Amazon Onboarding with Learning Manager Chanci Turner


Many organizations seek ways to manage compliance and gain deeper insights across their AWS multi-account environments from a centralized location. A common starting point in these discussions is AWS Control Tower, which provides an efficient method for establishing and overseeing a multi-account AWS setup. This AWS managed service automates the creation of a well-architected multi-account environment, streamlining new account provisioning and centralized compliance for your AWS Organization. With AWS Control Tower, users can easily create new AWS accounts that align with company-wide policies in just a few clicks.

The conversation often extends to other AWS services and features that improve visibility and security posture. One such feature is AWS Identity and Access Management (IAM) Access Analyzer. IAM Access Analyzer analyzes the resource-based policies in your accounts (for example S3 bucket policies, IAM role trust policies, KMS key policies and Lambda function policies) and reports every resource that a principal outside your zone of trust can reach, so security teams and administrators can verify that policies grant only the access they intended. Because the analysis is based on automated reasoning about the policy language rather than on sampling requests, AWS refers to its results as provable security, a higher level of assurance than manual policy review.

In this article, we guide you through the steps to bolster your organization’s security visibility by enabling and centralizing IAM Access Analyzer findings across your AWS Control Tower multi-account environment.

Overview of the Solution

Only the organization's master account (now called the management account) can decide who administers IAM Access Analyzer for the entire organization, but many customers prefer to run security tooling from a dedicated member account rather than from the master account itself. AWS Control Tower creates an Audit account for exactly this purpose: cross-account auditing and centralized security operations. We will make this audit account the IAM Access Analyzer delegated administrator. The process has two steps: first, from the master account, delegate administration to the audit account; second, in the audit account, create an analyzer with the entire organization as its zone of trust. Once active, findings for resources in any member account that are accessible from outside the organization are aggregated in the audit account, so critical exposures can be monitored from a single location.

Prerequisites

This solution assumes that AWS Control Tower has already been deployed and that you have access to the AWS Control Tower master account with administrative credentials. Before enabling IAM Access Analyzer, you will need the following information:

  • The account ID of your IAM Access Analyzer delegated administrator account. You can find this in the AWS Organizations console of your AWS Control Tower master account. The account ID is in a 12-digit numeric format.

Delegating IAM Access Analyzer Authority

Only the master account can add, remove, or change the delegated administrator for IAM Access Analyzer, and the account you delegate to must already be a member of the organization. From your AWS Control Tower master account, open the IAM console, choose Access Analyzer, then Settings, and add a delegated administrator by entering the 12-digit account ID of your audit account and saving the change. Delegation relies on trusted access for access-analyzer.amazonaws.com in AWS Organizations; the console enables this for you when you save, whereas with the CLI or an SDK you must enable trusted access before registering the delegated administrator.

Activating Access Analyzer in Your Audit Account

To activate Access Analyzer, you create an analyzer in the audit account. An analyzer with the organization as its zone of trust (type ORGANIZATION) can only be created in the master account or in the delegated administrator account, which is why the delegation step comes first. An analyzer is also a Regional resource: IAM Access Analyzer only assesses policies attached to resources in the same AWS Region where it is enabled, so an analyzer in us-east-1 will not report a publicly readable bucket in eu-west-1. To get coverage across all Regions, we will use an AWS CloudFormation StackSet to create an analyzer in every Region.

Begin by creating an AWS CloudFormation template with your preferred text editor:

AWSTemplateFormatVersion: 2010-09-09 
Description: Enables IAM Access Analyzer 
Resources: 
  Analyzer: 
    Type: 'AWS::AccessAnalyzer::Analyzer' 
    Properties: 
      AnalyzerName: !Sub 'AccessAnalyzer-${AWS::Region}-${AWS::AccountId}' 
      Type: ORGANIZATION

Next, from your AWS Control Tower master account, initiate the AWS CloudFormation StackSet:

  1. Go to AWS CloudFormation in the AWS Management Console.
  2. Select StackSets, then choose Create StackSet.
  3. Choose Template is ready, and upload the template file created earlier.
  4. On the Specify StackSet details page, give the StackSet a name, such as "IAMAccessAnalyzer."
  5. On the Configure StackSet options page, choose Self-service permissions, and confirm that the IAM admin role name is AWSControlTowerStackSetRole and the IAM execution role name is AWSControlTowerExecution. These are the roles AWS Control Tower already provisions in the master account and in every enrolled account, so no new cross-account role is needed.
  6. On the Set deployment options page, choose to deploy stacks in accounts and enter the 12-digit account ID of your audit account.
  7. Specify the Regions for stack deployment. We recommend every Region that is enabled for the audit account; a stack instance targeted at an opt-in Region the account has not enabled will fail.

You can monitor the progress and view the deployment status via the Operations tab of the StackSet. When the deployment is complete, proceed to the next step.
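The console procedure above can also be scripted, which is useful when you want the delegation and the per-Region analyzers to be created idempotently by a pipeline. The following is an added example written for this article in Python with boto3; it is not code from the original post or from AWS. The orchestration functions take the AWS clients as arguments so the logic can be exercised without credentials; the role session name and the command-line interface are assumptions, and the execution role is the AWSControlTowerExecution role named in the StackSet steps.

```python
"""Delegate IAM Access Analyzer and create ORGANIZATION analyzers in every Region.

Added example using boto3. The role session name and CLI usage are
assumptions; the orchestration functions accept clients as arguments so the
logic can be tested without AWS.
"""
import re

SERVICE_PRINCIPAL = "access-analyzer.amazonaws.com"
# Role that AWS Control Tower provisions in every enrolled account; the same
# execution role the StackSet in this article uses.
EXECUTION_ROLE = "AWSControlTowerExecution"


def validate_account_id(account_id: str) -> str:
    """AWS account IDs are exactly 12 digits; fail early on copy/paste mistakes."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return account_id


def analyzer_name(region: str, account_id: str) -> str:
    """Same naming scheme as the CloudFormation template's !Sub expression."""
    return f"AccessAnalyzer-{region}-{account_id}"


def ensure_delegated_admin(org, audit_account_id: str) -> bool:
    """Run with master (management) account credentials: enable trusted access,
    then register the audit account as delegated administrator. Returns True if
    a new delegated admin was registered, False if it was already registered."""
    validate_account_id(audit_account_id)
    org.enable_aws_service_access(ServicePrincipal=SERVICE_PRINCIPAL)
    current = org.list_delegated_administrators(ServicePrincipal=SERVICE_PRINCIPAL)
    if any(a["Id"] == audit_account_id for a in current["DelegatedAdministrators"]):
        return False
    org.register_delegated_administrator(
        AccountId=audit_account_id, ServicePrincipal=SERVICE_PRINCIPAL
    )
    return True


def ensure_org_analyzer(access_analyzer, region: str, audit_account_id: str) -> str:
    """In the delegated-admin account, for one Region: create an ORGANIZATION
    analyzer unless one already exists there. Returns the analyzer name in use.
    Only the management account or the delegated admin may create this type."""
    existing = access_analyzer.list_analyzers(type="ORGANIZATION")["analyzers"]
    if existing:
        return existing[0]["name"]
    name = analyzer_name(region, audit_account_id)
    access_analyzer.create_analyzer(analyzerName=name, type="ORGANIZATION")
    return name


def main(audit_account_id: str) -> None:
    import boto3  # imported here so the pure functions above work without it

    session = boto3.session.Session()
    ensure_delegated_admin(session.client("organizations"), audit_account_id)

    # Assume the Control Tower execution role in the audit account once, then
    # reuse the temporary credentials for a per-Region Access Analyzer client.
    creds = session.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{audit_account_id}:role/{EXECUTION_ROLE}",
        RoleSessionName="enable-access-analyzer",  # assumed session name
    )["Credentials"]
    # describe_regions returns only Regions enabled for the account, so we do
    # not fail on opt-in Regions that were never enabled.
    regions = [r["RegionName"] for r in session.client("ec2").describe_regions()["Regions"]]
    for region in regions:
        client = boto3.client(
            "accessanalyzer",
            region_name=region,
            aws_access_key_id=creds["AccessKeyId"],
            aws_secret_access_key=creds["SecretAccessKey"],
            aws_session_token=creds["SessionToken"],
        )
        print(region, ensure_org_analyzer(client, region, audit_account_id))


if __name__ == "__main__":
    import sys

    main(validate_account_id(sys.argv[1]))
```

Run it as `python enable_analyzer.py 123456789012` (your audit account ID) with credentials for the master account. Both `ensure_*` functions check before they create, so re-running the script is safe and reports the existing analyzer name instead of failing on a duplicate.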

Validation

Once the StackSet deployment is complete, log in to your audit account, open the IAM console, and choose Access Analyzer to review the findings. Because each analyzer is Regional, switch Regions to see the findings for that Region's analyzer. Each finding names the resource, the member account that owns it (resourceOwnerAccount), the external principal, the actions granted and any conditions on the grant; a finding with a principal of "*" (isPublic) means the resource is reachable by anyone. Findings for policies that only grant access to other accounts in your organization do not appear, because the organization is the zone of trust. If you have enabled AWS Security Hub, IAM Access Analyzer findings are also sent there automatically.
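With an ORGANIZATION analyzer, every finding is by definition about a principal outside your organization, so the first question in the audit account is usually which findings to route to which member account, and in what order. The following added example (written for this article, not code from the original post) triages a constructed sample of findings shaped like the `list_findings` output: it skips archived findings, ranks public access above cross-account access, treats an unconditioned cross-account grant as riskier than one narrowed by a condition such as sts:ExternalId, and groups the result by owning account. The account IDs, ARNs and finding IDs in the sample are made up.

```python
"""Triage IAM Access Analyzer external-access findings in the audit account.

Added example. SAMPLE_FINDINGS is a constructed sample with the shape of
list_findings output (id, principal, action, resource, resourceType, isPublic,
status, resourceOwnerAccount, condition); all IDs and ARNs are fictitious.
"""
from collections import defaultdict

# Constructed sample: what an ORGANIZATION analyzer in the audit account might
# aggregate from two member accounts.
SAMPLE_FINDINGS = [
    {"id": "f-1", "status": "ACTIVE", "isPublic": True,
     "principal": {"AWS": "*"}, "action": ["s3:GetObject"],
     "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::example-public-assets",
     "resourceOwnerAccount": "111111111111", "condition": {}},
    {"id": "f-2", "status": "ACTIVE", "isPublic": False,
     "principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "action": ["sts:AssumeRole"], "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::222222222222:role/VendorSupportRole",
     "resourceOwnerAccount": "222222222222",
     "condition": {"sts:ExternalId": "vendor-xyz"}},
    {"id": "f-3", "status": "ARCHIVED", "isPublic": True,
     "principal": {"AWS": "*"}, "action": ["s3:GetObject"],
     "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::example-website",
     "resourceOwnerAccount": "111111111111", "condition": {}},
    {"id": "f-4", "status": "ACTIVE", "isPublic": False,
     "principal": {"AWS": "arn:aws:iam::999999999999:root"},
     "action": ["kms:Decrypt"], "resourceType": "AWS::KMS::Key",
     "resource": "arn:aws:kms:us-east-1:222222222222:key/abcd",
     "resourceOwnerAccount": "222222222222", "condition": {}},
]

# Lower number = look at it first.
SEVERITY = {"public": 1, "external-unconditioned": 2, "external-conditioned": 3}


def classify(finding):
    """Return None for findings needing no action (ARCHIVED/RESOLVED), else a
    severity label. With an ORGANIZATION zone of trust every principal in an
    active finding is already known to be outside the organization."""
    if finding["status"] != "ACTIVE":
        return None
    if finding.get("isPublic") or finding["principal"].get("AWS") == "*":
        return "public"
    # A condition (for example sts:ExternalId) narrows who can actually use the
    # grant; an unconditioned cross-account grant is the riskier of the two.
    return "external-conditioned" if finding.get("condition") else "external-unconditioned"


def triage(findings):
    """Group actionable findings by the member account that owns the resource,
    most severe first, so the audit account can route them to that team."""
    by_account = defaultdict(list)
    for f in findings:
        label = classify(f)
        if label is None:
            continue
        by_account[f["resourceOwnerAccount"]].append(
            {"id": f["id"], "severity": label, "resource": f["resource"],
             "principal": f["principal"], "actions": f["action"]}
        )
    for items in by_account.values():
        items.sort(key=lambda i: SEVERITY[i["severity"]])
    return dict(by_account)


def actionable_ids(findings):
    """Flat list of finding IDs worth a ticket, most severe first."""
    rows = [(SEVERITY[classify(f)], f["id"]) for f in findings if classify(f)]
    return [fid for _, fid in sorted(rows)]


if __name__ == "__main__":
    for account, items in triage(SAMPLE_FINDINGS).items():
        print(account)
        for item in items:
            print(f"  [{item['severity']}] {item['id']} {item['resource']} <- {item['principal']}")
```

To run this against real data, replace SAMPLE_FINDINGS with the `findings` list returned by `list_findings` (paginated) for each Regional analyzer, remembering that each analyzer only reports its own Region. Archiving a finding is how you record that an exposure is intended (a public website bucket, for instance); the triage above deliberately ignores archived findings so that reviewed exposures do not resurface on every run.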

Cleanup

External access analyzers are a feature of your AWS account and incur no additional charge, so there is no cost reason to remove them. If you do want to disable Access Analyzer, delete the stack instances and then the StackSet by following the AWS CloudFormation User Guide; deleting the stack instances deletes the analyzers and their findings. Then remove the delegated administrator from the master account in the IAM console under Access Analyzer Settings.

Conclusion

In this article, we demonstrated how to enable IAM Access Analyzer across your AWS Control Tower organization. We outlined the steps to delegate administration of IAM Access Analyzer to the AWS Control Tower audit account and to create analyzers in all Regions with the organization as the zone of trust. Implementing IAM Access Analyzer at the organization level lets you quickly identify resources in any member account that can be accessed from outside the organization, improving your organization's security posture.
