Access Analyzer continuously analyzes RAM identity permissions and access activities within your account or resource directory, as well as the permission configuration of resources shared with external accounts. It identifies security risks such as over-privileged access, inactive identities, and external access, and provides remediation advice. This topic describes the general principles for permission convergence, governance guidelines for each scenario, and rollback procedures.
Overview
Over-privileged access occurs when a RAM identity (user or role) has permissions beyond its business needs. This increases security risks from operational errors or credential leaks and complicates compliance audits. Manual permission auditing is time-consuming and hard to sustain.
Access Analyzer includes two types: the over-privileged access analyzer and the external access analyzer. The over-privileged access analyzer automatically identifies and remediates security risks caused by excessive permissions granted to RAM identities (users and roles). The external access analyzer identifies resource configurations that allow access from identities outside your trust zone. Together they provide comprehensive permission risk management.
Access Analyzer is an assistive analysis tool. Its findings are based on identity and resource permission configurations and call records collected by ActionTrail. We recommend using the findings as a starting point for investigation and confirming with your business context before performing governance operations.
General governance principles
Regardless of the finding type, follow these principles before performing permission convergence:
Investigate before acting
Remediation advice is generated based on algorithms and access data, and cannot fully understand your business context. Before applying any recommendation, confirm that the target identity or resource no longer requires the permissions in question.
-
For production-critical identities (such as operations roles, CI/CD roles, or RAM roles used by core applications), contact the responsible business owner for confirmation.
-
For policy removal recommendations, check the Accessed services, Granted services, and Last accessed time on the finding details page to determine whether the permission is truly unused.
-
For external access findings, check the specific external principal on the details page to confirm whether the access relationship is required by your business.
Choose an appropriate change window
Permission convergence may affect running workloads. We recommend:
-
Avoid making permission changes during peak business hours or important release windows.
-
For RAM identities used by online production applications, verify the impact of equivalent permission changes in a test environment first.
-
For cross-account resources (resource directory scenarios), coordinate the change window with the administrator of the target account in advance.
Prepare rollback procedures
Before performing any permission convergence operation, ensure you have the ability to quickly roll back. Specific measures include:
-
Record the pre-change state: Before removing a policy, record all policies currently attached to the target identity, including the policy name and type (system or custom).
-
Keep a copy of custom policies: Before removing a custom policy, export and back up the policy content to prevent re-authorization failure if the policy definition is accidentally deleted.
-
Avoid deleting identities immediately: For inactive RAM users, disable console logon and AccessKeys first. Observe for a period before deciding whether to delete, so you can quickly restore access if errors occur.
-
Know the rollback commands: For de-authorization operations performed in the console, you can use RAM OpenAPI (AttachPolicyToUser, AttachPolicyToRole) to quickly restore permissions when needed. For details, see the Rollback and recovery section in this topic.
Key concepts
Finding
A finding is a data object generated by Access Analyzer that contains:
-
Finding type: The category of the finding. Examples:
-
super user/role
-
privileged user/role
-
inactive user/role
-
over-privileged user/role
-
-
Status: The status of the finding. Valid values: Active, Resolved, and Archived.
-
Resource information: The name, type, and owner of the target resource.
-
Timestamps: Created At, Analysis Time, and Updated At.
-
Finding ID: The unique identifier of the finding.
Remediation advice
Remediation advice is the solution that Access Analyzer generates for a finding:
-
Permission replacement: Replace a policy that grants broad permissions with a more restrictive policy. For example, you can replace the super administrator permission (
AdministratorAccess) with the system administrator permission (PowerUserAccess). -
Permission removal: Remove an unused policy.
-
Identity management: Disable or delete an inactive identity.
-
Finding archival: Archive findings that are associated with intended authorization behaviors.
Decision logic
Access Analyzer classifies over-privileged access by the following priority. If a RAM identity matches multiple conditions, the highest-priority type applies.
|
Priority |
Finding type |
Description |
|
1 |
super user/role |
The RAM identity has management permissions on all account resources. For example, the identity holds the |
|
2 |
privileged user/role |
The RAM identity holds high-risk operational permissions outside the |
|
3 |
inactive user/role |
The RAM identity did not access any resources or data within the specified Unused Access Age (90 days by default), and does not meet the conditions for priority 1 or 2. Note: A user or role with no permissions is not classified as an inactive user/role, even if it is inactive. |
|
4 |
over-privileged user/role |
The RAM identity has unused service-level or action-level permissions within the specified Unused Access Age and does not meet any of the preceding conditions. Note: The supported granularity varies by service, as described in the Supported granularity section in Limitations. |
Quick start: Permission right-sizing
This walkthrough uses Access Analyzer to disable an inactive RAM user.
Prerequisites
Ensure the following requirements are met:
-
An analyzer of the Over-privileged Access type exists in the Access Analyzer console.
-
You have the required permissions. We recommend that you grant the
AliyunRAMAccessAnalyzerFullAccessandAliyunRAMFullAccesspolicies to the operator.
Procedure
-
Locate a finding
-
Log on to the RAM console.
-
In the left-side navigation pane, choose .
-
In the top navigation bar, select the region where the analyzer is located.
-
On the tab, find an Active finding of the Inactive User type and click the number.

-
-
View and apply remediation advice
-
In the Findings list, select a RAM user that you have confirmed is no longer needed, and click the corresponding Finding ID.
-
On the Findings details page, click the Advices tab in the Actions column. After a short wait, the system displays the Remove unused identities suggestion. Click Go for Governance.

-
-
You are redirected to the user details page in the RAM console. You can disable console logon, disable an AccessKey, or delete the user based on your business requirements.
-
Verify the result. Return to the Access Analyzer console. You can archive the finding. Otherwise, its status automatically changes to Resolved after the next analysis cycle.
Over-privileged access remediation playbooks
Use these playbooks to apply the correct remediation for each finding type.
The over-privileged access analyzer findings reflect permission usage within the analysis period. Some permissions may not have been used during this period but are still required in specific scenarios (such as quarterly settlements, disaster recovery drills, or release deployments). Evaluate based on your actual business needs before taking action.
Remediate super users/roles: Replace with system administrator permissions
Super administrator identities typically hold the AdministratorAccess policy, which grants management permissions on all resources in the account. These identities have the highest risk level — a credential leak would have account-wide impact. If the identity genuinely requires administrator permissions (expected), enable MFA for the RAM user and archive the finding. If the identity does not need full administrator permissions (unexpected), replace with PowerUserAccess (retains all management permissions except RAM and billing-related permissions).
-
On the or tab, find an entry whose Finding Type is super user/role and click the specific Finding ID.
-
On the Findings details page, click the Advices tab.
-
On the Advices panel, find the advice to replace the permissions with system administrator (
PowerUserAccess) permissions. -
Perform the appropriate operation based on the resource owner:
-
Current account: Click Apply Recommendation. The system automatically attaches the
PowerUserAccesspolicy to the target identity and then detaches theAdministratorAccesspolicy.
-
Cross-account: Automatic application is not supported. Click Repeat to copy the URL. Then, log on to the account to which the target resource belongs, access the URL, and manually replace the permissions.

-
-
(Optional) If the analyzer does not provide remediation advice, see Why is there no remediation advice for my finding?
Risks and rollback: This operation changes core permissions. Before you proceed, make sure that the PowerUserAccess policy meets the daily work requirements of the identity. If an issue occurs after the operation, go to the RAM console and immediately re-grant the AdministratorAccess permission to the identity.
Remediate super users/roles: Remove unused policies
If unused system or custom policies are also attached to the super user identity, the system recommends removing them. Separate advice is generated for each policy.
-
On the or tab, find an entry whose Finding Type is super user/role and click the specific Finding ID.
-
On the Findings details page, click the Advices tab in the Actions column.
-
On the Advices panel, find the advice to remove the policy.
-
Perform the appropriate operation based on the resource owner:
-
Current account: Click Apply Recommendation. The system automatically detaches the policy.

-
Cross-account: Click Repeat to copy the URL. Log on to the target account, access the URL, and manually detach the policy.
-
-
(Optional) If the analyzer does not provide remediation advice, see Why is there no remediation advice for my finding?
Risks and rollback: Confirm the policy is no longer needed. If you accidentally remove it, re-grant the removed permission policy to the identity in the RAM console.
Remediate privileged users/roles: Remove unused high-risk policies
For a privileged user/role, the remediation advice is to remove unused high-risk permission policies. The procedure is the same as for Remediate super users/roles: Remove unused permission policies.
Remediate inactive users/roles: Disable or delete identities
Inactive identities have had no access activity within the specified unused access period. Long-idle identities with valid credentials are a potential security risk.
Before taking action, confirm: whether the identity is used seasonally or periodically (such as for month-end financial settlements or quarterly audits); whether it is a standby or disaster recovery account (which is typically inactive but critical during failover); for RAM roles, whether a backend service only invokes the role under exceptional conditions (such as emergency operations or alert-handling roles). If any of these apply, archive the finding instead of deleting the identity.
If you confirm the identity is no longer needed, the best practice is to disable first, observe, then delete:
-
On the or tab, find an entry of the inactive user/role type and click the specific Finding ID.
-
On the Findings details page, click the Advices tab in the Actions column.
-
On the Advices panel, find the advice to Remove Unused Principals.
-
Perform the appropriate operation based on the resource owner:
-
Current account: Click Go for Governance. You are redirected to the user or role details page in the RAM console. You can clear logon settings, disable or delete an AccessKey, or delete the identity.

-
Cross-account: Click Copy Resource URL. Log on to the target account and access the URL to process the request.

-
-
(Optional) If the analyzer does not provide remediation advice, see Why is there no remediation advice for my finding?
Remediate over-privileged users/roles: Remove unused policies
For an over-privileged user/role, the remediation advice is to remove unused permission policies. The procedure is the same as for Remediate super users/roles: Remove unused permission policies.
Archive findings
If a finding requires no action, archive it. After archival, the Findings's Status will change from Active to Archived.
-
Archive a single finding: In the Actions column of the Findings list or on the Advices panel, click Archive.
-
To automatically ignore specific finding types, click Save as Archive Rule. Set rule conditions to ensure all future matching findings are automatically archived. Automatically archive findings.
-
View and unarchive findings: By default, only Active findings are displayed. To view or unarchive Archived findings, set the Status filter to Archived on the Findings page. For an entry that needs to be reprocessed, click Unarchive. The status of the entry changes back to Active.

External access governance best practices
The external access analyzer examines OSS Bucket Policies, ACLs, and RAM role trust policies to identify resource configurations that allow access from identities outside your trust zone. The core objective is access boundary management — ensuring only intended external identities can access your resources.
Unlike the over-privileged access analyzer, the external access analyzer performs static analysis of resource policy configurations rather than dynamic access behavior statistics. Therefore, "externally accessible" means only that the policy configuration allows external access — it does not indicate that the resource has been actually accessed or that a data leak has occurred.
Investigation workflow
Before remediating external access findings, follow these investigation steps:
-
Identify the external principal: On the finding details page, check the specific external principal. For OSS Buckets, check whether it includes anonymous users (AllUsers) or specific Alibaba Cloud accounts. For RAM roles, review the trusted entities in the trust policy.
-
Determine whether the access is business-required: Check if the external access is part of normal business collaboration (such as partner account access, cross-department resource sharing within a group, or cross-account deployment in a multi-cloud architecture).
-
Verify the permission scope is appropriate: Even if external access is expected, check that the granted permissions follow the least privilege principle. For example, whether a partner has been granted overly broad operation permissions.
-
Coordinate across accounts: If the external access involves other Alibaba Cloud accounts, confirm the business dependency with both the accessing party and the resource owner before tightening policies, to avoid disrupting partner business.
Remediate OSS Bucket external access
External access to OSS Buckets typically results from Bucket Policy, Bucket ACL configurations, or the absence of the "Block Public Access" setting.
If the external access is expected (for example, a partner needs to read a specific Bucket):
-
Check that the current authorization follows the least privilege principle. For example, verify that only necessary Object-level operations (such as
GetObject) are granted, rather than full Bucket-level permissions. -
Narrow the authorization scope in the Bucket Policy from wildcards (*) to specific account IDs or RAM role ARNs.
-
Archive the finding to prevent repeated alerts.
If the external access is unexpected (for example, the Bucket is configured for public access):
-
Go to the OSS console and enable the Bucket-level "Block Public Access" feature. This globally prevents public access to the Bucket and is the quickest remediation measure.
-
Review the Bucket Policy and remove any unintended cross-account authorization or anonymous access (Principal set to *) configurations.
-
Check the Bucket ACL to ensure it is not set to "Public Read" or "Public Read/Write".
-
After making changes, wait for the external access analyzer to re-analyze (typically 3-5 minutes after a policy change) and confirm that the finding status changes to "Resolved".
Remediate RAM role cross-account trust
A RAM role's trust policy determines which external identities can assume the role. An overly permissive trust policy creates cross-account privilege escalation risks.
If the cross-account trust is expected (such as cross-account authorization in a multi-cloud architecture):
-
Review the Condition elements in the trust policy. Add constraints where possible (such as specifying source IP ranges or requiring MFA) to reduce the blast radius of a credential leak.
-
Review the permissions policies attached to the role and ensure they follow the least privilege principle.
-
Archive the finding.
If the cross-account trust is unexpected:
-
Go to the RAM console, open the role details page, and edit the trust policy.
-
Narrow the Principal scope in the trust policy to include only the necessary account IDs or service identifiers.
-
Remove any unnecessary wildcard authorizations or authorizations for expired accounts.
-
After making changes, monitor the dependent business systems. Pay special attention to applications that assume this role from other accounts — if the tightened trust policy causes STS AssumeRole failures, restore the policy immediately.
Rollback and recovery
If you discover a business issue or an operational error after performing permission convergence, use the following methods to quickly recover:
Restore detached permission policies
If you detached a policy using the Access Analyzer console, use the following OpenAPI commands to re-attach it:
-
RAM user:
aliyun ram AttachPolicyToUser --PolicyType <System|Custom> --PolicyName <PolicyName> --UserName <UserName> -
RAM role:
aliyun ram AttachPolicyToRole --PolicyType <System|Custom> --PolicyName <PolicyName> --RoleName <RoleName> -
User group:
aliyun ram AttachPolicyToGroup --PolicyType <System|Custom> --PolicyName <PolicyName> --GroupName <GroupName>
-
For system policies, simply re-attach the policy with the same name.
-
For custom policies, if the policy definition itself has been deleted, the above commands cannot restore it. Always back up custom policy content on the Policies page of the RAM console before removing them.
Restore disabled identities
-
RAM user: If you only disabled console logon and AccessKeys, re-create the logon configuration (CreateLoginProfile) and re-enable AccessKeys (UpdateAccessKey --Status Active).
-
RAM role: If you deleted the role without backing up the trust policy and attached policy information, you must manually re-create and configure it.
Restore a modified RAM role trust policy
If modifying a trust policy caused cross-account business issues, restore the original trust policy immediately:
-
Go to the RAM console and open the Trust Policy tab on the role details page.
-
If you backed up the original trust policy, paste it back directly.
-
If you did not back up, manually re-add the mistakenly removed trusted entities. For uncertain account IDs, query recent AssumeRole call records in ActionTrail to identify which external identities have legitimately assumed the role recently.
Restore archived findings
If a finding was archived by mistake, filter the finding list by Archived status, locate the entry, and click Unarchive. The finding returns to Active status.
Limitations
-
Analyzer type: This feature supports only analyzers of the Over-privileged Access type and does not support analyzers of the External Access type.
-
Supported granularity: The over-privileged access analyzer analyzes the permissions of all RAM identities except service-linked roles in a resource directory or the current account based on permission audit information. The supported policy types, cloud services, and granularity are the same as for permission auditing, as listed in Services that work with the permission audit feature. If a policy contains permissions for unsupported services, the analyzer cannot provide remediation advice for removing permissions.
-
Policy type (for super administrator replacement only): The remediation advice for replacing permissions of super administrators supports only the
AdministratorAccesssystem policy. Custom administrator policies are not supported. -
Policy content: If a policy contains a
DenyorNotActionstatement, the analyzer cannot provide remediation advice for removing permissions. -
Authorization scope: If the authorization scope of an administrator permission is a Resource Group instead of an Account, the identity is not identified as a super administrator.
-
Authorization method: Permissions can be granted directly to a user or role, or inherited through a user group. The analyzer can identify both authorization methods but does not provide automatic remediation advice for permissions inherited from a user group. You must remediate these findings manually.
-
Data latency : Remediation advice is generated from findings, which may have a data latency of up to 24 hours. If the timeliness of the advice is critical, you can manually trigger a rescan by clicking Rescan on the finding details page and then check the advice again.

FAQ
Can I apply remediation advice in batches?
Batch Apply Recommendation is not supported. However, you can create archive rules to automatically ignore expected finding types.
How fresh is the finding data?
You can view the Updated At field for each finding in the Findings list, or check the Analyzed At and Updated At time on the finding details page to confirm the data's recency. All times are displayed in your local time zone.

Why is remediation advice missing?
On the finding details page, if no advice is displayed when you click the Advices tab, you must remediate the finding manually, for example, by removing the permission or archiving the finding.
Common reasons:
-
Super administrator permission replacement: If the identity used a permission during the idle period that exists in the
AdministratorAccesspolicy but not in thePowerUserAccesspolicy, the analyzer cannot recommend a downgrade. -
Removal of unused permissions: If the identity used some services in a policy during the idle period, the analyzer does not recommend removing it.
-
The system does not generate remediation advice for permissions inherited through user groups or for services outside the supported scope. Limitations.
Why is "Accessed services" empty? Does this mean the identity was never used?
Not necessarily. Possible reasons include:
-
The identity was created and used before the tracking start date (February 1, 2024) but has had no access activity recently.
-
The identity's access involves data-plane operations or internal service delegate calls that are outside the current analysis scope.
-
ActionTrail log delivery has a delay (up to 24 hours at most).
We recommend checking ActionTrail logs directly to further investigate the identity's historical access behavior.
Does "public access" in external access findings mean my data has been leaked?
Not necessarily. The external access analyzer determines whether public access exists based on static analysis of policy configurations. It cannot determine whether data in the bucket has actually been downloaded or accessed. Even if the policy allows public access, the actual risk may be low if the bucket contains no sensitive data or if the access path is not publicly known. However, any unintended public access configuration should be remediated as soon as possible.
Why doesn't a finding disappear immediately after I apply remediation advice?
After Access Analyzer detects a permission change, it needs time (typically 3 to 5 minutes) to re-analyze the affected identity. During this period, the original finding status is updated to Resolved. If the identity still meets risk conditions under the new permission configuration, a new finding is generated. If the identity no longer meets any risk conditions after the change, no new finding is generated.
Are there risks with batch remediation?
Yes. Although Access Analyzer supports one-click remediation for some findings, batch operations change the permission state of multiple identities simultaneously. If one of those identities is critical to your business, the impact can be widespread. We recommend following an incremental approach: confirm each finding individually and process them one by one, especially when you first use Access Analyzer for governance.
How do I handle findings for member accounts in a resource directory scenario?
An analyzer created at the resource directory scope analyzes RAM identities across all member accounts. For cross-account findings:
-
Remediation advice for unused permission policies cannot be applied directly from the current account. The console provides resource links for you to sign in to the target account and handle the finding manually.
-
Deletion or deactivation of inactive identities also requires signing in to the target account.
-
External access governance for OSS buckets and RAM roles can analyze resources in member accounts, but policy modifications still need to be performed in the target account or the corresponding cloud service console.
-
We recommend regularly syncing governance progress with member account administrators, or using archive rules to automatically archive known and expected findings to reduce cross-account coordination cost.
How do I determine if permissions meet requirements?
On a finding's details page, check these attributes to determine if permissions align with business needs. If permissions exceed requirements, apply the remediation advice or manually adjust the configuration.
-
Accessed Services/Authorized Services:
-
Authorized Services is the number of analyzer-supported services in the identity's policies. View the Access Records list for details.
-
Accessed Services is the number of services the identity used during the idle period. These are prioritized in the Access Records list with last access times. You can filter for services accessed during the period.
-
-
Performed Actions/Authorized Actions:
-
Authorized Actions is the total number of operational permissions under each authorized service.
-
Performed Actions is the number of actions the identity performed during the idle period, as detected by the analyzer.
NoteNote: The granularity of supported permission auditing varies by cloud service. Some services do not support action-level access statistics. For these services, the Performed Actions/Authorized Actions column is empty. Services that work with the permission audit feature.
-
-
Last Accessed At: The time each service was last accessed.

For services that support action-level auditing, click View Actions in the Actions column to view the actions the identity accessed and their last access times. Actions with a Privileged tag are high-risk and require attention.
