
Using AWS Identity and Access Management Access Analyzer



AWS Identity and Access Management Access Analyzer provides the following capabilities:

- IAM Access Analyzer external access analyzers help identify resources in your organization and accounts that are shared with an external entity.
- IAM Access Analyzer unused access analyzers help identify unused access in your organization and accounts.
- IAM Access Analyzer validates IAM policies against policy grammar and AWS best practices.
- IAM Access Analyzer custom policy checks help validate IAM policies against your specified security standards.
- IAM Access Analyzer generates IAM policies based on access activity in your AWS CloudTrail logs.

Identifying resources shared with an external entity


IAM Access Analyzer helps you identify the resources in your organization and accounts,
such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you
identify unintended access to your resources and data, which is a security risk. IAM Access
Analyzer identifies resources shared with external principals by using logic-based reasoning
to analyze the resource-based policies in your AWS environment. For each instance of a
resource shared outside of your account, IAM Access Analyzer generates a finding. Findings
include information about the access and the external principal granted to it. You can review
findings to determine if the access is intended and safe or if the access is unintended and a
security risk. In addition to helping you identify resources shared with an external entity, you
can use IAM Access Analyzer findings to preview how your policy affects public and cross-
account access to your resource before deploying resource permissions. The findings are
organized in a visual summary dashboard. The dashboard highlights the split between public
and cross-account access findings, and provides a breakdown of findings by resource type.
To learn more about the dashboard, see Viewing the IAM Access Analyzer findings
dashboard.

Note
An external entity can be another AWS account, a root user, an IAM user or role, a federated
user, an AWS service, an anonymous user, or other entity that you can use to create a filter.
For more information, see AWS JSON Policy Elements: Principal.

When you enable IAM Access Analyzer, you create an analyzer for your entire organization
or your account. The organization or account you choose is known as the zone of trust for the
analyzer. The analyzer monitors all of the supported resources within your zone of trust. Any
access to resources by principals within your zone of trust is considered trusted. Once
enabled, IAM Access Analyzer analyzes the policies applied to all of the supported resources
in your zone of trust. After the first analysis, IAM Access Analyzer analyzes these policies
periodically. If you add a new policy, or change an existing policy, IAM Access Analyzer
analyzes the new or updated policy within about 30 minutes.

When analyzing the policies, if IAM Access Analyzer identifies one that grants access to an
external principal that isn't within your zone of trust, it generates a finding. Each finding
includes details about the resource, the external entity with access to it, and the permissions
granted so that you can take appropriate action. You can view the details included in the
finding to determine whether the resource access is intentional or a potential risk that you
should resolve. When you add a policy to a resource, or update an existing policy, IAM
Access Analyzer analyzes the policy. IAM Access Analyzer also analyzes all resource-based
policies periodically.
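As an added illustration of the zone-of-trust check described above (this is not AWS's own algorithm, which uses automated reasoning and also evaluates Condition blocks), the following Python reads a constructed S3 bucket policy and emits one finding for every Allow statement whose principal is not an account inside the zone of trust. The bucket name, account IDs and statement Sids are placeholders.

```python
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ARN_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")

def account_of(principal):
    """Return the 12-digit account behind an AWS principal string, or None for '*'."""
    if ACCOUNT_ID_RE.match(principal):
        return principal
    m = ARN_RE.match(principal)
    return m.group(1) if m else None

def external_access_findings(policy_json, zone_of_trust):
    """One finding per (Allow statement, principal) pair outside the zone of trust.

    Simplified model: '*' (public), foreign accounts and Service/Federated principals
    are all reported; Condition blocks are not evaluated, unlike the real analyzer.
    """
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements can grant external access
        principal = stmt.get("Principal", {})
        entries = {"AWS": ["*"]} if principal == "*" else principal
        for kind, values in entries.items():
            for value in [values] if isinstance(values, str) else values:
                account = account_of(value) if kind == "AWS" else None
                if account in zone_of_trust:
                    continue  # trusted: inside the organization/account analyzed
                findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                                 "principal_type": kind, "principal": value,
                                 "is_public": kind == "AWS" and value == "*",
                                 "actions": stmt.get("Action")})
    return findings

# Constructed sample bucket policy; account IDs and bucket name are placeholders.
SAMPLE_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "InternalRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerRead", "Effect": "Allow",
     "Principal": {"AWS": ["222222222222", "arn:aws:iam::111111111111:root"]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}]})

if __name__ == "__main__":
    for finding in external_access_findings(SAMPLE_BUCKET_POLICY, {"111111111111"}):
        print(finding)
```

With account 111111111111 as the zone of trust, the partner account and the public ListBucket statement are reported; widening the zone to include 222222222222 leaves only the public finding.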

On rare occasions under certain conditions, IAM Access Analyzer does not receive
notification of an added or updated policy, which can cause delays in generated findings.
IAM Access Analyzer can take up to 6 hours to generate or resolve findings if you create or
delete a multi-region access point associated with an Amazon S3 bucket, or update the policy
for the multi-region access point. Also, if there is a delivery issue with AWS CloudTrail log
delivery, the policy change does not trigger a rescan of the resource reported in the finding.
When this happens, IAM Access Analyzer analyzes the new or updated policy during the
next periodic scan, which is within 24 hours. If you want to confirm a change you make to a
policy resolves an access issue reported in a finding, you can rescan the resource reported in a
finding by using the Rescan link in the Findings details page, or by using
the StartResourceScan operation of the IAM Access Analyzer API. To learn more,
see Resolving findings.
