Confirm IAM Access Analyzer is enabled to monitor access permissions
Why this matters
IAM Access Analyzer is a built-in AWS tool that detects resources in your account—such as IAM roles, KMS keys, or S3 buckets—that are accessible from outside your organization. This helps identify unintended exposure and supports implementation of the least privilege principle.
Without Access Analyzer, externally shared permissions can go unnoticed, increasing the risk of data leaks or unauthorized actions by third parties.
Access Analyzer provides visibility into external access paths and helps maintain tight control over cross-account permissions.
What this check does
This Auto Check verifies that:
An IAM Access Analyzer of type ACCOUNT is active in each AWS region where your account is used
The check passes if:
A valid analyzer is detected in every region in scope
The check fails if:
One or more active regions are missing an analyzer instance
How to fix it
📍 The IAM Access Analyzer must be created per region. Repeat the setup for every AWS region where resources are used.
Using AWS Console
Go to the IAM Console
In the left navigation, click Access Analyzer
Click Create analyzer
Confirm the current region in the top bar
Enter a name for the analyzer (e.g., external-access-check)
Set the type to Account (choose Organization only if you are using a delegated admin account)
Click Create analyzer
Repeat for each region where resources exist
Using AWS CLI
aws accessanalyzer create-analyzer \
  --analyzer-name access-checker \
  --type ACCOUNT \
  --region <region-name>
Be sure to run this in each region. The analyzer only detects access to resources in its own region.
Exceptions
If your AWS account uses centralized policy review through an Organization-level analyzer, this check may be Not Applicable for member accounts. In that case:
Ensure the delegated admin account has the analyzer set to ORGANIZATION type
Document the roles and accounts that are covered
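The pass/fail logic described under "What this check does", together with the Organization-level case from "Exceptions", as an added example that is not part of the original page or the checking tool's own code. It classifies the response that `aws accessanalyzer list-analyzers --region <region>` returns for each region; the per-region sample data and the status labels are constructed for illustration.

```python
# Constructed sample of what `aws accessanalyzer list-analyzers --region <r>`
# returns in each in-scope region (hypothetical data, not from a real account).
SAMPLE_RESPONSES = {
    "us-east-1": {"analyzers": [
        {"name": "external-access-check", "type": "ACCOUNT", "status": "ACTIVE"}]},
    "eu-west-1": {"analyzers": [
        {"name": "stale-analyzer", "type": "ACCOUNT", "status": "DISABLED"}]},
    "ap-southeast-2": {"analyzers": []},
    "us-west-2": {"analyzers": [
        {"name": "org-wide", "type": "ORGANIZATION", "status": "ACTIVE"}]},
}


def region_status(list_response):
    """Classify one region from its list-analyzers response.

    'pass'        an ACTIVE analyzer of type ACCOUNT exists
    'org-covered' no active ACCOUNT analyzer, but an ACTIVE ORGANIZATION
                  analyzer is present (the Exceptions case: treat as
                  Not Applicable and document what it covers)
    'fail'        no active analyzer at all (none, DISABLED, FAILED, CREATING)
    """
    active = [a for a in list_response.get("analyzers", [])
              if a.get("status") == "ACTIVE"]
    if any(a.get("type") == "ACCOUNT" for a in active):
        return "pass"
    if any(a.get("type") == "ORGANIZATION" for a in active):
        return "org-covered"
    return "fail"


def evaluate(responses_by_region):
    """Apply the check across every in-scope region.

    Returns (verdict, per_region, failing_regions). The verdict is FAIL as
    soon as one region lacks an active analyzer; org-covered regions do
    not count as failures.
    """
    per_region = {r: region_status(resp) for r, resp in responses_by_region.items()}
    failing = sorted(r for r, s in per_region.items() if s == "fail")
    return ("FAIL" if failing else "PASS"), per_region, failing


if __name__ == "__main__":
    verdict, per_region, failing = evaluate(SAMPLE_RESPONSES)
    for region, status in sorted(per_region.items()):
        print(f"{region:16} {status}")
    print("verdict:", verdict, "regions missing an analyzer:", failing)
```

To run it against a live account, feed `evaluate` the parsed JSON from `list-analyzers` for each region listed by `aws ec2 describe-regions`.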