
AWS IAM Access Analyzer for Enhanced Resource Protection



AWS recently launched two new features that extend AWS IAM Access Analyzer: analysis of unused permissions (permissions that are granted but never used) and validation of newly authored policies before they are deployed, both aimed at limiting permissions. In this blog, we explore these two features.


AWS IAM Access Analyzer examines the resource-based policies in your AWS environment and uses logic-based reasoning to identify resources shared with external principals. With the aid of AWS IAM Access Analyzer, you can determine which accounts and organizational resources—like Amazon S3 buckets or AWS IAM roles—are shared with a third party.

This enables you to detect unauthorized access to your data and resources, which is a security concern. AWS IAM Access Analyzer produces a finding for every instance of a resource shared outside of your account. Each finding includes information about the access and the external principal that holds it.

You can review the findings to determine whether the access was unintended and a security concern, or intended and safe. In addition to identifying resources shared with an external entity, AWS IAM Access Analyzer lets you preview, before you deploy resource permissions, how a policy affects public and cross-account access to your resource. AWS introduced two new features of AWS IAM Access Analyzer during its recent re:Invent:

  • Unused Access Analyzer
  • Custom Policy Checks


Unused Access Analyzer

The unused access analyzer is a new analyzer that monitors AWS IAM users and roles to find permissions that are granted but not actually used. A dashboard view lets central security teams identify which accounts stand to gain the most from a review of unused roles, permissions, and AWS IAM users.

With this new feature, you can build an analyzer that searches for access rights that are either excessively permissive or no longer needed. This covers unused AWS IAM roles, unused access keys and unused passwords of AWS IAM users, and unused services and actions for AWS IAM users and roles. Once an organization-wide or account-specific analyzer has produced its findings, you can act on them by removing the unnecessary permissions.

When you enable AWS IAM Access Analyzer, you create an analyzer: a resource that regularly assesses your accounts or AWS organization for either external access or unused access. An analyzer produces access findings for your AWS resources, AWS IAM users, and roles. An external access analyzer generates cross-account and public access findings for resources at no additional cost. An unused access analyzer is a paid feature that makes it easier to review unused access and guides you toward least privilege; with this feature, you pay per month for each AWS IAM role or AWS IAM user analyzed.
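The following is an added example, not code from the original post or from AWS, showing how the unused access analyzer described above is created and how its findings can be triaged for remediation. It uses the boto3 accessanalyzer client when a real client is passed in; the StandInClient, the account id, ARNs and findings are constructed so that the triage logic runs offline, and the stand-in only reproduces the response shape of CreateAnalyzer and ListFindingsV2.

```python
"""Create an unused access analyzer and triage its findings (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

try:
    import boto3  # only needed for the live AWS path
except ImportError:
    boto3 = None

# findingType values an unused access analyzer emits (ListFindingsV2).
UNUSED_TYPES = ("UnusedIAMRole", "UnusedIAMUserAccessKey",
                "UnusedIAMUserPassword", "UnusedPermission")

# Fixed "now" so the constructed sample ages are deterministic.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


def create_unused_access_analyzer(client, name, unused_age_days=90):
    """Create an account-scoped unused access analyzer and return its ARN.
    unusedAccessAge: days without use before a role, key, password or
    permission is reported as unused."""
    resp = client.create_analyzer(
        analyzerName=name,
        type="ACCOUNT_UNUSED_ACCESS",
        configuration={"unusedAccess": {"unusedAccessAge": unused_age_days}},
    )
    return resp["arn"]


def iter_unused_findings(client, analyzer_arn):
    """Yield ACTIVE unused-access findings, following nextToken pagination."""
    kwargs = {"analyzerArn": analyzer_arn,
              "filter": {"findingType": {"eq": list(UNUSED_TYPES)}}}
    while True:
        page = client.list_findings_v2(**kwargs)
        for finding in page.get("findings", []):
            if finding.get("status") == "ACTIVE":  # skip RESOLVED / ARCHIVED
                yield finding
        token = page.get("nextToken")
        if not token:
            return
        kwargs["nextToken"] = token


def summarise(findings, now=NOW):
    """Group findings by type: count, oldest open finding in days, resources."""
    out = defaultdict(lambda: {"count": 0, "oldest_days": 0, "resources": []})
    for f in findings:
        entry = out[f["findingType"]]
        entry["count"] += 1
        entry["oldest_days"] = max(entry["oldest_days"], (now - f["updatedAt"]).days)
        entry["resources"].append(f["resource"])
    return dict(out)


class StandInClient:
    """Constructed stand-in for the boto3 client: canned findings, two pages."""

    def __init__(self):
        acct = "111122223333"  # constructed account id
        self.pages = [
            {"findings": [
                {"findingType": "UnusedIAMRole", "status": "ACTIVE",
                 "resource": f"arn:aws:iam::{acct}:role/legacy-batch",
                 "updatedAt": NOW - timedelta(days=120)},
                {"findingType": "UnusedIAMUserPassword", "status": "RESOLVED",
                 "resource": f"arn:aws:iam::{acct}:user/alice",
                 "updatedAt": NOW - timedelta(days=200)},
            ]},
            {"findings": [
                {"findingType": "UnusedIAMUserAccessKey", "status": "ACTIVE",
                 "resource": f"arn:aws:iam::{acct}:user/ci-deployer",
                 "updatedAt": NOW - timedelta(days=45)},
                {"findingType": "UnusedPermission", "status": "ACTIVE",
                 "resource": f"arn:aws:iam::{acct}:role/app-server",
                 "updatedAt": NOW - timedelta(days=10)},
            ]},
        ]

    def create_analyzer(self, **kw):
        return {"arn": "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/"
                + kw["analyzerName"]}

    def list_findings_v2(self, **kw):
        idx = int(kw.get("nextToken", "0"))
        page = dict(self.pages[idx])
        if idx + 1 < len(self.pages):
            page["nextToken"] = str(idx + 1)
        return page


def triage(client, name="unused-access-demo"):
    """Create the analyzer, collect its active findings, return the summary."""
    arn = create_unused_access_analyzer(client, name)
    return summarise(iter_unused_findings(client, arn))


if __name__ == "__main__":
    # Replace StandInClient() with boto3.client("accessanalyzer") to run live.
    for ftype, entry in sorted(triage(StandInClient()).items()):
        print(f"{ftype}: {entry['count']} finding(s), oldest {entry['oldest_days']}d")
```

The summary is the input for the remediation step the post describes: the oldest UnusedIAMRole and UnusedIAMUserAccessKey findings are the ones to delete or deactivate first, while UnusedPermission findings point at policies to tighten rather than principals to remove.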

Custom Policy Checks

Developers are the ones who create the applications that need permissions, even though security teams are in charge of the organization’s overall security posture. Organizations look for safe ways to let developers author AWS IAM policies so that developers can work quickly without sacrificing security. Many AWS customers carry out manual AWS IAM policy reviews before releasing developer-authored policies into production environments.

Customers follow this procedure to stop unauthorized or excessive permissions from reaching production. These reviews can be thorough and time-consuming, depending on the number and complexity of the policies that need to be examined, so they tend to delay the deployment of applications and services and stall development. What is needed is confirmation that newly created policies do not introduce any unexpected or additional permissions. By incorporating automated policy reviews into your CI/CD pipelines and custom policy tools, you can accelerate the path of AWS applications from development to production and exert more control over your AWS IAM policies.

Custom policy checks, a new feature of AWS IAM Access Analyzer, help security teams precisely and proactively identify critical permissions within their policies. Custom policy checks can also tell you whether a policy has changed so that it is now more permissive than it was previously. Custom policy checks use automated reasoning, a form of static analysis, to offer a higher degree of assurance about cloud security.

Custom policy checks can be integrated into a continuous integration and delivery (CI/CD) pipeline to check policies without deploying them. Developers can also run custom policy checks from their local development environments to quickly find out whether the policies they are writing comply with your company’s security standards.
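The following is an added example, not code from the original post or from AWS, of the CI gate the two paragraphs above describe. It calls the two custom policy check APIs, CheckNoNewAccess (is the proposed policy more permissive than the deployed one?) and CheckAccessNotGranted (does it grant any action on a deny-list?), through boto3 when given a real accessanalyzer client. The policy documents, the forbidden-action list and the StandInClient are constructed; the stand-in only emulates the response shape with a crude set comparison so the gate logic runs offline, whereas the real service uses automated reasoning over the full policy language.

```python
"""CI gate built on IAM Access Analyzer custom policy checks (added example)."""
import json

try:
    import boto3  # only needed for the live AWS path
except ImportError:
    boto3 = None

# Constructed: the policy currently deployed for a CI deployer role.
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-artifacts/*"}],
}

# Constructed: a proposed change that widens the resource to "*" and adds
# s3:DeleteBucket. A reviewer should reject this.
PROPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
                   "Resource": "*"}],
}

# Constructed deny-list: actions no developer-authored policy may grant.
FORBIDDEN_ACTIONS = ["s3:DeleteBucket", "iam:CreateAccessKey"]


def check_policy(client, new_policy, existing_policy, forbidden_actions):
    """Return (ok, reasons). ok is False if either check does not PASS."""
    reasons = []
    no_new = client.check_no_new_access(
        newPolicyDocument=json.dumps(new_policy),
        existingPolicyDocument=json.dumps(existing_policy),
        policyType="IDENTITY_POLICY",
    )
    if no_new["result"] != "PASS":
        reasons.append("new access: " + no_new.get("message", ""))
        for r in no_new.get("reasons", []):
            reasons.append(f"  statement {r.get('statementIndex')}: {r.get('description')}")
    not_granted = client.check_access_not_granted(
        policyDocument=json.dumps(new_policy),
        access=[{"actions": forbidden_actions}],
        policyType="IDENTITY_POLICY",
    )
    if not_granted["result"] != "PASS":
        reasons.append("forbidden action granted: " + not_granted.get("message", ""))
    return (not reasons), reasons


class StandInClient:
    """Constructed stand-in: same response shape as the real APIs, but decided
    by comparing (action, resource) sets of Allow statements. Not a substitute
    for the service's automated reasoning."""

    @staticmethod
    def _grants(doc):
        pairs = set()
        for st in json.loads(doc)["Statement"]:
            if st.get("Effect") != "Allow":
                continue
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
            pairs.update((a, r) for a in actions for r in resources)
        return pairs

    def check_no_new_access(self, newPolicyDocument, existingPolicyDocument, policyType):
        added = self._grants(newPolicyDocument) - self._grants(existingPolicyDocument)
        if added:
            return {"result": "FAIL", "message": "new access detected (stand-in)",
                    "reasons": [{"description": f"{a} on {r}", "statementIndex": 0}
                                for a, r in sorted(added)]}
        return {"result": "PASS", "message": "no new access (stand-in)"}

    def check_access_not_granted(self, policyDocument, access, policyType):
        granted = {a for a, _ in self._grants(policyDocument)}
        hit = sorted(granted & {a for entry in access for a in entry["actions"]})
        if hit:
            return {"result": "FAIL", "message": "grants " + ", ".join(hit)}
        return {"result": "PASS", "message": "access not granted (stand-in)"}


def gate_with_stand_in(new_policy=PROPOSED_POLICY):
    return check_policy(StandInClient(), new_policy, EXISTING_POLICY, FORBIDDEN_ACTIONS)


def gate_with_aws(new_policy=PROPOSED_POLICY, region="us-east-1"):
    client = boto3.client("accessanalyzer", region_name=region)
    return check_policy(client, new_policy, EXISTING_POLICY, FORBIDDEN_ACTIONS)


if __name__ == "__main__":
    ok, reasons = gate_with_stand_in()
    print("PASS" if ok else "FAIL")
    for line in reasons:
        print(line)
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the pipeline step
```

In a pipeline the script runs against the policy file in the pull request; a non-zero exit blocks the merge, and the reasons list gives the developer the statement-level explanation the service returns, so the review happens before anything is deployed.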


Achieving least privilege is an ongoing process: you keep granting the appropriate fine-grained permissions as your needs change. AWS IAM Access Analyzer helps you set, check, and fine-tune permissions so that you can follow the principle of least privilege. It analyzes external access and, using provable security (automated reasoning), verifies that your policies adhere to the corporate security standards you have set.

Drop a query if you have any questions regarding AWS IAM Access Analyzer and we will get back to you quickly.


About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, Microsoft Gold Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.


1. How do I work toward least privilege permissions?

ANS: – When you first grant permissions, you may start broad and grant more rights as you learn and do more. AWS advises that, as your use cases develop, you refine permissions until you grant only the necessary ones, ultimately aiming for least-privilege permissions. AWS offers resources to help you fine-tune your permissions. AWS managed policies, which are created and maintained by AWS and contain permissions for typical use cases, are a good place to start. As you continue to refine your permissions, define specific permissions in customer managed policies. Use AWS Identity and Access Management (AWS IAM) Access Analyzer, examine AWS CloudTrail logs, and look up last accessed information to help you work out exactly which permissions you need. To test and troubleshoot policies, you can also use the AWS IAM policy simulator.

2. What are the least-privilege permissions?

ANS: – Give only the rights necessary to complete a task when you specify permissions using AWS IAM policies. The term “granting least privilege” refers to this practice. Least-privilege permissions can be applied in AWS IAM by specifying the actions that are permissible on particular resources under particular circumstances.

3. How does the AWS IAM access analyzer work?

ANS: – For unused access, AWS IAM Access Analyzer reviews last accessed information for all roles, user access keys, and user passwords in your AWS organization and accounts to help you identify access that is granted but not used.

WRITTEN BY Deepak Surendran



