When you enable Access Analyzer, you create an analyzer for your entire organization or your account. The organization or account you choose is known as the zone of trust for the analyzer. The analyzer monitors all of the supported resources within your zone of trust. Any access to resources by principals that are within your zone of trust is considered trusted. Once enabled, Access Analyzer analyzes the policies applied to all of the supported resources in your zone of trust. After the first analysis, Access Analyzer analyzes these policies periodically. If a new policy is added, or an existing policy is changed, Access Analyzer analyzes the new or updated policy within about 30 minutes.
When analyzing the policies, if Access Analyzer identifies one that grants access to an external principal that isn't within your zone of trust, it generates a finding. Each finding includes details about the resource, the external entity that has access to it, and the permissions granted, so that you can take appropriate action. Use the details in the finding to decide whether the access is intentional or a risk that you should resolve. Access Analyzer analyzes a policy whenever you add it to a resource or update it, and it also analyzes all resource-based policies periodically.
Occasionally, Access Analyzer is not notified that a policy was added or updated. For example, a change to the account-level block public access settings for Amazon S3 can take up to 12 hours to be picked up. Likewise, if AWS CloudTrail log delivery is delayed or fails, the policy change does not trigger a rescan of the resource reported in the finding. In these cases Access Analyzer analyzes the new or updated policy during the next periodic scan, which happens within 24 hours. If you want to confirm that a change you made to a policy resolves the access reported in a finding, rescan the resource yourself: use the Rescan link on the Finding details page, or call the StartResourceScan operation of the Access Analyzer API. A finding stays ACTIVE until a scan confirms the grant is gone, so do not treat a policy edit as verified until the finding's status changes.
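The following is an added example (not code from the AWS documentation) that triages findings in the shape returned by the ListFindings API and then uses StartResourceScan and GetFinding to confirm that a policy change actually resolved a finding. The triage helpers run offline on a constructed sample; rescan_and_confirm() assumes boto3 and credentials allowed to call access-analyzer:StartResourceScan and access-analyzer:GetFinding. The analyzer ARN, account IDs, resource ARNs and finding IDs are placeholders, and the severity ordering is this example's own choice, not something Access Analyzer assigns.

```python
"""Triage Access Analyzer findings and confirm a fix with StartResourceScan.

Added example, not code from the AWS documentation. Account IDs, ARNs and
finding IDs below are constructed placeholders.
"""
import time

# Constructed sample in the shape of ListFindings results (fields trimmed to what is used).
SAMPLE_FINDINGS = [
    {"id": "f-public", "status": "ACTIVE", "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::example-bucket", "isPublic": True,
     "principal": {}, "action": ["s3:GetObject"], "condition": {}},
    {"id": "f-xacct", "status": "ACTIVE", "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111122223333:role/Vendor", "isPublic": False,
     "principal": {"AWS": "444455556666"}, "action": ["sts:AssumeRole"],
     "condition": {"sts:ExternalId": "vendor-1"}},
    {"id": "f-fed", "status": "ACTIVE", "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111122223333:role/OIDC", "isPublic": False,
     "principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
     "action": ["sts:AssumeRoleWithWebIdentity"], "condition": {}},
    {"id": "f-old", "status": "RESOLVED", "resourceType": "AWS::SQS::Queue",
     "resource": "arn:aws:sqs:us-east-1:111122223333:jobs", "isPublic": False,
     "principal": {"AWS": "444455556666"}, "action": ["sqs:SendMessage"], "condition": {}},
]

# Ordering used to decide what to look at first (this example's choice, not Access Analyzer's).
SEVERITY = {"public": 0, "cross-account-unconditional": 1, "cross-account": 2,
            "federated": 3, "service": 4}


def classify(finding):
    """Bucket a finding by who the external principal is."""
    if finding.get("isPublic"):
        return "public"
    principal = finding.get("principal", {})
    if "AWS" in principal:
        # A cross-account grant with no condition (no ExternalId, no source restriction) is riskier.
        return "cross-account" if finding.get("condition") else "cross-account-unconditional"
    if "Federated" in principal:
        return "federated"
    return "service"


def triage(findings):
    """Return ACTIVE findings, most severe first, as (category, resource, actions) tuples."""
    active = [f for f in findings if f.get("status") == "ACTIVE"]
    rows = [(classify(f), f["resource"], tuple(f.get("action", []))) for f in active]
    return sorted(rows, key=lambda row: SEVERITY[row[0]])


def findings_for_resource(findings, resource_arn):
    """IDs of ACTIVE findings on one resource, i.e. the findings a policy change should clear."""
    return [f["id"] for f in findings if f["status"] == "ACTIVE" and f["resource"] == resource_arn]


def rescan_and_confirm(client, analyzer_arn, finding_id, resource_arn, timeout=300):
    """Force a rescan instead of waiting for the periodic scan, then poll the finding.

    Returns the finding's final status; ACTIVE means the external grant is still there.
    """
    client.start_resource_scan(analyzerArn=analyzer_arn, resourceArn=resource_arn)
    deadline = time.time() + timeout
    while True:
        status = client.get_finding(analyzerArn=analyzer_arn, id=finding_id)["finding"]["status"]
        if status != "ACTIVE" or time.time() > deadline:
            return status
        time.sleep(10)


if __name__ == "__main__":
    for category, resource, actions in triage(SAMPLE_FINDINGS):
        print(f"{category:28} {resource}  {','.join(actions)}")
    # Against a real account (placeholder ARNs):
    # import boto3
    # aa = boto3.client("accessanalyzer")
    # analyzer = "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/org-analyzer"
    # print(rescan_and_confirm(aa, analyzer, "f-public", "arn:aws:s3:::example-bucket"))
```

The RESOLVED finding in the sample is deliberately skipped by triage(); only ACTIVE findings need a decision. rescan_and_confirm() returns whatever status the finding ends in, so a caller should treat ACTIVE after the timeout as "fix not confirmed" rather than as an error.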
Access Analyzer generates findings for the following supported resource types:
- Amazon Simple Storage Service Buckets
- AWS Identity and Access Management Roles
- AWS Key Management Service Keys
- AWS Lambda Functions and Layers
- Amazon Simple Queue Service Queues
The first time that you configure analyzers in the master account (now called the management account), you can choose the Add delegated administrator option that is displayed on the Access Analyzer homepage in the IAM console.
To add a delegated administrator (console)
- Log in to the AWS console using the master account for your organization.
- Open the IAM console at https://console.aws.amazon.com/iam/.
- Under Access Analyzer, choose Settings.
- Choose Add delegated administrator.
- Enter the account number of the organization member account that you want to make the delegated administrator. The account must be a member of your organization.
- Choose Save changes. The delegated administrator account can then create an organization analyzer whose zone of trust is the whole organization.
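The same procedure scripted against the AWS APIs, as an added example (not code from the AWS documentation). It assumes boto3; register_delegated_admin() must run with management-account credentials (organizations:DescribeAccount, EnableAWSServiceAccess, RegisterDelegatedAdministrator, ListDelegatedAdministrators), and create_org_analyzer() with credentials in the delegated account (access-analyzer:CreateAnalyzer). The account ID, profile names and analyzer name are placeholders.

```python
"""Delegate Access Analyzer administration and create an organization analyzer.

Added example, not code from the AWS documentation. The account ID, profile
names and analyzer name are placeholders.
"""
import re

SERVICE_PRINCIPAL = "access-analyzer.amazonaws.com"


def validate_account_id(account_id):
    """AWS account IDs are exactly 12 digits; reject anything else before calling Organizations."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return account_id


def register_delegated_admin(org_client, member_account_id):
    """Step 1, run in the management account: enable trusted access, then delegate.

    Returns the IDs of all accounts delegated for Access Analyzer afterwards.
    """
    validate_account_id(member_account_id)
    # DescribeAccount raises AccountNotFoundException for an account outside the
    # organization, which enforces the 'must be a member of your organization' rule.
    org_client.describe_account(AccountId=member_account_id)
    # Trusted access must be on before an account can be delegated for the service.
    org_client.enable_aws_service_access(ServicePrincipal=SERVICE_PRINCIPAL)
    # Raises AccountAlreadyRegisteredException if the account is already delegated.
    org_client.register_delegated_administrator(
        AccountId=member_account_id, ServicePrincipal=SERVICE_PRINCIPAL)
    admins = org_client.list_delegated_administrators(ServicePrincipal=SERVICE_PRINCIPAL)
    return [a["Id"] for a in admins["DelegatedAdministrators"]]


def create_org_analyzer(aa_client, name):
    """Step 2, run in the delegated account: create the ORGANIZATION analyzer.

    Its zone of trust is the whole organization; returns the analyzer ARN.
    """
    return aa_client.create_analyzer(analyzerName=name, type="ORGANIZATION")["arn"]


if __name__ == "__main__":
    import boto3
    # Placeholder profile names: one with management-account credentials, one in the delegate.
    mgmt = boto3.Session(profile_name="org-management").client("organizations")
    print(register_delegated_admin(mgmt, "444455556666"))
    delegate = boto3.Session(profile_name="security-tooling").client("accessanalyzer")
    print(create_org_analyzer(delegate, "org-analyzer"))
```

The two steps need different credentials, which is the point of keeping them as separate functions: the management account only delegates, and the analyzer itself lives in, and is operated from, the delegated account.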