Findings for external and unused access
IAM Access Analyzer generates findings for external access and unused access in your Amazon Web Services account or organization. For external access, IAM Access Analyzer generates a finding for each instance of a resource-based policy that grants access to a resource within your zone of trust to a principal that is not within your zone of trust. When you create an external access analyzer, you choose an organization or Amazon Web Services account to analyze. Any principal in the organization or account that you choose for the analyzer is considered trusted. Because principals in the same organization or account are trusted, the resources and principals within the organization or account comprise the zone of trust for the analyzer. Any sharing that is within the zone of trust is considered safe, so IAM Access Analyzer does not generate a finding. For example, if you select an organization as the zone of trust for an analyzer, all resources and principals in the organization are within the zone of trust. If you grant permissions to an Amazon S3 bucket in one of your organization member accounts to a principal in another organization member account, IAM Access Analyzer does not generate a finding. But if you grant permission to a principal in an account that is not a member of the organization, IAM Access Analyzer generates a finding.
IAM Access Analyzer also generates findings for unused access granted in your Amazon organization and accounts. When you create an unused access analyzer, IAM Access Analyzer continuously monitors all IAM roles and users in your Amazon organization and accounts and generates findings for unused access. IAM Access Analyzer generates the following types of findings for unused access:
-
Unused roles – Roles with no access activity within the specified usage window.
-
Unused IAM user access keys and passwords – Credentials belonging to IAM users that have not been used to access your Amazon Web Services account in the specified usage window.
-
Unused permissions – Service-level and action-level permissions that weren't used by a role within the specified usage window. IAM Access Analyzer uses identity-based policies attached to roles to determine the services and actions that those roles can access. IAM Access Analyzer supports review of unused permissions for all service-level permissions. For a complete list of action-level permissions that are supported for unused access findings, see IAM action last accessed information services and actions.
Note
IAM Access Analyzer offers external access findings for free and charges for unused access
findings based on the number of IAM roles and users analyzed per analyzer per month. For more
details about pricing, see IAM Access Analyzer pricing
Topics
- Understand how IAM Access Analyzer findings work
- Getting started with Amazon Identity and Access Management Access Analyzer
- View the IAM Access Analyzer findings dashboard
- Review IAM Access Analyzer findings
- Filter IAM Access Analyzer findings
- Archive IAM Access Analyzer findings
- Resolve IAM Access Analyzer findings
- IAM Access Analyzer resource types for external access
- Delegated administrator for IAM Access Analyzer
- Delete external and unused access analyzers
- Archive rules
- Monitoring Amazon Identity and Access Management Access Analyzer with Amazon EventBridge
- Integrate IAM Access Analyzer with Amazon Security Hub
- Logging IAM Access Analyzer API calls with Amazon CloudTrail
- IAM Access Analyzer filter keys
- Using service-linked roles for Amazon Identity and Access Management Access Analyzer