IAM Access Analyzer continuously monitors policies for changes, so customers no longer need to rely on intermittent manual checks to catch issues as policies are added or updated. Using IAM Access Analyzer, customers can proactively address any resource policies that violate their security and governance best practices around resource sharing, and protect their resources from unintended access. IAM Access Analyzer delivers comprehensive, detailed findings through the AWS IAM, Amazon S3, and AWS Security Hub consoles and also through its APIs. Findings can also be exported as a report for auditing purposes. IAM Access Analyzer findings provide definitive answers about who has public and cross-account access to AWS resources from outside an account.
IAM Access Analyzer uses a form of mathematical analysis called automated reasoning, which applies logic and mathematical inference to determine all possible access paths allowed by a resource policy. This means that IAM Access Analyzer can evaluate hundreds or even thousands of policies across a customer’s environment in seconds, and deliver comprehensive findings about resources that are accessible from outside the account. We call this provable security.
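As an added example (not AWS code), the following script triages findings of the kind described above into public versus cross-account access. The field names used (`isPublic`, `principal`, `resource`, `resourceType`, `action`, `status`) follow the shape of records returned by the Access Analyzer `ListFindings` API; the findings themselves are constructed sample data so the script runs offline.

```python
"""Triage IAM Access Analyzer findings into public vs cross-account access.

Added example, not AWS code. Field names follow the ListFindings API
record shape (assumption); the findings below are constructed samples.
"""
from collections import defaultdict

# Constructed sample findings, shaped like ListFindings output.
SAMPLE_FINDINGS = [
    {"id": "f-1", "resource": "arn:aws:s3:::example-public-bucket",
     "resourceType": "AWS::S3::Bucket", "isPublic": True,
     "principal": {"AWS": "*"}, "action": ["s3:GetObject"], "status": "ACTIVE"},
    {"id": "f-2", "resource": "arn:aws:iam::111111111111:role/ExampleRole",
     "resourceType": "AWS::IAM::Role", "isPublic": False,
     "principal": {"AWS": "222222222222"}, "action": ["sts:AssumeRole"],
     "status": "ACTIVE"},
    {"id": "f-3", "resource": "arn:aws:kms:us-east-1:111111111111:key/example",
     "resourceType": "AWS::KMS::Key", "isPublic": False,
     "principal": {"AWS": "333333333333"}, "action": ["kms:Decrypt"],
     "status": "ARCHIVED"},
]


def classify(finding):
    """Return 'public' or 'cross-account' for one finding."""
    return "public" if finding.get("isPublic") else "cross-account"


def triage(findings, include_archived=False):
    """Group findings by access class and resource.

    Returns {class: {resource_arn: ["<principal> may <actions>", ...]}} so a
    reviewer sees, per resource, who outside the account can reach it.
    ARCHIVED findings (already reviewed and accepted) are skipped by default.
    """
    report = defaultdict(lambda: defaultdict(list))
    for f in findings:
        if f.get("status") != "ACTIVE" and not include_archived:
            continue
        principal = f.get("principal") or {}
        who = ", ".join(f"{k}={v}" for k, v in sorted(principal.items()))
        actions = "|".join(f.get("action", []))
        report[classify(f)][f["resource"]].append(f"{who} may {actions}")
    return {cls: dict(res) for cls, res in report.items()}


if __name__ == "__main__":
    for cls, resources in triage(SAMPLE_FINDINGS).items():
        print(f"[{cls}]")
        for arn, details in resources.items():
            for d in details:
                print(f"  {arn}: {d}")
```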
With this launch, IAM Access Analyzer is available at no additional cost in the IAM console and through APIs in all commercial AWS Regions. IAM Access Analyzer is also available through APIs in AWS GovCloud (US).
To learn more about IAM Access Analyzer, see the feature page.