Findings for external and unused access - AWS Identity and Access Management

Findings for external and unused access

IAM Access Analyzer generates findings for external access and unused access in your AWS account or organization. For external access, IAM Access Analyzer generates a finding for each instance of a resource-based policy that grants access to a resource within your zone of trust to a principal that is not within your zone of trust. When you create an external access analyzer, you choose an organization or AWS account to analyze. Any principal in the organization or account that you choose for the analyzer is considered trusted. Because principals in the same organization or account are trusted, the resources and principals within the organization or account comprise the zone of trust for the analyzer. Any sharing that is within the zone of trust is considered safe, so IAM Access Analyzer does not generate a finding. For example, if you select an organization as the zone of trust for an analyzer, all resources and principals in the organization are within the zone of trust. If you grant permissions to an Amazon S3 bucket in one of your organization member accounts to a principal in another organization member account, IAM Access Analyzer does not generate a finding. But if you grant permission to a principal in an account that is not a member of the organization, IAM Access Analyzer generates a finding.

IAM Access Analyzer also generates findings for unused access granted in your AWS organization and accounts. When you create an unused access analyzer, IAM Access Analyzer continuously monitors all IAM roles and users in your AWS organization and accounts and generates findings for unused access. IAM Access Analyzer generates the following types of findings for unused access:

  • Unused roles – Roles with no access activity within the specified usage window.

  • Unused IAM user access keys and passwords – Credentials belonging to IAM users that enable them to access your AWS account.

  • Unused permissions – Service-level and action-level permissions that weren't used by a role within the specified usage window. IAM Access Analyzer uses identity-based policies attached to roles to determine the services and actions that those roles can access. IAM Access Analyzer supports review of unused permissions for all service-level permissions. For a complete list of action-level permissions that are supported for unused access findings, see IAM action last accessed information services and actions.


IAM Access Analyzer offers external access findings for free and charges for unused access findings based on the number of IAM roles and users analyzed per analyzer per month. For more details about pricing, see IAM Access Analyzer pricing.