Overview
In a multi-account AWS environment, it’s common to grant external entities (users from another AWS account, third-party services, or identity providers) access to resources via IAM roles. Each such role is defined by two policies:
- Trust Policies (who can assume the role)
- Permissions Policies (what actions the role can perform)
To ensure security, it’s crucial to apply the principle of least privilege. This blog post shows how to use IAM Access Analyzer and IAM action last accessed data to identify and refine overly permissive roles.
Use IAM roles to securely grant access to an external entity in AWS.
This allows users, applications, or services outside your AWS account—such as another AWS account, a third-party service, or an external identity provider—to access your resources without sharing long-term credentials.
You can create an IAM role to grant an external entity access to resources in your AWS account. For example, as an application developer, you might enable cross-account access by attaching a trust policy to a role.
To do this, first create a role with a trust policy that allows the external entity to assume it. Then define a permissions policy that specifies the actions the role can perform. Once the role can be assumed, the external entity can access your resources according to the permissions assigned to the role.
It is essential to limit the permissions of externally accessible roles to only those required for the specific task.
How to Grant Access Using IAM Roles:
- Create an IAM Role:
  - Go to the IAM Console → Roles → Create role.
  - Select the trusted entity type (AWS account, web identity, SAML, or custom trust).
- Define a Trust Policy:
  - Specify which external entities can assume the role.
  - Example trust policy for cross-account access:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```

- Attach a Permissions Policy:
  - Define the actions and resources the role can access.
  - Example policy to allow S3 read-only access:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

- Provide Role Details to the External Entity:
  - Share the role ARN so the external entity can assume it using AWS Security Token Service (STS).
- Monitor and Refine Access:
  - Use IAM Access Analyzer to detect unintended access.
AWS IAM Access Analyzer is a security tool that helps identify and analyze access permissions for AWS resources. It detects unintended external access and assists in refining IAM policies to follow the principle of least privilege.
Key Features of IAM Access Analyzer
- Detects External Access – Identifies resources (S3 buckets, IAM roles, KMS keys, etc.) that are accessible from outside your AWS account.
- Analyzes IAM Policies – Helps validate and refine IAM roles, trust policies, and permissions.
- Findings & Recommendations – Provides detailed findings on risky permissions and suggests actions to secure resources.
- Policy Validation – Flags overly permissive policies and offers security improvements.
How to Use IAM Access Analyzer
- Enable IAM Access Analyzer
  - Go to IAM Console → Access Analyzer.
  - Create an analyzer for your AWS account or organization.
  - AWS automatically scans IAM policies for risky access.
- Review Findings
  - Findings highlight resources that allow external access (e.g., IAM roles, S3 buckets, Lambda functions).
  - Check whether the access is intended or unintentional.
- Refine Permissions
  - Use IAM action last accessed data to remove permissions that have not been used.
  - Restrict access using least privilege policies.
  - Update trust policies to limit which external entities can assume the role.
- Validate IAM Policies
  - Use IAM Access Analyzer’s policy validation to identify misconfigurations.
  - Modify policies based on AWS security recommendations.
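As an added example (not code from the post), the Python below applies the two refinements described above: it compares the role's permissions policy against an action last accessed report and keeps only the actions that were actually used, and it adds an sts:ExternalId condition to the post's trust policy so the external account cannot assume the role without the agreed ExternalId. The policies and the last accessed report are constructed samples, and the report's field names are an assumption rather than the exact API response shape.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the permissions policy attached to the cross-account role.
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
}]}

# Constructed action last accessed report (field names are an assumption, loosely modelled
# on GetServiceLastAccessedDetails at ACTION_LEVEL); no LastAccessedTime means never used.
LAST_ACCESSED = [
    {"ServiceNamespace": "s3", "ActionName": "GetObject", "LastAccessedTime": "2025-05-01T10:00:00Z"},
    {"ServiceNamespace": "s3", "ActionName": "ListBucket", "LastAccessedTime": "2025-05-02T08:30:00Z"},
    {"ServiceNamespace": "s3", "ActionName": "PutObject"},
    {"ServiceNamespace": "s3", "ActionName": "DeleteObject"},
]

# The post's trust policy: the whole external account may assume the role, with no condition.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "sts:AssumeRole", "Condition": {}}]}

def used_actions(report) -> set:
    """Collect 'namespace:Action' names that carry a LastAccessedTime."""
    return {f"{e['ServiceNamespace']}:{e['ActionName']}" for e in report if e.get("LastAccessedTime")}

def refine_policy(policy: dict, used: set) -> dict:
    """Keep only Allow actions that were used; wildcards such as s3:* are replaced by the
    used actions they match. Deny statements stay; Allow statements left empty are dropped."""
    refined = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            refined["Statement"].append(stmt)
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        kept = [u for u in sorted(used) if any(fnmatchcase(u, p) for p in patterns)]
        if kept:
            refined["Statement"].append({**stmt, "Action": kept})
    return refined

def harden_trust_policy(trust: dict, external_id: str) -> dict:
    """Require the agreed ExternalId on every sts:AssumeRole statement of the trust policy."""
    hardened = json.loads(json.dumps(trust))  # deep copy; the caller's policy is left untouched
    for stmt in hardened["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "sts:AssumeRole" in actions:
            stmt.setdefault("Condition", {}).setdefault("StringEquals", {})["sts:ExternalId"] = external_id
    return hardened
```

Run `refine_policy(PERMISSIONS_POLICY, used_actions(LAST_ACCESSED))` to get a policy that allows only s3:GetObject and s3:ListBucket on the bucket, and `harden_trust_policy(TRUST_POLICY, "<your-external-id>")` for the conditioned trust policy; review both before applying them, since a short tracking window can hide legitimate but infrequent actions.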
Best Practices for IAM Access Analyzer
- Regularly review findings to identify security risks.
- Use IAM policy validation to avoid overly permissive access.
- Implement least privilege access by refining IAM roles.
- Monitor and log access using AWS CloudTrail.
WRITTEN BY Avinash Singh Bundela