🛡️ AWS Account IAM Access Analyzer is not enabled for all regions🟢

• Contextual name: 🛡️ IAM Access Analyzer is not enabled for all regions🟢
• ID: /ce/ca/aws/account/iam-external-access-analyzer-for-all-regions
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY, RELIABILITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 AWS Account
  • 🔌 AWS Account - object.extracts.yaml
  • 🔌 AWS Account Region - object.extracts.yaml
  • 🔌 AWS IAM Access Analyzer - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: IAM Access Analyzer in Use
• Internal: dec-x-ab7fc52e

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-ab7fc52e	1

Description

Open File

Description

Enable IAM Access analyzer for IAM policies about all resources in each active AWS region.

IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.

Rationale

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS (Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.

... see more

Remediation

Open File

Remediation

From Console

Perform the following to enable IAM Access analyzer for IAM policies:

1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Choose Access analyzer.
3. Choose Create analyzer.
4. On the Create analyzer page, confirm that the Region displayed is the Region where you want to enable Access Analyzer.
5. Enter a name for the analyzer. (Optional as it will generate a name for you automatically).
6. Add any tags that you want to apply to the analyzer. (Optional).
7. Choose Create Analyzer.
8. Repeat these step for each active region.

From Command Line

Run the following command:

aws accessanalyzer create-analyzer --analyzer-name <NAME> --type <ACCOUNT|ORGANIZATION>

Repeat this command above for each active region.

Note: The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS AWS v1.3.0 → 💼 1.21 Ensure that IAM Access analyzer is enabled		1	1		no data
💼 CIS AWS v1.4.0 → 💼 1.20 Ensure that IAM Access analyzer is enabled for all regions		1	1		no data
💼 CIS AWS v1.5.0 → 💼 1.20 Ensure that IAM Access analyzer is enabled for all regions - Level 1 (Automated)		1	1		no data
💼 CIS AWS v2.0.0 → 💼 1.20 Ensure that IAM Access analyzer is enabled for all regions - Level 1 (Automated)		1	1		no data
💼 CIS AWS v3.0.0 → 💼 1.20 Ensure that IAM Access analyzer is enabled for all regions - Level 1 (Automated)		1	1		no data
💼 CIS AWS v4.0.0 → 💼 1.20 Ensure that IAM Access Analyzer is enabled for all regions (Automated)			1		no data
💼 CIS AWS v4.0.1 → 💼 1.20 Ensure that IAM Access Analyzer is enabled for all regions (Automated)			1		no data
💼 CIS AWS v5.0.0 → 💼 1.19 Ensure that IAM External Access Analyzer is enabled for all regions (Automated)			1		no data
💼 CIS AWS v6.0.0 → 💼 2.19 Ensure that IAM External Access Analyzer is enabled for all regions (Automated)			1		no data
💼 Cloudaware Framework → 💼 Secure Access			57		no data
💼 Cloudaware Framework → 💼 System Configuration			45		no data
💼 FedRAMP High Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			16		no data
💼 FedRAMP High Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)		6	7		no data
💼 FedRAMP High Security Controls → 💼 AC-2(12) Account Monitoring for Atypical Usage (M)(H)		1	2		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	68		no data
💼 FedRAMP High Security Controls → 💼 AC-6(1) Authorize Access to Security Functions (M)(H)		4	4		no data
💼 FedRAMP High Security Controls → 💼 AC-6(5) Privileged Accounts (M)(H)		3	5		no data
💼 FedRAMP High Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)		7	26		no data
💼 FedRAMP High Security Controls → 💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)		1	4		no data
💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)	6	20	32		no data
💼 FedRAMP High Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)	2		65		no data
💼 FedRAMP High Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H)	2	14	16		no data
💼 FedRAMP High Security Controls → 💼 CM-5(5) Privilege Limitation for Production and Operation (M)(H)		1	1		no data
💼 FedRAMP High Security Controls → 💼 SI-4(20) Privileged Users (H)		48	51		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68		no data
💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)			24		no data
💼 FedRAMP Low Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			65		no data
💼 FedRAMP Low Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H)			8		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(4) Automated Audit Actions (M)(H)			16		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(7) Privileged User Accounts (M)(H)			7		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(12) Account Monitoring for Atypical Usage (M)(H)			2		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(1) Authorize Access to Security Functions (M)(H)			4		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(5) Privileged Accounts (M)(H)			5		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(9) Log Use of Privileged Functions (M)(H)			26		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)			4		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)	2		32		no data
💼 FedRAMP Moderate Security Controls → 💼 AU-12 Audit Record Generation (L)(M)(H)			65		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H)	2		16		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-5(5) Privilege Limitation for Production and Operation (M)(H)			1		no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.3 Management of privileged access rights		3	12		no data
💼 ISO/IEC 27001:2013 → 💼 A.9.2.5 Review of user access rights		1	1		no data
💼 ISO/IEC 27001:2013 → 💼 A.16.1.2 Reporting information security events		9	10		no data
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated		29	33		no data
💼 NIST CSF v1.1 → 💼 PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes		19	34		no data
💼 NIST CSF v1.1 → 💼 PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties		17	56		no data
💼 NIST CSF v1.1 → 💼 PR.DS-5: Protections against data leaks are implemented		47	91		no data
💼 NIST CSF v1.1 → 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)		4	26		no data
💼 NIST CSF v1.1 → 💼 RS.CO-2: Incidents are reported consistent with established criteria		19	22		no data
💼 NIST CSF v1.1 → 💼 RS.CO-3: Information is shared consistent with response plans		16	18		no data
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools			33		no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events			145		no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events			85		no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events			142		no data
💼 NIST CSF v2.0 → 💼 PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization			42		no data
💼 NIST CSF v2.0 → 💼 PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties			116		no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected			148		no data
💼 NIST CSF v2.0 → 💼 PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected			125		no data
💼 NIST CSF v2.0 → 💼 PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected			142		no data
💼 NIST CSF v2.0 → 💼 RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging			22		no data
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents			31		no data
💼 NIST CSF v2.0 → 💼 RS.CO-03: Information is shared with designated internal and external stakeholders			19		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(4) Account Management _ Automated Audit Actions		14	16		no data
💼 NIST SP 800-53 Revision 5 → 💼 AU-12 Audit Record Generation	4	47	65		no data
💼 PCI DSS v3.2.1 → 💼 8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.		1	1		no data
💼 PCI DSS v3.2.1 → 💼 10.2.1 All individual user accesses to cardholder data.		4	14		no data
💼 PCI DSS v3.2.1 → 💼 10.2.4 Invalid logical access attempts.		4	14		no data
💼 PCI DSS v3.2.1 → 💼 10.5.2 Protect audit trail files from unauthorized modifications.		1	4		no data
💼 PCI DSS v3.2.1 → 💼 10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts.		1	2		no data
💼 PCI DSS v4.0.1 → 💼 8.2.4 Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed.			1		no data
💼 PCI DSS v4.0.1 → 💼 10.2.1.1 Audit logs capture all individual user access to cardholder data.			14		no data
💼 PCI DSS v4.0.1 → 💼 10.2.1.4 Audit logs capture all invalid logical access attempts.			14		no data
💼 PCI DSS v4.0.1 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals.			4		no data
💼 PCI DSS v4.0.1 → 💼 10.3.4 File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.			2		no data
💼 PCI DSS v4.0 → 💼 8.2.4 Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed.			1		no data
💼 PCI DSS v4.0 → 💼 10.2.1.1 Audit logs capture all individual user access to cardholder data.		1	14		no data
💼 PCI DSS v4.0 → 💼 10.2.1.4 Audit logs capture all invalid logical access attempts.		1	14		no data
💼 PCI DSS v4.0 → 💼 10.3.2 Audit log files are protected to prevent modifications by individuals.		2	4		no data
💼 PCI DSS v4.0 → 💼 10.3.4 File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts.		2	2		no data
💼 SOC 2 → 💼 CC6.1-8 Manages Identification and Authentication		18	24		no data
💼 SOC 2 → 💼 CC6.6-3 Requires Additional Authentication or Credentials		4	6		no data