Review Identity Analysis

Identity Analysis provides a unified location to explore principals, federated users, and their associated details including cloud accounts, permissions, high-level Insight Summary details, and more. You'll be able to:

  • Identify and prioritize cloud identity risk through key risk indicators like overly permissive access and privilege escalation.
  • Narrow the scope of your assessment with tools for search & filtering and explore detailed information for individual principals/federated users.
  • Review permission usage summaries and remediation to take action on identified risks.
  • Assess federated users’ roles and permissions for customers using Azure AD.

Prerequisites

Before getting started with Identity Analysis you will need:

  • A functioning InsightCloudSec installation
  • One or more successfully onboarded cloud account(s)
  • For customers using AWS
    • Differential Cache must be enabled (this is enabled by default for SaaS/hosted customers)
    • LPA for AWS should be configured. Read more under the AWS LPA Setup documentation.
  • For customers using Azure
    • LPA should be configured. Read more under the Azure LPA Setup documentation.
  • For customers using GCP
    • LPA is set up automatically. Read more about this feature in the GCP LPA Usage documentation.

Customers using the Federated User Analysis feature

This is only currently available for customers using Azure Active Directory (AD) for user federation into AWS. InsightCloudSec is actively working on extending the Identity Provider support. The following prerequisites apply:

  • The Azure cloud account with Active Directory (AD) data available is successfully onboarded
  • AWS configuration enabled as above

For more context, please review this article from AWS.

Explore Identity Analysis

In InsightCloudSec, navigate to Security > Identity Analysis to start viewing your identity-related data. This feature is divided into two tabs:

  • Principals -- This tab contains the principals found across all of your onboarded cloud accounts.
  • Federated Users -- This tab contains the federated users found across all of your onboarded cloud accounts.

Filter

Identity Analysis has filtering functionality to effectively narrow the scope of and navigate the data.

Add Filter

Filtering allows for narrowing the scope of the resources list using properties like cloud accounts, clusters, resource groups, etc. Some things to note about filtering behavior:

  • Each selected Filter updates dynamically with options appropriate for the property selected.
  • After selecting an initial property, click + Add Filter to add an additional filter and further narrow the scope.
  • If filtering on a Resource Tag:
    • Searching for a tag is case insensitive.
    • New tags are harvested every 12 hours by the ResourceTypeTrigramsProcess background job (see System Settings for more information).

To add a filter:

  1. Click the Add Filters button to open the side panel.
  2. Select and configure a property to get started.
  3. After configuring your desired filters, click Apply to update the scope for the feature.
Save Filters (Optional)

After Adding a Filter, you can save it so that can easily be reused the next time you access the feature. Saved filters are feature-specific (since options vary between features), i.e., a saved filter in Feature "A" will only be available in Feature "A" and will not be available in Feature "B".

To save a filter:

  1. Once filter(s) have been applied, ensure the filters list is expanded by clicking the arrow (>)
  2. Click the ellipsis (...) button, then click Save Filter.
  3. Provide a name for the filter and an optional description.
  4. Select the checkbox for Set as Default Filter to set this filter as the default for the feature.
  5. Select the checkbox for Make this a Public Filter to allow other users to see the filter.
  6. Click OK.

Once a filter has been successfully saved, it can be accessed (along with other saved filters) or edited from the same ellipsis menu.

The Trend and Analytics section comprises charts that summarize critical details for your principals (not supported for federated users yet). Currently this section features two charts:

  • Risk Factors -- The most common risk factors in your environment as well as the count of principals affected by the factor
    • Click a Risk Factor to automatically configure the filters to scope the Data Display to the selected risk factor, e.g., clicking the Multi-Factor Authentication Disabled risk factor will add the filter Risk Factor is in mfa_disabled.
      • Click Clear All in the Filters section to clear all filters and reset the view
  • Unused Permissions Distribution -- The count of principals that have unused permissions allocated to them (grouped in 20% chunks).
    • Click an Unused Permissions Distribution to automatically configure the filters to scope the Data Display to the selected group, e.g., clicking the Under 20% group will add the filters Unused Permission Percentage greater than 0 and Unused Permission Percentage less than or equal to 20

Data Display

Below the Trends and Analytics is the main table of data. The value at the top of the table displays the total principals/federated users, but this value will update to reflect the number of principals/federated users scoped by any configured filters.

DetailsTabDescription
SearchBothField that enables free text search of the filtered data.
PermissionsBothDisplays a visualization of permissions with different colors for the quantity of unused, used, and unassessed permissions. Un-assessed permissions do not appear in the graph, but their count will be displayed in the tooltip if you hover on the graph.

  • Clicking the permissions visualization bar opens the detail view for the selected principal.
ActionBoth
  • Click View Context Details (left icon) to open the Context Details panel.
  • Click Download Source Data (right icon) to download source data for the principal.
Principal NamePrincipalsThe name of the principal.

  • Clicking the copy icon to the right of the name copies the full name
  • Clicking the name opens a detail view with expanded properties, Insight Findings, Related Resources, etc. Refer to Context Details for more information.
Principal TypePrincipalsThe principal type for the associated principal. Currently Cloud Role and Cloud User are supported.
Cloud AccountPrincipalsThe type of cloud account as well as the account name for the associated principal.

Insight SummaryPrincipalsDisplays highest criticality available (for example if the principal is only associated with an Insight (or Insights) with a Medium severity, that is what will display in the Insights Summary).

  • Critical, High, Medium, Low, Info: The count of the Insights associated with the principal respective to each individual severity. (e.g. Critical = 13, indicates 13 Critical Insights for that resource.)
  • Hover on the Insights badge for the counts of each Insight severity associated with the principal.
  • Click the Insights badge for expanded details on any Insight Findings associated with a specific principal.
Privilege EscalationPrincipalsDisplays a visual indicator for privilege escalation for the selected principal, options include none, N/A (where no data is available), and a flag to indicate that the principal may have issues around privilege escalation.

  • Clicking the value in the column opens to the Insight Findings tab of the Context Details to explore Insight Findings data that identifies risk of privilege escalation.
Federated UserFederated UsersThe name of the federated user.

  • Clicking the copy icon to the right of the name copies the full name
  • Clicking the name opens a detail view with expanded properties, Insight Findings, Related Resources, etc. Refer to Context Details for more information.
User TypeFederated UsersThe user type for the associated user. Currently Member and Guest are supported.
Identity ProviderFederated UsersThe identity provider for the associated user.
Roles AssumedFederated UsersThe count of unassumed roles and the count of assumed roles.

  • Clicking the role count opens the detail view for the selected user.
  • Hover on the count to show a breakdown of the unassumed vs. assumed roles for the user.

Context Details

Selecting an individual principal/federated user by clicking its name or by selecting View Context Details under Actions opens a detail view for the selected principal/federated user.

Principal/Federated User Detail Availability

For each individual principal/federated user available in Identity Analysis the context details will vary.

  • Areas that are not applicable and/or those that do not contain data will be inactive
  • Depending on the principal/federated user, different context details are available

This view includes information like: