IAM Access Review
The Dash IAM Access Review function enables teams to inventory IAM users, assets, and permissions across cloud environments (scansets) and identify potential concerns with permissions and IAM entities. Security teams may use this module to better administer access control, user permissions and cloud permissions.
Dash customers may consider using the IAM Access Review page to perform periodic Access Reviews as defined via Dash Compliance Tasks.
IAM Access Review Page
Getting Started
You can view the IAM Access Review page by logging into Dash ComplyOps and navigating to “Compliance Center” > “IAM Access Review” in the left sidebar.
If you have not already connected cloud account(s) to Dash ComplyOps, you will want to follow this documentation for Connecting AWS Monitoring.
You will then be prompted to select the scanset to view IAM entities for IAM Access Review:
After selecting the scanset you will be able to run a scan and see IAM Review insights.
If you have not run an IAM Access Review scan for a scanset you can click the “Run scan” button and click “Yes” to start a scan.
Finding Groups
After a scan is run, you will see a list of IAM assets and insights within the IAM Access Review page. On this page you will see sections with overall metrics and information about IAM entities (e.g. the IAM Groups section) as well as potentially problematic configurations or IAM entities (e.g. the IAM Group Concerns section).
Note - Finding Groups in gray sections are informational; items in these finding groups do not necessarily have issues in their configuration. For example, “All IAM Groups” lists ALL IAM groups for information purposes.
Additionally, IAM items found in red sections (such as “IAM Group with High Privileges”) may still be valid and necessary. It is up to security teams to review and evaluate these items.
The following options are provided for the IAM Access Review page:
Scanset Dropdown – Select which Scanset (or Cloud environment) to see IAM Review insights from.
You can follow these steps to create a new Scanset or edit an existing Scanset.
Run scan - If you have not run an IAM Access Review scan for a scanset, you can click the “Run scan” button and click “Yes” to start a scan.
Note - Findings may appear identical across scansets that use the same AWS account/environments, since IAM entities are typically global resources.
Note - IAM Review findings and insights are not automatically updated. Your team should click the “Run scan” function to see changes to IAM entities that happen in your AWS environment.
Finding Group Status
For finding groups where all findings are marked as “Reviewed”, a Green check will be displayed, indicating that all items have been reviewed.
For finding groups where one or more findings have been marked “For Review”, a Red icon will be displayed, indicating that there are items for your team to review.
Viewing Findings
Users may click on any individual finding group to view more information about the related IAM entities. Individual issue pages may look like this:
In the IAM Review Issue View users can find the following information:
Description – This is a plain-English description of the IAM entities identified in the scan. This description should provide service context about the associated IAM assets.
Additional Information – Additional links and documentation related to the finding.
Findings – This space outlines the IAM entity or resource(s) that have been flagged for this particular finding.
You can see the resource ID as well as resource metadata for the given affected object.
You can “Mark for Review” finding items that you believe your team should review in the environment.
You can “Mark as Reviewed” finding items that your team has approved or have corrected in your environment.
Marking Findings As “Reviewed”
When IAM entities are gathered in an IAM Access Review finding group, related IAM entities/findings are automatically categorized as “Unclassified”. Teams should look through individual findings and approve or mark items as “Reviewed” for findings that do not need to be changed.
For Example:
Your team has found the item to be acceptable in its current configuration
For IAM entities that are identified as accepted or do not need to be changed, teams can mark individual “Findings” as valid or in no need of change by clicking “Mark as Reviewed”. These items will be moved to the “Reviewed” section of the findings list.
Marking Findings As “Needs Review”
When IAM entities are gathered in an IAM Access Review finding group, related IAM entities/findings are automatically categorized as “Unclassified”. Teams should look through individual findings and mark items “For Review” where the finding needs further attention or a change.
For Example:
Your team would like to review the entity, resource or permission to ensure it has the correct configuration
Your team has determined the entity, resource or permission should be changed or removed from the environment
In these cases, your team can open an individual “Finding” and click the “Mark for Review” button to categorize this finding for later review. These items will be moved to the “Needs review” section of the findings list. Your team can later reclassify this item by opening the Finding and clicking “Mark As Reviewed” or “Mark as Unclassified”.
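The review bookkeeping described in the two sections above, together with the finding group status rule from “Finding Group Status”, modelled as a small local example. This is added illustration code, not Dash ComplyOps code; the finding group name, the resource IDs and their metadata are constructed samples, and the “none” icon for a group that is neither fully Reviewed nor has items marked for review is an assumption (the page does not say what is shown in that case).

```python
from dataclasses import dataclass, field

# Finding states as named on the page.
UNCLASSIFIED = "Unclassified"
NEEDS_REVIEW = "Needs review"
REVIEWED = "Reviewed"


@dataclass
class Finding:
    resource_id: str            # e.g. an IAM group name (constructed sample)
    metadata: dict
    status: str = UNCLASSIFIED  # every freshly scanned finding starts here


@dataclass
class FindingGroup:
    name: str
    findings: list = field(default_factory=list)

    def mark_for_review(self, resource_id):
        self._find(resource_id).status = NEEDS_REVIEW   # "Mark for Review"

    def mark_as_reviewed(self, resource_id):
        self._find(resource_id).status = REVIEWED       # "Mark as Reviewed"

    def mark_as_unclassified(self, resource_id):
        self._find(resource_id).status = UNCLASSIFIED   # "Mark as Unclassified"

    def status_icon(self):
        # Green check when every finding is Reviewed; red icon when one or
        # more findings are marked for review; "none" otherwise (assumption).
        if self.findings and all(f.status == REVIEWED for f in self.findings):
            return "green"
        if any(f.status == NEEDS_REVIEW for f in self.findings):
            return "red"
        return "none"

    def section(self, status):
        # The findings list is split into sections by status.
        return [f.resource_id for f in self.findings if f.status == status]

    def _find(self, resource_id):
        for f in self.findings:
            if f.resource_id == resource_id:
                return f
        raise KeyError(resource_id)


def sample_group():
    # Constructed sample: a red-section finding group with two IAM groups.
    g = FindingGroup("IAM Group with High Privileges")
    g.findings = [Finding("admins", {"attached_policy": "AdministratorAccess"}),
                  Finding("ops-legacy", {"attached_policy": "AdministratorAccess"})]
    return g
```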