Working with findings - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Working with findings

External access findings

External access findings are generated only once for each instance of a resource that is shared outside of your zone of trust. Each time a resource-based policy is modified, IAM Access Analyzer analyzes the policy. If the updated policy shares a resource that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the resource sharing. If the access in the first finding is removed, that finding is updated to a status of Resolved.

The status of all findings remains Active until you archive them or remove the access that generated the finding. When you remove the access, the finding status is updated to Resolved.


It may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource and then update the external access finding.

Unused access findings

Unused access findings are generated for IAM entities within the selected account or organization based on the number of days specified while creating the analyzer. A new finding is generated the next time the analyzer scans the entities if one of the following conditions is met:

  • A role is inactive for the specified number of days.

  • An unused permission, unused user password, or unused user access key surpasses the specified number of days.

You should review all of the findings in your account to determine whether the external or unused access is expected and approved. If the external or unused access identified in the finding is expected, you can archive the finding. When you archive a finding, the status is changed to Archived, and the finding is removed from the active findings list. The finding is not deleted. You can view your archived findings at any time. Work through all of the findings in your account until you have zero active findings. After you get to zero findings, you know that any new Active findings that are generated are from a recent change in your environment.


Unused access findings are only available using the ListFindingsV2 API action.