IAM Access Analyzer introduces custom policy checks powered by automated reasoning

AWS Identity and Access Manager (IAM) Access Analyzer now provides custom policy checks to validate that IAM policies adhere to your security standards ahead of deployments. Custom policy checks use the power of automated reasoning—security assurance backed by mathematic proof— to help security teams proactively detect nonconformant updates to policies. For example, IAM policy changes that are more permissive than their previous version. Security teams can use these checks to streamline their reviews, automatically approving policies that conform with their security standards, and inspecting more deeply when they don't. This new kind of validation provides you higher security assurance in the cloud.

Security and development teams can innovate faster by automating and scaling their policy reviews. Your teams can integrate custom policy checks into the tools and environments where developers author their policies, such as their CI/CD pipelines. Developers can create or modify an IAM policy, and then commit it to a code repository. If custom policy checks determine that the policy adheres to your security standards, your policy review automation lets the deployment process continue. If custom policy checks determine that the policy does not adhere to your security standards, developers can review and update the policy before deploying it to production.

IAM Access Analyzer custom policy checks are available in AWS Regions and the AWS GovCloud (US) Regions where IAM is available, excluding the AWS China Regions. To learn more about IAM Access Analyzer:

1. Read more in the blog post
2. Review the pricing
3. See the documentation