
Ensure IAM Access Analyzer Rule

This rule ensures IAM Access Analyzer is enabled for all regions.

Rule: Ensure that IAM Access Analyzer is enabled for all regions
Framework: cis_v150
Severity: Critical

Ensure that IAM Access Analyzer is Enabled for All Regions for CIS v1.5.0

Definition

AWS Identity and Access Management (IAM) Access Analyzer identifies resources in your accounts, such as Amazon S3 buckets, IAM roles, KMS keys or Lambda functions, whose resource-based policies grant access to a principal outside your zone of trust (an external account, a federated user, an anonymous principal, or a service). Each such grant becomes a finding that you can review, archive, or remediate, so you can confirm that your policies provide only the intended level of access. The Center for Internet Security (CIS) AWS Foundations Benchmark v1.5.0 recommends enabling IAM Access Analyzer in all regions so that every shared-resource relationship is surfaced and can be reviewed.

An analyzer's zone of trust is either the whole organization (type ORGANIZATION, which can only be created from the Organizations management account or a delegated administrator after trusted access is enabled for access-analyzer.amazonaws.com) or a single account (type ACCOUNT). Access Analyzer is a regional service: an analyzer only reports on resources in the region where it was created, so one analyzer is needed in every enabled region. For CIS v1.5.0 the check is that each enabled region in each in-scope account has at least one analyzer in status ACTIVE; an analyzer that exists but is CREATING, FAILED or DISABLED does not satisfy it.

Troubleshooting Steps

In the event that Access Analyzer is not enabled or functioning correctly, follow these steps:

  1. Verify IAM Access Analyzer Status

    • Navigate to IAM Console > Access Analyzer.
    • The console view is scoped to the region selected in the top-right region selector. Ensure that an analyzer with status Active is present in that region; if not, create one.

  2. Check for Region-Specific Issues

    • An analyzer only covers the region it was created in, so one must exist in every enabled region, regardless of whether that region currently holds any resources.
    • Confirm that analyzers are not present in only a few commonly used regions. Opt-in regions that have never been enabled for the account cannot host an analyzer and are out of scope.
    • An ORGANIZATION analyzer shows status Disabled when trusted access for Access Analyzer is removed from AWS Organizations; re-enable trusted access or replace it with an ACCOUNT analyzer.

  3. Permissions

    • Ensure that your IAM user or role has the permissions needed to create and manage analyzers (access-analyzer:CreateAnalyzer, access-analyzer:ListAnalyzers, access-analyzer:GetAnalyzer and related actions). Creating an ORGANIZATION analyzer additionally requires running from the management account or a delegated administrator.

  4. Service Quotas

    • Check whether a service quota is being hit that prevents an analyzer from being created (for example, the per-region limit on analyzers of a given type).

Necessary CLI Commands for Remediation

To enable IAM Access Analyzer across all regions using the AWS CLI, follow these steps:

  1. List Existing Analyzers

    Because Access Analyzer is regional, the list command reports only the region it is run against; repeat it per region (or use the loop in step 2).

    aws accessanalyzer list-analyzers --region us-east-1

  2. Create an Analyzer in Each Region

    The following script loops through every region enabled for the account and creates an analyzer where none is ACTIVE. It defaults to type ACCOUNT; set ANALYZER_TYPE=ORGANIZATION only when running from the management account or a delegated administrator with trusted access enabled (aws organizations enable-aws-service-access --service-principal access-analyzer.amazonaws.com). The original version of this loop used describe-regions --all-regions, which also returns opt-in regions that are not enabled and fail every API call, and it created an ORGANIZATION analyzer unconditionally; both are corrected here. If an analyzer named DefaultAnalyzer already exists in a non-ACTIVE state, create-analyzer fails with a conflict; delete or repair that analyzer first.

    # Use ACCOUNT unless ANALYZER_TYPE is set in the environment.
    ANALYZER_TYPE="${ANALYZER_TYPE:-ACCOUNT}"
    # describe-regions without --all-regions returns only regions enabled for this account.
    for region in $(aws ec2 describe-regions --query "Regions[].RegionName" --output text)
    do
        # Only an analyzer in status ACTIVE counts toward the CIS check.
        active=$(aws accessanalyzer list-analyzers --region "$region" \
                   --query "analyzers[?status=='ACTIVE'].name" --output text)
        if [ -z "$active" ]; then
            echo "Creating $ANALYZER_TYPE analyzer in $region"
            aws accessanalyzer create-analyzer --region "$region" \
                --analyzer-name "DefaultAnalyzer" --type "$ANALYZER_TYPE"
        else
            echo "Access Analyzer already active in $region: $active"
        fi
    done

  3. Verify Analyzers in All Regions

    Check that an ACTIVE analyzer is now present in every enabled region by re-running the list command per region, and confirm that newly created analyzers have left the CREATING state.
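The verification in step 3 is easier to trust when it is a script that fails loudly. The following audit script is an added example, not code from the original page or from the rule's vendor: it mirrors the CIS v1.5.0 check by walking every enabled region, requiring at least one analyzer in status ACTIVE, and exiting non-zero if any region is missing one. The compliance decision is isolated in region_compliant, which takes the text output of list-analyzers, so it can be exercised without credentials; the file name audit-access-analyzer.sh and the RUN_AUDIT switch are assumptions of this example. It needs AWS CLI v2 and credentials with access-analyzer:ListAnalyzers and ec2:DescribeRegions.

```shell
#!/usr/bin/env bash
# Added example: audit every enabled region for an ACTIVE IAM Access Analyzer,
# as CIS v1.5.0 requires, and exit non-zero if any region fails.
set -eu

# Decide whether one region is compliant from the text output of
#   aws accessanalyzer list-analyzers --query "analyzers[].[name,type,status]" --output text
# i.e. one tab-separated line per analyzer: name, type, status. Only status
# ACTIVE counts; CREATING, DISABLED or FAILED analyzers do not.
region_compliant() {
    printf '%s\n' "$1" | awk -F'\t' '$3 == "ACTIVE" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Summarise a region's analyzers as "name(type,status)" separated by spaces,
# or "none" when the region has no analyzer at all.
describe_analyzers() {
    if [ -z "$1" ]; then
        echo "none"
    else
        printf '%s\n' "$1" | awk -F'\t' \
            '{ printf "%s%s(%s,%s)", (NR > 1 ? " " : ""), $1, $2, $3 } END { print "" }'
    fi
}

# Regions the account can actually call. Opt-in regions that were never
# enabled cannot host an analyzer and would only produce AuthFailure errors.
enabled_regions() {
    aws ec2 describe-regions \
        --filters "Name=opt-in-status,Values=opt-in-not-required,opted-in" \
        --query "Regions[].RegionName" --output text
}

# Walk every enabled region, print PASS/FAIL per region, return non-zero on any FAIL.
audit_all_regions() {
    failures=0
    for region in $(enabled_regions); do
        analyzers=$(aws accessanalyzer list-analyzers --region "$region" \
            --query "analyzers[].[name,type,status]" --output text)
        if region_compliant "$analyzers"; then
            echo "PASS $region: $(describe_analyzers "$analyzers")"
        else
            echo "FAIL $region: $(describe_analyzers "$analyzers")"
            failures=$((failures + 1))
        fi
    done
    echo "$failures non-compliant region(s)"
    [ "$failures" -eq 0 ]
}

# The live audit runs only when explicitly requested, so the helpers can be
# sourced and exercised offline:  RUN_AUDIT=1 ./audit-access-analyzer.sh
if [ "${RUN_AUDIT:-0}" = "1" ]; then
    audit_all_regions
fi
```

Run it with RUN_AUDIT=1 after the remediation loop; a region that shows "DefaultAnalyzer(ORGANIZATION,DISABLED)" is a typical failure, and points at removed Organizations trusted access rather than a missing analyzer. Because the exit status reflects the result, the script can be dropped into a scheduled pipeline job as a standing compliance check.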

Step-by-Step Guide for Remediation

  1. Navigate to the IAM Console

    • Go to your AWS Management Console.
    • Open the IAM service.

  2. Access Analyzer

    • In the IAM console, select "Access Analyzer" in the left panel.

  3. Create Analyzer

    • Click "Create analyzer" if none exists in the currently selected region.
    • Provide a name for the analyzer.

  4. Select Type

    • When prompted for the zone of trust, select "Organization" to analyze every account in the organization, or "Account" to analyze only the current account. The Organization option is only available from the Organizations management account or a delegated administrator, and requires trusted access for Access Analyzer to be enabled in AWS Organizations.

  5. Apply Across Regions

    • The console creates the analyzer only in the region shown in the region selector. Switch to each enabled region in turn and repeat steps 2 through 4, since an analyzer does not cover other regions.

  6. Review and Create

    • Review your settings and create the analyzer. Wait for its status to change from Creating to Active.

  7. Automate with CLI or Infrastructure as Code (IaC)

    • Optionally, automate the setup across all regions using the AWS CLI loop above, or use IaC tools such as AWS CloudFormation (an AWS::AccessAnalyzer::Analyzer resource deployed as a StackSet across regions) or Terraform (an aws_accessanalyzer_analyzer resource per region provider).

  8. Monitor and Review

    • Regularly check each analyzer's findings, resolve those that expose resources unintentionally, and archive only the ones that reflect intended sharing. New analyzers can take some time to produce their initial findings.

Implementing these steps will help maintain compliance with the CIS AWS Foundations Benchmark and improve your account's security posture: with an active analyzer in every enabled region, any resource policy that grants access outside your zone of trust surfaces as a finding you can review instead of going unnoticed.
