IAM Access Analyzer analyzer is active and has no active findings
accessanalyzer_enabled_without_findings
Severity: low
Service: accessanalyzer
This check passes when every IAM Access Analyzer analyzer is in the Active state and currently reports zero Active findings for the resources inside its zone of trust. An analyzer that is not Active, or one with at least one Active finding, fails the check.
Risk
Unresolved Active findings indicate access paths that have not been validated as intended, typically public or cross-account access to resources inside the analyzer's zone of trust.
- Confidentiality: public or cross-account reads of data (buckets, snapshots, secrets)
- Integrity: rogue role assumption or KMS key use enabling policy or data changes
- Lateral movement across accounts via over-permissive trust policies
 
Run this check with Prowler CLI
prowler aws --checks accessanalyzer_enabled_without_findings
Recommendation
Enable IAM Access Analyzer in all relevant Regions and org/account scopes. Triage every Active finding:
- Remove unintended access by tightening resource and trust policies
- Enforce least privilege and separation of duties
- Archive only validated, intended access
- Continuously monitor and automate reviews
 
Remediation
Native IaC
Creating the analyzer satisfies the enabled half of this check; any Active findings it then produces still have to be remediated or archived (see the console steps below) before the check passes.
Resources:
  example_resource:
    Type: AWS::AccessAnalyzer::Analyzer
    Properties:
      AnalyzerName: example_resource
      Type: ACCOUNT  # ACCOUNT covers this account in this Region; use ORGANIZATION from the delegated administrator account to cover every member account
Terraform
resource "aws_accessanalyzer_analyzer" "example_resource" {
  analyzer_name = "example_resource"
  type          = "ACCOUNT" # ACCOUNT covers this account in this Region; use ORGANIZATION from the delegated administrator account to cover every member account
}
Other
- In the AWS Console, go to IAM > Access analyzer
- If no analyzer exists, click Create analyzer, select Type: Account, name it example_resource, and click Create
- Triage the analyzer's Active findings one by one rather than archiving them wholesale: archiving clears the Active count but leaves the access it describes in place
- For unintended access findings, open the finding and follow the linked resource to remove the offending permission (edit the resource policy or role trust policy), then return to the finding and choose Rescan; once the access is gone the finding moves to Resolved
- Archive only findings whose access you have validated as intended (select them, then Actions > Archive); an archive rule can do this automatically for known, documented principals
- Confirm the dashboard shows 0 Active findings
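The triage rule in the Recommendation (remediate unintended access, archive only validated access) and the console steps above, written out as an added Python example. This is not Prowler's check code or AWS's; it reproduces the pass/fail rule of this check offline and sorts findings into archive-vs-remediate by an allowlist of trusted account IDs. The sample findings, account IDs, ARNs, finding IDs and the TRUSTED_ACCOUNTS allowlist are constructed for illustration; apply_triage uses the real boto3 accessanalyzer list_findings and update_findings calls and needs credentials.

```python
"""Added example (not Prowler's or AWS's code): triage IAM Access Analyzer
findings as the Recommendation describes and reproduce the pass/fail rule of
accessanalyzer_enabled_without_findings offline. All IDs/ARNs are made up."""

# Constructed sample findings in the shape of
# boto3 accessanalyzer.list_findings()["findings"], trimmed to the fields used.
SAMPLE_FINDINGS = [
    {"id": "f-1", "status": "ACTIVE", "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::example-logs", "isPublic": True,
     "principal": {}, "action": ["s3:GetObject"]},
    {"id": "f-2", "status": "ACTIVE", "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111111111111:role/ci-deploy", "isPublic": False,
     "principal": {"AWS": "222222222222"}, "action": ["sts:AssumeRole"]},
    {"id": "f-3", "status": "ACTIVE", "resourceType": "AWS::KMS::Key",
     "resource": "arn:aws:kms:us-east-1:111111111111:key/1234abcd",
     "isPublic": False, "principal": {"AWS": "333333333333"},
     "action": ["kms:Decrypt"]},
    {"id": "f-4", "status": "ARCHIVED", "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111111111111:role/audit", "isPublic": False,
     "principal": {"AWS": "222222222222"}, "action": ["sts:AssumeRole"]},
]

# Hypothetical allowlist: accounts whose cross-account access is documented
# and intended (e.g. an organisation-owned CI or security tooling account).
TRUSTED_ACCOUNTS = {"222222222222"}


def is_intended(finding, trusted_accounts):
    """Archive rule: public access is never treated as intended; cross-account
    access is accepted only when the principal is an allowlisted account."""
    if finding.get("isPublic"):
        return False
    principal = finding.get("principal") or {}
    return principal.get("AWS") in trusted_accounts


def triage(findings, trusted_accounts):
    """Split ACTIVE findings into ids to archive (validated as intended) and
    ids to remediate (tighten the resource or trust policy). Findings that are
    already ARCHIVED or RESOLVED need no action and are skipped."""
    plan = {"archive": [], "remediate": []}
    for f in findings:
        if f.get("status") != "ACTIVE":
            continue
        key = "archive" if is_intended(f, trusted_accounts) else "remediate"
        plan[key].append(f["id"])
    return plan


def evaluate_analyzer(analyzer, findings):
    """Pass/fail rule of this check for one analyzer: it must be ACTIVE and
    must have no ACTIVE findings."""
    if analyzer.get("status") != "ACTIVE":
        return "FAIL"
    active = [f for f in findings if f.get("status") == "ACTIVE"]
    return "PASS" if not active else "FAIL"


def apply_triage(client, analyzer_arn, trusted_accounts, dry_run=True):
    """Run triage against a live analyzer with a boto3 'accessanalyzer'
    client. Only the archive half is automated; remediation is a policy
    change a human must make, so those ids are only reported."""
    findings = []
    for page in client.get_paginator("list_findings").paginate(
            analyzerArn=analyzer_arn):
        findings.extend(page["findings"])
    plan = triage(findings, trusted_accounts)
    if plan["archive"] and not dry_run:
        client.update_findings(analyzerArn=analyzer_arn,
                               status="ARCHIVED", ids=plan["archive"])
    return plan


if __name__ == "__main__":
    plan = triage(SAMPLE_FINDINGS, TRUSTED_ACCOUNTS)
    print("archive:", plan["archive"], "remediate:", plan["remediate"])
    print("check:", evaluate_analyzer({"status": "ACTIVE"}, SAMPLE_FINDINGS))
    # Live run (needs AWS credentials), hypothetical ARN:
    # import boto3
    # apply_triage(boto3.client("accessanalyzer", region_name="us-east-1"),
    #              "arn:aws:access-analyzer:us-east-1:111111111111:analyzer/example_resource",
    #              TRUSTED_ACCOUNTS, dry_run=False)
```

Against the constructed sample the public bucket (f-1) and the KMS grant to an unknown account (f-3) go to the remediate list, only the role trusted by the allowlisted account (f-2) is archived, and the analyzer fails the check until both remediate items are fixed and rescanned. Run apply_triage with dry_run=True first so the plan can be reviewed before anything is archived.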
 
Resource Type: Other
References
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings-remediate.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings-view.html
- https://aws.amazon.com/iam/access-analyzer/
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-concepts.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-dashboard.html
- https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html
- https://aws.amazon.com/blogs/security/automate-resolution-for-iam-access-analyzer-cross-account-access-findings-on-iam-roles/
- https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/AccessAnalyzer/findings.html