AWS IAM Access Analyzer features

IAM Access Analyzer guides you to verify that existing access meets your intent. IAM Access Analyzer uses automated reasoning tools, for provable security assurance, to analyze all access paths and provide comprehensive analysis of external access to your resources. When you turn on IAM Access Analyzer, it continuously monitors for new or updated resource permissions to help you identify permissions that grant public and cross-account access. For example, if an Amazon S3 bucket policy were to change, IAM Access Analyzer would alert you that the bucket is accessible by users from outside the account. Using this same analysis, IAM Access Analyzer makes it easier to review and validate public and cross-account access before deploying permissions changes. 

IAM Access Analyzer validates that IAM policies adhere to your security standards ahead of deployments. Custom policy checks use the power of automated reasoning—provable security assurance backed by mathematical proof— to enable security teams to proactively detect nonconformant updates to policies. For example, IAM policy changes that are more permissive than their previous version. Security teams can use these checks to streamline their reviews, automatically approving policies that conform with their security standards, and inspecting more deeply when they don't. This new kind of validation provides higher security assurance in the cloud. Security and development teams can automate policy reviews at scale by integrating these custom policy checks into the tools and environments where developers author their policies, such as their CI/CD pipelines. 

IAM Access Analyzer simplifies inspecting unused access to guide you toward least privilege. Security teams can use IAM Access Analyzer to gain visibility into unused access across their AWS organization and automate how they rightsize permissions. IAM Access Analyzer continuously analyzes your accounts to identify unused access and offers recommendations with actionable guidance to help you remediate the unused access. It consolidates findings in a centralized dashboard, which helps security teams review findings centrally and prioritize accounts based on the volume of findings. The findings highlight unused roles, unused access keys for IAM users, and unused passwords for IAM users. For active IAM roles and users, the findings provide visibility into unused services and actions. Security teams can automate notification workflows to help development teams identify and remove unused access.

IAM Access Analyzer provides last accessed information data about when AWS services and actions from select AWS services were last used by a role or user through their IAM policies, which helps you identify opportunities to tighten your permissions. With this information, you can compare the permissions that have been granted to a role or user when those permissions were last accessed to remove unused access and further refine your permissions. 

With this integration, external and unused access findings generated by IAM Access Analyzer can be sent to AWS Security Hub and checked against security industry standards and best practices. This allows further analysis on your security patterns and helps identify the highest priority security issues. Security Hub can include findings from IAM Access analyzer in its analysis of your security posture.

With this integration, you can automate and scale permissions refinement by alerting teams to review and remove excessive permissions within their AWS accounts. IAM Access Analyzer sends an event to EventBridge when a finding is generated, deleted, or its status changes. To receive findings and notifications about findings, you must enable and create an event rule in Amazon EventBridge.