AWS Adds Automated Detection of Unused IAM Roles, Users, and Permissions
Briefly

AWS recently added support for detecting unused access granted to IAM roles and users within their AWS IAM Access Analyzer tool. The new IAM Access Analyzer unused access findings can identify unused roles, unused IAM user access keys and passwords, and unused permissions within a defined usage window.
The AWS IAM Access Analyzer tool currently has two types of analyzers: external access findings and unused access findings. The two analyzers are distinct and need to be created individually. Analyzers can be created at the organization level or the account level.
The IAM Access Analyzer uses a service-linked role to review the last-accessed information for the roles, user access keys, and user passwords within the organization. Service-level and action-level last-accessed information is used to identify unused permissions for IAM roles and users. The findings are classified as active, resolved, or archived.
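The findings the article describes still have to be triaged once the analyzer produces them. The following is an added example, not code from the InfoQ article or from AWS: it takes a constructed list of unused-access findings (field names modeled on the shape returned by the Access Analyzer ListFindingsV2 API, which is an assumption to check against the API reference) and filters to active findings, counts them per finding type, orders them for remediation, and flags findings whose last analysis is older than a given age.

```python
"""Triage IAM Access Analyzer unused-access findings.

Added example, not from the InfoQ article or AWS. The finding records
below are constructed, with field names modeled on the shape returned by
the Access Analyzer ListFindingsV2 API (id, findingType, status,
resourceType, resource, analyzedAt); treat that shape as an assumption and
check it against the API reference before wiring this to live data.
"""
from collections import Counter
from datetime import datetime, timezone

# Finding types for unused user credentials (one of the article's three
# categories: roles, user credentials, permissions).
CREDENTIAL_TYPES = {"UnusedIAMUserAccessKey", "UnusedIAMUserPassword"}

# Constructed sample findings (not real resources or accounts).
SAMPLE_FINDINGS = [
    {"id": "f-1", "findingType": "UnusedIAMRole", "status": "ACTIVE",
     "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111122223333:role/legacy-deploy",
     "analyzedAt": "2024-01-10T00:00:00Z"},
    {"id": "f-2", "findingType": "UnusedIAMUserAccessKey", "status": "ACTIVE",
     "resourceType": "AWS::IAM::User",
     "resource": "arn:aws:iam::111122223333:user/ci-bot",
     "analyzedAt": "2024-01-10T00:00:00Z"},
    {"id": "f-3", "findingType": "UnusedPermission", "status": "ACTIVE",
     "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111122223333:role/app-server",
     "analyzedAt": "2024-01-10T00:00:00Z"},
    {"id": "f-4", "findingType": "UnusedIAMRole", "status": "RESOLVED",
     "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111122223333:role/old-lambda",
     "analyzedAt": "2024-01-10T00:00:00Z"},
    {"id": "f-5", "findingType": "UnusedIAMUserPassword", "status": "ARCHIVED",
     "resourceType": "AWS::IAM::User",
     "resource": "arn:aws:iam::111122223333:user/contractor",
     "analyzedAt": "2024-01-10T00:00:00Z"},
]


def active_findings(findings):
    """Return only findings still open (status ACTIVE); resolved and
    archived findings need no action."""
    return [f for f in findings if f["status"] == "ACTIVE"]


def summarize_by_type(findings):
    """Count active findings per findingType."""
    return Counter(f["findingType"] for f in active_findings(findings))


def prioritize(findings):
    """Order active findings for remediation.

    Unused user credentials first (a live key or password is a standing
    credential), then whole unused roles, then unused permissions on roles
    that are otherwise in use (least-privilege trimming).
    """
    rank = {t: 0 for t in CREDENTIAL_TYPES}
    rank["UnusedIAMRole"] = 1
    rank["UnusedPermission"] = 2
    return sorted(active_findings(findings),
                  key=lambda f: (rank.get(f["findingType"], 3), f["resource"]))


def stale_findings(findings, now, max_age_days):
    """IDs of active findings whose last analysis is older than max_age_days.

    A finding that has not been re-analyzed recently may predate changes
    in usage, so re-check it before deleting or trimming anything.
    """
    out = []
    for f in active_findings(findings):
        analyzed = datetime.fromisoformat(f["analyzedAt"].replace("Z", "+00:00"))
        if (now - analyzed).days > max_age_days:
            out.append(f["id"])
    return out


if __name__ == "__main__":
    print(dict(summarize_by_type(SAMPLE_FINDINGS)))
    for f in prioritize(SAMPLE_FINDINGS):
        print(f["findingType"], f["resource"])
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    print(stale_findings(SAMPLE_FINDINGS, now, 30))
```

In practice the findings list would come from the unused-access analyzer described above, which is created separately from the external-access analyzer; the triage logic here applies to either account-level or organization-level findings as long as the records carry the fields assumed in the comments.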
Read at InfoQ