# Cloud Infrastructure Entitlement Management

## Cortex^®^ Cloud gives you control over permissions across multi-cloud environments

* [Request a demo](https://www.paloaltonetworks.cn/cortex/cloud/trial?ts=markdown)

* [Why it matters](#why)
* [Our approach](#approach)
* [Modules](#modules)

{#why}
## Overly permissive roles, weak credential security and accidental public exposure have all led to serious compromises of enterprise cloud environments.

### Calculating effective permissions is complex

In the public cloud, permissions can be defined and inherited in many places, including roles, resources, access control lists and more. To say the least, gaining visibility into net effective permissions across cloud providers is also complex.

### Overly permissive roles lead to high-impact incidents

By exploiting identity and access management (IAM) misconfigurations such as overly permissive roles, attackers can establish control over an entire cloud environment. With these "keys to the kingdom" in hand, it is easy to compromise every account or use them for malicious activity.

### Enforcing least-privilege access is challenging

Although the principle of least privilege is an intuitive concept, continuously maintaining this best practice in highly dynamic multi-cloud environments remains a major challenge for every organization.

## Monitor permissions and continuously enforce least-privilege access

Cloud infrastructure entitlement management (CIEM) gives users broad visibility into effective permissions, continuously monitors multi-cloud environments for risky and unused entitlements, and automatically makes least-privilege recommendations. Users can simply and efficiently understand which identities can access critical infrastructure, including identities associated with IdP providers, all seamlessly integrated into Cortex Cloud.

* Query the permissions of users, compute instances, cloud resources and more
* Monitor excessive and unused permissions
* Automatically remediate overly permissive roles

Capabilities:

* Net effective permissions
* Rightsizing permissions
* IAM entitlement investigation
* IdP integration
* Automated remediation

{#approach}
## Our approach to cloud infrastructure entitlement management

### Net effective permissions

Get full visibility into who can take which actions on which resources. CIEM is purpose-built to directly address the difficulty of managing permissions across AWS, Azure and GCP. Cortex Cloud automatically calculates users' effective permissions across cloud service providers, detects overly permissive access, and proposes corrections to reach least privilege.

#### Manage multi-cloud entitlements with one solution

Get the integrated multi-cloud capabilities of Cortex Cloud, extending everything we do for cloud security posture management (CSPM) to cloud identities.

#### Enforce prebuilt policies

Use dedicated out-of-the-box policies to detect risky permissions and remove unneeded access to cloud resources.

#### Audit permissions for internal compliance

Quickly audit cloud permissions using the relevant user data, service data and cloud accounts.

### Rightsizing permissions

Dedicated out-of-the-box policies detect risky permissions and help remove unneeded access to cloud resources. Automatically detect overly permissive user permissions, then use automated recommendations to rightsize them for least-privilege access.

#### Detect overly permissive policies

Remove unneeded access to cloud resources by automatically detecting overly permissive access policies.

#### Enforce prebuilt policies

Use out-of-the-box policies to detect public access, wildcard usage, risky permissions and more.

#### Automated recommendations

Achieve the principle of least privilege with automated recommendations.

### IAM entitlement investigation

Query all relevant IAM entities, including every relationship between entities and their effective permissions in the cloud environment. Understand which user can take which actions on which resources in which cloud. Convert queries into custom cloud-agnostic policies and define remediation steps and compliance impact.

#### Investigate IAM entitlements

View real-time and historical data on IAM activity and permissions.

#### Query data for full visibility into user activity

Get a detailed view of suspicious activity, together with the connected accounts and resources.

#### Query identity-provider-specific data

Discover overly permissive IdP user roles and correlate the results with cloud identities such as IAM users and machine identities.

### IdP integration

Integrate with identity provider (IdP) services such as Okta, Azure AD and AWS IAM Identity Center to ingest single sign-on (SSO) data. View effective permissions and overly permissive IdP user roles, and correlate the results with cloud identities such as IAM users and machine identities.

#### Leverage integration support for IdP services

Ingest single sign-on (SSO) data for permission mapping and calculate the effective permissions of IdP users across multi-cloud accounts.

#### Query identity-provider-specific data

Discover overly permissive IdP user roles and correlate the results with cloud identities such as IAM users and machine identities.

#### Convert queries into cloud-agnostic policies

Convert RQL queries into IAM security policies with specific compliance and remediation impact, easily building custom guardrails for IdP users.

### Automated remediation

Automatically adjust permissions and continuously enforce least-privilege access. Send alert notifications to 14 third-party tools, including email, AWS Lambda and Security Hub, PagerDuty^®^, ServiceNow^®^ and Slack^®^.

#### Activate automated remediation for over-privileged users

Get recommendations from Cortex Cloud on the ideal permission level for any cloud user.

#### Support for 14 common integrations

Seamlessly integrate Cortex Cloud alerts with your existing alert management tools through built-in support for 14 third-party tools.

#### Remediation playbooks

Easily achieve advanced security orchestration with Cortex^®^ XSOAR playbooks tailored for Cortex Cloud.
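The net effective permissions and rightsizing sections above describe the evaluation only conceptually; the Python below is an added illustration of that idea and is not Cortex Cloud code or its algorithm. It assumes AWS-style policy statements (an explicit Deny wins, otherwise any Allow grants, with IAM wildcard matching) and uses constructed policies, access requests and activity data throughout.

```python
"""Toy CIEM evaluation over AWS-style policy statements: net effective permissions, prebuilt-policy
style risk findings and unused-permission rightsizing. Added example, not Cortex Cloud code; all data is constructed."""
from fnmatch import fnmatchcase

# Constructed policies on one identity (role policy plus inline hotfix) and one bucket policy.
IDENTITY_POLICIES = {
    "role/app-reader": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": ["arn:aws:s3:::app-data/*"]},
        {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},  # over-broad grant
    ],
    "inline/ops-hotfix": [{"Effect": "Deny", "Action": ["ec2:TerminateInstances"], "Resource": ["*"]}],
}
BUCKET_POLICY = [  # Principal "*" makes this grant public
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::app-data/*"]},
]
REQUESTS = [  # (action, resource) pairs to evaluate for the identity; ARNs are constructed
    ("s3:GetObject", "arn:aws:s3:::app-data/config.json"),
    ("s3:PutObject", "arn:aws:s3:::app-data/config.json"),
    ("ec2:DescribeInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"),
    ("ec2:TerminateInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"),
]
USED_ACTIONS = {"s3:GetObject"}  # actions seen in (constructed) activity logs

def is_allowed(statements, action, resource):
    """AWS order in miniature: an explicit Deny in any applicable statement wins, else any Allow.
    Action names match case-insensitively, ARNs case-sensitively; '*' and '?' are IAM wildcards."""
    allowed = False
    for st in statements:
        if (any(fnmatchcase(action.lower(), a.lower()) for a in st["Action"])
                and any(fnmatchcase(resource, r) for r in st["Resource"])):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def net_effective(policies, requests):
    """Actions that survive all policies attached to the identity together, in request order."""
    statements = [s for sts in policies.values() for s in sts]
    return [a for a, r in requests if is_allowed(statements, a, r)]

def risky_statements(statements):
    """Findings a prebuilt CIEM policy would raise: wildcard grants and public principals."""
    findings = []
    for i, st in enumerate(statements):
        if st["Effect"] != "Allow":
            continue
        if any(a == "*" or a.endswith(":*") for a in st["Action"]) or "*" in st["Resource"]:
            findings.append((i, "wildcard"))
        if st.get("Principal") == "*":
            findings.append((i, "public-access"))
    return findings

def rightsize(effective_actions, used_actions):
    """Least-privilege recommendation: granted-but-unused actions to remove."""
    return sorted(set(effective_actions) - set(used_actions))
```

Running it shows the inline Deny overriding the role's `ec2:*` grant for `ec2:TerminateInstances`, the wildcard and public-principal statements being flagged, and `ec2:DescribeInstances` surfacing as a granted-but-unused permission to remove.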
{#modules}
## More cloud posture security capabilities

### Cloud security posture management

Eliminate the most critical risks across public and multi-cloud environments with Cortex Cloud. [Learn more](https://www.paloaltonetworks.cn/cortex/cloud/cloud-security-posture-management?ts=markdown)

### Data security posture management

Discover, classify and protect sensitive data in cloud environments. [Learn more](https://www.paloaltonetworks.cn/cortex/cloud/data-security-posture-management?ts=markdown)

### AI security posture management

Identify and resolve vulnerabilities in the AI supply chain. [Learn more](https://www.paloaltonetworks.cn/cortex/cloud/ai-security-posture-management?ts=markdown)

### Vulnerability management

Consistently prioritize and remediate vulnerabilities from code to cloud to the SOC. [Learn more](https://www.paloaltonetworks.cn/cortex/cloud/vulnerability-management?ts=markdown)