Reviewing Findings

After you enable IAM Access Analyzer, you can review any findings to determine whether the access identified in the finding is intended or unintended. If the access is unintended, you can make adjustments as needed. You can also review findings to determine similar findings for intended access, and then archive these findings by referring to Creating Archive Rules.

Prerequisites

An access analyzer has been created and at least one analysis has been conducted.

Reviewing External Access Findings

Log in to the new IAM console.
In the navigation pane, choose Access Analyzer > External Access.
In the upper left corner of the displayed page, select a target analyzer from the drop-down list.

Figure 1 Selecting an analyzer
Click the Active, Resolved, Archived, or All tab to view the findings.
- Active: displays findings that are not processed.
- Resolved: displays the findings that have been resolved. The status of an active finding changes to Resolved after it is resolved.
  
  Resolved findings will be deleted 90 days after the last update to the findings. Active and archived findings will not be deleted unless you delete the analyzers that generate them.
- Archived: displays the findings that are archived. You can archive findings that do not need to be processed so that you can focus on unintended access findings.
- All: displays all findings generated by your access analyzer.

View basic information about the findings.

**Table 1** Parameters about findings
Parameter	Description
Finding ID	Unique ID assigned to the finding. You can click a finding ID to view details about the finding.
Resource	Type and URN of a resource analyzed by the external access analyzer.
Resource Owner Account	Account ID of the resource owner.
External Principal	Principal that is not within your zone of trust but is granted access to the resource. all_principal: any principal account: any principal under a specific account all_user_in_account: all users under a specified account all_agency_in_account: all agencies and trust agencies under a specific account all_identity_provider_in_account: all federated identity providers under a specific account specific_user: specific users under a specific account specific_agency: specific agencies or trust agencies under a specific account specific_group: specific user groups under a specific account specific_identity_provider: federated identity providers under a specific account
Condition	Condition from the policy statement that grants the access. It can be a global or service-specific condition key.
Shared Through	The way of granting access. The access can be granted in either of the following ways: bucket_policy: OBS bucket policy bucket_acl: OBS bucket ACL
Access Level	Level of access granted to the external principal. Access levels include: List: Permissions to list resources but not to view the content of any resources. Write: Permissions to create, modify, or delete resources. Read: Permissions to view but not to modify any resources. Tag: Permissions to modify resource tags. Permissions: Permissions to grant or modify permissions to resources.
Updated	The time when the finding was generated or updated.

Click a finding ID to view details about the finding.

Reviewing Unused Access Findings

Log in to the new IAM console.
In the navigation pane, choose Access Analyzer > Unused Access.
In the upper left corner of the displayed page, select a target analyzer from the drop-down list.

Figure 2 Selecting an analyzer
Click the Active, Resolved, Archived, or All tab to view the findings.
- Active: displays the findings that are not processed.
- Resolved: displays the findings that have been resolved. The status of an active finding changes to Resolved after it is resolved.
- Archived: displays the findings that are archived. You can archive findings that do not need to be processed so that you can focus on unintended access findings.
- All: displays all findings generated by your access analyzer.

View basic information about the findings.

**Table 2** Parameters about findings
Parameter	Description
Finding ID	Unique ID assigned to the finding. You can click a finding ID to view details about the finding.
Finding Type	Types of unused access findings, including: Unused access key Unused agencies or trust agencies Unused password Unused permissions
Resource	Type and URN of a resource analyzed by an unused access analyzer
Resource Owner Account	Account ID of the resource owner. This parameter is displayed when unused access findings are filtered.
Updated	The time when the finding was generated or updated.

Click a finding ID to view details about the finding.

Reviewing Best Practice Compliance Findings

Log in to the new IAM console.
In the navigation pane, choose Access Analyzer > Best Practice Compliance.
In the upper left corner of the displayed page, select a target analyzer from the drop-down list.

Figure 3 Selecting an analyzer
Click the Active, Resolved, Archived, or All tab to view the findings.
- Active: displays findings that are not processed.
- Resolved: displays the findings that have been resolved. The status of an active finding changes to Resolved after it is resolved.
  - Resolved findings will be deleted 90 days after the last update to the findings. Active and archived findings will not be deleted unless you delete the analyzers that generate them.
- Archived: displays the findings that are archived. You can archive findings that do not need to be processed so that you can focus on unintended access findings.
- All: displays all findings generated by your access analyzer.

View basic information about the findings.

**Table 3** Parameters about findings
Parameter	Description
Finding ID	Unique ID assigned to the finding. You can click a finding ID to view details about the finding.
Finding Type	Types of best practice compliance findings, including: Access keys bound to the root user API access with a password Login protection not enabled MFA device not added High-risk system-defined policies or roles attached to the user High-risk system-defined identity policies attached to the user High-risk system-defined policies or roles attached to the agency High-risk system-defined identity policies attached to the agency
Resource	Type and URN of a resource analyzed by a best practice compliance analyzer.
Updated	Time when the finding was generated or updated.

Click a finding ID to view details about the finding.

Parent topic: Managing Findings

Previous topic: Managing Findings

Next topic: Resolving Findings

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot