How to use Access Analyzer in IAM

In this blog, you will learn about leveraging Access Analyzer in IAM. Discover how this powerful tool helps analyze resource access policies to identify and mitigate security risks effectively.

What is Access Analyzer in IAM

IAM Access Analyzer helps you find and control the access policies in your AWS accounts.

It lets you review your resource policies and confirm that the permissions they grant are the ones you intended and that they meet your security and compliance requirements.

Policy Analysis

External Access Detection: Access Analyzer checks resource-based policies (on IAM roles, S3 buckets, KMS keys, etc.) to see whether any of these resources can be accessed from outside the AWS account. This helps find public or cross-account access that was not intended.

Continuous Monitoring: It continuously checks policies and raises a new finding when a change could let someone in without permission. This lets you manage resource permissions proactively.

Findings and Recommendations

Findings: When Access Analyzer finds a possible problem, it generates findings that describe the affected resources and the type of access involved. These findings help you understand and investigate access problems.

Remediation Advice: For each finding, Access Analyzer gives advice on what can be done to fix the access problem, such as changing the policy to limit access appropriately.

Steps to use Access Analyzer in IAM

Sign in to the AWS Management Console.

Access the Access Analyzer

  • In the navigation pane, click on Access Analyzer. Click on the Create analyzer button.

There are two types of analyzer to choose from:

  • External access analysis (free to use; there is no cost associated with it)
  • Unused access analysis (it costs $0.20 per IAM user or role per month)

Select External access analysis.

Then click on Create analyzer.

Under External access you can see the findings, if there are any. It takes some time for the findings to be generated.

Here you can see the findings from the external access analyzer. According to this IAM Access Analyzer finding, the S3 bucket static-website-hosting-3242354 is widely accessible. This means that anyone with the s3:GetObject permission can read its contents. The state is “active,” which means that anyone can access it right now.

Based on the findings you can take the appropriate action, such as blocking access to that S3 bucket or deleting the widely accessible bucket.

In the same way you can also create the unused access analyzer. First, give it a name, then set the tracking period, i.e. how many days of inactivity to track; it ranges from 1 day to 180 days.

Third, specify where to apply it: at the organization level or to a particular account. Then click on Create analyzer.

When you no longer need the analyzer, you can delete it from the analyzer settings.
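As an added example (not code from the post or from AWS), here is a simplified Python check of the kind Access Analyzer performs for external access: given a resource-based policy and the owning account ID, it flags Allow statements whose principals are public ("*") or belong to another account, and it is run against a constructed public bucket policy for the bucket named in the finding beside a restricted version that an operator might apply as the fix. The account ID and role name are placeholders, not real values.

```python
# Constructed sample policies for the bucket named in the post's finding;
# the account ID and role name are placeholders, not real values.
OWN_ACCOUNT = "111122223333"
BUCKET_ARN = "arn:aws:s3:::static-website-hosting-3242354/*"

PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET_ARN}]}

RESTRICTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AccountOnlyRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/WebReader"},
     "Action": ["s3:GetObject"], "Resource": BUCKET_ARN}]}

def _aws_principals(principal):
    """Flatten the Principal element to the AWS principals it names.
    Service and Federated principals are ignored by this simplified check."""
    if isinstance(principal, str):          # "*" shorthand
        return [principal]
    value = principal.get("AWS", [])
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Account ID for a bare 12-digit account ID or an IAM ARN, else None."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 and parts[0] == "arn" else None

def external_access_findings(policy, own_account):
    """One finding per principal of an Allow statement that is outside own_account.
    Statements with a Condition are still reported: conditions may narrow access,
    but this check does not evaluate them (the real Access Analyzer does)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        for p in _aws_principals(stmt.get("Principal", {})):
            if p == "*" or _account_of(p) != own_account:
                findings.append({"sid": stmt.get("Sid"), "principal": p,
                                 "isPublic": p == "*", "actions": actions})
    return findings

if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, external_access_findings(policy, OWN_ACCOUNT))
```

The public policy yields one finding with isPublic set, matching the "active" public-read finding described above, while the restricted policy yields none.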

Conclusion

In conclusion, Access Analyzer in IAM serves as a valuable asset in enhancing security by thoroughly analyzing resource access policies. By identifying and addressing potential security risks, organizations can fortify their AWS environments and maintain robust protection against unauthorized access.

If you like this blog, you can share it with your friends or colleagues. You can connect with me on social media profiles like LinkedIn, Twitter, and Instagram. If you have any doubt, feel free to comment.

This Post Has 2 Comments

  1. rPnfpzoFYqZ

    Great guide on IAM Access Analyzer! Clear steps and very helpful.
