How can I use AWS IAM Access Analyzer to monitor my AWS resources in my AWS Organization accounts?

Last updated: 2022-04-07

I want to use AWS IAM Access Analyzer to identify resources in my organization and accounts that are shared with an external entity.

Resolution

You can add a member account in the organization as the delegated administrator to manage Access Analyzer for your organization. The delegated administrator has permissions to create and manage analyzers with the organization as the zone of trust. Access Analyzer analyzes only policies applied to resources in the same AWS Region where it's enabled. To monitor all resources in your AWS environment, you must create an analyzer to enable Access Analyzer in each Region where you're using supported AWS resources. For more information, see Delegated administrator for Access Analyzer.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Follow the instructions to add a delegated administrator using the AWS Management Console or AWS CLI. Then, follow the instructions to create an analyzer with the organization as the zone of trust.

Note: Only the management account can add a delegated administrator.
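The delegated-administrator and per-Region analyzer steps above, collected into one script. This is an added example, not part of the AWS article: it assumes the AWS CLI v2 is installed, that the first function is run with management-account credentials and the remaining ones with delegated-administrator credentials, and the account ID and Region list are constructed placeholders to replace with your own. With the default DRY_RUN=1 the script only prints the commands it would run, so you can review the planned org-wide change before setting DRY_RUN=0.

```shell
#!/usr/bin/env sh
# Added example (not from the AWS article). Enables Access Analyzer for an
# organization: register a delegated administrator from the management
# account, then create one ORGANIZATION-type analyzer per Region, because
# Access Analyzer only evaluates resources in the Region it is enabled in.
# Assumes AWS CLI v2 and configured credentials; DRY_RUN=1 (default) only
# prints the commands.

DRY_RUN="${DRY_RUN:-1}"

# Constructed placeholder values; replace with your own.
DELEGATED_ADMIN_ACCOUNT_ID="111122223333"   # member account to delegate to
REGIONS="us-east-1 us-west-2 eu-west-1"     # Regions with supported resources

run() {
  # Echo the command, and execute it only when DRY_RUN=0.
  echo "+ $*"
  if [ "$DRY_RUN" = "0" ]; then
    "$@"
  fi
}

# Step 1 (management-account credentials): enable trusted access for the
# Access Analyzer service principal (idempotent), then register the member
# account as delegated administrator. Only the management account can do this.
register_delegated_admin() {
  account_id="$1"
  run aws organizations enable-aws-service-access \
    --service-principal access-analyzer.amazonaws.com
  run aws organizations register-delegated-administrator \
    --account-id "$account_id" \
    --service-principal access-analyzer.amazonaws.com
}

# Step 2 (delegated-administrator credentials): one analyzer per Region with
# the organization as the zone of trust.
create_org_analyzers() {
  for region in $REGIONS; do
    run aws accessanalyzer create-analyzer \
      --analyzer-name "org-analyzer-${region}" \
      --type ORGANIZATION \
      --region "$region"
  done
}

# Step 3: show each analyzer's status (ACTIVE, CREATING, DISABLED, FAILED)
# and, if any, the status reason code, per Region.
list_analyzer_status() {
  for region in $REGIONS; do
    run aws accessanalyzer list-analyzers \
      --type ORGANIZATION \
      --region "$region" \
      --query 'analyzers[].{name:name,status:status,reason:statusReason.code}' \
      --output table
  done
}

# How many create-analyzer calls a dry run would issue (one per Region).
count_planned_analyzers() {
  DRY_RUN=1 create_org_analyzers | grep -c 'create-analyzer'
}

# Usage: review with DRY_RUN=1 (default), then rerun with DRY_RUN=0.
register_delegated_admin "$DELEGATED_ADMIN_ACCOUNT_ID"
create_org_analyzers
list_analyzer_status
```

Run the first function with management-account credentials and the other two with the delegated administrator's credentials; a separate profile per account (`AWS_PROFILE`) keeps the two roles from being mixed up. Once the analyzers report ACTIVE, their findings for resources shared outside the organization appear in the delegated administrator's Access Analyzer console.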

To view the status of your analyzers, see Access Analyzer status.