Access Explorer - Setup
This page covers the first-time user experience for installing and configuring Access Explorer. It walks you through the process and components (required and optional) necessary to set up Access Explorer.
To ensure you can complete the installation process we recommend that you gather all of the requirements and verify these details before you start.
If this is not your first time setting up Access Explorer, you can skip over to Access Explorer - Configuration and Settings for specific details on configuration and settings.
Installation Recommendations
While most of the steps included in the setup are optional and can be skipped or configured later, we recommend completing all of these steps to provide the best overall user experience. The more data you provide, the more useful the tool will be: you will have better context, relationship data, and understanding of your cloud IAM configurations.
Infrastructure Requirements
Cloud IAM Governance infrastructure requirements are detailed below. If, after reading through the technical specifications here you have questions or are concerned about performance for your individual environment we are happy to work with you directly to make recommendations. Reach out to us through the Customer Support Portal.
Note to SaaS/Hosted Customers
The infrastructure requirements outlined here apply specifically to self-hosted customers only. If you are a SaaS/hosted customer, InsightCloudSec will provide the infrastructure necessary to run IAM Access Explorer.
Deployment Requirements - ECS Fargate via Terraform is required
We do not support traditional EC2 instances for Access Explorer functionality. ECS Fargate deployment can be found here.
For Customers Running ECS Fargate
If you are already running our ECS Fargate deployment, perform the following to enable Access Explorer:
- Ensure your InsightCloudSec license has the Access Explorer feature enabled. Contact your CSM or reach out to us through Getting Support if you are unsure of license status.
- If Access Explorer was recently enabled for your license, manually refresh your license to ensure feature is enabled in your installation.
- Enable the IAM Access Explorer via the enable_iam_analyzer variable in your tfvars file. Instructions on enabling this can be found here.
- You can also enable the use_p3_autoscaling variable to assist with P3 Worker sizing.
- Increase the size of your Redis instance to accommodate the additional data used for IAM Access Explorer analysis. In your tfvars file, add redis_node_type = "cache.m5.large" (you may already be running an instance of this size).
- After updating the tfvars file, run a Terraform plan/apply on your InsightCloudSec infrastructure. You will see the creation of a new ECS service and task definition labeled worker-p3, and existing task definitions being updated with a new environment variable DIVVY_IAM_ANALYZER_PARALLEL_ENABLED.
Product name to be replaced
You may observe that some components, screen captures, or examples use our former product name, DivvyCloud. This doesn't affect the configuration or the product's functionality, and we will notify you as we replace these component names.
Sizing the P3 Workers Count
- Run the Cache Workload Size Calculator. Navigate to this page (for example: http://<insightcloudsec-url>/iam/cache_calculator).
- Ensure that all of the cloud accounts are selected. Click inside the Cloud Accounts box. Click on the check box at the top of the list until it is a check mark. This will not affect which clouds are AllowListed for the IAM cache build.
- Click on Calculate.
- Use the Total Pairs number in the following table to determine your starting workers count.
| Total Pairs | Starting Workers Count |
|---|---|
| up to 500M | 12 workers |
| 500M to 1B | 24 workers |
| 1B to 1.5B | 36 workers |
| over 1.5B | contact InsightCloudSec through the Customer Support Portal |
The default P3 task count of 12 can be overridden by adding worker_p3_task_count to your tfvars file.
P3 Autoscaling
By default, the use_p3_autoscaling variable is set to true, so you should not need to manually set a worker count.
After you successfully complete a cache build, then you can start reducing the number of workers until the cache build time starts to rise.
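As an added example (not InsightCloudSec's own tooling), the script below ties together the tfvars settings from the ECS Fargate checklist and the worker sizing table above: it reads a flat tfvars file, applies the Total Pairs thresholds, and reports anything to fix before running terraform plan/apply. It assumes the tfvars file uses simple `key = value` lines and that the table's range bounds are inclusive; the sample tfvars fragment is constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Union

# Sizing table from the setup page: upper bound on Total Pairs -> starting
# P3 worker count. Bounds are treated as inclusive (an assumption; the page
# gives the ranges as "up to 500M", "500M to 1B", "1B to 1.5B").
SIZING_TABLE = (
    (500_000_000, 12),
    (1_000_000_000, 24),
    (1_500_000_000, 36),
)
DEFAULT_P3_TASK_COUNT = 12                       # page: "The default P3 task count of 12"
RECOMMENDED_REDIS_NODE_TYPE = "cache.m5.large"   # page: add redis_node_type = "cache.m5.large"

TfVarValue = Union[str, int, bool]


def recommended_workers(total_pairs: int) -> Optional[int]:
    """Starting worker count for a Total Pairs figure from the Cache Workload
    Size Calculator; None means the page says to contact support (over 1.5B)."""
    if total_pairs < 0:
        raise ValueError("total_pairs must be non-negative")
    for upper_bound, workers in SIZING_TABLE:
        if total_pairs <= upper_bound:
            return workers
    return None


_ASSIGNMENT = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$")


def parse_tfvars(text: str) -> Dict[str, TfVarValue]:
    """Minimal reader for flat `key = value` tfvars files (assumption: no maps,
    lists or multi-line values). Full-line # and // comments are skipped,
    quoted strings are unquoted, true/false become bools, integers become ints."""
    values: Dict[str, TfVarValue] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("//"):
            continue
        match = _ASSIGNMENT.match(line)
        if not match:
            continue
        key, raw = match.group(1), match.group(2)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            values[key] = raw[1:-1]
        elif raw in ("true", "false"):
            values[key] = raw == "true"
        elif raw.lstrip("-").isdigit():
            values[key] = int(raw)
        else:
            values[key] = raw
    return values


def check_access_explorer_tfvars(text: str, total_pairs: int) -> List[str]:
    """Compare a tfvars file against the page's Access Explorer guidance.
    Returns a list of findings; an empty list means nothing to fix before
    running terraform plan/apply."""
    tfvars = parse_tfvars(text)
    findings: List[str] = []

    if tfvars.get("enable_iam_analyzer") is not True:
        findings.append("enable_iam_analyzer is not true: the worker-p3 service "
                        "and DIVVY_IAM_ANALYZER_PARALLEL_ENABLED will not be deployed")

    if "redis_node_type" not in tfvars:
        findings.append("redis_node_type is not set: add redis_node_type = "
                        f'"{RECOMMENDED_REDIS_NODE_TYPE}" for the extra cache data')

    target = recommended_workers(total_pairs)
    if target is None:
        findings.append("Total Pairs is over 1.5B: contact InsightCloudSec "
                        "through the Customer Support Portal for sizing")
        return findings

    # Autoscaling defaults to true per the page; only a manual count needs checking.
    autoscaling = tfvars.get("use_p3_autoscaling", True)
    task_count = tfvars.get("worker_p3_task_count", DEFAULT_P3_TASK_COUNT)
    if autoscaling is False and isinstance(task_count, int) and task_count < target:
        findings.append(f"use_p3_autoscaling is false and worker_p3_task_count={task_count} "
                        f"is below the starting count of {target} for {total_pairs:,} pairs")
    return findings


# Constructed sample tfvars fragment (not from a real deployment).
SAMPLE_TFVARS = """\
# Access Explorer settings (constructed sample)
enable_iam_analyzer  = true
use_p3_autoscaling   = false
worker_p3_task_count = 12
redis_node_type      = "cache.m5.large"
"""

if __name__ == "__main__":
    for pairs in (100_000_000, 800_000_000):
        print(pairs, check_access_explorer_tfvars(SAMPLE_TFVARS, pairs) or "OK")
```

Run it with the Total Pairs value reported by the calculator; with autoscaling left at its default of true the worker count check is skipped, matching the page's note that you should not need to set a count manually.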
First-Time Setup
Prerequisites & Recommendations
- An InsightCloudSec platform installation with administrative permissions and the IAM license (contact us via the Customer Support Portal for more information)
- At least one AWS cloud connected to InsightCloudSec
- For instructions on adding a cloud account to your InsightCloudSec platform refer to our Cloud Account Setup page
- Details on your Tagging or Name strategy to define your applications
- To complete the optional steps for configuring CMDB and EIAM you will need the following:
- An appropriately formatted CMDB CSV file (for upload or fetched from S3)
- An appropriately formatted EIAM JSON file (for upload or fetched from S3)
- A list of principals you want to exclude from your configuration (optional)
Users launching Access Explorer for the first time will be met with a guided Getting Started with Access Explorer process. This process walks through the required and optional steps to complete the setup and configuration for Access Explorer.
Recommendations for Optional Steps
While only Step 1 - Choose Cloud Accounts to Include and building the cache are required to complete the setup, we strongly recommend completing the optional steps to provide a better overall experience.
Step 1 - Choose Cloud Accounts to Include
In this step you will select the cloud accounts (currently AWS) that you have connected to your InsightCloudSec platform to include for analysis in Access Explorer.
- Refer to Cloud Account Setup for instructions on connecting additional cloud accounts to InsightCloudSec
- Check out Access Explorer - Configuration and Settings for details on Included Accounts.
Step 2 - Create Application Groups
In this optional step you can define rules to create applications. By understanding your tagging or naming schema, we can dynamically group resources in Application Groups.
- Refer to the complete documentation on Configuring Application Groups.
- Add as many rules as you want to include.
- Select Save Application Group to save your application and reset the form. This will allow you to create a new application. (Note: You can also add applications after you complete the initial setup.)
- To verify that your rules are working as intended click Test Group Rule, which will provide a list of resources that match (including a count) each rule provided.
Step 3 - Configure CMDB Settings
In this optional step, users provide their CMDB settings in a CSV file. There are two options to share the CSV file: You can upload the file or point to an AWS S3 bucket to fetch the file.
- Refer to the Configuring CMDB documentation for the complete details on this step (file format requirements and details for both options).
- Review the details on the required CSV file here.
Step 4 - Configure EIAM Settings
In this optional step, users provide their EIAM settings in a JSON file. There are two options to share the JSON file: You can upload the file or point to an AWS S3 bucket to fetch the file.
- Refer to the Configuring EIAM documentation for the complete details on this step.
- Review the details on the required JSON file here.
Step 5 - Principal Ignore List
In this optional step, you can choose to define principals that you would like the analyzer to ignore. By excluding principals like IAM superusers or other users that have extensive permissions you can reduce your cache build time.
- Select Add Role to specify a Principal you would like to add to the ignore list.
- Click the test option for any role to see a list of matches before adding it to your list.
To revise the list of principals after the setup is complete you can visit the settings in Access Explorer. Read more about those on the Access Explorer - Configuration and Settings page.
Final Step - Finish Setup & Start Cache Build
When you have added all of the details you want to include for your Access Explorer installation, select the Finish Setup & Start Cache Build button to complete the setup process.
If everything has been added correctly, you will receive the following confirmation.
What's Next?
Once you have completed your initial setup for Access Explorer and the cache build has finished, your installation is ready to use.
From your InsightCloudSec platform, navigate to Security>Access Explorer and select Access Explorer.
You can also check out the Using Access Explorer - Feature Guide for details on using the Cloud IAM Governance via Access Explorer.
For instructions on configuring any of the components included in the initial setup process outside of this guided setup, check out the Access Explorer - Configuration and Settings documentation.