# Getting started with AWS Identity and Access Management Access Analyzer
<a name="access-analyzer-getting-started"></a>

Use the information in this topic to learn about the requirements necessary to use and manage AWS Identity and Access Management Access Analyzer.

## Permissions required to use IAM Access Analyzer
<a name="access-analyzer-permissions"></a>

To successfully configure and use IAM Access Analyzer, the account you use must be granted the required permissions. 

### AWS managed policies for IAM Access Analyzer
<a name="access-analyzer-permissions-awsmanpol"></a>

AWS Identity and Access Management Access Analyzer provides AWS managed policies to help you get started quickly.
+ [IAMAccessAnalyzerFullAccess](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAccessAnalyzerFullAccess) - Allows full access to IAM Access Analyzer for administrators. This policy also allows creating the service-linked roles that are required to allow IAM Access Analyzer to analyze resources in your account or AWS organization.
+ [IAMAccessAnalyzerReadOnlyAccess](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAccessAnalyzerReadOnlyAccess) - Allows read-only access to IAM Access Analyzer. You must add additional policies to your IAM identities (users, groups of users, or roles) to allow them to view their findings.

### Resources defined by IAM Access Analyzer
<a name="permission-resources"></a>

To view the resources defined by IAM Access Analyzer, see [Resource types defined by IAM Access Analyzer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamaccessanalyzer.html#awsiamaccessanalyzer-resources-for-iam-policies) in the *Service Authorization Reference*.

### Required IAM Access Analyzer service permissions
<a name="access-analyzer-permissions-service"></a>

IAM Access Analyzer uses a service-linked role (SLR) named `AWSServiceRoleForAccessAnalyzer`. This SLR grants the service read-only access to analyze AWS resources with resource-based policies and analyze unused access on your behalf. The service creates the role in your account in the following scenarios:
+ You create an external access analyzer with your account as the zone of trust.
+ You create an unused access analyzer with your account as the selected account.
+ You create an internal access analyzer with your account as the zone of trust.

For more information, see [Using service-linked roles for AWS Identity and Access Management Access Analyzer](access-analyzer-using-service-linked-roles.md).

**Note**  
IAM Access Analyzer is Regional. For external and internal access, you must enable IAM Access Analyzer in each Region independently.  
For unused access, findings for the analyzer do not change based on Region. Creating an analyzer in each Region where you have resources is not required.

In some cases, after you create an analyzer in IAM Access Analyzer, the **Findings** page or dashboard loads with no findings or summary. This might be due to a delay in the console populating your findings; you might need to manually refresh the browser or check back later to view your findings or summary. If you still don't see any findings for an external access analyzer, it's because you have no supported resources in your account that can be accessed by an external entity. If a policy that grants access to an external entity is applied to a resource, IAM Access Analyzer generates a finding.

**Note**  
For external access analyzers, it may take up to 30 minutes after a policy is modified for IAM Access Analyzer to analyze the resource and then either generate a new finding or update an existing finding for the access to the resource.  
When you create an internal access analyzer, it might take several minutes or hours before findings are available. After the initial scan, IAM Access Analyzer automatically rescans all policies every 24 hours.  
For all types of access analyzers, updates for findings might not be reflected in the dashboard immediately.

### Required IAM Access Analyzer permissions to view the findings dashboard
<a name="access-analyzer-permissions-dashboard"></a>

To view the [IAM Access Analyzer findings dashboard](access-analyzer-dashboard.md), the account you use must be granted access to perform the following required actions:
+ [GetAnalyzer](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetAnalyzer.html)
+ [ListAnalyzers](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListAnalyzers.html)
+ [GetFindingsStatistics](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetFindingsStatistics.html)

To view all of the actions defined by IAM Access Analyzer, see [Actions defined by IAM Access Analyzer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamaccessanalyzer.html#awsiamaccessanalyzer-actions-as-permissions) in the *Service Authorization Reference*.

## IAM Access Analyzer status
<a name="access-analyzer-status"></a>

To view the status of your analyzers, choose **Analyzers**. Analyzers created for an organization or account can have the following status:


| Status | Description | 
| --- | --- | 
|  Active  |  For external and internal access analyzers, the analyzer is actively monitoring resources within its zone of trust. The analyzer actively generates new findings and updates existing findings. For unused access analyzers, the analyzer is actively monitoring unused access within the selected organization or AWS account in the specified tracking period. The analyzer actively generates new findings and updates existing findings.  | 
|  Creating  |  The creation of the analyzer is still in progress. The analyzer becomes active once creation is complete.  | 
|  Disabled  |  The analyzer is disabled due to an action taken by the AWS Organizations administrator, for example, removing the analyzer's account as the delegated administrator for IAM Access Analyzer. When the analyzer is in a disabled state, it does not generate new findings or update existing findings.  | 
|  Failed  |  The creation of the analyzer failed due to a configuration issue. The analyzer won't generate any findings. Delete the analyzer and create a new analyzer.  | 

# Create an IAM Access Analyzer external access analyzer
<a name="access-analyzer-create-external"></a>

To enable an external access analyzer in a Region, you must create an analyzer in that Region. You must create an external access analyzer in each Region in which you want to monitor access to your resources.

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

## Create an external access analyzer with the AWS account as the zone of trust
<a name="access-analyzer-create-external-account"></a>

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Resource analysis - External access**.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. Enter a name for the analyzer.

1. Choose **Current account** as the zone of trust for the analyzer.
**Note**  
If your account is not the AWS Organizations management account or [delegated administrator](access-analyzer-delegated-administrator.md) account, you can create only one analyzer with your account as the zone of trust.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Create analyzer**.

When you create an external access analyzer to enable IAM Access Analyzer, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in your account.

## Create an external access analyzer with the organization as the zone of trust
<a name="access-analyzer-create-external-organization"></a>

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Resource analysis - External access**.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. Enter a name for the analyzer.

1. Choose **Current organization** as the zone of trust for the analyzer.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Submit**.

When you create an external access analyzer with the organization as the zone of trust, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in each account of your organization.

# Manage an IAM Access Analyzer external access analyzer
<a name="access-analyzer-manage-external"></a>

To enable an external access analyzer in a Region, you must create an analyzer in that Region. You must create an external access analyzer in each Region in which you want to monitor access to your resources.

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

## Update an external access analyzer
<a name="access-analyzer-manage-external-update"></a>

Use the following procedure to update an external access analyzer.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the external access analyzer to manage.

1. On the **Archive rules** tab, you can create, edit, or delete archive rules for the analyzer. For more information, see [Archive rules](access-analyzer-archive-rules.md).

1. On the **Tags** tab, you can manage and create tags for the analyzer. For more information, see [Tags for AWS Identity and Access Management resources](id_tags.md).

## Delete an external access analyzer
<a name="access-analyzer-manage-external-delete"></a>

Use the following procedure to delete an external access analyzer. When you delete an analyzer, the resources are no longer monitored and no new findings are generated. All findings that were generated by the analyzer are deleted.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the external access analyzer to delete.

1. Choose **Delete analyzer**.

1. Enter **delete** and choose **Delete** to confirm deleting the analyzer.

# Create an IAM Access Analyzer internal access analyzer
<a name="access-analyzer-create-internal"></a>

To enable an internal access analyzer in a Region, you must create an analyzer in that Region. You must create an internal access analyzer in each Region in which you want to monitor access to your resources.

IAM Access Analyzer charges for internal access analysis based on the number of resources monitored per analyzer per month. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

**Note**  
After you create or update an analyzer, it can take time for findings to be available.  
IAM Access Analyzer cannot generate internal access findings for organizations that contain more than 70,000 principals (IAM users and roles combined).  
You can only create one organization-level internal access analyzer in an AWS organization.

## Create an internal access analyzer with the AWS account as the zone of trust
<a name="access-analyzer-create-internal-account"></a>

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Resource analysis - Internal access**.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. Enter a name for the analyzer.

1. Choose **Current account** as the zone of trust for the analyzer.
**Note**  
If your account is not the AWS Organizations management account or [delegated administrator](access-analyzer-delegated-administrator.md) account, you can create only one analyzer with your account as the zone of trust.

1. In the **Resources to analyze** section, add resources for the analyzer to monitor.
   + To add resources by account, choose **Add > Add resources from selected accounts**.

     1. Choose **All supported resource types** or choose **Define specific resource types** and select the resource types from the **Resource type** list.

        Internal access analyzers support the following resource types:
        + [Amazon Simple Storage Service buckets](access-analyzer-resources.md#access-analyzer-s3)
        + [Amazon Simple Storage Service directory buckets](access-analyzer-resources.md#access-analyzer-s3-directory)
        + [Amazon Relational Database Service DB snapshots](access-analyzer-resources.md#access-analyzer-rds-db)
        + [Amazon Relational Database Service DB cluster snapshots](access-analyzer-resources.md#access-analyzer-rds-db-cluster)
        + [Amazon DynamoDB streams](access-analyzer-resources.md#access-analyzer-ddb-stream)
        + [Amazon DynamoDB tables](access-analyzer-resources.md#access-analyzer-ddb-table)

     1. Choose **Add resources**.
   + To add resources by Amazon Resource Name (ARN), choose **Add resources > Add resources by pasting in resource ARN**.
**Note**  
ARNs must be exact matches – wildcards are not supported. For Amazon S3, only bucket ARNs are supported. Amazon S3 object ARNs and prefixes are not supported.

     1. For each resource ARN, enter the account owner ID and the resource ARN separated by a comma. Enter one account owner ID and resource ARN per line.

     1. Choose **Add resources**.
   + To add resources by a CSV file, choose **Add resources > Add resources by uploading a CSV**.

     You can use [AWS Resource Explorer](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search.html) to search for resources in your accounts and export a CSV file. Then you can upload the CSV file to configure the resources for the analyzer to monitor.

     1. Choose **Choose file** and select the CSV file from your computer.

     1. Choose **Add resources**.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Create analyzer**.

When you create an internal access analyzer to enable IAM Access Analyzer, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in your account.

## Create an internal access analyzer with the organization as the zone of trust
<a name="access-analyzer-create-internal-organization"></a>

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Resource analysis - Internal access**.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. Enter a name for the analyzer.

1. Choose **Entire organization** as the zone of trust for the analyzer.

1. In the **Resources to analyze** section, add resources for the analyzer to monitor.
   + To add resources for the account, choose **Add resources > Add resources from selected accounts**.

     1. Choose **All supported resource types** or choose **Define specific resource types** and select the resource types from the **Resource type** list.

        Internal access analyzers support the following resource types:
        + [Amazon Simple Storage Service buckets](access-analyzer-resources.md#access-analyzer-s3)
        + [Amazon Simple Storage Service directory buckets](access-analyzer-resources.md#access-analyzer-s3-directory)
        + [Amazon Relational Database Service DB snapshots](access-analyzer-resources.md#access-analyzer-rds-db)
        + [Amazon Relational Database Service DB cluster snapshots](access-analyzer-resources.md#access-analyzer-rds-db-cluster)
        + [Amazon DynamoDB streams](access-analyzer-resources.md#access-analyzer-ddb-stream)
        + [Amazon DynamoDB tables](access-analyzer-resources.md#access-analyzer-ddb-table)

     1. To select accounts from your organization, choose **Select from organization**. In the **Select accounts** section, choose **Hierarchy** to select accounts by organizational structure or **List** to select accounts from a list of all accounts in your organization.

        To manually enter accounts from your organization, choose **Enter AWS account ID**. Enter one or more AWS account IDs separated by commas in the **AWS account ID** field.

     1. Choose **Add resources**.
   + To add resources by Amazon Resource Name (ARN), choose **Add resources > Add resources by pasting in resource ARN**.
**Note**  
ARNs must be exact matches – wildcards are not supported. For Amazon S3, only bucket ARNs are supported. Amazon S3 object ARNs and prefixes are not supported.

     1. For each resource ARN, enter the account owner ID and the resource ARN separated by a comma. Enter one account owner ID and resource ARN per line.

     1. Choose **Add resources**.
   + To add resources by a CSV file, choose **Add resources > Add resources by uploading a CSV**.

     You can use [AWS Resource Explorer](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search.html) to search for resources in your accounts and export a CSV file. Then you can upload the CSV file to configure the resources for the analyzer to monitor.

     1. Choose **Choose file** and select the CSV file from your computer.

     1. Choose **Add resources**.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Submit**.

When you create an internal access analyzer with the organization as the zone of trust, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in each account of your organization.

# Manage an IAM Access Analyzer internal access analyzer
<a name="access-analyzer-manage-internal"></a>

To enable an internal access analyzer in a Region, you must create an analyzer in that Region. You must create an internal access analyzer in each Region in which you want to monitor access to your resources.

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

## Update an internal access analyzer
<a name="access-analyzer-manage-internal-update"></a>

Use the following procedure to update an internal access analyzer.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the internal access analyzer to manage.

1. On the **Archive rules** tab, you can create, edit, or delete archive rules for the analyzer. For more information, see [Archive rules](access-analyzer-archive-rules.md).

1. On the **Tags** tab, you can manage and create tags for the analyzer. For more information, see [Tags for AWS Identity and Access Management resources](id_tags.md).

1. On the **Resources** tab, choose **Edit** in the **Resources to analyze** section.

   1. To add resources by account, choose **Add resources > Add resources from selected accounts**.

      1. Choose **All supported resource types** or choose **Define specific resource types** and select the resource types from the **Resource type** list.

         Internal access analyzers support the following resource types:
         + [Amazon Simple Storage Service buckets](access-analyzer-resources.md#access-analyzer-s3)
         + [Amazon Simple Storage Service directory buckets](access-analyzer-resources.md#access-analyzer-s3-directory)
         + [Amazon Relational Database Service DB snapshots](access-analyzer-resources.md#access-analyzer-rds-db)
         + [Amazon Relational Database Service DB cluster snapshots](access-analyzer-resources.md#access-analyzer-rds-db-cluster)
         + [Amazon DynamoDB streams](access-analyzer-resources.md#access-analyzer-ddb-stream)
         + [Amazon DynamoDB tables](access-analyzer-resources.md#access-analyzer-ddb-table)

      1. Choose **Add resources**.

   1. To add resources by Amazon Resource Name (ARN), choose **Add resources > Add resources by pasting in resource ARN**.
**Note**  
ARNs must be exact matches – wildcards are not supported. For Amazon S3, only bucket ARNs are supported. Amazon S3 object ARNs and prefixes are not supported.

      1. For each resource ARN, enter the account owner ID and the resource ARN separated by a comma. Enter one account owner ID and resource ARN per line.

      1. Choose **Add resources**.

   1. To add resources by a CSV file, choose **Add resources > Add resources by uploading a CSV**.

      You can use [AWS Resource Explorer](https://docs.aws.amazon.com/resource-explorer/latest/userguide/using-search.html) to search for resources in your accounts and export a CSV file. Then you can upload the CSV file to configure the resources for the analyzer to monitor.

      1. Choose **Choose file** and select the CSV file from your computer.

      1. Choose **Add resources**.

   1. To remove resources from the analyzer, select the check box next to the resources to remove and choose **Remove**.

   1. Choose **Save changes**.

**Note**  
Any updates to the analyzer will be evaluated at the next automatic rescan within 24 hours.
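The **Add resources by pasting in resource ARN** step appears in the create-by-account, create-by-organization and update procedures above. The following example, added here and not part of the AWS documentation or any AWS tool, validates such pasted `<account owner ID>,<resource ARN>` lines before they are submitted, applying the rules the page states (one pair per line, no wildcards, only the six supported resource types, bucket ARNs only for Amazon S3). The ARN patterns and the owner-ID consistency check are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not AWS code): pre-validate "<account owner ID>,<resource ARN>"
# lines for an internal access analyzer's "Resources to analyze" configuration.

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# ARN shapes for the six supported resource types. These patterns are this
# example's own assumptions, not an AWS-published grammar; the partition is
# matched loosely and general-purpose S3 bucket ARNs carry no region/account.
RESOURCE_PATTERNS = {
    "s3-bucket": re.compile(r"^arn:aws[a-z-]*:s3:::[^/]+$"),
    "s3-directory-bucket": re.compile(
        r"^arn:aws[a-z-]*:s3express:[a-z0-9-]+:\d{12}:bucket/[^/]+$"),
    "rds-db-snapshot": re.compile(
        r"^arn:aws[a-z-]*:rds:[a-z0-9-]+:\d{12}:snapshot:[^:/]+$"),
    "rds-db-cluster-snapshot": re.compile(
        r"^arn:aws[a-z-]*:rds:[a-z0-9-]+:\d{12}:cluster-snapshot:[^:/]+$"),
    "dynamodb-table": re.compile(
        r"^arn:aws[a-z-]*:dynamodb:[a-z0-9-]+:\d{12}:table/[^/]+$"),
    "dynamodb-stream": re.compile(
        r"^arn:aws[a-z-]*:dynamodb:[a-z0-9-]+:\d{12}:table/[^/]+/stream/[^/]+$"),
}
S3_BUCKET_PREFIX_RE = re.compile(r"^arn:aws[a-z-]*:s3:::")


@dataclass(frozen=True)
class ResourceEntry:
    account_id: str
    arn: str
    resource_type: str


def classify_arn(arn: str) -> Optional[str]:
    """Return the supported resource type an ARN belongs to, or None."""
    for name, pattern in RESOURCE_PATTERNS.items():
        if pattern.match(arn):
            return name
    return None


def check_line(account_id: str, arn: str) -> Optional[str]:
    """Return an error message for one pair, or None if it is acceptable."""
    if not ACCOUNT_ID_RE.match(account_id):
        return "account owner ID must be a 12-digit AWS account ID"
    if "*" in arn or "?" in arn:
        return "wildcards are not supported; ARNs must be exact matches"
    if S3_BUCKET_PREFIX_RE.match(arn) and "/" in arn:
        return "Amazon S3 object ARNs and prefixes are not supported; use the bucket ARN"
    if classify_arn(arn) is None:
        return "not a supported internal access analyzer resource type"
    # Sanity check added by this example (not a rule stated on the page): when
    # the ARN carries an account ID it should equal the owner ID on that line.
    arn_account = arn.split(":", 5)[4]
    if arn_account and arn_account != account_id:
        return f"account owner ID {account_id} does not match ARN account {arn_account}"
    return None


def parse_resource_lines(text: str) -> Tuple[List[ResourceEntry], List[str]]:
    """Parse pasted lines into accepted entries plus per-line error messages."""
    entries: List[ResourceEntry] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2:
            errors.append(f"line {lineno}: expected '<account owner ID>,<resource ARN>'")
            continue
        account_id, arn = parts
        problem = check_line(account_id, arn)
        if problem:
            errors.append(f"line {lineno}: {problem}")
            continue
        entries.append(ResourceEntry(account_id, arn, classify_arn(arn) or ""))
    return entries, errors


# Constructed sample input (fictitious account IDs and resource names).
SAMPLE_INPUT = """\
111122223333,arn:aws:s3:::example-reports-bucket
111122223333,arn:aws:s3:::example-reports-bucket/private/report.csv
111122223333,arn:aws:s3:::example-*
111122223333,arn:aws:dynamodb:us-east-1:111122223333:table/Orders
111122223333,arn:aws:dynamodb:us-east-1:111122223333:table/Orders/stream/2024-01-15T00:00:00.000
444455556666,arn:aws:rds:us-east-1:444455556666:cluster-snapshot:prod-nightly
444455556666,arn:aws:sqs:us-east-1:444455556666:orders-queue
444455556666,arn:aws:s3express:us-east-1:444455556666:bucket/logs--use1-az1--x-s3
999999999999,arn:aws:rds:us-east-1:111122223333:snapshot:nightly
111122223333 arn:aws:rds:us-east-1:111122223333:snapshot:missing-comma
"""

if __name__ == "__main__":
    accepted, problems = parse_resource_lines(SAMPLE_INPUT)
    for entry in accepted:
        print(f"OK   {entry.account_id} {entry.resource_type:<24} {entry.arn}")
    for problem in problems:
        print(f"SKIP {problem}")
```

Only the accepted lines are worth pasting into the console; the rejected ones would be refused or, in the case of the object ARN, silently fail to cover the bucket you meant.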

## Delete an internal access analyzer
<a name="access-analyzer-manage-internal-delete"></a>

Use the following procedure to delete an internal access analyzer. When you delete an analyzer, the resources are no longer monitored and no new findings are generated. All findings that were generated by the analyzer are deleted.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the internal access analyzer to delete.

1. Choose **Delete analyzer**.

1. Enter **delete** and choose **Delete** to confirm deleting the analyzer.

# Create an IAM Access Analyzer unused access analyzer
<a name="access-analyzer-create-unused"></a>

## Create an unused access analyzer for the current account
<a name="access-analyzer-create-unused-account"></a>

Use the following procedure to create an unused access analyzer for a single AWS account. For unused access, findings for the analyzer do not change based on Region. Creating an analyzer in each Region where you have resources is not required.

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month per analyzer. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Principal analysis - Unused access**.

1. Enter a name for the analyzer.

1. For **Tracking period**, enter the number of days for analysis. The analyzer will only evaluate permissions for IAM entities within the selected account that have existed for the entire tracking period. For example, if you set a tracking period of 90 days, only permissions that are at least 90 days old will be analyzed, and findings will be generated if they show no usage during this period. You can enter a value between 1 and 365 days.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. For **Selected accounts**, choose **Current account**.
**Note**  
If your account is not the AWS Organizations management account or [delegated administrator](access-analyzer-delegated-administrator.md) account, you can create only one analyzer with your account as the selected account.

1. Optional. In the **Exclude IAM users and roles with tags** section, you can specify key-value pairs for IAM users and roles to exclude from unused access analysis. Findings will not be generated for excluded IAM users and roles that match the key-value pairs. For the **Tag key**, enter a value that is 1 to 128 characters in length and not prefixed with `aws:`. For the **Value**, you can enter a value that is 0 to 256 characters in length. If you don't enter a **Value**, the rule is applied to all principals with the specified **Tag key**. Choose **Add new exclusion** to add additional key-value pairs to exclude.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Create analyzer**.

When you create an unused access analyzer to enable IAM Access Analyzer, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in your account.

## Create an unused access analyzer with the current organization
<a name="access-analyzer-create-unused-organization"></a>

Use the following procedure to create an unused access analyzer for an organization to centrally review all AWS accounts in an organization. For unused access analysis, findings for the analyzer do not change based on Region. Creating an analyzer in each Region where you have resources is not required.

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month per analyzer. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

**Note**  
If a member account is removed from the organization, the unused access analyzer will stop generating new findings and updating existing findings for that account after 24 hours. Findings associated with the member account that is removed from the organization will be removed permanently after 90 days.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. Choose **Create analyzer**.

1. In the **Analysis** section, choose **Principal analysis - Unused access**.

1. Enter a name for the analyzer.

1. For **Tracking period**, enter the number of days for analysis. The analyzer will only evaluate permissions for IAM entities within the accounts of the selected organization that have existed for the entire tracking period. For example, if you set a tracking period of 90 days, only permissions that are at least 90 days old will be analyzed, and findings will be generated if they show no usage during this period. You can enter a value between 1 and 365 days.

1. In the **Analyzer details** section, confirm that the Region displayed is the Region where you want to enable IAM Access Analyzer.

1. For **Selected accounts**, choose **Current organization**.

1. Optional. In the **Exclude AWS accounts from analysis** section, you can choose AWS accounts in your organization to exclude from unused access analysis. Findings will not be generated for excluded accounts.

   1. To specify individual account IDs to exclude, choose **Specify AWS account ID** and enter the account IDs separated by commas in the **AWS account ID** field. Choose **Exclude**. The accounts are then listed in the **AWS accounts to exclude** table.

   1. To choose from a list of accounts in your organization to exclude, choose **Choose from organization**.

      1. You can search for accounts by name, email, and account ID in the **Exclude accounts from organization** field.

      1. Choose **Hierarchy** to view your accounts by organizational unit or choose **List** to view a list of all individual accounts in your organization.

      1. Choose **Exclude all current accounts** to exclude all accounts in an organizational unit or choose **Exclude** to exclude individual accounts.

   The accounts are then listed in the **AWS accounts to exclude** table.
**Note**  
Excluded accounts cannot include the organization analyzer owner account. When new accounts are added to your organization, they are not excluded from analysis, even if you previously excluded all current accounts within an organizational unit. For more information on excluding accounts after creating an unused access analyzer, see [Manage an IAM Access Analyzer unused access analyzer](access-analyzer-manage-unused.md).

1. Optional. In the **Exclude IAM users and roles with tags** section, you can specify key-value pairs for IAM users and roles to exclude from unused access analysis. Findings will not be generated for excluded IAM users and roles that match the key-value pairs. For the **Tag key**, enter a value that is 1 to 128 characters in length and not prefixed with `aws:`. For the **Value**, you can enter a value that is 0 to 256 characters in length. If you don't enter a **Value**, the rule is applied to all principals with the specified **Tag key**. Choose **Add new exclusion** to add additional key-value pairs to exclude.

1. Optional. Add any tags that you want to apply to the analyzer.

1. Choose **Create analyzer**.

When you create an unused access analyzer to enable IAM Access Analyzer, a service-linked role named `AWSServiceRoleForAccessAnalyzer` is created in your account.
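The **Tracking period** and **Exclude IAM users and roles with tags** steps in both unused access procedures above state rules whose interaction is easy to misread (a principal must have existed for the whole period, a rule with an empty value matches every principal carrying the key). The following example, added here and not part of the AWS documentation or of the service, is a simplified model of just those stated rules, evaluated over constructed principals; the boundary-day handling and exact-match tag comparison are this example's assumptions, not documented service behaviour.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Added example (not AWS code): a simplified model of the tracking-period and
# tag-exclusion rules the console procedure states. It illustrates those rules
# only; the service's own evaluation is not exposed and may differ in details.

MIN_TRACKING_DAYS, MAX_TRACKING_DAYS = 1, 365   # console limits from the page
MAX_TAG_KEY_LEN, MAX_TAG_VALUE_LEN = 128, 256   # exclusion key/value limits
RESERVED_TAG_PREFIX = "aws:"


@dataclass(frozen=True)
class TagExclusion:
    key: str
    value: str = ""  # empty value: rule applies to every principal carrying the key


@dataclass(frozen=True)
class Principal:
    name: str
    created: date
    last_used: Optional[date]  # None means the principal has never been used
    tags: Dict[str, str]


def tracking_period_error(days: int) -> Optional[str]:
    if not MIN_TRACKING_DAYS <= days <= MAX_TRACKING_DAYS:
        return f"tracking period must be {MIN_TRACKING_DAYS} to {MAX_TRACKING_DAYS} days"
    return None


def exclusion_error(rule: TagExclusion) -> Optional[str]:
    if not 1 <= len(rule.key) <= MAX_TAG_KEY_LEN:
        return "tag key must be 1 to 128 characters"
    if rule.key.startswith(RESERVED_TAG_PREFIX):
        return "tag key must not be prefixed with 'aws:'"
    if len(rule.value) > MAX_TAG_VALUE_LEN:
        return "tag value must be 0 to 256 characters"
    return None


def is_excluded(principal: Principal, exclusions: List[TagExclusion]) -> bool:
    """Exact key/value match (assumption: comparison is case-sensitive here)."""
    for rule in exclusions:
        actual = principal.tags.get(rule.key)
        if actual is not None and (rule.value == "" or actual == rule.value):
            return True
    return False


def evaluate_principal(principal: Principal, tracking_days: int,
                       exclusions: List[TagExclusion], today: date) -> str:
    """Classify one principal: excluded / not-yet-tracked / unused / in-use."""
    problem = tracking_period_error(tracking_days)
    if problem:
        raise ValueError(problem)
    if is_excluded(principal, exclusions):
        return "excluded"
    window_start = today - timedelta(days=tracking_days)
    # Must have existed for the entire tracking period (assumption: the
    # boundary day counts as inside the window).
    if principal.created > window_start:
        return "not-yet-tracked"
    # A finding is generated only when there is no usage inside the window.
    if principal.last_used is None or principal.last_used < window_start:
        return "unused"
    return "in-use"


def evaluate_all(principals: List[Principal], tracking_days: int,
                 exclusions: List[TagExclusion], today: date) -> Dict[str, str]:
    for rule in exclusions:
        problem = exclusion_error(rule)
        if problem:
            raise ValueError(f"exclusion {rule.key!r}: {problem}")
    return {p.name: evaluate_principal(p, tracking_days, exclusions, today)
            for p in principals}


# Constructed sample data (fictitious principals), evaluated as of TODAY with a
# 90-day tracking period, so the window starts on 2024-04-01.
TODAY = date(2024, 6, 30)
SAMPLE_EXCLUSIONS = [TagExclusion("exclude-from-unused-analysis"),
                     TagExclusion("lifecycle", "active")]
SAMPLE_PRINCIPALS = [
    Principal("ci-deploy-role", date(2023, 1, 10), date(2024, 6, 28), {"team": "platform"}),
    Principal("legacy-admin", date(2022, 5, 1), date(2023, 11, 2), {}),
    Principal("break-glass", date(2021, 1, 1), None, {"exclude-from-unused-analysis": "true"}),
    Principal("new-hire-user", date(2024, 5, 15), None, {}),
    Principal("vendor-role", date(2020, 1, 1), None, {"lifecycle": "archived"}),
]


def run_sample() -> Dict[str, str]:
    return evaluate_all(SAMPLE_PRINCIPALS, 90, SAMPLE_EXCLUSIONS, TODAY)


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:<16} {verdict}")
```

Note that `vendor-role` is not excluded even though it carries the `lifecycle` key, because the rule names a specific value; only an empty value would match every principal with that key.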

# Manage an IAM Access Analyzer unused access analyzer
<a name="access-analyzer-manage-unused"></a>

Use the information in this topic to learn about how to update or delete an existing unused access analyzer.

**Note**  
After you create or update an analyzer, it can take time for findings to be available.

## Update an unused access analyzer
<a name="access-analyzer-manage-unused-update"></a>

Use the following procedure to update an unused access analyzer.

IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month per analyzer. For more details about pricing, see [IAM Access Analyzer pricing](https://aws.amazon.com/iam/access-analyzer/pricing).

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the unused access analyzer to manage.

1. On the **Exclusion** tab, if the analyzer was created for an organization as the scope of analysis, choose **Manage** in the **Excluded AWS accounts** section.

   1. To specify individual account IDs to exclude, choose **Specify AWS account ID** and enter the account IDs separated by commas in the **AWS account ID** field. Choose **Exclude**. The accounts are then listed in the **AWS accounts to exclude** table.

   1. To choose from a list of accounts in your organization to exclude, choose **Choose from organization**.

      1. You can search for accounts by name, email, and account ID in the **Exclude accounts from organization** field.

      1. Choose **Hierarchy** to view your accounts by organizational unit or choose **List** to view a list of all individual accounts in your organization.

      1. Choose **Exclude all current accounts** to exclude all accounts in an organizational unit or choose **Exclude** to exclude individual accounts.

      The accounts are then listed in the **AWS accounts to exclude** table.

   1. To remove accounts to exclude, choose **Remove** next to the account in the **AWS accounts to exclude** table.

   1. Choose **Save changes**.
**Note**  
Excluded accounts cannot include the organization analyzer owner account.
When new accounts are added to your organization, they are not excluded from analysis, even if you previously excluded all current accounts within an organizational unit.
After you update the exclusions for an analyzer, it can take up to two days for the list of excluded accounts to be updated.

1. On the **Exclusion** tab, choose **Manage** in the **Excluded IAM users and roles with tags** section.

   1. You can specify key-value pairs for IAM users and roles to exclude from unused access analysis. For the **Tag key**, enter a value that is 1 to 128 characters in length and not prefixed with `aws:`. For the **Value**, you can enter a value that is 0 to 256 characters in length. If you don't enter a **Value**, the rule is applied to all principals with the specified **Tag key**.

   1. Choose **Add new exclusion** to add additional key-value pairs to exclude.

   1. To remove key-value pairs to exclude, choose **Remove** next to the key-value pair.

   1. Choose **Save changes**.

1. On the **Archive rules** tab, you can create, edit, or delete archive rules for the analyzer. For more information, see [Archive rules](access-analyzer-archive-rules.md).

1. On the **Tags** tab, you can manage and create tags for the analyzer. For more information, see [Tags for AWS Identity and Access Management resources](id_tags.md).

## Delete an unused access analyzer
<a name="access-analyzer-manage-unused-delete"></a>

Use the following procedure to delete an unused access analyzer. When you delete an analyzer, the resources are no longer monitored and no new findings are generated. All findings that were generated by the analyzer are deleted.

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Under **Access analyzer**, choose **Unused access**.

1. Under **Access analyzer**, choose **Analyzer settings**.

1. In the **Analyzers** section, choose the name of the unused access analyzer to delete.

1. Choose **Delete analyzer**.

1. Enter **delete** and choose **Delete** to confirm deleting the analyzer.