Remediating Cloud Entitlements' Risks from PAM360

With the Cloud Entitlements feature in PAM360, you can identify and address identity-related risks within your AWS account directly from the interface with ease. Any detected risks can be mitigated through a streamlined remediation process, and previously remediated risks can be effortlessly restored using the Revert functionality if needed. Refer to the section below for detailed steps on how to remediate or revert PAM360-defined risks within your AWS account identities.

By the end of this document, you will have a clear understanding of the steps involved in effectively remediating identity risks in your AWS account.

  1. Remediating Cloud Entitlements' Risks
  2. Reverting Cloud Entitlements' Risks

Note: Excessive Privileges and Shadow Admins risks in your AWS account can be remediated or reverted directly from the PAM360 interface. Whereas the remaining pre-defined risks can be remediated from the AWS interface using the detailed steps provided below.


1. Remediating Cloud Entitlements's Risks

The risk remediation options for identity - such as Users, User Groups, and Roles - are accessible in two main ways: through the respective identity tab or the Risks tab.

  1. Navigate to the Risks tab. On the displayed page, select any predefined risk that requires remediation. On the subsequent page, choose the relevant identity to remediate the associated risk.
  2. Alternatively, go directly to the respective identity tab (Users, User Groups, or Roles), use the filter dropdown to choose the specific risk, and select the identity needing remediation.

Once you have accessed the identity details in PAM360, remediation actions for the selected risk are available under the Risks & Remediation tab.

The following sections provide step-by-step instructions for remediating specific risks.

1.1 Remediating the Excessive Privileges Risk

The identities (IAM users and roles) possessing unused permissions are grouped under Excessive Privileges. Holding excess permissions will increase the risk of data exposure when an unauthorized identity gains access to the account. Refer to the section below for the remediation information for the excessive privileges risk.

To automatically remediate the excessive privileges risk from PAM360 for the IAM users or roles in your AWS account, perform the following steps:

  1. From the Risks & Remediation tab, select the Excessive Privileges risk and click the Remediate button.
  2. On the next page, you will find a comparison between the identity's currently attached IAM policy and the PAM360 recommended inline policy. This suggested inline policy retains only essential permissions, removing excessive or unused permissions based on activities tracked during the designated CloudTrail Event Retrieval period.
  3. Click the Remediate button at the bottom of the page.
  4. In the dialog box that appears, confirm your action to remediate the risk and click the Remediate button.

Upon remediation, PAM360 automatically replaces the existing policies with the suggested inline policy in IAM, adhering to the Principle of Least Privilege (PoLP).

To remediate the risk manually from the AWS server using the PAM360 recommended inline policy, perform the following actions:

  1. Copy the PAM360 suggested inline policy from the remediation page.

    Note: Due to AWS inline policy constraints, the inline policy suggested by PAM360 includes policy delimiters (marked as <POLICY_DELIMITER> within the policy displayed in PAM360). When manually remediating the risk, separate the permissions in the copied policy and assign them as individual custom policies in AWS.

  2. Log in to your AWS console using administrator credentials.
  3. Navigate to the IAM dashboard and open the Permissions page for the identity.
  4. Detach all the existing policies and permissions for the IAM user or role.
  5. Select the option to create a new inline policy.
  6. Paste the copied PAM360 suggested inline policy in the JSON editor.
  7. Attach the newly created custom policy to the identity to complete the remediation process.

1.2 Remediating the Shadow Admin Risk

To remediate the Shadow Admin risk from PAM360 for the IAM users, user groups or roles in your AWS account, perform the following steps:

  1. From the Risks & Remediation tab, select the Shadow Admin risk and click the Remediate button.
  2. On the page that appears, you can view the list of toxic permissions that grant administrative privileges to the identity and the PAM360 recommended inline policy to remediate the risk. The toxic permissions that are responsible for the Shadow Admin risk are classified into Individual Toxic Permissions, Toxic Permission Pairs, and Toxic Permission Triads. Refer to the table below for detailed information:
    3. Terms Toxic Permissions

    Individual Toxic Permissions
    • iam:CreatePolicyVersion
    • iam:SetDefaultPolicyVersion
    • iam:CreateAccessKey
    • iam:CreateLoginProfile
    • iam:UpdateLoginProfile
    • iam:AttachUserPolicy
    • iam:AttachGroupPolicy
    • iam:AttachRolePolicy
    • iam:PutUserPolicy
    • iam:PutGroupPolicy
    • iam:PutRolePolicy
    • iam:AddUserToGroup
    • iam:UpdateFunctionCode
    • iam:CreatePolicy
    • iam:DeleteRolePermissionsBoundary
    • iam:DeleteRolePolicy
    • iam:DeleteUserPermissionsBoundary
    • iam:DeleteUserPolicy
    • iam:DetachRolePolicy
    • iam:DetachUserPolicy

    Toxic Permission Pairs
    • iam:UpdateAssumeRolePolicy
      sts:AssumeRole
    • iam:PassRole
      glue:CreateDevEndpoint
    • glue:UpdateDevEndpoint
      glue:GetDevEndpoint(s)
    • iam:PassRole
      cloudformation:CreateStack
    • iam:PassRole
      ec2:AssociateIamInstanceProfile

    Toxic Permission Triads
    • iam:PassRole
      lambda:CreateFunction
      lambda:InvokeFunction
    • iam:PassRole
      lambda:CreateFunction
      lambda:CreateEventSourceMapping
    • iam:PassRole
      datapipeline:CreatePipeline
      datapipeline:PutPipelineDefinition
    • iam:PassRole
      iam:CreateInstanceProfile
      iam:AddRoleToInstanceProfile
    • iam-PassRole
      iam-RemoveRoleFromInstanceProfile
      iam-AddRoleToInstanceProfile

  3. Click the Remediate button at the bottom of the page.
  4. In the dialog box that appears, confirm your action and click the Remediate button.

Upon remediation, the toxic permissions that grant the administrator privileges to the identity will get removed.

To remediate the Shadow Admin risk manually from the AWS server using the PAM360 recommended inline policy, perform the following actions:

  1. Copy the PAM360 suggested inline policy from the remediation page.
  2. Log in to your AWS console using administrator credentials.
  3. Navigate to the IAM dashboard and open the Permissions page for the identity (user, group, or role).
  4. Select the option to create a new custom policy.
  5. Paste the copied PAM360 suggested inline policy in the JSON editor.
  6. Attach the new custom policy to the identity to complete the remediation process.

1.3 Remediating the Non-Rotated Passwords Risk

After identifying the IAM users with non-rotated passwords in your AWS account using PAM360's Cloud Entitlements, you can remediate the risk by resetting password or enforcing password rotation on the next immediate login in AWS. This can be done either from the AWS console or AWS CLI. Refer to the sections below to remediate the risk.

To remediate the risk from the AWS console, perform the following steps:

  1. Log in to your AWS console using administrator credentials.
  2. Navigate to the IAM dashboard and select Users from the left pane.
  3. Select the IAM user from the list to whom you want to enforce password rotation on the next login.
  4. On the page that appears, click the Security credentials tab and navigate to the Console sign-in section.
  5. Click the Manage console access button. In the dialog box that appears, click Reset password.
  6. Under Console password, select either Autogenerated password or Custom password as required and click the Reset password button to reset the password.
  7. To enforce a policy for password rotation, tick the User must create new password at next sign-in checkbox instead of selecting an option beneath the Console password section and click the Reset password button.

To remediate the risk from the AWS CLI, update the user's password settings and mark the password as requires a reset upon the user's next login. To do so, execute the following command:

aws iam update-login-profile --user-name USERNAME --password-reset-required


1.4 Remediating the Non-MFA Users Risk

After identifying the users without MFA in your AWS account using PAM360's Cloud Entitlements, perform the following actions to enable MFA in the AWS server.

  1. Log in to your AWS console using a root user account or IAM user with administrative privileges.
  2. Click Services at the top pane and select IAM from the list.
  3. Select Users from the left pane and click the user account for which you want to enable MFA.
  4. Click the Security credentials tab and select Assign MFA device under the Multi-factor authentication (MFA) section.
  5. On the page that appears, enter a device name and select the authenticator app. Click Add MFA and complete the MFA setup for the IAM user.

For detailed instructions, refer to this document.

1.5 Remediating the Non-Rotated Access Keys Risk

To mitigate the risk posed by non-rotated access keys identified in AWS via PAM360 Cloud Entitlements, it is essential to rotate them. The key rotation process involves generating a new access key, associating it with the IAM user, and then securely deactivating and deleting the old, unrotated key. This process can be done directly via the AWS console or the AWS CLI, ensuring that access keys are regularly updated, thus enhancing security and reducing potential vulnerabilities associated with stale or compromised access keys.

To remediate the risk from the AWS console, perform the following steps:

  1. Log in to your AWS console and navigate to the IAM dashboard.
  2. Click the Users tab from the left pane and select the IAM user from the list.
  3. On the page that appears, switch to the Security credentials tab and click the Create access key button from the Access keys section.
  4. On the next page, select Other and click Next.
  5. Enter any description tag value and click the Create access key button.
  6. Click the Download .csv file button to save the new credentials.
  7. Update all application instances to use the newly created access key. Ensure this key is distributed across all systems that require access, reducing any risk of service disruption during rotation.
  8. Ensure that applications are functioning as expected with the new access key before deleting the old access key.
  9. Now, return to the user configuration page and navigate to Security credentials >> Access keys.
  10. Click the Actions dropdown beside the old access key and select Deactivate.
  11. Click the Actions dropdown again and select Delete.
  12. In the dialog box that appears, enter the access key ID to confirm the deletion and click the Delete button.

Now, you have rotated the access key for the IAM user. Remember to store the access key in a secure location.

To remediate the risk from the AWS CLI, execute the following commands:

  1. Execute the following command to generate a new access key for the user. This will provide a new access key ID and secret access key, which should be securely stored.

    aws iam create-access-key --user-name USERNAME

    Replace USERNAME with the actual IAM username.
  2. Update all the application instances to use the newly created access key. Ensure this key is distributed across all systems that require access, reducing any risk of service disruption during rotation.
  3. Execute the following command to list the access keys associated with the user. This command will display all keys for the user, with each key's status as active or inactive.

    4. aws iam list-access-keys --user-name USERNAME

  4. Once the new key is in use, disable the old access key by executing the following command.

    aws iam update-access-key --access-key-id <OLD_ACCESS_KEY_ID> --status Inactive --user-name USERNAME

    Replace <OLD_ACCESS_KEY_ID> with the actual key ID of the non-rotated access key.
  5. Re-run the list-access-keys command to confirm that the old key is now inactive and the new key remains active.

    6. aws iam list-access-keys --user-name USERNAME

  6. Ensure that applications are functioning as expected with the new access key before deleting the old access key.
  7. Once validated, permanently delete the inactive access key using the following command.

    8. aws iam delete-access-key --access-key-id <OLD_ACCESS_KEY_ID> --user-name USERNAME

Refer to this AWS documentation for more detailed information.

Following any of the access key rotation methods ensures the security and integrity of AWS resources.

Note: PAM360 allows you to secure the access key sharing by following these steps,
1. Import the IAM users into PAM360.
2. Create a File Store and import the new access key as a file.
3. Share the resource with the IAM users.


1.6 Remediating the Inactive Users Risk

To remediate the risk posed by inactive users identified in your AWS account, begin by disabling console access for these users from the AWS console. Assess whether the user’s inactivity requires complete access removal; if yes, proceed by deleting their console access to prevent AWS Management Console access.

To remove console access, delete the user’s login profile using the following command:

aws iam delete-login-profile --user-name USERNAME

For detailed instructions, refer to this document.

1.7 Remediating the Inactive Roles Risk

After identifying the inactive roles in your AWS account using PAM360's Cloud Entitlements, remediate the risk by deleting the IAM role from your AWS server.

To remediate the risk from the AWS console, perform the following steps:

  1. Log in to your AWS console with administrator credentials.
  2. Navigate to the IAM dashboard and select Roles from the left pane.
  3. On the page that appears, select the IAM role that is to be deleted.
  4. Under the Permissions tab, detach/remove all the policies attached to the role.
  5. Above the Summary section, click the Delete button and confirm your action to delete the IAM role.

To remediate the risk from the AWS CLI, execute the following commands:

  1. Execute the following command to list all IAM roles associated with your AWS account. This will help you identify the specific inactive IAM role that is to be deleted.

    aws iam list-roles

  2. Once you have identified the IAM role, execute the following command to list all policies currently attached to it.

    aws iam list-attached-role-policies --role-name ROLE_NAME

  3. Detach each attached policy from the role using the following command. You will need the ARN of each policy to successfully detach it.

    aws iam detach-role-policy --role-name ROLE_NAME --policy-arn POLICY_ARN

    Replace ROLE_NAME with the role name and POLICY_ARN with the ARN of each policy to be detached. Repeat for all policies associated with the role.
  4. After all policies have been detached, delete the IAM role by executing the following command:

    aws iam delete-role --role-name ROLE_NAME

    Ensure that ROLE_NAME is the correct IAM role name. This action permanently deletes the role from your AWS account.

Following any of the remediation methods for inactive roles, ensures the security and integrity of AWS resources.

Important Notes:

  • If an IAM role is actively used by an AWS service (such as an EC2 instance or Lambda function), it may need to be disassociated from the service for a successful deletion process.
  • Exercise caution when deleting roles in your AWS account in IAM, as this action could impact your AWS resources.

2. Reverting the Cloud Entitlements' Risks

PAM360 provides an easy-to-use interface for reviewing and reverting remediated actions, ensuring permissions are always aligned with your organization’s requirements. Reverting a previously remediated risk can be especially valuable in instances where unexpected issues arise due to changes in permissions.

For example, if remediation actions unintentionally remove necessary permissions, they can disrupt ongoing AWS processes or cause applications to stop functioning. Additionally, permissions may need to be reverted due to human error, such as misidentifying critical privileges during the remediation process. The ability to revert mitigated risks quickly in PAM360 helps maintain uninterrupted operations while adjusting permissions as needed.

To revert a remediated risk in PAM360 Cloud Entitlements, follow these steps:

  1. Navigate to the Cloud Entitlements tab and select your AWS account.
  2. Go to the Users, User Groups, or Roles tab and choose the identity for which the remediated risk to be reverted.
  3. From the History tab, select the remediated risk that is to be reverted.

    Note: From the History section, you can view the details of a remediated risk, such as remediation time, reason for remediation, removed policies, attached policies, dissociated user groups, and more.

  4. Click the Revert button next to the risk.
  5. Review the policies or permissions that will be restored to the identity and click the Revert button.
  6. In the window that appears, confirm your action to revert the risk.

    7. Note: Please exercise caution while reverting a risk, as the toxic permissions or policies remediated/removed could be restored to the identity and may trigger the PAM360-defined risks again.

3. Audits and Reports of Cloud Entitlements

PAM360 records all actions performed under Cloud Entitlements management as audits, providing comprehensive tracking. Customizable auditing options and notifications are available for specific operations. Access audits via Audit >> Cloud Entitlements and reports via Reports >> Query Reports >> Cloud Entitlements.

Below is the list of reports that can be generated in PAM360 while managing the cloud entitlements.

  1. Critical-Risk Identities - The list of identities with critical risk.
  2. Identities with Non-MFA User Risks - The list of identities with Non-MFA users.
  3. Identities with Non-Rotated Passwords - The list of identities with non-rotated passwords in the last 90 days.
  4. Identities with Shadow Admin Risks - The list of identities with Shadow Admin risks.
  5. High-Risk Identities - The list of identities with high risks.
  6. Inactive Identities - The list of inactive identities (IAM users and roles) in the AWS account for the past 90 days.
  7. Low-Risk Identities - The list of identities with low risks.
  8. Medium-Risk Identities - The list of identities with medium risks.
  9. Non-Retrieved Accounts - The list of accounts that failed during CloudTrail event retrieval.
  10. Roles with Active Risks - The list of roles with active risks.
  11. Event Retrieval Paused Accounts - The list of CloudTrail event retrieval paused accounts with the last data retrieval details.
  12. User Groups with Active Risks - The list of user groups with active risks.
  13. Users with Active Risks - The list of users with active risks.
Top