Getting started with AWS Identity and Access Management Access Analyzer findings

Use the information in this topic to learn about the requirements necessary to use and manage AWS Identity and Access Management Access Analyzer, and then how to enable IAM Access Analyzer. To learn more about the service-linked role for IAM Access Analyzer, see Using service-linked roles for AWS Identity and Access Management Access Analyzer.

Permissions required to use IAM Access Analyzer

To successfully configure and use IAM Access Analyzer, the account you use must be granted the required permissions.

AWS managed policies for IAM Access Analyzer

AWS Identity and Access Management Access Analyzer provides AWS managed policies to help you get started quickly.

  • IAMAccessAnalyzerFullAccess - Allows full access to IAM Access Analyzer for administrators. This policy also allows creating the service-linked roles that are required to allow IAM Access Analyzer to analyze resources in your account or AWS organization.

  • IAMAccessAnalyzerReadOnlyAccess - Allows read-only access to IAM Access Analyzer. You must add additional policies to your IAM identities (users, groups of users, or roles) to allow them to view their findings.

Resources defined by IAM Access Analyzer

To view the resources defined by IAM Access Analyzer, see Resource types defined by IAM Access Analyzer in the Service Authorization Reference.

Required IAM Access Analyzer service permissions

IAM Access Analyzer uses a service-linked role (SLR) named AWSServiceRoleForAccessAnalyzer. This SLR grants the service read-only access to analyze AWS resources with resource-based policies and analyze unused access on your behalf. The service creates the role in your account in the following scenarios:

  • You create an external access analyzer with your account as the zone of trust.

  • You create an unused access analyzer with your account as the selected account.

For more information, see Using service-linked roles for AWS Identity and Access Management Access Analyzer.

Note

IAM Access Analyzer is Regional. For external access, you must enable IAM Access Analyzer in each Region independently.

For unused access, findings for the analyzer do not change based on Region. Creating an analyzer in each Region where you have resources is not required.

In some cases, after you create an external access or unused access analyzer in IAM Access Analyzer, the Findings page or dashboard loads with no findings or summary. This might be due to a delay in the console for populating your findings. You might need to manually refresh the browser or check back later to view your findings or summary. If you still don't see any findings for an external access analyzer, it's because you have no supported resources in your account that can be accessed by an external entity. If a policy that grants access to an external entity is applied to a resource, IAM Access Analyzer generates a finding.

Note

For external access analyzers, it may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource and then either generate a new external access finding or update an existing finding for the access to the resource. For both external and unused access analyzers, updates for findings might not be reflected in the dashboard immediately.

Required IAM Access Analyzer permissions to view the findings dashboard

To view the IAM Access Analyzer findings dashboard, the account you use must be granted access to perform the following required actions:

To view all of the actions defined by IAM Access Analyzer, see Actions defined by IAM Access Analyzer in the Service Authorization Reference.

Enabling IAM Access Analyzer

To create an external access analyzer with the AWS account as the zone of trust

To enable an external access analyzer in a Region, you must create an analyzer in that Region. You must create an external access analyzer in each Region in which you want to monitor access to your resources.

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Access analyzer.

  3. Choose Analyzer settings.

  4. Choose Create analyzer.

  5. In the Analysis section, choose External access analysis.

  6. In the Analyzer details section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

  7. Enter a name for the analyzer.

  8. Choose Current AWS account as the zone of trust for the analyzer.

    Note

    If your account is not the AWS Organizations management account or delegated administrator account, you can create only one analyzer with your account as the zone of trust.

  9. Optional. Add any tags that you want to apply to the analyzer.

  10. Choose Submit.

When you create an external access analyzer to enable IAM Access Analyzer, a service-linked role named AWSServiceRoleForAccessAnalyzer is created in your account.

To create an external access analyzer with the organization as the zone of trust

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Access analyzer.

  3. Choose Analyzer settings.

  4. Choose Create analyzer.

  5. In the Analysis section, choose External access analysis.

  6. In the Analyzer details section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

  7. Enter a name for the analyzer.

  8. Choose Current organization as the zone of trust for the analyzer.

  9. Optional. Add any tags that you want to apply to the analyzer.

  10. Choose Submit.

When you create an external access analyzer with the organization as the zone of trust, a service-linked role named AWSServiceRoleForAccessAnalyzer is created in each account of your organization.

To create an unused access analyzer for the current account

Use the following procedure to create an unused access analyzer for a single AWS account. For unused access, findings for the analyzer do not change based on Region. Creating an analyzer in each Region where you have resources is not required.

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month per analyzer. For more details about pricing, see IAM Access Analyzer pricing.

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Access analyzer.

  3. Choose Analyzer settings.

  4. Choose Create analyzer.

  5. In the Analysis section, choose Unused access analysis.

  6. Enter a name for the analyzer.

  7. For Tracking period, enter the number of days for which to generate findings for unused permissions. For example, if you enter 90 days, the analyzer will generate findings for IAM entities within the selected account for any permissions that haven't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 180 days.

  8. For Selected accounts, choose Current AWS account.

    Note

    If your account is not the AWS Organizations management account or delegated administrator account, you can create only one analyzer with your account as the selected account.

  9. Optional. Add any tags that you want to apply to the analyzer.

  10. Choose Submit.

When you create an unused access analyzer to enable IAM Access Analyzer, a service-linked role named AWSServiceRoleForAccessAnalyzer is created in your account.

To create an unused access analyzer with the current organization

Use the following procedure to create an unused access analyzer for an organization to centrally review all AWS accounts in an organization. For unused access analysis, findings for the analyzer do not change based on Region. Creating an analyzer in each Region where you have resources is not required.

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month per analyzer. For more details about pricing, see IAM Access Analyzer pricing.

Note

If a member account is removed from the organization, the unused access analyzer will stop generating new findings and updating existing findings for that account after 24 hours. Findings associated with the member account that is removed from the organization will be removed permanently after 90 days.

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Access analyzer.

  3. Choose Analyzer settings.

  4. Choose Create analyzer.

  5. In the Analysis section, choose Unused access analysis.

  6. Enter a name for the analyzer.

  7. For Tracking period, enter the number of days for which to generate findings for unused permissions. For example, if you enter 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any permissions that haven't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 180 days.

  8. For Selected accounts, choose Current organization as the selected accounts for the analyzer.

  9. Optional. Add any tags that you want to apply to the analyzer.

  10. Choose Submit.

When you create an unused access analyzer to enable IAM Access Analyzer, a service-linked role named AWSServiceRoleForAccessAnalyzer is created in your account.

IAM Access Analyzer status

To view the status of your analyzers, choose Analyzers. Analyzers created for an organization or account can have one of the following statuses:

  • Active - For external access analyzers, the analyzer is actively monitoring resources within its zone of trust; it generates new findings and updates existing findings. For unused access analyzers, the analyzer is actively monitoring unused access within the selected organization or AWS account for the specified tracking period; it likewise generates new findings and updates existing findings.

  • Creating - The creation of the analyzer is still in progress. The analyzer becomes active once creation is complete.

  • Disabled - The analyzer is disabled because of an action taken by the AWS Organizations administrator, for example removing the analyzer's account as the delegated administrator for IAM Access Analyzer. While the analyzer is disabled, it does not generate new findings or update existing findings.

  • Failed - The creation of the analyzer failed because of a configuration issue. The analyzer won't generate any findings. Delete the analyzer and create a new one.
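The four console procedures above and the status table map directly onto the IAM Access Analyzer API. The following Python example is added here and is not AWS's own code or part of this documentation: it builds the CreateAnalyzer request for each console choice (external or unused access analysis, account or organization scope, the 1-180 day tracking period, optional tags), picks the Regions an analyzer is needed in (one per Region for external access, one in total for unused access), and polls GetAnalyzer until the analyzer leaves the Creating state, treating Failed and Disabled as described in the status table. It assumes the boto3 `accessanalyzer` client's parameter names (`analyzerName`, `type`, `configuration.unusedAccess.unusedAccessAge`, `tags`) and the `AnalyzerType` and status values; `FakeAccessAnalyzerClient` is a constructed stand-in with a placeholder account ID so the flow runs offline without credentials, and the regions and names used are constructed sample values.

```python
import time
from typing import Callable, Dict, List, Mapping, Optional, Tuple

# Console choice (analysis kind, scope) -> API AnalyzerType value.
ANALYZER_TYPES: Dict[Tuple[str, str], str] = {
    ("external", "account"): "ACCOUNT",
    ("external", "organization"): "ORGANIZATION",
    ("unused", "account"): "ACCOUNT_UNUSED_ACCESS",
    ("unused", "organization"): "ORGANIZATION_UNUSED_ACCESS",
}

MIN_TRACKING_DAYS, MAX_TRACKING_DAYS = 1, 180  # console limits for the tracking period


def tracking_period_is_valid(days: int) -> bool:
    """True when the tracking period is within the 1-180 day range the console accepts."""
    return isinstance(days, int) and MIN_TRACKING_DAYS <= days <= MAX_TRACKING_DAYS


def regions_to_enable(analysis: str, regions: List[str]) -> List[str]:
    """External access analysis is Regional, so every Region needs its own analyzer;
    unused access findings do not depend on Region, so a single analyzer is enough."""
    if analysis == "external":
        return list(regions)
    return regions[:1]


def build_create_analyzer_request(
    name: str,
    analysis: str,               # "external" or "unused"
    scope: str,                  # "account" (current account) or "organization"
    tracking_days: Optional[int] = None,
    tags: Optional[Mapping[str, str]] = None,
) -> dict:
    """Build the keyword arguments for client.create_analyzer(**request)."""
    try:
        analyzer_type = ANALYZER_TYPES[(analysis, scope)]
    except KeyError:
        raise ValueError(f"unsupported combination: analysis={analysis!r}, scope={scope!r}")
    request: dict = {"analyzerName": name, "type": analyzer_type}
    if analysis == "unused":
        if tracking_days is None or not tracking_period_is_valid(tracking_days):
            raise ValueError("unused access analysis needs a tracking period of 1-180 days")
        request["configuration"] = {"unusedAccess": {"unusedAccessAge": tracking_days}}
    elif tracking_days is not None:
        raise ValueError("a tracking period only applies to unused access analysis")
    if tags:
        request["tags"] = dict(tags)
    return request


def create_and_wait(client, request: dict, attempts: int = 30, delay: float = 2.0,
                    sleep: Callable[[float], None] = time.sleep) -> Tuple[str, str]:
    """Create the analyzer, then poll GetAnalyzer until it is no longer CREATING.

    ACTIVE is success. FAILED means a configuration issue (delete the analyzer and
    create a new one). DISABLED means an Organizations administrator action stopped it.
    """
    arn = client.create_analyzer(**request)["arn"]
    for _ in range(attempts):
        status = client.get_analyzer(analyzerName=request["analyzerName"])["analyzer"]["status"]
        if status == "ACTIVE":
            return arn, status
        if status in ("FAILED", "DISABLED"):
            raise RuntimeError(f"analyzer {arn} ended in status {status}")
        sleep(delay)  # still CREATING
    raise TimeoutError(f"analyzer {arn} did not become ACTIVE after {attempts} checks")


class FakeAccessAnalyzerClient:
    """Constructed stand-in for boto3.client('accessanalyzer'); replays a status sequence."""

    def __init__(self, statuses: List[str]):
        self._statuses = list(statuses)
        self.requests: List[dict] = []

    def create_analyzer(self, **request):
        self.requests.append(request)
        # Placeholder account ID and Region; a real response carries your account's ARN.
        return {"arn": f"arn:aws:access-analyzer:us-east-1:123456789012:analyzer/{request['analyzerName']}"}

    def get_analyzer(self, analyzerName: str):
        status = self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]
        return {"analyzer": {"name": analyzerName, "status": status}}


if __name__ == "__main__":
    client = FakeAccessAnalyzerClient(["CREATING", "CREATING", "ACTIVE"])
    # Real run: import boto3; client = boto3.client("accessanalyzer", region_name=region)
    for region in regions_to_enable("external", ["us-east-1", "eu-west-1"]):
        req = build_create_analyzer_request(f"external-{region}", "external", "account")
        print(region, create_and_wait(client, req, sleep=lambda _s: None))
    req = build_create_analyzer_request("unused-org", "unused", "organization",
                                        tracking_days=90, tags={"owner": "security"})
    print(create_and_wait(client, req, sleep=lambda _s: None))
```

Against a real account, one `boto3.client("accessanalyzer", region_name=...)` is needed per Region returned by `regions_to_enable` for external access analysis, and the caller needs the permissions granted by `IAMAccessAnalyzerFullAccess` so that the `AWSServiceRoleForAccessAnalyzer` service-linked role can be created on the first analyzer.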