SEC03-BP07: Analyze public and cross-account access

Continually monitor your findings about public and cross-account access. Reduce public access and cross-account access to only the specific resources that require this access. For example, consider if your Amazon S3 buckets or AWS Lambda functions require public access, or if cross-account access is required.

Implementation guidance

Public and cross-account access can introduce security risks if not properly managed and monitored. By continuously analyzing and reducing unnecessary external access, you can minimize your attack surface while maintaining the functionality required for legitimate business needs.

Key steps for implementing this best practice:

1. Identify public and cross-account access:
   • Use AWS IAM Access Analyzer to identify resources shared externally
   • Inventory all resources with public access permissions
   • Document legitimate business requirements for external access
   • Identify cross-account access patterns and dependencies
   • Catalog third-party integrations requiring access
2. Implement continuous monitoring:
   • Set up AWS IAM Access Analyzer for ongoing analysis
   • Configure alerts for new public or cross-account access
   • Monitor changes to resource-based policies
   • Track access patterns and usage
   • Implement automated scanning for public resources
3. Establish access validation processes:
   • Create approval workflows for public access requests
   • Implement regular reviews of external access permissions
   • Validate business justification for cross-account access
   • Document and approve third-party access requirements
   • Establish expiration dates for temporary external access
4. Implement least privilege for external access:
   • Restrict public access to only necessary resources
   • Use specific conditions in cross-account policies
   • Implement time-based restrictions where appropriate
   • Use external IDs for cross-account role assumptions
   • Apply IP address restrictions when possible
5. Secure public resources:
   • Implement additional security controls for public resources
   • Use encryption for publicly accessible data
   • Implement rate limiting and DDoS protection
   • Monitor public resource usage and access patterns
   • Consider using CloudFront for public web content
6. Regularly audit and remediate:
   • Conduct quarterly reviews of public and cross-account access
   • Remove unnecessary external access permissions
   • Update access policies based on changing requirements
   • Implement automated remediation for policy violations
   • Generate compliance reports for management

Implementation examples

Example 1: Using AWS IAM Access Analyzer to identify external access

Code snippet hidden for website display

Example 2: S3 bucket policy with controlled public access

Code snippet hidden for website display

Example 3: Cross-account IAM role with external ID

Code snippet hidden for website display

Example 4: Automated monitoring and alerting for public access

Code snippet hidden for website display

AWS services to consider

AWS IAM Access Analyzer

Helps you identify resources in your organization and accounts that are shared with an external entity. Provides continuous monitoring and analysis of public and cross-account access.

AWS Config

Enables you to assess, audit, and evaluate the configurations of your AWS resources. Use Config rules to monitor for public access and policy changes.

AWS CloudTrail

Records API calls for your account and delivers log files to you. Use CloudTrail to monitor changes to resource policies and access permissions.

Amazon CloudWatch

Monitors your AWS resources and the applications you run on AWS in real time. Set up alerts for public access changes and unusual access patterns.

AWS Security Hub

Provides a comprehensive view of your security state in AWS. Aggregates findings from Access Analyzer and other security services for centralized monitoring.

Amazon GuardDuty

Provides intelligent threat detection for your AWS accounts and workloads. Can detect suspicious access patterns to public resources.

Benefits of analyzing public and cross-account access

• Reduced attack surface: Minimizes exposure by eliminating unnecessary public access
• Enhanced security posture: Provides visibility into external access patterns
• Improved compliance: Supports regulatory requirements for access control and monitoring
• Proactive risk management: Identifies potential security issues before they can be exploited
• Better governance: Ensures external access aligns with business requirements
• Operational efficiency: Automates monitoring and reduces manual review overhead
• Incident prevention: Helps prevent data breaches and unauthorized access

Related resources

Related Resources

• AWS Well-Architected Framework - Analyze public and cross-account access
• AWS IAM Access Analyzer User Guide
• AWS global condition context keys
• Providing access to an AWS account owned by a third party
• Identify unintended resource access with AWS IAM Access Analyzer
• How to use external ID when granting access to your AWS resources