...

Excerpt

This hands-on exercise shows how to review IAM Access Analyzer Findings and take actions with those findings.

Part 1 – Remove Outside Access to a Resource

...

We have prepared the cu-training AWS account with roles named example-role-NETID, one role for each of the training participants.

...

  1. Repeat the steps in Part 1B to find the Finding about "your" example-role-NETID Role.
  2. Drill into the finding details.
  3. Click on Rescan to tell Access Analyzer to review the Finding and check whether the access still exists.
    • If the access remains unchanged, so will the Finding details.
    • If you have successfully deleted "your" example-role-NETID Role, or changed the trust policy so that it no longer trusts the bad-actor Role, then the status of the Finding will be changed to Resolved.

Part 2 – Archive a Finding

...

In this exercise, you will use Access Analyzer to archive a finding allowing public access to an S3 bucket. This indicates one-time review and approval for that access.

We have prepared the cu-training AWS account with S3 buckets named my-public-web-site-NETID, one bucket for each participant. We used these same publicly readable buckets in AWS Config - Hands-on Exercise.

Part 2A – Log in and get to Access Analyzer

...

In this exercise scenario, we have decided that it is indeed our intention that my-public-web-site-NETID be publicly readable. Therefore we just need to tell Access Analyzer that this is intended access.

  1. Under Next steps click on the Archive button.
    • The status of the Finding will turn to Archived.
  2. If you wish, you can now navigate back to the main Access Analyzer page and click on the Archived tab to search for your S3 bucket and confirm that the related finding is indeed archived.
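As an added example (not part of the original exercise), the Part 1 rescan and Part 2 archive decisions above expressed against the Access Analyzer API in Python: the sample findings, ids, account numbers, the `triage`/`apply_plan` functions and the `DryRunClient` stand-in are assumptions, and a real boto3 `accessanalyzer` client can be passed in place of the stand-in.

```python
"""Triage IAM Access Analyzer findings the way the exercise does by hand."""

class DryRunClient:
    """Stand-in for a boto3 'accessanalyzer' client: records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def update_findings(self, **kwargs):
        self.calls.append(("update_findings", kwargs))

    def start_resource_scan(self, **kwargs):
        self.calls.append(("start_resource_scan", kwargs))

# Constructed sample findings shaped like ListFindings entries (ids, account numbers are placeholders).
SAMPLE_FINDINGS = [
    {"id": "finding-role-0001", "status": "ACTIVE", "isPublic": False,
     "resource": "arn:aws:iam::111111111111:role/example-role-NETID",
     "resourceType": "AWS::IAM::Role",
     "principal": {"AWS": "arn:aws:iam::222222222222:role/bad-actor"}},
    {"id": "finding-bucket-0002", "status": "ACTIVE", "isPublic": True,
     "resource": "arn:aws:s3:::my-public-web-site-NETID",
     "resourceType": "AWS::S3::Bucket", "principal": {"AWS": "*"}},
]

# Resources whose outside access has been reviewed and approved (Part 2).
APPROVED_ACCESS = {"arn:aws:s3:::my-public-web-site-NETID"}

def triage(findings, approved=APPROVED_ACCESS):
    """Map each ACTIVE finding to 'archive' (intended access, Part 2) or 'rescan' (Part 1)."""
    # Rescan only after the role is deleted or its trust policy fixed: if access is unchanged
    # the finding stays ACTIVE, otherwise Access Analyzer marks it RESOLVED.
    return {f["id"]: ("archive" if f["resource"] in approved else "rescan")
            for f in findings if f["status"] == "ACTIVE"}

def apply_plan(client, analyzer_arn, findings, plan):
    """Archive approved findings in one call and rescan the rest; returns (archived, rescanned)."""
    by_id = {f["id"]: f for f in findings}
    archive_ids = [fid for fid, act in plan.items() if act == "archive"]
    if archive_ids:
        client.update_findings(analyzerArn=analyzer_arn, ids=archive_ids, status="ARCHIVED")
    rescan_ids = [fid for fid, act in plan.items() if act == "rescan"]
    for fid in rescan_ids:
        client.start_resource_scan(analyzerArn=analyzer_arn, resourceArn=by_id[fid]["resource"])
    return len(archive_ids), len(rescan_ids)
```

Findings already ARCHIVED or RESOLVED are skipped, and a public finding is only archived when its resource is on the approved list, so an unreviewed public bucket always stays ACTIVE.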

...