# IAM Security Controls to Protect Cloud Entitlements

By [Jonathan Bregman](https://www.paloaltonetworks.com/blog/author/jonathan-bregman/?ts=markdown "Posts by Jonathan Bregman"), Oct 13, 2020

Cloud Identity and Access Management (IAM) solutions represent a foundational component of a cloud native security platform. Yet most enterprises that manage large numbers of cloud accounts and resources currently struggle to gain visibility into, and effectively govern, the permissions attached to them.
The new Prisma Cloud IAM Security module addresses these challenges by providing broad visibility of effective permissions, monitoring for risky and unused entitlements, and least privilege recommendations with automated response. Users get simple yet powerful IAM security controls across their cloud environments, seamlessly integrated into Prisma Cloud.

## Addressing Requirements for Cloud Infrastructure Entitlement Management

Over-permissive roles, poor credential hygiene, and accidental public exposure have all contributed to some of the most significant [vulnerabilities](https://www.paloaltonetworks.com/prisma/cloud/unit42-ctr-oct-2020-IAM?ts=markdown) of enterprise cloud environments. Security tools for cloud infrastructure entitlement management (CIEM) address these challenges, which are often insufficiently covered by cloud service providers' built-in tools.

Prisma Cloud IAM Security is an industry-leading CIEM solution that complements the platform's other identity security functionality. It gives users an easier path to least privilege access: the security best practice that each user or service account gets the minimum set of entitlements needed to perform a given task. By taking a uniquely comprehensive approach that combines greater visibility and granular access control with [user entity and behavior analytics](https://www.paloaltonetworks.com/blog/2020/01/cloud-ueba/?ts=markdown) (UEBA), Prisma Cloud reduces alert fatigue by delivering high-fidelity, contextual alerts on suspicious identity-related activities.

## IAM Security Module in Prisma Cloud

Here's how the new IAM security controls can help users:

### Visibility to Net-Effective Permissions

Gain deep visibility into who has the ability to take what action on which resources.
By running complex calculations that analyze permissions such as Amazon Web Services (AWS) IAM roles, policies and groups; AWS resource-based policies; and AWS service control policies (SCPs), the IAM Security module can precisely determine net-effective permissions.

![Granular permissions investigation in Prisma Cloud showing source, grantor and capabilities](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/10/IAM-investigation.png)
Granular permissions investigation in Prisma Cloud showing source, grantor and capabilities.

### Rightsizing Permissions

The Prisma Cloud IAM Security module ships with specialized out-of-the-box policies to detect risky permissions and help remove unwanted access to cloud resources. It can automatically detect overly permissive user access, then suggest how to rightsize it to achieve least privilege.

![Example out-of-the-box IAM policies in Prisma Cloud](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/10/IAM-policies.png)
Example out-of-the-box IAM policies in Prisma Cloud.

### Investigate IAM Entitlements

Leverage Prisma Cloud Resource Query Language (RQL) to quickly gain deeper insight into specific entitlements and their effective permissions. Ask nearly any identity-related question, such as:

* Which users have access to a given resource
* What accounts, services, or resources a specific identity has access to
* Whether any users outside of a specific group have access to a given set of resources

You can view the documentation on [Prisma Cloud RQL](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/rql) to see the breadth of potential insights.

![Results of an RQL-based entitlement investigation in the Prisma Cloud IAM Security module.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/10/IAM-RQL-results.png)
Results of an RQL-based entitlement investigation in the Prisma Cloud IAM Security module.
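To make the net-effective permission calculation above, and the RQL-style "who can take this action on this resource" question, concrete, here is an added Python example (not Prisma Cloud's code): a simplified model of the AWS evaluation order across identity-based policies, resource-based policies and SCPs, run over constructed sample policies. It assumes a principal acting within its own account and leaves out permission boundaries and session policies.

```python
# Simplified net-effective permission model for AWS-style IAM policies.
# Added example, not Prisma Cloud's code. Follows the documented AWS order
# for a principal acting in its own account: an explicit Deny anywhere wins;
# an SCP must Allow the action (else implicit deny); then an Allow in an
# identity-based policy (user/group/role) or the resource-based policy grants
# access. Permission boundaries and session policies are left out.
from fnmatch import fnmatchcase


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match ('*', '?'); action names are case-insensitive."""
    pats = [patterns] if isinstance(patterns, str) else patterns
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in pats)
    return any(fnmatchcase(value, p) for p in pats)


def effects(policies, action, resource):
    """Set of Effect values ('Allow'/'Deny') whose statements match."""
    found = set()
    for pol in policies:
        for stmt in pol["Statement"]:
            if (_matches(stmt.get("Action", []), action, fold_case=True)
                    and _matches(stmt.get("Resource", "*"), resource)):
                found.add(stmt["Effect"])
    return found


def net_effective(identity, resource_pols, scps, action, resource):
    """Return ('Allow' | 'Deny', reason) for one action on one resource."""
    for name, pols in (("identity", identity), ("resource", resource_pols), ("SCP", scps)):
        if "Deny" in effects(pols, action, resource):
            return "Deny", f"explicit deny in {name} policy"
    if "Allow" not in effects(scps, action, resource):
        return "Deny", "no SCP allows the action"
    if "Allow" in effects(identity, action, resource):
        return "Allow", "identity-based policy"
    if "Allow" in effects(resource_pols, action, resource):
        return "Allow", "resource-based policy"
    return "Deny", "implicit deny"


def who_can(principals, resource_pols, scps, action, resource):
    """RQL-style question: which principals can take `action` on `resource`?"""
    return sorted(name for name, pols in principals.items()
                  if net_effective(pols, resource_pols, scps, action, resource)[0] == "Allow")


# Constructed sample policies keyed by principal (not taken from the page).
PRINCIPALS = {
    "role/dev": [{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}],
    "role/audit": [{"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                                   "Resource": "arn:aws:s3:::audit-logs*"}]}],
    "role/ops": [{"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}],
}
AUDIT_BUCKET_POLICY = [{"Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject",
                                       "Resource": "arn:aws:s3:::audit-logs/*"}]}]
ORG_SCPS = [{"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"],
                            "Resource": "*"}]}]
```

Calling `who_can(PRINCIPALS, AUDIT_BUCKET_POLICY, ORG_SCPS, "s3:GetObject", obj)` for an object under `audit-logs/` lists `role/audit` and `role/dev`, while `role/dev` is still denied `s3:DeleteObject` on it by the bucket policy and `role/ops` is denied `ec2:RunInstances` because no SCP grants it.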
### Audit Permissions for Internal Compliance

In addition to the existing resource audit trail, which captures any change made to a resource from the moment it is first deployed, the new permissions tab displays all of the permissions "of" a resource and "to" the resource. It also enables users to look back and understand when an overly permissive entitlement was granted and by whom.

![The permissions audit trail for a resource tracked in the IAM Security module.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/10/Permissions-audit-trail-1.png)
The permissions audit trail for a resource tracked in the IAM Security module.

### Identity Provider Integration: Okta

Federate user identities with existing identity providers and management systems to avoid unnecessary management overhead such as system duplication. Prisma Cloud integrates with Okta to ingest single sign-on (SSO) data for the effective permissions calculation, and enables users to list the effective permissions of Okta users across cloud accounts.

![Okta permissions query results in Prisma Cloud.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/10/Okta-results-in-Prisma-Cloud-1.png)
Okta permissions query results in Prisma Cloud.

### Auto Remediation of Over-Privileged Users

IAM Security helps users maintain good identity and access management hygiene by suggesting the ideal permissions level for any cloud user. Automatic permissions adjustments can ensure continuous enforcement of least privilege access.

![Least privilege recommendations generated by Prisma Cloud.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2020/10/least-privilege-recommendation-1.png)
Least privilege recommendations generated by Prisma Cloud.
## Start Using the Prisma Cloud IAM Security Module

Combined with the rest of the functionality in [the recent release](http://blog.paloaltonetworks.com/2020/10/cloud-evolution-comprehensive-cnsp), the IAM Security module gives users the most comprehensive platform for cloud native security available today. To learn more about best practices for IAM security, including the depth of threats presented by misconfigurations, check out the [Unit 42 Cloud Threat Report 2H 2020](https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research?ts=markdown).