Tech Blog: Become smarter with IAM Access Analyzer


From a security best-practice point of view, it is important to look at how permissions are actually being used over time and to apply the principle of least privilege. IAM lets you identify who has access to your resources and improve your security posture by removing permissions that a user, group, or role does not need to perform a specific task. AWS recently released a tool, "IAM Access Analyzer", to help with this. It analyzes resource policies (on IAM roles, S3 buckets, Lambda functions, KMS keys, SQS queues, etc.) and reports any public access or cross-account access they grant, so that you can confirm that access is intended.

The principle is that principals and resources within the zone of trust are considered trusted. Any access granted to principals outside the zone of trust is reported as a finding, and you can take action accordingly.

First of all, create an analyzer.

Go to the IAM console > Access reports > Access analyzer > Create analyzer. IAM Access Analyzer is regional; currently you can create one analyzer per region in an account. The analyzer's own AWS account can serve as the zone of trust. Currently, you can choose either "AWS Organization" or "AWS Account" as the zone of trust. Take note that you need to log in as the organization's master account to choose AWS Organization as the zone of trust.

Second, run the analysis.

The analysis runs automatically and continuously. Normally it takes a couple of minutes before you see the first finding in your IAM console. The analyzer continuously monitors policy changes that affect access to your resources, re-analyzes them, and reflects the result as a finding within about 30 minutes of any supported policy change. Alternatively, you can trigger a manual rescan from the Access analyzer page.

Third, review the findings, then remediate or archive them.

The findings can be viewed with the AWS Command Line Interface, the AWS SDK, Amazon CloudWatch Events, AWS Security Hub, and the S3 console (for S3 resources).

In the above example, the analyzer has found that my S3 bucket "testforiamanalyser" grants "read access" to "All Principals".

Based on the report, you can review which external entities have access to your AWS resources. However, IAM Access Analyzer is not equipped to remediate findings or to change your resources' permission settings. If any unwanted access has been granted, you must either make the changes manually or rely on other third-party tools. Airwalk has developed a Continuous Compliance Framework (CCF) to complement IAM Access Analyzer; it uses native AWS CloudWatch and Lambda technology to carry out remediation for you. CCF does not focus only on IAM: it also covers other compliance areas such as VPC, EC2, RDS, and ALB. CCF compares your existing AWS infrastructure against your pre-defined rulesets and identifies the resources that do not comply with them. Notifications can be sent out and remediation can be carried out automatically, covering you round the clock.

On the other hand, if the finding reflects what you intended for your setup, you can select the finding and archive it so that the analyzer won't alert on it again.
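As an added example (not code from the original post), the following Python script shows the review-then-archive step through the AWS SDK: public findings are kept active, cross-account findings from an explicitly allow-listed account are archived as intended, and everything else is left for manual review. The sample findings, account IDs and TRUSTED_ACCOUNTS are constructed placeholders; the live main() assumes boto3 is installed, credentials are configured, and the account has one ACCOUNT-type analyzer.

```python
# Added example (not from the original post): triage IAM Access Analyzer findings.
import re
from typing import Dict, List, Set

# Constructed sample findings in the ListFindings API shape (not real data).
SAMPLE_FINDINGS: List[Dict] = [
    {"id": "f-1", "status": "ACTIVE", "isPublic": True, "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::testforiamanalyser", "principal": {"AWS": "*"}, "action": ["s3:GetObject"]},
    {"id": "f-2", "status": "ACTIVE", "isPublic": False, "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111111111111:role/AuditRole",
     "principal": {"AWS": "arn:aws:iam::222222222222:root"}, "action": ["sts:AssumeRole"]},
    {"id": "f-3", "status": "ACTIVE", "isPublic": False, "resourceType": "AWS::KMS::Key",
     "resource": "arn:aws:kms:eu-west-1:111111111111:key/PLACEHOLDER-KEY-ID",
     "principal": {"AWS": "333333333333"}, "action": ["kms:Decrypt"]},
    {"id": "f-4", "status": "ARCHIVED", "isPublic": False, "resourceType": "AWS::SQS::Queue",
     "resource": "arn:aws:sqs:eu-west-1:111111111111:jobs", "principal": {"AWS": "222222222222"},
     "action": ["sqs:SendMessage"]},
]
TRUSTED_ACCOUNTS: Set[str] = {"222222222222"}  # placeholder: accounts whose access you verified as intended

def principal_account(finding: Dict) -> str:
    """Return the 12-digit account ID behind an 'AWS' principal, or '' for a wildcard/none."""
    match = re.search(r"\d{12}", str(finding.get("principal", {}).get("AWS", "")))
    return match.group(0) if match else ""

def classify(finding: Dict, trusted: Set[str]) -> str:
    """'skip' (not active), 'public' (any principal), 'archive' (trusted account) or 'review'."""
    if finding.get("status") != "ACTIVE":
        return "skip"
    if finding.get("isPublic") or finding.get("principal", {}).get("AWS") == "*":
        return "public"  # never auto-archive public access; fix the resource policy instead
    return "archive" if principal_account(finding) in trusted else "review"

def triage(findings: List[Dict], trusted: Set[str]) -> Dict[str, List[str]]:
    """Group finding IDs by classification so each group can be acted on in bulk."""
    report: Dict[str, List[str]] = {"public": [], "review": [], "archive": [], "skip": []}
    for finding in findings:
        report[classify(finding, trusted)].append(finding["id"])
    return report

def main() -> None:
    """Live run: list ACTIVE findings of the account analyzer and archive the trusted ones."""
    import boto3  # only needed for the live run, not for the pure triage logic above
    client = boto3.client("accessanalyzer")
    analyzer_arn = client.list_analyzers(type="ACCOUNT")["analyzers"][0]["arn"]
    findings = client.list_findings(analyzerArn=analyzer_arn, filter={"status": {"eq": ["ACTIVE"]}})["findings"]
    report = triage(findings, TRUSTED_ACCOUNTS)
    if report["archive"]:  # archive only cross-account access from allow-listed accounts
        client.update_findings(analyzerArn=analyzer_arn, status="ARCHIVED", ids=report["archive"])

if __name__ == "__main__":
    main()
```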

Security is not a one-time job; it requires continuous monitoring. It is absolutely worthwhile to turn IAM Access Analyzer on, especially since it is available for free.