A comprehensive, production-ready reference for enterprise AWS security teams using IAM Access Analyzer to enforce least-privilege access, detect unintended external exposure, and operationalize continuous policy governance.
This guide is written for:
- Cloud Security Engineers responsible for designing and enforcing IAM guardrails across AWS accounts.
- Security Operations (SecOps) teams triaging and responding to IAM findings at scale.
- Platform / DevOps Engineers integrating IAM policy validation into CI/CD pipelines.
- Cloud Governance and Compliance teams requiring auditable evidence of least-privilege enforcement.
Readers are assumed to be familiar with AWS IAM fundamentals (policies, roles, trust relationships) and comfortable working with the AWS CLI, Python/boto3, and CloudFormation or CDK. Sections covering automation require Python 3.9+ and appropriate AWS credentials.
IAM Access Analyzer is a managed AWS service that uses automated reasoning (the Zelkova engine, which reduces policy questions to satisfiability modulo theories problems) to prove mathematically whether a resource policy allows unintended access. Unlike heuristic scanners that pattern-match against known bad configurations, Access Analyzer evaluates the full logical semantics of IAM policies — conditions, service control policies (SCPs), permission boundaries, and resource-based policies — to produce findings that are provably correct.
| Capability | Description |
|---|---|
| External Access Analysis | Detects resources (S3, KMS, Lambda, SQS, SNS, IAM roles, Secrets Manager, EFS, DynamoDB Streams) that are accessible from outside your zone of trust. |
| Unused Access Analysis | Identifies IAM roles, users, and access keys that have permissions never exercised within a configurable lookback window (up to 180 days). |
| Policy Validation | Validates policies against IAM best practices and AWS policy grammar before deployment — actionable from the CLI, SDK, or console. |
| Policy Generation | Generates a least-privilege policy from real CloudTrail activity for a specified IAM entity over a time range. |
| Action Last Accessed | Returns per-action and per-service timestamps of the most recent use of each permission for a given IAM entity. |
| Access Preview | Lets you model the access implications of a proposed policy change before applying it. |
Access Analyzer operates continuously. Analyzers are event-driven and re-evaluate affected resources whenever a policy changes, typically within minutes. Periodic re-scans ensure findings remain current even when no explicit policy change event is emitted.
- AWS CLI v2 configured with credentials that have at least `access-analyzer:*`, `iam:List*`, and `iam:Get*` permissions.
- An AWS Organization with all features enabled (for organization-level analyzers).
- Python 3.9+ with `boto3` and `botocore` installed (`pip install boto3`).
```bash
# Create an account-level analyzer (zone of trust = this account)
aws accessanalyzer create-analyzer \
  --analyzer-name my-account-analyzer \
  --type ACCOUNT \
  --region us-east-1
```

```bash
# Register a dedicated security account as the delegated administrator
# (run from the Organizations management account)
aws organizations register-delegated-administrator \
  --account-id 111122223333 \
  --service-principal access-analyzer.amazonaws.com

# From the delegated admin account, create an organization-level analyzer
aws accessanalyzer create-analyzer \
  --analyzer-name org-analyzer \
  --type ORGANIZATION \
  --region us-east-1
```

```bash
# List only ACTIVE findings from the organization analyzer
aws accessanalyzer list-findings \
  --analyzer-arn arn:aws:access-analyzer:us-east-1:111122223333:analyzer/org-analyzer \
  --filter '{"status": {"eq": ["ACTIVE"]}}' \
  --region us-east-1
```

```bash
# Generate a least-privilege policy skeleton from 90 days of last-accessed data
python scripts/generate_least_privilege.py \
  --role-arn arn:aws:iam::123456789012:role/MyLambdaRole \
  --days 90 \
  --output-file least-privilege-policy.json
```

```bash
# Validate a policy document before deploying it
aws accessanalyzer validate-policy \
  --policy-document file://my-policy.json \
  --policy-type IDENTITY_POLICY \
  --region us-east-1
```

| File | Description |
|---|---|
| docs/01-how-it-works.md | Internals of Access Analyzer: the Zelkova automated reasoning engine, supported resource types, finding types, zone of trust, finding lifecycle, and archive rules. |
| docs/02-enterprise-setup.md | Setting up delegated administrator in AWS Organizations, creating org-level analyzers, CloudFormation/CDK deployment templates, EventBridge integration for findings routing, and archive rules for known-good cross-account access. |
| docs/03-action-last-accessed.md | Working with Action Last Accessed data: CLI and boto3 retrieval, interpreting results, using data to scope down policies, and an end-to-end workflow. |
| docs/04-least-privilege-playbook.md | Step-by-step enterprise playbook: policy validation, policy generation from CloudTrail, checking against AWS managed policies, CI/CD integration, and before/after policy examples. |
| Script | Description |
|---|---|
| scripts/generate_least_privilege.py | Python/boto3 script that takes a role ARN, retrieves service and action last accessed data, filters to recently-used permissions, and outputs a JSON least-privilege policy skeleton. |
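The script's core step, as an added example that is not the repository's `generate_least_privilege.py`: given last-accessed data in the shape boto3 returns from `iam:GetServiceLastAccessedDetails` at `ACTION_LEVEL` granularity (the `generate_service_last_accessed_details` / `get_service_last_accessed_details` calls are left out so it runs offline on a constructed sample), keep only the permissions exercised inside the lookback window and flag services that return no per-action data. The function and sample names are this example's own.

```python
from datetime import datetime, timedelta, timezone

def build_policy(services_last_accessed, lookback_days, now=None):
    """Return (policy, review_notes) with only the permissions used within lookback_days.
    Input is the ServicesLastAccessed list from iam:GetServiceLastAccessedDetails at
    ACTION_LEVEL granularity. A service used recently but lacking per-action data
    (action-level tracking covers only some services) becomes "<ns>:*" and is flagged.
    Resource stays "*": scoping to ARNs needs CloudTrail, not last-accessed data.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=lookback_days)
    actions, notes = [], []
    for svc in services_last_accessed:
        ns = svc["ServiceNamespace"]
        last = svc.get("LastAuthenticated")
        if last is None or last < cutoff:
            continue  # never used, or last used outside the window: drop the service
        recent = sorted(
            f"{ns}:{a['ActionName']}"
            for a in svc.get("TrackedActionsLastAccessed") or []
            if a.get("LastAccessedTime") and a["LastAccessedTime"] >= cutoff
        )
        if recent:
            actions.extend(recent)
        else:  # service-level use only: keep a wildcard but surface it for review
            actions.append(f"{ns}:*")
            notes.append(f"{ns}: service used but no action-level data; scope manually")
    policy = {"Version": "2012-10-17", "Statement": []}
    if actions:  # skip the statement entirely when nothing qualified
        policy["Statement"].append({"Sid": "LeastPrivilegeSkeleton", "Effect": "Allow",
                                    "Action": actions, "Resource": "*"})
    return policy, notes

# Constructed sample in the shape of GetServiceLastAccessedDetails output (other keys omitted).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=3),
     "TrackedActionsLastAccessed": [
         {"ActionName": "GetObject", "LastAccessedTime": NOW - timedelta(days=3)},
         {"ActionName": "PutObject", "LastAccessedTime": NOW - timedelta(days=120)},
         {"ActionName": "DeleteBucket"},  # tracked but never exercised
     ]},
    {"ServiceNamespace": "lambda", "LastAuthenticated": NOW - timedelta(days=10),
     "TrackedActionsLastAccessed": []},  # used, but no per-action data available
    {"ServiceNamespace": "dynamodb"},  # never used: no LastAuthenticated at all
]

if __name__ == "__main__":  # prints the skeleton and any wildcard fallbacks to review
    print(build_policy(SAMPLE, lookback_days=90, now=NOW))
```

Services without action-level tracking are the weak spot of this approach: the skeleton keeps `<ns>:*` for them and lists them in the review notes rather than silently dropping or keeping them.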
```text
iam-access-analyzer-guide/
├── README.md                           # This file
├── docs/
│   ├── 01-how-it-works.md              # Internals and concepts
│   ├── 02-enterprise-setup.md          # Org-level deployment and integrations
│   ├── 03-action-last-accessed.md      # Action Last Accessed deep dive
│   └── 04-least-privilege-playbook.md  # Least-privilege enforcement playbook
└── scripts/
    └── generate_least_privilege.py     # Least-privilege policy generator
```
Zone of trust: The organizational boundary within which access is considered internal. For an ACCOUNT analyzer, the zone of trust is the single AWS account. For an ORGANIZATION analyzer, the zone of trust is the entire AWS Organization. Any principal outside this boundary that has access to a resource generates an external access finding.
Finding lifecycle: Findings move through the states ACTIVE → ARCHIVED (manually suppressed or matched by an archive rule) → RESOLVED (the access was removed). Resolved findings are retained for audit history.
Zelkova: AWS's automated reasoning engine that powers Access Analyzer. It translates IAM policies into logical formulas and uses an SMT solver to determine reachability, so findings are not guesses or heuristics but mathematically proven conclusions.
Finding types: Access Analyzer produces two kinds of findings.
- External access findings flag resources accessible from outside your zone of trust.
- Unused access findings flag IAM entities with permissions granted but never exercised.
Both are necessary for a complete least-privilege program: external access catches over-permissive resource policies; unused access catches over-permissive identity policies.
IAM Access Analyzer findings and the least-privilege controls documented here directly support requirements in:
- SOC 2 Type II — CC6.1, CC6.3 (logical access controls, least privilege)
- PCI DSS v4.0 — Requirement 7 (restrict access to system components and cardholder data)
- NIST SP 800-53 — AC-2, AC-3, AC-6 (account management, access enforcement, least privilege)
- CIS AWS Foundations Benchmark — Section 1 (IAM)
- AWS Security Hub FSBP — IAM.1 through IAM.8
Pull requests are welcome. Please open an issue first to discuss significant changes. All documentation contributions should be technically accurate and include CLI or SDK examples where applicable.
Not an official AWS publication.