IAM Access Analyzer enabled
Check ID: aws-iam-012
AWS-IAM-012 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. Checks if IAM Access Analyzer is enabled in all active regions. Access Analyzer identifies resources shared with external entities (S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues).
Why it matters
IAM Access Analyzer uses automated reasoning (Zelkova) to identify resource policies that grant access to external principals. Without it, you have no automated way to detect S3 buckets shared with unknown AWS accounts, IAM roles assumable by external entities, KMS keys accessible cross-account, or Lambda functions invokable from outside your organization. These external access paths are the exact configurations attackers look for during reconnaissance. Access Analyzer found publicly accessible resources in 35% of AWS accounts when first enabled, according to AWS re:Invent 2022 data. It also provides policy validation and policy generation based on CloudTrail activity, helping teams build least-privilege policies without guesswork.
Common causes
IAM Access Analyzer must be enabled per region and is not activated by default, so accounts created before the feature launched (December 2019) never had it enabled. Organizations using AWS Control Tower may have Access Analyzer only in governed regions, missing resources in opt-in regions. Teams assume that S3 Block Public Access and SCPs provide sufficient external access controls without realizing that Access Analyzer catches a broader class of cross-account sharing.
Detection
Run cloud-audit to detect this issue:
pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
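The same check, written as an added example rather than cloud-audit's own code: the evaluation logic is pure Python so it runs offline against constructed sample data, while collect_analyzers() (which assumes boto3 and valid AWS credentials) gathers real list_analyzers output from every enabled region.

```python
"""aws-iam-012 logic: every enabled region needs an ACTIVE external-access analyzer."""
from typing import Dict, List

# Only these analyzer types report external (cross-account/public) access;
# the *_UNUSED_ACCESS types look for unused permissions and do not count here.
EXTERNAL_ACCESS_TYPES = {"ACCOUNT", "ORGANIZATION"}


def region_has_active_analyzer(analyzers: List[dict]) -> bool:
    """A region passes only if some analyzer is ACTIVE (not DISABLED/FAILED/CREATING)."""
    return any(
        a.get("status") == "ACTIVE" and a.get("type") in EXTERNAL_ACCESS_TYPES
        for a in analyzers
    )


def regions_missing_analyzer(analyzers_by_region: Dict[str, List[dict]]) -> List[str]:
    """Sorted list of regions that fail the check."""
    return sorted(
        region for region, analyzers in analyzers_by_region.items()
        if not region_has_active_analyzer(analyzers)
    )


def collect_analyzers(session=None) -> Dict[str, List[dict]]:
    """Query every enabled region with boto3 (assumed dependency; needs credentials)."""
    import boto3  # imported lazily so the pure functions above work without it

    session = session or boto3.Session()
    # describe_regions() without AllRegions=True lists only opt-in-enabled regions,
    # which matches the "all active regions" scope of the check.
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    result = {}
    for region in regions:
        client = session.client("accessanalyzer", region_name=region)
        paginator = client.get_paginator("list_analyzers")
        result[region] = [a for page in paginator.paginate() for a in page["analyzers"]]
    return result


# Constructed sample standing in for list_analyzers output across four regions.
SAMPLE = {
    "us-east-1": [{"name": "account-analyzer", "type": "ACCOUNT", "status": "ACTIVE"}],
    "eu-west-1": [{"name": "old", "type": "ACCOUNT", "status": "DISABLED"}],
    "ap-south-1": [],
    "us-west-2": [{"name": "unused", "type": "ACCOUNT_UNUSED_ACCESS", "status": "ACTIVE"}],
}

if __name__ == "__main__":
    for region in regions_missing_analyzer(SAMPLE):  # three regions fail
        print(f"aws-iam-012 FAIL: no active IAM Access Analyzer in {region}")
```

Replace SAMPLE with collect_analyzers() to run it against a real account; a disabled analyzer or an unused-access-only analyzer still counts as a failing region.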
Remediation: AWS CLI
aws accessanalyzer create-analyzer --analyzer-name account-analyzer --type ACCOUNT --region REGION

Repeat the command for every enabled region; an analyzer only covers the region it is created in.

Remediation: Terraform

# Analyzers are regional: declare one resource per enabled region, using a
# provider alias for each region the account has opted into.
resource "aws_accessanalyzer_analyzer" "account" {
  analyzer_name = "account-analyzer"
  type          = "ACCOUNT"
}

Compliance mapping
This check maps to CIS 1.20 in the CIS AWS Foundations Benchmark. The CIS Benchmark provides prescriptive guidance for configuring security options for a subset of AWS services.
This check is part of cloud-audit - install with pip install cloud-audit
Related article
CIS AWS v3.0 in 60 Seconds: Automate Compliance with Terraform →