Setup

Overview

IAM Access Analyzer helps you monitor and manage access to AWS resources by identifying resources that are shared with an external entity (external access) and IAM access that has gone unused (unused access). It runs under a service-linked role to analyze resources, and the principal that creates and operates analyzers needs the appropriate IAM permissions.

Key IAM Permissions:

  • IAMAccessAnalyzerFullAccess: Full access for administrators, including the ability to create service-linked roles.

  • IAMAccessAnalyzerReadOnlyAccess: Read-only access to view findings.

Service-Linked Role:

IAM Access Analyzer uses AWSServiceRoleForAccessAnalyzer to analyze resource-based policies and identify unused access.

Types of Analyzers:

  1. External Access Analyzer:

    • Purpose: Identifies resources that are shared outside of your zone of trust (AWS account or organization).

    • Findings Update: After a policy is modified, it can take up to 30 minutes for the analyzer to generate new findings or update (for example, resolve) existing ones, so a change is not reflected immediately in the console.

    • Creation Steps:

      1. Open the IAM console and go to Access Analyzer.

      2. Create a new analyzer for external access.

      3. Choose either Current AWS account or Current organization as the zone of trust.

      4. Optionally, apply tags for management.

    • Scope: An analyzer is Region-specific, meaning you must create one in each Region to monitor external access.

  2. Unused Access Analyzer:

    • Purpose: Identifies unused IAM roles, permissions, passwords, or access keys within a defined time frame.

    • Creation Steps:

      1. Open the IAM console and create a new Unused Access Analyzer.

      2. Specify the tracking period (1–180 days).

      3. Choose whether the analyzer applies to Current account or Current organization.

      4. Optionally, apply tags to the analyzer.

    • Scope: IAM is a global service, so unused access findings are not Region-specific. A single unused access analyzer covers the whole account or organization regardless of Region; you do not create one per Region.
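The two creation procedures above, done with the AWS SDK instead of the console, as an added example that is not part of the original page or of AWS's own tooling. It encodes the two scope rules (one external access analyzer per enabled Region, one unused access analyzer for the account or organization) and validates the 1–180 day tracking period before calling the API. The boto3 calls it relies on (`create_analyzer`, `list_analyzers`, `describe_regions`), the `type` and `configuration` values, and the `AnalyzerSummary` fields are the real API; the helper names, the `external-<region>` / `unused-access` analyzer names and the 90-day default are this example's own choices.

```python
"""Create IAM Access Analyzer analyzers with boto3 and check Region coverage.

External access analyzers are Regional, so one is needed per enabled Region;
IAM is global, so a single unused access analyzer covers every Region.
Helper names and defaults below are this example's assumptions, not AWS's.
"""
from __future__ import annotations

# 'type' values accepted by the CreateAnalyzer API, keyed by zone of trust.
EXTERNAL_TYPES = {"account": "ACCOUNT", "organization": "ORGANIZATION"}
UNUSED_TYPES = {"account": "ACCOUNT_UNUSED_ACCESS",
                "organization": "ORGANIZATION_UNUSED_ACCESS"}


def external_analyzer_request(name: str, zone_of_trust: str,
                              tags: dict | None = None) -> dict:
    """Keyword arguments for create_analyzer() for an external access analyzer."""
    if zone_of_trust not in EXTERNAL_TYPES:
        raise ValueError("zone_of_trust must be 'account' or 'organization'")
    req = {"analyzerName": name, "type": EXTERNAL_TYPES[zone_of_trust]}
    if tags:
        req["tags"] = dict(tags)
    return req


def unused_access_analyzer_request(name: str, zone_of_trust: str,
                                   tracking_days: int, tags: dict | None = None) -> dict:
    """Keyword arguments for create_analyzer() for an unused access analyzer.

    tracking_days is the unusedAccessAge (1-180): access not used within that
    many days is reported. The API rejects values outside that range, so fail
    early here with a clearer message.
    """
    if zone_of_trust not in UNUSED_TYPES:
        raise ValueError("zone_of_trust must be 'account' or 'organization'")
    if not isinstance(tracking_days, int) or not 1 <= tracking_days <= 180:
        raise ValueError("tracking_days must be an integer from 1 to 180")
    req = {
        "analyzerName": name,
        "type": UNUSED_TYPES[zone_of_trust],
        "configuration": {"unusedAccess": {"unusedAccessAge": tracking_days}},
    }
    if tags:
        req["tags"] = dict(tags)
    return req


def regions_missing_external_analyzer(enabled_regions, analyzers_by_region) -> list:
    """Return the Regions that have no ACTIVE external access analyzer.

    analyzers_by_region maps a Region name to the 'analyzers' list returned by
    ListAnalyzers in that Region (each entry carries 'type' and 'status').
    An analyzer in CREATING, FAILED or DISABLED state does not count as coverage.
    """
    missing = []
    for region in enabled_regions:
        covered = any(
            a.get("type") in EXTERNAL_TYPES.values() and a.get("status") == "ACTIVE"
            for a in analyzers_by_region.get(region, [])
        )
        if not covered:
            missing.append(region)
    return sorted(missing)


def ensure_analyzers(session, zone_of_trust: str = "account",
                     tracking_days: int = 90, tags: dict | None = None) -> dict:
    """Create whatever is missing. Needs credentials allowing
    access-analyzer:ListAnalyzers/CreateAnalyzer, ec2:DescribeRegions and
    iam:CreateServiceLinkedRole (the first CreateAnalyzer in an account creates
    AWSServiceRoleForAccessAnalyzer)."""
    # describe_regions() returns only the Regions enabled for this account.
    regions = [r["RegionName"] for r in session.client("ec2").describe_regions()["Regions"]]
    existing = {}
    for region in regions:
        aa = session.client("accessanalyzer", region_name=region)
        existing[region] = aa.list_analyzers()["analyzers"]
    created = {"external": [], "unused": []}
    for region in regions_missing_external_analyzer(regions, existing):
        aa = session.client("accessanalyzer", region_name=region)
        aa.create_analyzer(**external_analyzer_request(f"external-{region}", zone_of_trust, tags))
        created["external"].append(region)
    # One unused access analyzer per account/organization; create it in the session's Region.
    home = session.client("accessanalyzer")
    if not any(a["type"] in UNUSED_TYPES.values() for a in home.list_analyzers()["analyzers"]):
        home.create_analyzer(**unused_access_analyzer_request(
            "unused-access", zone_of_trust, tracking_days, tags))
        created["unused"].append(home.meta.region_name)
    return created


if __name__ == "__main__":
    import boto3  # imported here so the request builders stay usable without it
    print(ensure_analyzers(boto3.Session(), zone_of_trust="account", tracking_days=90))
```

Run it with credentials for the account (or the delegated administrator account when using `zone_of_trust="organization"`); it only creates what `regions_missing_external_analyzer` reports as missing, so re-running it is safe. A FAILED analyzer is deliberately treated as no coverage, matching the status table below, but this script does not delete it for you; delete and re-create it first, otherwise CreateAnalyzer will collide with the existing name.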

Analyzer Status:

  • Active: Monitoring is in progress, and new findings are generated.

  • Creating: Analyzer creation is underway.

  • Disabled: The analyzer has been disabled by an AWS Organizations action, for example removing the analyzer's account as the delegated administrator for IAM Access Analyzer. A disabled analyzer generates no new findings until the condition is corrected.

  • Failed: Creation failed due to configuration issues—requires deletion and re-creation.

Managing Findings and Permissions:

  • Viewing Findings: The findings dashboard requires permission for the following API actions (all in the access-analyzer namespace; opening individual findings additionally needs ListFindings and GetFinding):

    • GetAnalyzer

    • ListAnalyzers

    • GetFindingsStatistics

  • Dashboards and Refresh Delays: Findings take time to appear after an analyzer is created or a policy is updated; the console does not auto-refresh, so reload the page manually before concluding that a resource has no findings.
