AWS announced the Identity and Access Management (IAM) Access Analyzer at its AWS re:Invent conference in Las Vegas this week. The new solution is designed to analyze the access control policies attached to resources and determine which resources can be accessed publicly or from other accounts.
It continuously monitors all policies for Amazon Simple Storage Service (S3) buckets, IAM roles, AWS Key Management Service (KMS) keys, AWS Lambda functions, and Amazon Simple Queue Service (SQS) queues.
“With IAM Access Analyzer, you have visibility into the aggregate impact of your access controls, so you can be confident your resources are protected from unintended access from outside of your account,” AWS wrote in a post that explains how to set up the analyzer.
The analyzer works by evaluating the user’s policies to determine how a given resource can be accessed. All possible access paths are verified by mathematical proofs, and thanks to automated reasoning thousands of policies can be verified within a few seconds.
Then, all of the IAM Access Analyzer findings are visible in the IAM Console, and can also be accessed using the IAM Access Analyzer API. Findings related to S3 buckets can be viewed directly in the S3 Console, the company explained.
Bucket policies can then be updated right in the S3 Console, closing the open access pathway, according to AWS. The findings are also visible on AWS Security Hub.
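The kind of question the analyzer answers, shown as a simplified added example (not AWS's code and not its automated-reasoning engine): each Allow statement of a constructed S3 bucket policy is classified as public or cross-account relative to the bucket owner's account. The bucket name and account ids are made up, and Condition blocks are not evaluated here, which a real analysis must do.

```python
import json

# Constructed sample bucket policy (not from the article): one statement is
# public, one grants a different account write access, one is same-account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OwnerAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/Admin"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})


def _principals(stmt):
    """Flatten a statement's IAM principals into a list of strings.

    Only the wildcard and the "AWS" key are considered; "Service" and
    "Federated" principals are out of scope for this simplified check.
    """
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    v = p.get("AWS", [])
    return v if isinstance(v, list) else [v]


def _account_of(principal):
    """Return the account id behind a principal: '*' for wildcard, the 5th ARN
    field for ARNs, the id itself for a bare account id, else None."""
    if principal == "*":
        return "*"
    parts = principal.split(":")
    if len(parts) >= 5 and parts[0] == "arn":
        return parts[4]
    return principal if principal.isdigit() else None


def external_access(policy_json, own_account):
    """Return (Sid, principal, kind) for every Allow statement whose principal
    lies outside own_account; kind is 'public' or 'cross-account'."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _principals(stmt):
            acct = _account_of(principal)
            if acct == "*":
                findings.append((stmt.get("Sid"), principal, "public"))
            elif acct != own_account:
                findings.append((stmt.get("Sid"), principal, "cross-account"))
    return findings
```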
“One of the great advantages of building in the cloud is that the infrastructure and tools continue to get stronger over time and IAM Access Analyzer is a great example,” AWS wrote.