Security criteria for recommendations
  • 3 minutes to read
  • Dark
    Light
  • PDF

Security criteria for recommendations

  • Dark
    Light
  • PDF

Article summary

In this article, you'll learn more about the specific criteria that Cloud Entitlements uses to evaluate the security of your cloud infrastructures.

Info

Cloud Entitlements uses criteria that vary according to the specific Cloud Service Provider (CSP).


Recommendations for AWS

Cloud Entitlements uses the following criteria to monitor the identities registered in AWS accounts and provide security recommendations:

CriterionDefinitionIdentities monitored
User MFADetermines if the user has enabled multi-factor authentication (MFA). The absence of MFA increases the vulnerability of the account, making it more susceptible to hacking attempts.Only users.
AdministratorAccess policyAssesses whether the identity has the AdministratorAccess policy attached. Excessive permissions can pose a threat as they increase the user's potential to compromise resources.Users, roles, and groups.
Access to all resourcesChecks if the identity has access to all resources. It's advisable to grant users access only to the resources they require, as providing excessive access can compromise the environment.Users, roles, and groups.
Access to all actionsVerifies if the identity has full permissions within a resource. Excessive permissions can lead to risks and misuse of resources.Users, roles, and groups.
Password policyChecks if the account has a defined password policy. The absence of a password policy can make the environment insecure.Only users.
Access key lifetimeVerifies if there is an access key older than the specified period. It's important to rotate users' access keys if they haven't been used for a while or if they've remained the same for an extended period.Only users.
Access key last useChecks for unused access keys within the specified period. Regularly rotating users' access keys helps mitigate potential risks associated with inactive access keys.Only users.
Last console loginVerifies the last access to the AWS Console and compares it to the specified period. It's recommended to delete and create a new user when necessary, update passwords regularly, or revoke console access when appropriate.Only users.
Overprivileged access to servicesChecks for unused access to services by users, roles, or groups within the specified period. It's recommended to restrict users' access to the services they actively use, in order to maintain a secure environment.Users and roles.

Recommendations for GCP

Cloud Entitlements uses the following criteria to monitor the identities registered within GCP projects and provide security recommendations:

CriterionDefinitionIdentities monitored
Administrator privilegeVerifies whether the identity has the Owner role assigned.Users and Service accounts.
Basic rolesVerifies whether the identity has GCP Basic roles assigned.Users and Service accounts.
Service Account user roleVerifies if the user has been assigned the Service Account User role. This role grants the user indirect access to all resources that the associated service account has been authorized to access.Users and Service accounts.
Service Account Token Creator roleVerifies whether the principal has been assigned the Service Account Token Creator role. This role allows principals to impersonate service accounts and create authentication methods.Users and Service accounts.
Service account key lifetimeChecks if the Service account has an access key older than the specified duration. You can choose a duration of 30, 60, or 90 days.Only Service accounts.

Recommendations for Azure

Cloud Entitlements uses the following criteria to monitor the identities registered in Azure Active Directory (AD) tenants and provide security recommendations:

CriterionDefinitionIdentities monitored
Unique authentication methodAssesses whether a user is relying on only one authentication method. Microsoft strongly recommends having at least a second authentication method for enhanced identity security. This measure is crucial to prevent unauthorized access and protect against potential attacks.Only Users.
Administrative accessVerifies whether the identity holds the role of Global Administrator in your environment's directory. The Global Administrator role is considered super privileged, granting the associated identity extensive powers to modify and interact with any resource and configuration within the AD.Users, Groups, and Applications.
Last loginEvaluates the most recent login activity of the user in Azure, considering the specified time period outlined in the Cloud Entitlements Security Policies. You can customize this criterion to inspect logins within intervals of 30, 60, or 90 days.Only Users.
Shadow admin (privilege escalation)Verifies whether the identity possesses any of the following permissions: Microsoft.Authorization -elevateAccess/Action, Microsoft.Authorization-roleDefinitions/write, Microsoft.Authorization-roleAssignments/write. Having these permissions empowers the identity to elevate its own privileges.Users, and Applications.
Public domain userExamines whether an AD user is registered using a public address associated with domains such as .hotmail, .outlook, .live, and others.Only Users.
Permissive and caring rolesThe Contributor, Virtual Machine Contributor, and Application Administrator roles should be exclusively assigned to privileged users. These roles grant extensive permissions and should not be assigned to non-privileged identities due to their highly permissive nature.Users, Groups, and Applications.

Was this article helpful?