Resolving findings - AWS Identity and Access Management

Resolving findings

External access findings

To resolve external access findings generated from access that you did not intend to allow, modify the policy statement to remove the permissions that allow access to the identified resource. For example, for findings on Amazon S3 buckets, use the Amazon S3 console to configure the permissions on the bucket. For IAM roles, use the IAM console to modify the trust policy for the listed IAM role. Use the console for the other supported resources to modify the policy statements that resulted in a generated finding.

After you make a change to resolve an external access finding, such as modifying a policy applied to an IAM role, IAM Access Analyzer scans the resource again. If the resource is no longer shared outside of your zone of trust, the status of the finding is changed to Resolved. The finding is no longer displayed in the active findings list, and instead is displayed in the resolved findings list.

Note

This does not apply to Error findings. When IAM Access Analyzer is not able to analyze a resource, it generates an error finding. If you resolve the issue that prevented IAM Access Analyzer from analyzing the resource, the error finding is removed completely rather than changing to a resolved finding.

If the changes you made resulted in the resource being shared outside of your zone of trust, but in a different way, such as with a different principal or for a different permission, IAM Access Analyzer generates a new Active finding.

Note

It may take up to 30 minutes after a policy is modified for IAM Access Analyzer to again analyze the resource and then update the finding. Resolved findings are deleted 90 days after the last update to the finding status.

Unused access findings

To resolve unused access findings, use the IAM console to remove the unused access key, password, permission, or role. For more information, see the following resources:

After you make a change to resolve an unused access finding, the status of the finding is changed to Resolved the next time the unused access analyzer runs. The finding is no longer displayed in the active findings list, and instead is displayed in the resolved findings list. If you make a change that only partially addresses an unused access finding, the existing finding is changed to Resolved but a new finding is generated. For example, you remove only some of the unused permissions in a finding, but not all of them.

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month. For more details about pricing, see IAM Access Analyzer pricing.