Risk Level: Low
Cloud Entity: Region
CloudGuard Rule ID: D9.AWS.IAM.74
Covered by Spectral: No
Category: Global

GSL LOGIC

Region should have accessAnalyzers contain-any [ status='ACTIVE' ]

REMEDIATION

From Portal
Perform the following to create access analyzer for each region:

Open the IAM console at https://console.aws.amazon.com/iam/.
Choose Access analyzer.
Choose Create analyzer.
On the Create analyzer page, confirm that the Region displayed is the Region where you want to enable Access Analyzer.
Enter a name for the analyzer.
Choose the account as the zone of trust for the analyzer.
Choose Create Analyzer.

To create an analyzer with the organization as the zone of trust

Open the IAM console at https://console.aws.amazon.com/iam/.
Choose Access analyzer.
Choose Create analyzer.
On the Create analyzer page, confirm that the Region displayed is the Region where you want to enable Access Analyzer.
Enter a name for the analyzer.
Choose your organization as the zone of trust for the analyzer.
Choose Create Analyzer.

From TF
Create access analyzer for each region as:

resource "aws_accessanalyzer_analyzer" "example_analyzer" {
	analyzer_name = "example"
}

From Command Line
To create an access analyzer, run:

aws accessanalyzer create-analyzer --analyzer-name ANALYZER-NAME --type ANALYZER-TYPE

References

Region

Each Amazon EC2 Region is designed to be completely isolated from the other Amazon EC2 Regions. This achieves the greatest possible fault tolerance and stability.

Compliance Frameworks

AWS CIS Foundations v. 1.3.0
AWS CIS Foundations v. 1.4.0
AWS CIS Foundations v. 1.5.0
AWS CIS Foundations v. 2.0.0
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
CloudGuard AWS All Rules Ruleset