Concepts
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This document introduces the concepts behind Shisho Cloud's Cloud Infrastructure Entitlement Management (CIEM) feature. It specifically details the following:
- What you can achieve with Shisho Cloud's CIEM feature
- Key features of Shisho Cloud's CIEM functionality
What You Can Achieve with Shisho Cloud's CIEM Feature
Understand How Permissions Are Granted
Strict permission management based on the Principle of Least Privilege (PoLP) is essential for securing your cloud environment. CIEM (Cloud Infrastructure Entitlement Management) aims to centrally monitor and control identities and access permissions in cloud environments to reduce the risk of unauthorized access and information leakage.
Shisho Cloud's CIEM feature provides detailed and clear visualization of permissions assigned to IAM users, roles, and groups. This helps you identify and correct potential excessive permissions and misconfigurations early, supporting safe and appropriate cloud operations.
Determine Whether Policies Assigned to Entities (Cloud Resources) Are Appropriate
Properly managing the policies assigned to each entity (cloud resource) is important. Excessive permissions or misconfigurations can lead to serious consequences such as resource destruction or information leakage, so each policy needs to be checked continuously against the principle of least privilege.
Shisho Cloud's CIEM feature automatically evaluates the policies assigned to resources, visualizes any risks it detects, and notifies you. This lets you recognize potential risks early and take appropriate corrective action promptly.
Key Features of Shisho Cloud's CIEM Feature
Comprehensive Identity Visualization
The CIEM feature visualizes permissions granted to all IAM entities in your cloud environment:
- Users: Human and service accounts with direct or inherited permissions
- Roles: IAM roles that can be assumed by users, services, or external entities
- Groups: Collections of users with shared permissions
Cross-Account Relationship Visualization
The CIEM feature identifies and lists other accounts (cross-accounts) and the entities that can access resources across account boundaries.
You can also export the entity and cross-account relationship information as CSV.
Enumeration of Entities with Risks
The CIEM feature lists entities that have risky policies, classified into one of four risk levels, together with detailed information about each:

| Risk Level | Description |
|---|---|
| Critical | Entities with administrative privileges or their equivalent, or with dangerous permission combinations |
| High | Entities with high-risk permissions or extensive cross-account access |
| Medium | Entities with relatively sensitive permissions or limited cross-account access |
| Low | Entities with relatively low-risk permissions of limited scope |
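To make the evaluation described above concrete (automatically checking an entity's policies against least privilege, detecting cross-account trust, and placing the entity in one of the four risk levels), here is a small added illustration. It is not Shisho Cloud's own code or rules: the policy documents are constructed AWS-style IAM JSON, and the account number, the "dangerous combination", high-risk and sensitive action lists, and the cross-account thresholds are all assumptions chosen for the example. Deny statements and Condition blocks are deliberately ignored to keep it short.

```python
"""Toy CIEM risk classifier (added example, not Shisho Cloud's logic)."""
import fnmatch

OWN_ACCOUNT = "111111111111"  # assumed: the account whose entities we assess

# Assumed, non-exhaustive lists. All action names are compared lowercase.
DANGEROUS_COMBOS = [                       # classic privilege-escalation sets
    {"iam:passrole", "lambda:createfunction"},
    {"iam:passrole", "ec2:runinstances"},
    {"iam:createpolicyversion"},           # lets an entity rewrite its own policy
]
HIGH_RISK = ["iam:attachuserpolicy", "iam:putuserpolicy", "sts:assumerole", "kms:schedulekeydeletion"]
SENSITIVE = ["s3:getobject", "secretsmanager:getsecretvalue", "ssm:getparameter"]


def _as_list(v):
    """IAM JSON allows a single string or a list in most fields."""
    return v if isinstance(v, list) else [v]


def allowed_actions(policy):
    """Lowercased action patterns from Allow statements (Deny/Condition ignored)."""
    acts = set()
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Allow":
            acts.update(a.lower() for a in _as_list(st.get("Action", [])))
    return acts


def grants(acts, wanted):
    """True if any granted pattern (IAM '*' / '?' wildcards) covers `wanted`."""
    return any(fnmatch.fnmatchcase(wanted, pat) for pat in acts)


def is_admin_equivalent(policy):
    """Allow of '*' or '*:*' on Resource '*' in a single statement."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        acts = {a.lower() for a in _as_list(st.get("Action", []))}
        if acts & {"*", "*:*"} and "*" in set(_as_list(st.get("Resource", []))):
            return True
    return False


def foreign_principals(trust_policy):
    """Account IDs other than OWN_ACCOUNT allowed to assume the role; '*' = anyone."""
    found = set()
    for st in _as_list(trust_policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        if not isinstance(principal, dict):
            continue
        for arn in _as_list(principal.get("AWS", [])):
            if arn == "*":
                found.add("*")
                continue
            acct = arn.split(":")[4] if arn.startswith("arn:") else arn
            if acct != OWN_ACCOUNT:
                found.add(acct)
    return found


def risk_level(policy, trust_policy=None):
    """Map an entity to the page's four levels (thresholds are assumptions)."""
    acts = allowed_actions(policy)
    if is_admin_equivalent(policy):
        return "Critical"
    if any(all(grants(acts, a) for a in combo) for combo in DANGEROUS_COMBOS):
        return "Critical"
    foreign = foreign_principals(trust_policy) if trust_policy else set()
    extensive = "*" in foreign or len(foreign) > 2      # assumed cut-off
    if extensive or any(grants(acts, a) for a in HIGH_RISK):
        return "High"
    if foreign or any(grants(acts, a) for a in SENSITIVE):
        return "Medium"
    return "Low"


# Constructed sample documents (not real customer data).
ADMIN = {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
ESCALATION = {"Statement": [{"Effect": "Allow", "Action": ["iam:PassRole", "lambda:*"], "Resource": "*"}]}
READER = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*"}]}
LISTER = {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::reports"}]}
TRUST_ONE = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                            "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]}
TRUST_ANY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}

if __name__ == "__main__":
    for name, pol, trust in [("admin", ADMIN, None), ("escalation", ESCALATION, None),
                             ("reader", READER, None), ("lister", LISTER, None),
                             ("lister+1acct", LISTER, TRUST_ONE), ("lister+anyone", LISTER, TRUST_ANY)]:
        print(f"{name:14} {risk_level(pol, trust)}")
```

Two points worth noting from the example: "lambda:*" combined with iam:PassRole is flagged Critical even though neither statement alone looks administrative, which is why combinations matter; and the same low-privilege role moves from Low to Medium to High purely on the basis of who is trusted to assume it, so cross-account relationships have to be assessed alongside the permission policy itself.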