Amazon managed policies for Amazon Identity and Access Management Access Analyzer
An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Service is launched or new API operations become available for existing services.
For more information, see Amazon managed policies in the IAM User Guide.
IAMReadOnlyAccess
Use the IAMReadOnlyAccess
managed policy to allow read only access to IAM
resources. This policy grants permission to get and list all IAM resources. It allows
viewing details and activity reports for users, groups, roles, policies, identity
providers, and MFA devices. It does not include the ability to create or delete resources
or access to IAM Access Analyzer resources. View the policy
IAMUserChangePassword
Use the IAMUserChangePassword
managed policy to allow IAM users to change
their password.
You configure your IAM Account settings and the Password policy to allow IAM users to change their IAM account password. When you allow this action, IAM attaches the following policy to each user:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:ChangePassword" ], "Resource": [ "arn:aws-cn:iam::*:user/${aws:username}" ] }, { "Effect": "Allow", "Action": [ "iam:GetAccountPasswordPolicy" ], "Resource": "*" } ] }
IAMAccessAnalyzerFullAccess
Use the IAMAccessAnalyzerFullAccess
Amazon managed policy to allow your
administrators to access IAM Access Analyzer.
Permissions groupings
This policy is grouped into statements based on the set of permissions provided.
-
IAM Access Analyzer – Allows full administrative permissions to all resources in IAM Access Analyzer.
-
Create service linked role – Allows the administrator to create a service-linked role, which allows IAM Access Analyzer to analyze resources in other services on your behalf. This permission allows creating the service-linked role only for use by IAM Access Analyzer.
-
Amazon Organizations – Allows administrators to use IAM Access Analyzer for an organization in Amazon Organizations. After enabling trusted access for IAM Access Analyzer in Amazon Organizations, members of the management account can view findings across their organization.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "access-analyzer:*" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "access-analyzer.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "organizations:DescribeAccount", "organizations:DescribeOrganization", "organizations:DescribeOrganizationalUnit", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListAWSServiceAccessForOrganization", "organizations:ListChildren", "organizations:ListDelegatedAdministrators", "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents", "organizations:ListRoots" ], "Resource": "*" } ] }
IAMAccessAnalyzerReadOnlyAccess
Use the IAMAccessAnalyzerReadOnlyAccess
Amazon managed policy to allow
read-only access to IAM Access Analyzer.
To also allow read-only access to IAM Access Analyzer for Amazon Organizations, create a customer managed policy that allows the Describe and List actions from the IAMAccessAnalyzerFullAccess Amazon managed policy.
Service-level permissions
This policy provides read-only access to IAM Access Analyzer. No other service permissions are included in this policy.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "IAMAccessAnalyzerReadOnlyAccess", "Effect": "Allow", "Action": [ "access-analyzer:CheckAccessNotGranted", "access-analyzer:CheckNoNewAccess", "access-analyzer:Get*", "access-analyzer:List*", "access-analyzer:ValidatePolicy" ], "Resource": "*" } ] }
AccessAnalyzerServiceRolePolicy
You can't attach AccessAnalyzerServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows IAM Access Analyzer to perform actions on your behalf. For more information, see Using service-linked roles for Amazon Identity and Access Management Access Analyzer.
Permissions groupings
This policy allows access to IAM Access Analyzer to analyze resource metadata from multiple Amazon Web Services.
-
Amazon DynamoDB – Allows permissions to view DynamoDB streams and tables.
-
Amazon Elastic Compute Cloud – Allows permissions to describe IP addresses, snapshots, and VPCs.
-
Amazon Elastic Container Registry – Allows permissions to describe image repositories and retrieve repository policies.
-
Amazon Elastic File System – Allows permissions to view the description of an Amazon EFS file system and view the resource-level policy for an Amazon EFS file system.
-
Amazon Identity and Access Management – Allows permissions to retrieve information about a specified role and list the IAM roles that have a specified path prefix. Allows permissions to retrieve information about users, user groups, login profiles, access keys, and service last accessed data.
-
Amazon Key Management Service – Allows permissions to view detailed information about an KMS key and its key policies and grants.
-
Amazon Lambda – Allows permissions to view information about Lambda aliases, functions, layers, and aliases.
-
Amazon Organizations – Allows permissions to Organizations and allows the creation of an analyzer within the Amazon organization as the zone of trust.
-
Amazon Relational Database Service – Allows permissions to view detailed information about Amazon RDS DB snapshots and Amazon RDS DB cluster snapshots.
-
Amazon Simple Storage Service – Allows permissions to view detailed information about Amazon S3 access points, buckets, and Amazon S3 directory buckets that use the Amazon S3 Express One storage class.
-
Amazon Secrets Manager – Allows permissions to view detailed information about secrets and resource policies attached to secrets.
-
Amazon Simple Notification Service – Allows permissions to view detailed information about a topic.
-
Amazon Simple Queue Service – Allows permissions to view detailed information about specified queues.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AccessAnalyzerServiceRolePolicy", "Effect": "Allow", "Action": [ "dynamodb:GetResourcePolicy", "dynamodb:ListStreams", "dynamodb:ListTables", "ec2:DescribeAddresses", "ec2:DescribeByoipCidrs", "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs", "ec2:GetSnapshotBlockPublicAccessState", "ecr:DescribeRepositories", "ecr:GetRepositoryPolicy", "elasticfilesystem:DescribeFileSystemPolicy", "elasticfilesystem:DescribeFileSystems", "iam:GetRole", "iam:ListEntitiesForPolicy", "iam:ListRoles", "iam:ListUsers", "iam:GetUser", "iam:GetGroup", "iam:GenerateServiceLastAccessedDetails", "iam:GetServiceLastAccessedDetails", "iam:ListAccessKeys", "iam:GetLoginProfile", "iam:GetAccessKeyLastUsed", "iam:ListRolePolicies", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListUserPolicies", "iam:GetUserPolicy", "iam:ListAttachedUserPolicies", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListGroupsForUser", "kms:DescribeKey", "kms:GetKeyPolicy", "kms:ListGrants", "kms:ListKeyPolicies", "kms:ListKeys", "lambda:GetFunctionUrlConfig", "lambda:GetLayerVersionPolicy", "lambda:GetPolicy", "lambda:ListAliases", "lambda:ListFunctions", "lambda:ListLayers", "lambda:ListLayerVersions", "lambda:ListVersionsByFunction", "organizations:DescribeAccount", "organizations:DescribeOrganization", "organizations:DescribeOrganizationalUnit", "organizations:ListAccounts", "organizations:ListAccountsForParent", "organizations:ListAWSServiceAccessForOrganization", "organizations:ListChildren", "organizations:ListDelegatedAdministrators", "organizations:ListOrganizationalUnitsForParent", "organizations:ListParents", "organizations:ListRoots", "rds:DescribeDBClusterSnapshotAttributes", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBSnapshotAttributes", "rds:DescribeDBSnapshots", "s3:DescribeMultiRegionAccessPointOperation", "s3:GetAccessPoint", "s3:GetAccessPointPolicy", "s3:GetAccessPointPolicyStatus", "s3:GetAccountPublicAccessBlock", "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketPolicyStatus", "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock", "s3:GetMultiRegionAccessPoint", "s3:GetMultiRegionAccessPointPolicy", "s3:GetMultiRegionAccessPointPolicyStatus", "s3:ListAccessPoints", "s3:ListAllMyBuckets", "s3:ListMultiRegionAccessPoints", "s3express:GetBucketPolicy", "s3express:ListAllMyDirectoryBuckets", "sns:GetTopicAttributes", "sns:ListTopics", "secretsmanager:DescribeSecret", "secretsmanager:GetResourcePolicy", "secretsmanager:ListSecrets", "sqs:GetQueueAttributes", "sqs:ListQueues" ], "Resource": "*" } ] }
IAM and IAM Access Analyzer updates to Amazon managed policies
View details about updates to IAM and Amazon managed policies since the service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the IAM and IAM Access Analyzer Document history pages.
Change | Description | Date |
---|---|---|
AccessAnalyzerServiceRolePolicy |
IAM Access Analyzer added support for permission to retrieve information about
IAM user and role policies to the service-level permissions of
AccessAnalyzerServiceRolePolicy . |
May 30, 2024 |
AccessAnalyzerServiceRolePolicy |
IAM Access Analyzer added support for permission to retrieve the current state of
the block public access for Amazon EC2 snapshots to the service-level permissions of
AccessAnalyzerServiceRolePolicy . |
January 23, 2024 |
AccessAnalyzerServiceRolePolicy |
IAM Access Analyzer added support for DynamoDB streams and tables to the
service-level permissions of AccessAnalyzerServiceRolePolicy . |
January 11, 2024 |
AccessAnalyzerServiceRolePolicy |
IAM Access Analyzer added support for Amazon S3 directory buckets to the service-level
permissions of AccessAnalyzerServiceRolePolicy . |
December 1, 2023 |
IAMAccessAnalyzerReadOnlyAccess – Added permissions |
IAM Access Analyzer added permissions to allow you to check whether updates to your policies grant additional access. This permission is required by IAM Access Analyzer to perform policy checks on your policies. |
November 26, 2023 |
AccessAnalyzerServiceRolePolicy |
IAM Access Analyzer added IAM actions to the service-level permissions of
AccessAnalyzerServiceRolePolicy to support the following
actions:
|
November 26, 2023 |
AccessAnalyzerServiceRolePolicy |
IAM Access Analyzer added support for the following resource types to the
service-level permissions of AccessAnalyzerServiceRolePolicy :
|
October 25, 2022 |
AccessAnalyzerServiceRolePolicy |
IAM Access Analyzer added the lambda:GetFunctionUrlConfig action to
the service-level permissions of
AccessAnalyzerServiceRolePolicy . |
April 6, 2022 |
AccessAnalyzerServiceRolePolicy |
IAM Access Analyzer added new Amazon S3 actions to analyze metadata associated with multi-region access points. | September 2, 2021 |
IAMAccessAnalyzerReadOnlyAccess – Added permissions |
IAM Access Analyzer added a new action to grant This permission is required by IAM Access Analyzer to perform policy checks on your policies. |
March 16, 2021 |
IAM Access Analyzer started tracking changes |
IAM Access Analyzer started tracking changes for its Amazon managed policies. |
March 1, 2021 |