AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-06-19 · Documentation medium

File: IAM/latest/UserGuide/access-analyzer-resources.md

Summary

Expanded IAM Access Analyzer documentation to include internal access analysis capabilities, added supported resource types for internal access, and updated resource-specific analysis descriptions for both external/internal contexts

Security assessment

The changes document expanded security monitoring capabilities (internal access analysis) but do not address a specific vulnerability. The updates enhance security visibility by adding support for detecting internal access patterns, which helps prevent overprivileged accounts but isn't a direct response to a disclosed security issue.

Diff

diff --git a/IAM/latest/UserGuide/access-analyzer-resources.md b/IAM/latest/UserGuide/access-analyzer-resources.md
index 08912b5cf..07dec0a31 100644
--- a//IAM/latest/UserGuide/access-analyzer-resources.md
+++ b//IAM/latest/UserGuide/access-analyzer-resources.md
@@ -7 +7 @@ Amazon S3 bucketsAmazon S3 directory bucketsIAM rolesKMS keysLambda functionsAma
-# IAM Access Analyzer resource types for external access
+# IAM Access Analyzer supported resource types for external and internal access
@@ -9 +9 @@ Amazon S3 bucketsAmazon S3 directory bucketsIAM rolesKMS keysLambda functionsAma
-For external access analyzers, IAM Access Analyzer analyzes the resource-based policies that are applied to AWS resources in the Region where you enabled IAM Access Analyzer. It only analyzes resource-based policies. Review the information about each resource for details about how IAM Access Analyzer generates findings for each resource type.
+For external and internal access analyzers, IAM Access Analyzer analyzes the resource-based policies that are applied to AWS resources in the Region where you enabled IAM Access Analyzer. It only analyzes resource-based policies. For details about how IAM Access Analyzer generates findings for each resource type, review the resource type information.
@@ -13 +13 @@ For external access analyzers, IAM Access Analyzer analyzes the resource-based p
-The supported resource types listed are for external access analyzers. Unused access analyzers only support IAM users and roles. For more information, see [Understand how IAM Access Analyzer findings work](./access-analyzer-concepts.html).
+The supported resource types listed are for external and internal access analyzers. Internal access analyzers don't support all resource types that external access analyzers support. Unused access analyzers only support IAM users and roles. For more information, see [Understand how IAM Access Analyzer findings work](./access-analyzer-concepts.html).
@@ -49,0 +50,17 @@ The supported resource types listed are for external access analyzers. Unused ac
+**Supported resource types for internal access:**
+
+  * Amazon Simple Storage Service buckets
+
+  * Amazon Simple Storage Service directory buckets
+
+  * Amazon Relational Database Service DB snapshots
+
+  * Amazon Relational Database Service DB cluster snapshots
+
+  * Amazon DynamoDB streams
+
+  * Amazon DynamoDB tables
+
+
+
+
@@ -52 +69,3 @@ The supported resource types listed are for external access analyzers. Unused ac
-When IAM Access Analyzer analyzes Amazon S3 buckets, it generates a finding when an Amazon S3 bucket policy, ACL, or access point, including a multi-Region access point, applied to a bucket grants access to an external entity. An external entity is a principal or other entity that you can use to [create a filter](./access-analyzer-findings-filter.html) that isn't within your zone of trust. For example, if a bucket policy grants access to another account or allows public access, IAM Access Analyzer generates a finding. However, if you enable [Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) on your bucket, you can block access at the account level or the bucket level.
+When IAM Access Analyzer analyzes Amazon S3 buckets for external access analyzers, it generates a finding when an Amazon S3 bucket policy, access control list (ACL), or access point, including a multi-Region access point, applied to a bucket grants access to an external entity. An external entity is a principal or other entity that you can use to [create a filter](./access-analyzer-findings-filter.html) that isn't within your zone of trust. For example, if a bucket policy grants access to another account or allows public access, IAM Access Analyzer generates a finding. However, if you enable [Block Public Access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) on your bucket, you can block access at the account level or the bucket level.
+
+For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified Amazon S3 bucket.
@@ -64 +83,3 @@ For a multi-Region access point, IAM Access Analyzer uses an established policy
-Amazon S3 directory buckets organize data hierarchically into directories as opposed to the flat storage structure of general purpose buckets, which is recommended for performance-critical workloads or applications. For Amazon S3 directory buckets, IAM Access Analyzer analyzes the directory bucket policy, including condition statements in a policy, that allow an external entity to access a directory bucket.
+Amazon S3 directory buckets organize data hierarchically into directories as opposed to the flat storage structure of general purpose buckets, which is recommended for performance-critical workloads or applications. For external access analyzers, IAM Access Analyzer analyzes the directory bucket policy, including condition statements in a policy, that allow an external entity to access a directory bucket.
+
+For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified Amazon S3 directory bucket.
@@ -155 +176,3 @@ Amazon Elastic Block Store volume snapshots do not have resource-based policies.
-Amazon RDS DB snapshots do not have resource-based policies. A DB snapshot is shared through Amazon RDS database permissions, and only manual DB snapshots can be shared. For Amazon RDS DB snapshots, IAM Access Analyzer analyzes access control lists that allow an external entity access to a snapshot. Unencrypted DB snapshots can be public. Encrypted DB snapshots cannot be shared publicly, but they can be shared with up to 20 other accounts. For more information, see [Creating a DB snapshot](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateSnapshot.html). IAM Access Analyzer considers the ability to export a database manual snapshot (for example, to an Amazon S3 bucket) as trusted access.
+Amazon RDS DB snapshots do not have resource-based policies. A DB snapshot is shared through Amazon RDS database permissions, and only manual DB snapshots can be shared. For external access analyzers, IAM Access Analyzer analyzes access control lists that allow an external entity access to a Amazon RDS DB snapshot. Unencrypted DB snapshots can be public. Encrypted DB snapshots cannot be shared publicly, but they can be shared with up to 20 other accounts. For more information, see [Creating a DB snapshot](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateSnapshot.html). IAM Access Analyzer considers the ability to export a database manual snapshot (for example, to an Amazon S3 bucket) as trusted access.
+
+For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified Amazon RDS DB snapshot.
@@ -163 +186,3 @@ IAM Access Analyzer does not identify public or cross-account access configured
-Amazon RDS DB cluster snapshots do not have resource-based policies. A snapshot is shared through Amazon RDS DB cluster permissions. For Amazon RDS DB cluster snapshots, IAM Access Analyzer analyzes access control lists that allow an external entity access to a snapshot. Unencrypted cluster snapshots can be public. Encrypted cluster snapshots cannot be shared publicly. Both unencrypted and encrypted cluster snapshots can be shared with up to 20 other accounts. For more information, see [Creating a DB cluster snapshot](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_CreateSnapshotCluster.html). IAM Access Analyzer considers the ability to export a DB cluster snapshot (for example, to an Amazon S3 bucket) as trusted access.
+Amazon RDS DB cluster snapshots do not have resource-based policies. A snapshot is shared through Amazon RDS DB cluster permissions. For external access analyzers, IAM Access Analyzer analyzes access control lists that allow an external entity access to a Amazon RDS DB cluster snapshot. Unencrypted cluster snapshots can be public. Encrypted cluster snapshots cannot be shared publicly. Both unencrypted and encrypted cluster snapshots can be shared with up to 20 other accounts. For more information, see [Creating a DB cluster snapshot](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_CreateSnapshotCluster.html). IAM Access Analyzer considers the ability to export a DB cluster snapshot (for example, to an Amazon S3 bucket) as trusted access.
+
+For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified Amazon RDS DB cluster snapshot.
@@ -179 +204,3 @@ For Amazon EFS file systems, IAM Access Analyzer analyzes policies, including co
-IAM Access Analyzer generates a finding if a DynamoDB policy allows at least one cross-account action that allows an external entity to access a DynamoDB stream. For more information on the supported cross-account actions for DynamoDB, see [IAM actions supported by resource-based policies](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-iam-actions.html) in the Amazon DynamoDB Developer Guide.
+For external access analyzers, IAM Access Analyzer generates a finding if a DynamoDB policy allows at least one cross-account action that allows an external entity to access a DynamoDB stream. For more information on the supported cross-account actions for DynamoDB, see [IAM actions supported by resource-based policies](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-iam-actions.html) in the Amazon DynamoDB Developer Guide.
+
+For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified DynamoDB stream.
@@ -183 +210,3 @@ IAM Access Analyzer generates a finding if a DynamoDB policy allows at least one
-IAM Access Analyzer generates a finding for a DynamoDB table if a DynamoDB policy allows at least one cross-account action that allows an external entity to access a DynamoDB table or index. For more information on the supported cross-account actions for DynamoDB, see [IAM actions supported by resource-based policies](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-iam-actions.html) in the Amazon DynamoDB Developer Guide.
+For external access analyzers, IAM Access Analyzer generates a finding for a DynamoDB table if a DynamoDB policy allows at least one cross-account action that allows an external entity to access a DynamoDB table or index. For more information on the supported cross-account actions for DynamoDB, see [IAM actions supported by resource-based policies](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/rbac-iam-actions.html) in the Amazon DynamoDB Developer Guide.
+
+For internal access analyzers, IAM Access Analyzer generates a finding when a principal (user or role) within your organization or account has access to a specified DynamoDB table.
@@ -191 +220 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Resolve findings
+Error findings