Master AWS IAM with our guide on using Condition Context Keys to enhance security. Learn how to restrict actions and safeguard your AWS environment.
How to Use AWS Config & AWS IAM Access Analyzer to Detect Public-Facing Resources in AWS
This blog guides you through using AWS Config and Access Analyzer for efficient auditing and control, ensuring compliance in your AWS environment.
The situation: Identifying public-facing AWS resources
If you have ever wanted to scan your AWS account for resources that are publicly accessible, this blog post is for you. It is preferable to implement AWS Config auto-remediation for real-time response, and tools like the Open Policy Agent and Service Control Policies to prevent public access ahead of time.
However, it is sometimes necessary to audit an account for publicly accessible resources that may have slipped through the cracks.
Tools for detecting public resources
1. AWS Config
2. Access Analyzer
AWS IAM Access Analyzer was launched in 2019. It is one of the few services that uses a mathematical form of analysis called Automated Reasoning . Although it only works with resources that have resource policies, IAM Access Analyzer offers a helpful interface for identifying unwanted public access.
Walkthrough: using AWS config for public resources detection
The AWS config setup
AWS maintains a set of Managed Config Rules for AWS Config. At the time of this writing, there are 276 managed rules. For our use case, we are only interested in the rules that help us detect public access. Fortunately, a list of this subset of rules can be found in the Operational Best Practices For Publicly Accessible Resources conformance pack. Here they are, listed out:
AWS Config is a regional service, so you will need to create these rules in all regions. This would be tedious to do by hand, so it is recommended to use Infrastructure as Code like Terraform or CloudFormation StackSets for a multi-region rollout of the AWS Config Rules.
To address this need, I created Terraform Public Access Detection Example , which will get you started with a multi-region deployment of these config rules.
After enabling your config rules, the AWS Console will list the Compliance status for each rule that you enabled:
However, there is no reporting functionality built into the Console. In order to generate a report, you can use the AWS configservice list-discovered-resources command. See this example script which loops through AWS regions and resource types and lists any resources that are non-compliant:
for x in us-east-1 us-east-2 us-west-1 us-west-2; do for y in AWS::EC2::Instance AWS::ApiGateway::RestApi AWS::CloudFront::Distribution AWS::S3::Bucket; do echo $x aws configservice list-discovered-resources --resource-type $y --region=$x | jq -e '(select(.resourceIdentifiers | length > 0))' done done
Utilizing AWS Access Analyzer to detect public resources
In contrast to AWS Config, the Access Analyzer is simple to configure and use.
Again though, it is regional, so you will need to create an analyzer in every region you work in. The Access Analyzer works with a limited set of resources, which is why it works well as a complement to the AWS Config rules listed earlier. At the time of this writing, the Access Analyzer supports S3, IAM Roles, KMS keys, Lambda functions, SQS queues, and Secrets Manager secrets.
To get started, navigate to the Access Analyzer within the IAM dashboard and click Create Analyzer:
You will only have one analyzer per region. If you are a member of an organization, you can create an analyzer to monitor resources in all of your linked accounts. Once you create the analyzer you can easily search for resources that allow for public access:
Once you have a list of findings, they can easily be exported into a CSV, or you can mark them as Archived to prevent them from showing up in the result set.
StratusGrid can help with AWS Config and AWS IAM Access Analyzer!
Although it is better to prevent publicly accessible resources from being created in the first place, if they do get created to auto-remediate the situation, you now have a starting point for using AWS Config and Access Analyzer to detect public-facing resources that you may not be aware of.
If you need assistance with this approach, feel free to reach out to the StratusGrid Growth Team and we can connect you with a technical teammate who can help. If you would like to see more posts similar to this one, consider following me on Twitter .