Skip to content

IAM Access Analyzer


Access Analyzer analyzes the resource-based policies that are applied to AWS resources in the Region where you enabled Access Analyzer. Only resource-based policies are analyzed.

Supported resource types:

  • Amazon Simple Storage Service buckets
  • AWS Identity and Access Management roles
  • AWS Key Management Service keys
  • AWS Lambda functions and layers
  • Amazon Simple Queue Service queues
  • AWS Secrets Manager secrets


Figure: AWS IAM access analysis features. (Source: AWS, "How it works - monitoring external access to resources", AWS Documentation, accessed June 11th 2021).

AWS Organizations

CONSIDERATION: AWS Organization integration

In order to enable AccessAnalyzer with the Organization at the zone of of trust in the Security account, this account needs to be set as a delegated administrator.

Such step cannot be performed by Terraform yet so it was set up manually as described below:

If you're configuring AWS IAM Access Analyzer in your AWS Organizations management account, you can add a member account in the organization as the delegated administrator to manage Access Analyzer for your organization. The delegated administrator has permissions to create and manage analyzers with the organization as the zone of trust. Only the management account can add a delegated administrator.

Reference Architecture implementation code

Reference Architecture Code: le-tf-infra-aws/security/security-base/

resource "aws_accessanalyzer_analyzer" "default" {
    analyzer_name = "ConsoleAnalyzer-bc3bc4d6-09cb-XXXX-XXXX-XXXXXXXXXX"
    type          = "ORGANIZATION"
    tags          = local.tags

AWS Web Console


Figure: AWS Web Console screenshot. (Source: binbash, "IAM access analyzer service", accessed June 11th 2021).