The external access analyzer is a feature within Resource Access Management (RAM) that helps you proactively identify and review resources that are shared with external principals. It continuously monitors supported resources and generates findings when access is granted to an identity outside of your defined trust zone, helping you reduce unintended security risks.
How it works
Trust zone
A core concept of the external access analyzer is the trust zone. When you create an analyzer, you define its scope, which becomes the trust zone. Any access granted to a principal from within this zone is considered trusted. Access granted to any principal from outside this zone is considered external access and will generate a finding.
Current account: If the scope is set to the current account, only principals within that account are considered trusted. Access from any other Alibaba Cloud account is considered external.
Resource directory: If the scope is set to a resource directory, principals from any member account within that directory are considered trusted. Access from any account outside the directory is considered external.
Supported resources
The analyzer currently generates findings for the following resource types:
Object Storage Service (OSS) buckets: The analyzer inspects bucket policies and Access Control Lists (ACLs). If a bucket allows access from a principal outside the trust zone (including anonymous public access), a finding is generated.
RAM roles: The analyzer inspects the trust policy of a RAM role. If a principal from outside the trust zone is permitted to assume the role, a finding is generated.
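As an added illustration of the trust-zone evaluation described above (not the analyzer's own code, whose internals the page does not describe), the following Python models how the principals in an Allow statement are checked against a trust zone for both scopes. The policy shapes, account IDs and resource names are constructed and simplified for this example.

```python
import re

# Matches the account ID in an ARN-style principal such as "acs:ram::123456789012:root"
# or "acs:ram::123456789012:user/alice" (principal format assumed for this example).
_ACCOUNT_RE = re.compile(r"^acs:ram::(\d{4,}):")

def classify_principal(principal):
    """Return (account_id, is_public). account_id is None for '*' or non-account principals."""
    if principal == "*":
        return None, True
    match = _ACCOUNT_RE.match(principal)
    if match:
        return match.group(1), False
    if principal.isdigit():        # bare account ID, as some bucket policies use
        return principal, False
    return None, False             # e.g. a service principal: not an account, not public

def iter_principals(statement):
    """Yield every principal string in a statement, whatever container shape is used."""
    principal = statement.get("Principal", [])
    values = [principal] if isinstance(principal, str) else principal
    if isinstance(values, dict):   # {"RAM": [...], "Service": [...]} style
        values = [v for group in values.values()
                  for v in ([group] if isinstance(group, str) else group)]
    yield from values

def find_external_access(resource, policy, trust_zone):
    """Return one finding per principal of an Allow statement that lies outside the trust zone."""
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        for principal in iter_principals(statement):
            account, is_public = classify_principal(principal)
            # Anonymous ("*") access is always external; an account is external unless in the zone.
            if is_public or (account is not None and account not in trust_zone):
                findings.append({"resource": resource, "principal": principal,
                                 "public": is_public, "actions": actions})
    return findings

# Constructed sample inputs: account IDs and resource names are placeholders.
ROLE_TRUST_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"RAM": ["acs:ram::123456789012:root", "acs:ram::999999999999:root"]}}]}
BUCKET_POLICY = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": ["oss:GetObject"],
    "Principal": ["*"], "Resource": ["acs:oss:*:123456789012:example-bucket/*"]}]}

CURRENT_ACCOUNT_ZONE = {"123456789012"}                     # scope: current account
RESOURCE_DIRECTORY_ZONE = {"123456789012", "999999999999"}  # scope: resource directory members

if __name__ == "__main__":
    for zone in (CURRENT_ACCOUNT_ZONE, RESOURCE_DIRECTORY_ZONE):
        print(find_external_access("example-role", ROLE_TRUST_POLICY, zone))
        print(find_external_access("example-bucket", BUCKET_POLICY, zone))
```

With the current-account zone the role produces a finding for the second account; widening the zone to the resource directory clears it, while the public bucket statement is flagged under either scope.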
Creating an external access analyzer
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
In the top navigation bar, select the region where you want to create the analyzer.
Note: The external access analyzer is a regional service. It analyzes only resources within the region where it is created. To monitor resources in multiple regions, you must create an analyzer in each region. Global resources such as RAM roles are analyzed by an analyzer in any region.
On the Analyzers page, click Create Analyzer.
On the Create Analyzer page, configure the following:
Analyzer Type: Select External Access.
Analyzer Name: Enter a descriptive name for your analyzer.
Analyzer Scope: Choose to analyze the Current Account or your entire Resource Directory.
Note: The Resource Directory option is available only to the management account.

Click Create Analyzer.
After creation, the analyzer begins to evaluate your resources. It may take some time before the initial findings are generated.
View and manage findings
You can view findings on the Analyzers page for a dashboard overview or on the Findings page for a detailed, filterable list.
Filter findings
On the Findings page, you can use filters to search for specific types of access. For example, to find all resources that are publicly accessible, you can add a filter where Public Access is True.

Take action on a finding
To investigate a specific finding, click its ID in the findings list. This opens the finding details page, which shows the shared resource, the external principal, and the granted permissions.

From the details page, you can perform one of the following actions:
Archive: If you have reviewed the finding and determined that the external access is necessary and intentional, you can archive it to remove it from the active list.
Go for Governance: If the access is unintended, click this button to navigate directly to the resource's configuration page to modify its permissions and remove the external access.
Create archive rules
To automatically suppress findings for known and approved external access, you can create an archive rule. An archive rule automatically archives any new findings that match its criteria.
On the Findings page, configure one or more filters that define the findings you want to automatically archive.
Click Save as Archive Rule.

To apply a new rule to findings that already exist, navigate to the Analyzers page, click your analyzer's name, select the Archive Rules tab, and click Apply Archive Rule for the desired rule.
