If you’re building an AWS Organization, or getting ready to deploy a new one with AWS Control Tower, be aware that several AWS services integrate with Organizations and are well worth enabling from the start. In this “Be sure to integrate…” series, we look at three baseline services that should be enabled and integrated into your AWS Organization: AWS Security Hub, Amazon GuardDuty, and AWS IAM Access Analyzer.
AWS IAM Access Analyzer
IAM Access Analyzer is a regional AWS service that identifies resources that can be accessed by principals outside your defined “zone of trust”. Supported resource types include:
- S3 Buckets
- IAM Roles
- Key Management Service (KMS) keys
- Lambda functions and layers
- SQS Queues
- Secrets Manager Secrets
To get started with Access Analyzer, you must first create an analyzer and define its zone of trust. The zone of trust determines which resources are analyzed and which principals count as trusted, and can be set to either Organization or Account. With Organization as the zone of trust, the analyzer examines the supported resources in every member account, and any principal belonging to an account in that organization is considered trusted. Everything else is external: principals in other AWS accounts or other AWS organizations, federated identities, and anonymous (public) access.
When an analysis determines that a supported resource is accessible from outside the zone of trust, Access Analyzer generates a finding. The finding identifies the resource, the external principal (or the fact that the resource is public), the actions granted, and any conditions attached to the access. Use this information to decide whether the access is intended or a security risk requiring remediation.
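To make the zone-of-trust idea concrete, here is a small Python check, added for this page and not Access Analyzer’s own implementation, that walks a constructed S3 bucket policy and reports each Allow statement that reaches a principal outside a made-up organization (o-exampleorgid with two member accounts). It covers the three cases a reviewer meets: a principal from a member account (trusted), a principal from a foreign account (a finding), and a Principal of "*" (public, unless an aws:PrincipalOrgID condition pins it back to the organization). Access Analyzer itself reasons over the complete policy, Deny statements and all condition keys included; this example deliberately ignores Deny statements and service principals.

```python
"""Simplified zone-of-trust check for a resource policy.

Added example for this page, not Access Analyzer's own logic: it asks the
same question (can a principal outside my organization reach this
resource?) but as a plain structural check over Allow statements.
Access Analyzer uses automated reasoning over the full policy, including
Deny statements and conditions, and covers far more cases than this.
"""
import re

# arn:aws:iam::<account>:... or a bare 12-digit account ID
ACCOUNT_RE = re.compile(r"arn:aws:iam::(\d{12}):|(\d{12})$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """Account ID of an AWS principal string, or None for '*' (anyone)."""
    if principal == "*":
        return None
    match = ACCOUNT_RE.match(principal)
    if not match:
        raise ValueError(f"unrecognised principal: {principal}")
    return match.group(1) or match.group(2)


def restricted_to_org(statement, org_id):
    """True when a Condition pins the caller to our organization, which keeps
    even a Principal of '*' inside the zone of trust."""
    condition = statement.get("Condition", {})
    for operator in ("StringEquals", "ForAnyValue:StringEquals"):
        values = _as_list(condition.get(operator, {}).get("aws:PrincipalOrgID", []))
        if org_id in values:
            return True
    return False


def external_access(policy, org_id, org_accounts, resource_arn):
    """One finding per Allow statement/principal that reaches outside the
    organization.  Service principals and Deny statements are ignored here."""
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow" or restricted_to_org(statement, org_id):
            continue
        principal = statement.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            account = principal_account(p)
            if account in org_accounts:
                continue  # inside the zone of trust
            findings.append({
                "resource": resource_arn,
                "principal": p,
                "isPublic": account is None,
                "action": _as_list(statement.get("Action", [])),
            })
    return findings


# Constructed sample: a bucket policy in an organization with two accounts
# (the organization ID, account IDs and bucket name are all made up).
ORG_ID = "o-exampleorgid"
ORG_ACCOUNTS = {"111111111111", "234598760742"}
BUCKET_ARN = "arn:aws:s3:::example-data-bucket"
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InOrg", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/analytics"},
         "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"},
        {"Sid": "Partner", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::999999999999:role/partner",
                               "arn:aws:iam::111111111111:root"]},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
        {"Sid": "OrgWide", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
        {"Sid": "Public", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/public/*"},
    ],
}

if __name__ == "__main__":
    import json
    for finding in external_access(SAMPLE_POLICY, ORG_ID, ORG_ACCOUNTS, BUCKET_ARN):
        print(json.dumps(finding))
```

Running it against the sample policy yields two findings: the partner role in account 999999999999 (external, not public) and the unconditioned "*" grant on the public/ prefix (public). The OrgWide statement produces nothing even though its Principal is "*", because the aws:PrincipalOrgID condition keeps it inside the zone of trust.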
Integrating IAM Access Analyzer with AWS Organizations
Like Security Hub and GuardDuty, IAM Access Analyzer integrates with AWS Organizations. You register one member account (typically your security account) as the delegated administrator; that account can then create analyzers with the organization as the zone of trust, and the findings for every member account appear in that single account.
1. To get started, identify the AWS account that will serve as the Access Analyzer delegated administrator and note its account ID. In this example the account ID is 123456789123.
2. Log in to the organization management account and open the IAM console.
3. Under Access analyzer, click Settings. On the Settings page, click Add delegated administrator.
4. On the Change delegated administrator page, enter the delegated administrator account ID and click Save changes.
5. The Settings page now lists the delegated administrator account.
6. Next, create an analyzer in the delegated administrator account: log in to that account and open the IAM console. Click Access analyzer | Create analyzer.
7. On the Create analyzer page, enter a Name for the analyzer, set the Zone of trust to the organization, add any relevant tags, and click Create analyzer. Analyzers are regional, so repeat this step in every region where you have resources.
8. Once the organization has been scanned, any Active findings are listed on the Findings page.
9. Open a finding to review its details. If the access is expected, click Archive to mark the finding as intended access (archive rules can do this automatically for access you always expect, such as a known partner account). If the access is not intended, edit the resource’s policy (for an IAM role, its trust policy) to remove it; Access Analyzer rescans the resource and changes the finding’s status to Resolved once the external access is gone.
Want to use the CLI?
If you prefer the CLI, here are the commands required to integrate Access Analyzer with AWS Organizations. The commands assume the following:
- The delegated administrator account ID is 234598760742
- ~/.aws/credentials contains two profiles:
- Mgmt = the organization management account
- Security = the security account, which is the delegated administrator
Next, there are 3 basic commands:
- Under the Management Account Profile
- Enable the access-analyzer.amazonaws.com service principal
- Specify the Access Analyzer Delegated Administrator Account
- As the Delegated Administrator Profile
- Create an Analyzer
To enable the service principal and register the delegated administrator (run with the management account profile; trusted access must be enabled before the registration succeeds):

```bash
aws organizations enable-aws-service-access --service-principal access-analyzer.amazonaws.com --profile Mgmt
aws organizations register-delegated-administrator --account-id 234598760742 --service-principal access-analyzer.amazonaws.com --profile Mgmt
```

To create an analyzer (run with the delegated administrator profile; the analyzer is regional, so pass --region or repeat the command in each region you use):

```bash
aws accessanalyzer create-analyzer --analyzer-name <name> --type ORGANIZATION --profile Security
```
Want to use the API?
This is just a little extra bonus coverage, but at one point I thought I “had to” enable the service principal using the AWS API, based on something I read online. To this end, I started messing with the AWS SDK for Python via CloudShell. I’m not going to go into too much detail here; I’ll just drop some basic sample code and you can customize it for your purposes as your homework.
In the Mgmt Account:
Create the Analyzer in the Delegated Admin Account:
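The console and CLI procedure above (enable trusted access and register the delegated administrator from the management account, then create the organization analyzer from the security account) in Python with boto3, as an added example written for this page rather than the author’s original sample code. It goes a little beyond the CLI commands: each step is idempotent, and it also lists the active findings and archives the ones you have reviewed. The account ID, the profile names Mgmt and Security, the region and the analyzer name are the assumptions from the CLI section; the clients are passed in as parameters so the functions can be exercised against a stub without AWS credentials.

```python
"""Integrate IAM Access Analyzer with AWS Organizations using boto3.

Added example for this page (not the author's original sample).  The
Organizations and Access Analyzer clients are passed in, so the logic can
be exercised against a stub; the __main__ block wires in real boto3
clients using the profile names assumed in the CLI section.
"""

ACCESS_ANALYZER_SP = "access-analyzer.amazonaws.com"


def delegate_access_analyzer(org_client, delegated_admin_id):
    """Management account: enable trusted access for Access Analyzer and
    register the delegated administrator.  Idempotent; returns the list of
    actions actually performed, so a second run reports []."""
    actions = []
    # list_aws_service_access_for_organization is paginated; one page is
    # enough here because an organization enables only a handful of services.
    enabled = {
        s["ServicePrincipal"]
        for s in org_client.list_aws_service_access_for_organization()
        .get("EnabledServicePrincipals", [])
    }
    if ACCESS_ANALYZER_SP not in enabled:
        org_client.enable_aws_service_access(ServicePrincipal=ACCESS_ANALYZER_SP)
        actions.append("enable-aws-service-access")

    admins = org_client.list_delegated_administrators(ServicePrincipal=ACCESS_ANALYZER_SP)
    if delegated_admin_id not in {a["Id"] for a in admins.get("DelegatedAdministrators", [])}:
        org_client.register_delegated_administrator(
            AccountId=delegated_admin_id, ServicePrincipal=ACCESS_ANALYZER_SP
        )
        actions.append("register-delegated-administrator")
    return actions


def ensure_org_analyzer(aa_client, name):
    """Delegated administrator account: create an analyzer with the
    organization as its zone of trust, or reuse one with the same name.
    Returns the analyzer ARN.  Analyzers are regional, so call this once
    per region you use."""
    for analyzer in aa_client.list_analyzers(type="ORGANIZATION").get("analyzers", []):
        if analyzer["name"] == name:
            return analyzer["arn"]
    return aa_client.create_analyzer(analyzerName=name, type="ORGANIZATION")["arn"]


def active_findings(aa_client, analyzer_arn):
    """Return ACTIVE findings as (id, resource, principal, actions, is_public)."""
    resp = aa_client.list_findings(
        analyzerArn=analyzer_arn, filter={"status": {"eq": ["ACTIVE"]}}
    )
    return [
        (f["id"], f["resource"], f.get("principal", {}),
         f.get("action", []), f.get("isPublic", False))
        for f in resp.get("findings", [])
    ]


def archive_findings(aa_client, analyzer_arn, finding_ids):
    """Mark findings that were reviewed and judged to be intended access as
    ARCHIVED.  Returns the number of findings archived."""
    ids = list(finding_ids)
    if ids:
        aa_client.update_findings(analyzerArn=analyzer_arn, status="ARCHIVED", ids=ids)
    return len(ids)


if __name__ == "__main__":
    import boto3  # real clients only when run as a script

    REGION = "us-east-1"              # assumption: region of the analyzer
    DELEGATED_ADMIN = "234598760742"  # assumption carried over from the CLI section
    mgmt = boto3.Session(profile_name="Mgmt", region_name=REGION)
    security = boto3.Session(profile_name="Security", region_name=REGION)

    print(delegate_access_analyzer(mgmt.client("organizations"), DELEGATED_ADMIN))
    aa = security.client("accessanalyzer")
    arn = ensure_org_analyzer(aa, "org-analyzer")
    for finding in active_findings(aa, arn):
        print(finding)
```

Because every step first reads the current state (enabled service principals, registered delegated administrators, existing analyzers), the script can be re-run safely, which is what you want in a bootstrap pipeline. Archiving is left as an explicit call rather than done automatically: a finding should only be archived after someone has confirmed the external access is intended.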
Enable and use IAM Access Analyzer to track, and where necessary remove, access to your resources from principals outside your zone of trust. Like Security Hub and GuardDuty, Access Analyzer can be a valuable part of your overall security defense, especially given its integration with AWS Organizations. It will be exciting to see how AWS adds to the functionality of all three of these tools as we move forward.