Many of the customers we work with look for ways to manage compliance and gain additional insights across their AWS multi-account organization from a central location. We often begin the discussion with AWS Control Tower, as it offers the easiest way to set up and govern a multi-account AWS environment. Control Tower is an AWS managed service that automates the creation of a well-architected multi-account AWS environment. This simplifies new account provisioning and centralized compliance for your AWS Organization. With Control Tower, builders can provision new AWS accounts that conform to your company-wide policies in a few clicks.

The conversation then leads to the other AWS services and features that enhance visibility and security posture.  Features such as AWS Identity and Access Management (IAM) Access Analyzer. IAM Access Analyzer makes it simpler for security teams and administrators to check that their policies only provide the intended access to resources.  IAM Access Analyzer helps you understand who can access your resources by analyzing permissions granted through policies. We call these analytical results provable security, a higher level of assurance for security in the cloud.

In this post, we walk you through the steps to enhance your organizational security visibility by enabling and centralizing IAM Access Analyzer findings across your Control Tower multi-account environment.

Solution overview

The organizational root account (master) controls IAM Access Analyzer for the entire organization. However, most customers designate a specific child account as their security master. By default, Control Tower creates a security-audit account for cross-account auditing and centralized security operations. We will use the audit account as our IAM Access Analyzer delegated administrator. This involves a two-step process.  First, you will delegate authority to your audit account. Then you will enable IAM Access Analyzer with the entire organization as the zone of trust. Once enabled, the IAM Access Analyzer findings from all member accounts will be aggregated into the audit account. This allows for effective monitoring of critical security events across the organization from one central location.

Prerequisites

This solution assumes that you have already deployed Control Tower, and that you have access to the Control Tower master account with administrative credentials.

Before enabling IAM Access Analyzer across the organization, you need the following information:

    • The account ID of your IAM Access Analyzer delegated administrator account. You can find your audit account number in the AWS Organizations console of your Control Tower master account. The account ID is in a 12-digit numeric format.

IAM Access Analyzer delegation

Only the master account can add, remove, or change a delegated administrator for IAM Access Analyzer.  From your Control Tower master account, navigate to the IAM console and select Access Analyzer Settings. From here, you can add a delegated administrator.  Add the 12-digit account ID of your audit account collected earlier, and save changes.

IAM Access Analyzer delegation

Enable Access Analyzer in your audit account

To enable Access Analyzer, you create an analyzer in the audit account. In this example, we create our analyzer with the entire organization as the zone of trust.

IAM Access Analyzer only analyzes policies attached to resources in the same AWS Region that it is enabled in.  To facilitate coverage of all Regions, we use an AWS CloudFormation StackSet to enable analyzers in all of the Regions.

The first step is to create an AWS CloudFormation template using your favorite text editor:

AWSTemplateFormatVersion: 2010-09-09
Description: Enables IAM Access Analyzer
Resources:
  Analyzer:
    Type: 'AWS::AccessAnalyzer::Analyzer'
    Properties:
      AnalyzerName: !Sub 'AccessAnalyzer-${AWS::Region}-${AWS::AccountId}'
      Type: ORGANIZATION

Next, from your Control Tower master account, launch the AWS CloudFormation StackSet

  1. Go to AWS CloudFormation in the AWS Management Console.
  2. Select StackSets, and choose Create StackSet
  3. Choose to use a sample template and upload the template file created earlier.
  4. On the Specify Stack Details page, give your stack a name such as “IAMAccessAnalyzer.”
  5. On Step 3, configure StackSet options.  Select Self-service permissions and ensure that the IAM admin role name is AWSControlTowerStackSetRole and the IAM execution role name is AWSControlTowerExecution

StackSet Permissions

 

  1. Select to deploy stacks in accounts and enter the 12-digit account ID of your audit account. You also specify the Regions in which to deploy the stacks. We choose to deploy to all Regions.

 

StackSet deployment options

You can then monitor the process and view the status of the deployment via the Operations tab of the StackSet. When it finishes deploying, move on to the next step.

 

Validation

Once the StackSet has finished deploying, log on to your audit account to view the findings inside the IAM console.

IAM Access Analyzer Validation

 

Additionally, if you have enabled Security Hub, the IAM Access Analyzer findings are automatically sent there as well.

Cleaning up

IAM Access Analyzer is a feature of your AWS account and is offered at no additional charge. However, if you would like to disable Access Analyzer you can delete the stacks, and your StackSet following instructions in the AWS CloudFormation Users guide and remove the Delegated administrator from the master account.

Conclusion

In this post, we demonstrated how you could enable IAM Access Analyzer across your Control Tower organization. We showed you how delegate administration of IAM Access Analyzer to the Control Tower audit account, and enable analyzers in all Regions. Implementing IAM Access Analyzer at an organizational level helps you quickly identify what resources in your organization can be accessed from outside of your AWS Organization increasing your organizations security posture.

Further information

IAM Access Analyzer
Control Tower governance
Multi Account Security Hub
Multi-Account Framework

About the Authors

Jason Moldan Photo

 

Jason Moldan is a Solutions Architect for AWS World-Wide Public Sector where he works with government customers to implement cloud solutions and solve technical problems.  He has been in technology for over 20 years and holds a Masters degree in Information Technology from the University of St. Thomas.  He loves to camp and travel with his family when not building in the cloud.

 

Andrew Gacek

 

Andrew Gacek is a Principal Applied Scientist in the Automated Reasoning for Identity group at Amazon Web Services. He works on applying automated reasoning to solve customer problems in the space of identity and access control. Andrew holds a PhD in Computer Science from the University of Minnesota.