IAM Access Analyzer Not Enabled

  • Query id: 8d29754a-2a18-460d-a1ba-9509f8d359da
  • Query name: IAM Access Analyzer Not Enabled
  • Platform: CloudFormation
  • Severity: Low
  • Category: Best Practices
  • URL: Github

Description

IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions. The query reports a CloudFormation template that declares no AWS::AccessAnalyzer::Analyzer resource.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template 2
# No AWS::AccessAnalyzer::Analyzer resource is declared anywhere in this template
Resources:
  myuseeer:
    # LoginProfile is a property of AWS::IAM::User, not AWS::IAM::Group
    Type: AWS::IAM::User
    Properties:
      Path: "/"
      LoginProfile:
        Password: myP@ssW0rd

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"  # quoted so YAML keeps it a string rather than a date
Resources:
  Analyzer:
    Type: "AWS::AccessAnalyzer::Analyzer"
    Properties:
      AnalyzerName: MyAccountAnalyzer
      Type: ACCOUNT
      Tags:
        - Key: Kind
          Value: Dev
      ArchiveRules:
        - # Archive findings for a trusted AWS account
          RuleName: ArchiveTrustedAccountAccess
          Filter:
            - Property: "principal.AWS"
              Eq:
                - "123456789012"
        - # Archive findings for known public S3 buckets
          RuleName: ArchivePublicS3BucketsAccess
          Filter:
            - Property: "resource"
              Contains:
                - "arn:aws:s3:::docs-bucket"
                - "arn:aws:s3:::clients-bucket"
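The check this query performs, written as an added Python example (not the KICS Rego query itself): it takes a template already parsed into a Python object (as `json.load` or `yaml.safe_load` would produce) and reports whether an `AWS::AccessAnalyzer::Analyzer` resource is declared. The two inline templates are constructed to mirror the page's positive and negative samples.

```python
"""Report CloudFormation templates that declare no IAM Access Analyzer."""

ANALYZER_TYPE = "AWS::AccessAnalyzer::Analyzer"


def find_analyzer_findings(template):
    """Return a list of finding messages; an empty list means the check passes.

    `template` is the parsed template (a dict), so a missing or malformed
    Resources section is reported as a finding rather than raising.
    """
    if not isinstance(template, dict):
        return ["template: expected a mapping at the top level"]
    resources = template.get("Resources")
    if not isinstance(resources, dict):
        return ["Resources: section is missing or not a mapping"]
    # Collect logical ids of every Access Analyzer resource in the template
    analyzers = [
        name for name, res in resources.items()
        if isinstance(res, dict) and res.get("Type") == ANALYZER_TYPE
    ]
    if not analyzers:
        return ["Resources: no AWS::AccessAnalyzer::Analyzer resource is declared"]
    return []


# Constructed inputs mirroring the page's samples (dicts instead of YAML text)
POSITIVE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "myuseeer": {"Type": "AWS::IAM::User", "Properties": {"Path": "/"}},
    },
}

NEGATIVE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Analyzer": {
            "Type": ANALYZER_TYPE,
            "Properties": {"AnalyzerName": "MyAccountAnalyzer", "Type": "ACCOUNT"},
        },
    },
}

if __name__ == "__main__":
    for label, tpl in (("positive", POSITIVE_TEMPLATE), ("negative", NEGATIVE_TEMPLATE)):
        print(label, find_analyzer_findings(tpl) or "OK")
```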