AWS IAM documentation change
Summary
Updated terminology from 'Unused access analysis' to 'Principal analysis - Unused access', adjusted step numbering, added note about analysis delay, and corrected UI labels from 'Scope of analysis' to 'Selected accounts'
Security assessment
Changes appear to be UI label updates and procedural clarifications for IAM Access Analyzer configuration. No mention of vulnerabilities, exploits, or security incidents. The updates improve documentation accuracy but don't introduce new security features or address specific security flaws.
Diff
diff --git a/IAM/latest/UserGuide/access-analyzer-create-unused.md b/IAM/latest/UserGuide/access-analyzer-create-unused.md index ee1277264..7c281eb48 100644 --- a//IAM/latest/UserGuide/access-analyzer-create-unused.md +++ b//IAM/latest/UserGuide/access-analyzer-create-unused.md @@ -14,0 +15,4 @@ IAM Access Analyzer charges for unused access analysis based on the number of IA +###### Note + +After you create or update an analyzer, it can take time for findings to be available. + @@ -21 +25 @@ IAM Access Analyzer charges for unused access analysis based on the number of IA - 4. In the **Analysis** section, choose **Unused access analysis**. + 4. In the **Analysis** section, choose **Principal analysis - Unused access**. @@ -29 +33 @@ IAM Access Analyzer charges for unused access analysis based on the number of IA - 8. For **Scope of analysis** , choose **Current account**. + 8. For **Selected accounts** , choose **Current account**. @@ -58,3 +62 @@ If a member account is removed from the organization, the unused access analyzer - 2. Choose **Access analyzer**. - - 3. Choose **Analyzer settings**. + 2. Under **Access analyzer** , choose **Analyzer settings**. @@ -62 +64 @@ If a member account is removed from the organization, the unused access analyzer - 4. Choose **Create analyzer**. + 3. Choose **Create analyzer**. @@ -64 +66 @@ If a member account is removed from the organization, the unused access analyzer - 5. In the **Analysis** section, choose **Unused access analysis**. + 4. In the **Analysis** section, choose **Principal analysis - Unused access**. @@ -66 +68 @@ If a member account is removed from the organization, the unused access analyzer - 6. Enter a name for the analyzer. + 5. Enter a name for the analyzer. @@ -68 +70 @@ If a member account is removed from the organization, the unused access analyzer - 7. For **Tracking period** , enter the number of days for analysis. The analyzer will only evaluate permissions for IAM entities within the accounts of the selected organization that have existed for the entire tracking period. For example, if you set a tracking period of 90 days, only permissions that are at least 90 days old will be analyzed, and findings will be generated if they show no usage during this period. You can enter a value between 1 and 365 days. + 6. For **Tracking period** , enter the number of days for analysis. The analyzer will only evaluate permissions for IAM entities within the accounts of the selected organization that have existed for the entire tracking period. For example, if you set a tracking period of 90 days, only permissions that are at least 90 days old will be analyzed, and findings will be generated if they show no usage during this period. You can enter a value between 1 and 365 days. @@ -70 +72 @@ If a member account is removed from the organization, the unused access analyzer - 8. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer. + 7. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer. @@ -72 +74 @@ If a member account is removed from the organization, the unused access analyzer - 9. For **Scope of analysis** , choose **Current organization**. + 8. For **Selected accounts** , choose **Current organization**. @@ -74 +76 @@ If a member account is removed from the organization, the unused access analyzer - 10. Optional. In the **Exclude AWS accounts from analysis** section, you can choose AWS accounts in your organization to exclude from unused access analysis. Findings will not be generated for excluded accounts. + 9. Optional. In the **Exclude AWS accounts from analysis** section, you can choose AWS accounts in your organization to exclude from unused access analysis. Findings will not be generated for excluded accounts. @@ -92 +94 @@ Excluded accounts cannot include the organization analyzer owner account. When n - 11. Optional. In the **Exclude IAM users and roles with tags** section, you can specify key-value pairs for IAM users and roles to exclude from unused access analysis. Findings will not be generated for excluded IAM users and roles that match the key-value pairs. For the **Tag key** , enter a value that is 1 to 128 characters in length and not prefixed with `aws:`. For the **Value** , you can enter a value that is 0 to 256 characters in length. If you don't enter a **Value** , the rule is applied to all principals with the specified **Tag key**. Choose **Add new exclusion** to add additional key-value pairs to exclude. + 10. Optional. In the **Exclude IAM users and roles with tags** section, you can specify key-value pairs for IAM users and roles to exclude from unused access analysis. Findings will not be generated for excluded IAM users and roles that match the key-value pairs. For the **Tag key** , enter a value that is 1 to 128 characters in length and not prefixed with `aws:`. For the **Value** , you can enter a value that is 0 to 256 characters in length. If you don't enter a **Value** , the rule is applied to all principals with the specified **Tag key**. Choose **Add new exclusion** to add additional key-value pairs to exclude. @@ -94 +96 @@ Excluded accounts cannot include the organization analyzer owner account. When n - 12. Optional. Add any tags that you want to apply to the analyzer. + 11. Optional. Add any tags that you want to apply to the analyzer. @@ -96 +98 @@ Excluded accounts cannot include the organization analyzer owner account. When n - 13. Choose **Create analyzer**. + 12. Choose **Create analyzer**. @@ -109 +111 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Manage an external access analyzer +Manage an internal access analyzer