Skip to main content


About Identities

Cloud Identity Risk

Identities play an increasingly important role in securing cloud resources and data. Traditional wisdom calls for a least privileged approach to granting access, which means only giving users the permissions they need to perform their jobs. However, approaching this end state is far more complex for cloud-native applications.

Cloud users and entities are typically over-permissioned, with the intention of right-sizing access at a future date. However, this rarely happens. Excess entitlements, dormant identities, and toxic combinations leave organizations highly exposed to cloud breach, account takeover, and data exfiltration.

Gain Visibility and Control of Cloud Identities

Cloud identity risk management requires visibility into all cloud identities and what actions each can perform. Cloud infrastructure entitlement management (CIEM) is a set of capabilities that helps organizations enforce the principle of least privilege when it comes to managing cloud infrastructure services.

Lacework provides security teams with the visibility and context to understand their cloud identity architectures and right-size cloud permissions to achieve least privilege goals. Comprehensive Lacework-provided visibility lets you:

  • Show all identities - Lacework continuously discovers cloud identities and their associated entitlements dynamically to provide a full and always up-to-date inventory of cloud users, resources, groups, and roles.
  • Know precisely who can perform which actions to identify overly permissive identities - Lacework continuously ingests event data from cloud services to determine all of the actions an identity has taken over a given time period.
  • Prioritize the greatest risks - Lacework calculates a risk score for each identity based on multiple factors.
  • Scope down permissions accordingly to reduce risk - Lacework automatically generates suggested changes for right-sizing permission artifacts.


To take full advantage of Lacework identity management capabilities, enable all of the following:


Identity management requires:


  • Only AWS is supported.
  • Lacework evaluates service control policies (SCPs) defined at the root level and account level. Lacework does not currently evaluate SCPs defined at the OU level.
  • Only resource policies supported by resource management are supported (refer to AWS Configuration Datasources for resource management support information).
  • For lateral role chains, currently one hop is supported.
  • For linked identities, Lacework currently supports AWS principal exact matches for assume role policies (trust policies). There is a special form of principal identifier that allows any user/role within an account. For information, refer to How to use trust policies with IAM roles.
  • Entitlement usage and dormant identity risk consider a lookback of 180 days. This is a static value and will be customizable in the future.

Identity Data Capture Frequency

Lacework captures identity data every 24 hours.

AWS Configuration Integration for the AWS Organization Management Account

To take full advantage of Lacework identity management capabilities, Lacework recommends integrating your AWS organization management account. To do this, use your preferred method (Terraform, CloudFormation, or manual) to create a Configuration integration with your AWS organization account. A CloudTrail integration is not needed for the AWS organization account.

To learn more about AWS organizations, refer to What is AWS Organizations?