Before getting started on Warden IAM, make sure you have already added a scan group and onboarded at least one account.
For GCP users, make sure you have already onboarded GCP workspace data.
What does Warden IAM Support?
Warden IAM currently supports both AWS IAM and GCP IAM.
Best Practices and Limitations
As stated, our initial launch supports AWS and GCP, and focuses on providing IAM support for resources the Warden platform currently supports.
Warden IAM will continue to expand support and capabilities as we work with our customers to incorporate their feedback and requirements into our roadmap. If you have questions about the specifics of what we support or questions around a certain use case, reach out to us at support@horangi.com.
Supported IAM Features
- AWS Resource Types
- AWS Policy "Allow" Statements
- AWS Credentials Report
- GCP Resource Types
- GCP Policy Bindings
- GCP Workspace
Understanding IAM Terminology
This section is a glossary of Warden IAM-specific terms, together with some general cloud terms that are useful alongside them.
| Term | Definition |
| --- | --- |
| Identity | An entity used to identify and group people or machines. |
| User | An entity created in the Cloud Environment to represent a person or an application. |
| Role | An identity that carries a set of permissions and passes them on to whichever identity assumes it, rather than being tied to one person or machine. |
| Group | A collection of Users. |
| Service Account | An identity that represents a machine or an application. |
| Federated User | A User who gained access to the Cloud Environment through an Identity Provider (IdP). |
| Service | A Service Principal is a Principal / Identity that represents a service of the Cloud Environment itself. |
| Resource | A specific instance of a Cloud service. (Example: “arn:aws:s3:::test-public-s3bucket-demo-1234”) |
| Resource Count | The number of Resources accessible to the Identity. |
| Resource Type | The grouping of the Resource within the Cloud Environment. (Example: “S3Bucket”, “ComputeNetworks”) |
| Resource Category | The grouping of the Resource based on the function it performs in the Cloud Environment. (Example: “Storage”, “Compute”) |
| Permission | An action that an Identity can perform in the Cloud Environment. |
| Policies / Roles | Sometimes referred to as “Entitlements”. Entities that contain the permissions defining what Identities can do on Resources. |
| Account | The Scan Account in which the Identity or Resource was found. |
| Provider | The cloud service provider. (Example: “AWS” - Amazon Web Services, “GCP” - Google Cloud Platform) |
| Publicly Accessible Resources | Resources whose Policy indicates that they are accessible from the public internet or by the Cloud Provider’s AuthenticatedUsers group (any account authenticated with the provider, not only accounts in your organization). |
| Sensitive Access | Identities with highly privileged or sensitive access. (Example: “External Identities”, “Root User”, “Super Admin”, “IAM Admin”) |
| External Identity | An Identity that is not part of the cloud accounts scanned. |
| Root User | The primordial user that exists from the moment a Cloud account is created. |
| Super Admin | Identities that have all permissions on all resources. (Example: users with “roles/owner” in GCP) |
| IAM Admin | Identities that hold all permissions governing access and permissions for other Identities. (Example: a Google Workspace Admin, or Users assigned an IAM administration role in GCP) |
| Unused User | A User that cannot be used to sign in. (Example: the user has no credentials) |
| Inactive User | A User that has credentials but has not signed in during the past 90 days. |
| Credential Info | Security-related information about an Identity's credentials. |
| MFA not Enabled | Multi-factor Authentication is not enabled for the indicated Identity. |
| Password Rotation Required | The password has been neither used nor updated in the past 90 days. |
| Key Rotation Required | The access key has been neither used nor updated in the past 90 days. |
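The credential-related terms above (Unused User, Inactive User, MFA not Enabled, Password Rotation Required, Key Rotation Required) and the Publicly Accessible Resources definition can all be checked from data you can pull yourself. The script below is an added example written for this page, not Warden's own code or its detection logic. It assumes the column layout of the real AWS IAM credential report (the CSV returned by `aws iam get-credential-report`); the report rows, the bucket policy and the fixed observation time `NOW` are constructed sample data so the 90-day window is reproducible offline. Two choices not spelled out on the page are made explicit in comments: "MFA not Enabled" is raised only for users with a console password, and an Allow statement with a Condition is not counted as public but left for manual review.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=90)                        # glossary threshold: inactive / rotation required
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" for the constructed sample

# Constructed sample credential report: alice is healthy, bob is stale, carol has no credentials.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T08:00:00+00:00,true,2024-05-30T09:15:00+00:00,2024-05-01T00:00:00+00:00,2024-07-30T00:00:00+00:00,true,true,2024-04-20T00:00:00+00:00,2024-05-31T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-03-01T08:00:00+00:00,true,2023-11-02T09:15:00+00:00,2023-10-01T00:00:00+00:00,2024-01-01T00:00:00+00:00,false,true,2023-06-01T00:00:00+00:00,2023-12-15T11:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2024-02-01T08:00:00+00:00,false,no_information,N/A,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _ts(value):
    """Parse a report timestamp; AWS writes N/A, no_information or not_supported when there is none."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _stale(*stamps, now):
    """True when none of the timestamps (None = never) falls inside the 90-day window."""
    known = [s for s in stamps if s is not None]
    return not known or now - max(known) > WINDOW


def classify_row(row, now=NOW):
    """Return the glossary findings that apply to one credential-report row."""
    findings = []
    password = row["password_enabled"] == "true"
    active_keys = [n for n in (1, 2) if row[f"access_key_{n}_active"] == "true"]
    if not password and not active_keys:
        return ["Unused User"]                    # nothing to sign in with

    password_used = _ts(row["password_last_used"])
    key_used = {n: _ts(row[f"access_key_{n}_last_used_date"]) for n in active_keys}
    if _stale(password_used, *key_used.values(), now=now):
        findings.append("Inactive User")          # has credentials, none used in 90 days
    if password and row["mfa_active"] != "true":
        findings.append("MFA not Enabled")        # choice: only console (password) users are flagged
    if password and _stale(password_used, _ts(row["password_last_changed"]), now=now):
        findings.append("Password Rotation Required")
    for n in active_keys:
        if _stale(key_used[n], _ts(row[f"access_key_{n}_last_rotated"]), now=now):
            findings.append(f"Key Rotation Required (access_key_{n})")
    return findings


def classify_report(report_csv, now=NOW):
    """Map each user in the report to its findings (empty list = no finding)."""
    return {row["user"]: classify_row(row, now) for row in csv.DictReader(io.StringIO(report_csv))}


def public_allow_statements(policy_json):
    """Allow statements granted to everyone ("*" or {"AWS": "*"}) with no Condition:
    the policy-side evidence for a Publicly Accessible Resource.  Statements with a
    Condition are left for manual review.  An AuthenticatedUsers grant is an S3 ACL
    grantee, not a policy Principal, so it must be checked on the bucket ACL instead."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):               # a single statement may be written without a list
        statements = [statements]
    public = []
    for stmt in statements:
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")       # {"Service": ...} principals are never "everyone"
        wildcard = "*" in principal if isinstance(principal, list) else principal == "*"
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            public.append(stmt)
    return public


# Constructed bucket policy: one public read statement, one account-scoped write statement.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::test-public-s3bucket-demo-1234/*"},
        {"Sid": "OwnerWrite", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::test-public-s3bucket-demo-1234/*"},
    ],
})

if __name__ == "__main__":
    for user, findings in classify_report(SAMPLE_REPORT).items():
        print(f"{user}: {findings or ['no findings']}")
    print("public statements:", [s["Sid"] for s in public_allow_statements(SAMPLE_POLICY)])
```

To run this against a real account, replace `SAMPLE_REPORT` with the decoded `Content` of `get-credential-report` and `SAMPLE_POLICY` with the output of `get-bucket-policy`, and pass the current time as `now`; the root account row has `password_last_changed` set to `not_supported`, which `_ts` already treats as unknown.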