Getting Started

Accessing the Cloud Access Management Portal

When you've received both your Cloud Access Management username and password via email, you're ready to log in to the portal.

When you're done working in the portal, be sure to end your session by selecting the Profile icon in the top right (or the down arrow to the right of your name) to display the menu and select Logout.

You can see your user information and configure alert settings when you first log in.

Federating Users With SSO

Your user account information is automatically generated from your IdentityNow user account. To use SailPoint's Shared Authentication Service to access Cloud Access Management, users must exist in IdentityNow. You can work with your CSM and SailPoint Services to identify the best method for creating user sources based on your requirements and existing systems. If your organization is already using IdentityNow, please contact your identity team administrator for assistance.

There are two levels of access that you can give to users of Cloud Access Management: user level and administrative level. Only administrators can manage the sources page, such as adding, editing, or deleting cloud sources. Additionally, only administrators can perform manual snapshots.

To give users administrative access to Cloud Access Management, grant them the Cloud Gov Admin user level in IdentityNow. For all other users, grant them the Cloud Gov User user level. The Org Admin user level also grants access to Cloud Access Management but includes full Admin privileges in IdentityNow and should therefore be granted only when that level of access is appropriate.

Federating Users With SAML

IdentityNow and Cloud Access Management can use SAML-based identity providers to support federated users. The IDP can be set up to use IDP-initiated access directly into Cloud Access Management. When an IDP (such as Okta, Microsoft ADFS, or Ping Identity) initiates a SAML authentication with Cloud Access Management, it will send the default relay state, if configured, to IdentityNow.

For the user to be redirected after a successful IDP-initiated SAML authentication, a URL must be supplied in the default relay state. This URL tells IdentityNow where to forward user information and where to redirect the user after successful authentication.

The URL pattern will look like:

You must update your IdentityNow settings to accept this as a redirect URL. In the Admin section, navigate to Global > Security Settings > Redirect Patterns and enter the redirect URL.
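
As an added example (not SailPoint code and not IdentityNow's own pattern-matching logic), the following Python check tests a candidate relay state URL against a strict allowlist before you enter it as a redirect pattern. The host cam.example.com and the names ALLOWED_TARGETS, relay_state_allowed and audit are assumptions made for the example; substitute your tenant's portal URL.

```python
from urllib.parse import urlsplit

# Constructed placeholder: (scheme, exact host) of the portal the relay state
# should point at. The real value is tenant-specific and not shown on this page.
ALLOWED_TARGETS = {("https", "cam.example.com")}


def relay_state_allowed(url, allowed=ALLOWED_TARGETS):
    """Return True only for an https URL whose host exactly matches the allowlist."""
    # Reject whitespace, control characters and backslashes up front; URL
    # parsers disagree about them, which is how allowlist checks get bypassed.
    if any(c.isspace() or ord(c) < 0x20 or c == "\\" for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    # user:pass@host forms make the visible prefix differ from the real host.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".")
    if port not in (None, 443):
        return False
    # Exact comparison: no prefix, suffix or substring matching on the host.
    return (parts.scheme.lower(), host) in allowed


def audit(candidates):
    """Map each candidate URL to True (safe to allowlist) or False."""
    return {url: relay_state_allowed(url) for url in candidates}


# Constructed sample values for illustration only.
SAMPLES = [
    "https://cam.example.com/ui/dashboard",
    "http://cam.example.com/ui/dashboard",
    "https://cam.example.com.other.example/",
    "https://cam.example.com@other.example/",
    "https://cam.example.com:8443/",
    "//cam.example.com/",
]

if __name__ == "__main__":
    for url, ok in audit(SAMPLES).items():
        print("ALLOW " if ok else "REJECT", url)
```

Only the first sample passes; the others fail on scheme, host suffix, embedded credentials, port, or missing scheme.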

Configuring Alert Settings

We know how important it is to be able to monitor your cloud infrastructure for any potential issues. That's why Cloud Access Management provides several ways to create, view, and triage alerts.

In addition to using the Alerts dashboard, you can also configure alert settings to choose the type of activity and severity of alerts that will trigger notifications and how to handle those notifications.

Select the Alerts High, Alerts Medium, and/or Alerts Low tabs to configure the notification methods for each alert level.

Cloud Access Management supports the following notification methods, so you can choose your preferred method (or combination of methods) to receive alert notifications.

  • Email — Specify the email address(es) you want to receive alert notifications.

  • Syslog — Specify the IP address, port number, and protocol (udp or tcp) of the syslog server you want to collect Cloud Access Management alert notifications.

  • Slack — If you've enabled incoming webhooks in your Slack settings, provide the incoming webhook URL so Cloud Access Management can post alert notifications to the Slack channel you've configured to receive messages.


The alert settings you specify will apply to all registered cloud sources. They can be changed any time by selecting the Settings icon and selecting Alert Settings.

Registering Cloud and Identity Provider Sources

You will need to register your cloud and identity provider sources to enable Cloud Access Management to begin providing governance data.

To prepare your CSP to work with Cloud Access Management, see Configuring Cloud Service Providers. When you're done configuring, you can register your CSP source(s).

To prepare your IDP(s) to be registered with Cloud Access Management, see Configuring Identity Providers. When you're done configuring, you can register your IDP source(s).

Viewing the Status of Your Cloud Infrastructure

Cloud Access Management provides a snapshot of your entire cloud infrastructure across all the cloud sources and subscriptions you've configured it to access and govern.

Select Dashboard in the left menu to view a summary of the current security and compliance status for your cloud infrastructure. Information is organized into the following tiles, based on the data accessible to Cloud Access Management:

Sources — This number refers to the total number of cloud sources being governed, and can therefore be a combination of Amazon Web Services accounts, Google Cloud sources, and Azure subscriptions. Select the tile to see a snapshot of all your cloud sources. For more information, see Working with Sources.

Users — These numbers represent the total number of user identities discovered across cloud sources, including service accounts, security principals, groups, and privileged users, as well as the percentage of these users who are currently inactive.

Inactive users can pose a security threat, as their credentials can be more easily compromised and used to gain unauthorized access to your cloud infrastructure.

Privileges — These numbers represent the total number of privileges available for performing operations across cloud sources, as well as the percentage of these privileges that are currently inactive or unused/excess. Each cloud platform has thousands of privileges that Cloud Access Management monitors and analyzes.

Privilege abuse and escalation is a leading attack vector for insider threats and targeted attacks. To minimize risk, it is therefore essential to maintain least privilege in cloud environments.

Unused Access — These numbers show the total amount of sensitive access across cloud sources that has not been used for the past 90 days. This is divided by roles, users, and direct IAM user access without roles. This includes unused access provided by services as well. For more information on viewing and managing unused access, refer to Viewing Unused Access.

Alerts — This tile provides the current count of alerts based on their severity. Select this tile for a detailed view into these alerts. For more information, see Viewing and Triaging Alerts.

Below this top set of tiles are two pie charts that summarize the publicly accessible objects in your cloud infrastructure, as well as the external sources that can currently access them. Because they can represent a significant security risk, Cloud Access Management also identifies sources with privileged or admin-level access to objects or data on your cloud infrastructure.

Hover over a colored section of the pie chart to display the actual numbers associated with that piece of the whole. For example, here are the values for the other segments of the Public Objects pie chart:

Public Objects — This pie chart provides a combined view of all publicly accessible objects in the cloud infrastructure. Select this tile to view a detailed list of all public objects by type.

Select the name of each type of object listed - instances, object stores, relational databases, security groups, or subnets - to filter the list by that type.

You can also select the name of an item in the list to view additional details about that specific item in its associated section of the Cloud Access Management portal (e.g., object stores or relational databases).

Shadow Access — This pie chart displays the external sources and identities that Cloud Access Management has identified as having unauthorized or shadow access. Cloud Access Management analyzes access to every object in your cloud infrastructure and detects unauthorized access from external cloud sources and external networks that have access to your data.

Select this tile to view a detailed list of all shadow access by type. Select the heading for each type of access listed (UNKNOWN SOURCES, KNOWN SOURCES, SHADOW NETWORKS) to filter the list by that type.

Select a hyperlinked number under Resources Accessible to view all details captured regarding the total access paths for the item.

The query used to search the system and generate these results is also provided, so you can easily use this query as the basis for a guardrail rule. For more information, see Using Search Queries and Guardrails.

Location Map — At the bottom of the dashboard, the location map provides a visual representation of critical security issues and compliance risks on your cloud infrastructure across regions.

If there's a red circle on the map, you can hover over it to see the exact location and number of resource objects involved in generating the alerts.

Click on a red circle to open the Alerts page for a more detailed view of the associated alerts. For more information, see Viewing and Triaging Alerts.

You can also select the Change View icon to view an Access Graph that visually depicts the cloud infrastructure related to the alert.

Select an item in the graph to view identifying details. If there are additional details available for the item, you can select OPEN DETAIL PAGE to open the Objects page for a more detailed view of the infrastructure object. For more information, see Working with Discovered Objects.

Filtering Your View

By default, the Cloud Access Management Dashboard displays an aggregate of information available for all cloud sources it's configured to govern to provide a complete view.

To view information for a single cloud source, select the Filter icon and select the specific cloud source you want to view.

Select APPLY NOW to update the information in the Dashboard based on your selection.

When you're done reviewing the information for that cloud instance, you can select a different one in the list or select RESET ALL to reset the Dashboard to the default view.