Entitlement analysis

The entitlement analysis feature is designed to discover risks to your cloud infrastructure. After an entitlement analysis job is completed, a summary of the analysis provides a list of at-risk resources. Resources at risk to your organization are highlighted in the summary, which also enables you to take appropriate action to remediate the risk.

Overview

Okta Privileged Access entitlement analysis functionality is based on the concept of jobs. Jobs contain the information Okta Privileged Access needs to connect to your Infrastructure as a Service (IaaS) applications, such as Amazon Web Services (AWS). Jobs also include the inputs needed to discover resources.

One important aspect of creating a job is the Analysis configuration. It contains the rules that govern how the job evaluates entitlements and decides whether a discovered resource is at risk.

Currently, this feature only supports AWS. Okta Privileged Access will support other analysis rules over time to address new risks and threat signals.

Analysis rules

Rule short name: Excessive User Access

Description: Indicates that current IAM policies and permission sets are providing access to a resource for many Okta-provisioned AWS users. This rule calculates the percentage of users granted access to a resource from the total users provisioned in an AWS Organization. If the percentage of users granted access to a resource exceeds the threshold value configured in the rule, the resource is marked as At risk.

Actions customers can take to resolve rule violations:

  • Remove users from Okta groups that have permission sets granting them access to the database. Instead, implement an Access Requests workflow that allows users to be added to or removed from the group only when they need to access the resource.

  • Create a permission set for single sign-on (SSO) and an accompanying IAM policy. This set should target the databases that grant excessive access and be linked either to an Okta group with a few users or to a group whose membership is controlled by Access workflows.

Supported entitlements

Okta Privileged Access supports discovery and analysis for the following AWS IAM permissions:

IaaS resource type: Relational Database Service (RDS)

Permission: rds-db:connect

Description: The rds-db: service enables AWS IAM authentication to be used to authenticate to RDS database instances. With this permission granted, an end user can connect directly to the database using a database client and then perform any operations permitted by the database user account mapped to the RDS IAM authentication role.

Things to consider

  • Currently, entitlement analysis for AWS doesn't examine conditions in IAM policies to determine if access to resources is granted conditionally. Okta doesn't examine AWS Service Control Policies either. Okta Privileged Access only examines the principals in IAM policies to match them against individual users and groups.
  • Entitlement analysis currently only works with Action statements in IAM policies. IAM policies that are broad, such as NotAction policies that grant access to everything except the APIs that are explicitly denied, aren't examined. Policy statements containing NotAction, Deny, and NotResource aren't allowed.
  • If Okta Privileged Access encounters IAM policies it can't process, the job results in an error. This is a deliberate design decision to prevent Okta Privileged Access from reporting false negatives. For example, consider a scenario where Okta Privileged Access shows an access graph indicating that access isn't granted when, in fact, an unsupported IAM policy may be granting access to resources.
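The following Python is an added illustration, not Okta's code, of the two behaviours described above: the Excessive User Access percentage rule from Analysis rules, and the fail-closed handling of unsupported policy elements from Things to consider. The group names, user IDs, ARNs and IAM policy documents are constructed sample data, and the rule model is a simplification that ignores Condition blocks, as the page says the product does.

```python
UNSUPPORTED_KEYS = ("NotAction", "NotResource")

class UnsupportedPolicyError(Exception):
    """Raised so an unevaluated policy fails the job instead of reading as 'no access'."""

def rds_connect_resources(policy):
    """Return the resource ARNs on which an IAM policy document grants rds-db:connect.

    Only Allow statements with explicit Action/Resource values are evaluated; Deny,
    NotAction and NotResource raise. Condition blocks are ignored (access counts as
    granted), matching the page's note that conditions aren't examined.
    """
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or any(k in stmt for k in UNSUPPORTED_KEYS):
            raise UnsupportedPolicyError(f"cannot evaluate statement: {stmt}")
        actions = stmt.get("Action", [])
        if "rds-db:connect" in ([actions] if isinstance(actions, str) else actions):
            resources = stmt.get("Resource", [])
            granted.update([resources] if isinstance(resources, str) else resources)
    return granted


def excessive_user_access(total_users, group_members, group_policies, threshold_pct):
    """Return {resource_arn: (percent_of_users_with_access, at_risk)}."""
    users_by_resource = {}
    for group, policies in group_policies.items():
        for policy in policies:
            for arn in rds_connect_resources(policy):
                users_by_resource.setdefault(arn, set()).update(group_members[group])
    result = {}
    for arn, users in users_by_resource.items():
        pct = 100.0 * len(users) / total_users
        result[arn] = (pct, pct > threshold_pct)
    return result


# Constructed sample data: 10 Okta-provisioned users, two groups, two RDS instances.
ADMIN_DB = "arn:aws:rds-db:us-east-1:111111111111:dbuser:db-ADMINEXAMPLE/admin"
SHARED_DB = "arn:aws:rds-db:us-east-1:111111111111:dbuser:db-SHAREDEXAMPLE/app"
SAMPLE_USERS = {f"user{i}" for i in range(10)}
SAMPLE_GROUPS = {"db-admins": {"user0", "user1"}, "all-staff": set(SAMPLE_USERS)}
SAMPLE_POLICIES = {
    "db-admins": [{"Statement": [{"Effect": "Allow", "Action": "rds-db:connect", "Resource": ADMIN_DB}]}],
    "all-staff": [{"Statement": [{"Effect": "Allow", "Action": ["rds-db:connect"], "Resource": [SHARED_DB]}]}],
}

if __name__ == "__main__":
    for arn, (pct, at_risk) in excessive_user_access(10, SAMPLE_GROUPS, SAMPLE_POLICIES, 50).items():
        print(f"{arn}: {pct:.0f}% of users -> {'At risk' if at_risk else 'OK'}")
```

With a 50% threshold the shared database (reachable by all 10 users) is flagged and the admin database (2 of 10 users) is not; a policy using NotAction stops the run with an error rather than being counted as granting nothing.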

Create an entitlement analysis job

  1. In your Okta Privileged Access dashboard, go to Resource Administration > Entitlement Analysis.
  2. Click Create job.
  3. Enter a name.
  4. Configure resources to discover.
    Setting / Action

    Cloud provider type: The cloud infrastructure provider from which you can discover resources. Currently, only AWS is supported.

    Cloud provider connection: Select one of the connections that you've created. The entitlement analysis job uses the connection to link to the cloud infrastructure provider.

    Accounts: Select one or more accounts. You can select up to 10 accounts.

    Resource type: The type of resources that are discovered inside your IaaS provider account. Currently, only RDS is supported.

    Account resources: Select one of the following:

    • All resources
    • Only resources with names that contain this value. If this option is selected, enter the value that the names of the discovered resources must contain. The field only accepts a single word.
  5. Under the Analysis configuration Excessive User Access, set the threshold percentage.

    The threshold percentage specifies the maximum share of the IaaS application's users that may have access to a resource. If the percentage of users with access to a resource exceeds this threshold, the analysis job marks the resource as At risk. See Analysis rules.

  6. Click Create.

  7. Optional. Select Actions > Run job. When creating a job, you have the option to either run it immediately or run it later.

Run an entitlement analysis job

After creating an entitlement analysis job, you must run the job to retrieve information from your AWS account.

  1. In your Okta Privileged Access dashboard, go to Resource Administration > Entitlement Analysis.

  2. Identify the job that you want to run, and then select Actions > Run job.

After the job runs successfully, the status is updated to completed. You can now view the analysis summary.

Review an entitlement analysis summary

The entitlement analysis summary provides an overview of all permissions for resources that pose a risk to your organization if breached. By clicking a specific resource, you can access a detailed breakdown of user group access to the database in an easy-to-understand relationship graph, including permissions and policies. This graph allows you to quickly pinpoint the source of the risk, and take any necessary action to mitigate it.

  1. In your Okta Privileged Access dashboard, go to Resource Administration > Entitlement Analysis.

  2. Select Actions > View analysis summary.

  3. Click a resource to view the relationship graph.

  4. Click a node to see AWS-related information that you can correlate with your AWS account. For example, clicking the user group node displays all users in the group along with the group's AWS ID.

Related topics

Connect an AWS account

Troubleshoot entitlement analysis