# Risk Scores

A **risk score** is a rating that indicates the potential security impact of a resource and its entitlements. These scores provide an efficient way to evaluate and manage access risk across your cloud infrastructure by assessing both resource sensitivity and permission levels.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfRXATHRA1_JSrrMx9edMtsOEwfHQkj34HPyiYoT1F-IjgFlBkLLvGOkXLY6N5vscS1NrYiWTVS0AWVQ5Gypy2So48XYJ1htu5vLAZg6cSSnRnRyklxFkuNDW2WhU-37db6S1pDsA?key=_3makn3Y7Te3ioDEkfJtD7Eu" alt="" width="563"><figcaption><p>Inventory page with risk scores</p></figcaption></figure>

Risk scores fall into one of three levels.

<table><thead><tr><th width="202">Level (Score)</th><th>Description</th></tr></thead><tbody><tr><td><strong>High (7-9)</strong></td><td>Access that has the potential to cause significant business impact</td></tr><tr><td><strong>Medium (4-6)</strong></td><td>Access used for routine day-to-day activities with limited business impact</td></tr><tr><td><strong>Low (1-3)</strong></td><td>Typically, read-only access with little or no business impact</td></tr></tbody></table>

You can use these scores to build access flows with appropriate controls and maintain a robust security posture across all cloud environments:

* Set appropriate access controls
* Require multi-factor authentication
* Define administrative approval workflows
* Shorten access durations

***

### Score Calculation Defaults

By default, Apono uses best-practice security criteria to calculate a risk score.

{% hint style="success" %}
You can work with your Apono representative to tailor the criteria of the risk score calculation to meet your specific business needs.
{% endhint %}

<table><thead><tr><th width="203">Risk Score Criteria</th><th>Description</th></tr></thead><tbody><tr><td><strong>Resource Sensitivity</strong></td><td><p>Considers what is being accessed</p><p>Apono determines the sensitivity of a resource by analyzing the following information:</p><ul><li><strong>Resource names</strong>: Keywords such as <em>Customer</em>, <em>Production</em>, or <em>Sensitive</em></li><li><strong>Cloud-sourced tags</strong>: Tags such as PHI (personal health information)</li><li><strong>Environmental context</strong>: Location in sensitive or production environments</li></ul></td></tr><tr><td><strong>Permission Level</strong></td><td><p>Considers the level of access granted</p><p>Apono uses the following guidance to rank the permission level of a role:</p><ul><li><strong>High</strong>: Administrator, owner, full access permissions</li><li><strong>Medium</strong>: Contributor, edit permissions</li><li><strong>Low</strong>: Read-only, viewer permissions</li></ul></td></tr></tbody></table>

For example, a production database with full administrator access would receive a **High** combined risk score. Conversely, a sandbox environment with read-only access would likely receive a combined **Low** risk score.
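To make the two criteria concrete, here is an added Python example (not Apono's code) that ranks a resource and a role the way the table above describes and combines them into a 1-9 score. The keyword and tag lists, the rule that one matching sensitivity signal means Medium and two or more mean High, and the matrix that combines the two ranks are assumptions for illustration; Apono's actual weighting is not documented on this page.

```python
from dataclasses import dataclass, field

# Constructed sample signal lists; Apono's real keyword and tag lists are not documented here.
SENSITIVE_KEYWORDS = ("customer", "production", "prod", "sensitive")
SENSITIVE_TAGS = {"phi", "pii"}
PRODUCTION_ENVS = {"production", "prod"}
HIGH_PERMS = ("administrator", "admin", "owner", "full access")
MEDIUM_PERMS = ("contributor", "edit")
# Assumed combination matrix, indexed [permission_rank - 1][sensitivity_rank - 1];
# rows are permission Low/Medium/High, columns are sensitivity Low/Medium/High.
SCORE_MATRIX = ([1, 2, 3], [2, 4, 6], [4, 6, 9])

@dataclass
class Resource:
    name: str
    tags: set = field(default_factory=set)
    environment: str = ""

def sensitivity_rank(res: Resource) -> int:
    """Rank 1-3 from the table's three signals (name keywords, cloud tags, environment).
    Assumption: one matching signal means Medium, two or more mean High."""
    signals = any(k in res.name.lower() for k in SENSITIVE_KEYWORDS)
    signals += bool({t.lower() for t in res.tags} & SENSITIVE_TAGS)
    signals += res.environment.lower() in PRODUCTION_ENVS
    return 1 + min(int(signals), 2)

def permission_rank(role: str) -> int:
    """Rank a role per the table: admin/owner/full access = 3, contributor/edit = 2, else 1."""
    r = role.lower()
    if any(p in r for p in HIGH_PERMS):
        return 3
    return 2 if any(p in r for p in MEDIUM_PERMS) else 1

def risk_score(res: Resource, role: str) -> int:
    """Combine sensitivity and permission ranks into a 1-9 score via the assumed matrix."""
    return SCORE_MATRIX[permission_rank(role) - 1][sensitivity_rank(res) - 1]

def risk_level(score: int) -> str:
    """Map a score onto the page's bands: High 7-9, Medium 4-6, Low 1-3."""
    return "High" if score >= 7 else "Medium" if score >= 4 else "Low"

if __name__ == "__main__":
    prod_db = Resource("customer-orders-db", {"PHI"}, "production")
    for res, role in ((prod_db, "Administrator"), (Resource("sandbox-playground"), "Viewer")):
        s = risk_score(res, role)
        print(f"{res.name} / {role}: {s} ({risk_level(s)})")
```

The production database with administrator access lands on 9 (High) and the sandbox with viewer access on 1 (Low), matching the two cases described above.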

***

### View risk scores

#### Resource Risk Level

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcXf6qfl1XZw5mLinBiu08Jgx8VSXEiGF3KoRPYCICzcJoHe9HGQVSdH2F_EErB86X62eKaysYtm7pi8SwemsMtBJM0wv5JxWV6MXjetS90VbU9l4cf7sxhWPVhQvsHxT7kyZ88fg?key=_3makn3Y7Te3ioDEkfJtD7Eu" alt="" width="563"><figcaption><p>Resource Details tab</p></figcaption></figure>

Follow these steps to view the resource risk level:

1. On the [**Inventory**](https://app.apono.io/inventory) page, click the row of a resource. The **Entitlement Details** panel opens.
2. Click the **Resource Details** tab. In the **Risk Level** row, the resource risk is displayed.

#### Entitlement Risk Level

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdN06-DsDQS098eAB4l5JcP8avjP0wNlN12zXAJbPJ13U853jFjvYY00ThWkT-kEmAvYDSS6N3g-Z3rVdCgRBqWABGz2Z12yeIuMFA9i6SeEuOMqBlPyMr_DbZYCJggiD88Ifly?key=_3makn3Y7Te3ioDEkfJtD7Eu" alt="" width="563"><figcaption><p>Entitlements tab</p></figcaption></figure>

Follow these steps to view the risk level of each entitlement:

1. On the [**Inventory**](https://app.apono.io/inventory) page, click the row of a resource. The **Entitlement Details** panel opens.
2. Click **Entitlements**. In the **Risk Score** column, the entitlement risk is displayed.

***

### Build a risk score access flow

Follow these steps to build a risk score access flow:

1. On the [**Inventory**](https://app.apono.io/inventory) page, [filter the list of resources](https://docs.apono.io/docs/inventory#filter-resources) by **Resource Risk Level**, **Permission Risk Level**, or both.
2. [Create an access scope](https://docs.apono.io/docs/access-scopes#create-an-access-scope).
3. Click **Use in access flow**. The **Select Access Flow for Scope** popup window appears.
4. Click **Create New Access Flow**. The **Create Access Flow** page appears with the access flow pre-populated.
5. (Optional) Set [multi-factor authentication](https://docs.apono.io/docs/architecture-and-security/multi-factor-authentication).
6. Continue to build a [Self Serve access flow](https://docs.apono.io/docs/access-flows/creating-access-flows-in-apono/self-serve-access-flows).

***

### Use Case: High-Risk Entitlements

Consider a critical incident response scenario where your team needs to investigate performance issues across multiple customer-facing production databases and their supporting infrastructure. This troubleshooting effort requires administrative access to ten high-risk resources, including production databases, authentication services, and API gateways.

Without risk scoring, coordinating secure access to these critical systems would require managing multiple separate permissions, each with its own approval process and security controls. This fragmented approach could delay incident response and create security gaps.

By leveraging risk scores, you can quickly identify the relevant high-risk entitlements, create a single access scope, and implement a unified access flow with appropriate security guardrails:

* Require multi-factor authentication for all access attempts
* Limit the access duration to a 4-hour troubleshooting window
* Enforce administrative approval before granting access
* Automatically revoke all permissions when the time window expires
