This topic describes how to use an external access analyzer to identify allowed external access to resources in your resource directory or in the current account.
Overview
What is an external access analyzer?
An external access analyzer helps identify the resources in the current account or your resource directory that are shared with external accounts. Several Alibaba Cloud resources, such as Object Storage Service (OSS) buckets and Resource Access Management (RAM) roles, support resource-based policies that can grant access to external identities. An external access analyzer continuously monitors shared resources in your resource directory or in the current account and generates findings for those resources. This helps identify unexpected resource sharing and reduce security risks for enterprises. Each finding contains information about the external identity that can access the shared resource and the operation permissions that are granted to it.
Trust zone
When you create an analyzer, you can set the analyzer scope to Current Account or Resource Directory. The scope that you specify is the trust zone of the analyzer. The analyzer monitors the resources that can be analyzed in the trust zone. If an internal identity accesses the resources in the trust zone, the analyzer considers the access trusted. For example, if the trust zone is Current Account, the identities in the current account are considered trusted. The identities in other accounts are considered untrusted. If the trust zone is Resource Directory, the identities in the resource directory to which the current account belongs are considered trusted. The identities outside the resource directory are considered untrusted.
Types of resources that support an external access analyzer
OSS buckets
An external access analyzer analyzes the access control lists (ACLs) and bucket policies of OSS buckets and generates findings based on the value of the Block Public Access parameter. If a bucket in the trust zone allows access from an entity outside the trust zone, such as an anonymous user, the analyzer generates an active finding for the bucket.
RAM roles
An external access analyzer analyzes the trust policies of RAM roles. A trust policy is a resource-based policy that is specified when you create a RAM role. In a trust policy, you can specify the trusted entities that can assume the RAM role. If an entity outside the trust zone can assume the RAM role in the trust zone, the analyzer generates an active finding for the RAM role.
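The trust-zone decision and the two resource types above can be illustrated with a small model. The following is an added example, not the Alibaba Cloud analyzer's code: it classifies every principal named in a bucket ACL, bucket policy or RAM role trust policy as inside or outside a trust zone and emits an active finding for each resource that grants access outside the zone. The principal formats (`acs:ram::<account>:root`, a bare account ID, `*` for anonymous users, service names), the rule that Block Public Access suppresses anonymous grants, and all account IDs and policies are constructed assumptions.

```python
"""Added example (not the Alibaba Cloud analyzer's code): a minimal model of how a
trust zone turns bucket ACLs, bucket policies and RAM role trust policies into
external-access findings. Policy shapes and account IDs below are constructed."""
import re
from dataclasses import dataclass

# Assumed principal formats: "acs:ram::<account>:root" / ":role/<name>",
# a bare account ID (bucket-policy style), "*" for anonymous, or a service name.
RAM_ARN = re.compile(r"^acs:ram::(\d+):")


@dataclass(frozen=True)
class TrustZone:
    scope: str             # "Current Account" or "Resource Directory"
    accounts: frozenset    # one ID, or every member account of the directory

    def is_trusted(self, principal: str) -> bool:
        if principal == "*":                 # anonymous access is never trusted
            return False
        m = RAM_ARN.match(principal)
        if m:
            return m.group(1) in self.accounts
        if principal.isdigit():              # assumed: bare account ID
            return principal in self.accounts
        return True   # assumed: service principals (e.g. ecs.aliyuncs.com) are not external accounts


def _principals(stmt):
    """Normalise the Principal element to a flat list of principal strings."""
    p = stmt.get("Principal", [])
    if isinstance(p, str):
        return [p]
    if isinstance(p, dict):                  # {"RAM": [...], "Service": [...]}
        return [s for v in p.values() for s in ([v] if isinstance(v, str) else v)]
    return list(p)


def external_grants(policy, zone):
    """(principal, actions) for every Allow statement whose principal is outside the zone."""
    grants = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        grants += [(p, actions) for p in _principals(stmt) if not zone.is_trusted(p)]
    return grants


def _finding(rtype, name, grants):
    if not grants:
        return None
    return {"resource_type": rtype, "resource": name, "status": "Active",
            "external_access": [{"principal": p, "actions": a} for p, a in grants]}


def analyze_bucket(bucket, zone):
    blocked = bucket.get("block_public_access", False)
    grants = []
    # Assumed: Block Public Access suppresses anonymous grants from both the ACL and the policy.
    if not blocked and bucket.get("acl") in ("public-read", "public-read-write"):
        actions = ["oss:GetObject"] + (["oss:PutObject"] if bucket["acl"] == "public-read-write" else [])
        grants.append(("*", actions))
    for p, actions in external_grants(bucket.get("policy", {}), zone):
        if not (p == "*" and blocked):
            grants.append((p, actions))
    return _finding("OSS Bucket", bucket["name"], grants)


def analyze_role(role, zone):
    return _finding("RAM Role", role["name"], external_grants(role.get("trust_policy", {}), zone))


# Constructed sample inventory: one account, one resource directory of two accounts.
ZONE_ACCOUNT = TrustZone("Current Account", frozenset({"111111111111"}))
ZONE_RD = TrustZone("Resource Directory", frozenset({"111111111111", "222222222222"}))

SAMPLE_BUCKETS = [
    {"name": "public-assets", "acl": "public-read", "block_public_access": False, "policy": {}},
    {"name": "partner-share", "acl": "private", "block_public_access": True, "policy": {
        "Version": "1", "Statement": [
            {"Effect": "Allow", "Action": ["oss:GetObject"], "Principal": ["*"],
             "Resource": ["acs:oss:*:111111111111:partner-share/*"]},
            {"Effect": "Allow", "Action": ["oss:GetObject", "oss:ListObjects"],
             "Principal": ["222222222222"], "Resource": ["acs:oss:*:111111111111:partner-share/*"]}]}},
]
SAMPLE_ROLES = [
    {"name": "cross-account-reader", "trust_policy": {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"RAM": ["acs:ram::111111111111:root", "acs:ram::333333333333:root"]}}]}},
    {"name": "ecs-service-role", "trust_policy": {"Version": "1", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": ["ecs.aliyuncs.com"]}}]}},
]


def run_analyzer(zone, buckets=SAMPLE_BUCKETS, roles=SAMPLE_ROLES):
    """Return the active findings for every bucket and role in the zone."""
    results = [analyze_bucket(b, zone) for b in buckets] + [analyze_role(r, zone) for r in roles]
    return [f for f in results if f]


if __name__ == "__main__":
    for zone in (ZONE_ACCOUNT, ZONE_RD):
        print(zone.scope, [(f["resource_type"], f["resource"]) for f in run_analyzer(zone)])
```

Running the same inventory against both zones shows the effect of the scope: with the Current Account scope the bucket shared with account 222222222222 is a finding, while with the Resource Directory scope that account is a member and the finding disappears; the anonymous public-read bucket and the role assumable by account 333333333333 are findings under either scope.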
Create an external access analyzer
Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose .
In the top navigation bar, select a region.
Note: An external access analyzer analyzes only resources in the region where the analyzer resides. To analyze resources in other regions, you must create an analyzer in each of those regions. Resources that are deployed in the central region, such as RAM roles, can be monitored and analyzed by analyzers in any region.
On the Analyzers page, click Create Analyzer. On the Create Analyzer page, enter an analyzer name, set Analyzer Type to External Access, and select an analyzer scope. Then, click Create Analyzer.
Note: Only the management account of a resource directory can set Analyzer Scope to Resource Directory.

After you create the analyzer, the analyzer detects external access to the resources in the analyzer scope. The system requires some time to generate the findings.
View and handle the external access findings
View the findings
You can view the findings on the Analyzers or Findings page.
The following figure shows the Analyzers page.

The following figure shows the Findings page.

Filter the findings
You can search for specific findings based on filter conditions, such as Resource, Resource Type, Resource Owner, and Status.
The filter conditions that are actually available in the console prevail.
For example, you can configure the following conditions to check whether public access exists.

View the details of a finding
In the finding list, find the finding that you want to manage and click the ID in the Finding ID column.

You can perform one of the following operations based on the finding:
If the resource sharing is expected, click Archive to archive the finding.
If the resource sharing is unexpected, click Go for Governance or Copy Resource URL to perform governance operations on the corresponding page. If the resource involved belongs to the current account, click Go for Governance. Otherwise, click Copy Resource URL.
Automatically archive the findings
Apart from manually archiving a single finding, you can create archive rules to automatically archive findings that do not require governance.
On the Findings page, configure filter conditions and click Save as Archive Rule to create an archive rule. After you create the archive rule, new findings are automatically archived.

Findings that are generated before the archive rule is created are not automatically archived. To archive the findings, perform the following operations: Go to the Analyzers page, click the name in the Analyzer Name column, click the Archive Rules tab, find the required archive rule, and then click Apply Archive Rule in the Actions column.
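The following added example (not Alibaba Cloud code) models the archive-rule behaviour described in this section and in "Filter the findings": filter conditions are saved as a rule, findings generated after the rule is saved are archived on arrival, findings that already existed stay active until the rule is applied explicitly, and a public-access finding that the rule does not cover remains active. The `Finding` fields, the exact-match filter semantics, and all IDs and account numbers are constructed assumptions.

```python
"""Added example (not Alibaba Cloud code): how archive rules interact with findings.
A rule saved from filter conditions archives findings generated after it; findings
that already exist stay Active until the rule is explicitly applied. All data is constructed."""
from dataclasses import dataclass


@dataclass
class Finding:
    id: str
    resource: str
    resource_type: str
    resource_owner: str
    principal: str          # assumed field: the external identity named in the finding
    status: str = "Active"


def matches(finding, conditions):
    """Assumed filter semantics: every condition is an exact match on the named field."""
    return all(getattr(finding, key) == value for key, value in conditions.items())


class FindingStore:
    def __init__(self):
        self.findings = []
        self.archive_rules = []

    def add(self, finding):
        """A newly generated finding is archived on arrival if any saved rule matches it."""
        if any(matches(finding, rule) for rule in self.archive_rules):
            finding.status = "Archived"
        self.findings.append(finding)
        return finding

    def filter(self, **conditions):
        return [f for f in self.findings if matches(f, conditions)]

    def save_as_archive_rule(self, **conditions):
        """Equivalent of 'Save as Archive Rule' on a configured filter."""
        rule = dict(conditions)
        self.archive_rules.append(rule)
        return rule

    def apply_archive_rule(self, rule):
        """The explicit step needed for findings that predate the rule; returns how many changed."""
        changed = 0
        for f in self.findings:
            if f.status == "Active" and matches(f, rule):
                f.status = "Archived"
                changed += 1
        return changed


def walkthrough():
    """Runs the sequence from the text and returns the observable statuses at each step."""
    store = FindingStore()
    owner = "111111111111"   # constructed account ID
    # Two findings that exist before any archive rule is created (constructed).
    store.add(Finding("f-1", "partner-share", "OSS Bucket", owner, "222222222222"))
    store.add(Finding("f-2", "public-assets", "OSS Bucket", owner, "*"))

    # Sharing with the partner account is expected: save the filter as an archive rule.
    rule = store.save_as_archive_rule(resource_type="OSS Bucket", principal="222222222222")
    # A finding generated after the rule exists is archived automatically.
    store.add(Finding("f-3", "partner-share-2", "OSS Bucket", owner, "222222222222"))
    before_apply = {f.id: f.status for f in store.findings}

    # The pre-existing finding f-1 only changes when the rule is applied explicitly.
    applied = store.apply_archive_rule(rule)
    after_apply = {f.id: f.status for f in store.findings}
    # Public access is not covered by that rule, so it remains an Active finding to govern.
    public_active = [f.id for f in store.filter(principal="*", status="Active")]
    return {"before_apply": before_apply, "applied": applied, "after_apply": after_apply,
            "public_active": public_active}


if __name__ == "__main__":
    print(walkthrough())
```

The point to keep in mind from the walkthrough is the gap between `before_apply` and `after_apply`: the older finding stays active after the rule is saved and is only archived by the explicit apply step, which is the manual operation this section describes.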
