Manage an IAM Access Analyzer internal access analyzer - AWS Identity and Access Management

Manage an IAM Access Analyzer internal access analyzer

Internal access analyzers are Regional. To enable one in a Region, you must create an analyzer in that Region, and you must create a separate internal access analyzer in each Region in which you want to monitor access to your resources.

Note

After you create or update an analyzer, it can take time for findings to be available.

Update an internal access analyzer

Use the following procedure to update an internal access analyzer.

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Under Access analyzer, choose Analyzer settings.

  3. In the Analyzers section, choose the name of the internal access analyzer to manage.

  4. On the Archive rules tab, you can create, edit, or delete archive rules for the analyzer. For more information, see Archive rules.

  5. On the Tags tab, you can manage and create tags for the analyzer. For more information, see Tags for AWS Identity and Access Management resources.

  6. On the Resources tab, choose Edit in the Resources to analyze section.

    1. To add resources by account, choose Add resources > Add resources from selected accounts.

      1. Choose All supported resource types or choose Define specific resource types and select the resource types from the Resource type list.

        Internal access analyzers support the following resource types:

      2. Choose Add resources.

    2. To add resources by Amazon Resource Name (ARN), choose Add resources > Add resources by pasting in resource ARN.

      1. For each resource ARN, enter the account owner ID and the resource ARN separated by a comma. Enter one account owner ID and resource ARN per line.

      2. Choose Add resources.

    3. To add resources by a CSV file, choose Add resources > Add resources by uploading a CSV.

      You can use AWS Resource Explorer to search for resources in your accounts and export a CSV file. Then you can upload the CSV file to configure the resources for the analyzer to monitor.

      1. Choose Choose file and select the CSV file from your computer.

      2. Choose Add resources.

    4. To remove resources from the analyzer, select the check box next to the resources to remove and choose Remove.

    5. Choose Save changes.
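As an added example (not AWS documentation or AWS code), the following Python validates the "account owner ID, resource ARN" lines from step 2 before they are pasted into the console or passed to the API. It rejects malformed owner IDs and ARNs, flags an ARN whose embedded account ID differs from the stated owner, and groups the result into the nested `internalAccess` / `analysisRule` / `inclusions` shape; that key layout and the `update_analyzer` mapping are assumptions, as is the constructed sample input.

```python
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# arn:partition:service:region:account-id:resource (region and account may be empty, e.g. S3)
ARN_RE = re.compile(r"^arn:([a-z-]+):([a-z0-9-]+):([a-z0-9-]*):(\d{12})?:(.+)$")


def parse_resource_lines(text):
    """Parse 'account-owner-id,resource-arn' lines (one pair per line).

    Returns {account_id: [arn, ...]}. Raises ValueError for a line that is not
    a comma-separated pair, an owner ID that is not 12 digits, a malformed ARN,
    or an ARN that embeds a different account ID than the stated owner.
    """
    grouped = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # tolerate blank lines in pasted input
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'account-id,arn'")
        account_id, arn = parts
        if not ACCOUNT_ID_RE.match(account_id):
            raise ValueError(f"line {lineno}: owner ID must be 12 digits")
        m = ARN_RE.match(arn)
        if not m:
            raise ValueError(f"line {lineno}: malformed ARN {arn!r}")
        if m.group(4) and m.group(4) != account_id:
            raise ValueError(f"line {lineno}: ARN account {m.group(4)} differs from owner {account_id}")
        arns = grouped.setdefault(account_id, [])
        if arn not in arns:  # drop duplicate lines silently
            arns.append(arn)
    return grouped


def build_internal_access_configuration(grouped):
    """Shape grouped ARNs as one inclusion per account. Assumed to match the
    'configuration' argument of boto3 accessanalyzer.update_analyzer."""
    inclusions = [{"accountIds": [acct], "resourceArns": arns}
                  for acct, arns in sorted(grouped.items())]
    return {"internalAccess": {"analysisRule": {"inclusions": inclusions}}}


# Constructed sample input in the console paste format (not real resources)
SAMPLE = """\
111111111111, arn:aws:s3:::example-bucket
111111111111, arn:aws:dynamodb:us-east-1:111111111111:table/Orders
222222222222,arn:aws:kms:us-east-1:222222222222:key/00000000-0000-0000-0000-000000000000
"""

if __name__ == "__main__":
    print(build_internal_access_configuration(parse_resource_lines(SAMPLE)))
```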

Note

Any updates to the analyzer will be evaluated at the next automatic rescan within 24 hours.

Delete an internal access analyzer

Use the following procedure to delete an internal access analyzer. When you delete an analyzer, the resources are no longer monitored and no new findings are generated. All findings that were generated by the analyzer are deleted.

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Under Access analyzer, choose Analyzer settings.

  3. In the Analyzers section, choose the name of the internal access analyzer to delete.

  4. Choose Delete analyzer.

  5. Enter delete and choose Delete to confirm deleting the analyzer.