Use the Conformity Knowledge Base AI to help improve your Cloud Posture

IAM Access Analyzer Findings

Trend Cloud Oneβ„’ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High
Rule ID: AccessAnalyzer-001

Check for Amazon IAM Access Analyzer findings in order to review and take all the necessary actions to resolve public or untrusted cross-account access security issues identified within your Amazon Web Services (AWS) cloud environment. Access Analyzer is a new AWS Identity and Access Management (IAM) feature that helps you find potential security risks in your AWS environment by analyzing the resource-based policies associated with the cloud resources within your zone of trust. The access initiated by the principals created within your zone of trust (i.e. your AWS account) is considered trusted. When IAM Access Analyzer identifies a policy that allows access to your resources from outside of your zone of trust, it generates a finding. You can use the details generated by the finding, such as the resource name and type, access level and the external principal that has access to the resource, to determine whether the access is intended or unintended. If the access is unintended, it represents a security risk, and therefore actions must be taken to remove the unwanted access. If the access is trusted and necessary for your applications and processes, you can archive the finding to mark it as safe and remove it from the list of active findings. AWS IAM Access Analyzer continuously monitors for new or updated resource-based policies associated with resources such as Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, AWS IAM roles and Amazon Lambda functions. IAM Access Analyzer can provide detailed findings through the AWS IAM management console, Amazon S3 and AWS Security Hub console and also through its APIs. Access Analyzer findings can also be exported as a report for auditing purposes.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Amazon IAM Access Analyzer helps you evaluate access permissions across your AWS cloud environments in order that your security teams and administrators can quickly validate the resource-based policies that provide intended access to your resources and redefine the policies that allow unintended access to adhere to the principle of least privilege. Once enabled, Amazon IAM Access Analyzer starts monitoring the access policies associated with S3 buckets, KMS keys, SQS queues, IAM roles and Lambda functions for permissions changes so that you no longer need to rely on intermittent manual checks to catch access security issues when these type of policies are added or updated.


Audit

To check your AWS account for IAM Access Analyzer findings, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to IAM Access Analyzer dashboard at https://console.aws.amazon.com/access-analyzer/.

03 In the navigation panel, under Access reports, choose Access analyzer to access the page with the IAM Access Analyzer findings identified within the current AWS region.

04 On the Access Analyzer page, select the Active tab to view all the active findings identified by the IAM Access Analyzer in your trust zone. If no active findings are found in the verified region, the following confirmation message is shown: "No findings to display". If one or more active access findings are returned, i.e.

If one or more active access findings are returned

there are AWS IAM Access Analyzer findings that need to be solved available within the current AWS region.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-analyzers command (OSX/Linux/UNIX) with custom query filters to describe the Amazon Resource Name (ARN) of the IAM Access Analyzer created for the selected AWS region (in this case US East - N. Virginia region):

aws accessanalyzer list-analyzers
    --region us-east-1
    --query 'analyzers[*].arn'

02 The command output should return the Amazon Resource Name (ARN) of the requested AWS resource:

[
    "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/cc-us-east-1-iam-analyzer"
]

03 Run list-findings command (OSX/Linux/UNIX) using the ARN of the IAM Access Analyzer that you want to examine as identifier parameter to retrieve the ID(s) of the active access finding(s) identified in the selected AWS region:

aws accessanalyzer list-findings
    --region us-east-1
    --analyzer-arn arn:aws:access-analyzer:us-east-1:123456789012:analyzer/cc-us-east-1-iam-analyzer
    --query 'findings[?(status==`ACTIVE`)].id'

04 The command output should return the ID(s) of the active finding(s) or an empty array (i.e. []) if there are no active access security issues found:

[
    "abcdabcd-1234-1234-1234-abcdabcdabcd",
    "abcd1234-abcd-1234-abcd-1234abcd1234",
    "1234abcd-1234-abcd-1234-abcd1234abcd"
]

If the array returned by the list-findings command output contains the ID of one or more security findings, as shown in the example above, there are AWS IAM Access Analyzer findings that need to be resolved available in the selected AWS region.

05 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.

Remediation / Resolution

To access, review and solve the IAM Access Analyzer findings identified within your AWS trust zone, perform the following actions:

Note: As an example, this conformity rule demonstrates how to review and solve an AWS IAM Access Analyzer finding detected for an Amazon S3 bucket that is configured to allow anonymous (unintended) access to anyone on the Internet through the bucket's Access Control List (ACL) - i.e. publicly exposed S3 bucket.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to IAM Access Analyzer dashboard at https://console.aws.amazon.com/access-analyzer/.

03 In the navigation panel, under Access reports, choose Access analyzer to access the page with all your IAM Access Analyzer findings.

04 On the Access Analyzer page, select the Active tab to view all the active findings identified within the current AWS region.

05 Choose the access finding that you want to review and resolve, then click on its identifier link available in the Finding ID column to access the information generated for the finding.

06 On the selected finding page, in the Details section, review the security finding by analyzing its attributes:

  1. Finding ID – the unique ID assigned to the selected access finding.
  2. Resource – the Amazon Resource Name (ARN) of the AWS resource associated with the policy that grants access to an external entity outside of your trust zone. The zone of trust used by the IAM Access Analyzer is your AWS account.
  3. External principal – the untrusted principal, the one outside of your zone of trust, that the analyzed policy grants access to. The valid values available for the External principal attribute are:
    • All principals – all AWS principals that meet the conditions included in the Conditions column have permission to access the resource. For example, if a VPC is listed, it means that any principal in any account that has permission to access the listed VPC network can access the resource.
    • AWS account – all principals in the listed AWS account, with permissions from the account's administrator, can access the resource.
    • Canonical user – all principals within the AWS account with the listed canonical user ID have permission to access the resource.
    • IAM role – the listed AWS IAM role has permission to access the resource.
    • IAM user – the listed AWS IAM user has permission to access the resource.
  4. Condition – the condition from the policy statement that grants the access. For example, if the Condition attribute includes source VPC, it means that the resource is shared with a principal that has access to the specified VPC network. Conditions can be global or service-specific. A global condition key contains the "aws:" prefix.
  5. Access level - the level of access granted to the external entity by the actions within the verified resource-based policy. Access level values include the following:
    • List – the permission to list resources within the service to determine whether an object exists. Actions with this level of access can list objects but cannot see the contents of a resource.
    • Read – the permission to read but not edit the contents and attributes of resources available in the service.
    • Write – the permission to create, delete or modify resources in the service.
    • Permissions – the permission to grant or modify resource permissions in the service.
    • Tagging – the permission to perform actions that only change the state of the resource tags.
  6. Status – the status of the access finding. The valid values are Active, Archived or Resolved.
  7. Updated – a timestamp for the most recent update to the finding status, or the date/time when the finding was generated if no updates have been made since it was generated.

07 Based on the information reviewed at the previous step you can analyze the selected security finding and choose whether the access to the specified AWS resource is intended or not. On the finding page, in the Next steps section, choose one of the following actions:

  1. If the access is intended and necessary for your business processes, click Archive button inside the Intended access section to archive the selected finding. This action helps you focus only on findings that are related to potential security risks. When you archive a security finding, the AWS IAM Access Analyzer removes it from the Active findings list and changes its status to Archived.
  2. If the access is not intended, it indicates a potential security risk. To solve the access security risk identified by the selected IAM Access Analyzer finding, click Go to <aws-resource> console button available in the Not intended section to access the AWS resource associated with the policy that grants the unintended access. Once the AWS Management Console redirects you to the right resource (in this case an S3 bucket), perform the following actions:
    • Select the Permissions tab from the S3 dashboard top menu to access bucket permissions.
    • On the Permissions panel, under Block public access (bucket settings), click Edit.
    • Select Block all public access checkbox to enable the S3 Public Access Block feature and restrict public (unintended) access to the selected S3 bucket.
    • Click Save to save the permission changes.
    • Within Edit block public access (bucket settings) confirmation box, type confirm in the appropriate field, then click Confirm to apply the changes.
    • To confirm that the selected security finding removed the unintended access, go back to the finding details page and choose Rescan. If the untrusted access has been successfully removed, the finding status should change to Resolved.

08 Repeat steps no. 5 – 7 for each IAM Access Analyzer finding identified within the current AWS region.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

Using AWS CLI

01 Run list-findings command (OSX/Linux/UNIX) using the ARN of the IAM Access Analyzer that you want to verify as identifier parameter (see Audit section part II to identify the right resource) to describe all the active security findings identified by the IAM Access Analyzer feature in the selected AWS region:

aws accessanalyzer list-findings
    --region us-east-1
    --analyzer-arn arn:aws:access-analyzer:us-east-1:123456789012:analyzer/cc-us-east-1-iam-analyzer
    --query 'findings[?(status==`ACTIVE`)]'

02 The command output should return all the active security findings identified in the selected region, e.g.:

[
    {
        "status": "ACTIVE",
        "resource": "arn:aws:s3:::cc-project5-log-data",
        "resourceType": "AWS::S3::Bucket",
        "isPublic": true,
        "analyzedAt": "2019-12-09T14:39:36Z",
        "condition": {},
        "updatedAt": "2019-12-09T14:29:50Z",
        "action": [
            "s3:DeleteObject",
            "s3:GetBucketAcl",
            "s3:ListBucket",
            "s3:ListBucketByTags",
            "s3:ListBucketMultipartUploads",
            "s3:ListBucketVersions",
            "s3:PutObject"
        ],
        "id": "abcdabcd-1234-1234-1234-abcdabcdabcd",
        "createdAt": "2019-12-09T12:35:51Z",
        "principal": {
            "AWS": "*"
        }
    },
    {
        "status": "ACTIVE",
        "resource": "arn:aws:sqs:us-east-1:123456789012:cc-staging-queue",
        "resourceType": "AWS::SQS::Queue",
        "isPublic": true,
        "analyzedAt": "2019-12-09T11:04:54Z",
        "condition": {},
        "updatedAt": "2019-12-09T11:04:54Z",
        "action": [
            "sqs:ChangeMessageVisibility",
            "sqs:ChangeMessageVisibilityBatch",
            "sqs:DeleteMessage",
            "sqs:DeleteMessageBatch",
            "sqs:GetQueueAttributes",
            "sqs:GetQueueUrl",
            "sqs:ListDeadLetterSourceQueues",
            "sqs:PurgeQueue",
            "sqs:ReceiveMessage",
            "sqs:SendMessage",
            "sqs:SendMessageBatch"
        ],
        "id": "abcd1234-abcd-1234-abcd-1234abcd1234",
        "createdAt": "2019-12-09T11:04:54Z",
        "principal": {
            "AWS": "*"
        }
    },
    {
        "status": "ACTIVE",
        "resource": "arn:aws:sqs:us-east-1:123456789012:cc-project5-app-queue",
        "resourceType": "AWS::SQS::Queue",
        "isPublic": false,
        "analyzedAt": "2019-12-09T11:04:54Z",
        "condition": {},
        "updatedAt": "2019-12-09T11:04:54Z",
        "action": [
            "sqs:ChangeMessageVisibility",
            "sqs:ChangeMessageVisibilityBatch",
            "sqs:DeleteMessage",
            "sqs:DeleteMessageBatch",
            "sqs:GetQueueAttributes",
            "sqs:GetQueueUrl",
            "sqs:ListDeadLetterSourceQueues",
            "sqs:PurgeQueue",
            "sqs:ReceiveMessage",
            "sqs:SendMessage",
            "sqs:SendMessageBatch"
        ],
        "id": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "createdAt": "2019-12-09T11:04:54Z",
        "principal": {
            "AWS": "123412341234"
        }
    }
]

03 For the list-findings command output returned at the previous step, review each security issue by analyzing its properties:

  1. "id" – the unique ID assigned to the selected access finding. You can use the finding ID to display additional details about the resource and the policy statement that generated the finding.
  2. "resource" – the Amazon Resource Name (ARN) of the AWS resource associated with the policy that grants access to an external entity outside of your trust zone. The zone of trust used by the IAM Access Analyzer is your AWS account.
  3. "resourceType" – the type of the AWS resource associated with the policy that allows access to a principal outside of your zone of trust.
  4. "principal" – the external principal, the one outside of your trust zone, that the analyzed policy grants access to. The valid values available for the External principal attribute are:
    • All principals – all AWS principals that meet the conditions included in the "condition" property have permission to access the resource. For example, if a VPC is listed, it means that any principal in any account that has permission to access the listed VPC network can access the resource.
    • AWS account – all principals in the listed AWS account, with permissions from the account's administrator, can access the resource.
    • Canonical user – all principals within the AWS account with the listed canonical user ID have permission to access the resource.
    • IAM role – the listed AWS IAM role has permission to access the resource.
    • IAM user – the listed AWS IAM user has permission to access the resource.
  5. "condition" – the condition from the policy statement that grants the access. For example, if the Condition attribute includes source VPC, it means that the resource is shared with a principal that has access to the specified VPC network. Conditions can be global or service-specific. A global condition key contains the "aws:" prefix.
  6. "isPublic" – indicates whether the resource-based policy that generated the security finding allows public access to the verified resource. Valid values: true (public access is allowed) and false (public access is denied).
  7. "action" – the action or set of actions defined in the analyzed policy statement that an external principal has permission to use. This action/action set represents the level of access found for the associated resource-based policy. Access level values include the following:
    • List – the permission to list resources within the service to determine whether an object exists. Actions with this level of access can list objects but cannot see the contents of a resource.
    • Read – the permission to read but not edit the contents and attributes of resources available in the service.
    • Write – the permission to create, delete or modify resources in the service.
    • Permissions – the permission to grant or modify resource permissions in the service.
    • Tagging – the permission to perform actions that only change the state of the resource tags.
  8. "status" – the status of the access finding. The valid values are ACTIVE, ARCHIVED or RESOLVED.
  9. "updatedAt" – a timestamp for the most recent update to the finding status, or the date/time when the finding was generated if no updates have been made since it was generated.

04 Based on the information reviewed at the previous step you can analyze the selected security finding and choose whether the access to the specified AWS resource is intended or not:

  1. If the access is intended and necessary for your business processes, create a rule to automatically archive new findings that meet the conditions defined within the rule. To create the required archive rule, execute the following commands:
    • Define the criteria for the new rule. In this case the criteria used is the ARN of an Amazon S3 bucket that you regularly grant public access to:
      {
          "resource": {
                "eq": ["arn:aws:s3:::cc-project5-log-data"]
          }
      }
      
    • Run create-archive-rule command (OSX/Linux/UNIX) using the name of the analyzer and the JSON document that contains the rule criteria defined at the previous step (i.e. rule-criteria.json) as parameters to create the archive rule that automatically archives new findings based on the specified criteria (the command does not produce an output).
      aws aws accessanalyzer create-archive-rule
          --region us-east-1
          --analyzer-name cc-us-east-1-iam-analyzer
          --rule-name cc-publicly-accessible-s3bucket-rule
          --filter file://rule-criteria.json
      
  2. If the access is not intended (untrusted), it indicates a potential security risk. To solve the access security risk identified by the selected IAM Access Analyzer finding, execute the following commands:
    • Run put-public-access-block command (OSX/Linux/UNIX) using the name of the S3 bucket that you want to reconfigure as identifier parameter to enable and configure the S3 Public Access Block feature for the specified bucket (the command should not return an output):
      aws s3api put-public-access-block
          --region us-east-1
          --bucket cc-project5-log-data
          --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
      
    • Run start-resource-scan command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the analyzer and the ARN of the specified resource (in this case an S3 bucket) as identifier parameters to rescan the selected AWS resource in order to confirm that the change made at the previous step removed the public access (the command does not produce an output):
      aws accessanalyzer start-resource-scan
          --region us-east-1
          --analyzer-arn arn:aws:access-analyzer:us-east-1:123456789012:analyzer/cc-us-east-1-iam-analyzer                                                               --resource-arn arn:aws:s3:::cc-project5-log-data
      
    • Run get-finding command (OSX/Linux/UNIX) with custom query filters to describe the status of the specified IAM Access Analyzer finding in order to confirm that the selected security finding has been solved:
      aws accessanalyzer get-finding
          --region us-east-1
          --analyzer-arn arn:aws:access-analyzer:us-east-1:123456789012:analyzer/cc-us-east-1-iam-analyzer
          --id abcdabcd-1234-1234-1234-abcdabcdabcd
          --query 'finding.status'
      
    • The command output should return the status of the selected finding. If the status is set to "RESOLVED", the security finding has been successfully solved:
      "RESOLVED"
      

05 Repeat steps no. 1 – 4 for each IAM Access Analyzer finding identified in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.

References

Publication date Dec 10, 2019