
Identify and remediate permission gaps in AWS with Datadog CIEM and AWS IAM Access Analyzer

Authors: Rajat Luthra, Kevin Cao

Published: June 26, 2024

Identity and access management (IAM) is one of the key security challenges in cloud environments. Because of the complexity of these systems and the large number of user accounts associated with them, managing permissions can be difficult, often leading to excessive privileges for many users and workloads.

AWS IAM Access Analyzer is a service that identifies overprivileged resources in your AWS environment and validates your IAM policies against established best practices. We’re excited to announce that Datadog Cloud Infrastructure Entitlement Management (CIEM) now integrates with AWS IAM Access Analyzer to help you detect permission gaps in your cloud infrastructure and determine next steps for remediation.

In this post, we’ll show you how you can use Datadog CIEM to discover unused access findings from AWS IAM Access Analyzer and identify concrete steps to remediate these risks.

Discover and remediate unused access findings from AWS IAM Access Analyzer

Datadog CIEM (or CSM Identity Risks) helps you identify and address entitlement risks across your cloud environment. It continually scans your cloud infrastructure to surface issues such as lingering administrative privileges, privilege escalations, permission gaps, large blast radii, and cross-account access. For quick remediation, it suggests downsized policies and remediation steps that utilize Datadog Workflow Automation, alongside links to cloud consoles where you can access any resources needed to take these actions.

Now, Datadog CIEM’s integration with AWS IAM Access Analyzer allows you to see unused access findings directly in Datadog. These findings from AWS IAM Access Analyzer surface unused roles, credentials, and permissions across your AWS organization and accounts, which can create risk in your environment by granting excessive access to sensitive cloud resources. Datadog CIEM uses this context from AWS to detect permission gaps and recommend specific downsized policies to remediate these risks.

For example, Datadog CIEM’s detection “AWS IAM user has a large permissions gap” is triggered when AWS IAM Access Analyzer reports actions granted to the user that have gone unused for as long as 180 days.

Identity Risks with AWS IAM Access Analyzer insights in Datadog CIEM

When a finding is detected, Datadog CIEM then suggests a comprehensive downsized policy that incorporates all of AWS IAM Access Analyzer’s unused access detections, so you can mitigate permission gaps across your entire environment by adopting the suggested policy.

Suggested downsized permissions policy in Datadog CIEM
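To make the permission-gap calculation concrete, the following is an added example (not Datadog’s or AWS’s own code) that takes an IAM identity policy plus unused-access findings and computes a downsized policy by dropping the actions the findings report as unused. The policy, the findings and the finding field names are constructed for illustration; the field names only approximate the shape of Access Analyzer’s UnusedPermission finding details.

```python
import json
# Constructed sample: the identity-based policy currently attached to an IAM user.
CURRENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "arn:aws:s3:::app-bucket/*",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances", "ec2:Describe*"]},
    ],
}

# Constructed findings in a shape approximating Access Analyzer's UnusedPermission
# finding details (a service namespace plus the actions that went unused).
UNUSED_FINDINGS = [
    {"findingType": "UnusedPermission", "serviceNamespace": "s3",
     "actions": [{"action": "DeleteBucket"}]},
    {"findingType": "UnusedPermission", "serviceNamespace": "ec2",
     "actions": [{"action": "TerminateInstances"}]},
]

def unused_actions(findings):
    """Flatten findings into a set of lower-cased 'service:Action' names
    (IAM action names are matched case-insensitively)."""
    out = set()
    for f in findings:
        if f.get("findingType") == "UnusedPermission":
            for a in f.get("actions", []):
                out.add(f"{f['serviceNamespace']}:{a['action']}".lower())
    return out

def downsize_policy(policy, findings):
    """Return (new_policy, removed, wildcards): unused actions are dropped from
    Allow statements, empty statements are deleted, and wildcard actions are kept
    but reported, since a finding names concrete actions, not expansions."""
    unused = unused_actions(findings)
    new_policy = json.loads(json.dumps(policy))  # work on a copy
    removed, wildcards, statements = [], [], []
    for stmt in new_policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") == "Allow":  # never trim a Deny statement
            wildcards += [a for a in acts if "*" in a]
            removed += [a for a in acts if "*" not in a and a.lower() in unused]
            acts = [a for a in acts if "*" in a or a.lower() not in unused]
        if acts:
            stmt["Action"] = acts
            statements.append(stmt)
    new_policy["Statement"] = statements
    return new_policy, sorted(removed), wildcards
```

The wildcard list is the part to review by hand before adopting the result, since an unused-action finding says nothing about which other actions a wildcard expands to.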

Start enriching your identity risk detections today

If you are already using Datadog CIEM and have AWS IAM Access Analyzer enabled, Datadog will automatically start enriching your detections with insights from Access Analyzer. If you don’t have AWS IAM Access Analyzer enabled, use these AWS instructions to get started.

Datadog CIEM’s integration with AWS IAM Access Analyzer provides comprehensive visibility into identity risks across your AWS environment. If you’re new to Datadog, you can get started today with a 14-day .