Ensure that IAM Access analyzer is enabled for all regions

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. Access Analyzer identifies resources shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment

Risk Level: Low
Cloud Entity: Region
CloudGuard Rule ID: D9.AWS.IAM.74
Category: Global

GSL LOGIC

Region should have accessAnalyzers contain-any [ status='ACTIVE' ]

REMEDIATION

From Portal
Perform the following to create access analyzer for each region:

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. Choose Access analyzer.
  3. Choose Create analyzer.
  4. On the Create analyzer page, confirm that the Region displayed is the Region where you want to enable Access Analyzer.
  5. Enter a name for the analyzer.
  6. Choose the account as the zone of trust for the analyzer.
  7. Choose Create Analyzer.

To create an analyzer with the organization as the zone of trust

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. Choose Access analyzer.
  3. Choose Create analyzer.
  4. On the Create analyzer page, confirm that the Region displayed is the Region where you want to enable Access Analyzer.
  5. Enter a name for the analyzer.
  6. Choose your organization as the zone of trust for the analyzer.
  7. Choose Create Analyzer.

From TF
Create access analyzer for each region as:

resource "aws_accessanalyzer_analyzer" "example_analyzer" {
	analyzer_name = "example"
}

From Command Line
To create an access analyzer, run:

aws accessanalyzer create-analyzer --analyzer-name ANALYZER-NAME --type ANALYZER-TYPE

References

  1. https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer
  3. https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html

Region

Each Amazon EC2 Region is designed to be completely isolated from the other Amazon EC2 Regions. This achieves the greatest possible fault tolerance and stability.

Compliance Frameworks

  • AWS CIS Foundations v. 1.3.0
  • AWS CIS Foundations v. 1.4.0
  • AWS CIS Foundations v. 1.5.0
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS HITRUST v11.0.0
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-53 Rev 5