AWS-IAM-Access-Analyzer

Severity: High

Description: This control ensures that the IAM Access analyzer is enabled for all regions. AWS IAM Access Analyzer continously examines the aws resources such as Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, AWS IAM roles, and AWS Lambda functions to resources that are shared with an external entity. IAM access analyzer should be enabled to identify and monitor such resources regularly and any unintentional access to external entities should be revoked from such resources.

Remediation Steps:

Perform following to update IAM policy for IAM user :

1. Login to the AWS Management Console at https://console.aws.amazon.com.

2. Navigate to IAM console.

3. In the navigation pane, click Access analyzer.

4. Click Create analyzer button.

5. Add Name as required.

6. Click Create analyzer button.

7. Repeat for all regions with access analyzer not setup.

Important:

Reference:

• CIS Amazon Web Services Foundations Benchmark v1.3.0 - 08-07-2020: Recommendation #1.21

• https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html

• https://aws.amazon.com/about-aws/whats-new/2019/12/introducing-aws-identity-and-access-management-access-analyzer/

• https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html