For your specific use case of identifying unused access across 30 AWS accounts, you can rely solely on IAM Access Analyzer without requiring Security Hub integration.
IAM Access Analyzer is designed to identify unused access, including unused IAM roles, unused IAM user passwords, and unused access keys for IAM users. It also provides visibility into unused services and actions for active IAM users and roles. You can create a dedicated analyzer for unused access findings, which will examine the last accessed information for all IAM users, roles, access keys, and passwords across your organization and accounts.
Since you've already enabled the analyzer at the organization level, you can use the dashboard from a delegated administrator account to review unused access findings across your organization and prioritize accounts based on the volume and type of findings. IAM Access Analyzer also offers configuration capabilities that allow you to customize the analysis by excluding specific accounts, roles, and users to focus on what matters most to your organization.
While Security Hub provides a comprehensive view of your security state across AWS and can include IAM Access Analyzer findings in its analysis, it's not strictly necessary if your sole focus is identifying unused access. Security Hub would be beneficial if you wanted to integrate findings from multiple security services for a broader security posture assessment, but for your specific use case of managing unused access across your accounts, IAM Access Analyzer alone is sufficient.
Sources
Customize the scope of IAM Access Analyzer unused access analysis | AWS Security Blog
Understand how IAM Access Analyzer findings work - AWS Identity and Access Management
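As an added example (not part of the re:Post answer above or any AWS-published code), the following Python script shows the two pieces the answer describes: building the request for an organization-wide unused-access analyzer that excludes specific accounts through an analysis rule, and ranking accounts by the volume and type of active unused-access findings returned by ListFindingsV2 from the delegated-administrator account. The analyzer name, the excluded account ID, the analyzer ARN and the sample findings are constructed for illustration; the live call needs boto3 and credentials in the delegated-administrator account, so it is imported only inside `fetch_findings`.

```python
"""Rank accounts by IAM Access Analyzer unused-access findings.

Added example, not from the original answer. The analyzer name,
excluded account and sample findings below are constructed.
"""
from collections import Counter, defaultdict

# findingType values emitted by an unused-access analyzer (ListFindingsV2).
UNUSED_FINDING_TYPES = (
    "UnusedIAMRole",
    "UnusedIAMUserAccessKey",
    "UnusedIAMUserPassword",
    "UnusedPermission",
)


def analyzer_request(name, unused_access_age_days=90, excluded_account_ids=()):
    """Build CreateAnalyzer parameters for an organization-wide unused-access analyzer.

    Accounts to leave out of the analysis are expressed as an analysis-rule
    exclusion so findings for them are never generated.
    """
    unused = {"unusedAccessAge": unused_access_age_days}
    if excluded_account_ids:
        unused["analysisRule"] = {
            "exclusions": [{"accountIds": list(excluded_account_ids)}]
        }
    return {
        "analyzerName": name,
        "type": "ORGANIZATION_UNUSED_ACCESS",
        "configuration": {"unusedAccess": unused},
    }


def summarize(findings):
    """Group ACTIVE unused-access findings by owning account and finding type.

    Returns a list of (account_id, total, {finding_type: count}) sorted by
    total descending, then account ID, so the noisiest accounts come first.
    External-access findings and archived/resolved findings are ignored.
    """
    per_account = defaultdict(Counter)
    for f in findings:
        if f.get("status") != "ACTIVE":
            continue
        if f.get("findingType") not in UNUSED_FINDING_TYPES:
            continue
        per_account[f["resourceOwnerAccount"]][f["findingType"]] += 1
    ranked = sorted(per_account.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [(acct, sum(c.values()), dict(c)) for acct, c in ranked]


def fetch_findings(analyzer_arn):
    """Page through ListFindingsV2 for one analyzer (needs boto3 and credentials).

    Run from the delegated-administrator account so the organization-wide
    analyzer's findings for every member account are visible.
    """
    import boto3  # imported lazily so the pure helpers above run offline

    client = boto3.client("accessanalyzer")
    params = {
        "analyzerArn": analyzer_arn,
        "filter": {"status": {"eq": ["ACTIVE"]}},
    }
    findings = []
    while True:
        page = client.list_findings_v2(**params)
        findings.extend(page.get("findings", []))
        token = page.get("nextToken")
        if not token:
            return findings
        params["nextToken"] = token


# Constructed sample findings in the shape ListFindingsV2 returns (fields trimmed).
SAMPLE_FINDINGS = [
    {"resourceOwnerAccount": "111111111111", "findingType": "UnusedIAMRole", "status": "ACTIVE"},
    {"resourceOwnerAccount": "111111111111", "findingType": "UnusedIAMUserAccessKey", "status": "ACTIVE"},
    {"resourceOwnerAccount": "222222222222", "findingType": "UnusedIAMRole", "status": "ARCHIVED"},
    {"resourceOwnerAccount": "222222222222", "findingType": "UnusedPermission", "status": "ACTIVE"},
    {"resourceOwnerAccount": "333333333333", "findingType": "ExternalAccess", "status": "ACTIVE"},
]


if __name__ == "__main__":
    # Hypothetical names; replace with your own analyzer name and excluded account IDs.
    print(analyzer_request("org-unused-access", 90, ["999999999999"]))
    for acct, total, by_type in summarize(SAMPLE_FINDINGS):
        print(acct, total, by_type)
```

To run against a live organization, call `boto3.client("accessanalyzer").create_analyzer(**analyzer_request(...))` once, then pass the returned analyzer ARN to `fetch_findings` and feed the result to `summarize`. The unused-access age (90 days above) is the threshold after which access counts as unused; tune it to your own review cadence.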
