Coverage
Entitlements Analyzer Coverage
This document serves as a reference for the coverage of the Plerion Entitlements Analyzer feature.Supported Provider
AWS onlySupported Identities
| Identity Type | Support |
|---|---|
| AWS IAM Role | ✅ |
| AWS IAM User | ✅ |
| AWS IAM Group | ✅ |
Supported policy types
| Policy Type | Support |
|---|---|
| Inline policy | ✅ |
| Managed Policy (Custom / AWS Managed) | ✅ |
| Permissions boundary | ✅ |
| Resource based policy | ❌ |
| Group Linked Policies | ❌ |
| SCPs | ❌ |
| VPC Endpoint policies | ❌ |
ABAC Support
| Type | Support |
|---|---|
| Properties of the principal | Partial |
| Properties of the resource | Partial (aws:ResourceAccount, aws:ResourceTag/tag::key) |
| Properties of a role session | ❌ |
| Properties of the network | ❌ |
| Properties of the request | ❌ |
Supported resource types
- AWS::Lambda::Function
- AWS::EC2::InternetGateway
- AWS::EC2::Subnet
- AWS::EC2::RouteTable
- AWS::EC2::NetworkAcl
- AWS::EC2::Instance
- AWS::IAM::InstanceProfile
- AWS::EC2::NetworkInterface
- AWS::IAM::Role
- AWS::IAM::Policy
- AWS::ApiGatewayV2::Api
- AWS::ApiGatewayV2::Route
- AWS::DynamoDB::Table
- AWS::ECS::Service
- AWS::ECS::Cluster
- AWS::ECS::TaskDefinition
- AWS::EC2::SecurityGroup
- AWS::S3::Bucket
- AWS::RDS::DBCluster
- AWS::EC2::VPC
- AWS::APIGateway::RestAPI
- AWS::ApiGatewayV2::Integration
- AWS::APIGateway::Resource
- AWS::APIGateway::Integration
- AWS::RDS::DBInstance
- AWS::ElasticLoadBalancingV2::Listener
- AWS::AutoScaling::LaunchConfiguration
- AWS::EC2::LaunchTemplate
- AWS::AutoScaling::AutoScalingGroup
- AWS::ElasticLoadBalancingV2::LoadBalancer
- AWS::ElasticLoadBalancingV2::TargetGroup
- AWS::EC2::LaunchTemplateVersion
- AWS::RDS::DBSecurityGroup
- AWS::IAM::User
- AWS::IAM::Group
- AWS::KMS::Key
- AWS::EC2::Volume
- AWS::EC2::AMI
- AWS::SQS::Queue
- AWS::EventBridge::EventBus
- AWS::ECR::Repository
- AWS::CloudTrail::Trail
- AWS::EC2::Snapshot
- AWS::RDS::DBClusterSnapshot
- AWS::Backup::BackupVault
- AWS::SecretsManager::Secret
- AWS::SNS::Topic
- AWS::SageMaker::Notebook
- AWS::Neptune::DBCluster
- AWS::Neptune::DBInstance
- AWS::Lambda::Layer
- AWS::SES::EmailIdentity
Limitations
- Currently permissions associated with S3 bucket objects like
s3:GetObject,s3:WriteObjectetc aren’t supported