Findings

The Findings screen shows these types of findings related to IAMClosed Identity and Access Management (IAM) - A web service that customers can use to manage users and user permissions within their organizations. and permission management:

  • Posture Findings

  • Security Events

  • Overprivileged Entity findings from Cloud Infrastructure Entitlement Management (CIEM)

Findings use labels to show insights into the category of the specific finding, such as inactive entities, risky permissions, password policy, and misconfigurations. You can group and filter the findings by labels.

CIEM overpriviliged findings are supported for AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. and for AzureClosed Collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through a global network of data centers managed by Microsoft®..

To see findings in CIEM:

In the CloudGuard portal, from the left toolbar, click CIEM > Findings.

CIEM Suggestions

CIEM compares IAM permissions granted to IAM permissions in use to find identities that received unnecessary permissions. For these entities, CloudGuard creates a finding with the source CIEM and the label Overprivileged Entity. The finding contains suggestions to grant the least privilege for the entity.

Prerequisites

To allow CIEM to analyze the permissions in use, you must onboard your account to Intelligence Account Activity. For more information, see Intelligence Onboarding and Offboarding

Note - In an Azure environment, you must onboard Azure Activity logs to use this feature.

To get least privilege suggestions for AWS lambda functions, you must enable Serverless Risk Assesment for the AWS environment. For more information, see Serverless Risk Assessment

Supported Entities

CIEM policy suggestions support these entities:

Cloud Provider

Supported Entities

AWS

  • IAM Users

  • IAM Roles

  • Lamdba functions

Azure

  • User-Assigned Managed Identity

  • App Registration

How CloudGuard Makes Policy Suggestions

After you onboard an environment to Intelligence Account Activity, CIEM does a full scan of your identities and their permission usage after 24 hours. CIEM scans again after 7 days, 30 days, 60 days, and 90 days. Then, CIEM does a full scan every 90 days for roles that it already scanned and that were not modified.

For newly created roles or for roles that had permissions modified, CIEM does a new permission assessment after 3 hours, 24 hours, and 1 week.

For identities whose behavior is harder to predict (such as IAM roles used for SAML federation and some IAM users), CIEM uses machine learningClosed The process of using mathematical models to predict outcomes versus relying on a set of instructions. This is made possible by identifying patterns within data, building an analytical model, and using it to make predictions and decisions. Machine learning bears similarity to how humans learn, in that increased experience can increase accuracy. to build a baseline of the behavior of an entity. When CIEM creates a profile of the entity's behavior, it starts to provide suggestions to reduce the access rights for entities with a minimum of 75 days of activity.

Alert Details

The details of the alert appear in the CIEM Findings screen.

To see CIEM Overprivileged alert details:

  1. Go to CIEM > Findings.

  2. Filter by the label Overprivileged entity.

  3. Click an alert to see its details.

The Permissions tab of the finding shows the Entitlement Map. The Entitlement Map shows the asset entitlements and the effective policy. For more information about the Entitlement Map, see Entitlement Map.

Remediation

The Remediation section shows options to remediate findings in your cloud platform. Select one of these options:

Select one of these and do the suggested actions in AWS:

  • Option A: Update existing policies with suggestion - Shows the set of permissions that must be attributed to the entity for it to comply with the principle of least privilege. This suggestion is provided for each policy. To see the suggested policy, click Show.

    This option requires you to edit the policies used by the entity based on CloudGuard's suggestion. If a managed policy cannot be updated because it is used by a different entity or is managed by AWS, you can create a new policy with CloudGuard's suggestion and use it in place of the existing policy.

  • Option B: Add suggested Permission Boundary to the entity - Creates a permission boundary policy for the entity. The permission boundary policy is a type of policy that sets the maximum permissions an entity can have. This option allows for easy roll-back because you do not make changes to the existing policies.

    AWS allows one permissions boundary for each entity. If the entity already has a permission boundary, change the permission boundary to match CloudGuard's suggestion.

    Note -

    CloudGuard recommends a permission boundary based on actual usage of permissions. It is possible for CloudGuard to recommend a policy that is longer than the maximum permitted length of a policy in AWS (see AWS documentation). In this case, do one of these:

    • Use asterisks (*) to shorten the policy when this fits your use case.

    • Select Option A: Update existing policies with suggestion instead of Option B.

  • Redundant permissions - Shows the permissions that CIEM recommends for you to change with the policy name, the original permissions (as they appear in the policy), and the suggested permissions. A suggestion of empty brackets ([]) means to remove a full statement from the policy.

    To see redundant permissions, click . The Redundant Permissions window opens with the original permissions, for each policy, and a corresponding recommendation. The permissions are color-coded to indicate their sensitivity, which is also written as part of the original permissions. Use the filter options to display permissions with specific sensitivity levels.

Select one of these and do the suggested actions in Azure:

  • Option A: Update/replace role definitions with corresponding suggestion - Shows the set of permissions that must be attributed to the entity for it to comply with the principle of least privilege. This suggestion is provided for each role definition. To see CloudGuard's suggestion, click Show.

    This option requires you to edit the role definitions used by the entity based on CloudGuard's suggestion. If a role definition cannot be updated because it is managed by Azure, you can create a new Azure role deגfinition with CloudGuard's suggestion and use it in place of the existing role definition.

  • Option B: Create a single role definition with suggestion and use in place of all existing ones - Shows the set of permissions that must be attributed to the entity for it to comply with the principle of least privilege. In Azure, remove all existing role definitions and replaces them with CloudGuard's suggested role definition.

  • Redundant permissions - Shows the permissions that CIEM recommends to change. Shows the role definition, the original permissions (as they appear in the role definition), and the suggested permissions.

    To see redundant permissions, click . The Redundant Permissions window opens with the original permissions, for each role definition, and a corresponding recommendation. The permissions are color-coded to indicate their sensitivity, which is also written as part of the original permission. Use the filter options to display permissions with specific sensitivity levels.

Data Events (for AWS)

Because CIEM is based on AWS CloudTrail, it can suggest remediations only for actions that are tracked in CloudTrail. This is done to make sure that CIEM does not block your operations.

For example, if you do not log data events in CloudTrail, CIEM does not suggest remediation for actions that are in the category of data events.

Policy suggestions depend on the status of data events in your CloudTrail:

  • Data events are disabled on the account or for a specific resource - No information is logged in CloudTrail - No policy can be suggested for data events.

  • Data events are enabled only for Write (or Read) events - No information is logged in relation to Read (or Write) events - No policy can be suggested for Read (or Write) data events.

  • Data events are enabled on all resources for Write and Read events - Information is logged in CloudTrail - Policy suggestion can be to remove the event if it does not show in the log or to keep the event if it shows in the log.

Note - Data events are not supported in policy suggestions based on machine learning for these entities:

  • roles used for SAML federation

  • IAM users

Other Findings

Lambda Functions - Overprivileged Lambda functions are identified through code analysis, which is a feature of Serverless Risk Assessment. For more information, see Serverless Risk Assessment.

For Permissive Role findings for Lambda functions, see Finding Types.

Finding Severity

The severity of the finding is dynamic. It is based on an IAM Sensitivity score that CIEM calculates. The Sensitivity score represents the possible damage that IAM permissions may cause to the cloud environment.

After you make the suggested changes to the permissions, CloudGuard updates the finding accordingly.