Identity Collection

The AWS identities are collected by the Permission Collector at the beginning of each task, before permissions are evaluated, so that every principal referenced by a policy can be resolved to a known identity.

  • The following identities are collected:

    • AWS Accounts (root users)

    • IAM Users

    • IAM Groups

    • IAM Roles

  • The AWS predefined groups are represented as the following FAM groups:

    • http://acs.amazonaws.com/groups/global/AllUsers – “Anonymous”, with type “Everyone, Authenticated Users, or contains it”

    • http://acs.amazonaws.com/groups/global/AuthenticatedUsers – “AwsAuthenticatedUsers”, with type “Everyone, Authenticated Users, or contains it”

    • http://acs.amazonaws.com/groups/s3/LogDelivery – “S3LogDelivery”, with type “Local Group”

  • From each IAM Role, File Access Manager collects the principals listed in the role's trust policy (its trusted entities) as members of the role.

  • The AWS entities will be mapped to the following types:

    • IAM Users – will be saved as FAM “Local User” type.

    • IAM Groups – will be saved as FAM “Local Group” type.

    • IAM Roles – will be saved as FAM “Local Role” type.

    • AWS Account – will be saved as FAM “AWS Account” type.

    • AWS Service – will be saved as FAM “AWS Service” type.

    • All other principal types (for example “Federated”) – will be saved as FAM “AWS External Account” type.

  • An IAM Role trust policy whose trusted identity is "*" is represented as “Anonymous” with type “Everyone, Authenticated Users, or contains it”.

  • "Principal": "*" in a bucket policy is represented as “Anonymous” with type “Everyone, Authenticated Users, or contains it”.

  • For each collected identity, the primary ID is its ARN; alternative IDs are collected as well:

    • For AWS Accounts – the account Id, the root user ARN ("arn:aws:iam::{iamRootUser.Id}:root", where the Id is the 12-digit account ID) and the canonical Id.

    • For other identities – Id.

  • Additional information that is collected:

    • Name

    • Display Name

    • Description

    • Domain – the AccountName(#AccountId)

    • Email (only for AWS Accounts)

    • LastLogin (only for IAM Users)
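The mapping rules above (trusted entities become role members, "*" and the AWS predefined group URIs become the “Anonymous”/“AwsAuthenticatedUsers”/“S3LogDelivery” groups, principals map to FAM types, and an account's primary ID is its root ARN) can be exercised offline against a trust policy document. The following is an added example and is not File Access Manager code; the record layout (`type`, `primary_id`, `name`, `alternative_ids`), the treatment of `{"AWS": "*"}` as equivalent to `"*"`, and the sample trust policy are assumptions made for this illustration. The canonical Id listed above requires an AWS API call and is therefore not derived here.

```python
"""Classify AWS principals into the FAM identity types described above (added example)."""
import json
import re

# Type name as written on this page for the anonymous / authenticated-users groups.
EVERYONE_TYPE = "Everyone, Authenticated Users, or contains it"

# S3 ACL group grantee URI -> (FAM group name, FAM type), per the page.
PREDEFINED_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": ("Anonymous", EVERYONE_TYPE),
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": ("AwsAuthenticatedUsers", EVERYONE_TYPE),
    "http://acs.amazonaws.com/groups/s3/LogDelivery": ("S3LogDelivery", "Local Group"),
}

IAM_ARN = re.compile(r"^arn:(?P<partition>[^:]+):iam::(?P<account>\d{12}):(?P<resource>.+)$")
ACCOUNT_ID = re.compile(r"^\d{12}$")
RESOURCE_PREFIX_TO_TYPE = {"user/": "Local User", "group/": "Local Group", "role/": "Local Role"}


def identity(fam_type, primary_id, name, alternative_ids=()):
    """Identity record; field names are this example's own, not FAM's."""
    return {"type": fam_type, "primary_id": primary_id, "name": name,
            "alternative_ids": list(alternative_ids)}


def anonymous():
    return identity(EVERYONE_TYPE, "Anonymous", "Anonymous")


def account_identity(account_id, partition="aws"):
    """AWS Account: primary ID is the root user ARN, alternative ID the 12-digit account ID."""
    return identity("AWS Account", f"arn:{partition}:iam::{account_id}:root", account_id, [account_id])


def classify_aws_principal(value):
    """An 'AWS' principal value: '*', a bare account ID, a root ARN, or an IAM entity ARN."""
    if value == "*":                      # assumption: {"AWS": "*"} is treated like "*"
        return anonymous()
    if ACCOUNT_ID.match(value):           # bare account ID is shorthand for the root ARN
        return account_identity(value)
    m = IAM_ARN.match(value)
    if m is None:                         # e.g. an STS assumed-role ARN: not an IAM entity
        return identity("AWS External Account", value, value)
    resource = m.group("resource")
    if resource == "root":
        return account_identity(m.group("account"), m.group("partition"))
    for prefix, fam_type in RESOURCE_PREFIX_TO_TYPE.items():
        if resource.startswith(prefix):   # paths may precede the name: role/path/Name
            return identity(fam_type, value, resource.rsplit("/", 1)[-1])
    return identity("AWS External Account", value, value)


def classify_principal(principal):
    """Expand one statement's Principal element into identity records."""
    if principal == "*":
        return [anonymous()]
    records = []
    for kind, values in principal.items():
        for v in [values] if isinstance(values, str) else values:
            if kind == "AWS":
                records.append(classify_aws_principal(v))
            elif kind == "Service":
                records.append(identity("AWS Service", v, v))
            else:                         # Federated, CanonicalUser, ... -> external account
                records.append(identity("AWS External Account", v, v))
    return records


def role_members(trust_policy):
    """Trusted entities of an IAM role's trust policy, collected as the role's members."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be written without a list
        statements = [statements]
    members = []
    for st in statements:
        if st.get("Effect") == "Allow" and "Principal" in st:
            members.extend(classify_principal(st["Principal"]))
    return members


def classify_grantee_uri(uri):
    """Map an S3 ACL group grantee URI to the FAM group it is represented as."""
    name, fam_type = PREDEFINED_GROUPS[uri]
    return identity(fam_type, name, name)


# Constructed sample trust policy (not from a real account).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": ["123456789012", "arn:aws:iam::123456789012:user/alice"]},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/corp"},
         "Action": "sts:AssumeRoleWithSAML"},
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    for member in role_members(SAMPLE_TRUST_POLICY):
        print(member["type"], "->", member["primary_id"])
```

The last statement of the sample policy is the case the page singles out: a role anyone can assume yields an “Anonymous” member, which is the finding a reviewer should look for first in a collected role's membership.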