Azure LPA Usage
With InsightCloudSec version 22.10.5, the following features no longer require the IAM license:
To use these features, Self-hosted customers will need to add at least one AWS EC2 P3 worker to their InsightCloudSec environment (see Access Explorer - Setup for more information). Workers are automatically managed for SaaS customers, so these features will be available after you upgrade to version 22.10.5. In a future release (November 2022), this requirement will be removed and these features will rely on an existing worker pool.
After completing the setup and configuration for Azure LPA, InsightCloudSec offers a principal activity view that is accessible from the Resources page in your installation.
To launch Azure LPA, navigate to Inventory>Resources on your InsightCloudSec platform, then navigate to the Identity & Management tab. The principal activity view can only be accessed on the Cloud User and Cloud Role resources.
Once you've selected the desired resource, click the vertical three dots to open the context menu, then select Principal Activity.
This opens a side pane listing all of the actions taken by the selected user or role.
The pane may be empty if the selected user or role has performed no actions within the timeframe chosen on the page (the default is the last 90 days).
Principal Activity Details
The Principal Activity pane contains permissions (or Policy Actions) that have been used within the selected time frame (7, 30, 60, or 90 days). This will provide useful information to support remediation of risk but should be used in conjunction with additional context of the Principal being assessed.
- Toggle Compress table to compress or un-compress the table of permissions
- Use the search field to narrow the scope of used permissions
- Click Download to download the Detailed Permission Usage (JSON) file
Considerations Before Editing
Prior to making changes to a policy based on this information we recommend the following:
- Have the information assessed by a qualified reviewer with knowledge of your specific infrastructure and implementation to avoid unwanted impacts (e.g., loss of required permission)
- Ensure that you have an existing process to revert or remediate issues prior to making changes
Detailed Permission Usage (JSON)
The Detailed Permission Usage JSON file includes the following information for the given principal:
- The action name
- The count or number of times an action was invoked (if at all)
- The last executed date for the action
- The name of the Azure permission the action maps to
- The plane for the permission
- The scope(s) for the permission
- The status of the permission (used, unused, or un-assessed)
Information provided by InsightCloudSec on used or un-assessed permissions for a given Principal is based on the information available from the relevant Cloud Service Provider (CSP), and its accuracy is therefore bounded by the usage data that provider logs. Customers can use this data to determine which permissions to keep or remove from their policy stack. Used and un-assessed permissions in the context of this feature and InsightCloudSec are described below.
Used Permissions are based on API actions that we have visibility of through the configured data collection (see the Azure LPA Setup documentation). There is a 1-to-1 mapping of User Activity to Permission for Azure, so we present Used Permissions based on that activity as logged via Event Hub.
We base our calculation of Unused Permissions on a Principal's permission set (using a portion of Effective Access, but without considering resource policies at present). From this we subtract Used and Un-assessed Permissions; the resulting list is the set of Permissions determined to have been unused in the given timeframe.
When a Permission appears in a Principal's effective access but we are unable to assess it, we will highlight this as an Un-assessed Permission to ensure it’s not confused with an unused permission.
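The set arithmetic described above (effective permissions minus used minus un-assessed), applied to the fields the Detailed Permission Usage export lists, as an added example that is not InsightCloudSec's own code. The JSON key names and the sample entries are constructed assumptions; the real export may use different keys.

```python
import json
from collections import defaultdict

# Constructed sample export. The field names are an assumption about the real
# file's layout; the fields themselves are the ones the documentation lists.
SAMPLE_EXPORT = json.dumps({"principal": "example-app-role", "timeframe_days": 90, "permissions": [
    {"action": "Microsoft.Compute/virtualMachines/read", "count": 42, "last_executed": "2022-10-20T10:15:00Z",
     "permission": "Microsoft.Compute/virtualMachines/read", "plane": "management",
     "scopes": ["/subscriptions/sub-1"], "status": "used"},
    {"action": "Microsoft.Compute/virtualMachines/delete", "count": 0, "last_executed": None,
     "permission": "Microsoft.Compute/virtualMachines/delete", "plane": "management",
     "scopes": ["/subscriptions/sub-1"], "status": "unused"},
    {"action": "Microsoft.Storage/storageAccounts/listKeys/action", "count": 0, "last_executed": None,
     "permission": "Microsoft.Storage/storageAccounts/listKeys/action", "plane": "management",
     "scopes": ["/subscriptions/sub-1/resourceGroups/rg-app"], "status": "unused"},
    {"action": "Microsoft.KeyVault/vaults/secrets/read", "count": 3, "last_executed": "2022-10-01T08:00:00Z",
     "permission": "Microsoft.KeyVault/vaults/secrets/read", "plane": "data",
     "scopes": ["/subscriptions/sub-1/resourceGroups/rg-app"], "status": "used"},
    {"action": "Microsoft.Network/virtualNetworks/write", "count": 0, "last_executed": None,
     "permission": "Microsoft.Network/virtualNetworks/write", "plane": "management",
     "scopes": ["/subscriptions/sub-1"], "status": "un-assessed"},
]})

def load_entries(text):
    return json.loads(text)["permissions"]

def partition(entries):
    """Group permission names by the three statuses the export uses."""
    by_status = defaultdict(set)
    for e in entries:
        by_status[e["status"]].add(e["permission"])
    return by_status

def derive_unused(entries):
    """Recompute 'unused' the way the page defines it: the principal's effective
    permission set minus used minus un-assessed. Un-assessed is subtracted too,
    so it is never mistaken for unused."""
    effective = {e["permission"] for e in entries}
    by = partition(entries)
    return effective - by["used"] - by["un-assessed"]

def remediation_candidates(entries):
    """Unused permissions grouped by the scope they are granted at (the list a
    reviewer takes to a policy change) plus un-assessed ones for manual follow-up."""
    unused = derive_unused(entries)
    by_scope = defaultdict(list)
    for e in entries:
        if e["permission"] in unused:
            for scope in e["scopes"]:
                by_scope[scope].append(e["permission"])
    needs_review = sorted(partition(entries)["un-assessed"])
    return {s: sorted(p) for s, p in by_scope.items()}, needs_review

if __name__ == "__main__":
    candidates, needs_review = remediation_candidates(load_entries(SAMPLE_EXPORT))
    print(json.dumps({"remove_candidates": candidates, "manual_review": needs_review}, indent=2))
```

The two output lists are kept apart on purpose: only the first is a removal candidate, and the second still needs a qualified reviewer, as the Considerations section above recommends.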
There are certain Azure services for which InsightCloudSec cannot assess usage. This is typically because the service does not log via the relevant method, which is a known limitation. We are currently exploring alternative approaches to support these services.