Access Explorer - Setup

First-time setup for the Access Explorer

This page covers the first-time user experience for installing and configuring Access Explorer. It walks you through the process and components (required and optional) necessary to set up Access Explorer.

To ensure you can complete the installation process, we recommend that you gather all of the requirements and verify these details before you start.

If this is not your first time setting up Access Explorer, you can skip to Access Explorer - Configuration and Settings for specific details on configuration and settings.

📘

Installation Recommendations

While most of the steps included in the setup are optional and can be skipped or configured later, we recommend completing all of these steps to provide the best overall user experience. The more data you provide, the more useful the tool will be. You will have better context, relationship data, and understanding around your cloud IAM configurations.

Infrastructure Requirements

Cloud IAM Governance infrastructure requirements are detailed below. If, after reading through the technical specifications here, you have questions or are concerned about performance for your individual environment, we are happy to work with you directly to make recommendations. Reach out to us through the Customer Support Portal.

Note to SaaS/Hosted Customers
The infrastructure requirements outlined here apply to self-hosted customers only. If you are a SaaS/hosted customer, InsightCloudSec will provide the infrastructure necessary to run IAM Access Explorer.

❗️

Deployment Requirements - ECS Fargate via Terraform is required

We do not support traditional EC2 instances for Access Explorer functionality. ECS Fargate deployment can be found here.

For Customers Running ECS Fargate

If you are already running our ECS Fargate deployment, perform the following to enable Access Explorer:

  • Ensure your InsightCloudSec license has the Access Explorer feature enabled. Contact your CSM or reach out to us through Getting Support if you are unsure of license status.
  • If Access Explorer was recently enabled for your license, manually refresh your license to ensure the feature is enabled in your installation. Instructions to validate this can be found here.
  • Enable the IAM Access Explorer via the enable_iam_analyzer variable in your tfvars file. Instructions on enabling this can be found here.
  • Increase the size of your Redis instance to accommodate the additional data used for IAM Access Explorer analysis. In your tfvars file, add redis_node_type = "cache.m5.large" (you may already be running an instance of this size).
  • After updating the tfvars file, run a Terraform plan/apply on your InsightCloudSec infrastructure. You will see the creation of a new ECS service and task definition labeled worker-p3 and existing task definitions being updated with a new environment variable DIVVY_IAM_ANALYZER_PARALLEL_ENABLED.

📘

InsightCloudSec vs. DivvyCloud

Instructions, examples, database values and back-end capabilities may still refer to DivvyCloud rather than InsightCloudSec. The functionality is the same; just ensure that when using paths, databases, etc., your configuration references the appropriate items.

Sizing the P3 Workers Count

  1. Run the Cache Workload Size Calculator
    Navigate to this page (e.g. http://yourhostname.com/iam/cache_calculator)
  2. Ensure that all of the cloud accounts are selected. Click inside the Cloud Accounts box. Click on the check box at the top of the list until it is a check mark. This will not affect which clouds are AllowListed for the IAM cache build.
  3. Click on Calculate.
  4. Use the Total Pairs number in the following table to determine your starting workers count.

| Total Pairs | Starting Workers Count |
|---|---|
| up to 500M | 12 workers |
| 500M to 1B | 24 workers |
| 1B to 1.5B | 36 workers |
| over 1.5B | contact InsightCloudSec through the Customer Support Portal |

The default P3 task count of 12 can be overridden by adding worker_p3_task_count to your tfvars file.

After you successfully complete a cache build, you can start reducing the number of workers until the cache build time starts to rise.
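A pre-flight check for the tfvars changes and the sizing table above, written as an added example (not InsightCloudSec code) that can be run before terraform plan/apply. It assumes enable_iam_analyzer is a boolean set to true, that the table's upper bounds are inclusive, and that the tfvars file uses flat name = value lines; the function names and the sample input are constructed for illustration.

```python
import re

# Sizing table from this page; treating each upper bound as inclusive is an assumption.
SIZING = [(500_000_000, 12), (1_000_000_000, 24), (1_500_000_000, 36)]
DEFAULT_P3_TASKS = 12  # default P3 task count stated on this page

# Matches flat `name = "string"` or `name = bare_token` lines; comment lines do not match.
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(?:"([^"]*)"|([^\s#]+))')

def parse_tfvars(text):
    """Return {name: value-as-string} for flat assignments in a tfvars file."""
    values = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return values

def starting_workers(total_pairs):
    """Starting worker count for a Total Pairs figure, or None above 1.5B."""
    for upper, workers in SIZING:
        if total_pairs <= upper:
            return workers
    return None

def preflight(tfvars_text, total_pairs):
    """List the settings that do not match this page's instructions."""
    v = parse_tfvars(tfvars_text)
    findings = []
    # Assumption: the variable is a boolean that must be set to true.
    if v.get("enable_iam_analyzer") != "true":
        findings.append("enable_iam_analyzer is not set to true")
    if v.get("redis_node_type") != "cache.m5.large":
        findings.append("redis_node_type is not cache.m5.large")
    wanted = starting_workers(total_pairs)
    actual = int(v.get("worker_p3_task_count", DEFAULT_P3_TASKS))
    if wanted is None:
        findings.append("over 1.5B pairs: contact support for sizing")
    elif actual < wanted:
        findings.append(f"worker_p3_task_count is {actual}, table suggests {wanted}")
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = 'enable_iam_analyzer = true\nredis_node_type     = "cache.m5.large"\n'

if __name__ == "__main__":
    for finding in preflight(SAMPLE, 750_000_000):
        print("CHECK:", finding)
```

With the sample file and 750M Total Pairs, the only finding is the worker count, because the default of 12 is below the 24 the table gives for that range.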

First-Time Setup

Prerequisites & Recommendations

  • An InsightCloudSec platform installation with administrative permissions
  • At least one AWS cloud connected to InsightCloudSec
    • For instructions on adding a cloud account to your InsightCloudSec platform refer to our Cloud Account Setup page
  • Details on your Tagging or Name strategy to define your applications
  • To complete the optional steps for configuring CMDB and EIAM you will need the following:
    • An appropriately formatted CMDB CSV file (for upload or fetched from S3)
    • An appropriately formatted EIAM JSON file (for upload or fetched from S3)
  • A list of principals you want to exclude from your configuration (optional)

Users launching Access Explorer for the first time will be met with a guided "Getting Started with Access Explorer" process. This process walks through the required and optional steps to complete the setup and configuration for Access Explorer.

📘

Recommendations for Optional Steps

While only "Step 1 - Choose Cloud Accounts to Include" and building the cache are required to complete the setup, we strongly recommend completing the optional steps to provide a better overall experience.

Step 1 - Choose Cloud Accounts to Include

In this step you will select the cloud accounts (currently AWS) that you have connected to your InsightCloudSec platform to include for analysis in Access Explorer.

Getting Started with Access Explorer - Step 1 (Included Cloud Accounts)

Step 2 - Create Application Groups

In this optional step you can define rules to create applications. By understanding your tagging or naming schema, we can dynamically group resources in Application Groups.

  • Refer to the complete documentation on [Configuring Application Groups](doc:access-explorer-configuration-and-settings#configuring-application-groups).
  • Add as many rules as you want to include.
  • Select "Save Application Group" to save your application and reset the form. This will allow you to create a new application. (Note: You can also add applications after you complete the initial setup.)
  • To verify that your rules are working as intended, click "Test Group Rule," which lists the resources that match each rule provided, including a count.

Getting Started with Access Explorer - Step 2 (Application Groups)

Step 3 - Configure CMDB Settings

In this optional step, users provide their CMDB settings in a CSV file. There are two options to share the CSV file: You can upload the file or point to an AWS S3 bucket to fetch the file.

  • Refer to the Configuring CMDB documentation for the complete details on this step (file format requirements and details for both options).
  • Review the details on the required CSV file here.

Getting Started with Access Explorer - Step 3 (CMDB)

Step 4 - Configure EIAM Settings

In this optional step, users provide their EIAM settings in a JSON file. There are two options to share the JSON file: You can upload the file or point to an AWS S3 bucket to fetch the file.

Getting Started with Access Explorer - Step 4 (EIAM)

Step 5 - Principal Ignore List

In this optional step, you can choose to define principals that you would like the analyzer to ignore. By excluding principals like IAM superusers or other users that have extensive permissions, you can reduce your cache build time.

  • Select "Add Role" to specify a Principal you would like to add to the ignore list.
  • Click the "test" option for any role to see a list of matches before adding it to your list.

To revise the list of principals after the setup is complete you can visit the settings in Access Explorer. Read more about those on the Access Explorer - Configuration and Settings page.

Getting Started with Access Explorer - Step 5 (Principal Ignore List)

Final Step - Finish Setup & Start Cache Build

When you have added all of the details you want to include for your Access Explorer installation, select the "Finish Setup & Start Cache Build" button to complete the setup process.

If everything has been added correctly, you will receive the following confirmation.

Getting Started with Access Explorer - Confirmation

What's Next?

Once you have completed the initial setup and the cache-building process finishes, your Access Explorer installation will be ready to use.

From your InsightCloudSec platform, navigate to "Security --> Access Explorer" and select "Access Explorer."

Access Explorer Landing Page

You can also check out the Using Access Explorer - Feature Guide for details on using Cloud IAM Governance via Access Explorer.

For instructions on configuring any of the components included in the initial setup process outside of this guided setup, check out the Access Explorer - Configuration and Settings documentation.

