IAM Access Analyzer filter keys - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM Access Analyzer filter keys

You can use the filter keys below to define an archive rule (CreateArchiveRule), update an archive rule (UpdateArchiveRule), retrieve a list of findings (ListFindings and ListFindingsV2), or retrieve a list of access preview findings for a resource (ListAccessPreviewFindings). There is no difference between using IAM API and Amazon CloudFormation for configuring archive rules.

Criterion Description Type Archive rule List findings List access preview findings
resource The ARN uniquely identifying the resource that the external principal has access to. To learn more, see Amazon resource names (ARNs). String Yes Yes Yes
resourceType

AWS::IAM::Role | AWS::KMS::Key | AWS::Lambda::Function | AWS::Lambda::LayerVersion | AWS::S3::Bucket | AWS::S3Express::DirectoryBucket | AWS::SQS::Queue | AWS::SecretsManager::Secret | AWS::EFS::FileSystem | AWS::EC2::Snapshot | AWS::ECR::Repository | AWS::RDS::DBSnapshot | AWS::RDS::DBClusterSnapshot | AWS::SNS::Topic | AWS::DynamoDB::Stream | AWS::DynamoDB::Table

 The type of resource that the external principal has access to. String Yes Yes Yes
resourceOwnerAccount The 12 digit Amazon account ID that owns the resource. To learn more, see Amazon account identifiers. String Yes Yes Yes
isPublic Indicates whether the finding reports a resource that has a policy that allows public access. Boolean Yes Yes Yes
findingType

UnusedIAMRole | UnusedIAMUserAccessKey | UnusedIAMUserPassword | UnusedPermission

 The type of the finding. You can only filter by finding type for unused access findings. String Yes Yes Yes
status

ACTIVE | ARCHIVED | RESOLVED

 The current status of the finding. String No Yes Yes
error Indicates the error reported for the finding. String Yes Yes Yes
principal.AWS The account granted access to the resource in the Principal field of the finding. Enter the 12-digit Amazon account ID or the ARN of the external Amazon user or role. To learn more, see Amazon account identifiers. String Yes Yes Yes
principal.Federated The ARN of the federated identity that has access to the resource in the finding. To learn more, see Identity providers and federation String Yes Yes Yes
condition.aws:PrincipalArn The ARN of the principal (IAM user, role, or group) indicated as the condition for resource access. To learn more, see Amazon global condition context keys. String Yes Yes Yes
condition.aws:PrincipalOrgID The organization identifier of the principal indicated as the condition for resource access. To learn more, see Amazon global condition context keys. String Yes Yes Yes
condition.aws:PrincipalOrgPaths The organization or organizational unit (OU) ID indicated as the condition for resource access. To learn more, see Amazon global condition context keys. String Yes Yes Yes
condition.aws:SourceIp The IP address that allows the principal access to the resource when using the specified IP address. To learn more, see Amazon global condition context keys. IP address Yes Yes Yes
condition.aws:SourceVpc The VPC ID that allows the principal access to the resource when using the specified VPC. To learn more, see Amazon global condition context keys. String Yes Yes Yes
condition.aws:UserId The user ID of the IAM user from an external account indicated as the condition for access to the resource. To learn more, see Amazon global condition context keys. String Yes Yes Yes
condition.cognito-identity.amazonaws.com:aud The Amazon Cognito identity pool ID specified as a condition for IAM role access in the finding. To learn more, see IAM and Amazon STS condition context keys. String Yes Yes Yes
condition.graph.facebook.com:app_id The Facebook application ID (or site ID) specified as a condition to allow Login with Facebook federation access to the IAM role in the finding. To learn more, see IAM and Amazon STS condition context keys. String Yes Yes Yes
condition.accounts.google.com:aud The Google application ID specified as a condition for access to the IAM role. To learn more, see IAM and Amazon STS condition context keys. String Yes Yes Yes
condition.kms:CallerAccount The Amazon account ID that owns the calling entity (IAM user, role or account root user) used by services calling Amazon KMS. To learn more, see Condition keys for Amazon Key Management Service. String Yes Yes Yes
condition.www.amazon.com:app_id The Amazon application ID (or site ID) specified as a condition to allow Login with Amazon federation access to the role. To learn more, see String Yes Yes Yes
id The ID of the finding. String No Yes Yes
changeType Provides context on how the access preview finding compares to existing access identified in IAM Access Analyzer. String No No Yes
existingFindingId The existing ID of the finding in IAM Access Analyzer, provided only for existing findings in the access preview. String No No Yes
existingFindingStatus The existing status of the finding, provided only for existing findings in the access preview. String No No Yes