creation date.
  • Access keys - Applicable to user identity types only. The access keys associated with the identity and whether each key is active or inactive. Access keys are long-term credentials: anyone who holds an active key can act as the user, so guard them, rotate them, and deactivate keys that are no longer used.
  • Risks - The identity's overall risk and the individual risks associated with it. Color-coded icons indicate the risk severity. Click the information icon for details about each risk. Refer to Entitlement risks for a list of all possible risks.
  • Tags - The tags assigned to the identity for categorization.

Identity Types

  • AWS group - A collection of IAM users that lets you specify permissions for multiple users at once. For more information, refer to IAM user groups in the AWS documentation.
  • AWS instance profile - Represents the identity of an EC2 instance. An instance profile is a container for one IAM role; software on the instance obtains temporary credentials for that role, so the instance profile's effective permissions are the role's permissions. For more information, refer to Using instance profiles in the AWS documentation.
  • AWS role - An IAM identity that you can create in your account that has specific permissions. For more information, refer to IAM roles in the AWS documentation.
  • AWS root user - The single sign-in identity you begin with when you create an AWS account. It has complete access to all AWS services and resources in the account, so it should not be used for everyday tasks. For more information, refer to AWS account root user in the AWS documentation.
  • AWS service - An AWS service acting as a principal, for example a service that a role's trust policy allows to assume that role.
  • AWS service-linked role - A type of IAM role that is linked directly to an AWS service. It is predefined by the service and includes all permissions that the service requires to call other AWS services on your behalf. For more information, refer to Using service-linked roles in the AWS documentation.
  • AWS user - An IAM entity that represents a person or workload that interacts with AWS using the user's long-term credentials (a console password or access keys). For more information, refer to IAM users in the AWS documentation.

Entitlements

This tab displays the percentage and number of the total granted entitlements that are unused for each service. Click a service in the left panel to display its details.

The table has the following information:

  • Resource name - The ARN or expression of the resource that the identity has privileges for.
  • Permissions - The permissions that the entitlements allow. A wildcard that is shown unexpanded means that none of the permissions it covers are used; a wildcard is expanded when any discrete permission within the service is used.
  • Status - Excessive, Used, or Unknown. Excessive means the entitlement holds unused permissions that should be removed. Used means the entitlement was used in the last 180 days. Unknown means usage of this entitlement is not recorded in event logs, so it cannot be determined.
  • Account - The account identifier from the cloud service provider.
  • Last used - Whether the entitlement was used in the last 180 days. No means it has not been used in that period.
  • Last used date/time - The date and time of the most recent use.
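The Used, Excessive and Unknown classification above can be reproduced offline from an identity's granted actions and its event-log activity. The following is an added example written for this page, not code from the product: the policy-style entitlements, the CloudTrail-style events and the set of actions treated as not logged are constructed sample data, and the wildcard-expansion and unused-percentage rules are this example's own reading of what the tab displays.

```python
"""Classify an identity's granted entitlements as Used, Excessive or Unknown from
event-log activity in a 180-day window, as the Entitlements tab describes.
Added example for this page; all data below is constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

WINDOW_DAYS = 180
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current" time

# Constructed: (resource, action) pairs one IAM identity is granted. Actions use the
# "service:Action" form and may contain wildcards, as in a policy document.
GRANTED = [
    ("arn:aws:s3:::example-bucket/*", "s3:GetObject"),
    ("arn:aws:s3:::example-bucket/*", "s3:PutObject"),
    ("arn:aws:s3:::example-bucket/*", "s3:DeleteObject"),
    ("*", "ec2:Describe*"),
    ("*", "iam:*"),
    ("*", "sts:GetCallerIdentity"),
]

# Constructed CloudTrail-style events: (eventTime, eventSource, eventName).
EVENTS = [
    (NOW - timedelta(days=3), "s3.amazonaws.com", "GetObject"),
    (NOW - timedelta(days=200), "s3.amazonaws.com", "DeleteObject"),  # outside window
    (NOW - timedelta(days=40), "ec2.amazonaws.com", "DescribeInstances"),
]

# Assumption: actions for which the logs carry no usage signal; they become Unknown.
NOT_LOGGED = frozenset({"sts:GetCallerIdentity"})


def used_actions(events, now, window_days=WINDOW_DAYS):
    """Map "service:Action" -> latest use, counting only events inside the window."""
    cutoff = now - timedelta(days=window_days)
    latest = {}
    for ts, event_source, event_name in events:
        if ts < cutoff:
            continue
        action = f"{event_source.split('.')[0]}:{event_name}"
        if action not in latest or ts > latest[action]:
            latest[action] = ts
    return latest


def classify(granted, events, now, not_logged=frozenset()):
    """One row per granted entitlement with its status and last use.

    A wildcard action is expanded (its matching used actions are listed) only when
    at least one action it covers was used; otherwise it stays unexpanded and is
    Excessive, meaning nothing under it was used in the window.
    """
    latest = used_actions(events, now)
    rows = []
    for resource, perm in granted:
        row = dict(resource=resource, permission=perm, last_used=None, expanded=[])
        if perm in not_logged:
            row["status"] = "Unknown"
        else:
            matched = {a: t for a, t in latest.items() if fnmatchcase(a, perm)}
            if matched:
                row["status"] = "Used"
                row["last_used"] = max(matched.values())
                if "*" in perm:
                    row["expanded"] = sorted(matched)
            else:
                row["status"] = "Excessive"
        rows.append(row)
    return rows


def service_summary(rows):
    """Per service (the left panel): granted count, unused count and unused percentage.
    Only Excessive rows count as unused; Unknown rows count as neither (assumption)."""
    per = defaultdict(lambda: [0, 0])
    for r in rows:
        svc = r["permission"].split(":")[0]
        per[svc][0] += 1
        if r["status"] == "Excessive":
            per[svc][1] += 1
    return {svc: dict(granted=g, unused=u, unused_pct=round(100 * u / g))
            for svc, (g, u) in per.items()}


if __name__ == "__main__":
    rows = classify(GRANTED, EVENTS, NOW, NOT_LOGGED)
    for r in rows:
        extra = f"  expanded: {', '.join(r['expanded'])}" if r["expanded"] else ""
        print(f"{r['status']:9} {r['permission']:24} {r['resource']}{extra}")
    for svc, s in service_summary(rows).items():
        print(f"{svc}: {s['unused']}/{s['granted']} unused ({s['unused_pct']}%)")
```

Note how s3:DeleteObject comes out Excessive even though it was used: the use is older than the 180-day window, which is exactly the case where removing the permission deserves a second look before acting on the status alone.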

Linked Identities

This tab contains two separate subtabs with the following information:

  • Inbound - The identities listed here can assume the selected identity's privileges. For example, if the current identity is an AWS role and a list of users appears in this section, those users can assume the role in question.
  • Outbound - The selected identity can assume the privileges of the identities listed here. For example, if the current identity is an AWS user and a list of roles appears in this section, that user can assume those roles.

The tables have the following information:

  • Principal ID - The principal ID from the cloud service provider.
  • Name - Name of the identity.
  • Account ID - The account ID from the cloud service provider.
  • Account alias - The account alias from the cloud service provider.
  • Relation type - How the linked identity relates to the selected identity, for example that one can assume the other.

The More actions icon lets you access actions such as View identity details and View in Resource Explorer.
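For AWS roles, the Inbound and Outbound relationships described above follow from the roles' trust policies. The following is an added example written for this page, not the product's own link derivation: it reads constructed AssumeRolePolicyDocument JSON for two roles, lists who can assume a role (Inbound) and which roles a principal can assume (Outbound), and then goes one step beyond the tab by chaining those links to find everything a principal can reach through successive role assumptions. The account ID, role and user names are invented, and Condition blocks and wildcard principals are deliberately not evaluated.

```python
"""Derive the Inbound and Outbound linked identities of a role from role trust
policies (AssumeRolePolicyDocument), then follow the chain of assumptions.
Added example for this page; the roles and policies are constructed."""
from collections import deque

# Constructed sample: trust policies of two roles in one account.
ROLES = {
    "arn:aws:iam::111122223333:role/Deployer": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": ["arn:aws:iam::111122223333:user/alice",
                                   "arn:aws:iam::111122223333:role/CI"]},
             "Action": "sts:AssumeRole"},
            {"Effect": "Allow",
             "Principal": {"Service": "ec2.amazonaws.com"},
             "Action": "sts:AssumeRole"},
        ],
    },
    "arn:aws:iam::111122223333:role/Auditor": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:role/Deployer"},
             "Action": ["sts:AssumeRole", "sts:TagSession"]},
            {"Effect": "Deny",
             "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
             "Action": "sts:AssumeRole"},
        ],
    },
}

ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}


def _as_list(value):
    """Policy JSON allows a scalar or a list in most places; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trusted_principals(policy):
    """Principals that Allow statements let call sts:AssumeRole, minus explicit Deny.

    Simplifications (assumptions of this example): Condition blocks are ignored,
    and a Principal of "*" or an account-root ARN is returned literally rather than
    expanded to every identity it covers.
    """
    allowed, denied = set(), set()
    for st in _as_list(policy.get("Statement", [])):
        if not ASSUME_ACTIONS & set(_as_list(st.get("Action", []))):
            continue
        principal = st.get("Principal", {})
        names = {"*"} if principal == "*" else {
            v for vals in principal.values() for v in _as_list(vals)}
        (allowed if st.get("Effect") == "Allow" else denied).update(names)
    return allowed - denied


def inbound(role_arn, roles):
    """Identities that can assume role_arn (the Inbound subtab)."""
    return sorted(trusted_principals(roles[role_arn]))


def outbound(principal_arn, roles):
    """Roles that principal_arn can assume directly (the Outbound subtab)."""
    return sorted(r for r, pol in roles.items()
                  if principal_arn in trusted_principals(pol))


def reachable(principal_arn, roles):
    """Every role principal_arn can reach by chaining assumptions (beyond the
    single hop the tab shows): breadth-first search over outbound links."""
    seen, queue = set(), deque([principal_arn])
    while queue:
        current = queue.popleft()
        for nxt in outbound(current, roles):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)


if __name__ == "__main__":
    deployer = "arn:aws:iam::111122223333:role/Deployer"
    alice = "arn:aws:iam::111122223333:user/alice"
    print("Inbound to Deployer:  ", inbound(deployer, ROLES))
    print("Outbound from Deployer:", outbound(deployer, ROLES))
    print("alice, direct:        ", outbound(alice, ROLES))
    print("alice, transitive:    ", reachable(alice, ROLES))
```

The chained result is the point: alice is explicitly denied on Auditor's trust policy, yet she reaches Auditor through Deployer, which is why a single-hop Inbound or Outbound list is a starting point rather than the full picture of an identity's effective privileges.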

Remediations

This tab provides information about available remediations based on the risks identified for the specified identity.

For detailed information, refer to Identity Risk Remediation.

Exceptions

This tab lets you create exceptions to risks and provides information about existing exceptions.

For detailed information, refer to Identity Risk Exceptions.