Amazon recently announced the AWS IAM Access Analyzer, a useful tool to help discover if you have granted unintended access to specific types of resources in your AWS account.
At the moment, an Access Analyzer needs to be created in each region of each account where you want to run it.
Since this manual requirement can be a lot of work, it is a common complaint from customers. Given that Amazon listens to customer feedback and since we currently have to specify a “type” of “ACCOUNT”, I expect at some point Amazon may make it easier to run Access Analyzer across all regions and maybe in all accounts in an AWS Organization. Until then…
This article shows how I created an AWS IAM Access Analyzer in all regions of all accounts in my AWS Organization using the aws-cli.
To make this easy, I use the bash helper functions that I defined in last week’s blog post here:
Please read the blog post to see what assumptions I make about the AWS Organization and account setup. You may need to tweak things if your setup differs from mine.
Here is my GitHub repo that makes it more convenient for me to install the bash functions. If your AWS account structure matches mine sufficiently, it might work for you, too:
IAM Access Analyzer In All Regions Of Single Account
To start, let’s show how to create an IAM Access Analyzer in all regions of a single account.
Here’s a simple command to get all the regions in the current AWS account:
aws ec2 describe-regions \ --output text \ --query 'Regions[RegionName]'
This command creates an IAM Access Analyzer in a specific region. We’ll tack on a UUID because that’s what Amazon does, though I suspect it’s not really necessary.
region=us-east-1 uuid=$(uuid -v4 -FSIV || echo "1") # may need to install "uuid" command analyzer="accessanalyzer-$uuid" aws accessanalyzer create-analyzer \ --region "$region" \ --analyzer-name "$analyzer" \ --type ACCOUNT
By default, there is a limit of a single IAM Access Analyzer per account region. The fact that this is a “default limit” implies that it may be increased by request, but for this guide, we’ll just not create an IAM Access Analyzer if one already exists.
This command lists the name of any IAM Access Analyzers that might already have been created in a region:
region=us-east-1 aws accessanalyzer list-analyzers \ --region "$region" \ --output text \ --query 'analyzers[name]'
We can put the above together, iterating over the regions, checking to see if an IAM Access Analyzer already exists, and creating one if it doesn’t: