Cloud Identity Inventory
Prisma Cloud Enterprise Edition
Prisma Cloud surfaces detailed information on IAM access in your cloud environment to give you greater visibility into over-privileged AWS Groups and Roles. You can then take action to enforce least privileged access by removing unused privileges and restricting permissions within existing AWS Groups and Roles.
IAM Details View
Select Inventory > Assets and click on any asset to view more detailed information. Choose IAM Details from the top navigation bar to view the following IAM information:
Role
- Trust relationships - Lists resources or services assigned to a role, including last access permission data
- Policies - Lists policies attached to the role and last access information
- Trusted Entities - User, Role, SAML Provider, OIDC Provider, Lambda function, ECS, IDP (no link)
- Granted Policies - Managed and Inline
Group
- Group membership - Lists users assigned to the group and last access information for those users
- Policies - Lists policies associated with the group and last access information
- Granted Policies - Managed and Inline
Policy
- Role specific - Lists roles associated with a policy and last access data
- Group specific - Lists groups associated with a policy and last access information
- Resource specific - Lists resources (users) directly attached to the policy and last access data
Remediate Over Privileged Access
You also have the option to right-size permissions for AWS Groups and Roles. The Suggest Least Privilege Access wizard helps you remediate overly permissive access by helping you:
- Create a new policy for a Group or Role that includes all the permissions required by its members.
- Repurpose existing policies that already contain the minimum required permissions for any given Group or Role.
Follow the steps below to use the Suggest Least Privilege Access wizard:
- Navigate to Inventory > Assets and click on any asset to view the Assets sidecar.
- Choose the IAM Details View and select Suggest Least Privilege Access from the top navigation bar.
- The Suggest Least Privilege Access wizard allows you to set the period of time after which a permission is considered "unused" for a particular asset. Move the slider to any defined time limit of your choice. By default, the slider is set at 90 days, and options ranging from 1 day to 2 years are available. Last access days are calculated from the day IAM is enabled in your environment.
- Next, create a customized IAM policy in your preferred output format:
  - Select Create New AWS Policy to generate a file with code to create a new Custom policy that includes all used permissions. Supported policy types include Managed, Custom, and Inline. The following output formats are available: JSON, Terraform, and CloudFormation.
  - Select Reuse Existing AWS Policy to repurpose an existing Managed or Custom policy. Choose from one of the following output options:
    - Terraform file with existing minimum required permissions.
    - List of policies with the appropriate minimum permissions. Only policies with no conditions applied and the parameters Effect = 'Allow' and Resource = '*' can be considered for reuse.
- Select the Summary tab to view and download the code for your custom policy. If you opted to reuse a policy, select Download File to download the Terraform file or click on any listed policy to reuse it.
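The following Python script is an added illustration of the two strategies the wizard offers, not Prisma Cloud's own code or algorithm. It takes constructed last-access data for one role's granted permissions, keeps only the permissions used within a configurable look-back window (90 days by default, as in the wizard), emits a new JSON policy document containing just those actions, and then screens a set of constructed existing policies against the reuse criteria stated above (no Condition, Effect = 'Allow', Resource = '*'). The additional requirement that a reusable policy must cover every used action, and the wildcard matching of actions such as s3:*, are assumptions made for the example.

```python
"""Least-privilege policy suggestion, illustrated on constructed sample data.

Not Prisma Cloud's implementation: it reproduces the logic described on the
page (unused-permission threshold, new-policy generation, reuse eligibility)
so the trade-offs can be seen on concrete input.
"""
import fnmatch
import json
from datetime import date, timedelta

# Constructed sample: last-access date per permission granted to one role.
# None means the permission has never been used since IAM visibility was enabled.
TODAY = date(2024, 6, 1)
GRANTED_PERMISSIONS = {
    "s3:GetObject": date(2024, 5, 20),
    "s3:PutObject": date(2024, 5, 28),
    "s3:DeleteBucket": date(2023, 1, 15),   # unused for well over a year
    "iam:PassRole": None,                   # never used
    "ec2:DescribeInstances": date(2024, 3, 1),  # used 92 days ago
}

# Constructed sample: existing customer-managed policies that might be reused.
EXISTING_POLICIES = {
    "S3ReadWrite": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["s3:GetObject", "s3:PutObject"],
                       "Resource": "*"}],
    },
    "S3ReadConditional": {  # carries a Condition, so not eligible for reuse
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
                       "Condition": {"Bool": {"aws:SecureTransport": "true"}}}],
    },
    "BucketAdmin": {  # resource-scoped rather than Resource "*", so not eligible
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:*"],
                       "Resource": "arn:aws:s3:::example-bucket"}],
    },
}


def used_permissions(granted, threshold_days=90, today=TODAY):
    """Permissions accessed within the last `threshold_days` (sorted).

    Anything never used, or last used before the cutoff, is treated as
    "unused" and dropped, mirroring the wizard's slider.
    """
    cutoff = today - timedelta(days=threshold_days)
    return sorted(p for p, last in granted.items()
                  if last is not None and last >= cutoff)


def build_policy(actions, resource="*"):
    """Assemble a new IAM policy document granting only the listed actions."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": list(actions),
                           "Resource": resource}]}


def _statement_actions(stmt):
    """Normalise the Action field, which may be a string or a list."""
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def _eligible(stmt):
    """Reuse criteria from the page: Allow, Resource '*', no Condition."""
    return (stmt.get("Effect") == "Allow"
            and stmt.get("Resource") == "*"
            and "Condition" not in stmt)


def reusable_policies(existing, needed):
    """Names of eligible policies whose actions cover every needed action.

    Coverage uses IAM-style wildcard matching (assumption for this example).
    """
    names = []
    for name, doc in existing.items():
        stmts = doc.get("Statement", [])
        if not stmts or not all(_eligible(s) for s in stmts):
            continue
        patterns = [a for s in stmts for a in _statement_actions(s)]
        if all(any(fnmatch.fnmatchcase(n, p) for p in patterns) for n in needed):
            names.append(name)
    return sorted(names)


if __name__ == "__main__":
    for days in (90, 365):
        used = used_permissions(GRANTED_PERMISSIONS, threshold_days=days)
        print(f"--- unused threshold: {days} days ---")
        print(json.dumps(build_policy(used), indent=2))
        print("reusable:", reusable_policies(EXISTING_POLICIES, used))
```

Running it shows the effect of the threshold: at 90 days ec2:DescribeInstances (last used 92 days before the sample date) falls out and the existing S3ReadWrite policy qualifies for reuse; at 365 days it is kept, no existing policy covers the full set, and only the newly generated policy fits. s3:DeleteBucket and the never-used iam:PassRole are dropped in both cases.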