Review Identity Analysis
Identity Analysis provides a unified location to explore principals, federated users, and their associated details including cloud accounts, permissions, high-level Insight Summary details, and more. You'll be able to:
- Identify and prioritize cloud identity risk through key risk indicators like overly permissive access and privilege escalation.
- Narrow the scope of your assessment with search and filtering tools, and explore detailed information for individual principals/federated users.
- Review permission usage summaries and remediation to take action on identified risks.
- Assess federated users’ roles and permissions for customers using Azure AD.
Prerequisites
Before getting started with Identity Analysis you will need:
- A functioning InsightCloudSec installation
- One or more successfully onboarded cloud account(s)
- For customers using AWS
- Differential Cache must be enabled (this is enabled by default for SaaS/hosted customers)
- LPA for AWS should be configured. Read more under the AWS LPA Setup documentation.
- For customers using Azure
- LPA should be configured. Read more under the Azure LPA Setup documentation.
- For customers using GCP
- LPA is set up automatically. Read more about this feature in the GCP LPA Usage documentation.
Customers using the Federated User Analysis feature
This is currently available only for customers using Microsoft Entra ID for user federation into AWS. InsightCloudSec is actively working on extending Identity Provider support. The following prerequisites apply:
- The Azure cloud account with Microsoft Entra ID data available is successfully onboarded
- AWS configuration enabled as above
For more context, please review this article from AWS.
Explore Identity Analysis
In InsightCloudSec, navigate to Security > Identity Analysis to start viewing your identity-related data. This feature is divided into two tabs:
- Principals -- This tab contains the principals found across all of your onboarded cloud accounts.
- Federated Users -- This tab contains the federated users found across all of your onboarded cloud accounts.
Filter
Identity Analysis has filtering functionality to effectively narrow the scope of and navigate the data.
Add Filter
Filtering allows for narrowing the scope of the resources list using properties like cloud accounts, clusters, resource groups, etc. Some things to note about filtering behavior:
- Each selected filter updates dynamically with options appropriate for the property selected.
- After selecting an initial property, click + Add Filter to add an additional filter and further narrow the scope.
- If filtering on a Resource Tag:
- Searching for a tag is case insensitive.
- New tags are harvested every 12 hours by the ResourceTypeTrigramsProcess background job (see System Settings for more information).
To add a filter:
- Click the Add Filters button to open the side panel.
- Select and configure a property to get started.
- After configuring your desired filters, click Apply to update the scope for the feature.
Save Filters (Optional)
After Adding a Filter, you can save it so that it can easily be reused the next time you access the feature. Saved filters are feature-specific (since options vary between features), i.e., a saved filter in Feature "A" will only be available in Feature "A" and will not be available in Feature "B".
To save a filter:
- Once filter(s) have been applied, ensure the filters list is expanded by clicking the arrow (>).
- Click the ellipsis (...) button, then click Save Filter.
- Provide a name for the filter and an optional description.
- Select the checkbox for Set as Default Filter to set this filter as the default for the feature. This only applies to your user account and will not affect other users' default filter.
- Select the checkbox for Make this a Public Filter to allow other users to use and see the filter.
- Click OK.
Once a filter has been successfully saved, it can be accessed (along with other saved filters) or edited from the same ellipsis menu.
Trends and Analytics (Principals Only)
The Trends and Analytics section comprises charts that summarize critical details for your principals (not yet supported for federated users). Currently this section features two charts:
- Risk Factors -- The most common risk factors in your environment as well as the count of principals affected by the factor
- Click a Risk Factor to automatically configure the filters to scope the Data Display to the selected risk factor, e.g., clicking the Multi-Factor Authentication Disabled risk factor will add the filter Risk Factor is in mfa_disabled.
- Click Clear All in the Filters section to clear all filters and reset the view.
- Unused Permissions Distribution -- The count of principals that have unused permissions allocated to them, grouped in 20% chunks.
- Click an Unused Permissions Distribution group to automatically configure the filters to scope the Data Display to the selected group, e.g., clicking the Under 20% group will add the filters Unused Permission Percentage greater than 0 and Unused Permission Percentage less than or equal to 20.
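The following Python is an added example, not InsightCloudSec code, showing how the two charts above can be derived from per-principal permission-usage data: the unused-permission percentage is bucketed into the 20% groups with the same edge semantics as the filters the page describes (Under 20% means greater than 0 and at most 20), and risk factors are tallied per principal. It assumes that unassessed permissions are excluded from the percentage (they are omitted from the graph), and all sample principals and the risk factor identifiers other than mfa_disabled are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Principal:
    name: str
    used: int          # permissions observed in use by LPA
    unused: int        # assessed permissions never used
    unassessed: int = 0  # permissions LPA could not assess
    risk_factors: Set[str] = field(default_factory=set)

def unused_percentage(p: Principal) -> Optional[float]:
    """Percent of assessed permissions that are unused.
    Assumption: unassessed permissions are left out of the denominator."""
    assessed = p.used + p.unused
    if assessed == 0:
        return None  # no assessed data: principal is not plotted
    return 100.0 * p.unused / assessed

BUCKETS = ("Under 20%", "20-40%", "40-60%", "60-80%", "80-100%")

def bucket_for(percent: Optional[float]) -> Optional[str]:
    """Map a percentage to its 20% group: group i covers 20*i < percent <= 20*(i+1)."""
    if percent is None or percent <= 0:
        return None  # 0% unused (or no data) is not counted in the distribution
    for i, label in enumerate(BUCKETS):
        if percent <= 20 * (i + 1):
            return label
    return BUCKETS[-1]

def unused_permissions_distribution(principals: List[Principal]) -> Dict[str, int]:
    counts = {label: 0 for label in BUCKETS}
    for p in principals:
        label = bucket_for(unused_percentage(p))
        if label:
            counts[label] += 1
    return counts

def risk_factor_counts(principals: List[Principal]) -> Dict[str, int]:
    """Most common risk factors first, with the number of principals affected."""
    counts: Dict[str, int] = {}
    for p in principals:
        for rf in p.risk_factors:
            counts[rf] = counts.get(rf, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))

def filter_by_risk_factor(principals: List[Principal], factor: str) -> List[str]:
    """Equivalent of the chart click that adds 'Risk Factor is in <factor>'."""
    return [p.name for p in principals if factor in p.risk_factors]

SAMPLE = [  # constructed sample data
    Principal("alice", used=10, unused=2, unassessed=3, risk_factors={"mfa_disabled"}),
    Principal("build-role", used=5, unused=15, risk_factors={"overly_permissive"}),
    Principal("ci-role", used=1, unused=4, risk_factors={"mfa_disabled"}),
    Principal("admin", used=0, unused=0, unassessed=7),
    Principal("dev", used=20, unused=0),
    Principal("old-role", used=1, unused=9),
]
```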
Data Display
Below Trends and Analytics is the main data table. The value at the top of the table displays the total number of principals/federated users; this value updates to reflect the number of principals/federated users in scope for any configured filters.
Details | Tab | Description |
---|---|---|
Search | Both | Field that enables free-text search of the filtered data. |
Permissions | Both | Displays a visualization of permissions with different colors for the quantity of unused, used, and unassessed permissions. Unassessed permissions do not appear in the graph, but their count is displayed in the tooltip when you hover over the graph. |
Action | Both | |
Principal Name | Principals | The name of the principal. |
Principal Type | Principals | The principal type for the associated principal. Currently Cloud Role and Cloud User are supported. |
Cloud Account | Principals | The type of cloud account as well as the account name for the associated principal. |
Insight Summary | Principals | Displays the highest severity among the Insights associated with the principal (for example, if the principal is only associated with an Insight or Insights of Medium severity, Medium is what will display in the Insight Summary). |
Privilege Escalation | Principals | Displays a visual indicator for privilege escalation for the selected principal. Options include none, N/A (where no data is available), and a flag to indicate that the principal may have issues around privilege escalation. |
Federated User | Federated Users | The name of the federated user. |
User Type | Federated Users | The user type for the associated user. Currently Member and Guest are supported. |
Identity Provider | Federated Users | The identity provider for the associated user. |
Roles Assumed | Federated Users | The count of unassumed roles and the count of assumed roles. |
Context Details
Selecting an individual principal/federated user by clicking its name or by selecting View Context Details under Actions opens a detail view for the selected principal/federated user.
Principal/Federated User Detail Availability
The context details available vary for each individual principal/federated user in Identity Analysis:
- Areas that are not applicable and/or that do not contain data will be inactive.
- Depending on the principal/federated user, different context details are available.
This view includes information like:
- Resource Properties
- Related Resources
- Permissions and Remediation
- Roles and Permissions