Introduction to IAM Access Analyzer
Analyze Resource-Access Risks
AWS IAM Access Analyzer is an incredibly important services within IAM used to identify potential resource-access risks. Instead of wondering who has access to which resources, IAM Access Analyzer helps you identify the resources in your organization and accounts that are shared with an external entity. It uses automated reasoning to look at all the possible scenarios and determine security risks. According to AWS, the main features of AWS IAM Access Analyzer include:
- Guided policy authoring with 100+ policy checks
- Comprehensive analyzes for public and cross-account access
- Continuously monitors and reduces permissions
- Provides the highest levels of security assurance
For more information on mitigating resource-access risks, visit the AWS documentation for using IAM Access Analyzer.
One of the important steps in any of the security frameworks that’s out there is to evaluate your access rights. What are the permissions levels that you’ve granted? Are they proper? Are they adequately assigned to the people who need access to it? You’ve heard about the principle of least privilege. No one should any have access to anything that’s beyond their business need for accessing that resource. It’s very difficult when you’re going through a security audit, as an auditor, to determine if the rights that are given to an individual or a group are proper. You have to ask questions, you have to investigate, you have to collaborate with others in order to determine if it’s appropriate or not.
AWS has come out with the IAM Access Analyzer and this greatly helps us, as auditors, to evaluate those access rights, but it also helps you to review your resource policies to understand if the people who have access to the resource should indeed have that. Access Analyzer gives you valuable insight into these resources by analyzing the resource itself, looking at the external entity that has access, and also looking at the permissions that are granted. This new capability is using something called automated reasoning to determine all the possible scenarios. This is very difficult to do during an audit, for just one person to consider all the different scenarios and “if this, then that” situations that occur in order to determine if the permissions are established properly. Access Analyzer does a lot of that work for you and it will provide you with this data in order to make a decision about if these permissions are what you expect to see. You can evaluate access rights to S3 buckets, to your IAM roles, to KMS keys, Lambda functions, Secrets Manager. You’re able to evaluate permissions on so many services like that within AWS that it allows you to do a lot more in less time using IAM Access Analyzer.