Accessing the Cloud Access Management Portal
When you've received both your Cloud Access Management username and password via email, you're ready to log in to the portal.
When you're done working in the portal, be sure to end your session by selecting the icon in the top right (or the down arrow to the right of your name) to display the menu and select Logout.
You can see your user information and configure alert settings when you first log in.
Federating Users With SSO
Your user account information is automatically generated from your IdentityNow user account. To use SailPoint's Shared Authentication Service to access Cloud Access Management, users must exist in IDN. You can work with your CSM and SailPoint Services to identify the best method for creating user accounts based on your requirements and existing systems. If your organization is already using IdentityNow, please contact your identity team administrator for assistance.
To give users access to Cloud Access Management, grant them the Cloud Gov Admin user level in IdentityNow. The Org Admin user level also grants access to Cloud Access Management but includes full Admin privileges in IdentityNow and should therefore be granted only when that level of access is appropriate.
Federating Users With SAML
IdentityNow and Cloud Access Management can use SAML-based identity providers to support federated users. The IDP can be set up to use IDP-initiated access directly into Cloud Access Management. When an IDP (such as Okta, Microsoft ADFS, or Ping Identity) initiates a SAML authentication with Cloud Access Management, it will send the default relay state, if configured, to IdentityNow.
After the IDP-initiated SAML authentication has succeeded, a URL must be supplied in the default relay state. This URL tells IDN where to forward user information and where to redirect the user after successful authentication.
The URL pattern will look like: https://company.cam.sailpoint.com/authorize/idn
You must update your IDN settings to accept this as a redirect URL. In the Admin section, navigate to Global > Security Settings > Redirect Patterns and enter the redirect URL.
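As an added illustration of why the redirect pattern allowlist matters (this is hypothetical example code, not part of SailPoint's documentation or IDN's implementation), here is a validator that accepts a relay state only when it matches a registered redirect URL exactly in scheme, host and port and sits under its path, so lookalike hosts, embedded credentials, scheme-relative URLs and path traversal are all refused. The allowlist entry is the URL pattern from the text; the function names are assumptions.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed allowlist, standing in for what an admin enters under
# Global > Security Settings > Redirect Patterns (hypothetical entry).
ALLOWED_REDIRECTS = ["https://company.cam.sailpoint.com/authorize/idn"]


def _parts(url):
    """Split a URL into (host, port, normalized path); None if unusable."""
    try:
        u = urlsplit(url)
        if u.username is not None or u.password is not None:
            return None  # "trusted.host@evil.example" lookalikes never pass
        host = (u.hostname or "").lower()
        port = u.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if u.scheme.lower() != "https" or not host:
        return None  # rejects http and scheme-relative "//evil.example"
    # Collapse "/../" so a path cannot escape the registered prefix.
    return (host, port, posixpath.normpath(u.path or "/"))


def relay_state_allowed(relay_state, allowed=ALLOWED_REDIRECTS):
    """True only if relay_state matches an allowlisted redirect URL."""
    target = _parts(relay_state)
    if target is None:
        return False
    host, port, path = target
    for entry in allowed:
        ok = _parts(entry)
        if ok is None or (host, port) != (ok[0], ok[1]):
            continue
        if path == ok[2] or path.startswith(ok[2].rstrip("/") + "/"):
            return True
    return False
```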
Configuring Alert Settings
We know how important it is to be able to monitor your cloud infrastructure for any potential issues. That's why Cloud Access Management provides several ways to create, view, and triage alerts.
In addition to using the Alerts dashboard, you can also configure alert settings to choose the type of activity and severity of alerts that will trigger notifications, and how to handle those notifications.
Select the Alerts High, Alerts Medium, and/or Alerts Low tabs to configure the notification methods for each alert level.
Cloud Access Management supports the following notification methods, so you can choose your preferred method (or combination of methods) to receive alert notifications.
Email — Specify the email address(es) you want to receive alert notifications.
Syslog — Specify the IP address, port number, and protocol (tcp) of the syslog server you want to collect Cloud Access Management alert notifications.
Slack — If you've enabled incoming webhooks (in your Slack settings), provide the incoming webhook URL so Cloud Access Management can post alert notifications to the Slack channel you've configured to receive messages.
The alert settings you specify will apply to all registered cloud accounts. They can be changed any time by selecting the Settings icon and selecting Alert Settings.
Registering Cloud and Identity Provider Accounts
You will need to register your cloud and identity provider accounts to enable Cloud Access Management to begin providing governance data.
Viewing the Status of Your Cloud Infrastructure
Cloud Access Management provides a snapshot of your entire cloud infrastructure across all the cloud accounts and subscriptions you've configured it to access and govern.
Select Dashboard in the left menu to view a summary of the current security and compliance status for your cloud infrastructure. Information is organized into the following tiles, based on the data accessible to Cloud Access Management:
Accounts — This number refers to the total number of cloud accounts being governed, and can therefore be a combination of Amazon Web Services accounts, Google Cloud accounts, and Azure subscriptions. Select the tile to see all of your cloud accounts. For more information, see Working with Accounts.
Users — These numbers represent the total number of user identities discovered across cloud accounts, including service accounts, security principals, groups, and privileged users, as well as the percentage of these users who are currently inactive.
Inactive users can pose a security threat, as their credentials can be more easily compromised and used to gain unauthorized access to your cloud infrastructure.
Data — These numbers represent the total number of data repositories discovered across cloud accounts — including object-based storage such as Amazon S3, relational databases such as SQL, and NoSQL databases such as DynamoDB — as well as the number of these repositories that are public. In production deployments this can include hundreds of data repositories with millions of objects.
Public data repositories should be closely monitored as they are more susceptible to accidental or malicious data exposure.
Privileges — These numbers represent the total number of privileges available for performing operations across cloud accounts, as well as the percentage of these privileges that are currently inactive or unused/excess. Each cloud platform has thousands of privileges that Cloud Access Management monitors and analyzes.
Privilege abuse and escalation are leading attack vectors for insider threats and targeted attacks. To minimize risk, it is therefore essential to maintain least privilege in cloud environments. For more information, see Viewing Unused Access.
Instances — These numbers represent the total number of instances of virtual machines currently running across the cloud infrastructure, as well as the number of these instances that are public. Cloud Access Management continually monitors the cloud accounts it's configured to govern and updates these numbers as instances are provisioned and deprovisioned.
Public instances can be used to attack cloud workloads using protocols such as SSH and RDP, and therefore should be closely monitored and restricted.
Networks — These numbers represent the total number of networks provisioned across the cloud infrastructure, as well as the number of these networks that are public. Cloud Access Management monitors all connected networks and detects public networks that have internet connectivity. The number of networks can become significant as a result of segmentation.
Public networks can be targets of malicious network traffic and used to access and extract sensitive data.
You'll also notice an Alerts tile that provides the current count of alerts based on their severity. Select this tile for a detailed view into these alerts. For more information, see Viewing and Triaging Alerts.
Below this top set of tiles are a series of pie charts that summarize the publicly accessible objects in your cloud infrastructure, as well as the external accounts that can currently access them. Because they can represent a significant security risk, Cloud Access Management also identifies accounts with privileged or admin-level access to objects or data on your cloud infrastructure.
Hover over a colored section of the pie chart to display the actual numbers associated with that piece of the whole. For example, here are the values for the other segments of the Public Objects pie chart:
Public Objects — This pie chart provides a combined view of all publicly accessible objects in the cloud infrastructure. Select this tile to view a detailed list of all public objects by type.
Select the name of each type of object listed (e.g., instance, object store, subnet) to filter the list by that type.
You can also select the name of an item in the list to view additional details about that specific item in its associated section of the Cloud Access Management portal (e.g., objects or networks).
Shadow Access — This pie chart displays the external accounts and identities that Cloud Access Management has identified as having unauthorized or shadow access. Cloud Access Management analyzes access to every object in your cloud infrastructure and detects unauthorized access from external cloud accounts and external networks that have access to your data.
Select this tile to view a detailed list of all shadow access by type. Select the heading for each type of access listed (UNKNOWN ACCOUNTS, KNOWN ACCOUNTS, SHADOW NETWORKS) to filter the list by that type.
Select the hyperlinked number under Resources Accessible to view all details captured regarding the total access paths for the item.
The query used to search the system and generate these results is also provided, so you can easily use this query as the basis for a guardrail rule. For more information, see Using Guardrails to Detect Violations and Risk.
Unused Access — Quickly see all of the unused access broken down by role, identities with roles, and identities without roles. Select the tile to see granular detail about unused access. For more information, see Detecting Unused Access.
Location Map — At the bottom of the dashboard, the location map provides a visual representation of critical security issues and compliance risks on your cloud infrastructure across regions.
If there's a red circle on the map, you can hover over it to see the exact location and number of resource objects involved in generating the alerts.
Click on a red circle to open the Alerts page for a more detailed view of the associated alerts. For more information, see Viewing and Triaging Alerts.
You can also select the Change View icon to view an Access Graph that visually depicts the cloud infrastructure related to the alert.
Select an item in the graph to view identifying details. If there are additional details available for the item, you can select OPEN DETAIL PAGE to open the Objects page for a more detailed view of the infrastructure object. For more information, see Working with Discovered Objects.
Filtering Your View
By default, the Cloud Access Management Dashboard displays an aggregate of information available for all cloud accounts it's configured to govern, to provide a complete view.
To view information for a single cloud account, select the Filter icon and select the specific cloud account you want to view.
Select APPLY NOW to update the information in the Dashboard based on your selection.
When you're done reviewing the information for that cloud instance, you can select a different one in the list or select RESET ALL to reset the Dashboard to the default view.