Ensure IAM Access Analyzer is enabled in all active regions

IAM Access Analyzer should be enabled in every in-scope AWS region so public and cross-account access findings are generated where resources exist.

Category

Controls

Medium

Applies to

AWS

Coverage

1 query

Asset types

1 covered

Overview

IAM Access Analyzer should be enabled in every in-scope AWS region so public and cross-account access findings are generated where resources exist.

Why this matters

Access Analyzer is regional. If a region has no analyzer, findings for resources in that region can be missed.

What this control should detect

AWS accounts or connectors where one or more active regions do not have a supported account-level or organization-level analyzer.

Remediation guidance

AWS Remediation

Service-wide fix (recommended): enable an analyzer in every approved AWS region as part of account vending, region enablement, or Control Tower / landing-zone baselines.

When to use service-wide remediation

Use the service-wide path when many accounts or regions are affected. It is faster and prevents the same gap from reappearing when new regions are activated.

Console

  1. Open IAM in the target region.
  2. Select Access Analyzer.
  3. Choose Create analyzer.
  4. Select Account for a single-account analyzer, or Organization if you manage findings centrally for AWS Organizations.
  5. Enter a name and create the analyzer.
  6. Repeat in every in-scope region.

AWS CLI

Create an account-level analyzer in a region:

aws accessanalyzer create-analyzer \
  --region <region> \
  --analyzer-name external-access \
  --type ACCOUNT

Create an organization-level analyzer in a region:

aws accessanalyzer create-analyzer \
  --region <region> \
  --analyzer-name org-external-access \
  --type ORGANIZATION

Validate that the analyzer exists and is active:

aws accessanalyzer list-analyzers \
  --region <region> \
  --query 'analyzers[].{name:name,type:type,status:status}'

Operational notes

  • ORGANIZATION analyzers require the right AWS Organizations permissions and are usually created from the management account or a delegated administrator.
  • AWS allows only one account-level analyzer per analyzer type per account and region, so standardize the analyzer name and rollout process.
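The check this control runs and the per-region fix it prescribes can be modelled together. The block below is an added example, not Cyscale's stored query and not AWS code: it evaluates a constructed snapshot shaped like the output of the list-analyzers command above (collected once per active region), returns the regions that lack an ACTIVE account- or organization-level analyzer (the control passes when that list is empty, matching "Expected check: eq []"), and builds the create-analyzer command from this page for each gap. The region names, analyzer names and statuses in the sample data are constructed; the function names are this example's own.

```python
"""Offline model of the 'Access Analyzer enabled in all active regions' check.

Added example: not Cyscale's stored query and not AWS code. The sample data
below is constructed to look like per-region output of
  aws accessanalyzer list-analyzers --query 'analyzers[].{name:name,type:type,status:status}'
"""
from typing import Dict, List

# Analyzer types that satisfy the control (account- or organization-level
# external-access analyzers). Other analyzer types do not count.
SUPPORTED_TYPES = {"ACCOUNT", "ORGANIZATION"}

# Constructed sample: regions enabled for the account.
ACTIVE_REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-2"]

# Constructed sample: per-region list-analyzers output.
# us-east-1 is covered, eu-west-1 has an analyzer that is not ACTIVE,
# ap-southeast-2 has no analyzer at all.
ANALYZERS_BY_REGION: Dict[str, List[dict]] = {
    "us-east-1": [{"name": "external-access", "type": "ACCOUNT", "status": "ACTIVE"}],
    "eu-west-1": [{"name": "external-access", "type": "ACCOUNT", "status": "FAILED"}],
    "ap-southeast-2": [],
}


def region_is_covered(analyzers: List[dict]) -> bool:
    """A region is covered when at least one supported analyzer is ACTIVE."""
    return any(
        a.get("type") in SUPPORTED_TYPES and a.get("status") == "ACTIVE"
        for a in analyzers
    )


def regions_without_analyzer(active_regions: List[str],
                             analyzers_by_region: Dict[str, List[dict]]) -> List[str]:
    """Return active regions lacking an ACTIVE account- or org-level analyzer.

    The control passes when the result is empty (the page's 'Expected check: eq []').
    A region missing from the snapshot is treated as having no analyzer.
    """
    return [
        region for region in active_regions
        if not region_is_covered(analyzers_by_region.get(region, []))
    ]


def remediation_commands(missing_regions: List[str],
                         analyzer_type: str = "ACCOUNT",
                         name: str = "external-access") -> List[str]:
    """Build the create-analyzer command shown on this page for each uncovered region.

    A single standard name is used so the rollout is repeatable (AWS allows one
    account-level analyzer per type per account and region).
    """
    return [
        f"aws accessanalyzer create-analyzer --region {region} "
        f"--analyzer-name {name} --type {analyzer_type}"
        for region in missing_regions
    ]


if __name__ == "__main__":
    missing = regions_without_analyzer(ACTIVE_REGIONS, ANALYZERS_BY_REGION)
    if not missing:
        print("PASS: every active region has an active analyzer")
    else:
        print(f"FAIL: no active analyzer in {missing}")
        for cmd in remediation_commands(missing):
            print(cmd)
```

Two points the sample is built to show: an analyzer that exists but is not in the ACTIVE state (eu-west-1) still fails the control, and a region with no analyzer record at all (ap-southeast-2) must be treated as a gap rather than skipped. Filtering on type matters as well: AWS also offers unused-access analyzer types, which do not produce the public and cross-account findings this control is about, so they are not counted as coverage here.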

References

  • https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
  • https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/create-analyzer.html
  • https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-quotas.html

Query logic

These are the stored checks tied to this control.

IAM Access analyzer is enabled for all regions

Connectors

AWS

Covered asset types

Connector

Expected check: eq []

AWS140IAM20{...AssetFragment}