AWS Extends Identity Analysis to Internal Identities
At its annual re:Inforce conference, Amazon Web Services (AWS) announced a major update to AWS IAM Access Analyzer: the introduction of Internal Access Analyzer. Previously, Access Analyzer only identified external users who had access to critical AWS resources. As the name suggests, this enhancement uses automated reasoning to evaluate identity policies, resource policies, service control policies (SCPs), and resource control policies (RCPs) to surface all IAM users and roles that have access to the critical resources you select. Specifically, this new capability:
While powerful, identity management for AWS environments is still split between Access Analyzer and AWS IAM Identity Center. This is because each serves a distinct but complementary role in managing identity and access in AWS. Access Analyzer helps security teams identify and mitigate risks by analyzing resource-based and IAM policies to detect unintended public or cross-account access. In contrast, Identity Center centrally manages workforce identities and assigns user access across multiple AWS accounts using permission sets, simplifying authentication and authorization. In other words, Access Analyzer focuses on who can access what, while Identity Center controls who gets access and how.
While Access Analyzer and Identity Center work together, organizations can face challenges correlating identity assignments with actual risk by relying on manual processes, navigating inconsistent policy management, and delaying risk detection—slowing the identification and removal of identity-based enterprise risk.
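As an added illustration of the capability described above (example code written for this post, not code from AWS or Saviynt), the script below ranks constructed internal-access findings for one critical bucket against an approved-principal list. The finding field names, the `INTRA_ACCOUNT`/`INTRA_ORG` access types and the SCP/RCP restriction values are assumptions about the analyzer's output and should be checked against the API documentation before the function is fed real findings.

```python
# Added example: triage Internal Access Analyzer-style findings for one
# critical resource. Records are constructed and shaped after the finding
# fields I assume the analyzer returns; they are not real AWS findings.
from collections import defaultdict

WRITE_PREFIXES = ("s3:Put", "s3:Delete")
UNEVALUATED = {"FAILED_TO_EVALUATE_SCP", "FAILED_TO_EVALUATE_RCP"}
BUCKET = "arn:aws:s3:::payroll-bucket"  # constructed critical resource

def finding(principal, access_type, actions, scp="NOT_APPLICABLE", rcp="NOT_APPLICABLE"):
    """Build one constructed finding record (field names are assumptions)."""
    return {"resource": BUCKET, "internalAccessDetails": {
        "principal": {"AWS": principal}, "accessType": access_type,
        "action": actions, "serviceControlPolicyRestriction": scp,
        "resourceControlPolicyRestriction": rcp}}

SAMPLE_FINDINGS = [
    finding("arn:aws:iam::111111111111:role/PayrollApp", "INTRA_ACCOUNT", ["s3:GetObject"]),
    finding("arn:aws:iam::222222222222:role/DevSandbox", "INTRA_ORG",
            ["s3:GetObject", "s3:DeleteObject"], scp="FAILED_TO_EVALUATE_SCP"),
    finding("arn:aws:iam::111111111111:user/contractor", "INTRA_ACCOUNT",
            ["s3:PutObject"], rcp="APPLICABLE"),
]
APPROVED = {BUCKET: {"arn:aws:iam::111111111111:role/PayrollApp"}}  # who should have access

def triage(findings, approved):
    """Group findings by resource; return {resource: [(principal, score, reasons)]}, riskiest first."""
    report = defaultdict(list)
    for f in findings:
        d = f["internalAccessDetails"]
        principal = d["principal"]["AWS"]
        checks = [  # (condition, weight, reason)
            (principal not in approved.get(f["resource"], set()), 3, "not on the approved list"),
            (d["accessType"] != "INTRA_ACCOUNT", 2, "reached from another account in the org"),
            (any(a.startswith(WRITE_PREFIXES) for a in d["action"]), 2, "write/delete allowed"),
            ({d["serviceControlPolicyRestriction"], d["resourceControlPolicyRestriction"]}
             & UNEVALUATED, 1, "SCP/RCP guardrails not evaluated; review manually"),
        ]
        reasons = [msg for hit, _, msg in checks if hit]
        score = sum(weight for hit, weight, _ in checks if hit)
        report[f["resource"]].append((principal, score, reasons))
    return {res: sorted(rows, key=lambda row: -row[1]) for res, rows in report.items()}

if __name__ == "__main__":
    for res, rows in triage(SAMPLE_FINDINGS, APPROVED).items():
        print(res)
        for principal, score, reasons in rows:
            print(f"  [{score}] {principal}: {'; '.join(reasons) or 'expected access'}")
```

The weights are illustrative; a team would tune them to its own resource criticality and action sensitivity.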
Delivering Comprehensive Identity Management
Leading up to the announcement of Internal Access Analyzer, Saviynt worked closely with AWS to integrate Access Analyzer’s new internal visibility with our existing identity and access management capabilities for AWS environments.
Building on its ability to identify external accounts accessing AWS resources, Saviynt leverages Internal Access Analyzer to provide precise visibility into effective permissions at the resource level. This capability delivers comprehensive insight into access across AWS environments—from AWS organization to individual AWS accounts, resources, and actions—enabling organizations to confidently manage access risks, enforce least-privilege policies, and maintain clarity and control at every layer.
Converge data from Identity Center and Access Analyzer to quickly identify and remediate risky access.
The enhanced integration also provides automated remediation workflows, including just-in-time access, access remodeling, clipping of unused roles, and approving findings, helping security teams swiftly address unintended or excessive permissions. What also sets Saviynt apart is its unique ability to integrate security data from Identity Center, traversing complex access relationships between groups, permission sets, IAM roles and policies, to accurately determine effective permissions at the resource level. This innovation further strengthens an organization’s ability to get full visibility and proactively monitor, prioritize and remediate access risks across dynamic AWS environments.
Consolidated management of AWS access helps:
Extending Beyond AWS – Saviynt’s Identity Security Posture Management (ISPM)
Saviynt Identity Cloud not only supports strong governance of AWS environments; Saviynt’s ISPM also ingests identity data (identities, access, policies, configurations, activity, etc.) from a variety of sources and correlates it to build deep, intelligent insights that help proactively identify identity risk. ISPM provides actionable insights and immediate visibility into access trends and anomalies.
This delivers not only a clear understanding of where identity-related risks are being generated, regardless of platform or location, but also an easy way to efficiently manage governance controls, simplify evidence collection, and maintain continuous compliance with relevant regulations.
Consolidating identity management for AWS environments is a critical step toward simplifying control over access and minimizing risk. Unifying visibility with provisioning and actual usage helps organizations identify where potential exposures lie, while integrating internal and external access data with activity insights enables faster detection of identity-related risks, reduces the potential exposure scope, and enforces least privilege more effectively. This approach also improves security posture and enhances operational efficiency and resilience against evolving risks.
Want to learn more? Join our upcoming webinar on September 10, “From Fragmented to Frictionless: AI-Driven Identity Security for AWS at Scale”, where we’ll discuss how organizations can unify identity access across AWS services and:
Visit our Saviynt for AWS page or request more information or a demo on how we can help you implement a more comprehensive and more resilient identity security strategy for your AWS environment.