AWS IAM Access Analyzer deleted
Description
AlphaSOC detected that an AWS Identity and Access Management (IAM) Access Analyzer was deleted. IAM Access Analyzer is a security control that identifies resources shared with principals outside the zone of trust (the account or the organization) and validates IAM policies. Analyzers are regional: deleting one removes all of its findings and stops ongoing analysis in that region, and the findings cannot be recovered by recreating the analyzer. The event may indicate an attempt to hide unauthorized access or to bypass security monitoring by removing automated policy analysis; it may also be a legitimate change, which should be confirmed with the owner of the principal that made it.
Impact
Removing an IAM Access Analyzer eliminates automated detection, in that region, of externally accessible resources, overly permissive IAM policies, unused access and permissions, and policies that fail validation. The deletion can obscure unauthorized access to AWS resources and conceal policy violations, and because findings are deleted together with the analyzer, evidence of earlier external sharing is lost.
Severity
| Severity | Condition |
|---|---|
| Low | AWS IAM Access Analyzer deleted |
Investigation and Remediation
Review CloudTrail for the DeleteAnalyzer event (eventSource access-analyzer.amazonaws.com) to identify the principal that deleted the analyzer (userIdentity; for an assumed-role session, the issuing role ARN under sessionContext), the source IP address, the time of deletion, the analyzer name in requestParameters, and any related API calls by the same principal around that time. Confirm whether the change was authorized. Recreate the analyzer in the same region, review resource-based policies for unauthorized changes made while analysis was disabled, audit existing IAM permissions (in particular which principals hold access-analyzer:DeleteAnalyzer), and enable an AWS Config rule or Security Hub control that checks for an analyzer in every active region.
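The triage described above, as an added example that is not AlphaSOC's or AWS's own code: it filters CloudTrail records for successful DeleteAnalyzer calls, pulls out the fields an analyst needs (actor, issuing role, source IP, time, region, analyzer name), and builds the boto3 create_analyzer request to restore the analyzer in the same region. The records are constructed; the account ID, ARNs, names and IP addresses are placeholders, and the record layout is CloudTrail's standard one.

```python
"""Triage CloudTrail records for IAM Access Analyzer deletions.

Added example for this page (not AlphaSOC's or AWS's code). SAMPLE_RECORDS are
constructed CloudTrail records; account IDs, ARNs, names and IPs are placeholders.
"""
from typing import Any

ACCESS_ANALYZER_SOURCE = "access-analyzer.amazonaws.com"
DELETE_EVENT = "DeleteAnalyzer"

# Constructed records: a deletion via an assumed role, an unrelated read-only
# call by the same session, and a deletion by an IAM user in a second region.
SAMPLE_RECORDS: list[dict[str, Any]] = [
    {
        "eventTime": "2024-05-01T10:15:22Z",
        "eventSource": ACCESS_ANALYZER_SOURCE,
        "eventName": DELETE_EVENT,
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/DevOpsRole/alice",
            "accountId": "123456789012",
            "sessionContext": {
                "sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/DevOpsRole"}
            },
        },
        "requestParameters": {"analyzerName": "prod-account-analyzer"},
        "eventID": "11111111-1111-1111-1111-111111111111",
    },
    {
        "eventTime": "2024-05-01T10:16:02Z",
        "eventSource": ACCESS_ANALYZER_SOURCE,
        "eventName": "ListAnalyzers",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/DevOpsRole/alice",
            "accountId": "123456789012",
        },
        "requestParameters": None,
        "eventID": "22222222-2222-2222-2222-222222222222",
    },
    {
        "eventTime": "2024-05-01T10:40:45Z",
        "eventSource": ACCESS_ANALYZER_SOURCE,
        "eventName": DELETE_EVENT,
        "awsRegion": "eu-west-1",
        "sourceIPAddress": "203.0.113.9",
        "userIdentity": {
            "type": "IAMUser",
            "arn": "arn:aws:iam::123456789012:user/bob",
            "accountId": "123456789012",
            "userName": "bob",
        },
        "requestParameters": {"analyzerName": "eu-analyzer"},
        "eventID": "33333333-3333-3333-3333-333333333333",
    },
]


def is_analyzer_deletion(record: dict[str, Any]) -> bool:
    """True for a successful DeleteAnalyzer call. CloudTrail adds errorCode
    (e.g. AccessDenied) to failed calls; those are attempts, not deletions."""
    return (
        record.get("eventSource") == ACCESS_ANALYZER_SOURCE
        and record.get("eventName") == DELETE_EVENT
        and "errorCode" not in record
    )


def actor_of(identity: dict[str, Any]) -> str:
    """For an assumed role the top-level ARN names the session; the issuing
    role ARN in sessionContext is the stable identity to investigate."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")


def triage(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Extract who, when, from where, which analyzer and which region for
    every analyzer deletion in the records."""
    hits = []
    for rec in records:
        if not is_analyzer_deletion(rec):
            continue
        params = rec.get("requestParameters") or {}
        ident = rec["userIdentity"]
        hits.append({
            "time": rec["eventTime"],
            "region": rec["awsRegion"],
            "account": ident.get("accountId"),
            "actor": actor_of(ident),
            "identity_type": ident.get("type"),
            "source_ip": rec.get("sourceIPAddress"),
            "analyzer": params.get("analyzerName"),
            "event_id": rec.get("eventID"),
        })
    return hits


def recreate_request(hit: dict[str, Any], analyzer_type: str = "ACCOUNT") -> dict[str, Any]:
    """Arguments for boto3.client('accessanalyzer', **client) and
    .create_analyzer(**create_analyzer) to restore the analyzer in the same
    region under the same name. Old findings are gone; analysis restarts."""
    if analyzer_type not in ("ACCOUNT", "ORGANIZATION"):
        raise ValueError("analyzer_type must be ACCOUNT or ORGANIZATION")
    return {
        "client": {"region_name": hit["region"]},
        "create_analyzer": {"analyzerName": hit["analyzer"], "type": analyzer_type},
    }


if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit)
        print(recreate_request(hit))
        # To restore for real (needs credentials with access-analyzer:CreateAnalyzer):
        # import boto3; r = recreate_request(hit)
        # boto3.client("accessanalyzer", **r["client"]).create_analyzer(**r["create_analyzer"])
```

Run it over the records exported from a CloudTrail lookup or Athena query for eventName = DeleteAnalyzer; pair each hit with the other calls from the same actor in the surrounding window before deciding whether the deletion was authorized, and restore with ORGANIZATION as the type if the deleted analyzer covered the whole organization.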