Getting Started with Warden IAM

Before getting started on Warden IAM, make sure you have already added a scan group and on boarded at least one account.

For GCP users, make sure you have already onboarded GCP workspace data.

What does Warden IAM Support?

Currently supports  AWS IAM, GCP IAM, Huawei Cloud, Alibaba Cloud, and Azure IAM.

Supported IAM Security Risks

  • Dormant Identity (Unused/Inactive)
  • MFA Not Enabled
  • Password Update Required
  • Access Key Rotation required
  • Excessive Permission ( Permission Rightsizing based on Least Privilege Principles)

Best Practices and Limitations

Warden IAM will continue to expand support and capabilities as we work with our customers to incorporate their feedback and requirements into our roadmap. If you have questions about the specifics of what we support or questions around a certain use case, reach out to us at

Supported IAM Features

  • AWS Resource Types
  • AWS Policy "Allow" Statements
  • AWS Credentials Report
  • GCP Resource Types
  • GCP Policy Bindings
  • GCP Workspace

Understanding IAM Terminology

This page provides a glossary of terminology with definitions for Warden IAM-specific terminology as well as some useful cloud-based terms.


An entity that is used to identify and group people or machines


An entity that is created in the Cloud Environment to represent a person or application


An identity that can pass the permissions that it can access to other identities.


A group of Users

Service Account

An identity that represents a machine or application

Federated User

A User that has gained access to the Cloud Environment via Identity Providers(IdP)


A Service Principal is a Principal / Identity that represents a Cloud Environment service


A specific instance of a Cloud service. (Example: “arn:aws:s3:::test-public-s3bucket-demo-1234”)

Resource Count

The number of Resources accessible.

Resource Type

The grouping for the Resource in the Cloud Environment. (Example: “S3Bucket”, “ComputeNetworks”)

Resource Category

The grouping for the Resource based from the functions that the resource and do on the Cloud Environment. (Example: “Storage”, “Compute”)


Actions that an Identity can perform on the Cloud Environment.

Policies / Roles 

Sometimes referred to as “Entitlements”.  These are entities that contain the permissions for what identities can do on resources.


The Scan Account where the Identity or Resource was found


Cloud service providers. (Example: “AWS” - Amazon Web Services, “GCP” - Google Cloud Platform. )

Publically Accessible Resources

Resources whose Policy indicates that they are accessible either by the public internet or Cloud Provider’s AuthenticatedUsers.

Sensitive Access 

Identities with highly privileged or sensitive access. (Example: “External Identities”, “Root User”, “Super Admin”, “IAM Admin”)

External Identity

Identities that are not part of the cloud accounts scanned.

Root User

The primordial user that is used when a Cloud account is first created

Super Admin

Identities that have all permissions for all resources. (Example: users with “role/owner” in GCP)

IAM Admin

Identities that have all permissions governing access and permissions for other Identity (Example: Google Workspace Admin; or Users assigned “IAM role” in GCP).

Unused User

Users that can’t be used or signed in. (Example: user has no credentials) 

Inactive User

Users who has credentials but hasn’t signed in the past 90 days.

Credential Info

Security-related information for Identities

MFA not Enabled

Multifactor Authentication is not enabled for the indicated Identity.

Password Rotation Required

Password has not been used nor updated in the past 90 days

Key Rotation Required

Key has not been used nor updated in the past 90 days