External Access and Unused Access Analyzer Findings

Overview

The following explains both kinds of IAM Access Analyzer findings: external access findings and unused access findings.

External Access Findings:

  • Purpose: Identifies when resource-based policies allow access to resources from outside your zone of trust.

  • How it Works:

    • Each modification to a resource-based policy triggers a new finding if permissions change.

    • Resolved Status: A finding is marked as Resolved when the external access is removed.

    • Finding Updates: Findings stay Active until manually archived or access is removed. Updates can take up to 30 minutes after a policy change.

  • Zelkova Analysis:

    • IAM policies are converted into logical statements, evaluated using Zelkova (a satisfiability modulo theories solver).

    • Findings reflect access that the policies allow, not whether any external entity has actually used that access.

    • Privacy Consideration: IAM Access Analyzer doesn’t assess the state of external accounts (e.g., users or policies in external accounts) for security and privacy reasons.

  • Key Limitations:

    • Only certain IAM condition keys are taken into account during access analysis.

    • Findings focus on resource-based policies and external access only.

    • The analysis errs on the side of reporting: false positives are possible because the analyzer is designed not to miss any potential external access.
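The zone-of-trust idea above can be illustrated with a small checker. The code below is an added example, not part of the original page and not Access Analyzer's own implementation: it approximates the analysis with a plain principal check rather than Zelkova's logical reasoning, and it deliberately does not evaluate Condition blocks, flagging conditioned statements anyway (the same conservative, false-positive-tolerant stance the text describes). The policy documents, account ids and zone of trust are constructed sample values.

```python
"""Simplified external-access check for AWS resource-based policies (added example)."""
import json
import re

# Matches the account id in an IAM principal ARN such as arn:aws:iam::123456789012:root
ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

# Constructed zone of trust: the account ids we consider "inside".
ZONE_OF_TRUST = {"111111111111", "222222222222"}

# Constructed sample policies (not from the page).
POLICY_PUBLIC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
POLICY_INTERNAL = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
                   "Action": "s3:ListBucket",
                   "Resource": "arn:aws:s3:::example-bucket"}],
})
POLICY_CROSS_ACCOUNT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": ["111111111111", "arn:aws:iam::333333333333:role/Reader"]},
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}},
    ],
})


def principal_accounts(principal):
    """Return the account ids named by a Principal element.

    "*" stands for an anonymous / any-AWS principal; "?" marks a principal
    this simplified checker cannot classify. Service principals are ignored,
    since they are not external accounts in the analyzer's sense.
    """
    if principal == "*":
        return {"*"}
    if not isinstance(principal, dict):
        return set()
    aws = principal.get("AWS", [])
    ids = set()
    for p in ([aws] if isinstance(aws, str) else aws):
        if p == "*":
            ids.add("*")
        elif re.fullmatch(r"\d{12}", p):
            ids.add(p)
        else:
            m = ACCOUNT_RE.match(p)
            ids.add(m.group(1) if m else "?")
    return ids


def external_access(policy_json, zone_of_trust):
    """Return finding-like dicts for Allow statements reaching outside zone_of_trust."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        if "NotPrincipal" in stmt:
            accounts = {"*"}  # Allow + NotPrincipal reaches everyone else: treat as public
        else:
            accounts = principal_accounts(stmt.get("Principal", {}))
        external = {a for a in accounts if a not in zone_of_trust}
        if not external:
            continue
        findings.append({
            "isPublic": "*" in external,
            "principals": sorted(external),
            "actions": stmt.get("Action"),
            # Conditions are not evaluated here; a conditioned grant is still reported.
            "conditioned": "Condition" in stmt,
        })
    return findings


if __name__ == "__main__":
    for name, doc in [("public", POLICY_PUBLIC), ("internal", POLICY_INTERNAL),
                      ("cross-account", POLICY_CROSS_ACCOUNT)]:
        print(name, json.dumps(external_access(doc, ZONE_OF_TRUST)))
```

Statements whose only principals are inside the zone of trust produce nothing; a grant to `"*"` is reported as public; a grant that mixes a trusted account with an untrusted one reports only the untrusted principal, even though the Condition might in practice restrict it, which is exactly the kind of result a reviewer should confirm or archive rather than ignore.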

Unused Access Findings:

  • Purpose: Identifies unused permissions, roles, passwords, or access keys within your AWS environment based on a specified inactivity period.

  • Conditions Triggering Findings:

    • A role is inactive for the specified number of days.

    • Permissions, passwords, or access keys are unused for the defined duration.

    • Note: These findings are available only through the ListFindingsV2 API.

  • How it Works:

    • Requires creating a separate analyzer for unused access findings.

    • The analyzer reviews last accessed information for roles, user keys, and passwords across accounts.

    • Granular Insights: Helps identify unused permissions at the service or action level for deeper investigation.
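The inactivity rule in the two "Conditions Triggering Findings" bullets and the last-accessed review described under "How it Works" can be shown on constructed data. The code below is an added example, not the page's code and not the analyzer's: it applies an "unused for N days" threshold to a hand-built inventory of roles, access keys and passwords of the kind IAM's role last-used and credential report information provides. The inventory entries, dates and the 90-day period are constructed values; the findingType labels follow the ListFindingsV2 naming as far as I know it (UnusedIAMRole, UnusedIAMUserAccessKey, UnusedIAMUserPassword).

```python
"""Inactivity rule behind unused access findings (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed inventory (not from the page). last_used None means never used.
INVENTORY = [
    {"type": "role", "name": "DeployRole", "created": "2023-01-10", "last_used": "2024-05-01"},
    {"type": "role", "name": "LegacyRole", "created": "2022-03-01", "last_used": None},
    {"type": "role", "name": "BoundaryRole", "created": "2023-06-01", "last_used": "2024-06-03"},
    {"type": "access_key", "name": "alice/key-1", "created": "2024-08-15", "last_used": None},
    {"type": "access_key", "name": "bob/key-1", "created": "2023-02-01", "last_used": "2024-08-30"},
    {"type": "password", "name": "carol", "created": "2023-11-01", "last_used": "2024-02-01"},
]

UNUSED_DAYS = 90                                   # constructed inactivity period
NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)    # fixed "now" so results are reproducible

FINDING_TYPE = {
    "role": "UnusedIAMRole",
    "access_key": "UnusedIAMUserAccessKey",
    "password": "UnusedIAMUserPassword",
}


def _day(date_str):
    """Parse an ISO date string into an aware UTC datetime."""
    return datetime.fromisoformat(date_str).replace(tzinfo=timezone.utc)


def unused_access_findings(inventory, unused_days, now):
    """Return one finding per item whose last use is at least unused_days in the past.

    A never-used item is measured from its creation date, so a freshly created
    key does not trigger a finding until the inactivity period has elapsed.
    """
    threshold = now - timedelta(days=unused_days)
    findings = []
    for item in inventory:
        reference = _day(item["last_used"] or item["created"])
        if reference <= threshold:               # inclusive: exactly N days counts as unused
            findings.append({
                "findingType": FINDING_TYPE[item["type"]],
                "resource": item["name"],
                "daysUnused": (now - reference).days,
                "neverUsed": item["last_used"] is None,
            })
    # Longest-idle first, which is the order a reviewer usually wants.
    return sorted(findings, key=lambda f: -f["daysUnused"])


if __name__ == "__main__":
    for f in unused_access_findings(INVENTORY, UNUSED_DAYS, NOW):
        print(f"{f['findingType']:<24} {f['resource']:<14} "
              f"{f['daysUnused']:>4} days{'  (never used)' if f['neverUsed'] else ''}")
```

Running it flags the never-used legacy role, the stale password, the deployment role and the role sitting exactly on the 90-day boundary, while the key created two weeks ago and the recently used key stay clear; the `neverUsed` flag is worth surfacing separately, since a credential that has never been exercised at all is usually the easiest one to remove.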
