Check if IAM Access Analyzer is enabled without findings
Risk
AWS IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy. This check passes only when an active analyzer exists in a region and it reports no active findings: a missing or inactive analyzer means external access is not being monitored at all, and active findings mean external access that nobody has reviewed, archived or removed.
Run this check with Prowler CLI
prowler aws --checks accessanalyzer_enabled_without_findings
ARN template
arn:partition:access-analyzer:region:account-id:analyzer/resource-id
Remediation
aws accessanalyzer create-analyzer --analyzer-name <NAME> --type <ACCOUNT|ORGANIZATION>
Enable IAM Access Analyzer in every account and in every region you use (analyzers are regional), create an analyzer, and act on its findings: remove unintended external access, or archive findings you have reviewed and accept. IAM Access Analyzer is available at no additional cost.
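The following is an added example, not Prowler's own check code: it reproduces the logic this check applies (no ACTIVE analyzer in a region is a FAIL; an ACTIVE analyzer with ACTIVE findings is a FAIL; an ACTIVE analyzer with only ARCHIVED/RESOLVED or no findings is a PASS) over constructed data shaped like the AWS `ListAnalyzers` and `ListFindings` responses, and derives the create-analyzer remediation command from the Remediation section for the regions that have no analyzer. The account ID, analyzer names and findings are made up; the function and field names are assumptions, not Prowler's.

```python
from dataclasses import dataclass

# Constructed account ID; only used to build ARNs in the sample data below.
ACCOUNT_ID = "123456789012"


@dataclass
class CheckResult:
    region: str
    resource_arn: str
    status: str           # "PASS" or "FAIL"
    status_extended: str  # human-readable reason, in the style of Prowler output


def active_findings(findings):
    """Keep only findings whose status is ACTIVE. Access Analyzer also reports
    ARCHIVED and RESOLVED findings; those were reviewed or fixed and must not
    fail the check."""
    return [f for f in findings if f.get("status") == "ACTIVE"]


def evaluate_region(region, analyzers, findings_by_analyzer):
    """Return one CheckResult per ACTIVE analyzer in the region, or a single
    FAIL result when the region has no ACTIVE analyzer.

    analyzers:            items shaped like the `analyzers` list of ListAnalyzers
    findings_by_analyzer: analyzer ARN -> items shaped like the `findings` list of ListFindings
    """
    active = [a for a in analyzers if a.get("status") == "ACTIVE"]
    if not active:
        # CREATING, DISABLED or FAILED analyzers scan nothing, so they count
        # as "not enabled", exactly like an absent analyzer.
        return [CheckResult(
            region=region,
            resource_arn=f"arn:aws:access-analyzer:{region}:{ACCOUNT_ID}:analyzer/unknown",
            status="FAIL",
            status_extended=f"IAM Access Analyzer in region {region} is not enabled.",
        )]
    results = []
    for analyzer in active:
        count = len(active_findings(findings_by_analyzer.get(analyzer["arn"], [])))
        if count:
            results.append(CheckResult(region, analyzer["arn"], "FAIL",
                f"IAM Access Analyzer {analyzer['name']} has {count} active findings."))
        else:
            results.append(CheckResult(region, analyzer["arn"], "PASS",
                f"IAM Access Analyzer {analyzer['name']} does not have active findings."))
    return results


def run_check(regions):
    """regions: region name -> {"analyzers": [...], "findings": {analyzer_arn: [...]}}"""
    results = []
    for region, data in regions.items():
        results.extend(evaluate_region(region, data.get("analyzers", []), data.get("findings", {})))
    return results


def remediation_commands(results, analyzer_name="prowler-analyzer"):
    """Build the create-analyzer command from the Remediation section for every
    region that failed because it has no active analyzer."""
    return [
        f"aws accessanalyzer create-analyzer --analyzer-name {analyzer_name} "
        f"--type ACCOUNT --region {r.region}"
        for r in results
        if r.status == "FAIL" and r.status_extended.endswith("is not enabled.")
    ]


# Constructed sample data covering the cases the check distinguishes.
PROD_ARN = f"arn:aws:access-analyzer:us-east-1:{ACCOUNT_ID}:analyzer/prod"
EU_ARN = f"arn:aws:access-analyzer:eu-west-1:{ACCOUNT_ID}:analyzer/prod"
SAMPLE_REGIONS = {
    # active analyzer with two unreviewed findings; the archived one does not count
    "us-east-1": {
        "analyzers": [{"arn": PROD_ARN, "name": "prod", "status": "ACTIVE", "type": "ACCOUNT"}],
        "findings": {PROD_ARN: [
            {"id": "f-1", "status": "ACTIVE", "resourceType": "AWS::S3::Bucket", "isPublic": True},
            {"id": "f-2", "status": "ACTIVE", "resourceType": "AWS::IAM::Role", "isPublic": False},
            {"id": "f-3", "status": "ARCHIVED", "resourceType": "AWS::S3::Bucket", "isPublic": False},
        ]},
    },
    # active analyzer, nothing shared externally
    "eu-west-1": {
        "analyzers": [{"arn": EU_ARN, "name": "prod", "status": "ACTIVE", "type": "ACCOUNT"}],
        "findings": {EU_ARN: []},
    },
    # analyzer exists but is disabled
    "us-west-2": {
        "analyzers": [{"arn": f"arn:aws:access-analyzer:us-west-2:{ACCOUNT_ID}:analyzer/old",
                       "name": "old", "status": "DISABLED", "type": "ACCOUNT"}],
        "findings": {},
    },
    # no analyzer at all
    "ap-south-1": {"analyzers": [], "findings": {}},
}

if __name__ == "__main__":
    findings = run_check(SAMPLE_REGIONS)
    for r in findings:
        print(f"{r.status:4} {r.region:12} {r.status_extended}")
    for cmd in remediation_commands(findings):
        print(cmd)
```

Against real accounts the same logic is fed by `list_analyzers` and `list_findings` (paginated, with `analyzerArn`) from the boto3 `accessanalyzer` client, once per enabled region. Note that `remediation_commands` only covers regions with no analyzer; regions that fail because of active findings need a human to review each finding and either remove the external access or archive it.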
Source Code
Resource Type
Other