Findings for external and unused access (original) (raw)

IAM Access Analyzer generates findings for external access and unused access in your AWS account or organization. For external access, IAM Access Analyzer generates a finding for each instance of a resource-based policy that grants access to a resource within your zone of trust to a principal that is not within your zone of trust. When you create an external access analyzer, you choose an organization or AWS account to analyze. Any principal in the organization or account that you choose for the analyzer is considered trusted. Because principals in the same organization or account are trusted, the resources and principals within the organization or account comprise the zone of trust for the analyzer. Any sharing that is within the zone of trust is considered safe, so IAM Access Analyzer does not generate a finding. For example, if you select an organization as the zone of trust for an analyzer, all resources and principals in the organization are within the zone of trust. If you grant permissions to an Amazon S3 bucket in one of your organization member accounts to a principal in another organization member account, IAM Access Analyzer does not generate a finding. But if you grant permission to a principal in an account that is not a member of the organization, IAM Access Analyzer generates a finding.

IAM Access Analyzer also generates findings for unused access granted in your AWS organization and accounts. When you create an unused access analyzer, IAM Access Analyzer continuously monitors all IAM roles and users in your AWS organization and accounts and generates findings for unused access. IAM Access Analyzer generates the following types of findings for unused access:

• Unused roles – Roles with no access activity within the specified usage window.
• Unused IAM user access keys and passwords – Credentials belonging to IAM users that have not been used to access your AWS account in the specified usage window.
• Unused permissions – Service-level and action-level permissions that weren't used by a role within the specified usage window. IAM Access Analyzer uses identity-based policies attached to roles to determine the services and actions that those roles can access. IAM Access Analyzer supports review of unused permissions for all service-level permissions. For a complete list of action-level permissions that are supported for unused access findings, see IAM action last accessed information services and actions.

Note

IAM Access Analyzer offers external access findings for free and charges for unused access findings based on the number of IAM roles and users analyzed per analyzer per month. For more details about pricing, see IAM Access Analyzer pricing.

Topics

• Understand how IAM Access Analyzer findings work
• Getting started with AWS Identity and Access Management Access Analyzer
• View the IAM Access Analyzer findings dashboard
• Review IAM Access Analyzer findings
• Filter IAM Access Analyzer findings
• Archive IAM Access Analyzer findings
• Resolve IAM Access Analyzer findings
• IAM Access Analyzer resource types for external access
• Delegated administrator for IAM Access Analyzer
• Delete external and unused access analyzers
• Archive rules
• Monitoring AWS Identity and Access Management Access Analyzer with Amazon EventBridge
• Integrate IAM Access Analyzer with AWS Security Hub
• Logging IAM Access Analyzer API calls with AWS CloudTrail
• IAM Access Analyzer filter keys
• Using service-linked roles for AWS Identity and Access Management Access Analyzer

IAM Access Analyzer

How findings work

Did this page help you? - Yes

Thanks for letting us know we're doing a good job!

If you've got a moment, please tell us what we did right so we can do more of it.

Did this page help you? - No

Thanks for letting us know this page needs work. We're sorry we let you down.

If you've got a moment, please tell us how we can make the documentation better.