Posted On: Nov 26, 2023

AWS Identity and Access Management (IAM) Access Analyzer now simplifies inspecting unused access to guide you toward least privilege. IAM Access Analyzer continuously analyzes your accounts to identify unused access and creates a centralized dashboard with findings. Security teams can use the dashboard to review findings centrally and prioritize which accounts to review based on the volume of findings. The findings highlight unused roles, unused access keys for IAM users, and unused passwords for IAM users. For active IAM roles and users, the findings provide visibility into unused services and actions.

After the new analyzer is enabled in the IAM console, security teams can prioritize which accounts to review based on excessive permissions. The dashboard highlights your AWS accounts that have the most findings and provides a breakdown of findings by type. Your security teams can automate notification workflows to help development teams identify and remove unused access by integrating with Amazon EventBridge. An integration with AWS Security Hub provides an aggregated view for external and unused access findings alongside your security findings. This aggregated view helps you manage and improve the security of all your AWS accounts, resources, and workloads. You can use AWS Organizations to centralize unused access analysis through a delegated administrator account or enable analysis individually in each account.
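As an added illustration of the two workflows described above (not AWS's own code and not part of this announcement), the following Python shows a defender-side triage step of the kind one might run behind an EventBridge rule, plus the per-account ranking the dashboard performs. The event source `aws.access-analyzer`, the detail-type string, and the detail field names (`accountId`, `resource`, `findingType`, `status`) are assumptions about the event shape; the four finding type names mirror the categories the announcement lists (unused roles, access keys, passwords, and unused permissions), and the severity ordering and remediation text are this example's own choices. All sample events are constructed.

```python
"""Triage and prioritization of IAM Access Analyzer unused-access findings (added example)."""
from collections import Counter, defaultdict

# Assumed event source and detail-type for unused-access findings delivered via EventBridge.
ASSUMED_SOURCE = "aws.access-analyzer"
ASSUMED_DETAIL_TYPE = "Unused Access Finding for IAM entities"

# Hypothetical mapping from finding type to (severity, recommended remediation).
# Severity is this example's own ranking, not an AWS-defined one.
REMEDIATION = {
    "UnusedIAMRole": (3, "Confirm the role is unneeded, then delete it or restrict its trust policy."),
    "UnusedIAMUserAccessKey": (3, "Deactivate the access key; delete it after a grace period."),
    "UnusedIAMUserPassword": (2, "Remove the console login profile if the user no longer needs it."),
    "UnusedPermission": (1, "Tighten the attached policy to the services and actions actually used."),
}


def triage_event(event):
    """Turn one EventBridge event into a notification payload, or None if no action is needed."""
    if event.get("source") != ASSUMED_SOURCE or event.get("detail-type") != ASSUMED_DETAIL_TYPE:
        return None  # not an unused-access finding (external-access findings use a different type)
    detail = event.get("detail", {})
    if detail.get("status") != "ACTIVE":
        return None  # resolved or archived findings should not page anyone
    ftype = detail.get("findingType")
    if ftype not in REMEDIATION:
        return None  # unknown type: leave it to manual review rather than guessing
    severity, action = REMEDIATION[ftype]
    return {
        "accountId": detail.get("accountId"),
        "resource": detail.get("resource"),
        "findingType": ftype,
        "severity": severity,
        "recommendedAction": action,
    }


def prioritize_accounts(findings):
    """Rank accounts by count of ACTIVE findings and break each account down by finding type."""
    per_account = defaultdict(Counter)
    for f in findings:
        if f.get("status") == "ACTIVE":
            per_account[f["accountId"]][f["findingType"]] += 1
    ranked = sorted(per_account.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [{"accountId": acct, "total": sum(c.values()), "byType": dict(c)} for acct, c in ranked]


def _event(acct, ftype, status, resource):
    """Build a constructed sample event in the assumed shape."""
    return {
        "source": ASSUMED_SOURCE,
        "detail-type": ASSUMED_DETAIL_TYPE,
        "detail": {"accountId": acct, "findingType": ftype, "status": status, "resource": resource},
    }


# Constructed sample events (account IDs and ARNs are placeholders).
SAMPLE_EVENTS = [
    _event("111111111111", "UnusedIAMUserAccessKey", "ACTIVE", "arn:aws:iam::111111111111:user/ci-deployer"),
    _event("111111111111", "UnusedPermission", "ACTIVE", "arn:aws:iam::111111111111:role/app-role"),
    _event("111111111111", "UnusedIAMRole", "ACTIVE", "arn:aws:iam::111111111111:role/legacy-batch"),
    _event("222222222222", "UnusedIAMRole", "RESOLVED", "arn:aws:iam::222222222222:role/old-role"),
    _event("222222222222", "UnusedIAMUserPassword", "ACTIVE", "arn:aws:iam::222222222222:user/contractor"),
    _event("333333333333", "UnusedPermission", "ACTIVE", "arn:aws:iam::333333333333:role/svc-a"),
    _event("333333333333", "UnusedPermission", "ACTIVE", "arn:aws:iam::333333333333:role/svc-b"),
]
SAMPLE_FINDINGS = [e["detail"] for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        note = triage_event(ev)
        if note:
            print(f"[sev {note['severity']}] {note['accountId']} {note['findingType']}: {note['recommendedAction']}")
    for row in prioritize_accounts(SAMPLE_FINDINGS):
        print(row)
```

The triage function drops anything that is not an ACTIVE unused-access finding so that resolved findings never generate a notification, and the ranking only counts ACTIVE findings, matching the "prioritize by volume of findings" view the dashboard offers.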

This new feature is available in AWS Commercial Regions, excluding the AWS GovCloud (US) Regions and AWS China Regions.

To learn more about IAM Access Analyzer unused access analysis: