Reviewing findings - Amazon Identity and Access Management

Reviewing findings

After you enable IAM Access Analyzer, the next step is to review any findings to determine whether the access identified in each finding is intentional or unintentional. You can also review findings to identify groups of similar findings for access that is intended, and then create an archive rule to archive those findings automatically. You can also review archived and resolved findings.

To review findings
  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. Choose Access analyzer.

  3. The findings dashboard is displayed. Select the active findings for your external or unused access analyzer.

    For more information on viewing the findings dashboard, see Viewing the IAM Access Analyzer findings dashboard.

Note

Findings are displayed only if you have permission to view findings for the analyzer.

Findings for the analyzer are listed according to the selected status. To view findings with a different status, choose the appropriate status from the Status dropdown:

  • Choose Active to view all active findings that were generated by the analyzer.

  • Choose Archived to view only findings generated by the analyzer that have been archived. To learn more, see Archiving findings.

  • Choose Resolved to view only findings generated by the analyzer that have been resolved. When you remediate the issue that generated a finding, the finding status changes to Resolved.

    Important

    Resolved findings are deleted 90 days after the last update to the finding. Active and archived findings are not deleted unless you delete the analyzer that generated them.

  • Choose All to view all findings with any status that were generated by the analyzer.

External access findings

Choose External access and then choose the external access analyzer from the View analyzer dropdown. The Findings page for external access analyzers displays the following details about the shared resource and policy statement that generated the finding:

Finding ID

The unique ID assigned to the finding. Choose the finding ID to display additional details about the resource and policy statement that generated the finding.

Resource

The type and partial name of the resource whose policy grants access to an external entity outside your zone of trust.

Resource owner account

This column is displayed only if you are using an organization as the zone of trust. The account in the organization that owns the resource reported in the finding.

External principal

The principal, not within your zone of trust, that the analyzed policy grants access to. Valid values include:

  • Amazon Web Services account – All principals in the listed Amazon Web Services account with permissions from that account's administrator can access the resource.

  • Any principal – All principals in any Amazon Web Services account that meet the conditions included in the Conditions column have permission to access the resource. For example, if a VPC is listed, it means that any principal in any account that has permission to access the listed VPC can access the resource.

  • Canonical user – All principals in the Amazon Web Services account with the listed canonical user ID have permission to access the resource.

  • IAM role – The listed IAM role has permission to access the resource.

  • IAM user – The listed IAM user has permission to access the resource.

Condition

The condition from the policy statement that grants the access. For example, if the Condition field includes Source VPC, it means that the resource is shared with a principal that has access to the VPC listed. Conditions can be global or service-specific. Global condition keys have the aws: prefix.

Shared through

The Shared through field indicates how the access that generated the finding is granted. Valid values include:

  • Bucket policy – The bucket policy attached to the Amazon S3 bucket.

  • Access control list – The access control list (ACL) attached to the Amazon S3 bucket.

  • Access point – An access point or multi-region access point associated with the Amazon S3 bucket. The ARN of the access point is displayed in the Findings details.

Access level

The level of access granted to the external entity by the actions in the resource-based policy. View the details of the finding for more information. Access level values include the following:

  • List – Permission to list resources within the service to determine whether an object exists. Actions with this level of access can list objects but cannot see the contents of a resource.

  • Read – Permission to read but not edit the contents and attributes of resources in the service.

  • Write – Permission to create, delete, or modify resources in the service.

  • Permissions – Permission to grant or modify resource permissions in the service.

  • Tagging – Permission to perform actions that only change the state of resource tags.

Updated

A timestamp for the most recent update to the finding status, or the time and date the finding was generated if no updates have been made.

Note

It may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource again and update the finding.

Status

The status of the finding, one of Active, Archived, or Resolved.
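As an added example (not AWS code), the following offline triage works over the external access fields described above: it filters findings by the values in the Status dropdown, classifies the external principal into the categories listed, and ranks findings by access level and by whether an Any principal grant is narrowed by a condition. The record shape, the LEVEL_RISK weights and the sample findings are assumptions constructed for this example, not analyzer output.

```python
from collections import Counter

# Constructed sample findings, not real analyzer output. Keys mirror the
# columns described above; the record shape is an assumption.
FINDINGS = [
    {"id": "f-001", "principal": {"AWS": "*"}, "condition": {},
     "shared_through": "Bucket policy", "access_level": ["List", "Read"], "status": "Active"},
    {"id": "f-002", "principal": {"AWS": "*"}, "condition": {"aws:SourceVpc": "vpc-0example"},
     "shared_through": "Bucket policy", "access_level": ["Write"], "status": "Active"},
    {"id": "f-003", "principal": {"AWS": "arn:aws-cn:iam::111122223333:role/ExampleRole"},
     "condition": {}, "shared_through": "Access point", "access_level": ["Read"], "status": "Active"},
    {"id": "f-004", "principal": {"AWS": "111122223333"}, "condition": {},
     "shared_through": "Access control list", "access_level": ["Permissions"], "status": "Archived"},
    {"id": "f-005", "principal": {"CanonicalUser": "EXAMPLE_CANONICAL_USER_ID"}, "condition": {},
     "shared_through": "Access control list", "access_level": ["Tagging"], "status": "Resolved"},
]

# Assumed ranking of the access levels listed above, highest impact first.
LEVEL_RISK = {"Permissions": 4, "Write": 3, "Read": 2, "List": 1, "Tagging": 1}

def principal_type(principal):
    """Map the principal element to the external principal categories above."""
    if "CanonicalUser" in principal:
        return "Canonical user"
    aws = principal.get("AWS", "")
    if aws == "*":
        return "Any principal"
    if ":role/" in aws:
        return "IAM role"
    if ":user/" in aws:
        return "IAM user"
    return "Amazon Web Services account"

def risk_score(finding):
    """Score a finding by access level, principal type and condition."""
    score = max(LEVEL_RISK.get(level, 0) for level in finding["access_level"])
    if principal_type(finding["principal"]) == "Any principal":
        # Any-principal access with no condition is public; a condition such as aws:SourceVpc narrows it.
        score += 2 if finding["condition"] else 4
    return score

def triage(findings, status="Active"):
    """Return findings with the given status, highest risk first (ties by ID)."""
    chosen = [f for f in findings if f["status"] == status]
    return sorted(chosen, key=lambda f: (-risk_score(f), f["id"]))

def summarize(findings):
    """Count findings by external principal type."""
    return Counter(principal_type(f["principal"]) for f in findings)
```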

Unused access findings

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month. For more details about pricing, see IAM Access Analyzer pricing.

Choose Unused access and then choose the unused access analyzer from the View analyzer dropdown. The Findings page for unused access analyzers displays the following details about the IAM entity that generated the finding:

Finding ID

The unique ID assigned to the finding. Choose the finding ID to display additional details about the IAM entity that generated the finding.

Finding type

The type of unused access finding: Unused access key, Unused password, Unused permission, or Unused role.

IAM entity

The IAM entity reported in the finding. This can be an IAM user or role.

Amazon Web Services account ID

This column is displayed only if you set up the analyzer for all Amazon Web Services accounts in the organization. The Amazon Web Services account in the organization that owns the IAM entity reported in the finding.

Last updated

The last time that the IAM entity reported in the finding was updated, or when the entity was created if no updates have been made.

Status

The status of the finding (Active, Archived, or Resolved).