A practical guide to implementing external access analysis using CloudFormation StackSets
The Challenge
Organizations with multiple AWS accounts need visibility into resources shared with external entities to identify unintended access and potential security risks. IAM Access Analyzer identifies resources with policies that grant access to principals outside your account, but manual deployment across hundreds of accounts and regions becomes impractical. Organizations need automated deployment that scales with their AWS footprint and satisfies compliance requirements.
This best practice is supported by CIS AWS Foundations Benchmark v3.0.0 IAM.28 control, which requires an IAM Access Analyzer external access analyzer to be enabled.
Understanding Access Analyzer Scope
IAM Access Analyzer can be configured with different zones of trust:
Account-Level Analyzer (Type: ACCOUNT):
- Analyzes resources within a single account
- Generates findings for access from any external principal (including other accounts in your organization)
- Required for Security Hub IAM.28 compliance check per account per region
Organization-Level Analyzer (Type: ORGANIZATION):
- Analyzes resources across all accounts in the organization
- Generates findings only for access from principals outside the organization
- Provides centralized visibility but does not satisfy per-account compliance checks
For CIS compliance, deploy account-level analyzers to each account. Findings consolidate in Security Hub when organization integration is enabled.
Implementation Approach
CloudFormation StackSets provide scalable deployment using the native AWS::AccessAnalyzer::Analyzer resource. The solution deploys consistently across all accounts and regions, automatically applying to new accounts when configured with automatic deployment.
CloudFormation Template
AWSTemplateFormatVersion: '2010-09-09'
Description: Deploy IAM Access Analyzer for external access analysis
Parameters:
  AnalyzerNamePrefix:
    Type: String
    Description: Prefix for the analyzer name
    Default: "ExternalAccessAnalyzer"
Resources:
  ExternalAccessAnalyzer:
    Type: AWS::AccessAnalyzer::Analyzer
    Properties:
      # Region suffix keeps the name unique; one analyzer per type per region is allowed
      AnalyzerName: !Sub "${AnalyzerNamePrefix}-${AWS::Region}"
      # ACCOUNT zone of trust is what the Security Hub IAM.28 check looks for
      Type: ACCOUNT
      Tags:
        - Key: Purpose
          Value: CIS-Compliance
        - Key: Control
          Value: IAM.28
        - Key: ManagedBy
          Value: CloudFormation-StackSet
Outputs:
  AnalyzerArn:
    Description: ARN of the created Access Analyzer
    Value: !GetAtt ExternalAccessAnalyzer.Arn
  AnalyzerName:
    Description: Name of the created Access Analyzer
    Value: !Sub "${AnalyzerNamePrefix}-${AWS::Region}"
Deployment Strategy
Deploy using CloudFormation StackSets from the management account or delegated administrator. Target organizational units and multiple regions to ensure coverage across your AWS footprint.
# Create StackSet with auto-deployment enabled
aws cloudformation create-stack-set \
  --stack-set-name access-analyzer-stackset \
  --template-body file://access-analyzer.yaml \
  --permission-model SERVICE_MANAGED \
  --auto-deployment Enabled=true,RetainStacksOnAccountRemoval=false

# Deploy to organization across multiple regions
aws cloudformation create-stack-instances \
  --stack-set-name access-analyzer-stackset \
  --deployment-targets OrganizationalUnitIds=<YOUR_ROOT_OU_ID> \
  --regions us-east-1 us-west-2 eu-west-1 ap-southeast-1 \
  --operation-preferences MaxConcurrentPercentage=100
Note: Replace <YOUR_ROOT_OU_ID> with your organization's root OU ID (format: r-abcd1234). Find this using:
aws organizations list-roots --query 'Roots[0].Id' --output text
Region Selection: Deploy to all regions where you have resources or where Security Hub is enabled. A common approach is to deploy to all enabled regions for comprehensive coverage.
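After the StackSet operation completes, it is worth verifying in each target region that an ACTIVE analyzer of type ACCOUNT actually exists, since an ORGANIZATION analyzer or a failed deployment will not satisfy the per-account IAM.28 check described above. The following is an added example, not code from the original guide; the region list and the sample ListAnalyzers output are constructed, and the live lookup assumes boto3 and credentials for the account being verified.

```python
"""Check that every target region has an ACTIVE account-level analyzer.

Mirrors what the Security Hub IAM.28 check looks for: an analyzer with
type ACCOUNT and status ACTIVE in the region. ORGANIZATION analyzers and
analyzers in CREATING/DISABLED/FAILED state do not count.
"""
from __future__ import annotations

# Regions the StackSet was deployed to (assumed list; adjust to yours).
TARGET_REGIONS = ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-1"]

# Constructed sample of ListAnalyzers output per region, for offline use.
# Only us-east-1 is compliant: us-west-2 has an org analyzer only,
# eu-west-1 has a failed deployment, ap-southeast-1 has nothing.
SAMPLE_LISTING = {
    "us-east-1": [{"name": "ExternalAccessAnalyzer-us-east-1", "type": "ACCOUNT", "status": "ACTIVE"}],
    "us-west-2": [{"name": "OrgAnalyzer", "type": "ORGANIZATION", "status": "ACTIVE"}],
    "eu-west-1": [{"name": "ExternalAccessAnalyzer-eu-west-1", "type": "ACCOUNT", "status": "FAILED"}],
}


def missing_account_analyzers(analyzers_by_region: dict[str, list[dict]],
                              regions: list[str]) -> list[str]:
    """Return the regions that lack an ACTIVE ACCOUNT-type analyzer.

    analyzers_by_region maps a region name to the 'analyzers' list returned
    by ListAnalyzers. A missing region key means no analyzer at all.
    """
    missing = []
    for region in regions:
        analyzers = analyzers_by_region.get(region, [])
        compliant = any(a.get("type") == "ACCOUNT" and a.get("status") == "ACTIVE"
                        for a in analyzers)
        if not compliant:
            missing.append(region)
    return missing


def fetch_analyzers(regions: list[str]) -> dict[str, list[dict]]:
    """Live lookup via boto3 (imported lazily so the check above runs offline)."""
    import boto3  # assumed installed when running against AWS

    result = {}
    for region in regions:
        paginator = boto3.client("accessanalyzer", region_name=region).get_paginator("list_analyzers")
        result[region] = [a for page in paginator.paginate() for a in page["analyzers"]]
    return result


if __name__ == "__main__":
    # Swap SAMPLE_LISTING for fetch_analyzers(TARGET_REGIONS) to check a real account.
    gaps = missing_account_analyzers(SAMPLE_LISTING, TARGET_REGIONS)
    print("IAM.28 gap in: " + ", ".join(gaps) if gaps else "All target regions compliant")
```

Run the script in each member account (or through the delegated administrator's cross-account role) rather than only in the management account, because the check is per account as well as per region.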
Findings Consolidation
Access Analyzer findings from account-level analyzers consolidate through Security Hub when organization integration is enabled:
- Enable Security Hub organization integration in the delegated administrator account
- Access Analyzer automatically sends findings to Security Hub in each account
- Security Hub aggregates findings from all member accounts to the delegated administrator
- Centralized visibility without needing organization-level analyzers
This provides both CIS compliance (per-account analyzers) and centralized visibility (Security Hub aggregation).
What Access Analyzer Monitors
External access analyzers continuously monitor the following resource types:
- Amazon S3 buckets and access points
- IAM roles (trust policies)
- AWS KMS keys
- AWS Lambda functions and layers
- Amazon SQS queues
- AWS Secrets Manager secrets
- Amazon SNS topics
- Amazon EBS volume snapshots
- Amazon RDS DB snapshots
- Amazon ECR repositories
- Amazon EFS file systems
- Amazon DynamoDB tables and streams
Limitations and Considerations
Regional Deployment:
- Access Analyzer is regional; deploy to each region requiring coverage
- StackSets handle multi-region deployment efficiently
Analyzer Naming:
- Each account can have one analyzer per type per region
- Template uses region suffix to ensure unique names
Findings Volume:
- Large organizations may generate many findings initially
- Use archive rules to automatically archive expected access patterns
Cost:
- External access analysis is free
- Unused access and internal access analysis incur charges
This implementation supports security best practices and satisfies CIS AWS Foundations Benchmark v3.0.0 IAM.28 control requirements.