Skip to content

Managing AWS Cloud Accounts and Entitlements

To display your AWS entitlement data, you must mark supported entitlements as cloud enabled.

Supported Entitlement Types

You can use the following AWS and AWS Identity Center entitlements:

  • Groups
  • AWSManagedPolicy
  • CustomerManagedPolicy
  • InlinePolicy
  • Groups
  • ICAccountAssignment

The CIEM AWS source aggregates AWS Identity Center accounts and entitlements.

Viewing Identity Center Accounts and Entitlements

After you've aggregated your source, you can view the collected Identity Center users on the Accounts tab of the CIEM AWS source.

CIEM uses the AWS Identity Center Groups and ICAccountAssignment entitlements to identify cloud access. If you enabled native change detection, your AWS accounts will be scanned for changes made out-of-band.

Note

Not all fields apply to Identity Center users.

Attribute Type Description
UserName string The friendly name of the user
UserId string The unique ID of the user
Path string Path to the user
ARN string Amazon Resource Name of the user
CreatedDate string User Creation date
ConsoleAccess string Password Status
Access Keys string Access keys associated with the user
AWS CodeCommit HTTPS Credentials string AWS CodeCommit HTTPS Git credentials associated with the user
AWS CodeCommit SSH Keys string AWS CodeCommit SSH public keys associated with the user
Signing Certificates string Signing Certificates associated with the user
AccountType string Account is either Federated, Local Federated or Local
AWSAccountSet string (multi-valued) AWS Accounts this User has access to
DisplayName string User friendly display name
Email string User email

While the schemas match, the account ID displayed on the CIEM AWS source is the account ID associated with a user's AWS Identity Center access, not their AWS IAM ARN.

Identity Store APIs

CIEM calls the following Identity Store and Identity Store SSO APIs:

  • ListUsers
  • ListGroups
  • ListGroupMemberships
  • ListInstances
  • ListPermissionSets
  • DescribePermissionSet
  • ListAccountsForProvisionedPermissionSet
  • ListAccountAssignments
  • GetInlinePolicyForPermissionSet
  • GetPermissionsBoundaryForPermissionSet
  • ListManagedPoliciesInPermissionSet
  • ListCustomerManagedPolicyReferencesInPermissionSet

Viewing Identity Center Entitlements

After you've aggregated your source, you can view the collected Identity Center entitlements on the Entitlements tab of the CIEM AWS source.

CIEM uses the AWS Identity Center Groups and ICAccountAssignment entitlements to identify cloud access. They are comprised of the following schemas:

Identity Center Group Schema

Attribute Type Description
GroupId string The Unique Identifier for the group
ICAccountAssignments string Accounts and Permission Set assigned to this group

ICAccountAssignment Schema

Attribute Type Description
AWSAccountName string The Account Name of associated AWS account
AWSAccountId string The Account Id of the associated AWS account
ICAccountAssignmentId string Unique Id for the entitlement
PermissionSetName string The Name of the Permission Set associated with this assignment
PrincipalId string PrincipalId associated with Permission Set
PrincipalType string Principal Type - User or Group

Marking AWS Cloud-Enabled Entitlement Types

When your entitlements are pulled from your AWS cloud environment, you must mark the AWS IAM entitlement types that relate to cloud access. If you use AWS Identity Center, you must also mark those entitlements as cloud enabled on the CIEM AWS source.

Identifying these entitlements as cloud enabled will display cloud access details for identities with those entitlements. It will also allow certification campaign reviewers to view the cloud access details on cloud entitlements included in certification campaigns for AWS cloud infrastructure users.

Marking AWS IAM Entitlements

On the AWS IAM source, you must mark the supported entitlements as cloud enabled to allow CIEM to display the cloud access granted by AWS entitlements.

To mark entitlements as cloud enabled on the AWS IAM source:

  1. Go to Admin > Connections > Sources.
  2. Select the AWS IAM source.
  3. Select the Import Data tab and choose Entitlement Types.
  4. Edit and select the Cloud Enabled checkbox for the following entitlements:

    • Groups
    • AWSManagedPolicy
    • CustomerManagedPolicy
    • InlinePolicy
  5. Select Update.

You can now view an identity's cloud access granted through entitlements and add cloud-based entitlement types to certification campaigns to allow certifiers to view the effective access your AWS IAM users have to your AWS resources.

Important

If you are using AWS Identity Center, you must also mark your AWS Identity Center entitlements as cloud enabled.

Marking AWS Identity Center Entitlements

If you use AWS Identity Center, you must mark the supported Identity Center entitlements as cloud enabled to allow CIEM to display the cloud access granted by Identity Center entitlements. You must mark AWS Identity Center Groups and Identity Center Account Assignment entitlements as cloud enabled.

To mark entitlements as cloud enabled on the CIEM AWS source:

  1. Go to Admin > Connections > Sources.
  2. Select the CIEM AWS source.
  3. Select the Import Data tab and choose Entitlement Types.
  4. Edit the following entitlement types that grant cloud access and select the Cloud Enabled checkbox:
    • Groups
    • ICAccountAssignment
  5. Select Update.

CIEM can now display the effective access users have to your AWS cloud resources.

Viewing Effective Access to AWS Resources

After marking your entitlement types, you can include cloud-enabled entitlements in certification campaigns to allow your certifiers to view cloud access details like the last level of access and type of action taken on the resource.

Notes

Some CloudTrail entries delivered by AWS services do not contain the Resource attribute, which is used to display the last activity on an AWS resource. Your certifiers will still see how the resource was accessed, but may not have full activity data details.