Learn About Amazon VGT2 Learning Manager Chanci Turner
As a security team leader, your primary objective is to manage security across your organization while ensuring that your teams follow AWS Identity and Access Management (IAM) best practices, particularly the principle of least privilege. As your developers continue to build on AWS, it is vital to maintain visibility across the organization so you can confirm that teams operate with only the privileges they need. AWS IAM Access Analyzer now provides targeted recommendations with actionable steps you can pass on to your developers, enabling them to quickly remove unused access.
In this article, we demonstrate how to use IAM Access Analyzer recommendations to refine unused access. We focus on the recommendations for unused permissions findings: how to generate them and what to do with them. We show how to filter findings of type Unused permissions, generate recommendations for them, and act on the result. With IAM Access Analyzer, developers now have step-by-step recommendations that help them remove unused permissions quickly.
Unused Access Recommendations
IAM Access Analyzer continuously analyzes your accounts to identify any unused access and compiles findings into a centralized dashboard. This dashboard allows you to review findings and prioritize accounts based on the number of issues identified. The findings emphasize unused IAM roles, access keys, and passwords linked to IAM users. For active IAM roles and users, the findings highlight any unused services and actions. You can delve deeper into unused access analysis by visiting the IAM Access Analyzer documentation.
For unused IAM roles, access keys, and passwords, IAM Access Analyzer offers direct links in the console to facilitate their deletion. You can utilize these quick links to act on the recommendations or use the export option to share details with the AWS account owner. Additionally, for overly permissive IAM roles and users, IAM Access Analyzer presents policy recommendations with actionable steps to help you refine unused permissions. These suggested policies retain context regarding resources and conditions from existing policies, thus enabling you to update your policies progressively.
In this post, we use an IAM role in an AWS account and configure its permissions by:
- Attaching the AWS managed policy AmazonBedrockReadOnly.
- Attaching the AWS managed policy AmazonS3ReadOnlyAccess.
- Embedding an inline policy named InlinePolicyListLambda with the permissions shown in the following code.
Content of the inline policy InlinePolicyListLambda:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InlinePolicyLambda",
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions",
                "lambda:ListLayers",
                "lambda:ListAliases",
                "lambda:ListFunctionUrlConfigs"
            ],
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "1.100.150.200/32"
                }
            }
        }
    ]
}
We use this inline policy to show how IAM Access Analyzer's unused access recommendations apply to this scenario. The same recommendations are also generated for AWS managed policies and customer managed policies.
After setting up an unused access analyzer in your AWS account, you can select a recently used IAM role to check for unused access permissions findings and recommendations.
Prerequisites
Before you begin, you must create an unused access analyzer for your organization or account. Follow the instructions outlined in IAM Access Analyzer simplifies inspection of unused access in your organization to establish an unused access analyzer.
Generating Recommendations for Unused Permissions
In this section, we explore three methods for generating recommendations for unused permissions findings in IAM Access Analyzer: through the console, AWS CLI, and AWS API.
Generating Recommendations via the Console
Once you have established an unused access analyzer as described in the prerequisites, allow a few minutes to view the analysis results. Then, utilize the AWS Management Console to access the proposed recommendations for unused permissions.
To list findings related to unused permissions:
- Navigate to the IAM console and select Access Analyzer, then choose Unused Access from the navigation pane.
- In the search box, filter for active findings of the type Unused Permissions.
- Set the Status drop-down list to Active.
- In the search box, select Findings type under Properties.
- Choose Equals as Operators.
- Set Findings Type = Unused permissions.
This process will yield a list of active findings for IAM resources with unused permissions.
To retrieve recommendations for unused permissions:
On the findings detail page, you will see a list of the unused permissions categorized under Unused Permissions. Below that, a new section titled Recommendations will provide two steps to address the finding:
- Review the existing permissions on the resource.
- Create new policies with the suggested refined permissions and detach the existing policies.
Recommendations are generated on demand, in the background, while you use the console. A message reading "Analysis in progress" indicates that recommendations are being created. The proposed policies omit every action that was not used.
When an IAM principal, such as an IAM role or user, has multiple permission policies attached, an analysis of unused permissions is performed for each of these policies:
- If no permissions have been used, the recommended action is to detach the existing permissions policy.
- If some permissions have been utilized, only the used permissions will be retained in the recommended policy, thereby supporting the principle of least privilege.
These recommendations are displayed for each existing policy in the column labeled Recommended Policy. In this case, the existing policies include:
- AmazonBedrockReadOnly
- AmazonS3ReadOnlyAccess
- InlinePolicyListLambda
The corresponding recommended policies are:
- None
- AmazonS3ReadOnlyAccess-recommended
- InlinePolicyListLambda-recommended
There is no recommended policy for AmazonBedrockReadOnly, as the suggested action is to detach it. When hovering over None, the message will appear: “There are no recommended policies to create for the existing permissions policy.” Users can preview the recommended policies for AmazonS3ReadOnlyAccess and InlinePolicyListLambda by selecting Preview Policy.
To preview a recommended policy:
IAM Access Analyzer has put forward two suggested policies based on the identified unused actions. To view each recommended policy, select Preview Policy for that policy to compare the existing policy with the recommended one.
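To make the per-policy rule concrete, here is an added Python example (not code from the post or from IAM Access Analyzer) that applies it to the post's InlinePolicyListLambda policy and to a constructed policy none of whose actions were used. The set of used actions is an assumption; the real service derives it from last-accessed data and also handles wildcard actions, which this example does not.

```python
from typing import Optional

# The post's inline policy InlinePolicyListLambda, used here as sample input.
INLINE_POLICY_LIST_LAMBDA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "InlinePolicyLambda",
        "Effect": "Allow",
        "Action": ["lambda:ListFunctions", "lambda:ListLayers",
                   "lambda:ListAliases", "lambda:ListFunctionUrlConfigs"],
        "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": "1.100.150.200/32"}},
    }],
}
# Constructed stand-in for a read-only policy none of whose actions were used.
UNUSED_READONLY_DEMO = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["bedrock:ListFoundationModels"],
                   "Resource": "*"}],
}
# Constructed (assumed): the actions that last-accessed data reports the role used.
USED_ACTIONS = {"lambda:ListFunctions", "lambda:ListLayers"}

def refine_policy(policy: dict, used_actions: set) -> Optional[dict]:
    """Keep only used actions; return None when nothing was used (detach it).

    Assumes action names are listed explicitly (no wildcards) and Effect is
    Allow. Sid, Resource and Condition are carried over unchanged, which is the
    behaviour the post describes for the recommended policies.
    """
    kept = []
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # a single action may be a bare string
            actions = [actions]
        retained = [a for a in actions if a in used_actions]
        if not retained:  # every action in this statement was unused: drop it
            continue
        new_stmt = dict(stmt)  # shallow copy keeps Resource and Condition
        new_stmt["Action"] = retained
        kept.append(new_stmt)
    return {"Version": policy["Version"], "Statement": kept} if kept else None

def recommend(policies: dict, used_actions: set) -> dict:
    """Map each attached policy name to a recommended policy name, or None
    when the recommendation is to detach it (the post's Recommended Policy column)."""
    return {name: (f"{name}-recommended" if refine_policy(pol, used_actions) else None)
            for name, pol in policies.items()}
```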