Unused Access Analyzer is a feature of the AWS IAM Access Analyzer service. It monitors all IAM roles and users in your AWS account or organization and generates findings for access that has gone unused. It is a paid feature, priced at $0.20 per month for each IAM role or IAM user analyzed. It is region-based: if you use resources in more than one region of your account or organization, you have to create a separate Unused Access Analyzer in each of those regions. Its purpose is to surface access that was granted in your organization or account but is not being used.
It generates findings such as unused roles, unused IAM user access keys and passwords, and unused permissions.
Primary Terminologies
- AWS Identity and Access Management (IAM): AWS IAM is a service provided by Amazon Web Services that enables secure access control to AWS resources. It helps create and manage individual users, roles, and policies, defining who can access what within an AWS account.
- Access Analyzer: Access Analyzer is a feature in AWS IAM that evaluates permissions associated with IAM roles and users. It helps in identifying unused or overly permissive access, providing insights for improving security within AWS environments.
- Unused Access Analyzer: A specific capability of Access Analyzer designed to detect unused IAM roles, permissions, access keys, and user passwords. This allows administrators to identify and remove unnecessary access, enhancing overall security.
- IAM Roles: IAM roles allow you to delegate specific permissions to entities such as users or AWS services. These permissions define what actions the entities are allowed to perform on AWS resources, ensuring controlled access.
- IAM Users: IAM users are individual accounts that represent people or services interacting with AWS resources. Permissions assigned to these users dictate their level of access to AWS resources.
- Permissions: Permissions refer to rules or policies that specify what actions are permitted or denied for users or roles. These are essential for controlling what resources a user or role can access in AWS.
- Access Keys: Access keys are a set of credentials used by applications or services to interact with AWS resources programmatically. These keys consist of an access key ID and a secret access key.
- Region-Based Monitoring: AWS services, including Access Analyzer, operate on a region-specific basis. If resources are deployed across multiple regions, separate analyzers must be created in each region to ensure unused access is identified everywhere.
- Findings: Findings are the results generated by Access Analyzer after assessing roles, permissions, access keys, and user passwords. They help highlight unused access points or security risks that require attention.
- Tracking Period: The tracking period defines the length of time (between 1 to 90 days) Access Analyzer monitors IAM roles, users, and permissions. The period selected influences the analysis by showing which permissions were unused during that time frame.
- Tags: Tags are labels applied to AWS resources to help organize and manage them. For Access Analyzer, tags can be used to categorize and manage analyzers, making it easier to track their purpose and configuration.
- Archiving Findings: Archiving findings in Access Analyzer allows you to mark specific findings as reviewed or resolved. This changes the status of the finding, indicating that no further action is required for that specific issue.
Importance Of Unused Access Analyzer
- Identify unused roles
- Identify unused user passwords
- Identify unused permissions
- Identify unused access keys
- Take appropriate action on them
Step-By-Step Guide: How To Activate Unused Access Analyzer
Step 1: Navigate to Access Analyzer Console
- To activate Unused Access Analyzer, open the IAM console, click “Access Analyzer”, and then click “Create analyzer”.

Step 2: Select the Analyzer
- Findings type offers two options. Select Unused access analysis.

Step 3: Enable Unused Analyzer
- Enter an analyzer name and select a tracking period (between 1 and 90 days) according to your requirement for how many days to monitor unused access of roles, users, permissions, etc.
- Check that the Region shown is the one you use, then under accounts select either the organization or a single account.

Step 4: Review Configuration
- Add tags if you need them, then click “Create analyzer”.

Step 5: Monitor Analysis
- Your Unused Access Analyzer is now created. After some time it shows findings across your accounts: unused roles, unused permissions, unused access keys and unused passwords.

Step 6: Take Action
- To inspect a finding, click its finding ID; the full details of that particular finding are shown so that you can take appropriate action on it.

- If the access reported by the finding is actually needed, click Archive to change the status of the finding.
- For a finding of type Unused permissions, it lists every permission of that user that was not used during the tracking period you entered at creation time.

In the screenshot for this step, 367 permissions were not used during the tracking period.
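As an added example (not code from the original article), here is a small Python triage over the findings the analyzer produces: it skips archived findings, counts the rest by type, flattens the unused actions of an Unused permissions finding (the kind of figure behind the 367 count above), and attaches the remediation each type calls for. The sample findings are constructed, and their field names and finding type values are assumed to follow the `list-findings-v2` and `get-finding-v2` responses, so verify them against your own output.

```python
from collections import Counter

# Constructed sample (not real output) shaped like `aws accessanalyzer list-findings-v2`
# entries, each joined with the `findingDetails` that `get-finding-v2 --id <id>` returns.
SAMPLE_FINDINGS = [
    {"id": "f-1", "findingType": "UnusedIAMRole", "status": "ACTIVE",
     "resource": "arn:aws:iam::111122223333:role/legacy-batch"},
    {"id": "f-2", "findingType": "UnusedIAMUserAccessKey", "status": "ACTIVE",
     "resource": "arn:aws:iam::111122223333:user/ci-bot"},
    {"id": "f-3", "findingType": "UnusedPermission", "status": "ACTIVE",
     "resource": "arn:aws:iam::111122223333:user/dev-alice",
     "findingDetails": [
         {"unusedPermissionDetails": {"serviceNamespace": "s3",
          "actions": [{"action": "DeleteBucket"}, {"action": "PutBucketPolicy"}]}},
         {"unusedPermissionDetails": {"serviceNamespace": "ec2",
          "actions": [{"action": "TerminateInstances"}]}}]},
    {"id": "f-4", "findingType": "UnusedIAMUserPassword", "status": "ARCHIVED",
     "resource": "arn:aws:iam::111122223333:user/break-glass"},
]
# Remediation that the "Take Action" step implies for each finding type.
ACTION_FOR_TYPE = {
    "UnusedIAMRole": "delete the role, or tighten its trust policy if it must stay",
    "UnusedIAMUserAccessKey": "deactivate the key, then delete it after a grace period",
    "UnusedIAMUserPassword": "remove the console password",
    "UnusedPermission": "remove the listed actions from the attached policies",
}

def unused_actions(finding):
    """Flatten an UnusedPermission finding's details into 'service:Action' strings."""
    actions = []
    for detail in finding.get("findingDetails", []):
        perm = detail.get("unusedPermissionDetails")
        if perm:
            actions += [f"{perm.get('serviceNamespace', '*')}:{a['action']}" for a in perm.get("actions", [])]
    return actions

def triage(findings):
    """Group ACTIVE findings by type with a recommended action; ARCHIVED ones are skipped."""
    report = {"counts": Counter(), "unused_action_total": 0, "items": []}
    for f in findings:
        if f["status"] != "ACTIVE":
            continue  # archived = reviewed and accepted in Step 6, nothing to do
        report["counts"][f["findingType"]] += 1
        item = {"id": f["id"], "resource": f["resource"], "action": ACTION_FOR_TYPE[f["findingType"]]}
        if f["findingType"] == "UnusedPermission":
            item["unused_actions"] = unused_actions(f)
            report["unused_action_total"] += len(item["unused_actions"])
        report["items"].append(item)
    return report
```

Feed it the JSON you pull with the two CLI calls named in the comments and the `unused_action_total` gives the per-account equivalent of the 367 figure, while `items` is the worklist for the Take Action step.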
Conclusion
The Unused Access feature in AWS IAM Access Analyzer is essential for maintaining security by detecting and highlighting unused permissions and roles. Regularly reviewing and resolving these access points helps safeguard your AWS environment from potential security risks by eliminating unnecessary or excessive permissions. This proactive approach ensures that only necessary access is maintained, reducing the chances of unauthorized use or vulnerabilities.
How to secure our AWS Services and Accounts?
Securing AWS services and accounts involves several best practices:
- Use IAM Roles and Policies: Assign least privilege permissions to users and services. Avoid using root credentials for everyday tasks.
- Enable Multi-Factor Authentication (MFA): Require MFA for sensitive operations, especially for root accounts.
- Regularly Review IAM Roles and Permissions: Use tools like Access Analyzer to identify unused or excessive permissions and remove them to reduce potential attack surfaces.
- Enable Logging and Monitoring: Use AWS CloudTrail and AWS Config to track changes in your AWS environment and monitor for suspicious activity.
- Encrypt Data: Ensure that sensitive data is encrypted at rest and in transit using AWS encryption services such as AWS KMS.
What is IAM?
AWS Identity and Access Management (IAM) is a service that helps manage and control access to AWS resources securely. It allows administrators to create users, groups, and roles, and assign permissions that define what resources those entities can access. With IAM, you can ensure that only authorized users or services can interact with specific AWS resources, thereby enhancing the security of your infrastructure.