Create an IAM Access Analyzer external access analyzer

To enable an external access analyzer in a Region, you must create an analyzer in that Region. You must create an external access analyzer in each Region in which you want to monitor access to your resources.

Create an external access analyzer with the AWS account as the zone of trust

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Under Access analyzer, choose Analyzer settings.

  3. Choose Create analyzer.

  4. In the Analysis section, choose External access analysis.

  5. In the Analyzer details section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

  6. Enter a name for the analyzer.

  7. Choose Current AWS account as the zone of trust for the analyzer.

    Note

    If your account is not the AWS Organizations management account or delegated administrator account, you can create only one analyzer with your account as the zone of trust.

  8. Optional. Add any tags that you want to apply to the analyzer.

  9. Choose Submit.

When you create an external access analyzer to enable IAM Access Analyzer, a service-linked role named AWSServiceRoleForAccessAnalyzer is created in your account.

Create an external access analyzer with the organization as the zone of trust

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Access analyzer.

  3. Choose Analyzer settings.

  4. Choose Create analyzer.

  5. In the Analysis section, choose External access analysis.

  6. In the Analyzer details section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

  7. Enter a name for the analyzer.

  8. Choose Current organization as the zone of trust for the analyzer.

  9. Optional. Add any tags that you want to apply to the analyzer.

  10. Choose Submit.

When you create an external access analyzer with the organization as the zone of trust, a service-linked role named AWSServiceRoleForAccessAnalyzer is created in each account of your organization.
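
Because an analyzer only covers the Region it was created in, it is worth checking coverage after working through either procedure. The following is an added example, not code from the AWS documentation: it reports which Regions you care about have no ACTIVE external access analyzer for the chosen zone of trust. The function names, the Region list and the sample listings are assumptions constructed for illustration; `fetch_listings` assumes boto3 and credentials are available and is only needed for live use.

```python
# Zone-of-trust values used by the Access Analyzer API for external access
# analyzers: ACCOUNT (current account) or ORGANIZATION (current organization).
EXTERNAL_TYPES = {"ACCOUNT", "ORGANIZATION"}

def regions_missing_analyzer(required_regions, listings, zone_of_trust="ACCOUNT"):
    """Return the required Regions that lack an ACTIVE external access analyzer.

    listings maps Region name -> parsed list-analyzers response for that Region.
    A Region with no listing, only unused-access analyzers, or an analyzer
    that is not ACTIVE counts as uncovered.
    """
    if zone_of_trust not in EXTERNAL_TYPES:
        raise ValueError(f"not an external access analyzer type: {zone_of_trust}")
    missing = []
    for region in required_regions:
        analyzers = listings.get(region, {}).get("analyzers", [])
        covered = any(
            a.get("type") == zone_of_trust and a.get("status") == "ACTIVE"
            for a in analyzers
        )
        if not covered:
            missing.append(region)
    return missing

def fetch_listings(regions):
    """Live collection (assumption: boto3 installed, credentials configured)."""
    import boto3  # imported here so the check above runs without boto3
    listings = {}
    for region in regions:
        client = boto3.client("accessanalyzer", region_name=region)
        pages = client.get_paginator("list_analyzers").paginate()
        listings[region] = {"analyzers": [a for p in pages for a in p["analyzers"]]}
    return listings

# Constructed sample data (not real account output).
SAMPLE_REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-2", "us-west-2"]
SAMPLE_LISTINGS = {
    "us-east-1": {"analyzers": [
        {"name": "example-external", "type": "ACCOUNT", "status": "ACTIVE"}]},
    "eu-west-1": {"analyzers": [
        {"name": "example-unused", "type": "ACCOUNT_UNUSED_ACCESS", "status": "ACTIVE"}]},
    "ap-southeast-2": {"analyzers": [
        {"name": "example-external", "type": "ACCOUNT", "status": "FAILED"}]},
    # us-west-2: no analyzer was ever created there
}

if __name__ == "__main__":
    for region in regions_missing_analyzer(SAMPLE_REGIONS, SAMPLE_LISTINGS):
        print(f"no ACTIVE external access analyzer in {region}")
```

For a live check, pass `fetch_listings(your_regions)` as the `listings` argument, and use `zone_of_trust="ORGANIZATION"` when running from the management or delegated administrator account.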
