Ensure that Amazon IAM Access Analyzer is used within your AWS account to help protect your AWS cloud resources from unsolicited access. Access Analyzer is an Identity and Access Management (IAM) feature that helps you find potential security risks in your AWS cloud environment by analyzing the resource-based policies associated with the cloud resources within your zone of trust. The access initiated by the principals created within your zone of trust (i.e. your account or organization) is considered trusted. When IAM Access Analyzer identifies a resource-based policy that allows access to your resources from outside of your zone of trust, it generates a finding. You can use the information generated by the finding, such as the resource name and type, access level and the external principal that has access to the resource, to determine whether the access is intended or unintended. If the access is unintended, it represents a security risk, and therefore actions must be taken to mitigate the risk (e.g. remove the unwanted access). If the access is trusted and necessary for your applications and processes, you can archive the finding to mark it as safe and remove it from the list of active findings. Amazon IAM Access Analyzer continuously monitors for new or updated resource-based policies associated with resources that are shared with an external entity, such as S3 buckets, KMS Customer Master Keys, SQS queues, IAM roles, and Lambda functions. IAM Access Analyzer can provide detailed findings through the Identity and Access Management (IAM) management console, Amazon S3, Amazon Security Hub console, and through its API. Access Analyzer findings can also be exported as a report for auditing purposes.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Amazon IAM Access Analyzer helps you evaluate access permissions across your entire AWS cloud environment so that your security teams and administrators can quickly validate the resource-based policies that provide intended access to your resources and refine the policies that allow unintended access by following the Principle of Least Privilege (i.e. the practice of providing the minimal amount of access required to perform the desired task). Once enabled, Amazon IAM Access Analyzer starts monitoring the access policies associated with S3 buckets, KMS CMKs, SQS queues, IAM roles, and Lambda functions for permission changes, so that you no longer need to rely on intermittent manual checks to catch access security issues when these types of policies are added or updated. The benefits of using IAM Access Analyzer include saving the time required to analyze resource-based policies for public or cross-account accessibility, providing guidance to refine access permissions, continuous monitoring, and providing the highest levels of security assurance.
Audit
To determine if Amazon IAM Access Analyzer feature is used to help protect your cloud resources from unsolicited access, perform the following actions:
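Because an analyzer only covers the region it is created in, the audit boils down to checking that every region you use has an analyzer in the ACTIVE state. The following script is an added example (not Conformity's own tooling or code) that evaluates the parsed JSON of `aws accessanalyzer list-analyzers --region <region>` for each region and lists the regions that lack an active analyzer, together with the `create-analyzer` command that would fix each one. The region data, analyzer names, ARNs and account id below are constructed sample values, and the analyzer name `conformity-analyzer` is an assumed default.

```python
import json

# Constructed sample: the parsed output of
#   aws accessanalyzer list-analyzers --region <region>
# for three regions. Names, ARNs and the account id are made up for this example.
SAMPLE_LIST_ANALYZERS = {
    "us-east-1": {"analyzers": [
        {"arn": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/prod-analyzer",
         "name": "prod-analyzer", "type": "ACCOUNT", "status": "ACTIVE",
         "createdAt": "2023-01-10T12:00:00+00:00"}]},
    "eu-west-1": {"analyzers": [
        {"arn": "arn:aws:access-analyzer:eu-west-1:123456789012:analyzer/old-analyzer",
         "name": "old-analyzer", "type": "ACCOUNT", "status": "DISABLED",
         "createdAt": "2022-06-01T09:30:00+00:00"}]},
    "ap-southeast-2": {"analyzers": []},   # region in use, analyzer never created
}


def regions_missing_active_analyzer(responses_by_region):
    """Return the regions whose list-analyzers output has no analyzer in ACTIVE state.

    An analyzer that is DISABLED, FAILED or still CREATING gives no coverage,
    so such regions are reported exactly like regions with no analyzer at all.
    """
    missing = []
    for region, response in responses_by_region.items():
        analyzers = response.get("analyzers", [])
        if not any(a.get("status") == "ACTIVE" for a in analyzers):
            missing.append(region)
    return sorted(missing)


def create_analyzer_commands(regions, name="conformity-analyzer", analyzer_type="ACCOUNT"):
    """Build the CLI remediation command for each uncovered region.

    The analyzer name is an assumed default; --type is ACCOUNT for a single
    account or ORGANIZATION when the zone of trust is the whole organization.
    """
    return [
        f"aws accessanalyzer create-analyzer --analyzer-name {name} "
        f"--type {analyzer_type} --region {region}"
        for region in regions
    ]


def audit_report(responses_by_region):
    """Summarize the per-region audit as a JSON-serializable dict."""
    missing = regions_missing_active_analyzer(responses_by_region)
    return {
        "checked_regions": sorted(responses_by_region),
        "regions_without_active_analyzer": missing,
        "remediation_commands": create_analyzer_commands(missing),
    }


if __name__ == "__main__":
    print(json.dumps(audit_report(SAMPLE_LIST_ANALYZERS), indent=2))
```

For a real audit, replace `SAMPLE_LIST_ANALYZERS` with a dict built by running `aws accessanalyzer list-analyzers --region <region>` for every region in which you deploy supported resources and loading each response with `json.load`; the report then names exactly the regions where a finding-generating analyzer is absent.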
Remediation / Resolution
To make use of Amazon IAM Access Analyzer, you have to create and configure analyzers to actively monitor the AWS resources in your zone of trust, and then review and resolve the active findings by modifying the policy to remove access to the specified resource. To get started and create the required access analyzers, perform the following actions:
Note 1: IAM Access Analyzer verifies only policies that are applied to cloud resources in the same AWS region that it's enabled in. To monitor all resources in your AWS cloud environment, you must create an analyzer in each region where you're using supported AWS resources.
Note 2: To successfully enable Amazon IAM Access Analyzer, the account that you use must be granted the required permissions. To use all IAM Access Analyzer features, when you create an access analyzer using the AWS Management Console, AWS CLI, or AWS API, the service automatically creates the required "AWSServiceRoleForAccessAnalyzer" role for you. The same service-linked role is used in all AWS regions in which you enable IAM Access Analyzer.
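Once analyzers exist, the remaining work is the review described above: decide for each active finding whether the external access is intended (archive it) or unintended (fix the policy). The script below is an added example, not code from Conformity or AWS, that triages the parsed output of `aws accessanalyzer list-findings --analyzer-arn <arn>` using the fields a finding carries (resource, resource type, principal, actions, public flag). Public access and access from accounts outside a trusted-account allow-list are flagged for investigation; access from trusted accounts is marked as an archive candidate and turned into the matching `update-findings --status ARCHIVED` command. `TRUSTED_ACCOUNT_IDS`, the finding ids, resource ARNs and account ids are constructed for this example, and the analyzer ARN passed to `archive_command` is a placeholder.

```python
import re

# Hypothetical allow-list of account ids inside the zone of trust (constructed
# sample values; substitute the accounts of your own organization).
TRUSTED_ACCOUNT_IDS = {"123456789012", "210987654321"}

# Constructed sample resembling the parsed output of
#   aws accessanalyzer list-findings --analyzer-arn <analyzer-arn>
SAMPLE_LIST_FINDINGS = {"findings": [
    {"id": "f-1", "resource": "arn:aws:s3:::public-assets-bucket",
     "resourceType": "AWS::S3::Bucket", "principal": {"AWS": "*"},
     "action": ["s3:GetObject"], "isPublic": True, "status": "ACTIVE"},
    {"id": "f-2", "resource": "arn:aws:kms:us-east-1:123456789012:key/abcd-1234",
     "resourceType": "AWS::KMS::Key",
     "principal": {"AWS": "arn:aws:iam::210987654321:role/shared-service"},
     "action": ["kms:Decrypt"], "isPublic": False, "status": "ACTIVE"},
    {"id": "f-3", "resource": "arn:aws:sqs:us-east-1:123456789012:orders",
     "resourceType": "AWS::SQS::Queue", "principal": {"AWS": "999999999999"},
     "action": ["sqs:SendMessage", "sqs:ReceiveMessage"], "isPublic": False,
     "status": "ACTIVE"},
    {"id": "f-4", "resource": "arn:aws:iam::123456789012:role/legacy",
     "resourceType": "AWS::IAM::Role",
     "principal": {"AWS": "arn:aws:iam::888888888888:root"},
     "action": ["sts:AssumeRole"], "isPublic": False, "status": "ARCHIVED"},
]}

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def principal_account(principal):
    """Return the 12-digit account id behind a finding's AWS principal.

    Handles a bare account id and an IAM ARN; returns None for '*' or for
    non-AWS principals (e.g. Federated), which never count as trusted.
    """
    value = principal.get("AWS")
    if not isinstance(value, str):
        return None
    if ACCOUNT_ID_RE.match(value):
        return value
    parts = value.split(":")
    if len(parts) >= 6 and ACCOUNT_ID_RE.match(parts[4]):
        return parts[4]
    return None


def triage_findings(response, trusted_accounts):
    """Classify each ACTIVE finding as 'archive' (intended) or 'investigate'."""
    decisions = []
    for finding in response.get("findings", []):
        if finding.get("status") != "ACTIVE":
            continue                      # archived/resolved findings need no action
        account = principal_account(finding.get("principal", {}))
        if finding.get("isPublic"):
            verdict, reason = "investigate", "public access"
        elif account in trusted_accounts:
            verdict, reason = "archive", f"principal in trusted account {account}"
        else:
            verdict, reason = "investigate", f"cross-account access from {account or 'unknown principal'}"
        decisions.append({
            "id": finding["id"], "resource": finding["resource"],
            "resourceType": finding["resourceType"],
            "actions": finding.get("action", []),
            "verdict": verdict, "reason": reason,
        })
    return decisions


def archive_command(analyzer_arn, decisions):
    """Build the CLI command that archives every finding judged intended."""
    ids = [d["id"] for d in decisions if d["verdict"] == "archive"]
    if not ids:
        return None
    return (f"aws accessanalyzer update-findings --analyzer-arn {analyzer_arn} "
            f"--status ARCHIVED --ids {' '.join(ids)}")


if __name__ == "__main__":
    results = triage_findings(SAMPLE_LIST_FINDINGS, TRUSTED_ACCOUNT_IDS)
    for d in results:
        print(f"{d['id']:5} {d['verdict']:12} {d['resourceType']:18} {d['reason']}")
    print(archive_command("arn:aws:access-analyzer:REGION:ACCOUNT:analyzer/NAME", results))
```

The allow-list deliberately does not auto-archive anything marked public, even if the resource lives in a trusted account: a public S3 bucket or KMS key is exactly the class of finding that should be reviewed by a person before its policy is either tightened or accepted.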
References
- AWS Documentation
  - AWS IAM FAQs
  - AWS IAM features
  - AWS IAM access analysis features
  - Using AWS IAM Access Analyzer
  - Access Analyzer resource types
  - How Access Analyzer works
  - Getting started with AWS IAM Access Analyzer
- AWS Command Line Interface (CLI) Documentation
  - accessanalyzer
  - list-analyzers
  - create-analyzer
  - get-analyzer