diff --git a/README.md b/README.md index 82ff55d..4500b89 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ Each Section contains a number of units. **Below Table Link** containing informa - [VPC](sections/vpc.md) - VPC & Subnets Primer, Internet Gateway & NAT Gateways, Network ACL & Security Groups, VPC Flow Logs, VPC Peering, VPC Endpoints, Site to Site VPN & Direct Connect, Transit Gateway - [Security & Compliance](sections/security_compliance.md) - - AWS Shared Responsibility Model, DDOS Protection on AWS, AWS Shield, AWS WAF - Web Application Firewall, AWS KMS (Key Management Service), CloudHSM, AWS Certificate Manager (ACM), AWS Secrets Manager, AWS Artifact (not really a service), Amazon GuardDuty, Amazon Inspector, AWS Config, Amazon Macie, AWS Security Hub, Amazon Detective, AWS Abuse, Root user privileges + - AWS Shared Responsibility Model, DDOS Protection on AWS, AWS Shield, AWS WAF - Web Application Firewall, AWS KMS (Key Management Service), CloudHSM, AWS Certificate Manager (ACM), AWS Secrets Manager, AWS Artifact (not really a service), Amazon GuardDuty, Amazon Inspector, AWS Config, Amazon Macie, AWS Security Hub, Amazon Detective, AWS Abuse, Root user privileges, IAM Access Analyzer - [Machine Learning](sections/machine_learning.md) - Amazon Rekognition, Amazon Transcribe, Amazon Polly, Amazon Translate, Amazon Lex & Connect, Amazon Comprehend, Amazon SageMaker, Amazon Forecast, Amazon Kendra, Amazon Personalize, Amazon Textract - [Account Management, Billing & Support](sections/account_management_billing_support.md) diff --git a/images/IAM_Access_Analyzer.png b/images/IAM_Access_Analyzer.png new file mode 100644 index 0000000..7bdb30d Binary files /dev/null and b/images/IAM_Access_Analyzer.png differ diff --git a/sections/security_compliance.md b/sections/security_compliance.md index c36f7aa..8fdae5a 100644 --- a/sections/security_compliance.md +++ b/sections/security_compliance.md 
@@ -28,6 +28,7 @@ - [Amazon Detective](#amazon-detective) - [AWS Abuse](#aws-abuse) - [Root user privileges](#root-user-privileges) + - [IAM Access Analyzer](#iam-access-analyzer) - [Summary](#summary) ## AWS Shared Responsibility Model @@ -312,6 +313,21 @@ - Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or VPC endpoint ID - Sign up for GovCloud +## IAM Access Analyzer + +- AWS IAM Access Analyzer is a tool that scans your AWS resource policies to find any unintended public or cross-account access. It helps you identify and fix security issues, ensuring that only authorized entities have access to your resources. +- Find out which resources are shared externally: + - S3 Buckets + - IAM Roles + - KMS Keys + - Lambda Functions and Layers + - SQS queues + - Secrets Manager Secrets +- Define Zone of Trust = AWS Account or AWS Organization. +- Access outside zone of trusts => findings + + + ## Summary - Shared Responsibility on AWS
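Review bot: In the new `## IAM Access Analyzer` section in sections/security_compliance.md, the last bullet reads "Access outside zone of trusts => findings"; "zone of trusts" should be "zone of trust" to match the bullet above it, and the `=>` shorthand reads oddly next to the full sentences in the rest of the section, so something like "Any access granted outside the zone of trust is reported as a finding" would be clearer. The three empty `+` lines before `## Summary` also look like the spot where the image was meant to go, and the `## Summary` list that follows (starting "Shared Responsibility on AWS") is not updated with the new service even though every other unit in the file is listed there.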
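Review bot: images/IAM_Access_Analyzer.png is added as a new binary file, but nothing in this patch references it: neither the README hunk nor the new section in sections/security_compliance.md contains an image link. Either add the markdown reference in the new section (for example `![IAM Access Analyzer](../images/IAM_Access_Analyzer.png)`, assuming the other sections use the same relative path convention) or drop the binary from the commit so the repository does not carry an orphaned asset.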