Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
The IAM Access Analyzer solution enables AWS IAM Access Analyzer by delegating administration to a member account from within the Organization management account. It then configures Access Analyzer within the delegated administrator account for all existing and future AWS Organization accounts.
In addition to the organization deployment, the solution deploys AWS Access Analyzer to all the member accounts and regions for analyzing account level permissions.
- All resources are deployed via AWS CloudFormation as a StackSet and Stack Instance within the management account, or as a CloudFormation Stack within a specific account.
- The Customizations for AWS Control Tower solution deploys all templates as a CloudFormation StackSet.
- For parameter details, review the AWS CloudFormation templates.
- AWS Organizations is used to delegate an administrator account for AWS Access Analyzer.
- Delegated Administrator Account: see the Common Register Delegated Administrator solution.
AWS IAM Access Analyzer is configured to monitor supported resources for the AWS Account zone of trust.
The example solutions use Audit Account instead of Security Tooling Account to align with the default account name used within the AWS Control Tower setup process for the Security Account. The Account ID for the Audit Account can be determined from the SecurityAccountId parameter within the AWSControlTowerBP-BASELINE-CONFIG StackSet in AWS Control Tower environments, but is specified manually in other environments, and then stored in an SSM parameter (this is all done in the common prerequisites solution).
- AWS IAM Access Analyzer is configured to monitor supported resources for the AWS Organization zone of trust.
- Download and Stage the SRA Solutions. Note: This only needs to be done once for all the solutions.
- Verify that the SRA Prerequisites Solution has been deployed.
Choose a Deployment Method:
In the management account (home region), launch the sra-iam-access-analyzer-main-ssm.yaml template. This uses an approach where some of the CloudFormation parameters are populated from SSM parameters created by the SRA Prerequisites Solution.

```bash
aws cloudformation deploy \
  --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/iam/iam_access_analyzer/templates/sra-iam-access-analyzer-main-ssm.yaml \
  --stack-name sra-iam-access-analyzer-main-ssm \
  --capabilities CAPABILITY_NAMED_IAM
```

- Log into the Audit account and navigate to the IAM Access Analyzer page
- Verify that there are 2 Access Analyzers (account and organization)
- Verify all existing accounts/regions have an account Access Analyzer
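The two verification steps above can be scripted instead of clicked through in the console. The following is an added example, not part of the SRA solution: it evaluates `ListAnalyzers` results per region in the Audit account, requiring an ACTIVE account analyzer in every region and at least one ACTIVE organization analyzer somewhere. The region-keyed sample data and analyzer names are constructed for illustration; the `fetch_results` helper is a hypothetical wrapper around the real `accessanalyzer` `list_analyzers` API.

```python
"""Check the IAM Access Analyzer deployment in the Audit account (added example)."""
from typing import Dict, List

# Constructed sample in the shape of ListAnalyzers responses, keyed by region.
# Analyzer names are illustrative, not the solution's real resource names.
SAMPLE_RESULTS: Dict[str, List[Dict]] = {
    "us-east-1": [
        {"name": "example-account-analyzer", "type": "ACCOUNT", "status": "ACTIVE"},
        {"name": "example-org-analyzer", "type": "ORGANIZATION", "status": "ACTIVE"},
    ],
    "us-west-2": [
        {"name": "example-account-analyzer", "type": "ACCOUNT", "status": "ACTIVE"},
    ],
    "eu-west-1": [
        # Still CREATING: the StackSet instance for this region has not finished.
        {"name": "example-account-analyzer", "type": "ACCOUNT", "status": "CREATING"},
    ],
}


def active_types(analyzers: List[Dict]) -> set:
    """Return the analyzer types (ACCOUNT / ORGANIZATION) that are ACTIVE in one region."""
    return {a["type"] for a in analyzers if a.get("status") == "ACTIVE"}


def check_account(results_by_region: Dict[str, List[Dict]]) -> List[str]:
    """Return a list of problems; an empty list means the deployment looks complete.

    Every region must have an ACTIVE account analyzer, and the account as a whole
    must have at least one ACTIVE organization analyzer (the two analyzers the
    README tells you to verify).
    """
    problems: List[str] = []
    saw_org = False
    for region, analyzers in sorted(results_by_region.items()):
        types = active_types(analyzers)
        if "ACCOUNT" not in types:
            problems.append(f"{region}: no ACTIVE account analyzer")
        if "ORGANIZATION" in types:
            saw_org = True
    if not saw_org:
        problems.append("no ACTIVE organization analyzer in any region")
    return problems


def fetch_results(regions: List[str]) -> Dict[str, List[Dict]]:
    """Hypothetical helper: collect ListAnalyzers output per region via boto3 (needs Audit account credentials)."""
    import boto3  # imported lazily so the pure checks above run without AWS access

    results: Dict[str, List[Dict]] = {}
    for region in regions:
        client = boto3.client("accessanalyzer", region_name=region)
        items, kwargs = [], {}
        while True:  # follow nextToken until the listing is exhausted
            resp = client.list_analyzers(**kwargs)
            items.extend(resp["analyzers"])
            if not resp.get("nextToken"):
                break
            kwargs = {"nextToken": resp["nextToken"]}
        results[region] = items
    return results


if __name__ == "__main__":
    for line in check_account(SAMPLE_RESULTS) or ["OK: analyzers present in all regions"]:
        print(line)
```

Replace `SAMPLE_RESULTS` with `fetch_results([...])` over the regions your StackSet targets to run it against a live Audit account.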
In the management account (home region), delete the AWS CloudFormation Stack (sra-iam-access-analyzer-main-ssm or sra-iam-access-analyzer-main) created above.
