IAM Access Analyzer: What It Is and When to Use It

Definition

AWS Identity and Access Management (IAM) Access Analyzer is a security service that uses automated reasoning to analyze your IAM policies and help you identify and remediate unintended access. Its original function is to continuously monitor resource-based policies (for example on Amazon S3 buckets, IAM role trust policies, and AWS KMS keys) and flag resources that are shared with an entity outside your defined zone of trust, such as the public or a different AWS account.

How It Works

IAM Access Analyzer operates on the principle of provable security, using a form of mathematical logic called automated reasoning to analyze policies. The underlying engine, known as Zelkova, translates IAM policies into logical formulas and uses SMT solvers to answer questions about every request the policy could allow, rather than testing a sample of requests. This provides a higher level of assurance than checking a few known access patterns.

The core component is an Analyzer, which you create for a specific zone of trust—either your entire AWS Organization or a single AWS account. Once enabled, the analyzer continuously monitors supported resources within that zone. When it detects a resource-based policy that grants access to a principal outside your zone of trust, it generates a finding. Each finding provides details about the shared resource, the external principal, and the permissions granted, allowing you to quickly assess whether the access is intended or poses a security risk.
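The zone-of-trust rule in the paragraph above, reduced to code. This is an added example written for this page, not Access Analyzer's engine: it walks a resource policy statement by statement instead of solving it, recognizes only two condition keys, and ignores service and federated principals. TRUSTED_ACCOUNTS, ORG_ID and SAMPLE_BUCKET_POLICY are constructed placeholders.

```python
import json
from dataclasses import dataclass, field

# Constructed zone of trust for this example: the member accounts of a
# hypothetical organization and its organization ID (placeholders, not real).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}
ORG_ID = "o-exampleorgid"


@dataclass
class Finding:
    """The essentials a real finding carries: what is shared, with whom, and how."""
    resource: str
    principal: str        # "*", a 12-digit account ID, or an ARN
    is_public: bool
    actions: list
    condition: dict = field(default_factory=dict)


def _principals(stmt):
    """Normalize the Principal element to (kind, value) pairs."""
    p = stmt.get("Principal", {})
    if p == "*":
        return [("AWS", "*")]
    pairs = []
    for kind, values in p.items():
        for v in (values if isinstance(values, list) else [values]):
            pairs.append((kind, v))
    return pairs


def _account_of(principal):
    """Account ID of an account-ID or ARN principal; None for '*' or unparseable."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[4].isdigit():
        return parts[4]
    return None


def _pinned_to_zone(condition):
    """True when an exact-match condition limits the caller to the zone of trust.
    Only aws:PrincipalOrgID and aws:PrincipalAccount under StringEquals are
    recognized here; the real service evaluates many more condition keys."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            continue
        for key, value in pairs.items():
            values = set(value if isinstance(value, list) else [value])
            if key.lower() == "aws:principalorgid" and values == {ORG_ID}:
                return True
            if key.lower() == "aws:principalaccount" and values <= TRUSTED_ACCOUNTS:
                return True
    return False


def analyze(resource_arn, policy_json):
    """Return one Finding per Allow grant to a principal outside the zone of trust."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement never widens access
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        condition = stmt.get("Condition", {})
        for kind, principal in _principals(stmt):
            if kind != "AWS":
                continue  # service and federated principals are out of scope for this toy
            if _account_of(principal) in TRUSTED_ACCOUNTS:
                continue  # inside the zone of trust: no finding
            if principal == "*" and _pinned_to_zone(condition):
                continue  # wildcard principal, but conditioned to our org/accounts
            findings.append(Finding(
                resource=resource_arn, principal=principal,
                is_public=(principal == "*" and not condition),
                actions=actions, condition=condition))
    return findings


# Constructed bucket policy: one public grant, one cross-account grant, one
# org-scoped wildcard grant (no finding), and one in-zone grant (no finding).
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/public/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/Writer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

if __name__ == "__main__":
    for f in analyze("arn:aws:s3:::example-bucket", SAMPLE_BUCKET_POLICY):
        print(f"{f.resource}: {f.principal} public={f.is_public} actions={f.actions}")
```

Two of the four statements produce findings: the unconditioned wildcard grant (public) and the grant to account 333333333333 (cross-account, not public). The wildcard grant conditioned on aws:PrincipalOrgID produces none, which is the judgement the real service makes for an organization zone of trust, and it is why a finding should be read together with its condition block before deciding whether to archive it.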

IAM Access Analyzer provides several types of analysis:

  • External Access Analysis: Identifies resources shared with principals outside your zone of trust. This is the original and most common use case.
  • Unused Access Analysis: Helps you achieve least privilege by identifying unused IAM roles, access keys, passwords, and even specific unused permissions within active roles and users. This feature continuously analyzes access activity to highlight opportunities to tighten permissions.
  • Internal Access Analysis: Identifies which principals within your organization or account have access to critical resources, helping you enforce internal access controls.
  • Custom Policy Checks: Allows you to validate IAM policies against your specific security standards before deployment. You can check whether a policy change introduces new, more permissive access (CheckNoNewAccess), whether a policy grants a specified list of sensitive actions or resources (CheckAccessNotGranted), or whether a resource policy grants public access (CheckNoPublicAccess). Each check returns PASS or FAIL with the reasons, which is what makes it usable as a pipeline gate.

Findings from all analysis types can be viewed in a centralized dashboard, archived if the access is intended, or remediated by updating the offending policy. When access is removed, IAM Access Analyzer automatically resolves the corresponding finding.

Key Features and Limits

  • Broad Resource Coverage: Analyzes policies for many critical AWS services, including Amazon S3 buckets, AWS IAM roles, AWS KMS keys, AWS Lambda functions, Amazon SQS queues, and AWS Secrets Manager secrets.
  • Provable Security: Uses automated reasoning to provide comprehensive and mathematically-backed analysis of policies, going beyond simple pattern matching.
  • Continuous Monitoring: Automatically analyzes new and updated resource policies to provide timely findings, typically within 30 minutes of a change.
  • Unused Access Guidance: Identifies unused roles, credentials, and permissions to help you implement the principle of least privilege.
  • Policy Validation: Provides static policy checks against AWS best practices during policy authoring and offers custom policy checks to enforce your organization's specific security standards within CI/CD pipelines.
  • AWS Organizations Integration: Can be configured at the organization level, allowing a delegated administrator account to centrally monitor findings from all member accounts.
  • Integration with AWS Security Hub: Findings can be sent to AWS Security Hub, providing a single pane of glass for security alerts across your AWS environment.

Service Limits (as of 2026):

  • Analyzers: You can create a limited number of analyzers per account or organization per region. For example, the limit for organization-level internal access analyzers is 1 per organization per region.
  • Archive Rules: A maximum of 100 archive rules can be created per analyzer.
  • Access Previews: You can run up to 1,000 access previews per analyzer per hour.

Common Use Cases

  1. Auditing for Public and Cross-Account Access: The primary use case is to continuously scan for and be alerted to any resources, like S3 buckets or IAM roles, that are inadvertently exposed to the public or to an unauthorized third-party AWS account.
  2. Implementing Least Privilege (Right-Sizing Permissions): Use the unused access analyzer to systematically identify and remove IAM roles, users, and credentials that are no longer needed. For active roles, it provides recommendations to help you craft more fine-grained policies based on actual usage.
  3. Automating Policy Reviews in CI/CD: Integrate custom policy checks into your development pipeline to automatically validate IAM policies before they are deployed. This prevents non-compliant or overly permissive policies from ever reaching your production environment.
  4. Verifying Internal Access Controls: For critical resources like databases or data stores containing sensitive information, use the internal access analyzer to get a definitive list of all internal users and roles that can access them, ensuring compliance with internal governance policies.
  5. Validating Compliance: Use the findings as evidence for security and compliance audits (e.g., PCI DSS, HIPAA) that no unintended external access to critical resources exists.
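The CI/CD gate from use case 3, as an added example that is not code from the page or from AWS. The call shapes follow the CheckNoNewAccess and CheckAccessNotGranted API as boto3 exposes it (parameter names newPolicyDocument, existingPolicyDocument, policyDocument, access and policyType; response fields result, message and reasons). FakeAccessAnalyzer, FORBIDDEN_ACCESS and the three sample policies are constructed so the block runs offline; in a pipeline the fake is replaced by boto3.client("accessanalyzer").

```python
import fnmatch
import json

# Actions this hypothetical repository never lets an application policy grant;
# this list is the "access" parameter of CheckAccessNotGranted.
FORBIDDEN_ACCESS = [{"actions": ["iam:PassRole", "iam:CreateAccessKey", "s3:DeleteBucket"]}]


def gate(client, existing_policy, new_policy, forbidden=FORBIDDEN_ACCESS,
         policy_type="IDENTITY_POLICY"):
    """Run both custom policy checks on a proposed change to one policy.
    Returns (passed, messages); the pipeline fails the build when passed is False."""
    messages = []

    # Check 1: the new version must not grant access the existing version did not.
    r = client.check_no_new_access(
        newPolicyDocument=json.dumps(new_policy),
        existingPolicyDocument=json.dumps(existing_policy),
        policyType=policy_type,
    )
    if r["result"] != "PASS":
        messages.append("CheckNoNewAccess: " + r.get("message", ""))
        messages.extend(reason["description"] for reason in r.get("reasons", []))

    # Check 2: the new version must not grant any forbidden action at all.
    r = client.check_access_not_granted(
        policyDocument=json.dumps(new_policy),
        access=forbidden,
        policyType=policy_type,
    )
    if r["result"] != "PASS":
        messages.append("CheckAccessNotGranted: " + r.get("message", ""))
        messages.extend(reason["description"] for reason in r.get("reasons", []))

    return (not messages, messages)


# Offline stand-in for boto3.client("accessanalyzer"), constructed for this example.
# It compares action/resource wildcards with fnmatch; the real service reasons over
# full policy semantics (conditions, NotAction, Deny), which this fake ignores.
def _allow_pairs(policy):
    """(action, resource) patterns granted by the policy's Allow statements."""
    stmts = policy["Statement"]
    pairs = set()
    for s in (stmts if isinstance(stmts, list) else [stmts]):
        if s.get("Effect") != "Allow":
            continue
        acts, ress = s.get("Action", []), s.get("Resource", [])
        for a in (acts if isinstance(acts, list) else [acts]):
            for r in (ress if isinstance(ress, list) else [ress]):
                pairs.add((a, r))
    return pairs


def _response(reasons, fail_message):
    """Shape of a CheckNoNewAccess / CheckAccessNotGranted response."""
    if reasons:
        return {"result": "FAIL", "message": fail_message, "reasons": reasons}
    return {"result": "PASS", "message": "The policy check passed.", "reasons": []}


class FakeAccessAnalyzer:
    def check_no_new_access(self, newPolicyDocument, existingPolicyDocument, policyType):
        old = _allow_pairs(json.loads(existingPolicyDocument))
        reasons = []
        for a, r in sorted(_allow_pairs(json.loads(newPolicyDocument))):
            covered = any(fnmatch.fnmatchcase(a, pa) and fnmatch.fnmatchcase(r, pr)
                          for pa, pr in old)
            if not covered:
                reasons.append({"description": f"new access: {a} on {r}"})
        return _response(reasons, "The updated policy grants new access.")

    def check_access_not_granted(self, policyDocument, access, policyType):
        reasons = []
        for a, r in sorted(_allow_pairs(json.loads(policyDocument))):
            hits = [fa for entry in access for fa in entry.get("actions", [])
                    if fnmatch.fnmatchcase(fa, a)]
            if hits:
                reasons.append({"description": f"{a} on {r} grants {', '.join(hits)}"})
        return _response(reasons, "The policy grants a forbidden action.")


# Constructed sample policies for the demo.
EXISTING_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-data/*"}]}

# Narrows the resource: no new access and no forbidden action, so the gate passes.
NEW_POLICY_OK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::app-data/reports/*"}]}

# Adds an admin statement: both checks fail and the build is blocked.
NEW_POLICY_BAD = {"Version": "2012-10-17", "Statement": [
    EXISTING_POLICY["Statement"][0],
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, candidate in (("ok", NEW_POLICY_OK), ("bad", NEW_POLICY_BAD)):
        passed, messages = gate(FakeAccessAnalyzer(), EXISTING_POLICY, candidate)
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
        for m in messages:
            print("  " + m)
```

With the real client each call is billed as one custom policy check, and the gate logic is unchanged. Run CheckNoNewAccess against the policy version that is actually deployed rather than against the previous commit; otherwise a permission widened a little in each of several merges can slip past a check that only compares adjacent revisions.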

Pricing Model

The pricing for AWS IAM Access Analyzer varies by feature as of 2026:

  • External Access Analysis & Basic Policy Validation: These features are provided at no additional charge.
  • Unused Access Analysis: This is a paid feature. You are charged per IAM role or IAM user analyzed per month.
  • Internal Access Analysis: This is a paid feature. You are charged per resource monitored per region per month.
  • Custom Policy Checks: This is a paid feature. You are charged based on the number of API calls made to run the custom checks.

For detailed pricing, always refer to the official AWS IAM Access Analyzer pricing page and the AWS Pricing Calculator.

Pros and Cons

Pros:

  • Proactive Security: Identifies potential security risks from misconfigured policies before they can be exploited.
  • High-Fidelity Findings: Because the analysis reasons about what a policy actually allows rather than matching strings, it produces fewer false positives than linting or pattern-matching tools; for example, a wildcard principal that a condition confines to your organization does not become an external-access finding.
  • Automated and Continuous: Once configured, it runs continuously, automatically detecting policy changes and providing ongoing assurance.
  • Supports Least Privilege: The unused access analysis is a powerful tool for systematically reducing your attack surface by removing unnecessary permissions.
  • Centralized Governance: Strong integration with AWS Organizations enables centralized security teams to monitor access across the entire enterprise.

Cons:

  • Cost for Advanced Features: While external access analysis is free, the valuable unused access, internal access, and custom policy check features have associated costs that can scale with the size of your environment.
  • Focus on Resource-Based Policies: External access analysis reasons about each supported resource's resource-based policy. It does not analyze identity-based policies in isolation, so it cannot enumerate every path by which a principal could reach a resource, and a resource with no findings can still be misused by a compromised credential inside the zone of trust.
  • Actionability of Findings: While it identifies issues, remediation is not automatic. Teams must still review findings and take action, which can be time-consuming in large environments with many findings.

Comparison with Alternatives

  • IAM Access Analyzer vs. AWS Config:

    • AWS Config is a service that records resource configuration changes and evaluates them against desired rules. It can tell you that an S3 bucket policy changed and whether it is now non-compliant with a rule (e.g., "s3-bucket-public-read-prohibited").
    • IAM Access Analyzer goes a step further by not just checking for a specific violation but by analyzing the entire policy to prove whether it grants public or cross-account access. It understands the logic of the policy language.
    • Conclusion: They are complementary. Use AWS Config for tracking configuration history and broad compliance checks. Use IAM Access Analyzer for deep, provable analysis of resource accessibility.
  • IAM Access Analyzer vs. Amazon GuardDuty:

    • Amazon GuardDuty is an intelligent threat detection service. It monitors network logs (VPC Flow Logs, DNS logs) and account activity (CloudTrail events) for malicious or unauthorized behavior, such as an EC2 instance communicating with a known crypto-mining server.
    • IAM Access Analyzer is a preventative configuration analysis tool. It identifies risky permissions before any malicious activity occurs.
    • Conclusion: They serve different purposes in a defense-in-depth strategy. Access Analyzer is preventive (finding risky permissions before anything exploits them), while GuardDuty is detective (spotting threat activity that is already under way).

Exam Relevance

IAM Access Analyzer falls under the security pillar of the AWS Well-Architected Framework and is highly relevant for several AWS certifications.

  • AWS Certified Security - Specialty (SCS-C02): Expect in-depth questions about its functionality, including interpreting findings, configuring analyzers for an organization, and using it to enforce least privilege.
  • AWS Certified Solutions Architect - Professional (SAP-C02): Questions may focus on how to use Access Analyzer as part of a comprehensive governance and security strategy in a multi-account environment.
  • AWS Certified DevOps Engineer - Professional (DOP-C02): Candidates should know how to integrate custom policy checks into a CI/CD pipeline to automate security reviews.

For all exams, you should understand what a "finding" is, the difference between external and unused access analysis, and its role in auditing and achieving compliance.

Frequently Asked Questions

Q: What is the difference between IAM Access Analyzer and Amazon Macie?

A: IAM Access Analyzer analyzes permissions to determine who can access a resource. Amazon Macie inspects the content within Amazon S3 buckets to discover and protect sensitive data, such as Personally Identifiable Information (PII) or financial data. They answer different questions: Access Analyzer asks "Who can get in?" while Macie asks "What is inside?"

Q: Does IAM Access Analyzer scan identity-based policies (e.g., on an IAM user)?

A: For its primary function of detecting external access, IAM Access Analyzer focuses on resource-based policies (like an S3 bucket policy) because these are what grant access to external entities. However, its unused access analysis feature does analyze IAM users and roles (which use identity-based policies) to find unused permissions. Furthermore, the policy validation and custom policy check features can be used to check both identity-based and resource-based policies.

Q: How quickly does IAM Access Analyzer generate a finding after a policy is changed?

A: IAM Access Analyzer is designed to be continuous. After a resource policy is modified, it typically analyzes the resource and creates or updates a finding within 30 minutes. It also rescans all supported resources periodically, so a change missed by the event-driven path is still picked up within 24 hours; the absence of a finding immediately after a change is therefore not proof that the access was removed.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/26/2026 / Updated: 5/26/2026

