StackZone Feature: IAM Access Analyzer


Ryan Ware

Last Update 2 months ago

AWS IAM Access Analyzer

AWS Access Analyzer helps identify resources within your AWS Organization and accounts that are shared with an external entity. This is not limited to "public resources"; it also covers the grey area that can arise when a resource is thought to be private but remains accessible to entities outside of your AWS Organization. This allows you to identify unintended access, which can be a potential security risk.


The supported Access Analyzer AWS resource types include, but are not limited to, S3 Buckets, IAM Roles, KMS Keys, Lambda Functions and Layers, SQS Queues and Secrets Manager Secrets.


StackZone can enable AWS IAM Access Analyzer for you and will deploy an analyzer for your entire organization. This is done within the designated Security Account. Once deployed, the Organization is the "zone of trust" for the Access Analyzer. Any access to resources by principals within your zone of trust is considered trusted.



When analyzing the policies, if Access Analyzer identifies one that grants access to an external principal that isn't within your zone of trust, it generates a finding. Each finding includes details about the resource, the external entity with access to it, and the permissions granted so that you can take appropriate action. You can view the details included in the finding to determine whether the resource access is intentional or a potential risk that you should resolve. When you add a policy to a resource, or update an existing policy, Access Analyzer analyzes the policy. Access Analyzer also analyzes all resource-based policies periodically.


For more information about AWS IAM Access Analyzer, see the official AWS documentation, which goes into further depth and detail on how access is analyzed.


Access Analyzer Findings

Access Analyzer generates a finding for each instance of a resource-based policy that grants access to a resource within your zone of trust to a principal that is not within your zone of trust. Remember that your zone of trust is your entire AWS Organization. Any principal within your Organization is considered trusted. Any sharing of access within this zone of trust is considered safe and intended by the Access Analyzer, so a finding is not generated.


For example, if you select an organization as the zone of trust for an analyzer, all resources and principals in the organization are within the zone of trust. If you grant permissions to an S3 bucket in one of your organization member accounts to a principal in another organization member account, Access Analyzer does not generate a finding. But if you grant permission to a principal in an account that is not a member of the organization, Access Analyzer generates a finding.
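The zone-of-trust rule described above can be sketched as a small policy check. This is an added example, not StackZone or AWS code, and only a simplified model of the decision: the account IDs, organization ID and bucket name are constructed placeholders, and only `AWS` principals and the `aws:PrincipalOrgID` condition key are modelled.

```python
# Simplified model of the zone-of-trust decision (added example, not AWS's algorithm).
# Account IDs, the organization ID and the bucket ARN are constructed placeholders.
ORG_ID = "o-exampleorg1"
ORG_ACCOUNTS = {"111111111111", "222222222222"}
BUCKET = "arn:aws:s3:::example-bucket"

SAMPLE_POLICY = {"Statement": [
    {"Sid": "MemberRead", "Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"}},
    {"Sid": "PartnerRead", "Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Principal": {"AWS": "arn:aws:iam::999999999999:root"}},
    {"Sid": "OrgWide", "Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Principal": "*", "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    {"Sid": "PublicList", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Principal": {"AWS": "*"}},
]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def account_of(principal):
    """Account ID from an IAM ARN; a bare account ID is returned unchanged."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def limited_to_org(statement, org_id):
    """True when StringEquals on aws:PrincipalOrgID allows only our organization."""
    equals = statement.get("Condition", {}).get("StringEquals", {})
    values = [v for key, val in equals.items() if key.lower() == "aws:principalorgid"
              for v in as_list(val)]
    return bool(values) and all(v == org_id for v in values)

def external_grants(policy, org_accounts=ORG_ACCOUNTS, org_id=ORG_ID):
    """Return (Sid, principal) pairs that reach outside the zone of trust."""
    hits = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or limited_to_org(stmt, org_id):
            continue
        principal = stmt.get("Principal", {})
        # Only AWS principals are modelled; Service/Federated entries are skipped.
        names = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for name in names:
            if name == "*" or account_of(name) not in org_accounts:
                hits.append((stmt.get("Sid"), name))
    return hits

if __name__ == "__main__":
    for sid, who in external_grants(SAMPLE_POLICY):
        print(f"finding: statement {sid} grants access to {who}")
```

The member-account grant and the organization-scoped wildcard produce nothing, while the grant to the non-member account and the unconditioned wildcard are reported.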

How to Enable StackZone IAM Access Analyzer

Below you will see an example of how you can enable IAM Access Analyzer within the StackZone Console.


First, head to your list of Core Accounts under Provisioning on the left-hand side panel. From here, open the Security Account, which is where this feature is enabled.


From the list of resources available for the Security Account, choose IAM Access Analyzer. Once Edit Mode is enabled, toggle the IAM Access Analyzer "on" and then save your settings. You can also enable the Unused Access Analyzer, which focuses on Unused IAM Access.


Note: We only deploy the Unused Access Analyzer to your Primary Region to stop global resources such as IAM being scanned multiple times as this can be a costly service.


Remember, once you have saved your settings you will need to go to Status -> Deploy Draft to push this StackZone Configuration to your AWS environment.


What does StackZone create for me when I enable this?

This is quite a lightweight application if you choose to enable this feature with StackZone. StackZone will create an Analyzer which is set to the scope of Organization. (There exists the option to create an Analyzer to the scope of an Account, but this is not what we want here. As StackZone creates an Organization for you, it's better to create one which is Org-wide and can be centralized in the Security account.)

And that's it! No extra pieces built. The Access Analyzer is built within your designated Security AWS Account. The Unused Access Analyzer is also constructed here, but operates as a separate Analyzer in AWS so you can split the results between Used Access and Unused Access.

