Introduction to AWS IAM Access Analyzer

IAM Access Analyzer is a service provided by AWS (Amazon Web Services) that helps you analyze and evaluate the resource policies in your AWS environment. It helps to identify any unintended or overly permissive access permissions that might exist.

Resource policies in AWS define who can access and perform actions on AWS resources such as S3 buckets, IAM roles, Lambda functions, and more. These policies can sometimes contain misconfigurations or unintended access, which can pose security risks. IAM Access Analyzer helps you proactively detect such issues and provides recommendations for remediation.


The primary goal of IAM Access Analyzer is to simplify and automate the process of analyzing resource policies, making it easier for you to identify and rectify any potential security vulnerabilities.

IAM Access Analyzer continuously monitors the resource policies, validates the policies and provides recommendations in real time.

In this tutorial you will find the step-by-step procedure to create an access analyzer, review its findings, and correct the permissions on a resource.

Note: IAM Access Analyzer should be configured in every enabled region of your AWS account.

How to Create Access Analyzer

Now we will look at the step-by-step procedure to configure IAM Access Analyzer.

  • Log in to your AWS console and search for the IAM service. Open the IAM service page.
  • Click on Access Analyzer in the left-side menu.
  • On the next page, click on Create Analyzer.
  • On the next page, enter the analyzer name and details and click on Create Analyzer.

Review Findings from Access Analyzer

Once the analyzer is created, you will see the following screen. So far there are no findings from Access Analyzer. A finding shows whether any policy is configured with a higher level of privileges than is intended.

Example Finding from Access Analyzer

AWS Resource used for Example: S3 Bucket

In this example, we will assume that there is an S3 bucket configured to allow public access for all principals and for all the objects in the bucket. This is not an intended configuration for any S3 bucket, because public access is not recommended unless a specific situation requires it. Below are the resource details.

S3 bucket: iam-analyzer-test
Objects Access: Public
Bucket Access: Publicly accessible


Policy of the S3 bucket:

This policy is already attached to the S3 bucket. It allows public access for all principals and all actions on the objects in this bucket. This is not a recommended policy; it is added here for testing purposes only.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "arn:aws:s3:::iam-analyzer-test/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}

Now, when the access analyzer is enabled, it will show this S3 bucket in the findings as below.

Review IAM Access analyzer Findings from S3 Console

For S3 buckets, there is an option to review the Access Analyzer findings from the S3 console itself.

Preview Access provided by Policy before applying for S3 Bucket

In an S3 bucket, when we add or edit a policy, there is an option to preview the permissions the policy would grant, evaluated through IAM Access Analyzer.

  • In the S3 console, select the bucket whose policy you want to edit. Navigate to the Permissions tab and scroll down to the Bucket policy section.
  • Click on Edit and add the required policy JSON. Below the editor you will find the option Preview external access. Click on it to see the results for external access.
  • Preview external access validates the policy for external access to the resource. For this bucket, the policy allows external access, and this is shown in the report below.

Now you could decide whether this policy can be assigned to the resource or not.
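To show locally why the tutorial's bucket policy produces a finding while a scoped-down policy does not, here is a small checker written for this article. It is not AWS's own analyzer and not part of the original post; it applies the rule behind the finding and the preview above: an Allow statement whose Principal is "*" (or {"AWS": "*"}) and which no condition narrows to a known account, organization or source. Note that aws:SecureTransport only restricts how the bucket is reached, not who may reach it, so it does not make the statement non-public. The hardened policy's account id and role name are placeholders, and the set of scoping condition keys is a simplification.

```python
import json
# Constructed sample: the bucket policy from this tutorial (every principal, every action on objects)
PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowPublicAccess", "Effect": "Allow", "Principal": "*", "Action": "*",
    "Resource": "arn:aws:s3:::iam-analyzer-test/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")

# Constructed hardened version: only one role (placeholder account id and role name) may read objects
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRoleRead", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::iam-analyzer-test/*",
    }],
}

# Simplifying assumption: a condition on one of these keys narrows "*" to a known account/org/source
SCOPING_KEYS = {"aws:principalaccount", "aws:principalarn", "aws:principalorgid",
                "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce"}

def _principals(principal):
    """Flatten Principal ("*", {"AWS": "*"} or {"AWS": [...]}) into a list of strings."""
    if isinstance(principal, str):
        return [principal]
    flat = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat

def _is_scoped(condition):
    """True if any condition key (compared case-insensitively) limits who the principal may be."""
    keys = {key.lower() for operator in condition.values() for key in operator}
    return bool(keys & SCOPING_KEYS)

def public_statements(policy):
    """Return the Sids of Allow statements that grant access to everyone and are not scoped down."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    hits = []
    for st in statements:
        if st.get("Effect") != "Allow" or "Principal" not in st:
            continue
        if "*" in _principals(st["Principal"]) and not _is_scoped(st.get("Condition", {})):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits
```

Running `public_statements` on the two policies reports the tutorial's "AllowPublicAccess" statement and nothing for the hardened one, which is the outcome you would expect to see mirrored in the console preview.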

How to Delete IAM Access Analyzer

In the IAM console, click on Analyzers in the left-side menu. This lists the IAM access analyzers configured. Select the analyzer to delete and click on "Delete". When an access analyzer is deleted, all the findings it generated are deleted as well.

Conclusion

In this tutorial, we have looked at how to create an IAM access analyzer, review its findings and delete it. Access Analyzer can also be used to preview external access while creating a policy for a resource, so that you know whether the policy grants any unintended access before it is applied. IAM Access Analyzer is available at no additional cost and is a very helpful service for keeping your AWS environment free of overly permissive access permissions.
