Description: 

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment.


Rationale: 

IAM Access Analyzer should be enabled because it generates a finding for each instance of a resource that is shared outside of your account. You can review the details in the finding to determine whether the access is intentional or a potential risk that you should resolve. When you add a policy to a resource or update an existing policy, Access Analyzer analyzes the policy; it also re-analyzes all resource-based policies periodically, so drift is caught even when no change event was observed.


Impact:

Enabling Access Analyzer has the following effects:

  • It creates an analyzer for your entire organization or for your account.

  • The analyzer monitors all of the supported resources within your zone of trust.

  • Any access to resources by principals within your zone of trust is considered trusted and does not produce a finding; only access granted to principals outside the zone of trust is reported.

  • Once enabled, Access Analyzer analyzes the policies applied to all of the supported resources in your zone of trust.

  • After the first analysis, Access Analyzer re-analyzes these policies periodically. If a new policy is added, or an existing policy is changed, Access Analyzer analyzes the new or updated policy within about 30 minutes.


Default Value:

IAM Access Analyzer is a feature in the IAM Service.

By default IAM Access Analyzer is not enabled.


Audit:

  1. Log in to the AWS console using the management account (formerly called the master account) for your organization, or the account you want to audit.

  2. Open the IAM console at https://console.aws.amazon.com/iam/

  3. Click on Access analyzer in the left navigation pane, under the Access reports section.

  4. If a "Create analyzer" button is shown on the right of the page, no analyzer is defined in the currently selected region, and the control fails for that region.

  5. Repeat steps 1 to 4 for every region; analyzers are regional, so a region without one is unmonitored.
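The console check above is one region at a time. The script below is an added example (not part of the original page, and not an AWS-provided tool) that performs the same audit across every enabled region with boto3: it calls `ListAnalyzers` per region and passes a region only when it has an external-access analyzer in status ACTIVE. It assumes AWS credentials with `ec2:DescribeRegions` and `access-analyzer:ListAnalyzers` are configured; the sample responses and region names used for the offline demo are constructed.

```python
"""Audit IAM Access Analyzer coverage in every enabled region.

Added example for this control, not part of the original page. Assumes boto3
credentials with ec2:DescribeRegions and access-analyzer:ListAnalyzers.
Run with --demo to evaluate the constructed sample responses offline.
"""
import sys

# Analyzer types that report external access, which is what this control is
# about. Unused-access analyzers (ACCOUNT_UNUSED_ACCESS /
# ORGANIZATION_UNUSED_ACCESS) do not satisfy it.
EXTERNAL_ACCESS_TYPES = {"ACCOUNT", "ORGANIZATION"}

# Constructed sample ListAnalyzers responses, keyed by region (not real data).
SAMPLE_RESPONSES = {
    "us-east-1": {"analyzers": [
        {"name": "ConsoleAnalyzer-1", "type": "ACCOUNT", "status": "ACTIVE"}]},
    "eu-west-1": {"analyzers": [
        {"name": "unused-only", "type": "ACCOUNT_UNUSED_ACCESS", "status": "ACTIVE"}]},
    "ap-southeast-2": {"analyzers": []},
}


def evaluate_region(list_analyzers_response):
    """Return (compliant, reason) for one region's ListAnalyzers response.

    Mirrors the console check in the Audit steps: a region passes only if it
    has at least one external-access analyzer whose status is ACTIVE.
    """
    analyzers = list_analyzers_response.get("analyzers", [])
    external = [a for a in analyzers if a.get("type") in EXTERNAL_ACCESS_TYPES]
    if not external:
        return False, "no external-access analyzer (console would show Create analyzer)"
    active = [a["name"] for a in external if a.get("status") == "ACTIVE"]
    if not active:
        states = ", ".join(f'{a["name"]}={a.get("status")}' for a in external)
        return False, f"analyzer present but not ACTIVE ({states})"
    return True, "active analyzer: " + ", ".join(active)


def audit_all_regions(session=None):
    """Run the Audit steps against every enabled region.

    Returns {region: (compliant, reason)}. boto3 is imported here so that
    evaluate_region() stays usable without it (e.g. for tests or offline demo).
    """
    import boto3

    session = session or boto3.session.Session()
    # describe_regions() without AllRegions=True lists only enabled regions.
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    report = {}
    for region in sorted(regions):
        aa = session.client("accessanalyzer", region_name=region)
        report[region] = evaluate_region(aa.list_analyzers())
    return report


def audit_sample():
    """Evaluate the constructed SAMPLE_RESPONSES (offline demo)."""
    return {region: evaluate_region(resp) for region, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    results = audit_sample() if "--demo" in sys.argv else audit_all_regions()
    for region, (ok, reason) in sorted(results.items()):
        print(f"{'PASS' if ok else 'FAIL'}  {region:<16} {reason}")
    # Non-zero exit when any region fails, so the script can gate a pipeline.
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```

Running it with `--demo` prints one PASS line for us-east-1 and FAIL lines for eu-west-1 (only an unused-access analyzer) and ap-southeast-2 (no analyzer at all); without the flag it walks the real account and exits non-zero if any region fails.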


Remediation:

Pre-Requisite:

Access Analyzer analyzes only policies that are applied to resources in the same AWS Region in which it is enabled. To monitor all resources in your AWS environment, you must create an analyzer in each Region where you use supported AWS resources. Supported resource types include:

  • Amazon Simple Storage Service Buckets

  • AWS Identity and Access Management Roles

  • AWS Key Management Service Keys

  • AWS Lambda Functions and Layers

  • Amazon Simple Queue Service Queues


Implementation Steps:

To enable Access Analyzer in a Region, you must create an analyzer in that Region. You must create an analyzer in each Region in which you want to monitor access to your resources.

To create an analyzer with the account as the zone of trust:

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose the Region where you want to deploy the analyzer.

  3. Click on Access analyzer in the left navigation pane.

  4. Choose Create analyzer.

  5. On the Create analyzer page, confirm from the top right corner that the Region displayed is the Region where you want to enable Access Analyzer.

  6. Enter a name for the analyzer, or keep the default name.

  7. Choose the account as the zone of trust for the analyzer.

    Note: If your account is not the AWS Organizations management account or a delegated administrator account, you can create only one analyzer with your account as the zone of trust.

  8. (Optional) Add any tags that you want to apply to the analyzer.

  9. Click on Create analyzer.

  10. If the analyzer is created successfully, a pop-up appears: "Analyzer creation is complete".


Backout Plan:

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Access analyzer.

  3. Click on Analyzers under the Access analyzer column

  4. Choose the analyzer you want to delete 

  5. Click on delete

  6. Type in “delete” to confirm

  7. A pop-up will appear confirming that the analyzer has been deleted


Note:

  • If your account is not the AWS Organizations management account or a delegated administrator account, you can create only one analyzer with your account as the zone of trust.

  • When you create an analyzer for your entire organization or for your account, the organization or account you choose is known as the zone of trust for the analyzer.

  • When you create an analyzer to enable Access Analyzer, a service-linked role named AWSServiceRoleForAccessAnalyzer is created in your account.

  • When you create an analyzer with the organization as the zone of trust, a service-linked role named AWSServiceRoleForAccessAnalyzer is created in each account of your organization.


Reference:

Using service-linked roles for AWS IAM Access Analyzer - AWS Identity and Access Management 

Getting started with AWS IAM Access Analyzer - AWS Identity and Access Management 

Using AWS IAM Access Analyzer - AWS Identity and Access Management