Cloud Security Management Identity Risks

Cloud Security Management Identity Risks (CSM Identity Risks) is a Cloud Infrastructure Entitlement Management (CIEM) product that helps you mitigate entitlement risks across your clouds. It continually scans your cloud infrastructure for issues such as lingering administrative privileges, privilege escalation paths, permission gaps (provisioned permissions that are never used), large blast radii, and cross-account access, and it lets you resolve identity risks on an ongoing basis to protect your cloud infrastructure from IAM-based attacks. For quick remediation, it suggests downsized policies, Datadog Workflows-based remediations, and deep links to cloud consoles.

CSM Identity Risks is available for AWS, Azure, and GCP.

Review identity risks

Review your organization's active identity risks on the Identity Risks Explorer. Use the Group by options to group findings by Identity Risks, by Resources, or not at all (None lists individual identity risks). Click a finding to view additional details in the side panel.

CSM Identity Risks detections cover IAM users, roles, groups, and policies, as well as EC2 instances and Lambda functions.

CSM Identity Risks Explorers page

Remediate identity risks

For detailed insights and remediation help, click the Remediation tab. In the following example, the Remediation tab shows which of the provisioned permissions have actually been used.

The Remediation tab on the identity risks side panel shows the usage of provisioned permissions

Click View Suggested Policy to see a downsized policy that keeps only the permissions that were actually used.

Review suggestions for downsizing a policy on the Suggested downsized policy dialog
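The downsizing step above is a mechanical one: take the provisioned policy, expand its wildcards, and keep only the actions that were observed in use, leaving the rest as the permission gap. The script below is an added example that does exactly that; it is not Datadog's or AWS's code. The provisioned policy, the list of observed actions and the small action catalogue are constructed inline so it runs offline; in practice the observed actions would come from CloudTrail or from IAM Access Analyzer unused-access findings, and the catalogue from the full list of AWS service actions.

```python
"""Derive a downsized ("least privilege") IAM policy from a provisioned policy
and the actions a principal was actually observed using.

Added example, not Datadog's or AWS's code. The policy, the observed actions
and the action catalogue are constructed so the script runs offline."""
import fnmatch
import json

# Constructed: a tiny catalogue of actions per service, used to expand
# wildcard patterns such as "s3:*" or "ec2:Describe*".
ACTION_CATALOGUE = {
    "s3": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
           "s3:ListBucket", "s3:DeleteBucket"],
    "iam": ["iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
            "iam:ListUsers"],
    "ec2": ["ec2:DescribeInstances", "ec2:RunInstances",
            "ec2:TerminateInstances"],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def expand_action(pattern):
    """Expand one IAM action pattern into the concrete actions it matches.

    IAM action matching is case-insensitive and supports * and ? wildcards.
    """
    if pattern == "*":
        return {a for actions in ACTION_CATALOGUE.values() for a in actions}
    service, _, name = pattern.lower().partition(":")
    return {a for a in ACTION_CATALOGUE.get(service, [])
            if fnmatch.fnmatchcase(a.lower(), f"{service}:{name}")}


def provisioned_actions(policy):
    """All concrete actions granted by the policy's Allow statements."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            for pattern in _as_list(stmt.get("Action", [])):
                granted |= expand_action(pattern)
    return granted


def downsize(policy, used_actions):
    """Return (downsized_policy, unused_actions).

    Each Allow statement is rewritten to list only the concrete actions that
    were observed in use; its Resource and Condition are kept as-is, so the
    result is never broader than the original. Allow statements with no used
    actions are dropped and Deny statements are kept verbatim. The unused
    actions are the permission gap.
    """
    used = {a.lower() for a in used_actions}
    statements, unused = [], set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            statements.append(stmt)
            continue
        concrete = set()
        for pattern in _as_list(stmt.get("Action", [])):
            concrete |= expand_action(pattern)
        kept = sorted(a for a in concrete if a.lower() in used)
        unused |= {a for a in concrete if a.lower() not in used}
        if kept:
            statements.append({**stmt, "Action": kept})
    return {"Version": policy["Version"], "Statement": statements}, sorted(unused)


# Constructed: an over-provisioned policy attached to a deployment role.
PROVISIONED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Artifacts", "Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-artifacts/*"},
        {"Sid": "Inventory", "Effect": "Allow",
         "Action": ["ec2:Describe*", "iam:ListUsers", "iam:PassRole"],
         "Resource": "*"},
        {"Sid": "NoIamWrites", "Effect": "Deny",
         "Action": ["iam:CreateUser", "iam:AttachUserPolicy"],
         "Resource": "*"},
    ],
}

# Constructed: what the role was actually observed doing in the lookback window.
USED_ACTIONS = ["s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"]

if __name__ == "__main__":
    suggested, gap = downsize(PROVISIONED_POLICY, USED_ACTIONS)
    print(json.dumps(suggested, indent=2))
    print("unused actions (permission gap):", gap)
```

Two design choices matter here. Wildcards are expanded and replaced by an explicit action list, so `s3:*` becomes `s3:GetObject` and `s3:PutObject` rather than a narrower wildcard that could silently grow when AWS adds actions. And the original Resource and Condition of each statement are preserved, so the suggested policy can only ever be a subset of the provisioned one; if the lookback window was too short to capture rare but legitimate actions, those show up in the gap list and should be reviewed before the policy is applied.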

To remediate the identity risk, click Fix in AWS to update the resource in the AWS IAM console. To create a Jira issue and assign it to a team, click Add Jira issue. See Create Jira Issues for Cloud Security Management Issues for more information.

Remediate identity risks using the action buttons on the side panel

You can also use Terraform remediation to generate a GitHub pull request with the code changes that fix the underlying identity risk, or use Workflow Automation to build automated workflows for identity risks, with or without a human in the loop.

Gain visibility into who can access at-risk resources

To see all the principals that can directly or indirectly access a given misconfigured resource, click the Access Insights tab in Misconfigurations, Identity Risks, and the Security Inbox. In this example, it shows all the principals that can access this EC2 instance:

The Access Insights panel, showing a list of publicly accessible EC2 instances with highly privileged IAM roles

The Risks column shows the risks associated with each principal, and the Path column shows whether the principal reaches the resource directly or indirectly (for example, through a role it can assume).

You can search for a subset of principals by name, type, public accessibility, or administrative access, and filter for direct or indirect access.

Click the Actions dropdown beside a principal to open it in the Resource Catalog or to update its configuration in the AWS IAM console.
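The direct/indirect distinction in the Path column comes from walking trust relationships: a principal reaches a resource directly when its own policy grants access, and indirectly when it can assume a role (possibly through several hops) that does. The script below is an added example of that walk, with the public, administrative and cross-account flags that the Risks column surfaces; it is not Datadog's code. It deliberately simplifies IAM evaluation: explicit Deny statements, permission boundaries, SCPs and resource-based policies are ignored, and each role's trust policy is reduced to a list of principals allowed to assume it. The account ID, instance ARN, identities and policies are all constructed.

```python
"""Enumerate the principals that can reach a resource directly (their own
policy grants access) or indirectly (by assuming a role that can).

Added example, not Datadog's code. Simplified IAM model: no Deny, boundaries,
SCPs or resource policies; "trust" is the list of principals allowed to
assume the role. All identities and policies are constructed."""
import fnmatch
from collections import deque

ACCOUNT_ID = "111122223333"  # constructed: the account being assessed
RESOURCE = f"arn:aws:ec2:us-east-1:{ACCOUNT_ID}:instance/i-0abc1234"

# Constructed inventory. "*" in trust means any AWS principal may assume
# the role, i.e. it is publicly assumable.
PRINCIPALS = {
    "role/OpsAdmin": {"type": "role", "trust": ["user/alice"],
                      "policies": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "user/alice": {"type": "user", "trust": [], "policies": []},
    "role/CI": {"type": "role", "trust": ["*"],
                "policies": [{"Effect": "Allow",
                              "Action": ["ec2:StartInstances", "ec2:StopInstances"],
                              "Resource": f"arn:aws:ec2:*:{ACCOUNT_ID}:instance/*"}]},
    "role/ReadOnly": {"type": "role", "trust": ["user/bob"],
                      "policies": [{"Effect": "Allow", "Action": "ec2:Describe*",
                                    "Resource": "*"}]},
    "user/bob": {"type": "user", "trust": [],
                 "policies": [{"Effect": "Allow", "Action": "s3:GetObject",
                               "Resource": "*"}]},
    "role/Vendor": {"type": "role", "trust": ["arn:aws:iam::999999999999:root"],
                    "policies": [{"Effect": "Allow", "Action": "ec2:TerminateInstances",
                                  "Resource": "*"}]},
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def statement_covers(stmt, resource_arn):
    """True if an Allow statement grants some action of the ARN's service on the ARN."""
    if stmt.get("Effect") != "Allow":
        return False
    service = resource_arn.split(":")[2]
    on_resource = any(fnmatch.fnmatchcase(resource_arn, r)
                      for r in _as_list(stmt.get("Resource", [])))
    on_service = any(a == "*" or a.split(":", 1)[0].lower() == service
                     for a in _as_list(stmt.get("Action", [])))
    return on_resource and on_service


def has_direct_access(name, resource_arn):
    return any(statement_covers(s, resource_arn) for s in PRINCIPALS[name]["policies"])


def risks_for(name):
    """Risk labels in the spirit of the Risks column."""
    p, risks = PRINCIPALS[name], []
    if "*" in p["trust"]:
        risks.append("publicly assumable")
    if any(t.startswith("arn:aws:iam::") and t.split(":")[4] != ACCOUNT_ID
           for t in p["trust"]):
        risks.append("cross-account trust")
    if any(s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action", []))
           and "*" in _as_list(s.get("Resource", [])) for s in p["policies"]):
        risks.append("administrative access")
    return risks


def access_paths(resource_arn):
    """One record per principal that can reach the resource.

    "via" is the assume-role chain ending at the principal whose policy grants
    access; a single-element chain is direct access. Trust edges are walked
    backwards breadth-first from every direct grantee, so each principal gets
    its shortest path and trust cycles terminate.
    """
    paths, queue = {}, deque()
    for name in PRINCIPALS:
        if has_direct_access(name, resource_arn):
            paths[name] = [name]
            queue.append(name)
    while queue:
        target = queue.popleft()
        for assumer in PRINCIPALS[target]["trust"]:
            # "*" and principals outside the inventory (other accounts) are
            # reported as risks on the role rather than as path entries.
            if assumer in paths or assumer not in PRINCIPALS:
                continue
            paths[assumer] = [assumer] + paths[target]
            queue.append(assumer)
    return [{"principal": n, "type": PRINCIPALS[n]["type"],
             "path": "direct" if len(p) == 1 else "indirect",
             "via": p, "risks": risks_for(n)}
            for n, p in sorted(paths.items())]


if __name__ == "__main__":
    for rec in access_paths(RESOURCE):
        print(f"{rec['principal']:14} {rec['path']:8} "
              f"via={' -> '.join(rec['via'])}  risks={rec['risks']}")
```

Note that `user/bob` has no permission on the instance itself yet still appears, because the role he can assume does; that is the indirect path a per-identity policy review would miss, and it is why the explorer shows the chain rather than just the final grantee.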

AWS IAM Access Analyzer integration

Datadog CIEM integrates with AWS IAM Access Analyzer to improve permissions gap detections. If you use AWS IAM Access Analyzer, Datadog CIEM automatically uses its unused access findings to enrich permissions gap detections and downsized policy recommendations.

If you are enabling AWS IAM Access Analyzer for the first time, note that it incurs an additional AWS cost, and that it can take up to two hours before Access Analyzer's findings become available.

Banner about AWS IAM Access Analyzer enriching permissions gap detections and policy recommendations

Video walkthrough

The following video provides an overview of how to enable and use CSM Identity Risks:

Further Reading