Initial draft of effective permissions docs #26888

Open
wants to merge 1 commit into
base: master
Expand Up @@ -51,17 +51,29 @@ To remediate the identity risk, click **Fix in AWS** to update the resource in A

You can also use Terraform remediation to generate a pull request in GitHub with code changes that fix the underlying identity risk, or leverage [Workflow Automation][3] to create automated workflows for identity risks (with or without human involvement).

## Gain visibility into who can access at-risk resources
## Gain visibility into at-risk resource access

To see all the principals that can directly or indirectly access a given misconfigured resource, click the **Access Insights** tab in Misconfigurations, Identity Risks, and the Security Inbox. In this example, it shows all the principals that can access this EC2 instance:
In Misconfigurations, Identity Risks, and the Security Inbox, you can click the **Access Insights** tab to see:
- Which entities the resource can access across your accounts
- Which principals that can directly or indirectly access the resource

In this example, it shows all the principals that can access this EC2 instance:

{{< img src="security/csm/access_insights.png" alt="The Access Insights panel, showing a list of publicly accessible EC2 instances with highly privileged IAM roles" width="100%">}}

You can see the risks associated with each principal in the **Risks** column, as well as the type of **Path** the principal can take (direct or indirect) to access the resource.
Under **What can this resource access?**, you can:
- See the account associated with each entity, and details about the access type
- Search for entities, or filter them by entity type or account
- View a list of excluded policies
- Use the **All**, **Direct Access**, and **Indirect Access** tabs to filter which entities display in the table
- Click the **Actions** dropdown beside an entity to see it in Resource Catalog, or update its configuration in AWS IAM console

You can search for a subset of principals by name, type, public accessibility, or administrative access. Additionally, you can filter for direct or indirect access.
Under **Who can access this resource?**, you can:
- See the risks associated with each principal in the **Risks** column, as well as the type of **Path** the principal can take (direct or indirect) to access the resource
- Filter principals by name, type, public accessibility, or administrative access
- Use the **All**, **Direct Access**, and **Indirect Access** tabs to filter which principals display in the table
- Click the **Actions** dropdown beside a principal to see it in Resource Catalog, or update its configuration in AWS IAM console

Click the **Actions** dropdown beside a principal to see it in Resource Catalog, or update its configuration in AWS IAM console.

## AWS IAM Access Analyzer integration

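Review bot: the new bullet "Which principals that can directly or indirectly access the resource" is ungrammatical; drop "that" so it reads "Which principals can directly or indirectly access the resource". Both **Actions** bullets end with "in AWS IAM console"; "in the AWS IAM console" reads better, and since the two bullets are otherwise identical apart from entity/principal, a single shared sentence after both sections would avoid the duplication. The retained sentence "In this example, it shows all the principals that can access this EC2 instance" now follows a two-item list covering both outbound and inbound access, so "it" has no clear referent; naming the section, for example "In this example, the **Who can access this resource?** section shows all the principals that can access this EC2 instance", would fix that.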