How IAM Access Analyzer findings work - AWS Identity and Access Management

This topic describes the concepts and terms that are used in IAM Access Analyzer to help you become familiar with how IAM Access Analyzer monitors access to your AWS resources.

External access

For external access analyzers, AWS Identity and Access Management Access Analyzer is built on Zelkova, which translates IAM policies into equivalent logical statements, and runs a suite of general-purpose and specialized logical solvers (satisfiability modulo theories) against the problem. IAM Access Analyzer applies Zelkova repeatedly to a policy with increasingly specific queries to characterize classes of behaviors the policy allows, based on the content of the policy. To learn more about satisfiability modulo theories, see Satisfiability Modulo Theories.

For external access analyzers, IAM Access Analyzer does not examine access logs to determine whether an external entity accessed a resource within your zone of trust. It generates a finding when a resource-based policy allows access to a resource, even if the resource was never accessed by the external entity. IAM Access Analyzer also does not consider the state of any external accounts when making its determination. That is, if it indicates that account 111122223333 can access your Amazon S3 bucket, it knows nothing about the state of users, roles, service control policies (SCPs), and other relevant configurations in that account. This is for customer privacy – IAM Access Analyzer doesn't consider who owns the other account. It is also for security – if the account is not owned by the IAM Access Analyzer customer, it is still important to know that an external entity could gain access to their resources, even if there are currently no principals in that account that could access the resources.

IAM Access Analyzer considers only certain IAM condition keys that external users cannot directly influence, or that are otherwise impactful to authorization. For examples of condition keys IAM Access Analyzer considers, see IAM Access Analyzer filter keys.

IAM Access Analyzer does not currently report findings from AWS service principals or internal service accounts. In rare cases where IAM Access Analyzer isn't able to fully determine whether a policy statement grants access to an external entity, it errs on the side of declaring a false positive finding. IAM Access Analyzer is designed to provide a comprehensive view of the resource sharing in your account, and strives to minimize false negatives.
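The following Python toy is an added illustration of the approach described in this section; it is not code from AWS or from the Access Analyzer service. It translates each Allow statement of a resource-based policy into a predicate over an abstract caller (account id, organization id) and searches a small finite domain of callers for a witness outside the zone of trust; any witness becomes a finding, which is the same shape of question (is there a model that satisfies this formula?) that a satisfiability solver answers. It models only two condition keys, ignores every other condition, trusts only unconditional Deny statements and skips service principals, so, like the analyzer as described above, it leans toward false positives and never consults access logs or the external account's own state. The sample policy, the account and organization ids, the condition-key subset, the function names and the public/cross-account classification are all constructed for this example.

```python
import json

# Constructed inputs: the analyzer owner's account and organization (the zone of trust).
ZONE_OF_TRUST = {"123456789012"}
TRUSTED_ORG = "o-exampleorg"
# Condition keys this toy understands; assumption: a tiny subset of what the real analyzer considers.
MODELED_KEYS = {"aws:PrincipalAccount", "aws:PrincipalOrgID"}
UNKNOWN = "UNKNOWN-EXTERNAL"  # stands in for any account or org id the policy never names


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _account_of(value):
    """'111122223333' or 'arn:aws:iam::111122223333:root' -> '111122223333'."""
    return value.split(":")[4] if value.startswith("arn:") else value


def _aws_principals(stmt):
    """AWS (account/role) principals of a statement; Service and Federated principals are skipped."""
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def is_inside(caller):
    """A caller (account, org) is inside the zone of trust by account or by organization."""
    return caller[0] in ZONE_OF_TRUST or caller[1] == TRUSTED_ORG


def statement_matches(stmt, caller):
    """Statement predicate on one abstract caller. Conditions the toy does not model are
    treated as non-restricting, which can only add findings (false positives)."""
    account, org = caller
    aws = _aws_principals(stmt)
    if not aws or ("*" not in aws and account not in {_account_of(v) for v in aws}):
        return False
    for op, kv in stmt.get("Condition", {}).items():
        for key, values in kv.items():
            if op == "StringEquals" and key in MODELED_KEYS:
                actual = account if key == "aws:PrincipalAccount" else org
                if actual not in _as_list(values):
                    return False
    return True


def caller_domain(policy):
    """Finite set of abstract callers: every account and org id named by the policy or the
    zone of trust, plus one fresh UNKNOWN value for each, in all combinations."""
    accounts, orgs = set(ZONE_OF_TRUST) | {UNKNOWN}, {TRUSTED_ORG, UNKNOWN}
    for stmt in policy["Statement"]:
        accounts |= {_account_of(v) for v in _aws_principals(stmt) if v != "*"}
        for kv in stmt.get("Condition", {}).values():
            accounts |= set(_as_list(kv.get("aws:PrincipalAccount", [])))
            orgs |= set(_as_list(kv.get("aws:PrincipalOrgID", [])))
    return {(a, o) for a in accounts for o in orgs}


def external_access_findings(policy):
    """One finding per Allow statement that some caller outside the zone of trust satisfies.
    Only an unconditional Deny is trusted to block access; a Deny with a Condition is ignored."""
    denies = [s for s in policy["Statement"] if s.get("Effect") == "Deny" and "Condition" not in s]
    callers = caller_domain(policy)
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        witnesses = {c for c in callers if not is_inside(c) and statement_matches(stmt, c)
                     and not any(statement_matches(d, c) for d in denies)}
        if witnesses:
            accounts = sorted({a for a, _ in witnesses})
            public = UNKNOWN in accounts  # an account the policy never names gets in, so anyone does
            findings.append({"sid": stmt.get("Sid"), "access": "public" if public else "cross-account",
                             "principals": ["*"] if public else accounts})
    return findings


# Constructed sample bucket policy exercising each rule above.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CrossAccount", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
    {"Sid": "ServiceOnly", "Effect": "Allow", "Principal": {"Service": "logging.s3.amazonaws.com"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/logs/*"},
    {"Sid": "PublicTlsOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/public/*",
     "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
    {"Sid": "DeniedPartner", "Effect": "Allow", "Principal": {"AWS": "444455556666"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "BlockPartner", "Effect": "Deny", "Principal": {"AWS": "444455556666"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")
```

Running `external_access_findings(SAMPLE_POLICY)` reports two findings: `CrossAccount` as cross-account access for 111122223333, and `PublicTlsOnly` as public, because `aws:SecureTransport` is something an external caller controls and the toy, like the analyzer, does not let it narrow the result. `OrgOnly` produces nothing because every caller that satisfies it is inside the organization, `ServiceOnly` is skipped as a service principal, and `DeniedPartner` is cancelled by the unconditional `BlockPartner` deny. The toy has no idea whether account 111122223333 contains any principal that could actually use the grant, which is exactly the stance the text describes.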

Unused access

You must create an analyzer for unused access findings for your roles even if you’ve already created an analyzer to generate external access findings for your resources. After creating the analyzer, IAM Access Analyzer reviews access activity to identify unused access. IAM Access Analyzer reviews last accessed information for all roles, user access keys, and user passwords in your AWS organization and accounts to help you identify unused access. For active IAM roles and users, IAM Access Analyzer uses IAM service and action last accessed information to identify unused permissions. You can use unused access analyzers to scale your review process at the AWS organization and account level. You can use action last accessed information for deeper investigation of individual roles.
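As an added example, not code from AWS or the Access Analyzer service, the following Python sketch shows the two-level review the paragraph describes: whole roles, access keys and passwords that have not been used within a tracking period, and, for roles that are active, the individual services they never call. The last-accessed records, the 90-day period, the role and user names, the key ids and the finding-type labels are all constructed for this example; the real analyzer's tracking period, data shapes and finding types are its own.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the period after which access counts as unused. The real analyzer has its own
# tracking period; 90 days is only this example's placeholder.
TRACKING_PERIOD = timedelta(days=90)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time" so the run is repeatable


def _ts(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample in the shape of IAM last-accessed data; None means "never used".
ROLES = [
    {"name": "DeployRole", "last_used": _ts(2024, 5, 28),
     "services": {"s3": _ts(2024, 5, 28), "ec2": _ts(2024, 1, 10), "iam": None}},
    {"name": "LegacyBatchRole", "last_used": _ts(2023, 11, 2), "services": {"s3": _ts(2023, 11, 2)}},
    {"name": "NeverAssumedRole", "last_used": None, "services": {"lambda": None}},
]
ACCESS_KEYS = [
    {"user": "ci-bot", "key_id": "AKIAEXAMPLEKEY1", "last_used": _ts(2024, 5, 30)},
    {"user": "old-contractor", "key_id": "AKIAEXAMPLEKEY2", "last_used": None},
]
PASSWORDS = [  # only users that have a console password appear here
    {"user": "alice", "last_used": _ts(2024, 5, 15)},
    {"user": "bob", "last_used": None},
]


def is_unused(last_used, now=NOW, period=TRACKING_PERIOD):
    """Unused means never used, or last used longer ago than the tracking period."""
    return last_used is None or now - last_used > period


def unused_access_findings(roles, access_keys, passwords, now=NOW, period=TRACKING_PERIOD):
    """Whole-credential findings first; per-service (unused permission) findings only for
    roles that are themselves active. Finding-type labels are this example's own."""
    findings = []
    for role in roles:
        if is_unused(role["last_used"], now, period):
            findings.append(("UnusedRole", role["name"], None))
            continue  # the whole role is the finding; per-service detail adds nothing
        for service, ts in sorted(role["services"].items()):
            if is_unused(ts, now, period):
                findings.append(("UnusedPermission", role["name"], service))
    for key in access_keys:
        if is_unused(key["last_used"], now, period):
            findings.append(("UnusedAccessKey", key["user"], key["key_id"]))
    for pw in passwords:
        if is_unused(pw["last_used"], now, period):
            findings.append(("UnusedPassword", pw["user"], None))
    return findings
```

With the constructed data, `DeployRole` is active but yields two unused-permission findings (`ec2`, last used well over 90 days ago, and `iam`, never used), the two stale roles are reported as a whole, and the contractor's access key and bob's console password are flagged as unused credentials. The per-service step is the scalable first pass the paragraph describes; action-level last-accessed data, not modelled here, is what you would consult next for one role that looks suspicious.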

Summary dashboard

For both external and unused access, IAM Access Analyzer organizes the findings in a summary dashboard. For external access, the summary dashboard highlights the split between public and cross-account access findings, and provides a breakdown of findings by resource type. For unused access, the dashboard highlights the AWS accounts that have the most findings and provides a breakdown of findings by type. After you create an analyzer for external or unused access, IAM Access Analyzer automatically adds new findings to the dashboard, focused on roles with unused permissions.