: Cloud Identity Inventory

Cloud Identity Inventory

Table of Contents

Cloud Identity Inventory

Prisma Cloud surfaces detailed information on IAM access in your cloud environment to give you greater visibility into over-privileged AWS Groups and Roles. You can then take action to enforce least privileged access by removing unused privileges and restricting permissions within existing AWS Groups and Roles.

IAM Details View

Inventory > Assets
and click on any asset to view more detailed information. Choose
IAM Details
from the top navigation bar to view the following IAM information:
Trust relationships - Lists resources or services assigned to a role, includes last access permission data
Policies - Lists policies attached to the role and last access information
Trusted Entities - User, Role, SAML Provider, OIDC Provider, Lambda function, ECS, IDP - No Link
Granted Policies - Managed and Inline
Group membership - Lists users assigned to the group and last access information for users
Policies - Lists policies associated with the group and last access information
Granted Policies - Managed and Inline
Role specific - Lists roles associated with a policy and last access data
Group specific - Lists groups associated with a policy and last access information
Resource specific - Lists resources (users) directly attached to the policy and last access data

Remediate Over Privileged Access

You also have the option to right-size permissions for AWS Groups and Roles. The
Suggest Least Privilege Access
wizard helps you remediate overly permissive access by helping you:
  • Create a new policy for a Group or Role that includes all the permissions required by its members.
  • Repurpose existing policies that already contain the minnimum required permissions for any given Group or Role.
Follow the steps below to use the
Suggest Least Privilege Access
  1. Navigate to
    Inventory > Assets
    and click on any asset to view the Assets sidecar.
  2. Choose the
    IAM Details View
    and select
    Suggest Least Privilege Access
    from the top navigation bar.
  3. The
    Suggest Least Privilege Access
    wizard allows you to set the period of time after which a permission will be considered be “unused”, for a particular asset. Move the slider to any defined time limit of your choice. By default, the slider is set at 90 days and options ranging 1 day to 2 years are available. Last access days are calculated from the day IAM is enabled in your environment.
  4. Next, create a customized IAM policy in your preferred output format:
    1. Select
      Create New AWS Policy
      to generate a file with code to create a new Custom policy, including all used permissions. Supported policy types include Managed, Custom, and Inline. The following output formats are avaiable: *JSON *Terraform *Cloud Formation
    2. Select
      Reuse Existing AWS Policy
      to repurpose an existing Managed or Custom policy. Choose from one of the following output options:
      • Terraform file with existing minimum required permissions.
      • List of policies with the appropriate minimum permissions.
        Only policies with no conditions applied and the parameters
        Effect = ’Allow’ and Resource = ‘*’
        can be considered for reuse.
  5. Select the
    tab to view and download the code for your custom policy. If you opted to reuse a policy, select
    Download File
    to download the Terraform file or click on any listed policy to reuse it.

Recommended For You