IAM Access Analyzer: An Overview
IAM Access Analyzer is an AWS security service that continuously analyzes access permissions and reports findings, so that risky access can be identified proactively and remediated quickly. Its granular permission analysis, integration with AWS Security Hub, and remediation guidance streamline security management. It also supports cross-account analysis across an AWS organization, helping keep access control consistent across multiple AWS accounts, and its visibility and reporting help organizations maintain compliance and make informed security decisions. It can be set up in a few steps from the AWS Management Console and then runs automatically.
Legacy Feature: External Access
IAM Access Analyzer evaluates external access by using the Zelkova automated-reasoning framework to interpret IAM policies. It does not inspect access logs; findings are derived from the permissions granted in resource-based policies, which also preserves customer privacy. The analysis focuses on potential external access and takes into account the IAM condition keys that affect authorization. Principals belonging to AWS services and internal service accounts are excluded. The analyzer is designed to minimize false negatives, giving a comprehensive view of how resources in your AWS account are shared and accessed.
New Feature: Unused Access
AWS IAM Access Analyzer now also identifies and helps correct unused access for IAM roles. This complements the external access findings, and a dedicated analyzer must be created to use it across an AWS organization. The analyzer detects unused permissions by examining last-accessed data for roles, access keys, and passwords, using IAM service and action last-accessed information to pinpoint dormant access precisely. This scales access reviews and supports in-depth investigation, strengthening overall access governance.
New Feature: Custom Check Policy
AWS IAM Access Analyzer also offers custom policy checks for validating policies against your security standards. Two checks are available. The first compares an updated policy against a reference policy to identify any new access it would grant; it can be run from the AWS CLI, the IAM Access Analyzer API, or the IAM console JSON policy editor. The second verifies that a policy does not grant specific IAM actions, and can be run while creating or editing a policy using the AWS CLI or API. These checks help align policies with security standards and improve the overall security posture of an AWS environment.
To use this feature from the AWS Management Console:
- Open the IAM console and, in the left pane, select Policies.
- Click Create policy and specify the permissions on the policy editor page using the JSON or Visual editor.
- When done, select the 'JSON' tab (if you used the visual editor), open the 'Check for new access' tab, and click 'Check policy'. The new policy is compared with an existing customer managed policy and the results are displayed, as shown in the figure.
Using the feature from the AWS CLI:
Check for no new access:
aws accessanalyzer check-no-new-access --new-policy-document file://newpolicy.json --existing-policy-document file://refpolicy.json --policy-type IDENTITY_POLICY
Output after command execution:
Check for access not granted (the actions to be checked are passed in the --access parameter):
aws accessanalyzer check-access-not-granted --policy-document file://newpolicy.json --access actions=s3:DeleteBucket,guardduty:DisableOrganizationAdminAccount --policy-type IDENTITY_POLICY
Output after command execution:
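The two CLI checks above map directly onto the CheckNoNewAccess and CheckAccessNotGranted API operations, so the same gate can be scripted, for example in a CI pipeline that reviews policy changes. The following is an added example, not code from the original post or from AWS: it runs both checks through a boto3-style client and refuses the policy if either fails. The API operation names, parameter names and the response fields (result, message, reasons) are the real ones; the reference and proposed policy documents, and the offline FakeAccessAnalyzer (which only matches action wildcards, unlike the real service), are constructed for this example.

```python
"""Added example (not from the original post): gate a proposed IAM policy with
IAM Access Analyzer custom policy checks. Replace FakeAccessAnalyzer() with
boto3.client("accessanalyzer") to run against the real service."""
import fnmatch
import json

# Constructed reference policy: the baseline the team has already approved.
REFERENCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}],
}

# Constructed proposed policy: someone widened it to s3:*, which includes s3:DeleteBucket.
PROPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "WideS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Actions that must never be granted (the two from the post's CLI example).
DENIED_ACTIONS = ["s3:DeleteBucket", "guardduty:DisableOrganizationAdminAccount"]


def check_policy(client, new_policy, reference_policy, denied_actions):
    """Run both custom policy checks and summarise them.

    `client` is any object with boto3-style check_no_new_access / check_access_not_granted
    methods. Returns the two results, an overall approved flag and human-readable findings.
    """
    new_doc = json.dumps(new_policy)
    no_new = client.check_no_new_access(
        newPolicyDocument=new_doc,
        existingPolicyDocument=json.dumps(reference_policy),
        policyType="IDENTITY_POLICY",
    )
    not_granted = client.check_access_not_granted(
        policyDocument=new_doc,
        access=[{"actions": denied_actions}],
        policyType="IDENTITY_POLICY",
    )
    findings = []
    for name, resp in (("no_new_access", no_new), ("access_not_granted", not_granted)):
        for reason in resp.get("reasons", []):
            where = reason.get("statementId", reason.get("statementIndex"))
            findings.append(f"{name}: statement {where}: {reason['description']}")
    return {
        "no_new_access": no_new["result"],
        "access_not_granted": not_granted["result"],
        "approved": no_new["result"] == "PASS" and not_granted["result"] == "PASS",
        "findings": findings,
    }


def _allowed_action_patterns(policy):
    """(lower-cased action pattern, statement label) for every Allow statement."""
    out = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        label = stmt.get("Sid", str(idx))
        out.extend((a.lower(), label) for a in actions)
    return out


class FakeAccessAnalyzer:
    """Constructed offline stand-in for the accessanalyzer client.

    It only compares action wildcards; the real service also reasons over resources,
    conditions and Deny statements. It exists so the gate runs without AWS credentials.
    """

    def check_access_not_granted(self, policyDocument, access, policyType):
        patterns = _allowed_action_patterns(json.loads(policyDocument))
        reasons = [{"description": f"grants {denied}", "statementId": label}
                   for denied in access[0]["actions"]
                   for pattern, label in patterns
                   if fnmatch.fnmatchcase(denied.lower(), pattern)]
        return {"result": "FAIL" if reasons else "PASS", "message": "constructed", "reasons": reasons}

    def check_no_new_access(self, newPolicyDocument, existingPolicyDocument, policyType):
        reference = [p for p, _ in _allowed_action_patterns(json.loads(existingPolicyDocument))]
        reasons = [{"description": f"new access: {pattern}", "statementId": label}
                   for pattern, label in _allowed_action_patterns(json.loads(newPolicyDocument))
                   if not any(fnmatch.fnmatchcase(pattern, ref) for ref in reference)]
        return {"result": "FAIL" if reasons else "PASS", "message": "constructed", "reasons": reasons}


if __name__ == "__main__":
    import sys
    verdict = check_policy(FakeAccessAnalyzer(), PROPOSED_POLICY, REFERENCE_POLICY, DENIED_ACTIONS)
    print(json.dumps(verdict, indent=2))
    sys.exit(0 if verdict["approved"] else 1)  # non-zero exit blocks the pipeline
```

Both checks are evaluated even when the first one fails, so a reviewer sees every reason at once; the exit status makes the script usable as a merge gate.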
Creating an Analyzer for External or Unused Access
Follow the steps below to create an IAM access analyzer for external or unused access.
- Open the IAM console and, in the left pane under 'Access reports', click 'Analyzer settings'.
- Click the 'Create analyzer' button.
- Select the type of analyzer (external access analysis or unused access analysis) as shown in the figures below, and choose whether the analysis scope is your single AWS account or your AWS organization. Keep the other settings at their defaults and click the 'Create analyzer' button.
Creating an analyzer for external access:
Creating an analyzer for unused access:
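The console steps above have an API equivalent, and once the unused-access analyzer (described in the "New Feature: Unused Access" section) has run, its findings can be pulled and prioritised programmatically. The following is an added example, not code from the original post or from AWS: it creates an unused-access analyzer for an account or an organization and groups the ACTIVE findings by type in a remediation order. CreateAnalyzer, ListFindingsV2, the analyzer types and the finding fields (findingType, status, resource) are the real IAM Access Analyzer API; the analyzer name, the 90-day window, the ordering of finding types and the offline FakeAccessAnalyzer with its sample findings are constructed for this example.

```python
"""Added example (not from the original post): create an unused-access analyzer
and triage its findings. Replace FakeAccessAnalyzer() with
boto3.client("accessanalyzer") to run against the real service."""
from collections import defaultdict

# Analyzer type per scope (console: single AWS account vs. AWS organization).
UNUSED_ACCESS_TYPES = {
    "account": "ACCOUNT_UNUSED_ACCESS",
    "organization": "ORGANIZATION_UNUSED_ACCESS",
}

# Constructed remediation order: unused credentials first, dormant roles next,
# then permissions that a still-used identity never exercises.
PRIORITY = ["UnusedIAMUserAccessKey", "UnusedIAMUserPassword", "UnusedIAMRole", "UnusedPermission"]


def create_unused_access_analyzer(client, name, scope="account", unused_age_days=90):
    """Create an unused-access analyzer; access unused for unused_age_days is reported."""
    response = client.create_analyzer(
        analyzerName=name,
        type=UNUSED_ACCESS_TYPES[scope],
        configuration={"unusedAccess": {"unusedAccessAge": unused_age_days}},
    )
    return response["arn"]


def triage_unused_findings(client, analyzer_arn):
    """Return ACTIVE findings grouped by finding type, keyed in PRIORITY order.

    Archived and resolved findings are skipped; paging via nextToken is handled.
    """
    grouped = defaultdict(list)
    params = {"analyzerArn": analyzer_arn}
    while True:
        page = client.list_findings_v2(**params)
        for finding in page["findings"]:
            if finding["status"] != "ACTIVE":
                continue
            grouped[finding["findingType"]].append(finding["resource"])
        token = page.get("nextToken")
        if not token:
            break
        params["nextToken"] = token
    ordered = {ftype: grouped[ftype] for ftype in PRIORITY if ftype in grouped}
    for ftype in grouped:  # any other type (e.g. ExternalAccess) goes last
        ordered.setdefault(ftype, grouped[ftype])
    return ordered


class FakeAccessAnalyzer:
    """Constructed offline stand-in for the accessanalyzer client (sample data, two pages)."""

    def create_analyzer(self, **kwargs):
        # constructed ARN; account id and region are placeholders
        return {"arn": f"arn:aws:access-analyzer:us-east-1:123456789012:analyzer/{kwargs['analyzerName']}"}

    def list_findings_v2(self, **kwargs):
        if "nextToken" not in kwargs:
            return {"findings": [
                {"id": "f1", "findingType": "UnusedIAMRole", "status": "ACTIVE",
                 "resource": "arn:aws:iam::123456789012:role/legacy-batch", "resourceType": "AWS::IAM::Role"},
                {"id": "f2", "findingType": "UnusedIAMUserAccessKey", "status": "ACTIVE",
                 "resource": "arn:aws:iam::123456789012:user/ci-bot", "resourceType": "AWS::IAM::User"},
            ], "nextToken": "page2"}
        return {"findings": [
            {"id": "f3", "findingType": "UnusedPermission", "status": "ACTIVE",
             "resource": "arn:aws:iam::123456789012:role/app-role", "resourceType": "AWS::IAM::Role"},
            {"id": "f4", "findingType": "UnusedIAMUserPassword", "status": "ARCHIVED",
             "resource": "arn:aws:iam::123456789012:user/old-admin", "resourceType": "AWS::IAM::User"},
        ]}


if __name__ == "__main__":
    client = FakeAccessAnalyzer()
    arn = create_unused_access_analyzer(client, "unused-access-demo")
    for ftype, resources in triage_unused_findings(client, arn).items():
        print(f"{ftype}: {', '.join(resources)}")
```

The 90-day window is the value the analyzer uses to decide what counts as unused; pick it to match your own credential-rotation and review cadence.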
Conclusion
AWS IAM Access Analyzer acts as a sentinel in AWS security, offering continuous insight into external access, identifying unused permissions, and enabling precise custom policy checks. Together, these three capabilities provide a robust defense against threats, proactive access management, and adherence to stringent security standards in a dynamic cloud environment.

WRITTEN BY Abhijit Dilip Powar