External Access and Unused Access Analyzer Findings
Overview
This page explains the two kinds of findings IAM Access Analyzer produces: external access findings and unused access findings.
External Access Findings:
Purpose: Identifies resource-based policies (for example on S3 buckets, KMS keys, or IAM role trust policies) that grant access to principals outside your zone of trust, that is, outside the account or organization the analyzer covers.
How it Works:
Every change to a resource-based policy is re-analyzed; a new finding is generated when the change introduces external access that has not already been reported.
Resolved Status: A finding is marked as Resolved once the policy no longer grants the external access it reported.
Finding Updates: Findings stay Active until the external access is removed or you archive them manually. It can take up to 30 minutes after a policy change for the corresponding findings to be created, updated, or resolved.
Zelkova Analysis:
IAM policies are translated into equivalent logical statements and evaluated by Zelkova, the AWS automated reasoning engine, which runs satisfiability modulo theories (SMT) solvers over them.
Findings report access that a policy allows; they do not depend on whether an external principal has actually used that access.
Privacy Consideration: IAM Access Analyzer doesn’t assess the state of external accounts (e.g., users or policies in external accounts) for security and privacy reasons.
Key Limitations:
Only a subset of IAM condition keys is understood by the analysis; a condition written on an unsupported key does not prevent a finding, so such statements are reported as if the condition were absent.
Findings cover resource-based policies and external access only; identity-based policies attached to principals in other accounts are not analyzed.
The analysis errs on the side of reporting so that no real external access is missed: a statement whose conditions cannot be fully evaluated may produce a finding even when the access is not reachable in practice (a false positive), so expect to review and archive some findings.
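The following is an added example, not IAM Access Analyzer's own code, that mimics the behaviour described above on a constructed bucket policy: every Allow statement whose principal lies outside the zone of trust is reported, and only a small set of condition keys is understood, so a condition on any other key (here aws:Referer) is ignored and the statement is still flagged, which is the conservative, false-positive-leaning outcome. The supported-key set, the zone of trust, the account IDs and the policy are all assumptions made for the example.

```python
"""Simplified external-access check of a resource-based policy.

Added example, not IAM Access Analyzer's own code. The policy, account IDs,
organization ID and supported condition keys below are constructed for the
example.
"""
import json

# Condition keys this toy analyzer understands. The real supported-key list is
# published by AWS and is longer; this subset is an assumption for illustration.
SUPPORTED_CONDITION_KEYS = {"aws:PrincipalOrgID", "aws:PrincipalAccount"}

# Zone of trust for the example: one account and the organization it belongs to.
ZONE_OF_TRUST = {"111111111111", "o-exampleorgid"}

# Constructed bucket policy exercising the cases the analyzer has to distinguish.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SameAccountRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "CrossAccountRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgOnlyList", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "RefererOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringLike": {"aws:Referer": "https://example.com/*"}}},
    ],
})


def principal_accounts(principal):
    """Account IDs named by a Principal element; '*' stands for anyone.

    Service principals ("Service": ...) are ignored here, a simplification.
    """
    if principal == "*":
        return {"*"}
    arns = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(arns, str):
        arns = [arns]
    accounts = set()
    for arn in arns:
        if arn == "*":
            accounts.add("*")
        elif arn.startswith("arn:aws:iam::"):
            accounts.add(arn.split(":")[4])  # arn:aws:iam::<account>:...
        elif arn.isdigit():
            accounts.add(arn)  # bare account ID form
    return accounts


def condition_confines_access(condition, zone_of_trust):
    """True if a supported StringEquals condition keeps every caller inside the zone."""
    for key, values in condition.get("StringEquals", {}).items():
        if key not in SUPPORTED_CONDITION_KEYS:
            continue  # unsupported key: treated as if the condition were absent
        values = [values] if isinstance(values, str) else values
        if values and all(v in zone_of_trust for v in values):
            return True
    return False


def external_access_findings(policy_json, zone_of_trust):
    """Return one finding per Allow statement reachable from outside the zone."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        external = {p for p in principal_accounts(stmt.get("Principal", {}))
                    if p not in zone_of_trust}
        if not external:
            continue
        if condition_confines_access(stmt.get("Condition", {}), zone_of_trust):
            continue
        actions = stmt.get("Action", [])
        findings.append({
            "sid": stmt.get("Sid"),
            "external_principals": sorted(external),
            "actions": [actions] if isinstance(actions, str) else list(actions),
        })
    return findings


if __name__ == "__main__":
    for finding in external_access_findings(SAMPLE_BUCKET_POLICY, ZONE_OF_TRUST):
        print(finding)
```

Run as a script, the check reports CrossAccountRead (a principal in another account) and RefererOnly (a public principal whose only restriction uses a key the analyzer does not understand), while SameAccountRead and OrgOnlyList are silent. Widening the zone of trust to include 222222222222 makes CrossAccountRead silent too, which is how archiving or adjusting the zone of trust changes what gets reported.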
Unused Access Findings:
Purpose: Identifies IAM roles, IAM user passwords, IAM user access keys, and granted permissions within your AWS environment that have not been used for longer than a configured inactivity period.
Conditions Triggering Findings:
A role has not been used for the configured number of days.
A permission, password, or access key has not been used for the configured number of days.
Note: These findings are available only through the ListFindingsV2 API.
How it Works:
Requires creating a separate analyzer of the unused access type; an external access analyzer does not produce these findings.
The analyzer reviews last-accessed information for roles, user access keys, and user passwords across the accounts it covers.
Granular Insights: For unused permissions, the finding identifies the unused services and, where available, the individual unused actions, so policies can be scoped down rather than removed wholesale.
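The following added example (not AWS code) shows how a triage script separates unused access findings from the external access findings that ListFindingsV2 returns alongside them, groups them by finding type, and flattens the service-level and action-level detail of an UnusedPermission finding. The finding records are constructed for the example and carry only the fields the functions read; the UnusedPermission detail records follow the shape of GetFindingV2's findingDetails (an assumption in this example), and the live-fetch helper assumes boto3 and AWS credentials.

```python
"""Triage of unused access findings returned by ListFindingsV2.

Added example, not AWS's own code. ListFindingsV2 returns unused access
findings with a findingType of UnusedIAMRole, UnusedIAMUserAccessKey,
UnusedIAMUserPassword or UnusedPermission, alongside ExternalAccess findings,
so a triage script has to separate them. All records below are constructed.
"""
from collections import defaultdict

UNUSED_FINDING_TYPES = {
    "UnusedIAMRole",
    "UnusedIAMUserAccessKey",
    "UnusedIAMUserPassword",
    "UnusedPermission",
}

# Constructed ListFindingsV2-style records (only the fields used here).
SAMPLE_FINDINGS = [
    {"id": "f-1", "findingType": "UnusedIAMRole", "status": "ACTIVE",
     "resource": "arn:aws:iam::111111111111:role/legacy-deploy"},
    {"id": "f-2", "findingType": "UnusedIAMRole", "status": "ACTIVE",
     "resource": "arn:aws:iam::111111111111:role/old-lambda-exec"},
    {"id": "f-3", "findingType": "UnusedIAMUserAccessKey", "status": "ACTIVE",
     "resource": "arn:aws:iam::111111111111:user/ci-bot"},
    {"id": "f-4", "findingType": "UnusedIAMUserPassword", "status": "RESOLVED",
     "resource": "arn:aws:iam::111111111111:user/alice"},
    {"id": "f-5", "findingType": "UnusedPermission", "status": "ACTIVE",
     "resource": "arn:aws:iam::111111111111:role/app"},
    {"id": "f-6", "findingType": "ExternalAccess", "status": "ACTIVE",
     "resource": "arn:aws:s3:::example-bucket"},
]

# Constructed GetFindingV2-style findingDetails for the UnusedPermission finding.
# An entry without an actions list is taken to mean the whole service went
# unused (assumption made for this example).
SAMPLE_UNUSED_PERMISSION_DETAILS = [
    {"unusedPermissionDetails": {"serviceNamespace": "s3",
                                 "actions": [{"action": "s3:DeleteBucket"},
                                             {"action": "s3:PutBucketPolicy"}]}},
    {"unusedPermissionDetails": {"serviceNamespace": "kms"}},
]


def summarize_unused_access(findings, statuses=("ACTIVE",)):
    """Group unused access findings by type, keeping only the given statuses."""
    grouped = defaultdict(list)
    for finding in findings:
        if finding["findingType"] in UNUSED_FINDING_TYPES and finding["status"] in statuses:
            grouped[finding["findingType"]].append(finding["resource"])
    return {kind: sorted(resources) for kind, resources in grouped.items()}


def unused_actions(finding_details):
    """Flatten UnusedPermission details to 'service:Action' or 'service:*' entries."""
    entries = []
    for detail in finding_details:
        perm = detail.get("unusedPermissionDetails")
        if not perm:
            continue
        actions = perm.get("actions") or []
        if actions:
            entries.extend(a["action"] for a in actions)
        else:
            entries.append(perm["serviceNamespace"] + ":*")
    return sorted(entries)


def fetch_findings_v2(analyzer_arn):
    """Page through ListFindingsV2 for a live analyzer (needs boto3 and credentials)."""
    import boto3  # imported here so the offline functions above run without it

    client = boto3.client("accessanalyzer")
    kwargs = {"analyzerArn": analyzer_arn}
    while True:
        page = client.list_findings_v2(**kwargs)
        yield from page["findings"]
        if "nextToken" not in page:
            return
        kwargs["nextToken"] = page["nextToken"]


if __name__ == "__main__":
    print(summarize_unused_access(SAMPLE_FINDINGS))
    print(unused_actions(SAMPLE_UNUSED_PERMISSION_DETAILS))
```

Against a real analyzer, replace SAMPLE_FINDINGS with list(fetch_findings_v2(analyzer_arn)) and pass the findingDetails from GetFindingV2 for each UnusedPermission finding to unused_actions; the ExternalAccess record is dropped by the type filter, and the RESOLVED password finding is dropped by the status filter unless you widen it.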