AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-05-01 · Documentation low

File: IAM/latest/UserGuide/access-analyzer-create-unused.md

Summary

Clarified tracking period requirements for IAM Access Analyzer unused access analysis, specifying permissions must exist for entire tracking period before evaluation

Security assessment

Improves documentation accuracy for a security analysis tool but does not address a specific vulnerability

Diff

diff --git a/IAM/latest/UserGuide/access-analyzer-create-unused.md b/IAM/latest/UserGuide/access-analyzer-create-unused.md
index 796a53b3c..ee1277264 100644
--- a//IAM/latest/UserGuide/access-analyzer-create-unused.md
+++ b//IAM/latest/UserGuide/access-analyzer-create-unused.md
@@ -25 +25 @@ IAM Access Analyzer charges for unused access analysis based on the number of IA
-  6. For **Tracking period** , enter the number of days for which to generate findings for unused permissions. For example, if you enter 90 days, the analyzer will generate findings for IAM entities within the selected account for any permissions that haven't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 365 days.
+  6. For **Tracking period** , enter the number of days for analysis. The analyzer will only evaluate permissions for IAM entities within the selected account that have existed for the entire tracking period. For example, if you set a tracking period of 90 days, only permissions that are at least 90 days old will be analyzed, and findings will be generated if they show no usage during this period. You can enter a value between 1 and 365 days.
@@ -68 +68 @@ If a member account is removed from the organization, the unused access analyzer
-  7. For **Tracking period** , enter the number of days for which to generate findings for unused permissions. For example, if you enter 90 days, the analyzer will generate findings for IAM entities within the accounts of the selected organization for any permissions that haven't been used in 90 or more days since the analyzer's last scan. You can choose a value between 1 and 365 days.
+  7. For **Tracking period** , enter the number of days for analysis. The analyzer will only evaluate permissions for IAM entities within the accounts of the selected organization that have existed for the entire tracking period. For example, if you set a tracking period of 90 days, only permissions that are at least 90 days old will be analyzed, and findings will be generated if they show no usage during this period. You can enter a value between 1 and 365 days.