
Why you shouldn't trust AWS IAM Access Analyzer to generate permission policies

Updated: Oct 24, 2022



Everyone familiar with cloud infrastructure permission management knows that implementing least-privilege permissions is one of the hardest tasks to get right. AWS introduced the AWS IAM Access Analyzer service in December 2019 in an effort to address this problem.


In April 2021, AWS added a policy generation capability: IAM Access Analyzer can generate an IAM permission policy from the access activity of an identity, as recorded in AWS CloudTrail logs.


What AWS Doesn't Tell You

IAM Access Analyzer policy generation does not provide the entire picture. Put simply, it does not cover all AWS services (AWS publishes the list of services supported for policy generation, and activity in other services is not translated into actions). A policy generated from incomplete activity data leaves out permissions that the user or role actually used, so deploying it as-is breaks legitimate access for that user or role.


Here's how we'll prove it.


The Process

Using the AWS console, we performed a number of actions in one of our AWS demo accounts: creating resources, deleting resources, and general movement across different AWS services in the account.


One hour later, we went to AWS IAM and generated a policy for the identity we had used, based on the CloudTrail events recorded in this account (as you can see in the image below):


The Outputs

Once the generation job finished, we examined the policy AWS produced, as you can see in the image below:


Then we examined the activity recorded for the same account by the Portspark Cloud Platform, using Portspark EAE:


The Results

Comparing the two outputs, we were surprised to find that the policy generated by IAM Access Analyzer reflected only 75% of the activity we performed in the demo account: 25% of the actions did not show up in the generated policy at all. A customer who deploys such a policy as-is ends up with insufficient permissions for their users and roles, which causes access errors and can even lead to service disruption.


Output Comparison

Based on both outputs, we identified that IAM Access Analyzer had missed 8 different services entirely.


When we compared the lists of event names (actions), we found that AWS had missed 40 different actions!

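The comparison above can be reproduced for any identity: take the CloudTrail events the identity generated, translate each one into the IAM action it was authorised as, and check whether the generated policy grants it. The script below is an added example for this post, not Portspark's or AWS's code. It assumes the CloudTrail events are available as JSON records with eventSource and eventName fields (the shape of CloudTrail log records and of lookup-events output) and that the generated policy is an ordinary IAM policy document. The two translation tables (eventSource to IAM service prefix, eventName to IAM action) are partial and are assumptions to be extended for the services you use; the sample events and sample policy are constructed for illustration.

```python
"""Gap check: which CloudTrail actions does a generated IAM policy not grant?

Added example (not Portspark's or AWS's code). Input assumptions:
  - CloudTrail events as dicts with at least eventSource and eventName.
  - The generated policy as a standard IAM policy document (dict).
The sample events and sample policy below are constructed for illustration.
"""
import fnmatch
import re

# CloudTrail eventSource is not always the IAM service prefix.
# Partial table (assumption): extend it for the services you actually use.
EVENT_SOURCE_TO_PREFIX = {
    "monitoring.amazonaws.com": "cloudwatch",
    "tagging.amazonaws.com": "tag",
}

# CloudTrail eventName is not always the IAM action name either.
# Partial table (assumption): extend as needed.
EVENT_NAME_TO_ACTION = {
    ("s3", "ListBuckets"): "s3:ListAllMyBuckets",
}

# Events that are not IAM-authorised API calls and can never appear in a policy.
NON_IAM_SOURCES = {"signin.amazonaws.com"}

# Some services version their event names, e.g. CreateFunction20150331.
VERSION_SUFFIX = re.compile(r"\d{8}$")


def iam_action(event):
    """Map one CloudTrail event to the IAM action it was authorised as, or None."""
    source = event["eventSource"]
    if source in NON_IAM_SOURCES:
        return None
    prefix = EVENT_SOURCE_TO_PREFIX.get(source, source.split(".")[0])
    name = VERSION_SUFFIX.sub("", event["eventName"])
    return EVENT_NAME_TO_ACTION.get((prefix, name), f"{prefix}:{name}")


def allowed_action_patterns(policy):
    """Collect Action patterns from Allow statements (Action may be str or list).

    Only action coverage is checked; Resource and Condition are ignored here.
    """
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def is_allowed(action, patterns):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def coverage_gap(events, policy):
    """Return the actions used in CloudTrail that the policy does not grant."""
    used = {a for a in (iam_action(e) for e in events) if a is not None}
    patterns = allowed_action_patterns(policy)
    missing = sorted(a for a in used if not is_allowed(a, patterns))
    covered = len(used) - len(missing)
    return {
        "used": sorted(used),
        "missing": missing,
        "missing_services": sorted({a.split(":")[0] for a in missing}),
        "coverage_pct": round(100.0 * covered / len(used), 1) if used else 100.0,
    }


# Constructed sample: what one identity did during a short console session.
SAMPLE_EVENTS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets"},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole"},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331"},
]

# Constructed sample: a generated policy that covers only part of that activity.
SAMPLE_GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:CreateBucket", "iam:CreateRole"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    gap = coverage_gap(SAMPLE_EVENTS, SAMPLE_GENERATED_POLICY)
    print(f"actions used: {len(gap['used'])}, covered: {gap['coverage_pct']}%")
    for action in gap["missing"]:
        print("not granted:", action)
```

On the constructed sample the policy covers five of seven actions (71.4%) and misses two services, cloudwatch and lambda. The two translation tables are where the real work is: the event source, the event name and the IAM action name do not always line up, and every mapping you get wrong shows up as either a false gap or a silently missed permission, which is exactly the kind of discrepancy this post measures.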

Takeaways

To be honest, we did not spend long generating activity in the demo account: roughly 15 minutes of work. Even so, the identification rate of IAM Access Analyzer was 25% lower than that of the Portspark Cloud Platform. We believe that comparing both over a longer working period, touching more services, would show an even larger gap between the findings of IAM Access Analyzer and the Portspark Cloud Platform.


Additionally, you need to know that IAM Access Analyzer policy generation requires setup ahead of time, per account and per region: a CloudTrail trail that records the identity's activity, and a service role that allows Access Analyzer to read that trail. Generation can only look back over the most recent 90 days of trail data, so any work the identity performs less often than that is missing from the generated policy as well. All of this takes additional time and expertise before the service can be used at all.


Looking for a deeper intelligence about what's happening in your cloud? Get started with Portspark today.




© 2024, Portspark. All rights reserved