docs.aws.amazon.com
Open in
urlscan Pro
13.35.58.99
Public Scan
Submitted URL: http://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
Effective URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
Submission: On May 30 via api from US — Scanned from DE
Effective URL: https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
Submission: On May 30 via api from US — Scanned from DE
Form analysis 0 forms found in the DOM
Text Content
SELECT YOUR COOKIE PREFERENCES
We use essential cookies and similar tools that are necessary to provide our
site and services. We use performance cookies to collect anonymous statistics so
we can understand how customers use our site and make improvements. Essential
cookies cannot be deactivated, but you can click “Customize cookies” to decline
performance cookies.
If you agree, AWS and approved third parties will also use cookies to provide
useful site features, remember your preferences, and display relevant content,
including relevant advertising. To continue without accepting these cookies,
click “Continue without accepting.” To make more detailed choices or learn more,
click “Customize cookies.”
Accept all cookiesContinue without acceptingCustomize cookies
CUSTOMIZE COOKIE PREFERENCES
We use cookies and similar tools (collectively, "cookies") for the following
purposes.
ESSENTIAL
Essential cookies are necessary to provide our site and services and cannot be
deactivated. They are usually set in response to your actions on the site, such
as setting your privacy preferences, signing in, or filling in forms.
PERFORMANCE
Performance cookies provide anonymous statistics about how customers navigate
our site so we can improve site experience and performance. Approved third
parties may perform analytics on our behalf, but they cannot use the data for
their own purposes.
Allow performance category
Allowed
FUNCTIONAL
Functional cookies help us provide useful site features, remember your
preferences, and display relevant content. Approved third parties may set these
cookies to provide certain site features. If you do not allow these cookies,
then some or all of these services may not function properly.
Allow functional category
Allowed
ADVERTISING
Advertising cookies may be set through our site by us or our advertising
partners and help us deliver relevant marketing content. If you do not allow
these cookies, you will experience less relevant advertising.
Allow advertising category
Allowed
Blocking some types of cookies may impact your experience of our sites. You may
review and change your choices at any time by clicking Cookie preferences in the
footer of this site. We and selected third-parties use cookies or similar
technologies as specified in the AWS Cookie Notice.
CancelSave preferences
UNABLE TO SAVE COOKIE PREFERENCES
We will only store essential cookies at this time, because we were unable to
save your cookie preferences.
If you want to change your cookie preferences, try again later using the link in
the AWS console footer, or contact support if the problem persists.
Dismiss
Contact Us
English
Create an AWS Account
1. AWS
2. ...
3. Documentation
4. AWS Identity and Access Management
5. User Guide
Feedback
Preferences
AWS IDENTITY AND ACCESS MANAGEMENT
USER GUIDE
* What is IAM?
* When do I use IAM
* How IAM works
* Users in AWS
* Permissions and policies in IAM
* What is ABAC?
* Security features outside IAM
* Quick links to common tasks
* IAM console search
* AWS CloudFormation resources
* Using AWS CloudShell
* Working with AWS SDKs
* Getting set up
* IAM management methods
* Your AWS account ID and its alias
* Getting started
* Security best practices and use cases
* Security best practices
* Root user best practices
* Business use cases
* Tutorials
* Grant access to the billing console
* Delegate access across AWS accounts using roles
* Create a customer managed policy
* Use attribute-based access control (ABAC)
* Use SAML session tags for ABAC
* Permit users to manage their credentials and MFA settings
* Identities
* AWS account root user
* Enable a virtual MFA device for your AWS account root user (console)
* Enable a hardware TOTP token for the AWS account root user (console)
* Enable a FIDO security key for the AWS account root user (console)
* Change the password
* Resetting a lost or forgotten root user password
* Creating access keys for the root user
* Deleting access keys for the root user
* Tasks that require root user
* Troubleshooting root user issues
* Related information
* Users
* Adding a user
* Controlling user access to the console
* How IAM users sign in to AWS
* Using MFA devices with your IAM sign-in page
* Managing users
* Changing permissions for a user
* Managing passwords
* Setting a password policy
* Managing user passwords
* Permitting IAM users to change their own passwords
* How an IAM user changes their own password
* Access keys
* Retrieving lost passwords or access keys
* Multi-factor authentication (MFA)
* Enabling MFA devices
* General steps for enabling MFA devices
* Enabling a virtual MFA device (console)
* Enabling a FIDO security key (console)
* Supported configurations for using FIDO security keys
* Enabling a hardware TOTP token (console)
* Enabling and managing virtual MFA devices (AWS CLI or AWS API)
* Checking MFA status
* Resynchronizing virtual and hardware MFA devices
* Deactivating MFA devices
* What if an MFA device is lost or stops working?
* Configuring MFA-protected API access
* Sample code: MFA
* Find unused credentials
* Getting credential reports
* Using IAM with CodeCommit
* Using IAM with Amazon Keyspaces
* Managing server certificates
* User groups
* Creating user groups
* Managing user groups
* Listing IAM user groups
* Adding and removing users in an IAM user group
* Attaching a policy to an IAM user group
* Renaming an IAM user group
* Deleting a user group
* Roles
* Terms and concepts
* Common scenarios
* Providing access across AWS accounts
* Providing access for non AWS workloads
* Providing access to third-party AWS accounts
* Using an external ID for third-party access
* Providing access to AWS services
* The confused deputy problem
* Providing access through identity federation
* Service-linked roles
* Creating roles
* Creating a role for an IAM user
* Creating a role for an AWS service
* Creating a role for identity federation
* Create a role for OIDC federation
* Create a role for SAML 2.0 federation
* Creating a role using custom trust policies
* Examples of policies for delegating access
* Using roles
* Granting a user permissions to switch roles
* Granting permissions to pass a role to a service
* Switching roles (console)
* Switching roles (AWS CLI)
* Switching roles (Tools for Windows PowerShell)
* Switching roles (AWS API)
* Using roles for applications on Amazon EC2
* Using instance profiles
* Revoking role temporary credentials
* Managing roles
* Modifying a role
* Modifying a role (console)
* Modifying a role (AWS CLI)
* Modifying a role (AWS API)
* Deleting roles or instance profiles
* Identity providers and federation
* Common scenarios
* Using Amazon Cognito for mobile apps
* Using OIDC federation API operations for mobile apps
* OIDC federation
* Create OIDC identity provider
* Obtain the thumbprint for an OIDC provider
* Identify users with OIDC federation
* Additional resources for OIDC federation
* SAML 2.0 federation
* Create SAML identity provider
* Configure relying party trust and claims
* Integrate third-party SAML solution providers with AWS
* Configure SAML assertions for the authentication response
* Enable SAML 2.0 federated users to access the AWS console
* Temporary security credentials
* Requesting temporary security credentials
* Using temporary credentials with AWS resources
* Controlling permissions for temporary security credentials
* Permissions for AssumeRole API operations
* Monitor and control actions taken with assumed roles
* Permissions for GetFederationToken
* Permissions for GetSessionToken
* Disabling permissions
* Granting permissions to create credentials
* Granting permissions to use identity-aware console sessions
* Managing AWS STS in an AWS Region
* Using bearer tokens
* Sample applications that use temporary credentials
* Enabling custom identity broker access to the AWS console
* Additional resources for temporary credentials
* Tagging IAM resources
* Tagging IAM users
* Tagging IAM roles
* Tagging customer managed policies
* Tagging IAM identity providers
* Tagging OpenID Connect (OIDC) identity providers
* Tagging IAM SAML identity providers
* Tagging instance profiles
* Tagging server certificates
* Tagging virtual MFA devices
* Session tags
* Log events with CloudTrail
* Access management
* Policies and permissions
* Managed policies and inline policies
* Choosing managed or inline
* Getting started with managed policies
* Converting inline policy to managed
* Deprecated AWS managed policies
* Data perimeters
* Permissions boundaries
* Identity vs resource
* Controlling access using policies
* Control access to IAM users and roles using tags
* Control access to AWS resources using tags
* Cross account resource access
* Forward access sessions
* Example policies
* AWS: Specific access during a date range
* AWS: Enable or disable AWS Regions
* AWS: Self-manage credentials with MFA (Security credentials)
* AWS: Specific access with MFA during a date range
* AWS: Self-manage credentials no MFA (Security credentials)
* AWS: Self-manage MFA device (Security credentials)
* AWS: Self-manage console password (Security credentials)
* AWS: Self-manage password, access keys, & SSH public keys (My
security credentials)
* AWS: Deny access based on requested Region
* AWS: Deny access based on source IP
* AWS: Deny access to Amazon S3 resources outside your account except
AWS Data Exchange
* Data Pipeline: Deny access to pipelines not created by user
* DynamoDB: Access specific table
* DynamoDB: Allow access to specific attributes
* DynamoDB: Allow item access based on a Amazon Cognito ID
* EC2: Attach or detach tagged EBS volumes
* EC2: Launch instances in a subnet (includes console)
* EC2: Manage security groups with the same tags (includes console)
* EC2: Start or stop instances a user has tagged (includes console)
* EC2: Start or stop instances based on tags
* EC2: Start or stop for matching tags
* EC2: Full access within a Region (includes console)
* EC2: Start or stop an instance, modify security group (includes
console)
* EC2: Requires MFA (GetSessionToken) for operations
* EC2: Limit terminating instances to IP range
* IAM: Access the policy simulator API
* IAM: Access the policy simulator console
* IAM: Assume tagged roles
* IAM: Allows and denies multiple services (includes console)
* IAM: Add specific tag to tagged user
* IAM: Add a specific tag
* IAM: Create only tagged users
* IAM: Generate credential reports
* IAM: Manage group membership (includes console)
* IAM: Manage a tag
* IAM: Pass a role to a service
* IAM: Read-only console access (no reporting)
* IAM: Read-only console access
* IAM: Specific users manage group (includes console)
* IAM: Setting account password requirements (includes console)
* IAM: Access the policy simulator API based on user path
* IAM: Access the policy simulator console based on user path
(includes console)
* IAM: MFA self-management
* IAM: Update credentials (includes console)
* IAM: View Organizations service last accessed information for a
policy
* IAM: Apply limited managed policies
* AWS: Deny access to resources outside your account except AWS
managed IAM policies
* Lambda: Service access to DynamoDB
* RDS: Full access within a Region
* RDS: Restore databases (includes console)
* RDS: Full access for tag owners
* S3: Access bucket if cognito
* S3: Access federated user home directory (includes console)
* S3: Full access with recent MFA
* S3: Access IAM user home directory (includes console)
* S3: Restrict management to a specific bucket
* S3: Read and write objects to a specific bucket
* S3: Read and write to a specific bucket (includes console)
* Managing IAM policies
* Creating IAM policies
* Creating IAM policies (console)
* Creating IAM policies (CLI)
* Creating IAM policies (API)
* Validating policies
* Generating policies
* Testing IAM policies
* Add or remove identity permissions
* Versioning IAM policies
* Editing IAM policies
* Deleting IAM policies
* Refining permissions using access information
* View IAM access information
* View access information for Organizations
* Example scenarios
* Action last accessed services and actions
* Understanding policies
* Policy summary (list of services)
* Access levels in policy summaries
* Service summary (list of actions)
* Action summary (list of resources)
* Example policy summaries
* Permissions required
* Example policies for IAM
* Code examples
* IAM
* Actions
* AddClientIdToOpenIdConnectProvider
* AddRoleToInstanceProfile
* AddUserToGroup
* AttachGroupPolicy
* AttachRolePolicy
* AttachUserPolicy
* ChangePassword
* CreateAccessKey
* CreateAccountAlias
* CreateGroup
* CreateInstanceProfile
* CreateLoginProfile
* CreateOpenIdConnectProvider
* CreatePolicy
* CreatePolicyVersion
* CreateRole
* CreateSAMLProvider
* CreateServiceLinkedRole
* CreateUser
* CreateVirtualMfaDevice
* DeactivateMfaDevice
* DeleteAccessKey
* DeleteAccountAlias
* DeleteAccountPasswordPolicy
* DeleteGroup
* DeleteGroupPolicy
* DeleteInstanceProfile
* DeleteLoginProfile
* DeleteOpenIdConnectProvider
* DeletePolicy
* DeletePolicyVersion
* DeleteRole
* DeleteRolePermissionsBoundary
* DeleteRolePolicy
* DeleteSAMLProvider
* DeleteServerCertificate
* DeleteServiceLinkedRole
* DeleteSigningCertificate
* DeleteUser
* DeleteUserPermissionsBoundary
* DeleteUserPolicy
* DeleteVirtualMfaDevice
* DetachGroupPolicy
* DetachRolePolicy
* DetachUserPolicy
* EnableMfaDevice
* GenerateCredentialReport
* GenerateServiceLastAccessedDetails
* GetAccessKeyLastUsed
* GetAccountAuthorizationDetails
* GetAccountPasswordPolicy
* GetAccountSummary
* GetContextKeysForCustomPolicy
* GetContextKeysForPrincipalPolicy
* GetCredentialReport
* GetGroup
* GetGroupPolicy
* GetInstanceProfile
* GetLoginProfile
* GetOpenIdConnectProvider
* GetPolicy
* GetPolicyVersion
* GetRole
* GetRolePolicy
* GetSamlProvider
* GetServerCertificate
* GetServiceLastAccessedDetails
* GetServiceLastAccessedDetailsWithEntities
* GetServiceLinkedRoleDeletionStatus
* GetUser
* GetUserPolicy
* ListAccessKeys
* ListAccountAliases
* ListAttachedGroupPolicies
* ListAttachedRolePolicies
* ListAttachedUserPolicies
* ListEntitiesForPolicy
* ListGroupPolicies
* ListGroups
* ListGroupsForUser
* ListInstanceProfiles
* ListInstanceProfilesForRole
* ListMfaDevices
* ListOpenIdConnectProviders
* ListPolicies
* ListPolicyVersions
* ListRolePolicies
* ListRoleTags
* ListRoles
* ListSAMLProviders
* ListServerCertificates
* ListSigningCertificates
* ListUserPolicies
* ListUserTags
* ListUsers
* ListVirtualMfaDevices
* PutGroupPolicy
* PutRolePermissionsBoundary
* PutRolePolicy
* PutUserPermissionsBoundary
* PutUserPolicy
* RemoveClientIdFromOpenIdConnectProvider
* RemoveRoleFromInstanceProfile
* RemoveUserFromGroup
* ResyncMfaDevice
* SetDefaultPolicyVersion
* TagRole
* TagUser
* UntagRole
* UntagUser
* UpdateAccessKey
* UpdateAccountPasswordPolicy
* UpdateAssumeRolePolicy
* UpdateGroup
* UpdateLoginProfile
* UpdateOpenIdConnectProviderThumbprint
* UpdateRole
* UpdateRoleDescription
* UpdateSamlProvider
* UpdateServerCertificate
* UpdateSigningCertificate
* UpdateUser
* UploadServerCertificate
* UploadSigningCertificate
* Scenarios
* Build and manage a resilient service
* Create a group and add a user
* Create a user and assume a role
* Create read-only and read-write users
* Manage access keys
* Manage policies
* Manage roles
* Manage your account
* Roll back a policy version
* Work with the IAM Policy Builder API
* AWS STS
* Actions
* AssumeRole
* AssumeRoleWithWebIdentity
* DecodeAuthorizationMessage
* GetFederationToken
* GetSessionToken
* Scenarios
* Assume an IAM role that requires an MFA token
* Construct a URL for federated users
* Get a session token that requires an MFA token
* Security
* AWS security credentials
* AWS security audit guidelines
* Data protection
* Logging and monitoring
* Compliance validation
* Resilience
* Infrastructure security
* Configuration and vulnerability analysis
* AWS managed policies
* IAM Access Analyzer
* Findings for external and unused access
* How IAM Access Analyzer findings work
* Getting started with IAM Access Analyzer findings
* Findings dashboard
* Working with findings
* Reviewing findings
* Filtering findings
* Archiving findings
* Resolving findings
* Supported resource types
* Settings
* Archive rules
* Monitoring with EventBridge
* Security Hub integration
* Logging with CloudTrail
* IAM Access Analyzer filter keys
* Using service-linked roles
* Preview access
* Previewing access in Amazon S3 console
* Previewing access with IAM Access Analyzer APIs
* Checks for validating policies
* IAM Access Analyzer policy validation
* Policy check reference
* Custom policy checks
* IAM Access Analyzer policy generation
* IAM Access Analyzer policy generation services
* IAM Access Analyzer quotas
* Troubleshooting IAM
* General issues
* Access denied error messages
* IAM policies
* FIDO security keys
* IAM roles
* IAM and Amazon EC2
* IAM and Amazon S3
* SAML 2.0 federation
* Viewing a SAML response in your browser
* Reference
* Amazon Resource Names (ARNs)
* IAM identifiers
* IAM and AWS STS quotas
* Interface VPC endpoints
* Services that work with IAM
* Signing AWS API requests
* Signature Version 4 request elements
* Authentication methods
* Create a signed request
* Request signature examples
* Troubleshoot
* Policy reference
* JSON element reference
* Version
* Id
* Statement
* Sid
* Effect
* Principal
* NotPrincipal
* Action
* NotAction
* Resource
* NotResource
* Condition
* Condition operators
* Conditions with multiple context keys or values
* Single-valued vs. multivalued context keys
* Condition policy examples
* Multivalued context key examples
* Single-valued context key policy examples
* Variables and tags
* Supported data types
* Policy evaluation logic
* Cross-account policy evaluation logic
* Policy grammar
* AWS managed policies for job functions
* Creating roles and attaching policies (console)
* Global condition keys
* IAM condition keys
* Actions, resources, and condition keys
* Resources
* Making HTTP query requests
* Document history
Using AWS Identity and Access Management Access Analyzer - AWS Identity and
Access Management
AWSDocumentationAWS Identity and Access ManagementUser Guide
Identifying resources shared with an external entityIdentifying unused access
granted to IAM users and rolesValidating policies against AWS best
practicesValidating policies against your specified security standardsGenerating
policiesPricing for IAM Access Analyzer
USING AWS IDENTITY AND ACCESS MANAGEMENT ACCESS ANALYZER
PDFRSS
AWS Identity and Access Management Access Analyzer provides the following
capabilities:
* IAM Access Analyzer external access analyzers help identify resources in your
organization and accounts that are shared with an external entity.
* IAM Access Analyzer unused access analyzers help identify unused access in
your organization and accounts.
* IAM Access Analyzer validates IAM policies against policy grammar and AWS
best practices.
* IAM Access Analyzer custom policy checks help validate IAM policies against
your specified security standards.
* IAM Access Analyzer generates IAM policies based on access activity in your
AWS CloudTrail logs.
IDENTIFYING RESOURCES SHARED WITH AN EXTERNAL ENTITY
IAM Access Analyzer helps you identify the resources in your organization and
accounts, such as Amazon S3 buckets or IAM roles, shared with an external
entity. This lets you identify unintended access to your resources and data,
which is a security risk. IAM Access Analyzer identifies resources shared with
external principals by using logic-based reasoning to analyze the resource-based
policies in your AWS environment. For each instance of a resource shared outside
of your account, IAM Access Analyzer generates a finding. Findings include
information about the access and the external principal granted to it. You can
review findings to determine if the access is intended and safe or if the access
is unintended and a security risk. In addition to helping you identify resources
shared with an external entity, you can use IAM Access Analyzer findings to
preview how your policy affects public and cross-account access to your resource
before deploying resource permissions. The findings are organized in a visual
summary dashboard. The dashboard highlights the split between public and
cross-account access findings, and provides a breakdown of findings by resource
type. To learn more about the dashboard, see Viewing the IAM Access Analyzer
findings dashboard.
NOTE
An external entity can be another AWS account, a root user, an IAM user or role,
a federated user, an AWS service, an anonymous user, or other entity that you
can use to create a filter. For more information, see AWS JSON Policy Elements:
Principal.
When you enable IAM Access Analyzer, you create an analyzer for your entire
organization or your account. The organization or account you choose is known as
the zone of trust for the analyzer. The analyzer monitors all of the supported
resources within your zone of trust. Any access to resources by principals
within your zone of trust is considered trusted. Once enabled, IAM Access
Analyzer analyzes the policies applied to all of the supported resources in your
zone of trust. After the first analysis, IAM Access Analyzer analyzes these
policies periodically. If you add a new policy , or change an existing policy,
IAM Access Analyzer analyzes the new or updated policy within about 30 minutes.
When analyzing the policies, if IAM Access Analyzer identifies one that grants
access to an external principal that isn't within your zone of trust, it
generates a finding. Each finding includes details about the resource, the
external entity with access to it, and the permissions granted so that you can
take appropriate action. You can view the details included in the finding to
determine whether the resource access is intentional or a potential risk that
you should resolve. When you add a policy to a resource, or update an existing
policy, IAM Access Analyzer analyzes the policy. IAM Access Analyzer also
analyzes all resource-based policies periodically.
On rare occasions under certain conditions, IAM Access Analyzer does not receive
notification of an added or updated policy, which can cause delays in generated
findings. IAM Access Analyzer can take up to 6 hours to generate or resolve
findings if you create or delete a multi-region access point associated with an
Amazon S3 bucket, or update the policy for the multi-region access point. Also,
if there is a delivery issue with AWS CloudTrail log delivery, the policy change
does not trigger a rescan of the resource reported in the finding. When this
happens, IAM Access Analyzer analyzes the new or updated policy during the next
periodic scan, which is within 24 hours. If you want to confirm a change you
make to a policy resolves an access issue reported in a finding, you can rescan
the resource reported in a finding by using the Rescan link in the Findings
details page, or by using the StartResourceScan operation of the IAM Access
Analyzer API. To learn more, see Resolving findings.
IMPORTANT
IAM Access Analyzer analyzes only policies applied to resources in the same AWS
Region where it's enabled. To monitor all resources in your AWS environment, you
must create an analyzer to enable IAM Access Analyzer in each Region where
you're using supported AWS resources.
IAM Access Analyzer analyzes the following resource types:
* Amazon Simple Storage Service buckets
* Amazon Simple Storage Service directory buckets
* AWS Identity and Access Management roles
* AWS Key Management Service keys
* AWS Lambda functions and layers
* Amazon Simple Queue Service queues
* AWS Secrets Manager secrets
* Amazon Simple Notification Service topics
* Amazon Elastic Block Store volume snapshots
* Amazon Relational Database Service DB snapshots
* Amazon Relational Database Service DB cluster snapshots
* Amazon Elastic Container Registry repositories
* Amazon Elastic File System file systems
* Amazon DynamoDB streams
* Amazon DynamoDB tables
IDENTIFYING UNUSED ACCESS GRANTED TO IAM USERS AND ROLES
IAM Access Analyzer helps you identify and review unused access in your AWS
organization and accounts. IAM Access Analyzer continuously monitors all IAM
roles and users in your AWS organization and accounts and generates findings for
unused access. The findings highlight unused roles, unused access keys for IAM
users, and unused passwords for IAM users. For active IAM roles and users, the
findings provide visibility into unused services and actions.
The findings for both external access and unused access analyzers are organized
into a visual summary dashboard. The dashboard highlights your AWS accounts that
have the most findings and provides a breakdown of findings by type. For more
information about the dashboard, see Viewing the IAM Access Analyzer findings
dashboard.
IAM Access Analyzer reviews last accessed information for all roles in your AWS
organization and accounts to help you identify unused access. IAM action last
accessed information helps you identify unused actions for roles in your AWS
accounts. For more information, see Refining permissions in AWS using last
accessed information.
VALIDATING POLICIES AGAINST AWS BEST PRACTICES
You can validate your policies against IAM policy grammar and AWS best practices
using the basic policy checks provided by IAM Access Analyzer policy validation.
You can create or edit a policy using the AWS CLI, AWS API, or JSON policy
editor in the IAM console. You can view policy validation check findings that
include security warnings, errors, general warnings, and suggestions for your
policy. These findings provide actionable recommendations that help you author
policies that are functional and conform to AWS best practices. To learn more
about validating policies using policy validation, see IAM Access Analyzer
policy validation.
VALIDATING POLICIES AGAINST YOUR SPECIFIED SECURITY STANDARDS
You can validate your policies against your specified security standards using
the IAM Access Analyzer custom policy checks. You can create or edit a policy
using the AWS CLI, AWS API, or JSON policy editor in the IAM console. Through
the console, you can check whether your updated policy grants new access
compared to the existing version. Through AWS CLI and AWS API, you can also
check specific IAM actions that you consider critical are not allowed by a
policy. These checks highlight a policy statement that grants new access. You
can update the policy statement and re-run the checks until the policy conform
to your security standard. To learn more about validating policies using custom
policy checks, see IAM Access Analyzer custom policy checks.
GENERATING POLICIES
IAM Access Analyzer analyzes your AWS CloudTrail logs to identify actions and
services that have been used by an IAM entity (user or role) within your
specified date range. It then generates an IAM policy that is based on that
access activity. You can use the generated policy to refine an entity's
permissions by attaching it to an IAM user or role. To learn more about
generating policies using IAM Access Analyzer, see IAM Access Analyzer policy
generation.
PRICING FOR IAM ACCESS ANALYZER
IAM Access Analyzer charges for unused access analysis based on the number of
IAM roles and users analyzed per analyzer per month.
* You will be charged for each unused access analyzer that you create.
* Creating unused access analyzers across multiple Regions will result in you
being charged for each analyzer.
* Service-linked roles aren't analyzed for unused access activity and they
aren't included in the total number of IAM roles analyzed.
IAM Access Analyzer charges for custom policy checks based on the number of API
requests made to IAM Access Analyzer to check for new access.
For a complete list of charges and prices for IAM Access Analyzer, see IAM
Access Analyzer pricing.
To see your bill, go to the Billing and Cost Management Dashboard in the AWS
Billing and Cost Management console. Your bill contains links to usage reports
that provide details about your bill. To learn more about AWS account billing,
see the AWS Billing User Guide
If you have questions concerning AWS billing, accounts, and events, contact AWS
Support.
Javascript is disabled or is unavailable in your browser.
To use the Amazon Web Services Documentation, Javascript must be enabled. Please
refer to your browser's Help pages for instructions.
Document Conventions
AWS managed policies
Findings for external and unused access
Did this page help you? - Yes
Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of
it.
Did this page help you? - No
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.
DID THIS PAGE HELP YOU?
Yes
No
Provide feedback
NEXT TOPIC:
Findings for external and unused access
PREVIOUS TOPIC:
AWS managed policies
NEED HELP?
* Try AWS re:Post
* Connect with an AWS IQ expert
PrivacySite termsCookie preferences
© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ON THIS PAGE
* Identifying resources shared with an external entity
* Identifying unused access granted to IAM users and roles
* Validating policies against AWS best practices
* Validating policies against your specified security standards
* Generating policies
* Pricing for IAM Access Analyzer