Profile Applicability:

  • Level 1


Description:

This control ensures that IAM Access Analyzer is enabled in each AWS account and region in use, and that it has no unresolved (active) findings. IAM Access Analyzer continuously evaluates the resource-based policies of supported resource types, such as IAM roles, S3 buckets, KMS keys, Lambda functions, and SQS queues, to detect access granted to principals outside the account or organization (the zone of trust). Keeping the analyzer active and its findings reviewed helps maintain least-privilege access and prevents unintentional data exposure.


Rationale:

IAM Access Analyzer improves security posture by automatically identifying resources that are publicly accessible or shared with external principals, so administrators can remediate risky configurations promptly. Having no active findings means that every instance of external access has been reviewed and either removed or explicitly archived as intended, which supports internal governance and compliance requirements (e.g., CIS, SOC 2, ISO 27001).


Impact:

  • Positive Impact:
    • Provides continuous visibility into external access to AWS resources.
    • Helps identify and remediate unintended public or cross-account sharing.
    • Strengthens compliance with least-privilege and zero-trust principles.
  • Negative Impact:
    • Enabling analyzers across multiple regions may incur minimal operational overhead.
    • Findings must be reviewed and archived or remediated by a person, which adds ongoing review effort.


Default Value:

By default, IAM Access Analyzer is not enabled in any region. The service is regional, so administrators must create an analyzer in each region where resources exist.


Pre-Requisite:

  • IAM permissions required:
    • access-analyzer:CreateAnalyzer
    • access-analyzer:ListAnalyzers
    • access-analyzer:ListFindings
    • access-analyzer:UpdateFindings
  • AWS CloudTrail should be enabled to record IAM Access Analyzer activity.

Remediation

Test Plan

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM → Access Analyzer.

  3. Verify that an analyzer exists for each region in use (analyzers are regional, so switch the console region selector and repeat the check for every region where resources exist).

    • If no analyzer exists, you will see a prompt to create one.

  4. Check the Findings tab:

    • If any findings exist, review each one and confirm whether the external access is intentional.

    • Archive findings for access that is intended. Findings for unintended access are remediated by changing the resource policy; the analyzer then marks them Resolved on its next scan (findings cannot be marked Resolved manually).

  5. Ensure there are no active findings; an active finding is external access that has not yet been reviewed or remediated.


Implementation Plan

Using AWS Console:

  1. Navigate to IAM → Access Analyzer.

  2. Click Create analyzer.

  3. Enter an analyzer name (e.g., OrganizationAccessAnalyzer).

  4. Choose Analyzer type:

    • Organization (recommended if using AWS Organizations; must be created from the management account or a delegated administrator account)

    • Account (for standalone accounts)

  5. Click Create analyzer. The analyzer is created in the region currently selected in the console.

  6. Repeat steps 1 to 5 in each region where resources exist.

  7. After creation, the analyzer automatically begins scanning resource-based policies for external access.

  8. Review any findings and take appropriate action to resolve them.
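
The Test Plan and Implementation Plan above can be automated across regions with the AWS API. The following is an added example for this control (not code from the benchmark or from AWS): it lists analyzers and ACTIVE findings per region, creates an analyzer where none is active, and archives only findings whose external principal is a trusted account, sending public findings to human review. The live functions assume boto3 is installed and credentials carrying the access-analyzer permissions listed under Pre-Requisite; the evaluation and triage helpers are pure and run offline. The SAMPLE_FINDINGS data and the trusted account IDs are constructed for illustration.

```python
"""Audit IAM Access Analyzer per region and triage its active findings.

Added example for this control (not benchmark or AWS tooling). Live calls
assume boto3 and credentials with the access-analyzer permissions listed
under Pre-Requisite; the pure helpers run offline on constructed data.
"""
import re

# External access analyzers; unused-access analyzer types are out of scope here.
EXTERNAL_ACCESS_TYPES = {"ACCOUNT", "ORGANIZATION"}
ACCOUNT_ID_RE = re.compile(r"\b(\d{12})\b")

# Constructed sample shaped like ListFindings 'findings' entries (not real data).
SAMPLE_FINDINGS = [
    {"id": "f-1", "isPublic": False, "resourceType": "AWS::S3::Bucket",
     "principal": {"AWS": "arn:aws:iam::444455556666:root"}},
    {"id": "f-2", "isPublic": True, "resourceType": "AWS::SQS::Queue",
     "principal": {"AWS": "*"}},
    {"id": "f-3", "isPublic": False, "resourceType": "AWS::KMS::Key",
     "principal": {"AWS": "999988887777"}},
]


def evaluate_region(region, analyzers, active_findings):
    """Verdict for one region. analyzers: ListAnalyzers entries (name, type,
    status); active_findings: findings already filtered to status ACTIVE."""
    external = [a for a in analyzers if a.get("type") in EXTERNAL_ACCESS_TYPES]
    active = [a for a in external if a.get("status") == "ACTIVE"]
    reasons = []
    if not active:
        if external:
            states = ", ".join(f"{a['name']}={a.get('status')}" for a in external)
            reasons.append("analyzer exists but is not ACTIVE: " + states)
        else:
            reasons.append("no external access analyzer in region")
    if active_findings:
        reasons.append(f"{len(active_findings)} active finding(s) not archived or resolved")
    return {"region": region, "compliant": not reasons, "reasons": reasons}


def classify_findings(findings, trusted_accounts):
    """Split findings into (safe_to_archive, needs_review). Only findings whose
    external principal belongs to a trusted account ID may be archived; public
    findings always need a human decision."""
    to_archive, review = [], []
    trusted = set(trusted_accounts)
    for f in findings:
        ids = set()
        for value in (f.get("principal") or {}).values():
            m = ACCOUNT_ID_RE.search(str(value))
            if m:
                ids.add(m.group(1))
        if not f.get("isPublic") and ids and ids <= trusted:
            to_archive.append(f)
        else:
            review.append(f)
    return to_archive, review


def list_active_findings(client, analyzer_arn):
    """Page through ListFindings, keeping only ACTIVE (unreviewed) findings."""
    findings = []
    pages = client.get_paginator("list_findings").paginate(
        analyzerArn=analyzer_arn, filter={"status": {"eq": ["ACTIVE"]}})
    for page in pages:
        findings.extend(page.get("findings", []))
    return findings


def ensure_analyzer(client, name, analyzer_type="ACCOUNT"):
    """Create an external access analyzer in the client's region unless one is
    already ACTIVE. ORGANIZATION analyzers can only be created from the
    management account or a delegated administrator account."""
    for a in client.list_analyzers().get("analyzers", []):
        if a.get("type") in EXTERNAL_ACCESS_TYPES and a.get("status") == "ACTIVE":
            return a["arn"]
    return client.create_analyzer(analyzerName=name, type=analyzer_type)["arn"]


def audit_regions(regions, trusted_accounts=(), archive=False):
    """Live audit. boto3 is imported here so the pure helpers above can be
    used (and tested) without the SDK installed."""
    import boto3
    results = []
    for region in regions:
        client = boto3.client("accessanalyzer", region_name=region)
        analyzers = client.list_analyzers().get("analyzers", [])
        open_findings = []
        for a in analyzers:
            if a.get("type") not in EXTERNAL_ACCESS_TYPES or a.get("status") != "ACTIVE":
                continue
            found = list_active_findings(client, a["arn"])
            ok, review = classify_findings(found, trusted_accounts)
            if archive and ok:  # archive intended access; review items stay ACTIVE
                client.update_findings(analyzerArn=a["arn"], status="ARCHIVED",
                                       ids=[f["id"] for f in ok])
                found = review
            open_findings.extend(found)
        results.append(evaluate_region(region, analyzers, open_findings))
    return results
```

Run it as `audit_regions(["us-east-1", "eu-west-1"], trusted_accounts={"444455556666"})` to get a per-region verdict, and pass `archive=True` only after the trusted account list has been agreed with the resource owners; public findings (`isPublic` true) are never archived automatically because they represent exposure to everyone. A region with only an unused-access analyzer is reported as non-compliant, since that analyzer type does not detect external sharing.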


Backout Plan

Using AWS Console:

  1. Navigate to IAM → Access Analyzer.

  2. Select the analyzer and choose Delete if you want to disable it.

  3. Confirm deletion. This stops all analysis in that region and permanently deletes the analyzer's findings, so export or record any findings you still need before deleting.

References: