AWS Security Blog
Now Available: Get Even More Details from Service Last Accessed Data
In December, AWS Identity and Access Management (IAM) released service last accessed data, which shows the time when an IAM entity (a user, group, or role) last accessed an AWS service. This provided a powerful tool to help you grant least privilege permissions. Starting today, it’s easier to identify where you can reduce permissions based on additional service last accessed data.
With this release, you have access to the following for IAM entities and policies:
- Last accessed data for all IAM users and roles associated with a managed policy or group.
- All policies contributing service permissions to an IAM user, role, or group.
These additional details can improve your understanding of access patterns and policy configurations. As a result, you can make better-informed permissions-management decisions.
In this blog post, I will walk through these new, more-detailed service last accessed capabilities and explain how you can use them to manage permissions more effectively.
See last accessed data for all IAM users and roles associated with a managed policy or group
Imagine that you are an IAM administrator responsible for managing the security of your users and applications. You probably would want to know whether policies have been applied too broadly to IAM users and roles that do not use all those permissions. Previously, the Access Advisor tab for a managed policy showed when services were last accessed, but identifying the specific user or role responsible for the last accessed time required searching your AWS CloudTrail logs. Now as shown in the following screenshot, by clicking any link in the Access by Entities column, you can quickly see which IAM user or role was responsible for the last access of a service, as well as when all associated users or roles last accessed that service.
For example, the following screenshot shows information for Amazon EC2 permissions granted by a managed policy. As you can see, not all of the users and roles attached to the policy actually accessed EC2, indicating that some of those users and roles may have excessive permissions that could be reduced
See all policies contributing service permissions to an IAM user, role, or group
Imagine you are that same IAM administrator trying to apply the principle of least privilege. After viewing the service last accessed data for a user or role, you might want to delete or detach policies from users and roles that do not need them. To facilitate this, in the Access Advisor tab for a user, click the link in the Policies Granting Permissions column for a specific service permission to quickly see where the permission originates. This could be an AWS managed policy or a policy inherited by IAM group membership. In the details dialog box, clicking a policy name takes you to that policy, where you can easily make changes.
The following screenshot shows the sources of Amazon EC2 permissions granted to an IAM user. As you can see, permission to access EC2 originates from multiple managed and inline policies, indicating that it may be appropriate to do some policy cleanup or consolidation.
The ability to view more details in service last accessed data makes it easier for you to manage permissions. If you have comments about the more-detailed service last accessed data, submit a comment below. If you have questions, please start a thread on the IAM forum.
– Zaher