Achieving least privilege is a continuous cycle: you set fine-grained permissions, verify that they match your intent, and refine them as your requirements evolve. AWS Identity and Access Management (IAM) Access Analyzer helps you streamline permissions management at each step of that cycle.
Your journey toward least privilege: Set, verify, and refine
Set fine-grained permissions
Policy generation with IAM Access Analyzer produces a fine-grained policy from the access activity recorded in your AWS CloudTrail logs. After you build and run an application, you can generate a policy that grants only the permissions the application actually used. Because the generated policy reflects only the activity captured in the selected time window, exercise the application's full set of code paths first, and review the generated policy before you attach it.
Policy validation with Access Analyzer helps you author and validate secure, functional policies using more than 100 policy checks, which report errors that would make a policy fail, security warnings about overly permissive grants, and suggestions for tightening it. You can run these checks while creating new policies or against existing ones.
Verify intended permissions
Public and cross-account findings with Access Analyzer help you verify that existing access matches your intent. Access Analyzer uses provable security to analyze all access paths and report comprehensively on external access to your resources. Once enabled, it continuously monitors for new or updated resource permissions and identifies those that grant public or cross-account access. For example, if an Amazon S3 bucket policy changes to allow principals outside your account, Access Analyzer generates a finding that the bucket is accessible from outside the account.
The same analysis lets you preview and validate public and cross-account access before you deploy a permissions change, so an unintended grant can be caught before it takes effect.
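As an added example (not Access Analyzer's own code, which applies automated reasoning over the full policy language), the following Python models in miniature the two kinds of question described in the validation and public/cross-account sections above: a few validation-style checks on an identity policy, and a classification of each resource-policy principal as public, scoped public, or cross-account relative to a set of trusted accounts. The finding labels, the three validation checks, and the set of condition keys treated as narrowing a Principal "*" grant are simplifications chosen for this example, and both policies are constructed samples.

```python
"""Simplified local checks in the spirit of IAM Access Analyzer. Added example,
not the service's logic: only Principal "*", AWS account principals and a few
condition keys are modelled; labels and checks are this example's own."""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ARN_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

def _as_list(x):
    return [] if x is None else x if isinstance(x, list) else [x]

def _principals(stmt):
    """Flatten the Principal element of a resource policy statement."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    out = []
    if isinstance(p, dict):
        for kind, vals in p.items():
            for v in _as_list(vals):
                out.append(v if kind == "AWS" else f"{kind}:{v}")  # Service:, Federated:
    return out

def _account_of(principal):
    """Account ID behind '123456789012' or 'arn:aws:iam::123456789012:...'; else None."""
    if ACCOUNT_ID_RE.match(principal):
        return principal
    m = ARN_ACCOUNT_RE.match(principal)
    return m.group(1) if m else None

def _condition_keys(stmt):
    keys = set()
    for operands in stmt.get("Condition", {}).values():
        keys.update(operands)
    return keys

# Assumption of this example: a Principal "*" statement carrying one of these
# condition keys is scoped to a known account/organization, not truly public.
NARROWING_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:SourceAccount"}

def validate_policy(policy):
    """Three validation-style checks on Allow statements: service or full wildcard
    action, wildcard resource, and Allow combined with NotAction."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append((i, "Allow with NotAction grants every action not listed"))
        for a in _as_list(stmt.get("Action")):
            if a == "*" or a.endswith(":*"):
                findings.append((i, f"Action {a!r} grants every API in its scope"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((i, "Resource '*' applies the statement to every resource"))
    return findings

def external_access_findings(policy, trusted_accounts):
    """Classify principals of Allow statements as 'public', 'scoped-public'
    (Principal '*' narrowed by a condition) or 'cross-account'. Principals in
    trusted_accounts and service principals yield no finding."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        narrowed = bool(_condition_keys(stmt) & NARROWING_KEYS)
        for p in _principals(stmt):
            if p == "*":
                findings.append((i, "scoped-public" if narrowed else "public", p))
                continue
            acct = _account_of(p)
            if acct is not None and acct not in trusted_accounts:
                findings.append((i, "cross-account", p))
    return findings

# Constructed sample policies (not from any real deployment).
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/Uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Effect": "Allow", "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/AWSLogs/*"},
    ],
}
SAMPLE_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
]}

if __name__ == "__main__":
    print(validate_policy(SAMPLE_IDENTITY_POLICY))
    print(external_access_findings(SAMPLE_BUCKET_POLICY, trusted_accounts={"123456789012"}))
```

Run directly, it prints four validation findings for the identity policy (two each on the `s3:*` and `NotAction` statements, none on the narrowly scoped third) and three external-access findings for the bucket policy: the unconditioned `Principal "*"` is public, the role in account 111122223333 is cross-account, and the `aws:PrincipalOrgID`-conditioned statement is reported separately so you can decide whether that organization is inside your zone of trust. Access Analyzer answers these same two questions over every principal type and condition key, which is why its provable analysis, rather than pattern matching like this, is what you should rely on in production.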
Refine permissions by removing unused access
Last-accessed information shows when an IAM entity last used each AWS service it is permitted to use, which helps you identify opportunities to tighten permissions. By comparing the permissions that have been granted with when they were last exercised, you can remove access that is not being used and further refine your policies.
You can also use last-used timestamps for IAM roles and access keys to identify and remove entities that are no longer required.
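The refinement step above is mechanical once the last-accessed data is in hand. As an added example (not IAM or Access Analyzer code), the following Python takes records constructed to mimic the field names of the IAM API (ServicesLastAccessed entries as returned by GetServiceLastAccessedDetails, and the LastUsedDate of RoleLastUsed and AccessKeyLastUsed) and derives the two refinements described: actions in unused service namespaces are pruned from a policy, and roles or keys past an idle threshold are listed for removal. The values in the sample records are made up, and the 90-day threshold is an assumption.

```python
"""Added example: turning IAM last-accessed data into concrete refinements.
Not IAM or Access Analyzer code; sample records are constructed and only
reuse the API field names (ServiceNamespace, LastAuthenticated, LastUsedDate)."""
from datetime import datetime, timedelta, timezone

def _parse(ts):
    """ISO-8601 timestamp with a trailing Z -> aware datetime; None stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def idle_service_namespaces(services_last_accessed, now, max_idle_days):
    """Namespaces the entity may call but has never used, or not used within the window."""
    cutoff = now - timedelta(days=max_idle_days)
    idle = set()
    for svc in services_last_accessed:
        last = _parse(svc.get("LastAuthenticated"))  # absent when never authenticated
        if last is None or last < cutoff:
            idle.add(svc["ServiceNamespace"])
    return idle

def prune_policy(policy, idle_namespaces):
    """Remove Allow actions in idle namespaces. A bare '*' action cannot be
    attributed to one service, so it is kept and must be reviewed by hand.
    Statements left with no actions are dropped entirely."""
    statements = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            statements.append(stmt)
            continue
        kept = [a for a in _as_list(stmt["Action"])
                if a == "*" or a.split(":", 1)[0] not in idle_namespaces]
        if kept:
            statements.append({**stmt, "Action": kept})
    return {**policy, "Statement": statements}

def stale_entities(entities, now, max_idle_days):
    """Names of roles/access keys not used within max_idle_days. A never-used
    entity is flagged only if it is older than the window, so a freshly created
    role or key is not removed before it has had a chance to be used."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for e in entities:
        last = _parse(e.get("LastUsedDate"))
        created = _parse(e["CreateDate"])
        if (last is None and created < cutoff) or (last is not None and last < cutoff):
            stale.append(e["Name"])
    return stale

# Constructed sample data; "now" is fixed so the example is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_LAST_ACCESSED = [
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
     "LastAuthenticated": "2024-05-20T08:00:00Z", "TotalAuthenticatedEntities": 1},
    {"ServiceName": "Amazon DynamoDB", "ServiceNamespace": "dynamodb",
     "LastAuthenticated": "2024-01-10T08:00:00Z", "TotalAuthenticatedEntities": 1},
    {"ServiceName": "Amazon SQS", "ServiceNamespace": "sqs", "TotalAuthenticatedEntities": 0},
    {"ServiceName": "Amazon CloudWatch Logs", "ServiceNamespace": "logs",
     "LastAuthenticated": "2024-05-31T23:00:00Z", "TotalAuthenticatedEntities": 1},
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "dynamodb:GetItem"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:123456789012:jobs"},
    {"Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": "*"},
]}
SAMPLE_ENTITIES = [
    {"Name": "deploy-role", "CreateDate": "2023-01-01T00:00:00Z", "LastUsedDate": "2024-05-30T00:00:00Z"},
    {"Name": "legacy-role", "CreateDate": "2022-06-01T00:00:00Z", "LastUsedDate": "2023-11-01T00:00:00Z"},
    {"Name": "AKIAIOSFODNN7EXAMPLE", "CreateDate": "2021-01-01T00:00:00Z", "LastUsedDate": None},
    {"Name": "new-role", "CreateDate": "2024-05-25T00:00:00Z", "LastUsedDate": None},
]

if __name__ == "__main__":
    idle = idle_service_namespaces(SAMPLE_LAST_ACCESSED, NOW, max_idle_days=90)
    print("idle namespaces:", sorted(idle))
    print("pruned policy:", prune_policy(SAMPLE_POLICY, idle))
    print("stale entities:", stale_entities(SAMPLE_ENTITIES, NOW, max_idle_days=90))
```

With a 90-day window, dynamodb (last used in January) and sqs (never used) come out idle, the sqs-only statement disappears and the first statement shrinks to its two s3 actions, and legacy-role plus the never-used key are listed while new-role, created a week earlier, is left alone. In practice treat the output as a proposal to review, not a change to apply blindly: a service used only by a quarterly job will look idle in a 90-day window.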
Provable security for public and cross-account analysis
Access Analyzer uses provable security to provide comprehensive findings for public and cross-account access to your resources. Provable security relies on automated reasoning technology, which is the application of mathematical logic to help answer critical questions about your infrastructure, including AWS permissions. To learn how automated AWS reasoning tools and methods provide a higher level of security assurance for the cloud, see Formal Reasoning About the Security of Amazon Web Services.