
Amazon Access Analyzer
Amazon Web Services- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
Integrates with AWS IAM Access Analyzer to retrieve
findings that flag resources granting access to external (cross-account) or public principals — S3
buckets, IAM roles, KMS keys, Lambda functions, Secrets Manager secrets, SQS queues, and more. For
each configured AWS account and region the connector lists the account's analyzers and walks every
finding under them. It emits two paired models: a Finding per raw finding occurrence, and a
synthetic FindingDefinition per exposure shape (resourceType + isPublic). Both models are
served from a single API-response cache per sync so the Access Analyzer API is called only once even
though the two models sync independently.
Data retrieved from Amazon Access Analyzer
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Finding | Yes | Finding |
| FindingDefinition | Yes | Finding Definition |
For detailed steps on how to view the data retrieved from Amazon Access Analyzer in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Amazon Access Analyzer from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| Access key ID | No | — | AWS user access key ID, if not specified, the connector consults the default credentials provider chain to try and determine the \ |
| Secret access key | No | — | AWS user secret access key, if not specified, the connector consults the default credentials provider chain to try and determine the \ |
| Default region | No | us-east-1 | Default AWS region, if not specified, the connector consults the default region provider chain to try and determine the region to use. |
| Assume role | No | — | Amazon Resource Name for the role to assume. |
| Session duration | No | — | Assume role session duration in seconds. |
| Page size | No | 100 | The maximum number of results to retrieve per operation. |
Authentication
Authentication is shared across the AWS connector bundle via the AwsConfiguration base class. The
Access Analyzer sub-connector uses the AWS SDK for Java v2 AccessAnalyzerClient, which signs every
request with AWS SigV4 using credentials resolved through the following chain (in order):
- STS AssumeRole — if
assumeRoleARNis configured, the connector assumes that role (using the credentials below as the principal) and uses the resulting temporary session credentials. - Static access keys — if
accessKey/secretKeyare configured, they are used directly. - Default credentials provider chain — environment variables,
~/.aws/credentials, container role, or EC2 instance metadata.
Assumed-role sessions use the configurable sessionDuration (default 900 s) with a unique session
name per sync. assumeRoleARN may be a comma-separated list to sync multiple accounts in one run. An
AccessAnalyzerClient is constructed per role per region and closed once that region has been fully
synced.
Required AWS API permissions
| Permission | Purpose |
|---|---|
access-analyzer:ListAnalyzers | Enumerate the analyzers in each account/region. |
access-analyzer:ListFindings | List the findings under each analyzer (returns full FindingSummary records; GetFinding is not called). |
sts:AssumeRole | Only when assumeRoleARN is set. |
How to obtain Amazon Access Analyzer credentials
Create an IAM user for AWS access
The connector authenticates using the AWS SDK's credential resolution chain. If an assume-role ARN is configured, the connector assumes that IAM role using the provided credentials. Otherwise, it uses the provided access keys directly, falling back to the AWS Default Credential Provider Chain (environment variables, ~/.aws/credentials, or EC2 instance metadata).
The IAM user or role must have the following permissions:
access-analyzer:ListAnalyzers
access-analyzer:ListFindings
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Finding
| Source Field Name | SDM Attribute |
|---|---|
AccessAnalyzer:<resourceType>:public=<bool> (from FindingSummary.resourceType + isPublic) | Type |
| analyzer client region | Region |
AnalyzerSummary.arn | Analyzer ARN |
AnalyzerSummary.arn + / + FindingSummary.id | UID |
| constant AWS | Cloud provider |
FindingSummary.action | Actions (multivalued) |
FindingSummary.analyzedAt | Analyzed at |
FindingSummary.condition entries rendered key=value | Condition (multivalued) |
FindingSummary.createdAt | First found |
FindingSummary.error | Error |
FindingSummary.id | Name |
FindingSummary.id | Finding ID |
FindingSummary.principal entries rendered key=value | Principal (multivalued) |
FindingSummary.resource | Resource |
FindingSummary.resource | Targets |
FindingSummary.resourceOwnerAccount | Resource owner account |
FindingSummary.statusAsString() | Provider status |
FindingSummary.updatedAt | Last found |
FindingUtils.normalizeFindingStatus(rawStatus) | Source status |
| sync timestamp | Last captured |
FindingDefinition
| Source Field Name | SDM Attribute |
|---|---|
AccessAnalyzer:<resourceType>:public=<bool> (from FindingSummary.resourceType + isPublic) | UID |
| constant Access Analyzer | Categories |
| constant AWS | Cloud provider |
FindingSummary.isPublic | Is public |
FindingSummary.resourceType (or Unknown) | Tags |
FindingSummary.resourceTypeAsString() | Resource type |
Generated from the sample finding, e.g. <resourceType> allows public access / ... allows external access | Name |
Generated narrative describing the shape (public-internet vs cross-account exposure). | Description |
Generated remediation narrative (review the resource policy, apply SCP / Permissions Boundary, archive if intended). | Recommendation |
| sync timestamp | Last captured |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Finding
Operation options
| Option | Type | Default | Description |
|---|---|---|---|
region / regions | Comma-separated list of regions to query (one client per region). | Resolved from configuration / default region provider chain | |
pageSize | Page size (maxResults) for ListAnalyzers and ListFindings. | Shared pageSize configuration (100) |
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: AWS SDK for Java v2 (
AccessAnalyzerClient) · Endpoint:access-analyzer:ListAnalyzers
FindingDefinition
Operation options
| Option | Type | Default | Description |
|---|---|---|---|
region / regions | Comma-separated list of regions to query (one client per region). | Resolved from configuration / default region provider chain | |
pageSize | Page size (maxResults) for ListAnalyzers and ListFindings. | Shared pageSize configuration (100) |
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: AWS SDK for Java v2 (
AccessAnalyzerClient) · Endpoint:access-analyzer:ListAnalyzers
Changelog
The Amazon Access Analyzer connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.2.1 | No changes in this release. | N/A |
| 3.2.0 | No changes in this release. | N/A |
| 3.1.0 | New Features - The connector now syncs findings paired with finding definitions, so each detected exposure is grouped under a shared definition for severity, recommendation, and metadata. Improvements - Sync failures are now visible. Previously, certain AWS API errors (throttling, server errors, transient network failures, validation errors) could be silently swallowed during multi-region sync, producing empty results without indicating a problem. These now surface as sync failures with a clear log entry detailing the HTTP status, AWS error code, request id, and service name. Per-region permission gaps (HTTP 401 / 403) still allow the sync to continue across other regions, but are now visible in logs. Bug Fixes - Finding correlation. Findings now reference their finding definitions correctly. Prior to this release, the link between a finding instance and its definition was incorrect, breaking deduplication and correlation in the platform. | • Findings: the unique identifier for finding definitions has changed. Existing Access Analyzer data must be re-synced. Action: Run a full sync for the Amazon Access Analyzer connector. |