Cloud Security Index
aws

high

Compliance Frameworks

BETA
CIS AWS Foundations Benchmark v3.0
1.17
NIST 800-53 Rev 5
AC-3, CA-7
ISO 27001:2022
A.8.3
SOC 2
CC6.3
AWS Foundational Security Best Practices
IAM.8

// Beta Mapping Disclaimer

Framework mappings are currently in beta. These references are generated based on technical specifications and common industry alignments. Mappings may be incomplete or inaccurate; always consult with a qualified auditor for official compliance validation.

Overview

Enable a single IAM Access Analyzer with zone of trust set to the AWS Organization from the delegated administrator account, providing continuous detection of external access across all member accounts.

IAM Access Analyzer evaluates resource-based policies - including IAM role trust policies, S3 bucket policies, KMS key policies, and SQS queue policies - and generates findings whenever a policy grants access to a principal outside the configured zone of trust. When configured at organization level, a single analyzer covers all member accounts without requiring per-account setup. Findings are surfaced in the Access Analyzer console of the delegated administrator account and are automatically ingested by Security Hub when both services are active. This control is a prerequisite for AWS-IAM-002 (cross-account role trust detection) and other controls that rely on Access Analyzer findings.

A single organization-level analyzer provides complete visibility into external access across every account at no per-evaluation cost. Without it, external trust relationships and public resource policies in member accounts are invisible to the central security team. Enabling this control is a zero-disruption, low-effort prerequisite that unlocks the detective capability for multiple downstream controls.

Remediation Strategy

Deploy an organization-level IAM Access Analyzer from the delegated administrator account. Verify that the delegated administrator is registered in AWS Organizations before applying.

1.

Register a delegated administrator account for Access Analyzer from the Management account.

2.

Deploy the organization-level analyzer from the delegated administrator account.

3.

Confirm the analyzer status is Active and findings are visible in the console.

# Run from the Management account
aws organizations register-delegated-administrator \
  --account-id "<SECURITY-ACCOUNT-ID>" \
  --service-principal access-analyzer.amazonaws.com

# Run from the delegated administrator (Security) account
aws accessanalyzer create-analyzer \
  --analyzer-name org-external-access-analyzer \
  --type ORGANIZATION

# Verify status
aws accessanalyzer list-analyzers \
  --query "analyzers[*].{Name:name,Type:type,Status:status}" \
  --output table
SPEC_METADATA

Complexity
low
Impact
none
Likelihood
medium
Residual Risk
low
Scope
root
Environment
production, non-production, sandbox
Resources
Access Analyzer
Remediation
organization
Auto-Remediate
Available
Category
iam
Enforcement
mandatory
Tags
iamaccess-analyzercross-accounttrust-relationshipsvisibilitylanding-zone

Owner
cloud-security-team
Type
team
Frequency
quarterly

// EXCEPTION

No exceptions are permitted. A single organization-level analyzer has no operational cost and no impact on existing resources or policies. There is no valid reason to omit it from any landing zone deployment.

// SYSTEM_NOTE

Only one organization-level analyzer is needed per region. Each AWS region requires its own analyzer - deploy to all regions where resources exist, or at minimum to the primary and DR regions. The delegated administrator must be registered before attempting to create an ORGANIZATION-type analyzer; creating it from a non-delegated account will fail with an error. Access Analyzer findings are regional - a role trust policy in eu-west-1 will only appear in the analyzer deployed to eu-west-1. For multi-region coverage, automate deployment across all enabled regions via a Terraform for_each over the region list.