This page covers the first-time user experience for installing and configuring Access Explorer. It walks you through the process and components (required and optional) necessary to set up Access Explorer.
To ensure you can complete the installation process we recommend that you gather all of the requirements and verify these details before you start.
If this is not your first time setting up Access Explorer, you can skip over to Access Explorer - Configuration and Settings for specific details on configuration and settings.
While most of the steps included in the setup are optional and can be skipped or configured later, we recommend completing all of these steps to provide the best overall user experience. The more data you provide, the more useful the tool will be. You will have better context, relationship data, and understanding around your cloud IAM configurations.
Cloud IAM Governance infrastructure requirements are detailed below. If, after reading through the technical specifications here, you have questions or are concerned about performance for your individual environment, we are happy to work with you directly to make recommendations. Reach out to us through the Customer Support Portal.
Note to SaaS/Hosted Customers
The infrastructure requirements outlined here apply to self-hosted customers only. If you are a SaaS/hosted customer, InsightCloudSec will provide the infrastructure necessary to run IAM Access Explorer.
Deployment Requirements - ECS Fargate via Terraform is required
We do not support traditional EC2 instances for Access Explorer functionality. ECS Fargate deployment can be found here.
If you are already running our ECS Fargate deployment, perform the following to enable Access Explorer:
- Ensure your InsightCloudSec license has the Access Explorer feature enabled. Contact your CSM or reach out to us through Getting Support if you are unsure of license status.
- If Access Explorer was recently enabled for your license, manually refresh your license to ensure the feature is enabled in your installation. Instructions to validate this can be found here.
- Enable the IAM Access Explorer via the `enable_iam_analyzer` variable in your `tfvars` file. Instructions on enabling this can be found here.
- Increase the size of your Redis instance to accommodate the additional data used for IAM Access Explorer analysis. In your `tfvars` file, set `redis_node_type = "cache.m5.large"` (you may already be running an instance of this size).
- After updating the `tfvars` file, run a Terraform plan/apply on your InsightCloudSec infrastructure. You will see the creation of a new ECS service and task definition labeled `worker-p3` and existing task definitions being updated with a new environment variable
InsightCloudSec vs. DivvyCloud
Instructions, examples, database values and back end capabilities may still refer to DivvyCloud vs. InsightCloudSec. The functionality is the same - just ensure that when using paths/databases/etc., your configuration references the appropriate items.
- Run the Cache Workload Size Calculator
Navigate to this page (e.g. http://yourhostname.com/iam/cache_calculator)
- Ensure that all of the cloud accounts are selected. Click inside the Cloud Accounts box. Click on the check box at the top of the list until it is a check mark. This will not affect which clouds are AllowListed for the IAM cache build.
- Click on Calculate.
- Use the Total Pairs number in the following table to determine your starting workers count.
|Total Pairs|Starting Workers Count|
|---|---|
|up to 500M|12 workers|
|500M to 1B|24 workers|
|1B to 1.5B|36 workers|
|over 1.5B|contact InsightCloudSec through the Customer Support Portal|
The default P3 task count of `12` can be overridden by adding `worker_p3_task_count` to your
After you successfully complete a cache build, you can start reducing the number of workers until the cache build time starts to rise.
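The deployment settings and sizing table above can be checked before running `terraform plan`. The following is an added example, not InsightCloudSec code: it assumes a flat `tfvars` file, that `enable_iam_analyzer` is a boolean, and that `worker_p3_task_count` lives in the same file; the sample input is constructed.

```python
import re

# Sizing table from this page: (upper bound on Total Pairs, starting workers).
WORKER_TIERS = [(500_000_000, 12), (1_000_000_000, 24), (1_500_000_000, 36)]
REDIS_NODE_TYPE = "cache.m5.large"  # node type given on this page
DEFAULT_P3_TASKS = 12               # default P3 task count stated on this page

def parse_tfvars(text):
    """Parse flat `name = value` lines; blocks, lists and maps are ignored."""
    values = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)(?:\s+(?:#|//).*)?\s*$', line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            values[name] = raw[1:-1]
        elif raw in ("true", "false"):
            values[name] = raw == "true"
        elif raw.isdigit():
            values[name] = int(raw)
        else:
            values[name] = raw
    return values

def starting_workers(total_pairs):
    """Starting worker count for a Total Pairs figure, or None above 1.5B."""
    for upper, workers in WORKER_TIERS:
        if total_pairs <= upper:
            return workers
    return None

def preflight(tfvars_text, total_pairs):
    """Return a list of findings to resolve before `terraform plan`."""
    cfg, findings = parse_tfvars(tfvars_text), []
    if cfg.get("enable_iam_analyzer") is not True:  # assumed to be a boolean
        findings.append("enable_iam_analyzer is not true")
    if cfg.get("redis_node_type") != REDIS_NODE_TYPE:
        findings.append(f"redis_node_type is {cfg.get('redis_node_type')!r}, "
                        f"expected {REDIS_NODE_TYPE!r} or larger")
    want = starting_workers(total_pairs)
    have = cfg.get("worker_p3_task_count", DEFAULT_P3_TASKS)
    if want is None:
        findings.append("Total Pairs over 1.5B: get sizing from support")
    elif not isinstance(have, int) or have < want:
        findings.append(f"worker_p3_task_count is {have}, table suggests {want}")
    return findings

# Constructed sample tfvars (not a real deployment), checked against 750M pairs.
SAMPLE_TFVARS = 'enable_iam_analyzer = true\nredis_node_type = "cache.t3.medium"  # constructed\n'

if __name__ == "__main__":
    for finding in preflight(SAMPLE_TFVARS, 750_000_000):
        print("FINDING:", finding)
```

Any `redis_node_type` other than `cache.m5.large` is reported for manual review, since the script does not rank node sizes.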
- An InsightCloudSec platform installation with administrative permissions
- At least one AWS cloud connected to InsightCloudSec
- For instructions on adding a cloud account to your InsightCloudSec platform refer to our Cloud Account Setup page
- Details on your Tagging or Name strategy to define your applications
- To complete the optional steps for configuring CMDB and EIAM you will need the following:
- A list of principals you want to exclude from your configuration (optional)
Users launching Access Explorer for the first time will be met with a guided "Getting Started with Access Explorer" process. This process walks through the required and optional steps to complete the setup and configuration for Access Explorer.
Recommendations for Optional Steps
While only "Step 1 - Choose Cloud Accounts to Include" and building the cache are required to complete the setup, we strongly recommend completing the optional steps to provide a better overall experience.
In this step you will select the cloud accounts (currently AWS) that you have connected to your InsightCloudSec platform to include for analysis in Access Explorer.
- Refer to Cloud Account Setup for instructions on connecting additional cloud accounts to InsightCloudSec
- Check out Access Explorer - Configuration and Settings for details on Included Accounts.
In this optional step you can define rules to create applications. By understanding your tagging or naming schema, we can dynamically group resources in Application Groups.
- Refer to the complete documentation on [Configuring Application Groups](doc:access-explorer-configuration-and-settings#configuring-application-groups).
- Add as many rules as you want to include.
- Select "Save Application Group" to save your application and reset the form. This will allow you to create a new application. (Note: You can also add applications after you complete the initial setup.)
- To verify that your rules are working as intended click "Test Group Rule," which will provide a list of resources that match (including a count) each rule provided.
In this optional step, users provide their CMDB settings in a CSV file. There are two options to share the CSV file: You can upload the file or point to an AWS S3 bucket to fetch the file.
- Refer to the Configuring CMDB documentation for the complete details on this step (file format requirements and details for both options).
- Review the details on the required CSV file here.
In this optional step, users provide their EIAM settings in a JSON file. There are two options to share the JSON file: You can upload the file or point to an AWS S3 bucket to fetch the file.
- Refer to the Configuring EIAM documentation for the complete details on this step.
- Review the details on the required JSON file here.
In this optional step, you can choose to define principals that you would like the analyzer to ignore. By excluding principals like IAM superusers or other users that have extensive permissions you can reduce your cache build time.
- Select "Add Role" to specify a Principal you would like to add to the ignore list.
- Click the "test" option for any role to see a list of matches before adding it to your list.
To revise the list of principals after the setup is complete you can visit the settings in Access Explorer. Read more about those on the Access Explorer - Configuration and Settings page.
When you have added all of the details you want to include for your Access Explorer installation, select the "Finish Setup & Start Cache Build" button to complete the setup process.
If everything has been added correctly, you will receive the following confirmation.
Once you have completed your initial setup for Access Explorer, after the cache-building process completes, your installation will be ready to use.
From your InsightCloudSec platform, navigate to "Security --> Access Explorer" and select "Access Explorer."
You can also check out the Using Access Explorer - Feature Guide for details on using the Cloud IAM Governance via Access Explorer.
For instructions on configuring any of the components included in the initial setup process outside of this guided setup, check out the Access Explorer - Configuration and Settings documentation.