IAM Access Analyzer external access analyzer should be enabled
Description
This control checks whether an AWS account has an IAM Access Analyzer external access analyzer enabled. It fails if the account does not have an external access analyzer enabled in the currently selected AWS Region. External access analyzers identify resources, such as Amazon Simple Storage Service (Amazon S3) buckets or IAM roles, that are shared with an external entity, which helps prevent unintended access to resources and data. IAM Access Analyzer is Regional and must be enabled in each Region. To identify resources shared with external principals, an access analyzer uses logic-based reasoning to analyze the resource-based policies in the AWS environment. When an external access analyzer is created, its scope can be an entire organization or an individual account.
Remediation
To remediate a missing external access analyzer, create and enable one in each AWS Region that the account uses.
Steps
- Navigate to the AWS IAM Access Analyzer console
- Select the AWS Region where you want to enable the analyzer
- Click 'Create analyzer'
- Select 'External access analyzer' as the analyzer type
- Choose the scope (organization or individual account)
- Configure the analyzer settings
- Review and create the analyzer
- Verify the analyzer is active and running
- Repeat for all required AWS Regions
- Set up monitoring and alerting for analyzer findings
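The verification step above can be automated instead of done by hand in each Region. The following is an added example (not part of this control's documentation) that applies the control's pass/fail logic to the response shape of the IAM Access Analyzer ListAnalyzers API, one response per Region; the Region names and analyzer entries in `SAMPLE` are constructed, and in practice the same dictionary would be filled from `aws accessanalyzer list-analyzers` run against each Region.

```python
"""Evaluate the 'external access analyzer enabled' control per Region.

Added example, not part of the original control page. It evaluates
ListAnalyzers responses, so it runs offline on the constructed sample
below or on live output collected from each Region.
"""
from __future__ import annotations

# Analyzer types that count as an *external access* analyzer. The
# ACCOUNT_UNUSED_ACCESS / ORGANIZATION_UNUSED_ACCESS types do not
# satisfy this control, because they do not analyze external sharing.
EXTERNAL_TYPES = {"ACCOUNT", "ORGANIZATION"}


def evaluate_region(response: dict) -> tuple[bool, str]:
    """Return (passed, reason) for one Region's ListAnalyzers response."""
    external = [a for a in response.get("analyzers", [])
                if a.get("type") in EXTERNAL_TYPES]
    if not external:
        return False, "no external access analyzer in this Region"
    active = [a["name"] for a in external if a.get("status") == "ACTIVE"]
    if not active:
        states = ", ".join(f"{a['name']}={a.get('status')}" for a in external)
        return False, f"external access analyzer(s) not ACTIVE: {states}"
    return True, f"active external access analyzer: {', '.join(active)}"


def evaluate_account(responses: dict[str, dict]) -> dict[str, tuple[bool, str]]:
    """Evaluate every Region; the control is Regional, so each must pass."""
    return {region: evaluate_region(resp) for region, resp in responses.items()}


# Constructed sample responses (not real account data), one per Region.
SAMPLE = {
    "us-east-1": {"analyzers": [
        {"name": "org-external", "type": "ORGANIZATION", "status": "ACTIVE"}]},
    "eu-west-1": {"analyzers": [
        {"name": "acct-external", "type": "ACCOUNT", "status": "DISABLED"}]},
    "ap-southeast-1": {"analyzers": [  # unused-access analyzer only
        {"name": "unused", "type": "ACCOUNT_UNUSED_ACCESS", "status": "ACTIVE"}]},
    "us-west-2": {"analyzers": []},
}

if __name__ == "__main__":
    for region, (ok, why) in evaluate_account(SAMPLE).items():
        print(f"{region}: {'PASS' if ok else 'FAIL'} - {why}")
```

Only `us-east-1` passes in the sample: a disabled analyzer, an unused-access analyzer on its own, or no analyzer at all each leave the Region non-compliant.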