AWS IAM documentation change
Summary
Added documentation for internal access findings analysis capabilities and updated unused access findings terminology
Security assessment
The change introduces documentation for internal access analysis features that help identify internal access patterns and complex permission chains. While this enhances security visibility, there's no indication it addresses a specific vulnerability. The documentation addition helps users understand security controls but isn't tied to a disclosed security issue.
Diff
diff --git a/IAM/latest/UserGuide/access-analyzer-concepts.md b/IAM/latest/UserGuide/access-analyzer-concepts.md index fa38d1d0e..da23fb3b4 100644 --- a//IAM/latest/UserGuide/access-analyzer-concepts.md +++ b//IAM/latest/UserGuide/access-analyzer-concepts.md @@ -5 +5 @@ -External access findingsHow IAM Access Analyzer generates findings for external accessUnused access findingsHow IAM Access Analyzer generates findings for unused access +External access findingsHow external access findings are generatedInternal access findingsHow internal access findings are generatedUnused access findingsHow unused access findings are generated @@ -34,0 +35,29 @@ IAM Access Analyzer doesn't currently report findings from AWS service principal +## Internal access findings + +To use internal access analysis, you must first configure the analyzer by selecting the specific resources you want to monitor. Once configured, internal access findings are generated when a principal (IAM user or role) within your organization or account has access to your selected resources. A new finding is generated the next time the analyzer scans the specified resources and identifies a principal that has access to the resources. If an updated policy allows a principal that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the principal and resource. This updated policy could be a resource-based policy, identity-based policy, service control policy (SCP), or resource control policy (RCP). + +###### Note + +Internal access findings are only available using the [ListFindingsV2](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListFindingsV2.html) API action. + +## How IAM Access Analyzer generates findings for internal access + +To analyze internal access, you must create a separate analyzer for internal access findings for your resources, even if you’ve already created an analyzer to generate external access findings or unused access findings. + +After creating the internal access analyzer, IAM Access Analyzer evaluates all resource-based policies, identity-based policies, service control policies (SCPs), resource control policies (RCPs), and permissions boundaries within your specified account or organization. + +By creating an analyzer dedicated to internal access to your selected resources, you can identify: + + * When a principal in your organization or account can access your selected resources + + * The total effective permissions allowed for a principal based on the intersection of all applicable policies + + * Complex access paths where a principal gains access through a chain of permissions that might not be immediately obvious + + + + +###### Note + +IAM Access Analyzer cannot generate internal access findings for organizations that contain more than 70,000 principals (IAM users and roles combined). + @@ -37 +66 @@ IAM Access Analyzer doesn't currently report findings from AWS service principal -Unused access findings are generated for IAM entities within the selected account or organization based on the number of days specified while creating the analyzer. A new finding is generated the next time the analyzer scans the entities if one of the following conditions is met: +Unused access findings are generated for IAM entities (principals) within the selected account or organization based on the number of days specified while creating the analyzer. A new finding is generated the next time the analyzer scans the entities if one of the following conditions is met: @@ -52 +81 @@ Unused access findings are only available using the [ListFindingsV2](https://doc -To analyze unused access, you must create a separate analyzer for unused access findings for your roles, even if you’ve already created an analyzer to generate external access findings for your resources. +To analyze unused access, you must create a separate analyzer for unused access findings for your roles, even if you’ve already created an analyzer to generate external or internal access findings for your resources. @@ -70 +99 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Findings for external and unused access +Findings