Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission Analysis
Detect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.
Overview of Access Analyzer
IAM Access Analyzer is a service that detects access permission issues using two types of analyzers. The external access analyzer examines resource policies on S3 buckets, IAM roles, and other resources to identify configurations that allow access from accounts outside your organization or from the public. The unused access analyzer cross-references CloudTrail activity logs with IAM role permissions to detect permissions that are not actually being used. It also provides a feature that auto-generates least-privilege IAM policies based on past CloudTrail activity, along with custom policy checks that can be integrated into CI/CD pipelines.
Unused Permissions and Policy Generation
The unused access analyzer compares IAM role and user permissions against CloudTrail activity to detect actions not used for 90 days or more, unused access keys, and unused roles. The 90-day window is the default value, so account for batch processes that run only quarterly, which would otherwise show up as false positives. Policy generation automatically creates a least-privilege IAM policy containing only the actions actually used, based on the past 90 days of CloudTrail activity. Rather than applying a generated policy as-is, review it first so that actions which may be needed in the future are not dropped. Custom policy checks can be integrated into CI/CD pipelines to automatically verify that IAM policy changes do not grant specific actions such as s3:* or iam:*. A common pattern is to place a Lambda function in a CodePipeline stage that uses the CheckNoNewAccess API to verify the safety of policy changes.
Leveraging External Access Detection
The external access analyzer examines S3 bucket policies, IAM role trust policies, KMS key policies, Lambda function policies, and SQS queue policies to detect resources accessible from external accounts or the public. Findings are classified as archived (intentional sharing) or active (requires action), allowing you to prioritize fixing unintended external exposure. Custom policy checks can automatically verify in CI/CD pipelines that policy changes do not introduce new external access. Integration with Organizations enables centralized management of external access across all accounts, providing visibility into the security posture of the entire organization. To deepen your understanding of IAM security, specialized books on Amazon can also be helpful.
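The CI/CD gate described in the two sections above, as an added example (not code from the original page): request builders for the three custom policy checks (CheckAccessNotGranted for the blocked actions named on this page, CheckNoNewAccess against a reference policy, and CheckNoPublicAccess for the resource policies covered under external access), plus the verdict logic a pipeline stage would apply. The policy documents and the FAIL response are constructed samples shaped like the API's output; run_identity_checks() makes live boto3 calls only when no client is passed in.

```python
import json

# Actions the page names as never to be granted by a policy change.
BLOCKED_ACTIONS = ["s3:*", "iam:*"]

def access_not_granted_params(policy, blocked=BLOCKED_ACTIONS):
    """CheckAccessNotGranted: FAIL if the policy can grant any blocked action."""
    return {"policyDocument": json.dumps(policy),
            "access": [{"actions": blocked}],
            "policyType": "IDENTITY_POLICY"}

def no_new_access_params(new_policy, existing_policy):
    """CheckNoNewAccess: FAIL if new_policy grants access existing_policy does not."""
    return {"newPolicyDocument": json.dumps(new_policy),
            "existingPolicyDocument": json.dumps(existing_policy),
            "policyType": "IDENTITY_POLICY"}

def no_public_access_params(resource_policy, resource_type="AWS::S3::Bucket"):
    """CheckNoPublicAccess: FAIL if a resource policy opens the resource to the public."""
    return {"policyDocument": json.dumps(resource_policy), "resourceType": resource_type}

def gate_decision(responses):
    """Collapse check responses into (allowed, reasons); any non-PASS result blocks the change."""
    reasons = []
    for resp in responses:
        if resp.get("result") != "PASS":
            reasons.append(resp.get("message", "check did not pass"))
            for r in resp.get("reasons", []):  # per-statement detail returned by the API
                reasons.append("  %s: %s" % (r.get("statementId", "?"), r.get("description", "")))
    return (not reasons, reasons)

def run_identity_checks(new_policy, existing_policy, client=None):
    """Call both identity-policy checks; needs boto3 and AWS credentials unless a client is passed."""
    if client is None:
        import boto3  # lazy import so the builders and gate_decision() run without AWS access
        client = boto3.client("accessanalyzer")
    return gate_decision([
        client.check_access_not_granted(**access_not_granted_params(new_policy)),
        client.check_no_new_access(**no_new_access_params(new_policy, existing_policy)),
    ])

# Constructed sample change: a read-only role widened to s3:* on every resource.
EXISTING = {"Version": "2012-10-17", "Statement": [{"Sid": "ReadOnly", "Effect": "Allow",
            "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}
PROPOSED = {"Version": "2012-10-17", "Statement": [{"Sid": "Widened", "Effect": "Allow",
            "Action": ["s3:*"], "Resource": "*"}]}
# Constructed FAIL response in the shape CheckAccessNotGranted returns for such a change.
SAMPLE_FAIL = {"result": "FAIL", "message": "The policy document grants access to the specified actions.",
               "reasons": [{"description": "Statement grants s3:*", "statementId": "Widened", "statementIndex": 0}]}
```

In a pipeline stage, a False verdict from gate_decision() fails the stage and the collected reasons are what the reviewer sees.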
Access Analyzer Pricing
The external access analyzer is available at no charge. The unused access analyzer is billed based on the number of IAM roles and users analyzed, at approximately $0.20 per role/user per month. Custom policy checks cost approximately $0.002 per check. In large-scale environments with many IAM entities, unused access analyzer costs can add up, so a phased rollout starting with critical accounts is recommended. The external access analyzer can be enabled at no cost across all accounts and is essential as a security baseline.
Summary
Access Analyzer is a service that enforces the principle of least privilege through external access and unused permission detection. It efficiently configures appropriate permissions via CloudTrail-based automatic policy generation, and automates the entire permission management lifecycle by integrating security verification into CI/CD pipelines through custom policy checks.