IAM helps you analyze access and guides you along your least privilege journey. As you build on AWS, you need to set fine-grained permissions using IAM policies. IAM Access Analyzer provides over 100 policy checks that help you proactively validate policies during policy authoring. These checks analyze your policy and report errors, warnings, and suggestions with actionable recommendations that guide you to set secure and functional permissions. Just like the grammar checks on your favorite word processor, IAM Access Analyzer automatically performs these policy checks as you author policies using the policy editor in the IAM console. You can also validate your policies programmatically using Access Analyzer APIs. IAM Access Analyzer also enables you to validate public and cross-account access to resources before deploying permissions changes. You can preview access in the Amazon S3 console or with IAM Access Analyzer APIs.

As you continue along your least privilege journey, IAM Access Analyzer helps you review existing access, enabling you to identify and remove unintended external or unused permissions. To enable you to identify resources with public or cross-account access, IAM Access Analyzer uses automated reasoning to generate comprehensive findings for resources that can be accessed from outside an AWS account. For this analysis, IAM Access Analyzer continuously monitors for new or updated resource policies and analyzes permissions granted for Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, AWS IAM roles, AWS Lambda functions, and AWS Secrets Manager secrets. To help you remove unused permissions, IAM provides last accessed information to specify when an IAM entity last used a service or an action. This helps you reduce access by enabling you to easily identify and remove unused permissions. To help you set permission guardrails, you can also analyze the last time a service was accessed by entities in your AWS organization, such as organizational units (OUs) or accounts. To learn more about how to use “last accessed” data to make decisions about the permissions granted to your IAM or Organizations entities, see Example Scenarios for Using Service Last Accessed Data. IAM Access Analyzer features are available at no additional cost in the IAM console and through IAM Access Analyzer APIs.

Benefits

Guided policy authoring

IAM Access Analyzer performs policy checks that guide you to set secure and functional permissions. These checks analyze your policies and report errors, warnings, and suggestions with actionable recommendations to help you validate your policies. Just like the grammar checks on your favorite word processor, IAM Access Analyzer automatically performs these checks as you author policies using the policy editor in the IAM console. You can also validate your policies programmatically using IAM Access Analyzer APIs.
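The programmatic validation mentioned above can serve as a pre-deployment gate. The following is an added example, not AWS's own code: it pages through the `ValidatePolicy` API and fails when any finding is an error or security warning. The blocking rule, the sample policy, and the stub client with its responses are constructed assumptions so the block runs offline.

```python
import json

# Finding types that fail the gate (an assumed team policy, not an AWS default).
BLOCKING = {"ERROR", "SECURITY_WARNING"}

def collect_findings(client, policy, policy_type="IDENTITY_POLICY"):
    """Call ValidatePolicy page by page and return every finding."""
    findings, token = [], None
    while True:
        kwargs = {"policyDocument": json.dumps(policy), "policyType": policy_type}
        if token:
            kwargs["nextToken"] = token
        page = client.validate_policy(**kwargs)
        findings.extend(page.get("findings", []))
        token = page.get("nextToken")
        if not token:
            return findings

def gate(findings, blocking=BLOCKING):
    """Return (passed, report); passed is False if any finding type is blocking."""
    report = [f"{f['findingType']:<16} {f['issueCode']}: {f['findingDetails']}"
              for f in findings]
    return (not any(f["findingType"] in blocking for f in findings), report)

# Constructed sample policy: PassRole on every role, plus an action already covered by s3:*.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:*", "s3:GetObject"], "Resource": "*"}]}

class StubAnalyzer:
    """Offline stand-in for boto3.client("accessanalyzer"); responses are constructed."""
    PAGES = {
        None: {"nextToken": "page-2", "findings": [{
            "findingType": "SECURITY_WARNING",
            "issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
            "findingDetails": "constructed text: iam:PassRole allowed on all roles"}]},
        "page-2": {"findings": [{
            "findingType": "SUGGESTION",
            "issueCode": "REDUNDANT_ACTION",
            "findingDetails": "constructed text: s3:GetObject is covered by s3:*"}]},
    }
    def validate_policy(self, **kwargs):
        return self.PAGES[kwargs.get("nextToken")]

if __name__ == "__main__":
    # With credentials configured, pass boto3.client("accessanalyzer") instead of the stub.
    passed, report = gate(collect_findings(StubAnalyzer(), POLICY))
    print("\n".join(report))
    raise SystemExit(0 if passed else 1)
```

Suggestions and warnings are reported but do not fail the gate, so a pipeline can block on the security-relevant findings while still surfacing the rest to the policy author.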

Comprehensive analysis for public and cross-account access

IAM Access Analyzer analyzes policies to help you identify and resolve unintended public or cross-account access to your resources. IAM Access Analyzer uses mathematical logic and inference to generate comprehensive findings for resources that can be accessed from outside an AWS account. These findings help you identify resources with public or cross-account access you may not intend. IAM Access Analyzer evaluates permissions granted using policies for your Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, AWS IAM roles, and AWS Lambda functions, and delivers detailed findings through the AWS IAM, Amazon S3, and AWS Security Hub consoles and also through its APIs. With IAM Access Analyzer, you can also preview findings and validate that your policy changes grant only intended access to your resources. By previewing findings, you can prevent unintended access before you deploy permissions.

Continuously monitor and reduce permissions

IAM Access Analyzer continuously monitors and analyzes new or updated resource policies to help you identify permissions that grant public and cross-account access. For example, when an Amazon S3 bucket policy changes, IAM Access Analyzer would alert you that the bucket is accessible by users from outside the account.

IAM also provides you with last accessed timestamp information about when an IAM entity, such as an IAM role, last used a service or action. This enables you to reduce permissions by removing unused permissions and granting only access required to perform a task.

Provides the highest levels of security assurance

To generate comprehensive findings for resources that can be accessed from outside an AWS account, IAM Access Analyzer uses automated reasoning, a form of mathematical logic and inference. We call these analytical results provable security, a higher level of assurance for security of the cloud and in the cloud. While some tools let you test particular access scenarios, IAM Access Analyzer uses mathematics to analyze for all possible access requests and generate findings for external access. This enables you to verify external access with confidence.

How it works - monitoring external access to resources

Figure: How IAM Access Analyzer works

Automated reasoning for external access analysis

Automated reasoning is an area of cognitive science that automates different aspects of reasoning related to mathematics and formal logic. The AWS Automated Reasoning Group designs algorithms and builds code that can reason about cloud resources, configurations, and infrastructure to quickly provide assurances about aspects of their behaviors. In the case of resource policies, AWS transforms them into precise logical formulas, and then uses automated reasoners to comprehensively summarize which resources grant public or cross-account access. Learn how automated reasoning tools and methods within Amazon Web Services provide a higher level of security assurance for the cloud by reading "Formal Reasoning About AWS."
