IT-4431: Activate IAM Access Analyzer on all accounts #1455
Open
brucehoff wants to merge 21 commits into Sage-Bionetworks-IT:master from brucehoff:IT-4431
Commits (21):

- c55cf2d Run nessus script installation daily, not hourly (brucehoff)
- da1dfef Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- 5b04ff6 Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- 3b977ee Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- 7eba7ec Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- 2a39c53 Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- ddc45d7 Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- dedce36 Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- 81c6261 Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- 0bb1257 Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- e3e4379 Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- ef16296 Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- e968c04 Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- 2425330 Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- 88f9cc9 Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- 6b52705 Merge remote-tracking branch 'upstream/master' (brucehoff)
- 89fad2d Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- 73fcb5c Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- 43f17dc Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- c2f44d1 Merge branch 'master' of https://github.com/Sage-Bionetworks-IT/organ… (brucehoff)
- fd299e5 IT-4431: Activate IAM Access Analyzer on all accounts (brucehoff)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| ### Purpose of these templates | ||
| The templates in this folder enable | ||
| [IAM Access Analyzer](https://aws.amazon.com/iam/access-analyzer/) | ||
| across our AWS organization. | ||
|
|
||
| IAM Access Analyzer is a security feature in AWS that helps you identify | ||
| and analyze potential access risks within your AWS environment by examining | ||
| your IAM policies and resource policies. |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| Parameters: | ||
| <<: !Include '../_parameters.yaml' | ||
|
|
||
| appName: | ||
| Type: String | ||
| Default: 'access_analyzer' | ||
|
|
||
| AccessAnalyzer: | ||
| Type: update-stacks | ||
| Template: access_analyzer.yaml | ||
| StackName: !Sub '${resourcePrefix}-${appName}' | ||
| StackDescription: Setup IAM Access Analyzer service | ||
| DefaultOrganizationBindingRegion: !Ref primaryRegion | ||
| DefaultOrganizationBinding: | ||
| Account: '*' | ||
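Review bot: the default appName 'access_analyzer' is interpolated into StackName via !Sub '${resourcePrefix}-${appName}', and CloudFormation stack names may only contain letters, digits and hyphens, so the underscore will make stack creation fail in every account; change the default to 'access-analyzer'. Separately, the binding deploys to every account ('*') but only to primaryRegion; Access Analyzer is a regional service and an analyzer only reports on resources in its own region, so either confirm that the Synapse Prod resources you want MS Defender to see are all in primaryRegion or list the additional regions in DefaultOrganizationBindingRegion.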
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| AWSTemplateFormatVersion: "2010-09-09" | ||
| Description: "Setup IAM Access Analyzer" | ||
| Resources: | ||
| AccessAnalyzer: | ||
| Type: AWS::AccessAnalyzer::Analyzer | ||
| Properties: | ||
| # External access analyzers help you identify potential risks of accessing | ||
| # resources by enabling you to identify any resource policies that grant access | ||
| # to an external principal. | ||
| Type: ACCOUNT |
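Review bot: no AnalyzerName is set, so CloudFormation will generate a unique ID as the analyzer name in each account, which makes the analyzer hard to recognise in the console and awkward to reference from the MS Defender integration this PR is meant to satisfy; add AnalyzerName: !Sub '${AWS::StackName}' (or a fixed name) so it is the same in every account. The comment above Type also only describes external access analyzers in general; spell out that Type: ACCOUNT makes the zone of trust the single account, so access from sibling accounts in the organization will show up as external findings, which is the point raised in the review thread.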
I think this is the wrong approach. The recommended approach is to enable access analyzer from a delegated admin account.
here's the blog post: https://aws.amazon.com/blogs/aws/new-use-aws-iam-access-analyzer-in-aws-organizations/
@zaro0508 I read the links you shared, which seem to describe how to configure Access Analyzers that function at the organization level. In contrast, this PR creates an access analyzer at the account level. Since MS Defender is examining the Synapse Prod account specifically, I believe the PR is correct.
Your PR description says "activate access analyzer on all accounts". Are you saying that you only want to enable access analyzer for the Synapse Prod account?
@zaro0508 That's a good question: To satisfy MS Defender I think we would only have to activate it on the Synapse Prod account, but my thought is to just activate it in all accounts so it's available if needed.
Isn't activating it for all accounts basically the same as enabling it at the organization level? If yes, then the latter is the recommended approach.
No, since each has a different "zone of trust" as mentioned in the blog you linked above:
https://aws.amazon.com/blogs/aws/new-use-aws-iam-access-analyzer-in-aws-organizations/
I believe the "zone of trust" is just an access analyzer configuration. You can create multiple analyzers with different zone of trust levels. So I guess the real question is what is your intention for the "zone of trust"? Is your intention to create an access analyzer in each AWS account with a "zone of trust" set to just that account? Just be aware that we do use AWS services that access resources across accounts, for example: identity center, security hub, guard duty, etc.
You can only create an analyzer with an organization level 'zone of trust' in the organization account (or perhaps in the delegated management account -- I haven't tried that.).
Yes.
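The distinction argued over in this thread, an ACCOUNT versus an ORGANIZATION zone of trust, written out as a single CloudFormation template. This is an added example and not code from the PR or from the Sage-Bionetworks-IT repository; the ZoneOfTrust parameter, the analyzer name, the archive rule and the placeholder account ID 111122223333 are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not part of the PR): one external access analyzer whose zone
  of trust is selected by parameter. ACCOUNT can be deployed in any member
  account; ORGANIZATION only succeeds in the Organizations management account
  or in the Access Analyzer delegated administrator account.

Parameters:
  ZoneOfTrust:
    Type: String
    Default: ACCOUNT
    AllowedValues:
      - ACCOUNT        # external = any principal outside this account
      - ORGANIZATION   # external = any principal outside the whole organization

Resources:
  ExternalAccessAnalyzer:
    Type: AWS::AccessAnalyzer::Analyzer
    Properties:
      # Assumed name; the PR's template omits AnalyzerName and lets CloudFormation
      # generate one, which is harder to find and reference later.
      AnalyzerName: !Sub "${AWS::StackName}-${ZoneOfTrust}"
      # With ACCOUNT, resource policies that grant access to sibling accounts in
      # the organization (Identity Center, Security Hub, GuardDuty roles, etc.)
      # produce findings; with ORGANIZATION they do not.
      Type: !Ref ZoneOfTrust
      # Assumed rule: auto-archive findings for one known cross-account principal
      # so only unexpected external access stays in the active findings list.
      ArchiveRules:
        - RuleName: archive-known-scanner-role
          Filter:
            - Property: principal.AWS
              Eq:
                - "arn:aws:iam::111122223333:role/example-scanner"  # placeholder

Outputs:
  AnalyzerArn:
    Description: ARN of the analyzer, for wiring findings into other tooling
    Value: !GetAtt ExternalAccessAnalyzer.Arn
```

Deploying this with ZoneOfTrust=ACCOUNT into every member account reproduces what the PR does and is what a per-account tool such as MS Defender looking at Synapse Prod would want; deploying it once with ZoneOfTrust=ORGANIZATION is the organization-level approach from the linked blog post and requires that the target account be the management account or be registered from the management account as delegated administrator with `aws organizations register-delegated-administrator --service-principal access-analyzer.amazonaws.com --account-id <account-id>`. The two are not interchangeable: the ACCOUNT analyzer will report the organization's own cross-account roles as external access, the ORGANIZATION analyzer will not.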