Exempting Identities


© 2025 Sonrai Security. All rights reserved.
Exempted Identities Management
Sonrai's Cloud Permissions Firewall (CPF) includes a powerful feature for managing identity exemptions from CPF protections. This feature is designed to help administrators define explicit rules around which identities (IAM or SSO) are excluded from specific enforcement controls, ensuring operational continuity for critical users while maintaining strong security postures.
What Are Exempted Identities?
Exempted identities are IAM users, IAM roles, or SSO users that are deliberately excluded from one or more types of CPF protections. This helps ensure essential access and workflows continue uninterrupted—especially for breakglass accounts, automated scanners, or infrequently used but critical roles (e.g. swatters).
These exemptions apply conditionally within CPF's enforcement policies and are managed centrally in the Sonrai platform.
Supported Exemption Types
Exemption Type | Description | Applicable To |
---|---|---|
Disabled Regions | Identity bypasses regional block enforcement | IAM Users, IAM Roles, SSO Users |
Disabled Services | Identity bypasses blocked service enforcement (NOT protected services) | IAM Users, IAM Roles, SSO Users |
Protected Services | Identity is not restricted by CPF-protected services policies | IAM Users, IAM Roles, SSO Users |
Zombie Detection | Identity is never flagged as a "Zombie" (unused, aged identity) | IAM Users, IAM Roles |
Just-in-Time (JIT) | Identity is exempt from just-in-time approval flows | SSO Users only |
Firewall Tampering Protections | Identity is exempt from CPF's firewall protection hardening mechanisms | IAM Users, IAM Roles, SSO Users |
Protected Services and Service Blocks are distinct controls, each with its own exemption setting: exempting an identity from Disabled Services does not exempt it from Protected Services, and vice versa.
The "Firewall Tampering Protections" exemption can only be configured at the top level of the AWS Organization. It cannot be applied at the OU or individual account level.
How to Configure Identity Exemptions
To assign an exemption, administrators navigate to Exempt at Scope, which is accessible via the menu on the Firewall Services panel of the UI.
Exemption Settings Interface
Steps:
- Click Add to add a new exempted identity (or identity pattern)
- Enter an ARN pattern (supports wildcards, e.g., arn:aws:iam::123456789012:role/stacksets-exec-*)
- Choose one or more exemptions as needed—for example, you may exempt an identity from Disabled Regions, Disabled Services, Protected Services, Firewall Tampering Protections, Zombie Detection, or just-in-time (JIT) approval flows.
- Click Add to register the exemption.
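The steps above define an exemption as an ARN pattern plus one or more exemption types at a scope. The following Python is an added example, not Sonrai's code and not CPF's own evaluation logic: it shows how a wildcard ARN pattern matches identities (only `*` is a wildcard, everything else is literal, so `stacksets-exec-*` does not match a role named `stacksets-exec`), how the restrictions documented in the table (Firewall Tampering Protections only at the organization root; Zombie Detection for IAM identities only; JIT for SSO users only) can be checked before an entry is saved, and how to flag a pattern broad enough to exempt every identity in scope. The scope labels (`root`, `ou/<id>`, `account/<id>`), the OU membership map, the sample entries and the `arn_matches` helper are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Exemption types, named as in the table above.
EXEMPTION_TYPES = frozenset({
    "Disabled Regions", "Disabled Services", "Protected Services",
    "Zombie Detection", "Just-in-Time (JIT)", "Firewall Tampering Protections",
})
IAM_ONLY = frozenset({"Zombie Detection"})    # documented for IAM users and roles only
SSO_ONLY = frozenset({"Just-in-Time (JIT)"})  # documented for SSO users only


def arn_pattern_to_regex(pattern):
    """Compile an ARN pattern in which '*' is the only wildcard.

    Every other character is matched literally via re.escape, so '.', '?' or '+'
    inside a real ARN cannot silently widen the match.
    """
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def arn_matches(pattern, arn):
    return arn_pattern_to_regex(pattern).match(arn) is not None


@dataclass(frozen=True)
class Exemption:
    pattern: str        # ARN pattern, wildcard-supported
    scope: str          # assumed labels: "root", "ou/<ou-id>" or "account/<12-digit id>"
    types: frozenset    # subset of EXEMPTION_TYPES


def validate(ex):
    """Return the problems with an exemption entry; an empty list means it is acceptable."""
    problems = []
    unknown = ex.types - EXEMPTION_TYPES
    if unknown:
        problems.append("unknown exemption type(s): %s" % sorted(unknown))
    if "Firewall Tampering Protections" in ex.types and ex.scope != "root":
        problems.append("Firewall Tampering Protections can only be exempted at the organization root")
    parts = ex.pattern.split(":", 5)    # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn":
        problems.append("pattern is not a well-formed ARN")
    elif "*" in parts[4] or re.fullmatch(r"\*|(user|role)/\*", parts[5]):
        # A wildcard account field or a bare "user/*" / "role/*" resource exempts every identity it reaches.
        problems.append("pattern is overly broad: it matches every identity in scope")
    return problems


def scope_covers(scope, account_id, ou_members):
    """Does an exemption at `scope` reach an identity living in `account_id`?

    ou_members maps OU id -> set of member account ids. It is an assumed input;
    in practice the hierarchy would come from AWS Organizations.
    """
    if scope == "root":
        return True
    kind, _, ident = scope.partition("/")
    if kind == "account":
        return ident == account_id
    if kind == "ou":
        return account_id in ou_members.get(ident, set())
    return False


def applicable_exemptions(arn, identity_kind, exemptions, ou_members=None):
    """Exemption types that apply to `arn` (identity_kind "iam" or "sso").

    Invalid entries raise rather than being skipped, so a misconfigured entry
    is noticed instead of silently widening or narrowing protection.
    """
    ou_members = ou_members or {}
    account_id = arn.split(":", 5)[4]
    applied = set()
    for ex in exemptions:
        problems = validate(ex)
        if problems:
            raise ValueError("%s: %s" % (ex.pattern, "; ".join(problems)))
        if scope_covers(ex.scope, account_id, ou_members) and arn_matches(ex.pattern, arn):
            applied |= ex.types
    # Types that do not exist for this identity kind never apply, whatever the entry says.
    return applied - (SSO_ONLY if identity_kind == "iam" else IAM_ONLY)


# Constructed sample entries; they are not taken from any real CPF configuration.
EXEMPTIONS = [
    Exemption("arn:aws:iam::123456789012:role/stacksets-exec-*", "root",
              frozenset({"Disabled Regions", "Disabled Services"})),
    Exemption("arn:aws:iam::123456789012:user/breakglass-admin", "root",
              EXEMPTION_TYPES - SSO_ONLY),
    Exemption("arn:aws:iam::210987654321:role/security-scanner", "ou/ou-abcd-11111111",
              frozenset({"Disabled Regions", "Disabled Services"})),
]
OU_MEMBERS = {"ou-abcd-11111111": {"210987654321"}}

if __name__ == "__main__":
    for arn in ("arn:aws:iam::123456789012:role/stacksets-exec-eu-west-1",
                "arn:aws:iam::123456789012:role/stacksets-exec",      # no trailing hyphen: no match
                "arn:aws:iam::210987654321:role/security-scanner"):
        print(arn, "->", sorted(applicable_exemptions(arn, "iam", EXEMPTIONS, OU_MEMBERS)))
    print(validate(Exemption("arn:aws:iam::123456789012:role/*", "account/123456789012",
                             frozenset({"Disabled Regions"}))))
```

Two design choices worth keeping when adapting this: the pattern is compiled with `re.escape` rather than `fnmatch`, because `fnmatch` also treats `?` and `[...]` as wildcards and would widen a match on a pattern that contains them; and an entry that fails validation raises instead of being skipped, so an exemption that cannot take effect is surfaced rather than silently ignored.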
Managing Exempted Identities
All currently exempted identities across the organization can be viewed under Exempt at Scope, which is accessible via the menu on the Firewall Services panel of the UI.
Exempted Identities Overview
This view displays:
- Identity patterns (wildcard-supported)
- Scope (e.g., organizational unit or account)
- Exemption Type (e.g., Protected Service)
- Edit/delete actions for each exemption
Use Cases & Best Practices
Here are a few common scenarios and use cases where identity exemptions are especially useful:
1. Breakglass Identities
- Exempt From: All
- Purpose: Emergency access accounts; must remain functional even when most of the cloud is locked down.
- Risk Note: These accounts can access disabled services and regions—ensure they're audited and tightly controlled.
2. Security/Scanning Tools
- Exempt From: Disabled Regions, Disabled Services
- Purpose: SecOps and scanning tools require full visibility across regions and services. Blocking them causes monitoring gaps and scan failures.
3. Swatters
- Exempt From: Zombie Detection
- Purpose: Rarely used but essential accounts. Should not be auto-flagged as dormant.
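The risk note on breakglass identities asks that their use be audited, since an exemption from Disabled Regions and Disabled Services lets them reach what everyone else is blocked from. The following Python is an added example, not part of this page or of Sonrai's product: it runs over a few constructed CloudTrail-style records (the field names follow the real CloudTrail record format; the values are made up), picks out calls made by exempted breakglass identities, and marks those that would otherwise have hit a disabled region or disabled service. The breakglass patterns and the disabled region and service sets are assumed configuration written into the script; CPF's own lists are not read here.

```python
import re

# Assumed configuration for the example; not read from CPF.
BREAKGLASS_PATTERNS = [
    "arn:aws:iam::123456789012:user/breakglass-*",
    "arn:aws:iam::123456789012:role/breakglass-admin",
]
DISABLED_REGIONS = {"ap-south-1", "sa-east-1"}          # regions the firewall would block
DISABLED_SERVICES = {"sagemaker", "comprehend"}         # services the firewall would block


def arn_matches(pattern, arn):
    """'*' is the only wildcard; everything else in the pattern is literal."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, arn) is not None


def principal_arn(record):
    """The durable identity behind a CloudTrail record.

    For an assumed role CloudTrail puts the per-session ARN in userIdentity.arn
    (arn:aws:sts::...:assumed-role/<role>/<session>) and the role itself in
    userIdentity.sessionContext.sessionIssuer.arn; exemption patterns are written
    against the role, so prefer the issuer when it is present.
    """
    ui = record.get("userIdentity", {})
    issuer = ui.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ui.get("arn", "")


def audit_breakglass(records):
    """One finding per API call made by an exempted breakglass identity.

    `bypassed` lists the controls the call would have hit had the identity not
    been exempt. An empty list is still worth reviewing: any use of a breakglass
    identity should correspond to a known incident.
    """
    findings = []
    for rec in records:
        arn = principal_arn(rec)
        if not any(arn_matches(p, arn) for p in BREAKGLASS_PATTERNS):
            continue
        service = rec.get("eventSource", "").split(".", 1)[0]   # "sagemaker.amazonaws.com" -> "sagemaker"
        bypassed = []
        if rec.get("awsRegion") in DISABLED_REGIONS:
            bypassed.append("Disabled Regions:" + rec["awsRegion"])
        if service in DISABLED_SERVICES:
            bypassed.append("Disabled Services:" + service)
        findings.append({
            "eventTime": rec.get("eventTime"),
            "principal": arn,
            "call": "%s:%s" % (service, rec.get("eventName")),
            "bypassed": bypassed,
        })
    return findings


# Constructed CloudTrail-style records: real field names, made-up values.
SAMPLE_RECORDS = [
    {"eventTime": "2025-03-01T02:14:07Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/breakglass-ops"}},
    {"eventTime": "2025-03-01T02:16:41Z", "eventSource": "sagemaker.amazonaws.com", "eventName": "CreateNotebookInstance",
     "awsRegion": "sa-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/breakglass-admin/incident-42",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/breakglass-admin"}}}},
    {"eventTime": "2025-03-01T02:20:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "ap-south-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/security-scanner/scan-7",
                      "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/security-scanner"}}}},
    {"eventTime": "2025-03-01T02:25:19Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "awsRegion": "ap-south-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/breakglass-ops"}},
]

if __name__ == "__main__":
    for f in audit_breakglass(SAMPLE_RECORDS):
        flag = "BYPASS " + ", ".join(f["bypassed"]) if f["bypassed"] else "used"
        print(f["eventTime"], f["principal"], f["call"], flag)
```

The scanner's call in ap-south-1 is not reported, because its role is not in the breakglass list; it would be covered by the scanner exemption instead. Matching on the session issuer rather than the assumed-role session ARN is what keeps a single pattern per breakglass role sufficient, whatever session name an operator chooses.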
Summary
The Exempted Identities capability gives teams the flexibility to uphold business continuity while applying CPF protections precisely where needed. Administrators can now:
- Apply exemptions by identity or pattern.
- Choose specific exemption types aligned with use cases.
- View and manage organization-wide exemptions via a streamlined UI.
For more information on best practices or bulk management of exemptions, please refer to Sonrai’s CPF admin guide or contact your Sonrai support team.