
Entitlement Management Identities

In preview: Entitlement management is currently in preview.

To display an identity's details, go to Entitlements > Explorer, select Identities above the filters, and then click an identity in the list.

  • The Summary provides identity details and a trend chart for Granted vs used (in the past 180 days) entitlements. Click the information icon for each risk to display an explanation about why it's an identity risk factor.
  • The Entitlements tab displays the used and unused entitlements for each service. Click a service in the left panel to display its resource and entitlement details.
  • The Linked identities tab contains two separate subtabs with inbound and outbound privilege information. Click the More actions icon to view identity details or open the Resource Explorer.
  • The Remediations tab provides information about available remediations based on the risks identified for the specified identity. Click a remediation to view the suggested actions, rationale for remediation, and resulting risk reduction.

Summary

This tab provides a summary of identity details and a trend chart for Granted vs used (in the past 180 days) entitlements.

The risk severity is the highest severity of the risks that are associated with the identity.

To view the identity in a resource context, click the View in Resource Explorer icon (next to the Principal ID). To view access key details, hover over the access key. For risk details, click individual risk information icons.

The Summary tab displays the following information:

  • Name - An identity name is a unique identifier or name assigned to an individual or entity within the cloud environment. It represents a specific user, service account, group, or role that has access rights and permissions to interact with the cloud resources and services.
  • Type - An identity type refers to the classification or category of an identity within the cloud environment. Currently supported types: AWS group, AWS instance profile, AWS role, AWS root user, AWS service, AWS service-linked role, and AWS user.
  • Principal ID - The principal ID from the cloud service provider.
  • Account - The account ID from the cloud service provider.
  • Last used time - The last time the identity was used to access a resource or entitlement.
  • Created time - The creation date.
  • Access keys - Applicable to user identity types only. The access keys associated with the identity and whether they are active or inactive. You must guard them carefully because they can be used to access your cloud resources and perform unauthorized actions or compromise security.
  • Risks - The identity's overall risk and the individual risks that are associated with the identity. Color-coded icons indicate the risks' severities. Click the information icon for details about each risk. Refer to Entitlement risks for a list of all possible risks.
  • Tags - The tags assigned to the identity for categorization.

Identity Types

  • AWS group - A collection of IAM users that lets you specify permissions for multiple users. For more information, refer to IAM user groups in the AWS documentation.
  • AWS instance profile - Represents the identity of an EC2 instance. The instance profile's permissions are derived from assuming a role whose permissions were defined by an authorized user. For more information, refer to Using instance profiles in the AWS documentation.
  • AWS role - An IAM identity that you can create in your account that has specific permissions. For more information, refer to IAM roles in the AWS documentation.
  • AWS root user - The single sign-in identity you begin with when you create an AWS account. It has complete access to all AWS services and resources in the account. For more information, refer to AWS account root user in the AWS documentation.
  • AWS service - A specific cloud functionality.
  • AWS service-linked role - A type of IAM role that is linked directly to an AWS service. It is predefined by the service and includes all permissions that the service requires to call other AWS services on your behalf. For more information, refer to Using service-linked roles in the AWS documentation.
  • AWS user - An entity that represents the human user or workload that uses the IAM user to interact with AWS. For more information, refer to IAM users in the AWS documentation.

Entitlements

This tab displays the percentage and number of the total granted entitlements that have been used for each service. Click a service in the left panel to display its details.

The table has the following information:

  • Resource - The ARN or expression of the resource that the identity has privileges for.
  • Actions - The actions that the entitlements allow. If a non-expanded wildcard is present, it means that none of the actions within that wildcard are used. Wildcards are expanded if any discrete actions within the service are used.
  • Account - The account identifier from the cloud service provider.
  • Used? - The last time the identity was used. No means it has not been used in the past 180 days.
  • Policy name - The name of the policy that defines the identity's permissions.

Linked Identities

This tab contains two separate subtabs with the following information:

  • Inbound - The selected identity's privileges can be assumed by the identities listed here. For example, if the current identity is an AWS role and a list of users is in this section, then these users can assume the role in question.
  • Outbound - The selected identity can assume the privileges of the identities listed here. For example, if the current identity is an AWS role and a list of users is in this section, then the role in question can assume these users' privileges.

The tables have the following information:

  • Principal ID - The principal ID from the cloud service provider.
  • Name - Name of the identity.
  • Account ID - The account ID from the cloud service provider.
  • Account alias - The account alias from the cloud service provider.
  • Relation type - How the privileges relate.

The More actions icon lets you access actions such as View identity details and View in Resource Explorer.

Remediations

This tab provides information about available remediations based on the risks identified for the specified identity.

For detailed information, refer to Entitlement Management Remediation.

Access Entitlement and Identity LQL Datasources

You can access entitlement and identity data directly from Lacework Query Language (LQL) datasources using the Lacework CLI. If you are new to LQL, refer to LQL Overview to learn more.

If you are new to the Lacework CLI, refer to Get Started to learn about installing and configuring the CLI.

List Available Datasources

The following command lists the available relevant datasources. The prefix LW_ denotes Lacework-created data and CE_ denotes cloud entitlements.

lacework query list-sources | grep LW_CE
LW_CE_ENTITLEMENTS
LW_CE_IDENTITIES

Preview Datasources

The following command previews the LW_CE_IDENTITIES datasource.

Example command
lacework query preview-source LW_CE_IDENTITIES
Example output
{
  "ACCESS_KEYS": {},
  "CREATED_TIME": 1635442232000,
  "DOMAIN_ID": "123456789012",
  "LAST_USED_TIME": null,
  "METRICS": {
    "risk_score": 0.0,
    "risk_severity": "INFO"
  },
  "NAME": "ReadOnly+IAMFullAcces",
  "PRINCIPAL_ID": "arn:aws-us-gov:iam::123456789012:group/ReadOnly+IAMFullAcces",
  "PROVIDER_TYPE": "AWS",
  "RECORD_CREATED_TIME": 1697097600000,
  "TAGS": {}
}

The following command previews the LW_CE_ENTITLEMENTS datasource.

Example command
lacework query preview-source LW_CE_ENTITLEMENTS
Example output
{
  "ACTION": "securityhub:GetEnabledStandards",
  "DOMAIN_ID": "123456789012",
  "LAST_USED_TIME": null,
  "POLICY_ID": "arn:aws-us-gov:iam::123456789012:user/Administrator:policy/AdminUser:default:0",
  "PRINCIPAL_ID": "arn:aws-us-gov:iam::123456789012:user/Administrator",
  "PROVIDER_TYPE": "AWS",
  "RECORD_CREATED_TIME": 1697097600000,
  "RESOURCE_ID": "*",
  "RESOURCE_TYPE": "securityhub",
  "SERVICE": "securityhub"
}
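As an added example (not part of the Lacework documentation or product code), the following Python reproduces, over records in the shape of the LW_CE_ENTITLEMENTS preview above, the two calculations the Entitlements tab describes: the Used? flag based on the 180-day window, and the granted vs used counts per service. The sample records, ARNs and the fixed "now" timestamp are constructed for illustration.

```python
from collections import defaultdict

DAY_MS = 24 * 60 * 60 * 1000
WINDOW_MS = 180 * DAY_MS          # the 180-day window the Entitlements tab uses
NOW_MS = 1_700_000_000_000        # fixed "now" (epoch ms) so results are reproducible

# Constructed sample records with the LW_CE_ENTITLEMENTS fields this script needs;
# the account, ARNs and timestamps are made up.
SAMPLE_RECORDS = [
    {"PRINCIPAL_ID": "arn:aws:iam::123456789012:user/Administrator",
     "SERVICE": "securityhub", "ACTION": "securityhub:GetEnabledStandards",
     "RESOURCE_ID": "*", "LAST_USED_TIME": None},               # never used
    {"PRINCIPAL_ID": "arn:aws:iam::123456789012:user/Administrator",
     "SERVICE": "s3", "ACTION": "s3:GetObject",
     "RESOURCE_ID": "arn:aws:s3:::example-bucket/*",
     "LAST_USED_TIME": NOW_MS - 3 * DAY_MS},                    # used recently
    {"PRINCIPAL_ID": "arn:aws:iam::123456789012:user/Administrator",
     "SERVICE": "s3", "ACTION": "s3:DeleteBucket",
     "RESOURCE_ID": "*", "LAST_USED_TIME": NOW_MS - 200 * DAY_MS},  # outside window
    {"PRINCIPAL_ID": "arn:aws:iam::123456789012:user/Administrator",
     "SERVICE": "iam", "ACTION": "iam:CreateAccessKey",
     "RESOURCE_ID": "*", "LAST_USED_TIME": None},               # never used
]

def is_used(record, now_ms=NOW_MS):
    """Used? as the tab defines it: a LAST_USED_TIME inside the trailing
    180-day window. A null LAST_USED_TIME counts as never used."""
    last = record.get("LAST_USED_TIME")
    return last is not None and now_ms - last <= WINDOW_MS

def service_usage(records, now_ms=NOW_MS):
    """Granted and used entitlement counts per service, plus the used percentage."""
    granted, used = defaultdict(int), defaultdict(int)
    for rec in records:
        granted[rec["SERVICE"]] += 1
        if is_used(rec, now_ms):
            used[rec["SERVICE"]] += 1
    return {svc: {"granted": granted[svc], "used": used[svc],
                  "used_pct": round(100.0 * used[svc] / granted[svc], 1)}
            for svc in granted}

def unused_entitlements(records, now_ms=NOW_MS):
    """(principal, action, resource) triples granted but not used in the window:
    the candidates for scoping a policy down."""
    return sorted((r["PRINCIPAL_ID"], r["ACTION"], r["RESOURCE_ID"])
                  for r in records if not is_used(r, now_ms))

if __name__ == "__main__":
    for svc, stats in service_usage(SAMPLE_RECORDS).items():
        print(f"{svc:12} granted={stats['granted']} used={stats['used']} ({stats['used_pct']}%)")
    for _principal, action, resource in unused_entitlements(SAMPLE_RECORDS):
        print(f"unused: {action} on {resource}")
```

Records pulled from the real datasource carry more fields than the sample, but only SERVICE, ACTION, RESOURCE_ID, PRINCIPAL_ID and LAST_USED_TIME are read here.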