Getting Started with Warden IAM

Before getting started with Warden IAM, make sure you have already added a scan group and onboarded at least one account.

What does Warden IAM Support?

Warden IAM currently supports both AWS IAM and GCP IAM.

Best Practices and Limitations

As stated, our initial launch supports AWS and GCP, and focuses on providing IAM support for resources the Warden platform currently supports.

Warden IAM will continue to expand support and capabilities as we work with our customers to incorporate their feedback and requirements into our roadmap. If you have questions about the specifics of what we support or questions around a certain use case, reach out to us at

Supported IAM Features

  • AWS Resource Types
  • AWS Policy "Allow" Statements
  • GCP Resource Types
  • GCP Policy Bindings

Understanding IAM Terminology

This page provides a glossary of Warden IAM-specific terminology with definitions, as well as some useful cloud-based terms.


An entity that is used to identify and group people or machines


An entity that is created in the Cloud Environment to represent a person, an application or people


An identity that has specific permissions via entitlements


A group of Users

Service Account

An identity that represents a machine or application

Federated User

A User that has gained access to the Cloud Environment via identity providers (IdP)


A Service Principal is a Principal / Identity that represents a Cloud Environment service


A specific instance of a Cloud service. (Example: “arn:aws:s3:::test-public-s3bucket-demo-1234”)

Resource Count

The number of Resources accessible

Resource Type

The grouping for the Resource in the Cloud Environment. (Example: “S3Bucket”, “ComputeNetworks”)

Resource Category

The grouping for the Resource based on the functions that the resource can do on the Cloud Environment. (Example: “Storage”, “Compute”)


Actions that an Identity can perform on the Cloud Environment.

Policies / Roles

Sometimes referred to as “Entitlements”. These are entities that contain the permissions for what identities can do on resources.


The Scan Account where the Identity or Resource was found


Cloud service providers. (Example: “AWS” - Amazon Web Services, “GCP” - Google Cloud Platform.)