Cloud Security Management Identity Risks
Cloud Security Management Identity Risks (CSM Identity Risks) is a Cloud Infrastructure Entitlement Management (CIEM) product that helps you mitigate entitlement risks across your clouds. It continually scans your cloud infrastructure and finds issues such as lingering administrative privileges, privilege escalations, permission gaps, large blast radii, and cross-account access. It also enables you to proactively resolve identity risks on an ongoing basis to secure your cloud infrastructure from IAM-based attacks. For quick remediation, it suggests downsized policies, Datadog Workflows-based remediations, and deep links to cloud consoles.
CSM Identity Risks is available for AWS, Azure, and GCP.
Review identity risks
Review your organization’s active identity risks on the Identity Risks Explorer. Use the Group by options to filter by Identity Risks, Resources, or None (individual identity risks). View additional details on the side panel.
CSM Identity Risk detections cover users, roles, groups, policies, EC2 instances, and Lambda functions.
For detailed insights and remediation help, click the Remediation tab. In the following example, the Remediation tab shows the usage of provisioned permissions.
Click View Suggested Policy to view a suggested downsized policy based on the actual usage.
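The following added example (not Datadog's code and not the product's actual algorithm) shows the idea behind a usage-based downsized policy: an over-permissive policy and a set of observed actions are both constructed sample data, and the wildcard Allow grants are narrowed to the concrete actions that were actually used.

```python
import json
from fnmatch import fnmatchcase

# Constructed over-permissive policy (sample data, not from any real account).
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Constructed usage sample: actions the principal actually called in the lookback window.
OBSERVED_ACTIONS = {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, pattern):
    # IAM action names are case-insensitive, so compare lowercased forms.
    return fnmatchcase(action.lower(), pattern.lower())


def downsize_policy(policy, observed_actions):
    """Return a copy of `policy` whose Allow statements keep only observed actions.

    Wildcard Allow actions (e.g. "s3:*") are replaced by the concrete observed
    actions they match; Allow statements with no matching usage are dropped.
    Deny statements are never relaxed, so they are kept verbatim.
    """
    new_statements = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            new_statements.append(stmt)
            continue
        patterns = _as_list(stmt.get("Action", []))
        kept = sorted(a for a in observed_actions if any(_matches(a, p) for p in patterns))
        if kept:
            new_statements.append({**stmt, "Action": kept})
    return {**policy, "Statement": new_statements}


def permission_gap(policy, observed_actions):
    """List Allow action patterns that were never exercised (the permission gap)."""
    return [p for s in policy["Statement"] if s.get("Effect") == "Allow"
            for p in _as_list(s.get("Action", []))
            if not any(_matches(a, p) for a in observed_actions)]


if __name__ == "__main__":
    print(json.dumps(downsize_policy(ORIGINAL_POLICY, OBSERVED_ACTIONS), indent=2))
    print("Unused grants:", permission_gap(ORIGINAL_POLICY, OBSERVED_ACTIONS))
```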
To remediate the identity risk, click Fix in AWS to update the resource in the AWS IAM console. To create a Jira issue and assign it to a team, click Add Jira issue. See Create Jira Issues for Cloud Security Management Issues for more information.
You can also use Terraform remediation to generate a pull request in GitHub with code changes that fix the underlying identity risk, or leverage Workflow Automation to create automated workflows for identity risks (with or without human involvement).
Gain visibility into who can access at-risk resources
To see all the principals that can directly or indirectly access a given misconfigured resource, click the Access Insights tab in Misconfigurations, Identity Risks, and the Security Inbox. In this example, it shows all the principals that can access this EC2 instance:
You can see the risks associated with each principal in the Risks column, as well as the type of Path the principal can take (direct or indirect) to access the resource.
You can search for a subset of principals by name, type, public accessibility, or administrative access. Additionally, you can filter for direct or indirect access.
Click the Actions dropdown beside a principal to see it in the Resource Catalog, or to update its configuration in the AWS IAM console.
AWS IAM Access Analyzer integration
Datadog CIEM is integrated with AWS IAM Access Analyzer to further improve permission gap detections. If you are using AWS IAM Access Analyzer, Datadog CIEM automatically leverages its unused access findings to enrich permission gap detections and downsized policy recommendations.
If you are enabling AWS IAM Access Analyzer for the first time, note that there is an additional AWS cost associated with enabling it, and it can take up to two hours before AWS IAM Access Analyzer's insights become available.
Video walkthrough
The following video provides an overview of how to enable and use CSM Identity Risks: