This rule ensures that IAM Access Analyzer is enabled in all regions for improved security and compliance.
| Rule | Ensure that IAM Access Analyzer is enabled for all regions |
| Framework | cis_v140 |
| Severity | Critical |
Ensure that IAM Access Analyzer is Enabled for All Regions for CIS v1.4.0
Description of the Rule
IAM Access Analyzer is an AWS service that helps you identify the resources in your organization and accounts that are shared with an external entity. This is important for maintaining the principle of least privilege and ensuring that your AWS resources are not unintentionally exposed. According to the Center for Internet Security (CIS) AWS Foundations Benchmark v1.4.0, IAM Access Analyzer should be enabled in all regions to monitor for unintended resource sharing.
By enabling IAM Access Analyzer, you will:
Troubleshooting Steps
If IAM Access Analyzer isn’t enabled in all regions, you may have compliance issues regarding the CIS benchmark. To check the status of Access Analyzer and troubleshoot:
Necessary Codes or CLI Commands
To enable IAM Access Analyzer for all regions using the AWS CLI, follow these steps:
Step 1: Verify Current IAM Access Analyzer Status
Run the following AWS CLI command to list all analyzers:
aws accessanalyzer list-analyzers --region REGION_NAME
Replace REGION_NAME with your specific AWS region.
Step 2: Enable IAM Access Analyzer
If no analyzer is configured for a specific region, use the following command to create one:
aws accessanalyzer create-analyzer --analyzer-name "GlobalAnalyzer" --type "ACCOUNT" --archive-rules '[]' --region REGION_NAME
Repeat this command for each region where no analyzer is present. Replace REGION_NAME with that region's name, and make sure GlobalAnalyzer is not already in use by another analyzer in that region (create-analyzer fails with a conflict error if the name is taken).
Step by Step Guide for Remediation
Step 1: Sign into the AWS Management Console
Sign into the AWS Management Console and open the IAM Access Analyzer console at https://console.aws.amazon.com/access-analyzer/.
Step 2: Verify Analyzers
In the Access Analyzer console, check the list of analyzers to ensure that every region has one; analyzers are regional, so switch regions in the console to verify each.
Step 3: Create a New Analyzer
If a region has no analyzer, switch to that region and click on "Create analyzer."
Step 4: Review Findings
Once the analyzer is created, it will start analyzing resources and generate findings. Monitor and review these regularly to ensure no unwanted external access:
This step-by-step guide ensures that IAM Access Analyzer is enabled across all regions, helping adhere to the CIS AWS Foundations Benchmark v1.4.0 and enhancing your AWS security posture. Remember that maintaining IAM Access Analyzer is critical for ongoing security compliance. Regularly check for and remediate any findings that IAM Access Analyzer reports.
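The audit-and-remediate loop from Steps 1 and 2 of the CLI section, run across every enabled region, as an added Python/boto3 script that is not part of the original page. The compliance checks (`region_is_compliant`, `regions_missing_analyzer`) are pure functions that can be run against a captured list-analyzers response; the live helpers `collect_inventory` and `remediate`, the `ANALYZER_NAME` placeholder and the `--fix` flag are assumptions of this example.

```python
"""CIS v1.4.0: IAM Access Analyzer must be ACTIVE in every enabled region.
Added example, not the page's code. Live calls assume boto3 and credentials for
ec2:DescribeRegions, access-analyzer:ListAnalyzers/CreateAnalyzer."""
import sys

ANALYZER_NAME = "GlobalAnalyzer"  # placeholder; must not already exist in the region


def region_is_compliant(analyzers):
    """True if the 'analyzers' list from list-analyzers holds an ACTIVE one.
    CREATING, DISABLED and FAILED analyzers do not satisfy the control."""
    return any(a.get("status") == "ACTIVE" for a in analyzers)


def regions_missing_analyzer(inventory):
    """Given {region: analyzers-list}, return the regions failing the control."""
    return sorted(r for r, a in inventory.items() if not region_is_compliant(a))


# Constructed sample: two compliant regions, one disabled analyzer, one empty region.
SAMPLE_INVENTORY = {
    "us-east-1": [{"name": "GlobalAnalyzer", "type": "ACCOUNT", "status": "ACTIVE"}],
    "eu-west-1": [{"name": "OrgAnalyzer", "type": "ORGANIZATION", "status": "ACTIVE"}],
    "ap-south-1": [{"name": "OldOrgAnalyzer", "type": "ORGANIZATION", "status": "DISABLED"}],
    "us-west-2": [],
}


def collect_inventory(session):
    """Live: list analyzers in every region enabled for this account."""
    inventory = {}
    for region in session.client("ec2").describe_regions()["Regions"]:
        client = session.client("accessanalyzer", region_name=region["RegionName"])
        inventory[region["RegionName"]] = client.list_analyzers()["analyzers"]
    return inventory


def remediate(session, regions):
    """Live: create an account-level analyzer in each non-compliant region."""
    for region in regions:
        client = session.client("accessanalyzer", region_name=region)
        client.create_analyzer(analyzerName=ANALYZER_NAME, type="ACCOUNT")


if __name__ == "__main__":
    import boto3  # imported here so the pure checks above run without it
    session = boto3.session.Session()
    missing = regions_missing_analyzer(collect_inventory(session))
    print("non-compliant regions:", missing or "none")
    if missing and "--fix" in sys.argv:  # audit only unless --fix is given
        remediate(session, missing)
```

Run the script with no arguments to audit; only with `--fix` does it create analyzers, so the report can be reviewed before any change is made.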