Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
The IAM Access Analyzer solution enables AWS IAM Access Analyzer by delegating administration to a member account within the Organization management account. It then configures Access Analyzer within the delegated administrator account for all the
existing and future AWS Organization accounts.
In addition to the organization deployment, the solution deploys AWS Access Analyzer to all the member accounts and regions for analyzing account level permissions.
- All resources are deployed via AWS CloudFormation as a
StackSetandStack Instancewithin the management account or a CloudFormationStackwithin a specific account. - The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation
StackSet. - For parameter details, review the AWS CloudFormation templates.
- AWS Organizations is used to delegate an administrator account for AWS Access Analyzer Delegated Administrator Account
- See Common Register Delegated Administrator
AWS IAM Access Analyzer is configured to monitor supported resources for the AWS Account zone of trust.
The example solutions use Audit Account instead of Security Tooling Account to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the Audit Account SSM parameter is
populated from the SecurityAccountId parameter within the AWSControlTowerBP-BASELINE-CONFIG StackSet.
- AWS IAM Access Analyzer is configured to monitor supported resources for the AWS Organization zone of trust.
- Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
- Verify that the SRA Prerequisites Solution has been deployed.
Choose a Deployment Method:
In the management account (home region), launch an AWS CloudFormation Stack using one of the options below:
-
Option 1: (Recommended) Use the sra-iam-access-analyzer-main-ssm.yaml template. This is a more automated approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.
aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main-ssm.yaml --stack-name sra-iam-access-analyzer-main-ssm --capabilities CAPABILITY_NAMED_IAM -
Option 2: Use the sra-iam-access-analyzer-main.yaml template. Input is required for the CloudFormation parameters where the default is not set.
aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main.yaml --stack-name sra-iam-access-analyzer-main --capabilities CAPABILITY_NAMED_IAM --parameter-overrides pAccessAnalyzerRegionsToEnable=<ACCESS_ANALYZER_REGIONS_TO_ENABLE> pAuditAccountId=<AUDIT_ACCOUNT_ID> pRootOrganizationalUnitId=<ROOT_ORGANIZATIONAL_UNIT_ID> pSRAStagingS3BucketName=<SRA_STAGING_S3_BUCKET_NAME>
- Log into the Audit account and navigate to the IAM Access Analyzer page
- Verify that there are 2 Access Analyzers (account and organization)
- Verify all existing accounts/regions have an account Access Analyzer
In the management account (home region), delete the AWS CloudFormation Stack (sra-iam-access-analyzer-main-ssm or sra-iam-access-analyzer-main) created above.