AWS IAM documentation change
Summary
Added documentation for new 'internal access analysis' capability that identifies access to business-critical resources within an organization/account. Expanded resource type listings, updated dashboard description, and added pricing details for internal access monitoring.
Security assessment
The changes introduce documentation for internal access analysis features that help implement least privilege and identify unintended internal access patterns. While this enhances security visibility, there is no evidence of addressing a specific existing vulnerability or security incident.
Diff
diff --git a/IAM/latest/UserGuide/what-is-access-analyzer.md b/IAM/latest/UserGuide/what-is-access-analyzer.md index c8b7b49c0..5aae1be65 100644 --- a//IAM/latest/UserGuide/what-is-access-analyzer.md +++ b//IAM/latest/UserGuide/what-is-access-analyzer.md @@ -5 +5 @@ -Identifying resources shared with an external entityIdentifying unused access granted to IAM users and rolesValidating policies against AWS best practicesValidating policies against your specified security standardsGenerating policiesPricing for IAM Access Analyzer +Identifying resources shared with an external entityIdentifying internal access to business-critical resourcesIdentifying unused access granted to IAM users and rolesValidating policies against AWS best practicesValidating policies against your specified security standardsGenerating policiesPricing for IAM Access Analyzer @@ -12,0 +13,2 @@ AWS Identity and Access Management Access Analyzer provides the following capabi + * IAM Access Analyzer internal access analyzers help identify internal access to selected resources in your organization and accounts. + @@ -44 +46 @@ For unused access, findings for the analyzer do not change based on Region. Crea -IAM Access Analyzer analyzes the following resource types: +IAM Access Analyzer analyzes the following resource types for external access: @@ -78,0 +81,36 @@ IAM Access Analyzer analyzes the following resource types: +## Identifying internal access to business-critical resources + +For your selected business-critical resources, IAM Access Analyzer helps you identify which principals within your organization or account have access to them. This analysis supports implementing the principle of least privilege by ensuring that your specified resources can only be accessed by the intended principals within your organization. + +Internal access analysis helps you: + + * Determine which IAM users or roles within your account or organization can access your specified resources + + * Understand access paths between principals and resources within your AWS environment + + * Verify that your access controls are working as intended + + * Review findings to determine if the access is intended and safe or if the access is unintended and presents a security risk + + * Identify and remediate unintended access within your organization + + + + +IAM Access Analyzer analyzes the following resource types for internal access: + + * [Amazon Simple Storage Service buckets](./access-analyzer-resources.html#access-analyzer-s3) + + * [Amazon Simple Storage Service directory buckets](./access-analyzer-resources.html#access-analyzer-s3-directory) + + * [Amazon Relational Database Service DB snapshots](./access-analyzer-resources.html#access-analyzer-rds-db) + + * [Amazon Relational Database Service DB cluster snapshots](./access-analyzer-resources.html#access-analyzer-rds-db-cluster) + + * [Amazon DynamoDB streams](./access-analyzer-resources.html#access-analyzer-ddb-stream) + + * [Amazon DynamoDB tables](./access-analyzer-resources.html#access-analyzer-ddb-table) + + + + @@ -83,2 +120,0 @@ IAM Access Analyzer helps you identify and review unused access in your AWS orga -The findings for both external access and unused access analyzers are organized into a visual summary dashboard. The dashboard highlights your AWS accounts that have the most findings and provides a breakdown of findings by type. For more information about the dashboard, see [View the IAM Access Analyzer findings dashboard](./access-analyzer-dashboard.html). - @@ -86,0 +123,2 @@ IAM Access Analyzer reviews last accessed information for all roles in your AWS +The findings for external, internal, and unused access analyzers are organized into a visual summary dashboard. The dashboard highlights your AWS resources and AWS accounts that have the most findings and provides a breakdown of findings by type. For more information about the dashboard, see [View the IAM Access Analyzer findings dashboard](./access-analyzer-dashboard.html). + @@ -111,0 +150,2 @@ IAM Access Analyzer charges for unused access analysis based on the number of IA +IAM Access Analyzer charges for internal access analysis based on the number of resources monitored per internal access analyzer per month. + @@ -128 +168 @@ Security features outside IAM -Findings for external and unused access +Findings