Skip to main content

Identity Management Use Cases

This topic covers some common use cases for using Lacework to identify, investigate, and remediate cloud identity risk.

Identify Excessive Privileges and Implement Least Privilege Access

This use case covers identifying excessive privileges across all identities and right sizing permissions—implementing least privilege access.

  1. Go to Identities > Overview.
  2. In the Summary section locate the Identities with excessive privileges chart.
    Leave the % unused entitlements dropdown menu at 75% or greater. This finds the identities that don't use 75% or more of their entitlements.
  3. Click Explore.
  4. Sort by the Risk severity in descending order.
  5. You can identify the highest risk identities with excessive privileges at the top of the list.
  6. Click the identity to open the identity's details.
  7. Review the Granted vs. used entitlements chart in the Summary tab to understand the entitlement usage at a glance.
  8. Click the Entitlements tab to review a comprehensive list of entitlements and identify the entitlements that have not been used in the past 180 days.
  9. Optionally, click the Download icon to download the entire list of entitlements and associated resources and services as a CSV file.
  10. Click the Remediations tab to review remediations, suggested changes, and rationale.
  11. Create an IT service request to right-size permissions.

Address Top Identity Risks​

This use case covers investigating top identity risks. You can find top identity risks in two locations:

  • The Identities > Top identity risks tab lists the top 25 at risk identities.
    1. Review the list of identities and click those of interest to display their details to the right.
    2. When you find one you want to investigate further, click Investigate.
    3. Review its risks, entitlements, and linked identities.
    4. Click the Remediations tab to review remediation suggestions, rationale, and risk changes that remediation achieves.
    5. Create an IT service request to remediate the issues.
  • The Attack path > Top work items page lets you review roles with admin privileges associated with vulnerable hosts exposed to internet.
    1. Review the list of identities in the Top risky paths with admin privilege role table.
    2. When you find a risky identity attack path you want to investigate further, click its View attack path icon. This displays the Path investigation page filtered to that specific identity.
    3. Review Exposure Polygraph and all sections of associated information.
    4. Review the IAM role section for detailed information about risks, entitlements, and linked identities.
    5. Click the Remediations tab to review remediation suggestions.
    6. Create an IT service request to remediate the issues.

Identify Access Keys That Haven’t Been Used for 180 Days or More

  1. Go to Identities > Overview.
  2. Locate the Active access keys older than 180 days chart.
    By default, the chart shows you long-lived active keys. You can also choose to display inactive keys or all keys.
  3. Click Explore.
    This opens the Explorer filtered for active access keys older than 180 days.
  4. Click an identity to open its details.
  5. Click the Remediations tab to review remediation suggestions. A suggestion may be to disable the access key or delete the access key.
  6. Create an IT service request to remediate the issue in the manner you choose.

Identify Inactive (Dormant) Identities and Mitigate Risk

  1. Go to Identities > Explore: Identities.
  2. Click the Risk filter, select Unused user (for 180 days), and click Show results.
  3. Click an identity to open its details.
  4. Click the Remediations tab to review remediation suggestions.
  5. Create an IT service request to remediate the issue in the manner you choose.

Add an Exception for One or More Risks

Suppose you monitor Top Identity Risks to identify the riskiest identities and open a ticket and assign the relevant application owner/developer to correct issues. After you assign a ticket to the relevant party, you want to quickly address other risky identities. If you want to free up space in Top Identity Risks and leaves just actionable identities. To achieve this, add an exception for a short time to demote specific identity risks to get rid of the ones where work is already in progress.

This use case covers creating an exception for an identity that has multiple risks. When the exception is active, it's probable this will reduce the identity's overall risk. This use case defines an expiration date to ensure the identity appears as a top identity risk if the app developer/owner fails to remediate the issue.

  1. Go to Identities > Explore: Identities.
  2. Sort the Risk severity column so the most severe risk is first.
  3. Click an identity to open the identity details page and review risks in the Summary tab.
  4. You decide to add an exception for multiple risks.
  5. Switch to the Exceptions tab and click Create new exception.
  6. Select the risks that you want to except from the risk severity calculation.
  7. Click Next.
  8. Provide a name and select a reason.
  9. Select an expiration date that makes sense for your situation. Lacework recommends setting a short expiration duration to help reduce overall risk.
  10. Provide a thorough description.
  11. Click Save exception.

The exception appears in the exceptions list.

Threat Detection

This use case covers receiving an alert about a possible threat.

For example, you receive this alert: Login from source using Calltype.

Gather Information from the Alert

Your first step is to click the alert on the Alerts page and view its details. The full alert description in the Why section will be similar to the following:

For account: 123456789012 : IAMRole/123456789012:an-admin-role-name logged in from a new source Bolivia using calltype AwsConsoleSignIn (and 1 more)

Some important information you can gather from the description to assist further investigation:

  • Identity name - From IAMRole/123456789012:an-admin-role-name, copy an-admin-role-name, which is the name of the identity that you can use later when investigating.
  • Source location - From the description, the identity logged in from Bolivia. Perhaps you think your organization doesn't have anyone who should be logging in from Bolivia, so this warrants investigating.

Investigate the Issue

To begin your investigation, go to the Why section, hover over the user, and click Investigate in Identities Dashboard. This opens the Explore: Identities tab filtered to the identity you want to investigate.

Drill Down

Click the identity to open its details and examine the identity in depth.

Start with the Summary tab and get an overall picture of what you are dealing with. To show what the identity has done, go to the Activity tab. To show what entitlements the identity has, go to the Entitlements tab.

Request Permission Changes

After gathering information, you may conclude that the identity is over-permissioned. In this case start a workflow to fix the issue. Follow your organization's prescribed workflow for correcting the issue, such as requesting IT to update the permissions.

Last updated on