Skip to main content

πŸ“ AWS Account IAM Access Analyzer is not enabled for all regions 🟒

  • Contextual name: πŸ“ IAM Access Analyzer is not enabled for all regions 🟒
  • ID: /ce/ca/aws/account/iam-external-access-analyzer-for-all-regions
  • Located in: πŸ“ AWS Account

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY
    • RELIABILITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-ab7fc52e1

Logic​

Description​

Open File

Description​

Enable IAM Access analyzer for IAM policies about all resources in each active AWS region.

IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.

Rationale​

AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data. Access Analyzer identifies resources that are shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. IAM Access Analyzer continuously monitors all policies for S3 bucket, IAM roles, KMS (Key Management Service) keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.

... see more

Remediation​

Open File

Remediation​

From Console​

Perform the following to enable IAM Access analyzer for IAM policies:

  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. Choose Access analyzer.
  3. Choose Create analyzer.
  4. On the Create analyzer page, confirm that the Region displayed is the Region where you want to enable Access Analyzer.
  5. Enter a name for the analyzer. (Optional as it will generate a name for you automatically).
  6. Add any tags that you want to apply to the analyzer. (Optional).
  7. Choose Create Analyzer.
  8. Repeat these step for each active region.

From Command Line​

Run the following command:

aws accessanalyzer create-analyzer --analyzer-name <NAME> --type <ACCOUNT|ORGANIZATION>

Repeat this command above for each active region.

Note: The IAM Access Analyzer is successfully configured only when the account you use has the necessary permissions.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS AWS v1.3.0 β†’ πŸ’Ό 1.21 Ensure that IAM Access analyzer is enabled11
πŸ’Ό CIS AWS v1.4.0 β†’ πŸ’Ό 1.20 Ensure that IAM Access analyzer is enabled for all regions11
πŸ’Ό CIS AWS v1.5.0 β†’ πŸ’Ό 1.20 Ensure that IAM Access analyzer is enabled for all regions - Level 1 (Automated)11
πŸ’Ό CIS AWS v2.0.0 β†’ πŸ’Ό 1.20 Ensure that IAM Access analyzer is enabled for all regions - Level 1 (Automated)11
πŸ’Ό CIS AWS v3.0.0 β†’ πŸ’Ό 1.20 Ensure that IAM Access analyzer is enabled for all regions - Level 1 (Automated)11
πŸ’Ό CIS AWS v4.0.0 β†’ πŸ’Ό 1.20 Ensure that IAM Access Analyzer is enabled for all regions (Automated)1
πŸ’Ό CIS AWS v4.0.1 β†’ πŸ’Ό 1.20 Ensure that IAM Access Analyzer is enabled for all regions (Automated)1
πŸ’Ό CIS AWS v5.0.0 β†’ πŸ’Ό 1.19 Ensure that IAM External Access Analyzer is enabled for all regions (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Secure Access43
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό System Configuration24
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(4) Automated Audit Actions (M)(H)113
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(7) Privileged User Accounts (M)(H)67
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-2(12) Account Monitoring for Atypical Usage (M)(H)22
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3747
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(1) Authorize Access to Security Functions (M)(H)44
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(5) Privileged Accounts (M)(H)35
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)723
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)13
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)62126
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)247
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-5 Access Restrictions for Change (L)(M)(H)21517
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-5(5) Privilege Limitation for Production and Operation (M)(H)11
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SI-4(20) Privileged Users (H)4648
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)23
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)47
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό CM-5 Access Restrictions for Change (L)(M)(H)8
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(4) Automated Audit Actions (M)(H)13
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(7) Privileged User Accounts (M)(H)7
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-2(12) Account Monitoring for Atypical Usage (M)(H)2
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6(1) Authorize Access to Security Functions (M)(H)4
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6(5) Privileged Accounts (M)(H)5
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6(9) Log Use of Privileged Functions (M)(H)23
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-6(10) Prohibit Non-privileged Users from Executing Privileged Functions (M)(H)3
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H)226
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)47
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-5 Access Restrictions for Change (L)(M)(H)217
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-5(5) Privilege Limitation for Production and Operation (M)(H)1
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.2.3 Management of privileged access rights34
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.9.2.5 Review of user access rights11
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.16.1.2 Reporting information security events910
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.DP-4: Event detection information is communicated3033
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes1922
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties1735
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4351
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)414
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.CO-2: Incidents are reported consistent with established criteria2023
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό RS.CO-3: Information is shared consistent with response plans1617
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-06: Information on adverse events is provided to authorized staff and tools33
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events83
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events59
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events89
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization23
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties58
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected82
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected69
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected67
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging23
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.CO-02: Internal and external stakeholders are notified of incidents30
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.CO-03: Information is shared with designated internal and external stakeholders17
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-2(4) Account Management _ Automated Audit Actions1113
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-12 Audit Record Generation44547
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.11
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 8.2.4 Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed.1
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 8.2.4 Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed.1