Name: Introduction to IAM Access Analyzer
Uploaded: 2021-02-11T15:45:28Z
Duration: 139
Description: AWS IAM Access Analyzer is an incredibly important services within IAM used to identify potential resource-access risks.

Introduction to IAM Access Analyzer

Analyze Resource-Access Risks

AWS IAM Access Analyzer is an incredibly important services within IAM used to identify potential resource-access risks. Instead of wondering who has access to which resources, IAM Access Analyzer helps you identify the resources in your organization and accounts that are shared with an external entity. It uses automated reasoning to look at all the possible scenarios and determine security risks. According to AWS, the main features of AWS IAM Access Analyzer include:

Guided policy authoring with 100+ policy checks
Comprehensive analyzes for public and cross-account access
Continuously monitors and reduces permissions
Provides the highest levels of security assurance

For more information on mitigating resource-access risks, visit the AWS documentation for using IAM Access Analyzer.

Transcription

One of the important steps in any of the security frameworks that’s out there is to evaluate your access rights. What are the permissions levels that you’ve granted? Are they proper? Are they adequately assigned to the people who need access to it? You’ve heard about the principle of least privilege. No one should any have access to anything that’s beyond their business need for accessing that resource. It’s very difficult when you’re going through a security audit, as an auditor, to determine if the rights that are given to an individual or a group are proper. You have to ask questions, you have to investigate, you have to collaborate with others in order to determine if it’s appropriate or not.

AWS has come out with the IAM Access Analyzer and this greatly helps us, as auditors, to evaluate those access rights, but it also helps you to review your resource policies to understand if the people who have access to the resource should indeed have that. Access Analyzer gives you valuable insight into these resources by analyzing the resource itself, looking at the external entity that has access, and also looking at the permissions that are granted. This new capability is using something called automated reasoning to determine all the possible scenarios. This is very difficult to do during an audit, for just one person to consider all the different scenarios and “if this, then that” situations that occur in order to determine if the permissions are established properly. Access Analyzer does a lot of that work for you and it will provide you with this data in order to make a decision about if these permissions are what you expect to see. You can evaluate access rights to S3 buckets, to your IAM roles, to KMS keys, Lambda functions, Secrets Manager. You’re able to evaluate permissions on so many services like that within AWS that it allows you to do a lot more in less time using IAM Access Analyzer.

Introduction to IAM Access Analyzer

Related Videos

AWS Controls for Implementing a DMZ

AWS Functions to Restrict Database Access

AWS Password Best Practices

AWS Password Expiration Policies

AWS Password Reuse Policy

AWS Tools for Your SDLC

Access Control Using IAM Instance Roles

Assign Access Based on Business Need to Know

Attaching IAM Policies to Groups or Roles

Avoid Use of the Root Account

Basics of Role Assumption

Best Practices for Change Management in AWS

Best Practices for Password Parameters

Cloud Attacks on the Rise

Configuring Network Border Controls

Creating a Data Flow Diagram

Creating a Network Diagram

Define Acceptable Use of Technology Part 1

Defining Resources in IAM Policies

Defining Resources in S3 Bucket Policies

Defining Roles and Responsibilities in AWS

Developing a Process for User Authentication

Disabling Insecure Ports and Protocols

Disabling Unused Credentials

Do All Keys Have Resources Attached?

Documenting a Systems Inventory in AWS

Enabling MFA for All IAM Users

Encrypting Traffic In and Out of AWS

Encryption Decisions for Your Technology Stack

Encryption Opportunities

Encryption for EBS Volumes

Encryption for S3 Buckets

Enforce Separation with Access Controls

Enforcing Strong Encryption in AWS

Enforcing Strong TLS Ciphers

Events that Drive Key Rotation

House Accounts in CloudTrail

How to Attach IAM Policies to Groups or Roles

How to Check MFA in a Credential Report

How to Check Use of the Root Account

How to Configure Encryption for EBS Volumes on Existing EC2 Instances

How to Configure Encryption for EBS Volumes on New EC2 Instances

How to Configure Encryption for RDS

How to Configure Encryption for S3 Buckets

How to Find Administrative Privileges in IAM Policies

How to House Multiple Accounts Within an AWS Organization

How to Modify Password Complexity in a Password Policy

How to Modify Permissions to EBS Snapshots

How to Prevent Password Reuse in a Password Policy

How to Restrict Public Access to S3 Buckets

How to Use S3 Bucket Policies

IAM Policies for Account Authentication

IAM Policies that Address Administrative Privileges

Identifying Unused Credentials in a Credential Report

Industry Best Practices for Configuration Standards

Introduction to AWS Network Firewall

Introduction to Amazon EKS

Introduction to Amazon S3 Access Points

Key Rotation and Management

Load Balancers Must Require TLS 1.2

MFA for API Calls

Meeting Firewall and Router Configuration Standards

Network Segmentation for AWS

Performing Code Review Prior to Release

Physical Security Responsibilities for AWS

Physical Security Responsibilities for AWS Users

Physical Security Threats for AWS

Prevent Shared, Group, or Generic Accounts in AWS

Preventing Public Accessibility on DB Instances

Preventing Publicly Available CloudTrail Logs

Preventing Publicly Available S3 Buckets

Protecting Web Applications in AWS

Publish and Maintain an Information Security Policy

Quarterly Reviews of Your Security Program

Restricting Access to EBS Snapshots

Reviewing Firewall and Router Configurations

Rotating Access Keys

Route 53 Support for DNSSEC