AWS IAM documentation change
Summary
Expanded documentation to include internal access findings, updated pricing details, and restructured content. Added explanations about internal access analysis using automated reasoning and comprehensive trust boundary analysis.
Security assessment
The changes introduce documentation for internal access findings, which help identify potential internal access paths within an organization/account. While this enhances security visibility, there is no evidence of addressing a specific vulnerability. The updates improve documentation of security features (access analysis capabilities).
Diff
diff --git a/IAM/latest/UserGuide/access-analyzer-findings.md b/IAM/latest/UserGuide/access-analyzer-findings.md index 5e2b175ad..cdefa4b72 100644 --- a//IAM/latest/UserGuide/access-analyzer-findings.md +++ b//IAM/latest/UserGuide/access-analyzer-findings.md @@ -5 +5 @@ -# Findings for external and unused access +# IAM Access Analyzer findings @@ -7 +7 @@ -IAM Access Analyzer generates findings for external access and unused access in your AWS account or organization. For external access, IAM Access Analyzer generates a finding for each instance of a resource-based policy that grants access to a resource within your zone of trust to a principal that is not within your zone of trust. When you create an external access analyzer, you choose an organization or AWS account to analyze. Any principal in the organization or account that you choose for the analyzer is considered trusted. Because principals in the same organization or account are trusted, the resources and principals within the organization or account comprise the zone of trust for the analyzer. Any sharing that is within the zone of trust is considered safe, so IAM Access Analyzer does not generate a finding. For example, if you select an organization as the zone of trust for an analyzer, all resources and principals in the organization are within the zone of trust. If you grant permissions to an Amazon S3 bucket in one of your organization member accounts to a principal in another organization member account, IAM Access Analyzer does not generate a finding. But if you grant permission to a principal in an account that is not a member of the organization, IAM Access Analyzer generates a finding. +IAM Access Analyzer generates findings for external access, internal access, and unused access in your AWS account or organization. @@ -9 +9,7 @@ IAM Access Analyzer generates findings for external access and unused access in -IAM Access Analyzer also generates findings for unused access granted in your AWS organization and accounts. When you create an unused access analyzer, IAM Access Analyzer continuously monitors all IAM roles and users in your AWS organization and accounts and generates findings for unused access. IAM Access Analyzer generates the following types of findings for unused access: +For external access, IAM Access Analyzer generates a finding for each instance of a resource-based policy that grants access to a resource within your zone of trust to a principal that is not within your zone of trust. When you create an external access analyzer, you choose an organization or AWS account to analyze. Any principal in the organization or account that you choose for the analyzer is considered trusted. Because principals in the same organization or account are trusted, the resources and principals within the organization or account comprise the zone of trust for the analyzer. Any sharing that is within the zone of trust is considered safe, so IAM Access Analyzer does not generate a finding. For example, if you select an organization as the zone of trust for an analyzer, all resources and principals in the organization are within the zone of trust. If you grant permissions to an Amazon S3 bucket in one of your organization member accounts to a principal in another organization member account, IAM Access Analyzer does not generate a finding. But if you grant permission to a principal in an account that is not a member of the organization, IAM Access Analyzer generates a finding. + +For internal access, IAM Access Analyzer generates findings when there is a possible access path between an IAM role or user within your organization and your specified resources. Similar to external access analysis, the scope you choose (organization or account) determines what is considered internal. If you select an organization as the scope, IAM Access Analyzer will generate findings for access paths between principals and resources within your organization. If you select an account, findings will be generated for access paths within that specific account. IAM Access Analyzer uses automated reasoning to evaluate all IAM policies to monitor who has access to your resources. + +The combination of external and internal access findings with the same zone of trust provides a comprehensive analysis of all possible access to a particular resource, both from within and outside your defined trust boundary. + +For unused access, IAM Access Analyzer generates findings for unused access granted in your AWS organization and accounts. When you create an unused access analyzer, IAM Access Analyzer continuously monitors all IAM roles and users in your AWS organization and accounts and generates findings for unused access. IAM Access Analyzer generates the following types of findings for unused access: @@ -22 +28 @@ IAM Access Analyzer also generates findings for unused access granted in your AW -IAM Access Analyzer offers external access findings for free and charges for unused access findings based on the number of IAM roles and users analyzed per analyzer per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing). +IAM Access Analyzer offers external access findings for free. There are charges for unused access findings based on the number of IAM roles and users analyzed per analyzer per month. There are also charges for internal access findings based on the number of AWS resources monitored per analyzer per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing). @@ -40 +46 @@ IAM Access Analyzer offers external access findings for free and charges for unu - * [IAM Access Analyzer resource types for external access](./access-analyzer-resources.html) + * [IAM Access Analyzer error findings](./access-analyzer-error-findings.html) @@ -42 +48 @@ IAM Access Analyzer offers external access findings for free and charges for unu - * [Delegated administrator for IAM Access Analyzer](./access-analyzer-delegated-administrator.html) + * [IAM Access Analyzer supported resource types for external and internal access](./access-analyzer-resources.html) @@ -44 +50 @@ IAM Access Analyzer offers external access findings for free and charges for unu - * [Delete external and unused access analyzers](./access-analyzer-delete-analyzer.html) + * [Delegated administrator for IAM Access Analyzer](./access-analyzer-delegated-administrator.html)