Intro to AWS IAM Access Analyzer
Ujjwal Pugalia, Senior Product Manager – AWS Automated Reasoning Group (ARG)
March 23rd, 2020
© 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What are we going to do today?
• Learn about AWS IAM Access Analyzer
• Who, when, and why use this feature
• How to get started
• Console Walkthrough – See it live in action!
• Learn how IAM Access Analyzer compares to other policy evaluation tools
• Sneak peek into our next big launch
• Q&A
IAM Access Analyzer
What is AWS IAM Access Analyzer?
• Monitoring and reporting tool
• Resource-centric policy evaluations
• Identifies supported AWS resources that allow public and cross-account access
• Generates findings
What AWS IAM Access Analyzer is not
• Doesn’t grant additional permissions
• Doesn’t evaluate principal-centric policies
• Doesn’t use log analysis or pattern-matching techniques
• Doesn’t auto-remediate findings
Who should use IAM Access Analyzer?
Who should use IAM Access Analyzer?
• Least privilege
• Security conscious
• Everyone!
When should I use IAM Access Analyzer?
Shared resources
• Amazon API Gateway
• Amazon S3 Glacier
• Amazon Simple Email Service
• AWS Cloud9
• Amazon Simple Queue Service
• Amazon CloudWatch
• AWS Key Management Service
• Amazon Simple Notification Service
• AWS Lambda
• Amazon Elastic Container Registry
• Amazon Elasticsearch Service
• AWS Secrets Manager
• AWS Identity and Access Management
• Amazon Simple Storage Service
What is shared outside an account?
[Diagram: the Project XYZ, Website, Project ABC and Audit accounts, with resources in Amazon Simple Storage Service, Amazon API Gateway, Amazon Simple Queue Service, AWS Key Management Service, Amazon CloudWatch, AWS Identity and Access Management and AWS Lambda]
Access across different accounts
[Diagram: the same accounts and resources, showing access crossing account boundaries]
Is the access intended?
[Diagram: the same accounts and resources, asking of each cross-account access whether it is intended]
Why should I use IAM Access Analyzer?
Why should I use IAM Access Analyzer?
• Analyze access continuously: identify resources with public or cross-account access in your AWS account
• The highest levels of security assurance: uses automated reasoning, a form of mathematical logic and inference, to determine all access paths
• Remediate broad access: resolve or archive findings based on your security requirements
Why should I use IAM Access Analyzer?
Available for FREE!!
How do I get started?
How to get started?
[Diagram: Account → Analyzer → Findings. The analyzer evaluates the resource-based policies on IAM roles, S3 buckets, Lambda functions, KMS keys and SQS queues; the findings tell administrators and security teams who has access to what]
Zone of trust
• The zone of trust defines the scope of the analysis
• Principals and resources within the zone of trust are considered trusted
• Access allowed to principals outside the zone of trust is reported as findings
Finding Types
• Active: review active findings to identify resources that are shared outside your zone of trust; archive or resolve the finding
• Archived: the resource is shared outside your zone of trust but you have deemed it intended; archive manually or use archive rules
• Resolved: the resource is no longer shared outside your zone of trust because you took an action that removed the access from the policy
Things to remember while creating an analyzer!
• IAM Access Analyzer is regional
• IAM Access Analyzer currently only allows an analyzer with the AWS account as the zone of trust
• IAM Access Analyzer currently allows only 1 analyzer per region in an account
How do I create analyzers in all my accounts?
• IAM Console
• Public APIs
• AWS CloudFormation
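Rolling the analyzer out through the public API, as an added example that is not code from this deck or from AWS: because analyzers are regional and an account gets only one per region, the loop below lists before it creates, so a second run is a no-op instead of a quota error. The analyzer name and account ID are assumptions; list_analyzers and create_analyzer are the boto3 accessanalyzer client calls, and the in-memory FakeAccessAnalyzerClient stands in for boto3.client("accessanalyzer", region_name=...) so the script runs offline.

```python
from typing import Any, Callable, Dict, Iterable, List

ANALYZER_NAME = "account-analyzer"   # hypothetical analyzer name
ACCOUNT_ID = "123456789012"          # hypothetical account ID


def ensure_analyzer(client: Any, name: str = ANALYZER_NAME) -> str:
    """Create an ACCOUNT analyzer in this client's region unless one already exists.

    Access Analyzer allows one analyzer per region per account, so a blind
    create_analyzer on a second run fails; list first and skip when present.
    Returns "exists" or "created" so callers can report per region.
    """
    existing = {a["name"] for a in client.list_analyzers(type="ACCOUNT")["analyzers"]}
    if name in existing:
        return "exists"
    client.create_analyzer(analyzerName=name, type="ACCOUNT")
    return "created"


def deploy_everywhere(regions: List[str], client_factory: Callable[[str], Any]) -> Dict[str, str]:
    """Analyzers are regional: one client and one ensure_analyzer call per region."""
    return {region: ensure_analyzer(client_factory(region)) for region in regions}


class FakeAccessAnalyzerClient:
    """In-memory stand-in for boto3.client("accessanalyzer") so the example runs offline.

    Only the two calls used above are mirrored. Like the real service, it refuses
    a second analyzer of the same type in one region.
    """

    def __init__(self, region: str, preexisting: Iterable[str] = ()):
        self.region = region
        self._analyzers = [{"name": n, "type": "ACCOUNT", "status": "ACTIVE"} for n in preexisting]

    def list_analyzers(self, type: str = "ACCOUNT") -> Dict[str, Any]:
        return {"analyzers": [a for a in self._analyzers if a["type"] == type]}

    def create_analyzer(self, analyzerName: str, type: str) -> Dict[str, str]:
        if any(a["type"] == type for a in self._analyzers):
            raise RuntimeError("ServiceQuotaExceededException: one analyzer per region")
        self._analyzers.append({"name": analyzerName, "type": type, "status": "ACTIVE"})
        return {"arn": f"arn:aws:access-analyzer:{self.region}:{ACCOUNT_ID}:analyzer/{analyzerName}"}


def demo() -> Dict[str, str]:
    """Constructed state: us-east-1 already has the analyzer, eu-west-1 does not."""
    clients = {
        "us-east-1": FakeAccessAnalyzerClient("us-east-1", preexisting=[ANALYZER_NAME]),
        "eu-west-1": FakeAccessAnalyzerClient("eu-west-1"),
    }
    return deploy_everywhere(list(clients), clients.__getitem__)


if __name__ == "__main__":
    print(demo())
    # Against a real account (needs credentials and boto3):
    #   import boto3
    #   regions = boto3.Session().get_available_regions("accessanalyzer")
    #   print(deploy_everywhere(regions, lambda r: boto3.client("accessanalyzer", region_name=r)))
```

The same shape works for CloudFormation StackSets (one AWS::AccessAnalyzer::Analyzer resource deployed to every region), which is the better fit when many accounts are involved; the script is the minimal API version.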
Where can I view my findings?
• IAM Console
• Public APIs
• Amazon CloudWatch Events
Integrations with other service consoles
• Amazon S3 Console: Access Analyzer for S3 highlights buckets with public and cross-account access and allows remediation on the same page
• AWS Security Hub: one finding for each resource with public or cross-account access, for alerting security teams
Integrations with AWS Partners
Console Walkthrough
IAM Console
• Create an analyzer with account as the zone of trust
• Review active findings and archive findings for intended access
• Review active findings and resolve findings for unintended access
S3 Console
• View S3 buckets in us-east-1 that allow access from outside the account
• View findings in IAM Access Analyzer associated to a specific bucket
• Understand how finding updates work between the IAM and S3 consoles
Not your traditional analyzer!
Comparison
IAM Access Analyzer:
• Automated reasoning
• Continuous analysis
• Comprehensive
Traditional tools:
• Log analysis/pattern-matching
• Targeted analysis
• Limited scope
Provable security!
https://aws.amazon.com/security/provable-security/
What’s under the hood and how we got here!
Zelkova
How Zelkova works
Zelkova: Asking the right questions
Is this policy what I intend?
Who has access to what?
IAM Access Analyzer
Twenty Questions
(lattice of queries, from the most general at the top to the most specific at the bottom)
• Does * have * access?
  • Does 111122223333 have * access?
  • Does vpc-abc have * access?
  • Does * have GetObject access?
    • Does 111122223333 with vpc-abc have * access?
    • Does 111122223333 have GetObject access?
    • Does vpc-abc have GetObject access?
      • Does 111122223333 with vpc-abc have GetObject access?
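The lattice above is the order in which Zelkova narrows down which principal, action and condition combinations a policy grants. As an added example that is not Access Analyzer or Zelkova code, the Python below walks a constructed S3 bucket policy and answers the cheap versions of the first questions directly: is the principal "*" (public), does the principal's account lie outside the zone of trust (cross-account), and which actions and conditions apply. It then applies an archive rule so the intended partner access lands in the Archived state and only the public statement stays Active. The account IDs, bucket name, VPC ID, the policy itself and the archive-rule filter shape (keys such as principal.AWS and condition.aws:SourceVpc with eq/neq/contains/exists) are assumptions; Deny statements, policy-wide condition semantics and the other policy types are deliberately not modelled, which is exactly the part automated reasoning handles and pattern matching does not.

```python
import json
from typing import Any, Dict, List, Optional

# Hypothetical IDs: the analyzed account is the zone of trust; 111122223333 is a partner.
ZONE_OF_TRUST = "123456789012"

# Constructed sample bucket policy (not from the deck): one public statement,
# one cross-account statement scoped to a VPC, one same-account statement.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerFromVpc", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-abc"}}},
        {"Sid": "InternalRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _account_of(principal: str) -> Optional[str]:
    """Account ID of an AWS principal; None for '*' (anyone), i.e. the public case."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    if principal.startswith("arn:"):
        return principal.split(":")[4]      # arn:partition:service:region:account:resource
    return None


def analyze(policy_json: str, zone_of_trust: str = ZONE_OF_TRUST) -> List[Dict[str, Any]]:
    """One finding per Allow-statement principal that lies outside the zone of trust.

    Answers the top of the lattice: "does * have access?" (isPublic) and
    "does account X have access, under which condition, for which actions?".
    Deny statements and non-AWS principals (services, federated) are skipped.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        # Flatten {"StringEquals": {"aws:SourceVpc": "vpc-abc"}} to {"aws:SourceVpc": "vpc-abc"}
        condition = {k: v for ops in stmt.get("Condition", {}).values() for k, v in ops.items()}
        for p in aws_principals:
            account = _account_of(p)
            if account == zone_of_trust:
                continue                    # trusted: no finding
            findings.append({
                "sid": stmt.get("Sid"),
                "resource": _as_list(stmt["Resource"])[0].split("/")[0],   # bucket ARN
                "resourceType": "AWS::S3::Bucket",
                "principal": {"AWS": p},
                "isPublic": account is None,
                "action": _as_list(stmt["Action"]),
                "condition": condition,
                "status": "ACTIVE",
            })
    return findings


# Archive rule in the assumed filter shape: the partner reaching the bucket from
# its VPC is intended, so archive that finding instead of leaving it active.
ARCHIVE_RULES = [
    {"principal.AWS": {"contains": ["111122223333"]},
     "condition.aws:SourceVpc": {"eq": ["vpc-abc"]}},
]


def _matches(finding: Dict[str, Any], rule: Dict[str, Dict[str, Any]]) -> bool:
    """Every key in the rule must match; a dotted key looks one level into the finding."""
    for key, ops in rule.items():
        top, _, sub = key.partition(".")
        value = finding.get(top)
        if sub and isinstance(value, dict):
            value = value.get(sub)
        text = "" if value is None else str(value).lower()
        if "exists" in ops and (value is not None) != ops["exists"]:
            return False
        if "eq" in ops and text not in [str(v).lower() for v in ops["eq"]]:
            return False
        if "neq" in ops and text in [str(v).lower() for v in ops["neq"]]:
            return False
        if "contains" in ops and not any(str(v).lower() in text for v in ops["contains"]):
            return False
    return True


def apply_archive_rules(findings: List[Dict[str, Any]], rules=ARCHIVE_RULES) -> List[Dict[str, Any]]:
    """Findings matched by any rule become ARCHIVED; everything else stays ACTIVE."""
    for f in findings:
        if any(_matches(f, r) for r in rules):
            f["status"] = "ARCHIVED"
    return findings


def active_findings(policy_json: str, zone_of_trust: str = ZONE_OF_TRUST, rules=ARCHIVE_RULES):
    """What a reviewer should actually look at: external access nobody has deemed intended."""
    return [f for f in apply_archive_rules(analyze(policy_json, zone_of_trust), rules)
            if f["status"] == "ACTIVE"]


if __name__ == "__main__":
    for f in apply_archive_rules(analyze(SAMPLE_BUCKET_POLICY)):
        who = "public" if f["isPublic"] else f["principal"]["AWS"]
        print(f'{f["status"]:8} {f["sid"]:15} {who} {f["action"]} {f["condition"]}')
```

Changing zone_of_trust to the partner's account flips which statements count as external, which is the whole point of the zone: a finding is relative to who you trust, not a property of the policy alone.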
Is this policy what I intend?
Is this policy finding what I intend?
What’s Next!
Coming Soon! Organization-level analyzers
[Diagram: Account / Organization → Analyzer → Findings. The analyzer evaluates the resource-based policies on IAM roles, S3 buckets, Lambda functions, KMS keys and SQS queues; the findings tell administrators and security teams who has access to what]
Coming Soon! Organization-level analyzers
• Create an analyzer with an organization as the zone of trust
• All resources across all member accounts in the organization are continuously monitored
• Principals and resources within the organization are considered trusted, while principals outside the organization are deemed external
• You can create multiple organization-level analyzers in the AWS Organizations master account (since renamed the management account) or a delegated member account within the organization
Coming Soon! Organization-level analyzers
Available for FREE!!
What is not included in the upcoming launch?
• Analyzer with an organizational unit (OU) as the zone of trust
• Cross-region aggregation of findings for the AWS organization. IAM Access Analyzer is regional.
Key Takeaways!
What you learned today
• You can start using IAM Access Analyzer for free with a few clicks through the console, API, or CloudFormation template
• IAM Access Analyzer uses automated reasoning to provide comprehensive findings for supported resources that allow access from outside the zone of trust
• You can create an analyzer with an account or (soon!) your entire organization as the zone of trust
Q&A!
Ujjwal Pugalia, Sr. Product Manager, AWS ARG
Dan Peebles, Sr. Software Engineer, AWS ARG
Thank you!
If you liked this talk and this feature, do spread the word!