docs.aws.amazon.com
Open in
urlscan Pro
65.9.77.106
Public Scan
URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
Submission: On May 13 via api from US — Scanned from DE
Submission: On May 13 via api from US — Scanned from DE
Form analysis
0 forms found in the DOMText Content
SELECT YOUR COOKIE PREFERENCES We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features. CustomizeAccept all CUSTOMIZE COOKIE PREFERENCES We use cookies and similar tools (collectively, "cookies") for the following purposes. ESSENTIAL Essential cookies are necessary to provide our site and services and cannot be deactivated. They are usually set in response to your actions on the site, such as setting your privacy preferences, signing in, or filling in forms. PERFORMANCE Performance cookies provide anonymous statistics about how customers navigate our site so we can improve site experience and performance. Approved third parties may perform analytics on our behalf, but they cannot use the data for their own purposes. Allow performance category Allowed FUNCTIONAL Functional cookies help us provide useful site features, remember your preferences, and display relevant content. Approved third parties may set these cookies to provide certain site features. If you do not allow these cookies, then some or all of these services may not function properly. Allow functional category Allowed ADVERTISING Advertising cookies may be set through our site by us or our advertising partners and help us deliver relevant marketing content. If you do not allow these cookies, you will experience less relevant advertising. Allow advertising category Allowed Blocking some types of cookies may impact your experience of our sites. You may review and change your choices at any time by clicking Cookie preferences in the footer of this site. We and selected third-parties use cookies or similar technologies as specified in the AWS Cookie Notice . CancelSave preferences English Sign In to the Console 1. AWS 2. ... 3. Documentation 4. AWS Identity and Access Management 5. User Guide Feedback Preferences AWS Identity and Access Management User Guide * What is IAM? * How IAM works * Users in AWS * Permissions and policies in IAM * What is ABAC? * Security features outside IAM * Quick links to common tasks * Working with AWS SDKs * Getting set up * Getting started * Creating an IAM admin user and user group * Creating a delegated user * How IAM users sign in * IAM console search * Tutorials * Delegate access to the billing console * Delegate access across AWS accounts using roles * Create a customer managed policy * Use attribute-based access control (ABAC) * Use SAML session tags for ABAC * Permit users to manage their credentials and MFA settings * Signing in to AWS * Your AWS account ID and its alias * AWS sign-in issues * Identities * Users * Adding a user * Controlling user access to the console * How IAM users sign in to AWS * Using MFA devices with your IAM sign-in page * Managing users * Changing permissions for a user * Managing passwords * Changing the root user password * Setting a password policy * Managing user passwords * Permitting users to change their own passwords * How an IAM user changes their own password * Access keys * Retrieving lost passwords or access keys * Multi-factor authentication (MFA) * Enabling MFA devices * Enabling a virtual MFA device (console) * Enabling a U2F security key (console) * Supported configurations for using U2F security keys * Enabling a hardware MFA device (console) * Enabling and managing virtual MFA devices (AWS CLI or AWS API) * Checking MFA status * Resynchronizing virtual and hardware MFA devices * Deactivating MFA devices * What if an MFA device is lost or stops working? * Configuring MFA-protected API access * Sample code: MFA * Finding unused credentials * Getting credential reports * Using IAM with CodeCommit * Using IAM with Amazon Keyspaces * Managing server certificates * User groups * Creating user groups * Managing user groups * Listing IAM user groups * Adding and removing users in an IAM user group * Attaching a policy to an IAM user group * Renaming an IAM user group * Deleting a user group * Roles * Terms and concepts * Common scenarios * Providing access across AWS accounts * Providing access to third-party AWS accounts * Using an external ID for third-party access * Providing access to AWS services * The confused deputy problem * Providing access through identity federation * Identity providers and federation * About web identity federation * Using Amazon Cognito for mobile apps * Using web identity federation API operations for mobile apps * Identifying users with web identity federation * Additional resources for web identity federation * About SAML 2.0 federation * Creating IAM identity providers * Creating OIDC identity providers * Obtaining the thumbprint for an OIDC Identity Provider * Creating IAM SAML identity providers * Configuring relying party trust and claims * Integrating third-party SAML solution providers with AWS * Configuring SAML assertions for the authentication response * Enable SAML 2.0 federated users to access the AWS console * Enabling custom identity broker access to the AWS console * Service-linked roles * Creating roles * Creating a role for an IAM user * Creating a role for an AWS service * Creating a role for identity federation * Creating a role for web Identity/OIDC federation * Creating a role for SAML 2.0 federation * Creating a role using custom trust policies * Examples of policies for delegating access * Using roles * Granting a user permissions to switch roles * Granting permissions to pass a role to a service * Switching roles (console) * Switching roles (AWS CLI) * Switching roles (Tools for Windows PowerShell) * Switching roles (AWS API) * Using roles for applications on Amazon EC2 * Using instance profiles * Revoking role temporary credentials * Managing roles * Modifying a role * Modifying a role (console) * Modifying a role (AWS CLI) * Modifying a role (AWS API) * Deleting roles or instance profiles * Roles vs. resource-based policies * Tagging IAM resources * Tagging IAM users * Tagging IAM roles * Tagging customer managed policies * Tagging IAM identity providers * Tagging OpenID Connect (OIDC) identity providers * Tagging IAM SAML identity providers * Tagging instance profiles * Tagging server certificates * Tagging virtual MFA devices * Session tags * Temporary security credentials * Requesting temporary security credentials * Using temporary credentials with AWS resources * Controlling permissions for temporary security credentials * Permissions for AssumeRole API operations * Monitor and control actions taken with assumed roles * Permissions for GetFederationToken * Permissions for GetSessionToken * Disabling permissions * Granting permissions to create credentials * Managing AWS STS in an AWS Region * Using AWS STS interface VPC endpoints * Using bearer tokens * Sample applications that use temporary credentials * Additional resources for temporary credentials * AWS account root user * Log events with CloudTrail * Access management * Policies and permissions * Managed policies and inline policies * Deprecated AWS managed policies * Permissions boundaries * Identity vs resource * Controlling access using policies * Control access to IAM users and roles using tags * Control access to AWS resources using tags * Example policies * AWS: Specific access during a date range * AWS: Enable or disable AWS Regions * AWS: Self-manage credentials with MFA (My Security Credentials) * AWS: Specific access with MFA during a date range * AWS: Self-manage credentials no MFA (My Security Credentials) * AWS: Self-manage MFA device (My Security Credentials) * AWS: Self-manage console password (My Security Credentials) * AWS: Self-manage password, access keys, & SSH public keys (My Security Credentials) * AWS: Deny access based on requested Region * AWS: Deny access based on source IP * AWS: Deny access to Amazon SNS resources outside your account except CloudFormation * AWS: Deny access to Amazon S3 resources outside your account except AWS Data Exchange * Data Pipeline: Deny access to pipelines not created by user * DynamoDB: Access specific table * DynamoDB: Allow access to specific attributes * DynamoDB: Allow item access based on a Amazon Cognito ID * EC2: Attach or detach volumes to an EC2 instance * EC2: Attach or detach tagged EBS volumes * EC2: Launch instances in a subnet (includes console) * EC2: Manage security groups with the same tags (includes console) * EC2: Start or stop instances a user has tagged (includes console) * EC2: Start or stop instances based on tags * EC2: Start or stop for matching tags * EC2: Full access within a Region (includes console) * EC2: Start or stop an instance, modify security group (includes console) * EC2: Requires MFA (GetSessionToken) for operations * EC2: Limit terminating instances to IP range * IAM: Access the policy simulator API * IAM: Access the policy simulator console * IAM: Assume tagged roles * IAM: Allows and denies multiple services (includes console) * IAM: Add specific tag to tagged user * IAM: Add a specific tag * IAM: Create only tagged users * IAM: Generate credential reports * IAM: Manage group membership (includes console) * IAM: Manage a tag * IAM: Pass a role to a service * IAM: Read-only console access (no reporting) * IAM: Read-only console access * IAM: Specific users manage group (includes console) * IAM: Setting account password requirements (includes console) * IAM: Access the policy simulator API based on user path * IAM: Access the policy simulator console based on user path (includes console) * IAM: MFA self-management * IAM: Rotate credentials (includes console) * IAM: View Organizations service last accessed information for a policy * IAM: Apply limited managed policies * AWS: Deny access to resources outside your account except AWS managed IAM policies * Lambda: Service access to DynamoDB * RDS: Full access within a Region * RDS: Restore databases (includes console) * RDS: Full access for tag owners * S3: Access bucket if cognito * S3: Access federated user home directory (includes console) * S3: Full access with recent MFA * S3: Access IAM user home directory (includes console) * S3: Restrict management to a specific bucket * S3: Read and write objects to a specific bucket * S3: Read and write to a specific bucket (includes console) * Managing IAM policies * Creating IAM policies * Creating IAM policies (console) * Creating IAM policies (CLI) * Creating IAM policies (API) * Validating policies * Generating policies * Testing IAM policies * Add or remove identity permissions * Versioning IAM policies * Editing IAM policies * Deleting IAM policies * Refining permissions using access information * View IAM access information * View access information for Organizations * Example scenarios * Understanding policies * Policy summary (list of services) * Access levels in policy summaries * Service summary (list of actions) * Action summary (list of resources) * Example policy summaries * Permissions required * Example policies for IAM * Code examples * IAM examples * Actions * Attach a policy to a role * Attach a policy to a user * Create a policy * Create a policy version * Create a role * Create a service-linked role * Create a user * Create an access key * Create an alias for an account * Create an inline policy for a user * Delete a policy * Delete a role * Delete a role policy * Delete a server certificate * Delete a service-linked role * Delete a user * Delete an access key * Delete an account alias * Delete an inline policy from a user * Detach a policy from a role * Detach a policy from a user * Generate a credential report * Get a credential report * Get a detailed authorization report for your account * Get a policy * Get a policy version * Get a role * Get a server certificate * Get a summary of account usage * Get data about the last use of an access key * Get the account password policy * List SAML providers * List a user's access keys * List account aliases * List groups * List inline policies for a role * List policies * List policies attached to a role * List roles * List server certificates * List users * Update a server certificate * Update a user * Update an access key * Scenarios * Create a user and assume a role * Create read-only and read-write users * Manage access keys * Manage policies * Manage roles * Manage your account * Rollback a policy version * AWS STS examples * Actions * Assume a role * Get a session token * Scenarios * Assume an IAM role that requires an MFA token * Construct a URL for federated users * Get a session token that requires an MFA token * Security * Data protection * Logging and monitoring * Compliance validation * Resilience * Infrastructure security * Configuration and vulnerability analysis * Security best practices and use cases * Security best practices * Business use cases * AWS managed policies * Access Analyzer * Supported resource types * How Access Analyzer works * Getting started * Using service-linked roles * Settings * Access Analyzer findings * Working with findings * Reviewing findings * Filtering findings * Archiving findings * Resolving findings * Access Analyzer policy validation * Policy check reference * Access Analyzer policy generation * Archive rules * Preview access * Previewing access in Amazon S3 console * Previewing access with Access Analyzer APIs * Access Analyzer reference * Access Analyzer filter keys * Monitoring with EventBridge * Security Hub integration * Logging with CloudTrail * Troubleshooting IAM * General issues * Access denied error messages * IAM policies * U2F security keys * IAM roles * IAM and Amazon EC2 * IAM and Amazon S3 * SAML 2.0 federation * Viewing a SAML response in your browser * Reference * IAM identifiers * Quotas * Services that work with IAM * Policy reference * JSON element reference * Version * Id * Statement * Sid * Effect * Principal * NotPrincipal * Action * NotAction * Resource * NotResource * Condition * Condition operators * Conditions with multiple keys or values * Single-valued vs. multivalued condition keys * Variables and tags * Supported data types * Policy evaluation logic * Cross-account policy evaluation logic * Policy grammar * AWS managed policies for job functions * Creating roles and attaching policies (console) * Global condition keys * IAM condition keys * Actions, resources, and condition keys * Resources * Making HTTP query requests * Document history Using AWS IAM Access Analyzer - AWS Identity and Access Management AWSDocumentationAWS Identity and Access ManagementUser Guide Identifying resources shared with an external entityValidating policiesGenerating policies USING AWS IAM ACCESS ANALYZER PDFRSS AWS IAM Access Analyzer provides the following capabilities: * Access Analyzer helps identify resources in your organization and accounts that are shared with an external entity. * Access Analyzer validates IAM policies against policy grammar and best practices. * Access Analyzer generates IAM policies based on access activity in your AWS CloudTrail logs. IDENTIFYING RESOURCES SHARED WITH AN EXTERNAL ENTITY Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. Access Analyzer identifies resources shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment. For each instance of a resource shared outside of your account, Access Analyzer generates a finding. Findings include information about the access and the external principal granted to it. You can review findings to determine whether the access is intended and safe, or the access is unintended and a security risk. In addition to helping you identify resources shared with an external entity, you can use Access Analyzer findings to preview how your policy affects public and cross-account access to your resource before deploying resource permissions. Note An external entity can be another AWS account, a root user, an IAM user or role, a federated user, an AWS service, an anonymous user, or other entity that you can use to create a filter. For more information, see AWS JSON Policy Elements: Principal. When you enable Access Analyzer, you create an analyzer for your entire organization or your account. The organization or account you choose is known as the zone of trust for the analyzer. The analyzer monitors all of the supported resources within your zone of trust. Any access to resources by principals within your zone of trust is considered trusted. Once enabled, Access Analyzer analyzes the policies applied to all of the supported resources in your zone of trust. After the first analysis, Access Analyzer analyzes these policies periodically. If you add a new policy , or change an existing policy, Access Analyzer analyzes the new or updated policy within about 30 minutes. When analyzing the policies, if Access Analyzer identifies one that grants access to an external principal that isn't within your zone of trust, it generates a finding. Each finding includes details about the resource, the external entity with access to it, and the permissions granted so that you can take appropriate action. You can view the details included in the finding to determine whether the resource access is intentional or a potential risk that you should resolve. When you add a policy to a resource, or update an existing policy, Access Analyzer analyzes the policy. Access Analyzer also analyzes all resource-based policies periodically. On rare occasions under certain conditions, Access Analyzer does not receive notification of an added or updated policy. Access Analyzer can take up to 6 hours to generate or resolve findings if you create or delete a multi-region access point associated with an S3 bucket, or update the policy for the multi-region access point. Also, if there is a delivery issue with AWS CloudTrail log delivery, the policy change does not trigger a rescan of the resource reported in the finding. When this happens, Access Analyzer analyzes the new or updated policy during the next periodic scan, which is within 24 hours. If you want to confirm a change you make to a policy resolves an access issue reported in a finding, you can rescan the resource reported in a finding by using the Rescan link in the Findings details page, or by using the StartResourceScan operation of the Access Analyzer API. To learn more, see Resolving findings. Important Access Analyzer analyzes only policies applied to resources in the same AWS Region where it's enabled. To monitor all resources in your AWS environment, you must create an analyzer to enable Access Analyzer in each Region where you're using supported AWS resources. Access Analyzer analyzes the following resource types: * Amazon Simple Storage Service buckets * AWS Identity and Access Management roles * AWS Key Management Service keys * AWS Lambda functions and layers * Amazon Simple Queue Service queues * AWS Secrets Manager secrets VALIDATING POLICIES You can validate your policies using Access Analyzer policy checks. You can create or edit a policy using the AWS CLI, AWS API, or JSON policy editor in the IAM console. Access Analyzer validates your policy against IAM policy grammar and best practices. You can view policy validation check findings that include security warnings, errors, general warnings, and suggestions for your policy. These findings provide actionable recommendations that help you author policies that are functional and conform to security best practices. To learn more about validating policies using Access Analyzer, see Access Analyzer policy validation. GENERATING POLICIES Access Analyzer analyzes your AWS CloudTrail logs to identify actions and services that have been used by an IAM entity (user or role) within your specified date range. It then generates an IAM policy that is based on that access activity. You can use the generated policy to refine an entity's permissions by attaching it to an IAM user or role. To learn more about generating policies using Access Analyzer, see IAM Access Analyzer policy generation. Javascript is disabled or is unavailable in your browser. To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions. Document Conventions AWS managed policies Supported resource types Did this page help you? - Yes Thanks for letting us know we're doing a good job! If you've got a moment, please tell us what we did right so we can do more of it. Did this page help you? - No Thanks for letting us know this page needs work. We're sorry we let you down. If you've got a moment, please tell us how we can make the documentation better. Did this page help you? YesNo Provide feedback Edit this page on GitHub Next topic:Supported resource types Previous topic:AWS managed policies Need help? * Try AWS re:Post * Connect with an AWS IQ expert PrivacySite termsCookie preferences © 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. On this page -------------------------------------------------------------------------------- * Identifying resources shared with an external entity * Validating policies * Generating policies DID THIS PAGE HELP YOU? - NO Thanks for letting us know this page needs work. We're sorry we let you down. If you've got a moment, please tell us how we can make the documentation better. Feedback