AWS Identity and Access Management (IAM) helps you control access and permissions to your AWS services and resources, such as compute instances and storage buckets. By using resource policies, for example, IAM allows customers to granularly control who is able to access a specific resource and how they are able to use it.
With the cloud, you can quickly spin up resources as you need them, deploying thousands of servers in minutes. So, it becomes particularly important to be able to quickly look across resource policies and identify resources with public or cross-account access you may not intend. IAM Access Analyzer generates comprehensive findings that identify resources that can be accessed from outside an AWS account. IAM Access Analyzer does this by evaluating resource policies using mathematical logic and inference to determine the possible access paths allowed by the policies. IAM Access Analyzer continuously monitors for new or updated policies, and it analyzes permissions granted using policies for your Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, AWS IAM roles, and AWS Lambda functions.
As a security best practice, it is also important to look at how permissions are actually being used over time, so you can remove unnecessary permissions, in accordance with the principle of least privilege. IAM provides you “service last accessed” data, which is a timestamp on when an IAM policy or entity, such as a user or role, last used a service. This enables you to easily identify unused permissions and improve your security posture by removing the permissions not necessary for the user, group, or role to perform a specific task. From the AWS Organizations master account, you can also see the last time a service was accessed by the organization root, organizational units (OUs), and accounts. To learn more about how to use “service last accessed” data to make decisions about the permissions granted to your IAM or Organizations entities, see Example Scenarios for Using Service Last Accessed Data.
Saves time analyzing resource policies for public or cross-account accessibility
Compared to heuristics or pattern-matching techniques that could take days or weeks, IAM Access Analyzer uses mathematical logic and inference to dramatically reduce the time to generate comprehensive findings about resources that can be accessed from outside an AWS account. IAM Access Analyzer evaluates permissions granted using policies for your Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, AWS IAM roles, and AWS Lambda functions. IAM Access Analyzer delivers detailed findings through the AWS IAM, Amazon S3, and AWS Security Hub consoles and also through its APIs.
Continuously monitors and helps you refine permissions
IAM Access Analyzer continuously monitors and analyzes any new or updated resource policy to help you understand the potential security implications. For example, when an Amazon S3 bucket policy changes, IAM would alert you that the bucket is accessible by users from outside the account.
In addition to IAM Access Analyzer, IAM also provides you with “service last accessed” timestamp data on when an IAM policy or entity last used a service, so you can easily identify and remove unused permissions to improve your security posture by granting only the permissions required to perform a specific task.
Provides the highest levels of security assurance
IAM Access Analyzer uses automated reasoning, a form of mathematical logic and inference, to determine all possible access paths allowed by a resource policy. We call these analytical results provable security, a higher level of assurance for security of the cloud and in the cloud.
While some tools let you test particular access scenarios, IAM Access Analyzer is able to use mathematics to analyze for all possible access requests increasing your confidence that your policies enable only the access you intend.
How it works
Automated reasoning for policy analysis
Automated reasoning is an area of cognitive science that automates different aspects of reasoning related to mathematics and formal logic. The AWS Automated Reasoning Group designs algorithms and builds code that can reason about cloud resources, configurations, and infrastructure to quickly provide assurances about aspects of their behaviors. In the case of resources policies, AWS transforms them into precise logical formulas, and then uses automated reasoners to comprehensively summarize which resources grant public or cross-account access. Learn how automated reasoning tools and methods within Amazon Web Services provide a higher level of security assurance for the cloud by reading "Formal Reasoning About AWS."