Viewing Cloud Access
After connecting your cloud service providers and marking the cloud-enabled entitlement types, SailPoint CIEM can display the effective access identities have to your cloud infrastructure and the unused management activity from the past 90 days.
Viewing Effective Access
When you include cloud-enabled entitlements in certification campaigns, your certifiers can view how identities are receiving access, as well as details like the last level of access and type of action taken on the resource.
Access paths display between scoped objects like groups, policies, and projects granting the user access to the selected resource. This includes the direct access granted by the entitlement or all access paths to the resource. The access granted by the entitlement is highlighted.
If a user has multiple grants of the same type of access at the same scope, such as multiple role assignments that lead to the same management group, your certifiers can select the node to display the access paths leading to the resource.
Refer your certifiers to Viewing Cloud Access Details in the User Help for guidance on reviewing cloud-enabled entitlements.
AWS CloudTrail Limitations
Some CloudTrail entries delivered by AWS services do not contain the Resource attribute, which is used to display the last activity on an AWS resource in a certification campaign. Your certifiers will still see how the resource was accessed, but may not have full activity data details.
Excluded GCP Asset Types
SailPoint CIEM displays the effective and last access data for supported GCP asset types except the following:
- anthos.googleapis.com/ConnectedCluster
- dlp.googleapis.com/DlpJob
- networkconnectivity.googleapis.com/PolicyBasedRoutes
- bigquerymigration.googleapis.com/MigrationWorkflow
- firebase.googleapis.com/FirebaseAppInfo
- networkservices.googleapis.com/EdgeCacheKeyset
- compute.googleapis.com/RegionDisk
- firestore.googleapis.com/Database
- networkservices.googleapis.com/EdgeCacheOrigin
- containerregistry.googleapis.com/Image
- identity.accesscontextmanager.googleapis.com/AccessLevel
- networkservices.googleapis.com/EdgeCacheService
- dialogflow.googleapis.com/KnowledgeBase
- identity.accesscontextmanager.googleapis.com/AccessPolicy
- sqladmin.googleapis.com/Instance
- dialogflow.googleapis.com/LocationSettings
- identity.accesscontextmanager.googleapis.com/ServicePerimeter
Viewing Unused Cloud Management Activity
You can download the Unused Cloud Management Activity report to view information from the past 90 days about the unused actions, entitlements, and services of identities in your AWS, Azure, and GCP cloud environments. IAM admins can use this report to optimize entitlements and collaborate with cloud admins to refine cloud policies.
To download the report:
- Go to Search.
- Select the Reports icon in the toolbar.
- Select Unused Cloud Management Activity to generate the report.
- Select Download at the bottom of the browser to download the .zip file.
When you extract the .zip file, you can view reports for each CSP listing the unused actions, services, and entitlements.
Reading Unused Management Activity Reports
The Unused Cloud Management Activity report includes 9 CSVs detailing the unused actions, services, and entitlements for each CSP. Data covers the past 90 days, or activity since the onboarding to CIEM if added fewer than 90 days ago.
Data-plane and read actions are not included. Reports are overwritten with new data daily on an asynchronous schedule.
Report Limitations
To account for limitations in creating a list of management actions from cloud audits, CIEM excludes AWS data-plane and GCP read actions from the report. This may result in some data access actions being marked as unused. Before making decisions based on the report, verify that the unused access action is not a data action.
Each report includes the following fields:
Field | Description
---|---
IdentityCloudName | The cloud service provider the identity came from (Azure, AWS, GCP, Okta).
AccessCloudName | The cloud service provider where the access is granted.
NativeId | The native ID associated with the identity from their cloud service provider. This includes all identities in CIEM with unused access. AWS Identity Center users are identified with a UUID. Native users are identified with an AWS ARN.
Email | The email associated with the identity. AWS native users will be blank, as they are not required to add email addresses.
DisplayName | The human-readable name associated with the identity.
Each report also contains report-specific fields:
Action Report
Management-plane permissions for an identity that have not been used according to CIEM activity processing.
Action
- The permission unused by the identity based on the last 90 days of activity, or activity since the time of onboarding to CIEM if added less than 90 days ago.
Service
- The cloud service provider service associated with the unused action.
Service Report
Services where all management-plane permissions associated with the service were unused by the identity. Services where some access is used by the identity are not included, even if some actions were left unused.
Service
- The cloud service provider service associated with the unused action.
Entitlement Report
Entitlements that contained one or more unused services. This can help identify entitlements that are too broad and can be revised to craft smaller least-privilege entitlements.
EntitlementId
- The native ID of the CIEM entitlement that the identity has been granted:
  - AWS: The AWS ARN of the policy granted to the identity and the relevant statement ID within that policy, in the format <policy arn>|<statement id>
  - Azure: The RoleAssignment, RoleAssignmentScheduleInstance (PIM) or RoleEligibilityScheduleInstance (PIM) ID that has mapped the permissions to the given identity.
  - GCP: The policy (scope of the entitlement) and role that grant permissions, in the format <policy id>:<role id>
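The EntitlementId formats above, worked through in an added Python example that is not SailPoint's own code: it parses constructed Entitlement Report rows (the common fields plus EntitlementId, with made-up identities, ARNs and IDs), splits each EntitlementId using the per-CSP format the report documents, groups unused entitlements by identity, and ranks entitlements by how many identities left them unused, which is the signal for finding entitlements that are too broad.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows of the Entitlement Report CSV (the common fields
# plus EntitlementId); every identity, ARN and ID here is made up.
ENTITLEMENT_CSV = """IdentityCloudName,AccessCloudName,NativeId,Email,DisplayName,EntitlementId
AWS,AWS,arn:aws:iam::111122223333:user/alice,,Alice Example,arn:aws:iam::111122223333:policy/BroadAdmin|AllowEc2
Okta,AWS,0a1b2c3d-0000-4000-8000-123456789abc,bob@example.com,Bob Example,arn:aws:iam::111122223333:policy/BroadAdmin|AllowEc2
GCP,GCP,bob@example.com,bob@example.com,Bob Example,projects/demo-project:roles/editor
Azure,Azure,12345678-aaaa-bbbb-cccc-1234567890ab,carol@example.com,Carol Example,/subscriptions/0000/providers/Microsoft.Authorization/roleAssignments/abcd
"""


def parse_entitlement_id(access_cloud, entitlement_id):
    """Split EntitlementId using the per-CSP format documented for the report."""
    if access_cloud == "AWS":  # <policy arn>|<statement id>
        policy_arn, sep, statement_id = entitlement_id.partition("|")
        if not sep:
            raise ValueError(f"AWS EntitlementId is missing '|': {entitlement_id}")
        return {"policy": policy_arn, "statement": statement_id}
    if access_cloud == "GCP":  # <policy id>:<role id>
        policy_id, sep, role_id = entitlement_id.partition(":")
        if not sep:
            raise ValueError(f"GCP EntitlementId is missing ':': {entitlement_id}")
        return {"policy": policy_id, "role": role_id}
    if access_cloud == "Azure":  # role assignment / PIM schedule instance ID, kept whole
        return {"assignment": entitlement_id}
    raise ValueError(f"unsupported AccessCloudName: {access_cloud}")


def unused_by_identity(csv_text):
    """Group parsed unused entitlements by identity (IdentityCloudName, NativeId).
    NativeId is the stable key: Email is blank for AWS native users."""
    grouped = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["IdentityCloudName"], row["NativeId"])
        grouped[key].append(parse_entitlement_id(row["AccessCloudName"], row["EntitlementId"]))
    return dict(grouped)


def rank_broad_entitlements(csv_text):
    """Count identities that left each entitlement unused; the highest counts are
    the first candidates for splitting into narrower least-privilege entitlements."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[(row["AccessCloudName"], row["EntitlementId"])] += 1
    return counts.most_common()
```

Point the functions at the extracted Entitlement Report CSV from the .zip instead of the embedded sample to run this against real report data; remember the report's own caveat that excluded data-plane and read actions can make an entitlement look unused.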