Using the Principal Explorer

Accessing, Navigating, and Using the Principal Explorer

Once you have completed the setup and configuration to launch Cloud IAM Governance - Access Explorer, InsightCloudSec offers a Principal Explorer that is accessible from the Resources page of the product or from the actions menu on Principals in Access Explorer.

In Resources, there are three columns (Matching Services, Allowed Services, Allowed Actions) that help surface AWS users and roles that have extensive permissions to various AWS services within your environment.

Once you have found Principals with the most privileges, the Principal Explorer provides a quick way to drill down into the types and level of permissions the user or role has.

Using the Principal Explorer

Resources Access to the Principal Explorer

To launch the Principal Explorer, navigate to “Resource → Resources” on your InsightCloudSec platform, then navigate to the "Identity & Management" tab. The Principal Explorer can only be accessed on the Cloud Users and Cloud Roles resources.

Once you've selected the desired resource, you will see the three aforementioned columns (in addition to the other columns that are normally there for the resource):

  • Matching Services (at least 90% allowed)
    • Note: 90% is the default value for the column but can be adjusted using filters. See below for details.
  • Allowed Services
  • Allowed Actions

Each of these columns' values is a link. Clicking the value will open the "Principal Explorer". Alternatively, click the actions menu ("..."), then click "Principal Explorer".

Figure: Accessing the Principal Explorer

Fine-tuning Your Resource Results

Before opening the Principal Explorer, it may make sense to filter your environment results first. As mentioned previously, InsightCloudSec displays users or roles that have 90% or more access to a service by default, i.e., the user or role has 90% of the available service permissions or the user or role is 90% of the way to wildcard, or full, access. This number can be adjusted in several different ways:

1. With the Cloud User or Cloud Role resource open, click "Filters" in the top right-hand corner.

Figure: Filters

2. Search for "actions count".

Figure: Principal Explorer Filters

3. Select a filter:

  • "Principal has Wildcard Access to Services with Denied Actions Count Below Threshold (AWS)" -- Select this filter if you would like to search for users/roles based on how many actions they have denied to them.
  • "Principal has Effective Access to Services with Allowed Actions Count Above Threshold (AWS)" -- Select this filter if you would like to search for users/roles based on how many actions they have granted to them.

4. Optionally, provide a service you want to filter on.

5. Select a "Tolerance Type": "Action Count" or "Percentage".

  • Note: An Action is equivalent to a specific service permission, e.g., "ec2:DescribeAccountAttributes", so you're essentially choosing between raw number and percent.

6. Provide a tolerance value.

7. Click "Apply".

  • The "Matching Services... " column will be updated to match the selected filter.

Figure: Configured Filter

Opening Principal Explorer from Access Explorer

To launch the Principal Explorer within Access Explorer, navigate to "Security → Access Explorer" on your InsightCloudSec platform, then navigate to the "Principals" tab. The Principal Explorer can be accessed by selecting the actions menu to the left of any Principal Name.

Figure: Principal Explorer within Access Explorer

Principal Explorer

After optionally filtering your results and opening the Principal Explorer, you'll be greeted by a three-panel window. The summary above the three panels covers the selected Principal: the name of the selected Principal, Total # of Services, Total # of Actions, and Total # of Resources (this is a hyperlinked value that opens a filtered version of the Access Explorer showing those resources' details).

The three panels from left-to-right are the Policy Stack, the Policy Viewer, and Effective Access.

Policy Stack

The Policy Stack shows the policies inherited via Service Control Policies, the policies inherited via IAM Groups, and the policies applied directly to the user/role.

Expand each grouping to view the policies that are inherited or directly applied.

Deselecting a policy will simulate removing that policy and will update the "Effective Access" panel; clicking a policy will scroll to the policy and highlight it in the "Policy Viewer".

Figure: Policy Stack

Policy Viewer

The Policy Viewer displays a JSON file containing the user/role's ARN, type, and attached policies. Click the "search" (magnifying glass) button to open a field that can be used to search for terms throughout the policy. Click "Download" to download the JSON file to your web browser.

Figure: Policy Viewer

Effective Access

Effective Access displays the various permissions, or actions, that this user or role has access to, grouped by service. Clicking on the right-facing arrow to the right of each service name will open a list of the actions that are granted for that service. You can use the search bar to search for permission names or services and the list will automatically filter as you type.
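The following is an added example, not code from InsightCloudSec or from this page, that models in plain Python what the Fine-tuning filters, the Policy Stack and the Effective Access panel describe: a stack of policies (SCP, IAM Group, direct) is reduced to per-service effective actions with explicit Deny winning over Allow, deselecting a policy is simulated by leaving it out of the stack, and the "Percentage" / "Action Count" tolerance types are applied to decide which services count as "Matching Services". The policies are written as standard AWS IAM policy documents because the exact JSON layout the Policy Viewer shows is not on the page; the per-service action catalogue is a constructed, deliberately small subset (real services expose far more actions), and only `Resource: "*"` statements are considered, since the page does not describe resource-level handling.

```python
import fnmatch
from typing import Dict, List, Optional, Set, Tuple

# Constructed catalogue: a small subset of actions per service (assumption).
SERVICE_ACTIONS: Dict[str, List[str]] = {
    "s3": ["GetObject", "PutObject", "DeleteObject", "ListBucket", "GetBucketPolicy",
           "PutBucketPolicy", "DeleteBucket", "CreateBucket", "GetBucketAcl", "PutBucketAcl"],
    "ec2": ["DescribeInstances", "DescribeAccountAttributes", "RunInstances",
            "TerminateInstances", "StartInstances", "StopInstances", "CreateTags",
            "DescribeSecurityGroups", "AuthorizeSecurityGroupIngress",
            "RevokeSecurityGroupIngress"],
    "iam": ["GetUser", "ListUsers", "CreateUser", "DeleteUser", "AttachUserPolicy",
            "PutUserPolicy", "CreateAccessKey", "ListRoles", "PassRole",
            "UpdateAssumeRolePolicy"],
}

# Constructed policy stack for one principal, in the three groupings the Policy Stack uses.
POLICY_STACK = [
    {"Name": "SCP-DenyIAMMutation", "Source": "Service Control Policy", "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny",
                       "Action": ["iam:Create*", "iam:Delete*", "iam:Attach*", "iam:Put*"],
                       "Resource": "*"}]}},
    {"Name": "GroupDevelopers", "Source": "IAM Group", "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"],
                       "Resource": "*"}]}},
    {"Name": "InlineAdmin", "Source": "Direct", "Document": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}},
]


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def expand(pattern: str) -> Set[str]:
    """Expand an IAM action pattern ('ec2:Describe*', 'iam:*', '*') against the catalogue.
    IAM action matching is case-insensitive, so both sides are lower-cased."""
    if pattern == "*":
        pattern = "*:*"
    svc_pat, _, act_pat = pattern.partition(":")
    matched = set()
    for svc, actions in SERVICE_ACTIONS.items():
        if fnmatch.fnmatchcase(svc, svc_pat.lower()):
            matched.update(f"{svc}:{a}" for a in actions
                           if fnmatch.fnmatchcase(a.lower(), act_pat.lower()))
    return matched


def effective_access(stack, selected: Optional[Set[str]] = None) -> Dict[str, Set[str]]:
    """Effective actions grouped by service: union of Allows minus union of Denies.
    `selected` lists the policy names still ticked in the Policy Stack; any policy not
    in it is treated as removed, which is what deselecting a policy simulates."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for policy in stack:
        if selected is not None and policy["Name"] not in selected:
            continue
        for stmt in policy["Document"]["Statement"]:
            if stmt.get("Resource") != "*":
                continue  # resource-scoped statements are out of scope here
            target = allowed if stmt["Effect"] == "Allow" else denied
            for pat in _as_list(stmt.get("Action", [])):
                target |= expand(pat)
    grouped: Dict[str, Set[str]] = {}
    for action in allowed - denied:
        grouped.setdefault(action.split(":", 1)[0], set()).add(action)
    return grouped


def summary(access: Dict[str, Set[str]]) -> Tuple[int, int]:
    """(Total # of Services, Total # of Actions), as shown above the three panels."""
    return len(access), sum(len(a) for a in access.values())


def matching_services(access: Dict[str, Set[str]], tolerance_type: str = "Percentage",
                      tolerance: float = 90) -> Dict[str, Tuple[int, int]]:
    """Services whose allowed-action count meets the threshold, keyed to (allowed, total).
    Defaults mirror the page: at least 90% of the service's actions allowed."""
    result = {}
    for svc, actions in access.items():
        total = len(SERVICE_ACTIONS[svc])
        count = len(actions)
        if tolerance_type == "Percentage":
            measure = 100.0 * count / total
        elif tolerance_type == "Action Count":
            measure = count
        else:
            raise ValueError(f"unknown tolerance type: {tolerance_type}")
        if measure >= tolerance:
            result[svc] = (count, total)
    return result


def services_with_few_denied(access: Dict[str, Set[str]], threshold: int) -> Dict[str, int]:
    """The 'denied actions count below threshold' view: services where the number of
    catalogue actions the principal does NOT hold is below `threshold`."""
    return {svc: len(SERVICE_ACTIONS[svc]) - len(actions)
            for svc, actions in access.items()
            if len(SERVICE_ACTIONS[svc]) - len(actions) < threshold}


if __name__ == "__main__":
    access = effective_access(POLICY_STACK)
    print("summary (services, actions):", summary(access))
    print("matching at 90%:", matching_services(access))
    print("without the SCP:", matching_services(
        effective_access(POLICY_STACK, selected={"GroupDevelopers", "InlineAdmin"})))
```

Run as a script, the full stack yields 3 services and 18 actions, with only `s3` matching at the 90% default because the SCP's Deny strips five of the ten `iam` actions; deselecting the SCP (dropping it from `selected`) lifts `iam` to 100%, which is exactly the "what if this policy were removed" check the Policy Stack panel performs.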

Figure: Effective Access
