IAM Access Analyzer is enabled

accessanalyzer_enabled

Severity: low
by Prowler

IAM Access Analyzer presence and status are evaluated per account and Region. An analyzer in ACTIVE state indicates continuous analysis of supported resources and IAM activity to identify external, internal, and unused access.
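The per-Region evaluation described above, written out as an added example (this is not Prowler's own check code). It applies the rule the paragraph states, that a Region passes only if at least one analyzer is in ACTIVE state, to a constructed set of list-analyzers responses, and reports why a Region fails (no analyzer at all versus analyzers present but DISABLED, CREATING or FAILED). The optional `collect_with_boto3` helper is an assumption about how a live run would gather the same data; it needs boto3 and AWS credentials and is not exercised offline.

```python
"""Evaluate IAM Access Analyzer status per Region (added example, not Prowler source)."""
from dataclasses import dataclass

# Constructed sample data shaped like the "analyzers" list returned by
# `aws accessanalyzer list-analyzers`, one entry per Region.
SAMPLE_RESPONSES = {
    "us-east-1": [
        {"name": "ext-access", "type": "ACCOUNT", "status": "ACTIVE"},
        {"name": "unused-access", "type": "ACCOUNT_UNUSED_ACCESS", "status": "ACTIVE"},
    ],
    "eu-west-1": [
        {"name": "old-analyzer", "type": "ACCOUNT", "status": "DISABLED"},
    ],
    "ap-south-1": [],  # nothing configured in this Region
}


@dataclass
class Finding:
    region: str
    status: str   # "PASS" or "FAIL"
    message: str


def evaluate_region(region, analyzers):
    """PASS if any analyzer in the Region is ACTIVE, otherwise FAIL with the reason."""
    active = [a for a in analyzers if a.get("status") == "ACTIVE"]
    if active:
        kinds = sorted({a.get("type", "UNKNOWN") for a in active})
        return Finding(region, "PASS", f"{len(active)} ACTIVE analyzer(s): {', '.join(kinds)}")
    if analyzers:
        # Analyzers exist but none is analysing anything right now.
        states = ", ".join(f"{a['name']}={a.get('status')}" for a in analyzers)
        return Finding(region, "FAIL", f"analyzers present but none ACTIVE ({states})")
    return Finding(region, "FAIL", "no IAM Access Analyzer configured")


def evaluate_account(responses):
    """Evaluate every Region; sorted so output is stable across runs."""
    return [evaluate_region(region, analyzers) for region, analyzers in sorted(responses.items())]


def remediation_command(region, name="example_resource"):
    """The CLI remediation from this page, scoped to the failing Region."""
    return (f"aws accessanalyzer create-analyzer --region {region} "
            f"--analyzer-name {name} --type ACCOUNT")


def collect_with_boto3(regions):
    """Live collection (assumption: boto3 installed and credentials available).

    Paginates ListAnalyzers per Region and returns the same dict shape as
    SAMPLE_RESPONSES so evaluate_account() can consume it unchanged.
    """
    import boto3  # imported here so the offline evaluation needs no AWS SDK
    out = {}
    for region in regions:
        client = boto3.client("accessanalyzer", region_name=region)
        analyzers = []
        for page in client.get_paginator("list_analyzers").paginate():
            analyzers.extend(page.get("analyzers", []))
        out[region] = analyzers
    return out


if __name__ == "__main__":
    for finding in evaluate_account(SAMPLE_RESPONSES):
        print(f"{finding.status:4} {finding.region:12} {finding.message}")
        if finding.status == "FAIL":
            print("     fix:", remediation_command(finding.region))
```

Running it on the sample data reports us-east-1 as PASS and the other two Regions as FAIL with different reasons, mirroring how a per-Region check surfaces both "never enabled" and "enabled but no longer ACTIVE" as the same loss of visibility.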

Risk

Without an active analyzer, visibility into unintended public, cross-account, or risky internal access is lost. Adversaries can exploit exposed S3, snapshots, KMS keys, or permissive role trusts for data exfiltration and escalation. Unused permissions persist, enlarging the attack surface. This degrades confidentiality and integrity.

Run this check with Prowler CLI

prowler aws --checks accessanalyzer_enabled

Fix finding with Prowler CLI

prowler aws --checks accessanalyzer_enabled --fixer

Recommendation

Enable IAM Access Analyzer across all accounts and active Regions (or organization-wide). Operate on least privilege: continuously review findings, remove unintended access, and trim unused permissions. Use archive rules sparingly, integrate reviews into change/CI/CD workflows, and enforce separation of duties on policy changes.

Remediation

CLI

aws accessanalyzer create-analyzer --analyzer-name example_resource --type ACCOUNT

Other
  1. In the AWS Console, open IAM
  2. Go to Access analyzer > Analyzer settings
  3. Confirm the desired Region
  4. Click Create analyzer
  5. Select Resource analysis - External access
  6. Set Name to "example_resource" and Zone of trust to "Current account"
  7. Click Create

Resource Type: Other
