🎯 Learning Objectives
After completing this module you will be able to: (1) explain the cloud identity sprawl problem, (2) describe how Delinea scans multi-cloud environments, (3) differentiate human vs. non-human identities, and (4) articulate the least-privilege violation lifecycle.
⚡ The Attack Surface
The average enterprise runs 3–5 cloud platforms with thousands of IAM roles, service accounts, and API keys — 80% of which have never been audited. Over-permissioned non-human identities are now the leading initial-access vector in cloud breaches.
📈 The Growth Rate
Non-human identities (service accounts, bots, pipelines) now outnumber human identities 45:1 in most cloud-native organizations — yet receive a fraction of the governance attention of user accounts.
📋 Prerequisites
Before connecting, ensure you have: (1) Delinea Platform admin or Connector Manager role, (2) Read-only IAM credentials in the target cloud account (minimum required permissions listed per provider below), (3) Network line-of-sight or API endpoint access from the Delinea connector host.
✅ AWS — Required IAM Permissions
Create a read-only IAM role in the target AWS account. Delinea uses cross-account role assumption (STS AssumeRole) — no long-lived access keys required.
Navigate to Delinea → Connectors → Cloud Accounts → Add Account
Select Amazon Web Services from the provider dropdown. Choose your connection method: Cross-Account Role (recommended) or Access Keys (legacy).
Create the cross-account IAM role in AWS Console
In AWS IAM, create a new role with Another AWS Account as the trusted entity. Enter Delinea's AWS Account ID (provided in the UI) and require the ExternalId condition to prevent confused-deputy attacks.
Attach the discovery policy and paste the Role ARN into Delinea
Copy the Role ARN (arn:aws:iam::123456789:role/DelineaDiscovery) into the Delinea connector form. Click Validate Connection — Delinea will perform an sts:GetCallerIdentity check to confirm access.
Configure scan scope and save
Optionally restrict discovery to specific regions or tag-filtered resources. Set scan frequency (default: daily). Click Save & Enable.
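As an added example (not Delinea's own code or policy), the trust policy that the DelineaDiscovery role from the steps above would carry, including the ExternalId condition from the cross-account step, plus a check that flags a trust policy trusting an outside account without that condition. The account IDs and ExternalId value are placeholders; the real ones are shown in the Delinea connector UI.

```python
import json

# Placeholders: the real Delinea AWS account ID and ExternalId value are shown in
# the Delinea connector UI when you add the account.
DELINEA_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "placeholder-external-id-from-delinea-ui"

def build_trust_policy(trusted_account_id, external_id):
    """Trust policy for the DelineaDiscovery role: the trusted account may assume
    the role only when it presents the agreed ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def trust_policy_gaps(policy, own_account_id):
    """Confused-deputy check: list every Allow sts:AssumeRole statement that trusts
    a principal outside own_account_id without an sts:ExternalId condition."""
    gaps = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a.lower() in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        principals = principal if isinstance(principal, str) else principal.get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        external = [p for p in principals if own_account_id not in p]
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if external and "sts:ExternalId" not in cond:
            gaps.append(f"statement {i} trusts {external} without sts:ExternalId")
    return gaps

if __name__ == "__main__":
    # "123456789012" is a constructed placeholder for your own account ID.
    policy = build_trust_policy(DELINEA_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("gaps:", trust_policy_gaps(policy, "123456789012"))
```

Run the check against the trust policy actually saved on the role, not just the one you intended to paste; a missing Condition block is easy to lose when editing in the console.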
✅ Azure — App Registration & RBAC
Delinea connects via an Entra ID App Registration with a client secret or certificate. Assign the Reader role at the Management Group or Subscription level.
Register an application in Microsoft Entra ID
In Azure Portal → Entra ID → App Registrations → New Registration. Name it Delinea-CloudDiscovery. Copy the Application (client) ID and Tenant ID into Delinea.
Create a client secret or upload a certificate
Under Certificates & Secrets, create a client secret with a 12-month or 24-month expiry. Copy the secret value immediately — it is not shown again. Certificate-based auth is preferred for production.
Assign Reader + Directory.Read API permissions
Assign the Reader RBAC role at the subscription scope. Additionally, grant the API permission Microsoft Graph → Directory.Read.All (application permission) and have a Global Admin grant admin consent.
✅ GCP — Service Account & Workload Identity
Delinea uses a GCP Service Account with key-based or Workload Identity Federation authentication. Assign it the Security Reviewer and Browser predefined roles.
Create a service account in GCP IAM
In GCP Console → IAM & Admin → Service Accounts → Create. Name it delinea-discovery; its email will be delinea-discovery@PROJECT_ID.iam.gserviceaccount.com.
Grant required roles at the Organization level
At the Organization scope, grant the new service account the Security Reviewer and Browser predefined roles named above.
Download key JSON and paste into Delinea
Create and download a JSON key for the service account. In Delinea → Cloud Accounts → Add Account → Google Cloud Platform, paste the JSON key content. Click Validate.
Phase 1 — Identity Enumeration
Delinea calls cloud-provider APIs (iam:ListUsers, iam:ListRoles, Graph API, GCP IAM list) to build a complete inventory of every principal. For organizations with multiple accounts, it fans out across all connected sub-accounts in parallel.
Phase 2 — Policy & Permission Collection
For each identity, Delinea retrieves all attached policies (inline, managed, group-inherited, resource-based, SCPs). It then resolves each full policy document JSON so it can evaluate the actual Allow/Deny statements, not just policy names.
Phase 3 — Effective Permission Computation
Using a policy evaluation engine that mirrors the cloud provider's own logic, Delinea computes the effective permissions for each identity. This reveals what's possible — not just what's listed.
Phase 4 — Usage Data Correlation
Delinea ingests CloudTrail / Azure Monitor / GCP Audit Logs to determine which permissions were actually used in the last 30/60/90 days. The delta between granted and used permissions is the over-permission score.
Phase 5 — Risk Scoring & Finding Generation
Findings are generated for permissions that: (a) violate least privilege, (b) grant admin/wildcard access, (c) allow privilege escalation paths, (d) expose sensitive data stores, or (e) have never been used. Each finding is scored Critical / High / Medium / Low.
⏱ Scan Duration
Initial scans typically complete in 15–90 minutes depending on the number of accounts and identities. Subsequent incremental scans run in 5–15 minutes as Delinea only processes delta changes. Large organizations with 50+ AWS accounts should expect the first scan to take 2–4 hours.
📐 Severity Definitions
Critical — Admin/root-level wildcard access, privilege escalation paths, or data-exfiltration-capable permissions on production resources. Remediate within 24 hours.
High — Broad service-level write access or sensitive-data access granted to non-human identities. Remediate within 7 days.
Medium — Unused permissions granted for 90+ days.
Low — Minor policy hygiene issues.
🔍 Privilege Escalation Paths
A key differentiator of Delinea's analysis is the privilege escalation path detector. Even if an identity doesn't have admin permissions directly, combinations like iam:CreateRole + iam:AttachRolePolicy + sts:AssumeRole create a multi-step path to full admin — Delinea detects and surfaces these chains automatically.
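An added example (not Delinea's engine) of Phases 3 to 5 and the escalation-path check above in miniature: a simplified IAM evaluator where explicit Deny overrides Allow and wildcard actions are expanded, the granted-vs-used delta from a constructed usage window, and scored findings including the iam:CreateRole + iam:AttachRolePolicy + sts:AssumeRole chain. The action list, sample policies and usage are constructed; resource ARNs and conditions are ignored here.

```python
import fnmatch

# Constructed action universe: a real scan takes this from the provider's
# service/action catalogue rather than a hard-coded list.
ACTIONS = ["iam:CreateRole", "iam:AttachRolePolicy", "iam:ListRoles", "sts:AssumeRole",
           "s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"]
# The chain named on the page; a production detector carries many more.
ESCALATION_CHAINS = [{"iam:CreateRole", "iam:AttachRolePolicy", "sts:AssumeRole"}]

def _as_list(x): return [x] if isinstance(x, str) else list(x)

def _matches(patterns, action):
    """IAM-style case-insensitive wildcard match, e.g. 'iam:*' or 's3:Get*'."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def effective_actions(policies):
    """Phase 3 (simplified): union of every Allow, minus any explicit Deny.
    Resource ARNs and Condition blocks are ignored in this illustration."""
    allowed, denied = set(), set()
    for doc in policies:
        for stmt in doc["Statement"]:
            hit = {a for a in ACTIONS if _matches(stmt["Action"], a)}
            (allowed if stmt["Effect"] == "Allow" else denied).update(hit)
    return allowed - denied

def escalation_paths(granted):
    """Chains whose every step lies within the effective permissions."""
    return [sorted(c) for c in ESCALATION_CHAINS if c <= granted]

def assess(policies, used_actions):
    """Phases 4-5: granted vs used delta, then findings ordered worst first."""
    granted = effective_actions(policies)
    unused = granted - set(used_actions)
    wild = [p for doc in policies for s in doc["Statement"] if s["Effect"] == "Allow"
            for p in _as_list(s["Action"]) if p == "*" or p.endswith(":*")]
    findings = [("Critical", f"wildcard grant {p}") for p in wild]
    findings += [("Critical", f"escalation path {c}") for c in escalation_paths(granted)]
    if unused:
        findings.append(("Medium", f"{len(unused)} granted actions unused in window"))
    over_permission = round(len(unused) / len(granted), 2) if granted else 0.0
    return {"granted": granted, "unused": unused,
            "over_permission": over_permission, "findings": findings}

# Constructed sample: one managed policy, one inline deny, CloudTrail-derived usage.
SAMPLE_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": ["iam:*", "sts:AssumeRole", "s3:Get*"]}]},
    {"Statement": [{"Effect": "Deny", "Action": "iam:ListRoles"}]},
]
SAMPLE_USED = ["s3:GetObject"]  # only action seen in the last 90 days
```

On the sample, iam:* with zero usage produces both a Critical wildcard finding and a Medium unused finding; the identity carries the worst of the two, which is the point of the scenario question that follows.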
iam:* usage in the last 90 days. A new engineer argues this is a Medium finding, not Critical, because "it's never been used to cause harm." How would you respond?
🗺 Remediation Approaches
Delinea offers three remediation modes: Automated (immediate policy adjustment via API), Access Review (workflow to certify or revoke access with approver sign-off), and Guided Manual (generated right-sized policy JSON for your team to apply). Choose the mode based on risk tolerance and change-management requirements.
Step 1 — Initiate an Access Review
From any finding, click Start Access Review. Delinea creates a review task, assigns it to the identity owner or designated approver, and sets a deadline (default: 7 days). The reviewer sees a plain-language summary of what access the identity has vs. what it actually uses.
Step 2 — Manager / Owner Decision
The reviewer can choose: Certify (keep access — must provide business justification, triggers re-review in 90 days), Revoke (remove the specific permission), or Right-Size (accept Delinea's recommended least-privilege replacement policy).
Step 3 — Automated Enforcement
For Revoke and Right-Size decisions, Delinea calls the cloud provider API to apply the change immediately — no manual IAM console work required. A complete audit trail records who approved, when, and what change was made.
Step 4 — Post-Remediation Verification
Delinea re-scans the remediated identity within 24 hours and marks the finding as Resolved. If a Certified access generates a new risk finding within the certification window, the approver is automatically re-notified.
iam:* is listed as Critical with zero usage.
iam:PutRolePolicy and iam:DetachRolePolicy to enforce the new policy.