Once you have completed the setup and configuration to launch Cloud IAM Governance - Access Explorer, InsightCloudSec offers a Principal Explorer that is accessible from the Resources page of the product or from the actions menu on Principals in Access Explorer.
In Resources, there are three (Matching Services, Allowed Services, Allowed Actions) that help surface AWS users and roles that have extensive permissions to various AWS services within your environment.
Once you have found Principals with the most privileges, the Principal Explorer provides a quick way to drill down into the types and level of permissions the user or role has.
To launch the Principal Explorer, navigate to “Resource → Resources” on your InsightCloudSec platform, then navigate to the "Identity & Management" tab. The Principal Explorer can only be accessed on the Cloud Users and Cloud Roles resources.
Once you've selected the desired resource, you will see the three aforementioned columns (in addition to the other columns that are normally there for the resource):
- Matching Services (at least 90% allowed)
- Note: 90% is the default value for the column but can be adjusted using filters. See below for details.
- Allowed Services
- Allowed Actions
Each of these column's values is a link. Clicking the value will open the "Principal Explorer". Alternatively, click the actions menu ("..."), then click "Principal Explorer".
Before opening the Principal Explorer, it may make sense to filter your environment results first. As mentioned previously, InsightCloudSec displays users or roles that have 90% or more access to a service by default, i.e., the user or role has 90% of the available service permissions or the user or role is 90% of the way to wildcard, or full, access. This number can be adjusted in several different ways:
1. With the Cloud User or Cloud Role resource open, click "Filters" in the top right-hand corner.
2. Search for "actions count".
3. Select a filter:
- "Principal has Wildcard Access to Services with Denied Actions Count Below Threshold (AWS)" -- Select this filter if you would like to search for users/roles based on how many actions they have denied to them.
- "Principal has Effective Access to Services with Allowed Actions Count Above Threshold (AWS)" -- Select this filter if you would like to search for users/roles based on how many actions they have granted to them.
4. Optionally, provide a service you want to filter on.
5. Select a "Tolerance Type": "Action Count" or "Percentage".
- Note: An Action is equivalent to a specific service permission, e.g.,
"ec2:DescribeAccountAttributes", so you're essentially choosing between raw number and percent.
6. Provide a tolerance value.
7. Click "Apply".
- The "Matching Services... " column will be updated to match the selected filter.
To launch the Principal Explorer within Access Explorer, navigate to “Security --> Access Explorer” on your InsightCloudSec platform, then navigate to the "Principals" tab. The Principal Explorer can be accessed by selecting the actions menu to the left of any Principal Name.
After optionally filtering your results and opening the Principal Explorer, you'll be greeted by a three-panel window. The summary details above the three panels include details for the selected Principal including: the name of the selected Principal, Total # of services, Total # of Actions, and Total # of Resources (this is a hyperlinked value that will open a filtered version of the Access Explorer with those resources details).
The three panels from left-to-right are the Policy Stack, the Policy Viewer, and Effective Access.
The Policy Stack provides information into the policies inherited via Service Control Policies, inherited via IAM Groups, and applied directly to the user/role themselves.
Expand each grouping to view the policies that are inherited or directly applied.
Deselecting a policy will simulate removing that policy and will update the "Effective Access" panel; clicking a policy will scroll to the policy and highlight it in the "Policy Viewer".
The Policy Viewer displays a JSON file containing the user/role's ARN, type, and attached policies. Click the "search" (magnifying glass) button to open a field that can be used to search for terms throughout the policy. Click "Download" to download the JSON file to your web browser.
Effective Access displays the various permissions, or actions, that this user or role has access to, grouped by service. Clicking on the right-facing arrow to the right of each service name will open a list of the actions that are granted for that service. You can use the search bar to search for permission names or services and the list will automatically filter as you type.
Updated 7 months ago