Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explained
Auto Checks Detailed Explanation
Enforce MFA on the AWS Root AccountVerify CloudTrail is logging management events across all AWS regionsEnsure no IAM AWS-managed policies grant full administrative accessConfirm that Amazon GuardDuty is enabled for threat detectionEnsure the root account does not have any active access keysConfirm IAM Access Analyzer is enabled to monitor access permissionsConfigure a log metric filter and alarm for unauthorized API callsConfigure a log metric filter and alarm for root account usageEnsure customer-managed IAM policies do not grant full administrative accessPrevent IAM identities from having inline policies with unrestricted accessMaintain accurate and up-to-date AWS account contact informationRegister a valid security contact in the AWS account settingsBlock IAM Inline Policies That Enable Privilege EscalationPrevent IAM Inline Policies from Granting Full CloudTrail AccessAvoid Full KMS Access in Inline IAM PoliciesPrevent Overly Permissive Role Assumption in Custom IAM PoliciesPrevent Privilege Escalation via Customer-Managed IAM PoliciesAvoid IAM Policies Granting Full CloudTrail AccessAvoid IAM Policies Granting Unrestricted KMS AccessPrevent IAM Roles from Assigning ReadOnlyAccess Permissions to External AWS AccountsProtect IAM Service Roles from Confused Deputy Attacks Using Proper Trust PoliciesAvoid Provisioning Access Keys During Initial IAM User Creation When Console Login is EnabledDetect IAM Users with Multiple Active Access Keys and Enforce Key Rotation

Confirm IAM Access Analyzer is enabled to monitor access permissions

Framework Reference: A.5.18 (Access Rights Management) Integration: AWS – IAM

Why this matters

IAM Access Analyzer is a built-in AWS tool that detects resources in your account—such as IAM roles, KMS keys, or S3 buckets—that are accessible from outside your organization. This helps identify unintended exposure and supports implementation of the least privilege principle.

Without Access Analyzer, externally shared permissions can go unnoticed, increasing the risk of data leaks or unauthorized actions by third parties.

Access Analyzer provides visibility into external access paths and helps maintain tight control over cross-account permissions.

What this check does

This Auto Check verifies that:

An IAM Access Analyzer of type ACCOUNT is active in each AWS region where your account is used

The check passes if:

A valid analyzer is detected in every region in scope

The check fails if:

One or more active regions are missing an analyzer instance

How to fix it

📍 The IAM Access Analyzer must be created per region. Repeat the setup for every AWS region where resources are used.

Using AWS Console

Go to the IAM Console

In the left navigation, click Access Analyzer

Click Create analyzer

Confirm the current region in the top bar

Enter a name for the analyzer (e.g., external-access-check)

Set the type to Account (leave Organization unless using delegated admin)

Click Create analyzer

Repeat for each region where resources exist

Using AWS CLI

aws accessanalyzer create-analyzer \  --analyzer-name access-checker \  --type ACCOUNT \  --region <region-name>

Be sure to run this in each region. The analyzer only detects access to resources in its own region.

Exceptions

If your AWS account uses centralized policy review through an Organization-level analyzer, this check may be Not Applicable for member accounts. In that case:

Ensure the delegated admin account has the analyzer set to ORGANIZATION type

Document the roles and accounts that are covered

Further Resources

What is IAM Access Analyzer?

Getting Started with Access Analyzer

AWS CLI – Create Analyzer

Was this article helpful?

Powered by Product Fruits