IAM Access Analyzer guides you toward least privilege by providing tools to set, verify, and refine permissions. As a comprehensive permissions analysis and policy validation tool, IAM Access Analyzer offers access findings, policy checks, and policy generation.
IAM Access Analyzer uses provable security to deliver comprehensive findings on external, internal and unused access, and provides custom policy checks. Provable security relies on automated reasoning technology, which is the application of mathematical logic to help answer critical questions about your infrastructure, including AWS permissions. To learn how AWS automated reasoning tools and methods provide a higher level of security assurance for the cloud, see What is Automated Reasoning?, or download the whitepaper, Formal Reasoning About the Security of Amazon Web Services.
Policy generation
IAM Access Analyzer generates a fine-grained policy based on the access activity captured in your AWS CloudTrail logs. This means that after you build and run an application, you can generate IAM policies that grant only the required permissions to operate the application.
Policy validation
IAM Access Analyzer guides you to author and validate secure and functional policies based on IAM best practices. For example, if your policy contains an iam:PassRole permission with an asterisk in the Resource element, IAM Access Analyzer flags this as a security warning. IAM Access Analyzer includes four policy validation finding types: security warnings, errors, general warnings, and IAM best practice suggestions for your policy. Findings provide actionable recommendations that help you author policies that are functional and conform to AWS best practices and your security standards.
External access analyzer
IAM Access Analyzer guides you to verify that existing external access meets your intent. It uses automated reasoning tools, for provable security assurance, to analyze all external access to your AWS resources. When you turn on IAM Access Analyzer, it continuously monitors for new or updated resource permissions to help you identify permissions that grant public and cross-account access. For example, if an Amazon S3 bucket policy were to change, IAM Access Analyzer would alert you that the bucket had become accessible to users from outside the account. Using this same analysis, IAM Access Analyzer makes it easier to review and validate public and cross-account access before deploying permissions changes.
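The two findings described above (the iam:PassRole security warning from policy validation, and the public-bucket alert from external access analysis) can be illustrated with a small local checker. This is an added example, not AWS code and not how IAM Access Analyzer is implemented: the service reasons over the full policy language with automated reasoning, while this script only inspects two patterns in small JSON policy documents. The two sample policies, their Sids and ARNs, and the finding dictionaries are constructed for the example.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample identity-based policy (not from the page): the second
# statement passes any role anywhere, the pattern flagged as a security
# warning by policy validation.
SAMPLE_IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PassAnyRole", "Effect": "Allow",
         "Action": "iam:PassRole", "Resource": "*"},
    ],
})

# Constructed sample S3 bucket policy: the first statement grants read access
# to everyone, the kind of change an external access finding reports.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "SameAccountList", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})


def _as_list(value):
    """Most policy elements accept a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    """Accept a JSON string or an already-parsed dict and return its statements."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return _as_list(doc.get("Statement"))


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def passrole_wildcard_findings(policy):
    """Security warning: an Allow statement grants iam:PassRole (directly or via
    a wildcard such as iam:*) while its Resource element contains '*'."""
    findings = []
    for stmt in _statements(policy):
        if stmt.get("Effect") != "Allow":
            continue
        grants_passrole = any(_action_matches(p, "iam:PassRole")
                              for p in _as_list(stmt.get("Action")))
        if grants_passrole and "*" in _as_list(stmt.get("Resource")):
            findings.append({
                "type": "SECURITY_WARNING",
                "sid": stmt.get("Sid"),
                "detail": "iam:PassRole is allowed with '*' in Resource; "
                          "scope Resource to the specific role ARNs",
            })
    return findings


def _principal_is_public(principal):
    """Principal '*' or {'AWS': '*'} means any AWS principal, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_principal_findings(policy):
    """External-access style finding: an Allow statement in a resource policy
    whose Principal is public. The real analyzer also reasons about Condition
    keys; this example only records whether a Condition element is present."""
    findings = []
    for stmt in _statements(policy):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            findings.append({
                "type": "PUBLIC_ACCESS",
                "sid": stmt.get("Sid"),
                "actions": _as_list(stmt.get("Action")),
                "has_condition": "Condition" in stmt,
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(passrole_wildcard_findings(SAMPLE_IDENTITY_POLICY), indent=2))
    print(json.dumps(public_principal_findings(SAMPLE_BUCKET_POLICY), indent=2))
```

Running the script prints one security warning for the PassAnyRole statement and one public-access finding for the PublicRead statement; the remediation in each case is the one the text implies, narrowing Resource to specific role ARNs and narrowing Principal to the intended accounts.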
Internal access analyzer
IAM Access Analyzer identifies who within your AWS organization has access to your critical AWS resources. It uses automated reasoning to collectively evaluate multiple policies and generates findings when a user or role has access to your S3, DynamoDB, or RDS resources. The findings are aggregated in a unified dashboard, simplifying access review and management. You can use Amazon EventBridge to automatically notify development teams of new findings to remove unintended access. Internal access findings provide security teams the visibility to strengthen access controls on their critical resources and help compliance teams demonstrate access control audit requirements.
Custom policy checks
IAM Access Analyzer validates that IAM policies adhere to your security standards ahead of deployments. Custom policy checks use the power of automated reasoning so that security teams can proactively detect nonconformant updates to policies. For example, IAM policy changes that are more permissive than their previous version would be flagged for additional review. Security teams can use these checks to streamline their reviews, automatically approving policies that conform with their security standards, and inspecting more deeply when they don't. Security and development teams can automate policy reviews at scale by integrating custom policy checks into the tools and environments where developers author their policies, such as their CI/CD pipelines.
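The "more permissive than the previous version" check above can be approximated locally for pipeline triage. This is an added example, not AWS code and not the automated reasoning that custom policy checks use: it flattens Allow statements into (action, resource) pattern pairs and reports any pair in the proposed version that no pair in the previous version already covers, ignoring Deny, NotAction/NotResource and Condition elements, so it is a heuristic rather than a proof. The two policy versions, the queue ARN and the review decisions are constructed for the example.

```python
import json
from fnmatch import fnmatchcase

# Constructed previous and proposed versions of one identity-based policy
# (not from the page). The proposed version widens s3:GetObject to s3:*.
PREVIOUS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-data/*"},
        {"Effect": "Allow", "Action": ["sqs:SendMessage"],
         "Resource": "arn:aws:sqs:us-east-1:111122223333:app-queue"},
    ],
}
PROPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::app-data/*"},
        {"Effect": "Allow", "Action": ["sqs:SendMessage"],
         "Resource": "arn:aws:sqs:us-east-1:111122223333:app-queue"},
    ],
}


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_grants(policy):
    """Flatten Allow statements into (action, resource) pattern pairs.
    Deny statements, NotAction/NotResource and Condition are ignored here,
    which is why this is a triage heuristic and not a proof."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    grants = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                grants.add((action.lower(), resource))
    return grants


def _covered_by(grant, old_grants):
    """A proposed grant is covered if some previous grant's action and resource
    patterns both match it. The proposed patterns are treated as literal text,
    so 's3:*' is not covered by 's3:GetObject', while 's3:GetObject' is covered
    by 's3:*'."""
    action, resource = grant
    return any(fnmatchcase(action, old_action) and fnmatchcase(resource, old_resource)
               for old_action, old_resource in old_grants)


def widened_grants(previous, proposed):
    """Grants in the proposed policy that no previous grant already covered."""
    old = allow_grants(previous)
    return sorted(g for g in allow_grants(proposed) if not _covered_by(g, old))


def review_decision(previous, proposed):
    """Auto-approve when nothing widened; otherwise route for human review
    together with the list of new grants."""
    widened = widened_grants(previous, proposed)
    return {
        "more_permissive": bool(widened),
        "decision": "needs review" if widened else "auto-approve",
        "widened_grants": widened,
    }


if __name__ == "__main__":
    print(json.dumps(review_decision(PREVIOUS_POLICY, PROPOSED_POLICY), indent=2))
```

In a CI/CD job the previous version would be the policy currently deployed and the proposed version the one in the change set; a "needs review" decision blocks the merge until a reviewer looks at the listed grants, which mirrors the approve-or-inspect workflow described above.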
Unused access analyzer
IAM Access Analyzer simplifies inspecting unused access to guide you toward least privilege. Security teams can use IAM Access Analyzer to gain visibility into unused access across their AWS organization and automate how they rightsize permissions. IAM Access Analyzer continuously analyzes your accounts to identify unused access and offers recommendations with actionable guidance to help you remediate any unused access. It consolidates findings in a centralized dashboard, which helps security teams review findings and prioritize accounts based on the volume of findings. The findings highlight unused roles, unused access keys for IAM users, and unused passwords for IAM users. For active IAM roles and users, the findings provide visibility into unused services and actions. Security teams can automate notification workflows to help development teams identify and remove unused access.
Last accessed information
IAM Access Analyzer provides last accessed information about when AWS services, and actions from select AWS services, were last used by a role or user through their IAM policies. This helps you identify opportunities to refine your permissions. With this information, you can compare the permissions granted to a role or user against when those permissions were last used, remove unused access, and further refine your permissions.
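The rightsizing step described in the two preceding sections, comparing what a policy grants against when each service was last used and dropping what is stale, looks like the following. This is an added example, not AWS code: the role policy, the last-accessed timestamps, the fixed review date and the 90-day window are all constructed, and the rightsizing rule (drop a statement only when every action in it belongs to an unused service) is one conservative choice, not the service's own recommendation logic.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
REVIEW_WINDOW_DAYS = 90

# Constructed identity-based policy attached to a role (not from the page).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": "*"},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
    ],
}

# Constructed last-accessed data keyed by service namespace; None means the
# role has never authenticated to that service. In a real workflow these
# timestamps come from the service last accessed data that IAM exposes.
LAST_ACCESSED = {
    "s3": NOW - timedelta(days=3),
    "dynamodb": NOW - timedelta(days=200),
    "sqs": None,
    "kms": NOW - timedelta(days=10),
}


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _service_of(action):
    """Service namespace is the part of an action before ':' ('*' stays '*')."""
    return action.split(":", 1)[0].lower()


def granted_services(policy):
    """Service namespaces that the policy's Allow statements grant."""
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            services.add(_service_of(action))
    return services


def unused_services(policy, last_accessed, now=NOW, window_days=REVIEW_WINDOW_DAYS):
    """Granted services the principal has not used inside the review window,
    as (service, reason) pairs sorted by service name."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for service in sorted(granted_services(policy)):
        if service == "*":
            findings.append((service, "wildcard action grants every service; "
                                      "scope it before last-accessed data can help"))
            continue
        last = last_accessed.get(service)
        if last is None:
            findings.append((service, "never used"))
        elif last < cutoff:
            findings.append((service, f"last used {(now - last).days} days ago"))
    return findings


def rightsized_policy(policy, unused):
    """Drop Allow statements whose every action belongs to an unused service;
    statements mixing used and unused services are kept for manual review.
    A bare '*' action is never dropped automatically."""
    unused_names = {service for service, _ in unused if service != "*"}
    kept = []
    for stmt in _as_list(policy.get("Statement")):
        services = {_service_of(a) for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") == "Allow" and services and services <= unused_names:
            continue
        kept.append(stmt)
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": kept}


if __name__ == "__main__":
    stale = unused_services(ROLE_POLICY, LAST_ACCESSED)
    for service, reason in stale:
        print(f"{service}: {reason}")
    print(rightsized_policy(ROLE_POLICY, stale))
```

With the constructed data the report lists dynamodb (last used 200 days ago) and sqs (never used), and the rightsized policy keeps only the s3 and kms statements; the dropped grants are exactly the ones a development team would be asked to confirm before removal.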
Integration with AWS Security Hub
When IAM Access Analyzer is integrated with AWS Security Hub Cloud Security Posture Management (CSPM), external and unused access findings can be sent to CSPM and checked against security industry standards and best practices. This allows further analysis of your security patterns and helps identify the highest priority security issues. Security Hub can include findings from IAM Access Analyzer in its analysis of your security posture.
Integration with Amazon EventBridge
By integrating IAM Access Analyzer with Amazon EventBridge, you can automate and scale permissions refinement by alerting teams to review and remove excessive permissions within their AWS accounts. IAM Access Analyzer sends an event to EventBridge when a finding is generated, deleted, or its status changes. To receive findings and notifications about findings, you must create and enable an event rule in EventBridge.
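The EventBridge rule and the notification logic behind it, as an added example that is not AWS code: the event pattern's source and detail-type values are the ones documented for IAM Access Analyzer finding events, while the sample event, the field names inside its detail object (id, status, resource, isPublic and so on), and the routing of public findings to an on-call channel are assumptions constructed for the example. The matcher models only the equality form of EventBridge patterns.

```python
import copy

# EventBridge event pattern for a rule that fires on IAM Access Analyzer
# findings. Restricting status to ACTIVE skips archived and resolved findings,
# so the rule only fires on findings that still need attention.
FINDING_EVENT_PATTERN = {
    "source": ["aws.access-analyzer"],
    "detail-type": ["Access Analyzer Finding"],
    "detail": {"status": ["ACTIVE"]},
}

# Constructed sample event (not a captured one). The field names inside
# "detail" are assumed to follow the shape of an external access finding;
# confirm them against the finding event format before relying on them.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "Access Analyzer Finding",
    "source": "aws.access-analyzer",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "id": "finding-id-placeholder",
        "status": "ACTIVE",
        "resourceType": "AWS::S3::Bucket",
        "resource": "arn:aws:s3:::example-bucket",
        "accountId": "111122223333",
        "isPublic": True,
        "principal": {"AWS": "*"},
        "action": ["s3:GetObject"],
    },
}


def pattern_matches(pattern, event):
    """Minimal EventBridge-style matcher: every key in the pattern must exist in
    the event, a leaf list means 'the value is one of these', and nested dicts
    recurse. Prefix, anything-but and numeric matchers are not modelled."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not pattern_matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def route_finding(event):
    """Return the notification to send, or None when the rule would not fire."""
    if not pattern_matches(FINDING_EVENT_PATTERN, event):
        return None
    detail = event["detail"]
    public = bool(detail.get("isPublic"))
    return {
        "finding_id": detail["id"],
        "resource": detail["resource"],
        "severity": "high" if public else "medium",
        # Public findings page the security on-call; cross-account ones go to
        # the resource owners (an assumed routing policy).
        "notify": "security-oncall" if public else "resource-owners",
    }


def with_status(event, status):
    """Copy of an event with a different finding status, for exercising the rule."""
    updated = copy.deepcopy(event)
    updated["detail"]["status"] = status
    return updated


if __name__ == "__main__":
    print(route_finding(SAMPLE_EVENT))
    print(route_finding(with_status(SAMPLE_EVENT, "ARCHIVED")))
```

FINDING_EVENT_PATTERN is what you would place in the rule's event pattern, and route_finding is the kind of logic a rule target (a Lambda function, for instance) would run; archiving a finding changes its status, so the second call returns None and no notification is sent.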