Entitlement analysis
The entitlement analysis feature is designed to discover risks to your cloud infrastructure. After an entitlement analysis job is completed, a summary of the analysis provides a list of at-risk resources. Resources at risk to your organization are highlighted in the summary, which also enables you to take appropriate action to remediate the risk.
Overview
Okta Privileged Access entitlement analysis functionality is based on the concept of jobs. A job contains the information Okta Privileged Access needs to connect to your Infrastructure as a Service (IaaS) applications, such as Amazon Web Services (AWS). The job also includes the inputs necessary for discovering resources.
One important part of creating a job is the Analysis configuration. It contains the rules that instruct how entitlements are evaluated and how the job determines whether a discovered resource is at risk.
Currently, this feature only supports AWS. Okta Privileged Access will support other analysis rules over time to address new risks and threat signals.
Analysis rules
Rule short name | Description | Actions customers can take to resolve rule violations |
---|---|---|
Excessive User Access | Indicates that current IAM policies and permission sets are providing access to a resource for many Okta-provisioned AWS users. This rule calculates the percentage of users granted access to a resource out of the total users provisioned in an AWS Organization. If the percentage of users granted access to a resource exceeds the threshold value configured in the rule, the resource is marked as At risk. | |
Supported entitlements
Okta Privileged Access supports discovery and analysis for the following AWS IAM permissions:
IaaS resource type | Permission | Description |
---|---|---|
Relational Database Service (RDS) | rds-db:connect | The rds-db: service enables AWS IAM authentication to be used to authenticate to RDS database instances. With this permission granted, an end user can connect directly to the database using a database client and then perform any operations permitted by the database user account mapped to the RDS IAM authentication role. |
Things to consider
- Currently, entitlement analysis for AWS doesn't examine conditions in IAM policies to determine if access to resources is granted conditionally. Okta doesn't examine AWS Service Control Policies either. Okta Privileged Access only examines the principals in IAM policies to match them against individual users and groups.
- Entitlement analysis currently only works with Action statements in IAM policies. Broad IAM policies, such as NotAction policies that grant access to everything except the APIs that are explicitly excluded, aren't examined. Policy statements containing NotAction, Deny, or NotResource aren't allowed.
- If Okta Privileged Access encounters IAM policies it can't process, the job results in an error. This is a deliberate design decision to prevent Okta Privileged Access from reporting false negatives. For example, consider a scenario where Okta Privileged Access shows an access graph indicating that access isn't granted when, in fact, an unsupported IAM policy is granting access to the resource.
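The following added example (not Okta's code) models the behaviour described in the Analysis rules table and in the list above: it evaluates only Allow statements with an Action element, raises an error on any statement using NotAction, NotResource, Deny or Condition instead of risking a false negative, and applies the Excessive User Access rule as the share of provisioned users that can reach an RDS resource via rds-db:connect. The user names, policies, ARN and threshold are constructed sample values; IAM's ARN wildcard matching is approximated with fnmatch.

```python
from fnmatch import fnmatchcase

# Constructed sample data (not from the page): IAM policy documents keyed by
# Okta-provisioned AWS user name, plus the total number of provisioned users.
ACTION = "rds-db:connect"
DB_ARN = "arn:aws:rds-db:us-east-1:111111111111:dbuser:db-EXAMPLE/app_user"
POLICIES = {
    "alice": {"Statement": [{"Effect": "Allow", "Action": ACTION, "Resource": DB_ARN}]},
    "bob":   {"Statement": [{"Effect": "Allow", "Action": [ACTION],
                             "Resource": "arn:aws:rds-db:*:111111111111:dbuser:*/app_user"}]},
    "carol": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]},
}
TOTAL_USERS = 5  # users provisioned in the AWS Organization, including ones with no policy

def as_list(v):
    # IAM allows Statement, Action and Resource to be a single value or a list.
    return v if isinstance(v, list) else [v]

def check_supported(policy):
    """Reject constructs the analysis does not examine; erroring beats a false negative."""
    for s in as_list(policy.get("Statement", [])):
        if s.get("Effect") == "Deny":
            raise ValueError("Deny statements are not supported")
        for key in ("NotAction", "NotResource", "Condition"):
            if key in s:
                raise ValueError(f"{key} is not supported")

def grants(policy, action, resource_arn):
    """True if an Allow statement names the action and a Resource pattern matching the ARN.
    '*' and '?' wildcards are approximated with fnmatch (close to IAM ARN matching)."""
    check_supported(policy)
    for s in as_list(policy.get("Statement", [])):
        if s.get("Effect") != "Allow":
            continue
        if action not in as_list(s.get("Action", [])):
            continue
        if any(fnmatchcase(resource_arn, r) for r in as_list(s.get("Resource", []))):
            return True
    return False

def excessive_user_access(policies, resource_arn, total_users, threshold_pct):
    """Excessive User Access rule: share of provisioned users able to reach the resource."""
    granted = sorted(u for u, p in policies.items() if grants(p, ACTION, resource_arn))
    pct = 100.0 * len(granted) / total_users
    return {"granted": granted, "percent": pct, "at_risk": pct > threshold_pct}

if __name__ == "__main__":
    # 2 of 5 provisioned users can connect: 40% exceeds a 30% threshold, so At risk.
    print(excessive_user_access(POLICIES, DB_ARN, TOTAL_USERS, threshold_pct=30))
```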
Create an entitlement analysis job
- In your Okta Privileged Access dashboard, go to .
- Click Create job.
- Enter a name.
- Configure resources to discover.
Setting | Action |
---|---|
Cloud provider type | The cloud infrastructure provider from which you can discover resources. Currently, only AWS is supported. |
Cloud provider connection | Select one of the connections that you've created. The entitlement analysis job uses the connection to link to the cloud infrastructure provider. |
Accounts | Select one or more accounts. You can select up to 10 accounts. |
Resource type | The type of resources that are discovered inside your IaaS provider account. Currently, only RDS is supported. |
Account resources | Select one of the following: All resources; or Only resources with names that contain this value. If the second option is selected, enter the value that the names of the discovered resources must contain. The field only accepts single words. |
- Under the , set the threshold percentage. The threshold percentage specifies what share of the users with access to the IaaS application may have access to a resource. If the percentage of users with access to a resource exceeds this threshold, the analysis job marks the resource as At Risk. See Analysis rules.
- Click Create.
- Optional. Select . When creating a job, you have the option to either run it immediately or run it later.
Run an entitlement analysis job
After creating an entitlement analysis job, you must run the job to retrieve information from your AWS account.
- In your Okta Privileged Access dashboard, go to .
- Identify the job that you want to run, and then select .
After the job runs successfully, the status is updated to completed. You can now view the analysis summary.
Review an entitlement analysis summary
The entitlement analysis summary provides an overview of all permissions for resources that pose a risk to your organization if breached. By clicking a specific resource, you can access a detailed breakdown of user group access to the database in an easy-to-understand relationship graph, including permissions and policies. This graph allows you to quickly pinpoint the source of the risk, and take any necessary action to mitigate it.
- In your Okta Privileged Access dashboard, go to .
- Select .
- Click a resource to view the relationship graph.
- Click a node to see AWS-related information that you can correlate with your AWS account. For example, clicking the user group node displays all users in the group along with the group's AWS ID.