AWS IAM Access Analyzer

AnyCompany was about to release a new application to handle its e-commerce payment transactions. This workload has to be compliant with the PCI DSS standard and needs to be deployed on the current AWS Control Tower based landing zone. The security team was assigned to get the environment ready for the QSA company that will conduct the audit. The audit company needs a way to know all the principals that currently have access to the AWS accounts in scope for PCI certification.


In this lab you will delegate the administration of AWS IAM Access Analyzer to a designated account (in most cases the Audit account). Then you will enable an analyzer at the organization level to explore all the access-related findings.

IAM Access Analyzer performs policy checks that guide you to set secure and functional permissions. These checks analyze your policies and report errors, warnings, and suggestions with actionable recommendations to help you validate your policies. The analyzer evaluates permissions granted using policies for your Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, AWS IAM roles, and AWS Lambda functions, and delivers detailed findings through the AWS IAM, Amazon S3, and AWS Security Hub consoles and also through its APIs.


  • This lab requires a fully provisioned AWS Control Tower and administrator role access to the AWS Control Tower management account.
  • Note down the AWS Organization id and the Audit account id; you will use them later.

Task 1: Delegate the IAM Access Analyzer administration

In this section you will delegate the administration of AWS IAM Access Analyzer to the AWS Control Tower Audit account, or to any other account you choose.

1.1 Sign in to the AWS Control Tower management account using the Administrator Access role.

1.2 Make sure you are in the AWS Control Tower Home Region.

1.3 Navigate to the AWS IAM console and then to Access Analyzer in the left menu.

1.4 Choose Add delegated administrator, and then Add delegated administrator again on the next screen.

1.5 Enter the account id of the AWS account you are delegating to (the one you noted down as part of the prerequisites) and choose Save changes.

Task 2: Create an Analyzer

2.1 Go to the AWS SSO portal and sign in to the Audit account with the Administrator Access role.

2.2 Go to the Analyzers screen of the AWS IAM Access Analyzer console and choose Create analyzer.

2.3 Enter a name for the analyzer and choose the current Organization as the Zone of trust. Since there are no additional charges for this service, you do not need to add cost allocation tags.

2.4 Choose Create analyzer.

2.5 After a few minutes, findings for the whole AWS Organization start to appear in the Findings screen of the analyzer created in the previous step.

Task 3: Validate the configuration

In this section, we will create an out-of-compliance role for testing purposes.

3.1 You can create it yourself or use the following CloudFormation template, which creates a Lambda role that allows all Amazon EC2 actions.

3.1.1 Choose the Launch Stack button below to start deploying the stack.

3.1.2 On the Create stack page, choose Next.

3.1.3 On the Specify stack details page, choose Next.

3.1.4 On the Configure stack options page, choose Next.

3.1.5 On the Review page, scroll down to Capabilities and select "I acknowledge that AWS CloudFormation might create IAM resources." Then choose Create stack.

3.1.6 Wait for the stack status to change to CREATE_COMPLETE.

3.2 Once the analyzer runs its next scan, the role will appear in the findings, and the administrator can remediate the issue by taking either of these two actions:

  1. Delete the role, which changes the finding status to "Resolved". You can do this by deleting the CloudFormation stack created in the previous step.
  2. Change the finding to "Archived" because the access was indeed intended.

Note that you can rescan a single finding from its finding detail page.

This way the AnyCompany security team will be able to detect and remove any access beyond the minimum necessary for each AWS account in scope for the PCI DSS certification.
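Once the organization-level analyzer is producing findings, the delegated administrator still has to decide, per finding, between the two actions above (resolve or archive) for every in-scope account. The following script is an added example, not part of the lab: it triages finding records in the shape returned by `aws accessanalyzer list-findings` (the records, account ids and ARNs below are constructed, and the "approved principals" list is an assumed input that the security team would maintain).

```python
import json
from collections import Counter, defaultdict

# Constructed records mirroring the `findings` array of `list-findings`;
# every account id and resource ARN here is made up for the example.
SAMPLE = {"findings": [
    {"id": "f-1", "status": "ACTIVE", "isPublic": False,
     "resourceType": "AWS::IAM::Role", "resourceOwnerAccount": "111111111111",
     "resource": "arn:aws:iam::111111111111:role/lambda-ec2-admin",
     "principal": {"AWS": "333333333333"}, "action": ["sts:AssumeRole"]},
    {"id": "f-2", "status": "ACTIVE", "isPublic": True,
     "resourceType": "AWS::S3::Bucket", "resourceOwnerAccount": "222222222222",
     "resource": "arn:aws:s3:::anycompany-payment-exports",
     "principal": {"AWS": "*"}, "action": ["s3:GetObject"]},
    {"id": "f-3", "status": "ACTIVE", "isPublic": False,
     "resourceType": "AWS::KMS::Key", "resourceOwnerAccount": "111111111111",
     "resource": "arn:aws:kms:us-east-1:111111111111:key/constructed-key-id",
     "principal": {"AWS": "444444444444"}, "action": ["kms:Decrypt"]},
    {"id": "f-4", "status": "RESOLVED", "isPublic": False,
     "resourceType": "AWS::SQS::Queue", "resourceOwnerAccount": "222222222222",
     "resource": "arn:aws:sqs:us-east-1:222222222222:orders",
     "principal": {"AWS": "333333333333"}, "action": ["sqs:SendMessage"]},
]}

def classify(finding, approved_principals):
    """Decide what the delegated administrator should do with one finding."""
    if finding["status"] != "ACTIVE":
        return "no action"            # already RESOLVED or ARCHIVED
    if finding["isPublic"]:
        return "remediate: public"    # reachable by anyone; fix this first
    principal = finding["principal"].get("AWS", "")
    if principal in approved_principals:
        return "archive: intended"    # documented, approved external access
    return "review: external"         # unknown principal outside the org

def triage(report, in_scope_accounts, approved_principals=frozenset()):
    """Group findings for the PCI in-scope accounts by the action to take."""
    actions = defaultdict(list)
    for finding in report["findings"]:
        if finding["resourceOwnerAccount"] not in in_scope_accounts:
            continue                  # outside the audit scope
        actions[classify(finding, approved_principals)].append(finding["id"])
    return dict(actions)

def status_counts(report):
    """How many findings are ACTIVE, ARCHIVED or RESOLVED across the org."""
    return Counter(f["status"] for f in report["findings"])

if __name__ == "__main__":
    scope = {"111111111111", "222222222222"}
    print(json.dumps(triage(SAMPLE, scope, {"444444444444"}), indent=2))
```

To run it against real data, replace `SAMPLE` with `json.load()` of the output of `aws accessanalyzer list-findings --analyzer-arn <analyzer arn>` executed from the delegated administrator account.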

Clean Up

The services used in this lab do not incur any additional costs. If you still want to clean up, delete the analyzer created in Task 2 and revoke the administration delegation made in Task 1.