Some things to check:
- CloudTrail is per region, so you would have to make sure you are checking the correct region.
- The likes of S3 will not appear in CloudTrail unless you have data events set up, though they still may not appear in AA.
- Invoking a Lambda function isn't captured in CloudTrail either, as per https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html
Hey @rePost-User-9084476
Give a peek to IAM Access Analyzer https://aws.amazon.com/iam/features/analyze-access/
Set fine-grained permissions <------
Policy generation with IAM Access Analyzer generates a fine-grained policy based on the access activity captured in your logs. This means that after you build and run an application, you can generate policies that grant only the required permissions to operate the application.
Policy validation with IAM Access Analyzer guides you to author and validate secure and functional policies with more than 100 policy checks. You can use these checks while creating new policies or to validate existing policies.
Verify intended permissions
Public and cross-account findings with IAM Access Analyzer guide you to verify that existing access meets your intent. IAM Access Analyzer uses provable security to analyze all access paths and provide comprehensive analysis of external access to your resources. When you turn on IAM Access Analyzer, it continuously monitors for new or updated resource permissions to help you identify permissions that grant public and cross-account access. For example, if an Amazon S3 bucket policy were to change, IAM Access Analyzer would alert you that the bucket is accessible by users from outside the account.
Using this same analysis, IAM Access Analyzer makes it easier to review and validate public and cross-account access before deploying permissions changes.
Refine permissions by removing unused access <-----
Last-accessed information provides data about when AWS services were last used, which helps you identify opportunities to tighten your permissions. With this information, you can compare the permissions that have been granted with when those permissions were last accessed to remove unused access and further refine your permissions.
You also can use last-used timestamps for your IAM roles and access keys to remove IAM entities that are no longer required.
========
In closing I would say Access Advisor is good, IAM Access Analyzer is way better!
Let me know if you have any issues with this, or if it helps you then please accept my answer after you've tried it out - it would be much appreciated! Good luck :)
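Added example (not from either answer above, and not AWS tooling): a small offline script that does by hand what IAM Access Analyzer's policy generation and last-accessed data do for you. It reads constructed CloudTrail records, groups observed actions per region (CloudTrail being regional), and reports which actions in a constructed IAM policy were never seen for the principal. The principal ARN, records and policy are all made up for the example.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records, trimmed to the fields used here.
# s3:GetObject only shows up because data events were enabled on the trail.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "ListRoles", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-role"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-role"}},
    {"eventSource": "sqs.amazonaws.com", "eventName": "SendMessage", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/other-role"}},
]

# Constructed identity policy attached to app-role.
APP_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["iam:ListRoles", "s3:GetObject",
                              "sqs:SendMessage", "dynamodb:PutItem"]}],
}


def observed_actions(records, principal_arn):
    """Map awsRegion -> set of 'service:Action' strings the principal called.

    Keeping the region key makes it obvious when a trail from one region has
    been checked while the activity happened in another.
    """
    by_region = defaultdict(set)
    for rec in records:
        if rec.get("userIdentity", {}).get("arn") != principal_arn:
            continue
        service = rec["eventSource"].split(".")[0]  # "s3.amazonaws.com" -> "s3"
        by_region[rec["awsRegion"]].add(f"{service}:{rec['eventName']}")
    return dict(by_region)


def unused_actions(policy, records, principal_arn):
    """Allowed actions with no CloudTrail activity for the principal, all regions merged.

    Caveat: actions that CloudTrail does not record by default (the thread names
    Lambda Invoke and S3 data-plane calls without data events) will be reported
    as unused even if they are exercised. Wildcard actions are returned as written.
    """
    used = set().union(*observed_actions(records, principal_arn).values())
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        allowed.update([actions] if isinstance(actions, str) else actions)
    return sorted(allowed - used)


if __name__ == "__main__":
    arn = "arn:aws:iam::123456789012:role/app-role"
    print(json.dumps({k: sorted(v) for k, v in observed_actions(SAMPLE_RECORDS, arn).items()}))
    print(unused_actions(APP_ROLE_POLICY, SAMPLE_RECORDS, arn))
```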