Identity & Access
Mission Control consolidates identity data from disparate sources into a unified catalog, allowing you to track who has access to what across your entire infrastructure. By mapping access to specific applications via the Application CRD, you gain a clear, auditable view of your organization's security posture. This unified perspective is critical for identifying unauthorized access, enforcing least-privilege principles, and meeting regulatory requirements like SOC 2, HIPAA, and ISO 27001.
Azure AD / Entra ID
Mission Control integrates directly with Entra ID to scrape users, groups, app registrations, enterprise applications, and app role assignments. This provides a centralized record of identity provider access, essential for auditing cloud resource permissions and user authentication.
See the Entra ID integration guide for full setup instructions including Azure Portal steps, permissions, and troubleshooting. To scrape sign-in and directory audit logs, see Audit Logs.
azure-entra-scraper.yaml
apiVersion: configs.flanksource.com/v1
kind: ScrapeConfig
metadata:
  name: azure-entra
spec:
  schedule: "@every 1h"
  azure:
    - connection: connection://mc/entra
      include:
        - entra
        - appRoles
        - authMethods
      entra:
        users:
          - {}
        groups:
          - {}
        appRegistrations:
          - {}
        enterpriseApps:
          - {}
        appRoleAssignments:
          - {}
Mission Control stores Entra users and groups as identity records (users and groups) rather than as config items; they appear in access control views once they are linked through an Application. App registrations and enterprise applications are stored as config items in the catalog.
After deploying the scraper, follow the verification steps to confirm users, groups, and apps are being scraped correctly.
Use an Application to map Entra resources to a specific app. The mapping.logins field selects the enterprise application, and mapping.roles maps Entra groups to named roles:
payments-application.yaml
apiVersion: mission-control.flanksource.com/v1
kind: Application
metadata:
  name: payments-api
  namespace: mc
spec:
  type: Application
  description: Payment processing service
  mapping:
    logins:
      - search: type=Azure::EnterpriseApplication name="Payments API"
    roles:
      - search: type=Azure::Group name=payments-users
        role: User
      - search: type=Azure::Group name=payments-admins
        role: Admin
AWS IAM
Mission Control pulls AWS IAM users, roles, policies, and their attachments into its unified catalog. This provides a clear audit trail of permissions granted within your AWS environments, helping to enforce least privilege and identify over-provisioning.
Scrape IAM resources using the AWS scraper with compliance: true to also pull compliance metadata from Trusted Advisor and Security Hub:
aws-iam-scraper.yaml
apiVersion: configs.flanksource.com/v1
kind: ScrapeConfig
metadata:
  name: aws-iam-audit
spec:
  schedule: "@every 6h"
  full: true
  aws:
    - connection: connection://aws/prod
      compliance: true
      include:
        - IAMUser
        - IAMRole
        - IAMPolicy
        - IAMGroup
Kubernetes RBAC
Mission Control scrapes Kubernetes RBAC configuration, including Roles, ClusterRoles, their bindings, and the ServiceAccounts those bindings grant permissions to. This gives auditors a precise view of who can perform what actions within your clusters.
Use the Kubernetes scraper to watch RBAC resources:
k8s-rbac-scraper.yaml
apiVersion: configs.flanksource.com/v1
kind: ScrapeConfig
metadata:
  name: k8s-rbac-audit
spec:
  schedule: "@every 1h"
  kubernetes:
    - clusterName: production
      watch:
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRole
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: ClusterRoleBinding
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: Role
        - apiVersion: rbac.authorization.k8s.io/v1
          kind: RoleBinding
        - apiVersion: v1
          kind: ServiceAccount
Database Users & Roles
Mission Control collects database users, roles, and their assigned privileges using SQL scrapers, so you can audit and verify access to sensitive data stores. The scraper below inventories PostgreSQL roles and their attributes (superuser, login, role and database creation, replication, and password expiry) from pg_roles; each row becomes a Postgres::Role config item keyed by rolname:
postgres-access-scraper.yaml
apiVersion: configs.flanksource.com/v1
kind: ScrapeConfig
metadata:
  name: postgres-access-audit
spec:
  schedule: "@every 6h"
  full: true
  sql:
    - connection: connection://postgres/prod
      type: Postgres::Role
      id: $.rolname
      name: $.rolname
      items: |
        SELECT rolname, rolsuper, rolinherit, rolcreaterole,
               rolcreatedb, rolcanlogin, rolreplication, rolvaliduntil
        FROM pg_roles ORDER BY rolname
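The query above records role attributes but not who is a member of which role or which privileges a role actually holds on tables, which is what an access review usually needs. The ScrapeConfig below is an added example, not from the Mission Control documentation, that extends the scraper with two further sql entries: role memberships from pg_auth_members (including ADMIN OPTION, which lets a member grant the role onward) and table privileges expanded from pg_class.relacl with aclexplode. It uses only the sql scraper fields shown above (connection, type, id, name, items); the type names Postgres::RoleMembership and Postgres::TableGrant and the scraper name are chosen here. The grants query reads the catalog ACLs directly rather than information_schema.role_table_grants, because that view only shows grants where the connecting role is the grantor or grantee, so a non-superuser scraper would silently miss most of the estate.

```yaml
# postgres-privileges-scraper.yaml (added example; Postgres::RoleMembership and
# Postgres::TableGrant are type names assumed for this example)
apiVersion: configs.flanksource.com/v1
kind: ScrapeConfig
metadata:
  name: postgres-privileges-audit
spec:
  schedule: "@every 6h"
  full: true
  sql:
    # Role attributes, as in the page's example, plus a derived flag for
    # login roles with no password expiry (a common audit finding) and
    # rolbypassrls, which lets a role ignore row-level security policies.
    # Built-in pg_* roles are excluded so the catalog only holds roles you manage.
    - connection: connection://postgres/prod
      type: Postgres::Role
      id: $.rolname
      name: $.rolname
      items: |
        SELECT rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb,
               rolcanlogin, rolreplication, rolbypassrls, rolvaliduntil,
               (rolcanlogin AND rolvaliduntil IS NULL) AS login_never_expires
        FROM pg_roles
        WHERE rolname NOT LIKE 'pg\_%'
        ORDER BY rolname

    # Role membership edges: one item per (role, member) pair. admin_option
    # is true when the member may grant the role to others.
    - connection: connection://postgres/prod
      type: Postgres::RoleMembership
      id: $.id
      name: $.id
      items: |
        SELECT r.rolname || '->' || m.rolname AS id,
               r.rolname AS role,
               m.rolname AS member,
               am.admin_option
        FROM pg_auth_members am
        JOIN pg_roles r ON r.oid = am.roleid
        JOIN pg_roles m ON m.oid = am.member
        ORDER BY 1

    # Table, view, materialized view, partitioned and foreign table privileges,
    # one item per (grantee, relation, privilege). A grantee OID of 0 in the
    # ACL means PUBLIC, which has no pg_roles row, hence the LEFT JOIN/COALESCE.
    # Relations with a NULL relacl carry only the owner's default privileges
    # and therefore produce no rows here.
    - connection: connection://postgres/prod
      type: Postgres::TableGrant
      id: $.id
      name: $.id
      items: |
        SELECT COALESCE(r.rolname, 'PUBLIC') || ':' || n.nspname || '.' || c.relname
                 || ':' || a.privilege_type AS id,
               COALESCE(r.rolname, 'PUBLIC') AS grantee,
               n.nspname AS table_schema,
               c.relname AS table_name,
               a.privilege_type,
               a.is_grantable
        FROM pg_class c
        JOIN pg_namespace n ON n.oid = c.relnamespace
        CROSS JOIN LATERAL aclexplode(c.relacl) AS a
        LEFT JOIN pg_roles r ON r.oid = a.grantee
        WHERE c.relkind IN ('r', 'p', 'v', 'm', 'f')
          AND n.nspname NOT IN ('pg_catalog', 'information_schema')
        ORDER BY 1
```

With these three item types in the catalog, a review can follow a login role through its memberships to the roles that actually hold grants, and grants to PUBLIC or with is_grantable = true stand out as separate items rather than being buried in an ACL string. The scraper's own connection role only needs to read the system catalogs, which every role can do by default; it does not need to be a superuser or a member of the audited roles.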