☁️
CTHFM: AWS
  • Welcome
  • Getting Started
    • Account Setup
  • AWS CLI
    • AWS CLI Overview
    • Installation
  • AWS Fundamentals
    • AWS Documentation
    • AWS Shared Responsibility Model
    • Organizational Hierarchy
    • AWS Principals
    • IAM Fundamentals
      • IAM Policy Components
      • IAM Documentation References
    • AWS Security Services Overview
    • AWS Core Services
    • AWS Frameworks
    • Regions and Availability Zones
  • SQL
    • SQL Refresher for Threat Hunting
  • Logging Reference
    • Cloudtrail
      • What is Cloudtrail?
      • Setting Up Cloudtrail
      • Cloudtrail Events Structure
      • Filtering and Searching CloudTrail Logs
      • IAM ID Prefixes
      • Additional Resources
      • API References
    • VPCFlow Logs
    • GuardDuty
      • Multi-Account Setup
      • GuardDuty Concepts
      • GuardDuty Finding References
      • S3 Protection
      • Malware Protection
        • EC2 Malware Protection
          • EC2 Protection Resources
          • Monitoring Scans
          • EC2 Malware Protection Events: CloudWatch
        • S3 Malware Protection
          • Enabling S3 Malware Protection
          • After Enabling S3 Malware Protection
          • S3 Malware Resource Plan Status
          • S3 Malware Protection Quotas
      • RDS Protection Enablement
      • Lambda Protection Enablement
      • Trusted IP Lists and Threat Lists in Amazon GuardDuty
      • Remediation Recommendations
      • GuardDuty API Reference
      • GuardDuty Quotas
    • Access Analyzer
      • Setup
      • External Access and Unused Access Analyzer Findings
      • Review Findings
      • Access Analyzer Resources
      • Access Analyzer API Reference
    • AWS Network Firewall
      • Permissions
      • Firewall Log Contents
      • Logging Destinations
      • CloudWatch Firewall Metrics
    • AWS Config
      • Resource Management in AWS Config
      • AWS Config Integrations
      • AWS Config Resources
      • Configuration Item
      • Config Rules
        • Evaluation Modes
  • CloudWatch
    • Amazon CloudWatch
      • CloudWatch Concepts
      • CloudWatch Metrics
        • Filter Pattern Syntax
      • CloudWatch Alarms
        • Alarm Recommendations
      • Subscriptions
      • CloudWatch Agent
      • CloudWatch Insights
        • Supported Logs and Discovered Fields
        • CloudWatch Insights Query Syntax
      • Anomaly Detection
        • Create Anomaly Detector
        • Alarms for Anomaly Detections
      • CloudWatch Filter Syntax
      • CloudWatch Service Quota
  • Athena For Threat Hunting
    • Introduction to Athena
    • Setting Up Athena
    • SQL For Threat Hunters
    • Automated Response
    • Query Best Practices
  • AWS Security Research and Resources
    • AWS Security Blog
    • AWS Goat
    • Cloud Goat
    • Pacu
    • Prowler
    • Scout Suite
  • Threat Hunting in AWS
    • Threat Hunting in AWS
    • Threat Hunting Introduction
    • Threat Hunting Process
      • Hypothesis Generation
      • Investigation
      • Identification
      • Resolution & Follow Up
    • Pyramid of Pain
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Att&CK Data Sources
      • MITRE Att&CK Mitigations
    • MITRE Att&ck: AWS
      • MITRE Att&CK Matrix
      • Amazon Web Services Security Control Mappings
    • AWS Threat Hunting Ideas
      • AWS Threat Hunting Ideas: EC2
      • AWS Threat Hunting Ideas: Lambda
      • AWS Threat Hunting Ideas: SQS
      • AWS Threat Hunting Ideas: SNS
      • AWS Threat Hunting Ideas: RDS
Powered by GitBook
On this page
  • Overview
  • Access the Findings Dashboard
  • External Access Findings
  • Unused Access Findings
  • Managing Findings
  1. Logging Reference
  2. Access Analyzer

Review Findings

Overview

The following section goes over reviewing IAM Access Analyzer Findings

Access the Findings Dashboard

  • Open the IAM console and navigate to Access Analyzer.

  • View findings filtered by status:

    • Active: Unaddressed findings that need review.

    • Archived: Findings marked as expected or approved.

    • Resolved: Findings where access has been removed.

    • All: Displays all findings regardless of status.

Resolved findings are deleted 90 days after the last update.

External Access Findings

External access findings display details about shared resources and the policy granting external access. Key information includes:

  • Finding ID: Unique identifier with additional resource details.

  • Resource: The resource with an external access policy.

  • External Principal: The external entity with access (e.g., AWS account, IAM role, or user).

  • Condition: Conditions from the policy (e.g., access limited to a VPC).

  • Shared Through: The mechanism granting access (e.g., bucket policy, ACL, or access point).

  • Access Level: Access types (e.g., List, Read, Write, Permissions, Tagging).

  • Updated: Timestamp of the latest finding update or creation.

  • Status: Active, Archived, or Resolved.

Findings are generated based on policy changes, with updates taking up to 30 minutes to reflect.

Unused Access Findings

Unused access findings help identify inactive IAM roles, permissions, keys, or passwords. Key information includes:

  • Finding ID: Identifier with details about the IAM entity.

  • Finding Type: Unused access key, password, permission, or role.

  • IAM Entity: The affected IAM user or role.

  • AWS Account ID: (For organization analyzers) The account owning the IAM entity.

  • Last Updated: Timestamp of the latest update or when the entity was created.

  • Status: Active, Archived, or Resolved.

Managing Findings

  • Archiving Findings: Marks approved access as expected, moving it from active to archived. Archived findings are not deleted and remain available for review.

  • Resolving Findings: Happens when access is removed. Resolved findings are deleted after 90 days.

PreviousExternal Access and Unused Access Analyzer FindingsNextAccess Analyzer Resources

Last updated 8 months ago