Access Analyzer

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0

Introduction

The IAM Access Analyzer solution enables AWS IAM Access Analyzer by delegating its administration, from the Organization management account, to a member account. It then configures Access Analyzer within the delegated administrator account for all existing and future AWS Organization accounts.

In addition to the organization-level deployment, the solution deploys AWS IAM Access Analyzer to all member accounts and regions to analyze account-level permissions.


Deployed Resource Details

Architecture

1.0 Organization Management Account

1.1 AWS CloudFormation

  • All resources are deployed via AWS CloudFormation as a StackSet and Stack Instance within the management account or a CloudFormation Stack within a specific account.
  • The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation StackSet.
  • For parameter details, review the AWS CloudFormation templates.

1.2 AWS Organizations

1.3 Account AWS IAM Access Analyzer

AWS IAM Access Analyzer is configured to monitor supported resources for the AWS Account zone of trust.


2.0 Audit Account

2.1 AWS CloudFormation

2.2 Account AWS IAM Access Analyzer

2.3 Organization AWS IAM Access Analyzer

  • AWS IAM Access Analyzer is configured to monitor supported resources for the AWS Organization zone of trust.

3.0 All Existing and Future Organization Member Accounts

3.1 AWS CloudFormation

3.2 Account AWS IAM Access Analyzer


Implementation Instructions

Prerequisites

  1. Register a delegated administrator using the Common Register Delegated Administrator solution
    1. pServicePrincipalList = "access-analyzer.amazonaws.com"

CloudFormation StackSets

Solution Deployment

AWS Control Tower

AWS CloudFormation

  1. In the management account (home region), launch an AWS CloudFormation Stack Set and deploy to All active accounts in all Governed Regions using the sra-iam-access-analyzer-account.yaml template file as the source. Note: Include the management account in the account list so that the IAM service-linked role is created, which is required for the next step.
  2. In the management account (home region), launch an AWS CloudFormation Stack Set and deploy to the Audit account in all Governed Regions using the sra-iam-access-analyzer-org.yaml template file as the source.

Verify Solution Deployment

  1. Log into the Audit account and navigate to the IAM Access Analyzer page
    1. Verify that there are 2 Access Analyzers (account and organization)
    2. Verify all existing accounts/regions have an account Access Analyzer
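The verification step above can be automated. The following is an added example, not part of the SRA solution; it assumes boto3 is installed with credentials for the Audit (delegated administrator) account, and the region list is a constructed placeholder for your Governed Regions. The check itself is a pure function, so it also runs on a captured ListAnalyzers response.

```python
"""Check that each region has one ACTIVE account analyzer and one ACTIVE organization analyzer."""
from typing import Dict, List

# Constructed sample of what ListAnalyzers returns in the Audit account after deployment.
SAMPLE_AUDIT_ANALYZERS = [
    {"name": "sra-account-analyzer", "type": "ACCOUNT", "status": "ACTIVE"},
    {"name": "sra-org-analyzer", "type": "ORGANIZATION", "status": "ACTIVE"},
]


def check_analyzers(analyzers: List[Dict]) -> Dict[str, object]:
    """Pure check: exactly one ACTIVE ACCOUNT and one ACTIVE ORGANIZATION analyzer."""
    by_type: Dict[str, List[str]] = {}
    for analyzer in analyzers:
        if analyzer.get("status") == "ACTIVE":
            by_type.setdefault(analyzer["type"], []).append(analyzer["name"])
    account = by_type.get("ACCOUNT", [])
    organization = by_type.get("ORGANIZATION", [])
    return {
        "account": account,
        "organization": organization,
        "ok": len(account) == 1 and len(organization) == 1,
    }


def list_analyzers(region: str) -> List[Dict]:
    """Fetch all analyzers in one region, following NextToken pagination."""
    import boto3  # only needed for the live check

    client = boto3.client("accessanalyzer", region_name=region)
    analyzers: List[Dict] = []
    kwargs: Dict[str, str] = {}
    while True:
        response = client.list_analyzers(**kwargs)
        analyzers.extend(response.get("analyzers", []))
        token = response.get("nextToken")
        if not token:
            return analyzers
        kwargs = {"nextToken": token}


if __name__ == "__main__":
    GOVERNED_REGIONS = ["us-east-1", "us-west-2"]  # placeholder: use your Governed Regions
    for region in GOVERNED_REGIONS:
        result = check_analyzers(list_analyzers(region))
        status = "OK " if result["ok"] else "MISSING"
        print(f"{status} {region}: account={result['account']} organization={result['organization']}")
```

Run it with the Audit account's credentials; a region printed as MISSING has not received both StackSet instances from the deployment steps. The organization analyzer only appears in the delegated administrator account, so other member accounts are expected to show the account analyzer alone.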

Solution Delete Instructions

  1. In the management account (home region), delete the AWS CloudFormation StackSet created in step 2 of the solution deployment. Note: there should not be any stack instances associated with this StackSet.
  2. In the management account (home region), delete the AWS CloudFormation StackSet created in step 1 of the solution deployment. Note: there should not be any stack instances associated with this StackSet.
  3. Clean up the delegated administrator registered in the Prerequisites

References