Archive rules
Archive rules automatically archive new findings that meet the criteria you define when you create the rule. You can also apply archive rules retroactively to archive existing findings that meet the archive rule criteria. For example, you can create an archive rule to automatically archive any findings for a specific S3 bucket that you regularly grant access to. Or if you grant access to multiple resources to a specific principal, you can create a rule that automatically archives any new finding generated for access granted to that principal. This lets you focus only on active findings that may indicate a security risk.
Use the information provided in the finding details to identify the specific resource and external entity to use when creating or editing a rule. When you create an archive rule, only new findings that match the rule criteria are automatically archived. Existing findings are archived only if you choose Create and archive active findings when you create the rule (or Save and archive active findings when you edit it). When you create a rule, you can include up to 20 values per criterion in the rule. For a list of filter keys that you can use to create or update an archive rule, see IAM Access Analyzer filter keys.
When you create or edit an archive rule, IAM Access Analyzer does not validate the values you include in the filter for the rule. For example, if you add a rule to match an Amazon Web Services account ID, IAM Access Analyzer accepts any value in the field, even if it is not a valid account number. A mistyped value does not produce an error; it produces a rule that silently never matches, so the findings you meant to archive stay active. Check the Results section when you create the rule to confirm that it matches the findings you expect.
To create an archive rule
- Open the IAM console at https://console.amazonaws.cn/iam/.
- Choose Access analyzer, then choose Archive rules.
- Choose Create archive rule.
- Enter a name for the rule if you want to change the default name.
- In the Rule section, under Criteria, select a property to match for the rule.
- Choose an operator for the property value, such as contains.
The operators available depend on the property you choose.
- Optionally, add additional values for the property, or add additional criteria for the rule. To ensure your rule won't archive new findings for public access, include the criterion Public access and set it to false. All criteria in a rule must match for a finding to be archived, so a rule that matches only on resource type or principal archives matching findings whether or not the resource is publicly accessible.
To add another value for a criterion, choose Add another value. To add another criterion for the rule, choose the Add button.
- When you finish adding criteria and values, choose Create rule to apply the rule to new findings only. Choose Create and archive active findings to archive new and existing findings based on the rule criteria. In the Results section, you can review the list of active findings the archive rule applies to; review this list before choosing Create and archive active findings, because every finding in it is archived when the rule is created.
For example, to create a rule that automatically archives any findings for S3 buckets: choose Resource type, and then choose is for the operator. Next choose S3 bucket from the Select resource type list, and then choose Add.
Continue to define criteria to customize the rule as appropriate for your environment, and then choose Create archive rule.
If you create a new rule and add multiple criteria, you can remove a single criterion from the rule by choosing Remove this criterion. You can remove a value added for a criterion by choosing Remove value.
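The same rule can be expressed as the filter that the CreateArchiveRule API takes, and because the service does not validate filter values it is worth evaluating a rule locally before creating it. The example below is added here and is not code from the AWS documentation: it builds the S3-bucket rule from the procedure above with the Public access criterion set to false, checks the two things the console will not (more than 20 values per criterion, and a principal value that cannot be an account ID), and runs the rule over a handful of constructed findings to show exactly which ones "Create and archive active findings" would archive. The analyzer name, rule name, account IDs and findings are all placeholders; the boto3 calls at the bottom are the real `create_archive_rule`, `get_analyzer` and `apply_archive_rule` operations.

```python
"""Local dry run of an IAM Access Analyzer archive rule.

Added example (not AWS documentation code). It builds a filter in the
shape CreateArchiveRule accepts, validates what the service does not,
and evaluates the rule against constructed findings. Analyzer name,
rule name, account IDs and findings are placeholders.
"""
from typing import Any

MAX_VALUES_PER_CRITERION = 20  # limit stated in the documentation

# Archive S3 bucket findings for one trusted account, but never public ones.
# Criteria are ANDed; the values inside one criterion are ORed.
RULE_FILTER: dict[str, dict[str, Any]] = {
    "resourceType": {"eq": ["AWS::S3::Bucket"]},
    "principal.AWS": {"eq": ["111122223333"]},  # assumed trusted account
    "isPublic": {"eq": ["false"]},              # the "Public access is false" criterion
}


def validate_filter(flt: dict[str, dict[str, Any]]) -> list[str]:
    """Return problems the service would not flag. It accepts any value, so a
    malformed account ID just yields a rule that never matches anything."""
    problems = []
    for key, crit in flt.items():
        for op in ("eq", "neq", "contains"):
            n = len(crit.get(op, []))
            if n > MAX_VALUES_PER_CRITERION:
                problems.append(f"{key}.{op}: {n} values, max is {MAX_VALUES_PER_CRITERION}")
        if key == "principal.AWS":
            for v in crit.get("eq", []) + crit.get("neq", []):
                ok = v == "*" or v.startswith("arn:") or (v.isdigit() and len(v) == 12)
                if not ok:
                    problems.append(f"{key}: {v!r} is not a 12-digit account ID, ARN or '*'")
    return problems


def _values(finding: dict, key: str) -> list[str]:
    """Resolve a filter key such as 'principal.AWS' or 'isPublic' to the
    finding's value(s), normalised to the strings a filter compares against."""
    node: Any = finding
    for part in key.split(".", 1):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    if isinstance(node, bool):
        return ["true" if node else "false"]
    if isinstance(node, list):
        return [str(v) for v in node]
    return [str(node)]


def matches(finding: dict, flt: dict[str, dict[str, Any]]) -> bool:
    """True when every criterion (eq / neq / contains / exists) matches."""
    for key, crit in flt.items():
        vals = _values(finding, key)
        if "exists" in crit and bool(vals) != (str(crit["exists"]).lower() == "true"):
            return False
        if "eq" in crit and not any(v in crit["eq"] for v in vals):
            return False
        if "neq" in crit and any(v in crit["neq"] for v in vals):
            return False
        if "contains" in crit and not any(s in v for v in vals for s in crit["contains"]):
            return False
    return True


# Constructed findings, trimmed to the fields the filter keys read.
FINDINGS = [
    {"id": "f-1", "status": "ACTIVE", "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::partner-drop", "principal": {"AWS": "111122223333"}, "isPublic": False},
    {"id": "f-2", "status": "ACTIVE", "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::www-assets", "principal": {"AWS": "*"}, "isPublic": True},
    {"id": "f-3", "status": "ACTIVE", "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::123456789012:role/Deploy", "principal": {"AWS": "111122223333"}, "isPublic": False},
    {"id": "f-4", "status": "ACTIVE", "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::partner-drop", "principal": {"AWS": "999988887777"}, "isPublic": False},
]


def findings_to_archive(findings: list[dict], flt: dict[str, dict[str, Any]]) -> list[str]:
    """IDs that 'Create and archive active findings' would archive for this rule."""
    return [f["id"] for f in findings if f.get("status") == "ACTIVE" and matches(f, flt)]


def create_rule(analyzer_name: str, rule_name: str, flt: dict, archive_existing: bool = False) -> None:
    """Create the rule with boto3. ApplyArchiveRule (which takes the analyzer
    ARN) is the API counterpart of 'Create and archive active findings'."""
    import boto3  # imported here so the offline dry run needs no SDK
    client = boto3.client("accessanalyzer")
    client.create_archive_rule(analyzerName=analyzer_name, ruleName=rule_name, filter=flt)
    if archive_existing:
        arn = client.get_analyzer(analyzerName=analyzer_name)["analyzer"]["arn"]
        client.apply_archive_rule(analyzerArn=arn, ruleName=rule_name)


if __name__ == "__main__":
    print("problems:", validate_filter(RULE_FILTER))
    print("would archive:", findings_to_archive(FINDINGS, RULE_FILTER))
    typo = {**RULE_FILTER, "principal.AWS": {"eq": ["11112222333"]}}  # 11 digits
    print("typo problems:", validate_filter(typo))
    print("typo would archive:", findings_to_archive(FINDINGS, typo))
```

Running the dry run shows the rule archiving only f-1: f-2 is public, f-3 is a role, and f-4 is shared with a different account. Dropping the `isPublic` criterion makes the same rule archive the public bucket too, which is exactly the case the procedure warns about, and the eleven-digit "account ID" is accepted by the service but matches nothing.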
To edit an archive rule
- In the Name column, choose the name of the rule to edit.
You can edit only one archive rule at a time.
- Add new criteria, or remove existing criteria and values for each criterion. To ensure your rule won't archive new findings for public access, you can also include the criterion Public access and set it to false.
- Choose Save changes to apply the rule to new findings only. Choose Save and archive active findings to archive new and existing findings based on the rule criteria.
To delete an archive rule
- Select the check box for the rules to delete.
You can delete one, many, or all rules at the same time.
- Choose Delete.
- Type delete in the Delete archive rule confirmation dialog, and then choose Delete.
The rules are deleted only from the analyzer in the current Region. You must delete archive rules separately for each analyzer that you created in other Regions.