
Entitlement Management Remediation


Entitlement management is currently in preview.

The Remediations tab provides information about available remediations based on the risks identified for the specified identity.

In the list of remediations, each remediation has a corresponding Entitlements Removed number and percentage. These values are the number of entitlements that performing that specific remediation would remove, and that number as a share of the identity's total entitlements. For example, you have the following Remediation and Entitlements Removed values:

Remediation: Detach policy AdministratorAccess
Entitlements Removed: 361 (64.12%)

This means that detaching the AdministratorAccess policy removes 361 entitlements, which is 64.12% of all the entitlements the identity currently holds.

If you choose to remediate the issue, follow your organization's change workflow.

The following information is available for each remediation:

  • Suggestion - What to do to accomplish remediation.
  • Rationale - Why you should perform remediation.
  • Risk reduction - The change in overall risk severity and the entitlements removed that the remediation achieves. The table shows the risk severity before and after remediation, the resulting risk change, and the number of entitlements removed.
  • Entitlement Details - Details about entitlements, including service, resource, action, and policy.

Statement Indexes

An AWS IAM policy can contain multiple statements, each defining a single entitlement or a set of entitlements. For example, you have a policy with the following statements:

  • Statement 1: Allow start and stop actions for EC2 instances with name starting with "project-1".
  • Statement 2: Allow read and delete actions for the S3 buckets: customer-data, sales-orders.

The statement index identifies which of these statements defines the entitlement flagged as excessive, so you can go straight to that statement in the policy document when you edit it instead of reading the whole policy.
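The following Python script is an added example, not part of this page or of the product, that shows how a statement index maps back to an IAM policy document and how an "entitlements removed" count and percentage can be derived for each statement. The policy document, its ARNs and the Sid are constructed to match the two statements described above; the product's own counting rules are not documented here, so the example assumes that one entitlement is one (action, resource) pair, and it does not evaluate Condition, NotAction or NotResource elements.

```python
import fnmatch
import json
from typing import Iterator

# Constructed sample policy reproducing the two statements described above.
# The ARNs, action names and Sid are hypothetical choices for illustration.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # Statement index 0: start/stop EC2 instances whose Name tag starts with "project-1"
            "Sid": "Project1InstanceControl",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringLike": {"aws:ResourceTag/Name": "project-1*"}},
        },
        {   # Statement index 1: read and delete objects in two S3 buckets (no Sid)
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:DeleteObject"],
            "Resource": ["arn:aws:s3:::customer-data/*", "arn:aws:s3:::sales-orders/*"],
        },
    ],
})


def _as_list(value) -> list:
    """IAM accepts a single string wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]


def iter_entitlements(policy_json: str) -> Iterator[tuple[int, str, str, str]]:
    """Yield (statement_index, effect, action, resource) for every action/resource
    pair the policy states. Condition, NotAction and NotResource are not modelled
    here (assumption of this example); a real evaluator must handle them."""
    policy = json.loads(policy_json)
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        effect = stmt.get("Effect", "Deny")
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                yield index, effect, action, resource


def statements_granting(policy_json: str, action: str, resource: str = "*") -> list[int]:
    """Return the indexes of Allow statements whose patterns match the given action
    and (unless resource is "*", meaning any) the given resource ARN. IAM matches
    action names case-insensitively with '*' and '?' wildcards, which fnmatch also
    understands; ARNs are matched case-sensitively."""
    hits = set()
    for index, effect, pat_action, pat_resource in iter_entitlements(policy_json):
        if effect != "Allow":
            continue
        if not fnmatch.fnmatchcase(action.lower(), pat_action.lower()):
            continue
        if resource != "*" and not fnmatch.fnmatchcase(resource, pat_resource):
            continue
        hits.add(index)
    return sorted(hits)


def removal_summary(policy_json: str, index: int) -> tuple[int, float]:
    """Count the entitlements one statement contributes and their share of the policy
    total, in the style of the Entitlements Removed column (N and percentage).
    Assumption: one entitlement is one (action, resource) pair."""
    pairs = list(iter_entitlements(policy_json))
    removed = sum(1 for pair in pairs if pair[0] == index)
    percent = round(100.0 * removed / len(pairs), 2) if pairs else 0.0
    return removed, percent


def describe(policy_json: str) -> list[str]:
    """One line per statement (index, Sid if any, entitlement count and share), so an
    index reported next to an excessive privilege can be located in the policy text."""
    policy = json.loads(policy_json)
    lines = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        removed, percent = removal_summary(policy_json, index)
        sid = stmt.get("Sid", "<no Sid>")
        lines.append(f"Statement {index} ({sid}): {removed} entitlements ({percent}%)")
    return lines


if __name__ == "__main__":
    for line in describe(SAMPLE_POLICY):
        print(line)
    print("s3:DeleteObject on sales-orders is granted by statement index(es):",
          statements_granting(SAMPLE_POLICY, "s3:DeleteObject",
                              "arn:aws:s3:::sales-orders/report.csv"))
```

Indexes here are the zero-based positions in the policy's Statement array; when a statement carries a Sid, quote both the index and the Sid in a change request, because the Sid survives reordering of the array while the index does not.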