IAM Access Analyzer Not Enabled
- Query id: 8d29754a-2a18-460d-a1ba-9509f8d359da
- Query name: IAM Access Analyzer Not Enabled
- Platform: CloudFormation
- Severity: Low
- Category: Best Practices
- URL: Github
Description
IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions. In a CloudFormation template this means declaring an AWS::AccessAnalyzer::Analyzer resource; the query reports templates that declare none.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template 2
Resources:
  # No AWS::AccessAnalyzer::Analyzer resource is declared anywhere in this
  # template, which is what the query flags.
  myuseeer:
    Type: AWS::IAM::User   # LoginProfile is a property of AWS::IAM::User, not AWS::IAM::Group
    Properties:
      Path: "/"
      LoginProfile:
        Password: myP@ssW0rd
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Analyzer:
    Type: "AWS::AccessAnalyzer::Analyzer"
    Properties:
      AnalyzerName: MyAccountAnalyzer
      Type: ACCOUNT
      Tags:
        - Key: Kind
          Value: Dev
      ArchiveRules:
        - # Archive findings for a trusted AWS account
          RuleName: ArchiveTrustedAccountAccess
          Filter:
            - Property: "principal.AWS"
              Eq:
                - "123456789012"
        - # Archive findings for known public S3 buckets
          RuleName: ArchivePublicS3BucketsAccess
          Filter:
            - Property: "resource"
              Contains:
                - "arn:aws:s3:::docs-bucket"
                - "arn:aws:s3:::clients-bucket"
```
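The check behind this query is simple enough to reproduce in a few lines, which is useful when you want to run it in a pre-commit hook or a CI job without the full scanner. The script below is an added example, not the KICS query itself (KICS queries are written in Rego) nor any of its test files. It walks a parsed CloudFormation template, reports templates that declare no AWS::AccessAnalyzer::Analyzer resource, and goes one step beyond the query as documented by also checking that a declared analyzer's Type property is one of the external-access scopes ACCOUNT or ORGANIZATION. Templates are handled in CloudFormation's JSON syntax so the script needs only the standard library; the two embedded samples are constructed here to mirror the positive and negative YAML tests above.

```python
"""Added example (not part of the KICS query or its test files): a small
checker that reproduces the rule "IAM Access Analyzer Not Enabled" over a
parsed CloudFormation template and, beyond the query as documented, also
validates the analyzer's Type property.

Templates are handled as JSON (CloudFormation's JSON syntax) so the script
runs with the standard library only; the samples below are constructed to
mirror the page's positive and negative YAML tests.
"""
import json
from typing import Dict, List

ANALYZER_TYPE = "AWS::AccessAnalyzer::Analyzer"
# External-access analyzer scopes accepted for Properties.Type.
EXTERNAL_ACCESS_SCOPES = {"ACCOUNT", "ORGANIZATION"}


def load_template(text: str) -> Dict:
    """Parse a CloudFormation template written in JSON syntax."""
    template = json.loads(text)
    if not isinstance(template, dict):
        raise ValueError("template root must be a JSON object")
    return template


def find_analyzers(template: Dict) -> Dict[str, Dict]:
    """Return {logical_id: resource} for every Access Analyzer resource."""
    resources = template.get("Resources") or {}
    return {
        logical_id: res
        for logical_id, res in resources.items()
        if isinstance(res, dict) and res.get("Type") == ANALYZER_TYPE
    }


def check_access_analyzer(template: Dict) -> List[str]:
    """Return a list of findings; an empty list means the template passes.

    The KICS query needs only the first check (no analyzer declared at all).
    The scope check is an extra added by this example so that a declared
    analyzer is an external-access one and not a typo that fails at deploy.
    """
    findings: List[str] = []
    analyzers = find_analyzers(template)
    if not analyzers:
        findings.append(
            "Resources: no AWS::AccessAnalyzer::Analyzer resource is declared "
            "(IAM Access Analyzer Not Enabled)"
        )
        return findings
    for logical_id, res in analyzers.items():
        scope = (res.get("Properties") or {}).get("Type")
        if scope not in EXTERNAL_ACCESS_SCOPES:
            findings.append(
                f"Resources.{logical_id}.Properties.Type: expected one of "
                f"{sorted(EXTERNAL_ACCESS_SCOPES)}, got {scope!r}"
            )
    return findings


# Constructed sample mirroring the page's positive test: an IAM user and
# nothing else, so the template enables no analyzer.
POSITIVE_TEMPLATE = load_template("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myuseeer": {
      "Type": "AWS::IAM::User",
      "Properties": {"Path": "/", "LoginProfile": {"Password": "myP@ssW0rd"}}
    }
  }
}
""")

# Constructed sample mirroring the page's negative test (one archive rule kept).
NEGATIVE_TEMPLATE = load_template("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Analyzer": {
      "Type": "AWS::AccessAnalyzer::Analyzer",
      "Properties": {
        "AnalyzerName": "MyAccountAnalyzer",
        "Type": "ACCOUNT",
        "ArchiveRules": [
          {"RuleName": "ArchiveTrustedAccountAccess",
           "Filter": [{"Property": "principal.AWS", "Eq": ["123456789012"]}]}
        ]
      }
    }
  }
}
""")

if __name__ == "__main__":
    for label, template in (("positive", POSITIVE_TEMPLATE), ("negative", NEGATIVE_TEMPLATE)):
        findings = check_access_analyzer(template)
        print(f"{label}: {'FAIL' if findings else 'PASS'}")
        for finding in findings:
            print("  -", finding)
```

Run it as a script to see the positive sample fail and the negative sample pass; to use it on your own templates, feed the output of `json.load` on a template file to `check_access_analyzer`. Templates written in YAML need a YAML parser first (for example PyYAML with a CloudFormation-aware loader), which is why the example sticks to JSON.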