IAM Access Analyzer not enabled

Ce produit n'est pas pris en charge par le site Datadog que vous avez sélectionné. ().
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

Id: 8d29754a-2a18-460d-a1ba-9509f8d359da

Cloud Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Best Practices

Learn More

Description

IAM Access Analyzer provides continuous monitoring of resource-based policies to detect unintended public or cross-account access. If an AWS::AccessAnalyzer::Analyzer is not defined, these permission issues can go undetected, increasing the risk of data exposure or privilege escalation.

The CloudFormation template must include an AWS::AccessAnalyzer::Analyzer resource. Templates missing this resource will be flagged. Set the Properties.Type to ACCOUNT to monitor a single account or ORGANIZATION to monitor an AWS Organization, and optionally provide an AnalyzerName for identification.

Secure configuration example:

MyAccessAnalyzer:
  Type: AWS::AccessAnalyzer::Analyzer
  Properties:
    AnalyzerName: my-access-analyzer
    Type: ACCOUNT

Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Analyzer:
    Type: "AWS::AccessAnalyzer::Analyzer"
    Properties:
      AnalyzerName: MyAccountAnalyzer
      Type: ACCOUNT
      Tags:
        - Key: Kind
          Value: Dev
      ArchiveRules:
        - # Archive findings for a trusted AWS account
          RuleName: ArchiveTrustedAccountAccess
          Filter:
            - Property: "principal.AWS"
              Eq:
                - "123456789012"
        - # Archive findings for known public S3 buckets
          RuleName: ArchivePublicS3BucketsAccess
          Filter:
            - Property: "resource"
              Contains:
                - "arn:aws:s3:::docs-bucket"
                - "arn:aws:s3:::clients-bucket"

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
      "Analyzer": {
        "Type": "AWS::AccessAnalyzer::Analyzer",
        "Properties": {
          "AnalyzerName": "MyAccountAnalyzer",
          "Type": "ACCOUNT",
          "Tags": [
            {
              "Key": "Kind",
              "Value": "Dev"
            }
          ],
          "ArchiveRules": [
            {
              "RuleName": "ArchiveTrustedAccountAccess",
              "Filter": [
                {
                  "Property": "principal.AWS",
                  "Eq": [
                    "123456789012"
                  ]
                }
              ]
            },
            {
              "RuleName": "ArchivePublicS3BucketsAccess",
              "Filter": [
                {
                  "Property": "resource",
                  "Contains": [
                    "arn:aws:s3:::docs-bucket",
                    "arn:aws:s3:::clients-bucket"
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  }

Non-Compliant Code Examples

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "A sample template 2",
    "Resources": {
      "myuseeer": {
        "Type": "AWS::IAM::Group",
        "Properties": {
          "Path": "/",
          "LoginProfile": {
            "Password": "myP@ssW0rd"
          }
        }
      }
    }
  }
  

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template 2
Resources:
  myuseeer:
    Type: AWS::IAM::Group
    Properties:
      Path: "/"
      LoginProfile:
        Password: myP@ssW0rd