AWS Cloud Security: IAM Access Analyzer for Access Cleanup

AWS Identity and Access Management (IAM) is a core service that enables you to manage access to your AWS resources. However, managing access can be challenging, especially when you have multiple users, roles, policies, and permissions across your AWS accounts and organization.  

How do you ensure that you are granting the right level of access to the right entities, and not exposing your resources to unauthorized or unintended access? 

This is where AWS IAM Access Analyzer comes in. IAM Access Analyzer is a security feature that helps you identify and remediate any access issues in your AWS environment. It does so by analyzing the resource-based policies that you apply to your AWS resources, such as Amazon S3 buckets, IAM roles, AWS KMS keys, AWS Lambda functions, and Amazon SQS queues.  

IAM Access Analyzer can detect two types of access issues:

    • External access findings: These are findings that indicate that your resources are shared with an external entity, such as another AWS account, a root user, an IAM user or role, a federated user, an AWS service, an anonymous user, or any other principal that is outside of your zone of trust. Sharing resources with external entities can pose a security risk if you are not aware of it or if you do not intend to do so. 
    • Unused access findings: These are findings that indicate that your IAM users and roles have permissions that have not been used for a specified period. Unused permissions increase the attack surface and the potential impact of a compromised credential. Therefore, it is best practice to remove or restrict any permissions that are not needed. 

In this blog post, we will show you how to use IAM Access Analyzer to create an analyzer for unused access findings and how to review and resolve the findings to clean up your access permissions. By doing so, you can enhance the security of your cloud infrastructure and ensure compliance with your security standards. 

How to create an analyzer for unused access findings

To create an analyzer for unused access findings, follow these steps: 

1. Navigate to the IAM console dashboard.
2. Select “Access reports” on the left side of the navigation panel.
3. Choose “Access Analyzer.”
4. Click “Create analyzer”, as shown in the image below:

Create analyzer

5. Enter a name for your analyzer, such as “Unused Access Analyzer”.
6. Select the type of analyzer you want to create. For this example, we will choose “Unused access findings”.

Name analyzer

7. Specify the tracking period for your analyzer. This is the window IAM Access Analyzer uses to decide whether a user or role has used a permission. For example, with a tracking period of 90 days (about 3 months), IAM Access Analyzer highlights the users and roles that have not used a permission in the last 90 days. You can choose 30, 60, or 90 days, or enter a custom value between 1 and 365 days.

Tracking Period

8. Click “Create analyzer.”

Last step

By following the above steps, you have created an analyzer for unused access findings.
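The same analyzer can be created with the AWS SDK for Python instead of the console. This is an added example, not code from the post: it assumes boto3 is installed, credentials that allow access-analyzer:CreateAnalyzer, and a hyphenated analyzer name (the console example “Unused Access Analyzer” is written without spaces to fit the API's name pattern).

```python
"""Create an unused-access analyzer with boto3 (added example, not from the post)."""
from typing import Any

MIN_TRACKING_DAYS, MAX_TRACKING_DAYS = 1, 365  # the range the console accepts


def build_create_request(name: str, tracking_days: int,
                         organization: bool = False) -> dict[str, Any]:
    """Build the CreateAnalyzer parameters that match steps 5-7 above.

    tracking_days is the tracking period: a permission not exercised in
    that many days is reported as unused.
    """
    if not MIN_TRACKING_DAYS <= tracking_days <= MAX_TRACKING_DAYS:
        raise ValueError(
            f"tracking period must be {MIN_TRACKING_DAYS}-{MAX_TRACKING_DAYS} days, "
            f"got {tracking_days}")
    analyzer_type = ("ORGANIZATION_UNUSED_ACCESS" if organization
                     else "ACCOUNT_UNUSED_ACCESS")
    return {
        "analyzerName": name,
        "type": analyzer_type,
        "configuration": {"unusedAccess": {"unusedAccessAge": tracking_days}},
    }


def create_unused_access_analyzer(name: str, tracking_days: int = 90,
                                  organization: bool = False, client=None) -> str:
    """Create the analyzer and return its ARN.

    Needs credentials with access-analyzer:CreateAnalyzer. A client can be
    passed in to reuse an existing session or to substitute a test double.
    """
    if client is None:
        import boto3  # imported lazily so the module loads without the SDK
        client = boto3.client("accessanalyzer")
    params = build_create_request(name, tracking_days, organization)
    response = client.create_analyzer(**params)
    return response["arn"]


if __name__ == "__main__":
    # Assumed name: hyphenated, since the API's analyzer names cannot contain spaces.
    print(create_unused_access_analyzer("Unused-Access-Analyzer", 90))
```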

How to review and resolve unused access findings

After you create an analyzer for unused access findings, IAM Access Analyzer will start scanning your IAM users and roles and generate findings for any unused permissions. You can view the findings on the IAM Access Analyzer dashboard, or on the IAM console under “Users” or “Roles”. 

1. On the IAM Access Analyzer dashboard, click on the “Unused access findings” tab.

2. You will see a list of findings for each user and role that has unused permissions. You can filter the findings by resource type, resource name, last accessed date, or finding status.

3. Click on a finding to see the details, such as the resource name, the policy name, the policy statement, the permission, and the last accessed date.

4. To resolve a finding, you have two options: 

    • Remove the permission: This option removes the permission from the policy statement and updates the policy accordingly. This is the recommended option if you are sure the user or role does not need the permission. 
    • Restrict the permission: This option will add a condition to the policy statement that restricts the permission to a specific resource, action, or principal. This is the preferred option if you want to keep the permission but limit its scope. 

5. After you choose an option, IAM Access Analyzer will show you the proposed policy change and ask you to confirm. Review the policy change and click “Apply changes”.

6. IAM Access Analyzer will apply the policy change and mark the finding as “Resolved”. You can also mark a finding as “Resolved” manually if you have made the policy change outside of IAM Access Analyzer.

The following image shows the steps to review and resolve unused access findings. 

IAM Access Analyzer summary
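The “Remove the permission” option described above amounts to deleting the unused actions from the policy statements that grant them. The following is an added example (not code from the post) of that edit applied to a constructed policy document and a constructed set of unused actions; it also shows the case the console steers to “Restrict the permission”: a wildcard action such as logs:* cannot be trimmed by deleting list entries and must be scoped by hand.

```python
"""Prune the unused actions from an IAM policy (added example, not from the post)."""
import json
from fnmatch import fnmatchcase

# Constructed sample: the policy document attached to a role, and the set of
# actions an unused access finding reports as unused for that role.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "SQS", "Effect": "Allow",
         "Action": ["sqs:SendMessage", "sqs:DeleteQueue"], "Resource": "*"},
        {"Sid": "Logs", "Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    ],
}
UNUSED_ACTIONS = {"s3:DeleteObject", "sqs:SendMessage", "sqs:DeleteQueue",
                  "logs:DeleteLogGroup"}


def remove_unused_actions(policy: dict, unused: set[str]) -> tuple[dict, list[str]]:
    """Return (pruned policy, Sids that still need manual scoping).

    Unused actions are dropped from Allow statements, and a statement whose
    actions were all unused is removed. Deny and NotAction statements are
    left untouched. A statement granting a wildcard that covers an unused
    action is kept as-is and its Sid is returned for manual restriction.
    """
    pruned = {"Version": policy["Version"], "Statement": []}
    review = []
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        wildcards = [a for a in actions if "*" in a]
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt or wildcards:
            pruned["Statement"].append(stmt)  # never edit these mechanically
            if any(fnmatchcase(u.lower(), w.lower()) for u in unused for w in wildcards):
                review.append(stmt.get("Sid", "<no Sid>"))
            continue
        kept = [a for a in actions if a not in unused]
        if kept:  # an all-unused statement is dropped entirely
            pruned["Statement"].append({**stmt, "Action": kept})
    return pruned, review


if __name__ == "__main__":
    new_policy, to_review = remove_unused_actions(POLICY, UNUSED_ACTIONS)
    print(json.dumps(new_policy, indent=2))
    print("statements to restrict manually:", to_review)
```

The pruned document is what you would then upload as a new policy version; review the result before applying it, exactly as the console asks you to confirm its proposed change.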

Conclusion

IAM Access Analyzer is a powerful tool that helps you improve the security and compliance of your AWS environment by identifying and resolving any access issues. By using IAM Access Analyzer to create an analyzer for unused access findings, you can easily find and clean up any permissions that are not used by your IAM users and roles. This way, you can reduce the attack surface and the potential impact of a compromised credential and follow the principle of least privilege. 
