Excessive Unused Token Permissions
Eco-system support
-
AWS IAM Access token
-
GCP Service Account key
Description
An identity with an enabled token was found to have unused excessive permissions. This goes against the fundamental principle of least privilege, which states that only the minimum necessary permissions should be granted to each identity. To minimize the attack surface and ensure maximum security, it is recommended to create identities with precise permissions that align with their intended purpose.
Risk triggers
-
GCP: SailPoint Entro will analyze all service account tokens for their usage against correlated permissions using the Policy Analyzer service, and will highlight insights about potential unused sensitive permissions. Enabling logging per integration is required for this.
-
Azure: Since Azure permissions can be granted across the entire Microsoft ecosystem, SailPoint Entro only analyzes the permissions without generating a new risk for it. You can see the analyzed permissions under the tokens “Permissions” tab.
-
AWS: SailPoint Entro will highlight any unused permissions by comparing CloudWatch activity logs against actual analyzed permissions assigned to an IAM token.
Mitigation
Reduce over-permissive policies
Establish granular policies that only allow the minimum permissions needed for your identities.
-
Check the "Excessive Permissions" tab to see which permissions are being used.
-
Create a policy per identity that gives it all the permissions it needs to function.
-
Avoid using one identity and token for multiple applications, as it will make working with the Principle of Least Privilege difficult.