Hi, thank you for reaching out.
Most likely you are getting these SecurityHub findings from IAM Access Analyzer. If that's true, then in my view it sounds like the zone of trust of IAM Access Analyzer is within the account, not the organization. You may know this, but below is a short description of how IAM Access Analyzer analyzes policies:
Access Analyzer does not examine access logs to determine whether an external entity accessed a resource within your zone of trust. It generates a finding when a resource-based policy allows access to a resource, even if the resource was not accessed by the external entity. Access Analyzer also does not consider the state of any external accounts when making its determination. That is, if it indicates that account 11112222333 can access your S3 bucket, it knows nothing about the state of users, roles, service control policies (SCP), and other relevant configurations in that account. This is for customer privacy – Access Analyzer doesn't consider who owns the other account. It is also for security – if the account is not owned by the Access Analyzer customer, it is still important to know that an external entity could gain access to their resources even if there are currently no principals in the account that could access the resources.
If SSO and OIDC roles are shared within the same organization, then recreating the IAM Access Analyzer zone of trust might help here by expanding the trust boundary from an account to an organizational view. Below is a how-to document on the same; effectively, remove the account-level analyzer and create an organization-wide analyzer from the delegated admin account (organization admin account):
https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html
HTH
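A small offline triage script, added here as an illustration (not code from the answer above or from AWS): it takes constructed finding records shaped like the ones Access Analyzer reports, plus an assumed list of the organization's account IDs, and separates principals that live inside the organization (the ones an account-scoped zone of trust flags but an organization-scoped analyzer would not) from genuinely external and public access. The account IDs, ARNs and the `AWSReservedSSO_` role path check are assumptions for the sample.

```python
"""Triage Access Analyzer-style findings against an organization's account list.

Constructed sample data only; no AWS calls are made. The finding shape
(principal / resource / isPublic / status) mirrors what Access Analyzer
reports, but every value below is a placeholder.
"""
import re
from typing import Dict, List, Optional, Set

# Assumption: member account IDs of the organization (placeholders).
ORG_ACCOUNTS: Set[str] = {"111111111111", "222222222222", "333333333333"}

# Constructed findings: an IAM Identity Center (SSO) role and an OIDC provider
# from sibling org accounts, one public bucket, and one truly external account.
SAMPLE_FINDINGS: List[Dict] = [
    {"id": "f-1", "resource": "arn:aws:s3:::shared-artifacts", "status": "ACTIVE", "isPublic": False,
     "principal": {"AWS": "arn:aws:iam::222222222222:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_abc123"}},
    {"id": "f-2", "resource": "arn:aws:iam::111111111111:role/GitHubDeploy", "status": "ACTIVE", "isPublic": False,
     "principal": {"Federated": "arn:aws:iam::111111111111:oidc-provider/token.actions.githubusercontent.com"}},
    {"id": "f-3", "resource": "arn:aws:s3:::public-www", "status": "ACTIVE", "isPublic": True,
     "principal": {"AWS": "*"}},
    {"id": "f-4", "resource": "arn:aws:kms:us-east-1:111111111111:key/ab12", "status": "ACTIVE", "isPublic": False,
     "principal": {"AWS": "arn:aws:iam::999999999999:root"}},
]

# arn:partition:service:region:account-id:... -> capture the 12-digit account ID.
ARN_ACCOUNT = re.compile(r"^arn:aws[\w-]*:[^:]*:[^:]*:(\d{12}):")
# Assumed naming convention for IAM Identity Center provisioned roles.
SSO_ROLE = re.compile(r":role/aws-reserved/sso\.amazonaws\.com/(?:[^/]+/)?AWSReservedSSO_")


def principal_account(principal: Dict[str, str]) -> Optional[str]:
    """Return the account ID embedded in the finding's principal ARN, or None (e.g. for '*')."""
    for value in principal.values():
        match = ARN_ACCOUNT.match(value)
        if match:
            return match.group(1)
    return None


def is_sso_role(principal: Dict[str, str]) -> bool:
    """True when the principal is an Identity Center provisioned role (candidate for an archive rule)."""
    return any(SSO_ROLE.search(v) for v in principal.values())


def classify(finding: Dict, org_accounts: Set[str]) -> str:
    """PUBLIC, IN_ORG (inside the organization zone of trust) or EXTERNAL."""
    if finding.get("isPublic"):
        return "PUBLIC"
    return "IN_ORG" if principal_account(finding["principal"]) in org_accounts else "EXTERNAL"


def triage(findings: List[Dict], org_accounts: Set[str]) -> Dict[str, List[str]]:
    """Group ACTIVE finding IDs by bucket; SSO_NOISE lists in-org SSO roles separately."""
    buckets: Dict[str, List[str]] = {"PUBLIC": [], "IN_ORG": [], "EXTERNAL": [], "SSO_NOISE": []}
    for f in findings:
        if f.get("status") != "ACTIVE":
            continue
        bucket = classify(f, org_accounts)
        buckets[bucket].append(f["id"])
        if bucket == "IN_ORG" and is_sso_role(f["principal"]):
            buckets["SSO_NOISE"].append(f["id"])
    return buckets
```

Only the EXTERNAL and PUBLIC buckets are worth a human look here; the IN_ORG bucket is what disappears once the analyzer's zone of trust is the organization.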
This is awesome! I'll give it a go!
I also got this recommendation in a different forum:
archive AWS SSO roles automatically so things like this aren't flagged: