(IAM) Access Advisor


We are making adjustments to permissions so that these users only have the necessary privileges. We use Access Advisor for this; however, we know that our applications use certain services like S3, Lambda, KMS, etc., and those permissions are not showing up in Access Advisor. We also checked CloudTrail, and the use of these permissions is not being logged, which is making our analysis difficult and causing some operational incidents, as we are being forced to add permissions on demand as errors occur in the systems.

Something we noticed is that, for a user with recent access, Access Advisor reports that a certain permission was used recently too, but when entering the detail, the last time the permission was used was more than 50 days ago. It's quite anomalous behavior. The evidence is attached.

The same behavior happens in Access Advisor for roles. Evidence is attached for that as well.

We would like support to understand why Access Advisor and CloudTrail are not showing some permissions for services that our applications consume.

Thanks in advance

2 Answers

Some things to check:

- CloudTrail is per region, so you would have to make sure you are checking the correct region.
- The likes of S3 will not appear in CloudTrail unless you have data events set up, though they still may not appear in AA.
- Invoking a Lambda function isn't captured in CloudTrail either, as per https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html

EXPERT
answered a year ago
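The checks in the answer above (is the trail in the region you are looking at, does it log S3 data events, does it log Lambda Invoke data events) can be applied to a trail's configuration mechanically. The following is an added example for this thread, not code from AWS or from the answer's author. It takes dicts shaped like the output of `aws cloudtrail describe-trails` and `aws cloudtrail get-event-selectors` (the fixtures below are constructed, so it runs offline) and reports each gap. Because the question also lists KMS, it additionally checks whether the trail excludes `kms.amazonaws.com` from management events via `ExcludeManagementEventSources`; that check is my addition and is not something the answer states.

```python
"""Audit a CloudTrail trail for the gaps that hide S3/Lambda/KMS activity.

Added example for this thread, not code from AWS or from the answer's author.
The trail and selector dicts are constructed to mirror the shape of
`aws cloudtrail describe-trails` / `aws cloudtrail get-event-selectors`
output, so everything below runs offline with no AWS call.
"""

S3_OBJECT = "AWS::S3::Object"              # S3 object-level ops (GetObject, PutObject, ...)
LAMBDA_FUNCTION = "AWS::Lambda::Function"  # Lambda Invoke
KMS_SOURCE = "kms.amazonaws.com"           # management events that a trail may exclude


def data_event_types(selectors):
    """Return the set of data-event resource types the trail records.

    Handles both the classic EventSelectors form (DataResources) and the
    AdvancedEventSelectors form (FieldSelectors on eventCategory/resources.type).
    """
    types = set()
    for sel in selectors.get("EventSelectors", []):
        for res in sel.get("DataResources", []):
            if res.get("Values"):  # a DataResources entry without Values logs nothing
                types.add(res["Type"])
    for sel in selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if "Data" in fields.get("eventCategory", {}).get("Equals", []):
            types.update(fields.get("resources.type", {}).get("Equals", []))
    return types


def excluded_management_sources(selectors):
    """Event sources whose management events the trail deliberately drops."""
    excluded = set()
    for sel in selectors.get("EventSelectors", []):
        excluded.update(sel.get("ExcludeManagementEventSources", []))
    for sel in selectors.get("AdvancedEventSelectors", []):
        for f in sel.get("FieldSelectors", []):
            if f["Field"] == "eventSource":
                excluded.update(f.get("NotEquals", []))
    return excluded


def audit_trail(trail, selectors, checked_region):
    """Per gap, say whether this trail could even contain the missing activity."""
    types = data_event_types(selectors)
    return {
        "covers_region": bool(trail.get("IsMultiRegionTrail"))
        or trail.get("HomeRegion") == checked_region,
        "s3_object_events": S3_OBJECT in types,
        "lambda_invoke_events": LAMBDA_FUNCTION in types,
        "kms_management_events": KMS_SOURCE not in excluded_management_sources(selectors),
    }


# Constructed fixtures: a single-region trail with management events only
# (and KMS excluded), then the same trail after fixing all four settings.
TRAIL_BEFORE = {"Name": "ops-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": False}
SELECTORS_BEFORE = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/ops-trail",
    "EventSelectors": [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [],
        "ExcludeManagementEventSources": ["kms.amazonaws.com"],
    }],
}
TRAIL_AFTER = {"Name": "ops-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True}
SELECTORS_AFTER = {
    "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/ops-trail",
    "EventSelectors": [{
        "ReadWriteType": "All",
        "IncludeManagementEvents": True,
        "DataResources": [
            {"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::"]},        # all buckets
            {"Type": "AWS::Lambda::Function", "Values": ["arn:aws:lambda"]},  # all functions
        ],
        "ExcludeManagementEventSources": [],
    }],
}

if __name__ == "__main__":
    for label, trail, sel in (("before", TRAIL_BEFORE, SELECTORS_BEFORE),
                              ("after", TRAIL_AFTER, SELECTORS_AFTER)):
        print(label, audit_trail(trail, sel, "eu-west-1"))
```

Feed it the real JSON from the two CLI calls and any `False` in the result is a reason the activity cannot be in that trail, regardless of what Access Advisor shows. Note that turning on S3 and Lambda data events for every bucket and function changes the trail's volume and cost, so scope the `Values` ARNs down to the resources your applications actually use once you know them.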

Hey @rePost-User-9084476

Take a peek at IAM Access Analyzer: https://aws.amazon.com/iam/features/analyze-access/

Set fine-grained permissions <------

Policy generation with IAM Access Analyzer generates a fine-grained policy based on the access activity captured in your logs. This means that after you build and run an application, you can generate policies that grant only the required permissions to operate the application.

Policy validation with IAM Access Analyzer guides you to author and validate secure and functional policies with more than 100 policy checks. You can use these checks while creating new policies or to validate existing policies.

Verify intended permissions

Public and cross-account findings with IAM Access Analyzer guide you to verify that existing access meets your intent. IAM Access Analyzer uses provable security to analyze all access paths and provide comprehensive analysis of external access to your resources. When you turn on IAM Access Analyzer, it continuously monitors for new or updated resource permissions to help you identify permissions that grant public and cross-account access. For example, if an Amazon S3 bucket policy were to change, IAM Access Analyzer would alert you that the bucket is accessible by users from outside the account.

Using this same analysis, IAM Access Analyzer makes it easier to review and validate public and cross-account access before deploying permissions changes.

Refine permissions by removing unused access <-----

Last-accessed information provides data about when AWS services were last used, which helps you identify opportunities to tighten your permissions. With this information, you can compare the permissions that have been granted with when those permissions were last accessed to remove unused access and further refine your permissions.

You also can use last-used timestamps for your IAM roles and access keys to remove IAM entities that are no longer required.

========

In closing I would say Access Advisor is good, IAM Access Analyzer is way better!

Let me know if you have any issues with this, or if it helps you then please accept my answer after you've tried it out - it would be much appreciated! Good luck :)

D G
answered a year ago
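Policy generation, as described in the answer above, works from the access activity captured in CloudTrail, which ties it back to the original problem: activity that never reached the trail cannot appear in a generated policy. The following is an added example for this thread and not IAM Access Analyzer's own implementation (that is a managed service); it is a small model of the idea, reading constructed CloudTrail records for one role and emitting only the actions that role used. The version-suffix regex and the `_ACTION_OVERRIDES` table are simplifications I introduce, and `management_only()` simulates a trail with no data-event selectors.

```python
"""Generate a least-privilege policy skeleton from CloudTrail activity.

Added example for this thread; not IAM Access Analyzer's implementation, only
a model of the idea behind its policy generation: take what a principal
actually called and allow exactly that. The CloudTrail records are constructed
and trimmed to the fields used here.
"""
import json
import re
from collections import defaultdict

# Some Lambda event names carry an API-version suffix (GetFunction20150331v2);
# IAM action names do not. Simplification introduced for this example.
_VERSION_SUFFIX = re.compile(r"\d{8}(v\d+)?$")
# Event names are not always the IAM action name; the Lambda Invoke data event
# is the case that matters for this thread. Extend as you meet more.
_ACTION_OVERRIDES = {"lambda:Invoke": "lambda:InvokeFunction"}


def event_to_action(record):
    """Map a CloudTrail record to an IAM action such as 's3:GetObject'."""
    service = record["eventSource"].split(".")[0]
    name = _VERSION_SUFFIX.sub("", record["eventName"])
    action = f"{service}:{name}"
    return _ACTION_OVERRIDES.get(action, action)


def principal_of(record):
    """IAM principal behind a record: the role ARN for assumed-role sessions."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn")


def generate_policy(records, principal_arn):
    """Return an IAM policy dict allowing only the actions the principal used."""
    by_service = defaultdict(set)
    for rec in records:
        if principal_of(rec) != principal_arn:
            continue  # activity of other principals does not belong in this policy
        action = event_to_action(rec)
        by_service[action.split(":")[0]].add(action)
    statements = [
        {"Sid": f"{svc.capitalize()}Access", "Effect": "Allow",
         "Action": sorted(actions), "Resource": "*"}  # scope Resource down by hand
        for svc, actions in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def actions_in(policy):
    """Flatten a generated policy back to the set of actions it allows."""
    return {a for st in policy["Statement"] for a in st["Action"]}


def management_only(records):
    """Simulate a trail that has no data-event selectors configured."""
    return [r for r in records if r.get("eventCategory") != "Data"]


ROLE = "arn:aws:iam::123456789012:role/app-role"
_SESSION = {"type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc",
            "sessionContext": {"sessionIssuer": {"arn": ROLE}}}
RECORDS = [  # constructed sample records
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "eventCategory": "Management", "userIdentity": _SESSION},
    {"eventSource": "lambda.amazonaws.com", "eventName": "GetFunction20150331v2",
     "eventCategory": "Management", "userIdentity": _SESSION},
    {"eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "eventCategory": "Data", "userIdentity": _SESSION},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventCategory": "Data", "userIdentity": _SESSION},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "eventCategory": "Management",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]

if __name__ == "__main__":
    print("trail with data events:")
    print(json.dumps(generate_policy(RECORDS, ROLE), indent=2))
    print("management events only:")
    print(json.dumps(generate_policy(management_only(RECORDS), ROLE), indent=2))
```

Run it and compare the two outputs: with data events in the trail the role gets `s3:GetObject` and `lambda:InvokeFunction`; with management events only, those two actions vanish and the "generated" policy is exactly the kind that breaks the application in production. The same applies to the managed feature, so enable the relevant data events and let the application run through a full cycle of its workload before generating a policy from the activity.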
