AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-06-19 · Documentation low

File: IAM/latest/UserGuide/access-analyzer-findings-view.md

Summary

Updated Access Analyzer documentation to include internal access findings alongside external findings. Added new procedures for selecting multiple analyzers, updated dashboard navigation steps, and restructured findings display with new columns like 'Public access' and 'Active findings'. Added pricing notes for internal access analysis.

Security assessment

The changes document expanded security analysis capabilities (internal access findings) but do not address a specific vulnerability. Enhances documentation of security features by adding internal access monitoring capabilities.

Diff

diff --git a/IAM/latest/UserGuide/access-analyzer-findings-view.md b/IAM/latest/UserGuide/access-analyzer-findings-view.md
index ede230a90..7082e3307 100644
--- a//IAM/latest/UserGuide/access-analyzer-findings-view.md
+++ b//IAM/latest/UserGuide/access-analyzer-findings-view.md
@@ -5 +5 @@
-External access findingsUnused access findings
+External and internal access findingsUnused access findings
@@ -11 +11 @@ After you enable IAM Access Analyzer, the next step is to review any findings to
-You should review all of the findings in your account to determine whether the external or unused access is expected and approved. If the external or unused access identified in the finding is expected, you can archive the finding. When you archive a finding, the status is changed to **Archived** , and the finding is removed from the active findings list. The finding is not deleted. You can view your archived findings at any time. Work through all of the findings in your account until you have zero active findings. After you get to zero findings, you know that any new **Active** findings that are generated are from a recent change in your environment.
+You should review all of the findings in your account to determine whether the external, internal, or unused access is expected and approved. If the access identified in the finding is expected, you can archive the finding. When you archive a finding, the status is changed to **Archived** , and the finding is removed from the active findings list. The finding is not deleted. You can view your archived findings at any time. Work through all of the findings in your account until you have zero active findings. After you get to zero findings, you know that any new **Active** findings that are generated are from a recent change in your environment.
@@ -13 +13 @@ You should review all of the findings in your account to determine whether the e
-###### To review findings
+###### To review active findings for all types of access analyzers
@@ -17 +17 @@ You should review all of the findings in your account to determine whether the e
-  2. Choose **Access analyzer**.
+  2. Choose **Access analyzer**. The findings dashboard is displayed. 
@@ -19 +19,5 @@ You should review all of the findings in your account to determine whether the e
-  3. The findings dashboard is displayed. Select the active findings for your external or unused access analyzer.
+  3. Choose **Select analyzers**.
+
+  4. In the **Select analyzers** window, choose a maximum of one external access analyzer and a maximum of one internal access analyzer from the **Resource access analyzers** dropdown. Choose an unused access analyzer from the **Unused access analyzers** dropdown.
+
+  5. Choose **Update summary**. A summary of the active findings for the selected access analyzers is displayed on the dashboard. Choose a finding type in the **Resource access findings** or **Unused access findings** sections to view all active findings of the selected type.
@@ -30,37 +34 @@ Findings are displayed only if you have permission to view findings for the anal
-All findings are displayed for the analyzer. To view other findings generated by the analyzer, choose the appropriate finding type from the **Status** dropdown:
-
-  * Choose **Active** to view all active findings that were generated by the analyzer.
-
-  * Choose **Archived** to view only findings generated by the analyzer that have been archived. To learn more, see [Archive IAM Access Analyzer findings](./access-analyzer-findings-archive.html).
-
-  * Choose **Resolved** to view only findings that were generated by the analyzer that have been resolved. When you remediate the issue that generated the finding, the finding status is changed to **Resolved**.
-
-###### Important
-
-Resolved findings are deleted 90 days after the last update to the finding. Active and archived findings are not deleted unless you delete the analyzer that generated them.
-
-  * Choose **All** to view all findings with any status that were generated by the analyzer.
-
-
-
-
-## External access findings
-
-Choose **External access** and then choose the external access analyzer from the **View analyzer** dropdown. The **Findings** page for external access analyzers displays the following details about the shared resource and policy statement that generated the finding:
-
-**Finding ID**
-    
-
-The unique ID assigned to the finding. Choose the finding ID to display additional details about the resource and policy statement that generated the finding.
-
-**Resource**
-    
-
-The type and partial name of the resource that has a policy applied to it that grants access to an external entity not within your zone of trust.
-
-**Resource owner account**
-    
-
-This column is displayed only if you are using an organization as the zone of trust. The account in the organization that owns the resource reported in the finding.
-
-**External principal**
+## External and internal access findings
@@ -67,0 +36 @@ This column is displayed only if you are using an organization as the zone of tr
+###### Note
@@ -69,30 +38 @@ This column is displayed only if you are using an organization as the zone of tr
-The principal, not within your zone of trust, that the analyzed policy grants access to. Valid values include:
-
-  * **AWS account** – All principals in the listed AWS account with permissions from that account's administrator can access the resource.
-
-  * **Any principal** – All principals in any AWS account that meet the conditions included in the **Conditions** column have permission to access the resource. For example, if a VPC is listed, it means that any principal in any account that has permission to access the listed VPC can access the resource.
-
-  * **Canonical user** – All principals in the AWS account with the listed canonical user ID have permission to access the resource.
-
-  * **IAM role** – The listed IAM role has permission to access the resource.
-
-  * **IAM user** – The listed IAM user has permission to access the resource.
-
-
-
-
-**Condition**
-    
-
-The condition from the policy statement that grants the access. For example, if the **Condition** field includes **Source VPC** , it means that the resource is shared with a principal that has access to the VPC listed. Conditions can be global or service-specific. [Global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) have the `aws:` prefix.
-
-**Shared through**
-    
-
-The **Shared through** field indicates how the access that generated the finding is granted. Valid values include:
-
-  * **Bucket policy** – The bucket policy attached to the Amazon S3 bucket.
-
-  * **Access control list** – The access control list (ACL) attached to the Amazon S3 bucket.
-
-  * **Access point** – An access point or multi-region access point associated with the Amazon S3 bucket. The ARN of the access point is displayed in the **Findings** details.
+IAM Access Analyzer charges for internal access analysis based on the number of resources monitored per Region per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).
@@ -99,0 +40 @@ The **Shared through** field indicates how the access that generated the finding
+  1. Under **Access Analyzer** , choose **Resource analysis**.
@@ -100,0 +42 @@ The **Shared through** field indicates how the access that generated the finding
+  2. Choose **Select analyzers**.
@@ -101,0 +44 @@ The **Shared through** field indicates how the access that generated the finding
+  3. In the **Select analyzers** window, choose a maximum of one external access analyzer and a maximum of one internal access analyzer from the **Resource access analyzers** dropdown.
@@ -103 +46 @@ The **Shared through** field indicates how the access that generated the finding
-**Access level**
+  4. Choose **Update summary**.
@@ -104,0 +48 @@ The **Shared through** field indicates how the access that generated the finding
+The **Resource analysis** page displays the following details about the resources with active findings for the selected access analyzers:
@@ -106 +49,0 @@ The **Shared through** field indicates how the access that generated the finding
-The level of access granted to the external entity by the actions in the resource-based policy. View the details of the finding for more information. Access level values include the following:
@@ -108 +50,0 @@ The level of access granted to the external entity by the actions in the resourc
-  * **List** – Permission to list resources within the service to determine whether an object exists. Actions with this level of access can list objects but cannot see the contents of a resource.
@@ -110 +51,0 @@ The level of access granted to the external entity by the actions in the resourc
-  * **Read** – Permission to read but not edit the contents and attributes of resources in the service.
@@ -112 +53 @@ The level of access granted to the external entity by the actions in the resourc
-  * **Write** – Permission to create, delete, or modify resources in the service.
+**Name**
@@ -114 +54,0 @@ The level of access granted to the external entity by the actions in the resourc
-  * **Permissions** – Permission to grant or modify resource permissions in the service.
@@ -116 +56 @@ The level of access granted to the external entity by the actions in the resourc
-  * **Tagging** – Permission to perform actions that only change the state of resource tags.
+The name of the resource with active findings.
@@ -117,0 +58 @@ The level of access granted to the external entity by the actions in the resourc
+**Type**
@@ -119,0 +61 @@ The level of access granted to the external entity by the actions in the resourc
+The type of the resource.
@@ -121 +63 @@ The level of access granted to the external entity by the actions in the resourc
-**Resource control policy (RCP) restriction**
+**Owner account**
@@ -124 +66 @@ The level of access granted to the external entity by the actions in the resourc
-The impact an Organizations resource control policy (RCP) has on the finding. Resource control policy restriction values include the following:
+This column is displayed only if you are using an organization as the zone of trust for one or more of the selected analyzers. The account in the organization that owns the resource reported in the finding.
@@ -126 +68 @@ The impact an Organizations resource control policy (RCP) has on the finding. Re
-  * **Error** : There was an error evaluating the RCP.
+**Active findings**
@@ -128 +69,0 @@ The impact an Organizations resource control policy (RCP) has on the finding. Re
-  * **Not applicable** : No RCP restricts this resource or principal. This also includes resources where RCPs are not yet supported.
@@ -130 +71 @@ The impact an Organizations resource control policy (RCP) has on the finding. Re
-  * **Applicable** : Your organization administrator has set restrictions through a RCP that impacts the resource or resource type. Contact your organization administrator for more details.
+A visual representation of the number and type of active findings for the resource. Hover over the field to display more information about the findings for the resource.
@@ -131,0 +73 @@ The impact an Organizations resource control policy (RCP) has on the finding. Re
+**Public access**
@@ -133,0 +76 @@ The impact an Organizations resource control policy (RCP) has on the finding. Re
+Indicates whether any of the findings for the resource allow public access.
@@ -135 +78 @@ The impact an Organizations resource control policy (RCP) has on the finding. Re
-**Last updated**
+## Unused access findings
@@ -136,0 +80 @@ The impact an Organizations resource control policy (RCP) has on the finding. Re
+###### Note
@@ -138 +82 @@ The impact an Organizations resource control policy (RCP) has on the finding. Re
-A timestamp for the most recent update to the finding status, or the time and date the finding was generated if no updates have been made.
+IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).
@@ -140 +84 @@ A timestamp for the most recent update to the finding status, or the time and da
-###### Note
+  1. Under **Access Analyzer** , choose **Unused access**.
@@ -142 +86 @@ A timestamp for the most recent update to the finding status, or the time and da
-It may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource and then update the external access finding. Changes to a resource control policy (RCP) do not trigger a rescan of the resource reported in the finding. IAM Access Analyzer analyzes the new or updated policy during the next periodic scan, which is within 24 hours.
+  2. Choose **Select analyzers**.
@@ -144 +88 @@ It may take up to 30 minutes after a policy is modified for IAM Access Analyzer
-**Status**
+  3. In the **Select analyzers** window, choose an unused access analyzer from the **Unused access analyzers** dropdown.
@@ -145,0 +90 @@ It may take up to 30 minutes after a policy is modified for IAM Access Analyzer
+  4. Choose **Update summary**.
@@ -147 +92 @@ It may take up to 30 minutes after a policy is modified for IAM Access Analyzer
-The status of the finding, one of **Active** , **Archived** , or **Resolved**.
+The **Unused access** page displays the following details about the IAM entities that generated the findings for the selected access analyzer:
@@ -149 +93,0 @@ The status of the finding, one of **Active** , **Archived** , or **Resolved**.
-## Unused access findings
@@ -151 +94,0 @@ The status of the finding, one of **Active** , **Archived** , or **Resolved**.
-IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).
@@ -153 +95,0 @@ IAM Access Analyzer charges for unused access analysis based on the number of IA
-Choose **Unused access** and then choose the unused access analyzer from the **View analyzer** dropdown. The **Findings** page for unused access analyzers displays the following details about the IAM entity that generated the finding: