CIEM
Cloud Infrastructure Entitlement Management (CIEM) models the permissions granted to identities in cloud environments and the risks those permissions create: who can do what, to which resources, and through which chains of identities.
Graph Model
- Nodes: identities (users, roles, service accounts) and the resources they act on
- Edges: trust relationships (who may assume a role) and policy permissions (which actions an identity may perform on a resource)
Effective permissions are computed transitively across the graph: an identity holds not only what its own policies grant, but everything reachable through the roles it can assume.
Example:
User A → role X → EC2 instance → S3 bucket access
CIEM systems detect over-permissioned identities and potential escalation paths.
Escalation Example
- User A has iam:PassRole and ec2:RunInstances, with PassRole not restricted to specific roles
- Role B has administrator privileges and can be attached to EC2 instances
- User A launches an EC2 instance with Role B as its instance profile
- User A queries the instance metadata service from that instance (for example through user data or a login to it) and retrieves Role B's temporary credentials
- Result: full admin access
Neither permission is dangerous on its own, so detection requires evaluating the permission graph: which roles A may pass, what those roles can do, and whether that exceeds what A already holds.
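The following is an added example, not code from the original page or from any CIEM product, that puts both sections above into working code: a small permission graph with identity nodes, policy edges and trust edges, transitive computation of effective permissions (the User A → role X → S3 bucket chain), and a detector for the iam:PassRole + ec2:RunInstances escalation path. The account id, ARNs, bucket name and the second user (UserC, whose PassRole is scoped to a role it can already assume) are constructed sample data; IAM-style wildcards are approximated with shell-glob matching.

```python
"""Toy CIEM permission graph (added example; not from any CIEM product).

Nodes are identities (users, roles) and resources; edges are policy
permissions (principal -> action on resource) and role trust (principal may
assume role). Effective permissions are the union of everything reachable
through the trust edges, and escalation paths are found by asking what a
principal could do with a role it is allowed to pass to EC2.
"""
from collections import defaultdict, deque
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed sample account id
USER_A = f"arn:aws:iam::{ACCOUNT}:user/UserA"
USER_C = f"arn:aws:iam::{ACCOUNT}:user/UserC"
ROLE_B = f"arn:aws:iam::{ACCOUNT}:role/RoleB"
ROLE_X = f"arn:aws:iam::{ACCOUNT}:role/RoleX"


class PermissionGraph:
    def __init__(self):
        self.kind = {}                  # node -> "user" | "role"
        self.allows = defaultdict(set)  # principal -> {(action pattern, resource pattern)}
        self.assume = defaultdict(set)  # principal -> {roles it may sts:AssumeRole into}

    def add_principal(self, arn, kind):
        self.kind[arn] = kind

    def allow(self, principal, action, resource="*"):
        """Policy edge: principal may perform action on resource (glob patterns)."""
        self.allows[principal].add((action, resource))

    def trust(self, principal, role):
        """Trust edge: the role's trust policy lets principal assume it."""
        self.assume[principal].add(role)

    @staticmethod
    def grants(perms, action, resource):
        """Does any (action, resource) pattern in perms cover this request?"""
        return any(fnmatchcase(action, a) and fnmatchcase(resource, r) for a, r in perms)

    def reachable_roles(self, principal):
        """All roles reachable by chaining sts:AssumeRole (BFS over trust edges)."""
        seen, queue = set(), deque([principal])
        while queue:
            for role in self.assume[queue.popleft()] - seen:
                seen.add(role)
                queue.append(role)
        return seen

    def effective_permissions(self, principal):
        """Direct permissions plus those of every transitively assumable role."""
        perms = set(self.allows[principal])
        for role in self.reachable_roles(principal):
            perms |= self.allows[role]
        return perms

    def passrole_escalations(self, principal):
        """iam:PassRole + ec2:RunInstances path: roles the principal may attach to
        a new instance whose permissions exceed the principal's own. Credentials
        for that role are then readable from the instance metadata service."""
        own = self.effective_permissions(principal)
        if not self.grants(own, "ec2:RunInstances", "*"):
            return []
        findings = []
        for node, kind in self.kind.items():
            if kind != "role" or not self.grants(own, "iam:PassRole", node):
                continue
            # Anything the role may do that the principal cannot already do is gained access.
            gained = {p for p in self.effective_permissions(node) if not self.grants(own, *p)}
            if gained:
                findings.append((node, sorted(gained)))
        return findings


def build_demo():
    """Constructed sample account mirroring the escalation example above."""
    g = PermissionGraph()
    for arn, kind in [(USER_A, "user"), (USER_C, "user"), (ROLE_B, "role"), (ROLE_X, "role")]:
        g.add_principal(arn, kind)
    # Role X: read access to one bucket; User A may assume it (User A -> role X -> S3).
    g.allow(ROLE_X, "s3:GetObject", "arn:aws:s3:::app-logs/*")
    g.trust(USER_A, ROLE_X)
    # Role B: administrator.
    g.allow(ROLE_B, "*", "*")
    # User A: two innocuous-looking permissions, PassRole unscoped.
    g.allow(USER_A, "ec2:RunInstances", "*")
    g.allow(USER_A, "iam:PassRole", "*")
    # User C: same actions, but PassRole scoped to a role C can already assume.
    g.allow(USER_C, "ec2:RunInstances", "*")
    g.allow(USER_C, "iam:PassRole", ROLE_X)
    g.trust(USER_C, ROLE_X)
    return g


if __name__ == "__main__":
    g = build_demo()
    print("Effective permissions of UserA:", sorted(g.effective_permissions(USER_A)))
    for user in (USER_A, USER_C):
        for role, gained in g.passrole_escalations(user):
            print(f"ESCALATION {user} -> RunInstances+PassRole -> {role}: gains {gained}")
```

Running it reports one path, UserA to RoleB gaining ("*", "*"), and nothing for UserC: scoping iam:PassRole to roles the identity can already assume removes the escalation without removing the ability to launch instances. The check is graph-level by construction; looking at UserA's two permissions in isolation would flag nothing.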