AWS IAM Access Analyzer pricing
Pricing Overview
AWS Identity and Access Management (IAM) Access Analyzer guides you toward least privilege by providing tools to set, verify, and refine permissions. IAM Access Analyzer provides access analysis findings, policy checks, and policy generation.
When you enable IAM Access Analyzer, you create an analyzer, which regularly checks your accounts or AWS organization for external access, internal access, and unused access. The analyzer generates access findings for your IAM roles, IAM users, and AWS resources. You can enable three types of analyzers: external access analyzer, internal access analyzer, and unused access analyzer:
- An external access analyzer creates public and cross-account access findings for AWS resources. This is provided at no additional charge.
- An internal access analyzer identifies the IAM roles and users within your AWS organization that have access to your business-critical AWS resources. This is a paid feature. For every internal analyzer you enable, you pay per resource monitored per Region per month.
- An unused access analyzer inspects unused access to guide you toward least privilege. This is a paid feature. For every unused access analyzer you enable, you pay per IAM role or IAM user per month. Because IAM roles and users are global, you need to enable only one analyzer across all Regions in a partition.
Internal access analyzer and unused access analyzer charges occur once during setup, and then monthly on the first day of the month.
IAM Access Analyzer also offers two types of policy checks:
- IAM Access Analyzer policy validation guides you to author and validate secure and functional policies based on IAM best practices. This is provided at no additional charge.
- IAM Access Analyzer custom policy checks validate before deployment that developer-authored policies adhere to your specified security standards. This is a paid feature. Custom policy checks use automated reasoning—provable security assurance backed by mathematical proof—so that security teams can proactively detect nonconformant updates to policies. For custom policy checks, you are charged based on the number of checks you run by calling the IAM Access Analyzer APIs.
IAM Access Analyzer policy generation creates fine-grained policies based on the access activity captured in your logs. This is provided at no additional charge.
Pricing
Internal access
Pricing examples
Example 1: You have enabled an internal access analyzer for an account in the US East (N. Virginia) Region. You have configured the analyzer to monitor access for three Amazon S3 buckets and five Amazon DynamoDB tables.
Total number of AWS resources being monitored:
3 buckets + 5 tables = 8 resources
Monthly cost of analysis
$9.00 * 8 AWS resources = $72 per month
Example 2: You have five accounts in your AWS organization. You have enabled an internal access analyzer for your organization in the US East (N. Virginia) Region. The following is a breakdown of the resources in each account and the total monthly cost.

| Account number | Number of Amazon S3 buckets | Number of Amazon DynamoDB tables | Total resources per account |
| --- | --- | --- | --- |
| 1 | 5 | 1 | 6 |
| 2 | 10 | 2 | 12 |
| 3 | 0 | 10 | 10 |
| 4 | 3 | 0 | 3 |
| 5 | 2 | 5 | 7 |
| Total AWS resources | | | 38 |

Monthly cost of analysis
$9.00 * 38 AWS resources = $342 per month
Unused access
Pricing Examples
Example 1:
You have one account with 10 IAM users and 60 IAM roles. You have enabled the IAM Access Analyzer unused access analyzer for this account in the US East (N. Virginia) Region.
Total number of IAM roles or users analyzed in a month
10 users + 60 roles = 70 IAM roles and users
Cost of analysis
$0.20*70 IAM roles and users = $14 per month
Example 2:
You have 5 accounts in your AWS organization. You have enabled the unused access analyzer for this organization in the US East (N. Virginia) Region. The following is a breakdown of the number of IAM roles and users in each account and the total monthly cost.

| Account # | Number of IAM roles | Number of IAM users | Total per account |
| --- | --- | --- | --- |
| 1 | 150 | 10 | 160 |
| 2 | 200 | 15 | 215 |
| 3 | 100 | 20 | 120 |
| 4 | 250 | 10 | 260 |
| 5 | 80 | 15 | 95 |
| Total IAM roles and users in the organization | | | 850 |

Cost of analysis
$0.20*850 IAM roles and users = $170 per month
Custom policy checks
Pricing Examples
Example 1:
You have a single AWS account and make 1,000 calls per month to the IAM Access Analyzer APIs to run custom policy checks as a part of your automated policy review process.
Cost of analysis
$0.0020*1000 API calls = $2 per month
Example 2:
You make 10,000 calls each month to the IAM Access Analyzer APIs to run custom policy checks across 5 accounts signed up for consolidated billing with AWS Organizations.
Cost of analysis
$0.0020*10,000 API calls = $20 per month