Reviewing findings - AWS Identity and Access Management

Reviewing findings

After you enable Access Analyzer, the next step is to review any findings to determine whether the access identified in the finding is intentional or unintentional. You can also review findings to determine common findings for access that is intended, and then create an archive rule to automatically archive those findings. You can also review archived and resolved findings.

To review findings

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Access analyzer.

Note

Findings are displayed only if you have permission to view findings for the analyzer.

All Active findings are displayed for the analyzer. To view other findings generated by the analyzer, choose the appropriate tab:

  • Choose Active to view all active findings that were generated by the analyzer.

  • Choose Archived to view only findings generated by the analyzer that have been archived. To learn more, see Archiving findings.

  • Choose Resolved to view only findings that were generated by the analyzer that have been resolved. When you remediate the issue that generated the finding, the finding status is changed to Resolved.

    Important

    Resolved findings are deleted 90 days after the last update to the finding. Active and archived findings are not deleted unless you delete the analyzer that generated them.

  • Choose All to view all findings with any status that were generated by the analyzer.

The Findings page displays the following details about the shared resource and policy statement that generated the finding:

Finding ID

The unique ID assigned to the finding. Choose the finding ID to display additional details about the resource and policy statement that generated the finding.

Resource

The type and partial name of the resource that has a policy applied to it that grants access to an external entity not within your zone of trust.

Resource owner account

This column is displayed only if you are using an organization as the zone of trust. The account in the organization that owns the resource reported in the finding.

External principal

The principal, not within your zone of trust, that the analyzed policy grants access to. Valid values include:

  • AWS account – All principals in the listed AWS account with permissions from that account's administrator can access the resource.

  • Any principal – All principals in any AWS account that meet the conditions included in the Conditions column have permission to access the resource. For example, if a VPC is listed, it means that any principal in any account that has permission to access the listed VPC can access the resource.

  • Canonical user – All principals in the AWS account with the listed canonical user ID have permission to access the resource.

  • IAM role – The listed IAM role has permission to access the resource.

  • IAM user – The listed IAM user has permission to access the resource.

Condition

The condition from the policy statement that grants the access. For example, if the Condition field includes Source VPC, it means that the resource is shared with a principal that has access to the VPC listed. Conditions can be global or service-specific. Global condition keys have the aws: prefix.

Shared through

The Shared through field indicates how the access that generated the finding is granted. Valid values include:

  • Bucket policy – The bucket policy attached to the Amazon S3 bucket.

  • Access control list – The access control list (ACL) attached to the Amazon S3 bucket.

  • Access point – An access point or multi-region access point associated with the Amazon S3 bucket. The ARN of the access point is displayed in the Findings details.

Access level

The level of access granted to the external entity by the actions in the resource-based policy. View the details of the finding for more information. Access level values include the following:

  • List – Permission to list resources within the service to determine whether an object exists. Actions with this level of access can list objects but cannot see the contents of a resource.

  • Read – Permission to read but not edit the contents and attributes of resources in the service.

  • Write – Permission to create, delete, or modify resources in the service.

  • Permissions – Permission to grant or modify resource permissions in the service.

  • Tagging – Permission to perform actions that only change the state of resource tags.

Updated

A timestamp for the most recent update to the finding status, or the time and date the finding was generated if no updates have been made.

Note

It may take up to 30 minutes after a policy is modified for Access Analyzer to again analyze the resource and then update the finding.

Status

The status of the finding, one of Active, Archived, or Resolved.