Cleanup unused and unintended external access using IAM Access Analyzer or CIEM solutions

Discover resources shared outside of your account or organization with IAM Access Analyzer

(free capability) Review all of your roles to ensure that only the minimum required privileges are granted; this limits the scope of a compromise (the blast radius).
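The following is an added example, not AWS's or IAM Access Analyzer's own code: a simplified, offline illustration of the question the external access analyzer answers for a resource policy ("which principals outside my account or organization can reach this resource?"). The trusted account IDs, the organization ID and the S3 bucket policy are constructed sample values; a real analyzer also reasons about conditions, resource types and cross-service access that this snippet does not cover.

```python
"""Flag resource-policy statements that grant access outside a trusted boundary.

Added example (not AWS's or IAM Access Analyzer's code). TRUSTED_ACCOUNTS,
TRUSTED_ORG_ID and SAMPLE_BUCKET_POLICY are constructed values.
"""
import json
from typing import Iterator, List, Optional, Set, Tuple

TRUSTED_ACCOUNTS: Set[str] = {"111111111111", "222222222222"}  # constructed: "our" accounts
TRUSTED_ORG_ID = "o-exampleorg"                                  # constructed: "our" organization


def principal_account(principal: str) -> Optional[str]:
    """Return the 12-digit account ID owning an AWS principal (bare ID or IAM ARN), else None."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    if principal.startswith("arn:aws:iam::"):
        return principal.split(":")[4]
    return None


def iter_principals(statement: dict) -> Iterator[Tuple[str, str]]:
    """Yield (principal_type, value) pairs; a bare "*" principal is reported as ("AWS", "*")."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield ("AWS", "*")
        return
    for ptype, values in principal.items():
        for value in ([values] if isinstance(values, str) else values):
            yield (ptype, value)


def restricted_to_org(statement: dict, org_id: str) -> bool:
    """True when a condition pins the caller to our organization via aws:PrincipalOrgID."""
    cond = statement.get("Condition", {})
    for op in ("StringEquals", "ForAnyValue:StringEquals"):
        val = cond.get(op, {}).get("aws:PrincipalOrgID")
        if val is not None:
            return org_id in ([val] if isinstance(val, str) else val)
    return False


def find_external_access(policy: dict, trusted: Set[str], org_id: str) -> List[dict]:
    """Return one finding per Allow statement whose principal is public or outside `trusted`."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for ptype, value in iter_principals(stmt):
            if ptype == "Service":
                continue  # AWS service principals are not external accounts
            if value == "*":
                if restricted_to_org(stmt, org_id):
                    continue  # wildcard principal, but scoped to our organization
                findings.append({"sid": stmt.get("Sid"), "principal": value, "reason": "public"})
            elif principal_account(value) not in trusted:
                findings.append({"sid": stmt.get("Sid"), "principal": value,
                                 "reason": "principal outside trusted accounts"})
    return findings


# Constructed sample bucket policy covering the cases above.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SameAccountApp", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-server"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "CrossAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "OrgWide", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"},
        {"Sid": "LogDelivery", "Effect": "Allow",
         "Principal": {"Service": "logging.s3.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/logs/*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(find_external_access(SAMPLE_BUCKET_POLICY, TRUSTED_ACCOUNTS, TRUSTED_ORG_ID), indent=2))
```

Run against the sample policy, only the `CrossAccount` and `PublicRead` statements are reported: the same-account role and the service principal are in-boundary, and the `OrgWide` wildcard is excused because its `aws:PrincipalOrgID` condition restricts callers to the trusted organization. This is the distinction that matters when triaging external access findings: a wildcard principal is not automatically public.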

Discover unused resources with IAM Access Analyzer

(paid capability) Clean up unused roles, access keys, and permissions: removing access that nothing uses reduces the impact of a compromise.
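Below is an added example of triaging unused-access findings, not AWS's own code. The findings are constructed in the shape of IAM Access Analyzer `ListFindingsV2` summaries (`id`, `findingType`, `resource`, `status`, `createdAt`); the finding type names are assumed to match the Access Analyzer API, and the 90-day threshold and the cleanup actions are assumed conventions, not something the page prescribes.

```python
"""Prioritise IAM Access Analyzer unused-access findings for cleanup.

Added example (not AWS's code). SAMPLE_FINDINGS and NOW are constructed;
the 90-day threshold is an assumed policy.
"""
from datetime import datetime, timezone
from typing import List

# Finding types reported by the unused access analyzer (assumed to match the API).
UNUSED_TYPES = {"UnusedIAMRole", "UnusedIAMUserAccessKey", "UnusedIAMUserPassword", "UnusedPermission"}

# Credentials first: an unused access key or password is a live secret that can leak.
PRIORITY = {"UnusedIAMUserAccessKey": 0, "UnusedIAMUserPassword": 0,
            "UnusedIAMRole": 1, "UnusedPermission": 2}

# Assumed cleanup actions; deactivating before deleting keeps the change reversible.
ACTIONS = {
    "UnusedIAMUserAccessKey": "deactivate the access key; delete it after a monitoring window",
    "UnusedIAMUserPassword": "remove the console password",
    "UnusedIAMRole": "confirm with the owner, then delete the role",
    "UnusedPermission": "replace the policy with one scoped to the actions actually used",
}


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(findings: List[dict], now: datetime, min_age_days: int = 90) -> List[dict]:
    """Return ACTIVE unused-access findings open at least `min_age_days`, most urgent first."""
    selected = []
    for f in findings:
        if f.get("status") != "ACTIVE" or f.get("findingType") not in UNUSED_TYPES:
            continue  # skip archived/resolved findings and external-access findings
        age_days = (now - parse_time(f["createdAt"])).days
        if age_days < min_age_days:
            continue  # too recent: the identity may simply be seasonal
        selected.append({
            "id": f["id"],
            "findingType": f["findingType"],
            "resource": f["resource"],
            "age_days": age_days,
            "action": ACTIONS[f["findingType"]],
        })
    # Highest priority first; within a priority, the longest-open finding first.
    selected.sort(key=lambda s: (PRIORITY[s["findingType"]], -s["age_days"]))
    return selected


# Constructed sample findings in ListFindingsV2 summary shape.
SAMPLE_FINDINGS = [
    {"id": "f1", "findingType": "UnusedIAMRole", "status": "ACTIVE",
     "resource": "arn:aws:iam::111111111111:role/legacy-batch", "createdAt": "2024-01-10T00:00:00Z"},
    {"id": "f2", "findingType": "UnusedIAMUserAccessKey", "status": "ACTIVE",
     "resource": "arn:aws:iam::111111111111:user/ci-bot", "createdAt": "2024-03-01T00:00:00Z"},
    {"id": "f3", "findingType": "UnusedPermission", "status": "ACTIVE",
     "resource": "arn:aws:iam::111111111111:role/app-server", "createdAt": "2024-05-20T00:00:00Z"},
    {"id": "f4", "findingType": "UnusedIAMRole", "status": "ARCHIVED",
     "resource": "arn:aws:iam::111111111111:role/dr-failover", "createdAt": "2023-06-01T00:00:00Z"},
    {"id": "f5", "findingType": "ExternalAccess", "status": "ACTIVE",
     "resource": "arn:aws:s3:::example-bucket", "createdAt": "2024-01-01T00:00:00Z"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    for item in triage(SAMPLE_FINDINGS, NOW):
        print(f"{item['id']} {item['findingType']:<24} {item['age_days']:>4}d  {item['resource']}  -> {item['action']}")
```

In practice the input list would come from `aws accessanalyzer list-findings-v2` (or the equivalent SDK call) for the unused access analyzer, and the output is a worklist: the unused access key surfaces first even though the legacy role has been flagged for longer, the permission finding waits until it has aged past the threshold, and the archived role is left alone.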

Alternative to IAM Access Analyzer: Cloud Infrastructure Entitlement Management (CIEM) solutions

Several partner solutions assist with cleaning up unused and unintended access. These are known as Cloud Infrastructure Entitlement Management (CIEM) solutions; examples include Sonrai, Ermetic (Tenable), Palo Alto Prisma, and Wiz. In some cases these capabilities are integrated into Cloud-Native Application Protection Platform (CNAPP) products.

Well-Architected Framework Recommendation Mapping

Risk Mitigation

IAM Access Analyzer can help you identify these risks.

Guidance for assessments

  • Have you defined an external access analyzer for your organization?
  • Have you used IAM Access Analyzer to identify unused permissions, IAM users, and access keys?
  • Is someone in your organization responsible for investigating and remediating the findings?
  • Are you using any Cloud Infrastructure Entitlement Management (CIEM) solutions? Which capabilities are implemented?

Pricing

https://aws.amazon.com/iam/access-analyzer/pricing

IAM Access Analyzer external access analyzer is provided at no additional charge.