AWS IAM medium security documentation change
Summary
Expanded filtering capabilities for IAM Access Analyzer findings including active resources, internal access filtering, and updated console navigation steps. Added documentation for filtering by VPC endpoints, session modes, and organizational internal access analysis.
Security assessment
The changes enhance security documentation by adding filtering capabilities for internal/external access findings and session mode controls. Specific security-related additions include filtering by Source VPCE (VPC endpoint security controls) and Session Mode for S3 directory buckets (ReadOnly/ReadWrite permissions). These features help identify overprivileged resources and external exposure risks.
Diff
diff --git a/IAM/latest/UserGuide/access-analyzer-findings-filter.md b/IAM/latest/UserGuide/access-analyzer-findings-filter.md index 1a7cd8632..9c731fd99 100644 --- a//IAM/latest/UserGuide/access-analyzer-findings-filter.md +++ b//IAM/latest/UserGuide/access-analyzer-findings-filter.md @@ -5 +5 @@ -Filtering external access findingsFiltering unused access findings +Filtering resources with active findingsFiltering external access findingsFiltering internal access findingsFiltering unused access findings @@ -9 +9 @@ Filtering external access findingsFiltering unused access findings -The default filtering for a findings page is to display all findings. To view active findings, choose the **Active** status from the **Status** dropdown. To view archived findings, choose the **Archived** status from the **Status** dropdown. When you first start using IAM Access Analyzer, there are no archived findings. +The default filtering for a findings page is to display all active findings. To view all findings, choose **All** from the **Status** dropdown. To view archived findings, choose **Archived**. To view resolved findings, choose **Resolved**. When you first start using IAM Access Analyzer, there are no archived findings. @@ -11 +11 @@ The default filtering for a findings page is to display all findings. To view ac -Use filters to display only the findings that meet the specified property criteria. To create a filter, select the property to filter on, then choose whether the property equals or contains a value, then enter or choose a property value to filter on. For example, to create a filter that displays only findings for a specific AWS account, choose **AWS Account** for the property, then choose **AWS Account =** , then enter the account number for the AWS account that you want to view findings for. +Use filters to display only the findings that meet the specified property criteria. To create a filter, select the property to filter on, then choose whether the property equals or contains a value, then enter or choose a property value to filter on. @@ -14,0 +15,27 @@ For a list of filter keys that you can use to create or update an archive rule, +## Filtering resources with active findings + +You can view and filter active findings by resource for a maximum of one external access analyzer and a maximum of one internal access analyzer. + +###### To filter resources with active findings + + 1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). + + 2. Choose **Resource analysis**. + + 3. To filter by resource name, type all or part of the name of the resource in the search box. + + 4. In the **Filter access type** dropdown, choose the access type: + + * **All types** – display resources with all types of access findings. + + * **Public access** – display only resources with public access findings. + + * **External access** – display only resources with external access findings. + + * **Internal access within organization** – display only resources with internal access findings. + + 5. In the **Filter resource type** dropdown, choose a resource type to display only resources of the selected type. + + + + @@ -19 +46 @@ For a list of filter keys that you can use to create or update an archive rule, - 1. Choose **External access** and then choose the analyzer in the **View analyzer** dropdown. + 1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). @@ -21 +48 @@ For a list of filter keys that you can use to create or update an archive rule, - 2. Choose the search box to display a list of available properties. + 2. Choose **Analyzer settings** and then choose the external access analyzer in the **Analyzers** section. @@ -23 +50 @@ For a list of filter keys that you can use to create or update an archive rule, - 3. Choose the property to use to filter the findings displayed. + 3. Choose **View findings**. @@ -25 +52,5 @@ For a list of filter keys that you can use to create or update an archive rule, - 4. Choose the value to match for the property. Only findings with that value in the finding are displayed. + 4. Choose the search box to display a list of available properties. + + 5. Choose the property to use to filter the findings displayed. + + 6. Choose the value to match for the property. Only findings with that value in the finding are displayed. @@ -36 +67 @@ Some fields are displayed only when you are viewing findings for an analyzer wit -The following properties are available for defining filters: +The following properties are available for defining filters for external access: @@ -77,0 +109,2 @@ The following properties are available for defining filters: + * **Source VPCE** – To filter by Source VPCE, type all or part of the VPC endpoint ID that allows external entities access to resources in the current account when using the specified VPC endpoint. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). + @@ -85,0 +119,2 @@ The following properties are available for defining filters: + * **Session Mode** – To filter by session mode for Amazon S3 directory buckets (`ReadOnly` or `ReadWrite`, type all or part of the session mode. To learn more, see [CreateSession](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html) in the Amazon Simple Storage Service API Reference. + @@ -100,0 +136,38 @@ The following properties are available for defining filters: +## Filtering internal access findings + +###### To filter internal access findings + + 1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). + + 2. Choose **Analyzer settings** and then choose the internal access analyzer in the **Analyzers** section. + + 3. Choose **View findings**. + + 4. Choose the search box to display a list of available properties. + + 5. Choose the property to use to filter the findings displayed. + + 6. Choose the value to match for the property. Only findings with that value in the finding are displayed. + +For example, choose **Resource** as the property, then choose **Resource:** , then type part or all of the name of a bucket, then press Enter. Only findings for the bucket that matches the filter criteria are displayed. + + + + +You can add additional properties to further filter the findings displayed. When you add additional properties, only findings that match all conditions in the filter are displayed. Defining a filter to display findings that match one property OR another property is not supported. Choose **Clear filters** to clear any filters you have defined and display all of the findings with the specified status for your analyzer. + +Some fields are displayed only when you are viewing findings for an analyzer with an organization as its zone of trust. + +The following fields are displayed only when you are viewing findings for an analyzer that is monitoring internal access: + + * **Resource** – To filter by resource, type all or part of the name of the resource. + + * **Resource Type** – To filter by resource type, choose the type from the list displayed. + + * **Resource Owner Account** – Use this property to filter by the account in the organization that owns the resource reported in the finding. + + * **Finding id** – To filter by finding ID, type all or part of the finding ID. + + + + @@ -105 +178,3 @@ The following properties are available for defining filters: - 1. Choose **Unused access** and then choose the analyzer in the **View analyzer** dropdown. + 1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/). + + 2. Choose **Unused access** and then choose the analyzer in the **View analyzer** dropdown. @@ -107 +182 @@ The following properties are available for defining filters: - 2. Choose the search box to display a list of available properties. + 3. Choose the search box to display a list of available properties. @@ -109 +184 @@ The following properties are available for defining filters: - 3. Choose the property to use to filter the findings displayed. + 4. Choose the property to use to filter the findings displayed. @@ -111 +186 @@ The following properties are available for defining filters: - 4. Choose the value to match for the property. Only findings with that value in the finding are displayed. + 5. Choose the value to match for the property. Only findings with that value in the finding are displayed. @@ -113 +188 @@ The following properties are available for defining filters: -For example, choose **Findings type** as the property, then choose **Findings type =** , then choose **Findings type = UnusedIAMRole**. Only findings with a type of **UnusedIAMRole** are displayed. +For example, choose **Findings type** as the property, then choose **Findings type =** , then choose **Findings type = Unused role**. Only findings with a type of **Unused role** are displayed.