Amazon managed policies for Amazon Identity and Access Management Access Analyzer - Amazon Identity and Access Management
IAMReadOnlyAccessIAMUserChangePasswordIAMAccessAnalyzerFullAccessIAMAccessAnalyzerReadOnlyAccessAccessAnalyzerServiceRolePolicyPolicy updates
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon managed policies for Amazon Identity and Access Management Access Analyzer

To add permissions to users, groups, and roles, it is easier to use Amazon managed policies than to write policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon Web Services account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon services maintain and update Amazon managed policies. You can't change the permissions in Amazon managed policies. Services occasionally add additional permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) where the policy is attached. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

IAMReadOnlyAccess

Use the IAMReadOnlyAccess managed policy to allow read only access to IAM resources. This policy grants permission to get and list all IAM resources. It allows viewing details and activity reports for users, groups, roles, policies, identity providers, and MFA devices. It does not include the ability to create or delete resources or access to IAM Access Analyzer resources. View the policy for the full list of services and actions supported by this policy.

IAMUserChangePassword

Use the IAMUserChangePassword managed policy to allow IAM users to change their password.

You configure your IAM Account settings and the Password policy to allow IAM users to change their IAM account password. When you allow this action, IAM attaches the following policy to each user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword"
            ],
            "Resource": [
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy"
            ],
            "Resource": "*"
        }
    ]
}

IAMAccessAnalyzerFullAccess

Use the IAMAccessAnalyzerFullAccess Amazon managed policy to allow your administrators to access IAM Access Analyzer.

Permissions groupings

This policy is grouped into statements based on the set of permissions provided.

  • IAM Access Analyzer – Allows full administrative permissions to all resources in IAM Access Analyzer.

  • Create service linked role – Allows the administrator to create a service-linked role, which allows IAM Access Analyzer to analyze resources in other services on your behalf. This permission allows creating the service-linked role only for use by IAM Access Analyzer.

  • Amazon Organizations – Allows administrators to use IAM Access Analyzer for an organization in Amazon Organizations. After enabling trusted access for IAM Access Analyzer in Amazon Organizations, members of the management account can view findings across their organization.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "access-analyzer:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "access-analyzer.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListChildren",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListRoots"
      ],
      "Resource": "*"
    }
  ]
}

IAMAccessAnalyzerReadOnlyAccess

Use the IAMAccessAnalyzerReadOnlyAccess Amazon managed policy to allow read-only access to IAM Access Analyzer.

To also allow read-only access to IAM Access Analyzer for Amazon Organizations, create a customer managed policy that allows the Describe and List actions from the IAMAccessAnalyzerFullAccess Amazon managed policy.

Service-level permissions

This policy provides read-only access to IAM Access Analyzer. No other service permissions are included in this policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "access-analyzer:Get*",
        "access-analyzer:List*",
        "access-analyzer:ValidatePolicy"
      ],
      "Resource": "*"
    }
  ]
}

AccessAnalyzerServiceRolePolicy

You can't attach AccessAnalyzerServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows IAM Access Analyzer to perform actions on your behalf. For more information, see Using service-linked roles for Amazon Identity and Access Management Access Analyzer.

Permissions groupings

This policy allows access to IAM Access Analyzer to analyze resource metadata from multiple Amazon Web Services.

  • Amazon Elastic Compute Cloud – Allows permissions to describe IP addresses, snapshots, and VPCs.

  • Amazon Elastic Container Registry – Allows permissions to describe image repositories and retrieve repository policies.

  • Amazon Elastic File System – Allows permissions to view the description of an Amazon EFS file system and view the resource-level policy for an Amazon EFS file system.

  • Amazon Identity and Access Management – Allows permissions to retrieve information about a specified role and list the IAM roles that have a specified path prefix.

  • Amazon Key Management Service – Allows permissions to view detailed information about an KMS key and its key policies and grants.

  • Amazon Lambda – Allows permissions to view information about Lambda aliases, functions, layers, and aliases.

  • Amazon Organizations – Allows permissions to Organizations and allows the creation of an analyzer within the Amazon organization as the zone of trust.

  • Amazon Relational Database Service – Allows permissions to view detailed information about Amazon RDS DB snapshots and Amazon RDS DB cluster snapshots.

  • Amazon Simple Storage Service – Allows permissions to view detailed information about Amazon S3 access points and buckets.

  • Amazon Secrets Manager – Allows permissions to view detailed information about secrets and resource policies attached to secrets.

  • Amazon Simple Notification Service – Allows permissions to view detailed information about a topic.

  • Amazon Simple Queue Service – Allows permissions to view detailed information about specified queues.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAddresses",
        "ec2:DescribeByoipCidrs",
        "ec2:DescribeSnapshotAttribute",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVpcEndpoints",
        "ec2:DescribeVpcs",
        "ecr:DescribeRepositories",
        "ecr:GetRepositoryPolicy",
        "elasticfilesystem:DescribeFileSystemPolicy",
        "elasticfilesystem:DescribeFileSystems",
        "iam:GetRole",
        "iam:ListRoles",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:ListGrants",
        "kms:ListKeyPolicies",
        "kms:ListKeys",
        "lambda:GetFunctionUrlConfig",
        "lambda:GetLayerVersionPolicy",
        "lambda:GetPolicy",
        "lambda:ListAliases",
        "lambda:ListFunctions",
        "lambda:ListLayers",
        "lambda:ListLayerVersions",
        "lambda:ListVersionsByFunction",
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:ListAccounts",
        "organizations:ListAccountsForParent",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:ListChildren",
        "organizations:ListDelegatedAdministrators",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListParents",
        "organizations:ListRoots",
        "rds:DescribeDBClusterSnapshotAttributes",
        "rds:DescribeDBClusterSnapshots",
        "rds:DescribeDBSnapshotAttributes",
        "rds:DescribeDBSnapshots",
        "s3:DescribeMultiRegionAccessPointOperation",
        "s3:GetAccessPoint",
        "s3:GetAccessPointPolicy",
        "s3:GetAccessPointPolicyStatus",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicyStatus",
        "s3:GetBucketPolicy",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetMultiRegionAccessPoint",
        "s3:GetMultiRegionAccessPointPolicy",
        "s3:GetMultiRegionAccessPointPolicyStatus",
        "s3:ListAccessPoints",
        "s3:ListAllMyBuckets",
        "s3:ListMultiRegionAccessPoints",
        "sns:GetTopicAttributes",
        "sns:ListTopics",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:ListSecrets",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues"
      ],
      "Resource": "*"
    }
  ]
}

IAM and IAM Access Analyzer updates to Amazon managed policies

View details about updates to IAM and Amazon managed policies since these service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the IAM and IAM Access Analyzer Document history pages.

Change Description Date
AccessAnalyzerServiceRolePolicy – Added permissions IAM Access Analyzer added support for the following resource types to the service-level permissions of AccessAnalyzerServiceRolePolicy:

  • Amazon EBS volume snapshots

  • Amazon ECR repositories

  • Amazon EFS file systems

  • Amazon RDS DB snapshots

  • Amazon RDS DB cluster snapshots

  • Amazon SNS topics

 October 25, 2022
AccessAnalyzerServiceRolePolicy – Added permissions IAM Access Analyzer added the lambda:GetFunctionUrlConfig action to the service-level permissions of AccessAnalyzerServiceRolePolicy. April 6, 2022
AccessAnalyzerServiceRolePolicy – Added permissions IAM Access Analyzer added new Amazon S3 actions to analyze metadata associated with multi-region access points. September 2, 2021

IAMAccessAnalyzerReadOnlyAccess – Added permissions

IAM Access Analyzer added a new action to grant ValidatePolicy permissions to allow you to use the policy checks for validation.

This permission is required by IAM Access Analyzer to perform policy checks on your policies.

 March 16, 2021

IAM Access Analyzer started tracking changes

IAM Access Analyzer started tracking changes for its Amazon managed policies.

 March 1, 2021