Use an external access analyzer to detect resources shared with identities outside your resource directory or account.
Overview
What is an external access analyzer?
An external access analyzer identifies resources shared with external accounts in your account or resource directory. Some Alibaba Cloud resources, such as OSS buckets and RAM roles, support resource-based policies that grant access to external identities. The analyzer continuously monitors these resources and generates findings for any external sharing. Each finding describes the external identity and its granted permissions.
Trust zone
When you create an analyzer, you select an analysis scope of either Current Account or Resource Directory. This scope defines the analyzer's trust zone. The analyzer monitors supported resources within the trust zone and treats access from any identity inside this zone as trusted. If the trust zone is the Current Account, only identities within this account are trusted. If the trust zone is the Resource Directory, identities from all accounts within that directory are trusted, while identities outside the directory are not.
Supported resource types
- OSS buckets: The analyzer evaluates ACLs and bucket policies against the Block Public Access setting. If a bucket allows access from an entity outside the trust zone, such as an anonymous user, the analyzer generates an active finding.
- RAM roles: The analyzer evaluates the trust policies of RAM roles. A trust policy specifies which entities can assume the role. If an entity outside the trust zone can assume a RAM role within the trust zone, the analyzer generates an active finding.
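The following Python example is added here to illustrate the trust-zone check described above; it is not the analyzer's own code. It takes a RAM role trust policy and an OSS bucket policy as plain dictionaries, treats a set of account IDs as the trust zone (one account, or every account in a resource directory), and emits a finding for each principal that is anonymous or belongs to an account outside the zone. The policy shapes (a `Principal` object with a `RAM` list for trust policies; a `Principal` list of account IDs or `"*"` for bucket policies) follow the public Alibaba Cloud policy formats, but the parsing and the `Finding` structure are assumptions made for this example, and the account IDs are constructed sample values.

```python
from dataclasses import dataclass

# Added illustration of the trust-zone check; not the analyzer's own logic.
# Policy parsing below is an assumption modelled on the RAM / OSS policy documents.


@dataclass(frozen=True)
class Finding:
    resource_arn: str
    resource_type: str
    principal: str
    actions: tuple
    is_public: bool


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_account(principal):
    """Account ID named by a principal: an acs:ram::<id>:root style ARN or a bare
    account ID as used in OSS bucket policies. None for '*' and unparsable values."""
    if principal == "*":
        return None
    parts = principal.split(":")
    if len(parts) >= 5 and parts[0] == "acs" and parts[1] == "ram":
        return parts[3]
    if principal.isdigit():
        return principal
    return None


def _external(principal, trusted_accounts):
    """True when the principal is anonymous or its account lies outside the trust zone."""
    return principal == "*" or _principal_account(principal) not in trusted_accounts


def analyze_ram_role(role_arn, trust_policy, trusted_accounts):
    """One finding per RAM principal that may assume the role from outside the zone."""
    findings = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Only RAM principals are compared with the trust zone; Service principals
        # (for example ecs.aliyuncs.com) are Alibaba Cloud services, not external accounts.
        ram_principals = _as_list(principal.get("RAM")) if isinstance(principal, dict) else _as_list(principal)
        for p in ram_principals:
            if _external(p, trusted_accounts):
                findings.append(Finding(role_arn, "RAM role", p, tuple(_as_list(stmt.get("Action"))), p == "*"))
    return findings


def analyze_oss_bucket(bucket_arn, bucket_policy, trusted_accounts, block_public_access=False):
    """One finding per external principal in the bucket policy. Block Public Access
    suppresses anonymous ('*') grants before they are compared with the trust zone."""
    findings = []
    for stmt in bucket_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for p in _as_list(stmt.get("Principal")):
            if p == "*" and block_public_access:
                continue
            if _external(p, trusted_accounts):
                findings.append(Finding(bucket_arn, "OSS bucket", p, tuple(_as_list(stmt.get("Action"))), p == "*"))
    return findings


# Constructed sample data: account 1111 owns the resources, 2222 is another member
# of the same resource directory, and 3333 is outside the directory.
ROLE_ARN = "acs:ram::1111:role/app-role"
ROLE_TRUST_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"RAM": ["acs:ram::2222:root", "acs:ram::3333:root"]}},
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": ["ecs.aliyuncs.com"]}},
    ],
}
BUCKET_ARN = "acs:oss:*:1111:logs"
BUCKET_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": ["*"],
         "Resource": ["acs:oss:*:1111:logs/*"]},
        {"Effect": "Allow", "Action": ["oss:PutObject"], "Principal": ["1111"],
         "Resource": ["acs:oss:*:1111:logs/*"]},
    ],
}


def run_sample(trusted_accounts, block_public_access=False):
    """Findings for the sample role and bucket under the given trust zone."""
    zone = frozenset(trusted_accounts)
    return (analyze_ram_role(ROLE_ARN, ROLE_TRUST_POLICY, zone)
            + analyze_oss_bucket(BUCKET_ARN, BUCKET_POLICY, zone, block_public_access))


if __name__ == "__main__":
    for f in run_sample({"1111"}):
        print(f"{f.resource_type:10} {f.resource_arn:28} principal={f.principal!r} public={f.is_public}")
```

Running `run_sample({"1111"})` (trust zone = current account) yields three findings: accounts 2222 and 3333 on the role and the anonymous grant on the bucket. Widening the zone to the directory, `run_sample({"1111", "2222"})`, drops the 2222 finding, and enabling Block Public Access drops the anonymous one, which is the same effect the console describes for the two scope choices and the bucket setting.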
Create an external access analyzer
- Log on to the RAM console as a RAM user who has administrative rights.
- In the left-side navigation pane, choose .
- In the top navigation bar, select a region.
  Note: An analyzer only monitors resources in its own region. To cover other regions, create an analyzer in each region. Resources deployed in the central region, such as RAM roles, can be analyzed from any region.
- Click Create Analyzer, enter a name, select External Access as the type, set the scope, and then click Create Analyzer.
  Note: An analyzer with a scope of Resource Directory can only be created by using the management account of a resource directory.
  You must also select a Region, such as China (Hangzhou). This action automatically creates the service-linked role AliyunServiceRoleForAccessAnalyzer.
After creation, the analyzer begins detecting external access within its scope. Findings may take some time to generate.
View and manage findings
View the findings
View findings on the Analyzers page or the Findings page.
On the Analyzers page, click an analyzer name to view its details. The page displays the Analyzer Name, running status, Analyzer Type, Analyzer Scope, creation time, ARN, and last analysis time. The Findings tab lists findings with columns for Finding ID, Resource, resource owner, status, Update Time, and Actions (such as archive). You can filter findings by filter key and match type.
On the Findings page, in the Findings tab, set filter criteria by using a filter key and match type (for example, status equals active). The results table shows Finding ID, Resource, resource owner, status, Update Time, and Actions. Click archive to archive a finding, or click Save as Archive Rule to save the current filter as a rule.
Filter the findings
Filter findings by Resource, Resource Type, Resource Owner, or Status.
The filter conditions shown in the console prevail.
For example, to check for public access:
Set the filter key to public access, the match type to equals, and the filter value to true. Then, add a filter condition where status is equal to active.
View the details of a finding
In the list of findings, click a Finding ID to view its details.
The finding details page shows Basic Information and Details sections. Basic Information includes the Analyzer Name, Finding Type, status, Resource Type, Resource ARN, resource owner, and the creation, analysis, and update times. The Details tab shows whether the resource Is Public and lists an External Principal table with columns for principal type, identifier, allowed actions, and access conditions. A Rescan button is available in the upper-right corner.
Based on the finding, take one of the following actions:
- If the sharing is intended, click Archive to archive the finding.
- If the sharing is unintended, click Go for Governance (for resources in the current account) or Copy Resource URL (for resources outside the current account) to navigate to the resource page and correct the access settings.
Automatically archive the findings
In addition to manually archiving individual findings, you can create archive rules to automatically archive findings that do not require governance.
Create and save archive rules on the Findings page. New findings that match a rule's criteria are automatically archived.
On the Findings List page, set filter criteria by using the filter key, match type, and filter value dropdowns, then click Save as Archive Rule.
A newly saved rule does not apply to existing findings. To apply it retroactively, go to the details page of an analyzer and click Apply Archive Rule in the Actions column of the archive rules list.
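The following Python example is added here to show the filter and archive-rule semantics described in this section and in the filtering example above (public access equals true, status equals active); it is not the service's own code. Findings are plain dictionaries whose field names (`id`, `resource`, `resourceType`, `resourceOwner`, `status`, `publicAccess`) and the match types (`equals`, `notEquals`, `contains`) are assumptions chosen to mirror the console columns, and all finding values are constructed samples. It distinguishes the two behaviours the page describes: a rule archives matching findings as they are generated, while existing findings are only archived when the rule is applied retroactively.

```python
from dataclasses import dataclass

# Added illustration of archive-rule semantics; not the service's own implementation.
# Field names and match types are assumptions modelled on the console's filter UI.


@dataclass(frozen=True)
class Condition:
    key: str
    match_type: str   # "equals", "notEquals" or "contains"
    value: object


MATCHERS = {
    "equals": lambda actual, expected: actual == expected,
    "notEquals": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: isinstance(actual, str) and str(expected) in actual,
}


def matches(finding, conditions):
    """All conditions must hold, as when several filters are stacked in the console."""
    return all(MATCHERS[c.match_type](finding.get(c.key), c.value) for c in conditions)


def filter_findings(findings, conditions):
    """The Findings page filter: findings for which every condition holds."""
    return [f for f in findings if matches(f, conditions)]


def ingest(finding, rules):
    """Status assignment for a newly generated finding: archived if any saved rule matches."""
    status = "archived" if any(matches(finding, rule) for rule in rules) else "active"
    return {**finding, "status": status}


def apply_retroactively(findings, rule):
    """Equivalent of 'Apply Archive Rule': archive existing active findings that match.
    Returns the updated list and the ids whose status changed; input is not mutated."""
    updated, changed = [], []
    for f in findings:
        if f["status"] == "active" and matches(f, rule):
            f = {**f, "status": "archived"}
            changed.append(f["id"])
        updated.append(f)
    return updated, changed


# Constructed sample findings (values are illustrative, not real resources).
FINDINGS = [
    {"id": "f-001", "resource": "acs:oss:*:1111:public-site", "resourceType": "OSS bucket",
     "resourceOwner": "1111", "status": "active", "publicAccess": True},
    {"id": "f-002", "resource": "acs:ram::1111:role/partner-role", "resourceType": "RAM role",
     "resourceOwner": "1111", "status": "active", "publicAccess": False},
    {"id": "f-003", "resource": "acs:oss:*:1111:logs", "resourceType": "OSS bucket",
     "resourceOwner": "1111", "status": "archived", "publicAccess": False},
]

# The page's example filter: public access equals true, and status equals active.
PUBLIC_ACTIVE = [Condition("publicAccess", "equals", True),
                 Condition("status", "equals", "active")]

# A rule for intended sharing: external access to the partner role needs no governance.
PARTNER_ROLE_RULE = [Condition("resourceType", "equals", "RAM role"),
                     Condition("resource", "contains", "role/partner-role")]


if __name__ == "__main__":
    print("public + active:", [f["id"] for f in filter_findings(FINDINGS, PUBLIC_ACTIVE)])
    new = ingest({"id": "f-004", "resource": "acs:ram::1111:role/partner-role",
                  "resourceType": "RAM role", "resourceOwner": "1111", "publicAccess": False},
                 [PARTNER_ROLE_RULE])
    print("new finding status:", new["status"])
    _, changed = apply_retroactively(FINDINGS, PARTNER_ROLE_RULE)
    print("archived retroactively:", changed)
```

Note that `ingest` archives the new partner-role finding immediately, while the existing `f-002` keeps its active status until `apply_retroactively` is run with the same rule, matching the page's statement that a saved rule affects only new findings unless applied explicitly.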