IAM Access Analyzer Enabled Without Active Findings

Overview

This check verifies that IAM Access Analyzer is enabled and has no unresolved (active) findings. Access Analyzer continuously monitors your AWS resources for policies that grant access to external principals or contain unused permissions. When findings exist, it means potential security issues have been detected and need attention.

Risk

Active findings indicate potential security gaps in your AWS environment:

  • Unintended External Access: Resources like S3 buckets, IAM roles, or KMS keys may be accessible to principals outside your organization
  • Overly Permissive Policies: Trust policies or resource policies may grant broader access than intended
  • Unused Permissions: IAM roles or users may have permissions they never use, violating least-privilege principles
  • Lateral Movement Risk: Unauthorized cross-account access could enable attackers to move between AWS accounts

Leaving findings unresolved increases the window of opportunity for unauthorized access or data exposure.

Remediation Steps

Prerequisites

  • AWS Console access with permissions to view and manage IAM Access Analyzer
  • Permission to modify resource policies (S3 bucket policies, IAM role trust policies, etc.)

Required IAM permissions (for administrators)

To fully remediate findings, you need the IAMAccessAnalyzerFullAccess managed policy or equivalent permissions including:

  • access-analyzer:ListAnalyzers
  • access-analyzer:ListFindings
  • access-analyzer:GetFinding
  • access-analyzer:UpdateFindings
  • Permissions to modify the affected resources (e.g., s3:PutBucketPolicy, iam:UpdateAssumeRolePolicy)

AWS Console Method

Step 1: Verify Access Analyzer is Enabled

  1. Open the IAM Console
  2. In the left navigation, click Access Analyzer
  3. Check if you see an analyzer listed with status Active
  4. If no analyzer exists, click Create analyzer and follow the prompts

Step 2: Review Active Findings

  1. In the Access Analyzer section, click Findings in the left navigation
  2. Filter by Status: Active to see unresolved findings
  3. Review each finding to understand what access is being flagged

Step 3: Remediate Each Finding

For each active finding, you have three options:

Option A: Remove Unintended Access (Recommended)

  1. Click on the finding to view details
  2. Note the resource, principal, and actions involved
  3. Navigate to the affected resource and modify its policy to remove the unintended access
  4. Access Analyzer will automatically resolve the finding once the policy is updated (may take up to 30 minutes)

Option B: Archive Intentional Access

  1. If the access is intentional and expected, click on the finding
  2. Click Archive
  3. Add a reason explaining why this access is expected
  4. The finding moves to "Archived" status and won't trigger future alerts

Option C: Resolve Unused Access Findings

  1. For unused permissions findings, review the recommended policy changes
  2. Click Preview policy to see suggested modifications
  3. Apply the recommended policies to reduce permissions to only what's needed

Step 4: Verify Resolution

  1. Return to Findings and filter by Status: Active
  2. Confirm no active findings remain
  3. The check will pass once all findings are either resolved or archived

AWS CLI (optional)

List all analyzers in the region:

aws accessanalyzer list-analyzers --region us-east-1

Create an analyzer if none exists:

aws accessanalyzer create-analyzer \
    --analyzer-name my-account-analyzer \
    --type ACCOUNT \
    --region us-east-1

List active findings:

aws accessanalyzer list-findings \
    --analyzer-arn arn:aws:access-analyzer:us-east-1:<ACCOUNT_ID>:analyzer/<ANALYZER_NAME> \
    --filter '{"status": {"eq": ["ACTIVE"]}}' \
    --region us-east-1

Get details for a specific finding:

aws accessanalyzer get-finding \
    --analyzer-arn arn:aws:access-analyzer:us-east-1:<ACCOUNT_ID>:analyzer/<ANALYZER_NAME> \
    --id <FINDING_ID> \
    --region us-east-1

Archive a finding (for intentional access):

aws accessanalyzer update-findings \
    --analyzer-arn arn:aws:access-analyzer:us-east-1:<ACCOUNT_ID>:analyzer/<ANALYZER_NAME> \
    --ids <FINDING_ID> \
    --status ARCHIVED \
    --region us-east-1

Replace:

  • <ACCOUNT_ID> with your AWS account ID
  • <ANALYZER_NAME> with your analyzer name
  • <FINDING_ID> with the specific finding ID

CloudFormation (optional)

This CloudFormation template creates an IAM Access Analyzer for your account:

AWSTemplateFormatVersion: '2010-09-09'
Description: Creates an IAM Access Analyzer for the AWS account

Resources:
  AccessAnalyzer:
    Type: AWS::AccessAnalyzer::Analyzer
    Properties:
      AnalyzerName: account-access-analyzer
      Type: ACCOUNT
      Tags:
        - Key: Purpose
          Value: SecurityMonitoring

Outputs:
  AnalyzerArn:
    Description: ARN of the Access Analyzer
    Value: !GetAtt AccessAnalyzer.Arn

Deploy the template:

aws cloudformation deploy \
    --template-file access-analyzer.yaml \
    --stack-name access-analyzer-stack \
    --region us-east-1

Note: CloudFormation creates the analyzer, but you must still manually review and remediate any findings that are generated.

Terraform (optional)

This Terraform configuration creates an IAM Access Analyzer:

resource "aws_accessanalyzer_analyzer" "account_analyzer" {
  analyzer_name = "account-access-analyzer"
  type          = "ACCOUNT"

  tags = {
    Purpose = "SecurityMonitoring"
  }
}

output "analyzer_arn" {
  description = "ARN of the Access Analyzer"
  value       = aws_accessanalyzer_analyzer.account_analyzer.arn
}

Apply the configuration:

terraform init
terraform plan
terraform apply

Note: Terraform creates the analyzer, but you must still manually review and remediate any findings that are generated.

Verification

After remediation, verify the check passes:

  1. Open the IAM Access Analyzer console
  2. Confirm an analyzer exists with Active status
  3. Click Findings and filter by Status: Active
  4. Verify the count shows 0 active findings

CLI verification commands

Verify analyzer is active:

aws accessanalyzer list-analyzers --region us-east-1 \
    --query 'analyzers[?status==`ACTIVE`].name'

Verify no active findings:

aws accessanalyzer list-findings \
    --analyzer-arn arn:aws:access-analyzer:us-east-1:<ACCOUNT_ID>:analyzer/<ANALYZER_NAME> \
    --filter '{"status": {"eq": ["ACTIVE"]}}' \
    --region us-east-1 \
    --query 'findings[].id' \
    --output text

An empty result indicates no active findings.
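The pass/fail decision behind the console and CLI verification steps above, written out as an added Python example (not the check's own implementation). It takes dicts shaped like `list-analyzers` and `list-findings` output, evaluates one region at a time, and separates the public findings that should be triaged first; the sample responses at the bottom are constructed with placeholder account ids.

```python
# Added example (not the check's own implementation): the pass/fail logic the
# console and CLI verification steps apply, evaluated per region. Inputs mirror
# the shape of `list-analyzers` / `list-findings` output; the sample data at the
# bottom is constructed with placeholder account ids.
from collections import Counter


def evaluate_region(analyzers, findings):
    """Return (passed, reason). Passes only with an ACTIVE analyzer and no
    ACTIVE finding; ARCHIVED and RESOLVED findings are accepted end states."""
    active = [a["name"] for a in analyzers if a.get("status") == "ACTIVE"]
    if not active:
        return False, "no ACTIVE analyzer in this region"
    open_count = sum(1 for f in findings if f.get("status") == "ACTIVE")
    if open_count:
        return False, f"{open_count} active finding(s) require review"
    return True, f"analyzer {active[0]} active, 0 active findings"


def summarize_active(findings):
    """Count ACTIVE findings per resource type and list resources flagged
    isPublic, the unintended-external-access case to triage first."""
    by_type = Counter()
    public = []
    for f in findings:
        if f.get("status") != "ACTIVE":
            continue
        by_type[f["resourceType"]] += 1
        if f.get("isPublic"):
            public.append(f["resource"])
    return dict(by_type), public


# Constructed sample responses; 111111111111 / 222222222222 are placeholders.
SAMPLE_ANALYZERS = [{"name": "account-access-analyzer", "status": "ACTIVE"}]
SAMPLE_FINDINGS = [
    {"id": "f-1", "resourceType": "AWS::S3::Bucket", "status": "ACTIVE",
     "resource": "arn:aws:s3:::example-data", "isPublic": True,
     "principal": {"AWS": "*"}},
    {"id": "f-2", "resourceType": "AWS::IAM::Role", "status": "ACTIVE",
     "resource": "arn:aws:iam::111111111111:role/vendor-role",
     "isPublic": False, "principal": {"AWS": "222222222222"}},
    {"id": "f-3", "resourceType": "AWS::KMS::Key", "status": "ARCHIVED",
     "resource": "arn:aws:kms:us-east-1:111111111111:key/example",
     "isPublic": False, "principal": {"Federated": "example-idp"}},
]

if __name__ == "__main__":
    print(evaluate_region(SAMPLE_ANALYZERS, SAMPLE_FINDINGS))
    print(summarize_active(SAMPLE_FINDINGS))
```

Running it against a real account means feeding the JSON from the two CLI commands above into the same two functions, once per region for external access analyzers.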

Notes

  • Regional Service: For external access analyzers, Access Analyzer must be enabled in each AWS region where you have resources. Unused access analyzers work across regions from a single analyzer.
  • Scan Timing: After modifying a policy, it may take up to 30 minutes for Access Analyzer to rescan and update findings.
  • Organization vs Account: If you're part of an AWS Organization, consider creating an organization-level analyzer for broader visibility across all member accounts.
  • Archive Rules: You can create archive rules to automatically archive findings that match specific criteria (e.g., known federated identity providers). This is useful for expected access patterns.
  • Cost: External access analysis is free. Unused access analysis has costs based on the number of IAM roles and users analyzed per month.