diff --git a/docs/en/enterprise-edition/content-collections/administration/configure-iam-security/azure-cloud-identity-inventory.adoc b/docs/en/enterprise-edition/content-collections/administration/configure-iam-security/azure-cloud-identity-inventory.adoc index 2caa753674..bc1aa31f93 100644 --- a/docs/en/enterprise-edition/content-collections/administration/configure-iam-security/azure-cloud-identity-inventory.adoc +++ b/docs/en/enterprise-edition/content-collections/administration/configure-iam-security/azure-cloud-identity-inventory.adoc @@ -1,6 +1,6 @@ == Azure Cloud Identity Inventory -Prisma Cloud surfaces detailed information on IAM access in your cloud environment to give you greater visibility into Azure roles, groups, service principals, and managed identities. This offers you the opportunity to enforce least privileged access by removing unused privileges and restricting permissions within existing Azure roles, groups, service principals, and managed identities. +Prisma Cloud surfaces detailed information on IAM access in your cloud environment to give you greater visibility into Azure roles, groups, service principals, and managed identities. This offers you the opportunity to enforce least privileged access by removing unused privileges and restricting permissions within existing Azure roles, groups, and service principals. === IAM Details View @@ -19,27 +19,14 @@ Click on any asset to view more detailed information. Choose *Identity* from the |Group membership - Lists users assigned to the group and last access information for users -Policies - Lists policies associated with the group and last access information +Roles - Lists roles associated with the group and last access information -Granted Policies - Managed and Inline |Service Principal |Trust relationships - Lists resources or services assigned to a role, includes last access permission data -Policies - Lists policies attached to the role and last access information - -Trusted Entities - User, Role, SAML Provider, OIDC Provider, Lambda function, ECS, IDP - -Granted Policies - Managed and Inline - -|Managed Identities - -|Role specific - Lists roles associated with a policy and last access data - -Group specific - Lists groups associated with a policy and last access information - -Resource specific - Lists resources (users) directly attached to the policy and last access data +Roles - Lists roles associated with the group and last access information |=== @@ -49,7 +36,7 @@ Resource specific - Lists resources (users) directly attached to the policy and Limit over-privileged access by right-sizing permissions for Azure Groups, Service Principals and Managed Identities. The *Suggest Least Privilege Access* wizard helps you remediate overly permissive access by helping you: * Create a new policy for a Group, Service Principals or Managed Identity that includes all the permissions required by its members. -* Repurpose existing policies that already contain the minimum required permissions for any given Group or Role. +* Repurpose existing roles that already contain the minimum required permissions for any given Group or Role. Follow the steps below to use the *Suggest Least Privilege Access* wizard: @@ -57,16 +44,16 @@ Follow the steps below to use the *Suggest Least Privilege Access* wizard: . Select the Assets side panel from the Alerts, Inventory, or Investigate page. Click *Identity* on the side panel navigation menu and select *Suggest Least Privilege Access*. . The *Suggest Least Privilege Access* wizard allows you to set the period of time after which a permission will be considered be “unused”, for a particular asset. Move the slider to any defined time limit of your choice. By default, the slider is set at 90 days and options ranging 1 day to 2 years are available. Last access days are calculated from the day IAM is enabled in your environment. . Next, create a customized IAM policy in your preferred output format: -.. Select *Create New Azure Policy* to generate a file with code to create a new Custom policy, including all used permissions. Supported policy types include Managed, Custom, and Inline. The following output formats are avaiable: +.. Select *Create New Azure Role* to generate a file with code to create a new Custom policy, including all used permissions. Supported policy types include Custom, and Inline. The following output formats are avaiable: *JSON *Terraform *Cloud Formation -.. Select *Reuse Existing Azure Policy* to repurpose an existing Managed or Custom policy. Choose from one of the following output options: +.. Select *Reuse Existing Azure Role* to repurpose an existing Custom policy. Choose from one of the following output options: * Terraform file with existing minimum required permissions. -* List of policies with the appropriate minimum permissions. +* List of roles with the appropriate minimum permissions. + [NOTE] ==== -Only policies with no conditions applied and the parameters `Effect = ’Allow’ and Resource = ‘*’` can be considered for reuse. +Only roles with no conditions applied and the parameters `Effect = ’Allow’ and Resource = ‘*’` can be considered for reuse. ==== . Select the *Summary* tab to view and download the code for your custom policy. If you opted to reuse a policy, select *Download File* to download the Terraform file or click on any listed policy to reuse it.