Review IAM Access Analyzer findings

After you enable IAM Access Analyzer, the next step is to review each finding and determine whether the access it reports is intentional or unintentional. Where a set of findings reports access that is intended, you can create an archive rule that archives those findings automatically. You can also review archived and resolved findings.

You should review all of the findings in your account to determine whether the external or unused access is expected and approved. If the external or unused access identified in the finding is expected, you can archive the finding. When you archive a finding, its status changes to Archived and it is removed from the active findings list. The finding is not deleted, and you can view your archived findings at any time. Work through all of the findings in your account until you have zero active findings. Once you are at zero, any new Active finding indicates a recent change in your environment.
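The same triage loop run through the IAM Access Analyzer API instead of the console, as an added example rather than code from the AWS documentation. It assumes a boto3 accessanalyzer client (an offline stand-in is included so it runs without AWS credentials), an analyzer ARN and name supplied by the caller, and a constructed set of findings and account IDs. It archives only findings whose external principal is an explicitly approved account, never a public or federated one, and builds the archive rule filter for that account so later findings for it are archived automatically.

```python
"""Triage IAM Access Analyzer external access findings through the API.

Added example, not code from the AWS documentation. It assumes a boto3
'accessanalyzer' client (or the offline stand-in below) plus an analyzer
ARN and name supplied by the caller; account and finding IDs are constructed.
"""
from __future__ import annotations

APPROVED_ACCOUNTS = {"222222222222"}  # assumed: accounts whose access is expected

# Constructed findings in the shape ListFindings returns.
SAMPLE_FINDINGS = [
    {"id": "f-1", "status": "ACTIVE", "isPublic": False, "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::app-logs", "principal": {"AWS": "222222222222"},
     "action": ["s3:GetObject"]},
    {"id": "f-2", "status": "ACTIVE", "isPublic": True, "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::www-assets", "principal": {}, "action": ["s3:GetObject"]},
    {"id": "f-3", "status": "ACTIVE", "isPublic": False, "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111111111111:role/Deploy",
     "principal": {"AWS": "333333333333"}, "action": ["sts:AssumeRole"]},
    {"id": "f-4", "status": "ACTIVE", "isPublic": False, "resourceType": "AWS::KMS::Key",
     "resource": "arn:aws:kms:us-east-1:111111111111:key/1234",
     "principal": {"AWS": "arn:aws:iam::222222222222:role/ci"}, "action": ["kms:Decrypt"]},
]


def account_of(principal: dict) -> str | None:
    """Account ID behind an 'AWS' principal, whether given as an ID or an ARN."""
    value = principal.get("AWS")
    if value is None:
        return None
    return value.split(":")[4] if value.startswith("arn:") else value


def classify(finding: dict, approved: set[str] = APPROVED_ACCOUNTS) -> str:
    """'archive' when the access is expected, 'review' otherwise.

    Public access and federated or unknown principals are never archived
    automatically: a human has to look at those.
    """
    if finding.get("isPublic"):
        return "review"
    principal = finding.get("principal", {})
    if set(principal) != {"AWS"}:
        return "review"
    return "archive" if account_of(principal) in approved else "review"


def list_active_findings(client, analyzer_arn: str) -> list[dict]:
    """Page through ListFindings, keeping only ACTIVE findings."""
    findings, token = [], None
    while True:
        kwargs = {"analyzerArn": analyzer_arn, "filter": {"status": {"eq": ["ACTIVE"]}}}
        if token:
            kwargs["nextToken"] = token
        page = client.list_findings(**kwargs)
        findings.extend(page.get("findings", []))
        token = page.get("nextToken")
        if not token:
            return findings


def triage(client, analyzer_arn: str, approved=APPROVED_ACCOUNTS, dry_run=True) -> dict:
    """Archive expected findings (UpdateFindings) and return what is left to review."""
    findings = list_active_findings(client, analyzer_arn)
    archive = [f["id"] for f in findings if classify(f, approved) == "archive"]
    review = [f for f in findings if classify(f, approved) == "review"]
    if archive and not dry_run:
        for i in range(0, len(archive), 50):  # modest batches per call
            client.update_findings(analyzerArn=analyzer_arn, status="ARCHIVED",
                                   ids=archive[i:i + 50])
    return {"archived": archive, "review": review}


def archive_rule_filter(account: str) -> dict:
    """Filter for an archive rule that auto-archives future non-public findings
    for one account. Criteria values are lists of strings, as CreateArchiveRule expects."""
    return {"principal.AWS": {"eq": [account]}, "isPublic": {"eq": ["false"]}}


class FakeAccessAnalyzer:
    """Offline stand-in for the boto3 client; records the calls it receives."""

    def __init__(self, findings):
        self._findings, self.archived, self.rules = list(findings), [], []

    def list_findings(self, analyzerArn, filter=None, nextToken=None):
        active = [f for f in self._findings if f["status"] == "ACTIVE"]
        start = int(nextToken or 0)  # one finding per page to exercise paging
        page = {"findings": active[start:start + 1]}
        if start + 1 < len(active):
            page["nextToken"] = str(start + 1)
        return page

    def update_findings(self, analyzerArn, status, ids):
        self.archived += ids
        return {}

    def create_archive_rule(self, analyzerName, ruleName, filter):
        self.rules.append((ruleName, filter))
        return {}


if __name__ == "__main__":
    fake = FakeAccessAnalyzer(SAMPLE_FINDINGS)
    arn = "arn:aws:access-analyzer:us-east-1:111111111111:analyzer/org"  # assumed
    result = triage(fake, arn, dry_run=False)
    fake.create_archive_rule(analyzerName="org", ruleName="approved-222222222222",
                             filter=archive_rule_filter("222222222222"))
    print("archived:", result["archived"])
    for f in result["review"]:
        print("review:", f["id"], f["resource"], f["principal"] or "public")
```

Against a real account, replace the stand-in with `boto3.client("accessanalyzer")` and keep `dry_run=True` for the first pass so you can read the two lists before anything is archived. The public bucket (f-2) and the unapproved account (f-3) stay active on purpose; auto-archiving public access defeats the point of the analyzer, and an archive rule should be as narrow as the `principal.AWS` plus `isPublic` filter here rather than matching on resource type alone.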

To review findings
  1. Open the IAM console at https://console.aws.amazon.com/iam/.
  2. Choose Access analyzer.
  3. The findings dashboard is displayed. Select the active findings for your external or unused access analyzer.
    For more information on viewing the findings dashboard, see View the IAM Access Analyzer findings dashboard.
Note

Findings are displayed only if you have permission to view findings for the analyzer.

The Findings page lists the findings for the selected analyzer. To view findings with a different status, choose Active, Archived, or Resolved from the Status dropdown.

Important

Resolved findings are deleted 90 days after the last update to the finding. Active and archived findings are not deleted unless you delete the analyzer that generated them.

External access findings

Choose External access and then choose the external access analyzer from the View analyzer dropdown. The Findings page for external access analyzers displays the following details about the shared resource and policy statement that generated the finding:

Finding ID

The unique ID assigned to the finding. Choose the finding ID to display additional details about the resource and policy statement that generated the finding.

Resource

The type and partial name of the resource that has a policy applied to it that grants access to an external entity not within your zone of trust.

Resource owner account

This column is displayed only if you are using an organization as the zone of trust. The account in the organization that owns the resource reported in the finding.

External principal

The principal, not within your zone of trust, that the analyzed policy grants access to. Valid values include:

Condition

The condition from the policy statement that grants the access. For example, if the Condition field includes Source VPC, it means that the resource is shared with a principal that has access to the VPC listed. Conditions can be global or service-specific. Global condition keys have the aws: prefix.

Shared through

The Shared through field indicates how the access that generated the finding is granted. Valid values include:

Access level

The level of access granted to the external entity by the actions in the resource-based policy. View the details of the finding for more information. Access level values include the following:

Resource control policy (RCP) restriction

The impact an Organizations resource control policy (RCP) has on the finding. Resource control policy restriction values include the following:

Last updated

A timestamp for the most recent update to the finding status, or the time and date the finding was generated if no updates have been made.

Note

It may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource and update the external access finding. Changes to a resource control policy (RCP) do not trigger a rescan of the resource reported in the finding; IAM Access Analyzer picks up the new or updated RCP during the next periodic scan, which occurs within 24 hours.

Status

The status of the finding, one of Active, Archived, or Resolved.

Unused access findings

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month. For more details about pricing, see IAM Access Analyzer pricing.

Choose Unused access and then choose the unused access analyzer from the View analyzer dropdown. The Findings page for unused access analyzers displays the following details about the IAM entity that generated the finding:

Finding ID

The unique ID assigned to the finding. Choose the finding ID to display additional details about the IAM entity that generated the finding.

Finding type

The type of unused access finding: Unused access key, Unused password, Unused permission, or Unused role.

IAM entity

The IAM entity reported in the finding. This can be an IAM user or role.

AWS account ID

This column is displayed only if you set up the analyzer for all AWS accounts in the organization. The AWS account in the organization that owns the IAM entity reported in the finding.

Last updated

The last time that the IAM entity reported in the finding was updated, or when the entity was created if no updates have been made.

Status

The status of the finding (Active, Archived, or Resolved).