Amazon IAM Access Analyzer

AWS IAM Access Analyzer helps you set, verify, and refine your IAM policies by providing a suite of capabilities including findings for external, internal, and unused access, basic and custom policy checks for validating policies, and policy generation to generate fine-grained policies. It uses automated reasoning to identify resources shared with external entities and helps implement least privilege access across your AWS environment.

1 API · 7 Features

Tags: Access Control · Compliance · IAM · Policy Management · Security

APIs

AWS IAM Access Analyzer API

The AWS IAM Access Analyzer API provides programmatic access to create and manage analyzers, findings, archive rules, and policy validations to identify and remediate unintended...

Features

External Access Analysis

Identifies resources shared with external entities outside your AWS organization using automated reasoning.

Internal Access Analysis

Identifies which principals within your organization have access to selected resources.

Unused Access Analysis

Identifies unused IAM roles, access keys, console passwords, and unused service permissions.

Policy Validation

Validates IAM policies against best practices and custom security standards before deployment.

Policy Generation

Generates fine-grained IAM policies based on actual access activity logged in AWS CloudTrail.

Access Preview

Preview public and cross-account access to resources before deploying permission changes.

Archive Rules

Automatically archive findings that match specified criteria to reduce noise.

Use Cases

Least Privilege Enforcement

Analyze actual API activity to generate minimal permission policies that implement least privilege access.

Security Compliance Auditing

Continuously monitor for unintended external access to sensitive resources like S3 buckets and IAM roles.

CI/CD Policy Validation

Integrate policy checks into deployment pipelines to catch overpermissive policies before they reach production.

Access Governance

Identify and remediate unused access across IAM users, roles, and service accounts organization-wide.

Cross-Account Access Review

Identify all resources shared across AWS accounts and validate the intent of each cross-account permission.

Semantic Vocabularies

Amazon IAM Access Analyzer Context

116 classes · 146 properties

JSON-LD

API Governance Rules

Amazon IAM Access Analyzer API Rules

23 rules · 10 errors · 10 warnings · 3 info

SPECTRAL

Resources

Portal
Website
Documentation
TermsOfService
PrivacyPolicy
Support
Blog
GitHubOrganization
Console
SignUp
Login
StatusPage
Contact
SpectralRules
Vocabulary
JSONLD

Sources

aid: amazon-iam-access-analyzer
name: Amazon IAM Access Analyzer
description: AWS IAM Access Analyzer helps you set, verify, and refine your IAM policies by providing a suite of capabilities
  including findings for external, internal, and unused access, basic and custom policy checks for validating policies, and
  policy generation to generate fine-grained policies. It uses automated reasoning to identify resources shared with external
  entities and helps implement least privilege access across your AWS environment.
type: Index
image: https://kinlane-productions.s3.amazonaws.com/apis-json/apis-json-logo.jpg
tags:
- Access Control
- AWS
- Compliance
- IAM
- Policy Management
- Security
url: https://raw.githubusercontent.com/api-evangelist/amazon-iam-access-analyzer/refs/heads/main/apis.yml
created: '2026-03-16'
modified: '2026-05-19'
specificationVersion: '0.19'
apis:
- aid: amazon-iam-access-analyzer:aws-access-analyzer-api
  name: AWS IAM Access Analyzer API
  description: The AWS IAM Access Analyzer API provides programmatic access to create and manage analyzers, findings, archive
    rules, and policy validations to identify and remediate unintended resource access across AWS accounts and organizations.
  humanURL: https://aws.amazon.com/iam/features/analyze-access/
  baseURL: https://access-analyzer.amazonaws.com
  tags:
  - Access Control
  - IAM
  - Policy Management
  - Security
  properties:
  - type: Documentation
    url: https://docs.aws.amazon.com/access-analyzer/latest/APIReference/Welcome.html
  - type: OpenAPI
    url: openapi/amazon-iam-access-analyzer-openapi-original.yml
  - type: GettingStarted
    url: https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
  - type: Pricing
    url: https://aws.amazon.com/iam/pricing/
  - type: FAQ
    url: https://aws.amazon.com/iam/faqs/
  - type: JSONSchema
    url: json-schema/iam-access-analyzer-analyzer-schema.json
  - type: JSONStructure
    url: json-structure/iam-access-analyzer-analyzer-structure.json
  - type: Example
    url: examples/iam-access-analyzer-analyzer-example.json
  - type: NaftikoCapability
    url: capabilities/amazon-iam-access-analyzer.yaml
common:
- type: Portal
  url: https://aws.amazon.com/iam/features/analyze-access/
- type: Website
  url: https://aws.amazon.com/iam/
- type: Documentation
  url: https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
- type: TermsOfService
  url: https://aws.amazon.com/service-terms/
- type: PrivacyPolicy
  url: https://aws.amazon.com/privacy/
- type: Support
  url: https://aws.amazon.com/premiumsupport/
- type: Blog
  url: https://aws.amazon.com/blogs/security/tag/iam-access-analyzer/
- type: GitHubOrganization
  url: https://github.com/aws
- type: Console
  url: https://console.aws.amazon.com/access-analyzer/
- type: SignUp
  url: https://portal.aws.amazon.com/billing/signup
- type: Login
  url: https://signin.aws.amazon.com/
- type: StatusPage
  url: https://health.aws.amazon.com/health/status
- type: Contact
  url: https://aws.amazon.com/contact-us/
- type: SpectralRules
  url: rules/amazon-iam-access-analyzer-spectral-rules.yml
- type: Vocabulary
  url: vocabulary/amazon-iam-access-analyzer-vocabulary.yaml
- type: JSONLD
  url: json-ld/amazon-iam-access-analyzer-context.jsonld
- type: Features
  data:
  - name: External Access Analysis
    description: Identifies resources shared with external entities outside your AWS organization using automated reasoning.
  - name: Internal Access Analysis
    description: Identifies which principals within your organization have access to selected resources.
  - name: Unused Access Analysis
    description: Identifies unused IAM roles, access keys, console passwords, and unused service permissions.
  - name: Policy Validation
    description: Validates IAM policies against best practices and custom security standards before deployment.
  - name: Policy Generation
    description: Generates fine-grained IAM policies based on actual access activity logged in AWS CloudTrail.
  - name: Access Preview
    description: Preview public and cross-account access to resources before deploying permission changes.
  - name: Archive Rules
    description: Automatically archive findings that match specified criteria to reduce noise.
- type: UseCases
  data:
  - name: Least Privilege Enforcement
    description: Analyze actual API activity to generate minimal permission policies that implement least privilege access.
  - name: Security Compliance Auditing
    description: Continuously monitor for unintended external access to sensitive resources like S3 buckets and IAM roles.
  - name: CI/CD Policy Validation
    description: Integrate policy checks into deployment pipelines to catch overpermissive policies before they reach production.
  - name: Access Governance
    description: Identify and remediate unused access across IAM users, roles, and service accounts organization-wide.
  - name: Cross-Account Access Review
    description: Identify all resources shared across AWS accounts and validate the intent of each cross-account permission.
- type: Integrations
  data:
  - name: AWS CloudTrail
    description: Uses CloudTrail activity logs to generate least-privilege IAM policies based on actual usage.
  - name: AWS Security Hub
    description: Publishes Access Analyzer findings to Security Hub for centralized security monitoring.
  - name: AWS Organizations
    description: Analyzes access across all accounts in an AWS Organization for comprehensive governance.
  - name: AWS Config
    description: Triggers re-scanning of resources when configuration changes are detected.
  - name: Amazon EventBridge
    description: Publishes finding events to EventBridge for automated security workflow responses.
- type: Integrations
  url: https://aws.amazon.com/marketplace
integrations:
- name: Sign in
- name: Agent Mode
- name: Why AWS Marketplace?
- name: Get started in AWS Marketplace
- name: Industry
- name: Resources
- name: Become a Channel Partner
- name: Sell in AWS Marketplace
- name: Manage Your Account
maintainers:
- FN: Kin Lane
  email: [email protected]