Findings for public and cross-account access
IAM Access Analyzer generates a finding for each instance of a resource-based policy that grants access to a resource within your zone of trust to a principal that is not within your zone of trust. When you create an analyzer, you choose an organization or AWS account to analyze. Any principal in the organization or account that you choose for the analyzer is considered trusted. Because principals in the same organization or account are trusted, the resources and principals within the organization or account comprise the zone of trust for the analyzer. Any sharing that is within the zone of trust is considered safe, so IAM Access Analyzer does not generate a finding. For example, if you select an organization as the zone of trust for an analyzer, all resources and principals in the organization are within the zone of trust. If you grant permissions to an S3 bucket in one of your organization member accounts to a principal in another organization member account, IAM Access Analyzer does not generate a finding. But if you grant permission to a principal in an account that is not a member of the organization, IAM Access Analyzer generates a finding.
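To make the zone-of-trust idea concrete, here is an added Python illustration (not IAM Access Analyzer's own implementation, which reasons about the complete policy) that classifies the principals in a constructed S3 bucket policy: principals whose account belongs to the analyzer's organization, or statements scoped to that organization with `aws:PrincipalOrgID`, are inside the zone of trust; anything else, including a wildcard principal, is reported as a finding. The account IDs, organization ID and bucket name are placeholder values.

```python
"""Toy zone-of-trust check for a resource-based policy (added illustration, not Access
Analyzer's own logic): it inspects only each Allow statement's Principal element and its
aws:PrincipalOrgID condition. Account IDs, org ID and bucket name are constructed values."""
from typing import List, Optional, Set

def principal_account(principal: str) -> Optional[str]:
    """Account ID behind an AWS principal string; None for '*' (anonymous/public)."""
    if principal.startswith("arn:"):
        return principal.split(":")[4] or None  # arn:partition:service:region:account:resource
    return principal if principal.isdigit() and len(principal) == 12 else None

def external_access(policy: dict, trusted_accounts: Set[str],
                    trusted_org_id: Optional[str] = None) -> List[dict]:
    """One record per Allow-statement principal that is outside the zone of trust."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if trusted_org_id and cond.get("aws:PrincipalOrgID") == trusted_org_id:
            continue  # scoped to the trusted organization: inside the zone of trust
        principal = stmt.get("Principal", {})
        aws = principal if principal == "*" else principal.get("AWS", [])  # service principals skipped
        for p in [aws] if isinstance(aws, str) else aws:
            if principal_account(p) not in trusted_accounts:  # None (public) is never trusted
                findings.append({"sid": stmt.get("Sid"), "principal": p, "action": stmt.get("Action")})
    return findings

# Constructed sample: bucket policy on a bucket owned by trusted account 111111111111.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SameOrgAccount", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OrgScopedWildcard", "Effect": "Allow", "Action": "s3:ListBucket", "Principal": "*",
     "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholderorg"}}},
    {"Sid": "PartnerAccount", "Effect": "Allow", "Action": "s3:PutObject",
     "Principal": {"AWS": ["arn:aws:iam::999999999999:role/PartnerRole"]}, "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "*"}, "Resource": "arn:aws:s3:::example-bucket/*"},
]}
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # the analyzer's organization members

if __name__ == "__main__":
    for f in external_access(SAMPLE_POLICY, TRUSTED_ACCOUNTS, "o-placeholderorg"):
        print(f"finding: statement {f['sid']} grants {f['action']} to {f['principal']}")
```

With the organization trusted, only the partner-account role and the public statement are reported; pass no organization ID and the org-scoped wildcard statement is reported as well, matching an account-level analyzer.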
Topics
- How IAM Access Analyzer findings work
- Getting started with AWS Identity and Access Management Access Analyzer findings
- Working with findings
- Reviewing findings
- Filtering findings
- Archiving findings
- Resolving findings
- IAM Access Analyzer resource types
- Settings for IAM Access Analyzer
- Archive rules
- Monitoring AWS Identity and Access Management Access Analyzer with Amazon EventBridge
- Integration with AWS Security Hub
- Logging IAM Access Analyzer API calls with AWS CloudTrail
- IAM Access Analyzer filter keys
- Using service-linked roles for AWS Identity and Access Management Access Analyzer