IAM Access Analyzer Not Enabled
- Query id: e592a0c5-5bdb-414c-9066-5dba7cdea370
- Query name: IAM Access Analyzer Not Enabled
- Platform: Terraform
- Severity: Low
- Category: Best Practices
- CWE: 710
- Risk score: 3.5
- URL: Github
Description
IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions. Granting the organization trusted access for `access-analyzer.amazonaws.com` alone does not create an analyzer; an `aws_accessanalyzer_analyzer` resource must also be declared.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Flagged: trusted access for IAM Access Analyzer is granted at the
# organization level, but no aws_accessanalyzer_analyzer resource is declared,
# so no analyzer exists to actually monitor resource permissions.
resource "aws_organizations_organization" "example2" {
# Allows the Access Analyzer service to operate across the organization;
# this is a prerequisite for an analyzer, not the analyzer itself.
aws_service_access_principals = ["access-analyzer.amazonaws.com"]
}
Positive test num. 2 - json file
{
"format_version": "1.2",
"terraform_version": "1.14.3",
"planned_values": {
"root_module": {
"resources": [
{
"address": "aws_organizations_organization.example2",
"mode": "managed",
"type": "aws_organizations_organization",
"name": "example2",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 0,
"values": {
"aws_service_access_principals": [
"access-analyzer.amazonaws.com"
],
"enabled_policy_types": null,
"feature_set": "ALL",
"return_organization_only": null
},
"sensitive_values": {
"accounts": [],
"aws_service_access_principals": [
false
],
"non_master_accounts": [],
"roots": []
},
"identity_schema_version": 0,
"identity": {
"account_id": null,
"id": null
}
}
]
}
},
"resource_changes": [
{
"address": "aws_organizations_organization.example2",
"mode": "managed",
"type": "aws_organizations_organization",
"name": "example2",
"provider_name": "registry.terraform.io/hashicorp/aws",
"change": {
"actions": [
"create"
],
"before": null,
"after": {
"aws_service_access_principals": [
"access-analyzer.amazonaws.com"
],
"enabled_policy_types": null,
"feature_set": "ALL",
"return_organization_only": null
},
"after_unknown": {
"accounts": true,
"arn": true,
"aws_service_access_principals": [
false
],
"id": true,
"master_account_arn": true,
"master_account_email": true,
"master_account_id": true,
"master_account_name": true,
"non_master_accounts": true,
"roots": true
},
"before_sensitive": false,
"after_sensitive": {
"accounts": [],
"aws_service_access_principals": [
false
],
"non_master_accounts": [],
"roots": []
},
"after_identity": {
"account_id": null,
"id": null
}
}
}
],
"configuration": {
"provider_config": {
"aws": {
"name": "aws",
"full_name": "registry.terraform.io/hashicorp/aws"
}
},
"root_module": {
"resources": [
{
"address": "aws_organizations_organization.example2",
"mode": "managed",
"type": "aws_organizations_organization",
"name": "example2",
"provider_config_key": "aws",
"expressions": {
"aws_service_access_principals": {
"constant_value": [
"access-analyzer.amazonaws.com"
]
}
},
"schema_version": 0
}
]
}
},
"timestamp": "2026-02-02T17:26:25Z",
"applyable": true,
"complete": true,
"errored": false
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Organization root: grants IAM Access Analyzer trusted access so that an
# organization-scoped analyzer can be created below.
resource "aws_organizations_organization" "example" {
  aws_service_access_principals = ["access-analyzer.amazonaws.com"]
}

# The analyzer itself. Its presence is what distinguishes this sample from
# the flagged one: the organization alone does not monitor anything.
resource "aws_accessanalyzer_analyzer" "example2" {
  type          = "ORGANIZATION"
  analyzer_name = "example"

  # Create the analyzer only after the organization exists; presumably the
  # ORGANIZATION type needs trusted access to be in place first — confirm
  # against the AWS provider docs.
  depends_on = [aws_organizations_organization.example]
}
Negative test num. 2 - json file
{
"format_version": "1.2",
"terraform_version": "1.14.3",
"planned_values": {
"root_module": {
"resources": [
{
"address": "aws_accessanalyzer_analyzer.example2",
"mode": "managed",
"type": "aws_accessanalyzer_analyzer",
"name": "example2",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 0,
"values": {
"analyzer_name": "example",
"configuration": [],
"region": "eu-west-1",
"tags": null,
"type": "ORGANIZATION"
},
"sensitive_values": {
"configuration": [],
"tags_all": {}
}
},
{
"address": "aws_organizations_organization.example",
"mode": "managed",
"type": "aws_organizations_organization",
"name": "example",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 0,
"values": {
"aws_service_access_principals": [
"access-analyzer.amazonaws.com"
],
"enabled_policy_types": null,
"feature_set": "ALL",
"return_organization_only": null
},
"sensitive_values": {
"accounts": [],
"aws_service_access_principals": [
false
],
"non_master_accounts": [],
"roots": []
},
"identity_schema_version": 0,
"identity": {
"account_id": null,
"id": null
}
}
]
}
},
"resource_changes": [
{
"address": "aws_accessanalyzer_analyzer.example2",
"mode": "managed",
"type": "aws_accessanalyzer_analyzer",
"name": "example2",
"provider_name": "registry.terraform.io/hashicorp/aws",
"change": {
"actions": [
"create"
],
"before": null,
"after": {
"analyzer_name": "example",
"configuration": [],
"region": "eu-west-1",
"tags": null,
"type": "ORGANIZATION"
},
"after_unknown": {
"arn": true,
"configuration": [],
"id": true,
"tags_all": true
},
"before_sensitive": false,
"after_sensitive": {
"configuration": [],
"tags_all": {}
}
}
},
{
"address": "aws_organizations_organization.example",
"mode": "managed",
"type": "aws_organizations_organization",
"name": "example",
"provider_name": "registry.terraform.io/hashicorp/aws",
"change": {
"actions": [
"create"
],
"before": null,
"after": {
"aws_service_access_principals": [
"access-analyzer.amazonaws.com"
],
"enabled_policy_types": null,
"feature_set": "ALL",
"return_organization_only": null
},
"after_unknown": {
"accounts": true,
"arn": true,
"aws_service_access_principals": [
false
],
"id": true,
"master_account_arn": true,
"master_account_email": true,
"master_account_id": true,
"master_account_name": true,
"non_master_accounts": true,
"roots": true
},
"before_sensitive": false,
"after_sensitive": {
"accounts": [],
"aws_service_access_principals": [
false
],
"non_master_accounts": [],
"roots": []
},
"after_identity": {
"account_id": null,
"id": null
}
}
}
],
"configuration": {
"provider_config": {
"aws": {
"name": "aws",
"full_name": "registry.terraform.io/hashicorp/aws"
}
},
"root_module": {
"resources": [
{
"address": "aws_accessanalyzer_analyzer.example2",
"mode": "managed",
"type": "aws_accessanalyzer_analyzer",
"name": "example2",
"provider_config_key": "aws",
"expressions": {
"analyzer_name": {
"constant_value": "example"
},
"type": {
"constant_value": "ORGANIZATION"
}
},
"schema_version": 0,
"depends_on": [
"aws_organizations_organization.example"
]
},
{
"address": "aws_organizations_organization.example",
"mode": "managed",
"type": "aws_organizations_organization",
"name": "example",
"provider_config_key": "aws",
"expressions": {
"aws_service_access_principals": {
"constant_value": [
"access-analyzer.amazonaws.com"
]
}
},
"schema_version": 0
}
]
}
},
"timestamp": "2026-02-02T17:30:58Z",
"applyable": true,
"complete": true,
"errored": false
}