Understanding and Navigating the Access Graph

Warden IAM Access Graph visualizes the access path from identities to resources for cloud infrastructure in an AWS environment (GCP support will be available in the coming months). It provides users a graphical representation of how access has been granted, for each individual identity and resource instance. 

The graph is automatically updated with every Warden scan, there are no additional setup required.

Table of Contents

Navigating the Access Graph 

  1. Locating the Access Graph 

    The Access Graph is accessible from the Identity Explorer and Resource Explorer, as well as in the Identity Drawer or Resource Drawer by clicking the “Access Graph” link. The graph will open in a new tab.
  2. Navigating the Access Graph

    By default, the graph is zoomed out to show all resources and identities in the graph. Zooming in allows closer inspection of the graph. Tips on panning and zooming the Graph:

      1. Zoom in/out:
        Mouse-wheel scroll (up/down)
        track-pad pinch with 2 fingers to expand/condense
        track-pad shift up (zoom in), down (zoom-out).
      2. Panning:
        Hold down the mouse or trackpad to move the graph around.
  3. Navigating the Details Drawer

    Clicking on each individual node displays its details on the side. It will also highlight its connecting paths in the graph.

    For grouped resource nodes or identity nodes, clicking on the node will expand the list of resources or identities in the side drawer. Clicking on each identity or resource will open up the details of the selected item.

Understanding the Access Graph Components 

1. Circular Nodes

Each single circular node represents a single identity/resource instance, or a grouped identities/resource instances, with a number of nodes indicated below.

Single Identity

Grouped Identities*



* Identities (Roles and Groups)  are grouped when there are 2 or more identities of the same type granting the same access to the same group of users. 

* This grouping only applies to the Resource Access Graph. 


Single Resource Instance

Grouped Resource Instances*



* Resources are grouped when access is granted to 2 or more instances of the same Resource Type.

2. Square Nodes 

Each square node represents a policy


3. Lines

Lines between the nodes represent the access granting path. 

4. Vertical Lanes 

The nodes are grouped and organized into 4 lanes for ease of tracing and better readability.

In Identity-centric Access Graph, the graph expands from left to right with the following order: 

  • Identities: The main identity node.
  • Inheritance: The roles and groups that are assumed by or inherited by the main identity.
  • Policies: The policies attached to the groups and roles and granted resource access to the main identity.
  • Resources: The resources accessible by the main identity.

In Resource-centric Access Graph, the graph expands from left to right with the following order:


  • Resources: The main resource instance node.
  • Policies: The managed/inline policies that granted access to the main resource instance.
  • Inheritance: The roles and groups to which the policies are attached to.
  • Identities: The identities that have access to the main resource instance.

Understanding the Icons & Terminology: 


An entity that is used to identify and group people or machines


An entity that is created in the Cloud Environment to represent a person or application 


An identity that can pass the permissions that it can access to other identities


A group of Users

Service Account

An identity that represents a machine or application

Federated User

A User that has gained access to the Cloud Environment via Identity Providers(IdP)



A specific instance of a Cloud service. (Example: “arn:aws:s3:::test-public-s3bucket-demo-1234”)

Cloud provider logo


Sometimes referred to as “Entitlements”.  These are entities that contain the permissions for what identities can do on resources.