Refine unused access using IAM Access Analyzer recommendations

As a security team lead, your goal is to manage security for your organization at scale and ensure that your team follows AWS Identity and Access Management (IAM) security best practices, such as the principle of least privilege. As your developers build on AWS, you need visibility across your organization to make sure that teams are working with only the required privileges. Now, AWS Identity and Access Management Analyzer offers prescriptive recommendations with actionable guidance that you can share with your developers to quickly refine unused access.

In this post, we show you how to use IAM Access Analyzer recommendations to refine unused access. To do this, we start by focusing on the recommendations to refine unused permissions and show you how to generate the recommendations and the actions you can take. For example, we show you how to filter unused permissions findings, generate recommendations, and remediate issues. Now, with IAM Access Analyzer, you can include step-by-step recommendations to help developers refine unused permissions quickly.

Unused access recommendations

IAM Access Analyzer continuously analyzes your accounts to identify unused access and consolidates findings in a centralized dashboard. The dashboard helps review findings and prioritize accounts based on the volume of findings. The findings highlight unused IAM roles and unused access keys and passwords for IAM users. For active IAM roles and users, the findings provide visibility into unused services and actions. You can learn more about unused access analysis through the IAM Access Analyzer documentation.

For unused IAM roles, access keys, and passwords, IAM Access Analyzer provides quick links in the console to help you delete them. You can use the quick links to act on the recommendations or use export to share the details with the AWS account owner. For overly permissive IAM roles and users, IAM Access Analyzer provides policy recommendations with actionable steps that guide you to refine unused permissions. The recommended policies retain resource and condition context from existing policies, helping you update your policies iteratively.

Throughout this post, we use an IAM role in an AWS account and configure the permissions by doing the following:

1. Attaching the AWS managed policy AmazonBedrockReadOnly.
2. Attaching the AWS managed policy AmazonS3ReadOnlyAccess.
3. Embedding an inline policy with the permissions described in the following code and named InlinePolicyListLambda.

Content of inline policy InlinePolicyListLambda:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InlinePolicyLambda",
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions",
                "lambda:ListLayers",
                "lambda:ListAliases",
                "lambda:ListFunctionUrlConfigs"
            ],
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "1.100.150.200/32"
                }
            }
        }
    ]
}

We use an inline policy to demonstrate that IAM Access Analyzer unused access recommendations are applicable for that use case. The recommendations are also applicable when using AWS managed policies and customer managed policies.

In your AWS account, after you have configured an unused access analyzer, you can select an IAM role that you have used recently and see if there are unused access permissions findings and recommendations.

Prerequisites

Before you get started, you must create an unused access analyzer for your organization or account. Follow the instructions in IAM Access Analyzer simplifies inspection of unused access in your organization to create an unused access analyzer.

Generate recommendations for unused permissions

In this post we explore three options for generating recommendations for IAM Access Analyzer unused permissions findings: the console, AWS CLI, and AWS API.

Generate recommendations for unused permissions using the console

After you have created an unused access analyzer as described in the prerequisites, wait a few minutes to see the analysis results. Then use the AWS Management Console to view the proposed recommendations for the unused permissions.

To list unused permissions findings

1. Go to the IAM console and under Access Analyzer, choose Unused access from the navigation pane.
2. Search for active findings with the type Unused permissions in the search box.
   1. Select Active from the Status drop-down list.
   2. In the search box, select Findings type under Properties.
   3. Select Equals as Operators.
   4. Select Findings Type = Unused permissions.
   5. This list shows the active findings for IAM resources with unused permissions.
   

   Figure 1: Filter on unused permissions in the IAM console

3. Select a finding to learn more about the unused permissions granted to a given role or user.

To obtain recommendations for unused permissions

1. On the findings detail page, you will see a list of the unused permissions under Unused permissions.
2. Following that, there is a new section called Recommendations. The Recommendations section presents two steps to remediate the finding:
   1. Review the existing permissions on the resource.
   2. Create new policies with the suggested refined permissions and detach the existing policies.
   

   Figure 2: Recommendations section

3. The generation of recommendations is on-demand and is done in the background when you’re using the console. The message Analysis in progress indicates that recommendations are being generated. The recommendations exclude the unused actions from the recommended policies.
4. When an IAM principal, such as an IAM role or user, has multiple permissions policies attached, an analysis of unused permissions is made for each of permissions policies:
   • If no permissions have been used, the recommended action is to detach the existing permissions policy.
   • If some permissions have been used, only the used permissions are kept in the recommended policy, helping you apply the principle of least privilege.
5. The recommendations are presented for each existing policy in the column Recommended policy. In this example, the existing policies are:
   • AmazonBedrockReadOnly
   • AmazonS3ReadOnlyAccess
   • InlinePolicyListLambda

   And the recommended policies are:

   • None
   • AmazonS3ReadOnlyAccess-recommended
   • InlinePolicyListLambda-recommended
   

   Figure 3: Recommended policies

6. There is no recommended policy for AmazonBedrockReadOnly because the recommended action is to detach it. When hovering over None, the following message is displayed: There are no recommended policies to create for the existing permissions policy.
7. AmazonS3ReadOnlyAccess and InlinePolicyListLambda and their associated recommended policy can be previewed by choosing Preview policy.

To preview a recommended policy

IAM Access Analyzer has proposed two recommended policies based on the unused actions.

1. To preview each recommended policy, choose Preview policy for that policy to see a comparison between the existing and recommended permissions.
   1. Choose Preview policy for AmazonS3ReadOnlyAccess-recommended.
      1. The existing policy has been analyzed and the broad permissions—s3:Get* and s3:List*—have been scoped down to detailed permissions in the recommended policy.
      2. The permissions s3:Describe*, s3-object-lambda:Get*, and s3-object-lambda:List* can be removed because they weren’t used.
      

      Figure 4: Preview of the recommended policy for AmazonS3ReadOnlyAccess

   2. Choose Preview policy for InlinePolicyListLambda-recommended to see a comparison between the existing inline policy InlinePolicyListLambda and its recommended version.
      1. The existing permissions, lambda:ListFunctions and lambda:ListLayers, are kept in the recommended policy, as well as the existing condition.
      2. The permissions in lambda:ListAliases and lambda:ListFunctionUrlConfigs can be removed because they weren’t used.
      

      Figure 5: Preview the recommended policy for the existing inline policy InlinePolicyListLambda

To download the recommended policies file

1. Choose Download JSON to download the suggested recommendations locally.
   

   Figure 6: Download the recommended policies

2. A .zip file that contains the recommended policies in JSON format will be downloaded.
   

   Figure 7: Downloaded recommended policies as JSON files

3. The content of the AmazonS3ReadOnlyAccess-recommended-1-2024-07-22T20/08/44.793Z.json file the same as the recommended policy shown in Figure 4.

Generate recommendations for unused permissions using AWS CLI

In this section, you will see how to generate recommendations for unused permissions using AWS Command Line Interface (AWS CLI).

To list unused permissions findings

1. Use the following code to refine the results by filtering on the type UnusedPermission and selecting only the active findings. Copy the Amazon Resource Name (ARN) of your unused access analyzer and use it to replace the ARN in the following code:

   aws accessanalyzer list-findings-v2 \
     --analyzer-arn "arn:aws:access-analyzer:<region>:<123456789012>:analyzer/<analyzer_name>" \
     --region <region> \
     --filter '{"findingType": {"eq": ["UnusedPermission"]}, "status": {"eq": ["ACTIVE"]}}'

2. You will obtain results similar to the following.

   {
       "findings": [
           {
               "analyzedAt": "2024-05-29T07:25:34+00:00",
               "createdAt": "2024-05-23T19:20:59+00:00",
               "id": "0fa3f5a1-bd92-4193-8ca4-aba12cd91370",
               "resource": "arn:aws:iam::123456789012:user/demoIAMUser",
               "resourceType": "AWS::IAM::User",
               "resourceOwnerAccount": "123456789012",
               "status": "ACTIVE",
               "updatedAt": "2024-05-29T07:25:35+00:00",
               "findingType": "UnusedPermission"
           },
           {
               "analyzedAt": "2024-05-29T07:25:34+00:00",
               "createdAt": "2024-05-23T19:20:59+00:00",
               "id": "1e952245-bcf3-48ad-a708-afa460df794b",
               "resource": "arn:aws:iam::123456789012:role/demoIAMRole",
               "resourceType": "AWS::IAM::Role",
               "resourceOwnerAccount": "123456789012",
               "status": "ACTIVE",
               "updatedAt": "2024-05-29T07:25:37+00:00",
               "findingType": "UnusedPermission"
           },
           ...
       ]
   }

To generate unused permissions finding recommendations

After you have a list of findings for unused permissions, you can generate finding recommendations.

1. Run the following, replacing the analyzer ARN and the finding ID to generate the suggested recommendations.

   aws accessanalyzer generate-finding-recommendation \
     --analyzer-arn "arn:aws:access-analyzer:<region>:<123456789012>:analyzer/<analyzer_name>" \
     --region <region> \
     --id "ab123456-bcd0-78ab-a012-afa460df794b"

2. You will get an empty response if your command ran successfully. The process is running in the background.

To obtain the generated recommendations

After the recommendations are generated, you need to make a separate API call to view the recommendations details.

1. The following command returns the recommended remediation.

   aws accessanalyzer get-finding-recommendation \
     --analyzer-arn "arn:aws:access-analyzer:<region>:<123456789012>:analyzer/<analyzer_name>" \
     --region <region> \
     --id "ab123456-bcd0-78ab-a012-afa460df794b"

2. This command provides the following results. For more information about the meaning and structure of the recommendations, see Anatomy of a recommendation later in this post.
   

   Note: The recommendations consider AWS managed policies, customer managed policies, and inline policies. The IAM conditions in the initial policy are maintained in the recommendations if the actions they’re related to are used.

   The remediations suggested are to do the following:

   1. Detach AmazonBedrockReadOnly policy because it is unused: DETACH_POLICY
   2. Create a new recommended policy with scoped down permissions from the managed policy AmazonS3ReadOnlyAccess: CREATE_POLICY
   3. Detach AmazonS3ReadOnlyAccess: DETACH_POLICY
   4. Embed a new recommended policy with scoped down permissions from the inline policy: CREATE_POLICY
   5. Delete the inline policy.

   {
       "recommendedSteps": [
           {
               "unusedPermissionsRecommendedStep": {
                   "policyUpdatedAt": "2023-12-06T15:48:19+00:00",
                   "recommendedAction": "DETACH_POLICY",
                   "existingPolicyId": "arn:aws:iam::aws:policy/AmazonBedrockReadOnly"
               }
           },
           {
               "unusedPermissionsRecommendedStep": {
                   "policyUpdatedAt": "2023-08-10T21:31:39+00:00",
                   "recommendedAction": "CREATE_POLICY",
                   "recommendedPolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:GetBucketObjectLockConfiguration\",\"s3:GetBucketOwnershipControls\",\"s3:GetBucketTagging\",\"s3:GetBucketVersioning\",\"s3:GetJobTagging\",\"s3:GetObject\",\"s3:GetObjectAcl\",\"s3:GetObjectLegalHold\",\"s3:GetObjectRetention\",\"s3:GetObjectTagging\",\"s3:GetObjectTorrent\",\"s3:GetObjectVersion*\",\"s3:GetStorage*\",\"s3:ListAllMyBuckets\",\"s3:ListBucket\",\"s3:ListBucketVersions\",\"s3:ListMultipartUploadParts\",\"s3:ListStorageLensGroups\",\"s3:ListTagsForResource\"],\"Resource\":\"*\"}]}",
                   "existingPolicyId": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
               }
           },
           {
               "unusedPermissionsRecommendedStep": {
                   "policyUpdatedAt": "2023-08-10T21:31:39+00:00",
                   "recommendedAction": "DETACH_POLICY",
                   "existingPolicyId": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
               }
           },
           {
               "unusedPermissionsRecommendedStep": {
                   "recommendedAction": "CREATE_POLICY",
                   "recommendedPolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"InlinePolicyLambda\",\"Effect\":\"Allow\",\"Action\":[\"lambda:ListFunctions\",\"lambda:ListLayers\"],\"Resource\":\"*\",\"Condition\":{\"NotIpAddress\":{\"aws:SourceIp\":\"1.100.150.200/32\"}}}]}",
                   "existingPolicyId": "InlinePolicyListLambda"
               }
           },
           {
               "unusedPermissionsRecommendedStep": {
                   "recommendedAction": "DETACH_POLICY",
                   "existingPolicyId": "InlinePolicyListLambda"
               }
           }
       ],
       "status": "SUCCEEDED",
       "error": null,
       "completedAt": "2024-07-22T20:40:58.413698+00:00",
       "recommendationType": "UNUSED_PERMISSION_RECOMMENDATION",
       "resourceArn": "arn:aws:iam::123456789012:role/IAMRole_IA2_Blog_EC2Role",
       "startedAt": "2024-07-22T20:40:54+00:00"
   }

Generate recommendations for unused permissions using EventBridge and AWS API

We have described how to use AWS CLI and the console to find unused permissions findings and to generate recommendations.

In this section, we show you how to use an Amazon EventBridge rule to find the active unused permissions findings from IAM Access Analyzer. Then we show you how to generate recommendations using two IAM Access Analyzer APIs to generate the finding recommendations and get the finding recommendations.

To create an EventBridge rule to detect unused permissions findings

Create an EventBridge rule to detect new unused permissions findings from IAM Access Analyzer.

1. Go to the Amazon EventBridge console.
2. Choose Rules, and then choose Create rule.
3. Enter a name for your rule. Leave the Event bus value as the default.
4. Under Rule type, select Rule with an event pattern.
5. In the Event Source section, select AWS events or EventBridge partner events.
6. For Creation method, select Use pattern form.
7. Under Event pattern:
   1. For Event source, select AWS services.
   2. For AWS service, select Access Analyzer.
   3. For Event type, select Unused Access Finding for IAM entities.

   Note: There is no event for generated recommendations, only for unused access findings.

   

   Figure 8: Listing unused permissions by filtering events using an EventBridge rule

8. Configure the Event pattern by changing the default values to the following:
   1. resources: Enter the ARN of your unused access analyzer.
   2. status: ACTIVE indicates that you are only looking for active findings.
   3. findingType: UnusedPermission.
9. You can select a target Amazon Simple Notification Service (Amazon SNS) to be notified of new active findings for a specific analyzer for unused permissions.

To generate recommendations for unused permissions using the IAM Access Analyzer API

The findings are generated on-demand. For that purpose, IAM Access Analyzer API GenerateFindingRecommendation can be called with two parameters: the ARN of the analyzer and the finding ID.

1. You can use AWS Software Development Kit (SDK) for Python(boto3) for the API call.
2. Run the call as follows:

   ia2_client = boto3.client('accessanalyzer')
   response = ia2_client.generate_finding_recommendation(
       analyzerArn=analyzer,
       id=findingId
       )

To obtain the finding recommendations

1. After the recommendations are generated, they can be obtained by calling the API GetFindingRecommendation with the same parameters: the ARN of the analyzer and the finding ID.
2. Use AWS SDK for Python (boto3) for the API call as follows:

   ia2_client = boto3.client('accessanalyzer')
   response = ia2_client.get_finding_recommendation(
       analyzerArn=analyzer,
       id=findingId
   )

Remediate based on the generated recommendations

The recommendations are generated as actionable guidance that you can follow. They propose new IAM policies that exclude the unused actions, helping you rightsize your permissions.

Anatomy of a recommendation

The recommendations are usually presented in the following way:

• Date and time: startedAt, completedAt. Respectively when the API call was made and when the analysis was completed and the results were provided.
• Resource ARN: The ARN of the resource being analyzed.
• Recommended steps: The recommended steps, such as creating a new policy based on the actions used and detaching the existing policy.
• Recommendation type: UNUSED_PERMISSION_RECOMMENDATION.
• Status: The status of retrieving the finding recommendation. The status values include SUCCEEDED, FAILED, and IN_PROGRESS.

For more information about the structure of recommendations, see the output section of get-finding-recommendation.

Recommended policy review

You must review the recommended policy. The recommended actions depend on the original policy. The original policy will be one of the following:

• An AWS managed policy: You need to create a new IAM policy using recommendedPolicy. Attach this newly created policy to your IAM role. Then detach the former policy.
• A customer managed policy or an inline policy: Review the policy, verify its scope, consider how often it’s attached to other principals (customer managed policy only), and when you are confident to proceed, use the recommended policy to create a new policy and detach the former policy.

Use cases to consider when reviewing recommendations

During your review process, keep in mind that the unused actions are determined based on the time defined in your tracking period. The following are some use cases you might have where a necessary role or action might be identified as unused (this is not an exhaustive list of use cases). It’s important to review the recommendations based on your business needs. You can also archive some findings related to the use cases such as the ones that follow:

• Backup activities: If your tracking period is 28 days and you have a specific role for your backup activities running at the end of each month, you might discover that after 29 days some of the permissions for that backup role are identified as unused.
• IAM permissions associated to an infrastructure as code deployment pipeline: You should also consider the permissions associated to specific IAM roles such an IAM for infrastructure as code (IaC) deployment pipeline. Your pipeline can be used to deploy Amazon Simple Storage Service (Amazon S3) buckets based on your internal guidelines. After deployment is complete, the pipeline permissions can become unused after your tracking period, but removing those unused permissions can prevent you from updating your S3 buckets configuration or from deleting it.
• IAM roles associated with disaster recovery activities: While it’s recommended to have a disaster recovery plan, the IAM roles used to perform those activities might be flagged by IAM Access Analyzer for having unused permissions or being unused roles.

To apply the suggested recommendations

Of the three original policies attached to IAMRole_IA2_Blog_EC2Role, AmazonBedrockReadOnly can be detached and AmazonS3ReadOnlyAccess and InlinePolicyListLambda can be refined.

1. Detach AmazonBedrockReadOnly

   No permissions are used in this policy, and the recommended action is to detach it from your IAM role. To detach it, you can use the IAM console, the AWS CLI, or the AWS API.

2. Create a new policy called AmazonS3ReadOnlyAccess-recommended and detach AmazonS3ReadOnlyAccess.

   The unused access analyzer has identified unused permissions in the managed policy AmazonS3ReadOnlyAccess and proposed a new policy AmazonS3ReadOnlyAccess-recommended that contains only the used actions. This is a step towards least privilege because the unused actions can be removed by using the recommended policy.

   1. Create a new IAM policy named AmazonS3ReadOnlyAccess-recommended that contains only the following recommended policy or one based on the downloaded JSON file.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:getbuckettagging",
              "s3:getjobtagging",
              "s3:getobject",
              "s3:getobjectacl",
              "s3:getobjectlegalhold",
              "s3:getobjectretention",
              "s3:getobjecttagging",
              "s3:getobjecttorrent",
              "s3:getobjectversion",
              "s3:getobjectversionacl",
              "s3:getobjectversionattributes",
              "s3:getobjectversionforreplication",
              "s3:getobjectversiontagging",
              "s3:getobjectversiontorrent",
              "s3:getstoragelensconfigurationtagging",
              "s3:getstoragelensgroup",
              "s3:listbucket",
              "s3:listbucketversions",
              "s3:listmultipartuploadparts",
              "s3:liststoragelensgroups",
              "s3:listtagsforresource"
            ],
            "Resource": "*"
          }
        ]
      }

   2. Detach the managed policy AmazonS3ReadOnlyAccess.
3. Embed a new inline policy InlinePolicyListLambda-recommended and delete InlinePolicyListLambda. This inline policy lists AWS Lambda aliases, functions, layers, and function URLs only when coming from a specific source IP address.
   1. Embed the recommended inline policy.

      The recommended policy follows. You can embed an inline policy for the IAM role using the console, AWS CLI, or the AWS API PutRolePolicy.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "InlinePolicyLambda",
            "Effect": "Allow",
            "Action": [
              "lambda:ListFunctions",
              "lambda:ListLayers"
            ],
            "Resource": "*",
            "Condition": {
              "NotIpAddress": {
                "aws:SourceIp": "1.100.150.200/32"
              }
            }
          }
        ]
      }

   2. Delete the inline policy.
4. After updating the policies based on the Recommended policy proposed, the finding Status will change from Active to Resolved.
   

   Figure 9: The finding is resolved

Pricing

There is no additional pricing for using the prescriptive recommendations after you have enabled unused access findings.

Conclusion

As a developer writing policies, you can use the actionable guidance provided in recommendations to continually rightsize your policies to include only the roles and actions you need. You can export the recommendations through the console or set up automated workflows to notify your developers about new IAM Access Analyzer findings.

This new IAM Access Analyzer unused access recommendations feature streamlines the process towards least privilege by selecting the permissions that are used and retaining the resource and condition context from existing policies. It saves an impressive amount of time by the actions used by your principals and guiding you to refine them.

By using the IAM Access Analyzer findings and access recommendations, you can quickly see how to refine the permissions granted. We have shown in this blog post how to generate prescriptive recommendations with actionable guidance for unused permissions using AWS CLI, API calls, and the console.

• To learn more about IAM Access Analyzer Unused Access, see Findings for external and unused access.
• To learn about the creation of unused access findings, see IAM Access Analyzer simplifies inspection of unused access in your organization.
• To learn about the strategies for achieving least privilege at scale, see Strategies for achieving least privilege at scale Part 1 and Part 2.
• To practice, use the Refining IAM Permissions Like A Pro the workshop.

 
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.