

# IAM Access Analyzer findings

IAM Access Analyzer generates findings for external access, internal access, and unused access in your AWS account or organization.

For external access, IAM Access Analyzer generates a finding for each instance of a resource-based policy that grants access to a resource within your zone of trust to a principal that is not within your zone of trust. When you create an external access analyzer, you choose an organization or AWS account to analyze. Any principal in the organization or account that you choose for the analyzer is considered trusted. Because principals in the same organization or account are trusted, the resources and principals within the organization or account comprise the zone of trust for the analyzer. Any sharing that is within the zone of trust is considered safe, so IAM Access Analyzer does not generate a finding. For example, if you select an organization as the zone of trust for an analyzer, all resources and principals in the organization are within the zone of trust. If you grant permissions to an Amazon S3 bucket in one of your organization member accounts to a principal in another organization member account, IAM Access Analyzer does not generate a finding. But if you grant permission to a principal in an account that is not a member of the organization, IAM Access Analyzer generates a finding.

For internal access, IAM Access Analyzer generates findings when there is a possible access path between an IAM role or user within your organization and your specified resources. Similar to external access analysis, the scope you choose (organization or account) determines what is considered internal. If you select an organization as the scope, IAM Access Analyzer will generate findings for access paths between principals and resources within your organization. If you select an account, findings will be generated for access paths within that specific account. IAM Access Analyzer uses automated reasoning to evaluate all IAM policies to monitor who has access to your resources.

The combination of external and internal access findings with the same zone of trust provides a comprehensive analysis of all possible access to a particular resource, both from within and outside your defined trust boundary.

For unused access, IAM Access Analyzer generates findings for unused access granted in your AWS organization and accounts. When you create an unused access analyzer, IAM Access Analyzer continuously monitors all IAM roles and users in your AWS organization and accounts and generates findings for unused access. IAM Access Analyzer generates the following types of findings for unused access:
+ **Unused roles** – Roles with no access activity within the specified usage window.
+ **Unused IAM user access keys and passwords** – Credentials belonging to IAM users that have not been used to access your AWS account in the specified usage window.
+ **Unused permissions** – Service-level and action-level permissions that weren't used by a role within the specified usage window. IAM Access Analyzer uses identity-based policies attached to roles to determine the services and actions that those roles can access. IAM Access Analyzer supports review of unused permissions for all service-level permissions. For a complete list of action-level permissions that are supported for unused access findings, see [IAM action last accessed information services and actions](access_policies_last-accessed-action-last-accessed.md).

**Note**  
IAM Access Analyzer offers external access findings for free. There are charges for unused access findings based on the number of IAM roles and users analyzed per analyzer per month. There are also charges for internal access findings based on the number of AWS resources monitored per analyzer per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

**Topics**
+ [Understand how IAM Access Analyzer findings work](access-analyzer-concepts.md)
+ [Getting started with AWS Identity and Access Management Access Analyzer](access-analyzer-getting-started.md)
+ [View the IAM Access Analyzer findings dashboard](access-analyzer-dashboard.md)
+ [Review IAM Access Analyzer findings](access-analyzer-findings-view.md)
+ [Filter IAM Access Analyzer findings](access-analyzer-findings-filter.md)
+ [Archive IAM Access Analyzer findings](access-analyzer-findings-archive.md)
+ [Resolve IAM Access Analyzer findings](access-analyzer-findings-remediate.md)
+ [IAM Access Analyzer error findings](access-analyzer-error-findings.md)
+ [IAM Access Analyzer supported resource types for external and internal access](access-analyzer-resources.md)
+ [Delegated administrator for IAM Access Analyzer](access-analyzer-delegated-administrator.md)
+ [Archive rules](access-analyzer-archive-rules.md)
+ [Monitoring AWS Identity and Access Management Access Analyzer with Amazon EventBridge](access-analyzer-eventbridge.md)
+ [Integrate IAM Access Analyzer with AWS Security Hub CSPM](access-analyzer-securityhub-integration.md)
+ [Logging IAM Access Analyzer API calls with AWS CloudTrail](logging-using-cloudtrail.md)
+ [IAM Access Analyzer filter keys](access-analyzer-reference-filter-keys.md)
+ [Using service-linked roles for AWS Identity and Access Management Access Analyzer](access-analyzer-using-service-linked-roles.md)

# Understand how IAM Access Analyzer findings work

This topic describes the concepts and terms that are used in IAM Access Analyzer to help you become familiar with how IAM Access Analyzer monitors access to your AWS resources.

## External access findings


External access findings are generated only once for each instance of a resource that is shared outside of your zone of trust. Each time a resource-based policy is modified, IAM Access Analyzer analyzes the policy. If the updated policy shares a resource that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the resource sharing. Changes to a resource control policy that impact the **Resource control policy (RCP) restriction** also generate a new finding. IAM Access Analyzer also evaluates access control configurations established by [declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html). If the access in the first finding is removed, that finding is updated to a status of **Resolved**.

The status of all findings remains **Active** until you archive them or remove the access that generated the finding. When you remove the access, the finding status is updated to **Resolved**.

**Note**  
It may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource and then update the external access finding. Changes to a resource control policy (RCP) do not trigger a rescan of the resource reported in the finding. IAM Access Analyzer analyzes the new or updated policy during the next periodic scan, which is within 24 hours.

## How IAM Access Analyzer generates findings for external access

AWS Identity and Access Management Access Analyzer uses a technology called [Zelkova](https://aws.amazon.com/blogs/security/protect-sensitive-data-in-the-cloud-with-automated-reasoning-zelkova/) to analyze IAM policies and identify external access to resources.

Zelkova translates IAM policies into equivalent logical statements and runs them through a suite of general-purpose and specialized logical solvers (satisfiability modulo theories). IAM Access Analyzer applies Zelkova repeatedly to a policy, using increasingly specific queries to characterize the types of access the policy allows based on its content. For more information about satisfiability modulo theories, see [Satisfiability Modulo Theories](https://people.eecs.berkeley.edu/~sseshia/pubdir/SMT-BookChapter.pdf).

For external access analyzers, IAM Access Analyzer does not examine access logs to determine whether an external entity has actually accessed a resource within your zone of trust. Instead, it generates a finding when a resource-based policy allows access to a resource, regardless of whether the resource was accessed by the external entity.

Additionally, IAM Access Analyzer does not consider the state of any external accounts when making its determinations. If it indicates that account 111122223333 can access your Amazon S3 bucket, it doesn't have any information about the users, roles, service control policies (SCP), or other relevant configurations in that account. This is for customer privacy, as IAM Access Analyzer doesn't know who owns the other account. This is also for security, as it's important to know about potential external access even if there are currently no active principals that can use it.

IAM Access Analyzer only considers certain IAM condition keys that external users can't directly influence or that are otherwise impactful to authorization. For examples of condition keys IAM Access Analyzer considers, see [IAM Access Analyzer filter keys](access-analyzer-reference-filter-keys.md).

IAM Access Analyzer doesn't currently report findings from AWS service principals or internal service accounts. In rare cases where it can't fully determine whether a policy statement grants access to an external entity, it errs on the side of declaring a false positive finding. This is because IAM Access Analyzer is designed to provide a comprehensive view of the resource sharing in your account and to minimize false negatives.
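The zone-of-trust rules described on this page (principals in the chosen organization or account are trusted, only condition keys a caller cannot forge narrow a grant, AWS service principals are not reported, and anything that cannot be proven safe is reported) can be made concrete with a small classifier. The Python below is an added example written for this page, not IAM Access Analyzer's implementation: it approximates the behaviour with plain string matching rather than automated reasoning, treats only `aws:PrincipalOrgID`, `aws:PrincipalAccount` and `aws:PrincipalArn` under `StringEquals`/`ArnEquals` as zone-restricting conditions, and runs over a constructed bucket policy, organization ID and account IDs.

```python
"""Simplified zone-of-trust classifier for a resource-based policy.

Added illustration written for this page; it is not IAM Access Analyzer's
Zelkova-based implementation and only approximates its behaviour:
  * Allow statements whose principal is an account in the zone of trust
    produce no finding; anything else produces one.
  * Only condition keys a caller cannot forge (aws:PrincipalOrgID,
    aws:PrincipalAccount, aws:PrincipalArn) can narrow a grant back into
    the zone of trust; other keys are ignored, so the result leans toward
    false positives rather than false negatives.
  * AWS service principals are skipped.
"""
from typing import Iterable

ZONE_CONDITION_KEYS = {"aws:principalorgid", "aws:principalaccount", "aws:principalarn"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal: str):
    """Return the 12-digit account ID behind an account ID or IAM ARN, else None."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) == 6 and parts[0] == "arn" and parts[4].isdigit():
        return parts[4]
    return None  # "*", federated providers, malformed values


def _principals(statement: dict):
    """Yield principal strings, skipping AWS service principals."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield "*"
        return
    for kind, values in principal.items():
        if kind == "Service":
            continue
        yield from _as_list(values)


def _pinned_to_zone(statement: dict, zone: set, org_id):
    """True when a non-forgeable condition restricts callers to the zone of trust."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "ArnEquals"):
            continue
        for key, values in pairs.items():
            key = key.lower()
            if key not in ZONE_CONDITION_KEYS:
                continue
            values = set(_as_list(values))
            if key == "aws:principalorgid" and org_id and values == {org_id}:
                return True
            if key == "aws:principalaccount" and values <= zone:
                return True
            if key == "aws:principalarn" and all(_account_of(v) in zone for v in values):
                return True
    return False


def external_access_findings(policy: dict, zone_accounts: Iterable[str], org_id=None):
    """Return one finding per Allow statement/principal pair outside the zone of trust."""
    zone = set(zone_accounts)
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        if _pinned_to_zone(statement, zone, org_id):
            continue
        for principal in _principals(statement):
            if _account_of(principal) in zone:
                continue
            findings.append({
                "sid": statement.get("Sid"),
                "principal": principal,
                "isPublic": principal == "*",
                "actions": _as_list(statement.get("Action", [])),
            })
    return findings


# Constructed sample: a bucket policy in organization o-exampleorgid whose member
# accounts are 111111111111 and 222222222222. Account 333333333333 is external.
SAMPLE_ORG = {"id": "o-exampleorgid", "accounts": {"111111111111", "222222222222"}}
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "MemberRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:role/etl"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgWide", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "Partner", "Effect": "Allow", "Principal": {"AWS": "333333333333"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "RefererOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringLike": {"aws:Referer": "https://example.com/*"}}},
        {"Sid": "LogDelivery", "Effect": "Allow",
         "Principal": {"Service": "logging.s3.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/logs/*"},
    ],
}

if __name__ == "__main__":
    for finding in external_access_findings(SAMPLE_BUCKET_POLICY, SAMPLE_ORG["accounts"], SAMPLE_ORG["id"]):
        print(finding)
```

With the organization as the zone of trust the sample reports only the partner account and the `aws:Referer`-gated statement (a header the caller controls does not make a public grant safe); rerunning with a single account as the zone of trust also reports the member-account role and the organization-wide statement, which is the practical difference between the two analyzer scopes described above.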

## Internal access findings


To use internal access analysis, you must first configure the analyzer by selecting the specific resources you want to monitor. Once configured, internal access findings are generated when a principal (IAM user or role) within your organization or account has access to your selected resources. A new finding is generated the next time the analyzer scans the specified resources and identifies a principal that has access to the resources. If an updated policy allows a principal that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the principal and resource. This updated policy could be a resource-based policy, identity-based policy, service control policy (SCP), or resource control policy (RCP). IAM Access Analyzer also evaluates access control configurations established by [declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html). 

**Note**  
Internal access findings are only available using the [ListFindingsV2](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListFindingsV2.html) API action.

## How IAM Access Analyzer generates findings for internal access

To analyze internal access, you must create a separate analyzer for internal access findings for your resources, even if you’ve already created an analyzer to generate external access findings or unused access findings.

After creating the internal access analyzer, IAM Access Analyzer evaluates all resource-based policies, identity-based policies, service control policies (SCPs), resource control policies (RCPs), and permissions boundaries within your specified account or organization.

By creating an analyzer dedicated to internal access to your selected resources, you can identify:
+ When a principal in your organization or account can access your selected resources
+ The total effective permissions allowed for a principal based on the intersection of all applicable policies
+ Complex access paths where a principal gains access based on the combination of identity policies and resource policies

**Note**  
IAM Access Analyzer cannot generate internal access findings for organizations that contain more than 70,000 principals (IAM users and roles combined).

## Unused access findings


Unused access findings are generated for IAM entities (principals) within the selected account or organization based on the number of days specified while creating the analyzer. A new finding is generated the next time the analyzer scans the entities if one of the following conditions is met:
+ A role is inactive for the specified number of days.
+ An unused permission, unused user password, or unused user access key surpasses the specified number of days.

**Note**  
Unused access findings are only available using the [ListFindingsV2](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListFindingsV2.html) API action.

## How IAM Access Analyzer generates findings for unused access

To analyze unused access, you must create a separate analyzer for unused access findings for your roles, even if you’ve already created an analyzer to generate external or internal access findings for your resources.

After you create the unused access analyzer, IAM Access Analyzer reviews the last accessed information for all IAM users, IAM roles (including service roles), user access keys, and user passwords across your AWS organization and accounts to identify unused access.

**Note**  
A [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts) is a special type of service role that is linked to an AWS service and owned by the service. Service-linked roles are not analyzed by unused access analyzers.

For active IAM roles and users, IAM Access Analyzer uses last accessed information for IAM services and actions to identify unused permissions. This allows you to scale your review process at the AWS organization and account level. You can also use the action last accessed information for deeper investigation of individual roles. This provides more granular insights into which specific permissions are not being utilized.

By creating an analyzer dedicated to unused access, you can comprehensively review and identify unused access across your AWS environment, complementing the findings generated by your existing external access analyzer.
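The conditions listed under "Unused access findings" and the last-accessed review described in this section amount to a date comparison against the usage window, applied per role, per credential and per service-level permission. The Python below is an added example for this page, not IAM Access Analyzer's implementation: it applies those rules to constructed inventory records (shaped loosely after what IAM's `GetRole`, `GetAccessKeyLastUsed`, `GetUser` and `GetServiceLastAccessedDetails` return), skips service-linked roles by their `/aws-service-role/` path, treats a never-used item as unused, and labels results with the finding type names used by `ListFindingsV2`.

```python
"""Unused access classification over last-used data.

Added example written for this page, not IAM Access Analyzer's implementation.
It applies the rules in the text to constructed inventory records and labels
results with the finding type names used by ListFindingsV2.
"""
from datetime import datetime, timedelta, timezone


def _older_than(last_used, now, window_days):
    """True when the item was never used or last used before the usage window."""
    return last_used is None or now - last_used > timedelta(days=window_days)


def unused_access_findings(principals, now, window_days):
    """Return one finding per unused role, credential or service-level permission."""
    findings = []
    for p in principals:
        if p["type"] == "role":
            # Service-linked roles live under /aws-service-role/ and are not analyzed.
            if p["path"].startswith("/aws-service-role/"):
                continue
            if _older_than(p.get("lastUsed"), now, window_days):
                findings.append({"findingType": "UnusedIAMRole", "resource": p["arn"]})
                continue  # an inactive role gets a role finding, not per-permission findings
        else:
            # IAM users: each credential is tracked on its own.
            if p.get("passwordEnabled") and _older_than(p.get("passwordLastUsed"), now, window_days):
                findings.append({"findingType": "UnusedIAMUserPassword", "resource": p["arn"]})
            for key in p.get("accessKeys", []):
                if _older_than(key.get("lastUsed"), now, window_days):
                    findings.append({"findingType": "UnusedIAMUserAccessKey",
                                     "resource": p["arn"], "accessKeyId": key["id"]})
        # Active principals: service-level permissions with no use inside the window.
        for svc in p.get("servicesLastAccessed", []):
            if _older_than(svc.get("lastAuthenticated"), now, window_days):
                findings.append({"findingType": "UnusedPermission",
                                 "resource": p["arn"], "serviceNamespace": svc["namespace"]})
    return findings


# Constructed sample inventory; timestamps are relative to a fixed "now".
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def days_ago(n):
    return NOW - timedelta(days=n)


SAMPLE_PRINCIPALS = [
    {"type": "role", "arn": "arn:aws:iam::111111111111:role/nightly-etl", "path": "/",
     "lastUsed": days_ago(3),
     "servicesLastAccessed": [
         {"namespace": "s3", "lastAuthenticated": days_ago(3)},
         {"namespace": "dynamodb", "lastAuthenticated": None},  # granted, never used
     ]},
    {"type": "role", "arn": "arn:aws:iam::111111111111:role/legacy-migration", "path": "/",
     "lastUsed": days_ago(400),
     "servicesLastAccessed": [{"namespace": "s3", "lastAuthenticated": days_ago(400)}]},
    {"type": "role", "path": "/aws-service-role/access-analyzer.amazonaws.com/",
     "arn": "arn:aws:iam::111111111111:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer",
     "lastUsed": None, "servicesLastAccessed": []},
    {"type": "user", "arn": "arn:aws:iam::111111111111:user/deploy-bot", "path": "/",
     "passwordEnabled": True, "passwordLastUsed": None,
     "accessKeys": [{"id": "AKIAIOSFODNN7EXAMPLE", "lastUsed": days_ago(2)},
                    {"id": "AKIAI44QH8DHBEXAMPLE", "lastUsed": days_ago(120)}],
     "servicesLastAccessed": [{"namespace": "ecr", "lastAuthenticated": days_ago(2)}]},
]

if __name__ == "__main__":
    for finding in unused_access_findings(SAMPLE_PRINCIPALS, NOW, window_days=90):
        print(finding)
```

With a 90-day window the sample yields an unused `dynamodb` permission on the active ETL role, an unused-role finding for the migration role (and nothing per-permission for it), and an unused password plus one unused access key for the user; the service-linked role is skipped entirely. Widening the window to 365 days drops the 120-day-old key but keeps every never-used item, which is the behaviour to expect when tuning the usage window.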

# Getting started with AWS Identity and Access Management Access Analyzer

Use the information in this topic to learn about the requirements necessary to use and manage AWS Identity and Access Management Access Analyzer.

## Permissions required to use IAM Access Analyzer


To successfully configure and use IAM Access Analyzer, the account you use must be granted the required permissions. 

### AWS managed policies for IAM Access Analyzer


AWS Identity and Access Management Access Analyzer provides AWS managed policies to help you get started quickly.
+ [IAMAccessAnalyzerFullAccess](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAccessAnalyzerFullAccess) - Allows full access to IAM Access Analyzer for administrators. This policy also allows creating the service-linked roles that are required to allow IAM Access Analyzer to analyze resources in your account or AWS organization.
+ [IAMAccessAnalyzerReadOnlyAccess](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAccessAnalyzerReadOnlyAccess) - Allows read-only access to IAM Access Analyzer. You must add additional policies to your IAM identities (users, groups of users, or roles) to allow them to view their findings.

### Resources defined by IAM Access Analyzer


To view the resources defined by IAM Access Analyzer, see [Resource types defined by IAM Access Analyzer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamaccessanalyzer.html#awsiamaccessanalyzer-resources-for-iam-policies) in the *Service Authorization Reference*.

### Required IAM Access Analyzer service permissions


IAM Access Analyzer uses a service-linked role (SLR) named `AWSServiceRoleForAccessAnalyzer`. This SLR grants the service read-only access to analyze AWS resources with resource-based policies and analyze unused access on your behalf. The service creates the role in your account in the following scenarios:
+ You create an external access analyzer with your account as the zone of trust.
+ You create an unused access analyzer with your account as the selected account.
+ You create an internal access analyzer with your account as the zone of trust.

For more information, see [Using service-linked roles for AWS Identity and Access Management Access Analyzer](access-analyzer-using-service-linked-roles.md).

**Note**  
IAM Access Analyzer is Regional. For external and internal access, you must enable IAM Access Analyzer in each Region independently.  
For unused access, findings for the analyzer do not change based on Region. Creating an analyzer in each Region where you have resources is not required.

In some cases, after you create an analyzer in IAM Access Analyzer, the **Findings** page or dashboard loads with no findings or summary. This might be due to a delay in the console for populating your findings. You might need to manually refresh the browser or check back later to view your findings or summary. If you still don't see any findings for an external access analyzer, it's because you have no supported resources in your account that can be accessed by an external entity. If a policy that grants access to an external entity is applied to a resource, IAM Access Analyzer generates a finding.

**Note**  
For external access analyzers, it may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource and then either generate a new finding or update an existing finding for the access to the resource.  
When you create an internal access analyzer, it might take several minutes or hours before findings are available. After the initial scan, IAM Access Analyzer automatically rescans all policies every 24 hours.  
For all types of access analyzers, updates for findings might not be reflected in the dashboard immediately.

### Required IAM Access Analyzer permissions to view the findings dashboard


To view the [IAM Access Analyzer findings dashboard](access-analyzer-dashboard.md), the account you use must be granted access to perform the following required actions:
+ [https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetAnalyzer.html](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetAnalyzer.html)
+ [https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListAnalyzers.html](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListAnalyzers.html)
+ [https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetFindingsStatistics.html](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetFindingsStatistics.html)

To view all of the actions defined by IAM Access Analyzer, see [Actions defined by IAM Access Analyzer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamaccessanalyzer.html#awsiamaccessanalyzer-actions-as-permissions) in the *Service Authorization Reference*.

## IAM Access Analyzer status


To view the status of your analyzers, choose **Analyzers**. Analyzers created for an organization or account can have the following status:


| Status | Description | 
| --- | --- | 
|  Active  |  For external and internal access analyzers, the analyzer is actively monitoring resources within its zone of trust. The analyzer actively generates new findings and updates existing findings. For unused access analyzers, the analyzer is actively monitoring unused access within the selected organization or AWS account in the specified tracking period. The analyzer actively generates new findings and updates existing findings.  | 
|  Creating  |  The creation of the analyzer is still in progress. The analyzer becomes active once creation is complete.  | 
|  Disabled  |  The analyzer is disabled due to an action taken by the AWS Organizations administrator, for example removing the analyzer's account as the delegated administrator for IAM Access Analyzer. When the analyzer is in a disabled state, it does not generate new findings or update existing findings.  | 
|  Failed  |  The creation of the analyzer failed due to a configuration issue. The analyzer won't generate any findings. Delete the analyzer and create a new analyzer.  | 

# Create an IAM Access Analyzer external access analyzer

External access analyzers are Regional. To monitor access to resources in a Region, create an external access analyzer in that Region, and repeat for each Region in which you want to monitor access to your resources.

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

## Create an external access analyzer with the AWS account as the zone of trust


1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Resource analysis - External access**.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. Enter a name for the analyzer.

1. Choose **Current account** as the zone of trust for the analyzer.
**Note**  
If your account is not the AWS Organizations management account or [delegated administrator](access-analyzer-delegated-administrator.md) account, you can create only one analyzer with your account as the zone of trust.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Create analyzer**.

When you create an external access analyzer to enable IAM Access Analyzer, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in your account.

## Create an external access analyzer with the organization as the zone of trust


1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Resource analysis - External access**.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. Enter a name for the analyzer.

1. Choose **Current organization** as the zone of trust for the analyzer.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Submit**.

When you create an external access analyzer with the organization as the zone of trust, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in each account of your organization.

# Manage an IAM Access Analyzer external access analyzer

External access analyzers are Regional. To monitor access to resources in a Region, create an external access analyzer in that Region, and repeat for each Region in which you want to monitor access to your resources.

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

## Update an external access analyzer


Use the following procedure to update an external access analyzer.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the external access analyzer to manage.

1. On the **Archive rules** tab, you can create, edit, or delete archive rules for the analyzer. For more information, see [Archive rules](access-analyzer-archive-rules.md).

1. On the **Tags** tab, you can manage and create tags for the analyzer. For more information, see [Tags for AWS Identity and Access Management resources](id_tags.md).

## Delete an external access analyzer


Use the following procedure to delete an external access analyzer. When you delete an analyzer, the resources are no longer monitored and no new findings are generated. All findings that were generated by the analyzer are deleted.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the external access analyzer to delete.

1. Choose **Delete analyzer**.

1. Enter **delete** and choose **Delete** to confirm deleting the analyzer.

# Create an IAM Access Analyzer internal access analyzer

Internal access analyzers are Regional. To monitor access to resources in a Region, create an internal access analyzer in that Region, and repeat for each Region in which you want to monitor access to your resources.

IAM Access Analyzer charges for internal access analysis based on the number of resources monitored per analyzer per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

**Note**  
After you create or update an analyzer, it can take time for findings to be available.  
IAM Access Analyzer cannot generate internal access findings for organizations that contain more than 70,000 principals (IAM users and roles combined).  
You can only create one organization-level internal access analyzer in an AWS organization.

## Create an internal access analyzer with the AWS account as the zone of trust


1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Resource analysis - Internal access**.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. Enter a name for the analyzer.

1. Choose **Current account** as the zone of trust for the analyzer.
**Note**  
If your account is not the AWS Organizations management account or [delegated administrator](access-analyzer-delegated-administrator.md) account, you can create only one analyzer with your account as the zone of trust.

1. In the **Resources to analyze** section, add resources for the analyzer to monitor.
   + To add resources by account, choose **Add > Add resources from selected accounts**.

     1. Choose **All supported resource types** or choose **Define specific resource types** and select the resource types from the **Resource type** list.

        Internal access analyzers support the following resource types:
        + [Amazon Simple Storage Service buckets](access-analyzer-resources.md#access-analyzer-s3)
        + [Amazon Simple Storage Service directory buckets](access-analyzer-resources.md#access-analyzer-s3-directory)
        + [Amazon Relational Database Service DB snapshots](access-analyzer-resources.md#access-analyzer-rds-db)
        + [Amazon Relational Database Service DB cluster snapshots](access-analyzer-resources.md#access-analyzer-rds-db-cluster)
        + [Amazon DynamoDB streams](access-analyzer-resources.md#access-analyzer-ddb-stream)
        + [Amazon DynamoDB tables](access-analyzer-resources.md#access-analyzer-ddb-table)

     1. Choose **Add resources**.
   + To add resources by Amazon Resource Name (ARN), choose **Add resources > Add resources by pasting in resource ARN**.
**Note**  
ARNs must be exact matches – wildcards are not supported. For Amazon S3, only bucket ARNs are supported. Amazon S3 object ARNs and prefixes are not supported.

     1. For each resource ARN, enter the account owner ID and the resource ARN separated by a comma. Enter one account owner ID and resource ARN per line.

     1. Choose **Add resources**.
   + To add resources by a CSV file, choose **Add resources > Add resources by uploading a CSV**.

     You can use [AWS Resource Explorer](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search.html) to search for resources in your accounts and export a CSV file. Then you can upload the CSV file to configure the resources for the analyzer to monitor.

     1. Choose **Choose file** and select the CSV file from your computer.

     1. Choose **Add resources**.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Create analyzer**.

When you create an internal access analyzer to enable IAM Access Analyzer, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in your account.

## Create an internal access analyzer with the organization as the zone of trust


1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Resource analysis - Internal access**.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. Enter a name for the analyzer.

1. Choose **Entire organization** as the zone of trust for the analyzer.

1. In the **Resources to analyze** section, add resources for the analyzer to monitor.
   + To add resources by account, choose **Add resources > Add resources from selected accounts**.

     1. Choose **All supported resource types** or choose **Define specific resource types** and select the resource types from the **Resource type** list.

        Internal access analyzers support the following resource types:
        + [Amazon Simple Storage Service buckets](access-analyzer-resources.md#access-analyzer-s3)
        + [Amazon Simple Storage Service directory buckets](access-analyzer-resources.md#access-analyzer-s3-directory)
        + [Amazon Relational Database Service DB snapshots](access-analyzer-resources.md#access-analyzer-rds-db)
        + [Amazon Relational Database Service DB cluster snapshots](access-analyzer-resources.md#access-analyzer-rds-db-cluster)
        + [Amazon DynamoDB streams](access-analyzer-resources.md#access-analyzer-ddb-stream)
        + [Amazon DynamoDB tables](access-analyzer-resources.md#access-analyzer-ddb-table)

     1. To select accounts from your organization, choose **Select from organization**. In the **Select accounts** section, choose **Hierarchy** to select accounts by organizational structure or **List** to select accounts from a list of all accounts in your organization.

        To manually enter accounts from your organization, choose **Enter AWS account ID**. Enter one or more AWS account IDs separated by commas in the **AWS account ID** field.

     1. Choose **Add resources**.
   + To add resources by Amazon Resource Name (ARN), choose **Add resources > Add resources by pasting in resource ARN**.
**Note**  
ARNs must be exact matches – wildcards are not supported. For Amazon S3, only bucket ARNs are supported. Amazon S3 object ARNs and prefixes are not supported.

     1. For each resource ARN, enter the account owner ID and the resource ARN separated by a comma. Enter one account owner ID and resource ARN per line.

     1. Choose **Add resources**.
   + To add resources by a CSV file, choose **Add resources > Add resources by uploading a CSV**.

     You can use [AWS Resource Explorer](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search.html) to search for resources in your accounts and export a CSV file. Then you can upload the CSV file to configure the resources for the analyzer to monitor.

     1. Choose **Choose file** and select the CSV file from your computer.

     1. Choose **Add resources**.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Submit**.

When you create an internal access analyzer with the organization as the zone of trust, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in each account of your organization.

# Manage an IAM Access Analyzer internal access analyzer
Manage an internal access analyzer

To enable an internal access analyzer in a Region, you must create an analyzer in that Region. You must create an internal access analyzer in each Region in which you want to monitor access to your resources.

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

## Update an internal access analyzer


Use the following procedure to update an internal access analyzer.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the internal access analyzer to manage.

1. On the **Archive rules** tab, you can create, edit, or delete archive rules for the analyzer. For more information, see [Archive rules](access-analyzer-archive-rules.md).

1. On the **Tags** tab, you can manage and create tags for the analyzer. For more information, see [Tags for AWS Identity and Access Management resources](id_tags.md).

1. On the **Resources** tab, choose **Edit** in the **Resources to analyze** section.

   1. To add resources by account, choose **Add resources > Add resources from selected accounts**.

      1. Choose **All supported resource types** or choose **Define specific resource types** and select the resource types from the **Resource type** list.

         Internal access analyzers support the following resource types:
         + [Amazon Simple Storage Service buckets](access-analyzer-resources.md#access-analyzer-s3)
         + [Amazon Simple Storage Service directory buckets](access-analyzer-resources.md#access-analyzer-s3-directory)
         + [Amazon Relational Database Service DB snapshots](access-analyzer-resources.md#access-analyzer-rds-db)
         + [Amazon Relational Database Service DB cluster snapshots](access-analyzer-resources.md#access-analyzer-rds-db-cluster)
         + [Amazon DynamoDB streams](access-analyzer-resources.md#access-analyzer-ddb-stream)
         + [Amazon DynamoDB tables](access-analyzer-resources.md#access-analyzer-ddb-table)

      1. Choose **Add resources**.

   1. To add resources by Amazon Resource Name (ARN), choose **Add resources > Add resources by pasting in resource ARN**.
**Note**  
ARNs must be exact matches – wildcards are not supported. For Amazon S3, only bucket ARNs are supported. Amazon S3 object ARNs and prefixes are not supported.

      1. For each resource ARN, enter the account owner ID and the resource ARN separated by a comma. Enter one account owner ID and resource ARN per line.

      1. Choose **Add resources**.

   1. To add resources by a CSV file, choose **Add resources > Add resources by uploading a CSV**.

      You can use [AWS Resource Explorer](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search.html) to search for resources in your accounts and export a CSV file. Then you can upload the CSV file to configure the resources for the analyzer to monitor.

      1. Choose **Choose file** and select the CSV file from your computer.

      1. Choose **Add resources**.

   1. To remove resources from the analyzer, select the check box next to the resources to remove and choose **Remove**.

   1. Choose **Save changes**.

**Note**  
Any updates to the analyzer will be evaluated at the next automatic rescan within 24 hours.
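The "account owner ID,resource ARN" lines that the console accepts in both the create and update procedures above are easy to get wrong in bulk. The following added example (not AWS code) is a pre-check that applies the constraints the procedures state: one account ID and ARN per line, exact ARNs with no wildcards, only bucket ARNs for Amazon S3, and only the listed resource types. The ARN layouts for each service and the owner-ID/ARN consistency check are assumptions, and the input lines are constructed sample data.

```python
"""Pre-validate pasted 'account-owner-id,resource-arn' lines for an internal
access analyzer (added example, not AWS's own code)."""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Generic ARN shape: arn:partition:service:region:account:resource
# (assumed layout; region and account may be empty, as for S3 buckets).
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):([a-z0-9-]+):([a-z0-9-]*):(\d{12}|):(.+)$")


def classify(arn):
    """Return the supported resource type for an ARN, or None if the page's
    rules do not allow it. Per-service resource layouts are assumptions."""
    m = ARN_RE.match(arn)
    if not m:
        return None
    _, service, region, account, resource = m.groups()
    if service == "s3":
        # Bucket ARNs carry no region/account and no '/'; anything with a
        # '/' is an object ARN or prefix, which the page says is unsupported.
        if region == "" and account == "" and "/" not in resource:
            return "S3 bucket"
        return None
    if service == "s3express" and resource.startswith("bucket/"):
        return "S3 directory bucket"
    if service == "rds":
        if resource.startswith("snapshot:"):
            return "RDS DB snapshot"
        if resource.startswith("cluster-snapshot:"):
            return "RDS DB cluster snapshot"
        return None
    if service == "dynamodb" and resource.startswith("table/"):
        parts = resource.split("/")
        if len(parts) == 2:
            return "DynamoDB table"
        if len(parts) == 4 and parts[2] == "stream":
            return "DynamoDB stream"
    return None


def validate_lines(text):
    """Parse pasted text. Returns (accepted, errors) where accepted holds
    (account_id, arn, resource_type) tuples and errors holds (line_no, why)."""
    accepted, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2:
            errors.append((n, "expected exactly one comma: <account-id>,<arn>"))
            continue
        account, arn = parts
        if not ACCOUNT_ID_RE.match(account):
            errors.append((n, "account owner ID must be 12 digits"))
            continue
        if "*" in arn or "?" in arn:
            errors.append((n, "wildcards are not supported; ARNs must be exact"))
            continue
        kind = classify(arn)
        if kind is None:
            errors.append((n, "unsupported or malformed ARN (S3 object ARNs and prefixes are not supported)"))
            continue
        # Added sanity check (assumption, not a documented console rule): when
        # the ARN embeds an account ID, it should be the owner ID given.
        arn_account = ARN_RE.match(arn).group(4)
        if arn_account and arn_account != account:
            errors.append((n, "owner ID does not match the account in the ARN"))
            continue
        accepted.append((account, arn, kind))
    return accepted, errors


# Constructed sample input: five valid lines and three the console would reject.
SAMPLE = """\
111122223333,arn:aws:s3:::example-reports-bucket
111122223333,arn:aws:s3:::example-reports-bucket/logs/*
111122223333,arn:aws:s3:::example-reports-bucket/config.json
111122223333,arn:aws:dynamodb:us-east-1:111122223333:table/Orders
111122223333,arn:aws:dynamodb:us-east-1:111122223333:table/Orders/stream/2024-01-01T00:00:00.000
111122223333,arn:aws:rds:us-east-1:111122223333:cluster-snapshot:prod-nightly
11112222333,arn:aws:rds:us-east-1:111122223333:snapshot:prod-nightly
111122223333,arn:aws:s3express:us-east-1:111122223333:bucket/example--use1-az4--x-s3
"""

if __name__ == "__main__":
    ok, bad = validate_lines(SAMPLE)
    for account, arn, kind in ok:
        print(f"OK   {kind:<24} {account} {arn}")
    for line_no, why in bad:
        print(f"FAIL line {line_no}: {why}")
```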

## Delete an internal access analyzer


Use the following procedure to delete an internal access analyzer. When you delete an analyzer, the resources are no longer monitored and no new findings are generated. All findings that were generated by the analyzer are deleted.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the internal access analyzer to delete.

1. Choose **Delete analyzer**.

1. Enter **delete** and choose **Delete** to confirm deleting the analyzer.

# Create an IAM Access Analyzer unused access analyzer
Create an unused access analyzer

## Create an unused access analyzer for the current account


Use the following procedure to create an unused access analyzer for a single AWS account. For unused access, findings for the analyzer do not change based on Region. Creating an analyzer in each Region where you have resources is not required.

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month per analyzer. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Principal analysis - Unused access**.

1. Enter a name for the analyzer.

1. For **Tracking period**, enter the number of days for analysis. The analyzer will only evaluate permissions for IAM entities within the selected account that have existed for the entire tracking period. For example, if you set a tracking period of 90 days, only permissions that are at least 90 days old will be analyzed, and findings will be generated if they show no usage during this period. You can enter a value between 1 and 365 days.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. For **Selected accounts**, choose **Current account**.
**Note**  
If your account is not the AWS Organizations management account or [delegated administrator](access-analyzer-delegated-administrator.md) account, you can create only one analyzer with your account as the selected account.

1. Optional. In the **Exclude IAM users and roles with tags** section, you can specify key-value pairs for IAM users and roles to exclude from unused access analysis. Findings will not be generated for excluded IAM users and roles that match the key-value pairs. For the **Tag key**, enter a value that is 1 to 128 characters in length and not prefixed with `aws:`. For the **Value**, you can enter a value that is 0 to 256 characters in length. If you don't enter a **Value**, the rule is applied to all principals with the specified **Tag key**. Choose **Add new exclusion** to add additional key-value pairs to exclude.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Create analyzer**.

When you create an unused access analyzer to enable IAM Access Analyzer, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in your account.

## Create an unused access analyzer with the current organization


Use the following procedure to create an unused access analyzer for an organization to centrally review all AWS accounts in an organization. For unused access analysis, findings for the analyzer do not change based on Region. Creating an analyzer in each Region where you have resources is not required.

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month per analyzer. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

**Note**  
If a member account is removed from the organization, the unused access analyzer will stop generating new findings and updating existing findings for that account after 24 hours. Findings associated with the member account that is removed from the organization will be removed permanently after 90 days.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Principal analysis - Unused access**.

1. Enter a name for the analyzer.

1. For **Tracking period**, enter the number of days for analysis. The analyzer will only evaluate permissions for IAM entities within the accounts of the selected organization that have existed for the entire tracking period. For example, if you set a tracking period of 90 days, only permissions that are at least 90 days old will be analyzed, and findings will be generated if they show no usage during this period. You can enter a value between 1 and 365 days.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. For **Selected accounts**, choose **Current organization**.

1. Optional. In the **Exclude AWS accounts from analysis** section, you can choose AWS accounts in your organization to exclude from unused access analysis. Findings will not be generated for excluded accounts.

   1. To specify individual account IDs to exclude, choose **Specify AWS account ID** and enter the account IDs separated by commas in the **AWS account ID** field. Choose **Exclude**. The accounts are then listed in the **AWS accounts to exclude** table.

   1. To choose from a list of accounts in your organization to exclude, choose **Choose from organization**.

      1. You can search for accounts by name, email, and account ID in the **Exclude accounts from organization** field.

      1. Choose **Hierarchy** to view your accounts by organizational unit or choose **List** to view a list of all individual accounts in your organization.

      1. Choose **Exclude all current accounts** to exclude all accounts in an organizational unit or choose **Exclude** to exclude individual accounts.

   The accounts are then listed in the **AWS accounts to exclude** table.
**Note**  
Excluded accounts cannot include the organization analyzer owner account. When new accounts are added to your organization, they are not excluded from analysis, even if you previously excluded all current accounts within an organizational unit. For more information on excluding accounts after creating an unused access analyzer, see [Manage an IAM Access Analyzer unused access analyzer](access-analyzer-manage-unused.md).

1. Optional. In the **Exclude IAM users and roles with tags** section, you can specify key-value pairs for IAM users and roles to exclude from unused access analysis. Findings will not be generated for excluded IAM users and roles that match the key-value pairs. For the **Tag key**, enter a value that is 1 to 128 characters in length and not prefixed with `aws:`. For the **Value**, you can enter a value that is 0 to 256 characters in length. If you don't enter a **Value**, the rule is applied to all principals with the specified **Tag key**. Choose **Add new exclusion** to add additional key-value pairs to exclude.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Create analyzer**.

When you create an unused access analyzer to enable IAM Access Analyzer, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in your account.
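The tracking period, tag exclusions and excluded-account list described in the two unused access procedures above interact, and it helps to see which principals an analyzer would actually flag before paying for it. The following added example (not AWS code) models those rules as the page states them: only entities that existed for the whole tracking period (1 to 365 days) are evaluated, a finding needs no usage in that window, tag exclusions use a key of 1 to 128 characters not prefixed with `aws:` and an optional value of up to 256 characters that matches any value when empty, and the owner account cannot be excluded. The principal records are constructed sample data; treating usage on the window's first day as "used" is an assumption.

```python
"""Model which principals an unused access analyzer would report
(added example, not AWS's own code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional


@dataclass
class Principal:
    account_id: str
    name: str
    created: date
    last_used: Optional[date]              # None means never used
    tags: Dict[str, str] = field(default_factory=dict)


def validate_tag_exclusion(key, value=""):
    """Apply the console's stated limits to one 'Exclude IAM users and roles
    with tags' entry and return it as a (key, value) pair."""
    if not 1 <= len(key) <= 128:
        raise ValueError("tag key must be 1 to 128 characters")
    if key.startswith("aws:"):
        raise ValueError("tag key must not be prefixed with aws:")
    if len(value) > 256:
        raise ValueError("tag value must be 0 to 256 characters")
    return (key, value)


def matches_exclusion(principal, tag_exclusions):
    """An empty value matches every principal carrying the key."""
    for key, value in tag_exclusions:
        if key in principal.tags and (value == "" or principal.tags[key] == value):
            return True
    return False


def evaluate(principals, tracking_days, today, owner_account,
             excluded_accounts=(), tag_exclusions=()):
    """Return (findings, skipped): names that would get an unused access
    finding, and (name, reason) pairs the analyzer would not evaluate."""
    if not 1 <= tracking_days <= 365:
        raise ValueError("tracking period must be between 1 and 365 days")
    if owner_account in excluded_accounts:
        raise ValueError("the analyzer owner account cannot be excluded")
    window_start = today - timedelta(days=tracking_days)
    findings, skipped = [], []
    for p in principals:
        if p.account_id in excluded_accounts:
            skipped.append((p.name, "account excluded"))
        elif matches_exclusion(p, tag_exclusions):
            skipped.append((p.name, "excluded by tag"))
        elif p.created > window_start:
            # Younger than the tracking period: not evaluated at all.
            skipped.append((p.name, "younger than tracking period"))
        elif p.last_used is None or p.last_used < window_start:
            findings.append(p.name)        # no usage inside the window
    return findings, skipped


# Constructed sample data; account IDs are placeholders.
OWNER = "111122223333"
SAMPLE_PRINCIPALS = [
    Principal(OWNER, "ci-deploy-role", date(2023, 1, 10), date(2024, 5, 15)),
    Principal(OWNER, "legacy-admin", date(2022, 5, 1), date(2023, 11, 2)),
    Principal(OWNER, "new-analyst", date(2024, 5, 20), None),
    Principal(OWNER, "break-glass", date(2021, 1, 1), None,
              {"exclude-from-analyzer": "true"}),
    Principal("444455556666", "sandbox-user", date(2020, 3, 3), None),
    # Last used the day before a 90-day window starting 2024-04-01: flagged.
    Principal("555566667777", "batch-role", date(2023, 3, 1), date(2024, 3, 31)),
]
SAMPLE_EXCLUSIONS = [validate_tag_exclusion("exclude-from-analyzer")]

if __name__ == "__main__":
    found, not_evaluated = evaluate(
        SAMPLE_PRINCIPALS, 90, date(2024, 6, 30), OWNER,
        excluded_accounts={"444455556666"}, tag_exclusions=SAMPLE_EXCLUSIONS)
    print("findings:", found)
    print("skipped:", not_evaluated)
```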

# Manage an IAM Access Analyzer unused access analyzer
Manage an unused access analyzer

Use the information in this topic to learn about how to update or delete an existing unused access analyzer.

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

## Update an unused access analyzer


Use the following procedure to update an unused access analyzer.

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month per analyzer. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the unused access analyzer to manage.

1. On the **Exclusion** tab, if the analyzer was created for an organization as the scope of analysis, choose **Manage** in the **Excluded AWS accounts** section.

   1. To specify individual account IDs to exclude, choose **Specify AWS account ID** and enter the account IDs separated by commas in the **AWS account ID** field. Choose **Exclude**. The accounts are then listed in the **AWS accounts to exclude** table.

   1. To choose from a list of accounts in your organization to exclude, choose **Choose from organization**.

      1. You can search for accounts by name, email, and account ID in the **Exclude accounts from organization** field.

      1. Choose **Hierarchy** to view your accounts by organizational unit or choose **List** to view a list of all individual accounts in your organization.

      1. Choose **Exclude all current accounts** to exclude all accounts in an organizational unit or choose **Exclude** to exclude individual accounts.

      The accounts are then listed in the **AWS accounts to exclude** table.

   1. To remove accounts to exclude, choose **Remove** next to the account in the **AWS accounts to exclude** table.

   1. Choose **Save changes**.
**Note**  
Excluded accounts cannot include the organization analyzer owner account.
When new accounts are added to your organization, they are not excluded from analysis, even if you previously excluded all current accounts within an organizational unit.
After you update the exclusions for an analyzer, it can take up to two days for the list of excluded accounts to be updated.

1. On the **Exclusion** tab, choose **Manage** in the **Excluded IAM users and roles with tags** section.

   1. You can specify key-value pairs for IAM users and roles to exclude from unused access analysis. For the **Tag key**, enter a value that is 1 to 128 characters in length and not prefixed with `aws:`. For the **Value**, you can enter a value that is 0 to 256 characters in length. If you don't enter a **Value**, the rule is applied to all principals with the specified **Tag key**.

   1. Choose **Add new exclusion** to add additional key-value pairs to exclude.

   1. To remove key-value pairs to exclude, choose **Remove** next to the key-value pair.

   1. Choose **Save changes**.

1. On the **Archive rules** tab, you can create, edit, or delete archive rules for the analyzer. For more information, see [Archive rules](access-analyzer-archive-rules.md).

1. On the **Tags** tab, you can manage and create tags for the analyzer. For more information, see [Tags for AWS Identity and Access Management resources](id_tags.md).

## Delete an unused access analyzer


Use the following procedure to delete an unused access analyzer. When you delete an analyzer, the resources are no longer monitored and no new findings are generated. All findings that were generated by the analyzer are deleted.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Unused access**.

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the unused access analyzer to delete.

1. Choose **Delete analyzer**.

1. Enter **delete** and choose **Delete** to confirm deleting the analyzer.

# View the IAM Access Analyzer findings dashboard
Findings dashboard

AWS Identity and Access Management Access Analyzer organizes external, internal, and unused access findings into a visual summary dashboard. The dashboard helps you gain visibility into the effective use of permissions at scale and identify accounts and AWS resources that need attention. You can use the dashboard to review findings by AWS organization, account, and finding type.

For external and internal access findings:
+ The dashboard highlights the split between public access findings, external access findings, and internal access findings.
+ The dashboard provides a breakdown of findings by resource type.

For unused access findings:
+ The dashboard highlights the AWS accounts with the most unused access findings.
+ The dashboard provides a breakdown of findings by type.

After you create any type of access analyzer, IAM Access Analyzer automatically adds new findings to the relevant dashboard. This allows you to identify and prioritize the areas with the most security concerns.

The summary dashboards give you a high-level view of the access issues detected by IAM Access Analyzer across your AWS environment. You can then drill down into the individual findings to investigate further and take appropriate actions to resolve them.

## Viewing the summary dashboard for external and internal access analyzers

**Note**  
After you create or update an analyzer, it can take time for the summary dashboard to reflect updates to findings.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Access Analyzer**. The **Summary** window is displayed.

1. Choose **Select analyzers**.

1. In the **Select analyzers** window, choose **Organization** or **Account** for the **Zone of trust**.
**Note**  
Only the AWS Organizations management account or delegated administrator can choose **Organization** as the zone of trust.

1. Choose external and internal access analyzers from the **Resource access analyzers** dropdown.
**Note**  
You can select a maximum of one external access analyzer and a maximum of one internal access analyzer.

1. Choose **Update**. A summary of the findings for the selected external and internal access analyzers is displayed in the **Resource access findings** section.

![Resource findings access analyzer dashboard.](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/access-analyzer-dashboard-external-internal-new.png)


In the preceding image, the resource findings dashboard is visible from within the **Summary** page.

1. The **Active findings** section includes the number of active findings for public access, the number of active findings that provide access outside of the account or organization, and the number of active internal access findings for the selected analyzers. Choose a number to list all of the active findings of each type.

1. The **Resource types** section includes a breakdown of the resource types with active findings for the selected analyzers. Choose **View all active findings** for a complete list of active findings for the selected analyzers.

1. The **Key resources** section includes a summary of the key resources with active findings. This information helps you prioritize findings for your business-critical resources. Choose **View all active findings** for a complete list of active findings for the selected analyzers.

## Viewing the summary dashboard for unused access analyzers

**Note**  
After you create or update an analyzer, it can take time for the summary dashboard to reflect updates to findings, depending on the number of users and roles analyzed.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Access Analyzer**. The **Access Analyzer Summary** window is displayed.

1. Choose **Select analyzers**.

1. In the **Select analyzers** window, choose **Organization** or **Account** for the **Zone of trust**.
**Note**  
Only the AWS Organizations management account or delegated administrator can choose **Organization** as the zone of trust.

1. Choose an unused access analyzer from the **Unused access analyzers** dropdown.

1. Choose **Update summary**. A summary of the findings for the selected unused access analyzer is displayed in the **Unused access findings** section.

![Unused access analyzer dashboard.](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/access-analyzer-dashboard-unused-new.png)


In the preceding image, the unused access findings dashboard is visible from within the **Summary** page.

1. The **Active findings** section includes the number of active findings for unused roles, unused credentials, and unused permissions in your account or organization. **Unused credentials** include both unused access key and unused password findings. **Unused permissions** include both users and roles with unused permissions. Choose a number to list all of the active findings of each type.

1. The **Findings overview** section includes a breakdown of the type of active findings. Choose **View all active findings** for a complete list of active findings for the analyzer's account or organization.

1. The **Finding status** section includes a breakdown of the status of findings (**Active**, **Archived**, and **Resolved**) for your account or organization. You can select the findings statuses to display in the **Filter displayed data** dropdown.

1. The **Accounts with the most findings for unused access** section is only displayed if the selected accounts for your unused access analyzer are at the organization level. It includes a breakdown of the accounts in your organization with the most active findings. This is not an exhaustive list of every account in your organization. Your analyzer might have active findings for other accounts not listed in this section.

# Review IAM Access Analyzer findings
Review findings

After you enable IAM Access Analyzer, the next step is to review any findings to determine whether the access identified in the finding is intentional or unintentional. You can also review findings to determine similar findings for access that is intended, and then [create an archive rule](access-analyzer-archive-rules.md) to automatically archive those findings. You can also review archived and resolved findings.

You should review all of the findings in your account to determine whether the external, internal, or unused access is expected and approved. If the access identified in the finding is expected, you can archive the finding. When you archive a finding, the status is changed to **Archived**, and the finding is removed from the active findings list. The finding is not deleted. You can view your archived findings at any time. Work through all of the findings in your account until you have zero active findings. After you get to zero findings, you know that any new **Active** findings that are generated are from a recent change in your environment.

**To review active findings for all types of access analyzers**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Access analyzer**. The findings dashboard is displayed. 

1. Choose **Select analyzers**.

1. In the **Select analyzers** window, choose a maximum of one external access analyzer and a maximum of one internal access analyzer from the **Resource access analyzers** dropdown. Choose an unused access analyzer from the **Unused access analyzers** dropdown.

1. Choose **Update summary**. A summary of the active findings for the selected access analyzers is displayed on the dashboard. Choose a finding type in the **Resource access findings** or **Unused access findings** sections to view all active findings of the selected type.

   For more information on viewing the findings dashboard, see [View the IAM Access Analyzer findings dashboard](access-analyzer-dashboard.md).

**Note**  
Findings are displayed only if you have permission to view findings for the analyzer.

## External and internal access findings


**Note**  
IAM Access Analyzer charges for internal access analysis based on the number of resources monitored per Region per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

1. Under **Access Analyzer**, choose **Resource analysis**.

1. Choose **Select analyzers**.

1. In the **Select analyzers** window, choose a maximum of one external access analyzer and a maximum of one internal access analyzer from the **Resource access analyzers** dropdown.

1. Choose **Update summary**.

   The **Resource analysis** page displays the following details about the resources with active findings for the selected access analyzers:

**Name**  
The name of the resource with active findings.

**Type**  
The type of the resource.

**Owner account**  
This column is displayed only if you are using an organization as the zone of trust for one or more of the selected analyzers. The account in the organization that owns the resource reported in the finding.

**Active findings**  
A visual representation of the number and type of active findings for the resource. Hover over the field to display more information about the findings for the resource.

**Public access**  
Indicates whether any of the findings for the resource allow public access.

## Unused access findings


**Note**  
IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

1. Under **Access Analyzer**, choose **Unused access**.

1. Choose **Select analyzers**.

1. In the **Select analyzers** window, choose an unused access analyzer from the **Unused access analyzers** dropdown.

1. Choose **Update summary**.

   The **Unused access** page displays the following details about the IAM entities that generated the findings for the selected access analyzer:

**Finding ID**  
The unique ID assigned to the finding. Choose the finding ID to display additional details about the IAM entity that generated the finding.

**Finding type**  
The type of unused access finding: **Unused access key**, **Unused password**, **Unused permission**, or **Unused role**.

**IAM entity**  
The IAM entity reported in the finding. This can be an IAM user or role.

**AWS account ID**  
This column is displayed only if you set up the analyzer for all AWS accounts in the organization. The AWS account in the organization that owns the IAM entity reported in the finding.

**Last updated**  
The last time that the IAM entity reported in the finding was updated, or when the entity was created if no updates have been made.

**Status**  
The status of the finding (**Active**, **Archived**, or **Resolved**).

# Filter IAM Access Analyzer findings
Filter findings

The default filtering for a findings page is to display all active findings. To view all findings, choose **All** from the **Status** dropdown. To view archived findings, choose **Archived**. To view resolved findings, choose **Resolved**. When you first start using IAM Access Analyzer, there are no archived findings.

Use filters to display only the findings that meet the specified property criteria. To create a filter, select the property to filter on, then choose whether the property equals or contains a value, then enter or choose a property value to filter on.

For a list of filter keys that you can use to create or update an archive rule, see [IAM Access Analyzer filter keys](access-analyzer-reference-filter-keys.md).

## Filtering resources with active findings


You can view and filter active findings by resource for a maximum of one external access analyzer and a maximum of one internal access analyzer.

**To filter resources with active findings**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Resource analysis**.

1. To filter by resource name, type all or part of the name of the resource in the search box.

1. In the **Filter access type** dropdown, choose the access type:
   + **All types** – display resources with all types of access findings.
   + **Public access** – display only resources with public access findings.
   + **External access** – display only resources with external access findings.
   + **Internal access within organization** – display only resources with internal access findings.

1. In the **Filter resource type** dropdown, choose a resource type to display only resources of the selected type.

## Filtering external access findings


**To filter external access findings**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Analyzer settings** and then choose the external access analyzer in the **Analyzers** section.

1. Choose **View findings**.

1. Choose the search box to display a list of available properties.

1. Choose the property to use to filter the findings displayed.

1. Choose the value to match for the property. Only findings with that value in the finding are displayed.

   For example, choose **Resource** as the property, then choose **Resource:**, then type part or all of the name of a bucket, then press Enter. Only findings for the bucket that matches the filter criteria are displayed. To create a filter that displays only findings for resources that allow public access, you can choose the **Public access** property, then choose **Public access =**, then choose **Public access = true**.

You can add additional properties to further filter the findings displayed. When you add additional properties, only findings that match all conditions in the filter are displayed. Defining a filter to display findings that match one property OR another property is not supported. Choose **Clear filters** to clear any filters you have defined and display all of the findings with the specified status for your analyzer.

Some fields are displayed only when you are viewing findings for an analyzer with an organization as its zone of trust.

The following properties are available for defining filters for external access:
+ **Public access** – To filter by findings for resources that allow public access, filter by **Public access** then choose **Public access: true**.
+ **Resource** – To filter by resource, type all or part of the name of the resource.
+ **Resource Type** – To filter by resource type, choose the type from the list displayed.
+ **Resource Owner Account** – Use this property to filter by the account in the organization that owns the resource reported in the finding.
+ **Resource Control Policy Restriction** – Use this property to filter by the type of restriction applied by an Organizations resource control policy (RCP). To learn more, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the AWS Organizations User Guide.
  + **Failed to evaluate RCP**: There was an error evaluating the RCP.
  + **Not applicable**: No RCP restricts this resource or principal. This also includes resources where RCPs are not yet supported.
  + **Applicable**: Your organization administrator has set restrictions through an RCP that affects the resource or resource type. Contact your organization administrator for more details.
+ **AWS Account** – Use this property to filter by the AWS account that is granted access in the **Principal** section of a policy statement. To filter by AWS account, type all or part of the 12-digit AWS account ID, or all or part of the full account ARN of the external AWS user or role that has access to resources in the current account.
+ **Canonical User** – To filter by canonical user, type the canonical user ID as defined for Amazon S3 buckets. To learn more, see [AWS Account Identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html).
+ **Federated User** – To filter by federated user, type all or part of the ARN of the federated identity. To learn more, see [Identity Providers and Federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html).
+ **Finding ID** – To filter by finding ID, type all or part of the finding ID.
+ **Error** – To filter by error type, choose **Access Denied** or **Internal Error**.
+ **Principal ARN** – Use this property to filter on the ARN of the principal (IAM user, role, or group) used in an **aws:PrincipalArn** condition key. To filter by Principal ARN, type all or part of the ARN of the IAM user, role, or group from an external AWS account reported in a finding.
+ **Principal OrgID** – To filter by Principal OrgID, type all or part of the organization ID associated with the external principals that belong to the AWS organization specified as a condition in the finding. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Principal OrgPaths** – To filter by Principal OrgPaths, type all or part of the ID for the AWS organization or organizational unit (OU) that allows access to all external principals that are account members of the specified organization or OU as a condition in the policy. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source Account** – To filter on Source Account, type all or part of the AWS account ID associated with the resources, as used in some cross-service permissions in AWS. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source ARN** – To filter by Source ARN, type all or part of the ARN specified as a condition in the finding. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source IP** – To filter by Source IP, type all or part of the IP address that allows external entities access to resources in the current account when using the specified IP address. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source OrgID** – To filter by Source OrgID, type all or part of the organization ID associated with the resources, as used in some cross-service permissions in AWS. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source OrgPaths** – To filter by Source OrgPaths, type all or part of the organizational unit (OU) associated with the resources, as used in some cross-service permission in AWS. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source VPC** – To filter by Source VPC, type all or part of the VPC ID that allows external entities access to resources in the current account when using the specified VPC. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source VPC ARN** – To filter by Source VPC ARN, type all or part of the VPC ARN that allows external entities access to resources in the current account when using the specified VPC. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **Source VPCE** – To filter by Source VPCE, type all or part of the VPC endpoint ID that allows external entities access to resources in the current account when using the specified VPC endpoint. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **VPCE Account** – To filter by VPCE Account, type all or part of the 12-digit AWS account ID that owns the VPC endpoint through which external entities are allowed access to resources. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **VPCE OrgID** – To filter by VPCE OrgID, type all or part of the organization ID that owns the VPC endpoint external entities and allows external entities access to resources. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **VPCE OrgPaths** – To filter by VPCE OrgPaths, type all or part of the organizational unit (OU) that owns the VPC endpoint external entities and allows external entities access to resources. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **User ID** – To filter by User ID, type all or part of the user ID of the IAM user from an external AWS account who is allowed access to resource in the current account. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).
+ **KMS Key ID** – To filter by KMS key ID, type all or part of the key ID for the KMS key specified as a condition for AWS KMS-encrypted Amazon S3 object access in your current account.
+ **Session Mode** – To filter by session mode for Amazon S3 directory buckets (`ReadOnly` or `ReadWrite`), type all or part of the session mode. To learn more, see [CreateSession](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html) in the Amazon Simple Storage Service API Reference.
+ **Google Audience** – To filter by Google Audience, type all or part of the Google application ID specified as a condition for IAM role access in your current account. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html).
+ **Cognito Audience** – To filter by Amazon Cognito audience, type all or part of the Amazon Cognito identity pool ID specified as a condition for IAM role access in your current account. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html).
+ **Caller Account** – The AWS account ID of the account that owns or contains the calling entity, such as an IAM role, user, or account root user. This is used by services calling AWS KMS. To filter by caller account, type all or part of the AWS account ID.
+ **Facebook App ID** – To filter by Facebook App ID, type all or part of the Facebook application ID (or site ID) specified as a condition to allow Login with Facebook federation access to an IAM role in your current account. To learn more, see the **id** section in [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif).
+ **Amazon App ID** – To filter by Amazon App ID, type all or part of the Amazon application ID (or site ID) specified as a condition to allow Login with Amazon federation access to an IAM role in your current account. To learn more, see the **id** section in [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif).
+ **Lambda Event Source Token** – To filter on Lambda Event Source Token passed in with Alexa integrations, type all or part of the token string.

## Filtering internal access findings


**To filter internal access findings**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Analyzer settings** and then choose the internal access analyzer in the **Analyzers** section.

1. Choose **View findings**.

1. Choose the search box to display a list of available properties.

1. Choose the property to use to filter the findings displayed.

1. Choose the value to match for the property. Only findings with that value in the finding are displayed.

   For example, choose **Resource** as the property, then choose **Resource:**, then type part or all of the name of a bucket, then press Enter. Only findings for the bucket that matches the filter criteria are displayed.

You can add additional properties to further filter the findings displayed. When you add additional properties, only findings that match all conditions in the filter are displayed. Defining a filter to display findings that match one property OR another property is not supported. Choose **Clear filters** to clear any filters you have defined and display all of the findings with the specified status for your analyzer.

Some fields are displayed only when you are viewing findings for an analyzer with an organization as its zone of trust.

The following fields are displayed only when you are viewing findings for an analyzer that is monitoring internal access:
+ **Resource** – To filter by resource, type all or part of the name of the resource.
+ **Resource Type** – To filter by resource type, choose the type from the list displayed.
+ **Resource Owner Account** – Use this property to filter by the account in the organization that owns the resource reported in the finding.
+ **Finding ID** – To filter by finding ID, type all or part of the finding ID.

## Filtering unused access findings


**To filter unused access findings**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Unused access** and then choose the analyzer in the **View analyzer** dropdown.

1. Choose the search box to display a list of available properties.

1. Choose the property to use to filter the findings displayed.

1. Choose the value to match for the property. Only findings with that value in the finding are displayed.

   For example, choose **Findings type** as the property, then choose **Findings type =**, then choose **Findings type = Unused role**. Only findings with a type of **Unused role** are displayed.

You can add additional properties to further filter the findings displayed. When you add additional properties, only findings that match all conditions in the filter are displayed. Defining a filter to display findings that match one property OR another property is not supported. Choose **Clear filters** to clear any filters you have defined and display all of the findings with the specified status for your analyzer.

The following fields are displayed only when you are viewing findings for an analyzer that is monitoring unused access:
+ **Findings type** – To filter by finding type, filter by **Findings type** and then choose the type of finding.
+ **Resource** – To filter by resource, type all or part of the name of the resource.
+ **Resource Type** – To filter by resource type, choose the type from the list displayed.
+ **Resource Owner Account** – Use this property to filter by the account in the organization that owns the resource reported in the finding.
+ **Finding ID** – To filter by finding ID, type all or part of the finding ID.

# Archive IAM Access Analyzer findings
Archive findings

When you get a finding for access to a resource that is intentional, you can archive the finding. For example, an external or internal access finding for an Amazon S3 bucket that is accessed by approved workflows, or an unused access finding for an access key that may still be necessary. When you archive a finding, it is cleared from the active findings list. Archived findings aren't deleted. You can filter the **Findings** page to display your archived findings, and unarchive them at any time.

**To archive findings from the Findings page**

1. Select the checkbox next to one or more findings to archive.

1. Choose **Actions** and then choose **Archive**.

   A confirmation is displayed at the top of the screen.

**To archive findings from the Findings Details page**

1. Choose the **Finding ID** for the finding to archive.

1. Choose **Archive**.

   A confirmation is displayed at the top of the screen.

To unarchive findings, repeat the preceding steps, but choose **Unarchive** instead of **Archive**. When you unarchive a finding, the status is set to Active.
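
The console procedures above for filtering (external, internal and unused access) and for archiving can be scripted against the same API the console uses. The following is an added example, not code from the AWS documentation: it reproduces the AND-only filter semantics of `ListFindingsV2` over a set of constructed findings, then builds the `UpdateFindings` request that archives findings whose external principal is on an approved list. The analyzer ARN, account IDs, bucket names, finding IDs and principals are constructed placeholders.

```python
"""Filter IAM Access Analyzer findings with ListFindingsV2 semantics and build an
UpdateFindings request that archives the approved ones.

Added example, not code from the AWS documentation. The analyzer ARN, account
IDs, bucket names, finding IDs and principals are constructed placeholders.
"""

# Constructed findings in the shape returned by ListFindingsV2 / GetFindingV2.
SAMPLE_FINDINGS = [
    {"id": "f-0001", "status": "ACTIVE", "resource": "arn:aws:s3:::finance-exports",
     "resourceType": "AWS::S3::Bucket", "resourceOwnerAccount": "111122223333",
     "findingType": "ExternalAccess",
     "findingDetails": [{"externalAccessDetails": {
         "isPublic": False, "principal": {"AWS": "444455556666"}, "action": ["s3:GetObject"]}}]},
    {"id": "f-0002", "status": "ACTIVE", "resource": "arn:aws:s3:::public-assets",
     "resourceType": "AWS::S3::Bucket", "resourceOwnerAccount": "111122223333",
     "findingType": "ExternalAccess",
     "findingDetails": [{"externalAccessDetails": {
         "isPublic": True, "principal": {"AWS": "*"}, "action": ["s3:GetObject"]}}]},
    {"id": "f-0003", "status": "ACTIVE", "resource": "arn:aws:iam::111122223333:role/PartnerRole",
     "resourceType": "AWS::IAM::Role", "resourceOwnerAccount": "111122223333",
     "findingType": "ExternalAccess",
     "findingDetails": [{"externalAccessDetails": {
         "isPublic": False, "principal": {"AWS": "arn:aws:iam::444455556666:role/Deploy"},
         "action": ["sts:AssumeRole"]}}]},
]

# Constructed analyzer ARN; substitute the ARN of your own analyzer.
ANALYZER_ARN = "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/example-analyzer"


def field_value(finding, key):
    """Resolve a ListFindingsV2 filter key against one finding. Top-level keys
    (status, resourceType, resource, id, error, ...) map directly; isPublic and
    principal.<type> live inside externalAccessDetails."""
    if key in finding:
        return finding[key]
    for detail in finding.get("findingDetails", []):
        ext = detail.get("externalAccessDetails", {})
        if key == "isPublic" and "isPublic" in ext:
            return ext["isPublic"]
        if key.startswith("principal."):
            return ext.get("principal", {}).get(key.split(".", 1)[1])
    return None


def matches(finding, criteria):
    """True when every criterion holds. Criteria use the API's Criterion shape
    ({"eq": [...]}, {"neq": [...]}, {"contains": [...]}, {"exists": bool});
    multiple keys are ANDed, as in the console. There is no OR."""
    for key, crit in criteria.items():
        value = field_value(finding, key)
        text = None if value is None else str(value).lower()
        if "exists" in crit and (value is not None) != crit["exists"]:
            return False
        if "eq" in crit and text not in [v.lower() for v in crit["eq"]]:
            return False
        if "neq" in crit and text in [v.lower() for v in crit["neq"]]:
            return False
        if "contains" in crit and not (text and any(v.lower() in text for v in crit["contains"])):
            return False
    return True


def list_findings_local(findings, criteria):
    """Local equivalent of ListFindingsV2(analyzerArn=..., filter=criteria)."""
    return [f for f in findings if matches(f, criteria)]


def archive_request(analyzer_arn, findings, approved_principals):
    """Build the UpdateFindings call that archives findings whose external
    principal is on an approved list. Public grants are never auto-archived;
    archiving clears a finding from the active list without deleting it."""
    ids = [
        f["id"] for f in findings
        if field_value(f, "isPublic") is not True
        and field_value(f, "principal.AWS") in approved_principals
    ]
    return {"analyzerArn": analyzer_arn, "ids": ids, "status": "ARCHIVED"}


def archive_with_boto3(request):
    """Submit the request with boto3 (needs credentials and the
    access-analyzer:UpdateFindings permission; not called in this file)."""
    import boto3  # imported here so the rest of the example runs offline
    return boto3.client("accessanalyzer").update_findings(**request)


if __name__ == "__main__":
    public_s3 = {"resourceType": {"eq": ["AWS::S3::Bucket"]}, "isPublic": {"eq": ["true"]}}
    for f in list_findings_local(SAMPLE_FINDINGS, public_s3):
        print("public bucket finding:", f["id"], f["resource"])
    print(archive_request(ANALYZER_ARN, SAMPLE_FINDINGS, approved_principals={"444455556666"}))
```

The approved list is deliberately matched against the exact principal value the finding reports: an approval for account `444455556666` does not archive a finding for a specific role in that account, and a public grant is never archived by this rule. Keep the approval list in version control so an archived finding always has a recorded justification, and remember that archiving does not remove the access; it only removes the finding from the active list.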

# Resolve IAM Access Analyzer findings
Resolve findings

## Resolving resource findings


To resolve external and internal access findings generated from unintended access, you should modify the policy statement to remove the permissions that allow access to the identified resource.

For findings related to Amazon S3 buckets, use the Amazon S3 console to configure the permissions on the bucket.

For IAM roles, use the IAM console to [modify the trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html#roles-managingrole_edit-trust-policy) for the listed IAM role.

For other supported resources, use the console to modify the policy statements that resulted in a generated finding.

After making a change to resolve a resource finding, such as modifying a policy applied to an IAM role, IAM Access Analyzer will scan the resource again. If the access to the resource is removed, the status of the finding is changed to **Resolved**. The finding will then be displayed in the resolved findings list instead of the active findings list.

**Note**  
This does not apply to **Error** findings. When IAM Access Analyzer is not able to analyze a resource, it will generate an error finding. If you resolve the issue that prevented IAM Access Analyzer from analyzing the resource, the error finding will be removed completely instead of changing to a resolved finding. For more information, see [IAM Access Analyzer error findings](access-analyzer-error-findings.md).

If the changes you made resulted in external or internal access to the resource, but in a different way, such as with a different principal or for a different permission, IAM Access Analyzer will resolve the original finding and generate a new **Active** finding. If the changes you made resulted in internal errors or access denied errors, all active non-error findings linked to the specific access of the resource are resolved and a new error finding is generated.

**Note**  
For external access analyzers, it may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource again and then update the finding.  
For internal access analyzers, it might take several minutes or hours for IAM Access Analyzer to analyze the resource again and then update the finding. IAM Access Analyzer automatically rescans all policies every 24 hours.  
Resolved findings are deleted 90 days after the last update to the finding status.
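
Resolving a resource finding means locating the statement that produced it and removing or narrowing the grant. The following is an added example, not AWS code: given a constructed bucket policy and the constructed external access finding it would produce, it identifies the Allow statements whose AWS principal matches the finding's principal, produces a copy of the policy without them, and checks that no principal outside the zone of trust remains. The matcher compares AWS principals by account ID, full ARN or wildcard only; it ignores condition keys, ACLs and access points, all of which IAM Access Analyzer does evaluate, so treat it as a first pass before the analyzer's own rescan confirms the finding is resolved.

```python
"""Find the resource-policy statement behind an external access finding and
produce the policy with that grant removed, then confirm no external principal
remains.

Added example, not AWS code. The bucket policy, finding and zone of trust are
constructed. The matcher compares AWS principals by account ID, ARN or
wildcard; it ignores condition keys, ACLs and access points, which IAM Access
Analyzer does evaluate.
"""
import copy

ZONE_OF_TRUST = {"111122223333"}  # constructed: the account the analyzer monitors

# Constructed bucket policy: one in-account grant and one cross-account grant.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::finance-exports/*"},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::444455556666:root"]},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::finance-exports", "arn:aws:s3:::finance-exports/*"]},
    ],
}

# Constructed external access finding that the PartnerRead statement would produce.
FINDING = {
    "id": "f-0001", "status": "ACTIVE", "resource": "arn:aws:s3:::finance-exports",
    "resourceType": "AWS::S3::Bucket", "findingType": "ExternalAccess",
    "findingDetails": [{"externalAccessDetails": {
        "isPublic": False,
        "principal": {"AWS": "444455556666"},
        "action": ["s3:GetObject", "s3:ListBucket"]}}],
}


def account_of(principal):
    """Account ID for a 12-digit ID or an ARN; None for '*' or non-account values."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 and parts[4].isdigit() else None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """AWS principals of a statement; '*' (anyone) is normalised to ['*']."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []


def statements_granting(policy, finding):
    """Indexes of Allow statements that grant to the finding's principal,
    i.e. the statements to edit so the finding resolves."""
    target = finding["findingDetails"][0]["externalAccessDetails"]["principal"].get("AWS", "")
    target_acct = account_of(target)
    hits = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for p in _aws_principals(st):
            if p == "*" or p == target or (target_acct and account_of(p) == target_acct):
                hits.append(i)
                break
    return hits


def remove_statements(policy, indexes):
    """Copy of the policy without the given statements (original left intact)."""
    fixed = copy.deepcopy(policy)
    drop = set(indexes)
    fixed["Statement"] = [st for i, st in enumerate(fixed["Statement"]) if i not in drop]
    return fixed


def external_principals(policy, zone_of_trust):
    """Accounts granted by Allow statements outside the zone of trust; a
    wildcard principal is reported as 'public'. Empty means no finding expected."""
    found = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for p in _aws_principals(st):
            if p == "*":
                found.add("public")
            else:
                acct = account_of(p)
                if acct and acct not in zone_of_trust:
                    found.add(acct)
    return found


if __name__ == "__main__":
    bad = statements_granting(BUCKET_POLICY, FINDING)
    print("statements to remove:", [BUCKET_POLICY["Statement"][i]["Sid"] for i in bad])
    fixed = remove_statements(BUCKET_POLICY, bad)
    print("external principals before:", external_principals(BUCKET_POLICY, ZONE_OF_TRUST))
    print("external principals after: ", external_principals(fixed, ZONE_OF_TRUST))
```

If the partner access is legitimate, the right fix is usually to narrow the statement (a specific role ARN instead of `:root`, a condition such as `aws:PrincipalOrgID`) rather than delete it; the analyzer then resolves the original finding and raises a new one describing the narrower access, which you can review and archive with a recorded justification.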

## Resolving unused access findings


IAM Access Analyzer provides recommended steps to resolve unused access analyzer findings based on the type of finding.

After you make a change to resolve an unused access finding, the status of the finding is changed to **Resolved** the next time the unused access analyzer runs. The finding is no longer displayed in the active findings list and instead is displayed in the resolved findings list. If you make a change that only partially addresses an unused access finding, for example by removing only some of the unused permissions in a finding but not all of them, the existing finding is changed to **Resolved** and a new finding is generated for the remaining unused access.

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

### Resolving unused permission findings


For unused permission findings, IAM Access Analyzer can recommend policies to remove from an IAM user or role and provide new policies to replace existing permissions policies. Policy recommendation is not supported for the following scenarios:
+ The unused permission finding is for an IAM user that is in a user group.
+ The unused permission finding is for an IAM role for IAM Identity Center.
+ The unused permission finding has an existing permissions policy that includes the `NotAction` element.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Unused access**.

1. Choose a finding with the **Finding type** of **Unused permissions**.

1. In the **Recommendations** section, if there are policies listed in the **Recommended policy** column, choose **Preview policy** to view the existing policy alongside the recommended policy that replaces it. If there are multiple recommended policies, you can choose **Next policy** and **Previous policy** to view each existing and recommended policy.

1. Choose **Download JSON** to download a .zip file with JSON files of all the recommended policies.

1. Create and attach the recommended policies to the IAM user or role. For more information, see [Changing permissions for a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-change-console) and [Modifying a role permissions policy (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-console.html#roles-modify_permissions-policy).

1. Remove the policies listed in the **Existing permissions policy** column from the IAM user or role. For more information, see [Removing a permissions policy from a user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html#users_change_permissions-remove-policy-console) and [Modifying a role permissions policy (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/roles-managingrole-editing-console.html#roles-modify_permissions-policy).

### Resolving unused role findings


For unused role findings, IAM Access Analyzer recommends deleting the unused IAM role.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Unused access**.

1. Choose a finding with the **Finding type** of **Unused role**.

1. In the **Recommendations** section, review the details of the IAM role.

1. Delete the IAM role. For more information, see [Deleting an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_delete.html#roles-managingrole-deleting-console).

### Resolving unused access key findings


For unused access key findings, IAM Access Analyzer recommends deactivating or deleting the unused access key.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Unused access**.

1. Choose a finding with the **Finding type** of **Unused access keys**.

1. In the **Recommendations** section, review the details of the access key.

1. Deactivate or delete the access key. For more information, see [Managing access keys (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey).

### Resolving unused password findings


For unused password findings, IAM Access Analyzer recommends deleting the unused password for the IAM user.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Unused access**.

1. Choose a finding with the **Finding type** of **Unused password**.

1. In the **Recommendations** section, review the details of the IAM user.

1. Delete the password for the IAM user. For more information, see [Creating, changing, or deleting an IAM user password (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html#id_credentials_passwords_admin-change-user_console).

# IAM Access Analyzer error findings
Error findings

When IAM Access Analyzer analyzes resources, it typically generates findings that show who has access to your resources. However, in some cases, the analyzer might encounter issues that prevent it from completing the analysis. In these situations, IAM Access Analyzer generates error findings instead.

Error findings indicate that IAM Access Analyzer couldn't complete the analysis for a specific resource or for a specific principal-resource pair. These findings help you identify resources that might need attention to ensure proper analysis.

## External access error findings


External access analyzers, which identify resources shared outside your account or organization, can generate two types of error findings:
+ `INTERNAL_ERROR` – Indicates that IAM Access Analyzer encountered an internal issue while analyzing the resource. This could be due to service limitations or temporary issues.

  ```
  {
  	"findingDetails": [
  		{
  			"externalAccessDetails": {}
  		}
  	],
  	"resource": "arn:aws:iam::941407043048:role/TestAccessAnalyzer",
  	"status": "ACTIVE",
  	"error": "INTERNAL_ERROR",
  	"createdAt": "2022-07-14T01:31:43.085000+00:00",
  	"resourceType": "AWS::IAM::Role",
  	"findingType": "ExternalAccess",
  	"resourceOwnerAccount": "941407043048",
  	"analyzedAt": "2025-03-19T06:51:46.109000+00:00",
  	"id": "4b035c7d-b7d2-40e4-a6c3-9887d1a995df",
  	"updatedAt": "2022-07-14T01:31:43.085000+00:00"
  }
  ```
+ `ACCESS_DENIED` – Indicates that IAM Access Analyzer doesn't have the required permissions to analyze the resource. This typically happens when the service-linked role (SLR) for IAM Access Analyzer is denied access to the resource.

  ```
  {
  	"findingDetails": [
  		{
  			"externalAccessDetails": {}
  		}
  	],
  	"resource": "arn:aws:kms:us-west-2:941407043048:key/01cae123-b7f2-4488-9a05-0070a072ea2c",
  	"status": "ACTIVE",
  	"error": "ACCESS_DENIED",
  	"createdAt": "2022-07-14T01:31:43.104000+00:00",
  	"resourceType": "AWS::KMS::Key",
  	"findingType": "ExternalAccess",
  	"resourceOwnerAccount": "941407043048",
  	"analyzedAt": "2025-03-19T06:51:46.090000+00:00",
  	"id": "7ef6f04a-9d2c-4038-9cc0-2a5f00a4d8f8",
  	"updatedAt": "2022-07-14T01:31:43.104000+00:00"
  }
  ```

## Internal access error findings


Internal access analyzers, which identify access within your account or organization, can generate four types of error findings:
+ `PRINCIPAL_LIMIT_EXCEEDED` – Generated when more than 3,000 principals have access to a critical resource. This error helps you identify resources with overly broad access that might need to be restricted.

  If you make changes to the resource or principals in your environment that bring the number of principals below the limit, the analyzer will generate normal findings during the next scan, and the error finding will be marked as resolved.

  ```
  {
  	"id": "efec28fe-b304-412f-af0f-704d0d70c79c",
  	"status": "ACTIVE",
  	"error": "PRINCIPAL_LIMIT_EXCEEDED",
  	"resource": "arn:aws:s3:::critical-data",
  	"resourceType": "AWS::S3::Bucket",
  	"resourceOwnerAccount": "111122223333",
  	"createdAt": "2023-11-30T00:56:56.437000+00:00",
  	"analyzedAt": "2024-03-06T04:11:54.406000+00:00",
  	"updatedAt": "2023-11-30T00:56:56.437000+00:00",
  	"findingType": "InternalAccess",
  	"findingDetails": [
  		{
  			"internalAccessDetails": {}
  		}
  	]
  }
  ```
+ Resource-level errors (`INTERNAL_ERROR` or `ACCESS_DENIED`) – Similar to external access errors, these indicate that the analyzer couldn't analyze a specific resource due to internal issues or permission problems. When a resource-level error occurs, the analyzer generates a single error finding for the resource instead of normal findings.

  ```
  {
  	"id": "efec28fe-b304-412f-af0f-704d0d70c79c",
  	"status": "ACTIVE",
  	"error": "INTERNAL_ERROR", // can be INTERNAL_ERROR or ACCESS_DENIED
  	"resource": "arn:aws:s3:::critical-data",
  	"resourceType": "AWS::S3::Bucket",
  	"resourceOwnerAccount": "111122223333",
  	"createdAt": "2023-11-30T00:56:56.437000+00:00",
  	"analyzedAt": "2024-03-06T04:11:54.406000+00:00",
  	"updatedAt": "2023-11-30T00:56:56.437000+00:00",
  	"findingType": "InternalAccess",
  	"findingDetails": [
  		{
  			"internalAccessDetails": {}
  		}
  	]
  }
  ```
+ Principal-level errors (`INTERNAL_ERROR` or `ACCESS_DENIED`) – Indicates that the analyzer couldn't analyze access for a specific principal to a specific resource. Unlike resource-level errors, a resource can have both normal findings for some principals and error findings for other principals.

  ```
  {
  	"id": "efec28fe-b304-412f-af0f-704d0d70c79c",
  	"status": "ACTIVE",
  	"error": "INTERNAL_ERROR", // can be INTERNAL_ERROR or ACCESS_DENIED
  	"resource": "arn:aws:s3:::critical-data",
  	"resourceType": "AWS::S3::Bucket",
  	"resourceOwnerAccount": "111122223333",
  	"createdAt": "2023-11-30T00:56:56.437000+00:00",
  	"analyzedAt": "2024-03-06T04:11:54.406000+00:00",
  	"updatedAt": "2023-11-30T00:56:56.437000+00:00",
  	"findingType": "InternalAccess", 
  	"findingDetails": [
  		{
  			"internalAccessDetails": {
  				"principal": {
  					"AWS": "arn:aws:iam::111122223333:role/MyRole_1"
  				},
  				"principalOwnerAccount": "111122223333",
  				"principalType": "IAM_ROLE",
  				"accessType": "INTRA_ACCOUNT"
  			}
  		}
  	]
  }
  ```
+ `PRINCIPAL_ERRORS_LIMIT_EXCEEDED` – Generated when there are too many principal-level error findings for a single resource. This is a resource-level error finding that may appear alongside normal findings for the same resource.

  ```
  {
  	"id": "efec28fe-b304-412f-af0f-704d0d70c79c",
  	"status": "ACTIVE",
  	"error": "PRINCIPAL_ERRORS_LIMIT_EXCEEDED",
  	"resource": "arn:aws:s3:::critical-data",
  	"resourceType": "AWS::S3::Bucket",
  	"resourceOwnerAccount": "111122223333",
  	"createdAt": "2023-11-30T00:56:56.437000+00:00",
  	"analyzedAt": "2024-03-06T04:11:54.406000+00:00",
  	"updatedAt": "2023-11-30T00:56:56.437000+00:00",
  	"findingType": "InternalAccess",
  	"resourceControlPolicyRestriction": "NOT_APPLICABLE",
  	"serviceControlPolicyRestriction": "NOT_APPLICABLE",
  	"findingDetails": [
  		{
  			"internalAccessDetails": {}
  		}
  	]
  }
  ```

## Resolving error findings


If you resolve the issue that prevented IAM Access Analyzer from analyzing the resource, the error finding will be removed completely instead of changing to a resolved finding.

To resolve error findings, consider the following approaches based on the error type:
+ For `ACCESS_DENIED` errors, verify that the IAM Access Analyzer service-linked role has the necessary permissions to access the resource.
+ For `PRINCIPAL_LIMIT_EXCEEDED` errors, review the resource's access policies and consider restricting access to fewer principals.
+ For `INTERNAL_ERROR` findings, you may need to wait for a subsequent analysis cycle or contact AWS Support if the issue persists.
+ For `PRINCIPAL_ERRORS_LIMIT_EXCEEDED`, review and potentially simplify the access patterns for the affected resource.

After making changes to address the underlying issues, IAM Access Analyzer will attempt to analyze the resources again during its next scan cycle.
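
The operational point behind error findings is that a resource carrying one has not been fully analyzed, so the absence of normal findings for it is not evidence that nobody outside your zone of trust can reach it. The following is an added example, not AWS code, that triages a constructed set of findings in the `GetFindingV2` shape: it separates resource-level from principal-level errors (treating an error finding whose `internalAccessDetails` names a principal as principal-level, as in the samples above), groups them per resource with the remediation summarized from this section, and returns the set of resources that must not be treated as clean. The finding IDs, ARNs and role names are constructed.

```python
"""Triage IAM Access Analyzer error findings: separate resource-level from
principal-level errors, list the resources whose analysis is incomplete, and
attach the remediation described above to each error code.

Added example, not AWS code. Findings are constructed in the GetFindingV2
shape. An error finding whose details name a principal is treated as
principal-level and any other error finding as resource-level, following the
samples on this page.
"""
from collections import defaultdict

# Remediation per error code, summarised from the guidance above.
RESOLUTION = {
    "ACCESS_DENIED": "check the resource policy for a Deny that hits the Access Analyzer service-linked role",
    "INTERNAL_ERROR": "wait for the next analysis cycle; open a support case if it persists",
    "PRINCIPAL_LIMIT_EXCEEDED": "over 3,000 principals can reach the resource; narrow its access",
    "PRINCIPAL_ERRORS_LIMIT_EXCEEDED": "too many principal-level errors; simplify access paths to the resource",
}

# Constructed findings: a KMS key the analyzer cannot read, an S3 bucket with one
# normal internal finding plus one principal-level error, a bucket over the
# principal limit, and a bucket with only a normal finding.
SAMPLE_FINDINGS = [
    {"id": "e-0001", "status": "ACTIVE", "error": "ACCESS_DENIED",
     "resource": "arn:aws:kms:us-west-2:111122223333:key/example-key",
     "resourceType": "AWS::KMS::Key", "findingType": "ExternalAccess",
     "findingDetails": [{"externalAccessDetails": {}}]},
    {"id": "n-0001", "status": "ACTIVE",
     "resource": "arn:aws:s3:::critical-data", "resourceType": "AWS::S3::Bucket",
     "findingType": "InternalAccess",
     "findingDetails": [{"internalAccessDetails": {
         "principal": {"AWS": "arn:aws:iam::111122223333:role/MyRole_1"},
         "principalType": "IAM_ROLE", "accessType": "INTRA_ACCOUNT"}}]},
    {"id": "e-0002", "status": "ACTIVE", "error": "INTERNAL_ERROR",
     "resource": "arn:aws:s3:::critical-data", "resourceType": "AWS::S3::Bucket",
     "findingType": "InternalAccess",
     "findingDetails": [{"internalAccessDetails": {
         "principal": {"AWS": "arn:aws:iam::111122223333:role/MyRole_2"},
         "principalType": "IAM_ROLE", "accessType": "INTRA_ACCOUNT"}}]},
    {"id": "e-0003", "status": "ACTIVE", "error": "PRINCIPAL_LIMIT_EXCEEDED",
     "resource": "arn:aws:s3:::shared-everywhere", "resourceType": "AWS::S3::Bucket",
     "findingType": "InternalAccess",
     "findingDetails": [{"internalAccessDetails": {}}]},
    {"id": "n-0002", "status": "ACTIVE",
     "resource": "arn:aws:s3:::clean-bucket", "resourceType": "AWS::S3::Bucket",
     "findingType": "InternalAccess",
     "findingDetails": [{"internalAccessDetails": {
         "principal": {"AWS": "arn:aws:iam::111122223333:role/MyRole_1"},
         "principalType": "IAM_ROLE", "accessType": "INTRA_ACCOUNT"}}]},
]


def error_level(finding):
    """'principal' for an error scoped to one principal-resource pair,
    'resource' for an error that replaces all findings for the resource,
    None when the finding is not an error finding."""
    if not finding.get("error"):
        return None
    for detail in finding.get("findingDetails", []):
        for key in ("internalAccessDetails", "externalAccessDetails"):
            if detail.get(key, {}).get("principal"):
                return "principal"
    return "resource"


def triage(findings):
    """Per resource with at least one error: resource-level error codes, the
    number of principal-level errors, how many normal findings survived, and
    the remediation for each error code seen."""
    report = defaultdict(lambda: {"resource_errors": [], "principal_errors": 0,
                                  "normal_findings": 0, "actions": {}})
    for f in findings:
        level = error_level(f)
        entry = report[f["resource"]]
        if level is None:
            entry["normal_findings"] += 1
            continue
        if level == "resource":
            entry["resource_errors"].append(f["error"])
        else:
            entry["principal_errors"] += 1
        entry["actions"][f["error"]] = RESOLUTION.get(f["error"], "unrecognised error code")
    # Resources with only normal findings need no error triage.
    return {r: e for r, e in report.items() if e["resource_errors"] or e["principal_errors"]}


def unverified_resources(findings):
    """Resources whose access picture is incomplete. An absence of normal
    findings on these resources is not evidence of an absence of access."""
    return set(triage(findings))


if __name__ == "__main__":
    for resource, entry in triage(SAMPLE_FINDINGS).items():
        print(resource, entry)
    print("do not treat as clean:", sorted(unverified_resources(SAMPLE_FINDINGS)))
```

Because error findings disappear rather than move to **Resolved** once the cause is fixed, a resource dropping out of `unverified_resources` between two runs is the signal that analysis has resumed; its normal findings, if any, will appear in the next scan and should be reviewed from scratch rather than assumed unchanged.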

# IAM Access Analyzer supported resource types for external and internal access
Supported resource types

For external and internal access analyzers, IAM Access Analyzer analyzes the resource-based policies that are applied to AWS resources in the Region where you enabled IAM Access Analyzer. It only analyzes resource-based policies. For details about how IAM Access Analyzer generates findings for each resource type, review the resource type information.

**Note**  
The supported resource types listed are for external and internal access analyzers. Internal access analyzers don't support all resource types that external access analyzers support. Unused access analyzers only support IAM users and roles. For more information, see [Understand how IAM Access Analyzer findings work](access-analyzer-concepts.md).

## Supported resource types for external access

+ [Amazon Simple Storage Service buckets](#access-analyzer-s3)
+ [Amazon Simple Storage Service directory buckets](#access-analyzer-s3-directory)
+ [AWS Identity and Access Management roles](#access-analyzer-iam-role)
+ [AWS Key Management Service keys](#access-analyzer-kms-key)
+ [AWS Lambda functions and layers](#access-analyzer-lambda)
+ [Amazon Simple Queue Service queues](#access-analyzer-sqs)
+ [AWS Secrets Manager secrets](#access-analyzer-secrets-manager)
+ [Amazon Simple Notification Service topics](#access-analyzer-sns)
+ [Amazon Elastic Block Store volume snapshots](#access-analyzer-ebs)
+ [Amazon Relational Database Service DB snapshots](#access-analyzer-rds-db)
+ [Amazon Relational Database Service DB cluster snapshots](#access-analyzer-rds-db-cluster)
+ [Amazon Elastic Container Registry repositories](#access-analyzer-ecr)
+ [Amazon Elastic File System file systems](#access-analyzer-efs)
+ [Amazon DynamoDB streams](#access-analyzer-ddb-stream)
+ [Amazon DynamoDB tables](#access-analyzer-ddb-table)

## Supported resource types for internal access

+ [Amazon Simple Storage Service buckets](#access-analyzer-s3)
+ [Amazon Simple Storage Service directory buckets](#access-analyzer-s3-directory)
+ [Amazon Relational Database Service DB snapshots](#access-analyzer-rds-db)
+ [Amazon Relational Database Service DB cluster snapshots](#access-analyzer-rds-db-cluster)
+ [Amazon DynamoDB streams](#access-analyzer-ddb-stream)
+ [Amazon DynamoDB tables](#access-analyzer-ddb-table)

## Amazon Simple Storage Service buckets
Amazon S3 buckets

When IAM Access Analyzer analyzes Amazon S3 buckets for external access analyzers, it generates a finding when an Amazon S3 bucket policy, access control list (ACL), or access point, including a multi-Region access point, applied to a bucket grants access to an external entity. An external entity is a principal, or another entity of the kinds you can use to [create a filter](access-analyzer-findings-filter.md), that isn't within your zone of trust. For example, if a bucket policy grants access to another account or allows public access, IAM Access Analyzer generates a finding. To block public access regardless of what the bucket policy grants, enable [Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) at the account level or the bucket level.

For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified Amazon S3 bucket.

**Note**  
IAM Access Analyzer doesn’t analyze the access point policy attached to cross-account access points because the access point and its policy are outside the analyzer account. IAM Access Analyzer generates a public finding when a bucket delegates access to a cross-account access point and Block Public Access is not enabled on the bucket or account. When you enable Block Public Access, the public finding is resolved and IAM Access Analyzer generates a cross-account finding for the cross-account access point. 

Amazon S3 *Block Public Access* settings override the bucket policies applied to the bucket. The settings also override the access point policies applied to the bucket’s access points. IAM Access Analyzer analyzes Block Public Access settings at the bucket level whenever a policy changes. However, it evaluates the Block Public Access settings at the account level only once every 6 hours. This means that IAM Access Analyzer might not generate or resolve a finding for public access to a bucket for up to 6 hours. For example, if you have a bucket policy that allows public access, IAM Access Analyzer generates a finding for that access. If you then enable Block Public Access to block all public access to the bucket at the account level, IAM Access Analyzer doesn't resolve the finding for the bucket policy for up to 6 hours, even though all public access to the bucket is blocked. Resolution of public findings for cross-account access points can also take up to 6 hours once you enable Block Public Access at the account level. Changes to a resource control policy (RCP) without a change to the bucket policy do not trigger a rescan of the bucket reported in the finding. IAM Access Analyzer analyzes the new or updated policy during the next periodic scan, which is within 24 hours.

For a multi-Region access point, IAM Access Analyzer uses an established policy for generating findings. IAM Access Analyzer evaluates changes to multi-Region access points once every 6 hours. This means IAM Access Analyzer doesn’t generate or resolve a finding for up to 6 hours, even if you create or delete a multi-Region access point, or update the policy for it. 

## Amazon Simple Storage Service directory buckets

Amazon S3 directory buckets organize data hierarchically into directories, as opposed to the flat storage structure of general purpose buckets, and are recommended for performance-critical workloads or applications. For external access analyzers, IAM Access Analyzer analyzes the directory bucket policy, including condition statements in the policy, that allow an external entity to access a directory bucket.

For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified Amazon S3 directory bucket.

Amazon S3 directory buckets also support access points, which enforce distinct permissions and network controls for all requests made to the directory bucket through the access point. Each access point can have an access point policy that works in conjunction with the bucket policy that is attached to the underlying directory bucket. With access points for directory buckets, you can restrict access to specific prefixes, API actions, or a virtual private cloud (VPC).

**Note**  
IAM Access Analyzer doesn’t analyze the access point policy attached to cross-account access points because the access point and its policy are outside the analyzer account. IAM Access Analyzer generates a public finding when a bucket delegates access to a cross-account access point and Block Public Access is not enabled on the bucket or account. When you enable Block Public Access, the public finding is resolved and IAM Access Analyzer generates a cross-account finding for the cross-account access point. 

For more information about Amazon S3 directory buckets, see [Working with directory buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/directory-buckets-overview.html) in the Amazon Simple Storage Service User Guide.

## AWS Identity and Access Management roles

For IAM roles, IAM Access Analyzer analyzes [trust policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#term_trust-policy). In a role trust policy, you define the principals that you trust to assume the role. A role trust policy is a required resource-based policy that is attached to a role in IAM. IAM Access Analyzer generates findings for roles within the zone of trust that can be accessed by an external entity that is outside your zone of trust.

**Note**  
An IAM role is a global resource. If a role trust policy grants access to an external entity, IAM Access Analyzer generates a finding in each enabled Region.

## AWS Key Management Service keys

For AWS KMS keys, IAM Access Analyzer analyzes the key policies and grants applied to a key. IAM Access Analyzer generates a finding if a key policy or grant allows an external entity to access the key. For example, if you use the [kms:CallerAccount](https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-caller-account) condition key in a policy statement to allow access to all users in a specific AWS account, and you specify an account other than the current account (the zone of trust for the current analyzer), IAM Access Analyzer generates a finding. To learn more about AWS KMS condition keys in IAM policy statements, see [AWS KMS Condition Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html#awskeymanagementservice-policy-keys).

When IAM Access Analyzer analyzes a KMS key, it reads key metadata, such as the key policy and the list of grants. If the key policy doesn't allow the IAM Access Analyzer role to read the key metadata, an Access Denied error finding is generated. For example, if the following policy statement is the only policy applied to a key, it results in an Access Denied error finding in IAM Access Analyzer.

```
{
    "Sid": "Allow access for Key Administrators",
    "Effect": "Allow",
    "Principal": {
       "AWS": "arn:aws:iam::111122223333:role/Admin"
    },
    "Action": "kms:*",
    "Resource": "*"
}
```

Because this statement allows only the role named *Admin* from the AWS account 111122223333 to access the key, an Access Denied error finding is generated because IAM Access Analyzer isn't able to fully analyze the key. An error finding is displayed in red text in the **Findings** table. The finding looks similar to the following.

```
{
    "error": "ACCESS_DENIED",
    "id": "12345678-1234-abcd-dcba-111122223333",
    "analyzedAt": "2019-09-16T14:24:33.352Z",
    "resource": "arn:aws:kms:us-west-2:1234567890:key/1a2b3c4d-5e6f-7a8b-9c0d-1a2b3c4d5e6f7g8a",
    "resourceType": "AWS::KMS::Key",
    "status": "ACTIVE",
    "updatedAt": "2019-09-16T14:24:33.352Z"
}
```

When you create a KMS key, the permissions granted to access the key depend on how you create the key. If you receive an Access Denied error finding for a key resource, apply the following policy statement to the key resource to grant IAM Access Analyzer permission to access the key.

```
{
    "Sid": "Allow IAM Access Analyzer access to key metadata",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer"
    },
    "Action": [
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:List*"
    ],
    "Resource": "*"
}
```

After you receive an Access Denied finding for a KMS key resource, and then resolve the finding by updating the key policy, the finding is updated to a status of Resolved. If there are policy statements or key grants that grant permission to the key to an external entity, you might see additional findings for the key resource. 
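The following added example (not code from the AWS documentation) checks a key policy offline for the situation described above: it reports which of the metadata-read actions the analyzer's service-linked role is still missing, so an Access Denied error finding can be predicted or explained before the policy is applied. The three concrete actions it checks are an assumption (the actions covered by the documented `kms:DescribeKey`, `kms:GetKeyPolicy`, `kms:List*` grant), and the sample policies are constructed from the two statements shown above.

```python
"""Check whether a KMS key policy lets IAM Access Analyzer read key metadata.

Added example, not code from the AWS documentation. An Access Denied error
finding is raised when no statement in the key policy grants the analyzer's
service-linked role the read actions it needs; this predicts that from the
policy document alone.
"""
import fnmatch
import json

# Assumption: the concrete actions covered by the documented grant
# (kms:DescribeKey, kms:GetKeyPolicy, kms:List*) that the analyzer relies on.
REQUIRED_ACTIONS = ("kms:DescribeKey", "kms:GetKeyPolicy", "kms:ListGrants")

# Path of the service-linked role, as shown in the documented policy statement.
SLR_PATH = "role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer"


def _as_list(value):
    """IAM accepts a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    """Return the AWS principals a statement applies to ('*' means everyone)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        if principal.get("AWS") == "*":
            return ["*"]
        return _as_list(principal.get("AWS"))
    return []


def _covered_actions(statement):
    """Required actions matched by the statement's Action patterns (case-insensitive)."""
    covered = set()
    for pattern in _as_list(statement.get("Action")):
        for action in REQUIRED_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                covered.add(action)
    return covered


def missing_analyzer_actions(key_policy, account_id):
    """Required actions the key policy does not grant to the analyzer's
    service-linked role in account_id. An empty list means the analyzer can
    read the key and this policy will not cause an Access Denied error finding."""
    policy = json.loads(key_policy) if isinstance(key_policy, str) else key_policy
    slr_arn = f"arn:aws:iam::{account_id}:{SLR_PATH}"
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        principals = _aws_principals(stmt)
        if "*" not in principals and slr_arn not in principals:
            continue  # statement does not apply to the analyzer role
        if stmt.get("Effect") == "Allow":
            allowed |= _covered_actions(stmt)
        elif stmt.get("Effect") == "Deny":
            denied |= _covered_actions(stmt)  # an explicit Deny always wins
    return [a for a in REQUIRED_ACTIONS if a not in allowed or a in denied]


# Constructed sample policies built from the two statements shown above.
ADMIN_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow access for Key Administrators",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/Admin"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": ADMIN_ONLY_POLICY["Statement"] + [{
        "Sid": "Allow IAM Access Analyzer access to key metadata",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:" + SLR_PATH},
        "Action": ["kms:DescribeKey", "kms:GetKeyPolicy", "kms:List*"],
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    print("admin-only policy is missing:", missing_analyzer_actions(ADMIN_ONLY_POLICY, "111122223333"))
    print("fixed policy is missing:", missing_analyzer_actions(FIXED_POLICY, "111122223333"))
```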

## AWS Lambda functions and layers

For AWS Lambda functions, IAM Access Analyzer analyzes policies, including condition statements in a policy, that grant access to the function to an external entity. With Lambda, you can attach unique resource-based policies to functions, versions, aliases, and layers. IAM Access Analyzer reports external access based on resource-based policies attached to functions and layers. IAM Access Analyzer doesn't report external access based on resource-based policies attached to aliases and specific versions invoked using a qualified ARN.

For more information, see [Using resource-based policies for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html) and [Using versions](https://docs.aws.amazon.com/lambda/latest/dg/configuration-versions.html#versioning-versions-using) in the AWS Lambda Developer Guide.

## Amazon Simple Queue Service queues

For Amazon SQS queues, IAM Access Analyzer analyzes policies, including condition statements in a policy, that allow an external entity access to a queue.

## AWS Secrets Manager secrets

For AWS Secrets Manager secrets, IAM Access Analyzer analyzes policies, including condition statements in a policy, that allow an external entity to access a secret.

## Amazon Simple Notification Service topics

IAM Access Analyzer analyzes resource-based policies attached to Amazon SNS topics, including condition statements in the policies that allow external access to a topic. You can allow external accounts to perform Amazon SNS actions such as subscribing to and publishing to topics through a resource-based policy. An Amazon SNS topic is externally accessible if principals from an account outside of your zone of trust can perform operations on the topic. When you choose `Everyone` in your policy when creating an Amazon SNS topic, you make the topic accessible to the public. `AddPermission` is another way to add a resource-based policy to an Amazon SNS topic that allows external access.

## Amazon Elastic Block Store volume snapshots

Amazon Elastic Block Store volume snapshots do not have resource-based policies. A snapshot is shared through Amazon EBS sharing permissions. For Amazon EBS volume snapshots, IAM Access Analyzer analyzes access control lists that allow an external entity access to a snapshot. An Amazon EBS volume snapshot can be shared with external accounts when encrypted. An unencrypted volume snapshot can be shared with external accounts and grant public access. Sharing settings are in the `CreateVolumePermissions` attribute of the snapshot. When customers preview external access of an Amazon EBS snapshot, they can specify the encryption key as an indicator that the snapshot is encrypted, similar to how IAM Access Analyzer preview handles Secrets Manager secrets.

## Amazon Relational Database Service DB snapshots

Amazon RDS DB snapshots do not have resource-based policies. A DB snapshot is shared through Amazon RDS database permissions, and only manual DB snapshots can be shared. For external access analyzers, IAM Access Analyzer analyzes access control lists that allow an external entity access to an Amazon RDS DB snapshot. Unencrypted DB snapshots can be public. Encrypted DB snapshots cannot be shared publicly, but they can be shared with up to 20 other accounts. For more information, see [Creating a DB snapshot](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateSnapshot.html). IAM Access Analyzer considers the ability to export a database manual snapshot (for example, to an Amazon S3 bucket) as trusted access.

For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified Amazon RDS DB snapshot.

**Note**  
IAM Access Analyzer does not identify public or cross-account access configured directly on the database itself. IAM Access Analyzer only identifies findings for public or cross-account access configured on the Amazon RDS DB snapshot.

## Amazon Relational Database Service DB cluster snapshots

Amazon RDS DB cluster snapshots do not have resource-based policies. A snapshot is shared through Amazon RDS DB cluster permissions. For external access analyzers, IAM Access Analyzer analyzes access control lists that allow an external entity access to an Amazon RDS DB cluster snapshot. Unencrypted cluster snapshots can be public. Encrypted cluster snapshots cannot be shared publicly. Both unencrypted and encrypted cluster snapshots can be shared with up to 20 other accounts. For more information, see [Creating a DB cluster snapshot](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_CreateSnapshotCluster.html). IAM Access Analyzer considers the ability to export a DB cluster snapshot (for example, to an Amazon S3 bucket) as trusted access.

For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified Amazon RDS DB cluster snapshot.

**Note**  
IAM Access Analyzer findings do not include monitoring of any share of Amazon RDS DB clusters and clones with another AWS account or organization using AWS Resource Access Manager. IAM Access Analyzer only identifies findings for public or cross-account access configured on the Amazon RDS DB cluster snapshot.

## Amazon Elastic Container Registry repositories

For Amazon ECR repositories, IAM Access Analyzer analyzes resource-based policies, including condition statements in a policy, that allow an external entity access to a repository (similar to other resource types like Amazon SNS topics and Amazon EFS file systems). For Amazon ECR repositories, a principal must have permission to `ecr:GetAuthorizationToken` through an identity-based policy to be considered externally available.

## Amazon Elastic File System file systems

For Amazon EFS file systems, IAM Access Analyzer analyzes policies, including condition statements in a policy, that allow an external entity access to a file system. An Amazon EFS file system is externally accessible if principals from an account outside of your zone of trust can perform operations on that file system. Access is defined by a file system policy that uses IAM, and by how the file system is mounted. For example, mounting your Amazon EFS file system in another account is considered externally accessible, unless that account is in your organization and you have defined the organization as your zone of trust. If you are mounting the file system from a virtual private cloud with a public subnet, the file system is externally accessible. When you use Amazon EFS with AWS Transfer Family, file system access requests received from a Transfer Family server that is owned by a different account than the file system are blocked if the file system allows public access.

## Amazon DynamoDB streams

For external access analyzers, IAM Access Analyzer generates a finding if a DynamoDB policy allows at least one cross-account action that allows an external entity to access a DynamoDB stream. For more information on the supported cross-account actions for DynamoDB, see [IAM actions supported by resource-based policies](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-iam-actions.html) in the Amazon DynamoDB Developer Guide.

For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified DynamoDB stream.

## Amazon DynamoDB tables

For external access analyzers, IAM Access Analyzer generates a finding for a DynamoDB table if a DynamoDB policy allows at least one cross-account action that allows an external entity to access a DynamoDB table or index. For more information on the supported cross-account actions for DynamoDB, see [IAM actions supported by resource-based policies](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-iam-actions.html) in the Amazon DynamoDB Developer Guide.

For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified DynamoDB table.

# Delegated administrator for IAM Access Analyzer

If you're configuring AWS Identity and Access Management Access Analyzer in your AWS Organizations management account, you can add a member account in the organization as the delegated administrator to manage IAM Access Analyzer for your organization. The delegated administrator has permissions to create and manage analyzers within the organization. Only the management account can add a delegated administrator.

The delegated administrator for IAM Access Analyzer is a member account within the organization that has permissions to create and manage analyzers that analyze access across the organization. Only the management account can add, remove, or change a delegated administrator.

If you add a delegated administrator, you can later change to a different account for the delegated administrator. When you do, the former delegated administrator account loses permission to all analyzers that were created using that account to analyze access across the organization. These analyzers move to a disabled state and no longer generate new findings or update existing ones. The existing findings for these analyzers are also no longer accessible. You can access them again in the future by configuring the account as the delegated administrator. If you know that you won't use the same account as a delegated administrator, consider deleting the analyzers before changing the delegated administrator. This deletes all findings generated. When the new delegated administrator creates new analyzers, new instances of the same findings are generated. You don't lose any findings; they are simply generated for the new analyzer in a different account. And you can continue to access findings for the organization using the organization management account, which also has administrator permissions. The new delegated administrator must create new analyzers for IAM Access Analyzer to start monitoring resources in your organization.

If the delegated administrator leaves the AWS organization, the delegated administration privileges are removed from the account. All analyzers in the account with the organization as the zone of trust move to a disabled state. The existing findings for these analyzers are also no longer accessible.

The first time that you configure analyzers in the management account, you can choose **Add delegated administrator** on the **Analyzer settings** page in the IAM Access Analyzer console.

**Note**  
IAM Access Analyzer charges for unused access analyzers based on the number of IAM roles and users analyzed per analyzer per month. If you create an unused access analyzer in the management account and the delegated administrator account, you will be charged for both unused access analyzers. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

After you change the delegated administrator, the new administrator must create analyzers to start monitoring access to the resources in your organization.

# Add a delegated administrator for IAM Access Analyzer

If you're configuring AWS Identity and Access Management Access Analyzer in your AWS Organizations management account, you can add a member account in the organization as the delegated administrator to manage IAM Access Analyzer for your organization. The delegated administrator has permissions to create and manage analyzers within the organization. Only the management account can add a delegated administrator.

**To add a delegated administrator using the console**

1. Log in to the AWS console using the management account for your organization.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access Analyzer**, choose **Analyzer settings**.

1. Choose **Add delegated administrator**.

1. In the **Delegated administrator** field, enter the AWS account number of an organization member account to make the delegated administrator.

   The account must be a member of your organization.

1. Choose **Save changes**.

**To add a delegated administrator using the AWS CLI or the AWS SDKs**

When you create an analyzer to analyze access across the organization in a delegated administrator account using the AWS CLI, the AWS API (using the AWS SDKs), or CloudFormation, you must use AWS Organizations APIs to enable service access for IAM Access Analyzer and register the member account as a delegated administrator.

1. Enable trusted service access for IAM Access Analyzer in AWS Organizations. See [How to Enable or Disable Trusted Access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html) in the AWS Organizations User Guide.

1. Register a valid member account of your AWS organization as a delegated administrator using the AWS Organizations [RegisterDelegatedAdministrator](https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html) API operation or the `register-delegated-administrator` AWS CLI command.

# Archive rules


Archive rules automatically archive new findings that meet the criteria you define when you create the rule. You can also apply archive rules retroactively to archive existing findings that meet the archive rule criteria. For example, you can create an archive rule to automatically archive any findings for a specific Amazon S3 bucket that you regularly grant access to. Or if you grant access to multiple resources to a specific principal, you can create a rule that automatically archives any new finding generated for access granted to that principal. This lets you focus only on active findings that may indicate a security risk.

When you create an archive rule, only new findings that match the rule criteria are automatically archived. Existing findings are not automatically archived. When you create a rule, you can include up to 20 values per criterion in the rule. For a list of filter keys that you can use to create or update an archive rule, see [IAM Access Analyzer filter keys](access-analyzer-reference-filter-keys.md).

**Note**  
When you create or edit an archive rule, IAM Access Analyzer does not validate the values you include in the filter for the rule. For example, if you add a rule to match an AWS account, IAM Access Analyzer accepts any value in the field, even if it is not a valid AWS account number.

**To create an archive rule**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Access analyzer**, then choose **Analyzer settings**.

1. In the **Analyzers** section, choose the analyzer for which you want to create an archive rule.

1. On the **Archive rules** tab, choose **Create archive rule**.

1. Enter a name for the rule if you want to change the default name.

1. In the **Rule** section, under **Criteria**, select a property to match for the rule.

1. Choose a condition for the property value, such as **Contains**, **Is**, or **Not Equals**.

   The operators available depend on the property you choose.

1. Optionally, add additional values for the property, or add additional criteria for the rule. For external access findings, to ensure that your rule won’t archive new findings for public access, you can also include the criterion **Public access** and set it to **false**.

   To add another value for a criterion, choose **Add another value**. To add another criterion for the rule, choose **Add criterion**.

1. When you finish adding criteria and values, choose **Create rule** to apply the rule to new findings only. Choose **Create and archive active findings** to archive new and existing findings based on the rule criteria. In the **Results** section, you can review the list of active findings the archive rule applies to.

For example, to create a rule for external access findings that automatically archives any findings for Amazon S3 buckets: choose **Resource type**, and then choose **Is** for the condition. Next choose **S3 bucket** from the **Value** list.

To create a rule for unused access findings that automatically archives any finding for a particular account: choose **Resource Owner Account**, and then choose **Equals** for the condition. Type the AWS account ID in the **Value** text box.

Continue to define criteria to customize the rule as appropriate for your environment, and then choose **Create rule**.

If you are creating a new rule and add multiple criteria, you can remove a single criterion from the rule by choosing **Remove this criterion**. You can remove a value added for a criterion by choosing **Remove value**.
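The following added example (not AWS code) models how the archive rule described above selects findings, so the criteria can be tried against sample findings before the rule is created. The rule filter uses the same shape as the `CreateArchiveRule` API's filter (`{"<filter key>": {"eq" | "neq" | "contains" | "exists": [...]}}`); the matching logic and the sample findings are constructed here for illustration and are not the service's implementation.

```python
"""Model of how an IAM Access Analyzer archive rule selects findings.

Added example, not AWS code. The filter shape follows the CreateArchiveRule
API; the matching semantics are an approximation written for illustration.
"""

MAX_VALUES_PER_CRITERION = 20  # limit stated in the documentation
OPERATORS = ("eq", "neq", "contains", "exists")


def validate_rule(rule_filter):
    """Enforce the structural limits. Like the service, this does not check that
    values are meaningful: a malformed account ID is accepted."""
    for key, criterion in rule_filter.items():
        for operator, values in criterion.items():
            if operator not in OPERATORS:
                raise ValueError(f"{key}: unsupported operator {operator!r}")
            if not 1 <= len(values) <= MAX_VALUES_PER_CRITERION:
                raise ValueError(f"{key}: between 1 and {MAX_VALUES_PER_CRITERION} values required")


def _finding_values(finding, key):
    """Finding attribute as a list of strings; booleans become 'true'/'false'.
    Dotted keys such as 'principal.AWS' address nested fields."""
    value = finding
    for part in key.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    if value is None:
        return []
    if isinstance(value, bool):
        return [str(value).lower()]
    return [str(v) for v in value] if isinstance(value, list) else [str(value)]


def _criterion_matches(actual, criterion):
    for operator, wanted in criterion.items():
        if operator == "exists":
            if bool(actual) != (wanted[0].lower() == "true"):
                return False
        elif operator == "eq":
            if not any(a in wanted for a in actual):
                return False
        elif operator == "neq":
            if not actual or any(a in wanted for a in actual):
                return False
        elif operator == "contains":
            if not any(w in a for a in actual for w in wanted):
                return False
    return True


def matches_archive_rule(finding, rule_filter):
    """A finding is archived only when every criterion in the rule matches."""
    return all(_criterion_matches(_finding_values(finding, key), crit)
               for key, crit in rule_filter.items())


def archive_candidates(findings, rule_filter):
    """IDs of the active findings the rule would archive."""
    validate_rule(rule_filter)
    return [f["id"] for f in findings
            if f.get("status") == "ACTIVE" and matches_archive_rule(f, rule_filter)]


# Constructed sample findings; attribute names follow the event examples on this page.
FINDINGS = [
    {"id": "f-1", "status": "ACTIVE", "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::shared-with-partner", "isPublic": False,
     "principal": {"AWS": "999988887777"}},
    {"id": "f-2", "status": "ACTIVE", "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::accidentally-public", "isPublic": True,
     "principal": {"AWS": "*"}},
    {"id": "f-3", "status": "ACTIVE", "resourceType": "AWS::SQS::Queue",
     "resource": "arn:aws:sqs:us-west-2:111122223333:orders", "isPublic": False,
     "principal": {"AWS": "999988887777"}},
]

# Rule from the text: archive S3 bucket findings, but never public ones.
S3_NOT_PUBLIC_RULE = {"resourceType": {"eq": ["AWS::S3::Bucket"]}, "isPublic": {"eq": ["false"]}}
# The same rule without the guard would also archive the public finding.
S3_ANY_RULE = {"resourceType": {"eq": ["AWS::S3::Bucket"]}}

if __name__ == "__main__":
    print("with public-access guard:", archive_candidates(FINDINGS, S3_NOT_PUBLIC_RULE))
    print("without guard:", archive_candidates(FINDINGS, S3_ANY_RULE))
```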

**To edit an archive rule**

1. Choose the name of the rule to edit in the **Name** column.

   You can edit only one archive rule at a time.

1. Add new criteria or remove the existing criteria and values for each criterion.

1. Choose **Save changes** to apply the rule to new findings only. Choose **Save and archive active findings** to archive new and existing findings based on the rule criteria. 

**To delete an archive rule**

1. Select the checkbox for the rules that you want to delete.

1. Choose **Delete**.

1. Type **delete** in the **Delete archive rule** confirmation dialog, and then choose **Delete**.

The rules are deleted only from the analyzer in the current Region. You must delete archive rules separately for each analyzer that you created in other Regions.

# Monitoring AWS Identity and Access Management Access Analyzer with Amazon EventBridge

Use the information in this topic to learn how to monitor IAM Access Analyzer findings and access previews with Amazon EventBridge. EventBridge is the new version of Amazon CloudWatch Events.

## Findings events


IAM Access Analyzer sends an event to EventBridge for each generated finding, for a change to the status of an existing finding, and when a finding is deleted. To receive findings and notifications about findings, you must create an event rule in Amazon EventBridge. When you create an event rule, you can also specify a target action to trigger based on the rule. For example, you could create an event rule that triggers an Amazon SNS topic when an event for a new finding is received from IAM Access Analyzer. Details about the resource control policy (RCP) are available in the event detail section.

## Access preview events


IAM Access Analyzer sends an event to EventBridge for each access preview and change to its status. This includes an event when the access preview is first created (status Creating), when the access preview is complete (status Completed), or when the access preview creation failed (status Failed). To receive notifications about access previews, you must create an event rule in EventBridge. When you create an event rule, you can specify a target action to trigger based on the rule. For example, you could create an event rule that triggers an Amazon SNS topic when an event for a completed access preview is received from IAM Access Analyzer. 

## Event notification frequency


IAM Access Analyzer sends events for new findings and findings with status updates to EventBridge within about an hour from when the event occurs in your account. IAM Access Analyzer also sends events to EventBridge when a resolved finding is deleted because the retention period has expired. For findings that are deleted because the analyzer that generated them is deleted, the event is sent to EventBridge approximately 24 hours after the analyzer was deleted. When a finding is deleted, the finding status is not changed. Instead, the `isDeleted` attribute is set to `true`. IAM Access Analyzer also sends events for newly created access previews and access preview status changes to EventBridge.



## Example external access findings events


The following is an example IAM Access Analyzer external access finding event sent to EventBridge. The `id` listed is the ID for the event in EventBridge. To learn more, see [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html).

In the `detail` object, the values for the `accountId` and `region` attributes refer to the account and region reported in the finding. The `isDeleted` attribute indicates whether the event was from the finding being deleted. The `id` is the finding ID. The `resources` array is a singleton with the ARN of the analyzer that generated the finding.

```
{
    "account": "111122223333",
    "detail": {
        "accountId": "111122223333",
        "action": [
            "s3:GetObject"
        ],
        "analyzedAt": "2019-11-21T01:22:22Z",
        "condition": {},
        "createdAt": "2019-11-20T04:58:50Z",
        "id": "22222222-dcba-4444-dcba-333333333333",
        "isDeleted": false,
        "isPublic": false,
        "principal": {
            "AWS": "999988887777"
        },
        "region": "us-west-2",
        "resource": "arn:aws:s3:::amzn-s3-demo-bucket",
        "resourceType": "AWS::S3::Bucket",
        "status": "ACTIVE",
        "updatedAt": "2019-11-21T01:14:07Z",
        "version": "1.0"
    },
    "detail-type": "Access Analyzer Finding",
    "id": "11111111-2222-4444-aaaa-333333333333",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/MyAnalyzer"
    ],
    "source": "aws.access-analyzer",
    "time": "2019-11-21T01:22:33Z",
    "version": "0"
}
```

IAM Access Analyzer also sends events to EventBridge for error findings. An error finding is a finding generated when IAM Access Analyzer can't analyze the resource. Events for error findings include an `error` attribute as shown in the following example.

```
{
    "account": "111122223333",
    "detail": {
        "accountId": "111122223333",
        "analyzedAt": "2019-11-21T01:22:22Z",
        "createdAt": "2019-11-20T04:58:50Z",
        "error": "ACCESS_DENIED",
        "id": "22222222-dcba-4444-dcba-333333333333",
        "isDeleted": false,
        "region": "us-west-2",
        "resource": "arn:aws:s3:::amzn-s3-demo-bucket",
        "resourceType": "AWS::S3::Bucket",
        "status": "ACTIVE",
        "updatedAt": "2019-11-21T01:14:07Z",
        "version": "1.0"
    },
    "detail-type": "Access Analyzer Finding",
    "id": "11111111-2222-4444-aaaa-333333333333",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/MyAnalyzer"
    ],
    "source": "aws.access-analyzer",
    "time": "2019-11-21T01:22:33Z",
    "version": "0"
}
```

## Example internal access findings events


The following is an example IAM Access Analyzer internal access finding event sent to EventBridge. The `id` listed is the ID for the event in EventBridge. To learn more, see [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html).

In the `detail` object, the values for the `accountId` and `principalOwnerAccount` attributes refer to the account of the principal reported in the finding. The `isDeleted` attribute indicates whether the event was from the finding being deleted. The `id` is the finding ID. The `resources` array is a singleton with the ARN of the analyzer that generated the finding, and `resource` in the `detail` object is the ARN of the resource that the principal can access.

```
{
    "version": "0",
    "id": "b45c3678-c278-b593-6121-c155259ce1b5",
    "detail-type": "Internal Access Finding",
    "source": "aws.access-analyzer",
    "account": "111122223333",
    "time": "2025-04-08T19:42:49Z",
    "region": "us-east-1",
    "resources": [
        "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/testAnalyzer"
    ],
    "detail": {
        "accessType": "INTRA_ACCOUNT",
        "action": [
            "s3:GetObject"
        ],
        "analyzedAt": "2025-04-08T03:18:43.509465073Z", 
        "condition": {},
        "createdAt": "2025-04-07T21:33:49.914099224Z",
        "id": "11111111-2222-4444-aaaa-333333333333",
        "isDeleted": false,
        "findingType": "InternalAccess",
        "principal": {
            "AWS": "arn:aws:iam::111122223333:role/MyRole_6"
        },
        "principalOwnerAccount": "111122223333",
        "principalType": "IAM_ROLE",
        "resource": "arn:aws:s3:::critical-data",
        "resourceControlPolicyRestrictionType": "NOT_APPLICABLE",
        "accountId": "111122223333",
        "resourceType": "AWS::S3::Bucket",
        "serviceControlPolicyRestrictionType": "NOT_APPLICABLE",
        "status": "ACTIVE",
        "updatedAt": "2025-04-08T03:22:12.654688231Z",
        "version": "1.0"
    }
}
```

IAM Access Analyzer also sends events to EventBridge for error findings. An error finding is a finding generated when IAM Access Analyzer can't analyze the resource. Events for error findings include an `error` attribute, whose value is either `ACCESS_DENIED` or `INTERNAL_ERROR`, as shown in the following example.

```
{
    "version": "0",
    "id": "5a94b99b-e87d-a6a7-58c7-f47871532860",
    "detail-type": "Internal Access Finding",
    "source": "aws.access-analyzer-test",
    "account": "444455556666",
    "time": "2025-05-07T11:57:54Z",
    "region": "us-west-2",
    "resources": ["arn:aws:access-analyzer-beta:us-west-2:444455556666:analyzer/example-analyzer"],
    "detail": {
        "analyzedAt": "2025-03-24T19:58:52.512329448Z",
        "createdAt": "2025-03-22T03:30:46.920200692Z",
        "id": "ef573afd-12a5-4095-87a6-bf2f25109895",
        "isDeleted": false,
        "findingType": "InternalAccess",
        "resource": "arn:aws:s3:::test-entity-88",
        "accountId": "111122223333",
        "resourceControlPolicyRestrictionType": "NOT_APPLICABLE",
        "resourceType": "AWS::S3::Bucket",
        "serviceControlPolicyRestrictionType": "NOT_APPLICABLE",
        "error": "ACCESS_DENIED",
        "status": "ACTIVE",
        "updatedAt": "2025-03-24T20:09:39.176075014Z",
        "version": "1.0"
    }
}
```

## Example unused access findings related events


The following is an example IAM Access Analyzer unused access finding event sent to EventBridge. The `id` listed is the ID for the event in EventBridge. To learn more, see [Events and Event Patterns in EventBridge](https://docs.aws.amazon.com/eventbridge/latest/userguide/eventbridge-and-event-patterns.html).

In the `detail` object, the values for the `accountId` and `region` attributes refer to the account and region reported in the finding. The `isDeleted` attribute indicates whether the event was from the finding being deleted. The `id` is the finding ID.

```
{
    "version": "0",
    "id": "dc7ce3ee-114b-3243-e249-7f10f9054b21",
    "detail-type": "Unused Access Finding for IAM entities",
    "source": "aws.access-analyzer",
    "account": "123456789012",
    "time": "2023-09-29T17:31:40Z",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:123456789012:analyzer/integTestLongLivingAnalyzer-DO-NOT-DELETE"
    ],
    "detail": {
        "findingId": "b8ae0460-5d29-4922-b92a-ba956c986277",
        "resource": "arn:aws:iam::111122223333:role/FindingIntegTestFakeRole",
        "resourceType": "AWS::IAM::Role",
        "accountId": "111122223333",
        "createdAt": "2023-09-29T17:29:18.758Z",
        "updatedAt": "2023-09-29T17:29:18.758Z",
        "analyzedAt": "2023-09-29T17:29:18.758Z",
        "previousStatus": "",
        "status": "ACTIVE",
        "version": "62160bda-8e94-46d6-ac97-9670930d8ffb",
        "isDeleted": false,
        "findingType": "UnusedPermission",
        "numberOfUnusedServices": 0,
        "numberOfUnusedActions": 1
    }
}
```

IAM Access Analyzer also sends events to EventBridge for error findings. An error finding is a finding generated when IAM Access Analyzer can't analyze the resource. Events for error findings include an `error` attribute as shown in the following example.

```
{
    "version": "0",
    "id": "c2e7aa1a-4df7-7652-f33e-64113b8997d4",
    "detail-type": "Unused Access Finding for IAM entities",
    "source": "aws.access-analyzer",
    "account": "111122223333",
    "time": "2023-10-31T20:26:12Z",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ba811f91-de99-41a4-97c0-7481898b53f2"
    ],
    "detail": {
        "findingId": "b01a34f2-e118-46c9-aef8-0d8526b495c7",
        "resource": "arn:aws:iam::123456789012:role/TestRole",
        "resourceType": "AWS::IAM::Role",
        "accountId": "444455556666",
        "createdAt": "2023-10-31T20:26:08.647Z",
        "updatedAt": "2023-10-31T20:26:09.245Z",
        "analyzedAt": "2023-10-31T20:26:08.525Z",
        "previousStatus": "",
        "status": "ACTIVE",
        "version": "7c7a72a2-7963-4c59-ac71-f0be597010f7",
        "isDeleted": false,
        "findingType": "UnusedIAMRole",
        "error": "INTERNAL_ERROR"
    }
}
```

## Example access preview events


The following example shows data for the first event that is sent to EventBridge when you create an access preview. The `resources` array is a singleton with the ARN of the analyzer that the access preview is associated with. In the `detail` object, the `accessPreviewId` refers to the access preview ID and `configuredResources` refers to the resource for which the access preview was created. The `status` is `CREATING` and refers to the access preview status. The `previousStatus` is not specified because the access preview was just created.

```
{
    "account": "111122223333",
    "detail": {
        "accessPreviewId": "aaaabbbb-cccc-dddd-eeee-ffffaaaabbbb",
        "configuredResources": [
            "arn:aws:s3:::amzn-s3-demo-bucket"
        ],
        "createdAt": "2020-02-20T00:00:00.00Z",
        "region": "us-west-2",
        "status": "CREATING",
        "version": "1.0"
    },
    "detail-type": "Access Preview State Change",
    "id": "aaaabbbb-2222-3333-4444-555566667777",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/MyAnalyzer"
    ],
    "source": "aws.access-analyzer",
    "time": "2020-02-20T00:00:00.00Z",
    "version": "0"
}
```

The following example shows data for an event that is sent to EventBridge for an access preview with a status change from `CREATING` to `COMPLETED`. In the `detail` object, the `accessPreviewId` refers to the access preview ID. The `status` and `previousStatus` refer to the access preview status, where the previous status was `CREATING` and the current status is `COMPLETED`.

```
{
    "account": "111122223333",
    "detail": {
        "accessPreviewId": "aaaabbbb-cccc-dddd-eeee-ffffaaaabbbb",
        "configuredResources": [
            "arn:aws:s3:::amzn-s3-demo-bucket"
        ],
        "createdAt": "2020-02-20T00:00:00.000Z",
        "previousStatus": "CREATING",
        "region": "us-west-2",
        "status": "COMPLETED",
        "version": "1.0"
    },
    "detail-type": "Access Preview State Change",
    "id": "11112222-3333-4444-5555-666677778888",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/MyAnalyzer"
    ],
    "source": "aws.access-analyzer",
    "time": "2020-02-20T00:00:00.00Z",
    "version": "0"
}
```

The following example shows data for an event that is sent to EventBridge for an access preview with a status change from `CREATING` to `FAILED`. In the `detail` object, the `accessPreviewId` refers to the access preview ID. The `status` and `previousStatus` refer to the access preview status, where the previous status was `CREATING` and the current status is `FAILED`. The `statusReason` object provides the reason code; `INVALID_CONFIGURATION` indicates that the access preview failed because of an invalid resource configuration.

```
{
    "account": "111122223333",
    "detail": {
        "accessPreviewId": "aaaabbbb-cccc-dddd-eeee-ffffaaaabbbb",
        "configuredResources": [
            "arn:aws:s3:::amzn-s3-demo-bucket"
        ],
        "createdAt": "2020-02-20T00:00:00.00Z",
        "previousStatus": "CREATING",
        "region": "us-west-2",
        "status": "FAILED",
        "statusReason": {
            "code": "INVALID_CONFIGURATION"
        },
        "version": "1.0"
    },
    "detail-type": "Access Preview State Change",
    "id": "99998888-7777-6666-5555-444433332222",
    "region": "us-west-2",
    "resources": [
        "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/MyAnalyzer"
    ],
    "source": "aws.access-analyzer",
    "time": "2020-02-20T00:00:00.00Z",
    "version": "0"
}
```

## Creating an event rule using the console


The following procedure describes how to create an event rule using the console.

1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/).

1. Using the following values, create an EventBridge rule that monitors finding events or access preview events:
   + For **Rule type**, choose **Rule with an event pattern**.
   + For **Event source**, choose **Other**.
   + For **Event pattern**, choose **Custom patterns (JSON editor)**, and paste one of the following event pattern examples into the text area:
     + To create a rule based on any IAM Access Analyzer event, use the following pattern example:

       ```
       {
         "source": [
           "aws.access-analyzer"
         ]
       }
       ```
     + To create a rule based on an external access, internal access, or unused access findings event, use the following pattern example:

       ```
       {
         "source": [
           "aws.access-analyzer"
         ],
         "detail-type": [
           "Access Analyzer Finding",
           "Internal Access Finding",
           "Unused Access Finding for IAM entities"
         ]
       }
       ```
     + To create a rule based only on an external access findings event, use the following pattern example:

       ```
       {
         "source": [
           "aws.access-analyzer"
         ],
         "detail-type": [
           "Access Analyzer Finding"
         ]
       }
       ```
     + To create a rule based only on an internal access findings event, use the following pattern example:

       ```
       {
         "source": [
           "aws.access-analyzer"
         ],
         "detail-type": [
           "Internal Access Finding"
         ]
       }
       ```
     + To create a rule based only on an unused access findings event, use the following pattern example:

       ```
       {
         "source": [
           "aws.access-analyzer"
         ],
         "detail-type": [
           "Unused Access Finding for IAM entities"
         ]
       }
       ```
     + To create a rule based on an access preview event, use the following pattern example:

       ```
       {
         "source": [
           "aws.access-analyzer"
         ],
         "detail-type": [
           "Access Preview State Change"
         ]
       }
       ```
   + For **Target types**, choose **AWS service**, and for **Select a target**, choose a target such as an Amazon SNS topic or AWS Lambda function. The target is triggered when an event is received that matches the event pattern defined in the rule.

   To learn more about creating rules, see [Creating Amazon EventBridge rules that react to events](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-create-rule.html) in the *Amazon EventBridge User Guide*.

### Creating an event rule using the CLI


1. Use the following to create a rule for Amazon EventBridge using the AWS CLI. Replace the rule name *TestRule* with the name for your rule.

   ```
   aws events put-rule --name TestRule --event-pattern "{\"source\":[\"aws.access-analyzer\"]}"
   ```

1. You can customize the rule to trigger target actions only for a subset of generated findings, such as findings with specific attributes. The following example demonstrates how to create a rule that triggers a target action only for findings with a status of Active.

   ```
   aws events put-rule --name TestRule --event-pattern "{\"source\":[\"aws.access-analyzer\"],\"detail-type\":[\"Access Analyzer Finding\"],\"detail\":{\"status\":[\"ACTIVE\"]}}"
   ```

   The following example demonstrates how to create a rule that triggers a target action only for access previews whose status has changed to `COMPLETED`.

   ```
   aws events put-rule --name TestRule --event-pattern "{\"source\":[\"aws.access-analyzer\"],\"detail-type\":[\"Access Preview State Change\"],\"detail\":{\"status\":[\"COMPLETED\"]}}"
   ```

1. To define a Lambda function as a target for the rule you created, use the following example command. Replace the Region and the function name in the ARN as appropriate for your environment.

   ```
   aws events put-targets --rule TestRule --targets Id=1,Arn=arn:aws:lambda:us-east-1:111122223333:function:MyFunction
   ```

1. Add the permissions required to invoke the rule target. The following example demonstrates how to grant permissions to a Lambda function, following the preceding examples. The `--source-arn` option limits the statement to invocations from that rule's ARN, so no other rule or account can invoke the function through it.

   ```
   aws lambda add-permission --function-name MyFunction --statement-id 1 --action 'lambda:InvokeFunction' --principal events.amazonaws.com --source-arn arn:aws:events:us-east-1:111122223333:rule/TestRule
   ```
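
The Lambda target wired up by these steps has to tell apart the four `detail-type` values and the error, deleted and access preview events shown in the examples above. The following handler is an added example, not AWS code: it assumes only the field names in those examples, and it summarizes external access events by `detail.resource` alone because their body is not shown on this page.

```python
"""Triage IAM Access Analyzer events at an EventBridge rule target (added example).

Field names follow the event examples on this page. The external access event body
is not shown here, so those events are summarized by detail.resource only (assumption).
"""
ACCESS_ANALYZER_SOURCE = "aws.access-analyzer"
EXTERNAL_FINDING = "Access Analyzer Finding"
INTERNAL_FINDING = "Internal Access Finding"
UNUSED_FINDING = "Unused Access Finding for IAM entities"
PREVIEW_CHANGE = "Access Preview State Change"

# The "status ACTIVE" rule pattern from the CLI step, as a dict.
ACTIVE_EXTERNAL_PATTERN = {
    "source": [ACCESS_ANALYZER_SOURCE],
    "detail-type": [EXTERNAL_FINDING],
    "detail": {"status": ["ACTIVE"]},
}


def matches_pattern(event, pattern):
    """Minimal EventBridge-style matcher for the exact-value patterns on this page:
    every pattern key must exist in the event, a list means "value is one of these",
    a dict recurses. Content filters (prefix, anything-but, ...) are not implemented."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(expected, dict):
            if not isinstance(value, dict) or not matches_pattern(value, expected):
                return False
        elif value not in expected:
            return False
    return True


def triage(event):
    """Classify one event; category is ignore, error, external, internal, unused or preview."""
    if event.get("source") != ACCESS_ANALYZER_SOURCE:
        return {"category": "ignore", "ref": None, "summary": "not an IAM Access Analyzer event"}
    detail = event.get("detail", {})
    detail_type = event.get("detail-type")

    if detail_type == PREVIEW_CHANGE:
        # The first event has no previousStatus; FAILED events carry statusReason.code.
        previous = detail.get("previousStatus") or "(new)"
        summary = f"access preview {previous} -> {detail.get('status')}"
        if detail.get("status") == "FAILED":
            summary += f" ({detail.get('statusReason', {}).get('code')})"
        return {"category": "preview", "ref": detail.get("accessPreviewId"), "summary": summary}

    # Unused access events carry findingId; internal (and external) events carry id.
    ref = detail.get("findingId") or detail.get("id")
    if detail.get("isDeleted"):
        return {"category": "ignore", "ref": ref, "summary": "finding deleted"}
    if "error" in detail:
        # ACCESS_DENIED or INTERNAL_ERROR: the resource could not be analyzed, so this
        # needs an operator rather than the normal remediation path.
        return {"category": "error", "ref": ref,
                "summary": f"{detail['error']} analyzing {detail.get('resource')}"}
    if detail.get("status") != "ACTIVE":
        return {"category": "ignore", "ref": ref, "summary": f"status {detail.get('status')}"}

    resource = detail.get("resource")
    if detail_type == INTERNAL_FINDING:
        principal = detail.get("principal", {}).get("AWS")
        actions = ",".join(detail.get("action", []))
        summary = f"{principal} can {actions} on {resource} ({detail.get('accessType')})"
        return {"category": "internal", "ref": ref, "summary": summary}
    if detail_type == UNUSED_FINDING:
        summary = (f"{detail.get('findingType')} on {resource}: "
                   f"{detail.get('numberOfUnusedActions', 0)} unused actions, "
                   f"{detail.get('numberOfUnusedServices', 0)} unused services")
        return {"category": "unused", "ref": ref, "summary": summary}
    if detail_type == EXTERNAL_FINDING:
        return {"category": "external", "ref": ref, "summary": f"external access to {resource}"}
    return {"category": "ignore", "ref": ref, "summary": f"unknown detail-type {detail_type}"}


def lambda_handler(event, context=None):
    """Lambda target entry point: EventBridge delivers one event per invocation."""
    return triage(event)


# Constructed samples, trimmed from the internal access and unused access error examples.
INTERNAL_EVENT = {
    "source": "aws.access-analyzer", "detail-type": "Internal Access Finding",
    "detail": {"id": "11111111-2222-4444-aaaa-333333333333", "isDeleted": False,
               "status": "ACTIVE", "accessType": "INTRA_ACCOUNT", "action": ["s3:GetObject"],
               "principal": {"AWS": "arn:aws:iam::111122223333:role/MyRole_6"},
               "resource": "arn:aws:s3:::critical-data"},
}
ERROR_EVENT = {
    "source": "aws.access-analyzer", "detail-type": "Unused Access Finding for IAM entities",
    "detail": {"findingId": "b01a34f2-e118-46c9-aef8-0d8526b495c7", "isDeleted": False,
               "status": "ACTIVE", "findingType": "UnusedIAMRole",
               "resource": "arn:aws:iam::123456789012:role/TestRole", "error": "INTERNAL_ERROR"},
}
```

The rule patterns from the console procedure can be checked against sample events locally with `matches_pattern` before the rule is deployed.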

# Integrate IAM Access Analyzer with AWS Security Hub CSPM
Security Hub CSPM integration

[AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides a comprehensive view of your security state across AWS. It helps you assess your environment against security industry standards and best practices. Security Hub CSPM collects security data from across AWS accounts, services, and supported third-party partner products. It then analyzes your security trends and identifies the highest priority security issues.

When you integrate IAM Access Analyzer with Security Hub CSPM, you can send findings from IAM Access Analyzer to Security Hub CSPM. Security Hub CSPM can then include those findings in its analysis of your overall security posture.

**Contents**
+ [How IAM Access Analyzer sends findings to Security Hub CSPM](#access-analyzer-securityhub-integration-sending-findings)
  + [Types of findings that IAM Access Analyzer sends](#access-analyzer-securityhub-integration-finding-types)
  + [Latency for sending findings](#access-analyzer-securityhub-integration-finding-latency)
  + [Retrying when Security Hub CSPM is not available](#access-analyzer-securityhub-integration-retry-send)
  + [Updating existing findings in Security Hub CSPM](#access-analyzer-securityhub-integration-finding-updates)
+ [Viewing IAM Access Analyzer findings in Security Hub CSPM](#access-analyzer-securityhub-integration-viewing-findings)
  + [Interpreting IAM Access Analyzer finding names in Security Hub CSPM](#access-analyzer-securityhub-integration-intrepreting-finding-names)
+ [Typical findings from IAM Access Analyzer](#access-analyzer-securityhub-integration-finding-example)
+ [Enabling and configuring the integration](#access-analyzer-securityhub-integration-enable)
+ [How to stop sending findings](#access-analyzer-securityhub-integration-disable)

## How IAM Access Analyzer sends findings to Security Hub CSPM


In Security Hub CSPM, security issues are tracked as findings. Some findings come from issues that are detected by other AWS services or by third-party partners. Security Hub CSPM also has a set of rules that it uses to detect security issues and generate findings.

Security Hub CSPM provides tools to manage findings from across all of these sources. You can view and filter lists of findings and view detailed information about each finding. For more information, see [Viewing findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-viewing.html) in the *AWS Security Hub User Guide*. You can also track the status of investigations into findings. For more information, see [Taking action on findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-taking-action.html) in the *AWS Security Hub User Guide*.

All findings in Security Hub CSPM use a standard JSON format called the AWS Security Finding Format (ASFF). The ASFF includes details about the source of the issue, the affected resources, and the current status of the finding. For more information, see [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) in the *AWS Security Hub User Guide*.

AWS Identity and Access Management Access Analyzer is one of the AWS services that sends findings to Security Hub CSPM. For unused access, IAM Access Analyzer detects unused access granted to IAM users or roles and generates a finding for each of them. IAM Access Analyzer then sends these findings to Security Hub CSPM.

For external access, IAM Access Analyzer detects policy statements that allow public access or cross-account access to external principals on [supported resources](access-analyzer-resources.md) in your organization or account. IAM Access Analyzer generates a finding for public access and sends it to Security Hub CSPM. For cross-account access, IAM Access Analyzer sends a single finding for one external principal at a time to Security Hub CSPM. If there are multiple cross-account findings in IAM Access Analyzer, you must resolve the Security Hub CSPM finding for the single external principal before IAM Access Analyzer provides the next cross-account finding. For a full list of external principals with cross-account access outside the zone of trust for the analyzer, you must view the findings in IAM Access Analyzer. Details about the resource control policy (RCP) are available in the resource detail section.

### Types of findings that IAM Access Analyzer sends


IAM Access Analyzer sends the findings to Security Hub CSPM using the [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html). In ASFF, the `Types` field provides the finding type. Findings from IAM Access Analyzer can have the following values for `Types`.
+ External access findings – Effects/Data Exposure/External Access Granted
+ External access findings – Software and Configuration Checks/AWS Security Best Practices/External Access Granted
+ Unused access findings – Software and Configuration Checks/AWS Security Best Practices/Unused Permission
+ Unused access findings – Software and Configuration Checks/AWS Security Best Practices/Unused IAM Role
+ Unused access findings – Software and Configuration Checks/AWS Security Best Practices/Unused IAM User Password
+ Unused access findings – Software and Configuration Checks/AWS Security Best Practices/Unused IAM User Access Key

### Latency for sending findings


When IAM Access Analyzer creates a new finding, it is usually sent to Security Hub CSPM within 30 minutes. However, there are rare cases when IAM Access Analyzer may not be notified about a policy change. For example:
+ Changes to Amazon S3 account-level block public access settings can take up to 12 hours to be reflected in IAM Access Analyzer.
+ Changes to a resource control policy (RCP) without a change to the resource-based policy do not trigger a rescan of the resource reported in the finding. IAM Access Analyzer analyzes the new or updated policy during the next periodic scan, which is within 24 hours.
+ If there is a delivery issue with AWS CloudTrail log delivery, a policy change may not trigger a rescan of the resource that was reported in the finding.

In these situations, IAM Access Analyzer analyzes the new or updated policy during the next periodic scan.

### Retrying when Security Hub CSPM is not available


If Security Hub CSPM is not available, IAM Access Analyzer retries sending the findings on a periodic basis.

### Updating existing findings in Security Hub CSPM


After sending a finding to Security Hub CSPM, IAM Access Analyzer continues to send updates to reflect any additional observations of the finding activity to Security Hub CSPM. These updates are reflected within the same finding.

For external access findings, IAM Access Analyzer groups them by resource. In Security Hub CSPM, the finding for a resource remains active if at least one of the findings for that resource is active in IAM Access Analyzer. If all findings in IAM Access Analyzer for a resource are archived or resolved, then the Security Hub CSPM finding is also archived. The Security Hub CSPM finding is updated when the policy access changes between public and cross-account access. This update can include changes to the type, title, description, and severity of the finding.

For unused access findings, IAM Access Analyzer does not group them by resource. Instead, if an unused access finding is resolved in IAM Access Analyzer, then the corresponding Security Hub CSPM finding is also resolved. The Security Hub CSPM finding is updated when you update the IAM user or role that generated the unused access finding.

## Viewing IAM Access Analyzer findings in Security Hub CSPM


To view your IAM Access Analyzer findings in Security Hub CSPM, choose **See findings** in the **AWS: IAM Access Analyzer** section of the summary page. Alternatively, you can choose **Findings** from the navigation panel. You can then filter the findings to display only AWS Identity and Access Management Access Analyzer findings by choosing the **Product name:** field with a value of **IAM Access Analyzer**.

### Interpreting IAM Access Analyzer finding names in Security Hub CSPM


AWS Identity and Access Management Access Analyzer sends the findings to Security Hub CSPM using the AWS Security Finding Format (ASFF). In ASFF, the **Types** field provides the finding type. ASFF types use a different naming scheme than AWS Identity and Access Management Access Analyzer. The following table includes details about all of the ASFF types associated with AWS Identity and Access Management Access Analyzer findings as they appear in Security Hub CSPM.



| ASFF finding type | Security Hub CSPM finding title | Description | 
| --- | --- | --- | 
| Effects/Data Exposure/External Access Granted | <resource ARN> allows public access | A resource-based policy attached to the resource allows public access on the resource to all external principals. | 
| Software and Configuration Checks/AWS Security Best Practices/External Access Granted | <resource ARN> allows cross-account access | A resource-based policy attached to the resource allows cross-account access to external principals outside the zone of trust for the analyzer. | 
| Software and Configuration Checks/AWS Security Best Practices/Unused Permission | <resource ARN> contains unused permissions | A user or role contains unused service and action permissions. | 
| Software and Configuration Checks/AWS Security Best Practices/Unused IAM Role | <resource ARN> contains unused IAM role | A user or role contains an unused IAM role. | 
| Software and Configuration Checks/AWS Security Best Practices/Unused IAM User Password | <resource ARN> contains unused IAM user password | A user or role contains an unused IAM user password. | 
| Software and Configuration Checks/AWS Security Best Practices/Unused IAM User Access Key | <resource ARN> contains unused IAM user access key | A user or role contains an unused IAM user access key. | 

## Typical findings from IAM Access Analyzer


IAM Access Analyzer sends findings to Security Hub CSPM using the [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html).

Here is an example of a typical finding from IAM Access Analyzer for external access findings.

```
{
    "SchemaVersion": "2018-10-08",
    "Id": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/my-analyzer/arn:aws:s3:::amzn-s3-demo-bucket",
    "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/access-analyzer",
    "GeneratorId": "aws/access-analyzer",
    "AwsAccountId": "111122223333",
    "Types": ["Software and Configuration Checks/AWS Security Best Practices/External Access Granted"],
    "CreatedAt": "2020-11-10T16:17:47Z",
    "UpdatedAt": "2020-11-10T16:43:49Z",
    "Severity": {
        "Product": 1,
        "Label": "LOW",
        "Normalized": 1
    },
    "Title": "AwsS3Bucket/arn:aws:s3:::amzn-s3-demo-bucket/ allows cross-account access",
    "Description": "AWS::S3::Bucket/arn:aws:s3:::amzn-s3-demo-bucket/ allows cross-account access from AWS 444455556666",
    "Remediation": {
        "Recommendation": {"Text": "If the access isn't intended, it indicates a potential security risk. Use the console for the resource to modify or remove the policy that grants the unintended access. You can use the Rescan button on the Finding details page in the Access Analyzer console to confirm whether the change removed the access. If the access is removed, the status changes to Resolved."}
    },
    "SourceUrl": "https://console.aws.amazon.com/access-analyzer/home?region=us-west-2#/findings/details/dad90d5d-63b4-6575-b0fa-ef9c556ge798",
    "Resources": [
        {
            "Type": "AwsS3Bucket",
            "Id": "arn:aws:s3:::amzn-s3-demo-bucket",
            "Details": {
                "Other": {
                    "External Principal Type": "AWS",
                    "Condition": "none",
                    "Action Granted": "s3:GetObject,s3:GetObjectVersion",
                    "External Principal": "444455556666"
                }
            }
        }
    ],
    "WorkflowState": "NEW",
    "Workflow": {"Status": "NEW"},
    "RecordState": "ACTIVE"
}
```

Here is an example of a typical finding from IAM Access Analyzer for unused access findings.

```
{
    "Findings": [
        {
            "SchemaVersion": "2018-10-08",
            "Id": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/integTestAnalyzer-DO-NOT-DELETE/arn:aws:iam::111122223333:role/TestRole/UnusedPermissions",
            "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/access-analyzer",
            "ProductName": "IAM Access Analyzer",
            "CompanyName": "AWS",
            "Region": "us-west-2",
            "GeneratorId": "aws/access-analyzer",
            "AwsAccountId": "111122223333",
            "Types": [
                "Software and Configuration Checks/AWS Security Best Practices/Unused Permission"
            ],
            "CreatedAt": "2023-09-18T16:29:09.657Z",
            "UpdatedAt": "2023-09-21T20:39:16.651Z",
            "Severity": {
                "Product": 1,
                "Label": "LOW",
                "Normalized": 1
            },
            "Title": "AwsIamRole/arn:aws:iam::111122223333:role/IsengardRole-DO-NOT-DELETE/ contains unused permissions",
            "Description": "AWS::IAM::Role/arn:aws:iam::111122223333:role/IsengardRole-DO-NOT-DELETE/ contains unused service and action-level permissions",
            "Remediation": {
                "Recommendation": {
                    "Text": "If the unused permissions aren’t required, delete the permissions to refine access to your account. Use the IAM console to modify or remove the policy that grants the unused permissions. If all the unused permissions are removed, the status of the finding changes to Resolved."
                }
            },
            "SourceUrl": "https://us-west-2.console.aws.amazon.com/access-analyzer/home?region=us-west-2#/unused-access-findings?resource=arn%3Aaws%3Aiam%3A%3A903798373645%3Arole%2FTestRole",
            "ProductFields": {
                "numberOfUnusedActions": "256",
                "numberOfUnusedServices": "15",
                "resourceOwnerAccount": "111122223333",
                "findingId": "DEMO24d8d-0d3f-4d3d-99f4-299fc8a62ee7",
                "findingType": "UnusedPermission",
                "aws/securityhub/FindingId": "arn:aws:securityhub:us-west-2::product/aws/access-analyzer/arn:aws:access-analyzer:us-west-2:111122223333:analyzer/integTestAnalyzer-DO-NOT-DELETE/arn:aws:iam::111122223333:role/TestRole/UnusedPermissions",
                "aws/securityhub/ProductName": "IAM Access Analyzer",
                "aws/securityhub/CompanyName": "AWS"
            },
            "Resources": [
                {
                    "Type": "AwsIamRole",
                    "Id": "arn:aws:iam::111122223333:role/TestRole"
                }
            ],
            "WorkflowState": "NEW",
            "Workflow": {
                "Status": "NEW"
            },
            "RecordState": "ARCHIVED",
            "FindingProviderFields": {
                "Severity": {
                    "Label": "LOW"
                },
                "Types": [
                    "Software and Configuration Checks/AWS Security Best Practices/Unused Permission"
                ]
            }
        }
    ]
}
```
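
A small parser for the ASFF documents shown above, as an added example rather than AWS code: it maps the `Types` values from the finding-type table to short categories, skips findings whose `RecordState` is `ARCHIVED`, and reads the external principal and granted actions from the `Details.Other` keys of the external access example and the unused counts from `ProductFields` of the unused access example. The sample finding is constructed from the external access example.

```python
"""Summarize IAM Access Analyzer findings fetched from Security Hub CSPM (added example).

Categories come from the ASFF Types listed on this page; for external access findings
the external principal and granted actions are read from Resources[].Details.Other,
using the key names shown in the external access example above.
"""
ACCESS_ANALYZER_PRODUCT = "::product/aws/access-analyzer"

# ASFF Types -> short category, from the finding-type table on this page.
TYPE_CATEGORIES = {
    "Effects/Data Exposure/External Access Granted": "public-access",
    "Software and Configuration Checks/AWS Security Best Practices/External Access Granted":
        "cross-account-access",
    "Software and Configuration Checks/AWS Security Best Practices/Unused Permission": "unused-permission",
    "Software and Configuration Checks/AWS Security Best Practices/Unused IAM Role": "unused-role",
    "Software and Configuration Checks/AWS Security Best Practices/Unused IAM User Password": "unused-password",
    "Software and Configuration Checks/AWS Security Best Practices/Unused IAM User Access Key": "unused-access-key",
}


def summarize_finding(finding):
    """Flatten one ASFF finding; None for findings that are not from IAM Access Analyzer
    or whose RecordState is ARCHIVED (every underlying finding resolved or archived)."""
    if not finding.get("ProductArn", "").endswith(ACCESS_ANALYZER_PRODUCT):
        return None
    if finding.get("RecordState") == "ARCHIVED":
        return None
    resources = finding.get("Resources", [])
    summary = {
        "id": finding.get("Id"),
        "account": finding.get("AwsAccountId"),
        "categories": [TYPE_CATEGORIES.get(t, "unknown") for t in finding.get("Types", [])],
        "severity": finding.get("Severity", {}).get("Label"),
        "resources": [r.get("Id") for r in resources],
        "workflow": finding.get("Workflow", {}).get("Status"),
    }
    # External access findings describe the grant under Details.Other; "Action Granted"
    # is a comma-separated string, not a list.
    for r in resources:
        other = r.get("Details", {}).get("Other", {})
        if "External Principal" in other:
            summary["external_principal"] = other["External Principal"]
            summary["external_principal_type"] = other.get("External Principal Type")
            summary["condition"] = other.get("Condition")
            summary["actions"] = [a for a in other.get("Action Granted", "").split(",") if a]
    # Unused access findings carry their counts as strings in ProductFields.
    fields = finding.get("ProductFields", {})
    if "numberOfUnusedActions" in fields:
        summary["unused_actions"] = int(fields["numberOfUnusedActions"])
        summary["unused_services"] = int(fields.get("numberOfUnusedServices", 0))
    return summary


def summarize_findings(payload):
    """Accept a GetFindings-style response ({"Findings": [...]}) or a bare list."""
    findings = payload.get("Findings", []) if isinstance(payload, dict) else payload
    return [s for s in (summarize_finding(f) for f in findings) if s is not None]


# Constructed sample, trimmed from the external access finding example above.
EXTERNAL_SAMPLE = {
    "Id": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/my-analyzer/arn:aws:s3:::amzn-s3-demo-bucket",
    "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/access-analyzer",
    "AwsAccountId": "111122223333",
    "Types": ["Software and Configuration Checks/AWS Security Best Practices/External Access Granted"],
    "Severity": {"Product": 1, "Label": "LOW", "Normalized": 1},
    "Resources": [{
        "Type": "AwsS3Bucket",
        "Id": "arn:aws:s3:::amzn-s3-demo-bucket",
        "Details": {"Other": {
            "External Principal Type": "AWS",
            "Condition": "none",
            "Action Granted": "s3:GetObject,s3:GetObjectVersion",
            "External Principal": "444455556666",
        }},
    }],
    "Workflow": {"Status": "NEW"},
    "RecordState": "ACTIVE",
}
```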

## Enabling and configuring the integration


To use the integration with Security Hub CSPM, you must enable Security Hub CSPM. For information on how to enable Security Hub CSPM, see [Setting up Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html) in the *AWS Security Hub User Guide*.

When you enable both IAM Access Analyzer and Security Hub CSPM, the integration is enabled automatically. IAM Access Analyzer immediately begins to send findings to Security Hub CSPM.

## How to stop sending findings


To stop sending findings to Security Hub CSPM, you can use either the Security Hub CSPM console or the API.

See [Disabling and enabling the flow of findings from an integration (console)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-integrations-managing.html#securityhub-integration-findings-flow-console) or [Disabling the flow of findings from an integration (Security Hub API, AWS CLI)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-integrations-managing.html#securityhub-integration-findings-flow-disable-api) in the *AWS Security Hub User Guide*.

# Logging IAM Access Analyzer API calls with AWS CloudTrail
Logging with CloudTrail

IAM Access Analyzer is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in IAM Access Analyzer. CloudTrail captures all API calls for IAM Access Analyzer as events. The calls captured include calls from the IAM Access Analyzer console and code calls to the IAM Access Analyzer API operations. 

If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for IAM Access Analyzer. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. 

Using the information collected by CloudTrail, you can determine the request that was made to IAM Access Analyzer, the IP address from which the request was made, who made the request, when it was made, and additional details. 

To learn more about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).

## IAM Access Analyzer information in CloudTrail


CloudTrail is enabled on your AWS account when you create the account. When activity occurs in IAM Access Analyzer, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing Events with CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html). 

For an ongoing record of events in your AWS account, including events for IAM Access Analyzer, create a trail. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following: 
+ [Overview for Creating a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail Supported Services and Integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS Notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail Log Files from Multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail Log Files from Multiple Accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

All IAM Access Analyzer actions are logged by CloudTrail and are documented in the [IAM Access Analyzer API Reference](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/). For example, calls to the `CreateAnalyzer`, `CreateArchiveRule` and `ListFindings` actions generate entries in the CloudTrail log files.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following: 
+ Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

For more information, see the [CloudTrail userIdentity Element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).

## Understanding IAM Access Analyzer log file entries


A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order. 

The following example shows a CloudTrail log entry for the `CreateAnalyzer` operation made by an assumed-role session named `Alice-tempcreds` on June 14, 2021. The role session was issued by the role named `admin-tempcreds`.

```
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIBKEVSQ6C2EXAMPLE:Alice-tempcreds",
    "arn": "arn:aws:sts::111122223333:assumed-role/admin-tempcreds/Alice-tempcreds",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "true",
        "creationDate": "2021-06-14T22:54:20Z"
      },
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AKIAI44QH8DHBEXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/admin-tempcreds",
        "accountId": "111122223333",
        "userName": "admin-tempcreds"
      },
      "webIdFederationData": {}
    }
  },
  "eventTime": "2021-06-14T22:57:36Z",
  "eventSource": "access-analyzer.amazonaws.com",
  "eventName": "CreateAnalyzer",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "198.51.100.179",
  "userAgent": "aws-sdk-java/1.12.79 Linux/5.4.141-78.230 OpenJDK_64-Bit_Server_VM/25.302-b08 java/1.8.0_302 vendor/Oracle_Corporation cfg/retry-mode/standard",
  "requestParameters": {
    "analyzerName": "test",
    "type": "ACCOUNT",
    "clientToken": "11111111-abcd-2222-abcd-222222222222",
    "tags": {
      "tagkey1": "tagvalue1"
    }
  },
  "responseElements": {
    "arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/test"
  },
  "requestID": "22222222-dcba-4444-dcba-333333333333",
  "eventID": "33333333-bcde-5555-bcde-444444444444",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
```
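
Detection logic over records of this shape, as an added example that is not part of the AWS documentation: it flags Access Analyzer configuration changes that reduce findings coverage (deleting an analyzer, creating or updating an archive rule) and escalates them when `sessionContext.attributes.mfaAuthenticated` is not `"true"`. The event names are real IAM Access Analyzer API operations; the severity ranking and the sample records are constructed.

```python
"""Flag risky IAM Access Analyzer API activity in CloudTrail records.

Added example, not AWS code. It consumes the record shape shown above
(eventSource "access-analyzer.amazonaws.com", userIdentity with
sessionContext.attributes.mfaAuthenticated). Event names are real API
operations; severities and sample records are constructed here.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Mutating Access Analyzer operations worth alerting on (API operation names).
WATCHED_EVENTS = {
    "DeleteAnalyzer": "high",       # findings coverage is removed entirely
    "CreateArchiveRule": "medium",  # matching future findings are auto-archived
    "UpdateArchiveRule": "medium",
    "CreateAnalyzer": "info",       # benign, but record who enabled analysis
}


@dataclass
class Alert:
    event_id: str
    event_name: str
    severity: str
    actor_arn: str
    mfa: bool
    reason: str


def mfa_authenticated(identity: dict) -> bool:
    """CloudTrail serialises the MFA flag as the string "true"/"false"."""
    attrs = (identity.get("sessionContext") or {}).get("attributes") or {}
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def analyze_record(record: dict) -> Optional[Alert]:
    """Return an Alert for a successful, watched Access Analyzer call."""
    if record.get("eventSource") != "access-analyzer.amazonaws.com":
        return None
    name = record.get("eventName", "")
    if name not in WATCHED_EVENTS or record.get("errorCode"):
        return None  # unwatched operation, or the call was denied/failed
    identity = record.get("userIdentity") or {}
    mfa = mfa_authenticated(identity)
    severity = WATCHED_EVENTS[name]
    reason = f"{name} called"
    # A coverage-reducing change from a session without MFA is escalated.
    if severity != "info" and not mfa:
        severity = "high"
        reason += " from a session without MFA"
    params = record.get("requestParameters") or {}
    # Archive rule calls carry their filter in requestParameters (assumed shape).
    if name.endswith("ArchiveRule") and isinstance(params.get("filter"), dict):
        reason += f"; archive filter keys: {sorted(params['filter'])}"
    return Alert(record.get("eventID", "?"), name, severity,
                 identity.get("arn", "?"), mfa, reason)


def scan_log_file(text: str) -> list:
    """Scan one CloudTrail log file ({"Records": [...]}) and return alerts."""
    records = json.loads(text).get("Records", [])
    return [a for a in map(analyze_record, records) if a is not None]


def _sample_record(name, mfa, event_id, params=None,
                   source="access-analyzer.amazonaws.com"):
    """Constructed record in the shape of the entry above."""
    return {
        "eventSource": source, "eventName": name, "eventID": event_id,
        "eventType": "AwsApiCall", "awsRegion": "us-west-2",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/admin-tempcreds/Alice-tempcreds",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true" if mfa else "false"}},
        },
        "requestParameters": params or {},
    }


# Constructed log file: one benign call, one unwatched S3 call, two risky ones.
SAMPLE_LOG = json.dumps({"Records": [
    _sample_record("CreateAnalyzer", True, "evt-1", {"analyzerName": "test", "type": "ACCOUNT"}),
    _sample_record("GetBucketPolicy", False, "evt-2", source="s3.amazonaws.com"),
    _sample_record("DeleteAnalyzer", False, "evt-3", {"analyzerName": "test"}),
    _sample_record("CreateArchiveRule", True, "evt-4",
                   {"analyzerName": "test", "ruleName": "partner",
                    "filter": {"isPublic": {"eq": ["false"]},
                               "principal.AWS": {"eq": ["444455556666"]}}}),
]})

if __name__ == "__main__":
    for alert in scan_log_file(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.event_id} {alert.reason} (actor {alert.actor_arn})")
```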

# IAM Access Analyzer filter keys

You can use the filter keys below to define an archive rule ([CreateArchiveRule](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateArchiveRule.html)), update an archive rule ([UpdateArchiveRule](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_UpdateArchiveRule.html)), retrieve a list of findings ([ListFindings](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListFindings.html) and [ListFindingsV2](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListFindingsV2.html)), or retrieve a list of access preview findings for a resource ([ListAccessPreviewFindings](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListAccessPreviewFindings.html)). There is no difference between using the IAM API and CloudFormation for configuring archive rules.


| **Criterion** | **AWS Management Console field** | **Description** | **Type** | **Archive rule** | **List findings** | **List access preview findings** | **Supported analyzer types** |
| --- | --- | --- | --- | --- | --- | --- | --- |
| resource | Resource | The ARN uniquely identifying the resource that the external principal has access to. To learn more, see [Amazon resource names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html). | String | Yes | Yes | Yes | External, Internal, Unused |
| resourceType (values: `AWS::S3::Bucket`, `AWS::IAM::Role`, `AWS::SQS::Queue`, `AWS::Lambda::Function`, `AWS::Lambda::LayerVersion`, `AWS::KMS::Key`, `AWS::SecretsManager::Secret`, `AWS::EFS::FileSystem`, `AWS::EC2::Snapshot`, `AWS::ECR::Repository`, `AWS::RDS::DBSnapshot`, `AWS::RDS::DBClusterSnapshot`, `AWS::SNS::Topic`, `AWS::S3Express::DirectoryBucket`, `AWS::DynamoDB::Table`, `AWS::DynamoDB::Stream`, `AWS::IAM::User`) | Resource Type | The type of resource that the external principal has access to. Internal access analyzers don't support all resource types that external access analyzers support. Unused access analyzers only support IAM users and roles. For more information, see [IAM Access Analyzer supported resource types for external and internal access](access-analyzer-resources.md). | String | Yes | Yes | Yes | External, Internal, Unused |
| resourceOwnerAccount | Resource Owner Account | The 12-digit AWS account ID that owns the resource. To learn more, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). | String | Yes | Yes | Yes | External, Internal, Unused |
| isPublic | Public access | Indicates whether the finding reports a resource that has a policy that allows public access. | Boolean | Yes | Yes | Yes | External |
| findingType (values: `ExternalAccess`, `UnusedIAMRole`, `UnusedIAMUserAccessKey`, `UnusedIAMUserPassword`, `UnusedPermission`, `InternalAccess`) | Findings type | The type of the finding. For external access analyzers, the type is ExternalAccess. For unused access analyzers, the type can be UnusedIAMRole, UnusedIAMUserAccessKey, UnusedIAMUserPassword, or UnusedPermission. For internal access analyzers, the type is InternalAccess. | String | Yes | Yes | Yes | External, Internal, Unused |
| resourceControlPolicyRestriction (values: `APPLIED`, `APPLICABLE`, `FAILED_TO_EVALUATE_RCP`, `NOT_APPLICABLE`) | Resource control policy (RCP) restriction | The type of restriction applied by the resource owner with an Organizations resource control policy (RCP). For more information about the values for this filter key, see [ExternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ExternalAccessDetails.html) and [InternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_InternalAccessDetails.html) in the IAM Access Analyzer API Reference. | String | Yes | Yes | Yes | External, Internal |
| serviceControlPolicyRestriction (values: `APPLIED`, `APPLICABLE`, `FAILED_TO_EVALUATE_SCP`, `NOT_APPLICABLE`) | Service control policy (SCP) restriction | The type of restriction applied by an Organizations service control policy (SCP). For more information about the values for this filter key, see [InternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_InternalAccessDetails.html) in the IAM Access Analyzer API Reference. | String | Yes | Yes | Yes | Internal |
| status (values: `ACTIVE`, `ARCHIVED`, `RESOLVED`) | Status | The current status of the finding. | String | No | Yes | Yes | External, Internal, Unused |
| error | Error | Indicates the error reported for the finding. | String | Yes | Yes | Yes | External, Internal |
| principal.AWS | AWS Account | The account granted access to the resource in the Principal field of the finding. Enter the 12-digit AWS account ID or the ARN of the external AWS user or role. To learn more, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). | String | Yes | Yes | Yes | External |
| principal.Federated | Federated User | The ARN of the federated identity that has access to the resource in the finding. To learn more, see [Identity providers and federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html). | String | Yes | Yes | Yes | External |
| condition.aws:PrincipalArn | Principal ARN | The ARN of the principal (IAM user, role, or group) indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.aws:PrincipalOrgID | Principal OrgID | The organization identifier of the principal indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.aws:PrincipalOrgPaths | Principal OrgPaths | The organization or organizational unit (OU) ID indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.aws:SourceIp | Source IP | The IP address that allows the principal access to the resource when using the specified IP address. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | IP address | Yes | Yes | Yes | External |
| condition.aws:SourceVpc | Source VPC | The VPC ID that allows the principal access to the resource when using the specified VPC. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.aws:UserId | User ID | The user ID of the IAM user from an external account indicated as the condition for access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.aws:VpceAccount | VPCE Account | The account ID of the VPC endpoint that allows the principal access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External, Internal |
| condition.aws:SourceVpcArn | Source VPC Arn | The VPC ARN that allows the principal access to the resource when using the specified VPC. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | ARN | Yes | Yes | Yes | External |
| condition.aws:VpceOrgID | VPCE OrgID | The organization ID for the VPC endpoint that allows the principal access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External, Internal |
| condition.aws:VpceOrgPaths | VPCE OrgPaths | The organizational unit (OU) for the VPC endpoint that allows the principal access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String (list) | Yes | Yes | Yes | External, Internal |
| condition.cognito-identity.amazonaws.com:aud | Cognito Audience | The Amazon Cognito identity pool ID specified as a condition for IAM role access in the finding. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.graph.facebook.com:app_id | Facebook App ID | The Facebook application ID (or site ID) specified as a condition to allow Login with Facebook federation access to the IAM role in the finding. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.accounts.google.com:aud | Google Audience | The Google application ID specified as a condition for access to the IAM role. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.kms:CallerAccount | KMS Key ID | The AWS account ID that owns the calling entity (IAM user, role, or account root user) used by services calling AWS KMS. To learn more, see [Condition keys for AWS Key Management Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html#awskeymanagementservice-policy-keys). | String | Yes | Yes | Yes | External |
| condition.www.amazon.com:app_id | Amazon App ID | The Amazon application ID (or site ID) specified as a condition to allow Login with Amazon federation access to the role. To learn more, see | String | Yes | Yes | Yes | External |
| id | Finding ID | The ID of the finding. | String | No | Yes | Yes | External, Internal, Unused |
| changeType (values: `CHANGED`, `NEW`, `UNCHANGED`) |  | Provides context on how the access preview finding compares to existing access identified in IAM Access Analyzer. | String | No | No | Yes | External |
| existingFindingId |  | The existing ID of the finding in IAM Access Analyzer, provided only for existing findings in the access preview. | String | No | No | Yes | External |
| existingFindingStatus |  | The existing status of the finding, provided only for existing findings in the access preview. | String | No | No | Yes | External |
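
A way to dry-run an archive rule before creating it, as an added example that is not AWS code: the allowed keys are taken from the **Archive rule** column of the table above, the operator names (`eq`, `neq`, `contains`, `exists`) are the fields of the `Criterion` type in the IAM Access Analyzer API, and the local matcher approximates how a filter applies to a finding so you can see which known findings a rule would silence. The partner account and the findings are constructed.

```python
"""Validate an IAM Access Analyzer archive-rule filter and dry-run it locally.

Added example, not AWS code. ARCHIVE_RULE_KEYS comes from the table above;
eq/neq/contains/exists are the Criterion fields of the Access Analyzer API.
The matcher approximates the service's evaluation; findings are constructed.
"""
from typing import Any

# Keys the table marks "Yes" under Archive rule. status, id, changeType and the
# existingFinding* keys are list/preview-only and must be rejected here.
ARCHIVE_RULE_KEYS = {
    "resource", "resourceType", "resourceOwnerAccount", "isPublic", "findingType",
    "resourceControlPolicyRestriction", "serviceControlPolicyRestriction", "error",
    "principal.AWS", "principal.Federated", "condition.aws:PrincipalArn",
    "condition.aws:PrincipalOrgID", "condition.aws:PrincipalOrgPaths",
    "condition.aws:SourceIp", "condition.aws:SourceVpc", "condition.aws:UserId",
    "condition.aws:VpceAccount", "condition.aws:SourceVpcArn",
    "condition.aws:VpceOrgID", "condition.aws:VpceOrgPaths",
    "condition.cognito-identity.amazonaws.com:aud",
    "condition.graph.facebook.com:app_id", "condition.accounts.google.com:aud",
    "condition.kms:CallerAccount", "condition.www.amazon.com:app_id",
}
OPERATORS = {"eq", "neq", "contains", "exists"}


def validate_archive_filter(flt: dict) -> dict:
    """Raise ValueError for keys or operators an archive rule cannot use."""
    for key, criterion in flt.items():
        if key not in ARCHIVE_RULE_KEYS:
            raise ValueError(f"{key!r} is not a valid archive-rule filter key")
        if not criterion or set(criterion) - OPERATORS:
            raise ValueError(f"{key!r}: criterion must use only {sorted(OPERATORS)}")
    return flt


def _lookup(finding: dict, key: str) -> Any:
    """Map 'principal.AWS' / 'condition.aws:SourceVpc' onto nested finding fields."""
    head, _, rest = key.partition(".")
    if head in ("principal", "condition") and rest:
        return (finding.get(head) or {}).get(rest)
    return finding.get(key)


def _as_text(value: Any):
    # Criterion values are strings; booleans such as isPublic compare as "true"/"false".
    if isinstance(value, bool):
        return "true" if value else "false"
    return None if value is None else str(value)


def finding_matches(finding: dict, flt: dict) -> bool:
    """All criteria must hold (AND); within eq/neq/contains any listed value counts."""
    for key, criterion in flt.items():
        value = _as_text(_lookup(finding, key))
        for op, operand in criterion.items():
            if op == "exists" and (value is not None) != (str(operand).lower() == "true"):
                return False
            if op == "eq" and value not in operand:
                return False
            if op == "neq" and value in operand:
                return False
            if op == "contains" and (value is None or not any(s in value for s in operand)):
                return False
    return True


def dry_run(flt: dict, findings: list) -> list:
    """Return the IDs of the findings this rule would archive."""
    validate_archive_filter(flt)
    return [f["id"] for f in findings if finding_matches(f, flt)]


# Rule: auto-archive non-public S3 bucket access granted to a known partner account.
PARTNER_RULE = {
    "resourceType": {"eq": ["AWS::S3::Bucket"]},
    "principal.AWS": {"eq": ["444455556666"]},  # constructed partner account ID
    "isPublic": {"eq": ["false"]},              # never silence public exposure
}

# Constructed findings in the shape returned by ListFindings.
SAMPLE_FINDINGS = [
    {"id": "f-1", "resourceType": "AWS::S3::Bucket", "isPublic": False,
     "principal": {"AWS": "444455556666"}, "status": "ACTIVE"},
    {"id": "f-2", "resourceType": "AWS::S3::Bucket", "isPublic": True,
     "principal": {"AWS": "*"}, "status": "ACTIVE"},  # public: must stay visible
    {"id": "f-3", "resourceType": "AWS::IAM::Role", "isPublic": False,
     "principal": {"AWS": "444455556666"}, "status": "ACTIVE"},
]

if __name__ == "__main__":
    print("would archive:", dry_run(PARTNER_RULE, SAMPLE_FINDINGS))  # ['f-1']
```

Once the dry-run shows only the intended findings, the same `PARTNER_RULE` dict is what you pass as the `filter` of `CreateArchiveRule`.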

# Using service-linked roles for AWS Identity and Access Management Access Analyzer

AWS Identity and Access Management Access Analyzer uses an IAM [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role linked directly to IAM Access Analyzer. Service-linked roles are predefined by IAM Access Analyzer and include all the permissions that the feature requires to call other AWS services on your behalf.

A service-linked role makes setting up IAM Access Analyzer easier because you don’t have to manually add the necessary permissions. IAM Access Analyzer defines the permissions of its service-linked roles, and unless defined otherwise, only IAM Access Analyzer can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity.

For information about other services that support service-linked roles, see [AWS Services That Work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for AWS Identity and Access Management Access Analyzer


AWS Identity and Access Management Access Analyzer uses the service-linked role named **AWSServiceRoleForAccessAnalyzer**, which allows Access Analyzer to analyze resource metadata for external access and to analyze activity to identify unused access.

The AWSServiceRoleForAccessAnalyzer service-linked role trusts the following services to assume the role:
+ `access-analyzer.amazonaws.com`

The role permissions policy named [`AccessAnalyzerServiceRolePolicy`](security-iam-awsmanpol.md#security-iam-aa-service-role-policy) allows IAM Access Analyzer to complete actions on specific resources.

You must configure permissions to allow an IAM entity (such as a user, group, or role) to create, edit, or delete a service-linked role. For more information, see [Service-Linked Role Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) in the *IAM User Guide*.

## Creating a service-linked role for IAM Access Analyzer


You don't need to manually create a service-linked role. When you enable Access Analyzer in the AWS Management Console or the AWS API, IAM Access Analyzer creates the service-linked role for you. The same service-linked role is used in all Regions in which you enable IAM Access Analyzer. Both external access and unused access findings use the same service-linked role.

**Note**  
IAM Access Analyzer is Regional. You must enable IAM Access Analyzer in each Region independently.

If you delete this service-linked role, IAM Access Analyzer recreates the role when you next create an analyzer.

You can also use the IAM console to create a service-linked role with the **Access Analyzer** use case. In the AWS CLI or the AWS API, create a service-linked role with the `access-analyzer.amazonaws.com` service name. For more information, see [Creating a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#create-service-linked-role) in the *IAM User Guide*. If you delete this service-linked role, you can use this same process to create the role again.

## Editing a service-linked role for IAM Access Analyzer


IAM Access Analyzer does not allow you to edit the AWSServiceRoleForAccessAnalyzer service-linked role. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role) in the *IAM User Guide*.

## Deleting a service-linked role for IAM Access Analyzer


If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that isn't actively monitored or maintained. However, you must clean up the resources for your service-linked role before you can manually delete it.

If IAM Access Analyzer is enabled in one or more Regions in your AWS Organizations organization, you must delete all analyzers in all Regions for your organization before attempting to delete this role.

**Note**  
If IAM Access Analyzer is using the role when you try to delete the resources, then the deletion might fail. If that happens, wait for a few minutes and try the operation again.

**To delete IAM Access Analyzer resources used by the AWSServiceRoleForAccessAnalyzer role**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the **Access reports** section, under **Access analyzer**, choose **Analyzers**.

1. Choose the analyzer from which you want to delete IAM Access Analyzer resources attached to the service-linked role.

1. Choose **Delete**.

1. To confirm that you want to delete the analyzers, enter **delete**, and then choose **Delete**.

**To manually delete the service-linked role using IAM**

Use the IAM console, the AWS CLI, or the AWS API to delete the AWSServiceRoleForAccessAnalyzer service-linked role. For more information, see [Deleting a Service-Linked Role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

## Supported Regions for IAM Access Analyzer service-linked roles


IAM Access Analyzer supports using service-linked roles in all of the Regions where the service is available. For more information, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html).