IAM Access Analyzer is Enabled

Overview

IAM Access Analyzer continuously monitors your AWS resources to identify unintended access. It detects when resources like S3 buckets, IAM roles, KMS keys, or Lambda functions are shared with external accounts or made publicly accessible.

Think of it as an automated auditor that watches for risky sharing configurations so you can fix them before they become security incidents.

Risk

Without an active Access Analyzer:

  • Exposed resources go unnoticed - S3 buckets, snapshots, or KMS keys shared publicly or with external accounts may not be detected
  • Unused permissions accumulate - Overly permissive IAM policies remain in place, expanding your attack surface
  • Cross-account access is invisible - You lose visibility into which resources can be accessed from outside your account
  • Compliance gaps - Many frameworks (CIS, ISO27001, NIS2, C5) require continuous access monitoring

Attackers can exploit these blind spots for data exfiltration or privilege escalation.

Remediation Steps

Prerequisites

You need IAM permissions to create Access Analyzers. Specifically, you need the access-analyzer:CreateAnalyzer permission.

Required IAM permissions

The following IAM policy provides the minimum permissions needed:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "access-analyzer:CreateAnalyzer",
        "access-analyzer:ListAnalyzers",
        "access-analyzer:GetAnalyzer"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/access-analyzer.amazonaws.com/*"
    }
  ]
}

AWS Console Method

  1. Sign in to the AWS Management Console
  2. Navigate to IAM (search for "IAM" in the top search bar)
  3. In the left sidebar, click Access Analyzer under "Access reports"
  4. Click Analyzer settings
  5. Confirm you are in the US East (N. Virginia) us-east-1 region (check the region selector in the top-right)
  6. Click Create analyzer
  7. For "Analysis type", select External access analysis
  8. Enter a name (e.g., external-access-analyzer)
  9. For "Zone of trust", select Current account
  10. Click Create analyzer

The analyzer will immediately begin scanning your resources. Findings will appear within a few minutes.

AWS CLI

Create an Access Analyzer for the current account:

aws accessanalyzer create-analyzer \
--analyzer-name external-access-analyzer \
--type ACCOUNT \
--region us-east-1

To create an organization-wide analyzer (requires AWS Organizations):

aws accessanalyzer create-analyzer \
--analyzer-name org-external-access-analyzer \
--type ORGANIZATION \
--region us-east-1

To also enable unused access analysis (identifies unused permissions):

aws accessanalyzer create-analyzer \
--analyzer-name unused-access-analyzer \
--type ACCOUNT_UNUSED_ACCESS \
--region us-east-1

CloudFormation

AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Access Analyzer for external access analysis

Parameters:
  AnalyzerName:
    Type: String
    Default: external-access-analyzer
    Description: Name for the IAM Access Analyzer

Resources:
  AccessAnalyzer:
    Type: AWS::AccessAnalyzer::Analyzer
    Properties:
      AnalyzerName: !Ref AnalyzerName
      Type: ACCOUNT
      Tags:
        - Key: Environment
          Value: production

Outputs:
  AnalyzerArn:
    Description: ARN of the created analyzer
    Value: !GetAtt AccessAnalyzer.Arn

Deploy the template:

aws cloudformation deploy \
--template-file access-analyzer.yaml \
--stack-name access-analyzer-stack \
--region us-east-1

Terraform

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_accessanalyzer_analyzer" "external_access" {
  analyzer_name = "external-access-analyzer"
  type          = "ACCOUNT"

  tags = {
    Environment = "production"
  }
}

output "analyzer_arn" {
  description = "ARN of the Access Analyzer"
  value       = aws_accessanalyzer_analyzer.external_access.arn
}

Apply the configuration:

terraform init
terraform apply

Verification

After creating the analyzer, verify it is active:

  1. In the IAM console, go to Access Analyzer
  2. Confirm your analyzer shows Status: Active
  3. Check the Findings tab - any external access issues will appear here

CLI verification

List all analyzers and check their status:

aws accessanalyzer list-analyzers \
--region us-east-1 \
--query 'analyzers[*].[name,status,type]' \
--output table

Expected output shows ACTIVE status:

--------------------------------------------------------
|                    ListAnalyzers                     |
+---------------------------+--------+-----------------+
| external-access-analyzer  | ACTIVE | ACCOUNT         |
+---------------------------+--------+-----------------+

View any findings:

aws accessanalyzer list-findings \
--analyzer-arn arn:aws:access-analyzer:us-east-1:123456789012:analyzer/external-access-analyzer \
--region us-east-1

Additional Resources

Notes

  • Regional scope: Access Analyzer operates per-region. You should enable it in all regions where you have resources, or use an organization-level analyzer.
  • Multiple analyzer types: AWS offers different analyzer types:
    • ACCOUNT / ORGANIZATION - External access analysis (detects public/cross-account sharing)
    • ACCOUNT_UNUSED_ACCESS / ORGANIZATION_UNUSED_ACCESS - Unused access analysis (detects unused permissions)
  • No additional cost: IAM Access Analyzer for external access is free. Unused access analysis has associated costs.
  • Service-linked role: AWS automatically creates a service-linked role (AWSServiceRoleForAccessAnalyzer) when you create your first analyzer.
  • Archive rules: Use archive rules sparingly to auto-dismiss expected findings - over-archiving can hide real issues.
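Because the analyzer is regional, the CLI verification above has to be repeated for every region you use. The following added example (not part of this page or of any AWS tool) evaluates list-analyzers output per region the way this check does: a region passes only when it has an ACTIVE analyzer of type ACCOUNT or ORGANIZATION, so an unused-access analyzer or one still in CREATING does not count. The region names and JSON responses are constructed sample data.

```python
"""Per-region check for an active IAM Access Analyzer (external access analysis).

A region passes when `aws accessanalyzer list-analyzers` reports at least one
analyzer with status ACTIVE and type ACCOUNT or ORGANIZATION. Unused-access
analyzers (ACCOUNT_UNUSED_ACCESS / ORGANIZATION_UNUSED_ACCESS) do not satisfy
the external-access check, and an analyzer in CREATING/DISABLED/FAILED does not
either. The SAMPLE data below is constructed for offline use.
"""
import json
import subprocess

EXTERNAL_ACCESS_TYPES = {"ACCOUNT", "ORGANIZATION"}


def external_analyzer_enabled(list_output: dict) -> bool:
    """True when a list-analyzers response contains an ACTIVE external-access analyzer."""
    return any(
        a.get("status") == "ACTIVE" and a.get("type") in EXTERNAL_ACCESS_TYPES
        for a in list_output.get("analyzers", [])
    )


def regions_missing_analyzer(output_by_region: dict) -> list:
    """Sorted list of regions whose list-analyzers output fails the check."""
    return sorted(
        region for region, out in output_by_region.items()
        if not external_analyzer_enabled(out)
    )


def list_analyzers(region: str) -> dict:
    """Live lookup through the AWS CLI; call this per region to build the input
    for regions_missing_analyzer(). Not used by the offline sample below."""
    cmd = ["aws", "accessanalyzer", "list-analyzers", "--region", region, "--output", "json"]
    return json.loads(subprocess.check_output(cmd))


# Constructed sample responses: only us-east-1 should pass.
SAMPLE = {
    "us-east-1": {"analyzers": [
        {"name": "external-access-analyzer", "type": "ACCOUNT", "status": "ACTIVE"}]},
    "eu-west-1": {"analyzers": [  # unused-access only: does not satisfy this check
        {"name": "unused-access-analyzer", "type": "ACCOUNT_UNUSED_ACCESS", "status": "ACTIVE"}]},
    "us-west-2": {"analyzers": [  # right type, but not yet ACTIVE
        {"name": "external-access-analyzer", "type": "ACCOUNT", "status": "CREATING"}]},
    "ap-southeast-1": {"analyzers": []},  # nothing created at all
}

if __name__ == "__main__":
    print("Regions missing an active external-access analyzer:",
          regions_missing_analyzer(SAMPLE))
```

For a real sweep, feed `{region: list_analyzers(region) for region in <your enabled regions>}` into regions_missing_analyzer() and create an analyzer in each region it returns.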