Confirm IAM Access Analyzer is enabled to monitor access permissions

Framework Reference: A.5.18 (Access Rights Management)
Integration: AWS – IAM

Why this matters

IAM Access Analyzer is a built-in AWS tool that detects resources in your account—such as IAM roles, KMS keys, or S3 buckets—that are accessible from outside your organization. This helps identify unintended exposure and supports implementation of the least privilege principle.

Without Access Analyzer, externally shared permissions can go unnoticed, increasing the risk of data leaks or unauthorized actions by third parties.

Access Analyzer provides visibility into external access paths and helps maintain tight control over cross-account permissions.


What this check does

This Auto Check verifies that:

An IAM Access Analyzer of type ACCOUNT is active in each AWS region where your account is used

The check passes if:

A valid analyzer is detected in every region in scope

The check fails if:

One or more active regions are missing an analyzer instance


How to fix it

📍 The IAM Access Analyzer must be created per region. Repeat the setup for every AWS region where resources are used.

Using AWS Console

Go to the IAM Console

In the left navigation, click Access Analyzer

Click Create analyzer

Confirm the current region in the top bar

Enter a name for the analyzer (e.g., external-access-check)

Set the type to Account (select Organization only if you are setting this up from the delegated administrator account)

Click Create analyzer

Repeat for each region where resources exist

Using AWS CLI

aws accessanalyzer create-analyzer \
  --analyzer-name access-checker \
  --type ACCOUNT \
  --region <region-name>

Be sure to run this in each region. The analyzer only detects access to resources in its own region.
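The pass/fail rule under "What this check does" and the per-region setup above can be verified from your own side with a small script. The following is an added example, not code from the original article or from AWS: the evaluation logic runs on plain dictionaries shaped like the `analyzers` entries returned by the Access Analyzer ListAnalyzers API, using constructed sample data for three regions, and the boto3 function at the bottom is an assumed wiring for feeding it live data (it needs boto3 and credentials, and a region list you supply, for instance from `aws ec2 describe-regions`).

```python
"""Region-by-region check for an active IAM Access Analyzer of type ACCOUNT.

Added illustration, not the article's or AWS's own code. Sample data is
constructed; the boto3 wiring is an assumption about how a practitioner
would pull live listings.
"""
from typing import Callable, Dict, List

# Constructed sample: what ListAnalyzers (type=ACCOUNT) might return in three
# regions that are in use. "status" values ACTIVE / CREATING / DISABLED /
# FAILED are the ones the API documents.
SAMPLE_LISTINGS: Dict[str, List[dict]] = {
    "us-east-1": [{"name": "external-access-check", "type": "ACCOUNT", "status": "ACTIVE"}],
    "eu-west-1": [{"name": "stale-analyzer", "type": "ACCOUNT", "status": "DISABLED"}],
    "ap-southeast-2": [],  # region in use, but no analyzer was ever created
}


def has_active_account_analyzer(analyzers: List[dict]) -> bool:
    """True if at least one analyzer in the listing is ACCOUNT-scoped and ACTIVE.

    An ORGANIZATION analyzer deliberately does not satisfy this rule; that case
    is the exception the article describes, handled outside this check.
    """
    return any(a.get("type") == "ACCOUNT" and a.get("status") == "ACTIVE"
               for a in analyzers)


def evaluate_regions(regions_in_scope: List[str],
                     list_analyzers: Callable[[str], List[dict]]) -> Dict[str, str]:
    """Map each in-scope region to "PASS" or "FAIL": a region passes only when
    it holds an active ACCOUNT analyzer, mirroring the check's rule."""
    results: Dict[str, str] = {}
    for region in regions_in_scope:
        analyzers = list_analyzers(region)
        results[region] = "PASS" if has_active_account_analyzer(analyzers) else "FAIL"
    return results


def failing_regions(results: Dict[str, str]) -> List[str]:
    """Regions that still need `create-analyzer` run in them."""
    return [region for region, verdict in results.items() if verdict != "PASS"]


def check_passes(results: Dict[str, str]) -> bool:
    """The overall check passes only if every region in scope passed."""
    return bool(results) and not failing_regions(results)


def list_analyzers_with_boto3(region: str) -> List[dict]:
    """Assumed live data source: page through ListAnalyzers for one region.

    Requires boto3 and AWS credentials; not executed by the sample run below.
    """
    import boto3  # imported lazily so the offline sample runs without it
    client = boto3.client("accessanalyzer", region_name=region)
    found: List[dict] = []
    for page in client.get_paginator("list_analyzers").paginate(type="ACCOUNT"):
        found.extend(page.get("analyzers", []))
    return found


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. To run against an
    # account, pass list_analyzers_with_boto3 and the regions you actually use.
    verdicts = evaluate_regions(list(SAMPLE_LISTINGS),
                                lambda r: SAMPLE_LISTINGS.get(r, []))
    for region, verdict in verdicts.items():
        print(f"{region}: {verdict}")
    print("overall:", "PASS" if check_passes(verdicts) else "FAIL")
    print("needs an analyzer:", ", ".join(failing_regions(verdicts)) or "none")
```

On the constructed sample, us-east-1 passes while eu-west-1 (analyzer present but DISABLED) and ap-southeast-2 (no analyzer) fail, so the overall check fails; the list from `failing_regions` is exactly the set of regions in which the `create-analyzer` command above still has to be run.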


Exceptions

If your AWS account uses centralized policy review through an Organization-level analyzer, this check may be Not Applicable for member accounts. In that case:

Ensure the delegated administrator account has an analyzer of type ORGANIZATION

Document the roles and accounts that are covered


Further Resources

What is IAM Access Analyzer?

Getting Started with Access Analyzer

AWS CLI – Create Analyzer
