IAM Access Analyzer Overview
IAM Access Analyzer is a feature of AWS Identity and Access Management (IAM) that identifies resources whose policies grant access from outside your AWS account or organization, a common source of unintended exposure. It supports resource types such as S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, and Secrets Manager secrets.
Key Features
- Resource Sharing Insights: Helps identify AWS resources shared externally, whether with other AWS accounts, IAM users or roles, or external callers identified by source IP address or VPC endpoint.
- Zone of Trust Definition: Allows defining a "zone of trust," which typically includes your AWS account(s) or the entire organization. Resources shared outside this zone are flagged.
- Findings for Potential Security Risks: Generates a finding for each resource that is accessible from outside the zone of trust, so you can decide whether the access is intended and remediate it if it is not.
Steps to Use IAM Access Analyzer
- Access IAM Console: Navigate to the IAM console and select Access Analyzer.
- Create an Analyzer: Give the analyzer a name (e.g., "console analyzer") and set its zone of trust to your current account. Creating an analyzer is free.
- Review Findings: Once the analyzer has scanned your resources, review the findings for resources shared outside your zone of trust.
- Take Action on Findings: For each finding, decide whether the access is intended. If it is not, adjust the resource's access policy and rescan; resolved findings no longer appear among the active findings.
Real-world Application Example
- SQS Queue Shared Externally: An SQS queue named "demo S3 notification" has an access policy that allows external accounts to send messages to it, which Access Analyzer reports as a finding. The recommended action is to review the queue's access policy in the SQS console, remove the unwanted permission, and rescan to resolve the finding.
- S3 Buckets with Public Access: Findings may include S3 buckets that allow public access. Depending on whether that access is intended, the response is either to archive the finding or to tighten the bucket's access policy.
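To make the zone-of-trust idea concrete, the following added example (not AWS code, and far simpler than the automated reasoning Access Analyzer actually uses) evaluates resource-based policies against a zone of trust and reports the kind of findings described above: a queue shared with another account, a public bucket, and a bucket whose "*" principal is narrowed to the organization by an aws:PrincipalOrgID condition and therefore produces no finding. All account IDs, organization IDs, resource names and policies are constructed placeholders; only Principal elements and the aws:PrincipalOrgID, aws:PrincipalAccount and aws:SourceAccount condition keys are modelled.

```python
import re
from dataclasses import dataclass

# Zone of trust: accounts (and optionally organizations) whose access counts as
# internal. Every ID in this example is a constructed placeholder.
@dataclass(frozen=True)
class ZoneOfTrust:
    accounts: frozenset
    org_ids: frozenset = frozenset()

@dataclass(frozen=True)
class Finding:
    resource: str    # ARN of the shared resource
    principal: str   # "*" for anonymous access, else the external account/org ID(s)
    actions: tuple   # actions the statement grants
    is_public: bool  # True when anyone can use the statement

_ARN_ACCOUNT = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")

def _listify(v):
    return v if isinstance(v, list) else [v]

def _aws_principals(stmt):
    """AWS principals of a statement; '*' means any principal."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        return _listify(p.get("AWS", []))
    return []  # Service/Federated principals are out of scope for this model

def _account_of(principal):
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = _ARN_ACCOUNT.match(principal)
    return m.group(1) if m else None

def _untrusted_scope(stmt, zone):
    """For a '*' principal: None if a condition limits callers to the zone of
    trust, '*' if nothing narrows the caller, else the untrusted org/account IDs."""
    for block in stmt.get("Condition", {}).values():
        for key, trusted in (("aws:PrincipalOrgID", zone.org_ids),
                             ("aws:PrincipalAccount", zone.accounts),
                             ("aws:SourceAccount", zone.accounts)):
            if key in block:
                bad = [v for v in _listify(block[key]) if v not in trusted]
                return ",".join(bad) if bad else None
    return "*"

def find_external_access(resource_arn, policy, zone):
    """Report Allow statements that grant access from outside the zone of trust."""
    findings = []
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = tuple(_listify(stmt.get("Action", [])))
        for principal in _aws_principals(stmt):
            if principal == "*":
                who = _untrusted_scope(stmt, zone)
                if who is not None:
                    findings.append(Finding(resource_arn, who, actions, who == "*"))
                continue
            account = _account_of(principal)
            if account not in zone.accounts:
                findings.append(Finding(resource_arn, account or principal, actions, False))
    return findings

ZONE = ZoneOfTrust(accounts=frozenset({"111111111111"}),
                   org_ids=frozenset({"o-exampleorg"}))

# Constructed policies modelled on the findings discussed in the text: a queue
# shared with another account, a public bucket, and a bucket open only to the org.
SAMPLE_RESOURCES = [
    ("arn:aws:sqs:us-east-1:111111111111:demo-s3-notification", {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:111111111111:demo-s3-notification"}]}),
    ("arn:aws:s3:::demo-public-bucket", {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::demo-public-bucket/*"}]}),
    ("arn:aws:s3:::demo-org-bucket", {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::demo-org-bucket", "arn:aws:s3:::demo-org-bucket/*"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}}]}),
]

def scan_sample():
    findings = []
    for arn, policy in SAMPLE_RESOURCES:
        findings.extend(find_external_access(arn, policy, ZONE))
    return findings

if __name__ == "__main__":
    for f in scan_sample():
        who = "PUBLIC" if f.is_public else f"shared with {f.principal}"
        print(f"{f.resource}: {who} via {', '.join(f.actions)}")
```

The scan reports two findings: the queue is shared with account 222222222222 (not public), and the first bucket is public. The organization-scoped bucket is silent because its condition keeps callers inside the zone of trust, which is the same reason the real analyzer distinguishes "public" from "shared with a specific principal" in its findings. Rescanning after a policy fix is just rerunning find_external_access on the updated policy; an empty result corresponds to a resolved finding.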

Archiving and Resolving Findings
- Archiving Findings: If a finding is determined to be intended or not a risk, it can be archived.
- Automating Archive Rules: You can define archive rules that automatically archive new findings matching specific criteria, which helps manage resources whose public or shared access is expected.
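The following added example (not AWS code) shows how archive rules act on findings. The criterion operators (eq, neq, contains, exists) and dotted filter keys such as principal.AWS follow the shape of Access Analyzer's archive-rule filter syntax, but the findings, rule names, bucket names and account IDs are constructed sample data, and the archivedBy field is added here for traceability rather than taken from the real finding schema.

```python
# Evaluate Access Analyzer-style archive rules against a list of findings.
# Findings are dicts shaped like the analyzer's finding records; rules map a
# rule name to a filter of {key: criterion} pairs (constructed sample data).

def _field(finding, key):
    """Resolve a dotted key such as 'principal.AWS' to a string, or None when
    the field is absent. Booleans become 'true'/'false' to match eq filters."""
    cur = finding
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    if isinstance(cur, bool):
        return "true" if cur else "false"
    return str(cur)

def _matches_criterion(value, criterion):
    """Every operator present in the criterion must hold for the value."""
    if "exists" in criterion and (value is not None) != bool(criterion["exists"]):
        return False
    if "eq" in criterion and value not in criterion["eq"]:
        return False
    if "neq" in criterion and value in criterion["neq"]:
        return False
    if "contains" in criterion and not any(s in (value or "") for s in criterion["contains"]):
        return False
    return True

def matches_rule(finding, rule_filter):
    """A rule matches only when all of its criteria match the finding."""
    return all(_matches_criterion(_field(finding, key), crit)
               for key, crit in rule_filter.items())

def apply_archive_rules(findings, rules):
    """Return copies of the findings; ACTIVE ones matching a rule become ARCHIVED."""
    result = []
    for finding in findings:
        f = dict(finding)
        if f.get("status") == "ACTIVE":
            for name, rule_filter in rules.items():
                if matches_rule(f, rule_filter):
                    f["status"] = "ARCHIVED"
                    f["archivedBy"] = name  # not a real finding field; added for traceability
                    break
        result.append(f)
    return result

# Constructed findings: the externally shared queue from the text, a public
# bucket that intentionally hosts a website, and a public bucket that should not be.
SAMPLE_FINDINGS = [
    {"id": "f-1", "resource": "arn:aws:sqs:us-east-1:111111111111:demo-s3-notification",
     "resourceType": "AWS::SQS::Queue", "isPublic": False,
     "principal": {"AWS": "222222222222"}, "action": ["sqs:SendMessage"], "status": "ACTIVE"},
    {"id": "f-2", "resource": "arn:aws:s3:::demo-public-website",
     "resourceType": "AWS::S3::Bucket", "isPublic": True,
     "principal": {"AWS": "*"}, "action": ["s3:GetObject"], "status": "ACTIVE"},
    {"id": "f-3", "resource": "arn:aws:s3:::demo-logs",
     "resourceType": "AWS::S3::Bucket", "isPublic": True,
     "principal": {"AWS": "*"}, "action": ["s3:GetObject"], "status": "ACTIVE"},
]

# Two rules: public access to one named bucket is expected, and sharing with a
# specific partner account (constructed ID) is expected. Each rule is kept
# narrow so it cannot silently archive unrelated public exposure.
SAMPLE_RULES = {
    "intended-public-website": {
        "resourceType": {"eq": ["AWS::S3::Bucket"]},
        "isPublic": {"eq": ["true"]},
        "resource": {"contains": ["demo-public-website"]},
    },
    "trusted-partner-account": {
        "isPublic": {"eq": ["false"]},
        "principal.AWS": {"eq": ["333333333333"]},
    },
}

def apply_sample():
    return apply_archive_rules(SAMPLE_FINDINGS, SAMPLE_RULES)

if __name__ == "__main__":
    for f in apply_sample():
        rule = f" (rule: {f['archivedBy']})" if "archivedBy" in f else ""
        print(f"{f['id']} {f['resource']}: {f['status']}{rule}")
```

Only the website bucket is archived; the queue stays active because the sharing account is not the trusted partner, and the logs bucket stays active because the public-access rule is pinned to one resource. Keeping rules this specific matters: a rule that archived every isPublic finding would hide exactly the exposure the analyzer exists to surface.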
This overview of IAM Access Analyzer emphasizes its role in improving security posture by identifying unintended resource sharing in AWS environments and enabling its remediation.