
[BUG] IAM Access Analyzer solution does not fully deploy to all enabled regions in the management account #309

@julian-price

Description


Describe the bug

When deploying the solution to a multi-region org, the access analyzer is only deployed to the home region of the management account, rather than to all enabled regions. This is because the sra-iam-access-analyzer-account.yaml template is deployed via a Stack rather than a StackSet. Accounts other than the Organization management account have the sra-iam-access-analyzer-account.yaml template deployed via a StackSet, so all regions get included.

To Reproduce

  1. Set up an Organization with multiple regions enabled - e.g. us-east-1 and ca-central-1
  2. Deploy the SRA IAM Access Analyzer solution via StackSets (I used the CfCT) in the Org management home region (e.g. us-east-1)
  3. Verify that an Access Analyzer has been deployed in all regions for accounts other than the management account
  4. Verify that an Access Analyzer has only been deployed to us-east-1 for the management account (this will also get flagged by SecurityHub CSPM, if enabled)

Expected behavior

An Access Analyzer should be deployed to all enabled regions for the Org management account.

Deployment Environment (please complete the following information)

  • Deployment Framework: CfCT
  • Deployment Framework Version: version 2.8.1

Additional context

I worked around this by customising my own sra-iam-access-analyzer-main-ssm.yaml to use a StackSet:

  rIAMAccessAnalyzerMgmtAccountStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: sra-iam-access-analyzer-mgmt-account
      AdministrationRoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${pStackSetAdminRole}
      ExecutionRoleName: !Ref pStackExecutionRole
      CallAs: SELF
      Capabilities:
        - CAPABILITY_NAMED_IAM
      Description: !Sub ${pSRASolutionVersion} - Deploys an account level IAM Access Analyzer to all management account regions
      ManagedExecution:
        Active: true
      OperationPreferences:
        FailureTolerancePercentage: 100
        MaxConcurrentPercentage: 100
        RegionConcurrencyType: PARALLEL
      PermissionModel: SELF_MANAGED
      StackInstancesGroup:
        - DeploymentTargets:
            Accounts:
              - !Sub ${AWS::AccountId}
          Regions: !Ref pAccessAnalyzerRegionsToEnable
      TemplateURL: !Sub https://${pSRAStagingS3BucketName}.s3.${AWS::Region}.${AWS::URLSuffix}/${pSRASolutionName}/templates/sra-iam-access-analyzer-account.yaml
      Parameters:
        - ParameterKey: pAccessAnalyzerNamePrefix
          ParameterValue: !Ref pAccessAnalyzerNamePrefix
      Tags:
        - Key: sra-solution
          Value: !Ref pSRASolutionName
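Steps 3 and 4 of the reproduction can be checked automatically. The script below is an added example, not code from the issue author or the SRA project: it reports every opted-in region of the current account that has no ACTIVE account-level analyzer. The `collect_from_aws` helper and the sample data are assumptions; the sample data is constructed to mirror the symptom in the issue.

```python
from typing import Dict, Iterable, List

# Constructed sample data (not real account output): regions enabled for the
# account, and what accessanalyzer:ListAnalyzers returns in each of them.
SAMPLE_ENABLED_REGIONS = ["us-east-1", "ca-central-1", "eu-west-1"]
SAMPLE_ANALYZERS_BY_REGION = {
    "us-east-1": [{"name": "sra-iam-access-analyzer-account", "type": "ACCOUNT", "status": "ACTIVE"}],
    "ca-central-1": [],  # the symptom from the issue: nothing outside the home region
    "eu-west-1": [{"name": "legacy-analyzer", "type": "ACCOUNT", "status": "DISABLED"}],
}

def regions_missing_analyzer(enabled_regions: Iterable[str],
                             analyzers_by_region: Dict[str, List[dict]],
                             analyzer_type: str = "ACCOUNT") -> List[str]:
    """Return the enabled regions that have no ACTIVE analyzer of the given type."""
    missing = []
    for region in enabled_regions:
        active = [a for a in analyzers_by_region.get(region, [])
                  if a.get("type") == analyzer_type and a.get("status") == "ACTIVE"]
        if not active:
            missing.append(region)
    return missing

def collect_from_aws(session=None):
    """Gather the same two inputs live with boto3 (imported lazily so the pure
    check above runs without it). Needs account:ListRegions and
    access-analyzer:ListAnalyzers permissions in the target account."""
    import boto3  # assumption: boto3 is installed and credentials are configured
    session = session or boto3.Session()
    account = session.client("account")
    regions, kwargs = [], {"RegionOptStatusContains": ["ENABLED", "ENABLED_BY_DEFAULT"]}
    while True:
        page = account.list_regions(**kwargs)
        regions.extend(r["RegionName"] for r in page["Regions"])
        if not page.get("NextToken"):
            break
        kwargs["NextToken"] = page["NextToken"]
    analyzers = {}
    for region in regions:
        client = session.client("accessanalyzer", region_name=region)
        analyzers[region], kwargs = [], {}
        while True:
            page = client.list_analyzers(**kwargs)
            analyzers[region].extend(page["analyzers"])
            if not page.get("nextToken"):
                break
            kwargs["nextToken"] = page["nextToken"]
    return regions, analyzers
```

Run `regions_missing_analyzer(*collect_from_aws())` with management-account credentials; with the Stack-based deployment it lists every enabled region except the home region.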
