Ensure that IAM Access analyzer is enabled for all regions
AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. Access Analyzer identifies resources shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. Because analyzers are regional, an analyzer must exist and be in the ACTIVE state in every region that is in use.
Risk Level: Low
Cloud Entity: Region
CloudGuard Rule ID: D9.AWS.IAM.74
Category: Global
GSL LOGIC
Region should have accessAnalyzers contain-any [ status='ACTIVE' ]
REMEDIATION
From Portal
Perform the following in each region to create an access analyzer with the account as the zone of trust:
- Open the IAM console at https://console.aws.amazon.com/iam/.
- Choose Access analyzer.
- Choose Create analyzer.
- On the Create analyzer page, confirm that the Region displayed is the Region where you want to enable Access Analyzer.
- Enter a name for the analyzer.
- Choose the account as the zone of trust for the analyzer.
- Choose Create Analyzer.
To create an analyzer with the organization as the zone of trust:
- Open the IAM console at https://console.aws.amazon.com/iam/.
- Choose Access analyzer.
- Choose Create analyzer.
- On the Create analyzer page, confirm that the Region displayed is the Region where you want to enable Access Analyzer.
- Enter a name for the analyzer.
- Choose your organization as the zone of trust for the analyzer.
- Choose Create Analyzer.
From TF
Create an access analyzer for each region (one resource per region, each pointed at a provider alias configured for that region):
resource "aws_accessanalyzer_analyzer" "example_analyzer" {
  provider      = aws.us_east_1   # provider alias for the target region (alias name is illustrative)
  analyzer_name = "example"
  type          = "ACCOUNT"       # or "ORGANIZATION" when the organization is the zone of trust
}
From Command Line
To create an access analyzer, run the following once per region (ANALYZER-TYPE is ACCOUNT or ORGANIZATION):
aws accessanalyzer create-analyzer --region REGION --analyzer-name ANALYZER-NAME --type ANALYZER-TYPE
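The following is an added example (not CloudGuard's or AWS's own code) that implements the GSL logic above, "Region should have accessAnalyzers contain-any [ status='ACTIVE' ]", over a per-region inventory shaped like the aws accessanalyzer list-analyzers response, and then builds the create-analyzer command from the Command Line section for every region that fails. The region names and analyzer entries are constructed sample data; the optional collect_inventory helper takes a boto3 Session supplied by the caller and is the only part that talks to AWS.

```python
"""Evaluate "Region should have accessAnalyzers contain-any [ status='ACTIVE' ]"
over a region -> analyzers inventory and emit remediation commands.

Added example; not CloudGuard's or AWS's own code. Sample data is constructed.
"""
from typing import Dict, List

# Constructed sample inventory: region -> the "analyzers" list that
# `aws accessanalyzer list-analyzers` returns in that region.
# Analyzer status is one of ACTIVE, CREATING, DISABLED or FAILED; only ACTIVE
# satisfies the rule.
SAMPLE_INVENTORY: Dict[str, List[dict]] = {
    "us-east-1": [{"name": "prod-analyzer", "type": "ACCOUNT", "status": "ACTIVE"}],
    "eu-west-1": [{"name": "old-analyzer", "type": "ACCOUNT", "status": "DISABLED"}],
    "ap-southeast-2": [],  # no analyzer at all
    "us-west-2": [
        {"name": "failed-analyzer", "type": "ORGANIZATION", "status": "FAILED"},
        {"name": "org-analyzer", "type": "ORGANIZATION", "status": "ACTIVE"},
    ],
}


def region_is_compliant(analyzers: List[dict]) -> bool:
    """contain-any [ status='ACTIVE' ]: at least one analyzer in the region
    must be ACTIVE. A DISABLED or FAILED analyzer does not count, so a region
    that once had an analyzer can silently drift out of compliance."""
    return any(a.get("status") == "ACTIVE" for a in analyzers)


def evaluate(inventory: Dict[str, List[dict]]) -> List[str]:
    """Return the regions (sorted) that fail the rule."""
    return sorted(
        region for region, analyzers in inventory.items()
        if not region_is_compliant(analyzers)
    )


def remediation_commands(
    regions: List[str],
    analyzer_type: str = "ACCOUNT",
    name: str = "cloudguard-analyzer",
) -> List[str]:
    """Build the create-analyzer CLI command for each failing region.
    analyzer_type is ACCOUNT (account is the zone of trust) or ORGANIZATION."""
    if analyzer_type not in ("ACCOUNT", "ORGANIZATION"):
        raise ValueError("analyzer_type must be ACCOUNT or ORGANIZATION")
    return [
        f"aws accessanalyzer create-analyzer --region {region} "
        f"--analyzer-name {name} --type {analyzer_type}"
        for region in regions
    ]


def collect_inventory(session) -> Dict[str, List[dict]]:
    """Optional live collector: given a boto3 Session, list analyzers in every
    region where the service is offered. Needs access-analyzer:ListAnalyzers.
    Note: get_available_regions also returns opt-in regions; calls into a
    region that is not enabled for the account will raise and should be
    skipped by the caller if that is acceptable for the audit."""
    inventory: Dict[str, List[dict]] = {}
    for region in session.get_available_regions("accessanalyzer"):
        client = session.client("accessanalyzer", region_name=region)
        analyzers: List[dict] = []
        for page in client.get_paginator("list_analyzers").paginate():
            analyzers.extend(page.get("analyzers", []))
        inventory[region] = analyzers
    return inventory


if __name__ == "__main__":
    failing = evaluate(SAMPLE_INVENTORY)
    print("Non-compliant regions:", ", ".join(failing) or "none")
    for command in remediation_commands(failing):
        print(command)
```

Running the module on the sample data reports eu-west-1 (analyzer present but DISABLED) and ap-southeast-2 (no analyzer) as non-compliant, while us-west-2 passes because one of its analyzers is ACTIVE even though another has FAILED. To audit a real account, pass `boto3.Session()` to collect_inventory and feed the result to evaluate.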
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer
- https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html
Region
Each Amazon EC2 Region is designed to be completely isolated from the other Amazon EC2 Regions. This achieves the greatest possible fault tolerance and stability.
Compliance Frameworks
- AWS CIS Foundations v. 1.3.0
- AWS CIS Foundations v. 1.4.0
- AWS CIS Foundations v. 1.5.0
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST v11.0.0
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5