AWS - AccessAnalyzer

This Integration is part of the AWS - AccessAnalyzer Pack.#

Amazon Web Services IAM Access Analyzer

For detailed instructions about setting up authentication, see: AWS Integrations - Authentication.

Configure AWS - AccessAnalyzer on Cortex XSOAR#

Navigate to Settings > Integrations > Servers & Services.
Search for AWS - AccessAnalyzer.

Click Add instance to create and configure a new integration instance.

Parameter	Description	Required
AWS Default Region		False
Role Arn		False
Role Session Name		False
Role Session Duration		False
Fetch incidents		False
Incident type		False
Access Key		False
Secret Key		False
Fetch Analyzer ARN (Required for fetching incidents)	The ARN to fetch findings for	False
Trust any certificate (not secure)	Trust any certificate (not secure).	False
Use system proxy settings	Use system proxy settings.	False
Timeout	The time in seconds till a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout followed after a comma (for example 60,10). If a connect timeout is not specified, a default of 10 second will be used.	False
Retries	The maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time.	False

Click Test to validate the URLs, token, and connection.

Fetch Incidents#

The integration fetches findings, generated by the analyzer specified in the Fetch Analyzer ARN parameter, as incidents.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

aws-access-analyzer-list-analyzers#

Retrieves a list of analyzers.

Base Command#

aws-access-analyzer-list-analyzers

Input#

Argument Name	Description	Required
region	The AWS Region, if not specified the default region will be used.	Optional
roleArn	The Amazon Resource Name (ARN) of the role to assume.	Optional
roleSessionName	An identifier for the assumed role session.	Optional
roleSessionDuration	The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.	Optional

Context Output#

Path	Type	Description
AWS.AccessAnalyzer.Analyzers	Unknown	List of Analyzers and their details.
AWS.AccessAnalyzer.Analyzers.arn	String	The analyzer ARN.

Command example#

!aws-access-analyzer-list-analyzers

Context Example#

{
    "AWS": {
        "AccessAnalyzer": {
            "Analyzers": {
                "arn": "arn:aws:access-analyzer:us-east-2:123456789012:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5",
                "createdAt": "2021-09-08T17:25:37",
                "lastResourceAnalyzed": "arn:aws:iam::123456789012:role/accessadvisor",
                "lastResourceAnalyzedAt": "2021-09-08T17:25:37",
                "name": "ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5",
                "status": "ACTIVE",
                "tags": {},
                "type": "ACCOUNT"
            }
        }
    }
}

Human Readable Output#

AWS Access Analyzer Analyzers#
Arn Created At Last Resource Analyzed Last Resource Analyzed At Name Status Tags Type
arn:aws:access-analyzer:us-east-2:123456789012:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5 2021-09-08T17:25:37 arn:aws:iam::123456789012:role/XSOARCortexXDRReadOnlyRole 2021-09-08T17:25:37 ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898 ACTIVE ACCOUNT

Arn	Created At	Last Resource Analyzed	Last Resource Analyzed At	Name	Status	Tags	Type
arn:aws:access-analyzer:us-east-2:123456789012:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5	2021-09-08T17:25:37	arn:aws:iam::123456789012:role/XSOARCortexXDRReadOnlyRole	2021-09-08T17:25:37	ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898	ACTIVE		ACCOUNT

aws-access-analyzer-list-analyzed-resource#

Retrieves a list of resources that have been analyzed.

Base Command#

aws-access-analyzer-list-analyzed-resource

Input#

Argument Name	Description	Required
analyzerArn	The ARN of the analyzer to retrieve a list of analyzed resources from.	Required
maxResults	The maximum number of results to return in the response.	Optional
resourceType	Filter findings by one of the resource type. Possible values are: AWS::IAM::Role, AWS::KMS::Key, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::S3::Bucket, AWS::SQS::Queue.	Optional
region	The AWS Region, if not specified the default region will be used.	Optional
roleArn	The Amazon Resource Name (ARN) of the role to assume.	Optional
roleSessionName	An identifier for the assumed role session.	Optional
roleSessionDuration	The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.	Optional

Context Output#

Path	Type	Description
AWS.AccessAnalyzer.Resource	Unknown	List of analyzed resources.
AWS.AccessAnalyzer.Resource.resourceArn	String	The resource ARN.
AWS.AccessAnalyzer.Resource.analyzerArn	String	The analyzer ARN.

Command example#

!aws-access-analyzer-list-analyzed-resource analyzerArn=arn:aws:access-analyzer:us-east-1:123456789012:analyzer/ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898

Context Example#

{
    "AWS": {
        "AccessAnalyzer": {
            "Resource": [
                {
                    "analyzerArn": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898",
                    "resourceArn": "arn:aws:iam::123456789012:role/-TestRole",
                    "resourceOwnerAccount": "123456789012",
                    "resourceType": "AWS::IAM::Role"
                },
                {
                    "analyzerArn": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898",
                    "resourceArn": "arn:aws:iam::123456789012:role/BishopFoxPlatformAssumeRole",
                    "resourceOwnerAccount": "123456789012",
                    "resourceType": "AWS::IAM::Role"
                }
            ]
        }
    }
}

Human Readable Output#

AWS Access Analyzer Resources#
Resource Arn Resource Owner Account Resource Type
arn:aws:iam::123456789012:role/-TestRole 123456789012 AWS::IAM::Role
arn:aws:iam::123456789012:role/BishopFoxPlatformAssumeRole 123456789012 AWS::IAM::Role

Resource Arn	Resource Owner Account	Resource Type
arn:aws:iam::123456789012:role/-TestRole	123456789012	AWS::IAM::Role
arn:aws:iam::123456789012:role/BishopFoxPlatformAssumeRole	123456789012	AWS::IAM::Role

aws-access-analyzer-list-findings#

Retrieves a list of findings generated by the specified analyzer.

Base Command#

aws-access-analyzer-list-findings

Input#

Argument Name	Description	Required
analyzerArn	The ARN of the analyzer to retrieve findings from.	Required
maxResults	The maximum number of results to return in the response.	Optional
resourceType	Filter findings by one of the resource type. Possible values are: AWS::IAM::Role, AWS::KMS::Key, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::S3::Bucket, AWS::SQS::Queue.	Optional
status	Filter findings by status. Possible values are: ACTIVE, ARCHIVED, RESOLVED.	Optional
region	The AWS Region, if not specified the default region will be used.	Optional
roleArn	The Amazon Resource Name (ARN) of the role to assume.	Optional
roleSessionName	An identifier for the assumed role session.	Optional
roleSessionDuration	The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.	Optional

Context Output#

Path	Type	Description
AWS.AccessAnalyzer.Finding	Unknown	Access Analyzer findings.
AWS.AccessAnalyzer.Finding.id	String	The finding ID.
AWS.AccessAnalyzer.Finding.analyzerArn	String	The analyzer ARN.

Command example#

!aws-access-analyzer-list-findings analyzerArn=arn:aws:access-analyzer:us-east-1:123456789012:analyzer/ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898

Context Example#

{
    "AWS": {
        "AccessAnalyzer": {
            "Finding": [
                {
                    "action": [
                        "sts:AssumeRoleWithWebIdentity"
                    ],
                    "analyzedAt": "2023-02-28T07:47:01",
                    "analyzerArn": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898",
                    "condition": {
                        "accounts.google.com:aud": "1234567890123456789012"
                    },
                    "createdAt": "2023-02-13T21:28:04",
                    "id": "03c44171-223c-4615-be8a-bf0b626f0b13",
                    "isPublic": false,
                    "principal": {
                        "Federated": "accounts.google.com"
                    },
                    "resource": "arn:aws:iam::123456789012:role/billing-bot-role",
                    "resourceOwnerAccount": "123456789012",
                    "resourceType": "AWS::IAM::Role",
                    "status": "ARCHIVED",
                    "updatedAt": "2023-02-23T10:08:54"
                },
                {
                    "action": [
                        "sts:AssumeRole"
                    ],
                    "analyzedAt": "2023-02-27T10:59:00",
                    "analyzerArn": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898",
                    "condition": {},
                    "createdAt": "2023-02-13T21:28:04",
                    "id": "babbbe27-835e-4c34-8cbd-f19dc877fa31",
                    "isPublic": false,
                    "principal": {
                        "AWS": "252015767101"
                    },
                    "resource": "arn:aws:iam::123456789012:role/c7nSecurityAuditRole",
                    "resourceOwnerAccount": "123456789012",
                    "resourceType": "AWS::IAM::Role",
                    "status": "ACTIVE",
                    "updatedAt": "2023-02-13T21:28:04"
                }
            ]
        }
    }
}

Human Readable Output#

AWS Access Analyzer Findings#
Id Resource Principal Condition Updated At Status
03c44171-223c-4615-be8a-bf0b626f0b13 arn:aws:iam::123456789012:role/billing-bot-role Federated: accounts.google.com accounts.google.com:aud: 1234567890123456789012 2023-02-23T10:08:54 ARCHIVED
babbbe27-835e-4c34-8cbd-f19dc877fa31 arn:aws:iam::123456789012:role/c7nSecurityAuditRole AWS: 252015767101 2023-02-13T21:28:04 ACTIVE

Id	Resource	Principal	Condition	Updated At	Status
03c44171-223c-4615-be8a-bf0b626f0b13	arn:aws:iam::123456789012:role/billing-bot-role	Federated: accounts.google.com	accounts.google.com:aud: 1234567890123456789012	2023-02-23T10:08:54	ARCHIVED
babbbe27-835e-4c34-8cbd-f19dc877fa31	arn:aws:iam::123456789012:role/c7nSecurityAuditRole	AWS: 252015767101		2023-02-13T21:28:04	ACTIVE

aws-access-analyzer-get-analyzed-resource#

Retrieves information about an analyzed resource.

Base Command#

aws-access-analyzer-get-analyzed-resource

Input#

Argument Name	Description	Required
analyzerArn	The ARN of the analyzer to retrieve information from.	Required
resourceArn	The ARN of the resource to retrieve information about.	Required
region	The AWS Region, if not specified the default region will be used.	Optional
roleArn	The Amazon Resource Name (ARN) of the role to assume.	Optional
roleSessionName	An identifier for the assumed role session.	Optional
roleSessionDuration	The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.	Optional

Context Output#

Path	Type	Description
AWS.AccessAnalyzer.Resource	Unknown	Analyzed resource detail.
AWS.AccessAnalyzer.Resource.id	String	The resource ID.
AWS.AccessAnalyzer.Resource.analyzerArn	String	The analyzer ARN.

Command example#

!aws-access-analyzer-get-analyzed-resource analyzerArn=arn:aws:access-analyzer:us-east-1:123456789012:analyzer/ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898 resourceArn=arn:aws:iam::123456789012:role/-TestRole

Context Example#

{
    "AWS": {
        "AccessAnalyzer": {
            "Resource": {
                "analyzedAt": "2023-02-27T10:59:00",
                "analyzerArn": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898",
                "isPublic": false,
                "resourceArn": "arn:aws:iam::123456789012:role/-TestRole",
                "resourceOwnerAccount": "123456789012",
                "resourceType": "AWS::IAM::Role"
            }
        }
    }
}

Human Readable Output#

AWS Access Analyzer Resource#
Analyzed At Analyzer Arn Is Public Resource Arn Resource Owner Account Resource Type
2023-02-27T10:59:00 arn:aws:access-analyzer:us-east-1:123456789012:analyzer/ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898 false arn:aws:iam::123456789012:role/-TestRole 123456789012 AWS::IAM::Role

Analyzed At	Analyzer Arn	Is Public	Resource Arn	Resource Owner Account	Resource Type
2023-02-27T10:59:00	arn:aws:access-analyzer:us-east-1:123456789012:analyzer/ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898	false	arn:aws:iam::123456789012:role/-TestRole	123456789012	AWS::IAM::Role

aws-access-analyzer-get-finding#

Retrieves information about the specified finding.

Base Command#

aws-access-analyzer-get-finding

Input#

Argument Name	Description	Required
analyzerArn	The ARN of the analyzer to retrieve information from.	Required
findingId	The ID of the finding to retrieve.	Required
region	The AWS Region, if not specified the default region will be used.	Optional
roleArn	The Amazon Resource Name (ARN) of the role to assume.	Optional
roleSessionName	An identifier for the assumed role session.	Optional
roleSessionDuration	The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.	Optional

Context Output#

Path	Type	Description
AWS.AccessAnalyzer.Finding	Unknown	Finding details.
AWS.AccessAnalyzer.Finding.id	String	The finding ID.
AWS.AccessAnalyzer.Finding.analyzerArn	String	The analyzer ARN.

Command example#

!aws-access-analyzer-get-finding analyzerArn=arn:aws:access-analyzer:us-east-1:123456789012:analyzer/ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898 findingId=03c44171-223c-4615-be8a-bf0b626f0b13

Context Example#

{
    "AWS": {
        "AccessAnalyzer": {
            "Finding": {
                "action": [
                    "sts:AssumeRoleWithWebIdentity"
                ],
                "analyzedAt": "2023-02-28T07:47:01",
                "analyzerArn": "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898",
                "condition": {
                    "accounts.google.com:aud": "1234567890123456789012"
                },
                "createdAt": "2023-02-13T21:28:04",
                "id": "03c44171-223c-4615-be8a-bf0b626f0b13",
                "isPublic": false,
                "principal": {
                    "Federated": "accounts.google.com"
                },
                "resource": "arn:aws:iam::123456789012:role/billing-bot-role",
                "resourceOwnerAccount": "123456789012",
                "resourceType": "AWS::IAM::Role",
                "status": "ARCHIVED",
                "updatedAt": "2023-02-23T10:08:54"
            }
        }
    }
}

Human Readable Output#

AWS Access Analyzer Finding#
Action Analyzed At Analyzer Arn Condition Created At Id Is Public Principal Resource Resource Owner Account Resource Type Status Updated At
sts:AssumeRoleWithWebIdentity 2023-02-28T07:47:01 arn:aws:access-analyzer:us-east-1:123456789012:analyzer/ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898 accounts.google.com:aud: 1234567890123456789012 2023-02-13T21:28:04 03c44171-223c-4615-be8a-bf0b626f0b13 false Federated: accounts.google.com arn:aws:iam::123456789012:role/billing-bot-role 123456789012 AWS::IAM::Role ARCHIVED 2023-02-23T10:08:54

Action	Analyzed At	Analyzer Arn	Condition	Created At	Id	Is Public	Principal	Resource	Resource Owner Account	Resource Type	Status	Updated At
sts:AssumeRoleWithWebIdentity	2023-02-28T07:47:01	arn:aws:access-analyzer:us-east-1:123456789012:analyzer/ConsoleAnalyzer-fc3b189d-f88a-48a5-9c2b-f42f9187c898	accounts.google.com:aud: 1234567890123456789012	2023-02-13T21:28:04	03c44171-223c-4615-be8a-bf0b626f0b13	false	Federated: accounts.google.com	arn:aws:iam::123456789012:role/billing-bot-role	123456789012	AWS::IAM::Role	ARCHIVED	2023-02-23T10:08:54

aws-access-analyzer-start-resource-scan#

Starts a scan of the policies applied to the specified resource.

Base Command#

aws-access-analyzer-start-resource-scan

Input#

Argument Name	Description	Required
analyzerArn	The ARN of the analyzer to use to scan the policies applied to the specified resource.	Required
resourceArn	The ARN of the resource to scan.	Required
region	The AWS Region, if not specified the default region will be used.	Optional
roleArn	The Amazon Resource Name (ARN) of the role to assume.	Optional
roleSessionName	An identifier for the assumed role session.	Optional
roleSessionDuration	The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.	Optional

Context Output#

There is no context output for this command.

Command Example#

!aws-access-analyzer-start-resource-scan analyzerArn=arn:aws:access-analyzer:us-east-2:123456789012:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5 resourceArn=arn:aws:iam::123456789012:role/OrganizationAccountAccessRole

Human Readable Output#

Resource scan request sent.

aws-access-analyzer-update-findings#

Updates findings with the new values provided in the request.

Base Command#

aws-access-analyzer-update-findings

Input#

Argument Name	Description	Required
analyzerArn	The ARN of the analyzer that generated the findings to update.	Required
findingIds	The IDs of the findings to update (comma separated).	Required
status	The ARN of the resource to scan. Possible values are: ACTIVE, ARCHIVED.	Required
region	The AWS Region, if not specified the default region will be used.	Optional
roleArn	The Amazon Resource Name (ARN) of the role to assume.	Optional
roleSessionName	An identifier for the assumed role session.	Optional
roleSessionDuration	The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.	Optional

Context Output#

There is no context output for this command.

Command Example#

!aws-access-analyzer-update-findings analyzerArn=arn:aws:access-analyzer:us-east-2:123456789012:analyzer/ConsoleAnalyzer-k80aff71-2468-47l7-b24c-p8992b3f10d5 findingIds=78eb6782-5387-49k0-bpe5-39am61c3baee status=ACTIVE

Human Readable Output#

Findings updated