Profile Applicability:
- Level 1
Description:
This control ensures that an IAM Access Analyzer is enabled in every AWS account and region. IAM Access Analyzer identifies resources that are shared with principals outside your zone of trust (the account or the organization), for example other AWS accounts, federated users, or the public. Enabling it provides continuous visibility into unintended access and supports least-privilege and secure resource-sharing practices.
Rationale:
IAM Access Analyzer is a detective control: it continuously evaluates resource-based policies (using automated reasoning rather than pattern matching) and reports access granted to principals outside your zone of trust. It does not block such access by itself; it surfaces findings for review. When enabled, it helps organizations:
- Detect resources (e.g., S3 buckets, KMS keys, IAM roles, Lambda functions) shared publicly or with external accounts.
- Identify policy misconfigurations that violate access control standards.
- Improve compliance with frameworks like CIS, SOC 2, and ISO 27001.
Without IAM Access Analyzer enabled, administrators lack automated detection for misconfigured access policies, increasing the risk of data exposure and compliance violations.
Impact:
- Positive Impact: Enables proactive detection of unintended resource sharing; improves overall visibility and governance of access permissions; strengthens compliance posture with continuous monitoring.
- Negative Impact: Minimal. External access analyzers incur no additional charge; ongoing analysis produces findings that must be triaged, and analyzer API calls appear in CloudTrail.
Default Value:
By default, IAM Access Analyzer is not enabled in any region. An analyzer must be created in each region, either per account or at the organization level; an organization analyzer covers all member accounts, but only for the region in which it is created.
Pre-Requisite:
- IAM permissions required:
  - access-analyzer:CreateAnalyzer
  - access-analyzer:ListAnalyzers
  - access-analyzer:ListFindings
  - access-analyzer:DeleteAnalyzer (for the backout plan)
- AWS CloudTrail should be enabled to record analyzer API activity (e.g., CreateAnalyzer, DeleteAnalyzer).
- AWS Organizations permissions (management account or a registered delegated administrator) if creating an organization-level analyzer.
Remediation
Test Plan
Using AWS Console:
- Sign in to the AWS Management Console.
- Navigate to IAM → Access Analyzer.
- Check whether an analyzer already exists.
- If no analyzer exists, a banner will appear prompting to create one.
- Ensure that at least one external access analyzer (type Account or Organization) is present in every enabled region, not only the regions where resources are currently deployed. Analyzers are regional, so switch region in the console and repeat the check.
- Confirm the analyzer status is Active. An analyzer in Disabled or Failed state, or an unused access analyzer on its own, does not satisfy this control.
Implementation Plan
Using AWS Console:
- Navigate to IAM → Access Analyzer.
- Click Create analyzer and choose external access analysis (not unused access analysis).
- Enter a name (e.g., OrgAccessAnalyzer or AccountAccessAnalyzer).
- Choose the Analyzer type:
  - Organization (recommended if using AWS Organizations; covers all member accounts in that region, and must be created from the management account or a delegated administrator account).
  - Account (if standalone account).
- Select the region where you want to enable it. Analyzers are regional, so repeat these steps in every enabled region.
- Click Create analyzer.
Once active, Access Analyzer automatically begins analyzing resource-based policies for external access and lists the results under Findings.
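The console steps in the Test Plan and Implementation Plan above are manual and per region. The following is an added example (not part of the benchmark text) that performs the same check and remediation programmatically: it evaluates the JSON shape returned by `aws accessanalyzer list-analyzers` for each region, passes only regions with an ACTIVE external access analyzer (type ACCOUNT or ORGANIZATION), and can create an analyzer where one is missing. The evaluation logic is pure Python and runs offline against the constructed sample; the live paths assume boto3 is installed and that the caller holds ec2:DescribeRegions, access-analyzer:ListAnalyzers and access-analyzer:CreateAnalyzer. Analyzer names and the sample data are illustrative assumptions.

```python
"""Audit and remediate IAM Access Analyzer coverage across regions.

Added example, not part of the benchmark text. Evaluation is pure Python
over the `analyzers` list that ListAnalyzers returns; the live scan and
remediation use boto3 (assumed installed and configured).
"""
from __future__ import annotations

# Only external access analyzers satisfy this control; unused-access or
# internal-access analyzers do not report sharing outside the zone of trust.
EXTERNAL_TYPES = {"ACCOUNT", "ORGANIZATION"}


def region_is_compliant(analyzers: list[dict]) -> tuple[bool, str]:
    """Evaluate one region's `analyzers` list; return (compliant, reason)."""
    for a in analyzers:
        if a.get("type") in EXTERNAL_TYPES and a.get("status") == "ACTIVE":
            return True, f"active {a['type']} analyzer {a.get('name')}"
    if not analyzers:
        return False, "no analyzer exists"
    states = ", ".join(f"{a.get('name')}:{a.get('type')}={a.get('status')}" for a in analyzers)
    return False, f"no ACTIVE external-access analyzer ({states})"


def evaluate_regions(results: dict[str, list[dict]]) -> dict:
    """Split regions into compliant (list) and noncompliant (region -> reason)."""
    report = {"compliant": [], "noncompliant": {}}
    for region in sorted(results):
        ok, reason = region_is_compliant(results[region])
        if ok:
            report["compliant"].append(region)
        else:
            report["noncompliant"][region] = reason
    return report


def list_all_analyzers(client) -> list[dict]:
    """Page through ListAnalyzers using nextToken."""
    analyzers, kwargs = [], {}
    while True:
        page = client.list_analyzers(**kwargs)
        analyzers.extend(page.get("analyzers", []))
        token = page.get("nextToken")
        if not token:
            return analyzers
        kwargs["nextToken"] = token


def live_scan() -> dict[str, list[dict]]:
    """Collect analyzers from every enabled region (needs boto3 and credentials)."""
    import boto3  # imported here so offline evaluation needs no AWS SDK
    regions = [r["RegionName"] for r in boto3.client("ec2").describe_regions()["Regions"]]
    return {
        region: list_all_analyzers(boto3.client("accessanalyzer", region_name=region))
        for region in regions
    }


def create_missing(report: dict, analyzer_type: str = "ACCOUNT",
                   name: str = "AccountAccessAnalyzer") -> list[str]:
    """Remediate: create an external access analyzer in each noncompliant region.

    Pass analyzer_type="ORGANIZATION" when running from the management or
    delegated administrator account to cover all member accounts.
    """
    import boto3
    created = []
    for region in report["noncompliant"]:
        boto3.client("accessanalyzer", region_name=region).create_analyzer(
            analyzerName=name, type=analyzer_type)
        created.append(region)
    return created


# Constructed sample mirroring ListAnalyzers output for four regions (assumed data).
SAMPLE_RESULTS = {
    "us-east-1": [{"name": "AccountAccessAnalyzer", "type": "ACCOUNT", "status": "ACTIVE"}],
    "eu-west-1": [{"name": "UnusedAccessOnly", "type": "ACCOUNT_UNUSED_ACCESS", "status": "ACTIVE"}],
    "us-west-2": [{"name": "Legacy", "type": "ACCOUNT", "status": "DISABLED"}],
    "ap-southeast-2": [],
}

if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv
    report = evaluate_regions(live_scan() if live else SAMPLE_RESULTS)
    for region in report["compliant"]:
        print(f"PASS {region}")
    for region, reason in report["noncompliant"].items():
        print(f"FAIL {region}: {reason}")
    if live and "--remediate" in sys.argv and report["noncompliant"]:
        print("created analyzers in:", ", ".join(create_missing(report)))
```

Run without arguments to see the evaluation against the sample; `--live` scans the enabled regions of the current credentials, and `--live --remediate` additionally creates an ACCOUNT analyzer wherever the scan failed. When the organization relies on an ORGANIZATION analyzer, run the scan from the management or delegated administrator account that owns it, since member accounts do not list it and would report as noncompliant.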
Backout Plan
Using AWS Console:
- Navigate to IAM → Access Analyzer.
- Select the analyzer you wish to remove.
- Choose Delete analyzer and confirm the action. Deleting an analyzer also deletes all findings it generated, so export any findings you need to retain first.