Cloud IAM Governance - Access Explorer

An Overview of the Access Explorer, the Cloud IAM Governance tool.

Within the InsightCloudSec platform, the Cloud IAM Governance functionality is managed using Access Explorer. This page provides a high-level overview of this feature to help existing and potential customers understand the capabilities.


Getting Access to Cloud IAM Governance

The Cloud IAM Governance (Access Explorer) capability is an add-on to the InsightCloudSec platform. If you are interested in adding this feature or learning more reach out to us through the Customer Support Portal.

What Is Identity and Access Management?

In the wider technical space, Identity and Access Management (IAM) is defined as "the tools and processes used to govern the privileges a user, role, or group has to access resources." In the traditional IT world, IAM may have meant user access to files on a local network server, but as cloud adoption increases so has the use of IAM in the cloud. With cloud, organizations need visibility and management around who and what has access to a cloud resource. This challenge is what led us to create our Cloud IAM Governance Module - Access Explorer.

To learn more about the value of IAM in cloud security, check out our white paper Gaining Control Over Cloud IAM Chaos.

What Problems Does the InsightCloudSec IAM Governance Capability Solve?

Cloud IAM Governance (through Access Explorer) enables organizations to manage IAM challenges across the full scope of their cloud footprint. Within AWS there are five different ways to specify or grant access to an individual resource. Attempting to track these various methods of access across dozens of resource types through separate console interfaces with differing structures is a time-consuming and error-prone process. Access Explorer gives you the ability to pull all of this information into a single interface. This capability dramatically improves visibility across your entire cloud, ensuring access defined around users and associated resources are accounted for.

Understanding IAM Terminology

To better understand Access Explorer and how some of the main components operate, the list below reflects some of the common terms we use.

  • Principal - A user, role, or group making a request for an action or operation on a resource. Federated users, IAM roles, and IAM users are all constructs that can be used to access cloud resources. Access Explorer uses principals to map the who to what and explains the how.
  • Resource - Any of the resource types that InsightCloudSec can harvest for AWS (S3 bucket, EC2 instance, etc.). Want to know which EC2 instances can access a critical S3 bucket, or which containers can access an SNS Topic? Access Explorer allows you to view information at a resource-to-resource level.
  • Application - A logical group of resources based on tagging or naming schemes. Your application and services are made up of cloud resources. Use your own tagging and naming scheme to group your resources to applications and then explore the other resources and principals that have access to those applications.
  • Federated User - Federated users rely on a single authentication ticket/token (often called single sign-on or SSO) to obtain access across numerous networks or IT systems (in this case cloud-based systems, services, and resources). A Federated user doesn't have to perform any other separate login processes. Federated identity is all about assigning the task of authentication to an external identity provider.
  • Effective Access - The net actions that a principal may perform on a resource taking into account the evaluation of relevant cloud IAM policies. The primary purpose of Access Explorer is to understand the relationship between principals, resources, and applications. Starting with any of these subjects users can explore access down to the principal -> resource level and understand the how and the why behind the access (Effective Access).
    • Note: When starting with an Application, the context of the principals and resources is scoped to those associated with the application.

How Do We Handle IAM Governance?

InsightCloudSec harvests IAM policies from your cloud environment. Access Explorer performs an analysis of these policies, which establishes the connections between resources and principals.

Access Explorer tells the access story based on application(s) through configuration that incorporates the tagging and/or naming scheme an organization uses.

In addition, Access Explorer offers the following:

  • CMDB Integration - Import application-specific metadata from your configuration management database (CMDB) to add more detailed information to your access exploration.
  • EIAM Integration - Understand the relationship between your federated users and the roles that they can assume. By importing groups and users from your enterprise and defining how those groups map to AWS Roles they can assume, Access Explorer can link federated users to the resources they can access through role assumption.

What's Next?

If you have questions about using our IAM Governance capabilities or other InsightCloudSec platform features, we want to hear from you! Reach out to us through the Customer Support Portal.

Otherwise, check out Getting Started with Access Explorer to explore our documentation on working with this feature.