Achieving least privilege is a continuous cycle to grant the right fine-grained permissions as your requirements evolve. AWS Identity and Access Management (IAM) Access Analyzer helps you streamline permissions management throughout each step of the cycle.

Image showing set, verify, and refine

Your journey toward least privilege: Set, verify, and refine

Set fine-grained permissions

Policy generation with IAM Access Analyzer generates a fine-grained policy based on the access activity captured in your logs. This means that after you build and run an application, you can generate policies that grant only the required permissions to operate the application.

Policy validation with IAM Access Analyzer guides you to author and validate secure and functional policies with more than 100 policy checks. You can use these checks while creating new policies or to validate existing policies.

Verify intended permissions

Public and cross-account findings with IAM Access Analyzer guide you to verify that existing access meets your intent. IAM Access Analyzer uses provable security to analyze all access paths and provide comprehensive analysis of external access to your resources. When you turn on IAM Access Analyzer, it continuously monitors for new or updated resource permissions to help you identify permissions that grant public and cross-account access. For example, if an Amazon S3 bucket policy were to change, IAM Access Analyzer would alert you that the bucket is accessible by users from outside the account.

Using this same analysis, IAM Access Analyzer makes it easier to review and validate public and cross-account access before deploying permissions changes.

Refine permissions by removing unused access

Last-accessed information provides data about when AWS services were last used, which helps you identify opportunities to tighten your permissions. With this information, you can compare the permissions that have been granted with when those permissions were last accessed to remove unused access and further refine your permissions.

You also can use last-used timestamps for your IAM roles and access keys to remove IAM entities that are no longer required.

Provable security for public and cross-account analysis

IAM Access Analyzer uses provable security to provide comprehensive findings for public and cross-account access to your resources. Provable security relies on automated reasoning technology, which is the application of mathematical logic to help answer critical questions about your infrastructure, including AWS permissions. To learn how automated AWS reasoning tools and methods provide a higher level of security assurance for the cloud, see Formal Reasoning About the Security of Amazon Web Services.

Watch these videos to learn more about IAM Access Analyzer

A least-privilege journey: IAM policies and IAM Access Analyzer (55:59)
Use IAM Access Analyzer with Amazon S3 buckets (8:06)
Use IAM Access Analyzer policy validation to set secure and functional policies (2:59)

Learn more about IAM features

Visit the features page
Ready to build?
Get started with IAM
Have more questions?
Contact us