IAM Access Analyzer Guides You Toward Least-Privilege Permissions

Policy generation with IAM Access Analyzer generates a fine-grained policy based on the access activity captured in your logs. This means that after you build and run an application, you can generate policies that grant only the required permissions to operate the application.

Policy validation with IAM Access Analyzer guides you to author and validate secure and functional policies with more than 100 policy checks. You can use these checks while creating new policies or to validate existing policies.

Public and cross-account findings with IAM Access Analyzer guide you to verify that existing access meets your intent. IAM Access Analyzer uses provable security to analyze all access paths and provide comprehensive analysis of external access to your resources. When you turn on IAM Access Analyzer, it continuously monitors for new or updated resource permissions to help you identify permissions that grant public and cross-account access. For example, if an Amazon S3 bucket policy were to change, IAM Access Analyzer would alert you that the bucket is accessible by users from outside the account.

Using this same analysis, IAM Access Analyzer makes it easier to review and validate public and cross-account access before deploying permissions changes.

Last-accessed information provides data about when AWS services were last used, which helps you identify opportunities to tighten your permissions. With this information, you can compare the permissions that have been granted with when those permissions were last accessed to remove unused access and further refine your permissions.

You also can use last-used timestamps for your IAM roles and access keys to remove IAM entities that are no longer required.