AWS Identity and Access Management (IAM) is a crucial part of the AWS ecosystem. The service allows you to control access to different parts of your cloud environment. In fact, IAM has gotten so advanced that it can interact with pods and nodes—and even services running inside containers—directly, allowing for easier identification and access management.
That granular approach to access management, however, is not without its challenges. When you run a complex architecture on top of Amazon’s services, it is easy to miss key details in your identity and access management setup. A minor mistake in granting privileges could easily lead to serious security issues in today’s cyberattack-filled world.
Monitor Resource Policies
This is where IAM Access Analyzer comes in handy. Instead of allowing access management and security to limit your agility, IAM Analyzer simplifies the process of monitoring resource policies and access management. There are several reasons why this is a tool you want to activate and use right now, which we’ll review in this article.
AWS IAM Access Analyzer helps you identify the resources in your account, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. AWS Access Analyzer identifies the findings by using logic-based reasoning to analyze the resources based policies.
As of now, IAM Access Analyzer supports this service for only limited resources including:
- AWS IAM Identity and Access Management Roles
- AWS S3 buckets
- AWS KMS Keys
- AWS LAMBDA Functions and Layers
- Amazon Simple Queue Service Queues
Simplifying Access Management
AWS IAM Access Analyzer performs three main tasks, the first one being analyzing your entire AWS environment and gathering details about access management. After creating an analyzer – which we will get to in a bit – the service will scan supported resource policies inside your AWS account.
It will then generate a report detailing how access to different resources are organized in its present state. You can get details about resources that are accessible to certain users. You can also find information about resources that are accessible from outside the AWS account.
Using the report as your guide, you can immediately disable policies that are not meant to be present. This means you can control access in a holistic and secure way without having to go through every policy individually.
Analyzer provides a bird’s-eye view of the environment without the usual complication. It saves a lot of time too since you don’t have to analyze your resource policies manually. On top of that, you can use the analyzer across all AWS services, including S3, KMS, and AWS Lambda.
The initial analysis gives you immediate access to your resource policies. Any incorrect configurations and privileges can be identified immediately. It is also much easier to take corrective actions and strengthen your cloud security once the analysis is completed.
That said, manual analysis isn’t the only thing provided by Access Analyzer. The tool will also scan your cloud environment continuously. You will even receive details such as when a certain service was last accessed; you can disable access privileges that are no longer in use.
The detailed report can be accessed through AWS IAM directly. You also get the same findings on Amazon S3 console as well as the AWS Security Hub since both services are closely related to IAM and the Access Analyzer itself.
What’s interesting about Access Analyzer is how it employs automated reasoning for policy analysis. In simple terms, Amazon uses logic and algorithms to identify connections between resources and identify resource behaviors. The use of logic allows for deeper and more accurate mapping and analysis of cloud resources within the AWS ecosystem.
You can still define your zone of trust by configuring your IAM correctly. Access Analyzer will automatically accept the privileges you have defined while still making valuable findings available. If there are security risks involving access management or incorrect policies, the tool will include them in its reports.
As an added bonus, there is a way to trigger manual rescan of the entire ecosystem either through the console or via command line. A rescan helps you confirm anomalies. The logic behind analyzer will determine if the policies identified as incorrect or unsecured are actually breaking your security policies. The only downside is that you have to create an analyzer for every AWS region you use.
Let’s see an example process.
We might have multiple accounts for a project, as shown below. So, we usually need to provide some resources to communicate with the other accounts.
In the above image, we have given access to the required resources for Project XYZ Account to the Website Account and the Audit Account.
Here though, a scan has discovered that we have, unfortunately, and unintendedly, given resource access to the Project ABC Account to a resource. Thankfully, such findings can be found here and fixed accordingly.
After enabling IAM Access Analyzer, it will continuously scan your environment every 30minutes to check if there are any changes in supported resources.
The reported findings that AWS IAM Access Analyzer covers include the following:
For IAM roles, Access Analyzer analyzes trust policies.
- AWS S3 Buckets:
Access Analyzer analyzes bucket policies.
- AWS KMS Keys:
Access Analyzer analyzes the key policies and grants applied to a key. Access Analyzer generates a finding if a key policy or grant allows an external entity to access the key.
- AWS Lambda & AWS SQS:
Access Analyzer analyzes policies and includes conditions statements in a policy that grant access to the function to an external entity.
AWS IAM Access Analyzer Features
Archive rules automatically archive the latest Analyzer findings that meet the conditions you set when you configure a rule. For example, you can configure an archive rule to automatically archive any findings for a particular Amazon S3 bucket that you regularly grant access to.
In the Archive rule, we will specify the criteria. If any findings meet these criteria, the finding automatically goes under the ARCHIVED stage. This will be helpful when you are giving rules continuously to particular resources.
As of now AWS IAM Access Analyzer only supports service for a single AWS Account but later on it will support multi-accounts at an organization level.
We can create a cloud watch event to get notified when any findings occurred.
- Quickly analyze thousands of resource policies across your account.
- Continuously monitor the changes in policies.
Getting Started with AWS IAM Access Analyzer
You can enable Access Analyzer from the IAM console. Go to Access Analyzer > Create Analyzer to get started. You can then name the analyzer, define its region, and add tags if needed. A service role is automatically created when you create your first analyzer.
You also want to add the right privileges to the account used to create and access your analyzers. IAMAccessAnalyzerFullAccess is the default policy; it grants all permissions by default. Naturally, you have the ability to customize permissions by creating a custom policy.
Keep in mind that the policy you define for your analyzer will take up to 30 minutes to come into effect. If your analyzer doesn’t read policies immediately, give it time to adjust its privilege level and perform a complete analysis of your cloud environment.
Steps to Implement
- Once the service is enabled, we can configure it to start searching for findings in our chosen five areas. See below.
- The search has come back with two findings as you can see from the image, one is for S3 Bucket policy and one is showing the created cross-account role.
- Open a finding to see the entire details of the search.
- There, you will see two options called ‘Intended access’ and ‘Non intended [access]’.
- For access that has been intentionally created, we can simply click the correct option and archive the finding where it will be stored under the archived dashboard.
- Here, you can see an archived S3 bucket policy finding.
- If the finding is actually ‘Non-intended access’, we can redirect it to a required role or policy etc., and we can delete it.
And that’s all there is to it. Getting started with Analyzer is really that simple. As the AWS ecosystem becomes more mature, tools like Access Analyzer gives you the ability to construct complex cloud architecture for your apps without overcomplicating cloud identity and access management.
To optimize your security even further with AWS, don’t miss our post on Security Information Event Management (SIEM) in AWS
Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and make recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.