Skip to content

Latest commit

 

History

History

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 

Access Analyzer

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0

Table of Contents


Introduction

The IAM Access Analyzer solution enables AWS IAM Access Analyzer by delegating administration to a member account within the Organization management account. It then configures Access Analyzer within the delegated administrator account for all the existing and future AWS Organization accounts.

In addition to the organization deployment, the solution deploys AWS Access Analyzer to all the member accounts and regions for analyzing account level permissions.


Deployed Resource Details

Architecture

1.0 Organization Management Account

1.1 AWS CloudFormation

  • All resources are deployed via AWS CloudFormation as a StackSet and Stack Instance within the management account or a CloudFormation Stack within a specific account.
  • The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation StackSet.
  • For parameter details, review the AWS CloudFormation templates.

1.2 AWS Organizations

1.3 Account AWS IAM Access Analyzer

AWS IAM Access Analyzer is configured to monitor supported resources for the AWS Account zone of trust.


2.0 Audit Account (Security Tooling)

The example solutions use Audit Account instead of Security Tooling Account to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the Audit Account can be determined from the SecurityAccountId parameter within the AWSControlTowerBP-BASELINE-CONFIG StackSet in AWS Control Tower environments, but is specified manually in other environments, and then stored in an SSM parameter (this is all done in the common prerequisites solution).

2.1 AWS CloudFormation

2.2 Account AWS IAM Access Analyzer

2.3 Organization AWS IAM Access Analyzer

  • AWS IAM Access Analyzer is configured to monitor supported resources for the AWS Organization zone of trust.

3.0 All Existing and Future Organization Member Accounts

3.1 AWS CloudFormation

3.2 Account AWS IAM Access Analyzer


Implementation Instructions

Pre-requisites

  1. Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
  2. Verify that the SRA Prerequisites Solution has been deployed.

Solution Deployment

Choose a Deployment Method:

AWS CloudFormation

In the management account (home region), launch the sra-iam-access-analyzer-main-ssm.yaml template. This uses an approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.

aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main-ssm.yaml --stack-name sra-iam-access-analyzer-main-ssm --capabilities CAPABILITY_NAMED_IAM

Verify Solution Deployment

  1. Log into the Audit account and navigate to the IAM Access Analyzer page
    1. Verify that there are 2 Access Analyzers (account and organization)
  2. Verify all existing accounts/regions have an account Access Analyzer

Solution Delete Instructions

In the management account (home region), delete the AWS CloudFormation Stack (sra-iam-access-analyzer-main-ssm or sra-iam-access-analyzer-main) created above.


References