Securing AWS with Powerful and Innovative IAM Access Analyzer

IAM Access Analyzer: An Overview

IAM Access Analyzer is a feature of AWS IAM that answers two questions about an account or an AWS Organization: which resources are shared with principals outside your zone of trust, and which roles, access keys, console passwords and permissions are granted but never used. Findings are generated continuously as policies change and resources are created, so new exposure is surfaced without waiting for the next audit. Findings can be archived or resolved, and they are forwarded to AWS Security Hub and Amazon EventBridge, which is where alerting and automated remediation are usually attached. An analyzer scoped to an organization produces consistent findings across every member account. A third capability, custom policy checks, validates a policy before it is deployed rather than after. Each of these is set up in a few clicks in the AWS Management Console, and the rest of this post walks through them in turn.

Existing Feature: External Access

The external access analyzer uses Zelkova, the automated reasoning engine AWS uses to interpret IAM policies, to evaluate resource-based policies (S3 bucket policies, KMS key policies, IAM role trust policies, Lambda, SQS, SNS and Secrets Manager resource policies, among others) and determine whether they grant access to principals outside the analyzer's zone of trust, which is either your account or your organization. The analysis is purely static: it does not read CloudTrail or any other access log, so findings describe what a policy permits, not what has been exercised, and no customer traffic data is involved. Condition keys that affect authorization are taken into account, so a statement with Principal "*" that is restricted with aws:PrincipalOrgID to your own organization does not produce a finding when the organization is the zone of trust, while the same statement without that condition does. Access granted to AWS service principals is not reported as external. The analyzer is designed to avoid false negatives, which means some findings will describe sharing you intend; those are handled by archiving them, or by creating archive rules for recurring cases, rather than by loosening the analysis.
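To make the zone-of-trust rule concrete, here is an added example (my code, not part of the original post and not AWS's analyzer) that approximates the question in plain Python: it reads the Principal block and the aws:PrincipalOrgID, aws:PrincipalAccount and aws:SourceAccount condition keys of each Allow statement and reports the statements reachable from outside a trust set. The bucket policy, the account ID 111122223333, the partner account 444455556666 and the organization ID o-exampleorgid are constructed. Resource, NotPrincipal and every other condition key are ignored, which is exactly the gap the real analyzer's automated reasoning closes.

```python
"""Approximation of the question an external access analyzer asks of a
resource-based policy: which statements are reachable from outside the zone
of trust? Added example, not AWS code. The real analyzer runs Zelkova over the
full policy language; this script only reads Principal and the
aws:PrincipalOrgID / aws:PrincipalAccount / aws:SourceAccount condition keys,
ignores Resource, NotPrincipal and every other condition, and skips principal
types other than AWS accounts and anonymous ('*')."""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")
# Condition keys that pin a statement to an account or an organization.
SCOPING_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:SourceAccount"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Account IDs named in Principal, or '*' for anonymous access.
    Service principals are skipped: the analyzer does not report them."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for value in _as_list(principal.get("AWS", [])):
        if value == "*":
            accounts.add("*")
        elif ACCOUNT_ID_RE.match(value):
            accounts.add(value)
        else:
            match = ARN_ACCOUNT_RE.match(value)
            if match:
                accounts.add(match.group(1))
    return accounts


def _scoped_to_trust(statement, trust):
    """True when a StringEquals condition on a scoping key names only
    accounts / the organization inside the zone of trust."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringEqualsIgnoreCase"):
            continue
        for key, values in pairs.items():
            if key in SCOPING_KEYS and set(_as_list(values)) <= trust:
                return True
    return False


def external_statements(policy, trust):
    """(index, Sid, external principals) for each Allow statement usable from
    outside `trust`, a set of 12-digit account IDs and/or o-... organization IDs."""
    findings = []
    for index, statement in enumerate(_as_list(policy["Statement"])):
        if statement.get("Effect") != "Allow" or "Principal" not in statement:
            continue
        external = {p for p in _principal_accounts(statement["Principal"]) if p not in trust}
        if external and not _scoped_to_trust(statement, trust):
            findings.append((index, statement.get("Sid"), sorted(external)))
    return findings


# Constructed sample bucket policy for account 111122223333, a member of the
# (fictional) organization o-exampleorgid.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "PartnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:role/uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::logs/*"},
        {"Sid": "CloudTrail", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::logs/*"},
        {"Sid": "Public", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs/public/*"},
    ],
}
ZONE_OF_TRUST = {"111122223333", "o-exampleorgid"}  # organization as zone of trust

if __name__ == "__main__":
    for index, sid, who in external_statements(SAMPLE_POLICY, ZONE_OF_TRUST):
        print(f"statement {index} ({sid}) is reachable by {who}")
```

With the organization in the trust set only PartnerWrite and Public are reported; the OrgRead statement is internal despite its wildcard principal, and the CloudTrail service principal is skipped. Drop the organization ID from the set and OrgRead is reported as well, which is the behaviour the zone-of-trust choice at analyzer creation controls.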

New Feature: Unused Access

The unused access analyzer is a second analyzer type, created separately from the external access analyzer, that finds IAM roles that have not been assumed, IAM user access keys and console passwords that have not been used, and permissions granted to roles and users that have never been exercised, within a tracking period you choose when you create the analyzer (90 days by default). It builds on the IAM service last accessed and action last accessed data that was already available for a single role, but it evaluates every role and user in the account or organization continuously, so unused access can be reviewed at scale and a single finding can be drilled into when needed. A finding is resolved by deleting the idle role or key, removing the login profile, or trimming the unused actions from the attached policy; a principal that is meant to sit idle, such as a break-glass role, is better handled with an archive rule than by ignoring the finding. Unlike external access analysis, the unused access analyzer is a paid feature, billed per IAM role and user analyzed each month.

New Feature: Custom Policy Checks

Custom policy checks are two API operations that validate a policy before it is deployed. CheckNoNewAccess compares a new or updated policy against a reference policy and reports whether the new policy grants any access the reference does not. CheckAccessNotGranted takes a policy and a list of IAM actions and reports whether the policy could grant any of them, which is how you encode rules such as "nothing may be able to delete a bucket or disable GuardDuty". Both use the same automated reasoning engine as external access findings and return PASS or FAIL, with a reason and the index of the offending statement on FAIL. Both are available through the AWS CLI and the IAM Access Analyzer API, and the no-new-access check is also available in the IAM console JSON policy editor. Because the result is deterministic and the checks are billed per call, they fit naturally as a gate in a CI pipeline that deploys IAM policies: a FAIL fails the build.

Use this feature from the AWS Management Console as given below: –

  1. Open the IAM console and choose Policies in the left pane.
  2. Choose Create policy and add the permissions in the policy editor, using either the JSON or the Visual editor.
  3. Switch to the JSON view if you used the visual editor, choose Check for new access, select the existing customer managed policy to compare against, and choose Check policy. The console compares the new policy with that policy and reports whether it grants any new access, as shown in the figure.

Using the feature from the AWS CLI: –

Check for no new access:

aws accessanalyzer check-no-new-access --new-policy-document file://newpolicy.json --existing-policy-document file://refpolicy.json --policy-type IDENTITY_POLICY

Output after command execution: a JSON document with a result of PASS or FAIL and a message. On FAIL, a reasons list identifies each statement in newpolicy.json (by statementIndex and statementId) that grants access not present in refpolicy.json.

Check for access not granted:

aws accessanalyzer check-access-not-granted --policy-document file://newpolicy.json --actions s3:DeleteBucket guardduty:DisableOrganizationAdminAccount --policy-type IDENTITY_POLICY

The --actions parameter is a list, so the actions are separated by spaces; a comma would be read as part of a single action name. Output after command execution: the same result, message and reasons structure, with FAIL and the offending statement index whenever any statement could grant one of the listed actions. Use --policy-type RESOURCE_POLICY for a bucket, key or trust policy. In both cases the command itself succeeds whether the check passes or fails, so a pipeline must inspect the result field rather than the exit status.
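The following added example (mine, not from the post or from AWS) mimics both checks offline so that their semantics can be inspected without paying for API calls. It returns results shaped like the API responses (result, reasons with statementIndex and statementId) so the two can be compared side by side. It is only an approximation: it matches Action and NotAction patterns with IAM's case-insensitive wildcards and honours unconditional Deny statements, but ignores Resource and Condition, which the service reasons over formally. The reference policy and the new policy are constructed.

```python
"""Offline approximation of IAM Access Analyzer's two custom policy checks,
CheckAccessNotGranted and CheckNoNewAccess. Added example, not AWS code: the
service reasons formally over the whole policy (Resource, Condition, NotAction,
conditional Deny); this version looks only at Effect and Action/NotAction with
IAM-style wildcards and at unconditional Deny statements, and returns results
shaped like the API responses (result PASS|FAIL, reasons[].statementIndex)."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_allows(statement, action):
    """Does this one Allow statement grant `action`? NotAction inverts the match."""
    if statement.get("Effect") != "Allow":
        return False
    if "NotAction" in statement:
        return not any(_matches(p, action) for p in _as_list(statement["NotAction"]))
    return any(_matches(p, action) for p in _as_list(statement.get("Action", [])))


def _denied(policy, action):
    """An unconditional Deny matching the action means it cannot be granted."""
    for statement in _as_list(policy["Statement"]):
        if statement.get("Effect") == "Deny" and "Condition" not in statement and \
           any(_matches(p, action) for p in _as_list(statement.get("Action", []))):
            return True
    return False


def check_access_not_granted(policy, actions):
    """FAIL if any statement could grant any of `actions` (and no Deny blocks it)."""
    reasons = []
    for index, statement in enumerate(_as_list(policy["Statement"])):
        for action in actions:
            if _statement_allows(statement, action) and not _denied(policy, action):
                reasons.append({"statementIndex": index, "statementId": statement.get("Sid"),
                                "description": f"statement grants {action}"})
    return {"result": "FAIL" if reasons else "PASS", "reasons": reasons}


def _allowed_patterns(policy):
    """(index, Sid, action pattern) for everything the Allow statements grant."""
    out = []
    for index, statement in enumerate(_as_list(policy["Statement"])):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement:        # allows everything not listed: treat as '*'
            out.append((index, statement.get("Sid"), "*"))
        for pattern in _as_list(statement.get("Action", [])):
            out.append((index, statement.get("Sid"), pattern))
    return out


def check_no_new_access(new_policy, existing_policy):
    """FAIL if the new policy grants an action pattern the existing one does not cover.
    A pattern p is covered when some existing pattern matches p as a string, which
    holds for literal actions and for patterns narrower than an existing wildcard."""
    existing = [pattern for _, _, pattern in _allowed_patterns(existing_policy)]
    reasons = []
    for index, sid, pattern in _allowed_patterns(new_policy):
        if not any(_matches(q, pattern) for q in existing):
            reasons.append({"statementIndex": index, "statementId": sid,
                            "description": f"new access: {pattern}"})
    return {"result": "FAIL" if reasons else "PASS", "reasons": reasons}


# Constructed reference policy (what the role is allowed today) and the
# updated policy a developer wants to deploy.
REFERENCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadLogs", "Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::logs", "arn:aws:s3:::logs/*"]}],
}
NEW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::logs", "arn:aws:s3:::logs/*"]},
        {"Sid": "Cleanup", "Effect": "Allow", "Action": "s3:Delete*",
         "Resource": "arn:aws:s3:::logs/*"},
        {"Sid": "NoBucketDelete", "Effect": "Deny", "Action": "s3:DeleteBucket",
         "Resource": "*"},
    ],
}
FORBIDDEN = ["s3:DeleteBucket", "guardduty:DisableOrganizationAdminAccount"]

if __name__ == "__main__":
    print(check_access_not_granted(NEW_POLICY, FORBIDDEN))   # PASS: Deny blocks DeleteBucket
    print(check_access_not_granted(NEW_POLICY, ["s3:DeleteObject"]))  # FAIL on statement 1
    print(check_no_new_access(NEW_POLICY, REFERENCE_POLICY))  # FAIL: s3:Get* and s3:Delete*
```

The interesting case is the widening from s3:GetObject to s3:Get*: it is not a new action in any list a human reviews, but it is new access, and both the service and this approximation flag it. The Deny statement shows why the not-granted check is evaluated over the whole policy rather than statement by statement.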

Creating an Analyzer for External or Unused Access

Follow the steps below to create an IAM Access Analyzer analyzer for external or unused access.

  1. Open the IAM console. In the left pane, under Access Analyzer (labelled Access reports in older versions of the console), choose Analyzer settings.
  2. Choose Create analyzer.
  3. Select the analysis type, External access analysis or Unused access analysis, as shown in the figures below. Then select the zone of trust: the current AWS account only, or the current organization (organization scope has to be created from the management account or a delegated administrator account for Access Analyzer). For unused access, also set the tracking period, the number of days after which access counts as unused. Leave the remaining settings at their defaults and choose Create analyzer.

External access analyzers are Regional, so create one in every Region where you hold resources; IAM itself is global, so a single unused access analyzer covers the whole account or organization. Since the unused access analyzer is billed per role and user analyzed, choose its scope deliberately.

Figure: Create analyzer dialog for external access.

Figure: Create analyzer dialog for unused access.
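As an added example (mine, not AWS's and not code from the post), the block below builds the create_analyzer request that corresponds to the console choices above, for both analyzer types and both scopes, and then triages a set of unused access findings the way a reviewer would before acting on them. The findings are constructed and follow the field names of the ListFindingsV2 and GetFindingV2 responses as I read the API reference (findingType, findingDetails with a lastAccessed timestamp per detail block); treat those names as an assumption to verify against the SDK. BREAK_GLASS is an assumed allow-list of roles that are supposed to sit idle, which in practice you would encode as an archive rule on the analyzer.

```python
"""Added example (not AWS code): the create-analyzer parameters behind the
console steps, plus a first-pass triage of unused access findings.
Field names follow ListFindingsV2 / GetFindingV2 as read from the API
reference; the sample findings are constructed."""
from datetime import datetime, timedelta, timezone


def create_analyzer_request(name, unused_access, organization_scope=False, unused_access_age=90):
    """kwargs for boto3's accessanalyzer.create_analyzer (the same values go on
    the aws accessanalyzer create-analyzer flags). Types: ACCOUNT, ORGANIZATION,
    ACCOUNT_UNUSED_ACCESS, ORGANIZATION_UNUSED_ACCESS. unusedAccessAge is the
    tracking period in days and only applies to the unused access types."""
    analyzer_type = "ORGANIZATION" if organization_scope else "ACCOUNT"
    request = {"analyzerName": name, "type": analyzer_type}
    if unused_access:
        if unused_access_age < 1:
            raise ValueError("tracking period must be at least one day")
        request["type"] += "_UNUSED_ACCESS"
        request["configuration"] = {"unusedAccess": {"unusedAccessAge": unused_access_age}}
    return request


# What a reviewer does with each finding type once it is confirmed.
REMEDIATION = {
    "UnusedIAMRole": "confirm no scheduled or cross-account use, then delete the role",
    "UnusedIAMUserAccessKey": "deactivate the access key, delete it after a grace period",
    "UnusedIAMUserPassword": "delete the console login profile",
    "UnusedPermission": "remove the unused actions from the attached policy",
}


def _last_accessed(details):
    """lastAccessed from whichever unused*Details block is present; None = never used."""
    for block in details.values():
        if isinstance(block, dict) and "lastAccessed" in block:
            return block["lastAccessed"]
    return None


def triage_unused_findings(findings, now, break_glass=frozenset()):
    """(resource, findingType, days idle or None, recommended action), never-used
    first and then longest idle. Roles in break_glass get 'archive' instead."""
    rows = []
    for finding in findings:
        if finding["status"] != "ACTIVE" or finding["findingType"] == "ExternalAccess":
            continue
        details = (finding.get("findingDetails") or [{}])[0]
        last = _last_accessed(details)
        idle_days = (now - last).days if last else None
        if finding["resourceType"] == "AWS::IAM::Role" and finding["resource"] in break_glass:
            action = "archive: break-glass role is expected to be idle"
        else:
            action = REMEDIATION[finding["findingType"]]
            if finding["findingType"] == "UnusedPermission":
                perms = details.get("unusedPermissionDetails", {})
                unused = [a["action"] for a in perms.get("actions", [])]
                action += ": " + ", ".join(unused or [perms.get("serviceNamespace", "?") + ":*"])
        rows.append((finding["resource"], finding["findingType"], idle_days, action))
    rows.sort(key=lambda row: (row[2] is not None, -(row[2] or 0)))
    return rows


# Constructed findings for account 111122223333, as of a fixed "now".
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
ACCOUNT = "arn:aws:iam::111122223333:"
SAMPLE_FINDINGS = [
    {"id": "f-1", "status": "ACTIVE", "findingType": "UnusedIAMRole", "resourceType": "AWS::IAM::Role",
     "resource": ACCOUNT + "role/legacy-etl",
     "findingDetails": [{"unusedIamRoleDetails": {"lastAccessed": NOW - timedelta(days=200)}}]},
    {"id": "f-2", "status": "ACTIVE", "findingType": "UnusedIAMRole", "resourceType": "AWS::IAM::Role",
     "resource": ACCOUNT + "role/break-glass-admin",
     "findingDetails": [{"unusedIamRoleDetails": {}}]},            # never assumed
    {"id": "f-3", "status": "ACTIVE", "findingType": "UnusedIAMUserAccessKey", "resourceType": "AWS::IAM::User",
     "resource": ACCOUNT + "user/ci-bot",
     "findingDetails": [{"unusedIamUserAccessKeyDetails": {"accessKeyId": "AKIAEXAMPLE",
                                                            "lastAccessed": NOW - timedelta(days=120)}}]},
    {"id": "f-4", "status": "ACTIVE", "findingType": "UnusedPermission", "resourceType": "AWS::IAM::Role",
     "resource": ACCOUNT + "role/app",
     "findingDetails": [{"unusedPermissionDetails": {"serviceNamespace": "s3",
                                                      "actions": [{"action": "s3:DeleteBucket"}, {"action": "s3:PutBucketPolicy"}],
                                                      "lastAccessed": NOW - timedelta(days=95)}}]},
    {"id": "f-5", "status": "ARCHIVED", "findingType": "UnusedIAMUserPassword", "resourceType": "AWS::IAM::User",
     "resource": ACCOUNT + "user/old", "findingDetails": [{}]},
]
BREAK_GLASS = frozenset({ACCOUNT + "role/break-glass-admin"})   # assumed allow-list

if __name__ == "__main__":
    print(create_analyzer_request("org-unused", unused_access=True, organization_scope=True))
    for row in triage_unused_findings(SAMPLE_FINDINGS, NOW, BREAK_GLASS):
        print(row)
```

The ordering puts never-used principals first because they are the cheapest to remove and the most likely to be forgotten provisioning; the break-glass role is reported but not scheduled for deletion, which is what an archive rule achieves on the real analyzer. Archived findings (f-5) are skipped, so the allow-list and the archive rules stay the single place where exceptions live.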

Conclusion

IAM Access Analyzer now covers the three questions a reviewer asks of IAM: who outside the account or organization can reach a resource (external access findings), what granted access is never used (unused access findings), and whether a policy about to be deployed grants more than intended (custom policy checks). Used together, and wired into Security Hub, EventBridge or a CI pipeline, they turn access review from a periodic audit into a continuous control.

WRITTEN BY Abhijit Dilip Powar