What PAM is, why it matters, and the foundational controls that protect your most sensitive access paths: the essential building block before exploring cloud entitlements.
Learning Objective
Understand what privileged access is, why it's the primary target in virtually every breach, and how core PAM controls reduce that risk.
What is Privileged Access?
The definition that drives everything
Privileged access describes any account, credential, or permission that grants elevated rights beyond a standard user: the ability to modify system configurations, access sensitive data en masse, install software, or make changes that affect entire environments. In cloud contexts, this extends to IAM roles that can create or destroy infrastructure.
74% of breaches involve privileged credential abuse
3x more expensive when privileged access is involved
80% of cloud security failures are due to misconfigured IAM
Core PAM Controls
Credential Vaulting & Password Management
Privileged credentials are stored in an encrypted, access-controlled vault, never in spreadsheets, scripts, or shared drives. Users check out credentials for a session; passwords are rotated automatically afterward. This enforces no shared static passwords and a complete audit trail of who accessed what, when, and from where.
Privileged Session Management (PSM)
All privileged sessions (RDP, SSH, database connections, cloud console access) are proxied through a session management layer. Sessions are recorded, monitored in real time, and can be terminated instantly. Keystroke logging and video capture provide forensic evidence and satisfy compliance requirements including SOX, PCI-DSS, and HIPAA.
Least Privilege & Just-In-Time (JIT) Access
Least privilege ensures accounts only hold the minimum permissions necessary for their role. Just-In-Time (JIT) access goes further: privilege is granted only for the duration of a specific, approved task, then automatically revoked. This eliminates "standing privilege" (accounts that always have admin rights even when not actively using them), dramatically shrinking the attack surface. In cloud environments, this translates to temporary role assumption rather than permanent IAM role assignments.
Privileged Access Workflows & Governance
PAM solutions enforce approval workflows: privileged access requests require justification, manager approval, and time-boxing. This creates a governance layer that satisfies auditors, provides a full change record, and ensures that every privileged action is intentional and authorized. Integration with ITSM tools like ServiceNow links every privileged session to a change ticket.
PAM in the Cloud Era
Traditional PAM was built for on-premises systems with clear perimeters. Cloud has fundamentally changed the game: IAM roles, service principals, and cloud entitlements are the new privileged accounts, and they require cloud-native PAM capabilities like Delinea PCCE to manage them effectively.
Module Complete
You've covered PAM fundamentals. Continue to explore the cloud identity threat landscape.
Module 02: Cloud Context
Identity Security in the Cloud
How cloud adoption transformed the identity threat landscape, and why cloud IAM has become the most targeted attack surface in modern enterprises.
In cloud environments, identity IS infrastructure. A misconfigured IAM role doesn't just expose data; it can allow an attacker to spin up compute, exfiltrate entire S3 buckets, move laterally across accounts, or persist access indefinitely through backdoor roles.
Human Cloud Identities
Developers, DevOps engineers, cloud architects, and data scientists who directly access cloud consoles and CLIs. Each typically has far more permissions than needed, because cloud IAM policies are often written for convenience, not least privilege.
Examples: Cloud Console Users, Developers, Data Scientists
Non-Human Cloud Identities
Applications, Lambda functions, containers, CI/CD pipelines, and automation that authenticate to cloud services. These outnumber human identities by 10 to 50x and are frequently granted overly broad permissions for development convenience, grants that are never revisited.
Examples: Service Principals, Lambda Roles, Managed Identities, API Keys
The Multi-Cloud Identity Surface
Each cloud platform has its own identity model with unique risks and blind spots:
AWS IAM: users, roles, policies, trust relationships
Azure / Entra ID: service principals, managed identities, RBAC
Google Cloud: service accounts, IAM bindings, workload identity
SaaS & PaaS: GitHub, Snowflake, Salesforce org admins
Cloud Identity Attack Chain
1. Initial Access: phishing, leaked API key, or SSRF
2. Enumeration: IAM permissions discovery (Pacu, ScoutSuite)
3. Privilege Escalation: assuming an over-privileged role, or pass-role abuse
4. Lateral Movement: abuse of cross-account trust via STS AssumeRole
5. Impact: data exfiltration, crypto-mining, or ransomware
Cloud Attack Vector | Description | PCCE Control
Pass-Role Abuse | Attacker with iam:PassRole assigns a high-privilege role to a resource they control | Entitlement analysis, least privilege enforcement
Assume-Role Chaining | Escalating privileges by hopping through trusted roles across accounts | Cross-account trust mapping, anomaly detection
Unused Access Keys | Long-lived programmatic keys that are leaked or stolen and used months later | Continuous discovery, auto-rotation workflows
Misconfigured IAM Policies | Wildcard actions (*) or wildcard resources (*) granting unintended permissions | Policy analysis, right-sizing recommendations
Shadow Service Accounts | GCP / Azure identities created by developers that security teams don't know about | Continuous multi-cloud identity discovery
Module Complete
You understand the cloud identity threat landscape. Next: the specific challenge of cloud entitlements.
Module 03: CIEM
Cloud Entitlements & The CIEM Gap
Understanding the permissions explosion in cloud environments, why traditional PAM doesn't solve it, and what Cloud Infrastructure Entitlement Management (CIEM) addresses.
The Permissions Explosion
AWS alone has over 15,000 individual IAM permissions. A typical enterprise cloud environment has millions of active permission grants across hundreds of roles and thousands of resources: impossible to audit manually, and almost always over-provisioned by a factor of 10x or more.
95% of cloud permissions are never used (Gartner)
15K+ individual IAM permissions in AWS alone
10x average over-provisioning ratio in cloud IAM
What is a Cloud Entitlement?
The unit of cloud access control
A cloud entitlement is any permission grant that allows an identity (human or non-human) to perform an action on a cloud resource. This includes IAM policies in AWS, RBAC role assignments in Azure, IAM bindings in GCP, and equivalent constructs in SaaS platforms. Entitlements can be direct (assigned to a user) or indirect (through group, role, or policy inheritance).
Why Entitlements Become a Security Problem
Entitlement Sprawl
Permissions accumulate over time through a pattern of expansion with no contraction: a developer needs access to debug an issue, so they get a broad role; the role is never removed or scoped down; it is copied when provisioning the next developer; repeat. Over months, every identity in the environment has access to far more than it needs, and no one knows exactly what those permissions enable.
Privilege Escalation Paths
Cloud IAM has unique escalation patterns that are invisible without entitlement analysis. For example, a user holding iam:PassRole together with lambda:CreateFunction can create a Lambda function that executes under any role they are permitted to pass (and that trusts the Lambda service), effectively gaining that role's permissions. These indirect privilege escalation paths are one of the most dangerous, and least understood, cloud security risks. PCCE maps these paths automatically.
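Added example (not Delinea's code and not part of the original page): a small Python linter over IAM policy documents that flags the wildcard grants listed in the attack-vector table above and the iam:PassRole + lambda:CreateFunction combination just described. The policy documents, the account id 123456789012, and the bucket, role and function names are constructed for the example; the escalation rule table holds only the combination named on this page.

```python
"""Static checks over IAM policy documents (added example).

Flags wildcard Action/Resource grants and the iam:PassRole +
lambda:CreateFunction escalation combination. All policy documents
below are constructed; 123456789012 is a placeholder account id.
"""
import fnmatch

# Constructed: a developer role with two attached policies. The service-level
# wildcard lambda:* silently includes lambda:CreateFunction.
DEVELOPER_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-app-data/*"},
        {"Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
    ]},
    {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/*"}},
]

# Constructed hardened variant: named Lambda read actions only, PassRole
# scoped to a single execution role, no resource wildcards.
HARDENED_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-app-data/*"},
        {"Effect": "Allow", "Action": ["lambda:GetFunction", "lambda:ListFunctions"],
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example-*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-lambda-exec"},
    ]},
]

# Action sets that together form an indirect escalation path. Only the
# combination discussed on this page is listed; a real ruleset is larger.
ESCALATION_COMBOS = {
    "PassRole to Lambda": {"iam:PassRole", "lambda:CreateFunction"},
}


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_statements(policies):
    """Yield every Allow statement across all policy documents."""
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") == "Allow":
                yield stmt


def action_granted(action, policies):
    """True if some Allow pattern (e.g. lambda:* or *) covers the action.
    IAM action names are case-insensitive, so compare in lower case."""
    for stmt in allow_statements(policies):
        for pattern in _as_list(stmt.get("Action")):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def lint_policies(policies):
    """Return human-readable findings for a set of policy documents."""
    findings = []
    for stmt in allow_statements(policies):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append("wildcard Action '*' grants every API call")
        else:
            for a in actions:
                if a.endswith(":*"):
                    service = a.split(":")[0]
                    findings.append(f"service-wide wildcard {a} grants every {service} action")
        if "*" in resources:
            findings.append(f"wildcard Resource '*' for {actions}")
    # Escalation combos are evaluated over the whole policy set, because the
    # two halves usually live in different statements or documents.
    for name, combo in ESCALATION_COMBOS.items():
        if all(action_granted(a, policies) for a in combo):
            findings.append(f"escalation path '{name}': {', '.join(sorted(combo))} all granted")
    return findings


if __name__ == "__main__":
    for label, pols in (("developer", DEVELOPER_POLICIES), ("hardened", HARDENED_POLICIES)):
        print(f"{label}: {len(lint_policies(pols))} finding(s)")
        for finding in lint_policies(pols):
            print("  -", finding)
```

The developer policy set yields three findings (the lambda:* service wildcard, the Resource "*" on that statement, and the PassRole-to-Lambda combination), while the hardened set yields none. The combination check deliberately works across documents, which is the property raw per-policy review misses.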
Cross-Account & Cross-Cloud Trust
Enterprise cloud environments often span dozens of AWS accounts, multiple Azure subscriptions, and GCP projects, connected by trust relationships that allow roles in one account to assume roles in another. Without a unified entitlement view, these trust chains create invisible lateral movement paths that span organizational boundaries. A compromise in a dev account could be the path to production.
Non-Human Identity (NHI) Entitlement Risk
CI/CD pipelines, Lambda functions, Kubernetes workloads, and automation scripts all need cloud permissions, and they often get granted very broad access for convenience. Unlike human identities, NHIs can't be asked "do you still need this?" They operate silently, and their credentials (API keys, service account keys, instance profiles) are frequently the target of supply chain attacks and code repository scanning by adversaries.
What is CIEM?
Cloud Infrastructure Entitlement Management
Gartner-defined category, now integrated into PAM platforms
CIEM is the discipline of discovering, analyzing, and right-sizing cloud entitlements across all identities and cloud platforms. It combines continuous discovery of permissions, analytics to identify excess and risk, and automated remediation to enforce least privilege. Delinea PCCE integrates CIEM capabilities directly into the broader PAM and identity security platform.
Capability | Traditional PAM | CIEM Alone | PCCE (PAM + CIEM)
NHI Coverage | Limited | Partial | Full
The same table also compares On-Prem Coverage, Cloud IAM Analysis, Entitlement Right-Sizing, Vault Integration, and Unified Policy across the three columns, but the yes/no marks in those rows did not survive extraction.
Module Complete
You understand CIEM and the cloud entitlement challenge. Now let's explore exactly how Delinea PCCE solves it.
Module 04: Delinea Platform
Delinea PCCE
Privilege Control for Cloud Entitlements: Delinea's integrated solution for discovering, analyzing, governing, and right-sizing cloud permissions across every identity and cloud platform.
What is Delinea PCCE?
Delinea Privilege Control for Cloud Entitlements (PCCE) is a CIEM-integrated capability within the Delinea Platform that provides unified visibility and control over cloud entitlements across AWS, Azure, GCP, and multi-cloud environments. It continuously discovers all cloud identities and their effective permissions, identifies over-privileged and risky entitlements, and provides AI-driven right-sizing recommendations with direct remediation, all integrated with the broader Delinea PAM vault and governance workflows.
PCCE Platform Architecture
Multi-Cloud Ingestion Sources: AWS IAM; Azure / Entra ID; GCP IAM; SaaS Platforms; On-Prem AD
↓
PCCE Intelligence Engine: Continuous Discovery; Effective Access Mapping; Risk & Escalation Analysis; AI Right-Sizing
↓
Integrated Governance & Remediation: Unified Inventory; Policy Right-Sizing; Vault & JIT Integration; Compliance Reporting
Key PCCE Capabilities
Continuous Multi-Cloud Entitlement Discovery
PCCE continuously ingests IAM data from all connected cloud accounts and SaaS platforms: not as a periodic scan, but as a live feed of changes. Every new user, role, policy attachment, or permission grant is captured and analyzed within minutes. This gives security teams a real-time, accurate picture of the entitlement landscape, including effective permissions (what an identity can actually do, not just what's directly assigned) across all AWS accounts, Azure subscriptions, and GCP projects.
Raw IAM policies are complex and nested; PCCE computes the effective access for every identity: what they can actually do after accounting for permission boundaries, SCPs, deny policies, and inherited group permissions. More critically, PCCE maps privilege escalation paths: which identities can effectively reach admin-level permissions through sequences of allowed actions, even if they don't hold an explicit admin role. These invisible paths are a top cloud security risk.
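Added example, written for this page rather than taken from PCCE: a simplified effective-access evaluator in Python that shows why raw policy text is misleading. It models the layers named above (identity policies, a permission boundary, SCPs, explicit deny) for a single account; resource-based policies, session policies, NotAction/NotResource and Condition keys are deliberately left out, and all SCPs are treated as one layer. The policies, ARNs and candidate action list are constructed.

```python
"""Effective-access evaluation for one AWS identity (added example).

Simplified model of AWS policy evaluation inside a single account: an
explicit Deny in any layer wins; otherwise the action must be allowed by
the identity policies AND by the permission boundary (if set) AND by the
SCP layer (if present). Resource policies, session policies,
NotAction/NotResource and Condition keys are not modelled.
All policies, ARNs and actions below are constructed.
"""
import fnmatch


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM action and ARN matching is wildcard-based and case-insensitive here.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _statement_covers(stmt, action, resource):
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(_matches(p, action) for p in actions)
            and any(_matches(p, resource) for p in resources))


def evaluate_layer(policies, action, resource):
    """Verdict of one policy layer: 'deny', 'allow' or 'implicit' (no match)."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not _statement_covers(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "deny"          # explicit deny is final for this layer
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "allow" if allowed else "implicit"


def effective_allowed(action, resource, identity_policies, boundary=None, scps=None):
    """Every layer that is present must allow; any explicit deny wins."""
    layers = [identity_policies]
    if boundary is not None:
        layers.append([boundary])
    if scps:
        layers.append(scps)            # simplification: all SCPs as one layer
    verdicts = [evaluate_layer(layer, action, resource) for layer in layers]
    if "deny" in verdicts:
        return False
    return all(v == "allow" for v in verdicts)


def effective_actions(candidates, resource, identity_policies, boundary=None, scps=None):
    """Subset of candidate actions the identity can really perform on the resource."""
    return sorted(a for a in candidates
                  if effective_allowed(a, resource, identity_policies, boundary, scps))


# --- constructed example ----------------------------------------------------
IDENTITY_POLICIES = [{"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::finance-data*"},
]}]
PERMISSION_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
]}
SCPS = [{"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}]
CANDIDATES = ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteBucket"]
APP_OBJECT = "arn:aws:s3:::app-logs/2024/06/01.log"
FINANCE_OBJECT = "arn:aws:s3:::finance-data/q2-report.csv"

if __name__ == "__main__":
    # The raw identity policy says s3:* on everything; the effective view is far narrower.
    print("raw identity policy allows:", effective_actions(CANDIDATES, APP_OBJECT, IDENTITY_POLICIES))
    print("effective access:", effective_actions(CANDIDATES, APP_OBJECT, IDENTITY_POLICIES,
                                                 PERMISSION_BOUNDARY, SCPS))
    print("finance object:", effective_actions(CANDIDATES, FINANCE_OBJECT, IDENTITY_POLICIES,
                                               PERMISSION_BOUNDARY, SCPS))
```

Reading only the identity policy, all four candidate actions look permitted on the application log object; once the boundary and SCP layers are applied only s3:GetObject and s3:ListBucket remain, and nothing at all is permitted on the finance object because of the explicit deny. That gap between the first and second list is what the text calls effective access.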
AI-Driven Right-Sizing & Least Privilege Enforcement
PCCE analyzes actual usage patterns (which permissions were exercised by each identity over the last 30, 60, or 90 days) and generates right-sized policy recommendations that retain only what was actually used. These recommendations can be reviewed and applied with a single click, generating a new, minimal IAM policy. Over time, this progressively drives the environment toward true least privilege without disrupting operations.
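Added example of the right-sizing idea, written for this page and not PCCE's own implementation: starting from the Allow patterns an identity holds and a 90-day window of CloudTrail-style events, it keeps only the actions actually exercised, lists the granted patterns that nothing fell under, and emits a minimal policy. The granted policy, the events, the resource ARNs and the reference date are constructed, and treating eventName as the IAM action name one-to-one is a simplification.

```python
"""Usage-based right-sizing of an IAM policy (added example).

Keep only the actions an identity exercised inside a lookback window and
emit a minimal policy. The granted policy, events and reference date are
constructed; mapping eventName to an IAM action 1:1 is a simplification
(some API calls authorize against differently named actions).
"""
from datetime import datetime, timedelta, timezone
import fnmatch
import json

# Fixed "now" so the example is reproducible offline (constructed).
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed: what the identity is granted today.
GRANTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*", "iam:PassRole"], "Resource": "*"},
]}

# Constructed CloudTrail-style records, trimmed to the fields used here.
EVENTS = [
    {"eventTime": "2024-05-28T10:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "resource": "arn:aws:s3:::app-data/*"},
    {"eventTime": "2024-05-20T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBucket", "resource": "arn:aws:s3:::app-data"},
    {"eventTime": "2024-04-15T23:45:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "Query", "resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
    # Older than the window: must not count as "used".
    {"eventTime": "2023-12-01T12:00:00Z", "eventSource": "dynamodb.amazonaws.com",
     "eventName": "DeleteTable", "resource": "arn:aws:dynamodb:us-east-1:123456789012:table/legacy"},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def granted_patterns(policy):
    """Allow action patterns in the policy (e.g. 's3:*')."""
    patterns = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt["Action"]))
    return patterns


def observed_usage(events, now=REFERENCE_NOW, window_days=90):
    """Map 'service:Action' -> set of resources touched inside the window."""
    cutoff = now - timedelta(days=window_days)
    usage = {}
    for ev in events:
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts < cutoff:
            continue
        service = ev["eventSource"].split(".")[0]        # "s3.amazonaws.com" -> "s3"
        usage.setdefault(f"{service}:{ev['eventName']}", set()).add(ev["resource"])
    return usage


def unused_patterns(patterns, usage):
    """Granted patterns under which no observed action falls: removal candidates."""
    return [p for p in patterns
            if not any(fnmatch.fnmatchcase(a.lower(), p.lower()) for a in usage)]


def right_sized_policy(usage):
    """Minimal policy: one statement per resource, listing only the actions seen on it."""
    by_resource = {}
    for action, resources in usage.items():
        for res in resources:
            by_resource.setdefault(res, set()).add(action)
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": res}
        for res, actions in sorted(by_resource.items())
    ]}


if __name__ == "__main__":
    usage = observed_usage(EVENTS)
    print("used in last 90 days:", sorted(usage))
    print("removable patterns:", unused_patterns(granted_patterns(GRANTED_POLICY), usage))
    print(json.dumps(right_sized_policy(usage), indent=2))
```

With the constructed data, three actions were used in the window, iam:PassRole is reported as removable because nothing observed falls under it, and the generated policy names three concrete resources with no wildcards. A generated policy still needs review before it is applied: anything that legitimately runs less often than the window (a quarterly job, a disaster-recovery drill) will be missing from it, which is why the text describes recommendations that are reviewed rather than applied blindly.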
Just-In-Time Cloud Access & Vault Integration
For highly sensitive cloud operations, PCCE integrates with the Delinea vault to provide JIT cloud access: instead of permanent role assignments, a developer requests elevated access for a specific task, the request goes through an approval workflow, a temporary role assumption is granted for a defined window, and all activity is session-recorded. After the window expires, the elevated access is automatically revoked, eliminating standing cloud privilege entirely.
Non-Human Identity (NHI) Governance
PCCE specifically targets the NHI explosion: Lambda functions, EC2 instance profiles, GitHub Actions service accounts, Kubernetes service accounts, and automation pipelines. It discovers all NHIs across your cloud estate, assesses their permissions and usage, identifies stale or over-privileged machine identities, flags long-lived API keys and service account keys, and provides governance workflows to rotate, right-size, or decommission them.
Compliance & Audit Reporting
PCCE generates pre-built compliance reports mapped to major frameworks: CIS Benchmarks (AWS, Azure, GCP), SOC 2, ISO 27001, PCI-DSS, HIPAA, and NIST CSF. Auditors receive evidence that least privilege is actively enforced, privileged access is governed and time-limited, and all entitlement changes are logged and attributable, eliminating weeks of manual audit preparation.
Sample PCCE Risk Finding Distribution
Typical findings from an initial PCCE deployment on a mid-size enterprise cloud environment
PCCE API: Entitlement Risk Report Sample Output
entitlement_findings:
  critical_escalation_paths: 23     # identities that can reach admin via indirect perms
  stale_access_keys: 841            # not used in 90+ days
  wildcard_policy_grants: 156       # Action:* or Resource:* in effect
  cross_account_risks: 34           # lateral movement paths via STS trust
  over_privileged_nhi: 3,241        # NHIs with unused permissions > 30 days
right_sizing_opportunity:
  permissions_removable: 94%        # of all granted permissions are unused
  policies_generated: 412           # ready-to-apply least-privilege policies
  jit_workflows_triggered: 23       # critical identities moved to JIT model
Reduce cloud attack surface by removing 90%+ of unused permissions
Detect and eliminate privilege escalation paths before attackers find them
Replace manual IAM audits with continuous, automated governance
Accelerate compliance for SOC 2, PCI-DSS, and ISO 27001
Enable developer agility without compromising security posture
PCCE Key Use Cases
Cloud IAM audit and least-privilege enforcement pre-audit
Discovery and governance of all service accounts across multi-cloud
Automated right-sizing of developer IAM roles to actual usage
JIT access for cloud console and CLI operations
NHI lifecycle management for Lambda, CI/CD, and container workloads
Cross-account trust chain visualization and risk scoring
Module Complete
You've covered Delinea PCCE in depth. One final step β test your knowledge with the module quiz.
Module 05: Assessment
Knowledge Check
Six questions across PAM, cloud identity security, cloud entitlements, and Delinea PCCE. Select the best answer for each.
Question 01 / 06
What does Just-In-Time (JIT) access mean in the context of cloud PAM?
Access that is automatically granted to new cloud users as soon as their account is created
A technique to pre-cache credentials for faster authentication to cloud consoles
✓ Privilege is granted only for the duration of an approved task, then automatically revoked, eliminating standing cloud privilege
A scheduling system that rotates which cloud admins have access each day
Question 02 / 06
According to industry data, approximately what percentage of cloud IAM permissions are never actually used?
Around 30%: most permissions are used occasionally
Around 50%: a significant but expected overhead in large environments
✓ Around 95%: the vast majority of granted permissions are never exercised
Around 70%: common in large organizations but manageable with good hygiene
Question 03 / 06
What is a "privilege escalation path" in cloud IAM, as addressed by PCCE?
A formal process for requesting elevated access through a ticketing system
✓ A sequence of allowed IAM actions through which an identity can effectively gain admin-level privileges without holding an explicit admin role
When an employee receives a promotion and their cloud permissions are updated to match their new role
The process of moving from on-premises admin access to cloud admin access during a migration
Question 04 / 06
Why does PCCE's "effective access mapping" matter more than simply reading raw IAM policies?
Raw IAM policies are encrypted and cannot be read directly by security tools
✓ An identity's actual permissions are determined by a combination of direct policies, group memberships, permission boundaries, SCPs, and deny rules; raw policies alone don't reveal what an identity can truly do
Raw policies only apply to human identities; effective access mapping covers non-human identities
PCCE reads policies faster than native cloud consoles, making audits more efficient
Question 05 / 06
What does PCCE's AI-driven "right-sizing" capability do?
It resizes cloud compute instances to reduce infrastructure costs
It automatically assigns admin rights to identities that frequently request elevated access
✓ It analyzes actual permission usage over time and generates minimal IAM policies that retain only what was actually used, enabling one-click enforcement of least privilege
It balances IAM policy complexity across cloud accounts to improve authentication performance
Question 06 / 06
Which of the following best describes the relationship between PCCE and the broader Delinea PAM platform?
PCCE is a completely separate product that does not share data with the Delinea vault
PCCE replaces traditional PAM vaulting for cloud environments, making the vault unnecessary
PCCE only works for AWS and does not support other cloud providers
✓ PCCE is an integrated CIEM capability within the Delinea Platform: discovered cloud identities can be enrolled into the PAM vault, subjected to JIT access workflows, and managed under a unified governance policy alongside on-prem identities