AWS IAM documentation change
Summary
Updated documentation to include internal access analyzer functionality, clarified regional requirements for both external/internal access, added details about findings generation timelines, and enhanced API reference links
Security assessment
The changes document new internal access analyzer capabilities which help identify unintended internal access within AWS accounts. While this improves security visibility, there's no evidence of addressing a specific security vulnerability. The updates enhance documentation of security features (access analysis) rather than patching issues.
Diff
diff --git a/IAM/latest/UserGuide/access-analyzer-getting-started.md b/IAM/latest/UserGuide/access-analyzer-getting-started.md index 8365fecc6..081300983 100644 --- a//IAM/latest/UserGuide/access-analyzer-getting-started.md +++ b//IAM/latest/UserGuide/access-analyzer-getting-started.md @@ -37,0 +38,2 @@ IAM Access Analyzer uses a service-linked role (SLR) named `AWSServiceRoleForAcc + * You create an internal access analyzer with your account as the zone of trust. + @@ -45 +47 @@ For more information, see [Using service-linked roles for AWS Identity and Acces -IAM Access Analyzer is Regional. For external access, you must enable IAM Access Analyzer in each Region independently. +IAM Access Analyzer is Regional. For external and internal access, you must enable IAM Access Analyzer in each Region independently. @@ -49 +51 @@ For unused access, findings for the analyzer do not change based on Region. Crea -In some cases, after you create an external access or unused access analyzer in IAM Access Analyzer, the **Findings** page or dashboard loads with no findings or summary. This might be due to a delay in the console for populating your findings. You might need to manually refresh the browser or check back later to view your findings or summary. If you still don't see any findings for an external access analyzer, it's because you have no supported resources in your account that can be accessed by an external entity. If a policy that grants access to an external entity is applied to a resource, IAM Access Analyzer generates a finding. +In some cases, after you create an analyzer in IAM Access Analyzer, the **Findings** page or dashboard loads with no findings or summary. This might be due to a delay in the console for populating your findings. You might need to manually refresh the browser or check back later to view your findings or summary. If you still don't see any findings for an external access analyzer, it's because you have no supported resources in your account that can be accessed by an external entity. If a policy that grants access to an external entity is applied to a resource, IAM Access Analyzer generates a finding. @@ -53 +55,5 @@ In some cases, after you create an external access or unused access analyzer in -For external access analyzers, it may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource and then either generate a new external access finding or update an existing finding for the access to the resource. For both external and unused access analyzers, updates for findings might not be reflected in the dashboard immediately. +For external access analyzers, it may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource and then either generate a new finding or update an existing finding for the access to the resource. + +When you create an internal access analyzer, it might take several minutes or hours before findings are available. After the initial scan, IAM Access Analyzer automatically rescans all policies every 24 hours. + +For all types of access analyzers, updates for findings might not be reflected in the dashboard immediately. @@ -63 +69 @@ To view the [IAM Access Analyzer findings dashboard](./access-analyzer-dashboard - * `GetFindingsStatistics` + * [`GetFindingsStatistics`](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetFindingsStatistics.html) @@ -76 +82 @@ Status | Description -Active | For external access analyzers, the analyzer is actively monitoring resources within its zone of trust. The analyzer actively generates new findings and updates existing findings. For unused access analyzers, the analyzer is actively monitoring unused access within the selected organization or AWS account in the specified tracking period. The analyzer actively generates new findings and updates existing findings. +Active | For external and internal access analyzers, the analyzer is actively monitoring resources within its zone of trust. The analyzer actively generates new findings and updates existing findings. For unused access analyzers, the analyzer is actively monitoring unused access within the selected organization or AWS account in the specified tracking period. The analyzer actively generates new findings and updates existing findings.