AWS - AccessAnalyzer (beta)

This Integration is part of the AWS - AccessAnalyzer (beta) Pack.#

beta

This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve.

Amazon Web Services IAM Access Analyzer

For detailed instructions about setting up authentication, see: AWS Integrations - Authentication.

Configure AWS - AccessAnalyzer (beta) on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for AWS - AccessAnalyzer (beta).

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | AWS Default Region | | False |
    | Role Arn | | False |
    | Role Session Name | | False |
    | Role Session Duration | | False |
    | Fetch incidents | | False |
    | Incident type | | False |
    | Access Key | | False |
    | Secret Key | | False |
    | Trust any certificate (not secure) | Trust any certificate (not secure). | False |
    | Use system proxy settings | Use system proxy settings. | False |
    | Fetch Analyzer ARN (Required for fetching incidents) | The ARN of the analyzer whose findings are fetched as incidents. | False |
  4. Click Test to validate the URLs, token, and connection.

Fetch Incidents#

The integration fetches findings, generated by the analyzer specified in the Fetch Analyzer ARN parameter, as incidents.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

aws-access-analyzer-list-analyzers#


Retrieves a list of analyzers.

Base Command#

aws-access-analyzer-list-analyzers

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.AccessAnalyzer.Analyzers.arn | Unknown | List of Analyzers and their details. |

Command Example#

!aws-access-analyzer-list-analyzers

Context Example#

{
"AWS.AccessAnalyzer.Analyzers": [
{
"arn": "arn:aws:access-analyzer:us-east-2:120685635585:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5",
"createdAt": "2021-09-08T17:25:37",
"lastResourceAnalyzed": "arn:aws:iam::120685635585:role/accessadvisor",
"lastResourceAnalyzedAt": "2021-09-08T17:25:37",
"name": "ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5",
"status": "ACTIVE",
"tags": {},
"type": "ACCOUNT"
}
]
}

Human Readable Output#

AWS Access Analyzer Analyzers#

| arn | createdAt | lastResourceAnalyzed | lastResourceAnalyzedAt | name | status | tags | type |
| --- | --- | --- | --- | --- | --- | --- | --- |
| arn:aws:access-analyzer:us-east-2:120685635585:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5 | 2021-09-08T17:25:37 | arn:aws:iam::120685635585:role/accessadvisor | 2021-09-08T17:25:37 | ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5 | ACTIVE | | ACCOUNT |

aws-access-analyzer-list-analyzed-resource#


Retrieves a list of resources that have been analyzed.

Base Command#

aws-access-analyzer-list-analyzed-resource

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| analyzerArn | The ARN of the analyzer to retrieve a list of analyzed resources from. | Required |
| maxResults | The maximum number of results to return in the response. | Optional |
| resourceType | Filter by resource type. Possible values are: AWS::IAM::Role, AWS::KMS::Key, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::S3::Bucket, AWS::SQS::Queue. | Optional |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.AccessAnalyzer.Analyzers.Resource | Unknown | List of analyzed resources. |

Command Example#

!aws-access-analyzer-list-analyzed-resource analyzerArn=arn:aws:access-analyzer:us-east-2:120685635585:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5

Context Example#

{
"AWS.AccessAnalyzer.Analyzers": [
{
"resourceArn": "arn:aws:iam::120685635585:role/-TestRole",
"resourceOwnerAccount": "120685635585",
"resourceType": "AWS::IAM::Role",
"analyzerArn": "arn:aws:access-analyzer:us-east-2:120685635585:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5"
}
]
}

Human Readable Output#

AWS Access Analyzer Resource#

| analyzerArn | resourceArn | resourceOwnerAccount | resourceType |
| --- | --- | --- | --- |
| arn:aws:access-analyzer:us-east-2:120685635585:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5 | arn:aws:iam::120685635585:role/-TestRole | 120685635585 | AWS::IAM::Role |

aws-access-analyzer-list-findings#


Retrieves a list of findings generated by the specified analyzer.

Base Command#

aws-access-analyzer-list-findings

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| analyzerArn | The ARN of the analyzer to retrieve findings from. | Required |
| maxResults | The maximum number of results to return in the response. | Optional |
| resourceType | Filter findings by resource type. Possible values are: AWS::IAM::Role, AWS::KMS::Key, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::S3::Bucket, AWS::SQS::Queue. | Optional |
| status | Filter findings by status. Possible values are: ACTIVE, ARCHIVED, RESOLVED. | Optional |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.AccessAnalyzer.Findings | Unknown | Access Analyzer findings. |

Command Example#

!aws-access-analyzer-list-findings analyzerArn=arn:aws:access-analyzer:us-east-2:120685635585:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5

Context Example#

{
"AWS.AccessAnalyzer.Findings": [
{
"action": [
"sts:AssumeRole"
],
"analyzedAt": "2021-09-08T17:25:37",
"condition": {},
"createdAt": "2021-09-08T17:25:37",
"id": "78eb6782-5387-49k0-bpe5-39am61c3baee",
"isPublic": false,
"principal": {
"AWS": "232015767104"
},
"resource": "arn:aws:iam::120685635585:role/c7nSecurityAuditRole",
"resourceOwnerAccount": "120685635585",
"resourceType": "AWS::IAM::Role",
"status": "ACTIVE",
"updatedAt": "2021-09-08T17:25:37"
}
]
}

Human Readable Output#

AWS Access Analyzer Findings#

| action | analyzedAt | condition | createdAt | id | isPublic | principal | resource | resourceOwnerAccount | resourceType | status | updatedAt |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| sts:AssumeRole | 2021-09-08T17:25:37 | | 2021-09-08T17:25:37 | 78eb6782-5387-49k0-bpe5-39am61c3baee | false | AWS: 232015767104 | arn:aws:iam::120685635585:role/c7nSecurityAuditRole | 120685635585 | AWS::IAM::Role | ACTIVE | 2021-09-08T17:25:37 |

aws-access-analyzer-get-analyzed-resource#


Retrieves information about an analyzed resource.

Base Command#

aws-access-analyzer-get-analyzed-resource

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| analyzerArn | The ARN of the analyzer to retrieve information from. | Required |
| resourceArn | The ARN of the resource to retrieve information about. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.AccessAnalyzer.Analyzers.Resource | Unknown | Analyzed resource detail. |

Command Example#

!aws-access-analyzer-get-analyzed-resource analyzerArn=arn:aws:access-analyzer:us-east-2:120685635585:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5 region=us-east-2 resourceArn=arn:aws:iam::120685635585:role/OrganizationAccountAccessRole

Context Example#

{
"AWS.AccessAnalyzer.Analyzers": {
"actions": [
"sts:AssumeRole"
],
"analyzedAt": "2021-09-08T17:25:37",
"createdAt": "2021-09-08T17:25:37",
"isPublic": false,
"resourceArn": "arn:aws:iam::120685635585:role/OrganizationAccountAccessRole",
"resourceOwnerAccount": "120685635585",
"resourceType": "AWS::IAM::Role",
"status": "ACTIVE",
"updatedAt": "2021-09-08T17:25:37",
"analyzerArn": "arn:aws:access-analyzer:us-east-2:120685635585:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5"
}
}

Human Readable Output#

AWS Access Analyzer Resource#

| actions | analyzedAt | analyzerArn | createdAt | isPublic | resourceArn | resourceOwnerAccount | resourceType | status | updatedAt |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| sts:AssumeRole | 2021-09-08T17:25:37 | arn:aws:access-analyzer:us-east-2:120685635585:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5 | 2021-09-08T17:25:37 | false | arn:aws:iam::120685635585:role/OrganizationAccountAccessRole | 120685635585 | AWS::IAM::Role | ACTIVE | 2021-09-08T17:25:37 |

aws-access-analyzer-get-finding#


Retrieves information about the specified finding.

Base Command#

aws-access-analyzer-get-finding

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| analyzerArn | The ARN of the analyzer to retrieve information from. | Required |
| findingId | The ID of the finding to retrieve. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.AccessAnalyzer.Analyzers.Finding | Unknown | Finding details. |

Command Example#

!aws-access-analyzer-get-finding analyzerArn=arn:aws:access-analyzer:us-east-2:120685635585:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5 findingId=78eb6782-5387-49k0-bpe5-39am61c3baee

Context Example#

{
"AWS.AccessAnalyzer.Analyzers": {
"action": [
"sts:AssumeRole"
],
"analyzedAt": "2021-09-08T17:25:37",
"condition": {},
"createdAt": "2021-09-08T17:25:37",
"id": "78eb6782-5387-49k0-bpe5-39am61c3baee",
"isPublic": false,
"principal": {
"AWS": "232015767104"
},
"resource": "arn:aws:iam::120685635585:role/c7nSecurityAuditRole",
"resourceOwnerAccount": "120685635585",
"resourceType": "AWS::IAM::Role",
"status": "ACTIVE",
"updatedAt": "2021-09-08T17:25:37",
"analyzerArn": "arn:aws:access-analyzer:us-east-2:120685635585:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5"
}
}

Human Readable Output#

AWS Access Analyzer Resource#

| action | analyzedAt | analyzerArn | condition | createdAt | id | isPublic | principal | resource | resourceOwnerAccount | resourceType | status | updatedAt |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| sts:AssumeRole | 2021-09-08T17:25:37 | arn:aws:access-analyzer:us-east-2:120685635585:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5 | | 2021-09-08T17:25:37 | 78eb6782-5387-49k0-bpe5-39am61c3baee | false | AWS: 232015767104 | arn:aws:iam::120685635585:role/c7nSecurityAuditRole | 120685635585 | AWS::IAM::Role | ACTIVE | 2021-09-08T17:25:37 |

aws-access-analyzer-start-resource-scan#


Starts a scan of the policies applied to the specified resource.

Base Command#

aws-access-analyzer-start-resource-scan

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| analyzerArn | The ARN of the analyzer to use to scan the policies applied to the specified resource. | Required |
| resourceArn | The ARN of the resource to scan. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-access-analyzer-start-resource-scan analyzerArn=arn:aws:access-analyzer:us-east-2:120685635585:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5 resourceArn=arn:aws:iam::120685635585:role/OrganizationAccountAccessRole

Human Readable Output#

Resource scan request sent.

aws-access-analyzer-update-findings#


Updates findings with the new values provided in the request.

Base Command#

aws-access-analyzer-update-findings

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| analyzerArn | The ARN of the analyzer that generated the findings to update. | Required |
| findingIds | The IDs of the findings to update (comma separated). | Required |
| status | The status to set on the findings. Possible values are: ACTIVE, ARCHIVED. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-access-analyzer-update-findings analyzerArn=arn:aws:access-analyzer:us-east-2:120685635585:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5 findingIds=78eb6782-5387-49k0-bpe5-39am61c3baee status=ACTIVE

Human Readable Output#

Findings updated
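The triage step a playbook would run between aws-access-analyzer-list-findings and aws-access-analyzer-update-findings, as an added example that is not part of the integration: it reads findings in the shape of the AWS.AccessAnalyzer.Findings context output, keeps public access and unknown cross-account principals ACTIVE, and builds the comma-separated findingIds argument for archiving the findings whose principal is on an allowlist. The allowlist, the constructed sample findings beyond the one on this page, and the helper names are assumptions.

```python
from typing import Iterable, List, Tuple

# Hypothetical allowlist: accounts expected to hold cross-account access to
# this account's resources (for example, a central security audit account).
APPROVED_ACCOUNTS = {"232015767104"}

# Constructed sample findings in the shape of the AWS.AccessAnalyzer.Findings
# context output (only a subset of the fields is included).
SAMPLE_FINDINGS = [
    {   # the finding shown on this page: trust to the approved audit account
        "id": "78eb6782-5387-49k0-bpe5-39am61c3baee", "status": "ACTIVE",
        "isPublic": False, "principal": {"AWS": "232015767104"},
        "resource": "arn:aws:iam::120685635585:role/c7nSecurityAuditRole",
    },
    {   # constructed: publicly readable bucket, must stay ACTIVE
        "id": "00000000-0000-4000-8000-000000000001", "status": "ACTIVE",
        "isPublic": True, "principal": {},
        "resource": "arn:aws:s3:::example-public-bucket",
    },
    {   # constructed: trust to an account that is not on the allowlist
        "id": "00000000-0000-4000-8000-000000000002", "status": "ACTIVE",
        "isPublic": False, "principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "resource": "arn:aws:iam::120685635585:role/-TestRole",
    },
]


def principal_account(principal: dict) -> str:
    """Return the account ID of an 'AWS' principal given as a bare ID or an ARN."""
    aws = principal.get("AWS", "")
    return aws.split(":")[4] if aws.startswith("arn:") else aws


def triage(findings: Iterable[dict], approved: set) -> Tuple[List[str], List[str]]:
    """Split ACTIVE findings into (ids_to_keep_active, ids_safe_to_archive)."""
    # Only non-public findings whose principal is an approved account are
    # archivable; public access, unknown accounts and missing principals stay ACTIVE.
    keep, archive = [], []
    for f in findings:
        if f.get("status") != "ACTIVE":
            continue  # ARCHIVED and RESOLVED findings need no decision
        account = principal_account(f.get("principal", {}))
        if not f.get("isPublic") and account in approved:
            archive.append(f["id"])
        else:
            keep.append(f["id"])
    return keep, archive


def update_findings_args(analyzer_arn: str, ids: List[str], status: str) -> str:
    """Build the argument string for !aws-access-analyzer-update-findings."""
    return f"analyzerArn={analyzer_arn} findingIds={','.join(ids)} status={status}"
```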