IAM Access Analyzer should be enabled in all active regions
Description
AWS IAM Access Analyzer is an AWS service that analyzes the permissions granted on your resources and to your IAM identities, so you can confirm they follow least-privilege principles. It does this through four capabilities:
- External Access Analysis: Continuously monitors resource-based policies (and IAM role trust policies) to identify resources such as S3 buckets, IAM roles, KMS keys, Lambda functions, and SQS queues that are shared with principals outside your zone of trust (the account or the organization).
- Unused Access Analysis: Helps you refine permissions by identifying unused IAM roles, access keys, passwords for IAM users, and even specific unused permissions within policies.
- Policy Validation & Generation: Offers tools to validate your IAM policies against AWS best practices and policy grammar during development, and can generate fine-grained IAM policies based on actual access activity logged in AWS CloudTrail.
- Custom Policy Checks: Lets you test IAM policies against your organization's own security standards, for example that a policy grants no new access compared with a reference policy, grants none of a specified set of actions or resources, or grants no public access.
You can use these IAM Access Analyzer features at the individual account level. For broader, centralized management, you can enable IAM Access Analyzer for your entire AWS Organization. In both cases Access Analyzer is a regional service: an analyzer only covers resources in the region where it was created, so it must be created in every region you actively use, which is what this rule checks. An organization-level analyzer provides unified findings across all member accounts and can be managed from the organization's management account or from a designated delegated administrator account, which centralizes the monitoring of access in multi-account environments.
For instructions on enabling IAM Access Analyzer, refer to Getting Started with IAM Access Analyzer.
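The following Python script is added here as an illustration of how to verify this rule; it is not part of the rule page or of the AWS documentation. It collects the enabled regions with `describe_regions`, calls `list_analyzers` in each, and reports every region that has no ACTIVE external access analyzer (analyzer type `ACCOUNT` or `ORGANIZATION`). Treating only external access analyzers as satisfying the rule, and ignoring the `*_UNUSED_ACCESS` types, is this example's assumption. The evaluation logic is pure Python so it runs offline against the constructed sample data embedded below; the boto3 collection function needs AWS credentials and is only called when you pass `--live`.

```python
"""Find enabled AWS regions that lack an ACTIVE IAM Access Analyzer analyzer.

Added example, not the rule page's or AWS's own code. The region/analyzer
listing is modelled on the shape returned by the accessanalyzer ListAnalyzers
API (keys: name, type, status, arn).
"""
import sys
from typing import Dict, Iterable, List

# Assumption of this example: only external access analyzers (zone of trust =
# account or organization) satisfy the rule. Unused access analyzers have the
# types ACCOUNT_UNUSED_ACCESS / ORGANIZATION_UNUSED_ACCESS and are not counted.
EXTERNAL_ACCESS_TYPES = frozenset({"ACCOUNT", "ORGANIZATION"})


def region_is_compliant(analyzers: Iterable[dict]) -> bool:
    """True if at least one analyzer is ACTIVE and of an external access type.

    CREATING, FAILED and DISABLED analyzers do not produce findings, so they
    are not treated as coverage.
    """
    return any(
        a.get("status") == "ACTIVE" and a.get("type") in EXTERNAL_ACCESS_TYPES
        for a in analyzers
    )


def regions_missing_analyzer(analyzers_by_region: Dict[str, List[dict]]) -> List[str]:
    """Return the sorted list of regions with no ACTIVE external access analyzer."""
    return sorted(
        region for region, analyzers in analyzers_by_region.items()
        if not region_is_compliant(analyzers)
    )


def collect_live(session=None) -> Dict[str, List[dict]]:
    """Query every enabled region with boto3 (requires credentials).

    describe_regions() without AllRegions=True returns only the regions that
    are enabled for the account, which is exactly the "active regions" the
    rule refers to.
    """
    import boto3  # imported lazily so the module loads without boto3 installed

    session = session or boto3.Session()
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    result: Dict[str, List[dict]] = {}
    for region in regions:
        client = session.client("accessanalyzer", region_name=region)
        analyzers: List[dict] = []
        for page in client.get_paginator("list_analyzers").paginate():
            analyzers.extend(page["analyzers"])
        result[region] = analyzers
    return result


# Constructed sample data (not real account output) covering the cases that
# matter: a healthy account analyzer, an org analyzer, a region with only an
# unused access analyzer, a FAILED analyzer, and a region with none at all.
SAMPLE_ANALYZERS_BY_REGION: Dict[str, List[dict]] = {
    "us-east-1": [
        {"name": "ext-access", "type": "ACCOUNT", "status": "ACTIVE",
         "arn": "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/ext-access"},
    ],
    "eu-central-1": [
        {"name": "org-ext-access", "type": "ORGANIZATION", "status": "ACTIVE",
         "arn": "arn:aws:access-analyzer:eu-central-1:111122223333:analyzer/org-ext-access"},
    ],
    "eu-west-1": [
        {"name": "unused-only", "type": "ACCOUNT_UNUSED_ACCESS", "status": "ACTIVE",
         "arn": "arn:aws:access-analyzer:eu-west-1:111122223333:analyzer/unused-only"},
    ],
    "ap-southeast-1": [
        {"name": "broken", "type": "ACCOUNT", "status": "FAILED",
         "arn": "arn:aws:access-analyzer:ap-southeast-1:111122223333:analyzer/broken"},
    ],
    "us-west-2": [],
}


def main(argv: List[str]) -> int:
    data = collect_live() if "--live" in argv else SAMPLE_ANALYZERS_BY_REGION
    missing = regions_missing_analyzer(data)
    if missing:
        print("Regions without an ACTIVE external access analyzer:")
        for region in missing:
            print(f"  {region}")
        return 1
    print("Every enabled region has an ACTIVE external access analyzer.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to evaluate the embedded sample, or with `--live` against a real account; the non-zero exit status when regions are missing makes it usable as a CI or cron check. Remediation is one `create-analyzer` per reported region (type `ACCOUNT`, or `ORGANIZATION` from the management or delegated administrator account).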