AWS IAM Access Analyzer features

Overview

IAM Access Analyzer guides you towards least privilege by providing tools to set, verify, and refine permissions. As a comprehensive permissions analysis and policy validation tool, IAM Access Analyzer offers access findings, policy checks, and policy generation.

IAM Access Analyzer uses provable security to deliver comprehensive findings on external access analysis and custom policy checks. Provable security relies on automated reasoning technology, which is the application of mathematical logic to help answer critical questions about your infrastructure, including AWS permissions. To learn how AWS automated reasoning tools and methods provide a higher level of security assurance for the cloud, visit the What is Automated Reasoning page or download the whitepaper Formal Reasoning About the Security of Amazon Web Services.

Set fine-grained permissions

IAM Access Analyzer generates a fine-grained policy based on the access activity captured in your AWS CloudTrail logs. This means that after you build and run an application, you can generate IAM policies that grant only the required permissions to operate the application.

IAM Access Analyzer guides you to author and validate secure and functional policies based on IAM best practices. For example, if your policy contains the iam:PassRole permission with an asterisk in the Resource element, IAM Access Analyzer flags this as a security warning. There are four policy validation finding types: security warnings, errors, general warnings, and IAM best practice suggestions for your policy. Findings provide actionable recommendations that help you author policies that are functional and conform to AWS best practices.
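The following is an added example, not Access Analyzer's own validation engine: a small local linter that reproduces the one check described above (an Allow statement granting iam:PassRole on Resource "*", including via wildcard actions such as iam:* or *), run over a constructed weak policy and its hardened form. The account ID and role name in the sample policies are placeholders.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]

def passrole_findings(policy):
    """Return a finding per Allow statement granting iam:PassRole on Resource '*'.
    Action patterns such as 'iam:*' or '*' are matched IAM-style via fnmatch."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny statements and NotAction statements are out of scope here
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        resources = _as_list(stmt.get("Resource", []))
        if any(fnmatchcase("iam:passrole", a) for a in actions) and "*" in resources:
            findings.append({
                "findingType": "SECURITY_WARNING",
                "statementIndex": index,
                "detail": "iam:PassRole on Resource '*' lets the principal pass any role",
            })
    return findings

# Constructed sample policies; the account ID and role name are placeholders.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"}],
}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/ExampleEc2Role",
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, passrole_findings(policy))
```

The hardened form scopes iam:PassRole to one role and, with the iam:PassedToService condition, to one service, which is the shape the security warning steers you toward.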

Verify who can access what

IAM Access Analyzer guides you to verify that existing access meets your intent. It uses automated reasoning tools, for provable security assurance, to analyze all access paths and provide a comprehensive analysis of external access to your resources. When you turn on IAM Access Analyzer, it continuously monitors for new or updated resource permissions to help you identify permissions that grant public and cross-account access. For example, if an Amazon S3 bucket policy were to change, IAM Access Analyzer would alert you that the bucket is accessible by users from outside the account. Using this same analysis, IAM Access Analyzer makes it easier to review and validate public and cross-account access before deploying permissions changes.

IAM Access Analyzer validates that IAM policies adhere to your security standards ahead of deployment. Custom policy checks use automated reasoning (provable security assurance backed by mathematical proof) so that security teams can proactively detect nonconformant updates to policies, for example IAM policy changes that are more permissive than their previous version. Security teams can use these checks to streamline their reviews, automatically approving policies that conform to their security standards and inspecting more deeply those that don't. This new kind of validation provides higher security assurance in the cloud. Security and development teams can automate policy reviews at scale by integrating these custom policy checks into the tools and environments where developers author their policies, such as their CI/CD pipelines.
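As an added example of wiring the "no more permissive than the previous version" check into a pipeline (this is not AWS's own code), the gate below calls the custom policy check and turns the result into a process exit code. It assumes the boto3 accessanalyzer client exposes check_no_new_access with the parameter names shown and returns a result of PASS or FAIL with a list of reasons; the policies and canned responses are constructed so the gate can also be exercised offline.

```python
import json
import sys

def policy_change_is_safe(client, existing_policy, new_policy, policy_type="IDENTITY_POLICY"):
    """Return (ok, reasons): ok only when the service proves new_policy grants no
    access that existing_policy did not; reasons explain a FAIL."""
    response = client.check_no_new_access(
        newPolicyDocument=json.dumps(new_policy),
        existingPolicyDocument=json.dumps(existing_policy),
        policyType=policy_type,
    )
    reasons = [r.get("description", "") for r in response.get("reasons", [])]
    return response.get("result") == "PASS", reasons

class CannedAnalyzer:
    """Offline stand-in for the boto3 client that replays a constructed response."""
    def __init__(self, response):
        self.response = response
    def check_no_new_access(self, **kwargs):
        return self.response

# Constructed policies: the change widens s3:GetObject on one bucket to s3:* on everything.
EXISTING = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
PROPOSED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# Constructed responses in the documented shape (result, message, reasons).
FAIL_RESPONSE = {"result": "FAIL", "message": "The updated policy grants new access.",
                 "reasons": [{"description": "New access in statement 0", "statementIndex": 0}]}
PASS_RESPONSE = {"result": "PASS", "message": "The updated policy grants no new access."}

def gate(client, existing, proposed):
    """CI entry point: process exit code, 0 only when the check passes."""
    ok, reasons = policy_change_is_safe(client, existing, proposed)
    for reason in reasons:
        print("blocked:", reason, file=sys.stderr)
    return 0 if ok else 1

if __name__ == "__main__":
    try:
        import boto3  # real check when boto3 and AWS credentials are available
        client = boto3.client("accessanalyzer")
    except ImportError:
        client = CannedAnalyzer(FAIL_RESPONSE)  # offline demonstration
    sys.exit(gate(client, EXISTING, PROPOSED))
```

A non-zero exit fails the pipeline step, so a widening change is blocked until a reviewer inspects the reasons the service returned.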

Refine access

IAM Access Analyzer simplifies inspecting unused access to guide you toward least privilege. Security teams can use IAM Access Analyzer to gain visibility into unused access across their AWS organization and automate how they rightsize permissions. IAM Access Analyzer continuously analyzes your accounts to identify unused access and offers recommendations with actionable guidance to help you remediate the unused access. It consolidates findings in a centralized dashboard, which helps security teams review findings centrally and prioritize accounts based on the volume of findings. The findings highlight unused roles, unused access keys for IAM users, and unused passwords for IAM users. For active IAM roles and users, the findings provide visibility into unused services and actions. Security teams can automate notification workflows to help development teams identify and remove unused access.

IAM Access Analyzer provides last accessed information about when AWS services, and actions from select AWS services, were last used by a role or user through their IAM policies, which helps you identify opportunities to tighten your permissions. With this information, you can compare the permissions granted to a role or user against when those permissions were last accessed, remove unused access, and further refine your permissions.

Integrations

With the AWS Security Hub integration, external and unused access findings generated by IAM Access Analyzer can be sent to Security Hub and checked against security industry standards and best practices. This allows further analysis of your security patterns and helps identify the highest priority security issues. Security Hub can include findings from IAM Access Analyzer in its analysis of your security posture.

With the Amazon EventBridge integration, you can automate and scale permissions refinement by alerting teams to review and remove excessive permissions within their AWS accounts. IAM Access Analyzer sends an event to EventBridge when a finding is generated, deleted, or its status changes. To receive findings and notifications about findings, you must enable IAM Access Analyzer and create an event rule in Amazon EventBridge.
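As an added example (not AWS's own code) of the event rule described above: the pattern below selects active IAM Access Analyzer findings, and the small matcher that follows covers only the exact-value subset of EventBridge pattern semantics so the rule can be exercised offline against a constructed finding event. The event's account ID, bucket name and field set are constructed stand-ins for what the service sends.

```python
import json

# EventBridge rule pattern for active findings; pass json.dumps(ACTIVE_FINDING_PATTERN)
# as the EventPattern argument of the boto3 events client's put_rule call.
ACTIVE_FINDING_PATTERN = {
    "source": ["aws.access-analyzer"],
    "detail-type": ["Access Analyzer Finding"],
    "detail": {"status": ["ACTIVE"]},
}

def event_matches(pattern, event):
    """Exact-value subset of EventBridge matching: each pattern key must exist in
    the event and its value must be one of the listed values (nested dicts recurse)."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not event_matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True

def notification_line(event):
    """Build the one-line alert a rule target (such as an SNS topic) would relay,
    or None when the event falls outside the pattern."""
    if not event_matches(ACTIVE_FINDING_PATTERN, event):
        return None
    d = event["detail"]
    scope = "public" if d.get("isPublic") else "cross-account"
    return f"[{event['account']}] {scope} access to {d['resource']} via {', '.join(d['action'])}"

# Constructed event in the shape Access Analyzer sends; account and bucket are placeholders.
SAMPLE_EVENT = {
    "source": "aws.access-analyzer",
    "detail-type": "Access Analyzer Finding",
    "account": "123456789012",
    "detail": {
        "status": "ACTIVE",
        "isPublic": True,
        "resourceType": "AWS::S3::Bucket",
        "resource": "arn:aws:s3:::example-bucket",
        "action": ["s3:GetObject", "s3:ListBucket"],
    },
}
RESOLVED_EVENT = {**SAMPLE_EVENT, "detail": {**SAMPLE_EVENT["detail"], "status": "RESOLVED"}}

if __name__ == "__main__":
    print(json.dumps(ACTIVE_FINDING_PATTERN))  # the EventPattern string for put_rule
    print(notification_line(SAMPLE_EVENT), notification_line(RESOLVED_EVENT))
```

Filtering on detail.status keeps resolved and archived findings from paging the team, while the finding's resource, action and isPublic fields give the responder enough to triage without opening the console.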