Access Discovery

Assess and remediate standing access to improve your cloud security posture

Permanent, always-on permissions to resources (standing access) create security vulnerabilities and complicate access management. Access Discovery helps eliminate unnecessary standing access while ensuring your teams can efficiently request permissions when needed.

Access Discovery analyzes your environment and helps you manage access rights through a two-step process:

Assessment: Automatically identifies and categorizes standing access to reveal where high-risk permissions exist
Remediation: Provides instructions to create access flows and revoke unnecessary standing permissions to improve your security posture

For example, you can identify all production resources with standing access, create an access flow for temporary permissions, and safely revoke permanent access. When team members need access, they can request it through the automated workflow, receive temporary permissions, and automatically have access revoked when their temporary permissions have expired.

Prerequisites

Item

Description

Cloud Environment Integration

At least one cloud environment integration set up with Apono:

AWS Organization
Azure Management Group (coming soon)
GCP Organization (coming soon)

AWS Connector required permission

The role assigned to the Apono connector must have the following permission: ListPermissionSets

Create a new assessment

Follow these steps to assess an integration:

On the Access Discovery page, click New Assessment. The New assessment page appears.
Select a Cloud provider.
(AWS Organization) Select an integration.
Click Assess. The My Assessments page appears with a row for the integration's assessment.

Explore an assessment

Follow these steps to explore an assessment:

On the Access Discovery page, in the row of an integration's assessment, click Explore. The View assessment page appears displaying the access posture and various remediation plans. The following table explains the details displayed for each entitlement.

Column

Description

Entitlements

AWS permission sets per account

Risk Score

Value (1-9) representing the level of risk associated with a specific resource, permission, or entitlement within your environment

Account

Account to which the entitlement is associated

Identities

Number of users assigned to the entitlement

Last Used

Number of days since an identity assigned to the entitlement used the permissions

Remediation Progress

Percentage completion of improving the security posture of the entitlement

(Optional) Filter the listed entitlements by one or several of the following filters.

Accounts

Follow these steps to filter by account:

Click the Accounts dropdown menu.
(Optional) In the Search field, enter a value to filter the list of accounts.
Select one or several accounts. Only the entitlements meeting the criteria will be shown.
Click the top or outside of the dropdown menu to close it.

Entitlements

Follow these steps to filter by entitlement:

Click the Entitlements dropdown menu.
(Optional) In the Search field, enter a value to filter the list of entitlements.
Select one or several entitlements. Only the entitlements meeting the criteria will be shown.
Click the top or outside of the dropdown menu to close it.

Risk Score

Follow these steps to filter by risk score:

Click the Risk Score dropdown menu.
(Optional) In the Search field, enter a value to filter the list of risk scores.
Select one or several risk scores. Only the entitlements meeting the criteria will be shown.
Click the top or outside of the dropdown menu to close it.

In Access Flow

Follow these steps to display only entitlements in an access flow:

Click the In Access Flow dropdown menu.
Select Yes or No. Only the entitlements meeting this criterion will be shown.
Click the top or outside of the dropdown menu to close it.

Revoked

Follow these steps to filter by revoked status:

Click the Revoked dropdown menu.
Select Yes or No. Only the entitlements meeting this criterion will be shown.
Click the top or outside of the dropdown menu to close it.

Click the row of the entitlement. The Entitlement Details panel opens. The following table explains the content displayed in the Identities section.

Column

Description

Identity

Name of the user

Relationship

Manner through which the identity is associated to the entitlement

An identity may be associated directly or through membership within a group

Last Used

Number of days since the identity used the entitlement

Step 1

Indicates the first step (access flow creation) of the remediation process has been completed

Step 2

Indicates the second step (standing access removal) of the remediation process has been completed

Click the X in the top right corner of the panel to close the panel.

Remediate access

Follow these steps to remediate an entitlement:

On the Access Discovery page, in the row of an integration's assessment, click Explore. The View assessment page appears displaying the access posture and various remediation plans.

Element

Description

Access Posture

Value between 0-100 representing the overall security state of your cloud environment, focusing on the prevalence of standing access across your resources

As you replace standing access with just-in-time access flow, your access posture improves.

Tiers Tiles

Tiles each representing a tier of risk

Each tile displays the following information:

Risk tier: Critical, High, Medium, or Low
Numerical impact on the access posture score
Number of affected entitlements
Button providing access to the remediation plan for the specific tier

On one of the four tier cards, click Remediation Plan. The Remediation Plan popup window appears.
In the Step 1 tile, click Create Now. The Create Access Flow page appears with a prepopulated access flow.

With the exception of the Grant for section, other sections in the access flow cannot be edited.

Under Grant for, you can adjust the access duration and choose a different approver.
Click Create Access Flow.
Click Back To Assessment. The Remediation Plan popup window reappears with a checkmark indicator in the Step 1 tile.
In the Step 2 tile, click Revoke Access. The Revoke standing access page appears.
(Optional) Filter the entitlement list by one or several of the following filters.

Account

Follow these steps to filter by account:

Click the Account dropdown menu.
(Optional) In the Search field, enter a value to filter the list of accounts.
Select one or several accounts. Only the entitlements meeting the criteria will be shown.
Click the top or outside of the dropdown menu to close it.

Entitlement

Follow these steps to filter by entitlement:

Click the Account dropdown menu.
(Optional) In the Search field, enter a value to filter the list of entitlements.
Select one or several entitlements. Only the entitlements meeting the criteria will be shown.
Click the top or outside of the dropdown menu to close it.

Risk Score

Follow these steps to filter by risk score:

Click the Risk Score dropdown menu.
(Optional) In the Search field, enter a value to filter the list of risk scores.
Select one or several risk scores. Only the entitlements meeting the criteria will be shown.
Click the top or outside of the dropdown menu to close it.

Select one or several entitlements.
Click Revoke. The Revoke standing access popup window appears.
Follow the instructions to revoke standing access for the selected entitlements with AWS CLI.
On the Revoke standing access popup window, click Reassess. The View assessment page for the integration will appear and display your improved access posture score.

The rows of the select entitlements will have green bars in the Remediation Progress column indicating the completion of the remediation process.

If other tiers need to be remediated, repeat steps 2-12.

PreviousGetting started NextIntegrating with Apono

Last updated 1 day ago

Was this helpful?