Profile Applicability
- Level 1
Description:
The IAM External Access Analyzer is a security feature in AWS Identity and Access Management (IAM) that helps identify and manage the potential risks of external access to resources in your AWS environment. This service analyzes IAM policies, roles, and resource-based policies to detect unintended access that can expose sensitive resources to the public internet or to principals outside your account (or organization, the "zone of trust").
Enabling IAM External Access Analyzer across all AWS regions ensures that any unintended external access across your AWS environment is identified and can be remediated, improving security and reducing the potential attack surface.
Rationale:
Enabling IAM External Access Analyzer in all regions helps with:
Proactive security monitoring: Identifies risks associated with external access to AWS resources.
Compliance: Meets regulatory and security requirements that mandate monitoring and identifying external access to sensitive data.
Security best practices: Provides continuous monitoring of IAM policies and resource-based policies for misconfigurations or unintended access.
Reduced attack surface: Prevents inadvertent external exposure of resources, helping to avoid data breaches and unauthorized access.
Without enabling IAM External Access Analyzer in all regions, your environment may be vulnerable to unauthorized access from external sources, potentially exposing critical resources.
Impact:
Failure to enable IAM External Access Analyzer in all regions can result in:
Unidentified external access risks: Unintended external access to sensitive resources may go undetected.
Data breaches: Unauthorized users may gain access to sensitive data, potentially resulting in security incidents or regulatory violations.
Non-compliance: Failure to identify and restrict external access could lead to violations of regulatory standards that require continuous monitoring of AWS resources.
Enabling the analyzer ensures that all IAM policies and resource-based policies are examined for external access risks, enhancing security and compliance.
Default Value:
By default, IAM External Access Analyzer is not enabled in any region. An analyzer only covers the region in which it is created, so one must be explicitly created in every region across your AWS environment.
Pre-Requisites:
AWS CLI installed and configured
IAM permissions:
access-analyzer:CreateAnalyzer
access-analyzer:ListAnalyzers
access-analyzer:GetAnalyzer
access-analyzer:ListAnalyzedResources
access-analyzer:ListFindings
iam:CreateServiceLinkedRole (required the first time an analyzer is created, so that the AWSServiceRoleForAccessAnalyzer service-linked role can be provisioned)
IAM External Access Analyzer should be enabled and configured for all regions
Remediation:
Test Plan:
Using AWS Console:
Go to the IAM Console.
Navigate to Access Analyzer in the left-hand pane.
Verify that IAM External Access Analyzer is enabled in all regions and that all IAM roles and resource policies are being analyzed for external access.
Ensure that any identified external access risks are reviewed and mitigated.
Using AWS CLI:
aws accessanalyzer list-analyzers --region <region-name> --query "analyzers[].[name,type,status,arn]" --output table
Analyzers are regional, so run this once per enabled region (for example by iterating over the regions returned by aws ec2 describe-regions) and confirm that every region has an analyzer of type ACCOUNT (or ORGANIZATION) whose status is ACTIVE.
To list the resources the analyzer has examined in a region (the analyzer ARN comes from the list-analyzers output above):
aws accessanalyzer list-analyzed-resources --analyzer-arn <analyzer-arn> --output table
Implementation Plan:
Using AWS Console:
Enable IAM External Access Analyzer in all regions:
Go to the IAM Console.
In the Access Analyzer section, click Create analyzer.
Choose the Analyzer type as Account analyzer. The console creates the analyzer only in the region currently selected, so repeat this in every region you use to ensure that the analyzer is activated for all regions.
Save the configuration to enable access analysis across all regions.
Verify and monitor access analysis:
After enabling, regularly monitor the Findings in the IAM Access Analyzer dashboard to ensure that external access issues are identified and mitigated.
Using AWS CLI:
Enable IAM External Access Analyzer for all regions:
aws accessanalyzer create-analyzer --analyzer-name <analyzer-name> --type ACCOUNT --region <region-name>
Repeat the command for each region; a single analyzer does not cover other regions.
Verify access analysis status:
aws accessanalyzer list-analyzers --region <region-name> --query "analyzers[].[name,type,status,arn]" --output table
Monitor findings:
aws accessanalyzer list-findings --analyzer-arn <analyzer-arn> --output table
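The following is an added example, not part of the benchmark text: it turns the per-region check in the Test Plan and the create-analyzer step above into one audit script. It assumes the JSON shape that aws accessanalyzer list-analyzers --output json returns ({"analyzers": [{"name", "type", "status", ...}]}); the regions and analyzer records in SAMPLE_OUTPUT are constructed sample input, and fetch_listing (which shells out to the AWS CLI) is only needed when auditing a real account.

```python
"""Audit IAM Access Analyzer coverage per region from list-analyzers output."""
import json
import subprocess

COVERING_TYPES = {"ACCOUNT", "ORGANIZATION"}  # analyzer types that satisfy this control

# Constructed sample of what `aws accessanalyzer list-analyzers --output json`
# could return in four regions: one compliant account analyzer, one compliant
# organization analyzer, one analyzer that is not ACTIVE, and one empty region.
SAMPLE_OUTPUT = {
    "us-east-1": {"analyzers": [{"name": "ext", "type": "ACCOUNT", "status": "ACTIVE"}]},
    "us-west-2": {"analyzers": [{"name": "org", "type": "ORGANIZATION", "status": "ACTIVE"}]},
    "eu-west-1": {"analyzers": [{"name": "ext", "type": "ACCOUNT", "status": "FAILED"}]},
    "ap-south-1": {"analyzers": []},
}


def region_is_covered(listing):
    """True if the region has at least one ACTIVE external-access analyzer.

    Unused-access analyzers (types ending in _UNUSED_ACCESS) do not satisfy this
    control, and a CREATING, DISABLED or FAILED analyzer is not counted as coverage.
    """
    return any(a.get("type") in COVERING_TYPES and a.get("status") == "ACTIVE"
               for a in listing.get("analyzers", []))


def noncompliant_regions(per_region):
    """Sorted list of regions lacking an active external-access analyzer."""
    return sorted(r for r, listing in per_region.items() if not region_is_covered(listing))


def remediation_commands(regions, analyzer_name="external-access-analyzer"):
    """One create-analyzer command per uncovered region (analyzers are regional)."""
    return [f"aws accessanalyzer create-analyzer --analyzer-name {analyzer_name} "
            f"--type ACCOUNT --region {r}" for r in regions]


def fetch_listing(region):
    """Pull live list-analyzers JSON for one region via the AWS CLI (needs credentials)."""
    proc = subprocess.run(["aws", "accessanalyzer", "list-analyzers", "--region", region,
                           "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Swap SAMPLE_OUTPUT for {r: fetch_listing(r) for r in regions} to audit a real account.
    missing = noncompliant_regions(SAMPLE_OUTPUT)
    print("Regions without an active analyzer:", missing)
    print("\n".join(remediation_commands(missing)))
```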
Backout Plan:
Using AWS Console:
If enabling the IAM External Access Analyzer causes performance issues or unnecessary alerts:
Go to the IAM Console.
Disable the IAM External Access Analyzer in the Access Analyzer section by deleting the analyzer.
Revert IAM roles and resource-based policies to their original configurations if needed, or modify them to reduce false alerts.
Using AWS CLI:
Temporarily disable IAM External Access Analyzer:
aws accessanalyzer delete-analyzer --analyzer-name <analyzer-name> --region <region-name>
Deleting the analyzer is what stops analysis in a region; the AWS CLI has no separate command to pause an analyzer. To suppress unnecessary alerts without removing the analyzer, archive the affected findings instead:
aws accessanalyzer update-findings --analyzer-arn <analyzer-arn> --ids <finding-id> --status ARCHIVED
Re-enable analysis once issues are resolved:
aws accessanalyzer create-analyzer --analyzer-name <analyzer-name> --type ACCOUNT --region <region-name>