# Access Analyzer

## Overview
This Terraform module provisions an AWS IAM Access Analyzer, enhancing your visibility into which AWS resources are accessible externally.
Use this module to proactively detect and reduce unintended external access across your environment: a vital building block for least-privilege and zero-trust architectures.

## Key Features
- Creates an Access Analyzer at the account or organization level
- Detects exposure of sensitive resources like IAM roles, S3 buckets, and KMS keys
- Includes tagging support for environment/resource tracking
- Designed for security auditing, compliance, and governance
๐ผ Use Casesโ
- Security teams conducting periodic audits of AWS environments
- Organizations aiming for CIS, NIST, or SOC 2 readiness
- DevSecOps pipelines enforcing least-privilege by design
- Central visibility across multiple accounts or organizations
## Input Variables

| Name | Type | Description |
|---|---|---|
| region | string | AWS region to deploy the analyzer |
| analyzer_name | string | Name for the IAM Access Analyzer |
| analyzer_type | string | Type of analyzer (ACCOUNT or ORGANIZATION) |
| environment | string | Tag to specify the deployment environment (e.g., dev/prod) |
## Outputs

| Name | Description |
|---|---|
| analyzer_name | The name of the created IAM Access Analyzer |
| analyzer_arn | The ARN of the created analyzer |
## Deployment Readiness

- Compatible with Terraform 1.0+
- Tested with the AWS provider 5.x
- Use in isolated test environments or as part of a larger security baseline
## Example Usage

```hcl
module "access-analyzer-deployment" {
  source        = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//identity/access-analyzer?ref=v1.0.0"
  region        = "us-east-1"
  analyzer_name = "archiphire-analyzer"
  analyzer_type = "ACCOUNT"
  environment   = "dev"
}
```

```sh
terraform init
terraform plan
terraform apply
```

or

```sh
tofu init
tofu plan
tofu apply
```
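To show how a module with the input and output interface documented above fits together, here is an added illustrative implementation using the standard `aws_accessanalyzer_analyzer` resource; it is not Archiphire's subscription-only module source, and the resource name `this` and the `Environment` tag key are assumptions.

```hcl
# Added illustrative example of the documented interface; not the
# Archiphire module's own source code.
variable "region" {
  type        = string
  description = "AWS region to deploy the analyzer"
}

variable "analyzer_name" {
  type        = string
  description = "Name for the IAM Access Analyzer"
}

variable "analyzer_type" {
  type        = string
  description = "Type of analyzer (ACCOUNT or ORGANIZATION)"
  default     = "ACCOUNT"
  # Reject anything but the two documented values at plan time, so a typo
  # cannot silently create an analyzer with the wrong scope.
  validation {
    condition     = contains(["ACCOUNT", "ORGANIZATION"], var.analyzer_type)
    error_message = "analyzer_type must be ACCOUNT or ORGANIZATION."
  }
}

variable "environment" {
  type        = string
  description = "Tag to specify the deployment environment (e.g., dev/prod)"
}

provider "aws" {
  region = var.region
}

# An ORGANIZATION analyzer can only be created from the organization's
# management account or a delegated administrator for Access Analyzer.
resource "aws_accessanalyzer_analyzer" "this" {
  analyzer_name = var.analyzer_name
  type          = var.analyzer_type
  tags = {
    Environment = var.environment
  }
}

output "analyzer_name" {
  description = "The name of the created IAM Access Analyzer"
  value       = aws_accessanalyzer_analyzer.this.analyzer_name
}

output "analyzer_arn" {
  description = "The ARN of the created analyzer"
  value       = aws_accessanalyzer_analyzer.this.arn
}
```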
## Cleanup Options

For testing:

```sh
terraform destroy
```

or

```sh
tofu destroy
```
For production:
Delete the analyzer manually via the AWS Console or CLI to avoid accidental teardown of integrated components.
## Notes
This module is part of Archiphire's Level 1 security governance toolkit. It helps organizations enforce least privilege and establish audit readiness early in their cloud journey.
## Deployment Package Notice
This module is part of the Level 1 AWS License Tier. To access the full deployment package and source code, subscribe to Archiphire.