Using the Principal Explorer

Accessing, Navigating, and Using the Principal Explorer

Once you have completed the setup and configuration to launch Cloud IAM Governance - Access Explorer, InsightCloudSec offers a Principal Explorer that is accessible from the Resources page of the product or from the actions menu on Principals in Access Explorer.

Once you have found Principals with the most privileges, the Principal Explorer provides a quick way to drill down into the types and level of permissions the user or role has.

Using the Principal Explorer

Resources Access to the Principal Explorer

To launch the Principal Explorer from the Resources page, navigate to “Resource → Resources” on your InsightCloudSec platform, then navigate to the "Identity & Management" tab. The Principal Explorer can only be accessed from the Cloud User and Cloud Role resources.

Once you've selected the desired resource, you will see three additional Principal Explorer columns (alongside the columns normally shown for the resource):

  • Matching Services (at least 90% allowed) -- the number of services for which this user or role has been granted at least 90% of the actions that the service defines
    • Note: 90% is the default value for the column but can be adjusted using filters. See below for details.
  • Allowed Services -- the number of services to which this user or role has been granted access
  • Allowed Actions -- the number of actions this user or role has been granted

Each of these columns' values is a link; clicking the value opens the "Principal Explorer". Alternatively, click the actions menu ("...") and then click "Principal Explorer".


Accessing the Principal Explorer

Fine-tuning Your Resource Results

Before opening the Principal Explorer, it may make sense to filter your environment results first. As mentioned previously, InsightCloudSec by default displays users or roles that have 90% or more access to a service, i.e., the user or role has been granted 90% of the service's available permissions, or, put another way, is 90% of the way to wildcard (full) access to the service. This threshold can be adjusted in several ways:

1. With the Cloud User or Cloud Role resource open, click "Query Filters" in the top right-hand corner.


Using Query Filters

2. In the Query Filters panel search for "actions count".


Principal Explorer Filters

3. Select a Query Filter:

  • "Principal has Wildcard Access to Services with Denied Actions Count Below Threshold (AWS)" -- Select this filter if you would like to search for users/roles based on how many actions they have denied to them.
  • "Principal has Effective Access to Services with Allowed Actions Count Above Threshold (AWS)" -- Select this filter if you would like to search for users/roles based on how many actions they have granted to them.

4. Optionally, provide a service you want to filter on.

5. Select a "Tolerance Type": "Action Count" or "Percentage".

  • Note: An Action is equivalent to a specific service permission, e.g., "ec2:DescribeAccountAttributes", so you're essentially choosing between raw number and percent.

6. Provide a tolerance value.

7. Click "Apply".

  • The "Matching Services..." column will be updated to match the selected filter.

Configured Filter
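The two Query Filters and the two Tolerance Types above are easiest to understand as a small computation over a service catalog: for each service, count how many of its actions the principal has been granted, and compare either that count (Action Count) or the share it represents (Percentage) against the tolerance. The following Python is an added example, not InsightCloudSec's own code: the service catalog and the principal's granted actions are constructed sample data, and the treatment of "Above" as at-least and "Below" as at-most is an assumption chosen to mirror the "at least 90% allowed" column heading.

```python
"""Recompute the Principal Explorer summary columns for one principal.

Added example, not InsightCloudSec code.  SERVICE_CATALOG and SAMPLE_GRANTED
are constructed sample data; the product derives the real values from the
cloud account and the principal's evaluated policies.
"""
from fnmatch import fnmatchcase

# Constructed catalog: service -> every action the service defines (trimmed lists).
SERVICE_CATALOG = {
    "s3": {"GetObject", "PutObject", "DeleteObject", "ListBucket", "GetBucketPolicy",
           "PutBucketPolicy", "DeleteBucket", "CreateBucket", "GetBucketAcl", "PutBucketAcl"},
    "ec2": {"DescribeInstances", "DescribeAccountAttributes", "RunInstances",
            "TerminateInstances", "StartInstances", "StopInstances", "CreateTags",
            "DeleteTags", "DescribeTags", "AuthorizeSecurityGroupIngress"},
    "iam": {"GetUser", "ListUsers", "CreateUser", "DeleteUser", "PassRole",
            "AttachUserPolicy", "PutUserPolicy", "CreateAccessKey"},
}


def expand(action_pattern, catalog):
    """Expand an IAM action string such as 'ec2:Describe*' into {(service, action)} pairs."""
    service, _, pattern = action_pattern.partition(":")
    return {(service, action) for action in catalog.get(service, ())
            if fnmatchcase(action, pattern)}


# Constructed principal: full iam access, ec2 read-only, all of s3 except DeleteBucket.
SAMPLE_GRANTED = set()
for pattern in ["iam:*", "ec2:Describe*", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                "s3:ListBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:CreateBucket",
                "s3:GetBucketAcl", "s3:PutBucketAcl"]:
    SAMPLE_GRANTED |= expand(pattern, SERVICE_CATALOG)


def matching_services(granted, catalog, filter_kind, tolerance_type, tolerance, service=None):
    """Return the services that satisfy one of the two Query Filters.

    filter_kind:    "allowed_above" -> 'Effective Access ... Allowed Actions Count Above Threshold'
                    "denied_below"  -> 'Wildcard Access ... Denied Actions Count Below Threshold'
    tolerance_type: "Action Count" (raw number of actions) or "Percentage" (share of the
                    service's catalog).
    service:        optional service name to restrict the filter to (step 4 of the procedure).
    Assumption: "above" is evaluated as >= and "below" as <=.
    """
    matches = set()
    for svc, all_actions in catalog.items():
        if service is not None and svc != service:
            continue
        allowed = {action for s, action in granted if s == svc}
        denied = all_actions - allowed
        if filter_kind == "allowed_above":
            count, pct = len(allowed), 100.0 * len(allowed) / len(all_actions)
            hit = count >= tolerance if tolerance_type == "Action Count" else pct >= tolerance
        elif filter_kind == "denied_below":
            count, pct = len(denied), 100.0 * len(denied) / len(all_actions)
            hit = count <= tolerance if tolerance_type == "Action Count" else pct <= tolerance
        else:
            raise ValueError(f"unknown filter kind: {filter_kind}")
        if hit:
            matches.add(svc)
    return matches


def summary_columns(granted, catalog, tolerance_type="Percentage", tolerance=90):
    """The three resource-page columns; the defaults reproduce 'Matching Services (at least 90% allowed)'."""
    return {
        "Matching Services": len(matching_services(granted, catalog, "allowed_above",
                                                   tolerance_type, tolerance)),
        "Allowed Services": len({svc for svc, _ in granted}),
        "Allowed Actions": len(granted),
    }


if __name__ == "__main__":
    print(summary_columns(SAMPLE_GRANTED, SERVICE_CATALOG))
    print("near-wildcard (<= 1 denied action):",
          sorted(matching_services(SAMPLE_GRANTED, SERVICE_CATALOG, "denied_below", "Action Count", 1)))
```

Running it shows why the default column flags two of the three services for this principal: iam is fully granted and s3 sits exactly at the 90% threshold, while ec2, with only its Describe actions, drops out until the Percentage tolerance is lowered to 30 or less.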

Opening Principal Explorer from Access Explorer

To launch the Principal Explorer within Access Explorer, navigate to “Security → Access Explorer” on your InsightCloudSec platform, then navigate to the "Principals" tab.

  • The Principal Explorer can be accessed by selecting the actions menu to the left of any Principal Name.

Principal Explorer within Access Explorer

Principal Explorer

After optionally filtering your results and opening the Principal Explorer, you'll be greeted by a three-panel window.

  • The summary details above the three panels describe the selected Principal: the Principal's name, Total # of Services, Total # of Actions, and Total # of Resources (a hyperlinked value that opens a version of the Access Explorer filtered to those resources).
  • The three panels, from left to right, are the Policy Stack, the Policy Viewer, and Effective Access.

Example Principal Explorer View

Policy Stack

The Policy Stack lists the policies that shape the principal's access: those inherited via Service Control Policies, those inherited via IAM Groups, and those applied directly to the user or role.

Expand each grouping to view the policies that are inherited or directly applied.

Deselecting a policy simulates removing it and updates the "Effective Access" panel accordingly; clicking a policy scrolls to it in the "Policy Viewer" and highlights it.


Policy Stack

Policy Viewer

The Policy Viewer displays a JSON document containing the user/role's ARN, type, and attached policies. Click the "search" (magnifying glass) button to open a field for searching terms throughout the policy. Click "Download" to save the JSON document through your web browser.


Policy Viewer

Effective Access

Effective Access displays the various permissions, or actions, that this user or role has access to, grouped by service.

  • Clicking the right-facing arrow to the right of a service name expands a list of the actions granted for that service.
  • You can use the search bar to search for permission names or services; the list filters automatically as you type.

Effective Access
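The Policy Stack, the deselect-to-simulate behaviour and the Effective Access grouping above describe one evaluation: take every active policy in the stack, decide per action whether it is allowed, and group the survivors by service. The following Python is an added example, not InsightCloudSec's own code, and uses a deliberately simplified IAM model (an assumption): only Effect and Action are evaluated (no Resource, Condition or NotAction), an explicit Deny beats any Allow within a layer, and a Service Control Policy acts as a guardrail, so an action must be allowed both by the SCP layer and by the identity layer (group plus direct policies). The catalog and the policy stack are constructed sample data.

```python
"""Evaluate a Policy Stack into Effective Access grouped by service.

Added example, not InsightCloudSec code.  Simplified IAM model (assumption):
Effect/Action only; explicit Deny wins inside a layer; an action needs an
Allow from the SCP layer (if any SCPs are selected) and from the identity
layer.  SERVICE_CATALOG and POLICY_STACK are constructed sample data.
"""
from fnmatch import fnmatchcase

# Constructed catalog: service -> actions the service defines (trimmed).
SERVICE_CATALOG = {
    "s3": {"GetObject", "PutObject", "DeleteObject", "ListBucket", "DeleteBucket"},
    "ec2": {"DescribeInstances", "RunInstances", "TerminateInstances"},
    "iam": {"GetUser", "ListUsers", "CreateUser", "AttachUserPolicy", "CreateAccessKey"},
}

# Constructed Policy Stack: the three groupings shown in the panel (scp / group / direct).
POLICY_STACK = [
    {"name": "FullAccessSCP", "layer": "scp",
     "document": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*"}]}},
    {"name": "DenyIamWrites", "layer": "scp",
     "document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Deny", "Action": ["iam:Create*", "iam:Attach*", "iam:Put*"]}]}},
    {"name": "DevelopersGroupPolicy", "layer": "group",
     "document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"]}]}},
    {"name": "S3AdminInline", "layer": "direct",
     "document": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*"}]}},
    {"name": "IamReadOnlyInline", "layer": "direct",
     "document": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "iam:CreateAccessKey"]}]}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, service, action):
    """IAM action names match case-insensitively; '*' alone covers every service."""
    if pattern == "*":
        return True
    svc_pat, _, act_pat = pattern.lower().partition(":")
    return fnmatchcase(service.lower(), svc_pat) and fnmatchcase(action.lower(), act_pat)


def layer_decision(policies, service, action):
    """One layer's verdict: explicit Deny wins, otherwise any Allow, otherwise implicit deny."""
    allowed = False
    for policy in policies:
        for statement in _as_list(policy["document"]["Statement"]):
            if any(_matches(p, service, action) for p in _as_list(statement["Action"])):
                if statement["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def effective_access(stack, catalog, selected=None):
    """Return {service: sorted granted actions} using only the policies named in `selected`
    (all policies when `selected` is None), i.e. the Effective Access panel."""
    active = [p for p in stack if selected is None or p["name"] in selected]
    scps = [p for p in active if p["layer"] == "scp"]
    identity = [p for p in active if p["layer"] in ("group", "direct")]
    access = {}
    for service, actions in catalog.items():
        granted = sorted(a for a in actions
                         if (not scps or layer_decision(scps, service, a))
                         and layer_decision(identity, service, a))
        if granted:
            access[service] = granted
    return access


def simulate_removal(stack, catalog, policy_name):
    """Deselecting a policy in the Policy Stack: recompute Effective Access without it."""
    remaining = {p["name"] for p in stack} - {policy_name}
    return effective_access(stack, catalog, remaining)


def summary_totals(access):
    """(Total # of Services, Total # of Actions) as shown above the three panels."""
    return len(access), sum(len(actions) for actions in access.values())


def search(access, term):
    """The Effective Access search bar: keep services or actions whose name contains `term`."""
    term = term.lower()
    result = {}
    for service, actions in access.items():
        kept = actions if term in service.lower() else [a for a in actions if term in a.lower()]
        if kept:
            result[service] = kept
    return result


if __name__ == "__main__":
    full = effective_access(POLICY_STACK, SERVICE_CATALOG)
    print("effective:", full, summary_totals(full))
    print("without S3AdminInline:", simulate_removal(POLICY_STACK, SERVICE_CATALOG, "S3AdminInline"))
    print("without DenyIamWrites:", simulate_removal(POLICY_STACK, SERVICE_CATALOG, "DenyIamWrites"))
```

Two simulations are worth noting: removing the S3AdminInline policy collapses s3 to the group's read-only grants, and removing the DenyIamWrites SCP lets the directly attached iam:CreateAccessKey grant take effect, which is exactly the kind of change the Policy Stack deselection is meant to preview before anyone edits a real policy.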
