
Access Analyzer
AWS IAM Access Analyzer API analyzes IAM resource policies for over-privileged access or external access — proactively surfaces security risks.
About this API
Access Analyzer is AWS's security enhancement on top of IAM. Traditional IAM review is a "post-incident audit": policies are investigated after something happens, so a misconfigured policy can exist unnoticed for a long time. Access Analyzer is "proactive scanning": it uses formal methods (the Zelkova engine, mathematically proving policy equivalence) to analyze every policy and surface anomalies such as "this S3 bucket allows anyone access" or "this IAM role has wildcard (*) permissions". It also generates precise least-privilege policy recommendations based on CloudTrail history, e.g. a role configured with s3:* that actually only uses s3:GetObject and s3:PutObject gets a narrowed-down recommendation. An essential tool for AWS security governance.
What you can build
1. Scan S3 buckets for unintended public access
2. Audit IAM role actual usage vs. configured permissions
3. Identify cross-account access grants
4. Generate least-privilege policy recommendations
Strengths & limitations
Strengths
- Formal-methods-based policy analysis (Zelkova engine)
- Proactively surfaces risks (no manual review needed)
- Recommends least-privilege based on CloudTrail actual call history
Limitations
- Detects policy issues only — does not prevent policy modifications
- Limited support for some non-standard services
Example request
curl https://github.com/mermade/aws2openapi/<endpoint>
Getting started
POST /access/analyzer/analyzers to create an analyzer (one per region). Findings are auto-aggregated from IAM/S3/SQS and other resources.
FAQ
Is it free?
Account-level analyzer is free. Organization-level (across AWS Organizations) and unused access detection are paid.
Technical details
- Auth type: unknown
- Pricing: unknown
- Protocols: REST
- SDKs: python, javascript, go, java, csharp
- Response time: 863 ms
- Last health check: 5/12/2026, 7:36:33 AM