Skip to content

Viewing Cloud Access

After connecting your cloud service providers and marking the cloud-enabled entitlement types, SailPoint CIEM can display the effective access identities have to your cloud infrastructure, the unused management activity from the past 90 days, and the specific resources your identities can access. You can also search for logs of CIEM events.

Non-admin users must have the Cloud Gov User permission to view and approve CIEM account entitlements. Refer to User Level Permissions and User Level Matrix.

Viewing Effective Access

When you include cloud-enabled entitlements in certification campaigns, your certifiers can view how identities are receiving access, as well as details like the last level of access and type of action taken on the resource.

Access paths display between scoped objects like groups, policies, and projects granting the user access to the selected resource. This includes the direct access granted by the entitlement or all access paths to the resource. The access granted by the entitlement is highlighted.

A node with the user's name is at the top with lines to nodes representing the groups, policy bindings, organizations, and projects they can access.

If a user has multiple of the same type of access at the same scope, such as multiple role assignments that lead to the same management group, your certifiers can select the node to display the access leading to the resource.

Refer your certifiers to Viewing Cloud Access Details in the User Help for guidance on reviewing cloud-enabled entitlements.

AWS CloudTrail Limitations

Some CloudTrail entries delivered by AWS services do not contain the Resource attribute, which is used to display the last activity on an AWS resource in a certification campaign. Your certifiers will still see how the resource was accessed, but may not have full activity data details.

Excluded GCP Asset Types

SailPoint CIEM displays the effective and last access data for supported GCP asset types except:

anthos.googleapis.com/ConnectedCluster dlp.googleapis.com/DlpJob networkconnectivity.googleapis.com/PolicyBasedRoutes
bigquerymigration.googleapis.com/MigrationWorkflow firebase.googleapis.com/FirebaseAppInfo networkservices.googleapis.com/EdgeCacheKeyset
compute.googleapis.com/RegionDisk firestore.googleapis.com/Database networkservices.googleapis.com/EdgeCacheOrigin
containerregistry.googleapis.com/Image identity.accesscontextmanager.googleapis.com/AccessLevel networkservices.googleapis.com/EdgeCacheService
dialogflow.googleapis.com/KnowledgeBase identity.accesscontextmanager.googleapis.com/AccessPolicy sqladmin.googleapis.com/Instance
dialogflow.googleapis.com/LocationSettings identity.accesscontextmanager.googleapis.com/ServicePerimeter

Viewing CIEM Event Logs

When your cloud access data is pulled into IdentityNow, you can use Search to view logs about CIEM events.

  • actor.name:CIEM_SYSTEM - Allows you to view events generated by the CIEM system.

  • type:CIEM_SOURCE_MANAGEMENT - Allows you to view events related to CIEM source management.

  • type:CIEM_TEST_CONNECTION - Allows you to view logs of test connection successes and failures.

Viewing Unused Cloud Management Activity

You can download the Unused Cloud Management Activity report to view information from the past 90 days about the unused actions, entitlements, and services of identities in your AWS, Azure, and GCP cloud environments. IAM admins can use this report to optimize entitlements and collaborate with cloud admins to refine cloud policies.

To download the report:

  1. Go to Search.
  2. Select the Reports icon in the toolbar.
  3. Select Unused Cloud Management Activity to generate the report.
  4. Select Download at the bottom of the browser to download the .zip file.

When you extract the .zip file, you can view reports for each CSP listing the unused actions, services, and entitlements.

Reading Unused Management Activity Reports

The Unused Cloud Management Activity report includes 9 CSVs detailing the unused actions, services, and entitlements for each CSP. Data covers the past 90 days, or activity since the onboarding to CIEM if added fewer than 90 days ago.

Data-plane and read actions are not included. Reports are overwritten with new data daily on an asynchronous schedule.

Report Limitations

To account for limitations in creating a list of management actions from cloud audits, CIEM excludes AWS data plane and GCP Read actions from the report. This may result in some data access actions being marked as unused. Before making decisions based on the report, verify the unused access action is not a data action.

Each report includes the following fields:

Field Description
AccountCloudName                 The cloud service provider the identity came from (Azure, AWS, GCP, Okta).

AWS Identity Center accounts will be listed under the AWS AccountCloudName as N/A.
AccessCloudName The cloud service provider where the access is granted.
AccountId The native ID associated with the identity from their cloud service provider. This includes all identities in CIEM with unused access.

AWS Identity Center users are identified with a UUID. Native users are identified with an AWS ARN.
Email The email associated with the identity.

AWS native users will be blank as they are not required to add email addresses.
AccountDisplayName The human readable name associated with the account.

Each report contains additional fields:

Action Report

Management-plane permissions for an identity that have not been used according to CIEM activity processing.

Field Description
Action The permission unused by the identity based on the last 90 days of activity, or activity since the time of onboarding to CIEM if added less than 90 days ago.
Service The cloud service provider service associated with the unused action.

Service Report

Services where all management-plane permissions associated with the service were unused by the identity. Services where some access is used by the identity are not included, even if some actions were left unused.

Field Description
Service The cloud service provider service associated with the unused action.
CloudSourceNativeId The native ID of the CSP parent source where the resource exists.

AWS - ManagementAccountId

Azure - AzureTenantId

GCP - OrganizationId
CloudSubSourceNativeId The subsource where the resource is.

AWS - AccountId

Azure - N/A

GCP - N/A
CloudSourceDisplayName The source display name of the CSP associated with the account.

AWS - Management Account Name (N/A for non-organizational accounts)

Azure - Azure Tenant Name

GCP - GCP Tenant Name
CloudSubSourceDisplayName The subsource display name.

AWS - Account name will be N/A for non-organizational accounts.

Azure - N/A

GCP - N/A

Entitlement Report

Entitlements that contained one or more unused services. This can help identify entitlements that are too broad and can be revised to craft smaller least-privilege entitlements.

Field Description
EntitlementId The native ID of the CIEM entitlement that the identity has been granted.

AWS - The AWS ARN of the policy granted to the identity and the relevant statement ID within that policy in the format <policy arn>|<statement id>

Azure - The RoleAssignment, RoleAssignmentScheduleInstance (PIM) or RoleEligibilityScheduleInstance (PIM) ID that has mapped the permissions to the given identity.

GCP - The policy (scope of the entitlement) and Role that grant permissions in the format <policy id>:<role id>
CloudSourceNativeId The native ID of the CSP parent source where the account exists.

AWS - ManagementAccountId

Azure - AzureTenantId

GCP - OrganizationId
CloudSubSourceNativeId The subsource where the resource is.

AWS - AccountId

Azure - N/A

GCP - N/A
CloudSourceDisplayName The source display name of the CSP associated with the account.

AWS - Management Account Name (N/A for non-organizational accounts)

Azure - Azure Tenant Name

GCP - GCP Tenant Name
CloudSubSourceDisplayName The subsource display name.

AWS - Account name will be N/A for non-organizational accounts.

Azure - N/A

GCP - N/A

Viewing Cloud Resource Access

You can download the Cloud Resource Access report to view the services and resources identities can access in each of your connected CIEM sources. Reports are divided by service and are updated once per day on an asynchronous schedule.

To download the report:

  1. Go to Search.
  2. Select the Reports icon in the toolbar.
  3. Select Cloud Resource Access to generate the report.
  4. Select Download at the bottom of the browser to download the .zip file.

When you extract the .zip file, you can view reports of the access identities have to your cloud resources.

Reading Cloud Resource Access Reports

Each Cloud Resource Access report includes the following fields about the resources the identity can access.

Field Description
ResourceId The native ID associated with the resource from the cloud service provider.
ResourceType The type of resource.
ResourceName The name of the resource.
Email The email of the correlated identity who can access the resource.
DisplayName The human readable name associated with the correlated identity.
AccessLevel The level of access, Read, Write, or Admin, the identity has to that resource.
AccountSourceType The cloud service provider the account originated from.

CIEM supports federated AWS access from Okta and Azure accounts. AWS Identity Center users are identified with a UUID. Native users are identified with an AWS ARN.
AccountStatus The status of the account at the last time of processing.

Enabled - The account is enabled and the user can access it.

Disabled - The account is disabled, and the user cannot access it, but the identity is not disabled in IdentityNow. This can occur when an administrator disables the account or when the user's lifecycle state changes.

Locked - The account is locked. This may occur when someone has entered an incorrect password for the account too many times.

Pending - The account is updating.
AccountId The account ID from the cloud service provider for a given account.

Resource access reports lists all known accounts in CIEM that have resource access even if the account is not correlated to an identity.
Service The service the resource belongs to.
ResourceAccountName The sub source where the resource belongs. This value will be N/A for Azure and GCP resources that are directly at the AzureTenantId or OrganizationId level.

AWS - AccountId

Azure - SubscriptionId

GCP - ProjectId

CloudSourceNativeId The native ID of the CSP parent source where the resource exists.

AWS - ManagementAccountId

Azure - AzureTenantId

GCP - OrganizationId
CloudSubSourceNativeId The subsource where the resource is. This value will be N/A for Azure and GCP resources that are at the AzureTenantId or OrganizationId levels.

AWS - AccountId

Azure - Subscription Id

GCP - ProjectId
Manager The manager of the identity with resource access.
Department The department of the identity with resource access.

Notes

  • The ResourceAccountName value will be N/A for Azure and GCP resources that are directly at the AzureTenantId or OrganizationId level.
  • The Email, DisplayName, AccountStatus, Manager, and Department columns may be empty if there is an uncorrelated account that can access resources or if those values are not set for an identity (correlated or uncorrelated).