Securing AWS with Powerful and Innovative IAM Access Analyzer

IAM Access Analyzer: An Overview

IAM Access Analyzer is the AWS service that reasons about IAM policies so you do not have to read them by hand. It continuously analyzes the policies in your account or AWS Organization, reports findings when access is broader than intended, and keeps those findings up to date as policies change, so that over-broad access can be found and fixed quickly. Findings are delivered through the IAM console and API, to Amazon EventBridge, and to AWS Security Hub, which lets them feed existing alerting and ticketing. An analyzer can be scoped to a single account or to the whole organization, so access control can be checked consistently across every member account. Together with policy validation and policy generation from CloudTrail activity, this gives the evidence an organization needs to demonstrate least privilege and to make access decisions on data rather than assumptions. Setup is a few clicks in the AWS Management Console, after which analysis runs automatically.

Existing Feature: External Access

External access analysis is the original IAM Access Analyzer capability. It uses Zelkova, the automated reasoning engine AWS built for IAM, to interpret the resource-based policies attached to supported resources (S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, Secrets Manager secrets and others) and reports a finding whenever a policy grants access to a principal outside the analyzer's zone of trust, which is your account or your organization. The analysis works from the policies alone and never reads access logs, so a finding means the policy permits the access, not that anyone has used it. IAM condition keys that affect authorization (for example aws:SourceArn or aws:PrincipalOrgID) are taken into account, so a policy that is correctly constrained by a condition does not produce a finding. Access granted to AWS service principals and to AWS-internal service accounts is not reported as external access. The analysis is tuned to minimize false negatives, so expect some findings that need to be reviewed and archived rather than fixed; the result is a complete inventory of what is shared outside your account or organization.

New Feature: Unused Access

Unused access analysis is a newer IAM Access Analyzer capability that finds access that was granted but is not being used. It needs its own analyzer, separate from any external access analyzer, scoped to a single account or to the whole organization. The analyzer reads IAM's last-used information for roles, access keys and console passwords, and the service- and action-level last-accessed data for the permissions on roles, and reports four kinds of findings: unused roles, unused access keys, unused passwords, and unused permissions on roles that are otherwise in use. Anything not used within the analyzer's tracking period (configurable, 90 days by default) is reported, so an access review can start from a short list of dormant access instead of from every policy in the account, and each finding carries enough detail to investigate before the access is removed. Unused access analysis is a paid feature, priced per IAM role and user analyzed, so choose its scope deliberately.

New Feature: Custom Check Policy

Custom policy checks validate a policy against rules you define, using the same automated reasoning as external access analysis rather than string matching. Two checks are available. The first, CheckNoNewAccess, compares a new or updated policy with a reference policy and fails if the new policy grants any access the reference does not; it can be run from the AWS CLI, from the IAM Access Analyzer API, or from the JSON editor in the IAM console. The second, CheckAccessNotGranted, fails if the policy grants any action from a list you supply (for example s3:DeleteBucket), and is available from the CLI and API when a policy is created or edited. Both return PASS or FAIL together with the reasons, which makes them suitable as a gate in a CI pipeline or deployment tool so that policies are checked against your security standards before they are applied.

Use this feature from the AWS Management Console as given below: –

  1. Open the IAM console and, in the left pane, select Policies.
  2. Click Create policy and add the permissions in the policy editor using the JSON or Visual editor.
  3. When finished, switch to the JSON tab (if you used the Visual editor), expand 'Check for new access', and click 'Check policy'. The console compares this policy with the existing customer managed policy you select and shows the result, as shown in the figure.

Using the feature from the AWS CLI: –

Check for No New Access-

aws accessanalyzer check-no-new-access --new-policy-document file://newpolicy.json --existing-policy-document file://refpolicy.json --policy-type IDENTITY_POLICY

Output after command execution- (screenshot not reproduced; the command returns a JSON document whose result field is PASS when newpolicy.json grants nothing beyond refpolicy.json and FAIL otherwise, with a message and, on FAIL, a reasons list that points at the offending statements.)

Check for Access Not Granted-

aws accessanalyzer check-access-not-granted --policy-document file://newpolicy.json --access actions=s3:DeleteBucket,guardduty:DisableOrganizationAdminAccount --policy-type IDENTITY_POLICY

Output after command execution- (screenshot not reproduced; result is PASS when the policy grants none of the listed actions and FAIL when it grants any of them.)

The list of actions is passed through the --access parameter, which takes one or more access objects with an actions list; the caller needs the access-analyzer:CheckNoNewAccess and access-analyzer:CheckAccessNotGranted permissions respectively. --policy-type is IDENTITY_POLICY for policies attached to users, groups and roles and RESOURCE_POLICY for resource-based policies.
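The two checks above wired into a pre-deployment gate, as an added example in Python with boto3 (this is not code from the article or from AWS). The reference and candidate policies, the GUARDED_ACTIONS list and the policy_gate function are constructed for illustration; the boto3 calls check_no_new_access and check_access_not_granted are the SDK equivalents of the CLI commands above.

```python
"""Pre-deployment gate built on IAM Access Analyzer custom policy checks.

Added example (not from the original article or from AWS): it runs
CheckNoNewAccess and CheckAccessNotGranted through boto3 before a policy
is saved, and fails the deployment if either check does not return PASS.
The two policies and the list of guarded actions are constructed samples.
"""
import json

# Reference policy: what the role is allowed to do today (constructed sample).
REFERENCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadReports",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
}

# Candidate policy: the same statement widened to allow bucket deletion (constructed sample).
CANDIDATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadReports",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:DeleteBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
}

# Actions no identity policy in this account may grant (assumption for the example).
GUARDED_ACTIONS = ["s3:DeleteBucket", "guardduty:DisableOrganizationAdminAccount"]


def check_no_new_access(client, new_policy, existing_policy):
    """CheckNoNewAccess: PASS means new_policy grants nothing beyond existing_policy."""
    resp = client.check_no_new_access(
        newPolicyDocument=json.dumps(new_policy),
        existingPolicyDocument=json.dumps(existing_policy),
        policyType="IDENTITY_POLICY",
    )
    # reasons (present on FAIL) name the statement index/Sid that adds access.
    return resp["result"], resp.get("reasons", [])


def check_access_not_granted(client, policy, actions):
    """CheckAccessNotGranted: PASS means policy grants none of the listed actions."""
    resp = client.check_access_not_granted(
        policyDocument=json.dumps(policy),
        access=[{"actions": actions}],
        policyType="IDENTITY_POLICY",
    )
    return resp["result"], resp.get("reasons", [])


def policy_gate(client, new_policy, existing_policy, guarded_actions):
    """Run both checks and return (ok, report); ok is False unless both PASS."""
    report = {}
    result, reasons = check_no_new_access(client, new_policy, existing_policy)
    report["no_new_access"] = {"result": result, "reasons": reasons}
    result, reasons = check_access_not_granted(client, new_policy, guarded_actions)
    report["access_not_granted"] = {"result": result, "reasons": reasons}
    ok = all(entry["result"] == "PASS" for entry in report.values())
    return ok, report


if __name__ == "__main__":
    # Needs credentials with access-analyzer:CheckNoNewAccess and
    # access-analyzer:CheckAccessNotGranted; the region comes from your AWS config.
    import boto3

    ok, report = policy_gate(boto3.client("accessanalyzer"),
                             CANDIDATE_POLICY, REFERENCE_POLICY, GUARDED_ACTIONS)
    print(json.dumps(report, indent=2))
    raise SystemExit(0 if ok else 1)
```

The client is passed in rather than created inside the functions so the gate can be exercised with a stub in unit tests and with a real boto3 client in the pipeline. For the sample policies, the first check fails because the candidate adds s3:DeleteBucket that the reference never granted, and the second fails because s3:DeleteBucket is on the guarded list; either failure alone is enough to stop the deployment.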
Creating an Analyzer for External or Unused Access

Follow the steps below to create an IAM Access Analyzer analyzer for external or unused access. The two analysis types are independent, so create one analyzer of each type if you want both kinds of findings.

  1. Open the IAM console and, in the left pane under 'Access reports', choose 'Access analyzer' and then 'Analyzer settings'.
  2. Click the 'Create analyzer' button.
  3. Select the type of analysis (External access analysis or Unused access analysis) as shown in the figures below, and select whether the zone of trust is your single AWS account or the whole AWS Organization (an organization-wide analyzer must be created from the management account or a delegated administrator account). For unused access, the tracking period (90 days by default) can be adjusted here. Keep the other settings at their defaults and click 'Create analyzer'.

Creating Analyzer for External access- (screenshot not reproduced)

Creating Analyzer for Unused Access- (screenshot not reproduced)
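The console procedure above done through the API instead, as an added example with boto3 (not code from the article or from AWS): it builds the CreateAnalyzer requests for both analyzer types, including the unused-access tracking period, and then counts an analyzer's active findings per finding type so a review can start from totals. The analyzer names and the 90-day tracking period are assumptions for the example; the finding type names in the comment are the values the service reports.

```python
"""Create IAM Access Analyzer analyzers and summarize their findings.

Added example (not from the original article or from AWS). Analyzer names
and the 90-day tracking period are assumptions; the client is passed in so
the logic can be exercised with a stub as well as with a real boto3 client.
"""
from collections import Counter


def external_access_request(name, org_scope=False):
    """CreateAnalyzer request for external access analysis (ACCOUNT or ORGANIZATION scope)."""
    return {"analyzerName": name, "type": "ORGANIZATION" if org_scope else "ACCOUNT"}


def unused_access_request(name, org_scope=False, unused_access_age=90):
    """CreateAnalyzer request for unused access analysis.

    unusedAccessAge is the tracking period in days: roles, credentials and
    permissions not used within this window are reported as unused.
    """
    return {
        "analyzerName": name,
        "type": "ORGANIZATION_UNUSED_ACCESS" if org_scope else "ACCOUNT_UNUSED_ACCESS",
        "configuration": {"unusedAccess": {"unusedAccessAge": unused_access_age}},
    }


def create_analyzer(client, request):
    """Create the analyzer and return its ARN (needs access-analyzer:CreateAnalyzer)."""
    return client.create_analyzer(**request)["arn"]


def findings_by_type(client, analyzer_arn):
    """Page through ListFindingsV2 and count ACTIVE findings per findingType.

    Finding types seen here are ExternalAccess for an external access analyzer and
    UnusedIAMRole, UnusedIAMUserAccessKey, UnusedIAMUserPassword and UnusedPermission
    for an unused access analyzer. ARCHIVED and RESOLVED findings are skipped.
    """
    counts = Counter()
    kwargs = {"analyzerArn": analyzer_arn}
    while True:
        page = client.list_findings_v2(**kwargs)
        for finding in page.get("findings", []):
            if finding.get("status") == "ACTIVE":
                counts[finding["findingType"]] += 1
        token = page.get("nextToken")
        if not token:
            return dict(counts)
        kwargs["nextToken"] = token


if __name__ == "__main__":
    # Needs access-analyzer:CreateAnalyzer and access-analyzer:ListFindingsV2.
    # An organization-scoped analyzer must be created from the management or
    # delegated administrator account. Findings take a while to appear after
    # creation, so the counts printed immediately afterwards are usually empty.
    import boto3

    client = boto3.client("accessanalyzer")
    external_arn = create_analyzer(client, external_access_request("external-access-example"))
    unused_arn = create_analyzer(client, unused_access_request("unused-access-example"))
    for arn in (external_arn, unused_arn):
        print(arn, findings_by_type(client, arn))
```

Keep the unused-access analyzer scoped to what you will actually review, since it is billed per role and user analyzed, and treat the per-type totals as the starting point for the review rather than as a to-do list: an unused role may be a break-glass role that should stay.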
Conclusion

AWS IAM Access Analyzer now covers three complementary jobs: finding resources shared outside your zone of trust (external access), finding roles, credentials and permissions that were granted but are not used (unused access), and checking a policy against a reference policy or a list of forbidden actions before it is deployed (custom policy checks). Together they support least-privilege reviews with evidence from policy analysis and last-accessed data rather than manual inspection, and they fit both periodic access reviews and deployment pipelines.

WRITTEN BY Abhijit Dilip Powar
