IAM Access Analyzer Findings

01 Sign in to AWS Management Console.

02 Navigate to IAM Access Analyzer dashboard at https://console.aws.amazon.com/access-analyzer/.

03 In the navigation panel, under Access reports, choose Access analyzer to access the page with the IAM Access Analyzer findings identified within the current AWS region.

04 On the Access Analyzer page, select the Active tab to view all the active findings identified by the IAM Access Analyzer in your trust zone. If no active findings are found in the verified region, the following confirmation message is shown: "No findings to display". If one or more active access findings are returned, i.e.

there are AWS IAM Access Analyzer findings that need to be solved available within the current AWS region.

05 Change the AWS region from the navigation bar and repeat the audit process for other regions.

01 Run list-analyzers command (OSX/Linux/UNIX) with custom query filters to describe the Amazon Resource Name (ARN) of the IAM Access Analyzer created for the selected AWS region (in this case US East - N. Virginia region):

aws accessanalyzer list-analyzers
    --region us-east-1
    --query 'analyzers[*].arn'

02 The command output should return the Amazon Resource Name (ARN) of the requested AWS resource:

[
    "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/cc-us-east-1-iam-analyzer"
]

03 Run list-findings command (OSX/Linux/UNIX) using the ARN of the IAM Access Analyzer that you want to examine as identifier parameter to retrieve the ID(s) of the active access finding(s) identified in the selected AWS region:

aws accessanalyzer list-findings
    --region us-east-1
    --analyzer-arn arn:aws:access-analyzer:us-east-1:123456789012:analyzer/cc-us-east-1-iam-analyzer
    --query 'findings[?(status==`ACTIVE`)].id'

04 The command output should return the ID(s) of the active finding(s) or an empty array (i.e. []) if there are no active access security issues found:

[
    "abcdabcd-1234-1234-1234-abcdabcdabcd",
    "abcd1234-abcd-1234-abcd-1234abcd1234",
    "1234abcd-1234-abcd-1234-abcd1234abcd"
]

05 Change the AWS region by updating the --region command parameter value and repeat the entire audit process for other regions.

01 Sign in to AWS Management Console.

02 Navigate to IAM Access Analyzer dashboard at https://console.aws.amazon.com/access-analyzer/.

03 In the navigation panel, under Access reports, choose Access analyzer to access the page with all your IAM Access Analyzer findings.

04 On the Access Analyzer page, select the Active tab to view all the active findings identified within the current AWS region.

05 Choose the access finding that you want to review and resolve, then click on its identifier link available in the Finding ID column to access the information generated for the finding.

06 On the selected finding page, in the Details section, review the security finding by analyzing its attributes:

1. Finding ID – the unique ID assigned to the selected access finding.
2. Resource – the Amazon Resource Name (ARN) of the AWS resource associated with the policy that grants access to an external entity outside of your trust zone. The zone of trust used by the IAM Access Analyzer is your AWS account.
3. External principal – the untrusted principal, the one outside of your zone of trust, that the analyzed policy grants access to. The valid values available for the External principal attribute are:
   • All principals – all AWS principals that meet the conditions included in the Conditions column have permission to access the resource. For example, if a VPC is listed, it means that any principal in any account that has permission to access the listed VPC network can access the resource.
   • AWS account – all principals in the listed AWS account, with permissions from the account's administrator, can access the resource.
   • Canonical user – all principals within the AWS account with the listed canonical user ID have permission to access the resource.
   • IAM role – the listed AWS IAM role has permission to access the resource.
   • IAM user – the listed AWS IAM user has permission to access the resource.
4. Condition – the condition from the policy statement that grants the access. For example, if the Condition attribute includes source VPC, it means that the resource is shared with a principal that has access to the specified VPC network. Conditions can be global or service-specific. A global condition key contains the "aws:" prefix.
5. Access level - the level of access granted to the external entity by the actions within the verified resource-based policy. Access level values include the following:
   • List – the permission to list resources within the service to determine whether an object exists. Actions with this level of access can list objects but cannot see the contents of a resource.
   • Read – the permission to read but not edit the contents and attributes of resources available in the service.
   • Write – the permission to create, delete or modify resources in the service.
   • Permissions – the permission to grant or modify resource permissions in the service.
   • Tagging – the permission to perform actions that only change the state of the resource tags.
6. Status – the status of the access finding. The valid values are Active, Archived or Resolved.
7. Updated – a timestamp for the most recent update to the finding status, or the date/time when the finding was generated if no updates have been made since it was generated.

07 Based on the information reviewed at the previous step you can analyze the selected security finding and choose whether the access to the specified AWS resource is intended or not. On the finding page, in the Next steps section, choose one of the following actions:

1. If the access is intended and necessary for your business processes, click Archive button inside the Intended access section to archive the selected finding. This action helps you focus only on findings that are related to potential security risks. When you archive a security finding, the AWS IAM Access Analyzer removes it from the Active findings list and changes its status to Archived.
2. If the access is not intended, it indicates a potential security risk. To solve the access security risk identified by the selected IAM Access Analyzer finding, click Go to <aws-resource> console button available in the Not intended section to access the AWS resource associated with the policy that grants the unintended access. Once the AWS Management Console redirects you to the right resource (in this case an S3 bucket), perform the following actions:
   • Select the Permissions tab from the S3 dashboard top menu to access bucket permissions.
   • On the Permissions panel, under Block public access (bucket settings), click Edit.
   • Select Block all public access checkbox to enable the S3 Public Access Block feature and restrict public (unintended) access to the selected S3 bucket.
   • Click Save to save the permission changes.
   • Within Edit block public access (bucket settings) confirmation box, type confirm in the appropriate field, then click Confirm to apply the changes.
   • To confirm that the selected security finding removed the unintended access, go back to the finding details page and choose Rescan. If the untrusted access has been successfully removed, the finding status should change to Resolved.

08 Repeat steps no. 5 – 7 for each IAM Access Analyzer finding identified within the current AWS region.

09 Change the AWS region from the navigation bar and repeat the process for other regions.

01 Run list-findings command (OSX/Linux/UNIX) using the ARN of the IAM Access Analyzer that you want to verify as identifier parameter (see Audit section part II to identify the right resource) to describe all the active security findings identified by the IAM Access Analyzer feature in the selected AWS region:

aws accessanalyzer list-findings
    --region us-east-1
    --analyzer-arn arn:aws:access-analyzer:us-east-1:123456789012:analyzer/cc-us-east-1-iam-analyzer
    --query 'findings[?(status==`ACTIVE`)]'

02 The command output should return all the active security findings identified in the selected region, e.g.:

[
    {
        "status": "ACTIVE",
        "resource": "arn:aws:s3:::cc-project5-log-data",
        "resourceType": "AWS::S3::Bucket",
        "isPublic": true,
        "analyzedAt": "2019-12-09T14:39:36Z",
        "condition": {},
        "updatedAt": "2019-12-09T14:29:50Z",
        "action": [
            "s3:DeleteObject",
            "s3:GetBucketAcl",
            "s3:ListBucket",
            "s3:ListBucketByTags",
            "s3:ListBucketMultipartUploads",
            "s3:ListBucketVersions",
            "s3:PutObject"
        ],
        "id": "abcdabcd-1234-1234-1234-abcdabcdabcd",
        "createdAt": "2019-12-09T12:35:51Z",
        "principal": {
            "AWS": "*"
        }
    },
    {
        "status": "ACTIVE",
        "resource": "arn:aws:sqs:us-east-1:123456789012:cc-staging-queue",
        "resourceType": "AWS::SQS::Queue",
        "isPublic": true,
        "analyzedAt": "2019-12-09T11:04:54Z",
        "condition": {},
        "updatedAt": "2019-12-09T11:04:54Z",
        "action": [
            "sqs:ChangeMessageVisibility",
            "sqs:ChangeMessageVisibilityBatch",
            "sqs:DeleteMessage",
            "sqs:DeleteMessageBatch",
            "sqs:GetQueueAttributes",
            "sqs:GetQueueUrl",
            "sqs:ListDeadLetterSourceQueues",
            "sqs:PurgeQueue",
            "sqs:ReceiveMessage",
            "sqs:SendMessage",
            "sqs:SendMessageBatch"
        ],
        "id": "abcd1234-abcd-1234-abcd-1234abcd1234",
        "createdAt": "2019-12-09T11:04:54Z",
        "principal": {
            "AWS": "*"
        }
    },
    {
        "status": "ACTIVE",
        "resource": "arn:aws:sqs:us-east-1:123456789012:cc-project5-app-queue",
        "resourceType": "AWS::SQS::Queue",
        "isPublic": false,
        "analyzedAt": "2019-12-09T11:04:54Z",
        "condition": {},
        "updatedAt": "2019-12-09T11:04:54Z",
        "action": [
            "sqs:ChangeMessageVisibility",
            "sqs:ChangeMessageVisibilityBatch",
            "sqs:DeleteMessage",
            "sqs:DeleteMessageBatch",
            "sqs:GetQueueAttributes",
            "sqs:GetQueueUrl",
            "sqs:ListDeadLetterSourceQueues",
            "sqs:PurgeQueue",
            "sqs:ReceiveMessage",
            "sqs:SendMessage",
            "sqs:SendMessageBatch"
        ],
        "id": "1234abcd-1234-abcd-1234-abcd1234abcd",
        "createdAt": "2019-12-09T11:04:54Z",
        "principal": {
            "AWS": "123412341234"
        }
    }
]

03 For the list-findings command output returned at the previous step, review each security issue by analyzing its properties:

1. "id" – the unique ID assigned to the selected access finding. You can use the finding ID to display additional details about the resource and the policy statement that generated the finding.
2. "resource" – the Amazon Resource Name (ARN) of the AWS resource associated with the policy that grants access to an external entity outside of your trust zone. The zone of trust used by the IAM Access Analyzer is your AWS account.
3. "resourceType" – the type of the AWS resource associated with the policy that allows access to a principal outside of your zone of trust.
4. "principal" – the external principal, the one outside of your trust zone, that the analyzed policy grants access to. The valid values available for the External principal attribute are:
   • All principals – all AWS principals that meet the conditions included in the "condition" property have permission to access the resource. For example, if a VPC is listed, it means that any principal in any account that has permission to access the listed VPC network can access the resource.
   • AWS account – all principals in the listed AWS account, with permissions from the account's administrator, can access the resource.
   • Canonical user – all principals within the AWS account with the listed canonical user ID have permission to access the resource.
   • IAM role – the listed AWS IAM role has permission to access the resource.
   • IAM user – the listed AWS IAM user has permission to access the resource.
5. "condition" – the condition from the policy statement that grants the access. For example, if the Condition attribute includes source VPC, it means that the resource is shared with a principal that has access to the specified VPC network. Conditions can be global or service-specific. A global condition key contains the "aws:" prefix.
6. "isPublic" – indicates whether the resource-based policy that generated the security finding allows public access to the verified resource. Valid values: true (public access is allowed) and false (public access is denied).
7. "action" – the action or set of actions defined in the analyzed policy statement that an external principal has permission to use. This action/action set represents the level of access found for the associated resource-based policy. Access level values include the following:
   • List – the permission to list resources within the service to determine whether an object exists. Actions with this level of access can list objects but cannot see the contents of a resource.
   • Read – the permission to read but not edit the contents and attributes of resources available in the service.
   • Write – the permission to create, delete or modify resources in the service.
   • Permissions – the permission to grant or modify resource permissions in the service.
   • Tagging – the permission to perform actions that only change the state of the resource tags.
8. "status" – the status of the access finding. The valid values are ACTIVE, ARCHIVED or RESOLVED.
9. "updatedAt" – a timestamp for the most recent update to the finding status, or the date/time when the finding was generated if no updates have been made since it was generated.

04 Based on the information reviewed at the previous step you can analyze the selected security finding and choose whether the access to the specified AWS resource is intended or not:

1. If the access is intended and necessary for your business processes, create a rule to automatically archive new findings that meet the conditions defined within the rule. To create the required archive rule, execute the following commands:
   • Define the criteria for the new rule. In this case the criteria used is the ARN of an Amazon S3 bucket that you regularly grant public access to:
     {
         "resource": {
               "eq": ["arn:aws:s3:::cc-project5-log-data"]
         }
     }
     

   • Run create-archive-rule command (OSX/Linux/UNIX) using the name of the analyzer and the JSON document that contains the rule criteria defined at the previous step (i.e. rule-criteria.json) as parameters to create the archive rule that automatically archives new findings based on the specified criteria (the command does not produce an output).
     aws aws accessanalyzer create-archive-rule
         --region us-east-1
         --analyzer-name cc-us-east-1-iam-analyzer
         --rule-name cc-publicly-accessible-s3bucket-rule
         --filter file://rule-criteria.json
     

2. If the access is not intended (untrusted), it indicates a potential security risk. To solve the access security risk identified by the selected IAM Access Analyzer finding, execute the following commands:
   • Run put-public-access-block command (OSX/Linux/UNIX) using the name of the S3 bucket that you want to reconfigure as identifier parameter to enable and configure the S3 Public Access Block feature for the specified bucket (the command should not return an output):
     aws s3api put-public-access-block
         --region us-east-1
         --bucket cc-project5-log-data
         --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
     

   • Run start-resource-scan command (OSX/Linux/UNIX) using the Amazon Resource Name (ARN) of the analyzer and the ARN of the specified resource (in this case an S3 bucket) as identifier parameters to rescan the selected AWS resource in order to confirm that the change made at the previous step removed the public access (the command does not produce an output):
     aws accessanalyzer start-resource-scan
         --region us-east-1
         --analyzer-arn arn:aws:access-analyzer:us-east-1:123456789012:analyzer/cc-us-east-1-iam-analyzer                                                               --resource-arn arn:aws:s3:::cc-project5-log-data
     

   • Run get-finding command (OSX/Linux/UNIX) with custom query filters to describe the status of the specified IAM Access Analyzer finding in order to confirm that the selected security finding has been solved:
     aws accessanalyzer get-finding
         --region us-east-1
         --analyzer-arn arn:aws:access-analyzer:us-east-1:123456789012:analyzer/cc-us-east-1-iam-analyzer
         --id abcdabcd-1234-1234-1234-abcdabcdabcd
         --query 'finding.status'
     

   • The command output should return the status of the selected finding. If the status is set to "RESOLVED", the security finding has been successfully solved:
     "RESOLVED"
     

05 Repeat steps no. 1 – 4 for each IAM Access Analyzer finding identified in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.