SYSTEM Cited by 1 source
AWS IAM Access Analyzer¶
Definition¶
AWS IAM Access Analyzer is the AWS service that uses automated reasoning to identify resources that are accessible from outside an AWS account or organization, surface unintended access, and provide visibility into which cross-account access a policy actually grants.
In cyber-resilience designs, IAM Access Analyzer is one of the two tools (alongside AWS Config) for mapping cross-account dependencies that need to be updated during Stage 5 cutover.
Verbatim from the canonicalising source:
"Before cutover, identify and update cross-account references that point to the original Production Account, IAM role trust policies, resource-based policies, AWS KMS key grants, and service integrations. IAM Access Analyzer and AWS Config can help identify these dependencies." (Source: sources/2026-05-20-aws-cyber-resilience-on-aws-a-reference-approach-for-recovery-from-ransomware-and-destructive-events)
Role in cyber-resilience¶
After the IRE rebuild becomes the new Production Account, every resource in other accounts that referenced the old Production Account ID has to be updated:
| Reference type | Where it lives | What needs updating |
|---|---|---|
| IAM role trust policies | Other accounts' IAM | Principal: {AWS: <old prod account ID>} → new ID |
| Resource-based policies | S3 bucket policies, SQS queue policies, etc. | Account-ID references in policy statements |
| KMS key grants | KMS keys in other accounts | Grantee principal references |
| Service integrations | Lambda function configurations, EventBridge rules, etc. | Account-ID parameters |
Access Analyzer's value is enumeration — without it, this inventory has to be built manually, which is error-prone for large organisations.
Operational model¶
Access Analyzer continuously evaluates IAM and resource-based policies and produces:
- Findings — resources accessible from outside the trust zone.
- External access reports — what's reachable from where.
- Policy validation — does this policy do what was intended?
For cyber-resilience, the relevant capability is the inventory of cross-account access paths, which can be queried at cutover time to produce the list of references that must be updated.
Maintaining the inventory¶
Per the canonicalising source's checklist item 6:
"Map cross-account dependencies (IAM role trust policies, resource-based policies, AWS KMS key grants, and service integrations) and maintain the inventory in your recovery runbook."
The inventory should be maintained on an ongoing basis, not constructed at incident time:
- Routine: Access Analyzer continuously discovers new cross-account references; the runbook ingests this output on a schedule.
- Drill: rebuild drills exercise the cutover step against the inventory; gaps surface as drill failures.
- Incident: Stage 5 cutover uses the up-to-date inventory.
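The following is an added example (not code from the source or from AWS) of the cutover step that both the reference-type table above and this inventory routine describe: it takes findings in the shape returned by the Access Analyzer `ListFindings` API, keeps the ACTIVE ones whose principal points at the old Production Account ID, classifies each by the reference type in the table, and then rewrites the `Principal` element of a trust policy to the new account ID while counting references (such as `aws:SourceAccount` conditions) that the principal rewrite alone would miss. The account IDs, ARNs and finding records are constructed sample values; the mapping from resource type to reference type is the page's table, not an AWS-defined one.

```python
"""Build the Stage 5 cutover update list from IAM Access Analyzer findings.

Added example; assumes findings shaped like the `accessanalyzer` ListFindings
response (id, resource, resourceType, resourceOwnerAccount, principal, status).
All account IDs and ARNs below are constructed sample values.
"""
import json
import re

OLD_PROD_ACCOUNT = "111111111111"  # constructed: the original Production Account
NEW_PROD_ACCOUNT = "222222222222"  # constructed: the rebuilt IRE account

# Resource type -> reference type, following the table on this page (assumption).
REFERENCE_TYPE = {
    "AWS::IAM::Role": "IAM role trust policy",
    "AWS::KMS::Key": "KMS key grant / key policy",
    "AWS::S3::Bucket": "Resource-based policy",
    "AWS::SQS::Queue": "Resource-based policy",
    "AWS::Lambda::Function": "Service integration (resource policy)",
}

# Constructed ListFindings output for an analyzer in a dependent account (333...).
SAMPLE_FINDINGS = [
    {"id": "f-1", "resource": "arn:aws:iam::333333333333:role/DeployRole",
     "resourceType": "AWS::IAM::Role", "resourceOwnerAccount": "333333333333",
     "principal": {"AWS": "111111111111"}, "status": "ACTIVE"},
    {"id": "f-2", "resource": "arn:aws:s3:::shared-artifacts",
     "resourceType": "AWS::S3::Bucket", "resourceOwnerAccount": "333333333333",
     "principal": {"AWS": "arn:aws:iam::111111111111:role/CI"}, "status": "ACTIVE"},
    {"id": "f-3", "resource": "arn:aws:kms:us-east-1:333333333333:key/abcd",
     "resourceType": "AWS::KMS::Key", "resourceOwnerAccount": "333333333333",
     "principal": {"AWS": "111111111111"}, "status": "ACTIVE"},
    {"id": "f-4", "resource": "arn:aws:sqs:us-east-1:333333333333:ingest",
     "resourceType": "AWS::SQS::Queue", "resourceOwnerAccount": "333333333333",
     "principal": {"AWS": "444444444444"}, "status": "ACTIVE"},  # unrelated account
    {"id": "f-5", "resource": "arn:aws:s3:::old-bucket",
     "resourceType": "AWS::S3::Bucket", "resourceOwnerAccount": "333333333333",
     "principal": {"AWS": "111111111111"}, "status": "ARCHIVED"},  # already resolved
]

ACCOUNT_ID_RE = re.compile(r"\b(\d{12})\b")


def principal_accounts(principal):
    """Collect every 12-digit account ID in a finding's principal map.
    Values may be bare IDs or ARNs such as arn:aws:iam::<id>:role/Name."""
    found = set()
    for value in (principal or {}).values():
        for v in (value if isinstance(value, list) else [value]):
            found.update(ACCOUNT_ID_RE.findall(str(v)))
    return found


def cutover_update_list(findings, old_account):
    """Select ACTIVE findings whose principal references old_account and tag
    each with the reference type from the page's table. Archived findings are
    skipped: they were reviewed and accepted, so they are not cutover work."""
    rows = []
    for f in findings:
        if f.get("status") != "ACTIVE":
            continue
        if old_account not in principal_accounts(f.get("principal")):
            continue
        rows.append({
            "finding_id": f["id"],
            "reference_type": REFERENCE_TYPE.get(f["resourceType"], "Other: " + f["resourceType"]),
            "resource": f["resource"],
            "owner_account": f["resourceOwnerAccount"],
        })
    return sorted(rows, key=lambda r: (r["reference_type"], r["resource"]))


def rewrite_principals(policy, old_account, new_account):
    """Return (new_policy, changed, leftover): a deep copy of an IAM policy with
    every Principal value mentioning old_account rewritten to new_account, the
    number of values changed, and how many mentions of old_account remain
    elsewhere (e.g. aws:SourceAccount conditions), which need a separate edit."""
    doc = json.loads(json.dumps(policy))  # deep copy; never mutate the input
    changed = 0
    for stmt in doc.get("Statement", []):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or a Federated/Service-only string: nothing to remap
        for key, value in principal.items():
            values = value if isinstance(value, list) else [value]
            new_values = []
            for v in values:
                if old_account in v:
                    changed += 1
                    v = v.replace(old_account, new_account)
                new_values.append(v)
            principal[key] = new_values if isinstance(value, list) else new_values[0]
    leftover = json.dumps(doc).count(old_account)
    return doc, changed, leftover


if __name__ == "__main__":
    for row in cutover_update_list(SAMPLE_FINDINGS, OLD_PROD_ACCOUNT):
        print(f'{row["reference_type"]:<40} {row["resource"]} (owner {row["owner_account"]})')
```

In a live setting the findings list would come from paginated `ListFindings` calls against the analyzer in each dependent account (or one organization-level analyzer); the filtering and classification above are what the runbook ingests on a schedule, so the update list already exists when Stage 5 starts. The `leftover` count is the caveat worth keeping: Access Analyzer findings identify the resource and principal, but condition keys and service-side configuration referencing the old account ID still have to be found and edited, which is where AWS Config complements the picture.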
Composition with AWS Config¶
AWS Config complements Access Analyzer by covering the references that are not expressed in a policy:
- Access Analyzer = identity-and-access-level cross-account references (trust policies, resource-based policies, KMS key grants).
- AWS Config = configuration-level cross-account references (e.g. EventBridge rules pointing at Lambda functions in other accounts).
Both tools together provide the comprehensive cross-account dependency map needed for Stage 5.
Seen in¶
- sources/2026-05-20-aws-cyber-resilience-on-aws-a-reference-approach-for-recovery-from-ransomware-and-destructive-events — canonical wiki reference; first wiki canonicalisation as a dedicated system page; named (alongside AWS Config) as the cross-account dependency mapping tool for Stage 5 cutover; starting-checklist item 6 emphasises maintaining the inventory on an ongoing basis.
Related¶
- systems/aws-iam — the parent identity service.
- systems/aws-config — sibling tool for configuration-level dependencies.
- concepts/cyber-resilience — the parent posture.
- concepts/parallel-recovery-stages — Stage 5 uses Access Analyzer.