AWS IAM documentation change
Summary
Added documentation about IAM Access Analyzer evaluating declarative policies in addition to other policy types
Security assessment
The change enhances documentation about policy analysis capabilities but does not address a specific vulnerability. It improves awareness of security controls without evidence of patching a security issue.
Diff
diff --git a/IAM/latest/UserGuide/access-analyzer-concepts.md b/IAM/latest/UserGuide/access-analyzer-concepts.md index 2702e5754..68c8c2f82 100644 --- a//IAM/latest/UserGuide/access-analyzer-concepts.md +++ b//IAM/latest/UserGuide/access-analyzer-concepts.md @@ -13 +13 @@ This topic describes the concepts and terms that are used in IAM Access Analyzer -External access findings are generated only once for each instance of a resource that is shared outside of your zone of trust. Each time a resource-based policy is modified, IAM Access Analyzer analyzes the policy. If the updated policy shares a resource that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the resource sharing. Changes to a resource control policy that impact the **Resource control policy (RCP) restriction** also generate a new finding. If the access in the first finding is removed, that finding is updated to a status of **Resolved**. +External access findings are generated only once for each instance of a resource that is shared outside of your zone of trust. Each time a resource-based policy is modified, IAM Access Analyzer analyzes the policy. If the updated policy shares a resource that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the resource sharing. Changes to a resource control policy that impact the **Resource control policy (RCP) restriction** also generate a new finding. IAM Access Analyzer also evaluates access control configurations established by [declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html). If the access in the first finding is removed, that finding is updated to a status of **Resolved**. @@ -37 +37 @@ IAM Access Analyzer doesn't currently report findings from AWS service principal -To use internal access analysis, you must first configure the analyzer by selecting the specific resources you want to monitor. Once configured, internal access findings are generated when a principal (IAM user or role) within your organization or account has access to your selected resources. A new finding is generated the next time the analyzer scans the specified resources and identifies a principal that has access to the resources. If an updated policy allows a principal that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the principal and resource. This updated policy could be a resource-based policy, identity-based policy, service control policy (SCP), or resource control policy (RCP). +To use internal access analysis, you must first configure the analyzer by selecting the specific resources you want to monitor. Once configured, internal access findings are generated when a principal (IAM user or role) within your organization or account has access to your selected resources. A new finding is generated the next time the analyzer scans the specified resources and identifies a principal that has access to the resources. If an updated policy allows a principal that is already identified in a finding, but with different permissions or conditions, a new finding is generated for that instance of the principal and resource. This updated policy could be a resource-based policy, identity-based policy, service control policy (SCP), or resource control policy (RCP). IAM Access Analyzer also evaluates access control configurations established by [declarative policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_declarative.html).