Resolve IAM Access Analyzer findings
Resolving external access findings
To resolve external access findings generated from unintended access, you should modify the policy statement to remove the permissions that allow access to the identified resource.
For findings related to Amazon S3 buckets, use the Amazon S3 console to configure the permissions on the bucket.
For IAM roles, use the IAM console to modify the trust policy for the listed IAM role.
For other supported resources, use the console to modify the policy statements that resulted in a generated finding.
After making a change to resolve an external access finding, such as modifying a policy applied to an IAM role, IAM Access Analyzer will scan the resource again. If the resource is no longer shared outside of your zone of trust, the status of the finding is changed to Resolved. The finding will then be displayed in the resolved findings list instead of the active findings list.
Note
This does not apply to Error findings. When IAM Access Analyzer is not able to analyze a resource, it will generate an error finding. If you resolve the issue that prevented IAM Access Analyzer from analyzing the resource, the error finding will be removed completely instead of changing to a resolved finding.
If the changes you made resulted in the resource being shared outside of your zone of trust, but in a different way, such as with a different principal or for a different permission, IAM Access Analyzer will generate a new Active finding.
Note
It may take up to 30 minutes after a policy is modified for IAM Access Analyzer to again analyze the resource and then update the finding. Resolved findings are deleted 90 days after the last update to the finding status.
Resolving unused access findings
IAM Access Analyzer provides recommended steps to resolve unused access analyzer findings based on the type of finding.
After you make a change to resolve an unused access finding, the status of the finding is changed to Resolved the next time the unused access analyzer runs. The finding is no longer displayed in the active findings list and instead is displayed in the resolved findings list. If you make a change that only partially addresses an unused access finding, the existing finding is changed to Resolved but a new finding is generated. For example, if you remove only some of the unused permissions in a finding, but not all of them.
IAM Access Analyzer charges for unused access analysis based on the number of IAM roles
and users analyzed per month. For more details about pricing, see IAM Access Analyzer
pricing
Resolving unused permission findings
For unused permission findings, IAM Access Analyzer can recommend policies to remove from an IAM user or role and provide new policies to replace existing permissions policies. Policy recommendation is not supported for the following scenarios:
-
The unused permission finding is for an IAM user that is in a user group.
-
The unused permission finding is for an IAM role for IAM Identity Center.
-
The unused permission finding has an existing permissions policy that includes the
notAction
element.
-
Open the IAM console at https://console.aws.amazon.com/iam/
. -
Choose Unused access.
-
Choose a finding with the Finding type of Unused permissions.
-
In the Recommendations section, if there are policies listed in the Recommended policy column, choose Preview policy to view the existing policy with the recommended policy to replace the existing policy. If there are mutliple recommended policies, you can choose Next policy and Previous policy to view each existing and recommended policy.
-
Choose Download JSON to download a .zip file with JSON files of all the recommended policies.
-
Create and attach the recommended policies to the IAM user or role. For more information, see Changing permissions for a user (console) and Modifying a role permissions policy (console).
-
Remove the policies listed in the Existing permissions policy column from the IAM user or role. For more information, see Removing a permissions from a user (console) and Modifying a role permissions policy (console).
Resolving unused role findings
For unused role findings, IAM Access Analyzer recommends deleting the unused IAM role.
-
Open the IAM console at https://console.aws.amazon.com/iam/
. -
Choose Unused access.
-
Choose a finding with the Finding type of Unused role.
-
In the Recommendations section, review the details of the IAM role.
-
Delete the IAM role. For more information, see Deleting an IAM role (console).
Resolving unused access key findings
For unused access key findings, IAM Access Analyzer recommends deactivating or deleting the unused access key.
-
Open the IAM console at https://console.aws.amazon.com/iam/
. -
Choose Unused access.
-
Choose a finding with the Finding type of Unused access keys.
-
In the Recommendations section, review the details of the access key.
-
Deactivate or delete the access key. For more information, see Managing access keys (console).
Resolving unused password findings
For unused password findings, IAM Access Analyzer recommends deleting the unused password for the IAM user.
-
Open the IAM console at https://console.aws.amazon.com/iam/
. -
Choose Unused access.
-
Choose a finding with the Finding type of Unused password.
-
In the Recommendations section, review the details of the IAM user.
-
Delete the password for the IAM user. For more information, see Creating, changing, or deleting an IAM user password (console).