AWS IAM Access Analyzer Explained


AWS IAM Access Analyzer was updated at AWS re:Invent 2023. We had Brigid Johnson, GM of IAM Access Analyzer, talk about IAM Access Analyzer, a critical tool for ensuring fine-grained permissions and robust security in AWS environments: how the service has evolved since its 2019 launch, how it integrates into the development process, and practical advice on implementing Access Analyzer effectively in various business settings.

Questions asked:
00:00 Introduction
00:13 How to use AWS IAM Access Analyzer?
00:41 Why do you need AWS IAM Access Analyzer?
01:51 Recent updates to IAM Access Analyzer
03:10 Scaling Access Analyzer for Different Business Sizes
04:16 Use Cases for IAM Access Analyzer
07:03 Future of IAM Access Analyzer Updates

Ashish Rajan: [00:00:00] Welcome to Cloud Security Podcast, and for people joining in, this is at the AWS re:Invent podcast studio.

I have a special guest here. Could you share your name for the audience?

Brigid Johnson: Yes, everyone. I am Brigid Johnson and I am the GM of IAM Access Analyzer here in AWS.

Ashish Rajan: Awesome. Brigid, for people who don't know what IAM Access Analyzer is. What is it?

Brigid Johnson: So IAM Access Analyzer, what we do is we help customers get to the right fine-grained permissions across AWS.

Access controls are really powerful in AWS, and they're a really important part of your security. And so the way we like to think about it is helping customers set the right access controls, verify the right access controls, and then refine them further as they know more, as their workloads progress.

Ashish Rajan: Wait, so what was it before this that you had to, because, is it a new service?

Brigid Johnson: We actually launched in 2019. We've been adding tools and more capabilities since then, so I can talk a little bit more about that. We also just added two this week, which we're very excited about. But before 2019, policies control who has access to what: you can specify which actions happen on which resources under which conditions.

You can get super fine-grained in [00:01:00] AWS. And before, what was happening is, as developers build, they needed these policies, and we found that customers were actually creating central teams to either create these policies or approve these policies, and it was really slowing down innovation. So insert Access Analyzer, where what we heard from customers is, hey, can we help get the engineers to manage their own permissions?

Oh, by the way, then as a central security team, we want to verify those. We want to set some guardrails. And so that's what IAM, along with IAM Access Analyzer, has been working to do: to set the organizations up for success, to really allow the developers to set their own permissions while the central security team can audit, verify and make sure they're the right ones.

Ashish Rajan: A lot of the events that we talk about quite often are, hey, there was an over-permissioned user. So they can actually use this to talk about what kind of over-permission they have in their account? Is that how I would describe it?

Brigid Johnson: That's something we've been working on for a few years.

But we recently launched a feature to make this super easy. So on Sunday, IAM Access Analyzer launched [00:02:00] unused access findings. And so this means you can go turn it on for your entire organization. And as IAM Access Analyzer does its job, it will go look at all of your unused IAM access keys, your unused IAM roles, your unused IAM passwords. Now, here's the kicker: for your IAM roles that are active and you're still using, it will tell you specific services and actions that you no longer need because you're not using them. And so you'll get this whole list right in front of you, and then, if you're turning them on as, like, a central security team, you get to figure out, like, oh, hey, that account needs some refining, they better go refine access, and you can go poke, poke, poke those dev teams to go refine access.

Then those dev teams can go into the account, and Access Analyzer also has policy generation; it has all that last-accessed data inside that account, so they know what they can remove safely, what they don't need anymore.

Ashish Rajan: So I started my career in IAM, and as someone listening to this, who probably talks to a lot of people about how identity is probably the most important thing in the cloud security context, it's [00:03:00] gonna make a lot of jobs easier, but also a lot of jobs going, oh, I don't have to have that person focus a lot of energy on this.

They can focus on other things which are probably more important in the organization. I think I love this announcement as well. So for people who probably are trying to think about identity from, I guess, a small to medium-sized business versus an enterprise where there are dedicated teams for identity.

Do you find that the scale of Access Analyzer can handle that, and, like, how does that scale? I guess probably that's a better question.

Brigid Johnson: Yeah, and so when you're a smaller organization, we still encourage customers to use AWS Organizations, right? You should split out your workloads into separate accounts.

Prod should be separate from dev, etc. And you want to set yourself up for success to continue to grow in that way, because hopefully your business will grow. And so even if there's not a central team, you can scale by turning on Access Analyzer at the org level. The other thing that we did launch in 2019 is actually external access findings as well.

So as your developers are creating permissions on specific resources, it will identify public and [00:04:00] cross-account resources so you can inspect those. So I think that it's all consolidated together in one place, whether it's a central security team or an IT admin, or even an engineer that's passionate about security.

You can go and inspect the list and just figure out where you need to refine, and then use the tools to refine further.

Ashish Rajan: Awesome. And what are some of the common things you hear from customers when they do use Access Analyzer? I can imagine already: huge time saving, huge increase in productivity. Are those the kind of things that you normally hear from people when they talk about Access Analyzer, or is there something that maybe you have heard one use as an example for, this is where Access Analyzer is amazing?

Brigid Johnson: So what we heard as we built out tools over the last few years, so this is prior to Sunday. What ended up happening was a lot of customers were using our tools and running them continuously. Okay. And so what we did was said, oh, hey, we can do that for you. That was nice. So we just recently added that.

The other thing that we're continuously hearing from customers, and it's a place where we did have another launch on Sunday as well, but we will continue to invest, is they really want to enable the developers to set the right permissions while adhering [00:05:00] to the organization's security standards.

And so what we have is, we had policy validation, and those are AWS-opinionated security checks for IAM policies. That was great. Customers use that and love that. But what they told us is, hey, we want custom checks. So we launched two new ways to check access in IAM Access Analyzer. And what we're hoping is, what we're actually seeing is, people will put that in their CI/CD pipelines. We've been working with partners to also put it in their tooling. The two checks you can do, I think, are really cool: one, you can say check for new access. So if you're checking in a policy that has new access, you might wanna question that, 'cause we want you to refine permissions.

Yeah. Security best practice, of course. And then you can also check for specific access not granted, right? So imagine you have some pretty powerful permissions you just don't want in most of your workflows. You can go in and say, hey, I'm going to reject a policy that has any of these powerful actions.

Ashish Rajan: Awesome. That's most of the questions I had from an Access Analyzer perspective for people who are listening in and probably haven't used Access Analyzer yet. And then you mentioned that you can use the [00:06:00] service if you are a small to medium-sized business. You can still use it if you're an enterprise as well, maybe with a dedicated identity team.

Is there anything that I have not spoken about Access Analyzer that you want to share with people?

Brigid Johnson: One thing we try to do with Access Analyzer is actually put the analysis and the information right where folks are modifying, authoring anything to do with IAM policies. So if you've been in the IAM console and you've edited a policy, you actually used Access Analyzer.

It is that thing that shows up the security warnings, the errors and the general suggestions and whatnot at the bottom of the console. We've also put this in Amazon S3. So if you're editing a bucket policy, which can grant public and cross-account access. Yeah. Then you can actually click a little preview button, and it will tell you if you modify the policy in a way that actually adds public or cross-account access. So we try to place Access Analyzer right where folks are managing their policies. Yeah. But then if you want the rolled-up, all-up version, you obviously have to go to Access Analyzer and use it to find everything in one place.

Ashish Rajan: Wow. So both. I've been using it. I didn't even realize I was using it.

Brigid Johnson: Exactly. [00:07:00] You've added a policy. You've been using it.

Ashish Rajan: That's pretty awesome. So where can people, I guess, be updated on what's upcoming with AWS IAM and Access Analyzer? What's the easiest way to keep up to date, not just from re:Invent, but, I guess, moving forward as well after the conference is over?

Brigid Johnson: re:Inforce is another place that we like to talk, so we have a bunch of sessions and whatnot. The AWS Security Blog is where we're going to put all the solutions that we have for customers. The AWS Identity handle, that's where we're going to post things. And you can follow me on Twitter, too, if you want, because I always post pictures and IAM Access Analyzer.

Ashish Rajan: They don't have to follow Amazon, they can just follow your Twitter as well.

Brigid Johnson: They're going to see a lot of horse pictures as well as permission pictures.

Ashish Rajan: Wait, what's your Twitter handle, so I can just put that in the show notes as well?

Brigid Johnson: bjohnso5y. I think that's the one.

Ashish Rajan: Sounds like an identity name. It was there a long time ago, then it just started growing. Is that one of those 007@hotmail.com kind of emails? Yeah, fair enough. I'm not going to talk about my email from back in the day, but thank you so much for your time.

I really appreciate this. Thank you for the show.

Brigid Johnson: Thanks for letting me talk about Access Analyzer.

Ashish Rajan: Thank you for coming. Alright, so everyone, I will see you next episode. Peace.