Refining Unused Access with IAM Access Analyzer Recommendations


As the leader of a security team, your mission is to manage security efficiently across your organization while adhering to AWS Identity and Access Management (IAM) best practices, particularly the principle of least privilege. As your developers build on AWS, visibility into their access is crucial to make sure they operate with only the permissions they need. IAM Access Analyzer now provides tailored recommendations with actionable guidance that you can share with developers to refine unused access quickly.

In this article, we walk you through using IAM Access Analyzer recommendations to refine unused access. We focus on identifying unused permissions, generating recommendations, and the actions you can take on them. Specifically, we show you how to filter findings for unused permissions, generate recommendations, and remediate the findings. With IAM Access Analyzer, you can now hand developers step-by-step recommendations for removing redundant permissions.

Unused Access Recommendations

IAM Access Analyzer actively monitors your accounts to pinpoint unused access, consolidating its findings in a centralized dashboard. This dashboard aids in reviewing findings and prioritizing accounts based on the volume of issues detected. The findings indicate unused IAM roles, along with unused access keys and passwords associated with IAM users. For active IAM roles and users, the findings also provide insights into unused services and actions. More information about unused access analysis can be found in the IAM Access Analyzer documentation.

For IAM roles, access keys, and passwords identified as unused, IAM Access Analyzer offers convenient links within the console to facilitate their deletion. You can utilize these quick links to act on the recommendations or export the details to share with the AWS account owner. For roles and users with excessive permissions, IAM Access Analyzer provides policy recommendations with actionable steps to guide you in refining unused permissions. These recommended policies retain the resource and condition context from existing policies, allowing for an iterative update process.

Throughout this discussion, we will use an IAM role within an AWS account and configure permissions as follows:

  • Attaching the AWS managed policy AmazonBedrockReadOnly.
  • Attaching the AWS managed policy AmazonS3ReadOnlyAccess.
  • Embedding an inline policy with permissions outlined in the code snippet named InlinePolicyListLambda.

Content of inline policy InlinePolicyListLambda:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InlinePolicyLambda",
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions",
                "lambda:ListLayers",
                "lambda:ListAliases",
                "lambda:ListFunctionUrlConfigs"
            ],
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "1.100.150.200/32"
                }
            }
        }
    ]
}

We use an inline policy to show that IAM Access Analyzer’s unused access recommendations also cover inline policies; the recommendations apply equally to AWS managed policies and customer managed policies.

In your AWS account, once you have set up an unused access analyzer, you can select a recently utilized IAM role to check for findings and recommendations related to unused access permissions.

Prerequisites

Before starting, ensure you have created an unused access analyzer for your organization or account. Follow the instructions in the IAM Access Analyzer documentation to set up your unused access analyzer.

Generating Recommendations for Unused Permissions

This article explores three methods for generating recommendations based on IAM Access Analyzer’s findings regarding unused permissions: the console, AWS CLI, and AWS API.

Using the Console to Generate Recommendations

After establishing an unused access analyzer as mentioned in the prerequisites, wait a few minutes for the analysis results to appear. Then, use the AWS Management Console to view proposed recommendations for unused permissions.

To list findings related to unused permissions:

  1. Navigate to the IAM console and select Access Analyzer from the navigation pane.
  2. Choose Unused access.
  3. In the search box, filter for active findings of the type Unused permissions, as described in the following steps.
  4. Set the Status drop-down menu to Active.
  5. In the search box, select Findings type under Properties.
  6. Choose Equals as the operator.
  7. Set Findings type = Unused permissions.

This list will display the active findings for IAM resources with unused permissions.

Select a finding to delve deeper into the unused permissions allocated to a specific role or user.

Obtaining Recommendations for Unused Permissions

On the findings detail page, a list of unused permissions will be visible under Unused permissions. Below this, you will find a new section labeled Recommendations, which outlines two steps to remediate the finding:

  1. Review the existing permissions on the resource.
  2. Create new policies with the suggested refined permissions and detach the existing policies.

Recommendations are generated in the background while you use the console. A message reading “Analysis in progress” means that recommendations are still being formulated. The suggested policies exclude the unused actions.

When an IAM principal—such as an IAM role or user—has multiple permissions policies attached, an analysis of unused permissions will be conducted for each policy:

  • If no permissions have been used, the recommended action is to detach the existing permissions policy.
  • If some permissions have been used, only the utilized permissions will remain in the recommended policy, reinforcing the principle of least privilege.

The recommendations will be displayed for each existing policy in the Recommended policy column. For example, the existing policies might include:

  • AmazonBedrockReadOnly
  • AmazonS3ReadOnlyAccess
  • InlinePolicyListLambda

Correspondingly, the recommended policies would be:

  • None
  • AmazonS3ReadOnlyAccess-recommended
  • InlinePolicyListLambda-recommended

There is no recommended policy for AmazonBedrockReadOnly, as the action advised is to detach it. Hovering over None will reveal the message: “There are no recommended policies to create for the existing permissions policy.” You can preview AmazonS3ReadOnlyAccess and InlinePolicyListLambda along with their recommended policies by selecting Preview policy.

When you preview a recommended policy, you can see that IAM Access Analyzer has suggested two policies based on the unused actions.
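To make the refinement rule concrete, the following Python script is an added example (not code from this article or from AWS). It applies the same filter as the console steps above (Status = Active, Findings type = Unused permissions) to a constructed list of findings, then builds a recommended policy for each attached policy by removing the unused actions while keeping the Resource and Condition blocks, returning None where the advice is to detach the policy. The finding structure and its field names (`status`, `findingType`, `unusedActions`), the placeholder role ARN, and the small read-only stand-in policy are all constructed assumptions; they are not the Access Analyzer API response and not the real AmazonBedrockReadOnly document.

```python
"""Local illustration of how an unused-permission finding refines a policy (added example)."""
import copy
import json

# The inline policy from the article, attached to the example role.
INLINE_POLICY_LIST_LAMBDA = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InlinePolicyLambda",
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions",
                "lambda:ListLayers",
                "lambda:ListAliases",
                "lambda:ListFunctionUrlConfigs",
            ],
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": "1.100.150.200/32"}},
        }
    ],
}

# Constructed stand-in for a read-only policy the role never used. This is NOT the
# real AmazonBedrockReadOnly document, only a small placeholder for the detach case.
UNUSED_READONLY_STANDIN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["bedrock:ListFoundationModels", "bedrock:GetFoundationModel"], "Resource": "*"}
    ],
}

# Constructed findings. Field names are assumptions chosen to mirror the console
# filter (Status = Active, Findings type = Unused permissions); the role ARNs use a
# placeholder account id.
FINDINGS = [
    {
        "id": "finding-1",
        "status": "ACTIVE",
        "findingType": "UnusedPermission",
        "resource": "arn:aws:iam::111122223333:role/example-role",
        "unusedActions": [
            "lambda:ListLayers",
            "lambda:ListAliases",
            "lambda:ListFunctionUrlConfigs",
            "bedrock:ListFoundationModels",
            "bedrock:GetFoundationModel",
        ],
    },
    {"id": "finding-2", "status": "RESOLVED", "findingType": "UnusedPermission",
     "resource": "arn:aws:iam::111122223333:role/old-role", "unusedActions": ["s3:ListBucket"]},
    {"id": "finding-3", "status": "ACTIVE", "findingType": "UnusedIAMRole",
     "resource": "arn:aws:iam::111122223333:role/idle-role"},
]


def active_unused_permission_findings(findings):
    """Same filter as the console steps: Status = Active and Findings type = Unused permissions."""
    return [f for f in findings if f["status"] == "ACTIVE" and f["findingType"] == "UnusedPermission"]


def refine_policy(policy, unused_actions):
    """Return a recommended policy with the unused actions removed, or None when
    nothing in the policy was used (the recommendation is then to detach it).

    Resource and Condition blocks are copied unchanged so the refined policy keeps the
    scope of the original. Only exact action names are removed: a statement with a
    wildcard action (for example "s3:Get*") is kept as-is for human review, and Deny
    statements are never touched, since trimming them could widen access.
    """
    unused = {a.lower() for a in unused_actions}  # IAM action names are case-insensitive
    kept = []
    for stmt in policy.get("Statement", []):
        stmt = copy.deepcopy(stmt)  # never mutate the caller's policy document
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            kept.append(stmt)
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any("*" in a for a in actions):
            kept.append(stmt)
            continue
        remaining = [a for a in actions if a.lower() not in unused]
        if not remaining:
            continue  # every action in this statement was unused: drop the statement
        stmt["Action"] = remaining
        kept.append(stmt)
    if not kept:
        return None
    refined = {k: v for k, v in policy.items() if k != "Statement"}
    refined["Statement"] = kept
    return refined


def recommend(attached_policies, finding):
    """Map each attached policy name to its recommended replacement (None means detach)."""
    return {name: refine_policy(doc, finding["unusedActions"]) for name, doc in attached_policies.items()}


if __name__ == "__main__":
    attached = {"InlinePolicyListLambda": INLINE_POLICY_LIST_LAMBDA, "UnusedReadOnlyStandIn": UNUSED_READONLY_STANDIN}
    for finding in active_unused_permission_findings(FINDINGS):
        print(f"Finding {finding['id']} on {finding['resource']}")
        for name, rec in recommend(attached, finding).items():
            if rec is None:
                print(f"  {name}: detach (no permissions used)")
            else:
                print(f"  {name}-recommended:\n{json.dumps(rec, indent=2)}")
```

Running the script yields the same outcome the console shows for the example role: the inline policy shrinks to `lambda:ListFunctions` with its Sid, Resource and Condition intact, and the stand-in read-only policy gets no recommended policy because nothing in it was used. Statements with wildcard actions are deliberately left untouched, since a finding lists concrete action names and collapsing a wildcard is a judgement call for the policy owner; the service produces its recommendations server-side, and this local version only makes the rule visible.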
