Help Center/ Identity and Access Management_Identity and Access Management (New Edition)/ User Guide/ Access Analyzer/ Setting Access Analyzers/ Creating an External Access Analyzer
Updated on 2025-11-07 GMT+08:00
View PDF
Share

Creating an External Access Analyzer

This section describes how to create an external access analyzer. After an external access analyzer is created, it automatically analyzes the policies attached to all principals within your zone of trust and generates findings for external access.

Constraints

Only the organization administrator and delegated administrator can create organization-level analyzers.

Creating an Access Analyzer with the Account as the Zone of Trust

  1. Log in to the new IAM console.
  2. In the navigation pane, choose Access Analyzer > Analyzers Settings, and click Create Analyzer.

    Figure 1 Creating an access analyzer

  3. On the Create Analyzer page, select External access analysis for Analyzer Type in the Analysis area.

    Figure 2 Selecting the external access analysis

  4. Enter an analyzer name.

    Figure 3 Entering an analyzer name

  5. Select Current account for Zone of Trust. The access analyzer will analyze all supported resources in the zone of trust.
  6. (Optional) In the Tags area, click Add and enter a tag key and tag value.
  7. Click OK. The service-linked agency and access analyzer are created. The new access analyzer will be displayed in the analyzer list.

Creating an Access Analyzer with the Organization as the Zone of Trust

  1. Log in to the new IAM console.
  2. In the navigation pane, choose Access Analyzer > Analyzers Settings, and click Create Analyzer.

    Figure 4 Creating an access analyzer

  3. On the Create Analyzer page, select External access analysis for Analyzer Type in the Analysis area.

    Figure 5 Selecting the external access analysis

  4. Enter an analyzer name.

    Figure 6 Entering an analyzer name

  5. Select Current organization for Zone of Trust. The access analyzer will analyze all supported resources in the zone of trust.
  6. (Optional) Click View Permission Details to view the service-linked agency that is created along with an organization-level analyzer.

    When an organization-level analyzer is created, trusted services are enabled on the Organizations console, and a service-linked agency is created for all accounts in the organization. The service-linked agency then grants the analyzer permissions for interacting with resources on your behalf.

    Figure 7 Service-linked agency details

  7. (Optional) In the Tags area, click Add and enter a tag key and tag value.
  8. Click OK. The new access analyzer will be displayed in the analyzer list.

Follow-Up Operations

After an access analyzer is created, you can go to the External Access page to view the findings and perform other operations as needed.

Figure 8 External access findings

Parent topic: Setting Access Analyzers