turbot/aws_compliance

Control: IAM Access analyzer should be enabled without findings

Description

This control checks whether the IAM Access analyzer is enabled without findings. If you grant permissions to an S3 bucket in one of your organization member accounts to a principal in another organization member account, IAM Access Analyzer does not generate a finding. But if you grant permission to a principal in an account that is not a member of the organization, IAM Access Analyzer generates a finding.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.iam_access_analyzer_enabled_without_findings

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.iam_access_analyzer_enabled_without_findings --share

SQL

This control uses a named query:

iam_access_analyzer_enabled_without_findings

Tags