Cloud Entitlements Manager now provides visibility into permissions usage for employee identities accessing AWS roles via federation, through either AWS Identity and Access Management (IAM) or AWS Single Sign-On (SSO). Many organizations utilize federation to establish trust between their Identity Provider and AWS, allowing users to assume an AWS role and access resources in their environments.
Cloud Entitlements Manager customers and free trial users federating access to AWS via their preferred SSO provider can now identify a) which user identities accessed which AWS IAM roles and b) which identities used permissions assigned to the IAM role. This added visibility streamlines workflows for risk reduction processes, enabling organizations to confidently expand in the cloud by following AWS best practices and federating access.
AWS regards using roles to delegate permissions as an IAM best practice, as it reduces the volume of user credentials and access keys and lowers overall risk of credential theft. By federating access to AWS roles, organizations can manage their user identities outside of AWS and provision these users with access to AWS infrastructure and services through their preferred SSO provider.
This visibility allows organizations to better understand usage patterns for IAM roles. Armed with this intelligence, organizations can review the permissions assigned to an AWS role and reduce risk by scoping down unused permissions as necessary. Organizations could additionally use these insights to build more efficient operations provisioning access in their AWS environments. Armed with intelligence regarding which permissions are actually used, organizations can create new IAM roles for specific tasks used by only a select number of users.
CEM’s improved visibility and control over federated identities and their entitlements is critical for implementing least privilege in AWS environments.
As with all Cloud Entitlements Manager features, detection of entitlements for federated identities is available with our 30-Day Free Trial.
For information on this release and all Cloud Entitlements Manager updates, please visit our “What’s New” section on CyberArk Docs.