
How do I use AWS IAM Access Analyzer to monitor my AWS resources in my AWS Organizations accounts?


I want to use AWS Identity and Access Management Access Analyzer to identify resources in my organization and accounts that I share with an external entity.

Short description

To monitor external access to resources across your organization, use your organization's management account to create external access analyzers in each AWS Region. You can also add a member account in your organization as a delegated administrator for IAM Access Analyzer.

Note: Only the management account can add a delegated administrator. 

Resolution

You can use either the IAM console or the AWS Command Line Interface (AWS CLI) to create the external access analyzer.

Use the IAM console

From your organization's management or delegated administrator account, use the IAM console to create the IAM Access Analyzer external access analyzer.

Use the AWS CLI

Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Run the following create-analyzer command in each AWS Region where you have resources to monitor (the command creates an analyzer only in the Region given by --region or your AWS CLI default Region):

aws accessanalyzer create-analyzer --analyzer-name example --type ORGANIZATION

Check the status of your analyzers

You can view the status of your external access analyzers in the Analyzers section of the IAM console.
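The following POSIX shell script is an added example, not AWS's own code or part of this Knowledge Center post. It puts the create-analyzer step and the status check together: for each Region you name it asks list-analyzers whether an ACTIVE ORGANIZATION analyzer already exists and creates one only where it is missing, which also avoids the ConflictException you get when create-analyzer is run twice with the same name. The Region list in REGIONS, the analyzer name org-external-access, and the AWS_CMD variable (which lets a test or dry run substitute a stub for the real aws binary) are assumptions of the example; the script must be run from the organization's management account or the delegated administrator account.

```sh
#!/bin/sh
# Added example (not AWS's code): ensure one ACTIVE ORGANIZATION external
# access analyzer exists in every Region listed, since these analyzers are
# Regional. Assumed names: AWS_CMD, ANALYZER_NAME, REGIONS.

AWS_CMD="${AWS_CMD:-aws}"                               # overridable for testing
ANALYZER_NAME="${ANALYZER_NAME:-org-external-access}"   # assumed analyzer name

# Create the ORGANIZATION analyzer in one Region (page's command plus --region).
create_org_analyzer() {
    region="$1"
    "$AWS_CMD" accessanalyzer create-analyzer \
        --region "$region" \
        --analyzer-name "$ANALYZER_NAME" \
        --type ORGANIZATION \
        --output json
}

# Return 0 when the Region already has an ACTIVE ORGANIZATION analyzer.
# The JMESPath query counts ACTIVE analyzers; --output text prints the number.
region_is_covered() {
    region="$1"
    count=$("$AWS_CMD" accessanalyzer list-analyzers \
        --region "$region" --type ORGANIZATION \
        --query "length(analyzers[?status=='ACTIVE'])" --output text)
    [ "${count:-0}" -gt 0 ]
}

# Print the Regions that still have no ACTIVE ORGANIZATION analyzer, one per line.
uncovered_regions() {
    for r in "$@"; do
        region_is_covered "$r" || echo "$r"
    done
}

# Create the analyzer only where coverage is missing; report each Region.
ensure_coverage() {
    for r in "$@"; do
        if region_is_covered "$r"; then
            echo "$r: ACTIVE ORGANIZATION analyzer present"
        else
            echo "$r: creating $ANALYZER_NAME"
            create_org_analyzer "$r" >/dev/null
        fi
    done
}

# Usage: REGIONS="us-east-1 eu-west-1" sh ensure-analyzers.sh
if [ -n "${REGIONS:-}" ]; then
    ensure_coverage $REGIONS
fi
```

Run uncovered_regions first from a read-only session to see which Regions are missing an analyzer; ensure_coverage needs access-analyzer:CreateAnalyzer in addition to access-analyzer:ListAnalyzers.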

Related information

Using AWS Identity and Access Management Access Analyzer

IAM Access Analyzer supported resource types for external and internal access

1 Comment

IAM Access Analyzer has a suite of features. The above Knowledge Center post is talking about external access analysis. This feature is offered at no additional charge to customers. It analyzes resource permissions. Since those resources are Regional, it is recommended to create an analyzer in each Region where you have resources that need to be analyzed. IAM Access Analyzer has another analyzer type for its unused access analysis. Unused access analysis is a paid offering and analyzes IAM users' and roles' permissions, which are not Regional. Hence, you only need a single unused access analyzer. I think we just need the Knowledge Center post to specify that the guidance is for external access analysis.

replied a year ago