IAM Access Analyzer

A service that automatically analyzes resource policies on S3 buckets, IAM roles, and more to detect external access and unused permissions, strengthening your security posture

Overview

IAM Access Analyzer is a security service that uses automated reasoning (a mathematical analysis of what a policy provably allows, rather than pattern matching on its text) to analyze policies attached to AWS resources and detect unintended external access and excessive permissions. It monitors resource policies on S3 buckets, IAM roles (their trust policies), KMS keys, Lambda functions, SQS queues, and other supported resource types, re-analyzing them when they change and raising a finding whenever a resource is accessible from another AWS account or from the public. Its unused access analysis uses IAM's last-accessed information to identify permissions that are granted but never exercised, and its policy generation feature turns a role's or user's CloudTrail activity into a least-privilege policy draft. Custom policy checks let you embed automated policy verification in CI/CD pipelines so that policy changes are confirmed to stay within intended boundaries before they are deployed.

External Access Analysis and Findings

Access Analyzer's external access analysis uses the automated reasoning engine to evaluate every combination of principal, action and condition a resource policy allows, and reports the resources that are reachable from outside the zone of trust. The zone of trust is typically the AWS account; with Organizations it can be extended to the whole organization, so sharing between member accounts is not reported. Each finding records which resource grants which actions to which principal, whether the access is public, and any conditions that constrain it. A finding is in one of three states: Active, Archived, or Resolved. Access you intend to grant can be archived to remove false-positive noise, and a finding moves to Resolved once the access it reported has been removed from the policy. Archive rules automatically archive new findings that match filter criteria you define, for example "sharing an S3 bucket with a specific partner account is approved". Scope such rules as narrowly as the intent allows (resource type plus principal, not resource type alone), because a finding an archive rule matches will never surface as Active. Forwarding new findings through EventBridge to Security Hub or a chat channel such as Slack is the recommended operational pattern.
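Before an archive rule is created it is worth knowing exactly which current findings it would silence. The following is an added example and not code from the original page or from AWS: it evaluates an archive-rule filter locally against findings in the shape `list-findings` returns, approximating the filter operators (eq, neq, contains, exists) with plain string comparison rather than reproducing the service's implementation. The findings, the partner account number and the ARNs are constructed assumptions.

```python
"""Dry-run an Access Analyzer archive-rule filter against external access findings.

Added example, not code from the original page or from AWS. Previews which findings a
filter would archive before create-archive-rule is called. Operator semantics are a
plain-string approximation; the findings, PARTNER_ACCOUNT and ARNs are constructed.
"""
import json
from typing import Any

PARTNER_ACCOUNT = "111122223333"  # assumed approved partner account

# Filter as it would be passed to `aws accessanalyzer create-archive-rule --filter`:
# "sharing an S3 bucket with the partner account is approved".
PARTNER_BUCKET_RULE = {
    "resourceType": {"eq": ["AWS::S3::Bucket"]},
    "principal.AWS": {"eq": [PARTNER_ACCOUNT]},
    "isPublic": {"eq": ["false"]},
}

# Tighter variant: approve the sharing only while the grant stays read-only.
PARTNER_BUCKET_READ_RULE = {
    **PARTNER_BUCKET_RULE,
    "action": {"neq": ["s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy"]},
}


def _finding(fid, rtype, resource, principal, public, actions) -> dict:
    """Constructed finding carrying the ListFindings fields a filter can reference."""
    return {"id": fid, "resourceType": rtype, "resource": resource, "principal": principal,
            "isPublic": public, "action": actions, "status": "ACTIVE"}


SAMPLE_FINDINGS = [
    _finding("f-1", "AWS::S3::Bucket", "arn:aws:s3:::partner-exchange",
             {"AWS": PARTNER_ACCOUNT}, False, ["s3:GetObject", "s3:ListBucket"]),
    _finding("f-2", "AWS::S3::Bucket", "arn:aws:s3:::marketing-assets",
             {"AWS": "*"}, True, ["s3:GetObject"]),
    _finding("f-3", "AWS::IAM::Role", "arn:aws:iam::123456789012:role/PartnerAssumeRole",
             {"AWS": PARTNER_ACCOUNT}, False, ["sts:AssumeRole"]),
    _finding("f-4", "AWS::S3::Bucket", "arn:aws:s3:::partner-exchange",
             {"AWS": PARTNER_ACCOUNT}, False, ["s3:DeleteObject", "s3:PutObject"]),
]


def _lookup(finding: dict, dotted_key: str) -> Any:
    """Resolve keys such as 'principal.AWS' or 'condition.aws:SourceVpc'; None if absent."""
    node: Any = finding
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _as_strings(value: Any) -> list[str]:
    """Filter values are strings; booleans compare as 'true'/'false'."""
    if isinstance(value, bool):
        return ["true" if value else "false"]
    return [str(v) for v in value] if isinstance(value, list) else [str(value)]


def finding_matches(finding: dict, rule_filter: dict) -> bool:
    """All criteria in a filter must hold for the rule to archive the finding."""
    for key, criteria in rule_filter.items():
        raw = _lookup(finding, key)
        values = [] if raw is None else _as_strings(raw)
        if "exists" in criteria and (raw is not None) != bool(criteria["exists"]):
            return False
        if "eq" in criteria and not (values and all(v in criteria["eq"] for v in values)):
            return False
        if "neq" in criteria and any(v in criteria["neq"] for v in values):
            return False
        if "contains" in criteria and not any(v in values for v in criteria["contains"]):
            return False
    return True


def dry_run(findings: list[dict], rule_filter: dict) -> dict[str, list[str]]:
    """Split finding ids into those the rule would archive and those left Active."""
    archived = [f["id"] for f in findings if finding_matches(f, rule_filter)]
    return {"archived": archived,
            "remaining": [f["id"] for f in findings if f["id"] not in archived]}


if __name__ == "__main__":
    for label, rule in (("partner bucket rule", PARTNER_BUCKET_RULE),
                        ("partner bucket read-only rule", PARTNER_BUCKET_READ_RULE)):
        print(label, json.dumps(dry_run(SAMPLE_FINDINGS, rule)))
```

With the first rule, finding f-4 (write access for the partner on the same bucket) is archived along with the intended read-only sharing, because the filter keys on resource type and principal only; the read-only variant leaves f-4 Active. Running the dry run against the real `list-findings` output before creating the rule catches exactly this kind of over-broad rule.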

Unused Access Analysis and Policy Optimization

Unused access analysis uses IAM last-accessed information to identify permissions granted to IAM users and roles that have gone unused. You set a tracking period (up to 180 days); within that window, actions never invoked, access keys never used, console passwords never used, and roles never assumed are reported as findings. This lets you remove excess permissions and move closer to least privilege. The policy generation feature is the complement: it reads the CloudTrail logs for a role or user over a chosen period and drafts an IAM policy containing only the actions that actually appeared. A practical staged approach is to start a new workload with broad permissions (such as AdministratorAccess) in a non-production account, let CloudTrail accumulate activity, then use policy generation to narrow the policy. Two limits matter here: anything that did not run during the window (a quarterly recovery procedure, a rarely exercised code path) is absent from the draft and has to be added by hand, and actions that never reach the trail being analyzed cannot be captured at all. Review the draft rather than deploying it unread. Unused access analyzers are created per account, and a delegated administrator in Organizations can create an organization-wide analyzer to review findings across all member accounts. Pricing is $0.20 per IAM role or user analyzed per month, which keeps cost forecasting straightforward even in large environments.
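To make the limits of log-driven policy generation concrete, here is an added example that is not the page's or AWS's code: a simplified, local version of the derivation the paragraph describes, from CloudTrail records to a policy draft. It keeps only events that belong to the role under review, fall inside the tracking window and did not fail, and it shows the event-name-to-action mapping step that a naive generator gets wrong (CloudTrail's `ListBuckets` event corresponds to the IAM action `s3:ListAllMyBuckets`). The records, the role ARN and the window are constructed assumptions.

```python
"""Derive a least-privilege policy skeleton from CloudTrail records.

Added example, not the page's or AWS's code: a simplified local illustration of the kind
of derivation Access Analyzer policy generation performs, written to make its limits
visible. The records are constructed; ROLE_ARN and the window are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

ROLE_ARN = "arn:aws:iam::123456789012:role/DeployRole"  # assumed role under review
WINDOW_END = datetime(2024, 6, 30, tzinfo=timezone.utc)   # assumed end of tracking period
WINDOW_DAYS = 90

# CloudTrail eventName is usually the IAM action name, but not always. A generator has to
# map the exceptions or the resulting policy will not authorise the real call.
EVENT_TO_ACTION = {
    ("s3.amazonaws.com", "ListBuckets"): "s3:ListAllMyBuckets",
    ("lambda.amazonaws.com", "UpdateFunctionCode20150331v2"): "lambda:UpdateFunctionCode",
}


def _role_event(time: str, source: str, name: str, **extra) -> dict:
    """Constructed CloudTrail record for a session of ROLE_ARN (fields trimmed)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}}, **extra}


SAMPLE_RECORDS = [
    _role_event("2024-06-01T10:00:00Z", "s3.amazonaws.com", "ListBuckets"),
    _role_event("2024-06-01T10:00:05Z", "s3.amazonaws.com", "GetBucketLocation"),
    _role_event("2024-06-02T09:30:00Z", "ec2.amazonaws.com", "DescribeInstances"),
    _role_event("2024-06-05T11:00:00Z", "lambda.amazonaws.com", "UpdateFunctionCode20150331v2"),
    # Denied attempt: the role tried, but this is not evidence of a needed permission.
    _role_event("2024-06-03T12:00:00Z", "iam.amazonaws.com", "CreateUser", errorCode="AccessDenied"),
    # Older than the tracking window: dropped. This is how a quarterly recovery procedure
    # silently disappears from a generated policy.
    _role_event("2024-01-15T08:00:00Z", "cloudformation.amazonaws.com", "DescribeStacks"),
    # Another principal's activity must not leak into DeployRole's policy.
    {"eventTime": "2024-06-04T08:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]


def principal_arn(record: dict):
    """For assumed-role sessions the stable identity is the issuing role, not the session ARN."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident.get("arn")


def to_action(record: dict) -> str:
    """Map an event to its IAM action, using the exception table where the names differ."""
    service = record["eventSource"].split(".")[0]
    return EVENT_TO_ACTION.get((record["eventSource"], record["eventName"]),
                               f"{service}:{record['eventName']}")


def used_actions(records, role_arn, window_end, window_days) -> set[str]:
    """Actions the role successfully invoked inside the tracking window."""
    start = window_end - timedelta(days=window_days)
    used = set()
    for r in records:
        seen = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if not (start <= seen <= window_end) or principal_arn(r) != role_arn or "errorCode" in r:
            continue
        used.add(to_action(r))
    return used


def build_policy(actions: set[str]) -> dict:
    """One statement per service. Resource stays "*" here: scoping it to ARNs is the
    manual review step that follows generation."""
    by_service: dict[str, list[str]] = {}
    for action in sorted(actions):
        by_service.setdefault(action.split(":")[0], []).append(action)
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": f"{svc.capitalize()}Used", "Effect": "Allow", "Action": acts, "Resource": "*"}
        for svc, acts in sorted(by_service.items())]}


if __name__ == "__main__":
    draft = build_policy(used_actions(SAMPLE_RECORDS, ROLE_ARN, WINDOW_END, WINDOW_DAYS))
    print(json.dumps(draft, indent=2))
```

The draft contains four actions across ec2, lambda and s3. The CloudFormation call is missing because it happened before the window opened, which is the review point: the generated policy is a floor built from observed activity, not a specification of what the role needs.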

Custom Policy Checks and CI/CD Integration

Custom policy checks use automated reasoning to verify that an IAM policy, or a change to one, complies with your organization's security standards, and they do so over the policy's full semantics rather than by string matching, so wildcards, Deny statements and conditions are accounted for. For example, you can enforce rules such as "no policy may grant iam:CreateAccessKey" or "only designated roles may be granted access to a particular KMS key" and evaluate them programmatically on every change. The CheckNoNewAccess API compares a proposed policy against a reference policy (typically the version currently deployed) and fails if the new version grants any access the reference did not. The CheckAccessNotGranted API checks that a policy grants none of a specified list of actions, optionally limited to specified resources. Both return a result of PASS or FAIL together with reasons that point at the offending statement, which makes them directly usable in pipeline conditional logic. Calling them from a CodePipeline stage or a GitHub Actions job blocks policy changes that fail before they are deployed, and running them against the IAM policies extracted from CloudFormation or Terraform templates in CI is an effective governance pattern at scale.
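The glue a pipeline needs around these two APIs is small but worth getting right: extract every policy document from the template, call both checks on each, and fail the job on any FAIL. The following is an added example, not code from the original page or from AWS. The Access Analyzer client is injected so the logic can run offline against `FakeAccessAnalyzer`, a stand-in that returns the real response shape but only approximates the checks by string and wildcard matching on Allow actions; in a pipeline you would pass `boto3.client("accessanalyzer")` instead and let the service do the reasoning. The template, the reference policy and the forbidden-action list are assumptions.

```python
"""CI gate built on IAM Access Analyzer custom policy checks.

Added example, not code from the original page or from AWS. Extracts identity policies
from a CloudFormation template, runs CheckNoNewAccess against a reference policy and
CheckAccessNotGranted against a forbidden-action list, and turns PASS/FAIL into an exit
code. The client is injected: pass boto3.client("accessanalyzer") in a pipeline; offline,
FakeAccessAnalyzer stands in. TEMPLATE, REFERENCE_POLICY and FORBIDDEN_ACTIONS are assumed.
"""
import fnmatch
import json
import sys

# Assumed organisation rule: these actions must never appear in an identity policy.
FORBIDDEN_ACTIONS = ["iam:CreateAccessKey", "iam:AttachUserPolicy", "s3:DeleteBucket"]

# Assumed currently deployed policy; a change may not grant anything beyond it.
REFERENCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "logs:PutLogEvents"],
     "Resource": "*"}]}

# Constructed template. Intrinsic functions (Ref, Fn::Sub) must be resolved before a
# document is submitted; the APIs expect plain policy JSON.
TEMPLATE = {"Resources": {
    "DeployRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "DeployInline", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["s3:GetObject", "s3:ListBucket", "logs:PutLogEvents", "s3:DeleteBucket"]}]}}]}},
    "ReadOnlyPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}}},
}}


def extract_identity_policies(template: dict) -> list[tuple[str, dict]]:
    """Collect managed policy documents and inline policies on roles, users and groups."""
    found = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::ManagedPolicy" and "PolicyDocument" in props:
            found.append((name, props["PolicyDocument"]))
        elif res.get("Type") in ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"):
            for inline in props.get("Policies", []):
                found.append((f"{name}/{inline['PolicyName']}", inline["PolicyDocument"]))
    return found


def run_checks(client, policies, reference: dict, forbidden: list[str]) -> list[dict]:
    """Run both checks on every policy; one record per FAIL, so an empty list passes the gate."""
    failures = []
    for name, doc in policies:
        doc_json = json.dumps(doc)
        no_new = client.check_no_new_access(newPolicyDocument=doc_json,
                                            existingPolicyDocument=json.dumps(reference),
                                            policyType="IDENTITY_POLICY")
        if no_new["result"] != "PASS":
            failures.append({"policy": name, "check": "CheckNoNewAccess",
                             "reasons": [r["description"] for r in no_new.get("reasons", [])]})
        # `access` takes a single Access object holding the list of actions to rule out.
        not_granted = client.check_access_not_granted(policyDocument=doc_json,
                                                      access=[{"actions": forbidden}],
                                                      policyType="IDENTITY_POLICY")
        if not_granted["result"] != "PASS":
            failures.append({"policy": name, "check": "CheckAccessNotGranted",
                             "reasons": [r["description"] for r in not_granted.get("reasons", [])]})
    return failures


class FakeAccessAnalyzer:
    """Offline stand-in with the real response shape (result, message, reasons). It matches
    Allow actions as strings with wildcards and ignores conditions, Deny, NotAction and
    resources, all of which the real service reasons about exactly."""

    @staticmethod
    def _allowed(doc_json: str) -> list[tuple[int, str]]:
        out = []
        for i, st in enumerate(json.loads(doc_json)["Statement"]):
            if st.get("Effect") == "Allow":
                acts = st.get("Action", [])
                out += [(i, a) for a in ([acts] if isinstance(acts, str) else acts)]
        return out

    @staticmethod
    def _respond(reasons: list[dict]) -> dict:
        return {"result": "FAIL" if reasons else "PASS",
                "message": "fake check " + ("failed" if reasons else "passed"), "reasons": reasons}

    def check_no_new_access(self, newPolicyDocument, existingPolicyDocument, policyType):
        old = {a for _, a in self._allowed(existingPolicyDocument)}
        new = [(i, a) for i, a in self._allowed(newPolicyDocument)
               if not any(fnmatch.fnmatchcase(a, o) for o in old)]
        return self._respond([{"description": f"New access granted: {a}", "statementIndex": i}
                              for i, a in new])

    def check_access_not_granted(self, policyDocument, access, policyType):
        hits = [(i, a, f) for i, a in self._allowed(policyDocument)
                for f in access[0]["actions"] if fnmatch.fnmatchcase(f, a)]
        return self._respond([{"description": f"Grants forbidden action {f} via {a}",
                               "statementIndex": i} for i, a, f in hits])


if __name__ == "__main__":
    # Pipeline entry point: replace FakeAccessAnalyzer() with boto3.client("accessanalyzer").
    result = run_checks(FakeAccessAnalyzer(), extract_identity_policies(TEMPLATE),
                        REFERENCE_POLICY, FORBIDDEN_ACTIONS)
    print(json.dumps(result, indent=2))
    sys.exit(1 if result else 0)
```

In the constructed template the inline policy on DeployRole fails both checks because it adds s3:DeleteBucket, an action that is both absent from the reference policy and on the forbidden list, while ReadOnlyPolicy passes. The job exits non-zero on any failure, which is all CodePipeline or GitHub Actions needs to stop the deployment.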
