# AWS Policies

AWS Policies define security controls and assessment rules tailored for AWS IAM environments.

These policies focus on analyzing identity-related risks, role assignments, access key configurations, and access control mechanisms within AWS IAM.

By using AWS-specific policies, FSProtect helps identify privilege misuse, risky identity configurations, and exposure points in AWS cloud identity infrastructures.

***

**Edit Scan Policy (AWS)**

This section allows users to configure scan settings specific to AWS environments, including enabled modules, exclusions, and scan options.

<figure><img src="/files/hNW83ni9DQ3tKEmssLHF" alt=""><figcaption><p>AWS Scan Policy Settings</p></figcaption></figure>

***

**Vulnerability Policies and Tiering (AWS)**

This section defines vulnerability policies and tiering configurations specific to AWS environments. Vulnerability policies determine which AWS-specific security checks are executed during the scan, while tiering helps identify critical cloud identities and roles based on their potential security impact.

***

**AWS Scan Modules**

**AWS Assessment:** This module identifies and evaluates vulnerabilities, misconfigurations, and security risks within the AWS environment, covering IAM users, roles, groups, policies, and access keys. It provides visibility into the cloud configuration and the access relationships between identities across accounts and organizations. Because it is the core of the engine for AWS-based assessments, this module is mandatory.

**Tier 0 Analysis:** This module analyzes attack paths and privilege escalation routes within the AWS environment to identify identities that can reach Tier 0 assets through dangerous permissions or policy configurations.

***

**General Settings**

| Setting                   | Description                                                                        |
| ------------------------- | ---------------------------------------------------------------------------------- |
| Name                      | The name of the scan policy.                                                       |
| Include Inactive Accounts | When enabled, IAM users, roles, and access keys that have not been used within the Inactivity Threshold are included in the scan. |
| Include Disabled Accounts | When enabled, disabled IAM accounts are included in the scan.                      |
| Inactivity Threshold      | The number of days without recorded use (console sign-in or access key use) after which an IAM identity is considered inactive. |
| Exclusions                | Specific IAM identities or resources to be excluded from the scan.                 |
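
The interaction between these settings is easiest to see in code. The following is an added example, not FSProtect's own code: it applies an Inactivity Threshold, the Include Inactive/Disabled Accounts toggles, and an exclusion list to the CSV that `aws iam get-credential-report` returns. The column names are those of the real credential report; the sample rows are constructed, and the exact rules FSProtect uses to derive "inactive" and "disabled" are an assumption.

```python
"""Inactivity and exclusion logic for an AWS IAM scan policy.

Added example, not FSProtect's code: it models the General Settings
(Inactivity Threshold, Include Inactive Accounts, Include Disabled Accounts,
Exclusions) against the CSV from `aws iam get-credential-report`. The column
names are the real report's; how FSProtect derives these states is an assumption.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: real column layout, fictitious account and users.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T10:00:00+00:00,true,2024-05-20T08:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-01-10T00:00:00+00:00,2024-05-19T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2019-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-06-01T00:00:00+00:00,2023-11-02T00:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2022-09-15T00:00:00+00:00,false,N/A,N/A,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
dave,arn:aws:iam::111122223333:user/dave,2024-04-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-04-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-ci,arn:aws:iam::111122223333:user/svc-ci,2023-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-01-01T00:00:00+00:00,2024-05-21T03:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the sample is deterministic; a real scan would use datetime.now(timezone.utc).
NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)


def _ts(value):
    """Parse a report timestamp; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def classify(row, now, threshold_days):
    """Return 'disabled', 'inactive' or 'active' for one credential-report row.

    disabled: no console password and no active access key, so nothing to use
    inactive: a usable credential exists, but none was used within the threshold
              (a credential that was never used counts as inactive)
    """
    # The root row reports password_enabled as not_supported; root always has a password.
    password_on = row["password_enabled"] in ("true", "not_supported")
    keys_on = [row["access_key_1_active"] == "true", row["access_key_2_active"] == "true"]
    if not password_on and not any(keys_on):
        return "disabled"
    last_used = [_ts(row["password_last_used"])] if password_on else []
    for i, on in enumerate(keys_on, start=1):
        if on:
            last_used.append(_ts(row[f"access_key_{i}_last_used_date"]))
    dated = [t for t in last_used if t is not None]
    if dated and now - max(dated) <= timedelta(days=threshold_days):
        return "active"
    return "inactive"


def apply_policy(report_csv, *, threshold_days, include_inactive, include_disabled,
                 exclusions=(), now=NOW):
    """Apply the policy toggles; return {user: state} for identities left in scope.

    Exclusions match either the user name or the full ARN.
    """
    selected = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] in exclusions or row["arn"] in exclusions:
            continue
        state = classify(row, now, threshold_days)
        if state == "inactive" and not include_inactive:
            continue
        if state == "disabled" and not include_disabled:
            continue
        selected[row["user"]] = state
    return selected


if __name__ == "__main__":
    for user, state in apply_policy(SAMPLE_REPORT, threshold_days=90,
                                    include_inactive=True, include_disabled=True).items():
        print(f"{user:15} {state}")
```

With a 90-day threshold and both toggles off, only the root account, `alice` and `svc-ci` remain in scope; `bob` (key last used in 2023) and `dave` (key never used) are dropped as inactive, and `carol` (no password, no active keys) as disabled. Dropping inactive identities from a scan is a coverage trade-off: stale credentials are exactly what an attacker hopes nobody is watching, so enabling the toggle is usually the safer default.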

***

**Tier 0 Assets (AWS)**

Tier 0 Assets settings allow users to designate critical AWS IAM identities as privileged. Selected AWS users, roles, and groups are treated as high-impact identities and are prioritized during privilege exposure and attack path analysis. Identities marked as Tier 0 Assets represent potential account-level or organization-level compromise if misused or exposed.

<figure><img src="/files/luJTBPmgukwVLjaIoIza" alt=""><figcaption><p>Adding Tier 0 Assets</p></figcaption></figure>
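
To make the Tier 0 Analysis module's idea of "identities that can reach Tier 0 assets" concrete, here is an added example that is not FSProtect's code: it builds a directed graph from constructed IAM data (identity policies plus role trust policies) and walks it from every principal to find paths into a role designated as Tier 0. The account, principals, policies and Tier 0 designation are all constructed. Only `sts:AssumeRole` chains are modelled, with a simplified same-account rule (a trust policy that names the principal explicitly needs no identity-side permission; one that trusts the account root does), and explicit Deny always wins; FSProtect's own analysis covers more "dangerous permissions" than this.

```python
"""Reachability of Tier 0 roles through sts:AssumeRole chains.

Added example, not FSProtect's code. All principals, policies and the Tier 0
set are constructed. Only AssumeRole edges are modelled; the same-account
trust rule is simplified and no resource policies other than trust policies
are evaluated.
"""
from collections import deque
from fnmatch import fnmatch

ACCOUNT = "111122223333"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
DEV = f"arn:aws:iam::{ACCOUNT}:user/dev"
AUDITOR = f"arn:aws:iam::{ACCOUNT}:user/auditor"
DEPLOY = f"arn:aws:iam::{ACCOUNT}:role/deploy"
ORG_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/org-admin"
READONLY = f"arn:aws:iam::{ACCOUNT}:role/readonly"

# Constructed identity-based policies, flattened to statements.
IDENTITY_POLICIES = {
    DEV: [{"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [DEPLOY]}],
    DEPLOY: [{"Effect": "Allow", "Action": ["sts:*"], "Resource": ["*"]}],
    AUDITOR: [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": ["*"]},
        {"Effect": "Deny", "Action": ["sts:AssumeRole"], "Resource": [ORG_ADMIN]},
    ],
    ORG_ADMIN: [],
    READONLY: [],
}

# Constructed trust policies: Principal.AWS of each role, flattened to a list.
TRUST = {
    DEPLOY: [ROOT],              # anyone in the account who also holds sts:AssumeRole
    ORG_ADMIN: [DEPLOY, AUDITOR],  # named principals need no identity-side Allow
    READONLY: [ROOT],
}

TIER0 = {ORG_ADMIN}  # the designated Tier 0 asset


def identity_decision(principal, role_arn):
    """Evaluate the principal's own statements for sts:AssumeRole on role_arn.

    Returns 'deny' if an explicit Deny matches, 'allow' if any Allow matches,
    otherwise 'none'. IAM wildcards (* and ?) are mapped onto fnmatch.
    """
    decision = "none"
    for st in IDENTITY_POLICIES.get(principal, []):
        if not (any(fnmatch("sts:AssumeRole", a) for a in st["Action"])
                and any(fnmatch(role_arn, r) for r in st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def can_assume(principal, role_arn):
    """Simplified same-account rule: Deny wins; an explicitly trusted principal
    is allowed; a root-trusted role also requires an identity-side Allow."""
    if identity_decision(principal, role_arn) == "deny":
        return False
    trusted = TRUST.get(role_arn, [])
    if principal in trusted:
        return True
    if ROOT in trusted:
        return identity_decision(principal, role_arn) == "allow"
    return False


def tier0_paths(tier0=TIER0):
    """Breadth-first search from every non-Tier-0 principal.

    Returns {principal: shortest path} for principals that can reach Tier 0.
    """
    results = {}
    for start in IDENTITY_POLICIES:
        if start in tier0:
            continue
        queue, seen = deque([[start]]), {start}
        while queue:
            path = queue.popleft()
            current = path[-1]
            if current in tier0:
                results[start] = path
                break
            for role in TRUST:
                if role not in seen and can_assume(current, role):
                    seen.add(role)
                    queue.append(path + [role])
    return results


if __name__ == "__main__":
    for start, path in tier0_paths().items():
        print(" -> ".join(p.rsplit(":", 1)[1] for p in path))
```

The `auditor` case is the one worth noticing: an explicit Deny blocks the direct hop to `org-admin`, but `auditor` can still assume `deploy`, which `org-admin` trusts by name, so the two-hop path exists anyway. This is why the module walks chains rather than checking each identity's permissions in isolation, and why every role on such a path, not just the final one, deserves Tier 0 treatment.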

