Access Analyzer filter keys
You can use the filter keys below to define an archive rule CreateArchiveRule, update an archive rule UpdateArchiveRule, retrieve a list of findings ListFindings, or retrieve a list of access preview findings
for a resource ListAccessPreviewFindings. There is no difference between
using IAM API and Amazon CloudFormation for configuring archive rules.
| Criterion | Description | Type | Archive rule | List findings | List access preview findings |
|---|---|---|---|---|---|
| resource | The ARN uniquely identifying the resource that the external principal has access to. To learn more, see Amazon resource names (ARNs). | String | |||
| resourceType
|
The type of resource that the external principal has access to. | String | |||
| resourceOwnerAccount | The 12 digit Amazon account ID that owns the resource. To learn more, see Amazon account identifiers. | String | |||
| isPublic | Indicates whether the finding reports a resource that has a policy that allows public access. | Boolean | |||
| status
|
The current status of the finding. | String | |||
| error | Indicates the error reported for the finding. | String | |||
| principal.AWS | The ARN of of the account granted access to the resource in the
Principal field of the finding. To learn more, see Amazon
account identifiers. |
String | |||
| principal.Federated | The ARN of the federated identity that has access to the resource in the finding. To learn more, see Identity providers and federation | String | |||
| condition.aws:PrincipalArn | The ARN of the principal (IAM user, role, or group) indicated as the condition for resource access. To learn more, see Amazon global condition context keys. | String | |||
| condition.aws:PrincipalOrgID | The organization identifier of the principal indicated as the condition for resource access. To learn more, see Amazon global condition context keys. | String | |||
| condition.aws:PrincipalOrgPaths | The organization or organizational unit (OU) ID indicated as the condition for resource access. To learn more, see Amazon global condition context keys. | String | |||
| condition.aws:SourceIp | The IP address that allows the principal access to the resource when using the specified IP address. To learn more, see Amazon global condition context keys. | IP address | |||
| condition.aws:SourceVpc | The VPC ID that allows the principal access to the resource when using the specified VPC. To learn more, see Amazon global condition context keys. | String | |||
| condition.aws:UserId | The user ID of the IAM user from an external account indicated as the condition for access to the resource. To learn more, see Amazon global condition context keys. | String | |||
| condition.cognito-identity.amazonaws.com:aud | The Amazon Cognito identity pool ID specified as a condition for IAM role access in the finding. To learn more, see IAM and Amazon STS condition context keys. | String | |||
| condition.graph.facebook.com:app_id | The Facebook application ID (or site ID) specified as a condition to allow Login with Facebook federation access to the IAM role in the finding. To learn more, see IAM and Amazon STS condition context keys. | String | |||
| condition.accounts.google.com:aud | The Google application ID specified as a condition for access to the IAM role. To learn more, see IAM and Amazon STS condition context keys. | String | |||
| condition.kms:CallerAccount | The Amazon account ID that owns the calling entity (IAM user, role or account root user) used by services calling Amazon KMS. To learn more, see Condition keys for Amazon Key Management Service. | String | |||
| condition.www.amazon.com:app_id | The Amazon application ID (or site ID) specified as a condition to allow Login with Amazon federation access to the role. To learn more, see | String | |||
| id | The ID of the finding. | String | |||
| changeType | Provides context on how the access preview finding compares to existing access identified in Access Analyzer. | String | |||
| existingFindingId | The existing ID of the finding in Access Analyzer, provided only for existing findings in the access preview. | String | |||
| existingFindingStatus | The existing status of the finding, provided only for existing findings in the access preview. | String |