IAM Access Analyzer Disabled

This plugin confirms if the Access Analyzer is enabled for all regions.

Risk Level: LOW

Description: 

This plugin confirms if the Access Analyzer is enabled for all regions. AWS IAM (Identity and Access Management) Access Analyzer finds possible security vulnerabilities in your organization and accounts, by evaluating resource-based(such as Amazon S3 buckets or IAM roles) policies linked with cloud resources in the zone of trust that may be shared with an external entity. This enables the detection of unauthorized access to your resources and data, which is a security concern. PingSafe strongly recommends enabling Access Analyzer for all regions.

About the Service :

The AWS Identity and Access Management (IAM) Access Analyzer is a really handy plug-in that eases the task of scanning and reporting the incident of unauthorized access of policies and grants to an external entity that is out of our zone of trust. On top of it, the Access analyzer also helps in securing the AWS S3 bucket, AWS KMS keys, AWS SQS queues, and AWS Secrets Management secrets. 

Impact : 

The disabled Identity and Access Management(IAM) Access Analyzer may lead to unfavorable consequences by giving malicious actors access to resources and accounts such as Amazon S3 buckets or IAM roles without the organization knowing of any such accesses. This will not only make resources accessible to malicious hackers but also provide them with a means to hack the organization or eavesdrop on the organization.

Steps to reproduce :

 

  1. Login to your AWS console.
  2. Navigate to the IAM services and then under Access Reports select Access Analyzer.
  3. On the homepage of the Access Analyzer, we observe that there are no active Analyzers.
  4. No active analyzers isn’t a good sign, because no new findings will be generated and there will be no active monitoring by the access analyzer.

Steps for remediation :

  1. Login to your AWS console.
  2.  Navigate to the IAM services and then under Access Reports select Access Analyzer.
  3. On the homepage of the Access Analyzer, we observe that there are no active Analyzers.
  4. Since there are no active analyzers, we create a new Analyzer by clicking on the Create Analyzer button that takes us to Create Analyzer page.


  5. On moving to the Create Analyzer page we will fill in the details of the analyzer we are creating and then select Create Analyzer.
  6. On the creation of the analyzer, we come across Analyzer Findings, which displays the active findings, archived findings as well as resolved findings.
  7. On moving to the Analyzers section of Access Reports we can look for the active as well as inactive analyzers.
  8. You can not only resolve and look out for findings using access analyzers but also can create multiple access analyzers for your organization.

 

References: