Identify Over-Privileged Entities with Saner CIEM
Managing entitlements in Saner Cloud begins with gaining visibility into identities such as IAM users, roles, and groups, together with their associated permissions and policies. This discovery process evaluates predefined risks in cloud accounts, such as excessive privileges and inactive or dormant identities. Once AWS accounts are discovered, administrators can manage entitlements, remediate risks, and ensure compliance across all identified AWS accounts.
Once the automatic scanning completes, details about the AWS accounts — such as usernames, user IDs, group names, group IDs, roles, and policies — can be accessed through various blocks in the Cloud Entitlements (CIEM) dashboard.
Below are the actions you can perform on your discovered accounts in the Cloud Entitlement Dashboard:
- Gain a detailed view of identified risks in your AWS account by accessing the relevant blocks. The dashboard automatically identifies over-privileged entities based on actual usage, allowing you to review and adjust permissions as necessary.
- Gather key insights into the number of identities—Users, Roles, and Groups—that have excessive privileges, have been inactive for an extended period, or have attached policies. Additionally, you will find detailed statistics on Managed Policies, High-Privilege Policies, Services, Permissions, and more.
- The Policy Details section lists the policies linked to each identity (Users, Groups, or Roles) that grant more permissions than necessary. Review these permissions to ensure they adhere to the principle of least privilege.
- In the Users and Groups section, you can view the list of IAM users or groups associated with each identity. From the “All Findings” block, you can get a consolidated view of security and compliance issues across your cloud environment. Each column is significant for understanding and addressing identified vulnerabilities, misconfigurations, or non-compliant practices.
- Troubleshoot or Analyze the Critical Activity Logs that capture security-related actions and events that may indicate threats, policy violations, or operational issues. These logs include details about the event, request information, user identities, additional user context, resource information, and more. Users can filter critical activity logs using specific search criteria.
The Fixes Required block shows the total number of identified fixes you can apply to improve your security posture, and the built-in Policy Details Map provides clear visibility into areas of excessive privilege, giving you a streamlined way to manage least-privilege access. This interactive map tree offers a comprehensive view of the policies, permissions, resources, and services linked to each identity: User, Group, Role, or Policy.
Salient Highlights
AI Assistant Integration
The summarization grid in the various dashboards enables the AI assistant to retrieve responses related to the relevant data.
By clicking the green icon within the summarization grid, the AI assistant dynamically fetches and displays the summary in a tooltip within the dashboard.
Detailed Risk Identification
- Access blocks that provide a detailed view of identified risks in your AWS account.
- Automatically detect over-privileged entities based on actual usage, enabling permission reviews and adjustments.
Key Insights into Identities
- Analyze the number of identities (Users, Roles, Groups) with:
- Excessive privileges.
- Extended periods of inactivity.
- Attached policies (e.g., Managed or High-Privilege Policies).
- View statistics on services, permissions, and policies for better access management.
Policy Details and Least-Privilege Compliance
- Review policies linked to each identity that grant excessive permissions.
- Ensure permissions adhere to the principle of least privilege for enhanced security.
Users and Groups Overview
- Access a consolidated list of IAM users or groups associated with each identity.
- Utilize the “All Findings” block for a comprehensive view of security and compliance issues across the cloud environment.
Critical Activity Logs
- Troubleshoot or analyze security-related actions, threats, policy violations, or operational issues.
- Logs include detailed event information such as user identities, requests, resources, and additional context.
- Filter logs with specific search criteria for efficient analysis.
Built-In Policy Details Map
- Gain visibility into areas of excessive privileges with the interactive Policy Details Map.
- Visualize policies, permissions, resources, and services linked to Users, Groups, Roles, or Policies.
- Streamline management of “least-privilege” access.
Security Posture Improvement
- Track the total number of identified fixes to improve your AWS security posture.
- Utilize actionable insights to address misconfigurations, and non-compliant practices.
Explore the Dashboard Views
Component | What it Conveys? |
---|---|
Users | Inactive users in cloud entitlements are accounts or user identities that have access to cloud resources but have not been active, meaning they have not logged in, used credentials, or performed any actions, for a specified period. Such accounts are a standing risk: their permissions remain usable by anyone who obtains the credentials, and the inactivity means misuse is unlikely to be noticed. With Saner CIEM, you can identify inactive accounts on a specific cloud platform (AWS or Azure). The dashboard view presents the count of IAM (Identity and Access Management) users who have not been active and therefore pose a security risk; unused or excessive permissions on these accounts enlarge the impact of a credential compromise and can provide a path to privilege escalation. Clicking the link navigates to the detailed view, which provides a breakdown of the user and their associated AWS permissions. Key details include: 1) User Information with Name, ID, ARN, Created date, Last accessed date, Inline policies, Managed policies, User groups, and High privilege policies 2) Policy details with Name, Association link to the user, ARN, Services, Resources, and Effect (Allow or Deny) 3) Policy Details Graph displaying a visual representation of the user connected with the policy |
Groups | Groups in cloud entitlements are collections of user accounts or identities that are grouped together to simplify access and permissions management in cloud environments. Saner CIEM allows permissions to be managed through these Groups, which helps streamline role assignments, reduce errors, and enhance scalability. The dashboard view presents the count of groups having excessive permissions in the associated cloud service. Clicking the link navigates to the detailed view, which provides insight into the policies and permissions of the group. Key details include: 1) Group Information with Name, ID, ARN, Created date, Inline Policies, Managed Policies, High Privilege Policies, and Number of Users in the Group 2) Policy Details with Name, ARN, Services, Resources, and Effect (Allow or Deny) 3) Policy Details Graph that shows a visual representation of the group connected with the policy |
Policies | Policies in cloud entitlements establish the rules and permissions that govern access to resources in a cloud environment. They are crucial for managing security, ensuring compliance, and enforcing governance within cloud infrastructure. Saner CIEM allows for the management of these policies, which AWS IAM implements as JSON documents that specify the actions, resources, and conditions under which permissions are granted or denied. Clicking the link navigates to the detailed view, which provides a breakdown of what the policy contains: 1) Policy Information including Name, ID, ARN, Roles, Users and Groups, Created Date, Policy Type, and Evidence for Excessive Permission 2) Policy Details including Services, Resources, and Effect (Allow or Deny) 3) Policy Details Graph showing a visual representation of the identities (users, groups, and roles) connected with the policy |
Roles | Roles in cloud entitlements define a specific set of permissions that determine the actions a user, group, or service can perform on resources within the cloud environment. In Saner CIEM, roles are a fundamental part of identity and access management (IAM). They are designed to enforce the principle of least privilege, ensuring that entities have access only to what they need to perform their tasks. The dashboard block displays the number of inactive IAM (Identity and Access Management) roles in your AWS account; this number tends to grow over time as roles become unused or obsolete. A role that remains inactive for an extended period is an unnecessary access path: its permissions stay live, and anyone who can satisfy its trust policy (or who compromises a principal allowed to assume it) inherits them without anyone noticing. Clicking the link navigates to the detailed view, which provides a breakdown of the role and its associated AWS permissions. Key details include: 1) Role overview with Name, ID, ARN, Created Date, Last Accessed Date, and High Privilege Policies 2) Managed Policies (identity-based) attached to the role, with the services affected, resources involved, and Effect (Allow or Deny) 3) Visual representation of the association between the role and its policies, making the relationships easier to understand |
Fixes Required | Fixes in cloud entitlements involve correcting misconfigurations, reducing over-provisioning, and addressing gaps in access controls within a cloud environment. These measures enhance security, ensure compliance, and improve overall efficiency. Specifically, fixes in Saner CIEM help tackle issues such as inactive users, roles with excessive permissions, and outdated policies. The dashboard block displays the total number of identified issues that need to be resolved to improve the security posture and conveys how urgently the underlying misconfigurations or vulnerabilities should be addressed. |
Critical Activity Logs | Critical activity logs for cloud entitlements are audit logs that capture important events related to identity and access management (IAM), resource permissions, and user or service activities within a cloud environment. In Saner CIEM, these logs are vital for security, compliance, and visibility into the actions performed by users, groups, roles, and services. By using them, you can monitor events and take prompt action to mitigate risks, enforce compliance, and improve operational efficiency. The dashboard block captures key security-related actions and events that could indicate a potential threat, policy violation, or operational issue. Every column provides a vital piece of context about the logged event, enabling visibility, quick analysis, incident response, and compliance. A quick look at what the columns represent: 1) Event Name: The specific action or operation performed (for example, createuser/deleteinstance/updatepolicy). It gives security teams a clear understanding of what occurred in the logged event and lets them focus on critical operations. 2) Event Category: Categorizes the type of event (for example, authentication/access control/data access/configuration), which helps identify and prioritize events by security relevance; an access-control change, for example, might call for immediate review. 3) Region: Geographical location where the activity took place. Helps identify anomalies, such as actions originating from unauthorized or unexpected regions. 4) Resources: Specific cloud resources affected by the action, such as EC2/S3/Database/Virtual Machines. Provides insight into the assets targeted, accessed, or modified, and is critical for tracking the potential impact of the event. 5) ARN: Unique identifier for resources in a cloud platform such as AWS. Enables precise identification of the resources involved in an incident. 6) Account: Cloud account or subscription ID. Helps segregate logs and monitor activities across different cloud accounts. 7) Performed By: Identity (user/role/service) responsible for initiating the event; identifies who or what triggered the action. 8) Event Time: Timestamp of when the event occurred, critical for reconstructing the sequence of events during an incident. You can additionally filter critical activity logs with specific search criteria. |
All Findings | Consolidated view of security and compliance issues across the cloud environment. Every column is significant for understanding and addressing identified vulnerabilities, misconfigurations, or non-compliant practices. A quick look at what the columns represent: 1) ID: Unique identifier assigned to each finding, used as a quick reference for tracking 2) Title: Brief, descriptive summary of the finding for at-a-glance understanding of the issue 3) Description: Detailed explanation of the issue and its potential impact 4) Affected Services: Cloud services impacted by the finding, which helps assess whether critical services are affected 5) Affected Resource Type: Type of resource (for example, storage, virtual machine, or IAM role), useful for routing the finding to the team that owns that resource type 6) Affected Resource IDs: Unique identifiers of the impacted resources, essential for remediation 7) Severity: Level of risk (High/Med/Low), used to ensure critical risks are addressed first and overall exposure is reduced 8) Fix: Guidance or recommended steps for resolving the issue |
Learn How To
How to Get Visibility into Cloud Entitlements?
Overview
Using the Cloud Entitlement Dashboard, get a detailed view of the identified risks in your AWS account by clicking the relevant dashboard blocks. The dashboard automatically identifies over-privileged entities based on actual use and recommends the right privileges.
Step 1: Access Cloud Entitlements
After you log in, select Cloud Security from the landing page. Next, click the App Launcher (at the top of the page) and choose CIEM (Cloud Infrastructure Entitlement Management).
Step 2: Get an Overview of the Inactive Users, Roles, and Over-Privileged Entities
View the count of:
- IAM (Identity and Access Management) Users who have not been active and pose a security risk; unused or excessive permissions on such accounts enlarge the impact of a credential compromise and can provide a path to privilege escalation
- Groups having excessive permissions in the associated cloud service
- Policies attached to an identity (Users, User Groups, or Roles) that grant more permissions than are needed
- Inactive IAM (Identity and Access Management) Roles in your AWS account, whose number tends to grow over time as roles become unused or obsolete
- Critical Activity Logs, which show which permissions were actually exercised
- Consolidated security and compliance findings across Users, Groups, and Roles from the All Findings block
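The inactivity checks behind the Users and Roles counts can be reproduced from AWS-native data. The following is an added example, not Saner CIEM's own code: it parses a constructed IAM credential report (the CSV that `aws iam get-credential-report` returns) and constructed `get-role` RoleLastUsed records, and flags identities with no activity inside a 90-day window, which is an assumed threshold. Users that have never been used are judged by creation time so that freshly created service users are not flagged on day one.

```python
"""Flag inactive IAM users and roles from AWS-native data.

Added example, not Saner CIEM's code. Runs offline on a constructed
credential report (subset of the real columns) and constructed role
records shaped like `aws iam get-role` output. The 90-day threshold
and the fixed "now" are assumptions that keep the run deterministic.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=90)                 # assumption: tune per policy
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)    # fixed clock for reproducible output

# Constructed sample: a subset of the real credential-report columns.
CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T09:00:00+00:00,true,2025-01-20T08:12:00+00:00,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-06-01T09:00:00+00:00,true,2024-07-01T10:00:00+00:00,true,2024-09-15T11:30:00+00:00,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2024-12-01T09:00:00+00:00,false,not_supported,true,N/A,false,N/A
"""


def _parse_ts(value):
    """Datetime for a report timestamp; None for the report's N/A-style markers."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(row):
    """Most recent of console password use and active access-key use for one row."""
    candidates = [_parse_ts(row["password_last_used"])]
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] == "true":
            candidates.append(_parse_ts(row[f"access_key_{n}_last_used_date"]))
    stamps = [c for c in candidates if c is not None]
    return max(stamps) if stamps else None


def inactive_users(report_csv, now=NOW, threshold=INACTIVE_AFTER):
    """Return {user: reason} for users with no activity inside the threshold.
    A never-used identity is judged by its creation time instead."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":   # root is reported separately in real reports
            continue
        seen = last_activity(row)
        if seen is None:
            created = _parse_ts(row["user_creation_time"])
            if now - created > threshold:
                findings[row["user"]] = "never used since creation"
            continue
        if now - seen > threshold:
            findings[row["user"]] = f"last activity {seen.date()}"
    return findings


# Constructed sample shaped like the RoleLastUsed block of `aws iam get-role`.
ROLES = [
    {"RoleName": "ci-deployer",
     "RoleLastUsed": {"LastUsedDate": "2025-01-29T02:00:00+00:00", "Region": "us-east-1"}},
    {"RoleName": "legacy-migration",
     "RoleLastUsed": {"LastUsedDate": "2024-03-02T12:00:00+00:00", "Region": "eu-west-1"}},
    {"RoleName": "unused-audit", "RoleLastUsed": {}},   # never assumed in the tracking window
]


def inactive_roles(roles, now=NOW, threshold=INACTIVE_AFTER):
    """Role names whose last AssumeRole is older than the threshold or absent."""
    out = []
    for role in roles:
        ts = _parse_ts(role.get("RoleLastUsed", {}).get("LastUsedDate"))
        if ts is None or now - ts > threshold:
            out.append(role["RoleName"])
    return out


if __name__ == "__main__":
    for user, why in inactive_users(CREDENTIAL_REPORT).items():
        print(f"inactive user {user}: {why}")
    print("inactive roles:", inactive_roles(ROLES))
```

Note that `bob` is flagged even though he still has an active access key, because the most recent use of any credential is what counts; `svc-deploy` has never been used but is younger than the threshold, so it is left alone until the grace period expires.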
Step 3: View the Detailed Statistics of Every Entity
Click on the entities from the various sections and get a detailed summary on the:
- User and their associated AWS permissions. Key details include: User Information with Name, ID, ARN, Created date, Last accessed date, Inline policies, Managed policies, User groups, and High privilege policies
- Policy details with Name, Association link to the user, ARN, Services, Resources, and Effect (Allow or Deny)
Step 4: Examine Permissions with Details Map
Open the Policy Details Map for the identity and follow the tree from each policy down to its permissions, services, and resources to examine what the identity is actually entitled to.
How to View by Type and Usage for any Identity in CIEM?
Saner CIEM enables viewing by Type and Usage for any identity (Users, Groups, Roles, or Policies), which is crucial for understanding its purpose and how it is actually used in the cloud environment.
Step 1: Launch Cloud Entitlements
After you log in, select Cloud Security from the landing page. Next, click the App Launcher (at the top of the page) and choose CIEM (Cloud Infrastructure Entitlement Management).
Step 2: Navigate to the Details Page to Access Type and Usage Filters
Click any identity block as needed from CIEM dashboard and navigate to the details page. On the left-hand side of the page, use the filters to narrow down your search.
Step 3: Use the Filters to Narrow Down Your Search

Click the Filter button on the side pane and combine filters to narrow down your results.
Filtering Options Available for the Different Identities
Identity | Filter Options |
---|---|
Users | Unused, Excessive |
Groups | Unused, Excessive |
Policies | Policy Status, Policy Type, Permission Categories (Excessive) |
Roles | Role Status, Role Type, Permission Categories |
How to Visually See the Relationship between Identity, Entitlement, Policy, or Permission?
Overview
Saner CIEM offers a built-in Policy Details Map that provides a visual representation of the relationships between an identity (user, group, role, or service account) and its entitlements, policies, and permissions in a cloud environment. It helps security teams understand how an identity can access resources and identify potential risks or policy misconfigurations.
Step 1: Launch Cloud Entitlements
After you log in, select Cloud Security from the landing page. Next, click the App Launcher (at the top of the page) and choose CIEM (Cloud Infrastructure Entitlement Management).
Step 2: Access the Identity for Which You Want to View the Relationship

From the CIEM dashboard, click on any of the Identity blocks(Users/Groups/Policies/Roles) to open the additional details page.
Step 3: View the Details Map

The Details Map presents an interactive tree view of policies, permissions, services, and resources linked to each identity — Users, Groups, Policies, or Roles — within the AWS environment.
On clicking any node in the map tree view, the corresponding details display in the Policy Details section.
How to Use Evidence to Address Policies with Excessive Permission?
Overview
When reviewing a policy, use the “Evidence for Excessive Permission” view, which pinpoints unnecessary permissions in AWS IAM policies and helps you understand and address them.
Step 1: Launch Cloud Entitlements
After you log in, select Cloud Security from the landing page. Next, click the App Launcher (at the top of the page) and choose CIEM (Cloud Infrastructure Entitlement Management).
Step 2: Access the Evidence for Excessive Permission Popup
- From the CIEM dashboard, click the “Policies” block to open the detailed statistics page
- From the left-hand side, filter by Permission Categories (Excessive). This lists all the policies that have excessive permissions.
- Click the Evidence for Excessive Permission icon and analyze the information from the pop-up

Step 3: Analyze the Evidence Information
- Look at the “Reference Path” to understand where in the policy structure the excessive permission is defined
- Review the “Response” to identify the action that may be unnecessarily allowed or denied
Evidence Path | Structured representation of the policy’s JSON document, highlighting where the permission is defined. For example, “Policies.PolicyVersionList.Document.Action” refers to the Action field in the policy’s Document structure, where permissions like “s3:ReplicateDelete” are specified. |
Response | Specific permission or action evaluated for excessive access. For example, “s3:ReplicateDelete” is the S3 replication permission that allows delete markers to be replicated to the destination bucket. |
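The Evidence Path and Response pair above can be generated from the policy document itself. The following added example, not Saner CIEM's code, takes a policy shaped like `aws iam get-account-authorization-details` output, selects the default (active) version from PolicyVersionList, expands wildcard actions against a constructed action catalogue, and reports every allowed action that does not appear in a constructed set of actions observed in use. The catalogue, the usage set, and the index-bearing path format are assumptions for illustration; real tooling would use the full service action list and CloudTrail-derived usage.

```python
"""Produce "Evidence for Excessive Permission" style records from an IAM policy.

Added example, not Saner CIEM's code. Input is shaped like the Policies
entries of `aws iam get-account-authorization-details`. A permission is
called excessive here when the active policy version allows it and
nothing in the usage window exercised it.
"""
import fnmatch

# Constructed catalogue of concrete actions that wildcards expand against.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:ReplicateDelete", "s3:ReplicateObject",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:ListUsers",
]

# Constructed usage: action names seen in CloudTrail for this identity.
USED_ACTIONS = {"s3:GetObject", "s3:ListBucket", "iam:ListUsers"}


def expand(pattern):
    """Expand an IAM Action pattern (case-insensitive, * and ? wildcards)."""
    pat = pattern.lower()
    return [a for a in ACTION_CATALOG if fnmatch.fnmatchcase(a.lower(), pat)]


def active_version(policy):
    """The default version is the one IAM evaluates; older versions are inert."""
    return next(v for v in policy["PolicyVersionList"] if v["IsDefaultVersion"])


def excessive_evidence(policy, used=USED_ACTIONS):
    """Return [{path, response, granted_by}] for every allowed-but-unused action.

    The path mirrors the dashboard's Evidence Path notation; the version id
    and statement/action indices are appended (an assumption) so that
    multi-statement policies stay traceable back to the exact JSON element.
    """
    version = active_version(policy)
    statements = version["Document"]["Statement"]
    if isinstance(statements, dict):          # IAM allows a single statement object
        statements = [statements]
    evidence = []
    for s_idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":     # only Allow grants anything
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for a_idx, pattern in enumerate(actions):
            for concrete in expand(pattern):
                if concrete not in used:
                    evidence.append({
                        "path": f"Policies.PolicyVersionList[{version['VersionId']}]"
                                f".Document.Statement[{s_idx}].Action[{a_idx}]",
                        "response": concrete,
                        "granted_by": pattern,
                    })
    return evidence


# Constructed policy: v1 was tight; v2 (the active version) widened S3 access.
SAMPLE_POLICY = {
    "PolicyName": "app-data-access",
    "Arn": "arn:aws:iam::111122223333:policy/app-data-access",
    "PolicyVersionList": [
        {"VersionId": "v1", "IsDefaultVersion": False,
         "Document": {"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}},
        {"VersionId": "v2", "IsDefaultVersion": True,
         "Document": {"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
             {"Effect": "Allow", "Action": "iam:ListUsers", "Resource": "*"}]}},
    ],
}

if __name__ == "__main__":
    for e in excessive_evidence(SAMPLE_POLICY):
        print(f"{e['path']}: {e['response']} (granted by {e['granted_by']})")
```

The `granted_by` field is what makes the evidence actionable: all four unused S3 actions trace back to the single `s3:*` wildcard in statement 0, so the fix is to replace that one pattern with the two actions that were actually exercised, which is exactly what the inert v1 of the policy contained.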
How to Know the Excessive Permissions on a Specific Service?
Overview
Excessive permissions can lead to unauthorized access, data breaches, or misuse of resources, so identifying them is critical. Saner CIEM helps identify excessive permissions and ensures your resources are only accessible by those who need them, reducing security risks.
Step 1: Launch Cloud Entitlements
After you log in, select Cloud Security from the landing page. Next, click the App Launcher (at the top of the page) and choose CIEM (Cloud Infrastructure Entitlement Management).
Step 2: Access the Identity for Which You Want to Review Excessive Permissions

From the CIEM dashboard, click any of the Identity blocks (user/role/group/policy) to open the additional details page.
Step 3: Access the Details Map to View the Requisite Service
In the Details Map on the details page, expand the identity’s tree down to the service you are interested in and click its node. The permissions and resources granted for that service then display in the Policy Details section, where you can review which of them are marked as excessive.
How to Troubleshoot or Analyze with Critical Activity Logs?
Overview
Critical activity logs are essential for monitoring, auditing, and securing cloud environments. These logs help organizations track actions, events, detect anomalies, and ensure compliance with security and governance policies.
Saner CIEM captures key security-related actions and events that could indicate a potential threat, policy violation, or operational issue. Every column provides a vital piece of context about the logged event, enabling visibility, quick analysis, incident response, and compliance.
For additional information on the critical activity logs, access the relevant cloud service portal.
What are the Recommended Critical Events to Monitor?
Click here for a detailed list of critical events with description and security implication.
What are the High-Privilege Actions in AWS?
Click here to read more about which actions are considered high-privilege in Critical Activity Logs in AWS and more.
Step 1: Launch Cloud Entitlements
After you log in, select Cloud Security from the landing page. Next, click the App Launcher (at the top of the page) and choose CIEM (Cloud Infrastructure Entitlement Management).
Step 2: Access the Logs

From the CIEM dashboard, access the Critical Activity Logs block.
A quick look at what the columns represent:
Column | What it conveys? |
---|---|
Event Name | The specific action or operation performed (for example, createuser/deleteinstance/updatepolicy). It gives security teams a clear understanding of what occurred in the logged event and lets them focus on critical operations. |
Event Category | Categorizes the type of event (for example, authentication/access control/data access/configuration), which helps identify and prioritize events by security relevance. An access-control change, for example, might call for immediate review. |
Region | Geographical location where the activity took place. Helps identify anomalies, such as actions originating from unauthorized or unexpected regions. |
Resources | Specific cloud resources affected by the action, such as EC2/S3/Database/Virtual Machines. Provides insight into the assets targeted, accessed, or modified, and is critical for tracking the potential impact of the event. |
ARN | Unique identifier for resources in a cloud platform such as AWS. Enables precise identification of the resources involved in an incident. |
Account | Cloud account or subscription ID. Helps segregate logs and monitor activities across different cloud accounts. |
Performed By | Identity (user/role/service) responsible for initiating the event. Identifies who or what triggered the action. |
Event Time | Timestamp of when the event occurred. Critical for reconstructing the sequence of events during an incident. |
Step 3: What do you see in the logs?

Click the icon after the Event Time column in the Critical Activity Logs block to view the full log information for that event.
Step 4: See the Total Count of Activity Logs

The total count of activity logs displays as a pie chart in the block next to Critical Activity Logs.
Step 5: Filter with Specific Search Criteria for Analysis
Users have an additional capability to filter critical activity logs with specific search criteria. From the search box within the Critical Activity Logs block, key in your search criteria to retrieve the relevant information. Analyze the log for troubleshooting or subsequent action.
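The columns above map directly onto fields of a CloudTrail record. The following added example, not Saner CIEM's code, normalises three constructed CloudTrail events into those columns, flags event names on an assumed high-privilege watchlist, and provides a search function in the spirit of Step 5. The eventSource-to-category mapping and the watchlist are assumptions; Saner's own lists of critical events and high-privilege actions are linked from this page rather than reproduced here.

```python
"""Normalise CloudTrail records into Critical Activity Log columns and search them.

Added example, not Saner CIEM's code. The three records are constructed
but use the real CloudTrail field names (eventName, eventSource, awsRegion,
recipientAccountId, userIdentity.arn, resources[].ARN, eventTime).
"""
import json

# Assumed watchlist: event names a practitioner would page on.
HIGH_PRIVILEGE = {
    "CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
    "UpdateAssumeRolePolicy", "CreatePolicyVersion", "StopLogging", "DeleteTrail",
}

# Assumed mapping from CloudTrail eventSource to the dashboard's Event Category.
CATEGORY_BY_SOURCE = {
    "iam.amazonaws.com": "access control",
    "sts.amazonaws.com": "authentication",
    "s3.amazonaws.com": "data access",
    "cloudtrail.amazonaws.com": "configuration",
}

# Constructed sample: three CloudTrail records, one per line.
RAW_EVENTS = r"""
{"eventTime":"2025-01-30T10:01:12Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","awsRegion":"us-east-1","recipientAccountId":"111122223333","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"requestParameters":{"userName":"svc-deploy","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"},"resources":[{"ARN":"arn:aws:iam::111122223333:user/svc-deploy"}]}
{"eventTime":"2025-01-30T10:02:40Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","awsRegion":"eu-west-1","recipientAccountId":"111122223333","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ci-deployer/build-42"},"resources":[{"ARN":"arn:aws:s3:::app-artifacts/build-42.zip"}]}
{"eventTime":"2025-01-30T10:05:03Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","awsRegion":"ap-south-1","recipientAccountId":"111122223333","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"requestParameters":{"name":"org-trail"}}
"""


def to_row(event):
    """One dashboard row: the columns listed in Step 2 plus a high-privilege flag."""
    resources = event.get("resources", [])     # absent on some management events
    return {
        "event_name": event["eventName"],
        "event_category": CATEGORY_BY_SOURCE.get(event["eventSource"], "other"),
        "region": event["awsRegion"],
        "resources": [r["ARN"].split(":")[2] for r in resources],   # service segment of each ARN
        "arn": [r["ARN"] for r in resources],
        "account": event["recipientAccountId"],
        "performed_by": event["userIdentity"]["arn"],
        "event_time": event["eventTime"],
        "high_privilege": event["eventName"] in HIGH_PRIVILEGE,
    }


def load_rows(raw):
    """Parse newline-delimited CloudTrail JSON into dashboard rows, oldest first."""
    rows = [to_row(json.loads(line)) for line in raw.strip().splitlines() if line.strip()]
    return sorted(rows, key=lambda r: r["event_time"])


def search(rows, **criteria):
    """Filter like the block's search box: each given column must equal the value
    (scalar columns) or contain it (list columns such as resources/arn)."""
    def ok(row):
        for key, want in criteria.items():
            have = row[key]
            if isinstance(have, list):
                if want not in have:
                    return False
            elif have != want:
                return False
        return True
    return [r for r in rows if ok(r)]


if __name__ == "__main__":
    rows = load_rows(RAW_EVENTS)
    for r in search(rows, high_privilege=True):
        print(f"{r['event_time']} {r['event_name']} by {r['performed_by']} in {r['region']}")
```

Read together, the two flagged rows tell a story the columns are designed to surface: the same user attaches AdministratorAccess to a service user and then stops the organisation trail four minutes later from a region the account does not normally operate in, which is the kind of sequence Event Time, Performed By, and Region exist to make obvious.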
How to See the Active Version for an IAM Policy?
Overview
An IAM customer managed policy can have several stored versions, but only one of them, the default version, is in effect for every identity the policy is attached to. Knowing which version is active tells you which permissions Saner CIEM is evaluating and which permissions the identity can actually exercise.
Step 1: Launch Cloud Entitlements
After you log in, select Cloud Security from the landing page. Next, click the App Launcher (at the top of the page) and choose CIEM (Cloud Infrastructure Entitlement Management).
Step 2: Access the IAM Policy for Which You Want to See the Active Version

From the CIEM dashboard, click the Policies block and navigate to the Details page, which displays the specific version (the Active Version) of an IAM policy that is currently in effect for every identity (user, group, or role) to which the policy is attached.
Step 3: View the Active Version of the IAM Policy

By default, the first version of a policy (v1) is the active version when the policy is created. Subsequent versions are stored but not in effect until explicitly set as the default version in the cloud provider, for example in AWS IAM by setting the default policy version or by creating the new version with the set-as-default option.
How to Determine if a Policy has Excessive Permission?
Quickly Identify Policy Categories with Excessive Permissions

From the dashboard, go straight to the dashboard block Policies with Excessive Permission Based on Category and view the policy categories that Saner CIEM has automatically identified and listed as Excessive for your immediate use.
How to Initiate Patch Remediation from CIEM Dashboard?
Overview
Remediation of findings from Saner CIEM dashboard involves systematically addressing the security and governance issues identified for cloud identities and their associated entitlements. You can identify and resolve identity-related risks within your AWS account directly from the interface with ease.
Initiate the Patching Task in Two Ways
Option 1: By Accessing the Fix (Wrench) Icon on the CIEM Dashboard

Step 1: Go to the top-right of the CIEM dashboard and click on the Fix (wrench) icon.
Step 2: Automatic Redirection to CSRM:

The application automatically redirects you to Cloud Security Resource Management (CSRM) and opens the CIEM Tabular Listing to begin the patching activity.
Step 3: Select the Fixes from the Relevant Tab:
- Predefined: Displays all fixes that use default values. Choose the relevant fixes and proceed with remediation.
- Custom: Shows user-defined fixes, allowing you to modify the fixes before applying them.
- All: Displays a combination of both predefined and custom fixes. You can select from the entire range of fixes available and proceed with remediation.
Option 2: From the “Recommended Remediation” Block

Step 1: In the Recommended Remediation block on the CIEM dashboard, click the Fix (wrench) icon next to the relevant Risk ID.
Step 2: Automatic Redirection to CSRM:

Clicking the fix icon automatically redirects you to CSRM with the CIEM module opened, allowing you to directly create the patching task using the wizard.
Step 3: Follow the Wizard
The wizard guides you through the process of selecting and applying the necessary patches.
This method makes it easier to manage your patching tasks and risk remediation in CIEM.
Commonly Asked Questions
What are inactive users in the context of cloud entitlements?
Inactive users, in the context of cloud entitlements, refer to accounts or identities in your cloud environment that meet the following criteria:
— They have not engaged in any activities, such as accessing resources or executing tasks.
— They have not logged in or authenticated within a specified time frame.
How do I identify inactive users?
The dashboard view, Users, presents the count of IAM (Identity and Access Management) users who have not been active and pose a security risk. Clicking the link navigates to the detailed view, which provides a breakdown of the user and their associated AWS permissions.
Key details include:
1) User Information with Name, ID, ARN, Created date, Last accessed date, Inline policies, Custom Managed policies, User groups, and High privilege policies
2) Policy details with Name, Association link to the user, ARN, Services, Resources, and Effect(allow or deny access to users)
3) Policy Details Graph displaying a visual representation of the user connected with the policy
What actions should I take for inactive users?
For inactive accounts, you can take the following recommended actions:
1. Implement Temporary Suspension Policies: Automatically deactivate accounts after a specified period of inactivity.
2. Disable Accounts to prevent further usage while you investigate whether the accounts are still relevant.
3. Revoke Permissions to remove access to sensitive resources to protect information.
4. Delete Accounts to permanently remove accounts that are no longer necessary.
What is Cloud Infrastructure Entitlement Management (CIEM) and why is it important?
Cloud Infrastructure Entitlement Management (CIEM) is a specialized security practice focused on managing and securing access to cloud resources by controlling entitlements — permissions, roles, and privileges assigned to users, groups, applications, and services. With Saner CIEM, users can enforce least privilege access across multi-cloud and hybrid environments.
How do I monitor newly granted and removed excessive permissions for my cloud Users, Groups, Policies, and Roles from the Dashboard?
The Evidence for Excessive Permission that can be accessed from the detailed statistics page from any view in the CIEM dashboard provides information on the Excessive permission across Users, Groups, Roles, or Policies.
How do I check recent identity-based activities in my cloud infra that I should be concerned about?
Look into the Critical activity logs for cloud entitlements that capture important events related to identity and access management (IAM), resource permissions, and user or service activities within a cloud environment. In Saner CIEM, these critical activity logs are vital for ensuring security, compliance, and visibility into the actions performed by users, groups, roles, and services. By using these logs, users can monitor events and take prompt action to mitigate risks, enforce compliance, and improve operational efficiency.
How do I find CIEM rule that is most critical but also mostly broken?
You can find these rules in the “All Findings” table, which shows any broken rules along with the maximum number of affected resources in the “Affected Resources” column. The rule’s criticality can be determined by its Severity, also listed in the same table.
How do I get detailed analysis of Users, Groups, Policies and Roles with Excessive permission?
The Evidence for Excessive Permission that can be accessed from the detailed statistics page from any view in the CIEM dashboard provides information on the Excessive permission across Users, Groups, Roles, or Policies.
How do I know why Saner Cloud has marked a CIEM Policy as Excessive one?
When reviewing a policy, use the “Evidence for Excessive Permission” view, which pinpoints unnecessary permissions in AWS IAM policies and helps you understand and address them.
Access the Evidence for Excessive Permission popup from the detailed statistics page for a policy. To interpret the information:
1) Look at the “Reference Path” to understand where in the policy structure the excessive permission is defined
2) Review the “Response” to identify the action that may be unnecessarily allowed or denied
— Reference Path is the structured representation of the policy’s JSON document, highlighting where the permission is defined. For example, “Policies.PolicyVersionList.Document.Action” refers to the Action field in the policy’s Document structure where permissions like “s3:ReplicateDelete” are specified.
— Response is the specific permission or action evaluated for excessive access. For example, “s3:ReplicateDelete” indicates a permission related to S3 bucket replication.
I want to know the increase in the count of excessive permissions by date. How can I get that?
After each scan, the increased count displays in the CIEM dashboard. Just hover over the different identities(users/groups/roles/policies) to see the updated count since the last scan date.
How can I view policies by “Type” and “Usage” for any identity(User/Group/Role/Policy)?
You can filter policies based on the following categories from the Detailed statistics page:
— All: Displays all policies irrespective of type or status
— Excessive: Shows policies that have excessive permissions, meaning they grant more access than necessary.
— Unused: Lists policies that are attached but haven’t been used for any action or resource access in a specified period.
— Inline: Highlights policies that are directly embedded within a user, group, or role rather than being standalone entities.
— Managed Policies: Focuses on standalone policies, either customer-managed or AWS-managed.
I want to see a combination of “Unused Inline Policies” or “Excessive Permissions in Managed Policies”. How can I do that?
Navigate to the Detailed Statistics page for a policy by clicking the Policy block in the dashboard. Within the Policy Details page, use the Filter drop-down list on the side pane to combine filters and narrow down your results.
For example, select the following combination within a policy:
Managed + Excessive: Displays excessive permissions in managed policies
Inline + Unused: Displays unused inline policies
What is the difference between an “Allow” and a “Deny” effect?
By default, AWS denies every action that is not explicitly allowed (implicit deny).
— Deny: Explicitly blocks access. An explicit Deny overrides any matching “Allow”, whether it appears in the same policy or in any other policy attached to the identity.
— Allow: Grants access to the specified actions and resources.
What is an ARN, and what is its role in policies?
ARN stands for “Amazon Resource Name”, the unique identifier of an AWS resource, written as arn:partition:service:region:account-id:resource. Policies use ARNs in the Resource element to state which resources a statement applies to. Example: arn:aws:s3:::my-bucket (the region and account-id fields are empty for S3 buckets because bucket names are globally unique).
How can I view or manage different versions of a policy or configuration associated with an identity (such as a user, role, or group)?
Within the Identity details page, the “Version” drop-down lets you switch between versions of a policy to review how it changed over time or to compare settings. Only the active version is enforced by AWS; an inactive version grants nothing until it is made the active one.
Where can I find the Active Version for an IAM policy?
From the CIEM dashboard, click the Policy block and open the Details page. It shows the Active Version of the IAM policy, that is, the version currently in effect for every identity (user, group, or role) the policy is attached to.
When a policy is created, its first version is the active (default) version. Later versions remain inactive until one of them is explicitly set as the default.
How do I find the excessive permissions on a specific bucket?
From the Identity details page, search the Policy Details section by one of the following:
1) Amazon Resource Name (ARN)
2) Cloud service provider (for example, AWS)
3) Resource type (for example, IAM)
4) Unique account ID where the resource resides (for example, 438664686704)
5) Resource path that contains the specific IAM group (for example, CIEM_Test_Group)
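As an added illustration, and not Saner's search implementation, the Python below parses an ARN into the fields listed above (partition, service, region, account ID, resource type and resource path) and then lists the statements of a policy document whose Resource element reaches a given bucket, including patterns such as arn:aws:s3:::my-bucket/* that address the bucket's objects without matching the bucket ARN itself. The policy document is constructed for the example, and Condition elements are ignored.

```python
"""Parse ARNs into searchable fields and find the policy statements that reach
one S3 bucket. Added example; not Saner Cloud's code."""
from fnmatch import fnmatchcase


def parse_arn(arn):
    """Split arn:partition:service:region:account-id:resource into a dict.
    The resource field keeps any further ':' or '/'; whichever comes first
    separates the resource type from the resource path, e.g.
    'group/CIEM_Test_Group' -> ('group', 'CIEM_Test_Group') and
    'log-group:/aws/lambda/fn' -> ('log-group', '/aws/lambda/fn').
    S3 bucket ARNs have no type prefix, so the whole resource is the path."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, resource = parts
    cuts = [i for i in (resource.find("/"), resource.find(":")) if i >= 0]
    if cuts:
        i = min(cuts)
        resource_type, resource_path = resource[:i], resource[i + 1:]
    else:
        resource_type, resource_path = None, resource
    return {
        "partition": partition,
        "service": service,
        "region": region or None,          # empty for global services (IAM, S3)
        "account_id": account_id or None,  # empty for S3 buckets
        "resource_type": resource_type,
        "resource_path": resource_path,
    }


# Constructed sample policy document (hypothetical; not from a real account).
POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::my-bucket"},
        {"Sid": "ObjectRW", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ReplicateDelete"],
         "Resource": "arn:aws:s3:::my-bucket/*"},
        {"Sid": "OtherBucket", "Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::other-bucket", "arn:aws:s3:::other-bucket/*"]},
        {"Sid": "DenyDelete", "Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "*"},
    ],
}


def statements_reaching_bucket(policy_document, bucket_arn):
    """Return the statements whose Resource element matches the bucket ARN or
    objects inside the bucket. 'arn:aws:s3:::my-bucket/*' does not match the
    bucket ARN itself, so the part of each pattern before the first '/' (the
    bucket-level part) is matched as well. Resource matching is case-sensitive
    as in IAM; Condition elements are ignored (simplification)."""
    bucket = parse_arn(bucket_arn)
    if bucket["service"] != "s3" or bucket["resource_type"] is not None:
        raise ValueError("expected a bucket ARN such as arn:aws:s3:::my-bucket")
    hits = []
    for stmt in policy_document["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for pattern in resources:
            bucket_part = pattern.split("/", 1)[0]
            if fnmatchcase(bucket_arn, pattern) or fnmatchcase(bucket_arn, bucket_part):
                actions = stmt.get("Action", [])
                hits.append({
                    "Sid": stmt.get("Sid"),
                    "Effect": stmt["Effect"],
                    "Action": [actions] if isinstance(actions, str) else list(actions),
                    "Resource": pattern,
                })
                break  # one hit per statement is enough
    return hits


if __name__ == "__main__":
    print(parse_arn("arn:aws:iam::438664686704:group/CIEM_Test_Group"))
    for hit in statements_reaching_bucket(POLICY_DOCUMENT, "arn:aws:s3:::my-bucket"):
        print(hit["Effect"], hit["Sid"], hit["Action"], "via", hit["Resource"])
```

For the sample bucket the function returns the ListBucket, ObjectRW and DenyDelete statements and skips OtherBucket; the Deny statement is included on purpose, because a reviewer judging what is excessive needs to see what is explicitly blocked as well as what is granted.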
I want to view policies, permissions, and services linked to each identity. Where can I get this from?
Within the Identity details page, the Policy Details Map presents an interactive tree view of policies, permissions, services, and resources linked to each identity — User, Group, or Role — within the AWS environment.
For quick analysis of events, I need a vital piece of information. Where can I get it?
The Saner CIEM dashboard provides Critical Activity Logs containing Events, Request details, User identity, Additional user context, Resource information, and more. You can also filter the critical activity logs with specific search criteria.
How do I proceed with remediation or fixes for the findings?
From the Saner CIEM dashboard, click the Fix icon for a finding to get guidance or recommended steps for resolving the issue.
I want to quickly analyze the identities based on complete and current information of findings. How does Saner CIEM enable me to do this?
You can view the breakdown of findings directly from the All Findings block in the Saner CIEM dashboard. Alternatively, export the findings to a CSV spreadsheet, select the relevant identities and findings, and proceed with remediation.
How is the principle of least privilege applied in Saner CIEM?
By default, AWS denies all actions unless explicitly allowed. Least privilege means an identity should hold only the Allow statements its actual usage requires, which is what the excessive-permission evidence measures against. Within the Policy Details section for an identity, you’ll find the effect applied to each resource:
— Allow: Grants access to the specified actions and resources.
— Deny: Explicitly blocks access, overriding any “Allow” permissions.
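To make the evaluation order concrete for both this question and the Allow/Deny question earlier on the page, here is an added Python example (not Saner Cloud code) that evaluates a request against the identity-based policies attached to one identity the way IAM does: implicit deny by default, any matching Allow grants access, and any matching explicit Deny wins regardless of order. The two policy documents are constructed for the example; Condition, Principal, permissions boundaries and SCPs are not modelled.

```python
"""Minimal IAM-style evaluation for identity-based policies:
implicit deny, then Allow, with explicit Deny always winning.
Added example; not Saner Cloud's code."""
from fnmatch import fnmatchcase

# Constructed sample: a managed policy and an inline guardrail attached to
# the same identity (hypothetical content).
POLICIES = {
    "ManagedS3Access": {"Version": "2012-10-17", "Statement": [
        {"Sid": "S3All", "Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]},
    "InlineGuardrail": {"Version": "2012-10-17", "Statement": [
        {"Sid": "NoDelete", "Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:ReplicateDelete"], "Resource": "*"}]},
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _action_matches(pattern, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # Resource ARNs are compared case-sensitively.
    return fnmatchcase(resource, pattern)


def statement_applies(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource/NotResource cover
    the request. Condition and Principal are not modelled (simplification)."""
    if "Action" in stmt:
        act_ok = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    else:
        act_ok = not any(_action_matches(p, action) for p in _as_list(stmt.get("NotAction")))
    if "Resource" in stmt:
        res_ok = any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"]))
    else:
        res_ok = not any(_resource_matches(p, resource) for p in _as_list(stmt.get("NotResource")))
    return act_ok and res_ok


def evaluate(policies, action, resource):
    """Return ('ALLOW' | 'DENY', reason) for one request.
    A matching explicit Deny ends evaluation immediately, whatever Allow
    statements exist; with no matching statement at all the result is the
    implicit deny."""
    allowed_by = None
    for name, doc in policies.items():
        for stmt in doc["Statement"]:
            if not statement_applies(stmt, action, resource):
                continue
            label = f"{name}/{stmt.get('Sid', '?')}"
            if stmt["Effect"] == "Deny":
                return "DENY", f"explicit deny in {label}"
            allowed_by = allowed_by or label
    if allowed_by:
        return "ALLOW", f"allowed by {allowed_by}"
    return "DENY", "implicit deny (no matching Allow)"


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::my-bucket/report.csv"),
                     ("s3:DeleteObject", "arn:aws:s3:::my-bucket/report.csv"),
                     ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv")]:
        print(act, res, "->", evaluate(POLICIES, act, res))
```

The sample shows why the inline Deny is a useful guardrail: s3:* in the managed policy still grants s3:DeleteObject on the bucket, but the explicit Deny blocks it, while access to any bucket the managed policy does not name falls through to the implicit deny.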
I’d like to analyze whether the access granted is actually effective, that is, who can reach what. How do I do that?
Within the Identity details page, the Policy Details Map presents an interactive tree view of policies, permissions, services, and resources linked to each identity (User, Group, or Role) within the AWS environment, helping teams determine who has access to what. By reviewing the effective permissions in this built-in map of identities and their access paths, you can spot and mitigate unauthorized access.
I want to understand the key capabilities of Saner CIEM.
The centralized dashboard in Saner CIEM helps businesses monitor and manage cloud entitlements and privilege policies. With this visibility, organizations can eliminate redundant, dormant, or over-privileged identities.
What key challenges can I overcome with Saner CIEM?
Saner CIEM helps identify over-permissive access and ensure that users and services hold only the minimum privileges they require.
What do I use to monitor and manage cloud entitlements?
Saner CIEM works in terms of Identities. An identity is a user, group, or role with permissions assigned to access cloud resources, and it is the unit at which entitlements are monitored and managed.
How do I use policies to govern access and permissions in a cloud environment?
Policies contain the rules and configurations that govern access and permissions in the cloud environment; Saner CIEM evaluates the policies attached to each identity against that identity’s actual usage.