Entities

The Entities page is an automatically maintained inventory of AWS resources that have appeared in security findings. Entities are discovered passively as GuardDuty findings and S3 anomaly events reference them — no manual configuration is needed.

In the app: /entities

What is an Entity?

An entity is any AWS resource or actor that has been referenced in a security finding: an EC2 instance, an IAM user, an IAM role, an IAM access key, an S3 bucket, an EKS cluster, a Lambda function, or an ECS task. Entities are created automatically in DynamoDB the first time they appear in a finding.

Entity Table

Each row shows: the entity type (with icon), the entity identifier (ARN, instance ID, access key ID, or IP address depending on type), the AWS account it belongs to, the last time it appeared in a finding, and the total number of findings that reference it.

Risk Signals

Entities that have appeared in multiple findings, or in findings of varying types, are surfaced as higher-risk. A single entity appearing in both an S3DataExfiltration event and an UnauthorizedAccess:IAMUser finding is a strong signal of a compromised credential — the same actor is both accessing the IAM service and exfiltrating data.

Linking to Events

Click an entity row to filter the Events log to only findings that reference that specific resource. This is useful during incident response to build a timeline of all activity associated with a specific EC2 instance or IAM principal without sifting through unrelated findings.

Entity Types

Entity type        Identifier shown
EC2 Instance       Instance ID (i-xxxxxxxxx)
IAM Role           Role ARN
IAM User           User ARN
IAM Access Key     Access Key ID (AKIAxxxxxxxx)
S3 Bucket          Bucket name
EKS Cluster        Cluster ARN
Lambda Function    Function ARN
ECS Task           Task ARN
IP Address         IPv4 address (actor)

Stale Entities

Entities that have not appeared in any finding for 90 days are considered stale. They remain in the inventory but are visually de-emphasized. Periodically review stale entities — a decommissioned EC2 instance still in the list is harmless, but a stale IAM access key that reappears in a new finding may indicate a key that was not properly rotated.

Entity vs. Actor

A subtle distinction: the resource (e.g., an S3 bucket) is the target, while the actor (e.g., an IP address or IAM principal) is the entity that performed the action. Threat Reaction tracks both. In the entity list, actors are displayed alongside targeted resources, each with their own finding count and last-seen timestamp.
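The entity extraction, per-entity finding count and last-seen bookkeeping, the risk signal from varying finding types, the 90-day staleness rule and the actor/target distinction from the sections above, as an added Python illustration. This is not Threat Reaction's own code: the GuardDuty samples are constructed records in the lowerCamel field layout GuardDuty publishes to EventBridge (resource.resourceType, resource.instanceDetails.instanceId, resource.accessKeyDetails.accessKeyId, service.action.awsApiCallAction.remoteIpDetails.ipAddressV4), the S3DataExfiltration record layout is a hypothetical shape since the page names the event but not its fields, the identifiers and the "normal/elevated/high" tiers are constructed, and an in-memory dict stands in for the DynamoDB table.

```python
"""Entity inventory derived from security findings (added illustration, not the app's code)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterator, List, Tuple

STALE_AFTER = timedelta(days=90)  # staleness threshold stated on the page
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # constructed "current time" for the demo

# --- constructed sample records (field names follow GuardDuty's EventBridge shape) ---
OLD_EC2_FINDING = {
    "type": "Recon:EC2/PortProbeUnprotectedPort",
    "accountId": "111122223333",
    "updatedAt": "2024-01-10T08:00:00Z",
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"action": {"actionType": "PORT_PROBE"}},
}
IAM_FINDING = {
    "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
    "accountId": "111122223333",
    "updatedAt": "2024-05-02T10:15:00Z",
    "resource": {"resourceType": "AccessKey",
                 "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                      "userName": "deploy-bot", "userType": "IAMUser"}},
    "service": {"action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {
        "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
}
S3_EVENT = {  # hypothetical layout for the app's own S3 anomaly event
    "type": "S3DataExfiltration",
    "accountId": "111122223333",
    "updatedAt": "2024-05-02T10:40:00Z",
    "bucket": "corp-customer-exports",
    "actor": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "ipAddressV4": "198.51.100.23"},
}
EVENTS = [OLD_EC2_FINDING, IAM_FINDING, S3_EVENT]

Entity = Tuple[str, str]  # (entity type, identifier)


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def extract_entities(event: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (type, identifier, role) for each resource or actor a record references.
    role is 'target' for the resource acted on and 'actor' for who performed the action."""
    if event["type"] == "S3DataExfiltration":
        yield ("S3 Bucket", event["bucket"], "target")
        actor = event.get("actor", {})
        if "accessKeyId" in actor:
            yield ("IAM Access Key", actor["accessKeyId"], "actor")
        if "ipAddressV4" in actor:
            yield ("IP Address", actor["ipAddressV4"], "actor")
        return
    res = event.get("resource", {})
    rtype = res.get("resourceType")
    if rtype == "Instance":
        yield ("EC2 Instance", res["instanceDetails"]["instanceId"], "target")
    elif rtype == "AccessKey":  # the credential that made the calls is the actor
        yield ("IAM Access Key", res["accessKeyDetails"]["accessKeyId"], "actor")
    elif rtype == "S3Bucket":
        for bucket in res.get("s3BucketDetails", []):
            yield ("S3 Bucket", bucket["name"], "target")
    ip = (event.get("service", {}).get("action", {}).get("awsApiCallAction", {})
          .get("remoteIpDetails", {}).get("ipAddressV4"))
    if ip:
        yield ("IP Address", ip, "actor")


class EntityInventory:
    """In-memory stand-in for the DynamoDB entity table; rows are created on first sight."""

    def __init__(self) -> None:
        self.entities: Dict[Entity, dict] = {}

    def ingest(self, event: dict) -> None:
        seen = _ts(event["updatedAt"])
        for etype, ident, role in extract_entities(event):
            e = self.entities.setdefault((etype, ident), {
                "type": etype, "id": ident, "role": role, "account": event["accountId"],
                "finding_count": 0, "finding_types": Counter(), "last_seen": seen})
            e["finding_count"] += 1
            e["finding_types"][event["type"]] += 1
            e["last_seen"] = max(e["last_seen"], seen)  # newest appearance wins

    def risk_signal(self, key: Entity) -> str:
        e = self.entities[key]
        if len(e["finding_types"]) >= 2:  # same entity across different finding types
            return "high"
        if e["finding_count"] >= 2:       # repeated appearances of a single type
            return "elevated"
        return "normal"

    def is_stale(self, key: Entity, now: datetime = NOW) -> bool:
        return now - self.entities[key]["last_seen"] > STALE_AFTER


def events_for_entity(events: List[dict], key: Entity) -> List[dict]:
    """The 'click an entity row' filter: only records that reference this entity."""
    return [ev for ev in events if any((t, i) == key for t, i, _ in extract_entities(ev))]


def build_inventory(events: List[dict] = EVENTS) -> EntityInventory:
    inv = EntityInventory()
    for ev in events:
        inv.ingest(ev)
    return inv


if __name__ == "__main__":
    inv = build_inventory()
    for key, e in inv.entities.items():
        print(f"{e['type']:<15} {e['id']:<22} {e['role']:<7} findings={e['finding_count']} "
              f"risk={inv.risk_signal(key)} stale={inv.is_stale(key)}")
```

Running it lists four entities: the access key and the caller IP appear in both the IAM finding and the S3 event, so they carry two finding types and a "high" risk signal, the bucket is a single-finding target, and the EC2 instance last seen in January is flagged stale against the May "current time". The last-seen timestamp is updated with max() rather than overwritten, so replaying older findings out of order never makes an active entity look stale.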

💡 Tip

During an active incident, start on the Entities page to find the compromised resource, then click through to the filtered Events view to reconstruct the full timeline. This is faster than scrolling through unfiltered events looking for a specific instance ID.

ℹ️ Note

Entities are created passively from finding data — they are not discovered by scanning your AWS account. An EC2 instance that has never appeared in a GuardDuty finding will not be in the inventory, even if it exists and is running.