IAM Access Analyzer Not Enabled
- Query id: 8d29754a-2a18-460d-a1ba-9509f8d359da
- Query name: IAM Access Analyzer Not Enabled
- Platform: CloudFormation
- Severity: Low
- Category: Best Practices
- URL: Github
Description¶
IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template 2
Resources:
myuseeer:
Type: AWS::IAM::Group
Properties:
Path: "/"
LoginProfile:
Password: myP@ssW0rd
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "A sample template 2",
"Resources": {
"myuseeer": {
"Type": "AWS::IAM::Group",
"Properties": {
"Path": "/",
"LoginProfile": {
"Password": "myP@ssW0rd"
}
}
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
Analyzer:
Type: "AWS::AccessAnalyzer::Analyzer"
Properties:
AnalyzerName: MyAccountAnalyzer
Type: ACCOUNT
Tags:
- Key: Kind
Value: Dev
ArchiveRules:
- # Archive findings for a trusted AWS account
RuleName: ArchiveTrustedAccountAccess
Filter:
- Property: "principal.AWS"
Eq:
- "123456789012"
- # Archive findings for known public S3 buckets
RuleName: ArchivePublicS3BucketsAccess
Filter:
- Property: "resource"
Contains:
- "arn:aws:s3:::docs-bucket"
- "arn:aws:s3:::clients-bucket"
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"Analyzer": {
"Type": "AWS::AccessAnalyzer::Analyzer",
"Properties": {
"AnalyzerName": "MyAccountAnalyzer",
"Type": "ACCOUNT",
"Tags": [
{
"Key": "Kind",
"Value": "Dev"
}
],
"ArchiveRules": [
{
"RuleName": "ArchiveTrustedAccountAccess",
"Filter": [
{
"Property": "principal.AWS",
"Eq": [
"123456789012"
]
}
]
},
{
"RuleName": "ArchivePublicS3BucketsAccess",
"Filter": [
{
"Property": "resource",
"Contains": [
"arn:aws:s3:::docs-bucket",
"arn:aws:s3:::clients-bucket"
]
}
]
}
]
}
}
}
}