Overview

IAM Access Analyzer guides you toward least privilege by providing tools to set, verify, and refine permissions. As a comprehensive permissions analysis and policy validation tool, IAM Access Analyzer offers access findings, policy checks, and policy generation.

IAM Access Analyzer uses provable security to deliver comprehensive findings on external, internal, and unused access, and provides custom policy checks. Provable security relies on automated reasoning technology, which is the application of mathematical logic to help answer critical questions about your infrastructure, including AWS permissions. To learn how AWS automated reasoning tools and methods provide a higher level of security assurance for the cloud, see What is Automated Reasoning?, or download the whitepaper, Formal Reasoning About the Security of Amazon Web Services.

Set fine-grained permissions

IAM Access Analyzer generates a fine-grained policy based on the access activity captured in your AWS CloudTrail logs. This means that after you build and run an application, you can generate IAM policies that grant only the required permissions to operate the application.

IAM Access Analyzer guides you to author and validate secure and functional policies based on IAM best practices. For example, if your policy grants the iam:PassRole permission with an asterisk in the Resource element, IAM Access Analyzer flags this as a security warning. IAM Access Analyzer includes four policy validation finding types: security warnings, errors, general warnings, and IAM best practice suggestions for your policy. Findings provide actionable recommendations that help you author policies that are functional and conform to AWS best practices and your security standards.
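As an added example (not code from the page or from AWS), the Python below reproduces locally the one policy check the paragraph names, iam:PassRole allowed on Resource "*", and reports it in the findingType and issue-code shape IAM Access Analyzer's policy validation uses; the sample policy is constructed, and the handling of wildcard actions such as iam:* is an assumption added here.

```python
import json
from fnmatch import fnmatch

# Constructed sample policy (not from the page): the first statement passes any
# role, which is the case the page says IAM Access Analyzer flags as a security warning.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PassAnyRole", "Effect": "Allow",
         "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
        {"Sid": "PassOneRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-role"},
    ],
})


def _as_list(value):
    """Action and Resource may be a string or a list in IAM policy JSON."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_pass_role(statement):
    # Action names are case-insensitive; 'iam:*' and '*' also cover iam:PassRole
    # (wildcard handling is assumed here; the page only names the literal action).
    return statement.get("Effect") == "Allow" and any(
        fnmatch("iam:passrole", a.lower()) for a in _as_list(statement.get("Action"))
    )


def _has_star_resource(statement):
    return any(r == "*" for r in _as_list(statement.get("Resource")))


def validate_policy_locally(policy_json):
    """Return findings shaped like IAM Access Analyzer's policy validation output
    (findingType plus a locator) for the single check this page describes."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if _grants_pass_role(stmt) and _has_star_resource(stmt):
            findings.append({
                "findingType": "SECURITY_WARNING",
                "issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
                "statementIndex": idx,
                "sid": stmt.get("Sid"),
                "recommendation": "Scope Resource to the specific role ARN(s) "
                                  "the principal is allowed to pass.",
            })
    return findings
```

Running it against the sample flags only the PassAnyRole statement; the second statement, scoped to one role ARN, is the shape the recommendation asks for.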

Verify who can access what

IAM Access Analyzer guides you to verify that existing external access meets your intent. IAM Access Analyzer uses automated reasoning tools to provide provable security assurance and analyze all external access to your AWS resources. When you turn on IAM Access Analyzer, it continuously monitors for new or updated resource permissions to help you identify permissions that grant public and cross-account access. For example, if an Amazon S3 bucket policy were to change, IAM Access Analyzer would alert you that the bucket had become accessible to users outside the account. Using this same analysis, IAM Access Analyzer makes it easier to review and validate public and cross-account access before deploying permissions changes.

IAM Access Analyzer identifies who within your AWS organization has access to your critical AWS resources. It uses automated reasoning to collectively evaluate multiple policies and generates findings when a user or role has access to your S3, DynamoDB, or RDS resources. The findings are aggregated in a unified dashboard, simplifying access review and management. You can use Amazon EventBridge to automatically notify development teams of new findings to remove unintended access. Internal access findings provide security teams the visibility to strengthen access controls on their critical resources and help compliance teams demonstrate access control audit requirements.

IAM Access Analyzer validates that IAM policies adhere to your security standards ahead of deployments. Custom policy checks use the power of automated reasoning so that security teams can proactively detect nonconformant updates to policies. For example, IAM policy changes that are more permissive than their previous version would be flagged for additional review. Security teams can use these checks to streamline their reviews, automatically approving policies that conform with their security standards, and inspecting more deeply when they don't. Security and development teams can automate policy reviews at scale by integrating custom policy checks into the tools and environments where developers author their policies, such as their CI/CD pipelines.

Refine access

IAM Access Analyzer simplifies inspecting unused access to guide you toward least privilege. Security teams can use IAM Access Analyzer to gain visibility into unused access across their AWS organization and automate how they rightsize permissions. IAM Access Analyzer continuously analyzes your accounts to identify unused access and offers recommendations with actionable guidance to help you remediate any unused access. It consolidates findings in a centralized dashboard, which helps security teams review findings and prioritize accounts based on the volume of findings. The findings highlight unused roles, unused access keys for IAM users, and unused passwords for IAM users. For active IAM roles and users, the findings provide visibility into unused services and actions. Security teams can automate notification workflows to help development teams identify and remove unused access.

IAM Access Analyzer provides last accessed information about when AWS services, and actions from select AWS services, were last used by a role or user through their IAM policies. This helps you identify opportunities to refine your permissions. With this information, you can compare the permissions granted to a role or user against when those permissions were last used, remove the unused ones, and further refine the rest.

Integrations

When IAM Access Analyzer is integrated with AWS Security Hub Cloud Security Posture Management (CSPM), external and unused access findings can be sent to CSPM and checked against security industry standards and best practices. This allows further analysis of your security patterns and helps identify the highest priority security issues. Security Hub can include findings from IAM Access Analyzer in its analysis of your security posture.

By integrating IAM Access Analyzer with Amazon EventBridge, you can automate and scale permissions refinement by alerting teams to review and remove excessive permissions within their AWS accounts. IAM Access Analyzer sends an event to EventBridge when a finding is generated, deleted, or its status changes. To receive findings and notifications about findings, you must enable and create an event rule in EventBridge.
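As an added example (not from the page or from AWS's own code), the Python below implements the subset of EventBridge event-pattern matching needed to see which IAM Access Analyzer finding events a rule would forward to a team; the event's source and detail-type are the service's real values, while the detail fields, account, and ARNs are constructed and assumed.

```python
# Constructed sample event in the shape IAM Access Analyzer sends to EventBridge
# (source and detail-type are the service's; the detail fields are assumed here).
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.access-analyzer",
    "detail-type": "Access Analyzer Finding",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "status": "ACTIVE",
        "isPublic": True,
        "resourceType": "AWS::S3::Bucket",
        "resource": "arn:aws:s3:::example-bucket",
        "action": ["s3:GetObject"],
    },
}

# Rule pattern: only active findings about public S3 resources reach the team,
# so archived or resolved findings do not generate noise.
PUBLIC_ACTIVE_RULE = {
    "source": ["aws.access-analyzer"],
    "detail-type": ["Access Analyzer Finding"],
    "detail": {"status": ["ACTIVE"], "isPublic": [True],
               "resourceType": [{"prefix": "AWS::S3::"}]},
}


def _leaf_matches(pattern_values, event_value):
    """A pattern leaf is a list; the event value (or any element of an event
    list) must satisfy one entry. Supports exact values and {"prefix": ...}."""
    candidates = event_value if isinstance(event_value, list) else [event_value]
    for p in pattern_values:
        for v in candidates:
            if isinstance(p, dict) and "prefix" in p:
                if isinstance(v, str) and v.startswith(p["prefix"]):
                    return True
            elif p == v:
                return True
    return False


def event_matches(pattern, event):
    """Every key in the pattern must exist in the event and match; keys the
    pattern does not mention are unconstrained (EventBridge semantics)."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        if isinstance(sub, dict):
            if not isinstance(event[key], dict) or not event_matches(sub, event[key]):
                return False
        elif not _leaf_matches(sub, event[key]):
            return False
    return True
```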