Use the Conformity Knowledge Base AI to help improve your Cloud Posture

IAM Access Analyzer in Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: IAM-065

Ensure that Amazon IAM Access Analyzer is used within your AWS account to help protect your AWS cloud resources from unsolicited access. Access Analyzer is an Identity and Access Management (IAM) feature that helps you find potential security risks in your AWS cloud environment by analyzing the resource-based policies associated with the cloud resources within your zone of trust. The access initiated by the principals created within your zone of trust (i.e. your account or organization) is considered trusted. When IAM Access Analyzer identifies a resource-based policy that allows access to your resources from outside of your zone of trust, it generates a finding. You can use the information generated by the finding, such as the resource name and type, access level and the external principal that has access to the resource, to determine whether the access is intended or unintended. If the access is unintended, it represents a security risk, and therefore actions must be taken to mitigate the risk (e.g. remove the unwanted access). If the access is trusted and necessary for your applications and processes, you can archive the finding to mark it as safe and remove it from the list of active findings. Amazon IAM Access Analyzer continuously monitors for new or updated resource-based policies associated with resources that are shared with an external entity, such as S3 buckets, KMS Customer Master Keys, SQS queues, IAM roles, and Lambda functions. IAM Access Analyzer can provide detailed findings through the Identity and Access Management (IAM) management console, Amazon S3, Amazon Security Hub console, and through its API. Access Analyzer findings can also be exported as a report for auditing purposes.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Amazon IAM Access Analyzer helps you evaluate access permissions across your entire AWS cloud environment so that your security teams and administrators can quickly validate the resource-based policies that provide intended access to your resources and redefine the policies that allow unintended access by following the Principle of Least Privilege (i.e. the practice of providing the minimal amount of access required to perform the desired task). Once enabled, Amazon IAM Access Analyzer starts monitoring the access policies associated with S3 buckets, KMS CMKs, SQS queues, IAM roles, and Lambda functions for permissions changes so that you no longer need to rely on intermittent manual checks to catch access security issues when these type of policies are added or updated. The benefits of using IAM Access Analyzer include saving time required to analyze resource-based policies for public or cross-account accessibility, providing guidance to refine access permissions, continuous monitoring, and providing the highest levels of security assurance.


Audit

To determine if Amazon IAM Access Analyzer feature is used to help protect your cloud resources from unsolicited access, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access analyzer, choose Analyzers to access the list of analyzers available within the current AWS region. An access analyzer monitors all of the supported resources in your zone of trust (i.e. account or organization). If there are no analyzers listed on the Analyzers page, instead a Getting started page is displayed, the Amazon IAM Access Analyzer feature is not used to protect your cloud resources from unintended access within the current AWS region.

04 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-analyzers command (OSX/Linux/UNIX) with custom query filters to describe the Amazon Resource Name (ARN) of each access analyzer created for the selected AWS region (in this case US East - N. Virginia region):

aws accessanalyzer list-analyzers
	--region us-east-1
	--query 'analyzers[*].arn'

02 The command output should return the requested Amazon Resource Name(s) (ARN(s)):

[]

If the list-analyzers command output returns an empty array, as shown in the example above, there are no access analyzers available in the region, therefore the Amazon IAM Access Analyzer feature is not used to protect your cloud resources from unintended access in the selected AWS region.

03 Change the AWS region by updating the --region command parameter value and repeat the audit process for other regions.

Remediation / Resolution

To make use of Amazon IAM Access Analyzer, you have to create and configure analyzers to actively monitor your AWS resources in your zone of trust, review, and resolve the active findings by modifying the policy to remove access to the specified resource. To get started and create the required access analyzers, perform the following actions:

Note 1: IAM Access Analyzer verifies only policies that are applied to cloud resources in the same AWS region that it`s enabled in. To monitor all resources in your AWS cloud environment, you must create an analyzer in each region where you`re using supported AWS resources.

Note 2: To successfully enable Amazon IAM Access Analyzer, the account that you use must be granted the required permissions. To use all IAM Access Analyzer features, when you create an access analyzer using AWS Management Console, AWS CLI, or AWS API, the service automatically creates the required "AWSServiceRoleForAccessAnalyzer" role for you. The same service-linked role is used in all AWS regions in which you enable IAM Access Analyzer.

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

03 In the navigation panel, under Access analyzer, select Analyzers, and choose Create analyzer to initiate the setup process.

04 On the Create analyzer setup page, perform the following:

  1. In the Name box, provide a unique name for your new access analyzer.
  2. For Zone of trust, choose the organization or the individual account that you want to configure as the zone of trust for the new analyzer. Resource-based policies for all the supported cloud resources within your zone of trust are analyzed to identify access allowed from outside the zone of trust.
  3. (Optional) For Tags, choose Add tag to add tags to the analyzer. Tags are words or phrases that act as metadata for identifying and organizing your AWS cloud resources. Each tag consists of a key and one optional value.
  4. Click on Create analyzer to create your new access analyzer. After the analyzer is created, navigate back to the Analyzers page and make sure that your access analyzer's status is set to Active. The analyzer is now actively monitoring resources within the selected zone of trust. It may take up to 30 minutes after a policy is modified for the new analyzer to check the resource and generate findings for that resource.

05 To review and resolve any active findings identified by your access analyzer within the current AWS region, follow the steps outlined in the IAM Access Analyzer Findings conformity rule.

06 Change the AWS region from the navigation bar and repeat steps no. 3 – 5 to enable and configure Amazon IAM Access Analyzer for other regions.

Using AWS CLI

01 Run create-analyzer command (OSX/Linux/UNIX) to create your new access analyzer and enable Amazon IAM Access Analyzer in the selected AWS region. The following command example creates an access analyzer which uses the current AWS account as zone of trust, in the US East (N. Virginia) region. To use an organization as zone of trust replace ACCOUNT with ORGANIZATION for the --type parameter value:

aws accessanalyzer create-analyzer
	--region us-east-1
	--analyzer-name cc-us-east-1-access-analyzer
	--type ACCOUNT

02 The command output should return the Amazon Resource Name (ARN) of the new access analyzer:

{
    "arn": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/cc-us-east-1-access-analyzer"
}

03 The command output should return the Amazon Resource Name (ARN) of the new access analyzer:

{
    "arn": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/cc-us-east-1-access-analyzer"
}

04 Run get-analyzer command (OSX/Linux/UNIX) using the name of the newly created analyzer as identifier parameter, to describe the status of the specified access analyzer:

aws accessanalyzer get-analyzer
	--region us-east-1
	--analyzer-name cc-us-east-1-access-analyzer
	--query 'analyzer.status'

05 If successful, the command output should return "ACTIVE" for the current status of the analyzer. The access analyzer is now actively monitoring resources available in the selected zone of trust. It may take up to 30 minutes after a policy is modified for the new analyzer to check the resource and generate findings for that resource:

"ACTIVE"

06 To review and resolve any active findings identified by your access analyzer in the selected AWS region, follow the steps outlined in the IAM Access Analyzer Findings conformity rule.

07 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 6 to the enable and configure Amazon IAM Access Analyzer for other regions.

References

Publication date Oct 28, 2020