Cloud Access Settings

Settings > System Settings > Application Settings > Cloud Access

Admin Audit

Admin audit analyzes your cloud accounts to identify access risks. When enabled, it provides a detailed daily report of principals with privileged access on the accounts within your projects and OUs.

Enabling administrator audit will deploy two CloudFormation templates responsible for analyzing access and creating reports. The stacks will be deployed to the account Kion is installed in and all managed accounts.

  • Access Analyzer. Runs the audit.
  • Report Generator. Compiles results into data files.

Resources Deployed

  • DynamoDB database
  • Lambda functions to ingest and report on data
  • S3 bucket to store admin audit reports
  • Step Functions to manage workflows of the Lambda functions
  • IAM Roles for Lambda execution
  • KMS key(s) for encryption at rest
  • A CloudWatch Log Group
  • An SNS Topic for Report Delivery Notifications to Kion
  • An SQS Queue to buffer Delivery Notifications

Once the required CloudFormation templates are deployed, you will be able to view users with IAM administrator access to your AWS accounts by OU or project.

  • To view a count of your cloud administrators and a summary of recent changes, navigate to an OU or project and select Overview.
  • To view a detailed report of your cloud administrators, navigate to an OU or project and select Cloud Management > Cloud Administrators.

For more information, see Admin Audit Overview.

The resources deployed by these CloudFormation templates will incur costs. Cost will vary based on the number of accounts and IAM principals in your environment.

User Assignment on Cloud Access Roles

This setting removes the ability to assign individual users to cloud access roles. When viewing cloud access roles with this enabled, you no longer see a list of every user assigned to the role, only user groups. This is useful for preserving user privacy in multi-tenant environments.

This applies to existing and new cloud access roles throughout Kion.

If individual users are assigned to cloud access roles, those individual assignments will be removed when this is enabled. Existing user group assignments will not be affected.