Introducing AWS Identity and Access Management (IAM) Access Analyzer

Posted on: Dec 2, 2019

AWS Identity and Access Management (IAM) Access Analyzer is a new feature that makes it simple for security teams and administrators to check that their policies provide only the intended access to resources. Resource policies allow customers to granularly control who is able to access a specific resource and how they are able to use it across the entire cloud environment. With one click in the IAM console, customers can enable IAM Access Analyzer across their account to continuously analyze permissions granted using policies associated with their Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, AWS IAM roles, and AWS Lambda functions.

IAM Access Analyzer continuously monitors policies for changes, meaning customers no longer need to rely on intermittent manual checks in order to catch issues as policies are added or updated. Using IAM Access Analyzer, customers can proactively address any resource policies that violate their security and governance best practices around resource sharing and protect their resources from unintended access. IAM Access Analyzer delivers comprehensive, detailed findings through the AWS IAM, Amazon S3, and AWS Security Hub consoles and also through its APIs. Findings can also be exported as a report for auditing purposes. IAM Access Analyzer findings provide definitive answers of who has public and cross-account access to AWS resources from outside an account. 

IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy. This means that IAM Access Analyzer can evaluate hundreds or even thousands of policies across a customer's environment in seconds, and deliver comprehensive findings about resources that are accessible from outside the account. We call this provable security.

With this launch, IAM Access Analyzer is available at no additional cost in the IAM console and through APIs in all commercial AWS Regions. IAM Access Analyzer is also available through APIs in AWS GovCloud (US).

To learn more about IAM Access Analyzer, see the feature page.