IAM Settings
The IAM Settings page in InsightCloudSec is divided into two sections:
- LPA Configuration -- Hosts the settings and configuration for the InsightCloudSec Least-Privileged Access (LPA) feature
- Cache Settings -- Displays the IAM cache build status
IAM License
With InsightCloudSec version 22.10.5, the following features no longer require the IAM license:
- IAM-related Query Filters
- Principal Activity panel (AWS & Azure)
- Principal Explorer (via the Resources page)
Note: To use these features, Self-hosted customers will need to add at least one AWS EC2 P3 worker to their InsightCloudSec environment (see Access Explorer - Setup for more information). Workers are automatically managed for SaaS customers, so these features will be available after you upgrade to version 22.10.5. In a future release (November 2022), this requirement will be removed and these features will rely on an existing worker pool.
LPA Configuration
The InsightCloudSec LPA feature requires varying configuration for both AWS and Azure. Details on setup, support, and usage are included on the following pages:
- For information on AWS LPA, see AWS Least-Privileged Access (LPA)
- For information on Azure LPA, see Azure Least Privileged Access (LPA)
- For information on GCP LPA, see GCP Least Privileged Access (LPA)
Cache Settings
The Cache Settings page displays the IAM cache build status for the Access Explorer. Every 10 minutes, InsightCloudSec diagnoses any changes to the Access Explorer Settings, calculates the best time to rebuild the cache based on available compute resources, and then initiates a cache rebuild.
Access Explorer currently only supports AWS and requires a separate license. Review Getting Started with Access Explorer or contact Customer Support via the portal for more information.
A list of possible cache statuses follows:
- Currently recomputing Effective Access data for one or more accounts -- Some accounts require a full recompute. This happens on the first run (because everything needs to be computed the first time), when the InsightCloudSec analyzer is updated, when Service Control Policies (which restrict access within accounts) have changed, or when particular accounts have gone too long without an update. This is a normal happy state.
- Effective Access data for all accounts have been computed -- InsightCloudSec has finished at least one full pass for each account and none of the triggers mentioned above require a full recompute of any account. At this stage, InsightCloudSec only recomputes access when changes are detected for principals or resources.
- The Differential Cache has not been configured, so there is no data or status to show -- InsightCloudSec has detected that no infrastructure has been configured or enabled for the differential cache. Contact Customer Support or your CSM if you see this status.
- Some accounts might be lagging behind -- InsightCloudSec has processed all accounts at least once, but the rate at which it is re-processing accounts with changes is not fast enough to recompute every account within 24 hours. This may be caused by insufficient compute power to recompute changes quickly enough; contact Customer Support or your CSM if you see this status for a lengthy period of time.