1. What is the process for utilizing IAM Access Analyzer to identify and validate unused access and policies in TypeScript?


    To use AWS IAM Access Analyzer for identifying and validating unused access and policies with Pulumi in TypeScript, you need to create an Analyzer resource and, optionally, archive rules that define which findings to hide automatically.

    IAM Access Analyzer is a feature that analyzes resource-based policies in your AWS environment to help you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. It does so by analyzing policies to determine where your resources can be accessed from outside of your AWS account.

    Here's a step-by-step breakdown of the process before we dive into the code:

    1. Create an Analyzer: An Analyzer is a resource that analyzes the resource-based policies attached to your resources to identify shared access.

    2. Configure Archive Rules: Archive rules are used to automatically archive findings that meet the criteria you define. This simplifies ongoing analysis by hiding findings that you have reviewed and deemed benign.

    3. Review Findings: After the Analyzer has run, you will need to manually review the findings to understand what access exists. This can be done through the AWS console, CLI, or SDK, but is not directly available as a part of Pulumi resource configuration.

    4. Take Action: If you find unused or unnecessary permissions, you can modify the resource policies directly in AWS to adjust or remove access. This step cannot be automated with Pulumi as it requires analysis and decisions by an administrator.

    Let's go ahead and create a Pulumi program that sets up an AWS IAM Access Analyzer. We will not directly identify and validate the unused access and policies within Pulumi, but we'll put an Analyzer in place for AWS to start analyzing policies.

    ```typescript
    import * as aws from "@pulumi/aws";

    // Create an IAM Access Analyzer that reports resources shared with external entities.
    const analyzer = new aws.accessanalyzer.Analyzer("myAnalyzer", {
        analyzerName: "my-org-analyzer",
        // ORGANIZATION covers every account in the AWS Organization; use ACCOUNT for a
        // single account. For unused-access findings AWS also offers the analyzer types
        // ACCOUNT_UNUSED_ACCESS and ORGANIZATION_UNUSED_ACCESS.
        type: "ORGANIZATION",
        // Tags are optional metadata for resource identification.
        tags: {
            Environment: "production",
        },
    });

    // Optionally, configure an Archive Rule for findings you know you want to hide
    // automatically. Each entry in `filters` names a finding attribute (`criteria`)
    // and the values that match it.
    const archiveRule = new aws.accessanalyzer.ArchiveRule("myArchiveRule", {
        analyzerName: analyzer.analyzerName,
        ruleName: "ignore-resolved-findings",
        filters: [{
            // Example criterion: a finding whose status is already RESOLVED is archived.
            criteria: "status",
            eq: ["RESOLVED"],
        }],
    });

    // Export the ARN of the Analyzer so it can be looked up in AWS afterwards.
    export const analyzerArn = analyzer.arn;
    ```

    1. aws.accessanalyzer.Analyzer: This resource creates the Access Analyzer, where we specify whether it covers the organization or a specific account.

    2. aws.accessanalyzer.ArchiveRule: This optional resource helps to define rules to automatically archive certain findings. It filters based on specified conditions.

    Remember that after setting up the Access Analyzer, you would use the AWS Management Console, AWS CLI, or AWS SDKs to interact with it and examine findings. The IAM Access Analyzer will begin analyzing policies and provide you with findings that show which resources are accessible from outside your AWS account and organization. Review these findings manually and adjust policies as needed.
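    Because an archive rule silently hides whatever it matches, it is worth dry-running a candidate rule against findings you have already exported before deploying it. The following is an added example, not code from the original answer or from Pulumi or AWS: it models the archive-rule filter semantics (all filters must match; the values under `eq`/`neq`/`contains` are alternatives) over constructed sample findings and reports which findings the rule would archive and which remain for manual review.

    ```typescript
    type Finding = { id: string; status: "ACTIVE" | "ARCHIVED" | "RESOLVED"; resourceType: string;
                     isPublic: boolean; principal?: { AWS?: string } };
    // One filter mirrors an ArchiveRule filter entry: a criterion plus match operators.
    type RuleFilter = { criteria: "status" | "resourceType" | "isPublic" | "principal.AWS";
                        eq?: string[]; neq?: string[]; contains?: string[]; exists?: boolean };

    // Read the finding field that an archive-rule criterion refers to.
    function fieldValue(f: Finding, criteria: RuleFilter["criteria"]): string | undefined {
        const fields: Record<RuleFilter["criteria"], string | undefined> = {
            status: f.status, resourceType: f.resourceType,
            isPublic: String(f.isPublic), "principal.AWS": f.principal?.AWS,
        };
        return fields[criteria];
    }

    // A finding is archived only if every filter matches (AND); the values listed
    // under eq/neq/contains are alternatives (OR); a missing field fails eq/contains.
    function matchesRule(f: Finding, filters: RuleFilter[]): boolean {
        return filters.every(flt => {
            const v = fieldValue(f, flt.criteria);
            if (flt.exists !== undefined && (v !== undefined) !== flt.exists) return false;
            if (flt.eq && (v === undefined || !flt.eq.includes(v))) return false;
            if (flt.neq && v !== undefined && flt.neq.includes(v)) return false;
            if (flt.contains && (v === undefined || !flt.contains.some(s => v.includes(s)))) return false;
            return true;
        });
    }

    // Split findings into those the rule would hide and those left for manual review.
    function dryRun(findings: Finding[], filters: RuleFilter[]): { archived: string[]; review: string[] } {
        const archived = findings.filter(f => matchesRule(f, filters)).map(f => f.id);
        return { archived, review: findings.filter(f => !archived.includes(f.id)).map(f => f.id) };
    }

    // Constructed sample findings (not real AWS output) and two candidate rules.
    const sampleFindings: Finding[] = [
        { id: "f-1", status: "RESOLVED", resourceType: "AWS::S3::Bucket", isPublic: false },
        { id: "f-2", status: "ACTIVE", resourceType: "AWS::S3::Bucket", isPublic: true },
        { id: "f-3", status: "ACTIVE", resourceType: "AWS::IAM::Role", isPublic: false,
          principal: { AWS: "111122223333" } },
    ];
    // The rule from the Pulumi program above: hide findings that are already resolved.
    const ignoreResolved: RuleFilter[] = [{ criteria: "status", eq: ["RESOLVED"] }];
    // A too-broad rule: it would also hide the public bucket, so check it before deploying.
    const tooBroad: RuleFilter[] = [{ criteria: "resourceType", contains: ["S3"] }];
    ```

    Running `dryRun(sampleFindings, tooBroad)` shows the public bucket finding `f-2` being archived alongside the resolved one, which is exactly the kind of rule you do not want to ship.
    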