AWS IAM Access Analyzer is a new feature that makes it simple for security teams and administrators to check that their policies provide only the intended access to resources.
Resource policies allow customers to granularly control who is able to access a specific resource and how they are able to use it across the entire cloud environment. With one click in the IAM console, customers can enable the analyzer across their account to continuously analyze permissions granted using policies associated with their Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, AWS IAM roles, and AWS Lambda functions.
The analyzer continuously monitors policies for changes, so customers no longer need to rely on intermittent manual checks to catch issues as policies are added or updated. Using the analyzer, customers can proactively address any resource policies that violate their security and governance best practices around resource sharing, and protect their resources from unintended access.
The solution delivers comprehensive, detailed findings through the AWS IAM, Amazon S3, and AWS Security Hub consoles and also through its APIs. Findings can also be exported as a report for auditing purposes. AWS IAM Access Analyzer findings provide definitive answers about who has public and cross-account access to AWS resources from outside an account.
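As an added example (not code from AWS or from this announcement), the following Python triages findings in the shape returned by the accessanalyzer `list_findings` API: it keeps only ACTIVE findings that grant public access or access to accounts outside an assumed allowlist of trusted account IDs, grouped by resource type. The sample findings and account IDs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample findings, shaped like an accessanalyzer ListFindings
# response (id, resourceType, resource, principal, isPublic, status, action).
SAMPLE_FINDINGS = [
    {"id": "f-1", "resourceType": "AWS::S3::Bucket", "status": "ACTIVE",
     "resource": "arn:aws:s3:::example-public-bucket", "isPublic": True,
     "principal": {"AWS": "*"}, "action": ["s3:GetObject"]},
    {"id": "f-2", "resourceType": "AWS::IAM::Role", "status": "ACTIVE",
     "resource": "arn:aws:iam::111111111111:role/Deploy", "isPublic": False,
     "principal": {"AWS": "arn:aws:iam::222222222222:root"}, "action": ["sts:AssumeRole"]},
    {"id": "f-3", "resourceType": "AWS::KMS::Key", "status": "ACTIVE",
     "resource": "arn:aws:kms:us-east-1:111111111111:key/abcd", "isPublic": False,
     "principal": {"AWS": "333333333333"}, "action": ["kms:Decrypt"]},
    {"id": "f-4", "resourceType": "AWS::SQS::Queue", "status": "ARCHIVED",
     "resource": "arn:aws:sqs:us-east-1:111111111111:q", "isPublic": True,
     "principal": {"AWS": "*"}, "action": ["sqs:SendMessage"]},
]
ACCOUNT_RE = re.compile(r"\b(\d{12})\b")  # 12-digit account ID, bare or inside an ARN

def principal_account(principal):
    """12-digit account behind an AWS principal, or None for '*' / non-AWS principals."""
    aws = principal.get("AWS")
    if not aws or aws == "*":
        return None
    m = ACCOUNT_RE.search(aws)
    return m.group(1) if m else None

def classify(finding, trusted_accounts):
    """Return 'public', 'untrusted', 'trusted', or None if the finding is not ACTIVE."""
    if finding.get("status") != "ACTIVE":
        return None  # archived/resolved findings need no action
    principal = finding.get("principal", {})
    if finding.get("isPublic") or principal.get("AWS") == "*":
        return "public"
    acct = principal_account(principal)
    return "trusted" if acct in trusted_accounts else "untrusted"

def triage(findings, trusted_accounts):
    """Group ACTIVE public or untrusted cross-account findings by resource type."""
    report = defaultdict(list)
    for f in findings:
        verdict = classify(f, trusted_accounts)
        if verdict in ("public", "untrusted"):
            report[f["resourceType"]].append((f["id"], verdict, f["resource"]))
    return dict(report)
```

In practice the findings list would come from `boto3.client("accessanalyzer").list_findings(analyzerArn=...)`, paginated, in place of the constructed sample.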
AWS IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy. This means that it can evaluate hundreds or even thousands of policies across a customer’s environment in seconds, and deliver comprehensive findings about resources that are accessible from outside the account.
With this launch, the analyzer is available at no additional cost in the IAM console and through APIs in all commercial AWS Regions. It is also available through APIs in AWS GovCloud (US).