Understanding and Navigating the Access Graph

Warden IAM Access Graph visualizes the access path from identities to resources for cloud infrastructure in an AWS environment (GCP support will be available in the coming months). It gives users a graphical representation of how access has been granted, for each individual identity and resource instance.

The graph is updated automatically with every Warden scan; no additional setup is required.

Navigating the Access Graph

  1. Locating the Access Graph

     The Access Graph is accessible from the Identity Explorer and the Resource Explorer, and from the Identity Drawer or Resource Drawer by clicking the “Access Graph” link. The graph opens in a new tab.

  2. Navigating the Access Graph

     By default, the graph is zoomed out to show every identity and resource in the graph; zoom in to inspect a region more closely. Tips on panning and zooming the graph:

       1. Zoom in/out:
          Mouse wheel: scroll up (zoom in) or down (zoom out).
          Trackpad: pinch with two fingers to expand/condense, or two-finger scroll up (zoom in) or down (zoom out).
       2. Panning:
          Click and hold with the mouse or trackpad, then drag to move the graph.

  3. Navigating the Details Drawer

     Clicking an individual node shows its details in the side drawer and highlights its connecting paths in the graph.

     For a grouped resource node or grouped identity node, clicking the node lists the resources or identities it contains in the side drawer; clicking an item in that list opens the details of the selected item.


Understanding the Access Graph Components 

1. Circular Nodes

Each circular node represents either a single identity or resource instance, or a group of identities or resource instances; for a grouped node, the number of members is shown beneath it.

Legend:

  Single Identity
  Grouped Identities*
  Single Resource Instance
  Grouped Resource Instances**

* Identities (Roles and Groups) are grouped when two or more identities of the same type grant the same access to the same set of users. This grouping applies only to the Resource-centric Access Graph.

** Resources are grouped when access is granted to two or more instances of the same Resource Type.

2. Square Nodes

Each square node represents a policy.


3. Lines

Lines between the nodes represent the access-granting path.

4. Vertical Lanes

The nodes are grouped and organized into four vertical lanes for ease of tracing and readability.

In the Identity-centric Access Graph, the graph expands from left to right in the following order:

  • Identities: The main identity node.
  • Inheritance: The groups the main identity belongs to and the roles it can assume.
  • Policies: The policies, attached to the main identity or to those groups and roles, that grant the main identity access to resources.
  • Resources: The resources accessible to the main identity.

In the Resource-centric Access Graph, the graph expands from left to right in the following order:

  • Resources: The main resource instance node.
  • Policies: The managed or inline policies that grant access to the main resource instance.
  • Inheritance: The roles and groups to which those policies are attached.
  • Identities: The identities that have access to the main resource instance through those paths.
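The four lanes, read in both directions, and the grouping rule for resource nodes can be made concrete with a small model. The following is an added example written for this page, not Warden's code or API. Every user, group, role, policy and ARN in it is constructed sample data; resolving wildcard policy resources against an inventory list, evaluating an explicit Deny per session (a user's own session versus each role session), and collapsing grouped resource nodes per policy edge are assumptions of the example, not behaviour the page describes.

```python
"""Trace IAM access into the four Access Graph lanes.

Added example, not Warden's own code or API. It derives identity-centric and
resource-centric paths from IAM data and applies the resource-grouping rule.
All users, groups, roles, policies and ARNs below are constructed sample data
(hypothetical).
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample IAM data (hypothetical). Policies are referenced by name;
# a policy listed under a user is treated as an inline policy on that user.
USERS = {
    "alice": {"groups": ["developers"], "policies": []},
    "bob": {"groups": ["developers"], "policies": ["BobS3Deny"]},
    "ci-runner": {"groups": [], "policies": []},
}
GROUPS = {"developers": {"policies": ["DevS3Read"]}}
ROLES = {"DeployRole": {"trusts": ["alice", "ci-runner"], "policies": ["DeployWrite"]}}
POLICIES = {
    "DevS3Read": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::dev-bucket-1", "arn:aws:s3:::dev-bucket-2"]},
    ],
    "BobS3Deny": [
        {"Effect": "Deny", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::dev-bucket-2"]},
    ],
    "DeployWrite": [
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": ["arn:aws:s3:::deploy-*"]},
        {"Effect": "Allow", "Action": ["sqs:SendMessage"],
         "Resource": ["arn:aws:sqs:us-east-1:123456789012:deploy-queue"]},
    ],
}
# Resource instances in the inventory (constructed). Wildcard policy resources
# are resolved against this list, as a scanner resolves them against its inventory.
RESOURCES = [
    "arn:aws:s3:::dev-bucket-1", "arn:aws:s3:::dev-bucket-2",
    "arn:aws:s3:::deploy-artifacts", "arn:aws:s3:::deploy-logs",
    "arn:aws:sqs:us-east-1:123456789012:deploy-queue",
]


def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)


def _scopes(user):
    """Yield the (inheritance, policy) pairs that apply in each session the user
    can obtain: its own session (inline + group policies) and one session per role
    whose trust list names the user. An explicit Deny is evaluated per session, so
    a Deny on the user does not reach its role sessions (assumption of this model)."""
    own = [("", p) for p in USERS[user]["policies"]]
    for g in USERS[user]["groups"]:
        own += [(f"group:{g}", p) for p in GROUPS[g]["policies"]]
    yield own
    for name, role in ROLES.items():
        if user in role["trusts"]:
            yield [(f"role:{name}", p) for p in role["policies"]]


def identity_paths(user):
    """Identity-centric lanes for one user: a list of
    (identity, inheritance, policy, action, resource) tuples, one per Allow that
    is not cancelled by an explicit Deny in the same session.
    inheritance is "" for an inline policy, otherwise "group:<g>" or "role:<r>"."""
    paths = []
    for scope in _scopes(user):
        denies = [st for _, p in scope for st in POLICIES[p] if st["Effect"] == "Deny"]
        for inh, pol in scope:
            for st in POLICIES[pol]:
                if st["Effect"] != "Allow":
                    continue
                for action in st["Action"]:
                    for arn in RESOURCES:
                        if not _matches(st["Resource"], arn):
                            continue
                        if any(_matches(d["Action"], action) and _matches(d["Resource"], arn)
                               for d in denies):
                            continue  # explicit Deny wins over Allow
                        paths.append((user, inh, pol, action, arn))
    return paths


def resource_paths(arn):
    """Resource-centric lanes for one resource, read right to left from the
    identity-centric paths: (resource, policy, inheritance, identity, action)."""
    return [(res, pol, inh, ident, act)
            for user in USERS
            for ident, inh, pol, act, res in identity_paths(user) if res == arn]


def resource_type(arn):
    return arn.split(":")[2]  # arn:partition:service:region:account:resource


def resource_nodes(paths):
    """Resource lane for a set of identity-centric paths. Resources of the same
    type reached through the same (inheritance, policy) edge collapse into one
    grouped node when there are two or more; "count" is the number shown beneath
    a grouped circular node. Grouping per edge is an assumption of this example."""
    members = defaultdict(set)
    for _, inh, pol, _, arn in paths:
        members[(inh, pol, resource_type(arn))].add(arn)
    return [{"via": (inh, pol), "type": rtype, "count": len(arns),
             "kind": "group" if len(arns) >= 2 else "single", "members": sorted(arns)}
            for (inh, pol, rtype), arns in sorted(members.items())]


if __name__ == "__main__":
    for user in USERS:
        print(f"== identity-centric: {user}")
        for node in resource_nodes(identity_paths(user)):
            inh, pol = node["via"]
            print(f"  {user} -> {inh or '(inline)'} -> {pol} -> "
                  f"{node['kind']} {node['type']} x{node['count']}: {node['members']}")
    target = "arn:aws:s3:::deploy-logs"
    print(f"== resource-centric: {target}")
    for res, pol, inh, ident, act in resource_paths(target):
        print(f"  {res} -> {pol} -> {inh} -> {ident} ({act})")
```

Running the script prints alice's lanes as two grouped S3 nodes (the two dev buckets via the group, the two deploy buckets via the role) and one single SQS node, and the resource-centric view of deploy-logs as two paths, one through alice's role session and one through ci-runner's. bob reaches only dev-bucket-1: his inline Deny cancels the group's Allow on dev-bucket-2, a path that a graph built from Allow statements alone would wrongly show as granted, which is why Deny evaluation belongs in any access-path model.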

Understanding the Icons & Terminology: 

Identity 

An entity that is used to identify and group people or machines

User

An entity that is created in the Cloud Environment to represent a person or application 

Role

An identity that can be assumed by other trusted identities, which then act with the permissions granted to the role

Group

A collection of Users; policies attached to the Group apply to every member

Service Account

An identity that represents a machine or application

Federated User

A User that has gained access to the Cloud Environment through an Identity Provider (IdP)

 

Resource

A specific instance of a Cloud service. (Example: “arn:aws:s3:::test-public-s3bucket-demo-1234”)

Icon: the cloud provider logo

Policy 

Sometimes referred to as “Entitlements”. A policy is an entity that contains the permissions defining what identities can do on which resources.