Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
The IAM Access Analyzer solution enables AWS IAM Access Analyzer by delegating administration to a member account within the Organization management account. It then configures Access Analyzer within the delegated administrator account
for all the
existing and future AWS Organization accounts.
In addition to the organization deployment, the solution deploys AWS Access Analyzer to all the member accounts and regions for analyzing account level permissions.
- All resources are deployed via AWS CloudFormation as a
StackSet
andStack Instance
within the management account or a CloudFormationStack
within a specific account. - The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation
StackSet
. - For parameter details, review the AWS CloudFormation templates.
- AWS Organizations is used to delegate an administrator account for AWS Access Analyzer Delegated Administrator Account
- See Common Register Delegated Administrator
AWS IAM Access Analyzer is configured to monitor supported resources for the AWS Account zone of trust.
The example solutions use Audit Account
instead of Security Tooling Account
to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the Audit Account
can be determined from the SecurityAccountId
parameter within the AWSControlTowerBP-BASELINE-CONFIG
StackSet in AWS Control Tower environments, but is specified manually in other environments, and then stored in an SSM parameter (this is all done in the common prerequisites solution).
- AWS IAM Access Analyzer is configured to monitor supported resources for the AWS Organization zone of trust.
- Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
- Verify that the SRA Prerequisites Solution has been deployed.
Choose a Deployment Method:
In the management account (home region)
, launch the sra-iam-access-analyzer-main-ssm.yaml template. This uses an approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.
aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main-ssm.yaml --stack-name sra-iam-access-analyzer-main-ssm --capabilities CAPABILITY_NAMED_IAM
- Log into the Audit account and navigate to the IAM Access Analyzer page
- Verify that there are 2 Access Analyzers (account and organization)
- Verify all existing accounts/regions have an account Access Analyzer
In the management account (home region)
, delete the AWS CloudFormation Stack (sra-iam-access-analyzer-main-ssm
or sra-iam-access-analyzer-main
) created above.