Check for Amazon IAM Access Analyzer findings in order to review and take all the necessary actions to resolve public or untrusted cross-account access security issues identified within your Amazon Web Services (AWS) cloud environment. Access Analyzer is a new AWS Identity and Access Management (IAM) feature that helps you find potential security risks in your AWS environment by analyzing the resource-based policies associated with the cloud resources within your zone of trust. Access initiated by principals created within your zone of trust (i.e. your AWS account) is considered trusted. When IAM Access Analyzer identifies a policy that allows access to your resources from outside of your zone of trust, it generates a finding. You can use the details provided by the finding, such as the resource name and type, the access level and the external principal that has access to the resource, to determine whether the access is intended or unintended. If the access is unintended, it represents a security risk, and actions must be taken to remove the unwanted access. If the access is trusted and necessary for your applications and processes, you can archive the finding to mark it as safe and remove it from the list of active findings. AWS IAM Access Analyzer continuously monitors for new or updated resource-based policies associated with resources such as Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, AWS IAM roles and AWS Lambda functions. IAM Access Analyzer provides detailed findings through the AWS IAM console, the Amazon S3 and AWS Security Hub consoles, and its APIs. Access Analyzer findings can also be exported as a report for auditing purposes.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Amazon IAM Access Analyzer helps you evaluate access permissions across your AWS cloud environments so that your security teams and administrators can quickly validate the resource-based policies that provide intended access to your resources and redefine the policies that allow unintended access, in line with the principle of least privilege. Once enabled, Amazon IAM Access Analyzer starts monitoring the access policies associated with S3 buckets, KMS keys, SQS queues, IAM roles and Lambda functions for permission changes, so you no longer need to rely on intermittent manual checks to catch access security issues when these types of policies are added or updated.
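As an added example (not part of this Conformity rule page or of the AWS tooling), the following Python script triages a `list-findings` response the way the review above describes: public findings go to remediation, cross-account access from an account you expect is a candidate for archiving, and everything else needs its resource policy tightened. Field names follow the Access Analyzer API; the finding IDs, ARNs and account numbers are constructed sample values.

```python
import json

# Constructed sample in the shape returned by `aws accessanalyzer list-findings`
# (field names follow the real API; IDs, ARNs and account numbers are made up).
SAMPLE_FINDINGS = json.loads("""{"findings": [
 {"id": "f-1", "resourceType": "AWS::S3::Bucket",
  "resource": "arn:aws:s3:::example-public-bucket",
  "resourceOwnerAccount": "111111111111", "status": "ACTIVE",
  "isPublic": true, "principal": {"AWS": "*"},
  "action": ["s3:GetObject", "s3:ListBucket"]},
 {"id": "f-2", "resourceType": "AWS::KMS::Key",
  "resource": "arn:aws:kms:us-east-1:111111111111:key/example-key",
  "resourceOwnerAccount": "111111111111", "status": "ACTIVE",
  "isPublic": false, "principal": {"AWS": "222222222222"},
  "action": ["kms:Decrypt"]},
 {"id": "f-3", "resourceType": "AWS::IAM::Role",
  "resource": "arn:aws:iam::111111111111:role/example-role",
  "resourceOwnerAccount": "111111111111", "status": "ACTIVE",
  "isPublic": false, "principal": {"AWS": "333333333333"},
  "action": ["sts:AssumeRole"]},
 {"id": "f-4", "resourceType": "AWS::SQS::Queue",
  "resource": "arn:aws:sqs:us-east-1:111111111111:example-queue",
  "resourceOwnerAccount": "111111111111", "status": "ARCHIVED",
  "isPublic": false, "principal": {"AWS": "222222222222"},
  "action": ["sqs:SendMessage"]}
]}""")["findings"]


def triage(findings, trusted_accounts):
    """Classify each ACTIVE finding as 'public', 'trusted' or 'untrusted'.

    trusted_accounts: account IDs outside the zone of trust that are
    expected to have access (review, then archive). Non-ACTIVE findings
    (already archived or resolved) are skipped.
    """
    verdicts = {}
    for f in findings:
        if f["status"] != "ACTIVE":
            continue
        if f.get("isPublic"):
            verdicts[f["id"]] = "public"      # e.g. S3: apply Block Public Access
        elif f["principal"].get("AWS") in trusted_accounts:
            verdicts[f["id"]] = "trusted"     # safe to archive after review
        else:
            verdicts[f["id"]] = "untrusted"   # tighten the resource policy
    return verdicts
```

Run `triage(SAMPLE_FINDINGS, {"222222222222"})` to see the three active findings sorted into the three buckets; the archived finding is left alone.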
Audit
To check your AWS account for IAM Access Analyzer findings, perform the following actions:
Remediation / Resolution
To access, review and solve the IAM Access Analyzer findings identified within your AWS trust zone, perform the following actions:
Note: As an example, this conformity rule demonstrates how to review and resolve an AWS IAM Access Analyzer finding detected for an Amazon S3 bucket that is configured to allow anonymous (unintended) access to anyone on the Internet through the bucket's Access Control List (ACL), i.e. a publicly exposed S3 bucket.
References
- AWS Documentation
- AWS Identity and Access Management (IAM)
- AWS IAM features
- AWS IAM access analysis features
- What Is IAM Access Analyzer?
- Supported Resource Types
- How Access Analyzer Works
- Access Analyzer Findings
- Working with Findings
- Review Findings
- Archiving Findings
- Resolving Findings
- How Do I Block Public Access to S3 Buckets?
- Using Amazon S3 Block Public Access
- Archive Rules
- AWS Command Line Interface (CLI) Documentation
- accessanalyzer
- list-analyzers
- list-findings
- create-archive-rule
- start-resource-scan
- get-finding
- s3api
- put-public-access-block