Profile Applicability:

Level 1

Description:

IAM Access Analyzer is an AWS security tool that helps identify unintended access to AWS resources across IAM roles, S3 buckets, KMS keys, Lambda functions, and SQS queues. IAM Access Analyzer is region-specific, meaning analyzer instances must be enabled for each AWS region separately.

Rationale:

  • Identifies IAM roles, S3 buckets, KMS keys, Lambda functions, and SQS queues that are shared with external accounts.

  • Provides continuous monitoring to detect misconfigurations.

  • Improves compliance with security policies and standards.

Impact:

  • Failing to enable IAM Access Analyzer in all active regions increases the risk of unauthorized access to AWS resources.

  • Access misconfigurations can go undetected without continuous monitoring.

  • Regulatory compliance may be affected, especially for standards like SOC 2, ISO 27001, and PCI DSS.

Default Value:

By default:

  • IAM Access Analyzer is not enabled in AWS regions.

  • AWS does not automatically create analyzers; they must be manually created or scripted.

Pre-Requisites:

  1. IAM Permissions Required:

    • access-analyzer:CreateAnalyzer

    • access-analyzer:ListAnalyzers

    • access-analyzer:GetAnalyzer

    • access-analyzer:ListFindings

  2. AWS CLI Installed (optional for automation).

  3. Ensure IAM Access Analyzer is enabled for all active AWS regions.

Remediation:

Test Plan:

Using AWS Console

  1. Login to AWS Console as an IAM Administrator.

  2. Navigate to IAM Console → Click Access Analyzer.

  3. Click Analyzers to check the list of existing analyzers.

  4. Ensure at least one analyzer is present and its status is set to "Active".

  5. Repeat these steps for each active AWS region.

Using AWS CLI

  • List all IAM Access Analyzers in a region:

      aws accessanalyzer list-analyzers --region <region-name>

  • Verify at least one analyzer exists and has an "ACTIVE" status:

      aws accessanalyzer list-analyzers --query 'analyzers[*].[name,status,arn]' --region <region-name>

    Example Output:

      [
          [
              "IAMAnalyzer1",
              "ACTIVE",
              "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/IAMAnalyzer1"
          ]
      ]

  • Repeat the audit for each active AWS region.

Implementation Steps:

Step 1: Enable IAM Access Analyzer for Each Active Region

Using AWS Console

  1. Login to AWS Console as an IAM Administrator.

  2. Open IAM Console → Click Access Analyzer.

  3. Click Create Analyzer.

  4. On the Create Analyzer page:

    • Enter a name for the analyzer.

    • Select Type: Account (or Organization if managing multiple AWS accounts).

    • Confirm the Region is correct.

  5. Click Create Analyzer.

  6. Repeat for each active AWS region.

Using AWS Command Line

  • Get a list of active AWS regions:

      aws ec2 describe-regions --query "Regions[].RegionName" --output text

  • Create an IAM Access Analyzer in each region:

      for region in $(aws ec2 describe-regions --query "Regions[].RegionName" --output text); do
          aws accessanalyzer create-analyzer --analyzer-name "IAMAnalyzer-$region" --type ACCOUNT --region "$region"
      done

  • Verify the analyzer creation in each region:

      aws accessanalyzer list-analyzers --query 'analyzers[*].[name,status,arn]' --region <region-name>

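As an added example (not part of this benchmark's text), the following script ties the audit from the Test Plan to the remediation above: it enumerates the enabled regions, reports any region without an ACTIVE analyzer, and, when run with --fix, creates an account analyzer only in the regions that lack one, so existing analyzers are left untouched rather than re-created blindly. It assumes the AWS CLI is installed and configured with the access-analyzer permissions listed under Pre-Requisites plus ec2:DescribeRegions; the function names and the --check/--fix flags are this example's own, and the JSON it inspects is the standard "list-analyzers" output.

```shell
#!/bin/sh
# Added example, not part of the benchmark text. Audits every enabled region for an
# ACTIVE IAM Access Analyzer and, with --fix, creates an account analyzer only in the
# regions that lack one. Assumes the AWS CLI is installed and configured with the
# access-analyzer:ListAnalyzers, access-analyzer:CreateAnalyzer and ec2:DescribeRegions
# permissions.

# Count ACTIVE analyzers in the JSON printed by `aws accessanalyzer list-analyzers`.
# Reads stdin so the same logic can be exercised against captured output.
count_active_analyzers() {
    # grep -c prints "0" but exits 1 when nothing matches; keep the count, drop the status.
    grep -c '"status": "ACTIVE"' || true
}

# Default fetcher: the real CLI call for one region (hypothetical helper name).
fetch_analyzers_json() {
    aws accessanalyzer list-analyzers --region "$1" --output json
}

# Print, one per line, the regions in $1 (space separated) that have no ACTIVE analyzer.
# $2 optionally names a function used instead of the CLI to obtain the JSON, which is
# how the logic can be checked offline against constructed output.
regions_missing_analyzer() {
    regions=$1
    fetch=${2:-fetch_analyzers_json}
    for region in $regions; do
        active=$("$fetch" "$region" | count_active_analyzers)
        [ "$active" -gt 0 ] || echo "$region"
    done
}

# Enumerate enabled regions, report the non-compliant ones and optionally remediate.
# Returns 1 when any region is left without an ACTIVE analyzer, which lets a CI job fail.
main() {
    mode=${1:---check}
    regions=$(aws ec2 describe-regions --query "Regions[].RegionName" --output text)
    missing=$(regions_missing_analyzer "$regions")
    if [ -z "$missing" ]; then
        echo "All enabled regions have an ACTIVE IAM Access Analyzer."
        return 0
    fi
    echo "Regions without an ACTIVE IAM Access Analyzer:"
    echo "$missing"
    [ "$mode" = "--fix" ] || return 1
    for region in $missing; do
        # Create only where the audit found nothing; existing analyzers are not touched.
        aws accessanalyzer create-analyzer --analyzer-name "IAMAnalyzer-$region" \
            --type ACCOUNT --region "$region"
    done
    # Re-run the audit; a freshly created analyzer may not report ACTIVE immediately.
    missing=$(regions_missing_analyzer "$regions")
    [ -z "$missing" ] || { echo "Not yet ACTIVE: $missing"; return 1; }
}

# Run only when invoked with --check or --fix, so the functions can also be sourced.
case ${1:-} in
    --check|--fix) main "$1" ;;
esac
```

Run it as "sh access_analyzer_check.sh --check" from a scheduled job or pipeline to fail on non-compliant regions, or with --fix to remediate; if the final re-check lists a region whose analyzer was just created, rerun --check after a moment.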

Backout Plan:

If an IAM Access Analyzer was mistakenly deleted, recreate it in the affected region with the same command:

    aws accessanalyzer create-analyzer --analyzer-name "IAMAnalyzer" --type ACCOUNT --region <region-name>

  • Ensure the analyzer is active and monitoring access policies.

References:

CIS Controls Mapping:

  CIS Control Version   Control ID   Control Description
  CIS v8                3.3          Configure access control lists based on user need-to-know.
  CIS v7                14.6         Protect information through access control lists.