
AWS Adds Automated Detection of Unused IAM Roles, Users, and Permissions


AWS recently added support for detecting unused access granted to IAM roles and users within their AWS IAM Access Analyzer tool. The new IAM Access Analyzer unused access findings can identify unused roles, unused IAM user access keys and passwords, and unused permissions within a defined usage window. This analysis can be done across accounts within the organization and be controlled from a delegated administrator account.

The AWS IAM Access Analyzer tool currently has two types of analyzers: external access findings and unused access findings. The two analyzers are distinct and need to be created individually. Analyzers can be created at the organization level or the account level.

The analyzer can be created either via the console or the APIs. Note that while the analyzer is created at the regional level, it analyzes IAM components, which are global. It is recommended to create the unused access findings analyzer only in the region where the findings should be stored. Creating analyzers in multiple regions will not generate new findings but will incur additional costs.

The IAM Access Analyzer uses a service-linked role to review the last accessed information for the roles, user access keys, and user passwords within the organization. IAM service and action last access information is used to identify unused permissions for IAM roles and users. Note that the analyzer can detect unused permissions for all service-level permissions and 200 services at the action level based on the actions that support tracking last accessed information.

The results are displayed within the IAM Access Analyzer findings dashboard and are broken out by unused roles, credentials, and permissions. The dashboard also highlights the accounts with the most active findings.

IAM Access Analyzer findings dashboard (credit: AWS)

The findings are classified as active, resolved, or archived. Active findings will automatically be moved to resolved once the identified unused resource is deleted. Findings can be manually suppressed by archiving them. Archive rules can be created to automatically archive findings based on their attributes.

IAM Access Analyzer integrates with both Amazon EventBridge and AWS Security Hub. With EventBridge rules, it is possible to automatically notify account owners when new findings are discovered.
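The three operational pieces described above (creating the analyzer in one region, archive rules that suppress findings by attribute, and an EventBridge rule that notifies account owners of new findings) fit together in a small triage routine. The following is an added example written for this article, not code from AWS or InfoQ. It builds the CreateAnalyzer parameters and an EventBridge event pattern, then runs constructed finding events through a minimal EventBridge-style matcher and a set of archive rules, producing the per-account tally the dashboard shows. The event envelope fields (`source`, `detail-type`, and the keys inside `detail`), the `create_analyzer` parameter names, and all account IDs, ARNs and finding IDs are assumptions or constructed sample data; confirm the field names against the current AWS documentation before wiring this to a real rule.

```python
"""Triage IAM Access Analyzer unused-access findings delivered via EventBridge.

Added example for illustration; event field names and API parameter names are
assumptions made here, not taken from the article. Sample data is constructed.
"""
from collections import Counter
from typing import Iterable

# Finding types raised by the unused access analyzer, as the author understands
# the IAM Access Analyzer API (assumption; verify against the AWS docs).
UNUSED_FINDING_TYPES = {
    "UnusedIAMRole",
    "UnusedIAMUserAccessKey",
    "UnusedIAMUserPassword",
    "UnusedPermission",
}


def build_create_analyzer_params(name: str, unused_age_days: int, organization: bool = True) -> dict:
    """Parameters for the CreateAnalyzer API (boto3: client.create_analyzer(**params)).

    Create the analyzer once, in the region where findings should be stored: the
    IAM data it reads is global, so analyzers in other regions only add cost.
    """
    if unused_age_days <= 0:
        raise ValueError("unused_age_days must be a positive number of days")
    return {
        "analyzerName": name,
        "type": "ORGANIZATION_UNUSED_ACCESS" if organization else "ACCOUNT_UNUSED_ACCESS",
        "configuration": {"unusedAccess": {"unusedAccessAge": unused_age_days}},
    }


def notification_event_pattern() -> dict:
    """EventBridge rule pattern selecting findings that are still active.

    The source and detail-type strings are assumptions; confirm them against the
    EventBridge documentation for IAM Access Analyzer.
    """
    return {
        "source": ["aws.access-analyzer"],
        "detail-type": ["Unused Access Finding for IAM entities"],
        "detail": {"status": ["ACTIVE"]},
    }


def matches(event: dict, pattern: dict) -> bool:
    """Minimal EventBridge-style matcher: every key in the pattern must exist in
    the event; a list means "value is one of these", a nested dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def triage(events: Iterable[dict], rule_pattern: dict, archive_rules: list) -> dict:
    """Split findings into those to notify on and those auto-archived by an
    archive rule, and tally active findings per account (the dashboard view)."""
    notify, archived = [], []
    per_account: Counter = Counter()
    for event in events:
        if not matches(event, rule_pattern):
            continue  # resolved/archived findings, or unrelated events
        detail = event["detail"]
        if detail.get("findingType") not in UNUSED_FINDING_TYPES:
            continue
        if any(matches(detail, rule) for rule in archive_rules):
            archived.append(detail["id"])
            continue
        per_account[detail["accountId"]] += 1
        notify.append(detail["id"])
    return {"notify": notify, "archived": archived, "per_account": dict(per_account)}


def _finding(fid: str, account: str, ftype: str, status: str, resource: str) -> dict:
    """Constructed EventBridge envelope for one finding (shape is an assumption)."""
    return {
        "source": "aws.access-analyzer",
        "detail-type": "Unused Access Finding for IAM entities",
        "detail": {"id": fid, "accountId": account, "findingType": ftype,
                   "status": status, "resource": resource},
    }


# Constructed sample findings across two accounts (placeholder account IDs).
SAMPLE_EVENTS = [
    _finding("f-1", "111111111111", "UnusedIAMRole", "ACTIVE", "arn:aws:iam::111111111111:role/LegacyDeploy"),
    _finding("f-2", "111111111111", "UnusedIAMUserAccessKey", "RESOLVED", "arn:aws:iam::111111111111:user/ci-bot"),
    _finding("f-3", "222222222222", "UnusedPermission", "ACTIVE", "arn:aws:iam::222222222222:role/BreakGlass"),
    _finding("f-4", "111111111111", "UnusedIAMUserPassword", "ACTIVE", "arn:aws:iam::111111111111:user/alice"),
]

# Constructed archive rule: a break-glass role is expected to sit unused, so
# suppress its UnusedPermission findings rather than paging anyone about them.
ARCHIVE_RULES = [
    {"findingType": ["UnusedPermission"], "resource": ["arn:aws:iam::222222222222:role/BreakGlass"]},
]

if __name__ == "__main__":
    print(build_create_analyzer_params("org-unused-access", 90))
    print(triage(SAMPLE_EVENTS, notification_event_pattern(), ARCHIVE_RULES))
```

Run as a script, the triage step reports two findings to notify on in the first account, one archived by the break-glass rule, and the resolved access-key finding dropped because the rule pattern only admits `ACTIVE` status. Keep archive rules narrow and attribute-based, as here; a rule that archives a whole finding type silently hides the credentials the analyzer was deployed to surface.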

The new unused access analyzer is in addition to the previously released external access analyzer. The external analyzer generates findings for access that is being performed from outside the defined "zone of trust". The zone of trust comprises the defined organization or account. Permission granted from one account in the organization to another account within the same organization will not generate a finding.

Unlike the external access analyzer, the IAM Access Analyzer unused access analyzer is a paid feature. The service charges are based on the number of IAM roles and users analyzed per analyzer per month. The new unused access findings analyzer is available in all AWS regions excluding the AWS GovCloud (US) regions and the AWS China regions. More details about the service can be found in the IAM Access Analyzer documentation.
