Find and Remediate Identity Risks With Datadog CIEM | Datadog

Find and remediate identity risks with Datadog CIEM

Author Rajat Luthra
Author Max Gebhardt

Published: November 27, 2023

Identity and access management (IAM) systems are necessary for authenticating and authorizing access to your environment. However, their mismanagement is one of the leading causes of breaches and insider threats today. Engineering teams must rapidly provision identities and permissions to keep pace with infrastructure growth—consequently, the ratio of non-human or machine identities to every human identity is also increasing at a substantial rate. This complexity makes it difficult to keep IAM configurations up to date and protect your environment against IAM-based attacks.

That’s why we’re excited to announce Datadog Cloud Infrastructure Entitlement Management (CIEM), a new feature of Datadog Cloud Security Management (CSM) that enables you to proactively identify and quickly remediate identity and access risks in your AWS environment (with support planned for other cloud providers) before a threat actor can exploit them. In this post, we’ll show you how Datadog CIEM enables you to secure your infrastructure from IAM-based attacks.

Surface identity risks based on best practices and research

Datadog CIEM enables you to identify and address identity risks in order to reduce their impact. It accomplishes this by leveraging your environment’s current IAM configuration and resource usage—along with the latest industry best practices and attack vectors—to automatically detect and prioritize identity risks for users, roles, groups, policies, EC2 instances, and Lambda functions. The types of risks that Datadog CIEM detects include:

  • Administrative privileges
  • Permissions gaps
  • Large blast radius
  • Privilege escalation
  • Cross-account access

Datadog’s Security Research team routinely curates the list of identity risks that Datadog CIEM detects so that our users can remain proactive in their defenses as new identity-based risks are identified.

As you sort through your IAM risk findings, you can review individual at-risk resources or address one identity risk at a time by grouping all resources (e.g., users, roles, groups, policies) that carry that risk, as seen in the following screenshot.

List of identity risks in CSM

Get deeper insights to efficiently mitigate identity risks

For every identified risk, Datadog CIEM provides a detailed description of the issue and suggested remediation steps. In the following screenshot, Datadog CIEM has identified several IAM roles with unused permissions, which a threat actor can leverage to gain access to your services and resources.

Identity risk detail side panel

Datadog CIEM also provides advanced insights for each identified risk, providing you with additional context for understanding its scope. For example, the following screenshot shows a list of all provisioned permissions for an IAM role that Datadog CIEM has identified as unused.

List of permissions for IAM role

In this example, you can see that several permissions have not been used in the recent past. In these cases, you may want to remove the permissions that are no longer necessary for that role. Roles should be assigned permissions based on the principle of least privilege, which recommends granting only the set of permissions that are needed to accomplish a specific task.

You can see AWS’ suggested remediation steps by clicking the “Fix in AWS” button to navigate to the console. Alternatively, you can click “Remediate” to get a suggested downsized policy based on the actual usage.

Suggested downsized access policy

To create a case and assign the remediation to someone, click on “Create Jira Issue.” To ensure consistent and easy remediation, you can also leverage Workflow Automation to initiate a workflow, with or without human involvement, in response to any identity risk.

Take action on identity risk

Datadog includes several out-of-the-box Workflow Blueprints related to IAM to help you respond to identity-related risks. For example, if you discover an inactive AWS IAM user with excessive privileges, you can initiate a workflow that disables or deletes that user.

Delete/disable IAM role Workflow blueprint

Secure your environment with Datadog Cloud Security Management

Datadog CIEM is now generally available for organizations using AWS—check out our documentation to get started, or head to the Identity Risks Explorer. You can also check out the CSM documentation for more information about getting started with Datadog Cloud Security Management. If you don’t already have a Datadog account, you can sign up for a 14-day today.