7. Cloud Infrastructure Entitlement Management (CIEM)

Introduction

  • CIEM helps you comply with the principle of least privilege: it makes sure that your cloud assets, human or non-human (e.g. Lambda functions), receive the smallest set of permissions necessary to do their tasks.

  • CIEM provides visibility into cloud entitlements through a permissions map and calculates the effective permissions. In addition, CIEM identifies and alerts about misconfigurations and suspicious activities related to IAM.

  • Finally, CIEM automatically identifies overprivileged entities and recommends right-sized policies.

Discussion points

  • Give visibility into cloud entitlements and effective permissions.

  • Identify & alert about inactive and misconfigured entities and anomalous behavior.

  • Automatically find overprivileged entities and policies based on actual use and recommend right-sized privileges.

Instructions

Step 1

Navigate to Assets > Protected Assets.

The very first thing in CIEM is getting visibility into cloud entitlements.

Permissions can be defined in different ways and at different levels.

For example, AWS Organizations SCPs (Service Control Policies) are inherited within the organization and act as a mask that limits the permissions granted elsewhere.

So, understanding what permissions are granted to a cloud asset is a challenge on its own and a mandatory step before optimizing them.

Step 2

When you open an asset, a tab called Permissions allows you to review the permissions granted to the entity.


Open the following examples and navigate to the Permissions tab:

Step 3

Navigate to CIEM > Dashboard:

  • Point out that the overview shows Inactive Users & Roles and Severely Overprivileged Entities.

Step 4

Click View Details for the IamRole entities.

Step 5

Change the time-frame to All.

Step 6

Select the finding S3FullAccessRoleDemo.

  1. There are 2 remediation options:

    • Option A: Update existing policies with suggestion.

      • Shows the set of permissions that must be granted to the role for it to comply with the principle of least privilege.

        This suggestion is provided for each policy.

    • Option B: Add suggested Permission Boundary to the role.

      • Creates a permissions boundary policy for the role.

        The permissions boundary policy is a type of policy that sets the maximum permissions a role can have.

      • This option allows for easy roll-back as you do not make changes to the existing policies.


    Click SHOW on Option A: Update existing policies with suggestion and explain that this is the set of permissions needed to ensure least privilege.

    • A drop-down allows selecting a policy to see how it should be remediated.


  2. Click the eye icon to show Redundant Permissions.

    The Redundant Permissions window opens with the original permissions and a corresponding recommendation.

    The permissions are color-coded to indicate their sensitivity, which is also written as part of the original permission. You can use the filter options to display only permissions with specific sensitivity levels.

  3. Explain that the severity of the finding depends on the sensitivity of the excessive permissions.

  4. Show the Analysis Period. This is the period over which activity logs were examined to determine which permissions were actually in use.
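The two ideas behind steps 1 and 6 (SCPs and permissions boundaries act as masks on effective permissions; right-sizing compares granted permissions with those used during the analysis period) can be made concrete with a small model. The following is an added illustration, not CloudGuard code or an AWS library: it evaluates a constructed S3 full-access role under a constructed SCP and CloudTrail-style events, derives the Option A replacement policy, and shows that attaching the same document as an Option B permissions boundary masks the original policy without changing it. The action catalogue, sensitivity labels, dates and events are all constructed.

```python
from datetime import date
from fnmatch import fnmatch

def allowed(policy, action):
    """Evaluate one IAM policy document for a single action (resources ignored).
    AWS semantics: an explicit Deny always wins; no matching statement is an implicit deny."""
    verdict = False
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatch(action, pattern) for pattern in acts):
            if stmt["Effect"] == "Deny":
                return False
            verdict = True
    return verdict

def effective(identity_policies, action, boundary=None, scp=None):
    """Effective permission = an identity-policy Allow, masked by the permissions boundary and the SCP.
    A boundary or SCP can only take permissions away, never add them."""
    if not any(allowed(p, action) for p in identity_policies):
        return False
    return all(allowed(mask, action) for mask in (boundary, scp) if mask is not None)

# Constructed demo data: a role carrying an S3 full-access policy, an org SCP and CloudTrail-style events.
S3_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
              "s3:DeleteBucket", "s3:PutBucketPolicy"]                    # constructed catalogue
SENSITIVE = {"s3:DeleteObject", "s3:DeleteBucket", "s3:PutBucketPolicy"}  # constructed sensitivity labels
S3_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
EVENTS = [{"date": date(2024, 3, 2), "action": "s3:GetObject"},
          {"date": date(2024, 3, 9), "action": "s3:ListBucket"},
          {"date": date(2023, 11, 1), "action": "s3:DeleteObject"}]  # before the analysis period

def analyze(identity_policies, scp, events, start, end, catalogue=S3_ACTIONS):
    """Right-size a role: compare effectively granted actions with those used in the analysis period."""
    granted = {a for a in catalogue if effective(identity_policies, a, scp=scp)}
    used = {e["action"] for e in events if start <= e["date"] <= end} & granted
    redundant = granted - used
    # Option A: replace the policy with one listing only the used actions.
    # Option B: attach the same document as a permissions boundary and leave the original policy untouched.
    suggested = {"Statement": [{"Effect": "Allow", "Action": sorted(used), "Resource": "*"}]}
    severity = "high" if redundant & SENSITIVE else "low"  # severity follows the sensitivity of the excess
    return {"granted": granted, "used": used, "redundant": redundant,
            "suggested": suggested, "severity": severity}

def demo():
    """Run the constructed scenario over a Q1 2024 analysis period."""
    return analyze([S3_FULL_ACCESS], SCP, EVENTS, date(2024, 1, 1), date(2024, 3, 31))

if __name__ == "__main__":
    result = demo()
    print(sorted(result["redundant"]), result["severity"])
    print(effective([S3_FULL_ACCESS], "s3:PutObject", boundary=result["suggested"]))  # False: masked by boundary
```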

Step 7

Click on the Permissions tab.

  • The entitlement map reflects the over-permissive status of the policies.

    Over-permissive policies are highlighted with a colored border and an icon.

    The color is derived from the severity of the excessive permissions for that policy. Hovering over the policy node shows more details.