Ensure IAM Access Analyzer Enabled for All Regions Rule

This rule checks that an active IAM Access Analyzer exists in every enabled region, so that resources shared outside the account (or organization) are surfaced as findings wherever they live.

Rule: Ensure that IAM Access Analyzer is enabled for all regions
Framework: cis_v140
Severity: Critical

Ensure that IAM Access Analyzer is Enabled for All Regions (CIS AWS Foundations Benchmark v1.4.0, control 1.20)

Description of the Rule

IAM Access Analyzer is an AWS service that identifies resources in your account or organization (S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, Secrets Manager secrets and others) whose resource-based policies grant access to a principal outside your zone of trust, that is, outside the account or organization the analyzer belongs to. This supports the principle of least privilege and catches unintended public or cross-account exposure. Analyzers are regional: an analyzer created in us-east-1 says nothing about resources in eu-west-1. For that reason the CIS AWS Foundations Benchmark v1.4.0 (control 1.20) requires an analyzer in every active region.

By enabling IAM Access Analyzer in a region, you will:

  • Have the resource-based policies of supported resources in that region analyzed automatically and continuously.
  • Identify resources that can be accessed publicly or from other accounts, organizations, or AWS services.
  • Receive a finding for each external access path, so you can confirm the access is intended (and archive the finding) or remove it.

Troubleshooting Steps

If IAM Access Analyzer is not enabled in every region, the account fails this CIS benchmark check. To check the status of Access Analyzer and troubleshoot:

  1. Navigate to the IAM Access Analyzer console.
  2. For each enabled region (use the region selector; the analyzer list is per region), confirm that an analyzer with status Active exists. If a region has none, or its analyzer is Disabled or Failed, create a new analyzer in that region.

Necessary Codes or CLI Commands

Because analyzers are regional, the check and the remediation below must be run once per enabled region. To enable IAM Access Analyzer for all regions using the AWS CLI, follow these steps:

Step 1: Verify Current IAM Access Analyzer Status

Run the following AWS CLI command to list the analyzers in one region:

aws accessanalyzer list-analyzers --region REGION_NAME

Replace REGION_NAME with the region you are checking. The region is covered when the returned analyzers list contains an entry of type ACCOUNT (or ORGANIZATION) with status ACTIVE. An empty list, or an analyzer whose status is DISABLED or FAILED, means the region is not covered.

Step 2: Enable IAM Access Analyzer

If no active analyzer exists in a region, use the following command to create one:

aws accessanalyzer create-analyzer --analyzer-name "GlobalAnalyzer" --type "ACCOUNT" --archive-rules '[]' --region REGION_NAME

Repeat this command for every enabled region that lacks an active analyzer, replacing REGION_NAME each time. Analyzer names only need to be unique within a region, so GlobalAnalyzer can be reused in every region; if a DISABLED or FAILED analyzer of that name already exists in the region, delete it first or choose another name, otherwise the call fails with a conflict error. The --archive-rules '[]' argument is optional and can be omitted, or replaced with archive rules for external access you have already reviewed and accept. From the organization management account or a delegated administrator, --type "ORGANIZATION" may be used instead of "ACCOUNT" to treat the whole organization as the zone of trust.
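The two CLI steps above, combined into one audit-and-remediate script that walks every enabled region, as an added example (not code from the original page or from AWS). It assumes the AWS CLI v2 is installed and the configured credentials allow ec2:DescribeRegions, access-analyzer:ListAnalyzers and access-analyzer:CreateAnalyzer. The analyzer name GlobalAnalyzer is taken from the page; the embedded sample responses are constructed to mirror the shape of list-analyzers output, including a DISABLED analyzer that must not count as coverage.

```python
"""Audit IAM Access Analyzer coverage across every enabled region and create
missing analyzers.

Added example; not code from the original page or from AWS. Assumes the AWS CLI
v2 is installed and configured with credentials allowed to call
ec2:DescribeRegions, access-analyzer:ListAnalyzers and
access-analyzer:CreateAnalyzer. SAMPLE_RESPONSES below is constructed data.
"""
import json
import subprocess
import sys

# Only ACCOUNT or ORGANIZATION analyzers satisfy the control, and only while they
# are ACTIVE (or still CREATING). DISABLED and FAILED analyzers produce no findings.
COVERING_TYPES = {"ACCOUNT", "ORGANIZATION"}
COVERING_STATUSES = {"ACTIVE", "CREATING"}


def has_covering_analyzer(list_analyzers_response):
    """True if a `list-analyzers` response contains an analyzer that covers the region."""
    for analyzer in list_analyzers_response.get("analyzers", []):
        if (analyzer.get("type") in COVERING_TYPES
                and analyzer.get("status") in COVERING_STATUSES):
            return True
    return False


def regions_missing_analyzer(responses_by_region):
    """Given region -> list-analyzers response, return the sorted regions lacking coverage."""
    return sorted(region for region, resp in responses_by_region.items()
                  if not has_covering_analyzer(resp))


def create_analyzer_command(region, name="GlobalAnalyzer", analyzer_type="ACCOUNT"):
    """argv for the remediation command from the page, for one region."""
    return ["aws", "accessanalyzer", "create-analyzer",
            "--analyzer-name", name, "--type", analyzer_type, "--region", region]


def _aws(*args):
    """Run one AWS CLI command and parse its JSON output."""
    result = subprocess.run(["aws", *args, "--output", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def audit(remediate=False):
    """Check every enabled region; optionally create the missing analyzers."""
    # describe-regions returns only enabled (opted-in) regions by default, which
    # matches the benchmark's "all active regions" wording.
    regions = _aws("ec2", "describe-regions", "--query", "Regions[].RegionName")
    responses = {r: _aws("accessanalyzer", "list-analyzers", "--region", r) for r in regions}
    missing = regions_missing_analyzer(responses)
    for region in missing:
        print(f"NON-COMPLIANT: no active analyzer in {region}")
        if remediate:
            # Fails with ConflictException if a DISABLED/FAILED analyzer with the same
            # name already exists in the region; delete it or choose another name.
            subprocess.run(create_analyzer_command(region), check=True)
    return missing


# Constructed sample mirroring list-analyzers output (not real account data).
SAMPLE_RESPONSES = {
    "us-east-1": {"analyzers": [{
        "arn": "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/GlobalAnalyzer",
        "name": "GlobalAnalyzer", "type": "ACCOUNT", "status": "ACTIVE"}]},
    "us-west-2": {"analyzers": [{
        "arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/OrgAnalyzer",
        "name": "OrgAnalyzer", "type": "ORGANIZATION", "status": "ACTIVE"}]},
    "eu-west-1": {"analyzers": [{  # exists, but disabled: does not count as coverage
        "arn": "arn:aws:access-analyzer:eu-west-1:111122223333:analyzer/GlobalAnalyzer",
        "name": "GlobalAnalyzer", "type": "ACCOUNT", "status": "DISABLED"}]},
    "ap-southeast-2": {"analyzers": []},
}

if __name__ == "__main__":
    # --dry-run evaluates the constructed sample; otherwise the live account is audited.
    if "--dry-run" in sys.argv:
        print("Regions missing coverage (sample):", regions_missing_analyzer(SAMPLE_RESPONSES))
    else:
        sys.exit(1 if audit(remediate="--remediate" in sys.argv) else 0)
```

Run it with --dry-run to see the evaluation logic on the sample, without arguments to report non-compliant regions for the live account (exit code 1 when any region is uncovered, which suits a CI or scheduled check), and with --remediate to create the missing analyzers.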

Step by Step Guide for Remediation

Step 1: Sign into the AWS Management Console

Sign into the AWS Management Console and open the IAM Access Analyzer console at https://console.aws.amazon.com/access-analyzer/.

Step 2: Verify Analyzers

The analyzer list in the Access Analyzer console shows only the currently selected region. Switch through every enabled region with the region selector and confirm each one has an analyzer with status Active.

Step 3: Create a New Analyzer

In each region without an active analyzer, click "Create analyzer."

  • Set the analyzer name (e.g., GlobalAnalyzer).
  • Under "Zone of trust," choose the current account (or the current organization, if you are in the management account or a delegated administrator).
  • Click "Create analyzer," then switch to the next region and repeat. There is no single option that creates analyzers in all regions at once.

Step 4: Review Findings

Once the analyzer is created, it will start analyzing resources and generate findings. Monitor and review these regularly to ensure no unwanted external access:

  • Navigate to the Access Analyzer console.
  • Click on "Findings."
  • Inspect each finding to understand which external principal can access the resource. Remove the access if it is unintended; if it is intended, archive the finding (or add an archive rule) so that the active findings list only shows unreviewed exposure.

This step-by-step guide ensures that IAM Access Analyzer is enabled across all regions, helping adhere to the CIS AWS Foundations Benchmark v1.4.0 and enhancing your AWS security posture. Remember that maintaining IAM Access Analyzer is critical for ongoing security compliance. Regularly check for and remediate any findings that IAM Access Analyzer reports.
