Managing AWS Cloud Accounts and Entitlements

To display your AWS entitlement data in IdentityNow, you must mark supported entitlements as cloud enabled.

Supported Entitlement Types

IdentityNow supports the following AWS IAM and AWS Identity Center entitlements:

AWS IAM:

  • Groups
  • AWSManagedPolicy
  • CustomerManagedPolicy
  • InlinePolicy

AWS Identity Center:

  • Groups
  • ICAccountAssignment

The CIEM AWS source aggregates AWS Identity Center accounts and entitlements.

Viewing Identity Center Accounts and Entitlements

After you've aggregated your source, you can view the collected Identity Center users on the Accounts tab of the CIEM AWS source.

CIEM uses the AWS Identity Center Groups and ICAccountAssignment entitlements to identify cloud access. If you enabled native change detection, IdentityNow will scan your AWS accounts for changes made out-of-band.

IAM User and Identity Center Accounts Schema

Not all fields apply to Identity Center users.

| Attribute | Type | Description |
| --- | --- | --- |
| UserName | string | The friendly name of the user |
| UserId | string | The unique ID of the user |
| Path | string | Path to the user |
| ARN | string | Amazon Resource Name of the user |
| CreatedDate | string | User creation date |
| ConsoleAccess | string | Password status |
| Access Keys | string | Access keys associated with the user |
| AWS CodeCommit HTTPS Credentials | string | AWS CodeCommit HTTPS Git credentials associated with the user |
| AWS CodeCommit SSH Keys | string | AWS CodeCommit SSH public keys associated with the user |
| Signing Certificates | string | Signing certificates associated with the user |
| AccountType | string | Account is either Federated, Local Federated or Local |
| AWSAccountSet | string (multi-valued) | AWS accounts this user has access to |
| DisplayName | string | User-friendly display name |
| Email | string | User email |

While the schemas match, the account ID displayed on the CIEM AWS source is the account ID associated with a user's AWS Identity Center access, not their AWS IAM ARN.

Identity Store APIs

CIEM calls the following AWS Identity Store and IAM Identity Center (SSO Admin) APIs:

  • ListUsers
  • ListGroups
  • ListGroupMemberships
  • ListInstances
  • ListPermissionSets
  • DescribePermissionSet
  • ListAccountsForProvisionedPermissionSet
  • ListAccountAssignments
  • GetInlinePolicyForPermissionSet
  • GetPermissionsBoundaryForPermissionSet
  • ListManagedPoliciesInPermissionSet
  • ListCustomerManagedPolicyReferencesInPermissionSet

Viewing Identity Center Entitlements

After you've aggregated your source, you can view the collected Identity Center entitlements on the Entitlements tab of the CIEM AWS source.

CIEM uses the AWS Identity Center Groups and ICAccountAssignment entitlements to identify cloud access. They use the following schemas:

Identity Center Group Schema

| Attribute | Type | Description |
| --- | --- | --- |
| GroupId | string | The unique identifier for the group |
| ICAccountAssignments | string | Accounts and permission sets assigned to this group |

ICAccountAssignment Schema

| Attribute | Type | Description |
| --- | --- | --- |
| AWSAccountName | string | The account name of the associated AWS account |
| AWSAccountId | string | The account ID of the associated AWS account |
| ICAccountAssignmentId | string | Unique ID for the entitlement |
| PermissionSetName | string | The name of the permission set associated with this assignment |
| PrincipalId | string | PrincipalId associated with the permission set |
| PrincipalType | string | Principal type: User or Group |
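The schemas above are populated from the Identity Store and SSO Admin API calls listed earlier. The following added example (not SailPoint's code, and not a description of CIEM's internal implementation) shows how the fields fit together: ICAccountAssignment rows are derived from ListPermissionSets, DescribePermissionSet, ListAccountsForProvisionedPermissionSet and ListAccountAssignments; the Identity Center Group schema joins those rows back onto ListGroups; and a user's AWSAccountSet follows from ListGroupMemberships plus direct USER assignments. All API responses are constructed by hand in the shape boto3 returns them, the account IDs, ARNs and names are fake, the ACCOUNT_NAMES lookup is an assumption (the listed APIs return account IDs, not names), and the ICAccountAssignmentId format is an assumed composite key.

```python
"""Added example (not SailPoint's code): derive the Identity Center entitlement
schemas from the API responses CIEM collects. No AWS call is made; every
response below is a hand-constructed sample in boto3's response shape.
"""
from collections import defaultdict

# --- constructed sample API responses (fake IDs, ARNs and names) ---
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin0000"
PS_READONLY = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-readonly0"

# Account names are not returned by the listed APIs; this lookup is an assumption.
ACCOUNT_NAMES = {"111111111111": "prod-payments", "222222222222": "dev-sandbox"}

LIST_USERS = [{"UserId": "u-0001", "UserName": "alice"}, {"UserId": "u-0002", "UserName": "bob"}]
LIST_GROUPS = [{"GroupId": "g-0001", "DisplayName": "Payments-Admins"}]
LIST_GROUP_MEMBERSHIPS = {"g-0001": ["u-0001"]}  # GroupId -> member UserIds
LIST_PERMISSION_SETS = [PS_ADMIN, PS_READONLY]
DESCRIBE_PERMISSION_SET = {
    PS_ADMIN: {"Name": "AdministratorAccess", "PermissionSetArn": PS_ADMIN},
    PS_READONLY: {"Name": "ReadOnlyAccess", "PermissionSetArn": PS_READONLY},
}
LIST_ACCOUNTS_FOR_PROVISIONED_PS = {PS_ADMIN: ["111111111111"], PS_READONLY: ["222222222222"]}
LIST_ACCOUNT_ASSIGNMENTS = {  # (AccountId, PermissionSetArn) -> assignments
    ("111111111111", PS_ADMIN): [
        {"AccountId": "111111111111", "PermissionSetArn": PS_ADMIN,
         "PrincipalType": "GROUP", "PrincipalId": "g-0001"}],
    ("222222222222", PS_READONLY): [
        {"AccountId": "222222222222", "PermissionSetArn": PS_READONLY,
         "PrincipalType": "USER", "PrincipalId": "u-0002"}],
}


def build_account_assignments():
    """One ICAccountAssignment entitlement per (account, permission set, principal)."""
    rows = []
    for ps_arn in LIST_PERMISSION_SETS:
        ps_name = DESCRIBE_PERMISSION_SET[ps_arn]["Name"]
        for account_id in LIST_ACCOUNTS_FOR_PROVISIONED_PS.get(ps_arn, []):
            for a in LIST_ACCOUNT_ASSIGNMENTS.get((account_id, ps_arn), []):
                rows.append({
                    "AWSAccountName": ACCOUNT_NAMES.get(account_id, account_id),
                    "AWSAccountId": account_id,
                    # Assumed composite key; the real identifier format is not documented here.
                    "ICAccountAssignmentId": f"{account_id}:{ps_name}:{a['PrincipalId']}",
                    "PermissionSetName": ps_name,
                    "PrincipalId": a["PrincipalId"],
                    "PrincipalType": a["PrincipalType"],
                })
    return rows


def build_group_entitlements(assignments):
    """Identity Center Group schema: each group with its account/permission set pairs."""
    by_group = defaultdict(list)
    for row in assignments:
        if row["PrincipalType"] == "GROUP":
            by_group[row["PrincipalId"]].append(f"{row['AWSAccountId']}/{row['PermissionSetName']}")
    return [{"GroupId": g["GroupId"], "ICAccountAssignments": sorted(by_group[g["GroupId"]])}
            for g in LIST_GROUPS]


def user_account_set(user_id, assignments):
    """AWSAccountSet for one user: direct USER assignments plus those inherited via groups."""
    groups = {gid for gid, members in LIST_GROUP_MEMBERSHIPS.items() if user_id in members}
    accounts = set()
    for row in assignments:
        direct = row["PrincipalType"] == "USER" and row["PrincipalId"] == user_id
        inherited = row["PrincipalType"] == "GROUP" and row["PrincipalId"] in groups
        if direct or inherited:
            accounts.add(row["AWSAccountId"])
    return sorted(accounts)


if __name__ == "__main__":
    rows = build_account_assignments()
    for row in rows:
        print(row)
    print(build_group_entitlements(rows))
    for user in LIST_USERS:
        print(user["UserName"], user_account_set(user["UserId"], rows))
```

The point to take from the join is that a user's effective cloud access is the union of direct assignments and group-inherited ones, which is why both the Groups and the ICAccountAssignment entitlement types have to be marked cloud enabled for the access picture to be complete.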

Marking AWS Cloud-Enabled Entitlement Types

When your entitlements are pulled from your AWS cloud environment, you must mark the AWS IAM entitlement types that relate to cloud access. If you use AWS Identity Center, you must also mark those entitlements as cloud enabled on the CIEM AWS source.

Marking these entitlements as cloud enabled displays cloud access details in IdentityNow for identities that hold them. It also allows certification campaign reviewers to view the cloud access details on cloud entitlements included in certification campaigns for AWS cloud infrastructure users.

Marking AWS IAM Entitlements

On the AWS IAM source, you must mark the supported entitlements as cloud enabled to allow CIEM to display the cloud access granted by AWS entitlements.

To mark entitlements as cloud enabled on the AWS IAM source:

  1. Go to Admin > Connections > Sources.
  2. Select the AWS IAM source.
  3. Select the Import Data tab and choose Entitlement Types.
  4. Edit the following entitlement types and select the Cloud Enabled checkbox for each:
    • Groups
    • AWSManagedPolicy
    • CustomerManagedPolicy
    • InlinePolicy
  5. Select Update.

You can now view an identity's cloud access granted through entitlements and add cloud-based entitlement types to certification campaigns to allow certifiers to view the effective access your AWS IAM users have to your AWS resources.

Important

If you are using AWS Identity Center, you must also mark your AWS Identity Center entitlements as cloud enabled.

Marking AWS Identity Center Entitlements

If you use AWS Identity Center, you must mark the supported Identity Center entitlements as cloud enabled to allow CIEM to display the cloud access granted by Identity Center entitlements. You must mark AWS Identity Center Groups and Identity Center Account Assignment entitlements as cloud enabled.

To mark entitlements as cloud enabled on the CIEM AWS source:

  1. Go to Admin > Connections > Sources.
  2. Select the CIEM AWS source.
  3. Select the Import Data tab and choose Entitlement Types.
  4. Edit the following entitlement types that grant cloud access and select the Cloud Enabled checkbox:
    • Groups
    • ICAccountAssignment
  5. Select Update.

CIEM can now display the effective access users have to your AWS cloud resources.

Viewing Effective Access to AWS Resources

After marking your entitlement types, you can include cloud-enabled entitlements in certification campaigns to allow your certifiers to view cloud access details like the last level of access and type of action taken on the resource.

Notes

Some CloudTrail entries delivered by AWS services do not contain the Resource attribute, which is used to display the last activity on an AWS resource. Your certifiers will still see how the resource was accessed, but may not have full activity details.
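To make the caveat concrete, here is an added example (not SailPoint's code, and not how CIEM itself processes CloudTrail) that summarises the latest activity per principal and resource from CloudTrail records while tolerating records that omit the `resources` field. The records are constructed by hand in the CloudTrail record shape (`eventTime`, `eventSource`, `eventName`, `userIdentity.arn`, optional `resources[].ARN`); the principal ARN, bucket and account ID are fake. Records without a resource are kept under an `unknown:<service>` key so the gap is visible to a reviewer rather than silently dropped.

```python
"""Added example (not SailPoint's code): last activity per (principal, resource)
from CloudTrail records, with an explicit fallback for records that carry no
`resources` attribute. Sample records are constructed, not real events.
"""
from datetime import datetime, timezone

PRINCIPAL = "arn:aws:iam::111111111111:user/alice"  # constructed
SAMPLE_EVENTS = [
    {   # S3 data event: carries both the object and the bucket as resources
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "userIdentity": {"arn": PRINCIPAL},
        "resources": [
            {"ARN": "arn:aws:s3:::example-bucket/report.csv", "type": "AWS::S3::Object"},
            {"ARN": "arn:aws:s3:::example-bucket", "type": "AWS::S3::Bucket"},
        ],
    },
    {   # later write to the same object: this should win as "last activity"
        "eventTime": "2024-05-01T11:30:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject", "userIdentity": {"arn": PRINCIPAL},
        "resources": [
            {"ARN": "arn:aws:s3:::example-bucket/report.csv", "type": "AWS::S3::Object"},
            {"ARN": "arn:aws:s3:::example-bucket", "type": "AWS::S3::Bucket"},
        ],
    },
    {   # management event with no `resources` key at all (the case the note describes)
        "eventTime": "2024-05-01T12:00:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "userIdentity": {"arn": PRINCIPAL},
    },
]


def parse_time(event_time):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def action_of(event):
    """'s3.amazonaws.com' + 'GetObject' -> 's3:GetObject' (IAM-style action name)."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def last_activity(events):
    """Return {(principal_arn, resource_key): info} holding the newest event per pair.

    resource_key is the resource ARN when CloudTrail recorded one, otherwise
    'unknown:<service>' with resource_known=False.
    """
    latest = {}
    for ev in events:
        principal = ev["userIdentity"]["arn"]
        when = parse_time(ev["eventTime"])
        action = action_of(ev)
        service = action.split(":")[0]
        arns = [r["ARN"] for r in ev.get("resources") or [] if "ARN" in r]
        known = bool(arns)
        for key in arns or [f"unknown:{service}"]:
            entry = latest.get((principal, key))
            if entry is None or when > entry["time"]:
                latest[(principal, key)] = {
                    "action": action,
                    "time": when,
                    "event_time": ev["eventTime"],
                    "resource_known": known,
                }
    return latest


def missing_resource_count(events):
    """How many records could not be tied to any resource ARN."""
    return sum(1 for ev in events if not ev.get("resources"))


if __name__ == "__main__":
    for (principal, resource), info in sorted(last_activity(SAMPLE_EVENTS).items()):
        flag = "" if info["resource_known"] else "  (resource not recorded by CloudTrail)"
        print(f"{principal} {resource} {info['action']} @ {info['event_time']}{flag}")
    print("records without resources:", missing_resource_count(SAMPLE_EVENTS))
```

When reviewing activity data built this way, treat the `unknown:<service>` rows as a coverage gap in the evidence, not as proof that no resource was touched: the action and service are known, the target is not.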