Control: 2.19 Ensure that IAM External Access Analyzer is enabled for all regions
Description
Enable the IAM External Access Analyzer regarding all resources in each active AWS region.
IAM Access Analyzer is a feature introduced at AWS re:Invent 2019. Once an analyzer is enabled in IAM, its findings are displayed in the console, listing the resources that are accessible from outside the account. Findings cover resources that other accounts and federated users can reach, such as KMS keys and IAM roles. The findings let you determine whether access has been granted to an unintended principal, which makes it easier for administrators to monitor least-privilege access. Access Analyzer analyzes only the policies applied to resources in the same AWS Region, which is why an analyzer is needed in every active region.
Remediation
From Console:
Perform the following to enable IAM Access Analyzer for IAM policies:
- Open the IAM console at https://console.aws.amazon.com/iam/.
- Choose Access analyzer.
- Choose Create external access analyzer.
- On the Create analyzer page, confirm that the Region displayed is the Region where you want to enable Access Analyzer.
- Optionally enter a name for the analyzer.
- Optionally add any tags that you want to apply to the analyzer.
- Choose Create Analyzer.
- Repeat these steps for each active region.
From Command Line:
Run the following command:
aws accessanalyzer list-analyzers --type ORGANIZATION
Repeat this command for each active region.
Note: The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.
Default Value:
By default, IAM External Access Analyzer is not enabled in any region. An analyzer must be explicitly created and activated for each region where monitoring is required.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cis_v600_2_19
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cis_v600_2_19 --share
SQL
This control uses a named query:
select
  'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
  case
    -- Skip any regions that are disabled in the account.
    when r.opt_in_status = 'not-opted-in' then 'skip'
    when aa.arn is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'
    when aa.arn is not null then aa.name || ' enabled in ' || r.region || '.'
    else 'Access Analyzer not enabled in ' || r.region || '.'
  end as reason,
  r.region,
  r.account_id
from
  aws_region as r
  left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region;
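As an added example (not part of this control or of the aws_compliance mod), the Python below applies the same per-region skip/ok/alarm logic to JSON shaped like the output of `aws ec2 describe-regions --all-regions` and of `aws accessanalyzer list-analyzers` run in each region; the sample output is constructed. It is deliberately stricter than the named query above: only an analyzer of type ACCOUNT or ORGANIZATION in ACTIVE status counts, so an unused-access analyzer or a disabled analyzer does not pass.

```python
import json

# Constructed sample output, shaped like `aws ec2 describe-regions --all-regions`
# and `aws accessanalyzer list-analyzers` (one call per region). Not real account data.
REGIONS_JSON = json.dumps({"Regions": [
    {"RegionName": "us-east-1", "OptInStatus": "opt-in-not-required"},
    {"RegionName": "eu-west-1", "OptInStatus": "opt-in-not-required"},
    {"RegionName": "af-south-1", "OptInStatus": "not-opted-in"},
    {"RegionName": "me-south-1", "OptInStatus": "opted-in"},
]})
ANALYZERS_JSON = {
    "us-east-1": json.dumps({"analyzers": [
        {"name": "ext-us-east-1", "type": "ACCOUNT", "status": "ACTIVE"}]}),
    "eu-west-1": json.dumps({"analyzers": [
        {"name": "unused-eu", "type": "ACCOUNT_UNUSED_ACCESS", "status": "ACTIVE"}]}),
    "af-south-1": json.dumps({"analyzers": []}),
    "me-south-1": json.dumps({"analyzers": [
        {"name": "ext-me-south-1", "type": "ORGANIZATION", "status": "DISABLED"}]}),
}

# Only external access analyzers satisfy 2.19; unused-access analyzers are a different feature.
EXTERNAL_TYPES = {"ACCOUNT", "ORGANIZATION"}


def evaluate_regions(regions_json, analyzers_by_region):
    """Return {region: (status, reason)} mirroring the control's skip/ok/alarm logic,
    with the stricter requirement that the analyzer be external and ACTIVE."""
    results = {}
    for region in json.loads(regions_json)["Regions"]:
        name = region["RegionName"]
        if region["OptInStatus"] == "not-opted-in":
            # Disabled regions cannot host an analyzer, so they are skipped, not alarmed.
            results[name] = ("skip", f"{name} region is disabled.")
            continue
        raw = analyzers_by_region.get(name, '{"analyzers": []}')
        analyzers = json.loads(raw)["analyzers"]
        active = [a for a in analyzers
                  if a["type"] in EXTERNAL_TYPES and a["status"] == "ACTIVE"]
        if active:
            results[name] = ("ok", f"{active[0]['name']} enabled in {name}.")
        else:
            results[name] = ("alarm", f"Access Analyzer not enabled in {name}.")
    return results


if __name__ == "__main__":
    for region, (status, reason) in evaluate_regions(REGIONS_JSON, ANALYZERS_JSON).items():
        print(f"{status:5s} {reason}")
```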