AWS IAM Access Analyzer
This repo contains a Module for creating and enabling IAM Access Analyzer
This module is not meant to be used directly. Instead, it’s used under the hood in the account-baseline-root
& account-baseline-security
modules. Please see those modules and their respective examples for specific configuration and usage.
Features
-
Create an IAM Access Analyzer service for different regions in one module
-
Enable the IAM Access Analyzer service for a given AWS account
Learn
Note
This repo is a part of the Gruntwork Infrastructure as Code Library, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Infrastructure as Code Library before, make sure to read How to use the Gruntwork Infrastructure as Code Library!
Core concepts
Repo organization
-
modules: the main implementation code for this repo, broken down into multiple standalone, orthogonal submodules.
-
examples: This folder contains working examples of how to use the submodules.
-
test: Automated tests for the modules and examples.
Deploy
Non-production deployment (quick start for learning)
If you just want to try this out for experimenting and learning, check out the following resources:
- examples folder: The
examples
folder contains sample code optimized for learning, experimenting, and testing (but not production usage).
Manage
Sample Usage
- Terraform
- Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S IAM-ACCESS-ANALYZER-MULTI-REGION MODULE
# ------------------------------------------------------------------------------------------------------
module "iam_access_analyzer_multi_region" {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/iam-access-analyzer-multi-region?ref=v0.75.3"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The AWS Account ID the template should be operated on. This avoids
# misconfiguration errors caused by environment variables.
aws_account_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# A feature flag to enable or disable this module.
create_resources = true
# The name of the IAM Access Analyzer module
iam_access_analyzer_name = "iam-access-analyzer"
# If set to ACCOUNT, the analyzer will only be scanning the current AWS
# account it's in. If set to ORGANIZATION - will scan the organization AWS
# account and the child accounts.
iam_access_analyzer_type = "ACCOUNT"
}
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S IAM-ACCESS-ANALYZER-MULTI-REGION MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/iam-access-analyzer-multi-region?ref=v0.75.3"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The AWS Account ID the template should be operated on. This avoids
# misconfiguration errors caused by environment variables.
aws_account_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# A feature flag to enable or disable this module.
create_resources = true
# The name of the IAM Access Analyzer module
iam_access_analyzer_name = "iam-access-analyzer"
# If set to ACCOUNT, the analyzer will only be scanning the current AWS
# account it's in. If set to ORGANIZATION - will scan the organization AWS
# account and the child accounts.
iam_access_analyzer_type = "ACCOUNT"
}