What Is AWS IAM Access Analyzer?

Introduction to IAM

Identity and access management is a service that helps the user to control and access AWS resources. IAM users will have permission to authenticate and authorize their AWS services. Using IAM, the user can create multiple users and groups and grant and deny permission on accessing the services in AWS.

What is IAM Access Analyzer?

IAM Access Analyzer is used to analyse the resources and the policies that are accessed by an external user from an external account. The external users can be an AWS account, root user, IAM user, IAM role, federated user, AWS service, the anonymous user or any other entities.

The users and the resources within the access Analyzer are called trusted within the zone. The Analyzer generates findings if the resource is not within the zone.

Access Analyzer will analyse and update the policies within the region in which the resources are enabled. If you want to analyse the policies in all the regions, then you should create the access Analyzer in all the regions.

Why Access Analyzer?

IAM Access Analyzer helps the user to control and access the AWS service and the resources. It also grants complete permission to the user to access AWS services. IAM Analyzer gives you complete permission on the resources which you are sharing with the external principals. This functionality is achieved by using logic-based reasoning to analyse resource-based policies in the AWS environment.

User can create Access Analyzer for their account by enabling access Analyzer policy. Once the Analyzer is enabled, your account is the zone of trust for the Analyzer. The Analyzer can monitor all the resources and the services within the trusted zone.

The resources that are accessed within the trusted zone is can be called trusted resources. Once the access Analyzer is enabled, the Analyzer analyses the policies that are applied to all supported resources to your account. Once the Analyzer finishes analysing the policies for the first time, it keeps analysing the policies every 24 hours. If the policies are changed or any other new policies are updated the access Analyzer keep updating with policies for every 30 minutes.

While analysing the policies, if access Analyzer analyses the external principal who is not within the trusted zone, it automatically generates a finding, which includes resources and granted permissions to the user. So that the IAM user can take immediate action. Sometimes the Access Analyzer will not be notified when new policies are added, or policies are updated at that time. In that case, access Analyzer will analyse or update the policy in the next upcoming scan.

The benefit of using Access Analyzer:

• Access Analyzer saves time in analysing resource policies and cross-account accessibility to public
• IAM Analyzer gives a user complete permission on the resources which they are sharing with the external principals
• All the resources within the trusted zone can be easily monitored
• Access Analyzer generates findings if the resources are not within the trusted zones
• The Analyzer will analyse the policies for every 24 hours

How Access Analyzer work?

Access Analyzer in AWS generates finding for instances based on resource policies that grant access to the resources within the trusted zone. The operations within the trusted zone are considered to be safe and secure, therefore the Analyzer will not generate findings if the operation is safe.

If the user grants permission to S3 bucket from your AWS account to another AWS account, then Analyzer will generate findings, if you grant permission to S3 bucket from your AWS Account to an IAM role in your account, the Analyzer will not generate findings.

Access Analyzer supported resource types:

The following are the resource types that are supported by the IAM Access Analyzer:

Amazon Simple Storage Service Buckets: While Analysing S3 bucket, access Analyzer generates a finding when a bucket policy or ACL rule is applied to the bucket to grant access to an external principal. It creates a filter when an entity is not within a trusted zone.

Access Analyzer analyses the block bucket policy setting at the bucket level whenever the policies are changed or updated. Analyzer evaluates the bucket policy setting only once every 6 hours.

AWS Identity and Access Management roles: Access Analyzer analyses the trusted polices. In a role define policy, the IAM user will define the principal of the trusted role. Resource base policy is attached to the IAM role which is required for role trusted policy. The Analyzer will generate findings for a role within the trusted zone. Access Analyzer will generate the findings only in the enabled regions.

AWS Key Management Service Keys: In AWS KMS, Access Analyzer analyses the keys policies and grant applies to the key. The Analyzer will generate finding if the Analyzer analyses the external entities to access the key. The Analyzer reads the key metadata and lists the grant permission for the user to access KMS. If Key policy denies the Analyzer to read the key metadata, an access denied error finding will be generated.

AWS Lambda Functions and Layers:  Access Analyzer analyses the policies along with the condition statement in the policy that will grant the function to external entities.

Amazon Simple Queue Service Queues:  Access Analyzer analyses the polices along with the condition statement in the policy, that grant external access to the queue.

About CloudThat