Understand how IAM Access Analyzer findings work
This topic describes the concepts and terms that are used in IAM Access Analyzer to help you become familiar with how IAM Access Analyzer monitors access to your Amazon resources.
External access findings
External access findings are generated only once for each instance of a resource that is shared outside of your zone of trust. Each time a resource-based policy is modified, IAM Access Analyzer analyzes the policy. If the updated policy shares a resource that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the resource sharing. Changes to a resource control policy that impact the Resource control policy (RCP) restriction also generate a new finding. If the access in the first finding is removed, that finding is updated to a status of Resolved.
The status of all findings remains Active until you archive them or remove the access that generated the finding. When you remove the access, the finding status is updated to Resolved.
Note
It may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource and then update the external access finding. Changes to a resource control policy (RCP) do not trigger a rescan of the resource reported in the finding. IAM Access Analyzer analyzes the new or updated policy during the next periodic scan, which is within 24 hours.
How IAM Access Analyzer generates findings for external access
Amazon Identity and Access Management Access Analyzer uses a technology called Zelkova
Zelkova translates IAM policies into equivalent logical statements and runs them through
a suite of general-purpose and specialized logical solvers (satisfiability modulo theories).
IAM Access Analyzer applies Zelkova repeatedly to a policy, using increasingly specific queries to
characterize the types of access the policy allows based on its content. For more information
about satisfiability modulo theories, see Satisfiability
Modulo Theories
For external access analyzers, IAM Access Analyzer does not examine access logs to determine whether an external entity has actually accessed a resource within your zone of trust. Instead, it generates a finding when a resource-based policy allows access to a resource, regardless of whether the resource was accessed by the external entity.
Additionally, IAM Access Analyzer does not consider the state of any external accounts when making its determinations. If it indicates that account 111122223333 can access your Amazon S3 bucket, it doesn't have any information about the users, roles, service control policies (SCP), or other relevant configurations in that account. This is for customer privacy, as IAM Access Analyzer doesn't know who owns the other account. This is also for security, as it's important to know about potential external access even if there are currently no active principals that can use it.
IAM Access Analyzer only considers certain IAM condition keys that external users can't directly influence or that are otherwise impactful to authorization. For examples of condition keys IAM Access Analyzer considers, see IAM Access Analyzer filter keys.
IAM Access Analyzer doesn't currently report findings from Amazon Web Services service principals or internal service accounts. In rare cases where it can't fully determine whether a policy statement grants access to an external entity, it errs on the side of declaring a false positive finding. This is because IAM Access Analyzer is designed to provide a comprehensive view of the resource sharing in your account and to minimize false negatives.
Unused access findings
Unused access findings are generated for IAM entities within the selected account or organization based on the number of days specified while creating the analyzer. A new finding is generated the next time the analyzer scans the entities if one of the following conditions is met:
-
A role is inactive for the specified number of days.
-
An unused permission, unused user password, or unused user access key surpasses the specified number of days.
Note
Unused access findings are only available using the ListFindingsV2 API action.
How IAM Access Analyzer generates findings for unused access
To analyze unused access, you must create a separate analyzer for unused access findings for your roles, even if you’ve already created an analyzer to generate external access findings for your resources.
After creating the unused access analyzer, IAM Access Analyzer reviews access activity to identify unused access. IAM Access Analyzer examines the last accessed information for all IAM users, IAM roles including service roles, user access keys, and user passwords across your Amazon organization and accounts. This helps you identify unused access.
Note
A service-linked role is a special type of service role that is linked to an Amazon Web Services service and owned by the service. Service-linked roles are not analyzed by unused access analyzers.
For active IAM roles and users, IAM Access Analyzer uses last accessed information for IAM services and actions to identify unused permissions. This allows you to scale your review process at the Amazon organization and account level. You can also use the action last accessed information for deeper investigation of individual roles. This provides more granular insights into which specific permissions are not being utilized.
By creating an analyzer dedicated to unused access, you can comprehensively review and identify unused access across your Amazon environment, complementing the findings generated by your existing external access analyzer.