
IAM Access Analyzer (Specialized, since 2019)

A service that detects externally accessible resources and unused access permissions

What It Does

IAM Access Analyzer automatically analyzes whether AWS resources such as S3 buckets and IAM roles are accessible from external accounts or the internet. It also detects IAM permissions unused for a certain period and helps create policies aligned with the principle of least privilege, reducing security risks through early detection of unintended access.

Use Cases

Used for regular checks to ensure S3 buckets and KMS keys are not unintentionally exposed, removing unnecessary permissions through IAM policy audits, and pre-deployment policy validation. Also used for access permission visualization in preparation for compliance audits.

Everyday Analogy

Think of it as a company security auditor who regularly checks the locks (access permissions) on each room (resource), reporting whether outsiders can enter or unused keys are left unattended. When issues are found, alerts are raised immediately with suggestions for proper configurations.

What Is IAM Access Analyzer

IAM Access Analyzer is a service that automatically analyzes access permissions to AWS resources and detects security issues. In AWS, access permissions are configured in various places such as S3 bucket policies and IAM role trust policies. As configurations become complex, resources may unintentionally become externally accessible. Access Analyzer automatically discovers these issues and prompts remediation.

External Access Detection

Access Analyzer analyzes resource policies for S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, and more to detect configurations allowing access from outside your AWS account. Results are displayed as "findings" where you can verify whether each is intentional. Intentional sharing can be archived, while unintentional access should be remediated by modifying the policy.

Unused Access Analysis

Access Analyzer compares the permissions granted to IAM users and roles with the permissions they have actually used, and reports those unused for a set period. For example, if S3 write permissions have not been used for 90 days, it reports this. Removing unnecessary permissions based on these findings achieves least privilege and minimizes the blast radius if credentials are compromised.

Getting Started

Create an analyzer from the "Access Analyzer" menu in the IAM console. Select your AWS account or organization as the trust zone, and analysis begins automatically. Results appear within minutes for review. Integrating with EventBridge enables automatic notifications for new findings.

Things to Watch Out For

  • Creating an analyzer is free, but unused access analysis is charged based on the number of IAM roles and users analyzed
  • Findings may include intentional sharing - not all indicate problems. Review each and decide whether to archive or remediate
  • With Organizations integration, set the entire organization as the trust zone so that sharing between member accounts is not reported and only access from outside the organization appears as findings
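The finding-triage step described above (decide for each external-access finding whether to archive it as intended sharing or remediate it) can be scripted. The following is an added example, not code from this page or from AWS: it runs offline over constructed sample findings shaped like the `finding` objects returned by `aws accessanalyzer list-findings` (account IDs, ARNs and the trusted-account list are placeholders), and produces the list of finding IDs you would pass to `update-findings --status ARCHIVED` versus the ones that need a policy fix.

```python
"""Triage IAM Access Analyzer external-access findings (added example)."""
from enum import Enum


class Decision(str, Enum):
    REMEDIATE = "remediate"  # unintended access: fix the resource policy
    ARCHIVE = "archive"      # intended sharing with a documented account
    REVIEW = "review"        # unknown principal: needs a human decision


# Constructed sample findings. The field names mirror the Access Analyzer
# finding schema; every account ID and ARN here is a placeholder.
SAMPLE_FINDINGS = [
    {"id": "f-001", "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::example-assets",
     "principal": {"AWS": "*"}, "isPublic": True,
     "action": ["s3:GetObject"], "status": "ACTIVE"},
    {"id": "f-002", "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111111111111:role/PartnerAuditRole",
     "principal": {"AWS": "222222222222"}, "isPublic": False,
     "action": ["sts:AssumeRole"], "status": "ACTIVE"},
    {"id": "f-003", "resourceType": "AWS::KMS::Key",
     "resource": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID",
     "principal": {"AWS": "333333333333"}, "isPublic": False,
     "action": ["kms:Decrypt"], "status": "ACTIVE"},
    {"id": "f-004", "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::example-already-handled",
     "principal": {"AWS": "*"}, "isPublic": True,
     "action": ["s3:GetObject"], "status": "ARCHIVED"},
]

# Accounts whose cross-account access is documented and intended (assumed).
TRUSTED_ACCOUNTS = {"222222222222"}


def triage(finding, trusted_accounts):
    """Classify one finding; returns None for findings that are not ACTIVE."""
    if finding.get("status") != "ACTIVE":
        return None  # already archived or resolved, nothing to do
    if finding.get("isPublic"):
        # Anything reachable from the internet is never archived blindly.
        return Decision.REMEDIATE
    principal = finding.get("principal", {})
    account = principal.get("AWS")
    # Federated / service principals and unknown accounts go to a human.
    if account in trusted_accounts:
        return Decision.ARCHIVE
    return Decision.REVIEW


def build_plan(findings, trusted_accounts):
    """Group ACTIVE finding IDs by decision, preserving input order."""
    plan = {decision: [] for decision in Decision}
    for finding in findings:
        decision = triage(finding, trusted_accounts)
        if decision is not None:
            plan[decision].append(finding["id"])
    return plan


if __name__ == "__main__":
    plan = build_plan(SAMPLE_FINDINGS, TRUSTED_ACCOUNTS)
    for decision, ids in plan.items():
        print(f"{decision.value}: {ids}")
    # IDs under ARCHIVE are the ones to hand to:
    #   aws accessanalyzer update-findings --analyzer-arn <arn> \
    #       --status ARCHIVED --ids <id> ...
    # IDs under REMEDIATE need the resource policy tightened instead.
```

The allowlist is the important design choice: archiving is safe only for principals you can trace to a documented sharing agreement, so the script never archives public findings or unknown accounts, and the REVIEW bucket is where a human confirms whether the sharing is intentional before the finding is archived or the policy is changed.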