Entitlement Map

The Entitlement Map visually presents the permissions granted to the cloud identity and shows all the elements that contribute to the set of permissions.

It is applicable only for:

To see the Entitlement Map for a specific entity:

  1. In the CloudGuard portal, go to Assets > Protected Assets.

  2. Filter the view by the Asset Type and select one of the supported entities.

  3. Select an entity to open its details page.

  4. Select Permissions. The Entitlement Map opens to visualize the asset entitlements and effective policy.

You can also open the Entitlement Map from CIEM findings; see Findings for details.

Entitlement Map in AWS

Policy Types

For AWS identities, the Entitlement Map shows these policy types: Identity-based policies, Permissions boundaries, and AWS Organizations service control policies (SCPs). For more information about these policies, see AWS Identity and Access Management.

Identity-based policies are Inline or Managed. Managed policies are managed by AWS or by the customer.

The example below is for an IAM role. For an EC2 instance or a Lambda function, the map shows one node for the asset with its attached role.

The numbers on the example map refer to these elements:

  1. Name of the context asset.

  2. Policy (or policies) attached to the role. Below the policy's name is the type of policy; in this example, the policy is Identity-based.

  3. AWS service category allowed by the policy. In the example above, the policy gives access to Containers and to Security, Identity, and Compliance.

  4. List of services and resources that the policy gives permission to.

  • When you select Detailed View and then click a policy, it opens in the right pane in JSON format. Alternatively, select Consolidated View and click the Consolidated permissions node to see the permissions in a table. For more information, see Consolidated View.

  • When you click a Service or Resource on the map, it is highlighted in the policy's details pane.

  • The map draws only services and resources linked to an Allow effect in the policy. Deny statements are not drawn; they appear only in the policy's details pane, so a service drawn on the map may still be denied by a Deny statement you see only in the pane.

  • The default view is Detailed View, which shows all the policies; the alternate view is Consolidated View, which merges them under a single Consolidated Permissions node.

Policy Sources

Use the Entitlement Map to see how policies are assigned to specific IAM users, including through direct assignment, group assignment, and through trust relationships.

There are three types of policy source:

  • IAM User Group - Attached through an IAM user group that the user belongs to.

  • Trust Relationship - Attached through a role trust relationship, that is, a role the user is allowed to assume.

  • Direct - Attached directly to the user.

Policy by trust relationships with other IAM roles

Policies obtained through a trust relationship are marked with an icon. For policies reachable through more than one chain of trust relationships, CloudGuard shows the shortest path.

When you open a policy's details pane, it shows the Original and Effective sets of permissions. If the policy is overpermissive, a Suggested set also shows.

The numbers on the details pane refer to these elements:

  1. Policy versions:

     • The Original Policy shows the policy as defined in the cloud platform.

     • The Effective Policy applies permissions boundaries and SCPs to the original policy and shows the resulting set of permissions.

     • The Suggested Policy shows only if the policy is overpermissive. It shows the set of permissions the policy needs to grant so that it complies with the least-privilege principle.

  2. Alert Details - Shown only when the entity is overprivileged through overpermissive policies; the link opens the original finding.

  3. Permission status - The severity of the finding depends on the sensitivity of the excessive permissions.

     • Valid - Shows when the policy is not overpermissive.

     • Overpermissive - Shows the severity of the overpermissive policy.

     • N/A - The entity is in an account that is not onboarded to Intelligence Account Activity, so CIEM cannot determine which permissions are in use. It can also mean that the role has been idle for the last 90 days.

  4. IAM sensitivity - A number from 0 to 100 that CIEM calculates. The sensitivity score represents the possible damage that the IAM permissions can cause to the cloud environment.

Entitlement Map in Azure

For Azure identities, the Entitlement Map shows Role Definitions. These entities are granted permissions through Role Assignment. In addition to assigning a role, Role Assignment defines the scope of the permissions, that is, for which resources these permissions are valid.

Azure VMs can obtain permissions in two ways: through a user-assigned managed identity or through a system-assigned managed identity. For more information about managed identities, see Managed Identity Types.

Some Azure identities, such as Users, Groups, and Service Principals (including user-assigned and system-assigned managed identities), can be members of an Azure Group and obtain a Role Definition through that Group.

The Detailed View of the map shows the identity and all of its paths to permissions. For a VM, you see its user-assigned and system-assigned managed identities and the role assignments through which each obtains its role definition. The icon to the left of the role definition shows the role assignment and its ID; below it is the scope of the role assignment.

On the graph, each role definition connects to a list of services grouped by categories.

The same information appears on the right pane of the detailed view. Click the role assignment button to navigate to its asset page. All assets on the right pane are clickable.
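The chain the map draws for an Azure VM (identity, optional group membership, role assignment at a scope, role definition, actions) can be modeled in a few functions. This is an added example, not CloudGuard's code; every subscription ID, resource group, principal name and role definition in it is constructed, the custom role is not the content of any built-in role, and it models Azure RBAC only: Actions minus NotActions within one role definition, scope inheritance from the assignment scope down to the resource, and a union over every applicable assignment. Entra ID directory roles are left out, as they are in the map.

```python
"""Toy model of the Azure paths the Entitlement Map draws:
identity -> (group membership) -> role assignment at a scope -> role definition -> actions.

Added example, not CloudGuard code. All IDs, names, scopes and role
definitions below are constructed for illustration.
"""
import fnmatch
from typing import Dict, List

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed
VM_WEB = SUB + "/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-1"

# Role definitions: Actions grant, NotActions subtract (within this role only).
ROLE_DEFINITIONS = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "vm-operator-custom": {  # constructed custom role, not a built-in one
        "Actions": ["Microsoft.Compute/virtualMachines/*"],
        "NotActions": ["Microsoft.Compute/virtualMachines/delete"],
    },
}
# Role assignments: which principal gets which role definition, at which scope.
ROLE_ASSIGNMENTS = [
    {"id": "ra-1", "principal": "grp-ops", "role": "Reader", "scope": SUB},
    {"id": "ra-2", "principal": "mi-web", "role": "vm-operator-custom",
     "scope": SUB + "/resourceGroups/rg-web"},
]
# mi-web stands for a user-assigned managed identity; alice for a user.
GROUP_MEMBERS = {"grp-ops": ["mi-web", "alice"]}
CANDIDATE_OPERATIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Storage/storageAccounts/read",
]


def principals_for(identity: str) -> List[str]:
    """The identity plus every group it belongs to, transitively;
    a group's role assignments apply to all of its members."""
    found, todo = [], [identity]
    while todo:
        principal = todo.pop()
        if principal in found:
            continue
        found.append(principal)
        todo.extend(g for g, members in GROUP_MEMBERS.items() if principal in members)
    return found


def scope_covers(scope: str, resource_id: str) -> bool:
    """An assignment at a scope is inherited by every resource under that scope."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def role_permits(role_name: str, operation: str) -> bool:
    """True if the role's Actions match and none of its NotActions match."""
    role = ROLE_DEFINITIONS[role_name]
    op = operation.lower()
    if any(fnmatch.fnmatchcase(op, p.lower()) for p in role["NotActions"]):
        return False
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in role["Actions"])


def effective_actions(identity: str, resource_id: str,
                      candidate_operations: List[str]) -> Dict[str, List[str]]:
    """Map each permitted operation on the resource to the assignment IDs granting it.
    Operations no applicable assignment grants are absent from the result."""
    principals = principals_for(identity)
    paths: Dict[str, List[str]] = {}
    for ra in ROLE_ASSIGNMENTS:
        if ra["principal"] not in principals or not scope_covers(ra["scope"], resource_id):
            continue
        for op in candidate_operations:
            if role_permits(ra["role"], op):
                paths.setdefault(op, []).append(ra["id"])
    return paths


if __name__ == "__main__":
    for op, via in effective_actions("mi-web", VM_WEB, CANDIDATE_OPERATIONS).items():
        print(f"{op}: via {', '.join(via)}")
```

Two details worth noticing when reading a real map against this model: a NotActions entry removes an operation only from that one role definition, so another assignment (here, none) could still grant the delete; and an assignment scoped to rg-web does not cover a resource in rg-web2, because scope inheritance follows the path prefix, not a string prefix.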

Consolidated View

The Consolidated View of the map combines all the permissions effectively given to the identity under one title called Consolidated Permissions. It lets you understand the overall effective permissions granted to the identity.

The table in the right pane shows the effective set of actions per Service that the identity can do.

Note - If an action is granted on several different resources, it appears once per resource.

  • To search the table, use the search bar. The search is free-text.

  • To expand the table, click the expand icon.

  • The Access Level is not available for an action that is not a single specific action but a wildcard pattern covering a set of actions. Such an action also has no description; for a specific action, the description is available as a tooltip.

  • When you click a Service node on the map, the corresponding row in the table is highlighted.
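The layering described under Policy Types and in the Original, Effective and Suggested policy descriptions of the AWS section, together with the per-service grouping of the Consolidated View, can be reproduced in a short evaluator. This is an added example, not CloudGuard's code: the three policy documents, the candidate action list and the "used actions" list standing in for Intelligence Account Activity data are all constructed. It follows IAM's single-account evaluation order (an explicit Deny in any layer wins; otherwise the identity-based policy, the permissions boundary and the SCP must each Allow) and ignores resource-based policies, session policies and conditions.

```python
"""Toy model of the AWS policy layering behind the Original, Effective and
Suggested policies, plus the per-service grouping of the Consolidated View.

Added example, not CloudGuard code. All policy documents and action lists
below are constructed; the evaluation ignores resource-based policies,
session policies and conditions.
"""
import fnmatch
from typing import Dict, List, Optional

IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ecs:*", "iam:ListRoles"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
PERMISSIONS_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "ecs:Describe*", "iam:*"], "Resource": "*"}],
}
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}
# Actions to evaluate, and the subset "seen in account activity" (constructed).
CANDIDATE_ACTIONS = ["s3:GetObject", "s3:DeleteBucket", "ecs:DescribeClusters",
                     "ecs:RunTask", "iam:ListRoles"]
USED_ACTIONS = ["s3:GetObject"]


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def decision(policy: dict, action: str) -> str:
    """Evaluate one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow in the document
        result = "Allow"
    return result


def allowed(action: str, identity: dict, boundary: Optional[dict] = None,
            scp: Optional[dict] = None) -> bool:
    """Permitted only if every layer that exists returns Allow (no Deny, no gap)."""
    layers = [p for p in (identity, boundary, scp) if p is not None]
    return all(decision(p, action) == "Allow" for p in layers)


def original_actions(identity: dict, candidates: List[str]) -> List[str]:
    """What the identity-based policy alone grants (the Original Policy)."""
    return sorted(a for a in candidates if allowed(a, identity))


def effective_actions(identity: dict, boundary: Optional[dict], scp: Optional[dict],
                      candidates: List[str]) -> List[str]:
    """What remains once the boundary and SCP are applied (the Effective Policy)."""
    return sorted(a for a in candidates if allowed(a, identity, boundary, scp))


def suggested_actions(effective: List[str], used: Optional[List[str]]) -> Optional[List[str]]:
    """Least-privilege set: effective actions actually seen in account activity.
    None when no activity data exists, which the map reports as N/A."""
    if used is None:
        return None
    return sorted(set(effective) & set(used))


def permission_status(effective: List[str], used: Optional[List[str]]) -> str:
    suggested = suggested_actions(effective, used)
    if suggested is None:
        return "N/A"
    return "Overpermissive" if set(effective) - set(suggested) else "Valid"


def consolidate(actions: List[str]) -> Dict[str, List[str]]:
    """Group actions by service prefix, like the Consolidated Permissions table."""
    table: Dict[str, List[str]] = {}
    for action in actions:
        table.setdefault(action.split(":", 1)[0], []).append(action)
    return {service: sorted(acts) for service, acts in sorted(table.items())}


if __name__ == "__main__":
    original = original_actions(IDENTITY_POLICY, CANDIDATE_ACTIONS)
    effective = effective_actions(IDENTITY_POLICY, PERMISSIONS_BOUNDARY, SCP, CANDIDATE_ACTIONS)
    print("Original :", original)
    print("Effective:", effective)
    print("Suggested:", suggested_actions(effective, USED_ACTIONS))
    print("Status   :", permission_status(effective, USED_ACTIONS))
    print("Consolidated:", consolidate(effective))
```

With these inputs the Original set contains ecs:RunTask and iam:ListRoles, but the Effective set does not: the boundary never allows ecs:RunTask, and the SCP explicitly denies iam:*. Only s3:GetObject is in use, so the policy is reported Overpermissive, and passing None as the activity data yields N/A, matching the case of an account not onboarded to Intelligence Account Activity.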

Limitations

CIEM does not support:

In the Entitlement Map, you can see the role definitions obtained through Azure RBAC (role-based access control) role assignments on the specific subscription onboarded to CloudGuard.

In Azure, Microsoft Entra ID roles are used to manage Microsoft Entra ID resources in a directory, for example, create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, or manage domains. Those roles are handled on the tenant or Entra ID level. As a result, permissions granted through Microsoft Entra ID roles are not part of the entitlement map and of the effective permissions of Microsoft Entra ID identities.