CTHFM: AWS

Setup

Overview

IAM Access Analyzer identifies two things a threat hunter cares about: resources whose policies grant access from outside your zone of trust (external access), and IAM roles, users, keys, and permissions that have gone unused (unused access). The service does its analysis under a service-linked role, and the principals who create analyzers or read findings need IAM permissions of their own.

Key IAM Permissions:

  • IAMAccessAnalyzerFullAccess: AWS managed policy for administrators. It includes the iam:CreateServiceLinkedRole permission (restricted to access-analyzer.amazonaws.com) that the first analyzer creation needs.

  • IAMAccessAnalyzerReadOnlyAccess: AWS managed policy for analysts who only need to view analyzers and findings; it cannot create analyzers or archive findings.

Service-Linked Role:

IAM Access Analyzer uses the service-linked role AWSServiceRoleForAccessAnalyzer to read resource-based policies (external access) and IAM last-accessed information (unused access). The role is created automatically the first time an analyzer is created, which is why the creating principal needs iam:CreateServiceLinkedRole.

Types of Analyzers:

  1. External Access Analyzer:

    • Purpose: Identifies supported resources (S3 buckets, IAM roles, KMS keys, SQS queues, Lambda functions, and others) whose resource-based policies grant access to principals outside your zone of trust, which is either the current AWS account or the current organization. An organization zone of trust requires the analyzer to be created from the management account or a delegated administrator account.

    • Findings Update: After a policy change it can take up to 30 minutes for findings to be created, updated, or resolved. Re-read the policy before treating an old finding as a live exposure, and before treating a resolved finding as proof that access was removed.

    • Creation Steps:

      1. Open the IAM console and go to Access Analyzer.

      2. Create a new analyzer for external access.

      3. Choose either Current AWS account or Current organization as the zone of trust.

      4. Optionally, apply tags for management.

    • Scope: An external access analyzer is Region-specific and only evaluates resources in its own Region. You must create one in every Region you use; a share created by an attacker in an unmonitored Region produces no finding.

  2. Unused Access Analyzer:

    • Purpose: Identifies IAM roles, user access keys, user console passwords, and granted permissions that have not been used within the tracking period. For a hunter these are the dormant credentials and over-broad permissions that an attacker can pick up without causing a visible change.

    • Creation Steps:

      1. Open the IAM console and create a new Unused Access Analyzer.

      2. Specify the tracking period (1–180 days): the number of days without use after which a role, key, password, or permission is reported as unused.

      3. Choose whether the analyzer applies to Current account or Current organization.

      4. Optionally, apply tags to the analyzer.

    • Scope: Findings are not Region-specific. IAM is a global service, so a single unused access analyzer covers the whole account or organization regardless of the Region in which it was created.
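The two console procedures above map onto a single API call, CreateAnalyzer, with different --type values. The script below is an added example (not part of the original page) that drives the AWS CLI for both analyzer types and polls the analyzer status. It assumes AWS CLI v2 with credentials that carry IAMAccessAnalyzerFullAccess; the analyzer names, the owner tag, the Region list, the 1–180 day bound taken from the text above, and the RUN_AWS guard are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the page: create external access and unused access
# analyzers with the AWS CLI and wait for them to become ACTIVE.
# Assumes AWS CLI v2 and IAMAccessAnalyzerFullAccess credentials. Names,
# tag, Regions and the RUN_AWS guard are placeholders chosen for this example.
set -eu

# Map the console's zone of trust to the CreateAnalyzer --type value.
external_analyzer_type() {          # account|organization -> ACCOUNT|ORGANIZATION
  case "$1" in
    account)      echo ACCOUNT ;;
    organization) echo ORGANIZATION ;;
    *) echo "unknown zone of trust: $1" >&2; return 1 ;;
  esac
}

unused_analyzer_type() {            # account|organization -> *_UNUSED_ACCESS
  local base
  base=$(external_analyzer_type "$1") || return 1
  echo "${base}_UNUSED_ACCESS"
}

# Build the --configuration JSON for an unused access analyzer. The tracking
# period must be a whole number of days inside the 1-180 range from the text.
unused_access_config() {
  local days="$1"
  case "$days" in
    ''|*[!0-9]*) echo "tracking period must be an integer: $days" >&2; return 1 ;;
  esac
  if [ "$days" -lt 1 ] || [ "$days" -gt 180 ]; then
    echo "tracking period out of range (1-180): $days" >&2; return 1
  fi
  printf '{"unusedAccess":{"unusedAccessAge":%d}}' "$days"
}

# Decide what to do with a status value returned by get-analyzer.
status_action() {
  case "$1" in
    ACTIVE)   echo ready ;;
    CREATING) echo wait ;;
    FAILED)   echo recreate ;;    # delete-analyzer, then create-analyzer again
    DISABLED) echo investigate ;; # delegated admin / org trusted access changed
    *)        echo unknown ;;
  esac
}

# Poll until ACTIVE; fail fast on FAILED or DISABLED instead of waiting forever.
wait_for_active() {                 # name region
  local status action
  while :; do
    status=$(aws accessanalyzer get-analyzer --analyzer-name "$1" --region "$2" \
               --query 'analyzer.status' --output text)
    action=$(status_action "$status")
    case "$action" in
      ready) return 0 ;;
      wait)  sleep 10 ;;
      *)     echo "analyzer $1 in $2 is $status ($action)" >&2; return 1 ;;
    esac
  done
}

# External access analyzers are Region-specific: one per monitored Region.
create_external_analyzers() {       # name zone region...
  local name="$1" zone="$2" atype
  shift 2
  atype=$(external_analyzer_type "$zone")
  for region in "$@"; do
    aws accessanalyzer create-analyzer --analyzer-name "$name" --type "$atype" \
        --region "$region" --tags owner=threat-hunting >/dev/null
    wait_for_active "$name" "$region"
  done
}

# One unused access analyzer covers every Region, so it is created once.
create_unused_analyzer() {          # name zone days region
  local atype config
  atype=$(unused_analyzer_type "$2")
  config=$(unused_access_config "$3")
  aws accessanalyzer create-analyzer --analyzer-name "$1" --type "$atype" \
      --configuration "$config" --region "$4" >/dev/null
  wait_for_active "$1" "$4"
}

# Only call AWS when asked, so the helpers can be sourced and checked offline.
if [ "${RUN_AWS:-0}" = 1 ]; then
  create_external_analyzers ext-access-hunting organization us-east-1 us-west-2
  create_unused_analyzer unused-access-hunting organization 90 us-east-1
fi
```

Run it with `RUN_AWS=1 ./analyzers.sh` from the management or delegated administrator account when the zone of trust is the organization. The Region loop is the part most often skipped by hand; any Region left out of the list is a blind spot for external access findings.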

Analyzer Status:

  • Active: The analyzer is monitoring and new findings are being generated.

  • Creating: Creation is still in progress; no findings yet.

  • Disabled: The analyzer has been disabled by an administrative change, for example the delegated administrator was removed or trusted access for the organization was turned off. No new findings are generated until it is re-enabled or recreated.

  • Failed: Creation failed because of a configuration issue and the analyzer will never produce findings. Delete it and create a new one.

Managing Findings and Permissions:

  • Viewing Findings: The findings dashboard requires permission for the following IAM Access Analyzer API actions:

    • access-analyzer:GetAnalyzer

    • access-analyzer:ListAnalyzers

    • access-analyzer:GetFindingsStatistics

    Listing and opening individual findings additionally uses access-analyzer:ListFindings (or ListFindingsV2) and access-analyzer:GetFinding (or GetFindingV2).

  • Dashboards and Refresh Delays: Findings do not appear instantly after an analyzer is created or a policy changes; the console does not always refresh on its own, so reload the page before concluding that a resource has no findings.
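A least-privilege identity policy for a hunter who only reads Access Analyzer output, as an added example that is not part of the original page. It grants the three dashboard actions listed above plus the V2 finding actions, and nothing that creates analyzers or archives findings. The account ID 111122223333 is a placeholder; the analyzer-ARN scoping follows the analyzer resource type in the service authorization reference, and ListAnalyzers is left on "*" because it does not take a resource ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAnalyzersHasNoResourceScope",
      "Effect": "Allow",
      "Action": "access-analyzer:ListAnalyzers",
      "Resource": "*"
    },
    {
      "Sid": "ReadDashboardAndFindings",
      "Effect": "Allow",
      "Action": [
        "access-analyzer:GetAnalyzer",
        "access-analyzer:GetFindingsStatistics",
        "access-analyzer:ListFindingsV2",
        "access-analyzer:GetFindingV2"
      ],
      "Resource": "arn:aws:access-analyzer:*:111122223333:analyzer/*"
    }
  ]
}
```

Attach this instead of IAMAccessAnalyzerReadOnlyAccess when the hunter should see only this account's analyzers; the managed policy uses "*" for every action. If a console view is denied, check CloudTrail for the exact access-analyzer action that failed before widening the policy.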


Last updated 8 months ago