With Security Command Center's Cloud Infrastructure Entitlement Management (CIEM) capabilities, you can manage which identities have access to which resources in your deployments on multiple cloud platforms and mitigate potential vulnerabilities that result from misconfigurations.
Security Command Center's CIEM capabilities provide a comprehensive view of the security of your identity and access configuration. Specifically, the following CIEM features help you identify misconfigurations and enforce the principle of least privilege:
- Detection of potential identity and access misconfigurations in your deployments on multiple cloud platforms, including Google Cloud, Amazon Web Services (AWS), and Microsoft Azure (Preview).
- Identification of vulnerability findings that provide insight into the roles that are granted to principals in your Google Cloud, AWS, and Microsoft Azure (Preview) environments. This includes federated identities from other identity providers—like Entra ID (Azure AD), Okta, and on-premises Active Directory—for Google Cloud and AWS IAM Identity Center.
- Guidance on how to remediate misconfigurations, such as removing permissions from a principal with excess permissions.
- Case management to efficiently track misconfiguration remediation efforts using cases in Security Command Center Enterprise or other ticket management systems.
Manage identity and access security issues with CIEM
The following sections describe the CIEM capabilities that help you manage identity and access misconfigurations.
Quick access to identity and access findings
Security issues often arise due to undetected identity and access misconfigurations such as highly privileged principals, dormant identities, unrotated service account keys, and a lack of multifactor authentication.
CIEM generates findings that help alert you to potential identity and access security issues across your cloud environments. Many different Security Command Center services (such as IAM recommender, Security Health Analytics, and CIEM) produce the identity and access findings that are considered part of Security Command Center's CIEM capabilities. For example, the CIEM detection service itself produces a subset of identity and access findings for AWS and Microsoft Azure (Preview) that alert you to highly privileged roles, groups, and users.
On the Standard and Standard-legacy tiers, CIEM provides recommendations for Google Cloud basic roles only. For details, see the IAM recommender features.
To learn how to investigate identity and access findings to understand your identity and access security, see Investigate identity and access findings.
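As an added example (not Google's or CIEM's own detection logic), the following Python script applies three of the misconfiguration checks named above to constructed sample data: a principal bound directly to a basic role, a user-managed service account key older than an assumed 90-day rotation window, and a principal with no authentication inside an assumed 90-day inactivity window. The project name, e-mail addresses, key record, and timestamps are placeholders; the last-authentication data is constructed rather than pulled from a real source.

```python
from datetime import datetime, timedelta, timezone

# Thresholds and the fixed clock are assumptions for this example, not CIEM's own values.
BASIC_ROLES = {"roles/owner", "roles/editor"}     # basic roles treated as highly privileged here
KEY_MAX_AGE = timedelta(days=90)                  # service account key rotation window
DORMANT_AFTER = timedelta(days=90)                # inactivity window for a dormant identity
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample inputs in the JSON shape of `gcloud projects get-iam-policy` and
# `gcloud iam service-accounts keys list`; "example-project" and the addresses are placeholders.
CI_SA = "serviceAccount:ci@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com", CI_SA]},
    {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
]}
SAMPLE_KEYS = [{"name": "projects/example-project/serviceAccounts/ci@example-project"
                        ".iam.gserviceaccount.com/keys/k1",
                "keyType": "USER_MANAGED", "validAfterTime": "2023-01-15T00:00:00Z"}]
# Last successful authentication per principal (constructed; in practice from audit logs).
SAMPLE_LAST_AUTH = {"user:alice@example.com": "2024-05-20T00:00:00Z", CI_SA: "2023-12-01T00:00:00Z"}

def parse_ts(value):
    """Parse the RFC 3339 UTC timestamps that gcloud emits."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_issues(policy, keys, last_auth, now=NOW):
    """Return (category, subject, detail) tuples for every misconfiguration found."""
    findings = []
    # Highly privileged principals: any member bound directly to a basic role.
    for binding in policy.get("bindings", []):
        if binding["role"] in BASIC_ROLES:
            for member in binding["members"]:
                findings.append(("HIGHLY_PRIVILEGED", member, binding["role"]))
    # Unrotated keys: only user-managed keys are the customer's to rotate.
    for key in keys:
        age = now - parse_ts(key["validAfterTime"])
        if key.get("keyType") == "USER_MANAGED" and age > KEY_MAX_AGE:
            findings.append(("UNROTATED_KEY", key["name"], f"{age.days} days old"))
    # Dormant identities: no authentication inside the inactivity window.
    for principal, seen in last_auth.items():
        idle = now - parse_ts(seen)
        if idle > DORMANT_AFTER:
            findings.append(("DORMANT_IDENTITY", principal, f"{idle.days} days idle"))
    return findings

if __name__ == "__main__":
    for category, subject, detail in find_issues(SAMPLE_POLICY, SAMPLE_KEYS, SAMPLE_LAST_AUTH):
        print(f"{category:18} {subject}  ({detail})")
```

The lack-of-MFA check mentioned above is not covered, because it needs per-user MFA enrollment state that has no equivalent in these inputs.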
Discovery of federated identities' permissions
CIEM helps provide a more granular view of the security of your identity and access configurations by providing insight into the permissions of federated identities from other identity providers, such as Entra ID (Azure AD), Okta, and on-premises Active Directory. CIEM helps identify federated identities with roles that have excess permissions on your Google Cloud resources. Cloud Infrastructure Entitlement Management can also be used with AWS IAM Identity Center to expose vulnerabilities in federated identities on AWS resources.
You can view offending access grants and recommended remediations directly from the Security Command Center Findings page. For more information on offending access grants in findings, see Offending access grants.
Google Cloud IAM lets you investigate the permissions of principals from other identity providers on the IAM page in the Google Cloud console.
Remediation and tracking using cases
Security teams working with multicloud infrastructure often struggle to remediate identity and access misconfigurations at scale. Security Command Center provides you with remediation guidance through case management, response playbooks, and security operations capabilities.
To learn more about reviewing findings cases, see Review cases for identity and access issues.
What's next
- Learn how to enable the CIEM detection service.
- Learn how to investigate identity and access findings.
- Learn how to review cases for identity and access issues.
- Learn more about the IAM recommender functionality that powers CIEM.