Access Analyzer provides permission administration features. When the analyzer identifies an over-privileged identity, it generates an administration suggestion. This helps you quickly reduce unused permissions and lower security risks.
This feature is in beta and does not support all products. For more information, see Alibaba Cloud services that support permission auditing. Before you perform permission administration, you must verify and evaluate the operations based on your business needs.
Overview
Over-privileged access occurs when a RAM identity, such as a user or role, is granted more permissions than required for its business needs. This not only increases security risks from misoperations or credential leaks but also creates challenges for compliance auditing. Manually auditing and reducing permissions is time-consuming, labor-intensive, and difficult to sustain.
The over-privileged access analyzer is one of two types of Access Analyzer. The other type is used to identify external access. It automatically detects and manages security risks that arise from over-privileged RAM identities, such as RAM users and RAM roles. It continuously analyzes access behavior in the current account or resource directory. It automatically identifies super administrators, privileged identities, inactive identities, and identities with underutilized permissions. Then, it provides clear, actionable administration suggestions. Based on these suggestions, you can securely and efficiently reduce permissions with a single click or through simple operations. This minimizes security risks and simplifies permission management.
Core concepts
Analysis findings
An analysis finding is a data object that Access Analyzer generates. It contains the following key information:
Finding type: The category of the analysis finding, such as:
Super administrator user/role
Privileged user/role
Inactive user/role
Over-privileged user/role
Finding status: The processing status, such as Pending, Resolved, or Archived.
Resource information: The name, type, and owner of the target resource.
Time information: The creation time, analysis time, and update time.
Finding ID: The unique identifier of the analysis finding.
Administration suggestions
An administration suggestion is a solution that Access Analyzer generates for an analysis finding. It includes:
Replace permission: Replace a policy that has extensive permissions with a policy that has a smaller scope of permissions. For example, replace the super administrator permission (AdministratorAccess) with the system administrator permission (PowerUserAccess).
Remove permission: Remove an unused access policy.
Manage identity: Disable or delete an inactive identity.
Archive finding: Archive an authorization behavior that meets expectations.
Detection logic
Access Analyzer uses the following logic to determine the type of over-privileged access. If an identity meets multiple conditions, it is classified into a single finding type based on priority, from highest to lowest.
| Priority | Finding type | Logic description |
| --- | --- | --- |
| 1 | Super administrator user/role | A RAM identity has management permissions for all resources in the account. For example, the identity is granted the |
| 2 | Privileged user/role | A RAM identity is granted important operation permissions other than the |
| 3 | Inactive user/role | A RAM identity has not accessed any resources or data within the specified Idle Access Period (90 days by default) and does not meet the conditions for Priority 1 or 2. Note: A user or role that is not granted any permissions is not classified as inactive, even if it has not been used. |
| 4 | Over-privileged user/role | A RAM identity has unused service-level or action-level permissions within the specified Idle Access Period and does not meet any of the preceding conditions. Note: The supported granularity varies for different services. For more information, see the Supported granularity section in Limits. |
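The priority order in the table, written out as an added illustrative example (this is not the analyzer's own implementation, and the Identity and Attachment structures, the idle window, and the set of "important" policies are assumptions; only AdministratorAccess is a policy name taken from the page):

```python
"""Added example: classify a RAM identity into a single finding type using
the priority order in the detection-logic table. Illustrative only, not the
analyzer's real implementation; the data structures are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# AdministratorAccess is the system policy named on the page. The "important"
# policy set is a constructed (hypothetical) placeholder: the page does not
# list which policies count as privileged.
SUPER_ADMIN_POLICIES = {"AdministratorAccess"}
IMPORTANT_POLICIES = {"AliyunRAMFullAccess", "AliyunECSFullAccess"}


@dataclass
class Attachment:
    policy: str
    scope: str = "Account"  # "Account" or "ResourceGroup" (see Limits: Authorization scope)


@dataclass
class Identity:
    name: str
    attachments: list        # list[Attachment]
    granted_services: set    # services covered by the attached policies
    last_access: dict        # service -> datetime of last access; absent = never accessed


def classify(identity: Identity, now: datetime, idle_days: int = 90):
    """Return the single finding type for this identity, or None if none applies.

    Checks run from highest to lowest priority, so an identity that meets
    several conditions is reported once, under the highest-priority type.
    """
    idle_start = now - timedelta(days=idle_days)

    # Priority 1: super administrator. Only an Account-scoped grant counts;
    # the same policy scoped to a Resource Group is not a super administrator.
    if any(a.policy in SUPER_ADMIN_POLICIES and a.scope == "Account"
           for a in identity.attachments):
        return "Super administrator user/role"

    # Priority 2: privileged. Holds an important policy other than super admin.
    if any(a.policy in IMPORTANT_POLICIES for a in identity.attachments):
        return "Privileged user/role"

    # Services touched inside the idle access period.
    accessed = {svc for svc, t in identity.last_access.items() if t >= idle_start}

    # Priority 3: inactive. An identity with no permissions at all is never
    # reported as inactive, even if it has not been used.
    if identity.granted_services and not accessed:
        return "Inactive user/role"

    # Priority 4: over-privileged. Some granted service went unused in the period.
    if identity.granted_services - accessed:
        return "Over-privileged user/role"

    return None


if __name__ == "__main__":
    now = datetime(2024, 6, 1)  # constructed reference time
    samples = [  # constructed sample identities
        Identity("ops-admin", [Attachment("AdministratorAccess")], {"ecs", "oss"}, {}),
        Identity("rg-admin", [Attachment("AdministratorAccess", "ResourceGroup")], {"ecs"}, {}),
        Identity("no-policy", [], set(), {}),
        Identity("oss-reader", [Attachment("AliyunOSSReadOnlyAccess")], {"oss", "ecs"},
                 {"oss": now - timedelta(days=10)}),
    ]
    for ident in samples:
        print(f"{ident.name}: {classify(ident, now)}")
```

The two edge cases from the table notes are the ones worth keeping in any local model of this logic: a Resource Group-scoped AdministratorAccess grant falls through to the lower-priority checks, and an identity with no policies at all is never reported as inactive.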
Quick Start: Reduce permissions
You can quickly use Access Analyzer to perform a basic permission administration operation: disable an inactive RAM user.
Prerequisites
Before you start, make sure that the following conditions are met:
Create an analyzer: In the Access Analyzer console, create an Over-privileged Access analyzer.
Have the required permissions: To perform administration operations, you need the corresponding RAM permissions. You must grant the AliyunRAMAccessAnalyzerFullAccess and AliyunRAMFullAccess permissions to the operator.
Procedure
Profiling results
Log on to the RAM console.
In the navigation pane on the left, click .
In the top navigation bar, select the region where the analyzer instance is located.
On the tab, find and click a pending finding of the Inactive User type.

View and apply the administration suggestion
In the Finding List, select a target RAM user that you confirm is no longer needed. Click the corresponding Finding ID.
On the Analysis Finding details page, click the Governance Suggestion tab. After a short wait, the system displays the Remove Unused Identity suggestion. Click Go to Governance.

The page redirects to the user details page in the RAM console. You can then disable console logon, disable the AccessKey, or delete the user, as needed.
Verify the result. Return to the Access Analyzer console. You can archive the finding, or wait for it to be automatically marked as Resolved after the next analysis cycle.
Guidelines for administration suggestions
If you are familiar with the finding types, you can follow these guidelines to apply the appropriate administration measures for different types of findings.
Manage a super administrator user/role - Replace permissions with system administrator permissions
This operation reduces unnecessary super administrator permissions to the more secure system administrator (PowerUserAccess) permissions.
On the or tab, find an entry whose Finding Type is Super administrator user/role. Click the specific Finding ID.
On the Analysis Finding details page, click the Administration Suggestion tab in the Actions column.
In the Administration Suggestion panel, find the suggestion to replace the permissions with system administrator (PowerUserAccess) permissions.
Perform the appropriate operation based on the resource owner:
Current account: Click Apply Suggestion. The system automatically attaches the PowerUserAccess policy to the target identity and then detaches the AdministratorAccess policy.
Cross-account: The system does not support automatic application. Click Copy URL. Then, log on to the account where the target resource resides, access the URL, and manually replace the permissions.

(Optional) If the analyzer does not provide an administration suggestion, see Why is the administration suggestion empty?
Risks and rollback: This operation changes core permissions. Before you proceed, make sure that PowerUserAccess meets the daily operational needs of the identity. If issues occur after the operation, immediately go to the RAM console and re-grant the AdministratorAccess permission to the identity.
Manage a super administrator user/role - Remove unused access policies
If other unused system policies or custom policies are attached to the super administrator identity, the system also suggests removing them. If multiple access policies match the administration suggestion, a separate suggestion is generated for each policy.
On the or tab, find an entry whose Finding Type is Super administrator user/role. Click the specific Finding ID.
On the Analysis Finding details page, click the Administration Suggestion tab in the Actions column.
In the Administration Suggestion panel, find the suggestion to remove the policy.
Perform the appropriate operation based on the resource owner:
Current account: Click Apply Suggestion. The system automatically detaches the policy.

Cross-account: Click Copy URL. Log on to the target account, access the URL, and manually detach the policy.
(Optional) If the analyzer does not provide an administration suggestion, see Why is the administration suggestion empty?
Risks and rollback: Confirm that the policy is no longer needed. If you delete it by mistake, go to the RAM console and re-grant the removed access policy to the identity.
Manage a privileged user/role - Remove unused important access policies
For a privileged user/role, the administration suggestion is to remove unused important access policies. The procedure is the same as for Manage a super administrator user/role - Remove unused access policies.
Manage an inactive user/role - Disable or delete the identity
For an identity that has not been used for a long time, the best practice is to disable or delete it to completely eliminate its security risks.
On the or tab, find an entry of the Inactive User/role type. Click the specific Finding ID.
On the Analysis Finding details page, click the Administration Suggestion tab in the Actions column.
In the Administration Suggestion panel, find the suggestion to Remove Unused Identity.
Perform the appropriate operation based on the resource owner:
Current account: Click Go To Manage. The page redirects to the corresponding user or role details page in the RAM console. As needed, you can disable logon by clearing logon settings, disable or delete the AccessKey, or delete the identity.

Cross-account: Click Copy Resource URL. Log on to the target account and access the URL to process the request.

(Optional) If the analyzer does not provide an administration suggestion, see Why is the administration suggestion empty?
Manage an over-privileged user/role - Remove unused access policies
For an over-privileged user/role, the administration suggestion is to remove unused access policies. The procedure is the same as for Manage a super administrator user/role - Remove unused access policies.
Archive analysis findings
You can archive an analysis finding if it meets your business expectations and requires no further action. Archiving a finding changes its Finding Status from Pending to Archived.
Archive a single finding: In the Actions column of the Analysis Findings list or in the Administration Suggestion panel, click Archive Finding.
Automatically archive findings in batches: If you want the system to automatically ignore specific types of analysis findings, such as ignoring the inactive status of a specific role, click Save As Archive Rule. By setting rule conditions, all future analysis findings that match the rule are automatically archived. For more information, see Automatically archive analysis findings.
View and restore findings: By default, the system displays only pending analysis findings. To view or restore archived analysis findings, on the Finding List page, set the Finding Status filter to Archived to view all archived findings. For items that need to be reprocessed, click Unarchive. The item's status changes back to Pending.

Limits
Analyzer type: This feature supports only analyzer instances of the Over-privileged Access type. It does not support the External Access type.
Supported granularity: The over-privileged access analyzer analyzes the permissions of all RAM identities (excluding service-linked roles) in a resource directory or the current account based on permission audit information. The supported policy types, Alibaba Cloud services, and granularity are the same as those for permission auditing. For more information, see Alibaba Cloud services that support permission auditing. If a policy contains services that are not on the support list, the analyzer cannot provide a suggestion to remove the permission.
Policy type (for super administrator replacement only): The administration suggestion to replace super administrator permissions supports only the system policy AdministratorAccess. It does not support custom administrator policies.
Policy content: If the policy content includes a Deny or NotAction statement, the analyzer cannot provide a suggestion to remove the permission.
Authorization scope: If the authorization scope of an administrator permission is a Resource Group instead of an Account, the identity is not identified as a super administrator.
Authorization method: Permissions can be granted directly to a user or role, or inherited through a user group. The analyzer can identify both methods but does not provide automatic administration suggestions for permissions inherited from a user group. An administrator must handle these cases manually.
Data latency: Administration suggestions are generated based on analysis findings, and there is a latency of up to 24 hours in generating these findings. If the timeliness of the administration suggestion is a concern, you can manually trigger a rescan. On the analysis finding details page, click Rescan and then view the administration suggestion again.

FAQ
Can I process administration suggestions in batches?
The Apply Suggestion action does not support batch processing. However, for specific types of administration suggestions, you can create archive rules to automatically archive them, which has the same effect as ignoring them in a batch.
How do I check the freshness of the analysis finding data?
On the Analysis Findings list page, you can view the Update Time field for each finding. You can also view the Analysis Time and Update Time on the finding details page to confirm the data's timeliness. All times are displayed in your local time zone.

Why is the administration suggestion empty?
On the analysis finding details page, if no suggestion is displayed when you click Administration Suggestion, it means you need to handle the finding manually. For example, you can manually remove the permission or archive the finding.
Common reasons for an empty administration suggestion include the following:
Super administrator permission replacement: If the RAM identity has used a permission that is in the difference between AdministratorAccess and PowerUserAccess within the idle access period, the analyzer cannot recommend a permission downgrade.
Remove unused permissions: If the RAM identity has used some services in an access policy within the idle access period, the analyzer will not suggest removing that policy.
If permissions are inherited through a user group, or if some services in the policy are not within the supported scope, the system will not generate an administration suggestion. For more information, see Limits.
How do I determine if permissions meet my needs?
When you view a specific analysis finding, you can check the following key properties on the details page to determine whether the current permissions meet your business needs. If the permissions exceed what is needed, you can adjust them based on the administration suggestion or manually optimize the permission configuration.
Accessed services/Granted services:
Granted services indicates the total number of supported Alibaba Cloud services included in the access policies assigned to the identity. You can view the Access Records list for details about these services.
Accessed services indicates the number of Alibaba Cloud services that the analyzer detected the identity used during the idle period. Accessed services are prioritized in the Access Records list and show the last access time. You can also filter for all services accessed during the period.
Accessed operations/Granted operations:
Granted operations refers to the total number of all operation permissions included under each granted service.
Accessed operations refers to the number of permission operations that the analyzer detected the identity used during the idle period.
Note: The supported granularity of permission auditing varies for different Alibaba Cloud services. Some services do not currently support access statistics at the operation-level granularity. For these services, the Accessed operations/Granted operations column is empty. For a list of supported services, see Alibaba Cloud services that support permission auditing.
Last accessed time: Shows the specific time each accessed service was last accessed.

For Alibaba Cloud services that support operation-level permission auditing, you can click View Authenticated Operations in the Actions column to see the specific operations the identity actually accessed and their last access times. Operations marked with a Privileged tag are important operations and require special attention.
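The rules in "Why is the administration suggestion empty?" and the Accessed services/Granted services view in this section, combined into one added illustrative example. This is not Alibaba Cloud's code: the Policy structure, the access-record format, the placeholder unsupported service, and the modelling of the AdministratorAccess/PowerUserAccess difference as a small set of RAM actions are all assumptions; the real policy documents are not on the page.

```python
"""Added example: decide which administration suggestion the rules on this page
would allow for each policy attached to a RAM identity, and summarise granted
versus accessed services. Illustrative only, not the analyzer's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the actions that AdministratorAccess grants but PowerUserAccess
# does not are modelled as a small hypothetical set of RAM management actions.
ADMIN_ONLY_ACTIONS = {"ram:CreateUser", "ram:AttachPolicyToUser", "ram:CreateAccessKey"}
# Constructed placeholder for a service outside the permission-audit support list.
UNSUPPORTED_SERVICES = {"legacy-service"}


@dataclass
class Policy:
    name: str
    services: set                        # services the policy grants; empty for AdministratorAccess (all)
    has_deny_or_notaction: bool = False  # policy contains a Deny or NotAction statement
    via_group: bool = False              # inherited through a RAM user group


def recent_services(used_actions, now, idle_days=90):
    """Map service -> last access time for actions used inside the idle period.
    used_actions is a constructed record shaped like {"ecs:StartInstance": datetime, ...}."""
    idle_start = now - timedelta(days=idle_days)
    seen = {}
    for action, t in used_actions.items():
        if t >= idle_start:
            svc = action.split(":", 1)[0]
            seen[svc] = max(seen.get(svc, t), t)
    return seen


def suggest(policies, used_actions, now, idle_days=90):
    """Return {policy name: (suggestion, reason)}.
    suggestion is "replace", "remove", or None (empty suggestion; handle manually)."""
    idle_start = now - timedelta(days=idle_days)
    recent_actions = {a for a, t in used_actions.items() if t >= idle_start}
    accessed = set(recent_services(used_actions, now, idle_days))
    result = {}
    for p in policies:
        if p.via_group:
            # Limits: inherited permissions get no automatic suggestion.
            result[p.name] = (None, "inherited from a user group; no automatic suggestion")
        elif p.has_deny_or_notaction:
            result[p.name] = (None, "policy contains Deny or NotAction")
        elif p.name == "AdministratorAccess":
            # Downgrade only if nothing outside PowerUserAccess was used.
            if recent_actions & ADMIN_ONLY_ACTIONS:
                result[p.name] = (None, "an AdministratorAccess-only action was used in the idle period")
            else:
                result[p.name] = ("replace", "downgrade to PowerUserAccess")
        elif p.services & UNSUPPORTED_SERVICES:
            result[p.name] = (None, "policy covers a service without permission auditing")
        elif p.services & accessed:
            result[p.name] = (None, "a service in this policy was used in the idle period")
        else:
            result[p.name] = ("remove", "no service in this policy was used in the idle period")
    return result


def access_summary(policies, used_actions, now, idle_days=90):
    """Granted vs. accessed services, as shown on the finding details page."""
    granted = set().union(*(p.services for p in policies))
    accessed = recent_services(used_actions, now, idle_days)
    return {
        "granted_services": len(granted),
        "accessed_services": len(granted & set(accessed)),
        "unused_services": sorted(granted - set(accessed)),
        "last_accessed": {s: t for s, t in accessed.items() if s in granted},
    }


if __name__ == "__main__":
    now = datetime(2024, 6, 1)  # constructed reference time
    policies = [  # constructed sample attachments; names follow the Aliyun*Access pattern
        Policy("AdministratorAccess", set()),
        Policy("AliyunOSSFullAccess", {"oss"}),
        Policy("AliyunECSFullAccess", {"ecs"}, via_group=True),
        Policy("AliyunVPCFullAccess", {"vpc"}),
    ]
    used = {"oss:GetObject": now - timedelta(days=5),
            "ram:CreateUser": now - timedelta(days=200)}  # constructed access records
    for name, (action, why) in suggest(policies, used, now).items():
        print(f"{name}: {action or 'no suggestion'} ({why})")
    print(access_summary(policies, used, now))
```

The ordering of the checks matters: group inheritance and Deny/NotAction statements are disqualifying regardless of usage, so they are tested before any access data is consulted, and a policy whose services were touched in the idle period is kept even if most of its permissions went unused, which is exactly the case where the page tells you to review the Access Records list by hand.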
