Enable cloud infrastructure entitlement management (CIEM)

Microsoft Defender for Cloud provides a cloud infrastructure entitlement management (CIEM) security model. It helps organizations manage and control user access and entitlements in cloud infrastructure. CIEM is a core part of the Cloud Native Application Protection Platform (CNAPP) solution. It shows who or what has access to resources and helps enforce least-privilege access. With CIEM, users and workload identities get only the access they need to do their tasks. CIEM also helps you monitor and manage permissions across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

Before you start

Before you enable CIEM, make sure you meet the following prerequisites:

  1. Make sure you have the right roles and permissions for each cloud environment to enable the Permissions Management (CIEM) extension in Defender cloud security posture management (Defender CSPM).

  2. Onboard your AWS or GCP environment to Defender for Cloud.

  3. Enable Defender CSPM on your Azure subscription, AWS account, or GCP project.

Enable CIEM for Azure

When you enable the Defender cloud security posture management (Defender CSPM) plan on your Azure account, the Azure CSPM regulatory compliance standard is automatically assigned to your subscription. The Azure CSPM standard provides cloud infrastructure entitlement management (CIEM) recommendations.

When CIEM is disabled, the CIEM recommendations within the Azure CSPM standard aren't calculated.

To enable CIEM for Azure, complete the following steps:

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. Navigate to Environment settings.

  4. Select the relevant subscription.

  5. Locate the Defender CSPM plan and select Settings.

  6. Enable Permissions Management (CIEM).

    [Screenshot: the Permissions Management (CIEM) toggle in the Defender CSPM plan settings.]

  7. Select Continue.

  8. Select Save.

The applicable CIEM recommendations appear on your subscription within a few hours.

List of Azure recommendations:

  • Azure overprovisioned identities should have only the necessary permissions

  • Permissions of inactive identities in your Azure subscription should be revoked
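The portal toggle above is the documented way to turn on Permissions Management (CIEM). For many subscriptions it is useful to check and set the same state with the Microsoft.Security/pricings REST API, and to confirm afterwards that both conditions the page names are met (Defender CSPM on the Standard tier and the CIEM extension enabled). The script below is an added example, not part of this page or of Defender for Cloud itself; the plan name CloudPosture, the api-version 2023-01-01 and the extension name EntraPermissionsManagement are the example author's understanding of the Pricings API and should be verified against the current API reference, and the pricing document it parses is constructed sample data.

```python
"""Added example (not Microsoft's code): inspect and enable the Permissions
Management (CIEM) extension of the Defender CSPM plan via the Pricings API.

Assumed identifiers (verify against the Pricings API reference):
  PLAN_NAME "CloudPosture", API_VERSION "2023-01-01",
  CIEM_EXTENSION "EntraPermissionsManagement".
"""
import json
import os
import urllib.request

API_VERSION = "2023-01-01"                      # assumed Pricings API version
PLAN_NAME = "CloudPosture"                      # assumed name of the Defender CSPM plan
CIEM_EXTENSION = "EntraPermissionsManagement"   # assumed name of the CIEM extension


def ciem_state(pricing: dict) -> dict:
    """Return the CSPM tier and whether CIEM is enabled for one pricing document.

    `pricing` is the JSON body returned by GET .../pricings/CloudPosture.
    isEnabled is a string ("True"/"False") in this API, so compare case-insensitively.
    """
    props = pricing.get("properties", {})
    tier = props.get("pricingTier", "Free")
    enabled = False
    for ext in props.get("extensions", []):
        if ext.get("name") == CIEM_EXTENSION:
            enabled = str(ext.get("isEnabled", "False")).lower() == "true"
    # CIEM recommendations are only calculated when the plan is on AND the toggle is on
    return {"tier": tier, "ciem_enabled": enabled,
            "effective": tier == "Standard" and enabled}


def enable_ciem_body(existing: dict) -> dict:
    """Build the PUT body that turns CIEM on while keeping the other extensions.

    PUT replaces the whole extensions list, so any extension left out of the
    body would be switched off; copy the others through unchanged.
    """
    props = existing.get("properties", {})
    extensions = [dict(e) for e in props.get("extensions", [])
                  if e.get("name") != CIEM_EXTENSION]
    extensions.append({"name": CIEM_EXTENSION, "isEnabled": "True"})
    return {"properties": {"pricingTier": "Standard", "extensions": extensions}}


def pricing_url(subscription_id: str) -> str:
    """URL of the Defender CSPM pricing resource for a subscription."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/providers/Microsoft.Security/pricings/{PLAN_NAME}"
            f"?api-version={API_VERSION}")


def set_ciem(subscription_id: str, token: str) -> dict:
    """Live call: read the current plan, enable CIEM if needed, return the new state."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    url = pricing_url(subscription_id)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as r:
        current = json.load(r)
    state = ciem_state(current)
    if state["effective"]:
        return state  # nothing to do
    body = json.dumps(enable_ciem_body(current)).encode()
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req) as r:
        return ciem_state(json.load(r))


# Constructed sample document: Defender CSPM is on, CIEM toggle is off,
# and one unrelated extension is on (it must survive the PUT).
SAMPLE_PRICING = {
    "name": PLAN_NAME,
    "properties": {
        "pricingTier": "Standard",
        "extensions": [
            {"name": "SensitiveDataDiscovery", "isEnabled": "True"},
            {"name": CIEM_EXTENSION, "isEnabled": "False"},
        ],
    },
}

if __name__ == "__main__":
    print("before:", ciem_state(SAMPLE_PRICING))
    print("PUT body:", json.dumps(enable_ciem_body(SAMPLE_PRICING), indent=2))
    sub = os.environ.get("AZURE_SUBSCRIPTION_ID")
    tok = os.environ.get("AZURE_TOKEN")
    if sub and tok:  # only talks to Azure when credentials are supplied
        print("after:", set_ciem(sub, tok))
```

Run it without environment variables to see the parsed state and the request body for the sample; with AZURE_SUBSCRIPTION_ID and a bearer token in AZURE_TOKEN it performs the live GET/PUT. Rebuilding the body from the existing extensions list matters because the Pricings PUT replaces the list wholesale, so a script that sends only the CIEM entry would silently disable the other Defender CSPM extensions.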

Enable CIEM for AWS

When you enable the Defender CSPM plan on your AWS account, the AWS CSPM regulatory compliance standard is automatically assigned to your subscription. The AWS CSPM standard provides CIEM recommendations. When Permissions Management is disabled, the CIEM recommendations in the AWS CSPM standard aren't calculated.

To enable CIEM for AWS, complete the following steps:

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. Navigate to Environment settings.

  4. Select the relevant AWS account.

  5. Locate the Defender CSPM plan and select Settings.

    [Screenshot: an AWS account with the Defender CSPM plan enabled and its Settings button.]

  6. Enable Permissions Management (CIEM).

  7. Ingest AWS CloudTrail logs to get more accurate CIEM recommendations and insights.

  8. Select Configure access.

  9. Select a deployment method.

  10. Run the CloudFormation deployment script on your AWS environment by using the onscreen instructions.

  11. Select the checkbox labeled CloudFormation template has been updated on AWS environment (Stack).

    [Screenshot: the CloudFormation template has been updated on AWS environment (Stack) checkbox.]

  12. Select Review and generate.

  13. Select Update.

The applicable CIEM recommendations appear on your subscription within a few hours.

List of AWS recommendations:

  • AWS overprovisioned identities should have only the necessary permissions

  • Permissions of inactive identities in your AWS account should be revoked

Enable CIEM for GCP

When you enable the Defender CSPM plan on your GCP project, the GCP CSPM regulatory compliance standard is automatically assigned to your subscription. The GCP CSPM standard provides CIEM recommendations.

When Permissions Management (CIEM) is disabled, the CIEM recommendations within the GCP CSPM standard aren't calculated.

To enable CIEM for GCP, complete the following steps:

  1. Sign in to the Azure portal.

  2. Search for and select Microsoft Defender for Cloud.

  3. Navigate to Environment settings.

  4. Select the relevant GCP project.

  5. Locate the Defender CSPM plan and select Settings.

    [Screenshot: the Settings link for the Defender CSPM plan on a GCP project.]

  6. Toggle Permissions Management (CIEM) to On.

  7. Ingest GCP cloud logging to ensure your GCP identities are evaluated for permission risks.

  8. Select Save.

  9. Select Next: Configure access.

  10. Select the relevant permissions type.

  11. Select a deployment method.

  12. Run the Cloud Shell or Terraform deployment script on your GCP environment by using the onscreen instructions.

  13. Select the checkbox labeled I ran the deployment template for the changes to take effect.

    [Screenshot: the I ran the deployment template for the changes to take effect checkbox.]

  14. Select Review and generate.

  15. Select Update.

The applicable CIEM recommendations appear on your subscription within a few hours.

List of GCP recommendations:

  • GCP overprovisioned identities should have only necessary permissions

  • Permissions of inactive identities in your GCP project should be revoked

Limitations

Be aware of the following CIEM limitations:

  • Serverless and compute identities for AWS are no longer included in CIEM inactivity logic, which can change recommendation counts.
  • The Permissions Creep Index (PCI) metric is being deprecated and will no longer appear in Defender for Cloud recommendations.