Users

The Users page provides numerous ways to sort, filter, and rank the detected user information to quickly remediate identity risks associated with individuals and their permissions.

The GCP CIEM data is in Technical Preview status.

Filter and Sort

Sortable Columns

Actionable Risk

Values: Critical, High, Medium, Low

Actionable Risk focuses on unused permissions, while Risk looks at all permissions. Actionable Risk is designed to help you achieve Least Permissive access.

Risk

Values: Critical, High, Medium, Low

This is a calculation of risk based on all permissions. See also: Understanding Risk Scoring.

% of Unused Permissions

This shows the user's unused permissions as a share of their total granted permissions, displayed as a percentage graph.

When remediating, start with the users with the greatest exposure and reduce their permissions according to the suggestions.

Highest Access

See also: Understand Highest Access

Values:

  • Admin: Admin access granted
  • Write: Write access granted
  • Read: Read access granted
  • Empty Access: No permissions are granted at all

Findings

The findings on User pages include:

  • No MFA
  • Admin

AWS-Specific

  • Access Key Not Rotated
  • Multiple Access Keys Active
  • Root User
  • Inactive

GCP-Specific

  • Editor Role Applied
  • Owner Role Applied
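The following is an added example, not part of the Sysdig product or this page, that reproduces the AWS and GCP finding checks listed above as plain Python over constructed IAM user records (no real accounts or keys). The 90-day key-rotation window is an assumption; 400 days is the inactivity figure this page uses later for the delete-an-inactive-user recommendation. It shows what each finding concretely tests for, including the edge case of a brand-new user that has no activity yet.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds are assumptions for this example: the page does not state a
# rotation window, and 400 days is the inactivity figure it uses when it
# recommends deleting an inactive user.
KEY_ROTATION_DAYS = 90
INACTIVE_DAYS = 400


@dataclass
class AccessKey:
    key_id: str
    status: str                     # "Active" or "Inactive", as IAM reports it
    created: datetime
    last_used: Optional[datetime]   # None if the key has never been used


@dataclass
class IamUser:
    arn: str
    name: str
    created: datetime
    mfa_devices: int                # MFA devices enabled for this user
    password_last_used: Optional[datetime]
    access_keys: List[AccessKey] = field(default_factory=list)
    highest_access: str = "Read"    # Admin, Write, Read or "Empty Access"


def last_activity(user: IamUser) -> datetime:
    """Most recent console or API use. Falls back to the creation time so a
    brand-new user with no activity yet is not reported as inactive."""
    stamps = [user.password_last_used] + [k.last_used for k in user.access_keys]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else user.created


def evaluate_findings(user: IamUser, now: datetime) -> List[str]:
    """Return the AWS finding names from the lists above that apply to this user."""
    findings = []
    if user.mfa_devices == 0:
        findings.append("No MFA")
    if user.highest_access == "Admin":
        findings.append("Admin")
    if user.arn.endswith(":root"):
        findings.append("Root User")
    active_keys = [k for k in user.access_keys if k.status == "Active"]
    if any(now - k.created > timedelta(days=KEY_ROTATION_DAYS) for k in active_keys):
        findings.append("Access Key Not Rotated")
    if len(active_keys) > 1:
        findings.append("Multiple Access Keys Active")
    if now - last_activity(user) > timedelta(days=INACTIVE_DAYS):
        findings.append("Inactive")
    return findings


def gcp_role_findings(bound_roles: List[str]) -> List[str]:
    """GCP-specific findings: the basic roles roles/editor and roles/owner."""
    findings = []
    if "roles/editor" in bound_roles:
        findings.append("Editor Role Applied")
    if "roles/owner" in bound_roles:
        findings.append("Owner Role Applied")
    return findings


def report(users: List[IamUser], now: datetime) -> Dict[str, List[str]]:
    return {u.name: evaluate_findings(u, now) for u in users}


# Constructed sample data, not real principals or keys; 123456789012 is the
# placeholder account ID used in AWS documentation.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    IamUser(arn="arn:aws:iam::123456789012:root", name="root",
            created=NOW - timedelta(days=900), mfa_devices=0,
            password_last_used=NOW - timedelta(days=3), highest_access="Admin"),
    IamUser(arn="arn:aws:iam::123456789012:user/ci-deploy", name="ci-deploy",
            created=NOW - timedelta(days=600), mfa_devices=0, password_last_used=None,
            access_keys=[
                AccessKey("key-1", "Active", NOW - timedelta(days=400), NOW - timedelta(days=1)),
                AccessKey("key-2", "Active", NOW - timedelta(days=10), None),
            ],
            highest_access="Write"),
    IamUser(arn="arn:aws:iam::123456789012:user/old-contractor", name="old-contractor",
            created=NOW - timedelta(days=800), mfa_devices=1,
            password_last_used=NOW - timedelta(days=450), highest_access="Admin"),
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE_USERS, NOW).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

Note that the inactivity check looks at the newest of the password and every access key's last use, so a user whose console password is stale but whose key is in daily use is not flagged, while a user with no credentials used at all since creation is.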

Available Filters

  • Search: Free-text search on terms in the resource (user) name
  • Actionable Risks: By severity
  • Cloud Accounts: Account name/number by cloud provider (e.g. AWS)
  • Access Categories: Admin, Write, Read, or Empty Access
  • Policy Types: AWS-Managed, Customer, Inline
  • Findings: Any of the finding types listed above

Analyze and Remediate

To reduce the entitlements for a particular user, click the user name to open the detail drawer and its subtabs. The Optimization Examples below describe the available remediation options.

Detail Drawers

The Users page organizes everything around the individual user.

  • Overview: Displays the critical permissions issues detected for this user, sorted by Risk and Actionable Risk.
  • Attached IAM Policies: Displays the policies this user is connected to, sorted by permissions unused from the policy and total permissions included in the policy.
  • Attached Groups: Displays the groups this user is connected to, sorted by unused permissions and permissions count.
  • User Details: Displays a summary of this user’s total granted permissions, group associations, activity, user ARN, and findings.

Optimization Examples

Sysdig suggests various remediation possibilities.

Understand User Permission Details

  • Total Permissions are the total number of permissions granted to a user from all the policies the user is associated with.
  • Unused Permissions/Permissions Unused are the total number of unused permissions across all the user’s policies.
  • Permissions Given are the permissions granted to a user per policy.

Investigate the Attached IAM Policies tab in a user’s detail drawer to see how the permission totals are divided and how to handle the surfaced risks.

For example, this user has been granted a total of 421 permissions divided between two policies; 403 of them are unused.

To remediate the permissions in this example, you might:

  • Delete an unused policy: In the example above, the policy with 103 permissions given has not been used by any IAM entity. Sysdig recommends removing this policy from your AWS environment.
  • Optimize the Policy Globally (see example).
  • Create an Optimized User Policy (below).

See also: Understanding the Suggested Policy Changes.
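As an added example (not code from this page or from Sysdig), here is the accounting behind the three terms above and the three remediation options, written in Python over a constructed pair of attached policies. The action sets and counts are invented and smaller than the 421/403 example above, but the shape matches: one policy partly used by this user, one policy used by nobody. The last function builds the kind of least-privilege policy document that Create an Optimized User Policy refers to, granting only the actions the user was observed using.

```python
import json
from typing import Dict, List, Optional, Set


def policy_breakdown(policies: Dict[str, Set[str]], used_by_user: Set[str],
                     used_by_others: Set[str]) -> List[dict]:
    """One row per attached policy, as in the Attached IAM Policies tab:
    Permissions Given, how many of them this user left unused, and whether any
    permission in the policy was exercised by any IAM entity at all."""
    rows = []
    for name, granted in policies.items():
        used_here = granted & used_by_user
        rows.append({
            "policy": name,
            "permissions_given": len(granted),
            "permissions_unused": len(granted) - len(used_here),
            "used_by_any_entity": bool(granted & (used_by_user | used_by_others)),
        })
    return rows


def user_totals(rows: List[dict]) -> dict:
    """Total Permissions and Unused Permissions are sums over the attached
    policies, which is how the page splits 421 permissions between two policies;
    a permission granted by two policies is therefore counted twice."""
    total = sum(r["permissions_given"] for r in rows)
    unused = sum(r["permissions_unused"] for r in rows)
    pct = round(100 * unused / total) if total else 0
    return {"total_permissions": total, "unused_permissions": unused, "pct_unused": pct}


def suggest_remediation(rows: List[dict]) -> List[str]:
    """Map each policy onto the options listed above: delete it when nothing in
    it is used by any entity, otherwise optimize it if this user leaves
    permissions unused."""
    suggestions = []
    for r in rows:
        if not r["used_by_any_entity"]:
            suggestions.append(f"Delete {r['policy']}: none of its "
                               f"{r['permissions_given']} permissions is used by any IAM entity")
        elif r["permissions_unused"] > 0:
            suggestions.append(f"Optimize {r['policy']}: {r['permissions_unused']} of "
                               f"{r['permissions_given']} permissions unused by this user")
    return suggestions


def optimized_user_policy(used_by_user: Set[str]) -> Optional[dict]:
    """Least-privilege replacement for all of the user's policies: only the
    actions the user actually exercised. Returns None for a user with no
    activity, because a statement with an empty Action list is not a valid
    policy (such a user is a deletion candidate, not an optimization one).
    Resource is left as "*"; scoping it to specific ARNs is a further step."""
    if not used_by_user:
        return None
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": sorted(used_by_user),
                           "Resource": "*"}]}


# Constructed sample: two attached policies, the user's observed activity and
# the activity of every other entity that shares these policies.
POLICIES = {
    "DataPipelineAccess": {"s3:GetObject", "s3:PutObject", "s3:ListBucket",
                           "sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"},
    "LegacyEC2Admin": {"ec2:RunInstances", "ec2:TerminateInstances",
                       "ec2:DescribeInstances", "ec2:CreateTags"},
}
USED_BY_USER = {"s3:GetObject", "s3:ListBucket", "sqs:SendMessage"}
USED_BY_OTHERS = {"s3:PutObject"}

if __name__ == "__main__":
    rows = policy_breakdown(POLICIES, USED_BY_USER, USED_BY_OTHERS)
    print(user_totals(rows))
    for line in suggest_remediation(rows):
        print(line)
    print(json.dumps(optimized_user_policy(USED_BY_USER), indent=2))
```

The "used by any IAM entity" flag is what separates the delete option from the optimize option: a policy this user never touched may still be in use through another user or role, in which case removing the attachment from this user is the safe move and deleting the policy is not.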

Create an Optimized User Policy

If the Optimize IAM Policy button is displayed on a User Detail Overview tab, you can download the suggested policy, upload it to your AWS Console, and associate it with this user. This option creates a new, user-specific policy that considers all the policies with which the user is associated.

You can also take note of the user’s existing policy associations listed in the Attached IAM Policies subtab and remove those associations in AWS. Attach the new policy before detaching the old ones, so the user is never left without permissions while the change is in progress.

Delete an Inactive User

Sometimes a user is associated with multiple policies and groups, with a very high cumulative number of permissions granted, yet Sysdig detects no activity from that user in the environment for over 400 days. In this case, removing the user from your cloud environment is recommended.

In the example above, this would eliminate all 15,521 granted permissions and remove the identified Critical risk.
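The two procedures above, creating an optimized user policy and deleting an inactive user, both end with removing a user's existing associations in AWS. The following added example (not the page's or Sysdig's code) writes them as ordered lists of boto3 IAM client calls, with an inventory helper and a dry-run client so you can read the exact calls before running them in a real account. The client method names and response keys are the standard boto3 ones; the user name, policy ARNs and key IDs are constructed placeholders, and the optimized policy is assumed to have been created already (create_policy or the console upload described above) so that its ARN is known.

```python
from typing import Any, Dict, List, Tuple

Op = Tuple[str, Dict[str, Any]]   # (boto3 IAM client method name, its keyword arguments)


def inventory(iam_client, user_name: str) -> Dict[str, Any]:
    """Collect a user's associations with the standard boto3 IAM calls. First
    page of each listing only; add paginators for users with many policies."""
    try:
        iam_client.get_login_profile(UserName=user_name)
        has_login_profile = True
    except iam_client.exceptions.NoSuchEntityException:
        has_login_profile = False
    return {
        "attached_policy_arns": [p["PolicyArn"] for p in
                                 iam_client.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]],
        "inline_policy_names": iam_client.list_user_policies(UserName=user_name)["PolicyNames"],
        "group_names": [g["GroupName"] for g in
                        iam_client.list_groups_for_user(UserName=user_name)["Groups"]],
        "access_key_ids": [k["AccessKeyId"] for k in
                           iam_client.list_access_keys(UserName=user_name)["AccessKeyMetadata"]],
        "mfa_serials": [m["SerialNumber"] for m in
                        iam_client.list_mfa_devices(UserName=user_name)["MFADevices"]],
        "has_login_profile": has_login_profile,
    }


def plan_policy_swap(user_name: str, new_policy_arn: str, attached_policy_arns: List[str],
                     inline_policy_names: List[str]) -> List[Op]:
    """Replace the user's existing associations with the optimized policy.
    Attach first and detach second, so the user never sits at Empty Access
    while the change is half applied."""
    plan: List[Op] = [("attach_user_policy", {"UserName": user_name, "PolicyArn": new_policy_arn})]
    for arn in attached_policy_arns:
        if arn != new_policy_arn:       # never detach the policy just attached
            plan.append(("detach_user_policy", {"UserName": user_name, "PolicyArn": arn}))
    for name in inline_policy_names:    # inline policies are deleted, not detached
        plan.append(("delete_user_policy", {"UserName": user_name, "PolicyName": name}))
    return plan


def plan_user_deletion(user_name: str, attached_policy_arns: List[str], inline_policy_names: List[str],
                       group_names: List[str], access_key_ids: List[str], mfa_serials: List[str],
                       has_login_profile: bool) -> List[Op]:
    """IAM rejects delete_user with DeleteConflict while any of these remain,
    so they are removed first. Signing certificates, SSH public keys and
    service-specific credentials also block deletion and would be added here
    the same way."""
    u = {"UserName": user_name}
    plan: List[Op] = []
    plan += [("detach_user_policy", {**u, "PolicyArn": a}) for a in attached_policy_arns]
    plan += [("delete_user_policy", {**u, "PolicyName": n}) for n in inline_policy_names]
    plan += [("remove_user_from_group", {"GroupName": g, **u}) for g in group_names]
    plan += [("delete_access_key", {**u, "AccessKeyId": k}) for k in access_key_ids]
    plan += [("deactivate_mfa_device", {**u, "SerialNumber": s}) for s in mfa_serials]
    if has_login_profile:
        plan.append(("delete_login_profile", dict(u)))
    plan.append(("delete_user", dict(u)))
    return plan


def execute(plan: List[Op], iam_client) -> int:
    """Run a plan; each entry names a method of the boto3 IAM client, so
    execute(plan, boto3.client("iam")) applies it for real."""
    for method, kwargs in plan:
        getattr(iam_client, method)(**kwargs)
    return len(plan)


class DryRunClient:
    """Stand-in for boto3.client("iam") that records calls instead of making
    them, so the plan can be reviewed before it touches the account."""
    def __init__(self) -> None:
        self.calls: List[Op] = []

    def __getattr__(self, method: str):
        def call(**kwargs):
            self.calls.append((method, kwargs))
        return call


# Constructed sample input (placeholder account, policy and key identifiers).
USER = "old-contractor"
NEW_POLICY_ARN = "arn:aws:iam::123456789012:policy/old-contractor-optimized"
CURRENT = {
    "attached_policy_arns": ["arn:aws:iam::123456789012:policy/DataPipelineAccess",
                             "arn:aws:iam::123456789012:policy/LegacyEC2Admin"],
    "inline_policy_names": ["adhoc-s3"],
    "group_names": ["contractors"],
    "access_key_ids": ["key-1"],
    "mfa_serials": ["arn:aws:iam::123456789012:mfa/old-contractor"],
    "has_login_profile": True,
}

if __name__ == "__main__":
    swap = plan_policy_swap(USER, NEW_POLICY_ARN, CURRENT["attached_policy_arns"],
                            CURRENT["inline_policy_names"])
    deletion = plan_user_deletion(USER, **CURRENT)
    for label, plan in (("optimize", swap), ("delete", deletion)):
        client = DryRunClient()
        execute(plan, client)
        print(label, [method for method, _ in client.calls])
```

With a real client, `plan_user_deletion(name, **inventory(iam, name))` builds the deletion plan from the live account; run it through DryRunClient first and compare the recorded calls with what the User Details tab lists for that user before executing against boto3.client("iam"). Group membership is removed rather than edited, so permissions the user received through groups disappear with the user and the groups themselves are untouched.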