Identity (CIEM) module
The Identity page is the CIEM home. It has four sub-tabs that cover the full IAM surface across every connected cloud.
Tabs
Users
Lists every human-style identity across every cloud (AWS IAM users, GCP users with IAM bindings, Azure Entra ID accounts, Scaleway IAM users).
| Column | Notes |
|---|---|
| User | Name + email. |
| Cloud | The cloud provider logo. |
| Status | active, disabled. |
| MFA | Enabled / disabled. |
| Over-privileged | Marker shown when the user holds at least one granted action that was never exercised in the lookback window. |
| Policies | Number of attached policies. |
| Groups | Number of group memberships. |
| Unused actions | Count of granted actions that were not called in the last 90 days. |
Service Accounts
Lists every machine-style identity (AWS IAM users that have access keys but no console password, GCP service accounts, Azure managed identities, Scaleway IAM applications).
Same columns as Users, plus an API keys count.
Roles
Lists every role across every cloud. Role types vary per cloud: AWS IAM roles, GCP custom roles, Azure RBAC role assignments, Scaleway custom roles.
| Column | Notes |
|---|---|
| Role | Name + ARN / full path. |
| Cloud | Provider logo. |
| Type | Service (assumed by a cloud service) or Custom. |
| Last used | Date of last assumption, Never for dormant roles. |
| Policies | Count of attached policies. |
| Unused actions | Same metric as users / accounts. |
Cross-Cloud
Lists pairs of identities across two clouds that match on email, SSO subject, or key fingerprint. These are the bridges an attacker would use to escalate from one cloud to another.
| Column | Notes |
|---|---|
| Source | Identity in the first cloud, with provider logo. |
| Match | The matching criterion (email, sso_subject, key_fingerprint). |
| Target | Identity in the second cloud. |
| Resources | Count of resources accessible on each side. |
Filters
Each tab has its own filter bar:
- Users: cloud, status, MFA, risk (over-privileged, no MFA, unused actions).
- Service Accounts: cloud, has unused actions.
- Roles: cloud, type, used / never used.
- Cross-Cloud: source cloud, target cloud, match type.
Detail panel
For an identity:
- Effective permissions tree: every action the identity can perform, grouped by service.
- Action usage histogram: which actions were called and how often, in the last 90 days.
- Recommendation: a tighter policy that grants only the actions used.
- Toxic combinations the identity sits on (e.g. App user assumes prod-deploy → can write to billing bucket).
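The permissions tree, the usage histogram, the Unused actions count and the tighter-policy recommendation above are all derived from the same two inputs: what a policy grants and what the identity actually called in the last 90 days. The following is an added example that works through that derivation on constructed data; it is not the product's code. The policy, the action catalog and the CloudTrail-style events are made up for the illustration, wildcard expansion is simplified to pattern matching against a short catalog (a real implementation needs the provider's full action list), and Deny statements, NotAction and conditions are deliberately ignored.

```python
"""Added illustration of the Unused actions metric and the least-privilege
recommendation. Example code, not the product's implementation. Policy,
action catalog and event log are constructed sample data."""
from __future__ import annotations

import fnmatch
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed: a small catalog standing in for the provider's full action list,
# used to expand wildcards such as ec2:Describe* into concrete actions.
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
]

# Constructed: an attached policy mixing wildcards and explicit actions.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"},
    ],
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
# Constructed: CloudTrail-style (eventSource, eventName, eventTime) records for
# one identity. The PassRole call is older than 90 days and must not count.
SAMPLE_EVENTS = [
    ("s3.amazonaws.com", "GetObject", NOW - timedelta(days=1)),
    ("s3.amazonaws.com", "GetObject", NOW - timedelta(days=3)),
    ("s3.amazonaws.com", "ListBucket", NOW - timedelta(days=10)),
    ("ec2.amazonaws.com", "DescribeInstances", NOW - timedelta(days=40)),
    ("iam.amazonaws.com", "PassRole", NOW - timedelta(days=120)),
]


def granted_actions(policy: dict, catalog: list[str] = ACTION_CATALOG) -> set[str]:
    """Expand every Allow statement's Action patterns against the catalog.
    IAM action matching is case-insensitive, so compare lower-cased."""
    granted: set[str] = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # simplification: Deny / NotAction are not modelled here
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        for pattern in patterns:
            granted.update(a for a in catalog
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted


def permissions_tree(policy: dict, catalog: list[str] = ACTION_CATALOG) -> dict[str, list[str]]:
    """The effective permissions tree: granted actions grouped by service."""
    tree: dict[str, list[str]] = {}
    for action in sorted(granted_actions(policy, catalog)):
        service, name = action.split(":", 1)
        tree.setdefault(service, []).append(name)
    return tree


def usage_histogram(events, now: datetime, window_days: int = 90) -> Counter:
    """Calls per action inside the lookback window (the page's 90 days)."""
    cutoff = now - timedelta(days=window_days)
    hist: Counter = Counter()
    for source, name, when in events:
        if when < cutoff:
            continue
        service = source.split(".")[0]  # "s3.amazonaws.com" -> "s3"
        hist[f"{service}:{name}"] += 1
    return hist


def unused_actions(policy: dict, events, now: datetime) -> set[str]:
    """Granted actions never observed in the window: the Unused actions column."""
    return granted_actions(policy) - set(usage_histogram(events, now))


def is_over_privileged(policy: dict, events, now: datetime) -> bool:
    """The Over-privileged marker: at least one granted action never exercised."""
    return bool(unused_actions(policy, events, now))


def recommended_policy(policy: dict, events, now: datetime) -> dict:
    """A tighter policy listing only the actions actually called, no wildcards."""
    used = sorted(granted_actions(policy) & set(usage_histogram(events, now)))
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": used, "Resource": "*"}]}


if __name__ == "__main__":
    print(json.dumps(permissions_tree(SAMPLE_POLICY), indent=2))
    print(dict(usage_histogram(SAMPLE_EVENTS, NOW)))
    print(sorted(unused_actions(SAMPLE_POLICY, SAMPLE_EVENTS, NOW)))
    print(json.dumps(recommended_policy(SAMPLE_POLICY, SAMPLE_EVENTS, NOW), indent=2))
```

Two things the example makes visible that the column descriptions do not: the 120-day-old PassRole call falls outside the window, so iam:PassRole is reported as unused even though it was once exercised, and the recommendation still carries `"Resource": "*"` because call logs alone do not say which resources were touched. Narrowing resources needs the resource ARNs from the events, and a 90-day window will miss anything exercised only in quarterly or yearly jobs, so review the recommendation before applying it.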
Tips
- Sort by Unused actions descending. That is the prioritised attack surface.
- MFA gaps first. Filter `MFA: disabled` and treat those as same-day work.
- Cross-Cloud pairs are not always bad. A shared SSO identity is normal. The risk is when both clouds have admin permissions and there is no conditional access.
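The Cross-Cloud tab joins identities on email, SSO subject or key fingerprint, and the tip above says which of those pairs matter. The following is an added example, not the product's code, that performs the join and applies that triage rule on constructed data. The identity records, their field names and the reading of "no conditional access" as "neither side enforces it" are assumptions made for the illustration.

```python
"""Added illustration of cross-cloud identity correlation and the admin +
no-conditional-access triage rule. Example code, not the product's own.
Identity records below are constructed sample data."""
from __future__ import annotations

from itertools import combinations

# Constructed sample identities, one record per cloud identity. `keys` holds
# key fingerprints, `sso_subject` the IdP subject claim; `admin` and
# `conditional_access` summarise the page's risk condition per side.
SAMPLE_IDENTITIES = [
    {"cloud": "aws", "name": "alice", "email": "Alice@Example.com",
     "sso_subject": "idp|1001", "keys": {"SHA256:aaa"},
     "admin": True, "conditional_access": False},
    {"cloud": "gcp", "name": "alice@example.com", "email": "alice@example.com",
     "sso_subject": "idp|1001", "keys": set(),
     "admin": True, "conditional_access": False},
    {"cloud": "azure", "name": "bob", "email": "bob@example.com",
     "sso_subject": "idp|2002", "keys": set(),
     "admin": False, "conditional_access": True},
    {"cloud": "scaleway", "name": "ci-deploy", "email": None,
     "sso_subject": None, "keys": {"SHA256:aaa"},
     "admin": True, "conditional_access": False},
    {"cloud": "gcp", "name": "bob", "email": "bob@example.com",
     "sso_subject": "idp|2002", "keys": set(),
     "admin": True, "conditional_access": True},
]


def match_keys(identity: dict) -> list[tuple[str, str]]:
    """Normalised (match_type, value) tuples an identity can be joined on.
    Emails are lower-cased so Alice@Example.com and alice@example.com meet."""
    keys: list[tuple[str, str]] = []
    if identity.get("email"):
        keys.append(("email", identity["email"].strip().lower()))
    if identity.get("sso_subject"):
        keys.append(("sso_subject", identity["sso_subject"]))
    for fingerprint in identity.get("keys", ()):
        keys.append(("key_fingerprint", fingerprint))
    return keys


def cross_cloud_pairs(identities: list[dict]) -> list[tuple[dict, str, dict]]:
    """(source, match_type, target) for every pair of identities in
    different clouds that share a match key; one row per match type,
    like the Cross-Cloud tab."""
    index: dict[tuple[str, str], list[int]] = {}
    for i, ident in enumerate(identities):
        for key in match_keys(ident):
            index.setdefault(key, []).append(i)
    found: set[tuple[int, int, str]] = set()
    for (match_type, _value), members in index.items():
        for i, j in combinations(members, 2):
            if identities[i]["cloud"] == identities[j]["cloud"]:
                continue  # same-cloud duplicates are not a cross-cloud bridge
            found.add((i, j, match_type))
    return [(identities[i], m, identities[j]) for i, j, m in sorted(found)]


def is_risky(source: dict, target: dict) -> bool:
    """The page's rule: both sides admin and no conditional access on either."""
    both_admin = source["admin"] and target["admin"]
    any_ca = source["conditional_access"] or target["conditional_access"]
    return both_admin and not any_ca


def risky_bridges(identities: list[dict]) -> list[tuple[str, str, str, str, str]]:
    """Flattened (src_cloud, src_name, match, dst_cloud, dst_name) rows to fix first."""
    return [(s["cloud"], s["name"], m, t["cloud"], t["name"])
            for s, m, t in cross_cloud_pairs(identities) if is_risky(s, t)]


if __name__ == "__main__":
    for row in risky_bridges(SAMPLE_IDENTITIES):
        print(row)
```

In the sample, bob appears in Azure and GCP through the same SSO subject, which is the normal shared-identity case: Azure has conditional access and is not admin, so the pair is listed but not flagged. The alice pair is flagged on both email and SSO subject, and the key-fingerprint match between alice's AWS user and the Scaleway ci-deploy application is the kind of bridge that is easy to miss, since the two sides share no name or email at all.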
What's next
- CIEM concept
- CDR module, the runtime sibling