IAM Access Analyzer is Enabled
Overview
This check verifies that AWS IAM Access Analyzer is enabled and active in your account. Access Analyzer helps you identify resources in your organization and accounts that are shared with external entities, find unused access, and validate IAM policies against security best practices.
Risk
Without IAM Access Analyzer enabled:
- Unintended external access to your resources (S3 buckets, KMS keys, IAM roles, etc.) may go unnoticed
- Overly permissive policies granting public or cross-account access could be exploited for data exfiltration
- Unused permissions expand your attack surface, violating the principle of least privilege
- You lose visibility into who can access your sensitive resources
Remediation Steps
Prerequisites
- AWS account access with permission to create Access Analyzer resources
- Administrator or IAM permissions that include access-analyzer:CreateAnalyzer
AWS Console Method
- Sign in to the AWS Management Console
- Navigate to IAM (Identity and Access Management)
- In the left navigation pane, under Access Analyzer, click Analyzer settings
- Click Create analyzer
- For Analyzer name, enter a descriptive name (e.g., account-analyzer)
- For Type, select Account (analyzes resources in the current account only)
- Optionally, add tags to help identify this analyzer
- Click Create analyzer
The analyzer will begin analyzing your resources immediately. A service-linked role named AWSServiceRoleForAccessAnalyzer will be created automatically.
AWS CLI (optional)
Create an Access Analyzer using the AWS CLI:
aws accessanalyzer create-analyzer \
--analyzer-name my-account-analyzer \
--type ACCOUNT \
--region us-east-1
Analyzer types:
- ACCOUNT - Analyzes resources within a single AWS account
- ORGANIZATION - Analyzes resources across all accounts in your AWS Organization (requires AWS Organizations)
To verify the analyzer was created successfully:
aws accessanalyzer list-analyzers --region us-east-1
CloudFormation (optional)
Deploy an Access Analyzer using CloudFormation:
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable IAM Access Analyzer for the account
Resources:
  AccessAnalyzer:
    Type: AWS::AccessAnalyzer::Analyzer
    Properties:
      AnalyzerName: account-access-analyzer
      Type: ACCOUNT
      Tags:
        - Key: Purpose
          Value: SecurityMonitoring
Deploy the template:
aws cloudformation deploy \
--template-file access-analyzer.yaml \
--stack-name access-analyzer-stack \
--region us-east-1
Terraform (optional)
Create an Access Analyzer using Terraform:
resource "aws_accessanalyzer_analyzer" "account_analyzer" {
  analyzer_name = "account-access-analyzer"
  type          = "ACCOUNT"
  tags = {
    Purpose = "SecurityMonitoring"
  }
}
For organization-wide analysis (requires AWS Organizations):
resource "aws_accessanalyzer_analyzer" "org_analyzer" {
  analyzer_name = "organization-access-analyzer"
  type          = "ORGANIZATION"
  tags = {
    Purpose = "SecurityMonitoring"
  }
}
Verification
After enabling Access Analyzer, verify it is working:
- Go to IAM > Access Analyzer > Analyzer settings in the AWS Console
- Confirm your analyzer shows a status of Active
- Navigate to Findings to see any access issues detected
CLI verification commands
List all analyzers and verify status:
aws accessanalyzer list-analyzers --region us-east-1
Expected output shows status: ACTIVE:
{
  "analyzers": [
    {
      "arn": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/my-account-analyzer",
      "name": "my-account-analyzer",
      "type": "ACCOUNT",
      "status": "ACTIVE",
      "createdAt": "2024-01-15T10:30:00Z"
    }
  ]
}
View any existing findings:
aws accessanalyzer list-findings --analyzer-arn <analyzer-arn> --region us-east-1
Additional Resources
Notes
- One analyzer per type per region: You can have one ACCOUNT analyzer and one ORGANIZATION analyzer per region
- Multi-region consideration: Access Analyzer works per-region. Consider enabling it in all regions where you have resources
- Service-linked role: AWS automatically creates AWSServiceRoleForAccessAnalyzer when you create your first analyzer
- No additional cost: Basic external access analysis is included at no extra charge. Unused access and custom policy checks have separate pricing
- Findings review: After enabling, review the generated findings regularly and remediate any unintended access
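The verification steps above check one region at a time, and the notes point out that Access Analyzer is regional. The following Python script is an added example (not code from the original check or from AWS) that applies the check's logic across several regions at once: a region passes only when it has at least one analyzer whose status is ACTIVE, so an analyzer that is still CREATING, has FAILED, or is DISABLED does not count as coverage. The per-region responses are constructed sample data in the shape of the list-analyzers output shown above; the optional fetch_live function assumes boto3 is installed and credentials are configured.

```python
"""Evaluate IAM Access Analyzer coverage per region (added example)."""
from __future__ import annotations

from dataclasses import dataclass

PASS = "PASS"
FAIL = "FAIL"


@dataclass(frozen=True)
class RegionResult:
    region: str
    status: str   # PASS or FAIL
    detail: str   # human-readable reason for the verdict


def evaluate_region(region: str, response: dict) -> RegionResult:
    """Apply the check to one region's list-analyzers response.

    Only an analyzer in status ACTIVE counts, regardless of whether it is an
    ACCOUNT or ORGANIZATION analyzer. Any other status (CREATING, FAILED,
    DISABLED) produces no findings and therefore no coverage.
    """
    analyzers = response.get("analyzers", [])
    active = [a for a in analyzers if a.get("status") == "ACTIVE"]
    if active:
        names = ", ".join(f"{a['name']} ({a.get('type', '?')})" for a in active)
        return RegionResult(region, PASS, f"active analyzer(s): {names}")
    if analyzers:
        states = ", ".join(f"{a['name']}={a.get('status', 'UNKNOWN')}" for a in analyzers)
        return RegionResult(region, FAIL, f"analyzer(s) present but not ACTIVE: {states}")
    return RegionResult(region, FAIL, "no analyzer in this region")


def evaluate_account(responses: dict[str, dict]) -> list[RegionResult]:
    """Run the check over a mapping of region -> list-analyzers response."""
    return [evaluate_region(region, resp) for region, resp in sorted(responses.items())]


def fetch_live(regions: list[str]) -> dict[str, dict]:
    """Collect real responses with boto3 (assumption: boto3 installed, credentials set).

    Equivalent to running `aws accessanalyzer list-analyzers --region <r>` per region.
    """
    import boto3  # imported lazily so the evaluation logic runs without it

    return {
        region: boto3.client("accessanalyzer", region_name=region).list_analyzers()
        for region in regions
    }


# Constructed sample data: three regions in different states of coverage.
SAMPLE_RESPONSES: dict[str, dict] = {
    "us-east-1": {
        "analyzers": [
            {
                "arn": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/my-account-analyzer",
                "name": "my-account-analyzer",
                "type": "ACCOUNT",
                "status": "ACTIVE",
                "createdAt": "2024-01-15T10:30:00Z",
            }
        ]
    },
    "eu-west-1": {
        # Analyzer was created but has not finished provisioning: no coverage yet.
        "analyzers": [
            {
                "arn": "arn:aws:access-analyzer:eu-west-1:123456789012:analyzer/eu-analyzer",
                "name": "eu-analyzer",
                "type": "ACCOUNT",
                "status": "CREATING",
                "createdAt": "2024-01-15T10:35:00Z",
            }
        ]
    },
    "ap-southeast-2": {"analyzers": []},  # region with resources but no analyzer
}


def main(responses: dict[str, dict] | None = None) -> int:
    """Print a per-region report; exit status 1 if any region fails the check."""
    results = evaluate_account(SAMPLE_RESPONSES if responses is None else responses)
    for r in results:
        print(f"{r.region:16} {r.status:4} {r.detail}")
    return 0 if all(r.status == PASS for r in results) else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as-is to see the report for the constructed data; to check a real account, call main(fetch_live([...])) with the regions where you have resources. Treating CREATING and FAILED as failures is deliberate: the console shows those analyzers in the list, but they emit no findings until they reach ACTIVE.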