AWS Blogs, 22 hours ago
Verify internal access to critical AWS resources with new IAM Access Analyzer capabilities

AWS IAM Access Analyzer introduces a new capability that helps security teams verify the access that IAM roles and users have to their critical AWS resources. The feature provides comprehensive visibility into access granted within an AWS organization, complementing the existing external access analysis. By automatically evaluating multiple policies together, IAM Access Analyzer can identify which users and roles in the organization have access to critical resources such as S3 buckets, DynamoDB tables, or RDS snapshots. Security teams can use Amazon EventBridge to automatically notify development teams of new findings, strengthening access controls on their critical resources and helping compliance teams meet access control audit requirements.

🛡️ The new IAM Access Analyzer capability helps security teams verify which IAM roles and users can access their critical AWS resources, strengthening their security posture.

🔍 The feature identifies access patterns inside the organization by automatically evaluating multiple policies together, including service control policies (SCPs), resource control policies (RCPs), and identity-based policies.

🔑 IAM Access Analyzer generates findings about users or roles with access to resources such as S3 buckets, DynamoDB tables, or RDS snapshots, and aggregates them in a unified dashboard.

💡 Users can use Amazon EventBridge to automatically notify development teams of new findings so that unintended access can be handled and removed promptly.

⚙️ Users can enable IAM Access Analyzer through the AWS Management Console and choose specific resources to monitor. Analysis can be scoped to the organization or to a single account, and resources can be added in several ways: by account selection, by resource ARN, or by uploading a CSV file.

<section class="blog-post-content lb-rtxt">
<p>Today, we’re announcing a new capability in <a href="https://aws.amazon.com/iam/access-analyzer/">AWS IAM Access Analyzer</a> that helps security teams verify which <a href="https://aws.amazon.com/iam">AWS Identity and Access Management (IAM)</a> roles and users have access to their critical AWS resources. This new feature provides comprehensive visibility into access granted from within your <a href="https://aws.amazon.com/">Amazon Web Services (AWS)</a> organization, complementing the existing external access analysis.</p>
<p>Security teams in regulated industries, such as financial services and healthcare, need to verify access to sensitive data stores like <a href="https://aws.amazon.com/s3">Amazon Simple Storage Service (Amazon S3)</a> buckets containing credit card information or healthcare records. Previously, teams had to invest considerable time and resources conducting manual reviews of IAM policies or rely on pattern-matching tools to understand internal access patterns.</p>
<p>The new IAM Access Analyzer internal access findings identify who within your AWS organization has access to your critical AWS resources. It uses automated reasoning to collectively evaluate multiple policies, including service control policies (SCPs), resource control policies (RCPs), and identity-based policies, and generates findings when a user or role has access to your S3 buckets, <a href="https://aws.amazon.com/dynamodb/">Amazon DynamoDB</a> tables, or <a href="https://aws.amazon.com/rds/">Amazon Relational Database Service (Amazon RDS)</a> snapshots. The findings are aggregated in a unified dashboard, simplifying access review and management. You can use <a href="https://aws.amazon.com/eventbridge/">Amazon EventBridge</a> to automatically notify development teams of new findings so they can remove unintended access. Internal access findings give security teams the visibility to strengthen access controls on their critical resources and help compliance teams demonstrate that access control audit requirements are met.</p>
<p><strong>Let’s try it out</strong></p>
<p>To begin using this new capability, enable IAM Access Analyzer to monitor specific resources using the <a href="https://aws.amazon.com/console/">AWS Management Console</a>. Navigate to IAM and select <strong>Analyzer settings</strong> under the <strong>Access reports</strong> section of the left-hand navigation menu. From here, select <strong>Create analyzer</strong>.</p>
<p><img class="alignnone size-large wp-image-97024" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/09/analyzer-01-1-1024x628.png" alt="Screenshot of creating an Analyzer in the AWS Console" width="1024" height="628" /></p>
<p>From the <strong>Create analyzer</strong> page, select the <strong>Resource analysis – Internal access</strong> option. Under <strong>Analyzer details</strong>, you can give your analyzer a name of your choosing or use the automatically generated name. Next, select your <strong>Zone of trust</strong>. If your account is the management account for an AWS organization, you can choose to monitor resources across all accounts within your organization or only in the account you’re currently logged in to. If your account is a member account of an AWS organization or a standalone account, you can monitor resources within your account.</p>
<p>The zone of trust also determines which IAM roles and users are in scope for analysis. An analyzer with an organization zone of trust evaluates all IAM roles and users in the organization for potential access to a resource, whereas an account zone of trust evaluates only the IAM roles and users in that account.</p>
<p>For this first example, we assume our account is the management account and create an analyzer with the organization as the zone of trust.</p>
<p><img class="alignnone size-large wp-image-97025" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/09/analyzer-02-1-1024x665.png" alt="Screenshot of creating an Analyzer in the AWS Console" width="1024" height="665" /></p>
<p>Next, select the resources to analyze. Selecting <strong>Add resources</strong> gives three options. Let’s first look at selecting resources by account and resource type.</p>
<p><img class="alignnone size-large wp-image-97027" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/09/analyzer-03-1024x340.png" alt="Screenshot of creating an Analyzer in the AWS Console" width="1024" height="340" /></p>
<p>The <strong>Add resources by account</strong> dialog lets you choose resource types through a new interface. Here, we select <strong>All supported resource types</strong> and then the accounts we wish to monitor. This creates an analyzer that monitors all supported resource types in those accounts. You can either select accounts through the organization structure (shown in the following screenshot) or paste in account IDs using the <strong>Enter AWS account ID</strong> option.</p>
<p><img class="alignnone size-large wp-image-97028" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/09/analyzer-04-1024x674.png" alt="Screenshot of creating an Analyzer in the AWS Console" width="1024" height="674" /></p>
<p>You can also use the <strong>Define specific resource types</strong> dialog to pick from a list of supported resource types (as shown in the following screenshot). An analyzer created with this configuration continually monitors both existing and new resources of the selected types within the account, checking for internal access.</p>
<p><img class="alignnone size-large wp-image-97029" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/09/analyzer-05-1024x776.png" alt="Screenshot of creating an Analyzer in the AWS Console" width="1024" height="776" /></p>
<p>After you’ve completed your selections, choose <strong>Add resources</strong>.</p>
<p><img class="alignnone size-large wp-image-97049" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/analyzer-09-1024x423.png" alt="Screenshot of creating an Analyzer in the AWS Console" width="1024" height="423" /></p>
<p>Alternatively, you can use the <strong>Add resources by resource ARN</strong> option.</p>
<p><img class="alignnone wp-image-97051 size-full" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/image-9-2.png" alt="Screenshot of creating an Analyzer in the AWS Console" width="478" height="216" /></p>
<p>Or you can use the <strong>Add resources by uploading a CSV file</strong> option to configure monitoring for a list of specific resources at scale.</p>
<p><img class="alignnone size-full wp-image-97054" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/analyzer-10.png" alt="Screenshot of creating an Analyzer in the AWS Console" width="486" height="187" /></p>
<p>After you’ve created your analyzer, IAM Access Analyzer analyzes policies daily and generates findings that show access granted to IAM roles and users within your organization. The updated IAM Access Analyzer dashboard now provides a resource-centric view. The <strong>Active findings</strong> section summarizes access into three distinct categories: public access, external access from outside the organization (which requires a separate external access analyzer), and access from within the organization. The <strong>Key resources</strong> section highlights the top resources with active findings across the three categories. You can see a list of all analyzed resources by selecting <strong>View all active findings</strong> or <strong>Resource analysis</strong> in the left-hand navigation menu.</p>
<p><img class="alignnone size-large wp-image-96913" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/06/analyzer-findings-01-1024x527.png" alt="Screenshot of Access Analyzer findings" width="1024" height="527" /></p>
<p>On the <strong>Resource analysis</strong> page, you can filter the list of all analyzed resources for further analysis.</p>
<p><img class="alignnone size-large wp-image-97072" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/image-10-5-1024x460.png" alt="Screenshot of creating an Analyzer in the AWS Console" width="1024" height="460" /></p>
<p>When you select a specific resource, any available external access and internal access findings are listed on the <strong>Resource details</strong> page. Use this view to evaluate all possible access to the selected resource. For each finding, IAM Access Analyzer provides detailed information about the allowed IAM actions and their conditions, including the effect of any applicable SCPs and RCPs, so you can verify that access is appropriately restricted and meets least-privilege requirements.</p>
<p><img class="alignnone size-large wp-image-97073" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/06/10/image-11-2-1024x602.png" alt="Screenshot of creating an Analyzer in the AWS Console" width="1024" height="602" /></p>
<p><strong>Pricing and availability</strong></p>
<p>This new IAM Access Analyzer capability is available today in all commercial Regions. <a href="https://aws.amazon.com/iam/access-analyzer/pricing/">Pricing</a> is based on the number of critical AWS resources monitored per month. External access analysis remains available at no additional charge. Pricing for EventBridge applies separately.</p>
<p>To learn more about IAM Access Analyzer and get started with analyzing internal access to your critical resources, visit the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html">IAM Access Analyzer documentation</a>.</p>
</section>
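As an added example (not code from the AWS post), here is one way to wire up the EventBridge notification the post describes: a rule pattern for Access Analyzer finding events plus a handler that keeps only active findings on the critical resource types named above and groups them by the resource's owning account, so each development team is notified about its own resources. The `detail` field names, the CloudFormation-style resource-type strings, and the Lambda wiring are assumptions; the sample events are constructed.

```python
"""Route new IAM Access Analyzer findings on critical resources to their owning account.
Added example (not from the AWS post); assumes an EventBridge rule with EVENT_PATTERN
targets a Lambda running `handler`, and that `detail` keys mirror the Finding object."""
from collections import defaultdict

# Rule pattern: match every Access Analyzer finding event (documented source and
# detail-type); filtering on resource type and status is done in code below.
EVENT_PATTERN = {"source": ["aws.access-analyzer"],
                 "detail-type": ["Access Analyzer Finding"]}

# Resource types the post calls out as critical (CloudFormation-style names assumed).
CRITICAL_TYPES = {"AWS::S3::Bucket", "AWS::DynamoDB::Table", "AWS::RDS::DBSnapshot"}

def triage(events):
    """Return {resource_owner_account: [summary, ...]} for ACTIVE findings on
    critical resource types; resolved/archived findings and other types are dropped."""
    by_owner = defaultdict(list)
    for ev in events:
        if ev.get("source") != "aws.access-analyzer":
            continue  # not an Access Analyzer event
        d = ev.get("detail", {})
        if d.get("status") != "ACTIVE" or d.get("resourceType") not in CRITICAL_TYPES:
            continue
        by_owner[d["resourceOwnerAccount"]].append({
            "finding_id": d["id"],
            "resource": d["resource"],
            "principal": d.get("principal", {}),
            "actions": sorted(d.get("action", [])),  # sorted so notifications are stable
        })
    return dict(by_owner)

def handler(event, context=None):
    """Lambda entry point: EventBridge delivers one finding event per invocation."""
    return triage([event])

def make_event(fid, status, rtype, resource, owner, principal, actions):
    """Build a constructed finding event (not a real finding) for offline testing."""
    return {"source": "aws.access-analyzer", "detail-type": "Access Analyzer Finding",
            "detail": {"id": fid, "status": status, "resourceType": rtype, "resource": resource,
                       "resourceOwnerAccount": owner, "principal": {"AWS": principal},
                       "action": actions}}

SAMPLE_EVENTS = [
    make_event("f-1", "ACTIVE", "AWS::S3::Bucket", "arn:aws:s3:::example-cardholder-data",
               "111111111111", "arn:aws:iam::222222222222:role/DataScienceRole",
               ["s3:ListBucket", "s3:GetObject"]),
    make_event("f-2", "RESOLVED", "AWS::S3::Bucket", "arn:aws:s3:::example-logs",
               "111111111111", "arn:aws:iam::111111111111:role/Admin", ["s3:*"]),
]
```

Pointing the rule's target at a queue or topic per owning account, keyed on the dictionary returned by `triage`, is the step the post leaves to you.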
