IAM Access Analyzer should be enabled in all active regions

iam
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

AWS IAM Access Analyzer is an AWS service that analyzes permissions to your resources, helping you ensure they are configured following least-privilege principles. This is achieved through several key capabilities:

  • External Access Analysis: Continuously monitors resource-based policies to identify resources (like S3 buckets, IAM roles, KMS keys, Lambda functions, and SQS queues) that are shared with entities outside your defined zone of trust (account or organization).
  • Unused Access Analysis: Helps you refine permissions by identifying unused IAM roles, access keys, passwords for IAM users, and even specific unused permissions within policies.
  • Policy Validation & Generation: Offers tools to validate your IAM policies against AWS best practices and policy grammar during development, and can generate fine-grained IAM policies based on actual access activity logged in AWS CloudTrail.
  • Custom Policy Checks: Allows validation of IAM policies against your organization’s specific custom security standards.

You can utilize these IAM Access Analyzer features at the individual account level. For broader, centralized management, you can enable IAM Access Analyzer for your entire AWS Organization. When configured at the organization level, it operates as a regional service (requiring activation in each desired region) to provide unified findings and governance across all member accounts. Organization-level analyzers can be managed from the organization’s management account or through a designated delegated administrator account, which helps centralize the monitoring of access security in multi-account environments.

Remediation

For instructions on enabling IAM Access Analyzer, refer to Getting Started with IAM Access Analyzer.

PREVIEWING: flavien.darche/aap/istio-envoy