Description:
IAM Access Analyzer was introduced at AWS re:Invent 2019. Once an analyzer is enabled in IAM, its findings are displayed in the console and list the resources that principals outside the analyzer's zone of trust (other AWS accounts, federated users and anonymous access) can reach, for example S3 buckets, KMS keys and IAM roles. The findings let you determine whether an unintended principal has been granted access, which makes it easier for administrators to verify least-privilege access. Access Analyzer is regional: an analyzer evaluates only policies attached to resources in the region where it was created, so a separate analyzer is needed in every active region.
Rationale:
When IAM Access Analyzer identifies a resource policy that grants access to an external principal outside your zone of trust (the account, or the AWS organization for an ORGANIZATION analyzer), it generates a finding. Each finding includes details about the resource, the external entity that can access it and the permissions granted, so that you can take appropriate action. Review the finding to decide whether the access is intentional (then archive it) or a risk that you should resolve by changing the policy.
Impact:
It allows you to determine whether an unintended principal has been granted access, making it easier for administrators to monitor least-privilege access. Analyzers themselves do not change any policy; a finding is only visible once a resource is already shared, so findings should be reviewed regularly rather than treated as a one-time check.
Pre-Requisite:
Log in as an administrator, or as an IAM user or role with one of the following AWS managed policies attached:
IAMAccessAnalyzerFullAccess - Allows full access to IAM Access Analyzer (required for the Implementation and Backout Plans).
IAMAccessAnalyzerReadOnlyAccess - Allows read-only access to IAM Access Analyzer (sufficient for the Test Plan). You must add additional policies to your IAM identities (users, groups of users or roles) to allow them to view their findings.
Remediation:
Test Plan:
AWS Console Process
Sign in to AWS Management Console.
Open the IAM console at https://console.aws.amazon.com/iam/
Choose Access analyzer
- Click 'Analyzers'
- Ensure that at least one analyzer is present.
- Ensure that the STATUS of that analyzer is Active (an analyzer in Creating, Disabled or Failed state generates no findings and does not satisfy this check).
- Repeat these steps for each active region
Using AWS CLI
aws accessanalyzer list-analyzers
Confirm that the output lists at least one analyzer whose "status" is "ACTIVE". An empty "analyzers" list means no analyzer exists in that region.
Repeat the command for each active region (select the region with the --region option).
Implementation Plan:
AWS Console Process
Open the IAM console at https://console.aws.amazon.com/iam/.
Choose Access analyzer.
Choose Create analyzer.
On the Create analyzer page, confirm that the Region displayed is the Region where you want to enable Access Analyzer.
Enter a name for the analyzer. Optional as it will generate a name for you automatically.
Add any tags that you want to apply to the analyzer. Optional.
Choose Create Analyzer.
Repeat these steps for each active region.
Using AWS CLI:
aws accessanalyzer create-analyzer --analyzer-name <name> --type <ACCOUNT|ORGANIZATION>
Repeat this command for each active region (select the region with the --region option). An ORGANIZATION analyzer can only be created from the organization's management account or a delegated administrator account, and it is still regional, so it must also be created in every active region.
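The Test Plan and Implementation Plan above both amount to "loop over every active region, check for an ACTIVE analyzer, and create one where it is missing". The script below is an added example that automates both; it is not part of the original benchmark text and not AWS-provided code. It shells out to the real AWS CLI commands (aws ec2 describe-regions, aws accessanalyzer list-analyzers, aws accessanalyzer create-analyzer), so the credentials in the environment need IAMAccessAnalyzerReadOnlyAccess for the audit and IAMAccessAnalyzerFullAccess for --apply, plus ec2:DescribeRegions. The analyzer name prefix and the sample JSON used to exercise the evaluation logic are assumptions constructed for this example.

```python
"""Audit every enabled region for an ACTIVE IAM Access Analyzer and,
with --apply, create one where it is missing.

Added example, not AWS-provided code.  The name prefix and the sample
JSON are assumptions; the CLI commands and output fields are the real ones.
"""
import json
import subprocess
import sys

# Name given to analyzers this script creates (assumption, not an AWS default).
ANALYZER_NAME_PREFIX = "cis-access-analyzer"

# Constructed sample of `aws accessanalyzer list-analyzers` output:
# one ACTIVE account analyzer.  Used only to demonstrate the check below.
SAMPLE_LIST_OUTPUT = json.dumps({
    "analyzers": [{
        "arn": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/example",
        "name": "example",
        "type": "ACCOUNT",
        "createdAt": "2023-01-01T00:00:00+00:00",
        "status": "ACTIVE",
    }]
})

# Constructed sample where the only analyzer is DISABLED (non-compliant).
SAMPLE_DISABLED_OUTPUT = json.dumps({
    "analyzers": [{"name": "old", "type": "ACCOUNT", "status": "DISABLED"}]
})


def has_active_analyzer(list_output: str, analyzer_type: str = "ACCOUNT") -> bool:
    """True when the JSON printed by `aws accessanalyzer list-analyzers`
    contains at least one analyzer of the requested type in ACTIVE state.

    CREATING, DISABLED and FAILED analyzers produce no findings, so a
    region that only has one of those is still non-compliant."""
    data = json.loads(list_output or "{}")
    return any(
        a.get("status") == "ACTIVE" and a.get("type") == analyzer_type
        for a in data.get("analyzers", [])
    )


def create_analyzer_cmd(region: str, analyzer_type: str = "ACCOUNT") -> list:
    """Remediation command for a region with no active analyzer.
    ORGANIZATION analyzers only work from the management account or a
    delegated administrator; the type is passed through unchanged."""
    return [
        "aws", "accessanalyzer", "create-analyzer",
        "--region", region,
        "--analyzer-name", f"{ANALYZER_NAME_PREFIX}-{region}",
        "--type", analyzer_type,
    ]


def _aws(argv: list) -> str:
    """Run one AWS CLI command and return its stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def enabled_regions() -> list:
    """Regions the account can use; opted-out regions are not returned."""
    out = _aws(["aws", "ec2", "describe-regions",
                "--query", "Regions[].RegionName", "--output", "json"])
    return sorted(json.loads(out))


def main(apply: bool, analyzer_type: str) -> int:
    missing = []
    for region in enabled_regions():
        listing = _aws(["aws", "accessanalyzer", "list-analyzers",
                        "--region", region, "--output", "json"])
        if has_active_analyzer(listing, analyzer_type):
            print(f"{region}: OK")
            continue
        missing.append(region)
        cmd = create_analyzer_cmd(region, analyzer_type)
        if apply:
            _aws(cmd)
            print(f"{region}: created {cmd[-3]}")
        else:
            print(f"{region}: MISSING (would run: {' '.join(cmd)})")
    # Non-zero exit when auditing finds gaps, so the script can gate a pipeline.
    return 1 if missing and not apply else 0


if __name__ == "__main__":
    # usage: python audit_access_analyzer.py [--apply] [ACCOUNT|ORGANIZATION]
    args = sys.argv[1:]
    kind = next((a for a in args if a in ("ACCOUNT", "ORGANIZATION")), "ACCOUNT")
    sys.exit(main("--apply" in args, kind))
```

Run it without arguments to audit (exit status 1 if any region lacks an ACTIVE analyzer, which makes it usable as a CI or scheduled check), and with --apply to create the missing analyzers. The check deliberately keys on both "status" and "type", because a DISABLED analyzer or an analyzer of the wrong type still appears in the list but does not satisfy the benchmark.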
Backout Plan:
AWS Console Process
Open the IAM console at https://console.aws.amazon.com/iam/.
In the Access reports section, under Access analyzer, choose Analyzers.
Choose the check box on the top left above the list of analyzers in the Analyzers table to select all analyzers.
Choose Delete.
To confirm that you want to delete the analyzers, enter delete, and then choose Delete.
Using AWS CLI
aws accessanalyzer delete-analyzer --analyzer-name <value>
Repeat this command for each region in which an analyzer was created (select the region with the --region option). Deleting an analyzer also deletes all findings it generated, so export or record any findings still under review before backing out.