Cloud Infrastructure Entitlement Management (CIEM)
Infracast's CIEM module provides comprehensive IAM security analysis across AWS, Azure, and GCP. It identifies overprivileged identities, stale credentials, and privilege escalation risks.
Overview
IAM misconfigurations are the #1 cause of cloud breaches. Infracast automatically analyzes your identity landscape and surfaces:
- Admin Sprawl — Too many accounts with administrator access
- Overprivilege — Wildcard permissions (`*:*`) granting excessive access
- Stale Credentials — Access keys and passwords not rotated
- Unused Identities — Accounts with no recent activity
- Cross-Account Trust — Risky trust relationships between accounts
- Privilege Escalation Paths — Combinations that allow privilege escalation
Supported Providers
| Provider | Identity Types |
|---|---|
| AWS | IAM Users, Roles, Groups, Policies, Permission Boundaries |
| Azure | Entra ID Users, Groups, Service Principals, Role Assignments |
| GCP | IAM Members, Service Accounts, Role Bindings |
Finding Types
Admin Sprawl
Detects identities with administrator-level access:
- AWS: `AdministratorAccess`, `PowerUserAccess` policies
- Azure: `Owner`, `Contributor` roles
- GCP: `roles/owner`, `roles/editor`
Severity: HIGH (CRITICAL for Owner)
Overprivilege
Identifies policies with wildcard permissions:
- `"Action": "*"` — All actions allowed
- `"Resource": "*"` — All resources accessible
Severity: HIGH
Stale Credentials
Flags credentials not rotated within security best practices:
- Access keys > 90 days old (HIGH if > 180 days)
- Passwords not changed in compliance window
Severity: MEDIUM to HIGH
Unused Permissions
Detects identities with no recent activity:
- No API calls in 90+ days
- Candidates for removal or access reduction
Severity: MEDIUM
Cross-Account Trust
Identifies IAM roles that can be assumed by external accounts:
- Trust policies referencing external AWS account IDs
- Missing external ID conditions for third-party access
Severity: MEDIUM
Service Account Risks
GCP-specific checks for service accounts:
- User-managed keys (can be exfiltrated)
- Recommendation: Use workload identity federation
Severity: MEDIUM
Privilege Escalation
Detects dangerous permission combinations:
- `iam:PassRole` with wildcard resources
- Ability to create/modify IAM policies
- Can modify role trust policies
Severity: HIGH to CRITICAL
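As an added example (not Infracast's own code), the following applies the Overprivilege, Stale Credentials and Privilege Escalation rules from the sections above to an AWS IAM policy document and access-key age. The sample policy and key date are constructed, and the split of "HIGH to CRITICAL" (PassRole on a wildcard resource is HIGH, policy or trust-policy write rights are CRITICAL) is an assumption made here, not the product's documented mapping.

```python
from datetime import datetime, timezone
from typing import Optional

# Actions the page describes as "create/modify IAM policies" and "modify role
# trust policies" (real IAM action names; CRITICAL mapping is this example's choice).
POLICY_WRITE_ACTIONS = {"iam:createpolicyversion", "iam:putrolepolicy",
                        "iam:attachrolepolicy", "iam:updateassumerolepolicy"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _granted(actions, name):
    """True if lower-cased `actions` grant `name` directly or via a wildcard."""
    service = name.split(":")[0]
    return any(a in ("*", "*:*", f"{service}:*", name) for a in actions)

def check_policy(policy: dict) -> list:
    """Overprivilege and Privilege Escalation findings for one policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        wildcard_resource = "*" in _as_list(stmt.get("Resource", []))
        if "*" in actions or "*:*" in actions or wildcard_resource:
            findings.append({"type": "Overprivilege", "severity": "HIGH", "statement": i})
        if wildcard_resource and _granted(actions, "iam:passrole"):
            findings.append({"type": "PrivilegeEscalation", "severity": "HIGH",
                             "statement": i, "detail": "iam:PassRole on wildcard resource"})
        if any(_granted(actions, a) for a in POLICY_WRITE_ACTIONS):
            findings.append({"type": "PrivilegeEscalation", "severity": "CRITICAL",
                             "statement": i, "detail": "can modify IAM or trust policies"})
    return findings

def check_access_key(created: datetime, now: datetime) -> Optional[dict]:
    """Key older than 90 days is stale: HIGH above 180 days, otherwise MEDIUM."""
    age = (now - created).days
    if age <= 90:
        return None
    return {"type": "StaleCredentials", "age_days": age,
            "severity": "HIGH" if age > 180 else "MEDIUM"}

# Constructed sample input: PassRole on any role plus a scoped S3 read, and an old key.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"},
]}
SAMPLE_KEY_CREATED = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY):
        print(finding)
    print(check_access_key(SAMPLE_KEY_CREATED, datetime(2024, 8, 1, tzinfo=timezone.utc)))
```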
Risk Scoring
Each finding includes a risk score (0-100) based on:
- Severity of the misconfiguration
- Blast radius (how many resources affected)
- Exploitability
Using the CIEM Dashboard
- Navigate to CIEM in the sidebar
- View summary statistics:
  - Total identities across providers
  - Admin account count
  - Overprivileged identities
  - Stale credentials
- Filter findings by severity, provider, or search term
- Click a finding to see details and remediation guidance
API Endpoints
Get CIEM Findings
`GET /api/v1/tenants/{tenantID}/ciem/findings`
Returns all CIEM findings with summary statistics.
Get CIEM Summary
`GET /api/v1/tenants/{tenantID}/ciem/summary`
Returns just the summary (faster for dashboards).
Get Identity Details
`GET /api/v1/tenants/{tenantID}/ciem/identities/{identityID}`
Returns detailed CIEM analysis for a specific identity.
Best Practices
- Review Admin Access Monthly — Validate that administrator accounts are still needed
- Rotate Credentials — Set up automated key rotation (AWS: 90 days recommended)
- Remove Unused Identities — Delete accounts with no activity in 90+ days
- Avoid Wildcards — Replace `*` with specific actions and resources
- Use Roles, Not Keys — Prefer IAM roles over long-lived access keys
- Enable MFA — Require MFA for all human users with console access
Compliance Mapping
CIEM findings map to compliance controls:
| Framework | Controls |
|---|---|
| NIST 800-53 | AC-2, AC-3, AC-6 (Least Privilege) |
| CIS AWS | 1.16–1.22 (IAM Benchmarks) |
| SOC 2 | CC6.1, CC6.3 (Logical Access) |
| CMMC | AC.L2-3.1.5–3.1.7 |