This rule ensures IAM Access Analyzer is enabled for all regions.
| Rule | Ensure that IAM Access Analyzer is enabled for all regions |
| Framework | cis_v150 |
| Severity | ✔ Critical |
Ensure that IAM Access Analyzer is Enabled for All Regions for CIS v1.5.0
Definition
AWS Identity and Access Management (IAM) Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This feature enables you to review and monitor these shared resources to ensure that your policies provide the intended level of access. The Center for Internet Security (CIS) AWS Foundations Benchmark v1.5.0 recommends enabling the IAM Access Analyzer for all regions to ensure you are aware of and can review any shared resource relationships.
Access Analyzer can be configured to analyze the entire organization or individual accounts. For the purpose of CIS v1.5.0 compliance, the analyzer should be set up across all regions within your AWS Management account.
Troubleshooting Steps
In the event that Access Analyzer is not enabled or functioning correctly, follow these steps:
Verify IAM Access Analyzer Status
Check for Region-Specific Issues
Permissions
Service Quotas
Necessary CLI Commands for Remediation
To enable IAM Access Analyzer across all regions using AWS CLI, you can follow these steps:
List Existing Analyzers
aws accessanalyzer list-analyzers --region us-east-1
Create Analyzer for Each Region
The following script loops through all enabled AWS regions and creates an analyzer in each region that does not already have one. Disabled (not opted-in) regions are filtered out, because Access Analyzer API calls fail there.
# Only regions that are enabled for the account can host an analyzer.
for region in $(aws ec2 describe-regions --all-regions \
    --filters "Name=opt-in-status,Values=opt-in-not-required,opted-in" \
    --query "Regions[].RegionName" --output text); do
  analyzers=$(aws accessanalyzer list-analyzers --region "$region" --output text --query "analyzers")
  if [ -z "$analyzers" ]; then
    aws accessanalyzer create-analyzer --region "$region" --analyzer-name "DefaultAnalyzer" --type "ORGANIZATION" --archive-rules '[]'
  else
    echo "Access Analyzer already exists in $region region"
  fi
done
Verify Analyzers in All Regions
Check that analyzers are correctly set up in all regions by re-running the list command for each region.
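The verification step above only tells you whether an analyzer object exists; for the CIS control what matters is that every enabled region has an analyzer whose status is ACTIVE (an analyzer left in CREATING, DISABLED or FAILED state is not monitoring anything). The following audit script is an added example, not part of this rule page or of any AWS tooling: it evaluates per-region list-analyzers responses and reports which regions still need remediation. The sample responses are constructed; the `collect_from_aws` helper shows how the same input would be gathered live with boto3 and is not used in the offline run.

```python
"""Audit IAM Access Analyzer coverage per region (CIS v1.5.0, all-regions check)."""
from typing import Dict, List

# Only an ACTIVE analyzer satisfies the control. Either ACCOUNT or ORGANIZATION
# type is accepted here; the page recommends ORGANIZATION from the management account.
COMPLIANT_STATUS = "ACTIVE"


def audit_access_analyzer(responses: Dict[str, dict]) -> Dict[str, str]:
    """Map region -> finding, given region -> list-analyzers response body."""
    findings: Dict[str, str] = {}
    for region, resp in sorted(responses.items()):
        analyzers = resp.get("analyzers", [])
        active = [a["name"] for a in analyzers if a.get("status") == COMPLIANT_STATUS]
        if active:
            findings[region] = "COMPLIANT (" + ", ".join(active) + ")"
        elif analyzers:  # analyzer exists but is not monitoring: still a finding
            states = ", ".join(f"{a['name']}={a.get('status')}" for a in analyzers)
            findings[region] = f"NON_COMPLIANT: no ACTIVE analyzer ({states})"
        else:
            findings[region] = "NON_COMPLIANT: no analyzer"
    return findings


def regions_needing_remediation(findings: Dict[str, str]) -> List[str]:
    """Regions to feed into the create-analyzer loop from the remediation steps."""
    return sorted(r for r, f in findings.items() if f.startswith("NON_COMPLIANT"))


def collect_from_aws(analyzer_type: str = "ORGANIZATION") -> Dict[str, dict]:
    """Live collection with boto3 (assumed available; not exercised offline)."""
    import boto3
    ec2 = boto3.client("ec2", region_name="us-east-1")
    enabled = ec2.describe_regions(Filters=[{"Name": "opt-in-status",
                                             "Values": ["opt-in-not-required", "opted-in"]}])
    out = {}
    for region in (r["RegionName"] for r in enabled["Regions"]):
        aa = boto3.client("accessanalyzer", region_name=region)
        out[region] = {"analyzers": aa.list_analyzers(type=analyzer_type)["analyzers"]}
    return out


# Constructed sample responses (not real account data).
SAMPLE_RESPONSES = {
    "us-east-1": {"analyzers": [{"name": "DefaultAnalyzer", "type": "ORGANIZATION", "status": "ACTIVE"}]},
    "eu-west-1": {"analyzers": [{"name": "DefaultAnalyzer", "type": "ORGANIZATION", "status": "DISABLED"}]},
    "us-west-2": {"analyzers": [{"name": "DefaultAnalyzer", "type": "ACCOUNT", "status": "CREATING"}]},
    "ap-south-1": {"analyzers": []},
}

if __name__ == "__main__":
    for region, finding in audit_access_analyzer(SAMPLE_RESPONSES).items():
        print(f"{region:12} {finding}")
```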
Step-by-Step Guide for Remediation
Navigate to the IAM Console
Access Analyzer
Create Analyzer
Select Type
Apply Across Regions
Review and Create
Automate with CLI or Infrastructure as Code (IaC)
Monitor and Review
Implementing these steps will help maintain compliance with the CIS AWS Foundations Benchmark and strengthen your account's security posture. Additionally, enabling IAM Access Analyzer across all regions demonstrates adherence to industry-standard security practices, which builds trust in your organization's online presence.