IAM Access Analyzer
IAM Access Analyzer is a powerful AWS service that helps you identify resources in your organization and accounts that are shared with external entities. It continuously monitors resource-based policies to detect potential unintended access, which is critical for maintaining a strong security posture.

**Key Features:**
1. **External Access Analysis:** Access Analyzer evaluates resource-based policies on services such as S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, and Secrets Manager secrets. It identifies resources that can be accessed from outside your AWS account or organization, flagging them as "findings."
2. **Unused Access Analysis:** It can detect unused IAM roles, unused access keys, unused passwords, and unused permissions, helping you implement least-privilege access by identifying and removing unnecessary entitlements.
3. **Policy Validation:** Access Analyzer provides policy validation by checking IAM policies against AWS best practices and grammar rules, offering actionable recommendations to help you author secure and functional policies.
4. **Policy Generation:** It can generate fine-grained IAM policies based on actual access activity captured in AWS CloudTrail logs, helping you create least-privilege policies tailored to real usage patterns.
5. **Custom Policy Checks:** You can validate that policies conform to your organization's security standards before deployment using custom policy checks powered by automated reasoning.

**How It Works:** You create an analyzer by selecting a zone of trust (either your AWS account or your entire AWS Organization). Access Analyzer uses mathematical, logic-based reasoning (called automated reasoning) to analyze all possible access paths and generate comprehensive findings.

**Integration:** Findings can be reviewed in the AWS Console, exported via APIs, sent to AWS Security Hub for centralized monitoring, and trigger automated remediation through Amazon EventBridge.

**Exam Relevance:** For SCS-C02, understand that Access Analyzer is essential for identifying cross-account access, enforcing least privilege, validating policies, and detecting resource exposure—all fundamental to identity and access management security.
IAM Access Analyzer: Complete Guide for AWS Security Specialty
IAM Access Analyzer is a critical AWS service that helps you identify resources in your organization and accounts that are shared with an external entity. Understanding this service thoroughly is essential for the AWS Security Specialty exam.
Why IAM Access Analyzer Is Important
In modern cloud environments, unintended public or cross-account access to resources is one of the most common security risks. Organizations often have hundreds or thousands of resource-based policies across S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, and Secrets Manager secrets. Manually reviewing each policy for overly permissive access is impractical and error-prone.
IAM Access Analyzer addresses this challenge by using automated reasoning (mathematical logic-based analysis) to determine whether a resource policy grants access to external principals. This is not a simple pattern match — it uses provable logic to evaluate all possible access paths, giving you comprehensive and accurate findings.
Without IAM Access Analyzer, organizations risk:
- Publicly exposed S3 buckets containing sensitive data
- Cross-account IAM role assumptions by unintended accounts
- KMS keys accessible to external entities
- Lambda functions invocable by unauthorized principals
- Data exfiltration through misconfigured resource policies
What Is IAM Access Analyzer?
IAM Access Analyzer is a feature within the IAM console that continuously monitors resource-based policies and identifies resources that are accessible from outside your zone of trust. The zone of trust is defined as either:
- Your AWS account (account-level analyzer): Identifies resources shared with any external principal outside the account
- Your AWS organization (organization-level analyzer): Identifies resources shared with any principal outside the entire organization
IAM Access Analyzer generates findings for each instance where a resource policy allows access from outside the zone of trust. Each finding provides detailed information about the resource, the external principal, the granted permissions, and the condition keys involved.
Key Capabilities:
1. External Access Findings — Identifies resources shared with external entities
2. Unused Access Findings — Identifies unused IAM roles, unused access keys, unused passwords, and unused permissions (available with IAM Access Analyzer for unused access)
3. Policy Validation — Validates IAM policies against best practices and grammar rules during policy authoring
4. Policy Generation — Generates fine-grained IAM policies based on CloudTrail access activity
5. Custom Policy Checks — Allows you to validate that policies do not grant specific permissions you want to restrict
Supported Resource Types:
- Amazon S3 buckets (and S3 access points, multi-region access points, and S3 directory buckets)
- IAM roles (trust policies)
- AWS KMS keys
- AWS Lambda functions and layers
- Amazon SQS queues
- AWS Secrets Manager secrets
- Amazon SNS topics
- Amazon EBS volume snapshots
- Amazon RDS DB snapshots and DB cluster snapshots
- Amazon ECR repositories
- Amazon EFS file systems
- DynamoDB tables and streams
How IAM Access Analyzer Works
Step 1: Create an Analyzer
You create an analyzer in the IAM console, CLI, or API. You choose the zone of trust — either the current AWS account or the AWS organization. You can create multiple analyzers per Region. Note: IAM Access Analyzer is a per-Region service. You must create an analyzer in each Region where you want to monitor resources.
Step 2: Automated Analysis Using Formal Reasoning
Once created, the analyzer automatically and continuously scans all supported resource-based policies within the Region. It uses a technique called Zelkova, which is based on automated reasoning and formal mathematical proofs. This is not heuristic-based — it provides provable security guarantees about whether access is possible.
Step 3: Findings Generation
When the analyzer identifies a resource policy that grants access to an external principal (outside the zone of trust), it generates a finding. Each finding includes:
- The resource ARN
- The external principal (account, organization, or public)
- The condition that allows access
- The actions granted
- Whether the access is public or cross-account
Step 4: Finding Status Management
Findings can have the following statuses:
- Active — The finding is new and needs review
- Archived — The finding has been reviewed and archived (either manually or via an archive rule)
- Resolved — The resource policy was modified, and the access no longer exists
Step 5: Archive Rules
You can create archive rules to automatically archive findings that match specific criteria. For example, if you intentionally share an S3 bucket with a specific partner account, you can create an archive rule so that finding is automatically archived and does not clutter your active findings.
Step 6: Integration with Other Services
- AWS Security Hub: Findings from IAM Access Analyzer are automatically sent to Security Hub for centralized visibility
- Amazon EventBridge: You can create EventBridge rules to trigger automated responses (such as SNS notifications or Lambda remediation) when new findings are generated
- AWS CloudTrail: IAM Access Analyzer uses CloudTrail logs for policy generation
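The following is an added worked model of Steps 1 through 5, not code from AWS or from this guide. It evaluates a constructed bucket policy against an account-level and an organization-level zone of trust, produces findings with the fields listed in Step 3, and applies an archive rule of the kind described in Step 5. The account ids, bucket ARN, organization membership and policy are all constructed; the real service applies automated reasoning to the whole policy language, whereas this model only reads the Principal element of Allow statements.

```python
"""Model of external access analysis against a zone of trust.
Added illustration, not AWS code: only the Principal element of
Allow statements is inspected, and conditions are carried through
unevaluated so they appear in the finding as Step 3 describes."""

# Constructed data: the analyzer's own account, the other member of its
# AWS Organization, and a partner account outside the organization.
OWN_ACCOUNT = "111111111111"
ORG_ACCOUNTS = {OWN_ACCOUNT, "222222222222"}
BUCKET_ARN = "arn:aws:s3:::example-reports-bucket"

# Constructed bucket policy with four Allow statements of increasing reach.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Owner", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"},
         "Action": "s3:*", "Resource": f"{BUCKET_ARN}/*"},
        {"Sid": "SiblingAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:role/etl"},
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": BUCKET_ARN},
        {"Sid": "Partner", "Effect": "Allow",
         "Principal": {"AWS": "999999999999"},
         "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/shared/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/public/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def principal_accounts(principal):
    """Return ("public", set()) for a wildcard principal, otherwise
    ("accounts", {account ids}) read from the Principal element."""
    if principal == "*":
        return "public", set()
    aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    if "*" in aws:
        return "public", set()
    # Account ids appear bare ("999999999999") or inside an ARN, where the
    # account id is the fifth colon-separated field.
    return "accounts", {p.split(":")[4] if p.startswith("arn:") else p for p in aws}


def analyze(resource_arn, policy, zone_of_trust):
    """Generate one finding per Allow statement that reaches a principal
    outside zone_of_trust (a set of account ids)."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        kind, accounts = principal_accounts(st.get("Principal", {}))
        base = {"resource": resource_arn, "actions": as_list(st["Action"]),
                "condition": st.get("Condition", {}), "status": "ACTIVE"}
        if kind == "public":
            findings.append({**base, "principal": "*", "isPublic": True})
        else:
            for account in sorted(accounts - zone_of_trust):
                findings.append({**base, "principal": account, "isPublic": False})
    return findings


def apply_archive_rules(findings, rules):
    """Each rule maps a finding field to the values it accepts; a finding
    matching every field of some rule is moved from ACTIVE to ARCHIVED."""
    for finding in findings:
        if any(all(finding.get(field) in allowed for field, allowed in rule.items())
               for rule in rules):
            finding["status"] = "ARCHIVED"
    return findings


def active_findings(resource_arn, policy, zone_of_trust, rules=()):
    """Run the analysis and return only the findings still needing review."""
    findings = apply_archive_rules(analyze(resource_arn, policy, zone_of_trust), rules)
    return [f for f in findings if f["status"] == "ACTIVE"]


if __name__ == "__main__":
    # Account-level analyzer: the sibling org account, the partner and the
    # public statement are all outside the zone of trust.
    for f in analyze(BUCKET_ARN, BUCKET_POLICY, {OWN_ACCOUNT}):
        print("account zone:", f["principal"], f["actions"])
    # Organization-level analyzer plus an archive rule for the known partner:
    # only the public statement remains an active finding.
    rules = [{"principal": {"999999999999"}, "isPublic": {False}}]
    for f in active_findings(BUCKET_ARN, BUCKET_POLICY, ORG_ACCOUNTS, rules):
        print("org zone, after archive rules:", f["principal"], f["condition"])
```

Running it shows the exam point directly: the same policy yields three findings for an account-level analyzer but only two for an organization-level one, because the sibling account sits inside the organization's zone of trust, and the archive rule for the intentional partner share leaves just the public statement to review.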
Unused Access Analyzer
A newer capability, the unused access analyzer, allows you to identify:
- Unused IAM roles — Roles that have not been assumed within a specified period
- Unused access keys — Access keys that have not been used
- Unused passwords — Console passwords not used for sign-in
- Unused permissions — Services and actions granted but never used
This is configured at the organization level and requires a paid subscription (charged per IAM role/user analyzed per month).
Policy Validation
IAM Access Analyzer provides over 100 policy validation checks that analyze your IAM policies and report:
- Errors — Invalid policy syntax or logic
- Warnings — Policies that may not work as intended
- Suggestions — Best practice recommendations
- Security warnings — Overly permissive policies
This feature is free and available during policy authoring.
Policy Generation
IAM Access Analyzer can analyze CloudTrail logs (up to 90 days of activity) and generate a least-privilege IAM policy based on actual usage. This helps you:
- Move from broad permissions to fine-grained policies
- Implement the principle of least privilege effectively
- Reduce the attack surface of your IAM policies
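As an added example of the idea behind policy generation (not AWS's generator and not code from this guide), the block below derives a policy for one role from constructed CloudTrail-style records. The records contain only the fields read here, the role and resource names are invented, and eventName is mapped to the IAM action name directly, which is a simplification of the real service-specific mapping.

```python
"""Derive a least-privilege policy for one role from CloudTrail activity.
Added illustration, not AWS code: the records are constructed and the
eventName -> IAM action mapping is simplified."""
import json
from collections import defaultdict

# Constructed CloudTrail-style records for two roles over the lookback window.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc"},
     "resources": [{"ARN": "arn:aws:s3:::example-data-bucket/input/2024.csv"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc"},
     "resources": [{"ARN": "arn:aws:s3:::example-data-bucket/input/2025.csv"}]},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc"},
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:111111111111:table/orders"}]},
    {"eventSource": "sqs.amazonaws.com", "eventName": "SendMessage",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc"},
     "resources": []},
    # Activity from a different role must not leak into app-role's policy.
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/other-role/x"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111111111111:key/0000"}]},
]


def role_name_from(user_identity_arn):
    """'arn:aws:sts::acct:assumed-role/<role>/<session>' -> '<role>'."""
    resource = user_identity_arn.split(":", 5)[5]
    return resource.split("/")[1] if resource.startswith("assumed-role/") else None


def observed_access(events, role_name):
    """Collect {action: {resource ARNs}} for calls made under role_name.
    A call whose record carried no resource ARN maps to '*'."""
    access = defaultdict(set)
    for ev in events:
        if role_name_from(ev["userIdentity"]["arn"]) != role_name:
            continue
        service = ev["eventSource"].split(".")[0]
        action = f"{service}:{ev['eventName']}"
        arns = {r["ARN"] for r in ev.get("resources", [])} or {"*"}
        access[action] |= arns
    return access


def generate_policy(events, role_name):
    """Build one statement per service, granting only the observed actions.
    Object-level S3 ARNs are collapsed to their key prefix so the policy
    covers the next file in the same location, not only files already seen."""
    by_service = defaultdict(lambda: {"actions": set(), "resources": set()})
    for action, arns in observed_access(events, role_name).items():
        service = action.split(":")[0]
        by_service[service]["actions"].add(action)
        for arn in arns:
            if arn.startswith("arn:aws:s3:::") and "/" in arn:
                arn = arn.rsplit("/", 1)[0] + "/*"
            by_service[service]["resources"].add(arn)
    statements = [
        {"Sid": f"{service.capitalize()}Access", "Effect": "Allow",
         "Action": sorted(entry["actions"]), "Resource": sorted(entry["resources"])}
        for service, entry in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(generate_policy(SAMPLE_EVENTS, "app-role"), indent=2))
```

The output is a starting point, not a finished policy: any action that was logged without a resource ARN comes out with Resource "*" and should be scoped by the reviewer before the policy is attached, which is the same review step the generated policy from Access Analyzer calls for.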
Custom Policy Checks
Custom policy checks allow you to define reference policies and validate new or updated policies against them. For example, you can check that a new policy does not grant s3:PutBucketPolicy. This can be integrated into CI/CD pipelines for automated policy governance.
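The block below is an added local illustration of both the Policy Validation and Custom Policy Checks sections, not AWS code and not part of this guide. It reports findings in the four categories the Policy Validation section lists (the few checks it implements are illustrative stand-ins, not the service's 100+ checks), and it answers the custom policy check question "does this policy grant s3:PutBucketPolicy?" by resolving Allow, Deny, NotAction and wildcards. Conditions are ignored, and the candidate policy is constructed.

```python
"""Local policy validation plus a custom "access not granted" check.
Added illustration, not AWS code: the checks are a small illustrative
subset, and Condition elements are ignored in the grant decision."""
from fnmatch import fnmatchcase

# Constructed policy under review: broad admin rights plus an explicit Deny.
CANDIDATE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
         "Resource": "*"},
    ]
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action names match case-insensitively with * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def statement_covers(statement, action):
    """True if the statement applies to `action`, honouring NotAction."""
    if "Action" in statement:
        return any(action_matches(p, action) for p in as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(action_matches(p, action) for p in as_list(statement["NotAction"]))
    return False


def grants_action(policy, action):
    """Custom policy check core: an explicit Deny always wins over any Allow."""
    allows = [s for s in policy["Statement"] if s.get("Effect") == "Allow"]
    denies = [s for s in policy["Statement"] if s.get("Effect") == "Deny"]
    if any(statement_covers(s, action) for s in denies):
        return False
    return any(statement_covers(s, action) for s in allows)


def validate_policy(policy):
    """Return (findingType, message) pairs in the categories
    ERROR, WARNING, SUGGESTION and SECURITY_WARNING."""
    findings = []
    if "Version" not in policy:
        findings.append(("SUGGESTION", 'Add "Version": "2012-10-17" so policy variables work'))
    for i, s in enumerate(policy.get("Statement", [])):
        where = f"Statement[{i}]"
        if s.get("Effect") not in ("Allow", "Deny"):
            findings.append(("ERROR", f"{where}: Effect must be Allow or Deny"))
        if "Action" not in s and "NotAction" not in s:
            findings.append(("ERROR", f"{where}: missing Action or NotAction"))
        if s.get("Effect") == "Allow" and "NotAction" in s:
            findings.append(("WARNING", f"{where}: Allow with NotAction grants every action not listed"))
        if (s.get("Effect") == "Allow" and "*" in as_list(s.get("Action", []))
                and "*" in as_list(s.get("Resource", []))):
            findings.append(("SECURITY_WARNING", f"{where}: grants all actions on all resources"))
    return findings


def forbidden_actions_granted(policy, forbidden_actions):
    """CI gate: return the forbidden actions the policy would still grant."""
    return [a for a in forbidden_actions if grants_action(policy, a)]


if __name__ == "__main__":
    for finding_type, message in validate_policy(CANDIDATE_POLICY):
        print(f"{finding_type:17} {message}")
    leaked = forbidden_actions_granted(CANDIDATE_POLICY, ["s3:PutBucketPolicy", "s3:PutObject"])
    print("forbidden actions still granted:", leaked)
```

In a pipeline the gate would fail the build whenever forbidden_actions_granted returns a non-empty list; the constructed policy passes for s3:PutBucketPolicy only because of its explicit Deny, while the "*" Allow still surfaces as a SECURITY_WARNING. The hosted equivalent is the CheckAccessNotGranted API of IAM Access Analyzer, which reasons over conditions as well.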
Architecture Considerations
- IAM Access Analyzer is Regional. You need to enable it in every Region where you have resources.
- For organization-level analysis, the analyzer must be created in the management account or a delegated administrator account.
- Findings are generated within approximately 30 minutes of a resource policy change, or within 24 hours for periodic scans.
- It is a free service for external access analysis and policy validation. Unused access analysis has a cost.
Key Differences to Understand
IAM Access Analyzer vs. S3 Block Public Access:
S3 Block Public Access is a preventive control that blocks public access. IAM Access Analyzer is a detective control that identifies public and cross-account access but does not block it.
IAM Access Analyzer vs. AWS Config Rules:
AWS Config rules like s3-bucket-public-read-prohibited use pattern matching. IAM Access Analyzer uses formal mathematical reasoning, which is more thorough and can detect complex policy interactions that Config rules might miss.
IAM Access Analyzer vs. IAM Policy Simulator:
IAM Policy Simulator tests whether specific API calls are allowed or denied for a principal. IAM Access Analyzer examines resource-based policies to find all external access paths.
Exam Tips: Answering Questions on IAM Access Analyzer
1. Remember it is Regional: If a question asks about monitoring resources in multiple Regions, the answer involves creating an analyzer in each Region. A single analyzer does not cover all Regions.
2. Zone of Trust is key: Questions will test whether you understand the difference between account-level and organization-level analyzers. An organization-level analyzer will NOT flag cross-account access within the same organization, because those accounts are within the zone of trust.
3. Detective, not preventive: IAM Access Analyzer identifies external access — it does not block it. If a question asks about preventing public access, think S3 Block Public Access or SCPs. If it asks about detecting or identifying unintended access, think IAM Access Analyzer.
4. Automated reasoning, not heuristics: When questions reference comprehensive or provable analysis of policies, IAM Access Analyzer is the answer. It uses Zelkova-based formal verification.
5. Archive rules for expected findings: If a scenario describes known, intentional cross-account sharing and asks how to reduce noise, the answer is archive rules — not disabling the analyzer or suppressing findings in Security Hub.
6. Integration with EventBridge for automation: Questions about automated notification or remediation when new findings appear should point to EventBridge integration (triggering SNS or Lambda).
7. Integration with Security Hub: For centralized visibility of findings across accounts, IAM Access Analyzer sends findings to Security Hub. This is a common exam pattern.
8. Policy generation uses CloudTrail: If a question asks about generating least-privilege policies based on actual usage, the answer is IAM Access Analyzer policy generation, which analyzes CloudTrail logs.
9. Know the supported resource types: Questions may present a scenario involving a resource type and ask if Access Analyzer can detect external access. Remember the supported types: S3, IAM roles, KMS, Lambda, SQS, Secrets Manager, SNS, EBS snapshots, RDS snapshots, ECR, EFS, and DynamoDB.
10. Unused access analysis for least privilege: If a question asks about identifying unused roles, permissions, or access keys across an organization, think unused access analysis in IAM Access Analyzer.
11. Free vs. paid: External access analysis and policy validation are free. Unused access analysis incurs charges. This is unlikely to be a direct exam question but helps eliminate incorrect answers about cost.
12. Look for keywords in questions: Phrases like "identify resources shared externally," "unintended public access," "cross-account access detection," "external principals," or "resource policy analysis" all point toward IAM Access Analyzer as the correct answer.
13. Delegated administrator: For organization-level analyzers, you can designate a member account as a delegated administrator instead of using the management account. This is an AWS best practice and may appear in exam scenarios about account governance.