Creating an Unused Access Analyzer
This section describes how to create an unused access analyzer. After an unused access analyzer is created, it automatically analyzes permissions, passwords, and access keys of IAM users, as well as trust agencies and their permissions in your organization or account within the zone of trust, and generates findings.
Constraints
- Only the organization administrator and delegated administrator can create organization-level analyzers.
- If the Tracking Period is set to more than 7 days, unused-permission findings are still tracked over at most 7 days; if it is set to 7 days or less, the configured number of days is used. This limit does not apply to unused access analysis of IAM user passwords, access keys, agencies, and trust agencies.
Creating an Access Analyzer with the Account as the Zone of Trust
- Log in to the new IAM console.
- In the navigation pane, choose Access Analyzer > Analyzers Settings, and click Create Analyzer.
Figure 1 Creating an access analyzer
- On the Create Analyzer page, select Unused access analysis for Analyzer Type in the Analysis area.
Figure 2 Selecting unused access analysis
- Enter an analyzer name.
Figure 3 Entering an analyzer name
- Specify the number of days in the Tracking Period. Findings will be generated for IAM passwords and access keys that have not been used for more than the specified number of days. Enter an integer ranging from 1 to 180.
- Specify a zone of trust. The access analyzer will analyze all supported resources in the zone of trust. Select Current account.
- (Optional) If you do not want findings for some IAM users and trust agencies, you can exclude IAM users and trust agencies by tag.
  - If the zone of trust is set to Current account, you can exclude IAM users and trust agencies with tags.
  - If you leave tag values blank, all IAM users and trust agencies with the specified tag keys will be excluded.
- (Optional) In the Tags area, click Add and enter a tag key and tag value.
- (Optional) Click View Permission Details to view the service-linked agency that is created along with an organization-level analyzer.
When an organization-level analyzer is created, trusted services are enabled on the Organizations console, and a service-linked agency is created for all accounts in the organization. The service-linked agency then grants the analyzer permissions for interacting with resources on your behalf.
Figure 4 Service-linked agency details
- Click OK. The new access analyzer will be displayed in the analyzer list.
Creating an Access Analyzer with the Organization as the Zone of Trust
- Log in to the new IAM console.
- In the navigation pane, choose Access Analyzer > Analyzers Settings, and click Create Analyzer.
Figure 5 Creating an access analyzer
- On the Create Analyzer page, select Unused access analysis for Analyzer Type in the Analysis area.
Figure 6 Selecting unused access analysis
- Enter an analyzer name.
Figure 7 Entering an analyzer name
- Specify the number of days in the Tracking Period. Findings will be generated for IAM passwords and access keys that have not been used for more than the specified number of days.
The default value is 90. Enter an integer from 1 to 180.
- Specify a zone of trust. The access analyzer will analyze all supported resources in the zone of trust. Select Current organization.
- (Optional) If you do not want findings for some accounts in your organization, exclude these accounts. Enter the ID of the account to be excluded, or select the target account from the account list.
- (Optional) If you do not want findings for some IAM users and trust agencies, you can exclude IAM users and trust agencies by tag.
  - If the zone of trust is Current organization, you can exclude IAM users, trust agencies, management accounts, and member accounts with tags in the organization.
  - If you leave tag values blank, all IAM users and trust agencies with the specified tag keys will be excluded.
- (Optional) Click View Permission Details to view the service-linked agency that is created along with an organization-level analyzer.
When an organization-level analyzer is created, trusted services are enabled on the Organizations console, and a service-linked agency is created for all accounts in the organization. The service-linked agency then grants the analyzer permissions for interacting with resources on your behalf.
Figure 8 Service-linked agency details
- (Optional) In the Tags area, click Add and enter a tag key and tag value.
- Click OK. The new access analyzer will be displayed in the analyzer list.
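As an added illustration (not the console's own code or any IAM API), the following Python model shows the finding rules that the two procedures above and the Constraints section describe: the 1 to 180 day Tracking Period check, the 7-day cap on unused-permission tracking, tag exclusion where a blank value matches any value of that key, and account exclusion for organization-level analyzers. The Principal class, find_unused function and the sample records are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date

PERMISSION_TRACKING_CAP_DAYS = 7  # cap stated in the Constraints section

@dataclass
class Principal:
    name: str
    kind: str                 # "user" or "trust_agency"
    account_id: str
    tags: dict = field(default_factory=dict)
    last_used: dict = field(default_factory=dict)  # credential -> last-used date

def validate_tracking_period(days: int) -> int:
    """Tracking Period must be an integer from 1 to 180."""
    if not isinstance(days, int) or not 1 <= days <= 180:
        raise ValueError("Tracking Period must be an integer from 1 to 180")
    return days

def effective_period(days: int, credential: str) -> int:
    """Unused permissions are tracked for at most 7 days; other credentials use the full setting."""
    return min(days, PERMISSION_TRACKING_CAP_DAYS) if credential == "permission" else days

def excluded_by_tag(p: Principal, exclusion_tags: dict) -> bool:
    """A blank tag value excludes every principal carrying that tag key."""
    return any(key in p.tags and (value == "" or p.tags[key] == value)
               for key, value in exclusion_tags.items())

def find_unused(principals, tracking_days, today, exclusion_tags=None, excluded_accounts=()):
    """Return (principal, credential, days_unused) for credentials idle longer than the window."""
    tracking_days = validate_tracking_period(tracking_days)
    exclusion_tags = exclusion_tags or {}
    findings = []
    for p in principals:
        if p.account_id in excluded_accounts or excluded_by_tag(p, exclusion_tags):
            continue  # excluded account (organization zone of trust) or excluded tag
        for credential, last in p.last_used.items():
            idle = (today - last).days
            if idle > effective_period(tracking_days, credential):
                findings.append((p.name, credential, idle))
    return findings

# Constructed sample data: one analysis date and three principals across two accounts.
TODAY = date(2024, 6, 30)
SAMPLE = [
    Principal("alice", "user", "acct-1", {"env": "prod"},
              {"password": date(2024, 1, 1), "access_key": date(2024, 6, 28),
               "permission": date(2024, 6, 20)}),
    Principal("bob", "user", "acct-1", {"exempt": "yes"}, {"password": date(2023, 1, 1)}),
    Principal("deploy-agency", "trust_agency", "acct-2", {}, {"agency": date(2024, 1, 1)}),
]
```

With a 90-day Tracking Period, the tag exclusion {"exempt": ""} and account acct-2 excluded, only alice's password (181 days idle) and her permission (10 days idle, over the 7-day cap) are reported.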
Follow-Up Operations
After an access analyzer is created, you can go to the Unused Access page to view the findings and perform other operations as needed.