Using the Principal Explorer

Once you have completed the setup and configuration for Cloud IAM Governance - Access Explorer, you can open the Principal Explorer from the Resources page of InsightCloudSec or from the actions menu on Principals in Access Explorer.

Once you have found Principals with the most privileges, the Principal Explorer provides a quick way to drill down into the types and level of permissions the user or role has.

IAM License

With InsightCloudSec version 22.10.5, the following features no longer require the IAM license:

To use these features, Self-hosted customers will need to add at least one AWS EC2 P3 worker to their InsightCloudSec environment (see Access Explorer - Setup for more information). Workers are automatically managed for SaaS customers, so these features will be available after you upgrade to version 22.10.5. In a future release (November 2022), this requirement will be removed and these features will rely on an existing worker pool.

Using the Principal Explorer

Resources Access to the Principal Explorer

To launch the Principal Explorer from the Resources page, navigate to Inventory>Resources on your InsightCloudSec platform, then navigate to the Identity & Management tab. The Principal Explorer can only be accessed from the Cloud User and Cloud Role resources.

Once you've selected the desired resource, you will see the following three columns (in addition to the columns normally shown for the resource):

  • Matching Services (at least 90% allowed) -- the number of services where this user or role has been granted at least 90% of the service's actions
    • 90% is the default value for the column but can be adjusted using filters. See below for details.
  • Allowed Services -- the number of services to which this user or role has been granted access
  • Allowed Actions -- the number of actions to which this user or role has been granted access

Each of these columns' values is a link. Clicking a value opens the Principal Explorer. Alternatively, click the actions menu (...), then click Principal Explorer.


Fine-tuning Your Resource Results

Before opening the Principal Explorer, it may make sense to filter your environment results first. As mentioned previously, InsightCloudSec displays users or roles that have 90% or more access to a service by default, i.e., the user or role has 90% of the available service permissions or the user or role is 90% of the way to wildcard, or full, access. This number can be adjusted in several different ways:

  1. With the Cloud User or Cloud Role resource open, click Query Filters in the top right-hand corner.

  2. In the Query Filters panel search for "actions count".

  3. Select a Query Filter:

    • Principal has Wildcard Access to Services with Denied Actions Count Below Threshold (AWS) - Select this filter if you would like to search for users/roles based on how many actions they have denied to them.
    • Principal has Effective Access to Services with Allowed Actions Count Above Threshold (AWS) - Select this filter if you would like to search for users/roles based on how many actions they have granted to them.
  4. Optionally, provide a service you want to filter on.

  5. Select a Tolerance Type: Action Count or Percentage.
    An Action is equivalent to a specific service permission, e.g., "ec2:DescribeAccountAttributes", so you're essentially choosing between raw number and percent.

  6. Provide a tolerance value.

  7. Click Apply. The Matching Services... column will be updated to match the selected filter.

Opening Principal Explorer from Access Explorer

To launch the Principal Explorer within Access Explorer, navigate to Security > Access Explorer on your InsightCloudSec platform, then navigate to the Principals tab.

  • The Principal Explorer can be accessed by selecting the actions menu (...) to the left of any Principal Name.
  • The Access Explorer is only available to users with the IAM license (contact us via the Customer Support Portal for more information).

Principal Explorer

After optionally filtering your results and opening the Principal Explorer, you'll be greeted by a three-panel window.

  • The summary above the three panels shows details for the selected Principal, including: the name of the selected Principal, Total # of services, Total # of Actions, and Total # of Resources (this is a hyperlinked value that will open a filtered version of the Access Explorer with those resources' details).
  • The three panels from left-to-right are the Policy Stack, the Policy Viewer, and Effective Access.

Policy Stack

The Policy Stack shows the policies that are inherited via Service Control Policies (SCP), inherited via IAM Groups, and applied directly to the user or role.

Expand each grouping to view the policies that are inherited or directly applied.

Deselecting a policy will simulate removing that policy and will update the Effective Access panel; clicking a policy will scroll to the policy and highlight it in the Policy Viewer.

Policy Viewer

The Policy Viewer displays a JSON file containing the user/role's ARN, type, and attached policies. Click the search (magnifying glass) button to open a field that can be used to search for terms throughout the policy. Click Download to download the JSON file to your web browser.

Effective Access

Effective Access displays the various permissions, or actions, that this user or role has access to, grouped by service.

  • Clicking on the right-facing arrow to the right of each service name will open a list of the actions that are granted for that service.
  • You can use the search bar to search for permission names or services and the list will automatically filter as you type.
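
An added illustration, not InsightCloudSec code or part of the original documentation: a simplified Python model of what the three Resources-page columns, the tolerance filter, and the Policy Stack's deselect simulation compute. The action catalogue, the policy names, and the evaluation rules (Action wildcards only, no Resource, Condition or NotAction handling, and `>=` for the tolerance comparison) are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Constructed sample data: a tiny action catalogue and a three-policy stack.
CATALOGUE = {
    "s3": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
    "ec2": ["ec2:DescribeInstances", "ec2:DescribeAccountAttributes",
            "ec2:RunInstances", "ec2:TerminateInstances"],
    "iam": ["iam:ListUsers", "iam:CreateUser", "iam:DeleteUser", "iam:PassRole"],
}
STACK = {  # hypothetical policy name -> (source, statements)
    "OrgGuardrail": ("scp", [{"Effect": "Allow", "Action": "*"},
                             {"Effect": "Deny", "Action": "iam:DeleteUser"}]),
    "DevGroup": ("group", [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"]}]),
    "InlineAdmin": ("direct", [{"Effect": "Allow", "Action": ["ec2:*", "iam:*"]}]),
}

def _hit(statements, effect, action):
    """True if any statement with this Effect names the action (wildcards allowed)."""
    for st in statements:
        pats = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == effect and any(
                fnmatchcase(action.lower(), p.lower()) for p in pats):
            return True
    return False

def effective_access(selected):
    """Allowed actions per service for the policies still selected in the stack."""
    chosen = [STACK[name] for name in selected]
    identity = [s for src, stmts in chosen if src != "scp" for s in stmts]
    scps = [stmts for src, stmts in chosen if src == "scp"]
    every = [s for _, stmts in chosen for s in stmts]
    access = {}
    for service, actions in CATALOGUE.items():
        allowed = [a for a in actions
                   if _hit(identity, "Allow", a)                   # granted directly or via group
                   and all(_hit(scp, "Allow", a) for scp in scps)  # SCPs cap, never grant
                   and not _hit(every, "Deny", a)]                 # explicit deny wins
        if allowed:
            access[service] = allowed
    return access

def matching_services(access, tolerance, tolerance_type="Percentage"):
    """Services at or above the tolerance, as a percentage or a raw action count."""
    pct = tolerance_type == "Percentage"
    return sorted(s for s, acts in access.items()
                  if (100 * len(acts) / len(CATALOGUE[s]) if pct else len(acts)) >= tolerance)

def columns(access, tolerance=90):
    return {"Matching Services": len(matching_services(access, tolerance)),
            "Allowed Services": len(access),
            "Allowed Actions": sum(len(v) for v in access.values())}
```

Calling `effective_access(STACK)` evaluates the full stack; passing a shorter list of policy names models deselecting the others, which is how an over-broad direct policy shows up as the difference between the two results.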