Introduction to IAM
AWS Identity and Access Management (IAM) is the service that lets you control access to AWS resources. With IAM you create users and groups and grant or deny them permission to authenticate to and call AWS services.
What is IAM Access Analyzer?
IAM Access Analyzer analyses resource-based policies to find resources that can be accessed by a principal from outside your account. The external principal can be another AWS account, a root user, an IAM user, an IAM role, a federated user, an AWS service, the anonymous (public) user, or any other entity.
The account (or organization) for which the analyzer is created is called its zone of trust; principals inside that zone are trusted. The analyzer generates a finding when a resource can be accessed from outside the zone of trust.
Access Analyzer analyses and updates policies only for resources in the region in which it is enabled. To analyse policies in every region, create an analyzer in each region.
Why Access Analyzer?
IAM Access Analyzer helps you understand who can access your AWS services and resources. It gives you complete visibility into the resources you are sharing with external principals. It does this by using logic-based reasoning to analyse the resource-based policies in your AWS environment.
You create an analyzer for your account by enabling Access Analyzer. Once the analyzer is enabled, your account becomes its zone of trust, and the analyzer monitors all supported resources and services within that zone.
Resources that are accessible only from within the zone of trust are considered trusted. When Access Analyzer is enabled, it first analyses the policies applied to all supported resources in your account. After this first pass it re-analyses all policies every 24 hours; when a policy is added or changed, the analyzer picks up the change within about 30 minutes.
If, while analysing a policy, Access Analyzer finds that a principal outside the zone of trust is granted access, it generates a finding that lists the resource and the permissions granted, so that you can take immediate action. Occasionally the analyzer is not notified when a policy is added or updated; in that case the change is analysed in the next scheduled scan.
The benefits of using Access Analyzer:
- Access Analyzer saves time in reviewing resource policies for cross-account and public access
- Access Analyzer gives you complete visibility into the resources you are sharing with external principals
- All the resources within the zone of trust can be easily monitored
- Access Analyzer generates findings when resources are accessible from outside the zone of trust
- The analyzer re-analyses all policies every 24 hours
How does Access Analyzer work?
Access Analyzer generates findings from resource-based policies that grant access to a principal outside the zone of trust. Access from within the zone of trust is considered safe, so the analyzer does not generate findings for it.
For example, if a bucket policy grants access to an S3 bucket in your account to another AWS account, the analyzer generates a finding; if the same bucket policy grants access to an IAM role in your own account, it does not.
Access Analyzer supported resource types:
The following are the resource types that are supported by the IAM Access Analyzer:
Amazon Simple Storage Service buckets: when analysing an S3 bucket, Access Analyzer generates a finding when a bucket policy or an ACL grants access to an external principal, that is, an entity outside the zone of trust.
Access Analyzer also evaluates the bucket-level block public access setting whenever the bucket policy is changed or updated, and otherwise only once every 6 hours.
AWS Identity and Access Management roles: Access Analyzer analyses role trust policies. A role's trust policy is the resource-based policy attached to the role; it defines which principals are allowed to assume the role. The analyzer generates a finding when a trust policy allows a principal outside the zone of trust to assume the role, and it does so only in the regions where the analyzer is enabled.
AWS Key Management Service keys: Access Analyzer analyses the key policy and the grants that apply to a KMS key, and generates a finding when they allow an external entity to use the key. To do so, the analyzer reads the key metadata and lists the key's grants; if the key policy denies the analyzer permission to read the key metadata, an Access Denied error finding is generated instead.
AWS Lambda functions and layers: Access Analyzer analyses the function (or layer) policy, including any condition statements, to determine whether it grants access to the function to an external entity.
Amazon Simple Queue Service queues: Access Analyzer analyses the queue policy, including any condition statements, to determine whether it grants external access to the queue.
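As an added example (not from the original post, and not AWS's own implementation, which uses automated reasoning over the full policy language), the following Python script models the decision described under "How does Access Analyzer work?" and the condition handling mentioned for the Lambda and SQS policies: a resource-based policy is walked statement by statement, and a finding is produced for each Allow statement whose principal lies outside the zone of trust. The account IDs, bucket and queue names, and both policies are constructed; honouring only `aws:SourceAccount` / `aws:PrincipalAccount` conditions and treating service principals as external are simplifications, marked in the code.

```python
"""Simplified model of how IAM Access Analyzer decides whether a resource-based
policy grants access outside the zone of trust.  Constructed example; not AWS code."""

ZONE_OF_TRUST = "111111111111"  # constructed: the account that owns the analyzer


def _principal_entries(principal):
    """Flatten the Principal element ("*" or {"AWS": [...], ...}) into (kind, value) pairs."""
    if principal == "*":
        return [("AWS", "*")]
    entries = []
    for kind, values in principal.items():
        values = [values] if isinstance(values, str) else values
        entries.extend((kind, v) for v in values)
    return entries


def _account_of(value):
    """Return the 12-digit account ID referenced by an AWS principal value, or None."""
    if value.isdigit() and len(value) == 12:
        return value
    parts = value.split(":")  # arn:aws:iam::123456789012:role/Name
    if len(parts) >= 5 and parts[0] == "arn":
        return parts[4] or None
    return None


def _condition_pins_to_zone(condition):
    """True when a StringEquals condition on aws:PrincipalAccount or aws:SourceAccount
    limits the grant to the zone-of-trust account.  Simplification: other condition
    keys and operators are ignored, so they neither add nor remove findings."""
    for key, value in condition.get("StringEquals", {}).items():
        if key.lower() in ("aws:principalaccount", "aws:sourceaccount"):
            values = [value] if isinstance(value, str) else value
            return all(v == ZONE_OF_TRUST for v in values)
    return False


def analyze_policy(resource_arn, policy):
    """Return findings (shaped like Access Analyzer findings) for every Allow
    statement whose principal is outside the zone of trust."""
    findings = []
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue  # only Allow statements can grant access
        if _condition_pins_to_zone(stmt.get("Condition", {})):
            continue  # grant is restricted to our own account
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for kind, value in _principal_entries(stmt["Principal"]):
            if kind == "AWS" and _account_of(value) == ZONE_OF_TRUST:
                continue  # same-account user/role/root: trusted, no finding
            # Simplification: service and federated principals are reported as external.
            findings.append({
                "resource": resource_arn,
                "principal": {kind: value},
                "action": sorted(actions),
                "isPublic": kind == "AWS" and value == "*",
                "status": "ACTIVE",
            })
    return findings


# Constructed bucket policy: one cross-account grant, one same-account grant, one Deny.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CrossAccountRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "SameAccountRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/AppRole"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

# Constructed queue policy: a service grant pinned to our account, and a public grant.
QUEUE_ARN = "arn:aws:sqs:us-east-1:111111111111:orders"
QUEUE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "SnsFromOurAccount", "Effect": "Allow",
     "Principal": {"Service": "sns.amazonaws.com"},
     "Action": "sqs:SendMessage", "Resource": QUEUE_ARN,
     "Condition": {"StringEquals": {"aws:SourceAccount": "111111111111"}}},
    {"Sid": "AnyoneCanSend", "Effect": "Allow", "Principal": "*",
     "Action": "sqs:SendMessage", "Resource": QUEUE_ARN},
]}


def analyze_sample_bucket():
    return analyze_policy("arn:aws:s3:::example-bucket", BUCKET_POLICY)


def analyze_sample_queue():
    return analyze_policy(QUEUE_ARN, QUEUE_POLICY)


if __name__ == "__main__":
    for finding in analyze_sample_bucket() + analyze_sample_queue():
        print(finding)
```

Running the script reports one finding for the bucket (the grant to account 222222222222, not public) and one for the queue (the `Principal: "*"` statement, flagged `isPublic`); the same-account role, the Deny statement and the SNS grant pinned to our account produce nothing, which mirrors the distinction the post draws between cross-account and in-account grants.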

WRITTEN BY Sindhu Priya M