Description:
AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment.
Rationale:
We need to enable IAM Access Analyzer. For each instance of a resource that is shared outside of your account, Access Analyzer generates a finding. You can view the details included in the finding to determine whether the resource access is intentional or a potential risk that you should resolve. When you add a policy to a resource or update an existing policy, Access Analyzer analyzes the policy. Access Analyzer also analyzes all resource-based policies periodically.
Impact:
By enabling Access Analyzer:
It creates an analyzer for your entire organization or your account.
The analyzer monitors all of the supported resources within your zone of trust.
Any access to resources by principals that are within your zone of trust is considered trusted.
Once enabled, Access Analyzer analyzes the policies applied to all of the supported resources in your zone of trust.
After the first analysis, Access Analyzer analyzes these policies periodically. If a new policy is added, or an existing policy is changed, Access Analyzer analyzes the new or updated policy within about 30 minutes.
Default Value:
IAM Access Analyzer is a feature in the IAM Service.
By default, IAM Access Analyzer is not enabled.
Pre-Requisite:
Access Analyzer analyzes only policies that are applied to resources in the same AWS Region that it's enabled in. To monitor all resources in your AWS environment, you must create an analyzer to enable Access Analyzer in each Region where you're using supported AWS resources.
Supported resources:
Amazon Simple Storage Service Buckets
AWS Identity and Access Management Roles
AWS Key Management Service Keys
AWS Lambda Functions and Layers
Amazon Simple Queue Service Queues
Remediation:
Test Plan:
1. Log in to the AWS console using the master account for your organization.
2. Open the IAM console at https://console.aws.amazon.com/iam/
3. Click Access analyzer in the left navigation pane, under Access reports.
4. If there is a “Create analyzer” button on the right of the page, Access Analyzer is not enabled in that region.
Follow steps 1 to 4 for every region.
Implementation Steps:
To enable Access Analyzer in a Region, you must create an analyzer in that Region. You must create an analyzer in each Region in which you want to monitor access to your resources.
To create an analyzer with the account as the zone of trust:
Open the IAM console at https://console.aws.amazon.com/iam/.
Choose the Region where you want to deploy Access Analyzer.
Click Access analyzer in the left navigation pane.
Choose Create analyzer.
- On the Create analyzer page, confirm from the top right corner that the Region displayed is the Region where you want to enable Access Analyzer.
- Enter a name for the analyzer, or keep the default one.
- Choose the account as the zone of trust for the analyzer.
Note: If your account is not the AWS Organizations management account or delegated administrator account, you can create only one analyzer with your account as the zone of trust.
- (Optional) Add any tags that you want to apply to the analyzer.
Click Create analyzer.
If the analyzer is created successfully, a pop-up appears: “Analyzer creation is complete”.
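The console procedure above has to be repeated in every Region. The following script is an added example (not part of this benchmark text) that performs the Test Plan check and, optionally, the Implementation Step for a list of Regions using boto3's accessanalyzer API (list_analyzers and create_analyzer, which are real calls). The REGIONS list, the analyzer name, the tag value and the FakeAnalyzerClient class are constructed for the example so it runs offline; pass --live to use real boto3 clients under your own credentials.

```python
"""Check every Region for an ACTIVE account-level Access Analyzer and,
when asked, create one where it is missing (added example, not AWS code)."""
import sys
from typing import Any, Dict, List

# Constructed Region list for the example; in practice derive it from
# ec2 describe_regions or your organization's approved-Region list.
REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-1"]


def list_account_analyzers(client) -> List[Dict[str, Any]]:
    """Collect every analyzer of type ACCOUNT in one Region, following nextToken paging."""
    analyzers, token = [], None
    while True:
        kwargs = {"type": "ACCOUNT"}
        if token:
            kwargs["nextToken"] = token
        page = client.list_analyzers(**kwargs)
        analyzers.extend(page.get("analyzers", []))
        token = page.get("nextToken")
        if not token:
            return analyzers


def region_status(client) -> str:
    """Test Plan check for one Region: 'ACTIVE' if a working account analyzer exists,
    'MISSING' if there is none, otherwise the analyzer's own status (FAILED, DISABLED,
    CREATING), which still means the Region is not being monitored yet."""
    analyzers = list_account_analyzers(client)
    if not analyzers:
        return "MISSING"
    if any(a.get("status") == "ACTIVE" for a in analyzers):
        return "ACTIVE"
    return analyzers[0].get("status", "UNKNOWN")


def ensure_account_analyzer(client, name: str = "AccountAnalyzer") -> str:
    """Implementation Step: create an ACCOUNT analyzer only when the Region has none.
    A non-management account may hold only one analyzer with the account as zone
    of trust, so the function never creates unconditionally."""
    status = region_status(client)
    if status == "MISSING":
        client.create_analyzer(analyzerName=name, type="ACCOUNT",
                               tags={"ManagedBy": "cis-remediation"})  # constructed tag
        return "created"
    return f"exists:{status}"


def audit(clients: Dict[str, Any], remediate: bool = False) -> Dict[str, str]:
    """Run the check (and optional remediation) over a Region -> client map."""
    return {region: (ensure_account_analyzer(c) if remediate else region_status(c))
            for region, c in clients.items()}


class FakeAnalyzerClient:
    """Constructed stand-in for boto3's accessanalyzer client so the example runs offline."""
    def __init__(self, analyzers=None):
        self._analyzers = list(analyzers or [])

    def list_analyzers(self, **kwargs):
        wanted = kwargs.get("type")
        return {"analyzers": [a for a in self._analyzers if wanted in (None, a["type"])]}

    def create_analyzer(self, analyzerName, type, tags=None):
        self._analyzers.append({"name": analyzerName, "type": type, "status": "ACTIVE"})
        return {"arn": f"arn:aws:access-analyzer:region:123456789012:analyzer/{analyzerName}"}


def demo_clients() -> Dict[str, Any]:
    """Three constructed Regions: one compliant, one with no analyzer, one whose analyzer failed."""
    return {
        "us-east-1": FakeAnalyzerClient([{"name": "existing", "type": "ACCOUNT", "status": "ACTIVE"}]),
        "eu-west-1": FakeAnalyzerClient(),
        "ap-southeast-1": FakeAnalyzerClient([{"name": "broken", "type": "ACCOUNT", "status": "FAILED"}]),
    }


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # only needed for real accounts
        clients = {r: boto3.client("accessanalyzer", region_name=r) for r in REGIONS}
    else:
        clients = demo_clients()
    for region, state in audit(clients, remediate="--remediate" in sys.argv).items():
        print(f"{region}: {state}")
```

Run it without arguments to see the three constructed outcomes; with --live it reads real analyzers (read-only), and --live --remediate creates an account analyzer in each Region that reports MISSING. A FAILED or DISABLED analyzer is reported rather than silently replaced, because that state needs a human to look at why the analyzer stopped working.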
Backout Plan:
Open the IAM console at https://console.aws.amazon.com/iam/.
Choose Access analyzer.
Click Analyzers under the Access analyzer section.
Choose the analyzer you want to delete.
Click Delete.
Type “delete” to confirm.
A pop-up will appear confirming that the analyzer has been deleted.
Note:
If your account is not the AWS Organizations management account or delegated administrator account, you can create only one analyzer with your account as the zone of trust.
When you create an analyzer for your entire organization or your account, the account you choose is known as the zone of trust for the analyzer.
When you create an analyzer to enable Access Analyzer, a service-linked role named AWSServiceRoleForAccessAnalyzer is created in your account.
When you create an analyzer with the organization as the zone of trust, a service-linked role named AWSServiceRoleForAccessAnalyzer is created in each account of your organization.
Reference:
Using service-linked roles for AWS IAM Access Analyzer - AWS Identity and Access Management
Getting started with AWS IAM Access Analyzer - AWS Identity and Access Management
Using AWS IAM Access Analyzer - AWS Identity and Access Management