IAM Access Analyzer
Contains information about findings from your IAM Access Analyzer.
Details
AWS IAM Access Analyzer helps identify resources in your organization and accounts that are shared with external entities. It uses mathematical analysis and automated reasoning about policies to help you understand resource access permissions and identify unintended access. This input connector retrieves findings from your IAM Access Analyzer, allowing you to monitor and analyze potential security risks related to resource sharing.
Functionality
On initialization, Monad connects to the specified IAM Access Analyzer in the configured region and retrieves findings. The connector supports optional filtering to narrow down the findings based on various criteria such as resource type, finding status, principal information, and more. The connector maintains state to ensure efficient processing and handles large datasets through automatic pagination using the ListFindingsV2 API.
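The polling cycle described above, as an added example that is not Monad's connector code: it follows `nextToken` through ListFindingsV2, restricts the query to ACTIVE findings with the API's filter criteria, keeps a checkpoint on `updatedAt` so a later poll emits only changed findings, and applies the Severity setting as a minimum level. It is written against the boto3 call shape `client.list_findings_v2(analyzerArn=..., filter=..., maxResults=..., nextToken=...)` (a real client is `boto3.client("accessanalyzer", region_name=...)`), but runs here against a constructed fake client so it executes offline. The ListFindingsV2 summary carries no severity field, so the severity mapping is an assumption supplied by the caller.

```python
"""Poll IAM Access Analyzer via ListFindingsV2 with pagination, a status filter
and a checkpoint. Added example, not Monad's connector code."""
from typing import Any, Callable, Iterator, Tuple

SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]  # least to most severe


def severity_at_or_above(minimum: str) -> set:
    """Severity labels that satisfy a minimum level ("High" -> {"High", "Critical"})."""
    if minimum not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {minimum!r}, expected one of {SEVERITY_ORDER}")
    return set(SEVERITY_ORDER[SEVERITY_ORDER.index(minimum):])


def iter_findings(client: Any, analyzer_arn: str, criteria: dict, page_size: int = 100) -> Iterator[dict]:
    """Yield findings page by page, following nextToken until the API stops returning one."""
    kwargs = {"analyzerArn": analyzer_arn, "filter": criteria, "maxResults": page_size}
    while True:
        page = client.list_findings_v2(**kwargs)
        yield from page.get("findings", [])
        token = page.get("nextToken")
        if not token:
            return
        kwargs["nextToken"] = token


def poll_once(client: Any, analyzer_arn: str, checkpoint: str, minimum_severity: str,
              severity_of: Callable[[dict], str]) -> Tuple[list, str]:
    """One polling cycle: return (new findings, updated checkpoint).

    checkpoint is the largest updatedAt seen so far; the API's ISO-8601 strings
    compare correctly as plain strings. FindingSummaryV2 has no severity field,
    so the caller supplies severity_of (assumption: the page does not say how
    the connector derives severity).
    """
    allowed = severity_at_or_above(minimum_severity)
    criteria = {"status": {"eq": ["ACTIVE"]}}  # ARCHIVED/RESOLVED findings are not new risk
    fresh, newest = [], checkpoint
    for finding in iter_findings(client, analyzer_arn, criteria):
        updated = finding["updatedAt"]
        if updated <= checkpoint or severity_of(finding) not in allowed:
            continue
        fresh.append(finding)
        newest = max(newest, updated)
    return fresh, newest


class FakeAnalyzerClient:
    """Constructed stand-in for boto3's "accessanalyzer" client, serving fixed pages."""

    def __init__(self, pages):
        self.pages = pages
        self.calls = []  # every kwargs dict the poller sent, for inspection

    def list_findings_v2(self, **kwargs):
        self.calls.append(kwargs)
        idx = int(kwargs.get("nextToken", "0"))
        page = {"findings": list(self.pages[idx])}
        if idx + 1 < len(self.pages):
            page["nextToken"] = str(idx + 1)
        return page


# Constructed sample findings shaped like the page's Sample Record, split over two pages.
SAMPLE_PAGES = [
    [{"id": "f-1", "resourceType": "AWS::S3::Bucket", "status": "ACTIVE",
      "findingType": "ExternalAccess", "updatedAt": "2025-08-11T23:46:57.002008Z"},
     {"id": "f-2", "resourceType": "AWS::IAM::Role", "status": "ACTIVE",
      "findingType": "ExternalAccess", "updatedAt": "2025-08-12T01:00:00.000000Z"}],
    [{"id": "f-3", "resourceType": "AWS::ECR::Repository", "status": "ACTIVE",
      "findingType": "ExternalAccess", "updatedAt": "2025-08-12T02:00:00.000000Z"}],
]


def severity_by_resource_type(finding: dict) -> str:
    """Constructed severity mapping for the demo only; not the connector's rule."""
    return {"AWS::IAM::Role": "Critical", "AWS::S3::Bucket": "High"}.get(finding["resourceType"], "Medium")


if __name__ == "__main__":
    client = FakeAnalyzerClient(SAMPLE_PAGES)
    found, mark = poll_once(client, "arn:aws:access-analyzer:us-east-1:123456789012:analyzer/example",
                            "2025-08-11T23:46:57.002008Z", "High", severity_by_resource_type)
    print(len(found), mark, len(client.calls))
```

Persist the returned checkpoint between runs; with the checkpoint above, f-1 is skipped because it was already seen, f-2 passes the High threshold and f-3 is dropped as Medium, while the fake client records two calls, the second carrying `nextToken`.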
Requirements
- IAM Role Assumption / Static Credentials
- Example permission to attach to the role/user:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "access-analyzer:ListFindings",
        "access-analyzer:GetAnalyzer",
        "access-analyzer:ListAnalyzers"
      ],
      "Resource": "*"
    }
  ]
}
```
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Region | string | Yes | The AWS region where IAM Access Analyzer is enabled. |
| Role ARN | string | Yes | The ARN of the IAM role to assume for accessing IAM Access Analyzer. |
| Severity | string | Yes | Minimum severity level of findings to fetch. Accepts one value: Critical, High, Medium, or Low. All findings at this level and above will be collected. |
Note: if optional filters are supplied, each filter key must be unique within the filters array.
Secrets (Static Credentials Only)
| Setting | Type | Required | Description |
|---|---|---|---|
| Access Key | string | Conditional | AWS Access Key ID |
| Secret Key | string | Conditional | AWS Secret Access Key |
⚠️ Authentication: Choose either Role ARN (recommended) or static credentials. See AWS Authentication Guide for setup instructions.
Related Articles
Alternate Method: Real-time Events via EventBridge + SQS
This method provides real-time streaming of Access Analyzer findings as they occur, offering immediate visibility into new security issues. When Access Analyzer discovers a new finding, it automatically sends the event to an SQS queue via EventBridge, which Monad can then consume using the AWS SQS input connector.
Benefits
- Real-time alerts: Receive findings immediately as they're discovered
- Reduced API calls: No need for periodic polling of the Access Analyzer API
- Event-driven architecture: Integrates seamlessly with other AWS services
This assumes that you already have an IAM Access Analyzer set up; if not, create one first.
Step 1: Create SQS Queue
- Navigate to SQS Console
- Click "Create queue"
- Configure:
  - Type: Standard
  - Name: access-analyzer-findings
- Click "Create queue"
- Save the queue URL for later use
Step 2: Configure SQS Queue Permissions
- In your SQS queue, go to the Access policy tab
- Click "Edit"
- Replace with this policy (update with your account ID and region):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEventBridgeAccess",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sqs:SendMessage",
      "Resource": "arn:aws:sqs:YOUR-REGION:YOUR-ACCOUNT-ID:access-analyzer-findings",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "YOUR-ACCOUNT-ID"
        }
      }
    }
  ]
}
```
Step 3: Create EventBridge Rule
- Navigate to EventBridge Console → Rules
- Click "Create rule"
- Configure basic details:
  - Name: access-analyzer-to-sqs
  - Description: Send Access Analyzer findings to SQS
  - Event bus: default
  - Rule type: Rule with an event pattern
- Click "Next"
Step 4: Configure Event Pattern
- Event source: AWS services
- AWS service: Access Analyzer
- Event type: Access Analyzer Finding
- Click "Next"
Step 5: Configure Target
- Target type: AWS service
- Select a target: SQS queue
- Queue: Select your access-analyzer-findings queue
- Click "Next" → "Next" → "Create rule"
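The consuming side of this pipeline, as an added example that is not Monad's SQS connector: the console selections above produce an EventBridge event pattern on `source` `aws.access-analyzer` and `detail-type` `Access Analyzer Finding`, and each SQS message body is the JSON event envelope. The code applies that pattern to each body so that unrelated or malformed messages on a shared queue are rejected rather than ingested, and extracts the finding detail. The sample messages and the detail field names they carry are constructed for the demo.

```python
"""Consume Access Analyzer finding events delivered through EventBridge -> SQS.
Added example, not Monad's SQS connector; sample messages are constructed."""
import json
from typing import Optional

# The rule built in the steps above, expressed as an EventBridge event pattern.
EVENT_PATTERN = {
    "source": ["aws.access-analyzer"],
    "detail-type": ["Access Analyzer Finding"],
}


def matches_pattern(event: dict, pattern: dict) -> bool:
    """EventBridge exact-match semantics for the subset used here: every key in
    the pattern must be present in the event, and the event's value must be one
    of the listed alternatives."""
    return all(key in event and event[key] in alternatives
               for key, alternatives in pattern.items())


def finding_from_sqs_body(body: str) -> Optional[dict]:
    """Parse one SQS message body. Return a normalised finding, or None when the
    message is not a well-formed Access Analyzer finding event."""
    try:
        event = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or not matches_pattern(event, EVENT_PATTERN):
        return None
    detail = event.get("detail")
    if not isinstance(detail, dict) or "id" not in detail:
        return None
    return {
        "id": detail["id"],
        "status": detail.get("status"),
        "resource": detail.get("resource"),
        "resourceType": detail.get("resourceType"),
        "account": event.get("account"),
        "time": event.get("time"),
    }


def drain(bodies) -> list:
    """Process a batch of SQS message bodies and keep only genuine findings.
    With a real queue, delete each message only after its finding is stored."""
    return [f for f in (finding_from_sqs_body(b) for b in bodies) if f is not None]


# Constructed sample bodies: a finding event, an unrelated event, a malformed body.
SAMPLE_BODIES = [
    json.dumps({
        "version": "0", "id": "evt-1", "detail-type": "Access Analyzer Finding",
        "source": "aws.access-analyzer", "account": "123456789012",
        "time": "2025-08-11T23:46:57Z", "region": "us-east-1",
        "detail": {"id": "bda39d0a-f5ef-fbd7-8dce-6ad5c46c1b53", "status": "ACTIVE",
                   "resourceType": "AWS::S3::Bucket",
                   "resource": "arn:aws:s3:::example-bucket", "isPublic": True},
    }),
    json.dumps({
        "version": "0", "id": "evt-2", "detail-type": "EC2 Instance State-change Notification",
        "source": "aws.ec2", "account": "123456789012", "detail": {"id": "i-0", "state": "running"},
    }),
    "not json at all",
]


if __name__ == "__main__":
    for finding in drain(SAMPLE_BODIES):
        print(finding["id"], finding["status"], finding["resource"])
```

Access Analyzer emits an event on status changes as well as on new findings, so the `status` field is what distinguishes a newly discovered ACTIVE finding from one that was archived or resolved.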
Sample Record

```json
{
  "AnalyzedAt": "2025-08-11T23:46:57.001928Z",
  "CreatedAt": "2025-08-11T23:46:57.001936Z",
  "Id": "bda39d0a-f5ef-fbd7-8dce-6ad5c46c1b53",
  "ResourceOwnerAccount": "515922042425",
  "ResourceType": "AWS::ECR::Repository",
  "Status": "ARCHIVED",
  "UpdatedAt": "2025-08-11T23:46:57.002008Z",
  "Error": "Timeout during analysis",
  "FindingType": "ExternalAccess",
  "Resource": "arn:aws:rds:us-east-1:123456789012:snapshot:my-snapshot"
}
```