AWS IAM Analyzer
Analyzer: AWS IAM
Purpose
The AWS IAM analyzer provides detailed insights into Identity and Access Management (IAM) within your AWS environment. IT Ops and Sec Ops engineers can leverage this analyzer to understand user, group, and role access across systems. From a security perspective, it helps identify potential risks such as excessive privileges, unused roles, and cross-account access. It ensures compliance by monitoring and enforcing access policies, aligning with regulatory standards. Operationally, this analyzer aids in optimizing resource access configurations and managing user lifecycles effectively. The value lies in improving visibility, reducing risks, and streamlining the management of IAM policies and entities.

List of Sightlines and Widgets
IAM Roles
Significance: The IAM Roles sightline provides insights into role usage and configurations. For Sec Ops engineers, it helps identify roles with excessive permissions or those linked to administrative access, enabling proactive risk mitigation. IT Ops engineers benefit by ensuring that role configurations align with best practices and operational needs.
IAM Users
Significance: The IAM Users sightline offers visibility into the users within the AWS environment, helping Sec Ops engineers identify users with excessive privileges, admin access, or unused accounts. IT Ops engineers benefit by efficiently managing user permissions, ensuring that only authorized individuals have access to sensitive systems and resources.
OKTA Users
Significance: The OKTA Users sightline is designed to provide a comprehensive view of the users within your Okta environment. This sightline focuses on various aspects such as user statistics, group membership, and administrative access. For Sec Ops teams, this sightline is invaluable for monitoring and identifying potential security risks like unauthorized access or users with excessive privileges. It allows engineers to easily pinpoint outliers or unusual activity patterns that may indicate a breach or misconfiguration. From an IT Ops perspective, this sightline enables efficient management of user roles and permissions, ensuring that only authorized individuals have access to sensitive systems. Additionally, it helps identify and eliminate orphaned or inactive accounts, reducing the risk of compromised credentials.
IAM Identity Center
Significance: The IAM Identity Center sightline focuses on the management of IAM instances, users, and groups within a centralized authentication service. It enables IT Ops engineers to monitor user and group assignments while Sec Ops engineers ensure secure, region-based access management.
IAM Groups
Significance: The IAM Groups sightline monitors group configurations and their associated policies. Sec Ops engineers can identify groups with overly permissive admin access or misconfigured group names, improving security posture. IT Ops engineers benefit from efficiently managing groups and ensuring they align with organizational access requirements.
IAM Policies
Significance: The IAM Policies sightline tracks the usage and distribution of policies within the AWS environment. Sec Ops engineers can quickly identify policies with excessive permissions, particularly those granting admin access, while IT Ops engineers ensure policies are aligned with organizational needs and security best practices.
IAM Inline Policies
Significance: The IAM Inline Policies sightline focuses on monitoring inline policies attached to roles, users, or groups. Sec Ops engineers can ensure that inline policies adhere to the principle of least privilege, while IT Ops engineers can verify the efficiency and appropriateness of inline policy use across the environment.
IAM Password Policies
Significance: The IAM Password Policies sightline helps Sec Ops engineers ensure that password configurations comply with security best practices, such as the AWS CIS Foundations Benchmark standard. It also aids in auditing password policies for potential weaknesses or non-compliance.
IAM Access Keys
Significance: The IAM Access Keys sightline provides visibility into the status and usage of IAM access keys. Sec Ops engineers can track unrotated or unused access keys, while IT Ops engineers can monitor key age and usage trends to ensure efficient key management and minimize security risks.
IAM Policies for Storage
Significance: The IAM Policies for Storage sightline monitors policies attached to AWS storage services such as S3, DynamoDB, and RDS. Sec Ops engineers can identify policies granting excessive privileges on sensitive storage resources, while IT Ops engineers can ensure appropriate access configurations for storage-related services.
IAM Policies for Streaming
Significance: The IAM Policies for Streaming sightline focuses on policies attached to streaming services such as SNS, Kinesis, and SQS. Sec Ops engineers can ensure that streaming resources have the proper access controls, reducing the risk of overexposure. IT Ops engineers benefit from monitoring the policy configurations specific to streaming services.
IAM Policies for Compute
Significance: The IAM Policies for Compute sightline monitors policies attached to compute services such as Lambda, ECS, EC2, ELB, and ECR. Sec Ops engineers ensure that compute resources are securely configured, minimizing the risk of unauthorized access to computing power. IT Ops engineers benefit from monitoring the policies assigned to compute resources for operational efficiency.
IAM Policies for CloudWatch
Significance: The IAM Policies for CloudWatch sightline focuses on policies related to monitoring and logging resources such as CloudWatch and CloudWatch Logs. Sec Ops engineers can ensure that monitoring services are properly secured and that only authorized users have access to log data. IT Ops engineers benefit by ensuring that CloudWatch-related policies align with operational monitoring requirements.
IAM Users Password Policies
Significance: The IAM Users Password Policies sightline monitors the status of user passwords within the AWS environment. Sec Ops engineers use this to ensure that password policies are being followed, reducing the risk of weak passwords. IT Ops engineers benefit by quickly identifying users with non-compliant passwords and taking corrective action.
IAM Users Access Patterns
Significance: The IAM Users Access Patterns sightline provides visibility into user login and activity patterns. Sec Ops engineers can quickly identify suspicious activity, such as users who haven't logged in for an extended period, or users accessing accounts from unauthorized locations. IT Ops engineers can use these insights to ensure efficient user management and enforce security policies.
IAM Users Access Keys
Significance: The IAM Users Access Keys sightline provides visibility into the status and usage of access keys attached to IAM users. Sec Ops engineers can track inactive or unused keys, while IT Ops engineers can ensure key rotation practices are followed to minimize risks from compromised keys.
IAM Access to KMS
Significance: The IAM Access to KMS sightline tracks KMS access permissions across users, groups, and roles. Sec Ops engineers monitor for excessive permissions, especially for users with direct or group-based KMS access. IT Ops engineers benefit by ensuring proper encryption practices are in place for sensitive resources.
IAM Service-Linked Roles
Significance: The IAM Service-Linked Roles sightline monitors service-linked roles to ensure that only necessary permissions are granted. Sec Ops engineers can ensure that these roles do not expose the system to security risks. IT Ops engineers can use these insights for efficient role management.
IAM Across Systems
Significance: The IAM Across Systems sightline tracks user permissions across various AWS services. Sec Ops engineers monitor and analyze the spread of user permissions, while IT Ops engineers ensure that access to services is well-managed across the organization.
IAM Policy Impact Analysis
Significance: The IAM Policy Impact Analysis sightline identifies which IAM policies are attached to resources and those that are not. Sec Ops engineers use this to identify orphaned policies or those attached to unnecessary resources. IT Ops engineers benefit from ensuring efficient resource management and compliance.
IAM Access to CloudTrail
Significance: The IAM Access to CloudTrail sightline helps monitor who has access to CloudTrail logs. Sec Ops engineers ensure that logging and monitoring data are protected, while IT Ops engineers can use these insights to optimize logging configurations.
IAM Managed Policies
Significance: The IAM Managed Policies sightline tracks managed policies within the AWS environment, ensuring that they adhere to the principle of least privilege. Sec Ops engineers identify excessive permissions or policies with broad access, while IT Ops engineers benefit from managing and enforcing policy usage best practices.
User Impact Analysis
Significance: The User Impact Analysis sightline provides a comprehensive view of user impact across the AWS environment. It helps Sec Ops engineers identify potential security risks by monitoring users with excessive permissions or unusual access patterns. IT Ops engineers benefit from understanding user behavior and resource utilization, enabling more effective user management and resource allocation.
List of Alerts
Unauthorized Access Attempts: This alert flags any suspicious login attempts, such as failed login spikes or login attempts from unusual locations or IP addresses. For Sec Ops teams, this alert is critical for quickly identifying and mitigating potential security threats, such as brute force attacks or credential stuffing attempts. By alerting on unauthorized access attempts in real time, teams can take immediate action to prevent unauthorized access to critical systems.
Inactive Users Detected: This alert identifies accounts that have been inactive for a set period, highlighting potential security risks posed by dormant accounts. Inactive accounts are often targets for attackers, as they may not be monitored as closely as active accounts. By flagging inactive users, IT Ops and Sec Ops can take proactive steps to either re-enable or deactivate these accounts, improving the security posture of the organization.
Users Without MFA: This alert highlights users who do not have multi-factor authentication enabled, which could expose the organization to significant security vulnerabilities. Sec Ops teams rely on this alert to enforce MFA policies and ensure that all users, especially those with access to sensitive resources, are using stronger authentication mechanisms.
Deprovisioned Users Activity: This alert monitors any activity or access attempts by users who have been deprovisioned, ensuring that accounts that should no longer have access are not used maliciously. For Sec Ops teams, this alert helps prevent unauthorized access by ensuring that deprovisioned accounts are fully removed from the system and cannot be used to gain entry.
Admin Role Misuse: This alert triggers if there is any unusual activity related to users with administrative privileges, such as unexpected access to sensitive systems or configurations. Admin accounts are high-value targets for attackers, and this alert helps Sec Ops teams quickly identify potential misuse or security breaches involving privileged accounts, ensuring that sensitive data and resources remain secure.
Unused IAM Roles: This alert identifies IAM roles that are not being actively used. Unused roles present potential security risks as they may remain assigned to users or applications, providing access without the need for oversight. This alert enables Sec Ops and IT Ops teams to clean up unused roles, improving access control hygiene.
IAM Roles with Wildcard Access: This alert flags any IAM roles that grant wildcard access (e.g., "Action": "*"), which may provide overly permissive access to AWS resources. For Sec Ops teams, this alert is crucial for identifying excessive privileges and ensuring that roles are adhering to the principle of least privilege.
IAM Roles with Cross-Account Access: This alert flags roles with cross-account permissions, which could present a security risk if not properly managed. It allows Sec Ops teams to monitor roles that could be used to escalate privileges or gain unauthorized access across different AWS accounts.
Expired IAM Passwords: This alert monitors IAM users with expired passwords, which can pose a security risk if the credentials are not promptly updated. Sec Ops teams can use this alert to enforce password hygiene policies and ensure that users are compliant with password expiration requirements.
Unrotated IAM Access Keys: This alert identifies IAM access keys that have not been rotated in a specified time frame. Unrotated keys are a security risk because they could be exposed or compromised. Sec Ops teams can leverage this alert to enforce key rotation policies and minimize the risk of long-lived access keys being misused.
IAM Users with Weak Passwords: This alert flags IAM users whose passwords do not meet established security standards, such as length or complexity requirements. It is crucial for Sec Ops teams to proactively address weak passwords and ensure that users are adhering to password security policies.
Service Account with Admin Access: This alert identifies service accounts with admin privileges, which may have excessive permissions compared to their actual needs. For Sec Ops teams, this alert is critical to reduce the risk of service accounts being exploited to perform unauthorized actions or escalate privileges.
Users without Groups: This alert highlights users who are not assigned to any groups, potentially indicating a misconfiguration or overlooked access policy. IT Ops teams can use this alert to ensure that users are properly grouped and assigned relevant permissions for their role.
Users with Admin Access: This alert flags users who have direct admin access, which can be a potential security risk if not properly managed. Sec Ops teams can use this alert to ensure that only authorized individuals have admin privileges and that the principle of least privilege is followed.
Users with Unused Access Keys: This alert identifies IAM users who have access keys that have not been used within a specified time period. Sec Ops teams can take proactive measures to revoke these unused keys, reducing the attack surface.
Users with Elevated Privileges via IAM Policies: This alert identifies users with elevated privileges via policies, which may include overly permissive access to critical AWS resources. Sec Ops teams can ensure that these users follow the least privilege principle and that unnecessary privileges are revoked.
IAM Policies that Allow Wildcard Resource Access: This alert flags IAM policies that allow wildcard access to resources (e.g., "Resource": "*"). Sec Ops teams need to address these policies to prevent excessive access and ensure tighter resource control.
IAM Policies Attached to Critical Resources: This alert monitors IAM policies that are attached to critical resources (e.g., EC2, S3) and grant admin access. It helps Sec Ops teams identify potential over-permissioned policies and ensure that the least privilege model is enforced.
IAM Users with Inline Policies: This alert identifies IAM users who have inline policies attached to their accounts. Sec Ops teams can review these policies to ensure they do not provide excessive permissions and to maintain compliance with security best practices.
IAM Policies for High-Risk Resources: This alert identifies IAM policies that provide admin-level access to high-risk resources like S3, EC2, and Lambda. Sec Ops teams can use this alert to ensure these policies are carefully reviewed and tightened, preventing unauthorized access.
IAM Policies Allowing Cross-Service Role Assumption: This alert flags policies that allow IAM roles to assume roles across multiple AWS services. It allows Sec Ops teams to track and limit cross-service role assumption, ensuring that only necessary permissions are granted.
IAM Policies Violating Least Privilege Principle: This alert identifies IAM policies that violate the least privilege principle by granting unnecessary access to users, groups, or roles. Sec Ops teams can take action to ensure these policies are refined to grant only the necessary permissions.
IAM Roles with Full Access to Sensitive Services: This alert identifies roles that grant full access to sensitive services like KMS, CloudTrail, or IAM. Sec Ops teams can use this alert to mitigate security risks by ensuring only trusted roles have access to these critical services.
IAM Access to KMS: This alert monitors IAM roles, users, and groups that have direct or indirect access to AWS KMS. Sec Ops teams need this alert to ensure that only authorized entities have access to cryptographic keys used for encryption.
IAM Users with CloudTrail Access: This alert identifies IAM users and groups that have access to AWS CloudTrail logs, which contain sensitive operational data. Sec Ops teams can ensure that only authorized users can access CloudTrail for auditing purposes.
IAM Users Accessing Unused Resources: This alert identifies IAM users accessing unused or underutilized resources, which could indicate misconfigurations or potential security risks. IT Ops teams can use this alert to optimize resource usage and reduce the attack surface.
IAM Roles with Broad Permissions: This alert identifies IAM roles that grant broad permissions (e.g., full access to all EC2 instances). Sec Ops teams can take proactive steps to limit these permissions and ensure roles adhere to the least privilege model.
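The following Python is an added illustration of the checks behind the "IAM Roles with Wildcard Access", "IAM Policies that Allow Wildcard Resource Access", "IAM Roles with Broad Permissions" and "IAM Roles with Cross-Account Access" alerts; it is not the analyzer's own detection logic. The policy documents, statement Sids and account ids are constructed for the example, and the checks run on a parsed policy JSON rather than against a live account.

```python
import json

# Constructed sample policies for this demonstration; account ids are placeholders.
OWN_ACCOUNT = "111111111111"
ROLE_POLICY = json.loads("""{"Statement": [
  {"Sid": "ReadBucket", "Effect": "Allow", "Action": ["s3:GetObject"],
   "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
  {"Sid": "AllOfEc2", "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"},
  {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"}]}""")
TRUST_POLICY = json.loads("""{"Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": "arn:aws:iam::111111111111:role/deployer"}},
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "333333333333"]}}]}""")

def _as_list(value):
    """Most IAM fields accept a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_wildcards(policy):
    """(Sid, kind) for each Allow statement using "Action": "*", a service-wide
    action such as "ec2:*", or "Resource": "*"."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = st.get("Sid", f"Statement[{i}]")
        for action in _as_list(st.get("Action")):
            if action == "*":
                findings.append((sid, "Action"))
            elif action.endswith(":*"):
                findings.append((sid, "ServiceAction"))
        if "*" in _as_list(st.get("Resource")):
            findings.append((sid, "Resource"))
    return findings

def _account_of(principal):
    """Account id of an AWS principal: a bare 12-digit id or field 4 of an ARN."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else None

def find_cross_account_principals(trust_policy, own_account):
    """AWS principals outside own_account (or "*") that may assume the role."""
    foreign = []
    for st in _as_list(trust_policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        foreign.extend(p for p in aws if _account_of(p) != own_account)
    return foreign
```

Service-level wildcards such as "ec2:*" are reported separately from a bare "*" so that the broad-permissions and wildcard-access cases can be triaged with different priorities.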