turbot/steampipe-mod-aws-compliance

Control: 2.19 Ensure that IAM External Access Analyzer is enabled for all regions

Description

Enable IAM External Access Analyzer for all resources in each active AWS region.

IAM Access Analyzer is a service introduced at AWS re:Invent 2019. Once an analyzer is enabled in IAM, its findings are displayed in the console and list the resources that are accessible from outside the account. Findings cover resources that other accounts and federated users can access, such as KMS keys and IAM roles. They let you determine whether an unintended principal has been granted access, which makes it easier for administrators to monitor least-privilege access. Access Analyzer analyzes only the policies applied to resources in the same AWS Region as the analyzer.

Remediation

From Console:

Perform the following to enable IAM Access Analyzer for IAM policies:

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. Choose Access analyzer.
  3. Choose Create external access analyzer.
  4. On the Create analyzer page, confirm that the Region displayed is the Region where you want to enable Access Analyzer.
  5. Optionally enter a name for the analyzer.
  6. Optionally add any tags that you want to apply to the analyzer.
  7. Choose Create Analyzer.
  8. Repeat these steps for each active region.

From Command Line:

Run the following command:

aws accessanalyzer list-analyzers --type ORGANIZATION

Repeat this command for each active region.

Note: The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.

Default Value:

By default, IAM External Access Analyzer is not enabled in any region. An analyzer must be explicitly created and activated for each region where monitoring is required.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cis_v600_2_19

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cis_v600_2_19 --share

SQL

This control uses a named query:

select
  'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
  case
    -- Skip any regions that are disabled in the account.
    when r.opt_in_status = 'not-opted-in' then 'skip'
    when aa.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'
    when aa.arn is not null then aa.name || ' enabled in ' || r.region || '.'
    else 'Access Analyzer not enabled in ' || r.region || '.'
  end as reason
  , r.region, r.account_id
from
  aws_region as r
  left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region;
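The same skip/ok/alarm logic, as an added example that is not part of the mod, applied offline to data shaped like the output of `aws ec2 describe-regions` and the `aws accessanalyzer list-analyzers` command from the remediation section. It goes one step beyond the query above: an analyzer only counts as enabled when it is an external-access type (ACCOUNT or ORGANIZATION, not the *_UNUSED_ACCESS types) in ACTIVE status. The region and analyzer data below is constructed.

```python
"""Offline evaluation of the CIS 2.19 check, mirroring the control's SQL.
Added example, not from the mod. Input shapes mimic `aws ec2 describe-regions`
(OptInStatus) and `aws accessanalyzer list-analyzers` (AnalyzerSummary)."""
from typing import Dict, List, Tuple

# Only these analyzer types do external-access analysis; the *_UNUSED_ACCESS
# types do not satisfy this control.
EXTERNAL_TYPES = {"ACCOUNT", "ORGANIZATION"}


def evaluate_region(region: str, account_id: str, opt_in_status: str,
                    analyzers: List[dict], partition: str = "aws") -> Tuple[str, str, str]:
    """Return (resource, status, reason) for one region, as the SQL does.
    Stricter than the SQL, which only checks that a row exists: the analyzer
    must be an external-access type in ACTIVE status to count as enabled."""
    resource = f"arn:{partition}::{region}:{account_id}"
    if opt_in_status == "not-opted-in":  # disabled region: skip, not alarm
        return resource, "skip", f"{region} region is disabled."
    active = [a for a in analyzers
              if a.get("type") in EXTERNAL_TYPES and a.get("status") == "ACTIVE"]
    if active:
        return resource, "ok", f"{active[0]['name']} enabled in {region}."
    if analyzers:  # an analyzer exists but is unusable: report why
        a = analyzers[0]
        return resource, "alarm", (f"{a['name']} in {region} is {a.get('type')} "
                                   f"with status {a.get('status')}.")
    return resource, "alarm", f"Access Analyzer not enabled in {region}."


def evaluate_account(account_id: str, regions: Dict[str, str],
                     analyzers_by_region: Dict[str, List[dict]]) -> List[Tuple[str, str, str]]:
    """Evaluate every region; a region with no analyzers at all still gets a row."""
    return [evaluate_region(r, account_id, status, analyzers_by_region.get(r, []))
            for r, status in sorted(regions.items())]


# Constructed sample: one active external analyzer, one unused-access-only
# analyzer, one disabled organization analyzer, one region not opted in.
SAMPLE_REGIONS = {"us-east-1": "opt-in-not-required", "eu-west-1": "opt-in-not-required",
                  "me-south-1": "opted-in", "ap-south-2": "not-opted-in"}
SAMPLE_ANALYZERS = {
    "us-east-1": [{"name": "ext-analyzer", "type": "ACCOUNT", "status": "ACTIVE"}],
    "eu-west-1": [{"name": "unused", "type": "ACCOUNT_UNUSED_ACCESS", "status": "ACTIVE"}],
    "me-south-1": [{"name": "old", "type": "ORGANIZATION", "status": "DISABLED"}],
}

if __name__ == "__main__":
    for row in evaluate_account("123456789012", SAMPLE_REGIONS, SAMPLE_ANALYZERS):
        print(*row, sep="\t")
```

Feeding it real data is a matter of calling the two CLI commands per region and passing their JSON through; the unusable-analyzer branch is the case the plain left join in the query cannot distinguish.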

Tags