Viewing Cloud Access
After connecting your cloud service providers and marking the cloud-enabled entitlement types, SailPoint CIEM can display the effective access identities have to your cloud infrastructure, the unused management activity from the past 90 days, and the specific resources your identities can access. You can also search for logs of CIEM events.
Viewing Effective Access
When you include cloud-enabled entitlements in certification campaigns, your certifiers can view how identities are receiving access, as well as details like the last level of access and type of action taken on the resource.
Access paths display between scoped objects like groups, policies, and projects granting the user access to the selected resource. This includes the direct access granted by the entitlement or all access paths to the resource. The access granted by the entitlement is highlighted.
If a user has multiple of the same type of access at the same scope, such as multiple role assignments that lead to the same management group, your certifiers can select the node 
to display the access leading to the resource.
Refer your certifiers to Viewing Cloud Access Details in the User Help for guidance on reviewing cloud-enabled entitlements.
AWS CloudTrail Limitations
Some CloudTrail entries delivered by AWS services do not contain the Resource attribute, which is used to display the last activity on an AWS resource in a certification campaign. Your certifiers will still see how the resource was accessed, but may not have full activity data details.
Excluded GCP Asset Types
SailPoint CIEM displays the effective and last access data for supported GCP asset types except:
anthos.googleapis.com/ConnectedCluster |
dlp.googleapis.com/DlpJob |
networkconnectivity.googleapis.com/PolicyBasedRoutes |
bigquerymigration.googleapis.com/MigrationWorkflow |
firebase.googleapis.com/FirebaseAppInfo |
networkservices.googleapis.com/EdgeCacheKeyset |
compute.googleapis.com/RegionDisk |
firestore.googleapis.com/Database |
networkservices.googleapis.com/EdgeCacheOrigin |
containerregistry.googleapis.com/Image |
identity.accesscontextmanager.googleapis.com/AccessLevel |
networkservices.googleapis.com/EdgeCacheService |
dialogflow.googleapis.com/KnowledgeBase |
identity.accesscontextmanager.googleapis.com/AccessPolicy |
sqladmin.googleapis.com/Instance |
dialogflow.googleapis.com/LocationSettings |
identity.accesscontextmanager.googleapis.com/ServicePerimeter |
Viewing CIEM Event Logs
When your cloud access data is pulled into IdentityNow, you can use Search to view logs about CIEM events.
-
actor.name:CIEM_SYSTEM- Allows you to view events generated by the CIEM system. -
type:CIEM_SOURCE_MANAGEMENT- Allows you to view events related to CIEM source management. -
type:CIEM_TEST_CONNECTION- Allows you to view logs of test connection successes and failures.
Viewing Unused Cloud Management Activity
You can download the Unused Cloud Management Activity report to view information from the past 90 days about the unused actions, entitlements, and services of identities in your AWS, Azure, and GCP cloud environments. IAM admins can use this report to optimize entitlements and collaborate with cloud admins to refine cloud policies.
To download the report:
- Go to Search.
- Select the Reports icon
in the toolbar. - Select Unused Cloud Management Activity to generate the report.
- Select Download at the bottom of the browser to download the .zip file.
When you extract the .zip file, you can view reports for each CSP listing the unused actions, services, and entitlements.
Reading Unused Management Activity Reports
The Unused Cloud Management Activity report includes 9 CSVs detailing the unused actions, services, and entitlements for each CSP. Data covers the past 90 days, or activity since the onboarding to CIEM if added fewer than 90 days ago.
Data-plane and read actions are not included. Reports are overwritten with new data daily on an asynchronous schedule.
Report Limitations
To account for limitations in creating a list of management actions from cloud audits, CIEM excludes AWS
data plane and GCP Read actions from the report. This may result in some data access actions being marked as unused. Before making decisions based on the report, verify the unused access action is not a data action.
Each report includes the following fields:
| Field | Description |
|---|---|
| AccountCloudName | The cloud service provider the identity came from (Azure, AWS, GCP, Okta). AWS Identity Center accounts will be listed under the AWS AccountCloudName as N/A. |
| AccessCloudName | The cloud service provider where the access is granted. |
| AccountId | The native ID associated with the identity from their cloud service provider. This includes all identities in CIEM with unused access. AWS Identity Center users are identified with a UUID. Native users are identified with an AWS ARN. |
| The email associated with the identity. AWS native users will be blank as they are not required to add email addresses. |
|
| AccountDisplayName | The human readable name associated with the account. |
Each report contains additional fields:
Action Report
Management-plane permissions for an identity that have not been used according to CIEM activity processing.
| Field | Description |
|---|---|
| Action | The permission unused by the identity based on the last 90 days of activity, or activity since the time of onboarding to CIEM if added less than 90 days ago. |
| Service | The cloud service provider service associated with the unused action. |
Service Report
Services where all management-plane permissions associated with the service were unused by the identity. Services where some access is used by the identity are not included, even if some actions were left unused.
| Field | Description |
|---|---|
| Service | The cloud service provider service associated with the unused action. |
| CloudSourceNativeId | The native ID of the CSP parent source where the resource exists. AWS - ManagementAccountId Azure - AzureTenantId GCP - OrganizationId |
| CloudSubSourceNativeId | The subsource where the resource is. AWS - AccountId Azure - N/A GCP - N/A |
| CloudSourceDisplayName | The source display name of the CSP associated with the account. AWS - Management Account Name (N/A for non-organizational accounts) Azure - Azure Tenant Name GCP - GCP Tenant Name |
| CloudSubSourceDisplayName | The subsource display name. AWS - Account name will be N/A for non-organizational accounts. Azure - N/A GCP - N/A |
Entitlement Report
Entitlements that contained one or more unused services. This can help identify entitlements that are too broad and can be revised to craft smaller least-privilege entitlements.
| Field | Description |
|---|---|
| EntitlementId | The native ID of the CIEM entitlement that the identity has been granted. AWS - The AWS ARN of the policy granted to the identity and the relevant statement ID within that policy in the format <policy arn>|<statement id> Azure - The RoleAssignment, RoleAssignmentScheduleInstance (PIM) or RoleEligibilityScheduleInstance (PIM) ID that has mapped the permissions to the given identity. GCP - The policy (scope of the entitlement) and Role that grant permissions in the format <policy id>:<role id> |
| CloudSourceNativeId | The native ID of the CSP parent source where the account exists. AWS - ManagementAccountId Azure - AzureTenantId GCP - OrganizationId |
| CloudSubSourceNativeId | The subsource where the resource is. AWS - AccountId Azure - N/A GCP - N/A |
| CloudSourceDisplayName | The source display name of the CSP associated with the account. AWS - Management Account Name (N/A for non-organizational accounts) Azure - Azure Tenant Name GCP - GCP Tenant Name |
| CloudSubSourceDisplayName | The subsource display name. AWS - Account name will be N/A for non-organizational accounts. Azure - N/A GCP - N/A |
Viewing Cloud Resource Access
You can download the Cloud Resource Access report to view the services and resources identities can access in each of your connected CIEM sources. Reports are divided by service and are updated once per day on an asynchronous schedule.
To download the report:
- Go to Search.
- Select the Reports icon in the toolbar.
- Select Cloud Resource Access to generate the report.
- Select Download at the bottom of the browser to download the .zip file.
When you extract the .zip file, you can view reports of the access identities have to your cloud resources.
Reading Cloud Resource Access Reports
Each Cloud Resource Access report includes the following fields about the resources the identity can access.
| Field | Description |
|---|---|
| ResourceId | The native ID associated with the resource from the cloud service provider. |
| ResourceType | The type of resource. |
| ResourceName | The name of the resource. |
| The email of the correlated identity who can access the resource. | |
| DisplayName | The human readable name associated with the correlated identity. |
| AccessLevel | The level of access, Read, Write, or Admin, the identity has to that resource. |
| AccountSourceType | The cloud service provider the account originated from. CIEM supports federated AWS access from Okta and Azure accounts. AWS Identity Center users are identified with a UUID. Native users are identified with an AWS ARN. |
| AccountStatus | The status of the account at the last time of processing. Enabled - The account is enabled and the user can access it. Disabled - The account is disabled, and the user cannot access it, but the identity is not disabled in IdentityNow. This can occur when an administrator disables the account or when the user's lifecycle state changes. Locked - The account is locked. This may occur when someone has entered an incorrect password for the account too many times. Pending - The account is updating. |
| AccountId | The account ID from the cloud service provider for a given account. Resource access reports lists all known accounts in CIEM that have resource access even if the account is not correlated to an identity. |
| Service | The service the resource belongs to. |
| ResourceAccountName | The sub source where the resource belongs. This value will be N/A for Azure and GCP resources that are directly at the AzureTenantId or OrganizationId level. AWS - AccountId Azure - SubscriptionId GCP - ProjectId |
| CloudSourceNativeId | The native ID of the CSP parent source where the resource exists. AWS - ManagementAccountId Azure - AzureTenantId GCP - OrganizationId |
| CloudSubSourceNativeId | The subsource where the resource is. This value will be N/A for Azure and GCP resources that are at the AzureTenantId or OrganizationId levels. AWS - AccountId Azure - Subscription Id GCP - ProjectId |
| Manager | The manager of the identity with resource access. |
| Department | The department of the identity with resource access. |
Notes
- The ResourceAccountName value will be N/A for Azure and GCP resources that are directly at the AzureTenantId or OrganizationId level.
- The Email, DisplayName, AccountStatus, Manager, and Department columns may be empty if there is an uncorrelated account that can access resources or if those values are not set for an identity (correlated or uncorrelated).