Overview
In a multi-account AWS environment, it’s common to grant external entities—such as users from another AWS account, third-party services, or identity providers—access to resources via IAM roles. These roles include:
- Trust Policies (who can assume the role)
- Permissions Policies (what actions the role can perform)
To ensure security, it’s crucial to apply the principle of least privilege. This blog post shows how to use IAM Access Analyzer and IAM action last accessed data to identify and refine overly permissive roles.
Use IAM roles to securely grant access to an external entity in AWS.
This allows users, applications, or services outside your AWS account—such as another AWS account, a third-party service, or an external identity provider—to access your resources without sharing long-term credentials.
You can create an IAM role to grant an external entity access to resources in your AWS account. For example, as an application developer, you might enable cross-account access by attaching a trust policy to a role.
To do this, first create a role with a trust policy that allows the external entity to assume it. Then define a permissions policy that specifies the actions the role can perform. Once the role can be assumed, the external entity can access your resources according to the permissions attached to the role.
It is essential to limit the permissions of externally accessible roles to only those required for the specific task.
How to Grant Access Using IAM Roles:
- Create an IAM Role:
  - Go to the IAM Console → Roles → Create role.
  - Select the trusted entity type (AWS account, web identity, SAML, or custom trust).
- Define a Trust Policy:
  - Specify which external entities can assume the role.
  - Example trust policy for cross-account access:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```

- Attach a Permissions Policy:
  - Define the actions and resources the role can access.
  - Example policy to allow S3 read-only access:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

- Provide Role Details to the External Entity:
  - Share the role ARN so the external entity can assume it using AWS Security Token Service (STS).
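As an added example (not code from the original post or from AWS), the following Python script applies the least-privilege checks described above to the two policies just shown. The trust policy is the post's example with its placeholder account ID; the permissions policy repeats the post's S3 statement and adds a constructed over-broad statement so the checker has something to report. The string-or-list handling follows the IAM policy grammar; the finding messages are this example's own wording.

```python
"""Static least-privilege checks for an externally assumable IAM role.
Added example, not code from the original post or from AWS. The trust
policy below is the post's example; the permissions policy repeats the
post's S3 statement and adds a constructed over-broad statement so the
checker has something to report."""
import json

TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
""")

PERMISSIONS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"],
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Return (statement_index, message) findings for a role trust policy.

    Only the "AWS" principal type is inspected; service principals and
    NotPrincipal statements are out of scope for this example."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = []
        for p in aws_principals:
            if p == "*":
                findings.append((idx, "anonymous principal: any AWS identity may assume the role"))
            elif p.endswith(":root"):
                # An account root principal delegates the decision to every IAM
                # identity in that account that is allowed sts:AssumeRole.
                findings.append((idx, f"account-wide principal {p}: narrow to a specific role or user ARN"))
        if aws_principals and not stmt.get("Condition"):
            findings.append((idx, "no Condition: consider requiring sts:ExternalId for third-party access"))
    return findings


def check_permissions_policy(policy):
    """Return (statement_index, message) findings for wildcard grants."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, f"wildcard action {action}"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, "wildcard resource *"))
    return findings


if __name__ == "__main__":
    for name, result in (("trust", check_trust_policy(TRUST_POLICY)),
                         ("permissions", check_permissions_policy(PERMISSIONS_POLICY))):
        for idx, msg in result:
            print(f"{name} policy, statement {idx}: {msg}")
```

Run against the post's trust policy, the checker reports two findings on statement 0: the principal is an entire account (`:root`) rather than a specific role, and the empty `Condition` block places no further restriction on who may assume the role. Narrowing the principal to the exact role ARN in the other account, and adding an `sts:ExternalId` condition when the other account belongs to a third party, closes both.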
Monitor and Refine Access:
Use IAM Access Analyzer to detect unintended access.
AWS IAM Access Analyzer is a security tool that helps identify and analyze access permissions for AWS resources. It detects unintended external access and assists in refining IAM policies to follow the principle of least privilege.
Key Features of IAM Access Analyzer
- Detects External Access – Identifies resources (S3 buckets, IAM roles, KMS keys, etc.) that are accessible from outside your AWS account.
- Analyzes IAM Policies – Helps validate and refine IAM roles, trust policies, and permissions.
- Findings & Recommendations – Provides detailed findings on risky permissions and suggests actions to secure resources.
- Policy Validation – Flags overly permissive policies and offers security improvements.
How to Use IAM Access Analyzer
- Enable IAM Access Analyzer
  - Go to IAM Console → Access Analyzer.
  - Create an analyzer for your AWS account or organization.
  - AWS automatically scans IAM policies for risky access.
- Review Findings
  - Findings highlight resources that allow external access (e.g., IAM roles, S3 buckets, Lambda functions).
  - Check whether the access is intended or unintentional.
- Refine Permissions
  - Use IAM action last accessed data to remove unnecessary permissions.
  - Restrict access using least privilege policies.
  - Update trust policies to limit external entities.
- Validate IAM Policies
  - Use IAM Access Analyzer’s policy validation to identify misconfigurations.
  - Modify policies based on AWS security recommendations.
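The "Refine Permissions" step above is the one that benefits most from a worked example. The Python below is an added example, not code from the original post or from AWS: it takes a role's permissions policy and an action-level last-accessed record and removes the actions that have not been used within a chosen window. `LAST_ACCESSED` is a constructed record whose field names are loosely modelled on the IAM last-accessed report (`ServicesLastAccessed`, `TrackedActionsLastAccessed`, `ActionName`, `LastAccessedTime`); the policy, the timestamps and the "current time" are all made up for the demonstration.

```python
"""Prune a role's permissions policy using action last accessed data.
Added example, not code from the original post or from AWS. The report
below is constructed; its field names only approximate IAM's own output."""
import copy
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # constructed "current" time

# Constructed permissions policy: three object-level actions and a bucket listing.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
}

# Constructed last-accessed record. s3:DeleteObject has no entry at all,
# meaning it was never used during the tracking period.
LAST_ACCESSED = {
    "ServicesLastAccessed": [
        {"ServiceNamespace": "s3",
         "LastAuthenticated": NOW - timedelta(days=2),
         "TrackedActionsLastAccessed": [
             {"ActionName": "GetObject", "LastAccessedTime": NOW - timedelta(days=2)},
             {"ActionName": "ListBucket", "LastAccessedTime": NOW - timedelta(days=40)},
             {"ActionName": "PutObject", "LastAccessedTime": NOW - timedelta(days=200)},
         ]},
    ]
}


def _as_list(value):
    """IAM accepts a single string or a list in the Action field."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def last_used_by_action(report):
    """Map 'namespace:Action' -> datetime of the most recent recorded use."""
    used = {}
    for svc in report["ServicesLastAccessed"]:
        ns = svc["ServiceNamespace"]
        for act in svc.get("TrackedActionsLastAccessed", []):
            used[f"{ns}:{act['ActionName']}"] = act["LastAccessedTime"]
    return used


def unused_actions(policy, report, now=NOW, max_age_days=90):
    """Return allowed actions not used within the last max_age_days.

    Wildcard actions (s3:*, *) are skipped: they cannot be pruned by
    subtraction and should be rewritten explicitly instead."""
    cutoff = now - timedelta(days=max_age_days)
    used = last_used_by_action(report)
    stale = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action.endswith("*"):
                continue
            last = used.get(action)
            if last is None or last < cutoff:
                stale.append(action)
    return stale


def prune_policy(policy, stale):
    """Return a copy of the policy with the stale actions removed.

    Deny statements are kept untouched; Allow statements left with no
    actions are dropped entirely."""
    pruned = copy.deepcopy(policy)
    drop = set(stale)
    kept = []
    for stmt in pruned["Statement"]:
        if stmt.get("Effect") != "Allow":
            kept.append(stmt)
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if a not in drop]
        if not actions:
            continue
        stmt["Action"] = actions if len(actions) > 1 else actions[0]
        kept.append(stmt)
    pruned["Statement"] = kept
    return pruned


if __name__ == "__main__":
    stale = unused_actions(PERMISSIONS_POLICY, LAST_ACCESSED)
    print("unused in the last 90 days:", stale)
    print(json.dumps(prune_policy(PERMISSIONS_POLICY, stale), indent=2))
```

With the 90-day window the script removes `s3:PutObject` (last used 200 days ago) and `s3:DeleteObject` (never used) and keeps `s3:GetObject` and `s3:ListBucket`. Two caveats a practitioner should keep in mind: action-level last-accessed data is only available for a subset of AWS services, so for the others the check has to fall back to service-level `LastAuthenticated`; and a role used only by an infrequent job (a quarterly report, a disaster-recovery drill) can look unused inside a short window, so the window should be chosen per role rather than globally.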
Best Practices for IAM Access Analyzer
- Regularly review findings to identify security risks.
- Use IAM policy validation to avoid overly permissive access.
- Implement least privilege access by refining IAM roles.
- Monitor and log access using AWS CloudTrail.

WRITTEN BY Avinash Singh Bundela