The Cloud Infrastructure Entitlements API automatically determines which cloud infrastructure resources are accessible to users through entitlements. This feature enables OPA admins to determine the risks to high-value resources in their cloud infrastructure applications and take measures to remediate those risks.
See Cloud infrastructure entitlement discovery and analysis.
Currently, this feature only supports AWS and allows Teams to analyze entitlements that grant end user access to Amazon Relational Database Service (RDS).
Lists all existing Cloud Connections.
This endpoint requires the following role: resource_admin.
Response sample (OK):
{
  "list": [
    {
      "cloud_connection_details": {
        "account_id": "123456789012",
        "external_id": "b4c617de-d58e-4d47-bbdf-c3a3db98ed3d",
        "role_arn": "arn:aws:iam::000000000000:role/example"
      },
      "id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
      "name": "APAC-1",
      "provider": "aws"
    }
  ]
}
Creates a connection to a specified cloud provider. Currently, this only supports AWS.
This endpoint requires the following role: resource_admin.
Request body sample:
{
  "cloud_connection_details": {
    "account_id": "123456789012",
    "external_id": "b4c617de-d58e-4d47-bbdf-c3a3db98ed3d",
    "role_arn": "arn:aws:iam::000000000000:role/example"
  },
  "name": "APAC-1",
  "provider": "aws"
}
Response sample (Created):
{
  "cloud_connection_details": {
    "account_id": "123456789012",
    "external_id": "b4c617de-d58e-4d47-bbdf-c3a3db98ed3d",
    "role_arn": "arn:aws:iam::000000000000:role/example"
  },
  "id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
  "name": "APAC-1",
  "provider": "aws"
}
Checks an existing Cloud Connection.
This endpoint requires the following role: resource_admin.
Request body sample:
{
  "cloud_connection_details": {
    "account_id": "123456789012",
    "external_id": "b4c617de-d58e-4d47-bbdf-c3a3db98ed3d",
    "role_arn": "arn:aws:iam::000000000000:role/example"
  },
  "provider": "aws"
}
Response sample (OK):
{
  "details": "string",
  "status": "success"
}
Retrieves an existing Cloud Connection.
This endpoint requires the following role: resource_admin.
Response sample (OK):
{
  "cloud_connection_details": {
    "account_id": "123456789012",
    "external_id": "b4c617de-d58e-4d47-bbdf-c3a3db98ed3d",
    "role_arn": "arn:aws:iam::000000000000:role/example"
  },
  "id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
  "name": "APAC-1",
  "provider": "aws"
}
Updates an existing Cloud Connection.
This endpoint requires the following role: resource_admin.
Request body sample:
{
  "cloud_connection_details": {
    "account_id": "123456789012",
    "role_arn": "arn:aws:iam::000000000000:role/example"
  },
  "name": "APAC-1",
  "provider": "aws"
}
Response sample (OK):
{
  "cloud_connection_details": {
    "account_id": "123456789012",
    "external_id": "b4c617de-d58e-4d47-bbdf-c3a3db98ed3d",
    "role_arn": "arn:aws:iam::000000000000:role/example"
  },
  "id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
  "name": "APAC-1",
  "provider": "aws"
}
Lists all accounts for a specified Cloud Connection. This is used to run Entitlement Analysis jobs.
This endpoint requires the following role: resource_admin.
Response sample (OK):
{
  "account_id": [
    "012345678911",
    "012345678912",
    "012345678913",
    "012345678914",
    "012345678915",
    "012345678916"
  ]
}
Lists all Cloud Entitlement Jobs.
This endpoint requires the following role: resource_admin.
Response sample (OK):
{
  "list": [
    {
      "account_ids": [
        "012345678911",
        "012345678912",
        "012345678913",
        "012345678914",
        "012345678915",
        "012345678916"
      ],
      "analysis_rules": [
        { "rules": { "excessive_user_access": "10" } },
        { "rules": { "excessive_group_access": "10" } }
      ],
      "connection_id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
      "created_at": "2023-08-25T12:00:00.000000Z",
      "discovery_rules": [
        {
          "resource_details": { "type": "rds", "action": [ "rds-db:connect" ] },
          "rules": { "resource_name_pattern": "*" }
        }
      ],
      "id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
      "name": "CloudEntitlementJob",
      "status": "COMPLETED",
      "updated_at": "2023-08-25T12:00:00.000000Z"
    }
  ]
}
Creates a Cloud Entitlement Job.
This endpoint requires the following role: resource_admin.
Request body sample:
{
  "account_ids": [
    "012345678911",
    "012345678912",
    "012345678913",
    "012345678914",
    "012345678915",
    "012345678916"
  ],
  "analysis_rules": [
    { "rules": { "excessive_user_access": "10" } },
    { "rules": { "excessive_group_access": "10" } }
  ],
  "connection_id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
  "discovery_rules": [
    {
      "resource_details": { "type": "rds", "action": [ "rds-db:connect" ] },
      "rules": { "resource_name_pattern": "*" }
    }
  ],
  "name": "CloudEntitlementJob"
}
Response sample (OK):
{
  "account_ids": [
    "012345678911",
    "012345678912",
    "012345678913",
    "012345678914",
    "012345678915",
    "012345678916"
  ],
  "analysis_rules": [
    { "rules": { "excessive_user_access": "10" } },
    { "rules": { "excessive_group_access": "10" } }
  ],
  "connection_id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
  "created_at": "2023-08-25T12:00:00.000000Z",
  "discovery_rules": [
    {
      "resource_details": { "type": "rds", "action": [ "rds-db:connect" ] },
      "rules": { "resource_name_pattern": "*" }
    }
  ],
  "id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
  "name": "CloudEntitlementJob",
  "status": "COMPLETED",
  "updated_at": "2023-08-25T12:00:00.000000Z"
}
Retrieves a specified Cloud Entitlement Job.
This endpoint requires the following role: resource_admin.
Response sample (OK):
{
  "account_ids": [
    "012345678911",
    "012345678912",
    "012345678913",
    "012345678914",
    "012345678915",
    "012345678916"
  ],
  "analysis_rules": [
    { "rules": { "excessive_user_access": "10" } },
    { "rules": { "excessive_group_access": "10" } }
  ],
  "connection_id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
  "created_at": "2023-08-25T12:00:00.000000Z",
  "discovery_rules": [
    {
      "resource_details": { "type": "rds", "action": [ "rds-db:connect" ] },
      "rules": { "resource_name_pattern": "*" }
    }
  ],
  "id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
  "name": "CloudEntitlementJob",
  "status": "COMPLETED",
  "updated_at": "2023-08-25T12:00:00.000000Z"
}
Updates an existing Cloud Entitlement Job.
This endpoint requires the following role: resource_admin.
Request body parameters:
account_ids (required): Array of strings, <= 10 items. A list of accounts associated with the specified Cloud Connection.
analysis_rules (required): Array of objects (CloudEntitlementJobAnalysis). Conditions used to define risk thresholds for this job.
connection_id (required): string <regex> ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-... The ID of an existing Cloud Connection.
discovery_rules (required): Array of objects (CloudEntitlementJobDiscovery). The rules that control which resources are returned by the job.
name (required): string, [ 1 .. 255 ] characters, <regex> ^[\w\-_.]+$. The name of the job.
Request body sample:
{
  "account_ids": [
    "012345678911",
    "012345678912",
    "012345678913",
    "012345678914",
    "012345678915",
    "012345678916"
  ],
  "analysis_rules": [
    { "rules": { "excessive_user_access": "10" } },
    { "rules": { "excessive_group_access": "10" } }
  ],
  "connection_id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
  "discovery_rules": [
    {
      "resource_details": { "type": "rds", "action": [ "rds-db:connect" ] },
      "rules": { "resource_name_pattern": "*" }
    }
  ],
  "name": "CloudEntitlementJob"
}
Response sample (OK):
{
  "account_ids": [
    "012345678911",
    "012345678912",
    "012345678913",
    "012345678914",
    "012345678915",
    "012345678916"
  ],
  "analysis_rules": [
    { "rules": { "excessive_user_access": "10" } },
    { "rules": { "excessive_group_access": "10" } }
  ],
  "connection_id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
  "created_at": "2023-08-25T12:00:00.000000Z",
  "discovery_rules": [
    {
      "resource_details": { "type": "rds", "action": [ "rds-db:connect" ] },
      "rules": { "resource_name_pattern": "*" }
    }
  ],
  "id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
  "name": "CloudEntitlementJob",
  "status": "COMPLETED",
  "updated_at": "2023-08-25T12:00:00.000000Z"
}
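The request-body constraints listed above for a Cloud Entitlement Job can be checked before the call is made. This is an added example, not OPA's own code; it assumes the truncated connection_id pattern continues as the standard RFC 4122 UUID pattern, and the sample body is constructed from the reference's values.

```python
# Added example (not OPA's own code): client-side validation of a Cloud
# Entitlement Job body against the constraints listed in the reference above.
import re

MAX_ACCOUNT_IDS = 10
# The reference shows the connection_id pattern truncated; this assumes it
# continues as the standard RFC 4122 UUID pattern.
CONNECTION_ID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-"
    r"[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$")
NAME_RE = re.compile(r"^[\w\-_.]+$")
REQUIRED = ("account_ids", "analysis_rules", "connection_id",
            "discovery_rules", "name")

# Constructed sample mirroring the request body shown in the reference.
SAMPLE_JOB = {
    "account_ids": ["012345678911", "012345678912"],
    "analysis_rules": [{"rules": {"excessive_user_access": "10"}}],
    "connection_id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
    "discovery_rules": [{"resource_details": {"type": "rds", "action": ["rds-db:connect"]},
                         "rules": {"resource_name_pattern": "*"}}],
    "name": "CloudEntitlementJob",
}

def validate_job_body(body):
    """Return a list of problems; an empty list means the body is acceptable."""
    problems = [f"missing required field: {k}" for k in REQUIRED if k not in body]
    if problems:
        return problems
    ids = body["account_ids"]
    if not isinstance(ids, list) or len(ids) > MAX_ACCOUNT_IDS:
        problems.append(f"account_ids must be a list of at most {MAX_ACCOUNT_IDS} items")
    elif any(not (isinstance(a, str) and len(a) == 12 and a.isdigit()) for a in ids):
        problems.append("account_ids entries must be 12-digit AWS account IDs")
    if not CONNECTION_ID_RE.match(str(body["connection_id"])):
        problems.append("connection_id is not a UUID")
    name = body["name"]
    if not (isinstance(name, str) and 1 <= len(name) <= 255 and NAME_RE.match(name)):
        problems.append("name must be 1..255 characters matching ^[\\w\\-_.]+$")
    for key in ("analysis_rules", "discovery_rules"):
        rules = body[key]
        if not isinstance(rules, list) or not all(
                isinstance(r, dict) and isinstance(r.get("rules"), dict) for r in rules):
            problems.append(f"{key} must be a list of objects each carrying a 'rules' object")
    return problems
```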
Deletes an existing Cloud Entitlement Job.
This endpoint requires the following role: resource_admin.
Response: No Content
Lists all assigned users discovered by a Cloud Entitlement Job. You can filter by users assigned to a specific group or by users associated with a specific permission set within an account.
This endpoint requires the following role: resource_admin.
Request body parameters:
account_id: string, = 12 characters. An AWS account ID. Required if you set
filter_by (required): string. Whether to list users assigned to a specific group or associated with a specific permission set ARN.
group_id: string, [ 1 .. 64 ] characters. An AWS group ID. Required if you set
permission_set_arn: string, [ 1 .. 2048 ] characters. An Amazon Resource Name (ARN) for your permission set. Required if you set
Request body sample:
{
  "account_id": "123456789012",
  "filter_by": "group_id",
  "group_id": "AGPA00000000",
  "permission_set_arn": "arn:${Partition}:sso:::permissionSet/${InstanceId}/${PermissionSetId}"
}
Response sample (OK):
{
  "list": [
    {
      "created_at": "2023-08-25T12:00:00.000000Z",
      "id": "a747a818-a4c4-4446-8a87-704216495a08",
      "updated_at": "2023-08-25T12:00:00.000000Z",
      "user_details": {
        "user_name": "Todd",
        "primary_email": "string",
        "display_name": "string"
      },
      "user_id": "string"
    }
  ]
}
Lists all resources discovered by a Cloud Entitlement Job. This list is sorted by risk.
This endpoint requires the following role: resource_admin.
Response sample (OK):
{
  "list": [
    {
      "at_risk": true,
      "details": {
        "name": "string",
        "account_id": "123456789012",
        "region": "string",
        "aws_id": "string",
        "arn": "string",
        "resource_id": "string",
        "resource_type": "rds",
        "org_details": { "orgid": "string", "name": "string" },
        "children": [
          {
            "id": "string",
            "name": "string",
            "arn": "string",
            "children": [ { } ]
          }
        ]
      },
      "id": "string"
    }
  ]
}
Retrieves a specified Resource from a Cloud Entitlement Job.
This endpoint requires the following role: resource_admin.
Response sample (OK):
{
  "at_risk": true,
  "details": {
    "name": "string",
    "account_id": "123456789012",
    "region": "string",
    "aws_id": "string",
    "arn": "string",
    "resource_id": "string",
    "resource_type": "rds",
    "org_details": { "orgid": "string", "name": "string" },
    "children": [
      {
        "id": "string",
        "name": "string",
        "arn": "string",
        "children": [ { } ]
      }
    ]
  },
  "id": "string"
}
Runs the specified Cloud Entitlement Job.
This endpoint requires the following role: resource_admin.
Response: No Content
Retrieves a high-level summary of a previously run Cloud Entitlement Job. If the specified job doesn't have a status of COMPLETED or ERROR, this operation returns an empty response.
This endpoint requires the following role: resource_admin.
Response sample (OK):
{
  "details": {
    "resource_type": "rds",
    "resource_total_count": "string",
    "resources_at_risk_count": 0,
    "organization": {
      "id": "5f3159e9-e7ab-428e-8a87-c2ebffe407f6",
      "name": "US West 2 Prod"
    }
  },
  "errors": { "message": "string" },
  "last_updated_at": "2023-08-25T12:00:00.000000Z",
  "status": "ERROR"
}
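Putting the summary and resource-listing responses together: the summary is empty until the job reaches COMPLETED or ERROR, an ERROR summary carries errors.message, and each listed resource carries an at_risk flag plus a nested children tree that may contain empty placeholder objects. The following is an added example, not OPA's own code; the sample summary and resource list are constructed in the shape the reference shows, and the ARNs and ids in them are made up.

```python
# Added example (not OPA's own code): interpreting Cloud Entitlement Job results
# as the reference above describes them. The sample data is constructed.
SAMPLE_SUMMARY = {"details": {"resource_type": "rds", "resource_total_count": "2",
                              "resources_at_risk_count": 1},
                  "last_updated_at": "2023-08-25T12:00:00.000000Z", "status": "COMPLETED"}
SAMPLE_RESOURCES = [
    {"at_risk": True, "id": "r1", "details": {
        "arn": "arn:aws:rds:us-west-2:123456789012:cluster:prod",
        "children": [{"id": "c1", "arn": "arn:aws:rds:us-west-2:123456789012:db:prod-1",
                      "children": [{}]}]}},
    {"at_risk": False, "id": "r2", "details": {
        "arn": "arn:aws:rds:us-west-2:123456789012:cluster:dev", "children": []}},
]

def summary_state(summary):
    """Classify a summary response. The endpoint returns an empty body until
    the job status is COMPLETED or ERROR, so an empty body means the job is pending."""
    if not summary:
        return "pending"
    status = summary.get("status")
    if status == "ERROR":
        return "error: " + summary.get("errors", {}).get("message", "unknown")
    if status == "COMPLETED":
        return "completed"
    return f"unexpected status {status!r}"

def tree_arns(resource):
    """Collect the ARN of a discovered resource and all nested children;
    empty placeholder objects like the {} in the sample are skipped."""
    details = resource.get("details", resource)
    arns = [details["arn"]] if details.get("arn") else []
    for child in details.get("children", []):
        arns.extend(tree_arns(child))
    return arns

def triage(summary, resources):
    """Return (state, ARNs of at-risk resources and their children) in the
    API's risk-sorted order, and flag a mismatch against the summary count."""
    state = summary_state(summary)
    if state != "completed":
        return state, []
    flagged = [r for r in resources if r.get("at_risk")]
    arns = [arn for r in flagged for arn in tree_arns(r)]
    expected = summary.get("details", {}).get("resources_at_risk_count")
    if expected is not None and expected != len(flagged):
        state = (f"completed (summary reports {expected} at-risk resources, "
                 f"listing has {len(flagged)})")
    return state, arns
```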