Admin Audit Overview
Admin audit analyzes your cloud accounts to identify access risks. When enabled, it provides a detailed daily report of principals with privileged access on the accounts within your projects and OUs. Admin audit exposes over-privileged or 'accidental admins' across your cloud accounts, so you can proactively right-size permissions.
Currently, we are only able to identify AWS IAM administrators. More diverse functionality will be added in a future release.
Enabling Admin Audit
Admin audit functionality can be enabled by navigating to Settings > System Settings > Application Settings > Cloud Access.
Enabling administrator audit will deploy two CloudFormation templates responsible for analyzing access and creating reports. The stacks will be deployed to the account Kion is installed in and all managed accounts. These resources will incur costs. For more information, see Cloud Access Settings.
Admin audit data is only viewable by users with the Browse All Admin Audit Data permission.
Viewing Admins
To view principals with admin-level access, navigate to a project or OU, and select Cloud Management > Cloud Administrators.
If you are viewing from the OU level, affected accounts are grouped together under each principal. Click on a row to fully expand the list of accounts the principal can access and the reason they have admin privileges.
Principal. The name of the IAM role or IAM user. These can be either human or machine users. When applicable, this is equivalent to the ARN.
Reason.
- Permission Policy. Principals that are directly granted admin privileges in the cloud provider permission policy (e.g. a wildcard * action on all resources, or the AdministratorAccess managed policy).
- Access Chain. Principals that can assume the role of an admin, indirectly gaining admin privileges through the access chain. These are principals that can assume other roles via an IAM role trust policy, resulting in privilege escalation. This includes principals that could create, and then assume, a new administrator role.
Source.
- External. Principals that are granted admin privileges by a source outside of Kion, such as the cloud provider console.
- Cloud Access Role. Principals that are granted admin privileges by a Kion cloud access role. These are considered to be managed by Kion.
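The two Reason categories above (Permission Policy and Access Chain) can be reproduced offline from IAM policy documents. The script below is an added illustration, not Kion's admin audit code: it runs over a constructed set of users and roles (account id, names and policies are all invented), flags principals with a wildcard action on all resources or the AdministratorAccess managed policy as Permission Policy admins, then walks role trust policies to find principals that reach an admin role by assumption, or that hold iam:CreateRole, iam:AttachRolePolicy and sts:AssumeRole and so could create and assume a new admin role. In a real account the same input would come from iam:GetAccountAuthorizationDetails. It deliberately ignores Deny statements, conditions and the contents of managed policies other than AdministratorAccess, so it over-approximates; a production audit must evaluate those too.

```python
import fnmatch
from collections import deque

ACCOUNT = "123456789012"  # constructed account id
ADMIN_MANAGED = "arn:aws:iam::aws:policy/AdministratorAccess"


def arn(kind, name):
    return f"arn:aws:iam::{ACCOUNT}:{kind}/{name}"


ROOT = f"arn:aws:iam::{ACCOUNT}:root"

# Constructed principals (not real data): ARN -> inline policies, attached managed
# policy ARNs and, for roles, the trust policy.
PRINCIPALS = {
    arn("user", "alice"): {"managed": [ADMIN_MANAGED], "policies": [], "trust": None},
    arn("role", "DeployRole"): {
        "managed": [],
        "policies": [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
        "trust": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": arn("user", "bob")},
                                 "Action": "sts:AssumeRole"}]},
    },
    arn("user", "bob"): {"managed": [], "trust": None,
                         "policies": [{"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}]},
    arn("role", "BuildRole"): {
        "managed": [],
        "policies": [{"Statement": [{"Effect": "Allow", "Resource": "*",
                                     "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "sts:AssumeRole"]}]}],
        "trust": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "sts:AssumeRole"}]},
    },
    arn("user", "carol"): {"managed": [], "trust": None,
                           "policies": [{"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                        "Resource": arn("role", "BuildRole")}]}]},
    arn("user", "dave"): {"managed": [], "trust": None,
                          "policies": [{"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                                       "Resource": "arn:aws:s3:::*"}]}]},
}


def _listify(v):
    return [] if v is None else (v if isinstance(v, list) else [v])


def allows(principal, action, resource):
    """True if an inline Allow statement matches action (case-insensitive) and resource.
    Simplification: Deny statements, conditions and managed-policy contents are ignored."""
    for doc in PRINCIPALS[principal]["policies"]:
        for st in _listify(doc.get("Statement")):
            if st.get("Effect") != "Allow":
                continue
            act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _listify(st.get("Action")))
            res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _listify(st.get("Resource")))
            if act_ok and res_ok:
                return True
    return False


def is_direct_admin(principal):
    """Permission Policy: AdministratorAccess attached, or a wildcard action on all resources."""
    return ADMIN_MANAGED in PRINCIPALS[principal]["managed"] or allows(principal, "*", "*")


def can_create_admin_role(principal):
    """Access Chain variant: can create a role, attach a policy to it and assume it."""
    new_role = arn("role", "hypothetical-new-role")  # placeholder ARN for a role that does not exist yet
    return (allows(principal, "iam:CreateRole", new_role)
            and (allows(principal, "iam:AttachRolePolicy", new_role) or allows(principal, "iam:PutRolePolicy", new_role))
            and allows(principal, "sts:AssumeRole", new_role))


def can_assume(src, role):
    """Same-account rule: a principal named directly in the trust policy needs no identity
    policy; one trusted via the account root also needs sts:AssumeRole on the role."""
    trust = PRINCIPALS[role]["trust"]
    for st in _listify((trust or {}).get("Statement")):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _listify(st.get("Action")):
            continue
        trusted = _listify(st.get("Principal", {}).get("AWS"))
        if src in trusted or (ROOT in trusted and allows(src, "sts:AssumeRole", role)):
            return True
    return False


def find_chain(start):
    """BFS over assumable roles; returns the hop list to an admin, or None."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if (node != start and is_direct_admin(node)) or can_create_admin_role(node):
            return path
        for role, info in PRINCIPALS.items():
            if info["trust"] is not None and role not in seen and can_assume(node, role):
                seen.add(role)
                queue.append((role, path + [role]))
    return None


def classify():
    """ARN -> (reason, chain) for every principal with admin privileges."""
    results = {}
    for p in PRINCIPALS:
        if is_direct_admin(p):
            results[p] = ("Permission Policy", [])
        else:
            chain = find_chain(p)
            if chain is not None:
                results[p] = ("Access Chain", chain)
    return results


if __name__ == "__main__":
    for p, (reason, chain) in classify().items():
        print(f"{p:45} {reason:18} {' -> '.join(chain) or '(self)'}")
```

Running it lists alice and DeployRole as Permission Policy admins, bob as an Access Chain admin through DeployRole, carol as an Access Chain admin through BuildRole, and BuildRole itself as an Access Chain admin because it can mint and assume a fresh admin role; dave does not appear. The hop list is what the Cloud Administrators view shows when a row is expanded.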