Excessive Unused Token Permissions
Description
An identity with an enabled token was found to have unused excessive permissions. This goes against the fundamental principle of least privilege, which states that only the minimum necessary permissions should be granted to each identity. To minimize the attack surface and ensure maximum security, it is recommended to create identities with precise permissions that align with their intended purpose.

Risk triggers
-
GCP: SailPoint Entro will analyze all service account tokens for their usage against correlated permissions using the Policy Analyzer service, and will highlight insights about potential unused sensitive permissions. Enabling logging per integration is required for this.
-
Azure: Since Azure permissions can be granted across the entire Microsoft ecosystem, SailPoint Entro only analyzes the permissions without generating a new risk for it. You can see the analyzed permissions under the tokens “Permissions” tab.
-
AWS: SailPoint Entro will highlight any unused permissions by comparing CloudWatch activity logs against actual analyzed permissions assigned to an IAM token.
Mitigation
Reduce over-permissive policies.
Establish granular policies that only allow the minimum permissions needed for your identities.
-
Check the "Excessive Permissions" tab to see which permissions are being used.
-
Create a policy per identity that gives it all the permissions it needs to function.
-
Avoid using one identity and token for multiple applications, as it will make working with the Principle of Least Privilege difficult.
JSON Example
Risk JSON
account: {environment: "qa", environmentType: "QA"}
accountId: "116849364939"
accountType: "AWS"
category: "LEAST_PRIVILEGE"
correlationGuid: "NTR-127156"
creationDate: "2024-08-06T16:20:15.493Z"
customData: null
customerId: 34
data: {title: "Excessive unused IAM token permissions"}
description: "This goes against the fundamental principle of least privilege, which states that only the minimum necessary permissions should be granted to each identity. To minimize the attack surface and ensure maximum security, it is recommended to create identities with precise permissions that align with their intended purpose. This best practice ensures that unused and potentially dangerous permissions are not granted, thereby reducing the risk of a cyber attack."
destination: "AWS_IAM_ACCESS_KEY"
guid: "RSK-6367"
hasComment: null
hasJiraTicket: null
hasSeen: false
hasSlackMessage: null
id: 20070
isArchived: false
key: "EXCESSIVE_PERMISSIONS-TKN-869"
linkedElements: ["TKN-869"]
logChangeType: null
modifyDate: "2024-10-28T16:24:12.784Z"
name: "Excessive unused token permissions"
occurrences: ["AWS_IAM_ACCESS_KEY"]
owner: "shaked.rosen@entro.security"
ownerAiObject: {similarity: 1, ownerItemType: "email", elementItemType: "username",…}
ownerUid: "904094ca-3371-440c-8b86-a84b01ab8ff4"
path: "AKIARWNGDZ7F5PALO94E"
ruleCode: "EXCESSIVE_PERMISSIONS"
scanId: 2900991
severity: "MEDIUM"
source: "AWS"
status: "OPEN"
tags: ["Least Privilege", "Human", "Programmatic", "App", "qa"]
tasks: [{customerId: 34, riskId: 20070, type: "REDUCE_PERM_POLICY", level: "MEDIUM",…}]
type: "EXCESSIVE_PERMISSIONS"
Linked Element (NHI Token) JSON
accessedDate: "2024-09-29T13:01:00.000Z"
account: {environment: "qa", environmentType: "QA", accountType: "AWS", id: "116849364939"}
accountId: "116849364939"
accountType: "AWS"
awsPolicies: {policies: [,…],…}
policies: [,…]
policiesUsage: {s3: ["Read"], ec2: ["List"], kms: ["Read", "List"], rds: ["List"], tag: ["Read"],…}
cloudformation: ["Write", "Read", "List"]
docdb-elastic: ["Read", "List"]
ec2: ["List"]
kms: ["Read", "List"]
lambda: ["List", "Permissions management", "Write", "Read"]
rds: ["List"]
redshift: ["List"]
redshift-serverless: ["List", "Read"]
s3: ["Read"]
secretsmanager: ["Admin"]
serverlessrepo: ["Write", "Read"]
tag: ["Read"]
tokenExcessiveUsage: {ec2: {diff: ["List"], serviceTokenUsage: [], servicePolicyUsage: ["List"]},…}
cloudformation: {diff: ["Write", "Read"], serviceTokenUsage: ["List"], servicePolicyUsage: ["Write", "Read", "List"]}
docdb-elastic: {diff: ["Read", "List"], serviceTokenUsage: [], servicePolicyUsage: ["Read", "List"]}
ec2: {diff: ["List"], serviceTokenUsage: [], servicePolicyUsage: ["List"]}
kms: {diff: ["Read", "List"], serviceTokenUsage: [], servicePolicyUsage: ["Read", "List"]}
lambda: {diff: ["List", "Permissions management", "Write", "Read"], serviceTokenUsage: [],…}
rds: {diff: ["List"], serviceTokenUsage: [], servicePolicyUsage: ["List"]}
redshift: {diff: ["List"], serviceTokenUsage: [], servicePolicyUsage: ["List"]}
redshift-serverless: {diff: ["List", "Read"], serviceTokenUsage: [], servicePolicyUsage: ["List", "Read"]}
secretsmanager: {diff: ["Admin"], serviceTokenUsage: ["List", "Read"], servicePolicyUsage: ["Admin"]}
serverlessrepo: {diff: ["Write", "Read"], serviceTokenUsage: [], servicePolicyUsage: ["Write", "Read"]}
tag: {diff: ["Read"], serviceTokenUsage: [], servicePolicyUsage: ["Read"]}
tokenUsage: {ecs: ["Write"], sts: ["Read"], apprunner: ["List"], cloudformation: ["List"],…}
apprunner: ["List"]
cloudformation: ["List"]
ecs: ["Write"]
secretsmanager: ["List", "Read"]
sts: ["Read"]
userExcessiveUsage: {ec2: {diff: ["List"], serviceTokenUsage: [], servicePolicyUsage: ["List"]},…}
cloudformation: {diff: ["Write", "Read"], serviceTokenUsage: ["List"], servicePolicyUsage: ["Write", "Read", "List"]}
docdb-elastic: {diff: ["Read", "List"], serviceTokenUsage: [], servicePolicyUsage: ["Read", "List"]}
ec2: {diff: ["List"], serviceTokenUsage: [], servicePolicyUsage: ["List"]}
kms: {diff: ["Read", "List"], serviceTokenUsage: [], servicePolicyUsage: ["Read", "List"]}
lambda: {diff: ["List", "Permissions management", "Write", "Read"], serviceTokenUsage: [],…}
rds: {diff: ["List"], serviceTokenUsage: [], servicePolicyUsage: ["List"]}
redshift: {diff: ["List"], serviceTokenUsage: [], servicePolicyUsage: ["List"]}
redshift-serverless: {diff: ["List", "Read"], serviceTokenUsage: [], servicePolicyUsage: ["List", "Read"]}
secretsmanager: {diff: ["Admin"], serviceTokenUsage: ["List", "Read"], servicePolicyUsage: ["Admin"]}
serverlessrepo: {diff: ["Write", "Read"], serviceTokenUsage: [], servicePolicyUsage: ["Write", "Read"]}
tag: {diff: ["Read"], serviceTokenUsage: [], servicePolicyUsage: ["Read"]}
userUsage: {ecs: ["Write"], sts: ["Read"], apprunner: ["List"], cloudformation: ["List"],…}
apprunner: ["List"]
cloudformation: ["List"]
ecs: ["Write"]
secretsmanager: ["List", "Read"]
sts: ["Read"]
azurePermissions: null
azureRoles: null
correlationGuid: "NTR-127156"
creationDate: "2024-07-30T11:13:25.000Z"
creator: {eventId: "a09d49e9-c802-4ede-bac3-7f4a2caee5bc", username: "shaked.rosen@entro.security",…}
customerId: 34
devices: [{role: "sus_boi", region: "ca-central-1", ipAddress: "213.8.185.214",…},…]
guid: "TKN-869"
infoJSON: "{\"serviceName\":\"secretsmanager\",\"region\":\"ca-central-1\",\"userArn\":\"arn:aws:iam::116849364939:user/sus_boi\"}"
isActive: true
isAdmin: false
isArchived: false
isIdle: false
isProd: false
lastAccessors: [{eventId: "279a344b-44e9-49b4-bc43-24b41e22119e", username: "sus_boi", awsRegion: "ca-central-1",…},…]
lastModifiers: []
lastOwnerAiUpdate: null
liminalCreationDate: "2024-07-30T11:34:46.629Z"
liminalModifyDate: "2024-10-29T15:39:39.949Z"
originAccessMethod: "AWS_IAM_ACCESS_KEY"
owner: "shaked.rosen@entro.security"
ownerAiObject: {similarity: 1, ownerItemType: "email", elementItemType: "username",…}
ownerSource: null
ownerUid: "904094ca-3371-440c-8b86-a84b01ab8ff4"
riskSeverity: "HIGH"
rotationDate: "2024-07-30T11:13:25.000Z"
scanId: 2884527
serviceName: "secretsmanager"
status: "Active"
tags: {tags: ["Human", "Programmatic", "App"]}
tokenId: "AKIARWNGDZ7F5PALO94E"
tokenTotalAccess: 34
tokenTotalIp: 8
tokenTotalUserAgent: 9
uid: "26fb53ce-a5d7-4b27-bb30-a2ab15b06745"
userAgent: "Boto3/1.34.150 md/Botocore#1.34.150 ua/2.0 os/macos#23.1.0 md/arch#arm64 lang/python#3.11.9 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.34.150"
username: "sus_boi"