AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-06-19 · Documentation medium

File: IAM/latest/UserGuide/access-analyzer-dashboard.md

Summary

Expanded Access Analyzer dashboard documentation to include internal access findings alongside external/unused access. Added new workflow for selecting analyzers, clarified zone of trust controls, and updated dashboard visualization details.

Security assessment

The changes enhance documentation about analyzing internal access risks (in addition to external/unused access), which improves security visibility. However, there's no evidence of addressing a specific vulnerability. The note about AWS Organizations management account restrictions for organization-wide analysis demonstrates security controls but doesn't indicate a resolved security issue.

Diff

diff --git a/IAM/latest/UserGuide/access-analyzer-dashboard.md b/IAM/latest/UserGuide/access-analyzer-dashboard.md
index 15741d2f7..ead987b5d 100644
--- a//IAM/latest/UserGuide/access-analyzer-dashboard.md
+++ b//IAM/latest/UserGuide/access-analyzer-dashboard.md
@@ -4,0 +5,2 @@
+Viewing the summary dashboard for external and internal access analyzersViewing the summary dashboard for unused access analyzers
+
@@ -7 +9 @@
-AWS Identity and Access Management Access Analyzer organizes external access and unused access findings into a visual summary dashboard. The dashboard helps you gain visibility into the effective use of permissions at scale and identify accounts that need attention. You can use the dashboard to review findings by AWS organization, account, and finding type.
+AWS Identity and Access Management Access Analyzer organizes external, internal, and unused access findings into a visual summary dashboard. The dashboard helps you gain visibility into the effective use of permissions at scale and identify accounts and AWS resources that need attention. You can use the dashboard to review findings by AWS organization, account, and finding type.
@@ -9 +11 @@ AWS Identity and Access Management Access Analyzer organizes external access and
-For external access findings:
+For external and internal access findings:
@@ -11 +13 @@ For external access findings:
-  * The dashboard highlights the split between public access and cross-account access findings.
+  * The dashboard highlights the split between public access findings, external access findings, and internal access findings.
@@ -27 +29 @@ For unused access findings:
-After you create an analyzer for either external or unused access, IAM Access Analyzer automatically adds new findings to the relevant dashboard. This allows you to identify and prioritize the areas with the most security concerns.
+After you create any type of access analyzer, IAM Access Analyzer automatically adds new findings to the relevant dashboard. This allows you to identify and prioritize the areas with the most security concerns.
@@ -31 +33 @@ The summary dashboards give you a high-level view of the access issues detected
-###### To view the summary dashboard for external access analyzers
+## Viewing the summary dashboard for external and internal access analyzers
@@ -39 +41 @@ After you create or update an analyzer, it can take time for the summary dashboa
-  2. Choose **Access analyzer**. The **Summary** window is displayed.
+  2. Choose **Access Analyzer**. The **Summary** window is displayed.
@@ -41 +43 @@ After you create or update an analyzer, it can take time for the summary dashboa
-  3. Choose an analyzer from the **External access analyzer** dropdown. A summary of the findings for the analyzer is displayed in the **External access findings** section.
+  3. Choose **Select analyzers**.
@@ -42,0 +45 @@ After you create or update an analyzer, it can take time for the summary dashboa
+  4. In the **Select analyzers** window, choose **Organization** or **Account** for the **Zone of trust**.
@@ -43,0 +47 @@ After you create or update an analyzer, it can take time for the summary dashboa
+###### Note
@@ -44,0 +49 @@ After you create or update an analyzer, it can take time for the summary dashboa
+Only the AWS Organizations management account or delegated administrator can choose **Organization** as the zone of trust.
@@ -46 +51 @@ After you create or update an analyzer, it can take time for the summary dashboa
-![External access analyzer dashboard.](/images/IAM/latest/UserGuide/images/access-analyzer-dashboard-external.png)
+  5. Choose external and internal access analyzers from the **Resource access analyzers** dropdown.
@@ -48 +53 @@ After you create or update an analyzer, it can take time for the summary dashboa
-In the preceding image, the external access findings dashboard is visible from within the **Summary** page:
+###### Note
@@ -50 +55 @@ In the preceding image, the external access findings dashboard is visible from w
-  1. The **Active findings** section includes the number of active findings for public access and the number of active findings that provide access outside of the account or organization. Choose a number to list all of the active findings of each type.
+You can select a maximum of one external access analyzer and a maximum of one internal access analyzer.
@@ -52 +57,6 @@ In the preceding image, the external access findings dashboard is visible from w
-  2. The **Findings overview** section includes a breakdown of the type of active findings. Choose **View all active findings** for a complete list of active findings for the analyzer's account or organization.
+  6. Choose **Update**. A summary of the findings for the selected external and internal access analyzers is displayed in the **Resource access findings** section.
+
+
+
+
+![Resource findings access analyzer dashboard.](/images/IAM/latest/UserGuide/images/access-analyzer-dashboard-external-internal-new.png)
@@ -54 +64 @@ In the preceding image, the external access findings dashboard is visible from w
-  3. The **Primary resource types with active findings** section includes a breakdown of the primary resource types with active findings. This information helps you prioritize findings for the primary resources first. For example, Amazon S3, DynamoDB, and AWS KMS. This is not an exhaustive list of every resource type. Your analyzer might have active findings for resource types not listed in this section.
+In the preceding image, the resource findings dashboard is visible from within the **Summary** page.
@@ -55,0 +66 @@ In the preceding image, the external access findings dashboard is visible from w
+  1. The **Active findings** section includes the number of active findings for public access, the number of active findings that provide access outside of the account or organization, and the number of active internal access findings for the selected analyzers. Choose a number to list all of the active findings of each type.
@@ -56,0 +68 @@ In the preceding image, the external access findings dashboard is visible from w
+  2. The **Resource types** section includes a breakdown of the resource types with active findings for the selected analyzers. Choose **View all active findings** for a complete list of active findings for the selected analyzers.
@@ -57,0 +70 @@ In the preceding image, the external access findings dashboard is visible from w
+  3. The **Key resources** section includes a summary of the key resources with active findings. This information helps you prioritize findings for your business-critical resources. Choose **View all active findings** for a complete list of active findings for the selected analyzers.
@@ -59 +71,0 @@ In the preceding image, the external access findings dashboard is visible from w
-###### To view the summary dashboard for unused access analyzers
@@ -61 +73,3 @@ In the preceding image, the external access findings dashboard is visible from w
-IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).
+
+
+## Viewing the summary dashboard for unused access analyzers
@@ -69 +83,11 @@ After you create or update an analyzer, based on the amount of users and roles,
-  2. Choose **Access analyzer**. The **Summary** window is displayed.
+  2. Choose **Access Analyzer**. The **Access Analyzer Summary** window is displayed.
+
+  3. Choose **Select analyzers**.
+
+  4. In the **Select analyzers** window, choose **Organization** or **Account** for the **Zone of trust**.
+
+###### Note
+
+Only the AWS Organizations management account or delegated administrator can choose **Organization** as the zone of trust.
+
+  5. Choose an unused access analyzer from the **Unused access analyzers** dropdown.
@@ -71 +95 @@ After you create or update an analyzer, based on the amount of users and roles,
-  3. Choose an analyzer from the **Unused access analyzer** dropdown. A summary of the findings for the analyzer is displayed in the **Unused access findings** section.
+  6. Choose **Update summary**. A summary of the findings for the selected unused access analyzer is displayed in the **Unused access findings** section.
@@ -76 +100 @@ After you create or update an analyzer, based on the amount of users and roles,
-![Unused access analyzer dashboard.](/images/IAM/latest/UserGuide/images/access-analyzer-dashboard-unused.png)
+![Unused access analyzer dashboard.](/images/IAM/latest/UserGuide/images/access-analyzer-dashboard-unused-new.png)
@@ -78 +102 @@ After you create or update an analyzer, based on the amount of users and roles,
-In the preceding image, the external access findings dashboard is visible from within the **Summary** page:
+In the preceding image, the unused access findings dashboard is visible from within the **Summary** page.
@@ -84 +108 @@ In the preceding image, the external access findings dashboard is visible from w
-  3. The **Finding status** section includes a breakdown of the status of findings (**Active** , **Archived** , and **Resolved**) for your account or organization.
+  3. The **Finding status** section includes a breakdown of the status of findings (**Active** , **Archived** , and **Resolved**) for your account or organization. You can select the findings statuses to display in the **Filter displayed data** dropdown.