aws-accessanalyzer
Analyze AWS resource access policies for security
TLDR
Create a new Access Analyzer
Delete an existing Access Analyzer
Get details of a specific Access Analyzer
List all Access Analyzers
Update settings of an Access Analyzer
Create a new Access Analyzer archive rule
Delete an Access Analyzer archive rule
List all Access Analyzer archive rules
SYNOPSIS
aws accessanalyzer command [options]
Examples:
aws accessanalyzer create-analyzer --analyzer-name MyOrgAnalyzer --type ORGANIZATION
aws accessanalyzer list-findings --analyzer-arn arn:aws:access-analyzer:us-east-1:123456789012:analyzer/MyOrgAnalyzer
aws accessanalyzer validate-policy --policy-type RESOURCE_POLICY --policy-document file://my-s3-policy.json
PARAMETERS
Common AWS CLI Options
These are general options applicable across most AWS CLI commands, including `accessanalyzer` subcommands:
--region value: Specifies the AWS region to use for the command.
--output value: Sets the output format of the command (e.g., json, text, table).
--profile value: Uses a specific named profile from your credentials file.
--endpoint-url value: Overrides the default service endpoint URL.
accessanalyzer Subcommands
The `accessanalyzer` command group exposes one subcommand per Access Analyzer API action. Each subcommand has its own options and arguments; the ones used most often are:
create-analyzer: Creates an analyzer for your account or organization.
list-analyzers: Retrieves a list of existing analyzers.
get-analyzer: Retrieves detailed information about a specific analyzer.
delete-analyzer: Deletes an analyzer.
start-resource-scan: Immediately rescans the policies attached to one resource (given by ARN) instead of waiting for the analyzer's next periodic scan; useful right after a policy change.
list-findings: Retrieves a list of access analyzer findings generated by an analyzer.
get-finding: Retrieves detailed information about a specific finding.
update-findings: Updates the status of findings (e.g., ACTIVE, ARCHIVED).
apply-archive-rule: Retroactively applies an existing archive rule to the analyzer's current findings; new findings that match a rule are archived automatically as soon as the rule exists.
create-archive-rule: Creates an archive rule for an analyzer. Its filter names finding attributes (for example isPublic, principal.AWS, resourceType) with eq, neq, contains or exists operators; findings that match are created with status ARCHIVED instead of ACTIVE.
delete-archive-rule: Deletes an archive rule.
validate-policy: Runs the Access Analyzer policy checks on a single policy document (IDENTITY_POLICY, RESOURCE_POLICY or SERVICE_CONTROL_POLICY) and returns findings classified as ERROR, SECURITY_WARNING, WARNING or SUGGESTION. It needs no analyzer, which makes it suitable for pre-commit and CI checks.
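As an added example (not part of the AWS CLI or Access Analyzer documentation), the following Python reads the JSON that `aws accessanalyzer validate-policy --output json` prints, sorts the findings worst-first and fails the build when an ERROR or SECURITY_WARNING is present. The response below is constructed to show the response shape (findingType, issueCode, findingDetails, locations); the issue codes INVALID_ACTION, PASS_ROLE_WITH_STAR and MISSING_VERSION are representative check names, the finding text is paraphrased rather than copied from the service, and the file names in the usage note are assumptions.

```python
"""Gate a CI step on `aws accessanalyzer validate-policy` output.

Added example; it is not the AWS CLI's own code. Feed it the JSON written by
    aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY \
        --policy-document file://role-policy.json --output json
(the policy file name is an assumption) and key the pipeline on the exit code.
"""
import json
import sys

# Severity rank: used both for ordering the report and for deciding what blocks.
SEVERITY = {"ERROR": 3, "SECURITY_WARNING": 2, "WARNING": 1, "SUGGESTION": 0}


def json_path(location):
    """Render one finding location as a dotted path into the policy document.
    Path elements are {"index": n}, {"key"/"value": name} or {"substring": {...}}."""
    steps = []
    for step in location.get("path", []):
        if "index" in step:
            steps.append(str(step["index"]))
        elif "substring" in step:
            sub = step["substring"]
            steps.append(f"[{sub['start']}:{sub['end']}]")
        else:
            steps.append(step.get("key", step.get("value", "?")))
    return ".".join(steps)


def gate(response_json, fail_on=("ERROR", "SECURITY_WARNING")):
    """Return (passed, rows). rows are (rank, findingType, issueCode, path, details)
    sorted worst-first; passed is False if any finding's type is in fail_on."""
    rows = []
    for finding in json.loads(response_json).get("findings", []):
        paths = [json_path(loc) for loc in finding.get("locations", [])]
        rows.append((
            SEVERITY.get(finding["findingType"], -1),
            finding["findingType"],
            finding["issueCode"],
            ", ".join(paths) or "<document>",
            finding["findingDetails"],
        ))
    rows.sort(key=lambda row: -row[0])  # stable: ties keep service order
    passed = not any(row[1] in fail_on for row in rows)
    return passed, rows


# Constructed sample shaped like a validate-policy response (text paraphrased).
DOCS = "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html"
SAMPLE_RESPONSE = json.dumps({"findings": [
    {"findingType": "SUGGESTION", "issueCode": "MISSING_VERSION",
     "findingDetails": "Specify a policy Version element.",
     "learnMoreLink": DOCS, "locations": []},
    {"findingType": "SECURITY_WARNING", "issueCode": "PASS_ROLE_WITH_STAR",
     "findingDetails": "iam:PassRole with Resource * lets the principal pass any role.",
     "learnMoreLink": DOCS,
     "locations": [{"path": [{"value": "Statement"}, {"index": 1}, {"value": "Resource"}],
                    "span": {"start": {"line": 9, "column": 19, "offset": 210},
                             "end": {"line": 9, "column": 22, "offset": 213}}}]},
    {"findingType": "ERROR", "issueCode": "INVALID_ACTION",
     "findingDetails": "The action does not exist.",
     "learnMoreLink": DOCS,
     "locations": [{"path": [{"value": "Statement"}, {"index": 0},
                             {"value": "Action"}, {"index": 0}],
                    "span": {"start": {"line": 4, "column": 9, "offset": 60},
                             "end": {"line": 4, "column": 23, "offset": 74}}}]},
]})

if __name__ == "__main__":
    # Read the CLI output from the file named on the command line, else the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESPONSE
    ok, rows = gate(text)
    for _, ftype, code, path, details in rows:
        print(f"{ftype:17} {code:24} {path}\n    {details}")
    sys.exit(0 if ok else 1)
```

Run as `aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://role-policy.json --output json > findings.json && python gate.py findings.json` (file names assumed). Start by blocking on ERROR and SECURITY_WARNING only; once the existing policy set is clean, add WARNING to `fail_on` so regressions cannot creep in.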
DESCRIPTION
The `aws-accessanalyzer` command group (invoked as `aws accessanalyzer` via the AWS Command Line Interface) provides programmatic access to IAM Access Analyzer, a security service that identifies resources in your AWS account or organization that grant access to principals outside your zone of trust (the account for an ACCOUNT analyzer, the whole organization for an ORGANIZATION analyzer). Rather than inspecting logs or traffic, it applies automated reasoning to resource-based policies such as S3 bucket policies, IAM role trust policies and KMS key policies, and emits one finding for each resource and external principal combination it can prove is allowed, so that each grant can be confirmed as intended or tightened toward least privilege. Newer analyzer types also report unused roles, access keys and permissions. The CLI lets you create and manage analyzers, list and update findings, define archive rules, validate policy documents and wire all of this into scripts and security pipelines.
CAVEATS
Using `aws accessanalyzer` requires the AWS CLI to be installed and configured with credentials that hold the relevant IAM actions in the `access-analyzer` namespace (for example `access-analyzer:CreateAnalyzer`, `access-analyzer:ListFindings` and `access-analyzer:UpdateFindings`). Creating the first analyzer also creates the `AWSServiceRoleForAccessAnalyzer` service-linked role, and an ORGANIZATION analyzer must be created from the organization's management account or a delegated administrator with Access Analyzer trusted access enabled in AWS Organizations. Analyzers are regional: one reports only on supported resources in the region where it was created, so each region in use needs its own. Findings are generated asynchronously; after a policy change, allow up to about 30 minutes for a finding to appear or move to RESOLVED, or run `start-resource-scan` to rescan one resource immediately. Access Analyzer only flags access; it neither blocks nor remediates it, so every finding still needs review and, where the access is unintended, a policy change. External access analysis carries no charge; unused access analyzers and custom policy checks are billed separately.
ANALYZED RESOURCE TYPES
An external access analyzer examines the resource-based policy (for IAM roles, the trust policy) of each supported resource type in its region. Among them:
Amazon S3 buckets
IAM roles (trust policies)
AWS KMS keys
Amazon SQS queues
Amazon SNS topics
AWS Lambda functions and layers
AWS Secrets Manager secrets
Amazon ECR repositories
Amazon EFS file systems
HOW ACCESS ANALYZER WORKS
Access Analyzer uses automated reasoning, a form of mathematical logic, to evaluate policies rather than observed traffic or logs. For every supported resource it analyzes the resource-based policy together with the conditions it contains and determines exhaustively whether any principal outside the zone of trust can be granted access: another AWS account or a principal in one, a federated identity, or everyone (anonymous or public access, reported with isPublic set to true). Each such grant becomes a finding that records the resource, the external principal, the actions allowed and any conditions; you then either confirm it as intended (archive it) or remove the access, after which the finding moves to RESOLVED on the next scan. Because it reasons about what the policy permits rather than what has been observed, it also catches access paths that have never been exercised.
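The following Python is an added example, not code from the AWS CLI or the Access Analyzer documentation. It post-processes the JSON from `aws accessanalyzer list-findings --output json`: each ACTIVE finding is classified by the kind of external principal it describes, findings whose only principal is an account on a constructed trusted list are queued for `update-findings`, and a matching `create-archive-rule` filter is produced so future findings of that shape are archived on creation. The trusted account, the analyzer ARN and every finding below are constructed sample data.

```python
"""Triage external-access findings from `aws accessanalyzer list-findings`.

Added example; not part of the AWS CLI. Input is the JSON the CLI prints with
--output json. TRUSTED_ACCOUNTS and the sample findings are constructed.
"""
import json
import re

# Constructed: accounts outside this one whose access is expected
# (for example a central logging or security-tooling account).
TRUSTED_ACCOUNTS = {"210987654321"}

# The "AWS" principal in a finding is a bare 12-digit account ID, an IAM ARN
# for a principal in that account, or "*" for public access.
ACCOUNT_RE = re.compile(r"^(?:arn:aws[\w-]*:iam::)?(\d{12})(?::.+)?$")


def external_account(principal):
    """Return the account ID behind the finding's "AWS" principal, or None."""
    match = ACCOUNT_RE.match(principal.get("AWS", ""))
    return match.group(1) if match else None


def classify(finding):
    """Label one finding by the kind of principal outside the zone of trust."""
    if finding.get("isPublic"):
        return "public"  # everyone; always needs a human
    principal = finding.get("principal", {})
    if "Federated" in principal:
        return "federated"  # web-identity or SAML provider, review the conditions
    if external_account(principal) in TRUSTED_ACCOUNTS:
        return "trusted-account"
    return "unknown-external"


def triage(list_findings_json):
    """Split ACTIVE findings into ids a human must review and ids safe to archive
    because the only external principal is a trusted account."""
    review, archive = [], []
    for finding in json.loads(list_findings_json)["findings"]:
        if finding.get("status") != "ACTIVE":
            continue  # ARCHIVED and RESOLVED findings need no action
        bucket = archive if classify(finding) == "trusted-account" else review
        bucket.append(finding["id"])
    return {"review": review, "archive": archive}


def update_findings_input(analyzer_arn, finding_ids, status="ARCHIVED"):
    """Request body for `aws accessanalyzer update-findings --cli-input-json file://...`."""
    return {"analyzerArn": analyzer_arn, "status": status, "ids": list(finding_ids)}


def archive_rule_filter(account_id):
    """Filter for `aws accessanalyzer create-archive-rule --filter '...'` so that
    future non-public findings whose external principal is account_id are archived
    on creation. Keys are finding attributes, operators are eq/neq/contains/exists,
    values are lists of strings (booleans are spelled "true"/"false")."""
    return {"principal.AWS": {"eq": [account_id]}, "isPublic": {"eq": ["false"]}}


# Constructed sample shaped like a ListFindings response (fields trimmed).
SAMPLE_LIST_FINDINGS = json.dumps({"findings": [
    {"id": "f-1", "status": "ACTIVE", "isPublic": True, "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::example-assets", "principal": {"AWS": "*"},
     "action": ["s3:GetObject"]},
    {"id": "f-2", "status": "ACTIVE", "isPublic": False, "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::123456789012:role/LogReader",
     "principal": {"AWS": "210987654321"}, "action": ["sts:AssumeRole"]},
    {"id": "f-3", "status": "ACTIVE", "isPublic": False, "resourceType": "AWS::KMS::Key",
     "resource": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
     "principal": {"AWS": "arn:aws:iam::999999999999:root"}, "action": ["kms:Decrypt"]},
    {"id": "f-4", "status": "ACTIVE", "isPublic": False, "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::123456789012:role/MobileApp",
     "principal": {"Federated": "cognito-identity.amazonaws.com"},
     "action": ["sts:AssumeRoleWithWebIdentity"]},
    {"id": "f-5", "status": "ARCHIVED", "isPublic": False, "resourceType": "AWS::SQS::Queue",
     "resource": "arn:aws:sqs:us-east-1:123456789012:orders",
     "principal": {"AWS": "210987654321"}, "action": ["sqs:SendMessage"]},
]})

if __name__ == "__main__":
    analyzer = "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/MyOrgAnalyzer"
    result = triage(SAMPLE_LIST_FINDINGS)
    print(json.dumps(result, indent=2))
    print(json.dumps(update_findings_input(analyzer, result["archive"]), indent=2))
    print(json.dumps(archive_rule_filter("210987654321"), indent=2))
```

Public findings are never auto-archived here, whatever the principal list says, because a bucket or key that is reachable anonymously is the case the analyzer exists to surface. Keep the trusted list short and reviewed; every account on it is effectively inside your zone of trust for the resource types the filter matches.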
HISTORY
IAM Access Analyzer was launched by Amazon Web Services at re:Invent in December 2019. It gave customers an automated, proactive way to find and fix unintended resource access, using automated reasoning over policy semantics rather than pattern-based static analysis, so that findings are provable rather than heuristic.
SEE ALSO
aws configure(1), aws iam(1), aws s3api(1), aws cloudtrail(1), aws securityhub(1), aws organizations(1)