Posted On: Mar 16, 2021

AWS Identity and Access Management (IAM) Access Analyzer makes it easier to implement least privilege permissions by analyzing resource policies to provide provable security and help you identify unintended public or cross-account access. A recent update allows you to validate public and cross-account access before deploying permissions changes. Now, we are extending policy validation in IAM Access Analyzer by adding over 100 policy checks with actionable recommendations. These checks use static analysis to help you proactively validate your permission policies during policy authoring, so you can set permissions that are both secure and functional. The checks include the functional validation developers might expect from a linter, and go beyond that to evaluate best practices in granting access. Each check analyzes your policy and reports a finding as a security warning, error, general warning, or suggestion according to its impact, together with an actionable recommendation. For example, IAM Access Analyzer reports a security warning when your policy grants access to pass any role to any service, which is overly permissive. The security warning includes a recommendation that you scope down the permissions to pass specific role(s) instead.

Just like the grammar checks on your favorite word processors, IAM Access Analyzer automatically performs these policy checks as you’re authoring your identity policies using the JSON policy editor in the IAM console. You can also validate additional policies such as service-control policies and resource policies programmatically using the Access Analyzer ValidatePolicy API.
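The following is an added example (it is not code from the announcement or from AWS): a Python script that calls the real ValidatePolicy API through boto3 and groups the findings by type, plus a small local pre-check, written for this example and not Access Analyzer's own logic, that flags the specific pattern the announcement describes: an Allow statement granting iam:PassRole on any role without a condition limiting the target service. The two sample policies, the account ID and the role name are constructed for the example.

```python
"""Added example: IAM Access Analyzer policy validation from Python, with a
local pre-check that mirrors the 'pass any role to any service' warning."""
import json
from typing import Dict, List

# Constructed sample policy: the overly permissive PassRole grant the
# announcement uses as its example of a security warning.
OVERLY_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
    ],
}

# Constructed sample policy with PassRole scoped to one role and one service
# (account ID and role name are placeholders).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/example-app-role",
            "Condition": {
                "StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}
            },
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise."""
    return value if isinstance(value, list) else [value]


def find_unscoped_pass_role(policy: Dict) -> List[int]:
    """Local approximation of the security warning (not Access Analyzer code):
    return indexes of Allow statements that grant iam:PassRole, or a wildcard
    covering it, on Resource "*" with no iam:PassedToService condition."""
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        grants_pass_role = any(a in ("*", "iam:*", "iam:passrole") for a in actions)
        any_resource = "*" in _as_list(stmt.get("Resource", []))
        limited_to_service = "iam:PassedToService" in json.dumps(stmt.get("Condition", {}))
        if grants_pass_role and any_resource and not limited_to_service:
            flagged.append(idx)
    return flagged


def validate_with_access_analyzer(policy: Dict,
                                  policy_type: str = "IDENTITY_POLICY") -> Dict[str, List[str]]:
    """Call the ValidatePolicy API and group findings by findingType
    (SECURITY_WARNING, ERROR, WARNING, SUGGESTION). Needs AWS credentials and
    accessanalyzer:ValidatePolicy permission, so it is not run offline."""
    import boto3  # imported lazily so the local pre-check needs no boto3
    client = boto3.client("accessanalyzer")
    grouped: Dict[str, List[str]] = {}
    kwargs = {"policyDocument": json.dumps(policy), "policyType": policy_type}
    while True:  # follow nextToken in case the finding list is paginated
        resp = client.validate_policy(**kwargs)
        for finding in resp.get("findings", []):
            grouped.setdefault(finding["findingType"], []).append(
                f'{finding["issueCode"]}: {finding["findingDetails"]}')
        if not resp.get("nextToken"):
            return grouped
        kwargs["nextToken"] = resp["nextToken"]


if __name__ == "__main__":
    for name, policy in (("overly permissive", OVERLY_PERMISSIVE_POLICY),
                         ("scoped", SCOPED_POLICY)):
        print(name, "-> unscoped PassRole statements:", find_unscoped_pass_role(policy))
    # Uncomment with credentials configured to see the service's own findings:
    # print(validate_with_access_analyzer(OVERLY_PERMISSIVE_POLICY))
```

The local check is deliberately narrow: it exists to show what "scope down the permissions to pass specific role(s)" means in policy JSON (a concrete role ARN plus an `iam:PassedToService` condition), and to give a fast offline gate in a CI pipeline. The authoritative result is the API call, whose `policyType` can be changed to `SERVICE_CONTROL_POLICY` or `RESOURCE_POLICY` to validate the other policy kinds the announcement mentions.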

IAM Access Analyzer policy validation is available at no additional cost in all commercial AWS Regions, AWS China Regions, and AWS GovCloud (US). To learn more about IAM Access Analyzer, see the feature page.