Monitor AWS IAM Access Analyzer Findings With Datadog | Datadog

Monitor AWS IAM Access Analyzer findings with Datadog

Author Jordan Obey

Last updated: November 27, 2023

As you monitor the health and performance of your infrastructure and applications, you also need to be able to identify potential threats to the security of those components. To help address this challenge, Datadog integrates with AWS Identity and Access Management (IAM) Access Analyzer. This integration provides critical visibility into the security of your IAM resources alongside all of your other AWS resources all within a single pane of glass.

AWS recently announced the release of a new analyzer with IAM Access Analyzer called unused access. Once the analyzer is enabled, this feature helps administrators and security teams identify unused permissions, passwords, IAM users and roles, and access keys. With Datadog’s IAM Access Analyzer integration, you can easily discover and review any unused access granted to IAM resources.

What is AWS IAM Access Analyzer?

AWS IAM Access Analyzer uses automated reasoning to analyze resource policies and determine whether any AWS resources (e.g., IAM roles, S3 buckets, KMS keys) can be accessed outside your account. If you use AWS and want to ensure your policies grant the proper permissions, IAM Access Analyzer can help you detect unintended access to supported AWS resources.

AWS IAM Access Analyzer automatically analyzes resource policies for S3 buckets, IAM roles, KMS keys, Lambda functions, Amazon Relational Database snapshots, SQS queues and other supported resource types in your environment, and then reports possible issues in the form of findings, allowing you to update your policies as needed. If you change any of your policies, AWS IAM Access Analyzer will continuously analyze those updates and generate new findings to keep pace with the rate of change across your dynamic infrastructure.

Configure AWS IAM Access Analyzer to forward findings to Datadog logs

Collect findings on unused access

Removing unused IAM access credentials such as access keys, usernames, and passwords is a critical security best practice that enables you to reduce the attack surface of your AWS resources. In a large organization, however, it’s common for employees to switch teams or find roles elsewhere, and it can be difficult to keep track of which credentials are no longer needed.

IAM Access Analyzer’s unused access feature enables you to discover and review unused access across your AWS accounts or AWS organization. You can view these findings through Datadog’s IAM Access Analyzer integration so you can easily discover any unused permissions, access keys, user passwords, and unused services and actions for active IAM users and roles. You can then remove unused credentials to strengthen your security posture and prevent unintended access events.

AWS IAM Access Analyzer findings delivered straight to your Datadog account

Datadog integrates with AWS IAM Access Analyzer through an AWS Lambda function to receive findings as CloudWatch Events (in JSON format). These findings are then forwarded to your Datadog account as logs. Once you’re aggregating all of these findings with Datadog, you can keep tabs on the state of your resource policies and get alerted about critical issues or misconfigurations (e.g., if any resources can be accessed from outside of your AWS account) and take quick actions to ensure compliance and reduce the blast radius of a security incident.

Enable alerts to notify you automatically when resource policies are misconfigured or not behaving as expected

Monitor and protect your AWS services with Datadog

If you already use Datadog to monitor the health and performance of AWS services like S3 and SQS, now you can correlate that data with AWS IAM Access Analyzer findings to ensure that you’ve properly configured access to those services. For instance, if an AWS IAM Access Analyzer finding indicates that a policy is not granting permissions to S3 buckets as expected, you can investigate by correlating the log with metrics on your S3 dashboard. If you see an unexpected uptick in requests to those resources, it could mean the security of your account has been compromised.

Correlate Access Analyzer findings with AWS resource metrics like S3 to troubleshoot effectively

Performance, health, and security all in one place

Our integration with AWS IAM Access Analyzer complements our existing support for Amazon GuardDuty, which forwards threat detection logs to Datadog to help you identify unauthorized activity. With Datadog Cloud SIEM and integrations with more than 700 other technologies, you can monitor your services and keep them protected.

For even greater visibility into potential identity and access management risks, Datadog plans to integrate its Cloud Infrastructure Entitlement Management (CIEM) solution with AWS IAM Access Analyzer. This integration will provide richer insights into your IAM posture and streamline your team’s journey toward the principle of least privilege.

If you’re already using Datadog, you can start monitoring the security of your infrastructure here. Otherwise, sign up for a 14-day .