Bearse Feature IAM Access Analyzer
Setup AWS IAM Access Analyzer with Bearse
IAM Access Analyzer is an AWS service within AWS Identity and Access Management (IAM). Access Analyzer gives users a means to monitor and control access to other AWS services, resources and credentials by reporting findings for resources that are shared with an external principal. Further reading on the service can be found here. With this new feature we can deploy Access Analyzer into multiple AWS accounts simultaneously.
The Bearse feature for Access Analyzer is minimal, comprising two main objectives:
- (Optionally) Delegate administrative rights of Access Analyzer from the root account to another defined account.
- Enable and create an Analyzer (with a defined scope) in said account.
This leaves the user to simply log in to the deployed account and create Archive Rules as they see fit. While it would be desirable to ship a default set of Archive Rules that most customers could use, we have found that the rules are too specific to a particular customer's environment and have decided to leave rule configuration to the customer's discretion.
Usage
In line with other Bearse features, this feature can be deployed into any AWS account without any prior configuration. Access Analyzer is a regional service, so an analyzer is needed in each region that should be monitored. The feature can be deployed in a variety of configurations to best suit the customer and their AWS environment:
- Deployed and managed in separate individual accounts.
- Deployed into an AWS Organization security account to collect data from other accounts and services within the organization.
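The two objectives above (delegating administration, then creating an analyzer) and the two deployment configurations map onto a handful of AWS CLI calls. The script below is an added example written for this page; it is not Bearse's own code. It runs in dry-run mode by default and only prints the commands it would execute, so it can be read and checked without credentials. The account IDs, analyzer name, region and the archive-rule filter are assumed placeholders. Step 1 must be run with management-account credentials and applies only to the organization-wide configuration; steps 2 and 3 run with credentials for the account that will own the analyzer (for a standalone deployment, set `ANALYZER_TYPE=ACCOUNT` and skip step 1).

```shell
#!/bin/sh
# Added example (not Bearse's own code). All IDs, names and the region below
# are assumed placeholders; override them via the environment.
set -eu

SECURITY_ACCOUNT_ID="${SECURITY_ACCOUNT_ID:-111111111111}"  # delegated admin (placeholder)
TRUSTED_ACCOUNT_ID="${TRUSTED_ACCOUNT_ID:-222222222222}"    # used in the archive rule (placeholder)
ANALYZER_NAME="${ANALYZER_NAME:-org-analyzer}"              # assumed analyzer name
ANALYZER_TYPE="${ANALYZER_TYPE:-ORGANIZATION}"              # ORGANIZATION or ACCOUNT
AWS_REGION="${AWS_REGION:-eu-west-1}"                       # Access Analyzer is regional
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the command (default), 0 = execute it

# Print the command in dry-run mode, otherwise run it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1 (optional, organization deployments only): from the management
# account, delegate Access Analyzer administration to the security account.
delegate_admin() {
  run aws organizations register-delegated-administrator \
    --account-id "$SECURITY_ACCOUNT_ID" \
    --service-principal access-analyzer.amazonaws.com
}

# Step 2: in the delegated (or standalone) account, create the analyzer.
# Type ORGANIZATION covers every account in the org; ACCOUNT covers one account.
create_analyzer() {
  run aws accessanalyzer create-analyzer \
    --region "$AWS_REGION" \
    --analyzer-name "$ANALYZER_NAME" \
    --type "$ANALYZER_TYPE"
}

# Step 3 (left to the customer): an archive rule that auto-archives findings
# for S3 buckets shared only with one known trusted account, so that the
# remaining active findings are the ones worth a human review.
create_archive_rule() {
  run aws accessanalyzer create-archive-rule \
    --region "$AWS_REGION" \
    --analyzer-name "$ANALYZER_NAME" \
    --rule-name trusted-account-s3 \
    --filter "{\"resourceType\":{\"eq\":[\"AWS::S3::Bucket\"]},\"principal.AWS\":{\"eq\":[\"$TRUSTED_ACCOUNT_ID\"]}}"
}

if [ "$ANALYZER_TYPE" = "ORGANIZATION" ]; then
  delegate_admin
fi
create_analyzer
create_archive_rule
```

Run it as `DRY_RUN=0 ./access-analyzer.sh` to execute for real. Note that a delegated administrator can only be registered once the organization has trusted access enabled for Access Analyzer, and that the archive rule only suppresses findings whose principal is exactly the trusted account; findings that also match `isPublic` or other principals stay active.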
More information on the workings, deployment and configuration of the Access Analyzer Bearse feature can be found here.
For more details on AWS IAM Access Analyzer, check out the AWS documentation.