IAM Access Analyzer Update: Extending custom policy checks & guided revocation



We're making IAM Access Analyzer even more powerful, extending custom policy checks and adding easy access to guidance that will help you to fine-tune your IAM policies. Both of these new features build on the Custom Policy Checks and the Unused Access analysis that were launched at re:Invent 2023. Here's what we are launching:

New Custom Policy Checks – Using the power of automated reasoning, the new checks help you to detect policies that grant access to specific, critical AWS resources, or that grant any type of public access. Both of the checks are designed to be used ahead of deployment, possibly as part of your CI/CD pipeline, and will help you proactively detect updates that do not conform to your organization's security practices and policies.

Guided Revocation – IAM Access Analyzer now gives you guidance that you can share with your developers so that they can revoke permissions that grant access that is not actually needed. This includes unused roles, roles with unused permissions, unused access keys for IAM users, and unused passwords for IAM users. The guidance includes the steps needed to either remove the extra items or to replace them with more restrictive ones.

New Custom Policy Checks
The new policy checks can be invoked from the command line or by calling an API function. The checks examine a policy document that is supplied as part of the request and return a PASS or FAIL value. In both cases, PASS indicates that the policy document properly disallows the given access, and FAIL indicates that the policy might allow some or all of the permissions. Here are the new checks:

Check No Public Access – This check operates on a resource policy, and checks to see if the policy grants public access to a specified resource type. For example, you can check a policy to see if it allows public access to an S3 bucket by specifying the AWS::S3::Bucket resource type. Valid resource types include DynamoDB tables and streams, EFS file systems, OpenSearch domains, Kinesis streams and stream consumers, KMS keys, Lambda functions, S3 buckets and access points, S3 Express directory buckets, S3 Outposts buckets and access points, Glacier, Secrets Manager secrets, SNS topics and queues, and IAM policy documents that assume roles. The list of valid resource types will expand over time and can be found in the CheckNoPublicAccess documentation.

Let's say that I have a policy which inadvertently grants public access to an Amazon Simple Queue Service (Amazon SQS) queue. Here's how I check it:

$ aws accessanalyzer check-no-public-access --policy-document file://resource.json \
  --resource-type AWS::SQS::Queue --output json

And here is the result:

{
    "result": "FAIL",
    "message": "The resource policy grants public access for the given resource type.",
    "reasons": [
        {
            "description": "Public access granted in the following statement with sid: SqsResourcePolicy.",
            "statementIndex": 0,
            "statementId": "SqsResourcePolicy"
        }
    ]
}

I edit the policy to remove the access grant and try again, and this time the check passes:

{
    "result": "PASS",
    "message": "The resource policy does not grant public access for the given resource type."
}

Check Access Not Granted – This check operates on a single resource policy or identity policy at a time. It also accepts a list of actions and resources, both in the form that is acceptable as part of an IAM policy. The check sees if the policy grants unintended access to any of the resources in the list via the listed actions. For example, this check could be used to make sure that a policy does not allow a critical CloudTrail trail to be deleted:

$ aws accessanalyzer check-access-not-granted --policy-document file://ct.json \
  --access resources="arn:aws:cloudtrail:us-east-1:123456789012:trail/MySensitiveTrail" \
  --policy-type IDENTITY_POLICY --output json

IAM Access Analyzer indicates that the check fails:

{
    "result": "FAIL",
    "message": "The policy document grants access to perform one or more of the listed actions or resources.",
    "reasons": [
        {
            "description": "One or more of the listed actions or resources in the statement with index: 0.",
            "statementIndex": 0
        }
    ]
}

I fix the policy and try again, and this time the check passes, indicating that the policy does not grant access to the listed resources:

{
    "result": "PASS",
    "message": "The policy document does not grant access to perform the listed actions or resources."
}
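Both checks above return the same shape of JSON, and the Check Access Not Granted reasons identify the offending statement only by index, so a CI gate has to map that index back onto the submitted policy to tell a developer what to fix. The following script is an added example (not code from the post or from AWS) that does exactly that: it consumes the JSON printed by the two CLI commands, resolves each statementIndex against the policy document, and returns a non-zero exit code when any check is FAIL. The policy and the two responses are constructed samples shaped like the ones shown in the post; in a real pipeline you would feed the script the actual CLI output instead.

```python
import json
import sys

# Constructed sample: an SQS resource policy that grants public access via
# Principal "*", the kind of statement check-no-public-access flags.
SQS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SqsResourcePolicy", "Effect": "Allow", "Principal": "*",
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:123456789012:MyQueue"}
    ],
}

# Constructed sample responses in the shape the two CLI commands print.
PUBLIC_ACCESS_FAIL = {
    "result": "FAIL",
    "message": "The resource policy grants public access for the given resource type.",
    "reasons": [{"description": "Public access granted in the following statement with sid: SqsResourcePolicy.",
                 "statementIndex": 0, "statementId": "SqsResourcePolicy"}],
}
ACCESS_NOT_GRANTED_PASS = {
    "result": "PASS",
    "message": "The policy document does not grant access to perform the listed actions or resources.",
}


def offending_statements(policy, response):
    """Resolve each reason's statementIndex to the statement in the policy.

    check-access-not-granted reports an index but no Sid, so this lookup is
    what turns a FAIL into an actionable pointer for the developer."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    hits = []
    for reason in response.get("reasons", []):
        idx = reason["statementIndex"]
        stmt = statements[idx]
        hits.append({"index": idx, "sid": stmt.get("Sid"), "action": stmt.get("Action"),
                     "principal": stmt.get("Principal"), "resource": stmt.get("Resource")})
    return hits


def gate(named_results):
    """Return (exit_code, report_lines); any FAIL yields exit code 1 and
    lists the statements to fix, so a pipeline can block the deployment."""
    lines, failed = [], False
    for name, (policy, response) in named_results.items():
        lines.append(f"{name}: {response['result']} - {response['message']}")
        if response["result"] != "PASS":
            failed = True
            for h in offending_statements(policy, response):
                lines.append(f"  Statement[{h['index']}] Sid={h['sid']} Action={h['action']} "
                             f"Principal={h['principal']} Resource={h['resource']}")
    return (1 if failed else 0), lines


if __name__ == "__main__":
    code, report = gate({"check-no-public-access": (SQS_POLICY, PUBLIC_ACCESS_FAIL),
                         "check-access-not-granted": (SQS_POLICY, ACCESS_NOT_GRANTED_PASS)})
    print("\n".join(report))
    sys.exit(code)
```

To use it with real output, replace the constructed responses with `json.load()` of the CLI's `--output json` text and the policy with the same document you passed via `file://`.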

Guided Revocation
In my earlier post I showed you how IAM Access Analyzer discovers and lists IAM items that grant access which is not actually needed. With today's launch, you now get guidance to help you (or your developer team) to resolve these findings. Here are the latest findings from my AWS account:

Some of these are leftovers from times when I was given early access to a service so that I could use and then blog about it; others are due to my general ineptness as a cloud admin! Either way, I need to clean these up. Let's start with the second, Unused access key. I click on the item and can see the new Recommendations section at the bottom:

I can follow the steps and delete the access key or I can click Archive to remove the finding from the list of active findings and add it to the list of archived ones. I can also create an archive rule that will do the same for similar findings in the future. Similar recommendations are provided for unused IAM users, IAM roles, and passwords.

Now let's take a look at a finding of Unused permissions:

The recommendation is to replace the existing policy with a new one. I can preview the new policy side-by-side with the existing one:

As in the first example I can follow the steps or I can archive the finding.

The findings and the recommendations are also available from the command line. I generate the recommendation by specifying an analyzer and a finding from it:

$ aws accessanalyzer generate-finding-recommendation \
  --analyzer-arn arn:aws:access-analyzer-beta:us-west-2:123456789012:analyzer/MyAnalyzer \
  --id 67110f3e-05a1-4562-b6c2-4b009e67c38e

Then I retrieve the recommendation. In this example, I'm filtering the output to only show the steps since the full JSON output is pretty rich:

$ aws accessanalyzer get-finding-recommendation \
  --analyzer-arn arn:aws:access-analyzer-beta:us-west-2:123456789012:analyzer/MyAnalyzer \
  --id 67110f3e-05a1-4562-b6c2-4b009e67c38e --output json | \
  jq '.recommendedSteps[].unusedPermissionsRecommendedStep.recommendedAction'
"CREATE_POLICY"
"DETACH_POLICY"

You can use these commands (or the equivalent API calls) to integrate the recommendations into your own tools and systems.

Available Now
The new checks and the resolution steps are available now and you can start using them today in all public AWS regions!

Jeff;
