Amazon IAM Access Analyzer features
Overview
IAM Access Analyzer guides you toward least privilege by providing tools to set, verify, and refine permissions. As a comprehensive permissions analysis and policy validation tool, IAM Access Analyzer offers access findings and policy checks.
IAM Access Analyzer uses provable security to deliver comprehensive findings on external access and provides custom policy checks. Provable security relies on automated reasoning technology, which is the application of mathematical logic to help answer critical questions about your infrastructure, including Amazon Web Services permissions.
Set fine-grained permissions
Policy validation
IAM Access Analyzer guides you to author and validate secure and functional policies based on IAM best practices. For example, if your policy contains the iam:PassRole permission with an asterisk in the Resource element, IAM Access Analyzer flags this as a security warning. IAM Access Analyzer includes four policy validation finding types: security warnings, errors, general warnings, and IAM best practice suggestions for your policy. Findings provide actionable recommendations that help you author policies that are functional and conform to Amazon Web Services best practices and your security standards.
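As an added example (not AWS code), the block below reproduces the policy-validation case named above as a local pre-check, then shows how a CI step would call ValidatePolicy and decide on the four finding types. validate_policy() wraps the real boto3 accessanalyzer call; find_wildcard_passrole(), triage(), FakeValidateClient and the sample policy are constructed here, and the issueCode text in the fake response is a sample value rather than captured API output.

```python
"""Added example (not AWS code): a local pre-check that mirrors one policy-validation
finding named above, and triage of a ValidatePolicy response in a CI step.
validate_policy() wraps the real boto3 call; FakeValidateClient is an offline stand-in."""
import json
from collections import Counter

# Constructed sample policy: statement 0 allows iam:PassRole with Resource "*",
# which the text says IAM Access Analyzer reports as a security warning.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:PassRole", "lambda:CreateFunction"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_passrole(policy):
    """Indexes of Allow statements that grant iam:PassRole on Resource "*".
    Action names compare case-insensitively, as IAM evaluates them; NotAction
    and NotResource forms are not handled by this local check."""
    hits = []
    for idx, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        grants_passrole = bool(actions & {"iam:passrole", "iam:*", "*"})
        if grants_passrole and "*" in as_list(stmt.get("Resource")):
            hits.append(idx)
    return hits


def validate_policy(client, policy):
    """Call ValidatePolicy (boto3 'accessanalyzer' client) and return its findings.
    Production code should follow 'nextToken' pagination; omitted here."""
    response = client.validate_policy(
        policyDocument=json.dumps(policy), policyType="IDENTITY_POLICY")
    return response["findings"]


def triage(findings, block_on=("ERROR", "SECURITY_WARNING")):
    """Count findings by type and decide whether the CI step should fail.
    The four types are ERROR, SECURITY_WARNING, WARNING and SUGGESTION."""
    counts = Counter(f["findingType"] for f in findings)
    blocking = [f for f in findings if f["findingType"] in block_on]
    return {
        "counts": dict(counts),
        "fail": bool(blocking),
        "issues": [f"{f['findingType']} {f['issueCode']}: {f['findingDetails']}"
                   for f in blocking],
    }


class FakeValidateClient:
    """Offline stand-in returning a constructed, ValidatePolicy-shaped response
    (the issueCode and text are sample values, not captured API output)."""

    def validate_policy(self, policyDocument, policyType):
        flagged = find_wildcard_passrole(json.loads(policyDocument))
        findings = [{
            "findingType": "SECURITY_WARNING",
            "issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
            "findingDetails": f"iam:PassRole with Resource * in statement {i}",
            "locations": [{"path": [{"value": "Statement"}, {"index": i}], "span": {}}],
        } for i in flagged]
        return {"findings": findings}


if __name__ == "__main__":
    # Swap FakeValidateClient() for boto3.client("accessanalyzer") to run against AWS.
    result = triage(validate_policy(FakeValidateClient(), SAMPLE_POLICY))
    print(json.dumps(result, indent=2))
```

The local check is only a fast fail for one well-known pattern; the service's validation covers many more issue codes, so the pipeline still calls ValidatePolicy and fails on ERROR and SECURITY_WARNING while leaving WARNING and SUGGESTION as advisory.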
Verify who can access what
External access analyzer
IAM Access Analyzer guides you to verify that existing external access meets your intent. IAM Access Analyzer uses automated reasoning tools to analyze all external access to your Amazon Web Services resources, giving provable security assurance. When you turn on IAM Access Analyzer, it continuously monitors for new or updated resource permissions to help you identify permissions that grant public and cross-account access. For example, if an Amazon S3 bucket policy were to change, IAM Access Analyzer would alert you that the bucket had become accessible to users from outside the account. Using this same analysis, IAM Access Analyzer makes it easier to review and validate public and cross-account access before deploying permissions changes.
Custom policy checks
IAM Access Analyzer validates that IAM policies adhere to your security standards ahead of deployments. Custom policy checks use the power of automated reasoning so that security teams can proactively detect nonconformant updates to policies. For example, IAM policy changes that are more permissive than their previous version would be flagged for additional review. Security teams can use these checks to streamline their reviews, automatically approving policies that conform with their security standards, and inspecting more deeply when they don't. Security and development teams can automate policy reviews at scale by integrating custom policy checks into the tools and environments where developers author their policies, such as their CI/CD pipelines.
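An added example (not AWS code) of the pipeline gate described above: a new policy version is compared with the deployed version through the CheckNoNewAccess custom policy check, PASS is auto-approved and FAIL is held for human review. run_check() wraps the real boto3 accessanalyzer call; gate(), allowed_actions(), FakeCheckClient and the two sample policies are constructed here, and the fake client's verdicts only approximate the service's reasoning.

```python
"""Added example (not AWS code): a CI gate built on the CheckNoNewAccess custom
policy check. run_check() wraps the real boto3 call; FakeCheckClient is an
offline stand-in whose verdicts approximate, not reproduce, the service's reasoning."""
import json

# Constructed pair: the new version widens s3:GetObject on one bucket to s3:* on everything.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
NEW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def run_check(client, new_policy, existing_policy, policy_type="IDENTITY_POLICY"):
    """Call CheckNoNewAccess (boto3 'accessanalyzer' client). The service answers
    PASS when the new document grants no access the existing one did not, else FAIL
    with per-statement reasons."""
    resp = client.check_no_new_access(
        newPolicyDocument=json.dumps(new_policy),
        existingPolicyDocument=json.dumps(existing_policy),
        policyType=policy_type,
    )
    return {
        "result": resp["result"],
        "message": resp.get("message", ""),
        "reasons": [(r.get("statementIndex"), r.get("description", ""))
                    for r in resp.get("reasons", [])],
    }


def gate(client, new_policy, existing_policy):
    """Review decision for a pipeline: PASS auto-approves, FAIL is held for a human.
    Returns (approved, details)."""
    details = run_check(client, new_policy, existing_policy)
    return details["result"] == "PASS", details


def allowed_actions(policy):
    """Lower-cased Allow actions of a policy (string-or-list tolerant)."""
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    out = set()
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        acts = acts if isinstance(acts, list) else [acts]
        out.update(a.lower() for a in acts)
    return out


class FakeCheckClient:
    """Offline stand-in: FAIL if the new policy lists an Allow action the existing
    one did not (wildcards compared literally). The real service reasons over
    resources and conditions too; this is only enough to exercise the gate."""

    def check_no_new_access(self, newPolicyDocument, existingPolicyDocument, policyType):
        new = allowed_actions(json.loads(newPolicyDocument))
        old = allowed_actions(json.loads(existingPolicyDocument))
        added = sorted(new - old)
        if not added:
            return {"result": "PASS",
                    "message": "The updated policy does not grant new access."}
        return {"result": "FAIL",
                "message": "The updated policy grants new access.",
                "reasons": [{"description": f"New actions: {', '.join(added)}",
                             "statementIndex": 0}]}


if __name__ == "__main__":
    # Swap FakeCheckClient() for boto3.client("accessanalyzer") to run against AWS.
    approved, details = gate(FakeCheckClient(), NEW_POLICY, EXISTING_POLICY)
    print("auto-approve" if approved else "hold for review")
    print(json.dumps(details, indent=2))
```

Keeping the pipeline's decision to the PASS/FAIL result, and surfacing the reasons only in the review queue, means developers get an immediate verdict while reviewers see exactly which statement widened access.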
Refine access
Last accessed information
IAM Access Analyzer provides last accessed information about when Amazon Web Services services, and actions from select Amazon Web Services services, were last used by a role or user through their IAM policies. This helps you identify opportunities to refine your permissions. With this information, you can compare the permissions granted to a role or user against when those permissions were last used, remove unused access, and further refine your permissions.
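As an added example (not AWS code), the block below turns last accessed data into a list of granted but unused services and actions that a refinement ticket could be raised for. fetch_last_accessed() wraps the real boto3 IAM calls GenerateServiceLastAccessedDetails and GetServiceLastAccessedDetails; unused_services(), unused_actions(), the 90-day threshold and the sample response are constructed here.

```python
"""Added example (not AWS code): turn IAM last-accessed data into a list of granted
but unused services and actions. fetch_last_accessed() wraps the real boto3 IAM calls;
unused_services() / unused_actions() and the sample response are constructed here."""
import time
from datetime import datetime, timedelta, timezone


def fetch_last_accessed(iam, arn, granularity="ACTION_LEVEL", poll_seconds=2):
    """GenerateServiceLastAccessedDetails starts an asynchronous job for a user,
    group, role or policy ARN; poll GetServiceLastAccessedDetails until it finishes.
    (Long result lists are paginated with Marker/IsTruncated; not handled here.)"""
    job = iam.generate_service_last_accessed_details(Arn=arn, Granularity=granularity)
    while True:
        details = iam.get_service_last_accessed_details(JobId=job["JobId"])
        if details["JobStatus"] != "IN_PROGRESS":
            return details
        time.sleep(poll_seconds)


def unused_services(details, days=90, now=None):
    """Services the entity's policies allow that were not used within `days`.
    A service never used has no LastAuthenticated key in the response."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    unused = []
    for svc in details["ServicesLastAccessed"]:
        last = svc.get("LastAuthenticated")
        if last is None or last < cutoff:
            unused.append((svc["ServiceNamespace"], last))
    return unused


def unused_actions(details, days=90, now=None):
    """With ACTION_LEVEL granularity, tracked actions carry their own timestamps;
    report tracked actions not used within `days` as (namespace, action) pairs."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    out = []
    for svc in details["ServicesLastAccessed"]:
        for act in svc.get("TrackedActionsLastAccessed", []):
            last = act.get("LastAccessedTime")
            if last is None or last < cutoff:
                out.append((svc["ServiceNamespace"], act["ActionName"]))
    return out


# Fixed "now" so the constructed sample below gives stable results.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed response shaped like GetServiceLastAccessedDetails (boto3 returns
# timezone-aware datetimes for the timestamp fields).
SAMPLE_DETAILS = {
    "JobStatus": "COMPLETED",
    "JobType": "ACTION_LEVEL",
    "ServicesLastAccessed": [
        {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
         "LastAuthenticated": NOW - timedelta(days=10),
         "TotalAuthenticatedEntities": 1,
         "TrackedActionsLastAccessed": [
             {"ActionName": "GetObject", "LastAccessedTime": NOW - timedelta(days=10)},
             {"ActionName": "PutObject", "LastAccessedTime": NOW - timedelta(days=200)},
             {"ActionName": "DeleteObject"},
         ]},
        {"ServiceName": "AWS Lambda", "ServiceNamespace": "lambda",
         "LastAuthenticated": NOW - timedelta(days=150),
         "TotalAuthenticatedEntities": 1},
        {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
         "TotalAuthenticatedEntities": 0},
    ],
}

if __name__ == "__main__":
    # Against AWS: details = fetch_last_accessed(boto3.client("iam"),
    #                                            "arn:aws:iam::111122223333:role/App")
    for ns, last in unused_services(SAMPLE_DETAILS, days=90, now=NOW):
        print(f"{ns}: last used {last.date() if last else 'never'}")
    print(unused_actions(SAMPLE_DETAILS, days=90, now=NOW))
```

A service that was used recently can still carry individual tracked actions that were never used, as the s3 entry in the sample shows, which is why the action-level pass is worth running separately from the service-level one.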
Integrations
Integration with Amazon EventBridge
By integrating IAM Access Analyzer with Amazon EventBridge, you can automate and scale permissions refinement by alerting teams to review and remove excessive permissions within their Amazon Web Services accounts. IAM Access Analyzer sends an event to EventBridge when a finding is generated, deleted, or its status changes. To receive notifications about findings, you must create and enable an event rule in EventBridge.
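An added example (not AWS code) covering both the external access findings described earlier and the EventBridge integration above: an event rule pattern for Access Analyzer finding events and a Lambda-style handler that routes each finding (page on public access, ticket on cross-account access, close when a finding is resolved or archived). The source, detail-type and detail field names follow the Access Analyzer Finding event; the routing policy, the sample event and the placeholder IDs in it are constructed here.

```python
"""Added example for the external-access and EventBridge sections (not AWS code):
an EventBridge rule pattern for Access Analyzer findings and a Lambda-style handler
that routes each finding. The event shape follows the Access Analyzer Finding event;
the routing policy, the sample event and its IDs are constructed here."""
import json

# Rule event pattern: every finding event, so resolved/archived findings reach the
# handler too and can close the item they opened. Narrow it with
# {"detail": {"status": ["ACTIVE"], "isPublic": [True]}} to page only on new public access.
EVENT_PATTERN = {
    "source": ["aws.access-analyzer"],
    "detail-type": ["Access Analyzer Finding"],
}

# Constructed sample event: an S3 bucket policy that just became public.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder event id
    "detail-type": "Access Analyzer Finding",
    "source": "aws.access-analyzer",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "version": "1.0",
        "id": "11111111-1111-1111-1111-111111111111",  # placeholder finding id
        "status": "ACTIVE",
        "resourceType": "AWS::S3::Bucket",
        "resource": "arn:aws:s3:::example-bucket",
        "accountId": "111122223333",
        "principal": {"AWS": "*"},
        "action": ["s3:GetObject", "s3:ListBucket"],
        "condition": {},
        "isPublic": True,
        "isDeleted": False,
    },
}


def classify(event):
    """Routing decision: 'close' for findings that are no longer active, 'page' for
    public access, 'ticket' for cross-account access from a specific principal."""
    d = event["detail"]
    if d.get("isDeleted") or d.get("status") in ("RESOLVED", "ARCHIVED"):
        return "close"
    if d.get("isPublic"):
        return "page"
    return "ticket"


def summarize(event):
    """One-line description for the alert body."""
    d = event["detail"]
    principal = ", ".join(f"{k}={v}" for k, v in d.get("principal", {}).items()) or "unknown"
    return (f"{d['resourceType']} {d['resource']} in {d['accountId']} reachable by "
            f"{principal} for {', '.join(d.get('action', []))} "
            f"(finding {d['id']}, {d['status']})")


def lambda_handler(event, context):
    """Entry point when the EventBridge rule targets a Lambda function."""
    if event.get("source") != "aws.access-analyzer":
        return {"route": "ignore", "summary": ""}
    return {"route": classify(event), "summary": summarize(event)}


if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

Keeping the rule pattern broad and deciding in the handler lets one rule both open and close items as a finding moves from ACTIVE to RESOLVED, which is the status change the integration text refers to.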