Updated on 2025-11-07 GMT+08:00

Introducing Access Analyzer

Overview

IAM Access Analyzer automates authorization analysis, minimizing the risk of unintended access to your resources.

Access Analyzer can:

  • Identify resources shared with external principals in your organization or account.

    Access Analyzer automatically analyzes resource policies to identify resources shared with external principals in your organization or account, helping you quickly identify and handle external access risks.

  • Identify unused access in your organization or account.

    Identify unused access in your organization or account within a custom time range, including passwords, access keys, users, agencies, trust agencies, and actions. You can clear unnecessary access authorizations in a timely manner to reduce potential security risks.

  • Identify configurations that do not comply with security best practices in your account.

    IAM Access Analyzer can quickly detect configurations in your account that do not comply with security best practices. It automatically scans the configurations in your account and generates risk analysis reports, helping you mitigate potential access risks in a timely manner.

  • Validate custom policies against policy grammar.

    Access Analyzer validates policies using policy checks and generates findings that include security warnings, general warnings, errors, and suggestions.

Identifying Resources Shared with External Principals in Your Organization or Account

Access Analyzer uses logic-based reasoning to identify resources shared with external principals, including but not limited to agencies, trust agencies, OBS buckets, and KMS keys. For each resource shared outside your account, Access Analyzer generates a finding. The finding includes information about the resource, the external principals with access to it, and the permissions granted to them. You can review the findings to determine whether the access is intended or a security risk. For unintended access, adjust the policy, for example by removing the permissions that allow the access.

In addition to helping you identify resources shared with external principals, Access Analyzer allows you to preview how your policy affects access to your resources before you configure resource permissions.

When enabling Access Analyzer, you need to specify an organization or account as the zone of trust for the analyzer. The analyzer analyzes all supported resources within the zone of trust; Table 1 lists the supported resources. Any access to resources by principals within your zone of trust is considered trusted. Once enabled, Access Analyzer analyzes the policies applied to all supported resources in your zone of trust. After the first analysis, it re-analyzes these policies periodically. If you add a new policy or change an existing policy, Access Analyzer analyzes the new or updated policy within about 30 minutes. In rare cases, Access Analyzer does not receive the notification for an added or updated policy; you can then rescan the resource to obtain the latest findings.

Access Analyzer generates a finding whenever a policy allows access to a resource, even if the external principal has not actually accessed the resource. For security purposes, Access Analyzer does not expose the external principal's details, such as its agencies, trust agencies, SCPs, or other configurations.

Table 1 Resources that support Access Analyzer

  Cloud Service                            Resource Name
  ---------------------------------------  -----------------------
  IAM                                      Agency and trust agency
  OBS                                      Bucket
  DEW                                      Key
  Software Repository for Container (SWR)  Image service
  Cloud Backup and Recovery (CBR)          Backup
  Image Management Service (IMS)           Image
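The zone-of-trust logic described above, as an added illustration that is not Access Analyzer's own code: every Allow statement whose principal lies outside the set of trusted accounts yields one finding (resource, external principal, granted actions), Deny statements yield none, and a finding is raised whether or not the access was ever used. The account IDs, the bucket policy and its simplified OBS-bucket-policy-style grammar are constructed assumptions for this example.

```python
import json

# Constructed for this example: the zone of trust is a set of trusted account
# IDs (one ID for an account-level analyzer, all member accounts for an
# organization-level one). The policy grammar is assumed, OBS-bucket-policy style.
ZONE_OF_TRUST = {"111111111111"}
BUCKET_POLICY = json.loads("""{"Statement": [
  {"Sid": "internal", "Effect": "Allow",
   "Principal": {"ID": ["domain/111111111111:user/alice"]},
   "Action": ["obs:object:GetObject"], "Resource": ["reports/*"]},
  {"Sid": "partner", "Effect": "Allow",
   "Principal": {"ID": ["domain/222222222222:user/bob"]},
   "Action": ["obs:object:GetObject", "obs:object:PutObject"], "Resource": ["reports/*"]},
  {"Sid": "public-list", "Effect": "Allow", "Principal": "*",
   "Action": ["obs:bucket:ListBucket"], "Resource": ["reports"]},
  {"Sid": "deny-eve", "Effect": "Deny",
   "Principal": {"ID": ["domain/333333333333:user/eve"]},
   "Action": ["obs:object:GetObject"], "Resource": ["reports/*"]}
]}""")


def principal_account(principal_id):
    """Account ID from 'domain/<account>:user/<name>'; None for the wildcard '*'."""
    if principal_id == "*":
        return None
    return principal_id.split("/", 1)[1].split(":", 1)[0]


def external_access_findings(policy, resource, zone_of_trust):
    """One finding per external principal granted access by an Allow statement.

    Deny statements never produce findings, and a finding is produced whether or
    not the principal has actually used the access, as the page describes.
    """
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        ids = ["*"] if principal == "*" else principal.get("ID", [])
        for pid in ids:
            if principal_account(pid) in zone_of_trust:
                continue  # trusted principal, no finding
            findings.append({"resource": resource, "principal": pid,
                             "public": pid == "*",
                             "actions": list(stmt.get("Action", []))})
    return findings
```

Widening the zone of trust to an organization (adding account 222222222222 to the set) removes the partner finding but keeps the public one, which is the difference between an account-level and an organization-level analyzer.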

Identifying Unused Access in Your Organization or Account

IAM Access Analyzer helps you identify and review unused access in your organization or account. IAM Access Analyzer continuously monitors all IAM users, agencies, and trust agencies in the zone of trust and generates findings for unused access. The findings display unused permissions, agencies, trust agencies, passwords, and access keys within the zone of trust.

You can view external access findings and unused access findings on the dashboard. The users with the most access findings are highlighted, and finding details are grouped by analyzer type. For details, see Viewing the Findings Overview.

Identifying Configurations That Do Not Comply with Security Best Practices in Your Account

IAM Access Analyzer can identify IAM users, agencies, and trust agencies in your account that do not comply with security best practices. You can adjust the security configuration based on the analysis result to reduce the risk of account password leakage and the access risks caused by granting high-risk permissions to IAM users, agencies, and trust agencies. For details about the supported check items, see Table 2.

Table 2 Check items

  Item: Access keys bound to the root user
    Best practice: You are advised to disable and delete the access keys of the root user.
    Console version: New Console/Old Console

  Item: API access with a password
    Best practice: You are advised to use the AK/SK to access APIs.
    Console version: New Console/Old Console

  Item: Login protection not enabled
    Best practice: You are advised to enable login protection for users to prevent malicious attackers from using leaked passwords to access the console.
    Console version: Old Console

  Item: MFA device not added
    Best practice: You are advised to add an MFA device to a user.
    Console version: New Console

  Item: High-risk system-defined policies or roles attached to the user
    Best practice: You are advised not to attach the FullAccess, Tenant Administrator, or Security Administrator policy or role to a user.
    Console version: Old Console

  Item: High-risk system-defined identity policies attached to the user
    Best practice: You are advised not to attach the IAMFullAccessPolicy or AdministratorAccessPolicy policy to a user.
    Console version: New Console

  Item: High-risk system-defined policies or roles attached to the agency
    Best practice: You are advised not to attach the FullAccess, Tenant Administrator, or Security Administrator policy or role to an agency.
    Console version: Old Console

  Item: High-risk system-defined identity policies attached to the agency
    Best practice: You are advised not to attach the IAMFullAccessPolicy or AdministratorAccessPolicy policy to an agency or trusted agency.
    Console version: New Console

The "Login protection not enabled" check item does not support the root user of a Huawei account.
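The new-console check items from Table 2 expressed as a policy-as-code check over an account snapshot, added here as an illustration and not part of the Access Analyzer product: each check item that applies yields a (check item, subject) finding. The snapshot, its field names and the non-high-risk policy names are constructed assumptions; only IAMFullAccessPolicy and AdministratorAccessPolicy are taken from the table.

```python
# Constructed account snapshot; the field names are assumptions for this
# example, not the IAM API's own schema. Policy names other than the two
# high-risk ones from Table 2 are placeholders.
HIGH_RISK_IDENTITY_POLICIES = {"IAMFullAccessPolicy", "AdministratorAccessPolicy"}

ACCOUNT = {
    "root": {"access_keys": ["AK-ROOT-EXAMPLE"]},
    "users": [
        {"name": "alice", "mfa_device": True, "password_api_access": False,
         "identity_policies": ["ExampleReadOnlyPolicy"]},
        {"name": "bob", "mfa_device": False, "password_api_access": True,
         "identity_policies": ["AdministratorAccessPolicy"]},
    ],
    "agencies": [
        {"name": "ci-agency", "identity_policies": ["IAMFullAccessPolicy"]},
        {"name": "backup-agency", "identity_policies": ["ExampleBackupPolicy"]},
    ],
}


def best_practice_findings(account):
    """Apply the new-console check items of Table 2; return (item, subject) pairs."""
    findings = []
    # Root user: any access key bound to it is a finding on its own.
    if account["root"]["access_keys"]:
        findings.append(("Access keys bound to the root user", "root"))
    for user in account["users"]:
        if user["password_api_access"]:
            findings.append(("API access with a password", user["name"]))
        if not user["mfa_device"]:
            findings.append(("MFA device not added", user["name"]))
        if HIGH_RISK_IDENTITY_POLICIES & set(user["identity_policies"]):
            findings.append(("High-risk system-defined identity policies attached to the user",
                             user["name"]))
    for agency in account["agencies"]:
        if HIGH_RISK_IDENTITY_POLICIES & set(agency["identity_policies"]):
            findings.append(("High-risk system-defined identity policies attached to the agency",
                             agency["name"]))
    return findings
```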

Validating Policies Against Policy Grammar

IAM Access Analyzer helps you check custom policies against policy grammar, and provides findings that include security warnings, general warnings, errors, and suggestions. These findings help you create policies that are functional and comply with security requirements. For more information about policy validation, see Validating Policies.

Notes and Constraints

IAM Access Analyzer analyzes the permissions associated with the service-linked agency authorized by a tenant. An access analyzer can be created only on the new IAM console.

Table 3 Notes and constraints

  Category                                    Restriction Item                                                                   Default Quota  Modifiable
  ------------------------------------------- --------------------------------------------------------------------------------- -------------  ----------
  Account-level external access analyzer      Number of analyzers that can be created                                           1              No
  Organization-level external access analyzer Number of analyzers that can be created (by organization administrator)           1              No
  Organization-level external access analyzer Number of analyzers that can be created (by organization delegated administrator) 1              No
  Account-level unused access analyzer        Number of analyzers that can be created                                           1              No
  Organization-level unused access analyzer   Number of analyzers that can be created (by organization administrator)           1              No
  Organization-level unused access analyzer   Number of analyzers that can be created (by organization delegated administrator) 1              No
  Account-level best practice access analyzer Number of analyzers that can be created                                           1              No
  Access analyzer                             Number of tags                                                                    20             No
  Access analyzer                             Number of archive rules                                                           100            No