📋 What you'll learn in this training
This module applies the DART method specifically to Cloud Identity Discovery — Delinea's capability that automatically scans AWS, Azure, and GCP to find all human and non-human identities, map effective permissions, and highlight least-privilege violations. Each of the four subsequent modules maps to one DART phase.
⚡ The Identity Sprawl Problem
The average enterprise runs 3–5 cloud platforms with thousands of IAM roles, service accounts, and API keys — 80% of which have never been audited. Non-human identities now outnumber human accounts 45:1 and represent the leading initial-access vector in cloud breaches.
🔄 The Cyclical Nature of DART
DART is not a one-time project — it's a continuous cycle. Track/Audit feeds new insights back into Discovery, refining the process over time. Delinea's cloud-native architecture makes each cycle faster and more precise than the last.
🔍 DART · Discovery Phase
Delinea Secret Server's discovery tools automatically detect human and machine identities — including service accounts, API keys, and AI agents — across every connected cloud platform. By integrating with identity providers (IdPs) and cloud platforms, it maps access entitlements and identifies misconfigurations such as over-privileged accounts or unused credentials. Real-time AI-driven insights flag dormant or risky identities early.
📋 Prerequisites
Before connecting: (1) Delinea Platform admin or Connector Manager role, (2) Read-only IAM credentials in the target cloud account, (3) Network/API access from the Delinea connector host. No long-lived keys are required for AWS (uses STS AssumeRole).
✅ AWS — Cross-Account Role (Recommended)
Delinea uses STS AssumeRole — no static access keys required. Create a read-only IAM role with an ExternalId condition to prevent confused-deputy attacks.
Delinea → Connectors → Cloud Accounts → Add Account → Amazon Web Services
Choose connection method: Cross-Account Role (recommended) or Access Keys (legacy). Copy Delinea's AWS Account ID and generated ExternalId shown in the UI.
Create the cross-account IAM role in AWS Console
IAM → Create Role → Another AWS Account. Set Delinea's Account ID as the principal and add the ExternalId condition.
Paste the Role ARN into Delinea and validate
Delinea runs sts:GetCallerIdentity to confirm access. Set scan scope (regions, tag filters) and scan frequency (default: daily).
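As an added example (not Delinea's code or AWS documentation), this builds the trust policy the cross-account discovery role needs and checks a candidate policy for the two mistakes that defeat the ExternalId protection: a wildcard principal and a missing sts:ExternalId condition. The account ID and ExternalId are constructed placeholders; use the values shown in the Delinea UI.

```python
import json

DELINEA_ACCOUNT_ID = "111122223333"      # constructed placeholder: copy the real value from the Delinea UI
EXTERNAL_ID = "example-external-id-123"  # constructed placeholder: Delinea generates this per connection

def build_trust_policy(delinea_account_id, external_id):
    """Trust policy for the read-only discovery role: only Delinea's account may assume it,
    and only when the AssumeRole call presents the agreed ExternalId (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::%s:root" % delinea_account_id},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy):
    """Return hygiene findings for every Allow statement that grants sts:AssumeRole;
    an empty list means the policy matches the recommended shape."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        if "*" in _as_list(aws):
            findings.append("wildcard principal: any AWS account could assume this role")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("no sts:ExternalId condition: confused-deputy protection is missing")
    return findings

if __name__ == "__main__":
    policy = build_trust_policy(DELINEA_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
```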
✅ Azure — App Registration + RBAC
Delinea connects via an Entra ID App Registration with client secret or certificate. Assign Reader RBAC at Management Group or Subscription scope, plus Microsoft Graph → Directory.Read.All.
Entra ID → App Registrations → New Registration
Name it Delinea-CloudDiscovery. Copy the Application (client) ID and Tenant ID into Delinea.
Create a client secret (or upload certificate)
Certificates & Secrets → New client secret, 12–24 month expiry. Certificate-based auth preferred for production. Copy the secret value immediately.
Assign Reader role + grant Graph API admin consent
Assign Reader at subscription scope. Add Directory.Read.All as an application permission, then have a Global Admin grant admin consent.
✅ GCP — Service Account + Security Reviewer
Delinea uses a GCP Service Account with Security Reviewer and Browser roles at the Organization level.
Create service account: delinea-discovery@PROJECT.iam.gserviceaccount.com
IAM & Admin → Service Accounts → Create Service Account.
Grant roles at Organization level
Download JSON key → paste into Delinea → Validate
Cloud Accounts → Add Account → Google Cloud Platform → paste key JSON → Validate Connection.
Phase 1 — Identity Enumeration
Calls iam:ListUsers, iam:ListRoles, Graph API, and GCP IAM list. For multi-account orgs, fans out in parallel across all sub-accounts. This phase consolidates data from disparate sources into a centralized view.
Phase 2 — Policy & Permission Collection
Retrieves all attached policies for each identity — inline, managed, group-inherited, resource-based, and SCPs. Resolves full policy JSON including Allow/Deny statements.
Phase 3 — Effective Permission Computation
Mirrors the cloud provider's own evaluation logic to compute effective permissions — what the identity can actually do, not just what's listed.
Phase 4 — Usage Data Correlation → ANALYZE PHASE
Ingests CloudTrail / Azure Monitor / GCP Audit Logs. Determines which permissions were actually used in the last 30/60/90 days. The delta between granted and used permissions becomes the input to the Analyze phase.
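Phases 2 to 4 in miniature, as an added example that is not Delinea's code: a simplified evaluator (explicit Deny beats Allow, wildcard actions such as s3:Get*) run over constructed policies, then correlated with constructed CloudTrail events to produce the granted-but-unused delta. It ignores resource ARNs and Condition blocks, which the provider's real evaluation logic does not.

```python
import fnmatch
from datetime import datetime, timedelta, timezone

# Constructed sample: policies attached to one role (a managed Allow plus an SCP-style Deny).
POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket", "iam:PassRole"]}]},
    {"Statement": [{"Effect": "Deny", "Action": "s3:GetBucketAcl"}]},
]
# Constructed sample CloudTrail events: (eventSource, eventName, eventTime).
EVENTS = [
    ("s3.amazonaws.com", "GetObject", "2024-05-01T10:00:00Z"),
    ("s3.amazonaws.com", "GetBucketAcl", "2024-05-02T10:00:00Z"),
    ("iam.amazonaws.com", "PassRole", "2023-11-01T10:00:00Z"),
]
# Actions to evaluate; a real scan walks the provider's full action catalogue.
CANDIDATES = ["s3:GetObject", "s3:GetBucketAcl", "s3:ListBucket", "s3:PutObject", "iam:PassRole"]
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

def _matches(pattern, action):
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def effective_permissions(policies, candidates):
    """Simplified IAM evaluation: an action is allowed only if some Allow matches and no Deny
    matches (explicit deny wins). Resource ARNs and Condition blocks are ignored in this sketch."""
    allowed = set()
    for action in candidates:
        effects = set()
        for stmt in (s for pol in policies for s in pol["Statement"]):
            acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if any(_matches(p, action) for p in acts):
                effects.add(stmt["Effect"])
        if "Allow" in effects and "Deny" not in effects:
            allowed.add(action)
    return allowed

def used_actions(events, now, window_days):
    """Map CloudTrail events inside the lookback window to 'service:Action' strings."""
    cutoff = now - timedelta(days=window_days)
    used = set()
    for source, name, ts in events:
        if datetime.fromisoformat(ts.replace("Z", "+00:00")) >= cutoff:
            used.add("%s:%s" % (source.split(".")[0], name))
    return used

def unused_permissions(policies, candidates, events, now=NOW, window_days=90):
    """The granted-minus-used delta that becomes the input to the Analyze phase."""
    return effective_permissions(policies, candidates) - used_actions(events, now, window_days)
```

With the sample data, iam:PassRole was last used outside the 90-day window and s3:ListBucket was never used, so both land in the delta; s3:GetBucketAcl is used but explicitly denied, so it never counts as granted.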
🔬 DART · Analyze Phase
Delinea Secret Server's ITDR (Identity Threat Detection and Response) capabilities use machine learning to detect deviations from normal behavior. The system assigns risk scores based on access patterns, privilege levels, and potential external threats. It flags abnormal login attempts, excessive cloud permissions, or unusual AI agent activities — and cross-references authentication logs, session monitoring, and entitlement usage for a holistic view.
⚠️ Risk Score Factors
Delinea's analytics engine scores each identity on: privilege level (admin vs. scoped), last usage (days since last API call), access pattern anomalies (unusual times, IPs, regions), entitlement breadth (number of services accessible), and external threat intel (leaked credentials, known-bad IPs).
🎯 Severity Definitions
Critical — Admin wildcard, privilege escalation path, data-exfil-capable. Act in 24h.
High — Broad write access on NHIs. Act in 7 days.
Medium — Unused 90+ day permissions.
Low — Hygiene issues (e.g., password auth instead of managed identity).
🔗 Privilege Escalation Path Detection
A key differentiator of Delinea's Analyze phase is the privilege escalation path detector. Even if an identity lacks admin permissions directly, combinations like iam:CreateRole + iam:AttachRolePolicy + sts:AssumeRole form a multi-step path to full admin. Delinea detects and surfaces these chains — they cannot be seen by simply reading policy lists.
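An added example of the step-by-step matching this detector relies on (not Delinea's implementation): each identity's effective permissions, here a constructed sample, are checked against the chain named above step by step, so a wildcard such as iam:* is recognised as covering a step even though the literal action name never appears in any policy. The severity helper applies the module's own definition that a complete escalation path or admin wildcard is Critical.

```python
import fnmatch

# The multi-step path named in the text: none of these actions is admin on its own.
ESCALATION_CHAINS = {
    "create-role + attach-policy + assume-role": ["iam:CreateRole", "iam:AttachRolePolicy", "sts:AssumeRole"],
}

# Constructed sample: effective permissions per identity, as produced by the Discovery phase.
IDENTITIES = {
    "ci-deploy-role": {"iam:CreateRole", "iam:AttachRolePolicy", "sts:AssumeRole", "s3:GetObject"},
    "reporting-sa": {"s3:GetObject", "s3:ListBucket"},
    "platform-admin": {"iam:*", "sts:*"},
    "partial-iam": {"iam:CreateRole", "s3:GetObject"},
}

def _grants(effective, action):
    """True if any effective permission, including a wildcard such as iam:*, covers the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in effective)

def missing_steps(effective, chain):
    """Steps of the chain the identity does not hold (empty list = complete path)."""
    return [a for a in chain if not _grants(effective, a)]

def find_escalation_paths(identities, chains=ESCALATION_CHAINS):
    """Map identity -> names of complete chains. Reading the policy list alone shows 'iam:*'
    once and never the path; matching each step against wildcards surfaces it."""
    return {name: [c for c, chain in chains.items() if not missing_steps(perms, chain)]
            for name, perms in identities.items()
            if any(not missing_steps(perms, chain) for chain in chains.values())}

def is_critical(effective, chains=ESCALATION_CHAINS):
    """Per the module's severity definitions: an admin wildcard or a complete escalation
    path makes the finding Critical."""
    return "*" in effective or bool(find_escalation_paths({"_": effective}, chains))
```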
iam:* usage in 90 days. An engineer argues this is Medium — "it's never been used to cause harm." How does the DART Analyze framework respond?
⚡ DART · Remediate Phase
Once the Analyze phase surfaces risks, Remediate takes action. Delinea facilitates remediation by enforcing just-in-time (JIT) access, credential rotation, and privilege elevation controls. Automated actions — revoking excessive entitlements, enforcing MFA, isolating compromised accounts — mitigate threats while maintaining business continuity. Delinea's Cloud Infrastructure Entitlement Management (CIEM) applies least privilege across multi-cloud environments. All remediation actions are auditable and comply with regulatory standards via RBAC and workflow approvals.
Step 1 — Initiate Access Review (from any Analyze finding)
Click Start Access Review on any finding. Delinea creates a review task, assigns it to the identity owner or designated approver, sets a deadline (default 7 days), and sends a notification with a plain-language summary of excess vs. used permissions.
Step 2 — Reviewer Decision: Certify / Revoke / Right-Size
Certify — keep access, provide business justification, auto-schedule re-review in 90 days.
Revoke — remove the specific excess permission.
Right-Size — accept Delinea's ML-generated least-privilege policy replacement.
Step 3 — Automated Cloud API Enforcement
For Revoke and Right-Size decisions, Delinea calls iam:PutRolePolicy and iam:DetachRolePolicy (AWS), updates Azure RBAC assignments, or modifies GCP IAM bindings — immediately enforcing the change. A full audit trail is generated.
Step 4 — Post-Remediation Verification → back into DART cycle
Delinea re-scans the identity within 24 hours and marks the finding Resolved. Certification decisions trigger a new 90-day Discovery cycle. This feeds the Track/Audit phase with a complete change record.
iam:* is listed as Critical with zero 90-day usage.
iam:PutRolePolicy + iam:DetachRolePolicy to enforce the change.
📋 DART · Track/Audit Phase
The Track/Audit phase ensures security measures are continuously monitored and compliance is maintained. Delinea logs all access, changes, and activities for forensic review. Real-time alerts respond to identity-related threats, while the platform maintains audit trails required for regulatory compliance (GDPR, NIST, SOC 2, PCI-DSS). Session recording and behavioral analytics enable retrospective analysis. This phase feeds insights back into Discovery — completing the DART cycle and enabling continuous improvement over time.
📊 Compliance Frameworks Covered
GDPR — Access logs and data-access audit trails for data subject requests.
NIST 800-53 — AC-2 Account Management, AU-2 Audit Events.
SOC 2 Type II — Continuous evidence collection.
PCI-DSS — Privileged access logging for cardholder data environments.
HIPAA — PHI access audit records.
🔄 Feeding Back into Discovery
Track/Audit insights that trigger new Discovery scans: new identities detected in session recordings that weren't in the last scan, entitlements drifting from certified baselines, dormant accounts reactivating unexpectedly, and new cloud accounts or subscriptions provisioned outside normal IaC pipelines.