## Cloud Infrastructure Entitlement Management

#### Cortex^®^ Cloud gives you control over permissions across multicloud environments

![Identity and Access Management Security Front](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cortexcloud/usecases/ciem/Hero-Front-Approach.png)

## Why it matters

Overly permissive roles, poor credential hygiene and accidental public exposure have all caused significant breaches of enterprise cloud environments.

### Effective permissions calculations are complex

In the public cloud, permissions can be defined and inherited from many places: roles, resources, access control lists and more. Gaining visibility into the net-effective permissions that result, across several cloud providers, is complex.

### Overly permissive roles can lead to high-impact failures

By exploiting identity and access management (IAM) misconfigurations such as overly permissive roles, an attacker who compromises a single identity can establish control over your entire cloud environment.
With these "keys to the kingdom," it's easy to take down entire accounts or repurpose them for malicious activities.

### Implementing least-privileged access is challenging

While the principle of least privilege is a straightforward concept, continuously maintaining it across highly dynamic multicloud environments eventually becomes a major challenge for every organization.

## Monitor permissions and continuously enforce least-privileged access

Cloud Infrastructure Entitlement Management (CIEM) provides broad visibility into effective permissions, continuously monitors multicloud environments for risky and unused entitlements, and automatically makes least-privilege recommendations. Users gain simple yet powerful insight into which identities have access to critical infrastructure, including identities federated through an identity provider (IdP), all integrated into Cortex Cloud.

* Query permissions across users, compute instances, cloud resources and more
* Monitor excessive and unused privileges
* Automate remediation of overly permissive roles

Capabilities covered below:

* Net-effective permissions
* Rightsizing permissions
* IAM entitlement investigation
* IdP integration
* Automated remediation

## Our approach to Cloud Infrastructure Entitlement Management

### Net-effective permissions

Gain comprehensive visibility into who can take what actions on which resources. CIEM is purpose-built to solve the challenges of managing permissions across AWS, Azure and GCP. Cortex Cloud automatically calculates each identity's effective permissions across cloud service providers, detects overly permissive access, and suggests corrections to reach least privilege.

* **Manage multicloud entitlements from a single solution.** Integrated multicloud capabilities delivered from Cortex Cloud extend everything it does for Cloud Security Posture Management (CSPM) to cloud identities.
* **Implement pre-built policies.** Specialized out-of-the-box policies detect risky permissions and remove unwanted access to cloud resources.
* **Audit permissions for internal compliance.** Quickly audit cloud permissions together with the related user data, service data and cloud accounts.

![Net-effective permissions](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cortexcloud/usecases/ciem/CIEM-Net-effective-permissions.png)

### Rightsizing permissions

Specialized out-of-the-box policies detect risky permissions and help remove unwanted access to cloud resources. Cortex Cloud automatically detects overly permissive access, then uses automated recommendations to rightsize it down to least-privileged access.

* **Detect overly permissive policies.** Remove unwanted access to cloud resources by automatically detecting overly permissive access policies.
* **Implement pre-built policies.** Out-of-the-box policies detect public access, use of wildcards, risky permissions and more.
* **Automated recommendations.** Automated recommendations derived from granted versus actually used permissions take an identity to least privilege.
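The three calculations described above (a net-effective permission decision that combines identity and resource policies, the wildcard and public-access checks that pre-built policies run, and rightsizing from unused privileges) modelled in Python as an added example. This is not Cortex Cloud's code. It assumes a simplified AWS same-account evaluation order (an explicit Deny wins, otherwise an Allow from the identity policy or from a resource policy whose Principal matches grants, otherwise implicit deny), a small constructed action catalog for expanding wildcards, and constructed CloudTrail-like activity records; the policy documents, ARNs and events are constructed sample data.

```python
import fnmatch

# Constructed catalog used to expand wildcard actions such as "s3:*".
KNOWN_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteBucket",
                 "iam:CreateUser", "iam:PassRole", "ec2:DescribeInstances"}


def _as_list(value):
    """IAM JSON accepts a bare string wherever a list is allowed."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement")) if policy else []


def _principals(stmt):
    """Principal entries of a resource-policy statement; "*" means anonymous/public."""
    p = stmt.get("Principal")
    return _as_list(p.get("AWS")) if isinstance(p, dict) else _as_list(p)


def _applies(stmt, action, resource_arn):
    """Action matching is case-insensitive; both fields support IAM's * and ? wildcards."""
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action")))
            and any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource"))))


def is_allowed(principal_arn, action, resource_arn, identity_policies, resource_policy=None):
    """Net-effective decision, simplified AWS same-account order: an explicit Deny in any
    applicable statement wins; otherwise an Allow from the identity policy or from a
    resource-policy statement whose Principal matches grants; otherwise implicit deny.
    Conditions, permission boundaries, SCPs and cross-account rules are not modelled."""
    applicable = [s for p in identity_policies for s in _statements(p)]
    applicable += [s for s in _statements(resource_policy)
                   if any(p == "*" or fnmatch.fnmatchcase(principal_arn, p) for p in _principals(s))]
    allowed = False
    for stmt in applicable:
        if not _applies(stmt, action, resource_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # Deny wins regardless of statement order
        allowed = True
    return allowed


def find_risky_statements(policy):
    """Flag the patterns pre-built CIEM policies look for: wildcards and public principals."""
    findings = []
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            findings.append((i, "wildcard-action"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((i, "wildcard-resource"))
        if "*" in _principals(stmt):
            findings.append((i, "public-principal"))
    return findings


def granted_actions(policy):
    """Expand the Allow actions of an identity policy against the catalog."""
    return {a for s in _statements(policy) if s.get("Effect") == "Allow"
            for pat in _as_list(s.get("Action"))
            for a in KNOWN_ACTIONS if fnmatch.fnmatchcase(a.lower(), pat.lower())}


def used_actions(events):
    """CloudTrail-style records to action names: s3.amazonaws.com/GetObject -> s3:GetObject."""
    return {e["eventSource"].split(".")[0] + ":" + e["eventName"] for e in events}


def rightsize(policy, events):
    """Return (granted-but-unused actions, Allow statement limited to observed actions).
    Resources are carried over unchanged; scoping them needs resource ARNs from the
    activity records, which this toy does not model."""
    used = used_actions(events)
    resources = sorted({r for s in _statements(policy) if s.get("Effect") == "Allow"
                        for r in _as_list(s.get("Resource"))})
    return granted_actions(policy) - used, {"Effect": "Allow", "Action": sorted(used), "Resource": resources}


# Constructed sample data: a developer role, a public bucket policy and some activity.
DEV_ROLE = "arn:aws:iam::123456789012:role/dev"
DEV_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:DescribeInstances"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::prod-*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::prod-logs/*"}]}
SAMPLE_EVENTS = [{"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
                 {"eventSource": "s3.amazonaws.com", "eventName": "ListBucket"},
                 {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"}]

if __name__ == "__main__":
    print(is_allowed(DEV_ROLE, "s3:DeleteBucket", "arn:aws:s3:::prod-logs", [DEV_ROLE_POLICY]))
    print(find_risky_statements(DEV_ROLE_POLICY), find_risky_statements(BUCKET_POLICY))
    print(rightsize(DEV_ROLE_POLICY, SAMPLE_EVENTS))
```

Two points a practitioner should take from the toy. First, the decision for the developer role on `s3:DeleteBucket` against a `prod-*` bucket is False even though `s3:*` on `*` appears first: an explicit Deny anywhere in the applicable set overrides every Allow, so evaluating only the identity policy, or only the first matching statement, gives the wrong answer. Second, the output of `rightsize` is a list of candidates, not a safe change by itself: an action unused in the observed window may belong to a quarterly job or an incident runbook, so the observation window and the resource scope need review before the narrowed statement is applied.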
![Rightsizing permissions](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cortexcloud/usecases/ciem/Hero-Back-Approach.png)

### IAM entitlement investigation

Query all relevant IAM entities, including the relationships among them and their effective permissions across cloud environments. Understand which user can take what actions on which resources on which cloud. Turn queries into custom cloud-agnostic policies and define remediation steps as well as compliance implications.

* **Investigate IAM entitlements.** See real-time and historical data to understand IAM activity and entitlements.
* **Query data to get the full picture of user activity.** Gain a detailed view of suspicious activity as well as connected accounts and resources.
* **Query data specific to identity providers.** Discover overly permissive roles of IdP users and correlate results with cloud identities, such as IAM users and machine identities.

![IAM entitlement investigation](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cortexcloud/usecases/ciem/Entitlement-Investigation-Table.png)

### IdP integration

Integrate with identity provider (IdP) services such as Okta, Azure AD (now Microsoft Entra ID) and AWS IAM Identity Center to ingest single sign-on (SSO) data. View effective permissions and overly permissive roles of IdP users, and correlate results with cloud identities, such as IAM users and machine identities.

* **Integrated support for IdP services.** Ingest SSO data for permissions mapping and calculate the effective permissions of IdP users across multicloud accounts.
* **Turn queries into cloud-agnostic policies.** Build custom guardrails for IdP users by turning RQL queries into IAM security policies with specific compliance and remediation implications.

![IdP integration](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cortexcloud/usecases/ciem/IdP-Integration-updated.png)

### Automated remediation

Automatically adjust permissions and continuously enforce least-privileged access. Send alert notifications to 14 third-party tools, including email, AWS Lambda and Security Hub, PagerDuty^®^, ServiceNow^®^ and Slack^®^.

* **Activate automated remediation for over-privileged users.** Get suggestions for the appropriate permission level for any cloud user from Cortex Cloud.
* **Support for 14 common integrations.** Integrate Cortex Cloud alerting with your existing alert management tools through built-in support for 14 third-party tools.
* **Remediation playbooks.** Use custom Cortex^®^ XSOAR playbooks for Cortex Cloud to operationalize advanced security orchestration capabilities.

![Automated remediation](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cortexcloud/usecases/ciem/Auto-Remediation.png)

## Additional Cloud Posture Security capabilities

### Cloud Security Posture Management

Remove your most critical risk across public and multicloud environments with Cortex Cloud.
[Learn more](https://www.paloaltonetworks.com/cortex/cloud/cloud-security-posture-management?ts=markdown)

### Data Security Posture Management

Discover, classify and protect sensitive data in cloud environments. [Learn more](https://www.paloaltonetworks.com/cortex/cloud/data-security-posture-management?ts=markdown)

### AI Security Posture Management

Identify and address vulnerabilities in the AI supply chain. [Learn more](https://www.paloaltonetworks.com/cortex/cloud/ai-security-posture-management?ts=markdown)

### Vulnerability Management

Ruthlessly prioritize and remediate vulnerabilities with code-to-cloud-to-SOC context. [Learn more](https://www.paloaltonetworks.com/cortex/cloud/vulnerability-management?ts=markdown)
Copyright © 2026 Palo Alto Networks. All Rights Reserved.