Supported provider
- Currently AWS only
Supported identities
| Identity type | Support |
|---|---|
| AWS IAM role | ✅ |
| AWS IAM user | ✅ |
| AWS IAM group | ✅ |
Supported policy types
| Policy type | Support |
|---|---|
| Inline policy | ✅ |
| Managed policy (custom / AWS managed) | ✅ |
| Permissions boundary | ✅ |
| Resource-based policy | ❌ |
| Group-linked policies | ❌ |
| Service control policies (SCPs) | ❌ |
| VPC endpoint policies | ❌ |
- Inline policy: A policy embedded directly in a single IAM identity (user, group, or role).
- Managed policy: A standalone policy that can be attached to multiple identities. AWS provides AWS managed policies, while you can also create customer managed policies.
- Permissions boundary: An advanced policy that sets the maximum permissions an identity-based policy can grant.
- SCP (Service control policy): An AWS Organizations feature used to manage permissions across accounts in an organization.
- Resource-based policy: A policy attached directly to a resource (e.g. S3 bucket policy).
ABAC support
ABAC (Attribute-based access control) is a strategy where access decisions are based on attributes (tags, account IDs, or session details) instead of just roles or groups.

| Attribute type | Support |
|---|---|
| Properties of the principal | Partial |
| Properties of the resource | Partial (`aws:ResourceAccount`, `aws:ResourceTag/tag-key`) |
| Properties of a role session | ❌ |
| Properties of the network | ❌ |
| Properties of the request | ❌ |
Supported resource types
The following AWS resource types are supported in Entitlements analyzer:

- AWS::Lambda::Function
- AWS::EC2::InternetGateway
- AWS::EC2::Subnet
- AWS::EC2::RouteTable
- AWS::EC2::NetworkAcl
- AWS::EC2::Instance
- AWS::IAM::InstanceProfile
- AWS::EC2::NetworkInterface
- AWS::IAM::Role
- AWS::IAM::Policy
- AWS::ApiGatewayV2::Api
- AWS::ApiGatewayV2::Route
- AWS::DynamoDB::Table
- AWS::ECS::Service
- AWS::ECS::Cluster
- AWS::ECS::TaskDefinition
- AWS::EC2::SecurityGroup
- AWS::S3::Bucket
- AWS::RDS::DBCluster
- AWS::EC2::VPC
- AWS::APIGateway::RestAPI
- AWS::ApiGatewayV2::Integration
- AWS::APIGateway::Resource
- AWS::APIGateway::Integration
- AWS::RDS::DBInstance
- AWS::ElasticLoadBalancingV2::Listener
- AWS::AutoScaling::LaunchConfiguration
- AWS::EC2::LaunchTemplate
- AWS::AutoScaling::AutoScalingGroup
- AWS::ElasticLoadBalancingV2::LoadBalancer
- AWS::ElasticLoadBalancingV2::TargetGroup
- AWS::EC2::LaunchTemplateVersion
- AWS::RDS::DBSecurityGroup
- AWS::IAM::User
- AWS::IAM::Group
- AWS::KMS::Key
- AWS::EC2::Volume
- AWS::EC2::AMI
- AWS::SQS::Queue
- AWS::EventBridge::EventBus
- AWS::ECR::Repository
- AWS::CloudTrail::Trail
- AWS::EC2::Snapshot
- AWS::RDS::DBClusterSnapshot
- AWS::Backup::BackupVault
- AWS::SecretsManager::Secret
- AWS::SNS::Topic
- AWS::SageMaker::Notebook
- AWS::Neptune::DBCluster
- AWS::Neptune::DBInstance
- AWS::Lambda::Layer
- AWS::SES::EmailIdentity
Limitations
- S3 object-level permissions (such as `s3:GetObject`, `s3:WriteObject`) are not currently supported.