ACCT.11 Enable IAM Access Analyzer
Enable IAM Access Analyzer in each AWS Region you use. IAM itself is a global service, but an Access Analyzer analyzer is a Regional resource: it only examines resources in the Region where you create it, so you must create one in every Region you operate in to get visibility into resource sharing across your AWS footprint. An external access analyzer reports every resource policy that grants access to a principal outside your account or organization, including public access, for resources such as Amazon S3 buckets, IAM roles, and AWS KMS keys, so that unintended sharing is caught before it is abused.
To enable IAM Access Analyzer
- Open the IAM console.
- In the left navigation pane, choose Access Analyzer.
- Choose Create analyzer.
- For the analyzer type, choose external access analysis (unused access analysis is a separate analyzer; see the pricing note below).
- Enter a name for your analyzer.
- For the analyzer scope, choose Account for a single account, or choose Organization if you are using AWS Organizations and are creating the analyzer from the management account or a delegated administrator account.
- Choose Create analyzer.
- Repeat these steps in every other Region you use, because each analyzer covers only its own Region.
Review the findings in the Access Analyzer console and update resource policies to remove unintended external access. For more information, see Reviewing findings for IAM Access Analyzer in the IAM documentation. Prioritize high-impact findings, such as public Amazon S3 buckets or IAM roles that can be assumed from outside your AWS account. When a finding reflects access that is intended, archive it (or create an archive rule that matches it) so that only unexpected access remains active and the active list stays worth reading.
Note
IAM Access Analyzer pricing depends on the analyzer type and features you use. An external access analyzer is available at no additional charge. Early-stage startups should start with an external access analyzer. For more information about pricing, see IAM Access Analyzer pricing.
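The procedure above, scripted so that it covers every enabled Region and ranks the active findings with the high-impact ones first. This is an added example, not code from the AWS documentation: it calls the IAM Access Analyzer API (ListAnalyzers, CreateAnalyzer, ListFindings) and EC2 DescribeRegions through boto3, and the analyzer name ssb-external-access, the ranking weights, and the required IAM permissions are assumptions made here, not statements from the page.

```python
"""Create an external access analyzer in every enabled Region and rank its
active findings.  Added example, not code from the AWS documentation.

Assumptions (not from the page): the analyzer name "ssb-external-access",
the ranking weights below, and that the caller holds
access-analyzer:ListAnalyzers, access-analyzer:CreateAnalyzer,
access-analyzer:ListFindings and ec2:DescribeRegions.  boto3 is imported
inside the function that talks to AWS so the pure helpers run without it.
"""
from typing import Any, Dict, Iterable, List

ANALYZER_NAME = "ssb-external-access"  # assumed name, not from the page

# Resource types the baseline calls high impact get an extra boost.
HIGH_IMPACT_TYPES = {"AWS::S3::Bucket": 3, "AWS::IAM::Role": 3, "AWS::KMS::Key": 2}


def analyzer_params(name: str, org_scope: bool) -> Dict[str, str]:
    """Request body for CreateAnalyzer: ACCOUNT for a single account,
    ORGANIZATION when run from the management or delegated admin account."""
    return {"analyzerName": name, "type": "ORGANIZATION" if org_scope else "ACCOUNT"}


def finding_priority(finding: Dict[str, Any]) -> int:
    """Higher is worse.  Archived or resolved findings score 0, public access
    outranks cross-account access, and S3 buckets, IAM roles and KMS keys
    outrank other resource types."""
    if finding.get("status") != "ACTIVE":
        return 0
    score = 10 if finding.get("isPublic") else 5
    return score + HIGH_IMPACT_TYPES.get(finding.get("resourceType", ""), 0)


def prioritize(findings: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Active findings only, worst first; ties keep their input order."""
    active = [f for f in findings if finding_priority(f) > 0]
    return sorted(active, key=finding_priority, reverse=True)


def enabled_regions(session: Any) -> List[str]:
    """Regions enabled for this account.  DescribeRegions leaves out opt-in
    Regions you have not opted into unless AllRegions=True is passed."""
    ec2 = session.client("ec2")
    return sorted(r["RegionName"] for r in ec2.describe_regions()["Regions"])


def ensure_analyzer(client: Any, name: str, org_scope: bool) -> str:
    """Create the analyzer in the client's Region unless one with this name
    already exists, and return its ARN.  Analyzers are Regional, which is
    why enable_everywhere() calls this once per Region."""
    params = analyzer_params(name, org_scope)
    for existing in client.list_analyzers(type=params["type"])["analyzers"]:
        if existing["name"] == name:
            return existing["arn"]
    return client.create_analyzer(**params)["arn"]


def active_findings(client: Any, analyzer_arn: str) -> List[Dict[str, Any]]:
    """All ACTIVE findings for one analyzer, following pagination."""
    found: List[Dict[str, Any]] = []
    paginator = client.get_paginator("list_findings")
    for page in paginator.paginate(analyzerArn=analyzer_arn,
                                   filter={"status": {"eq": ["ACTIVE"]}}):
        found.extend(page["findings"])
    return found


def enable_everywhere(org_scope: bool = False) -> Dict[str, List[Dict[str, Any]]]:
    """Create the analyzer in every enabled Region and return the ranked
    active findings keyed by Region."""
    import boto3  # lazy import so the pure helpers above need no boto3
    session = boto3.Session()
    report: Dict[str, List[Dict[str, Any]]] = {}
    for region in enabled_regions(session):
        client = session.client("accessanalyzer", region_name=region)
        arn = ensure_analyzer(client, ANALYZER_NAME, org_scope)
        report[region] = prioritize(active_findings(client, arn))
    return report


if __name__ == "__main__":
    # Uses the default credential chain; run with org_scope=True from the
    # management or delegated administrator account for an organization analyzer.
    for region, findings in enable_everywhere().items():
        for f in findings:
            who = "PUBLIC" if f.get("isPublic") else f.get("principal", {})
            print(f"{region} {finding_priority(f):>2} {f['resourceType']} {f['resource']} <- {who}")
```

Run it once after creating the analyzers and again after each policy change; a finding whose access is intended should be archived in the console rather than left active, otherwise it keeps crowding the top of this list. If you create the organization-scoped analyzer, the unused access analyzer mentioned in the pricing note is a different analyzer type and is not created by this script.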