Building an AWS Organization? Be sure to integrate….AWS IAM Access Analyzer


If you’re building an AWS Organization, or getting ready to deploy a new organization using AWS Control Tower, be advised that there are very helpful AWS services that can be integrated into your organization. In this “Be sure to integrate…” series, we’ll look at 3 baseline services that should be enabled and integrated into your AWS Organization….AWS Security Hub, AWS GuardDuty, and AWS IAM Access Analyzer.

In the first post, we looked at AWS Security Hub; in the second, AWS GuardDuty. In this post, we'll cover AWS IAM Access Analyzer.

AWS IAM Access Analyzer

IAM Access Analyzer is a regional AWS service that identifies resources whose policies grant access to principals outside your defined "zone of trust". At the time of writing, Access Analyzer supports the following resource types:

  • S3 Buckets
  • IAM Roles
  • Key Management Service (KMS) keys
  • Lambda functions and layers
  • SQS Queues
  • Secrets Manager Secrets

To get started with Access Analyzer, you must first create an analyzer and define its zone of trust. The zone of trust determines the scope of analyzed resources and can be set to either Organization or Account. If, for example, Organization is selected as the zone of trust, principals within that organization with access to a given resource are considered trusted. Principals in any other AWS account or organization, as well as anonymous (public) access, are considered untrusted.

Figure 1: Setting the Zone of trust for IAM Access Analyzer

When an analysis determines that a supported resource is accessible from outside the zone of trust, Access Analyzer generates a finding. The finding identifies the resource, the external principal, the actions granted, and any conditions attached to that access. Use this information to decide whether the access is intended or a security risk requiring remediation.

Integrating IAM Access Analyzer with AWS Organizations

Like Security Hub and GuardDuty, IAM Access Analyzer can be integrated with AWS Organizations. This lets you designate an AWS account as the Delegated Administrator, from which you create an analyzer with the whole organization as its zone of trust and review findings for every member account from a single place.

  1. To get started, identify the AWS account that will serve as the Access Analyzer Delegated Administrator and note its account ID. In this example case, the account ID will be 123456789123.

2. Log in to the Organization Management Account and open the IAM console.

3. Under the Access analyzer options, click Settings. On the Settings page, click Add delegated administrator.

Figure 2: Add Delegated Administrator

4. On the Change delegated administrator page, enter the delegated administrator account ID and click Save changes.

Figure 3: Specify Delegated Administrator and Save Changes

5. The Delegated administrator account is specified as shown below:

Figure 4: The Delegated Administrator for the Organization is specified

6. Next, create an analyzer in the delegated administrator account. Log in to that account, open the IAM console, and click Access analyzer | Create analyzer.

Figure 5: Access Analyzer page for the Delegated Administrator Account

7. On the Create analyzer page, enter a Name for the analyzer, specify the Zone of trust (Organization), and add any relevant tags. Click Create analyzer. Because Access Analyzer is regional, repeat this step in each Region you want covered.

Figure 6: Create Analyzer

8. Once the organization has been scanned, any active findings are displayed as shown below:

Figure 7: Access Analyzer Active Findings

9. Open a finding to review its details. If the access is expected, click Archive to mark the finding as intended access. If the access is not intended, edit the policy (or, for an S3 bucket, its access settings) of the noted resource to remove the external access; Access Analyzer rescans the resource and marks the finding resolved once the access is gone.

Figure 8: Access Analyzer Finding Details

Want to use the CLI?

If you would rather use the CLI, here are the commands required to integrate Access Analyzer with AWS Organizations, under the following assumptions:

  • The Delegated Administrator account ID is 234598760742
  • The .aws\credentials file includes 2 profiles:
    • Mgmt = the Management Account
    • Security = the Security account, which is the Delegated Administrator

Next, there are 3 basic commands:

  • Under the Management Account Profile
    • Enable the service principal
    • Specify the Access Analyzer Delegated Administrator Account
  • As the Delegated Administrator Profile
    • Create an Analyzer

To enable the service principal and designate the delegated administrator account (both calls run against the management account, and the service principal for IAM Access Analyzer is access-analyzer.amazonaws.com):

  • aws organizations enable-aws-service-access --service-principal access-analyzer.amazonaws.com --profile Mgmt
  • aws organizations register-delegated-administrator --account-id 234598760742 --service-principal access-analyzer.amazonaws.com --profile Mgmt

To create an analyzer in the delegated administrator account (the --type value is the upper-case enum ORGANIZATION; because Access Analyzer is regional, run this once per Region you want covered, selecting the Region with --region or the profile's default):

aws accessanalyzer create-analyzer --analyzer-name <name> --type ORGANIZATION --profile Security

Want to use the API?

This is just a little extra bonus coverage, but at one point I thought I "had to" enable the service principal using the AWS API, based on something I read online. To this end, I started messing with the AWS SDK for Python via CloudShell. I'm not going to go into too much detail here, but I'll drop some basic sample code and you can customize it for your purposes as your homework.

In the Mgmt Account:

Figure 9: Python Code to Specify the Access Analyzer Delegated Administrator Account

Create the Analyzer in the Delegated Admin Account:

Figure 10: Create an Access Analyzer in the Delegated Administrator Account
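The following is an added example written for this page, not the screenshot code from the post or an AWS sample. It performs the same three integration steps as the CLI section (enable trusted access and register the delegated administrator from the management account, then create the organization analyzer from the delegated administrator account) with boto3, makes each step idempotent so it can be re-run safely, and then does a first pass over the findings the way step 9 describes: archive findings for access you have already approved, and list the rest for remediation. The profile names Mgmt and Security and the account ID 234598760742 come from the CLI section above; the analyzer name "org-analyzer", the tag, and the pre-approved account 999999999999 are assumptions for illustration. The functions take the boto3 clients as parameters so they can be exercised without AWS credentials.

```python
"""Idempotent boto3 version of the three integration steps in this post, plus a
first pass at triaging the findings the organization analyzer produces.

Added example for this page, not the post's own code. Profile names "Mgmt" and
"Security" and the delegated administrator 234598760742 come from the post's CLI
section; the analyzer name, tag and pre-approved account are assumptions.
"""

ACCESS_ANALYZER_PRINCIPAL = "access-analyzer.amazonaws.com"
DELEGATED_ADMIN_ID = "234598760742"
ANALYZER_NAME = "org-analyzer"  # assumed name


def _paginate(call, key, token_key, **kwargs):
    """Walk a token-paginated API call. Organizations uses NextToken and
    Access Analyzer uses nextToken, so the token key is a parameter."""
    token = None
    while True:
        resp = call(**kwargs, **({token_key: token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get(token_key)
        if not token:
            return


def ensure_delegated_admin(org, account_id=DELEGATED_ADMIN_ID):
    """Management account: enable trusted access for Access Analyzer and
    register `account_id` as its delegated administrator. Each call is skipped
    when already done, so the function is safe to re-run."""
    enabled = {s["ServicePrincipal"] for s in _paginate(
        org.list_aws_service_access_for_organization,
        "EnabledServicePrincipals", "NextToken")}
    if ACCESS_ANALYZER_PRINCIPAL not in enabled:
        org.enable_aws_service_access(ServicePrincipal=ACCESS_ANALYZER_PRINCIPAL)

    admins = {a["Id"] for a in _paginate(
        org.list_delegated_administrators, "DelegatedAdministrators",
        "NextToken", ServicePrincipal=ACCESS_ANALYZER_PRINCIPAL)}
    if account_id not in admins:
        org.register_delegated_administrator(
            AccountId=account_id, ServicePrincipal=ACCESS_ANALYZER_PRINCIPAL)
    return {"enabled_before": ACCESS_ANALYZER_PRINCIPAL in enabled,
            "registered_before": account_id in admins}


def ensure_org_analyzer(aa, name=ANALYZER_NAME):
    """Delegated administrator account: return the ARN of the organization
    analyzer in this Region, creating one if none exists. The type is the
    upper-case enum value; the console's "Organization" label is rejected."""
    for analyzer in _paginate(aa.list_analyzers, "analyzers", "nextToken",
                              type="ORGANIZATION"):
        return analyzer["arn"]
    return aa.create_analyzer(analyzerName=name, type="ORGANIZATION",
                              tags={"owner": "security"})["arn"]


def principal_account(finding):
    """Account ID behind an 'AWS' principal, given as a bare ID or an ARN."""
    p = finding.get("principal", {}).get("AWS", "")
    return p.split(":")[4] if p.startswith("arn:") else p


def triage_findings(aa, analyzer_arn, trusted_accounts=frozenset()):
    """Split ACTIVE findings in two: public access, or access from an account
    not on the pre-approved list, needs remediation; access from a pre-approved
    account is archived as intended, which is what the console's Archive button
    does. Returns (archived finding ids, findings still needing attention)."""
    archive, remediate = [], []
    for f in _paginate(aa.list_findings, "findings", "nextToken",
                       analyzerArn=analyzer_arn,
                       filter={"status": {"eq": ["ACTIVE"]}}):
        if not f.get("isPublic") and principal_account(f) in trusted_accounts:
            archive.append(f["id"])
        else:
            remediate.append(f)
    if archive:
        aa.update_findings(analyzerArn=analyzer_arn, status="ARCHIVED", ids=archive)
    return archive, remediate


if __name__ == "__main__":
    import boto3  # real clients only when run directly; Region comes from each profile

    ensure_delegated_admin(boto3.Session(profile_name="Mgmt").client("organizations"))
    aa = boto3.Session(profile_name="Security").client("accessanalyzer")
    arn = ensure_org_analyzer(aa)
    # 999999999999 is an assumed stand-in for a partner account already approved
    archived, todo = triage_findings(aa, arn, trusted_accounts={"999999999999"})
    print(f"archived {len(archived)} intended-access findings")
    for f in todo:
        who = "public" if f.get("isPublic") else principal_account(f)
        print(f"REVIEW {f['resourceType']} {f['resource']} <- {who}: {f.get('action')}")
```

Run it once per Region from a host with both profiles configured. Note that a public finding (isPublic) is never archived automatically here, whatever the principal field says: public access to a bucket, key or queue is the case most worth a human look.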

Final Thoughts….

Enable and use IAM Access Analyzer to track, and where necessary adjust, access to your resources by principals outside your zone of trust. Like Security Hub and GuardDuty, Access Analyzer can be a valuable part of your overall security defense, especially with its ability to integrate with AWS Organizations. It will be exciting to see how AWS adds to the functionality of all 3 of these tools as we move forward.
