AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-10-25 · Documentation low

File: IAM/latest/UserGuide/access-analyzer-concepts.md

Summary

Added documentation about IAM Access Analyzer evaluating declarative policies in addition to other policy types

Security assessment

The change enhances documentation about policy analysis capabilities but does not address a specific vulnerability. It improves awareness of security controls without evidence of patching a security issue.

Diff

diff --git a/IAM/latest/UserGuide/access-analyzer-concepts.md b/IAM/latest/UserGuide/access-analyzer-concepts.md
index 2702e5754..68c8c2f82 100644
--- a//IAM/latest/UserGuide/access-analyzer-concepts.md
+++ b//IAM/latest/UserGuide/access-analyzer-concepts.md
@@ -13 +13 @@ This topic describes the concepts and terms that are used in IAM Access Analyzer
-External access findings are generated only once for each instance of a resource that is shared outside of your zone of trust. Each time a resource-based policy is modified, IAM Access Analyzer analyzes the policy. If the updated policy shares a resource that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the resource sharing. Changes to a resource control policy that impact the **Resource control policy (RCP) restriction** also generate a new finding. If the access in the first finding is removed, that finding is updated to a status of **Resolved**.
+External access findings are generated only once for each instance of a resource that is shared outside of your zone of trust. Each time a resource-based policy is modified, IAM Access Analyzer analyzes the policy. If the updated policy shares a resource that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the resource sharing. Changes to a resource control policy that impact the **Resource control policy (RCP) restriction** also generate a new finding. IAM Access Analyzer also evaluates access control configurations established by [declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html). If the access in the first finding is removed, that finding is updated to a status of **Resolved**.
@@ -37 +37 @@ IAM Access Analyzer doesn't currently report findings from AWS service principal
-To use internal access analysis, you must first configure the analyzer by selecting the specific resources you want to monitor. Once configured, internal access findings are generated when a principal (IAM user or role) within your organization or account has access to your selected resources. A new finding is generated the next time the analyzer scans the specified resources and identifies a principal that has access to the resources. If an updated policy allows a principal that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the principal and resource. This updated policy could be a resource-based policy, identity-based policy, service control policy (SCP), or resource control policy (RCP).
+To use internal access analysis, you must first configure the analyzer by selecting the specific resources you want to monitor. Once configured, internal access findings are generated when a principal (IAM user or role) within your organization or account has access to your selected resources. A new finding is generated the next time the analyzer scans the specified resources and identifies a principal that has access to the resources. If an updated policy allows a principal that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the principal and resource. This updated policy could be a resource-based policy, identity-based policy, service control policy (SCP), or resource control policy (RCP). IAM Access Analyzer also evaluates access control configurations established by [declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html).