For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-iam-access-analyzer-not-enabled.md. A documentation index is available at /llms.txt.

IAM Access Analyzer not enabled

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-iam-access-analyzer-not-enabled

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Best Practices

Learn More

Description

IAM Access Analyzer provides continuous monitoring of resource-based policies to detect unintended public or cross-account access. If an AWS::AccessAnalyzer::Analyzer is not defined, these permission issues can go undetected, increasing the risk of data exposure or privilege escalation.

The CloudFormation template must include an AWS::AccessAnalyzer::Analyzer resource. Templates missing this resource will be flagged. Set the Properties.Type to ACCOUNT to monitor a single account or ORGANIZATION to monitor an AWS Organization, and optionally provide an AnalyzerName for identification.

Secure configuration example:

MyAccessAnalyzer:
  Type: AWS::AccessAnalyzer::Analyzer
  Properties:
    AnalyzerName: my-access-analyzer
    Type: ACCOUNT

Compliant Code Examples

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Analyzer:
    Type: "AWS::AccessAnalyzer::Analyzer"
    Properties:
      AnalyzerName: MyAccountAnalyzer
      Type: ACCOUNT
      Tags:
        - Key: Kind
          Value: Dev
      ArchiveRules:
        - # Archive findings for a trusted AWS account
          RuleName: ArchiveTrustedAccountAccess
          Filter:
            - Property: "principal.AWS"
              Eq:
                - "123456789012"
        - # Archive findings for known public S3 buckets
          RuleName: ArchivePublicS3BucketsAccess
          Filter:
            - Property: "resource"
              Contains:
                - "arn:aws:s3:::docs-bucket"
                - "arn:aws:s3:::clients-bucket"

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
      "Analyzer": {
        "Type": "AWS::AccessAnalyzer::Analyzer",
        "Properties": {
          "AnalyzerName": "MyAccountAnalyzer",
          "Type": "ACCOUNT",
          "Tags": [
            {
              "Key": "Kind",
              "Value": "Dev"
            }
          ],
          "ArchiveRules": [
            {
              "RuleName": "ArchiveTrustedAccountAccess",
              "Filter": [
                {
                  "Property": "principal.AWS",
                  "Eq": [
                    "123456789012"
                  ]
                }
              ]
            },
            {
              "RuleName": "ArchivePublicS3BucketsAccess",
              "Filter": [
                {
                  "Property": "resource",
                  "Contains": [
                    "arn:aws:s3:::docs-bucket",
                    "arn:aws:s3:::clients-bucket"
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  }

Non-Compliant Code Examples

AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template 2
Resources:
  myuseeer:
    Type: AWS::IAM::Group
    Properties:
      Path: "/"
      LoginProfile:
        Password: myP@ssW0rd

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "A sample template 2",
    "Resources": {
      "myuseeer": {
        "Type": "AWS::IAM::Group",
        "Properties": {
          "Path": "/",
          "LoginProfile": {
            "Password": "myP@ssW0rd"
          }
        }
      }
    }
  }