AWS IAM documentation change
Summary
Updated terminology from 'external access findings' to broader 'resource findings', added internal access analysis details, clarified rescan timelines for different analyzer types, and linked error findings documentation
Security assessment
The changes expand documentation about access analysis to include internal access scenarios and clarify security monitoring processes. While related to security posture improvement, there's no evidence of addressing a specific vulnerability. The updates enhance existing security documentation about IAM Access Analyzer's capabilities.
Diff
diff --git a/IAM/latest/UserGuide/access-analyzer-findings-remediate.md b/IAM/latest/UserGuide/access-analyzer-findings-remediate.md index 2e83f9057..14e1fc61f 100644 --- a//IAM/latest/UserGuide/access-analyzer-findings-remediate.md +++ b//IAM/latest/UserGuide/access-analyzer-findings-remediate.md @@ -5 +5 @@ -Resolving external access findingsResolving unused access findings +Resolving resource findingsResolving unused access findings @@ -9 +9 @@ Resolving external access findingsResolving unused access findings -## Resolving external access findings +## Resolving resource findings @@ -11 +11 @@ Resolving external access findingsResolving unused access findings -To resolve external access findings generated from unintended access, you should modify the policy statement to remove the permissions that allow access to the identified resource. +To resolve external and internal access findings generated from unintended access, you should modify the policy statement to remove the permissions that allow access to the identified resource. @@ -19 +19 @@ For other supported resources, use the console to modify the policy statements t -After making a change to resolve an external access finding, such as modifying a policy applied to an IAM role, IAM Access Analyzer will scan the resource again. If the resource is no longer shared outside of your zone of trust, the status of the finding is changed to **Resolved**. The finding will then be displayed in the resolved findings list instead of the active findings list. +After making a change to resolve a resource finding, such as modifying a policy applied to an IAM role, IAM Access Analyzer will scan the resource again. If the access to the resource is removed, the status of the finding is changed to **Resolved**. The finding will then be displayed in the resolved findings list instead of the active findings list. @@ -23 +23 @@ After making a change to resolve an external access finding, such as modifying a -This does not apply to **Error** findings. When IAM Access Analyzer is not able to analyze a resource, it will generate an error finding. If you resolve the issue that prevented IAM Access Analyzer from analyzing the resource, the error finding will be removed completely instead of changing to a resolved finding. +This does not apply to **Error** findings. When IAM Access Analyzer is not able to analyze a resource, it will generate an error finding. If you resolve the issue that prevented IAM Access Analyzer from analyzing the resource, the error finding will be removed completely instead of changing to a resolved finding. For more information, see [IAM Access Analyzer error findings](./access-analyzer-error-findings.html). @@ -25 +25 @@ This does not apply to **Error** findings. When IAM Access Analyzer is not able -If the changes you made resulted in the resource being shared outside of your zone of trust, but in a different way, such as with a different principal or for a different permission, IAM Access Analyzer will generate a new **Active** finding. +If the changes you made resulted in external or internal access to the resource, but in a different way, such as with a different principal or for a different permission, IAM Access Analyzer will generate a new **Active** finding. @@ -29 +29,5 @@ If the changes you made resulted in the resource being shared outside of your zo -It may take up to 30 minutes after a policy is modified for IAM Access Analyzer to again analyze the resource and then update the finding. Resolved findings are deleted 90 days after the last update to the finding status. +For external access analyzers, it may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource again and then update the finding. + +For internal access analyzers, it might take several minutes or hours for IAM Access Analyzer to analyze the resource again and then update the finding. IAM Access Analyzer automatically rescans all policies every 24 hours. + +Resolved findings are deleted 90 days after the last update to the finding status. @@ -128 +132 @@ Archive findings -Supported resource types +Error findings