Posted On: Mar 30, 2020

With a single click, customers can now enable AWS Identity and Access Management (IAM) Access Analyzer for all their accounts centrally managed through AWS Organizations. This enables security teams and administrators to uncover unintended access to resources from outside their AWS organization within minutes. Customers can proactively determine whether any resource policy in any of their accounts violates their security and governance practices by allowing unintended access.

Customers can create an organization-level analyzer in any account within the organization, such as the AWS Organizations master account or a delegated member account for security teams. Once created, the organization-level analyzer continuously monitors and scans resources within the organization. When a resource policy allows access on a resource from outside the organization, the analyzer generates comprehensive findings. After reviewing findings, customers can archive or resolve them. If the access is intended, customers can archive the finding. If the access is unintended, customers can resolve the finding by fixing the resource policy.
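A worked example of the workflow described above (create an organization-level analyzer, review its findings, archive the ones that represent intended access, and fix the resource policy for the rest), added here and not part of the AWS announcement. It builds the boto3 `accessanalyzer` request parameters for CreateAnalyzer, UpdateFindings and CreateArchiveRule and runs a triage pass over constructed sample findings shaped like ListFindings output. The account IDs, ARNs, analyzer name and the trusted-principal allow-list are assumptions; the live API calls at the bottom run only when boto3 is installed and AWS credentials are configured.

```python
"""Triage findings from an organization-level IAM Access Analyzer."""

try:
    import boto3  # only needed for the live calls under __main__
except ImportError:
    boto3 = None

# Constructed sample findings mirroring the shape ListFindings returns
# (ids, account numbers and ARNs are made up).
SAMPLE_FINDINGS = [
    {   # S3 bucket shared with one specific external account
        "id": "finding-1", "resourceType": "AWS::S3::Bucket",
        "resource": "arn:aws:s3:::example-audit-logs",
        "resourceOwnerAccount": "111111111111",
        "principal": {"AWS": "999999999999"},
        "action": ["s3:GetObject"], "isPublic": False, "status": "ACTIVE",
    },
    {   # S3 bucket readable by anyone
        "id": "finding-2", "resourceType": "AWS::S3::Bucket",
        "resource": "arn:aws:s3:::example-public-site",
        "resourceOwnerAccount": "111111111111",
        "principal": {"AWS": "*"},
        "action": ["s3:GetObject"], "isPublic": True, "status": "ACTIVE",
    },
    {   # IAM role assumable by a named role in an external account
        "id": "finding-3", "resourceType": "AWS::IAM::Role",
        "resource": "arn:aws:iam::222222222222:role/VendorAudit",
        "resourceOwnerAccount": "222222222222",
        "principal": {"AWS": "arn:aws:iam::888888888888:role/ScannerRole"},
        "action": ["sts:AssumeRole"], "isPublic": False, "status": "ACTIVE",
    },
]

# Hypothetical allow-list: external principals the organization has approved
# (for example a vendor account and a specific audit role). Anything else is
# treated as unintended access that must be fixed in the resource policy.
TRUSTED_EXTERNAL_PRINCIPALS = {
    "999999999999",
    "arn:aws:iam::888888888888:role/ScannerRole",
}


def organization_analyzer_request(name):
    """CreateAnalyzer parameters for an organization-level analyzer."""
    return {"analyzerName": name, "type": "ORGANIZATION"}


def triage(findings, trusted=TRUSTED_EXTERNAL_PRINCIPALS):
    """Split ACTIVE findings into (intended -> archive, unintended -> fix)."""
    to_archive, to_fix = [], []
    for finding in findings:
        if finding.get("status") != "ACTIVE":
            continue  # already archived or resolved
        principal = finding.get("principal", {}).get("AWS", "")
        # Public access is never auto-archived, even if "*" were allow-listed.
        if finding.get("isPublic") or principal not in trusted:
            to_fix.append(finding)
        else:
            to_archive.append(finding)
    return to_archive, to_fix


def update_findings_request(analyzer_arn, findings, status="ARCHIVED"):
    """UpdateFindings parameters; status may only be ACTIVE or ARCHIVED.
    Findings in the to_fix list are not updated through the API: they become
    RESOLVED once the resource policy is corrected and the analyzer rescans."""
    return {"analyzerArn": analyzer_arn,
            "ids": [f["id"] for f in findings], "status": status}


def archive_rule_request(analyzer_name, rule_name, trusted_account):
    """CreateArchiveRule parameters so future non-public findings for a
    known trusted account are archived automatically."""
    return {
        "analyzerName": analyzer_name,
        "ruleName": rule_name,
        "filter": {
            "principal.AWS": {"eq": [trusted_account]},
            "isPublic": {"eq": ["false"]},
        },
    }


if __name__ == "__main__":
    to_archive, to_fix = triage(SAMPLE_FINDINGS)
    print("archive:", [f["id"] for f in to_archive])
    print("fix policy:", [f["resource"] for f in to_fix])
    if boto3 is not None:  # live calls; assumed analyzer name is hypothetical
        client = boto3.client("accessanalyzer")
        analyzer = client.create_analyzer(
            **organization_analyzer_request("org-analyzer"))["arn"]
        client.create_archive_rule(
            **archive_rule_request("org-analyzer", "trusted-vendor", "999999999999"))
        live = client.list_findings(analyzerArn=analyzer)["findings"]
        archive, fix = triage(live)
        if archive:
            client.update_findings(**update_findings_request(analyzer, archive))
```

The archive rule uses the documented filter keys (`principal.AWS`, `isPublic`) with string values, which is how Access Analyzer expects criteria; keeping `isPublic` pinned to `false` in the rule means a later policy change that opens the same resource to everyone still surfaces as an active finding.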

IAM Access Analyzer is available at no additional cost in the IAM console and through APIs in all commercial AWS Regions and AWS GovCloud (US).