Posted On: Mar 17, 2021

Amazon Identity and Access Management (IAM) Access Analyzer guides you on your least privilege journey by analyzing your existing resource policies to help you identify and resolve unintended public or cross-account access to your resources. Now, we are extending policy analysis in IAM Access Analyzer by adding over 100 policy checks that help you proactively validate your identity and resource policies during policy authoring. The checks include the functional validation developers expect from a linter, and go beyond that to evaluate best practices in granting access. These checks analyze your policy and report security warnings, errors, general warnings, and suggestions based on their impact. They provide actionable recommendations that guide you to set secure and functional permissions. For example, IAM Access Analyzer reports a security warning when your policy allows your IAM roles and users to pass any role to any service, which is overly permissive. The reported finding recommends that you scope down the permissions to pass specific role(s) instead.

Just like the grammar checks on your favorite word processors, IAM Access Analyzer automatically performs these policy checks as you’re authoring your identity policies using the JSON policy editor in the IAM console. You can also validate additional policies such as service-control policies and resource policies programmatically using the Access Analyzer ValidatePolicy API.
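The following is an added example, not code from AWS or from this announcement, that shows the two policy shapes discussed above side by side: the overly permissive `iam:PassRole` on `*` that draws a security warning, and the scoped-down form limited to one role and one service. It includes a small local pre-check for that one pattern (an assumption-labelled approximation a CI step could run offline, not a re-implementation of the Access Analyzer checks) and a thin wrapper around the `ValidatePolicy` API via boto3 for when credentials are available. The account id, role name and service in the sample policies are placeholders.

```python
import fnmatch
import json

# Constructed sample: an identity policy that lets the principal pass *any*
# role to *any* service. This is the overly permissive shape the announcement
# says IAM Access Analyzer reports as a security warning.
OVERLY_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Allow", "Action": "lambda:CreateFunction", "Resource": "*"},
    ],
}

# Constructed sample: the scoped-down form. Only one named role (placeholder
# account id and role name) may be passed, and only to the Lambda service.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/lambda-exec-role",
            "Condition": {
                "StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}
            },
        },
        {"Effect": "Allow", "Action": "lambda:CreateFunction", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_pass_role(action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?', so
    "iam:Pass*", "iam:*" and "*" all cover iam:PassRole."""
    return fnmatch.fnmatchcase("iam:passrole", action.lower())


def _has_passed_to_service_condition(statement: dict) -> bool:
    for operator_values in statement.get("Condition", {}).values():
        if "iam:PassedToService" in operator_values:
            return True
    return False


def find_unscoped_pass_role(policy: dict) -> list:
    """Local pre-check (assumption: a simplified approximation of one Access
    Analyzer warning, not its implementation). Returns one finding per Allow
    statement that grants iam:PassRole on a wildcard resource. NotAction and
    NotResource are not handled; Access Analyzer's own checks should still run."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if not any(_grants_pass_role(a) for a in _as_list(statement.get("Action"))):
            continue
        for resource in _as_list(statement.get("Resource")):
            if resource == "*" or resource.endswith("role/*"):
                findings.append({
                    "statement_index": index,
                    "resource": resource,
                    "passed_to_service_condition": _has_passed_to_service_condition(statement),
                    "detail": "iam:PassRole on a wildcard resource lets this principal "
                              "pass any role; scope Resource to specific role ARNs.",
                })
    return findings


def validate_with_access_analyzer(policy: dict, policy_type: str = "IDENTITY_POLICY") -> list:
    """Call the real ValidatePolicy API (requires boto3 and AWS credentials; not
    exercised offline). Each returned finding carries a findingType of ERROR,
    SECURITY_WARNING, WARNING or SUGGESTION plus findingDetails and locations."""
    import boto3  # imported lazily so the local pre-check runs without it

    client = boto3.client("accessanalyzer")
    findings = []
    kwargs = {"policyDocument": json.dumps(policy), "policyType": policy_type}
    while True:  # the API pages results through nextToken
        response = client.validate_policy(**kwargs)
        findings.extend(response.get("findings", []))
        if "nextToken" not in response:
            return findings
        kwargs["nextToken"] = response["nextToken"]


if __name__ == "__main__":
    for name, policy in (("permissive", OVERLY_PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(find_unscoped_pass_role(policy), indent=2))
```

The local check is deliberately narrow: it exists so a pipeline can fail fast on the single pattern the announcement calls out, while `validate_with_access_analyzer` returns the full set of Access Analyzer findings for the same document so the two can be compared. Pass `policy_type="RESOURCE_POLICY"` or `"SERVICE_CONTROL_POLICY"` to validate those document types.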

IAM Access Analyzer policy validation is available at no additional cost in the Amazon Web Services China (Beijing) region, operated by Sinnet, and in the Amazon Web Services China (Ningxia) region, operated by NWCD. To learn more about IAM Access Analyzer, see the documentation.