Upcoming Changes to Sysdig Product Line
The legacy Identity pages are now deprecated and will be phased out over a transition period. During this time, both the legacy and new experiences will remain available. We encourage you to start using the new Identity Overview and Findings pages to become familiar with the updated experience.
Filter and Sort Roles
Use the sortable columns to organize and filter roles for assessing identity risks. You can sort roles based on the following criteria:
Unused Permission Criticality
Unused Permission Criticality focuses on unused permissions, while Permission Criticality looks at all permissions. Unused Permission Criticality is designed to help you achieve Least Permissive access.
Values: Critical, High, Medium, Low
Risk
This is a calculation of risk based on all permissions. See Understanding Risk Scoring for more information.
Values: Critical, High, Medium, Low
% of Unused Permissions
This shows the number of unused permissions for the role relative to the total permissions assigned to it, shown as a percentage graph. When remediating, immediately target the roles with the greatest exposure and refine them according to the suggestions.
Membership
For AWS, this reflects the number of users who can use this role. For GCP, the membership number reflects the number of users, groups, and/or service accounts who are bound to this role.
Highest Access
Values:
- Admin: Admin access granted
- Write: Write access granted
- Read: Read access granted
- Empty Access: No permissions are granted at all
For more information, see Understand Highest Access.
Findings
A finding in Cloud Infrastructure Entitlement Management (CIEM) indicates poor security hygiene, either due to misconfiguration or inadequate identity security practices. The findings on Roles pages include:
Available Filters
- Search: Free text search on terms in the resource name
- Platform: by provider, e.g. AWS
- Unused Permission Criticalities: By severity
- Cloud Accounts: Account name/number by cloud provider (e.g. AWS)
- Access Categories: Admin, Write, Read, or Empty Access
- Findings: Admin, Inactive
Next Steps
Optimize AWS Role Entitlements
Use the detail drawers on the Roles page to analyze and remediate identity risks associated with roles and their permissions in your AWS environment.
Manage Role Entitlements with Detail Drawers
The Roles page organizes everything around the AWS role.
- Summary: Displays the critical permissions issues detected for this role, sorted by Permission Criticality and Unused Permission Criticality.
- Remediation Strategies: Summarizes all the potential strategies to reduce the permissions for this role.
- Connected IAM Resources: Displays a summary of this role’s total granted permissions, group associations, activity, user ARN ID, and findings. Displays the policies to which this role is connected, sorted by unused permissions.
To reduce a role’s entitlements, click on the role name to open the detail drawer and subtabs. The remediation options for roles work the same way as for Users. See the AWS User Optimization Examples and follow the same pattern for Roles. You can:
- Analyze the Role Permissions Details
- Optimize a policy globally
- Create a role-specific optimized policy
- Delete an unused policy
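As an added worked example (not Sysdig's code or scoring), the Python below shows how the Total Permissions and Unused Permissions counts, the % Unused Permissions column, the 90 day profiling baseline and a role-specific optimized policy relate for one constructed AWS role. The role name, the granted and observed action sets, and the `Resource: "*"` simplification are assumptions for illustration.

```python
from datetime import date, timedelta
import json

# Constructed sample (not real account data): IAM actions granted to a role by its
# attached policies, and the subset actually observed in use during profiling.
ROLE_NAME = "app-deploy-role"
GRANTED = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteBucket",
    "iam:PassRole", "iam:CreateUser", "ec2:DescribeInstances",
}
OBSERVED_USED = {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"}
BASELINE_DAYS = 90  # the page recommends a 90 day baseline before remediating


def unused_permissions(granted, used):
    """Unused Permissions: actions granted to the role but never observed in use."""
    return granted - used


def pct_unused(granted, used):
    """The '% of Unused Permissions' column: unused / total, as a percentage."""
    if not granted:
        return 0.0
    return round(100.0 * len(unused_permissions(granted, used)) / len(granted), 1)


def ready_for_remediation(first_profiled, today):
    """Only optimize once the role has been profiled for the full baseline window."""
    return (today - first_profiled) >= timedelta(days=BASELINE_DAYS)


def optimized_policy(granted, used):
    """Role-specific optimized policy: keep only the actions the role actually used.
    Resource is left as "*" here as a simplification; scope it in practice."""
    keep = sorted(granted & used)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": keep, "Resource": "*"}]}


if __name__ == "__main__":
    print(f"{ROLE_NAME}: {len(GRANTED)} total, "
          f"{len(unused_permissions(GRANTED, OBSERVED_USED))} unused "
          f"({pct_unused(GRANTED, OBSERVED_USED)}% unused)")
    print("baseline reached:",
          ready_for_remediation(date(2024, 1, 1), date(2024, 4, 1)))
    print(json.dumps(optimized_policy(GRANTED, OBSERVED_USED), indent=2))
```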
Optimize Azure Role Entitlements
Use the detail drawers on the Roles page to analyze and remediate identity risks associated with individual roles and their permissions in your Microsoft Azure environment.
Manage Role Entitlements with Detail Drawers
To reduce the entitlements for a particular role, click on the role name to open the detail drawer and subtabs. The Roles page organizes everything around the Azure role.
- Summary: Displays the critical permissions issues detected for this role, sorted by Permission Criticality and Unused Permission Criticality.
- Remediation Strategies: Summarizes all the potential strategies to reduce the permissions for this role.
- Connected IAM Resources: Displays a summary of this role’s total granted permissions, group associations, activity, and service principals. Displays the policies to which this role is connected, sorted by unused permissions.
If Sysdig has been profiling a role for less than 90 days, you will see the following message: "We recommend a 90 day period to pass before applying remediation optimizations to establish a good baseline for used permissions."
Understand Role Permissions
Hover over the % Unused Permissions column to see the permissions granted to a role:
- Total Permissions: The total number of permissions granted to a role.
- Unused Permissions: The total number of unused permissions from all the connected entities.
- Detach Users from this Role: All the Users that have not used any permissions from this connected role can be detached.
- Detach Service Accounts from this Role: All the Service Accounts that have not used any permissions from this connected role can be detached.
- Detach Groups from this Role: All the Groups that have not used any permissions from this connected role can be detached.
Optimize GCP Role Entitlements
Use the detail drawers on the Roles page to analyze and remediate identity risks associated with individual roles and their permissions in your GCP environment. Review the permissions that you can grant to the Sysdig service account by enabling domain-wide delegation.
Guidelines
While Google Cloud, like other public cloud providers, offers a large number of roles and permissions, only the roles bound to at least one Google IAM principal are displayed on the identity roles page. This means that any roles not specified in the policy bindings associated with a member at the project level are not evaluated during processing and displayed on the Identity > Service Identities page. Policy inheritance is not currently supported.
Manage Role Entitlements with Detail Drawers
To reduce the entitlements for a particular role, click on the role name to open the detail drawer and subtabs. The Roles page organizes everything around the GCP role.
- Summary: Displays the critical permissions issues detected for this role, sorted by Permission Criticality and Unused Permission Criticality.
- Remediation Strategies: Summarizes all the potential strategies to reduce the permissions for this role.
- Connected IAM Resources: Displays a summary of this role’s total granted permissions, group associations, activity, user accounts, and findings.
If Sysdig has been profiling a role for less than 90 days, you will see the following message: "We recommend a 90 day period to pass before applying remediation optimizations to establish a good baseline for used permissions."
Understand Role Permissions
Hover over the % Unused Permissions column to see the permissions granted to a role:
- Total Permissions: The total number of permissions granted to a role.
- Unused Permissions: The total number of unused permissions from all the connected entities.
- Detach Users from this Role: All the Users that have not used any permissions from this connected role can be detached.
- Detach Service Accounts from this Role: All the Service Accounts that have not used any permissions from this connected role can be detached.
- Detach Groups from this Role: All the Groups that have not used any permissions from this connected role can be detached.