IAM Access Analyzer examples using Amazon CLI

The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with IAM Access Analyzer.

Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios and cross-service examples.

Scenarios are code examples that show you how to accomplish a specific task by calling multiple functions within the same service.

Each example includes a link to GitHub, where you can find instructions on how to set up and run the code in context.

Topics

Actions

Actions

The following code example shows how to use apply-archive-rule.

Amazon CLI

To apply an archive rule to existing findings that meet the archive rule criteria

The following apply-archive-rule example applies an archive rule to existing findings that meet the archive rule criteria.


aws accessanalyzer apply-archive-rule \
    --analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/UnusedAccess-ConsoleAnalyzer-organization \
    --rule-name MyArchiveRule

This command produces no output.

For more information, see Archive rules in the Amazon IAM User Guide.

For API details, see ApplyArchiveRule in Amazon CLI Command Reference.

The following code example shows how to use cancel-policy-generation.

Amazon CLI

To cancel the requested policy generation

The following cancel-policy-generation example cancels the requested policy generation job id.


aws accessanalyzer cancel-policy-generation \
    --job-id 923a56b0-ebb8-4e80-8a3c-a11ccfbcd6f2

This command produces no output.

For more information, see IAM Access Analyzer policy generation in the Amazon IAM User Guide.

For API details, see CancelPolicyGeneration in Amazon CLI Command Reference.

The following code example shows how to use check-access-not-granted.

Amazon CLI

To check whether the specified access isn't allowed by a policy

The following check-access-not-granted example checks whether the specified access isn't allowed by a policy.


aws accessanalyzer check-access-not-granted \
    --policy-document file://myfile.json \
    --access actions="s3:DeleteBucket","s3:GetBucketLocation" \
    --policy-type IDENTITY_POLICY

Contents of myfile.json:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}

Output:


{
    "result": "PASS",
    "message": "The policy document does not grant access to perform the listed actions."
}

For more information, see Previewing access with IAM Access Analyzer APIs in the Amazon IAM User Guide.

For API details, see CheckAccessNotGranted in Amazon CLI Command Reference.

The following code example shows how to use check-no-new-access.

Amazon CLI

To check whether new access is allowed for an updated policy when compared to the existing policy

The following check-no-new-access example checks whether new access is allowed for an updated policy when compared to the existing policy.


aws accessanalyzer check-no-new-access \
    --existing-policy-document file://existing-policy.json \
    --new-policy-document file://new-policy.json \
    --policy-type IDENTITY_POLICY

Contents of existing-policy.json:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}

Contents of new-policy.json:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
        }
    ]
}

Output:


{
    "result": "FAIL",
    "message": "The modified permissions grant new access compared to your existing policy.",
    "reasons": [
        {
            "description": "New access in the statement with index: 0.",
            "statementIndex": 0
        }
    ]
}

For more information, see Previewing access with IAM Access Analyzer APIs in the Amazon IAM User Guide.

For API details, see CheckNoNewAccess in Amazon CLI Command Reference.

The following code example shows how to use create-access-preview.

Amazon CLI

To create an access preview that allows you to preview IAM Access Analyzer findings for your resource before deploying resource permissions

The following create-access-preview example creates an access preview that allows you to preview IAM Access Analyzer findings for your resource before deploying resource permissions in your Amazon account.


aws accessanalyzer create-access-preview \
    --analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
    --configurations file://myfile.json

Contents of myfile.json:


{
    "arn:aws:s3:::DOC-EXAMPLE-BUCKET": {
        "s3Bucket": {
            "bucketPolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::111122223333:root\"]},\"Action\":[\"s3:PutObject\",\"s3:PutObjectAcl\"],\"Resource\":\"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*\"}]}",
            "bucketPublicAccessBlock": {
                "ignorePublicAcls": true,
                "restrictPublicBuckets": true
            },
            "bucketAclGrants": [
                {
                    "grantee": {
                        "id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
                    },
                    "permission": "READ"
                }
            ]
        }
    }
}

Output:


{
    "id": "3c65eb13-6ef9-4629-8919-a32043619e6b"
}

For more information, see Previewing access with IAM Access Analyzer APIs in the Amazon IAM User Guide.

For API details, see CreateAccessPreview in Amazon CLI Command Reference.

The following code example shows how to use create-analyzer.

Amazon CLI

To create an analyzer

The following create-analyzer example creates an analyzer in your Amazon account.


aws accessanalyzer create-analyzer \
    --analyzer-name example \
    --type ACCOUNT

Output:


{
    "arn": "arn:aws:access-analyzer:us-east-2:111122223333:analyzer/example"
}

For more information, see Getting started with Amazon Identity and Access Management Access Analyzer findings in the Amazon IAM User Guide.

For API details, see CreateAnalyzer in Amazon CLI Command Reference.

The following code example shows how to use create-archive-rule.

Amazon CLI

To create an archive rule for the specified analyzer

The following create-archive-rule example creates an archive rule for the specified analyzer in your Amazon account.


aws accessanalyzer create-archive-rule \
    --analyzer-name UnusedAccess-ConsoleAnalyzer-organization \
    --rule-name MyRule \
    --filter '{"resource": {"contains": ["Cognito"]}, "resourceType": {"eq": ["AWS::IAM::Role"]}}'

This command produces no output.

For more information, see Archive rules in the Amazon IAM User Guide.

For API details, see CreateArchiveRule in Amazon CLI Command Reference.

The following code example shows how to use delete-analyzer.

Amazon CLI

To delete the specified analyzer

The following delete-analyzer example deletes the specified analyzer in your Amazon account.


aws accessanalyzer delete-analyzer \
    --analyzer-name example

This command produces no output.

For more information, see Archive rules in the Amazon IAM User Guide.

For API details, see DeleteAnalyzer in Amazon CLI Command Reference.

The following code example shows how to use delete-archive-rule.

Amazon CLI

To delete the specified archive rule

The following delete-archive-rule example deletes the specified archive rule in your Amazon account.


aws accessanalyzer delete-archive-rule \
    --analyzer-name UnusedAccess-ConsoleAnalyzer-organization \
    --rule-name MyRule

This command produces no output.

For more information, see Archive rules in the Amazon IAM User Guide.

For API details, see DeleteArchiveRule in Amazon CLI Command Reference.

The following code example shows how to use get-access-preview.

Amazon CLI

To retrieves information about an access preview for the specified analyzer

The following get-access-preview example retrieves information about an access preview for the specified analyzer in your Amazon account.


aws accessanalyzer get-access-preview \
    --access-preview-id 3c65eb13-6ef9-4629-8919-a32043619e6b \
    --analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account

Output:


{
    "accessPreview": {
        "id": "3c65eb13-6ef9-4629-8919-a32043619e6b",
        "analyzerArn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account",
        "configurations": {
            "arn:aws:s3:::DOC-EXAMPLE-BUCKET": {
                "s3Bucket": {
                    "bucketPolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::111122223333:root\"]},\"Action\":[\"s3:PutObject\",\"s3:PutObjectAcl\"],\"Resource\":\"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*\"}]}",
                    "bucketAclGrants": [
                        {
                            "permission": "READ",
                            "grantee": {
                                "id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
                            }
                        }
                    ],
                    "bucketPublicAccessBlock": {
                        "ignorePublicAcls": true,
                        "restrictPublicBuckets": true
                    }
                }
            }
        },
        "createdAt": "2024-02-17T00:18:44+00:00",
        "status": "COMPLETED"
    }
}

For more information, see Previewing access with IAM Access Analyzer APIs in the Amazon IAM User Guide.

For API details, see GetAccessPreview in Amazon CLI Command Reference.

The following code example shows how to use get-analyzed-resource.

Amazon CLI

To retrieve information about a resource that was analyzed

The following get-analyzed-resource example retrieves information about a resource that was analyzed in your Amazon account.


aws accessanalyzer get-analyzed-resource \
    --analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
    --resource-arn arn:aws:s3:::DOC-EXAMPLE-BUCKET

Output:


{
    "resource": {
        "analyzedAt": "2024-02-15T18:01:53.002000+00:00",
        "isPublic": false,
        "resourceArn": "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "resourceOwnerAccount": "111122223333",
        "resourceType": "AWS::S3::Bucket"
    }
}

For more information, see Using Amazon Identity and Access Management Access Analyzer in the Amazon IAM User Guide.

For API details, see GetAnalyzedResource in Amazon CLI Command Reference.

The following code example shows how to use get-analyzer.

Amazon CLI

To retrieve information about the specified analyzer

The following get-analyzer example retrieves information about the specified analyzer in your Amazon account.


aws accessanalyzer get-analyzer \
    --analyzer-name ConsoleAnalyzer-account

Output:


{
    "analyzer": {
        "arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account",
        "createdAt": "2019-12-03T07:28:17+00:00",
        "lastResourceAnalyzed": "arn:aws:sns:us-west-2:111122223333:config-topic",
        "lastResourceAnalyzedAt": "2024-02-15T18:01:53.003000+00:00",
        "name": "ConsoleAnalyzer-account",
        "status": "ACTIVE",
        "tags": {
            "auto-delete": "no"
        },
        "type": "ACCOUNT"
    }
}

For more information, see Using Amazon Identity and Access Management Access Analyzer in the Amazon IAM User Guide.

For API details, see GetAnalyzer in Amazon CLI Command Reference.

The following code example shows how to use get-archive-rule.

Amazon CLI

To retrieve information about an archive rule

The following get-archive-rule example retrieves information about an archive rule in your Amazon account.


aws accessanalyzer get-archive-rule \
    --analyzer-name UnusedAccess-ConsoleAnalyzer-organization \
    --rule-name MyArchiveRule

Output:


{
    "archiveRule": {
        "createdAt": "2024-02-15T00:49:27+00:00",
        "filter": {
            "resource": {
                "contains": [
                    "Cognito"
                ]
            },
            "resourceType": {
                "eq": [
                    "AWS::IAM::Role"
                ]
            }
        },
        "ruleName": "MyArchiveRule",
        "updatedAt": "2024-02-15T00:49:27+00:00"
    }
}

For more information, see Archive rules in the Amazon IAM User Guide.

For API details, see GetArchiveRule in Amazon CLI Command Reference.

The following code example shows how to use get-finding-v2.

Amazon CLI

To retrieve information about the specified finding

The following get-finding-v2 example etrieves information about the specified finding in your Amazon account.


aws accessanalyzer get-finding-v2 \
    --analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-organization \
    --id 0910eedb-381e-4e95-adda-0d25c19e6e90

Output:


{
    "findingDetails": [
        {
            "externalAccessDetails": {
                "action": [
                    "sts:AssumeRoleWithWebIdentity"
                ],
                "condition": {
                    "cognito-identity.amazonaws.com:aud": "us-west-2:EXAMPLE0-0000-0000-0000-000000000000"
                },
                "isPublic": false,
                "principal": {
                    "Federated": "cognito-identity.amazonaws.com"
                }
            }
        }
    ],
    "resource": "arn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role",
    "status": "ACTIVE",
    "error": null,
    "createdAt": "2021-02-26T21:17:50.905000+00:00",
    "resourceType": "AWS::IAM::Role",
    "findingType": "ExternalAccess",
    "resourceOwnerAccount": "111122223333",
    "analyzedAt": "2024-02-16T18:17:47.888000+00:00",
    "id": "0910eedb-381e-4e95-adda-0d25c19e6e90",
    "updatedAt": "2021-02-26T21:17:50.905000+00:00"
}

For more information, see Reviewing findings in the Amazon IAM User Guide.

For API details, see GetFindingV2 in Amazon CLI Command Reference.

The following code example shows how to use get-finding.

Amazon CLI

To retrieve information about the specified finding

The following get-finding example etrieves information about the specified finding in your Amazon account.


aws accessanalyzer get-finding \
    --analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-organization \
    --id 0910eedb-381e-4e95-adda-0d25c19e6e90

Output:


{
    "finding": {
        "id": "0910eedb-381e-4e95-adda-0d25c19e6e90",
        "principal": {
            "Federated": "cognito-identity.amazonaws.com"
        },
        "action": [
            "sts:AssumeRoleWithWebIdentity"
        ],
        "resource": "arn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role",
        "isPublic": false,
        "resourceType": "AWS::IAM::Role",
        "condition": {
            "cognito-identity.amazonaws.com:aud": "us-west-2:EXAMPLE0-0000-0000-0000-000000000000"
        },
        "createdAt": "2021-02-26T21:17:50.905000+00:00",
        "analyzedAt": "2024-02-16T18:17:47.888000+00:00",
        "updatedAt": "2021-02-26T21:17:50.905000+00:00",
        "status": "ACTIVE",
        "resourceOwnerAccount": "111122223333"
    }
}

For more information, see Reviewing findings in the Amazon IAM User Guide.

For API details, see GetFinding in Amazon CLI Command Reference.

The following code example shows how to use get-generated-policy.

Amazon CLI

To retrieve the policy that was generated using the `StartPolicyGeneration` API

The following get-generated-policy example retrieves the policy that was generated using the StartPolicyGeneration API in your Amazon account.


aws accessanalyzer get-generated-policy \
    --job-id c557dc4a-0338-4489-95dd-739014860ff9

Output:


{
    "generatedPolicyResult": {
        "generatedPolicies": [
            {
                "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"SupportedServiceSid0\",\"Effect\":\"Allow\",\"Action\":[\"access-analyzer:GetAnalyzer\",\"access-analyzer:ListAnalyzers\",\"access-analyzer:ListArchiveRules\",\"access-analyzer:ListFindings\",\"cloudtrail:DescribeTrails\",\"cloudtrail:GetEventDataStore\",\"cloudtrail:GetEventSelectors\",\"cloudtrail:GetInsightSelectors\",\"cloudtrail:GetTrailStatus\",\"cloudtrail:ListChannels\",\"cloudtrail:ListEventDataStores\",\"cloudtrail:ListQueries\",\"cloudtrail:ListTags\",\"cloudtrail:LookupEvents\",\"ec2:DescribeRegions\",\"iam:GetAccountSummary\",\"iam:GetOpenIDConnectProvider\",\"iam:GetRole\",\"iam:ListAccessKeys\",\"iam:ListAccountAliases\",\"iam:ListOpenIDConnectProviders\",\"iam:ListRoles\",\"iam:ListSAMLProviders\",\"kms:ListAliases\",\"s3:GetBucketLocation\",\"s3:ListAllMyBuckets\"],\"Resource\":\"*\"}]}"
            }
        ],
        "properties": {
            "cloudTrailProperties": {
                "endTime": "2024-02-14T22:44:40+00:00",
                "startTime": "2024-02-13T00:30:00+00:00",
                "trailProperties": [
                    {
                        "allRegions": true,
                        "cloudTrailArn": "arn:aws:cloudtrail:us-west-2:111122223333:trail/my-trail",
                        "regions": []
                    }
                ]
            },
            "isComplete": false,
            "principalArn": "arn:aws:iam::111122223333:role/Admin"
        }
    },
    "jobDetails": {
        "completedOn": "2024-02-14T22:47:01+00:00",
        "jobId": "c557dc4a-0338-4489-95dd-739014860ff9",
        "startedOn": "2024-02-14T22:44:41+00:00",
        "status": "SUCCEEDED"
    }
}

For more information, see IAM Access Analyzer policy generation in the Amazon IAM User Guide.

For API details, see GetGeneratedPolicy in Amazon CLI Command Reference.

The following code example shows how to use list-access-preview-findings.

Amazon CLI

To retrieve a list of access preview findings generated by the specified access preview

The following list-access-preview-findings example retrieves a list of access preview findings generated by the specified access preview in your Amazon account.


aws accessanalyzer list-access-preview-findings \
    --access-preview-id 3c65eb13-6ef9-4629-8919-a32043619e6b \
    --analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account

Output:


{
    "findings": [
        {
            "id": "e22fc158-1c87-4c32-9464-e7f405ce8d74",
            "principal": {
                "AWS": "111122223333"
            },
            "action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "condition": {},
            "resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
            "isPublic": false,
            "resourceType": "AWS::S3::Bucket",
            "createdAt": "2024-02-17T00:18:46+00:00",
            "changeType": "NEW",
            "status": "ACTIVE",
            "resourceOwnerAccount": "111122223333",
            "sources": [
                {
                    "type": "POLICY"
                }
            ]
        }
    ]
}

For more information, see Previewing access with IAM Access Analyzer APIs in the Amazon IAM User Guide.

For API details, see ListAccessPreviewFindings in Amazon CLI Command Reference.

The following code example shows how to use list-access-previews.

Amazon CLI

To retrieve a list of access previews for the specified analyzer

The following list-access-previews example retrieves a list of access previews for the specified analyzer in your Amazon account.


aws accessanalyzer list-access-previews \
    --analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account

Output:


{
    "accessPreviews": [
        {
            "id": "3c65eb13-6ef9-4629-8919-a32043619e6b",
            "analyzerArn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account",
            "createdAt": "2024-02-17T00:18:44+00:00",
            "status": "COMPLETED"
        }
    ]
}

For more information, see Previewing access with IAM Access Analyzer APIs in the Amazon IAM User Guide.

For API details, see ListAccessPreviews in Amazon CLI Command Reference.

The following code example shows how to use list-analyzed-resources.

Amazon CLI

To list the available widgets

The following list-analyzed-resources example lists the available widgets in your Amazon account.


aws accessanalyzer list-analyzed-resources \
    --analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
    --resource-type AWS::IAM::Role

Output:


{
    "analyzedResources": [
        {
            "resourceArn": "arn:aws:sns:us-west-2:111122223333:Validation-Email",
            "resourceOwnerAccount": "111122223333",
            "resourceType": "AWS::SNS::Topic"
        },
        {
            "resourceArn": "arn:aws:sns:us-west-2:111122223333:admin-alerts",
            "resourceOwnerAccount": "111122223333",
            "resourceType": "AWS::SNS::Topic"
        },
        {
            "resourceArn": "arn:aws:sns:us-west-2:111122223333:config-topic",
            "resourceOwnerAccount": "111122223333",
            "resourceType": "AWS::SNS::Topic"
        },
        {
            "resourceArn": "arn:aws:sns:us-west-2:111122223333:inspector-topic",
            "resourceOwnerAccount": "111122223333",
            "resourceType": "AWS::SNS::Topic"
        }
    ]
}

For more information, see Using Amazon Identity and Access Management Access Analyzer in the Amazon IAM User Guide.

For API details, see ListAnalyzedResources in Amazon CLI Command Reference.

The following code example shows how to use list-analyzers.

Amazon CLI

To retrieve a list of analyzers

The following list-analyzers example retrieves a list of analyzers in your Amazon account.


aws accessanalyzer list-analyzers

Output:


{
    "analyzers": [
        {
            "arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/UnusedAccess-ConsoleAnalyzer-organization",
            "createdAt": "2024-02-15T00:46:40+00:00",
            "name": "UnusedAccess-ConsoleAnalyzer-organization",
            "status": "ACTIVE",
            "tags": {
                "auto-delete": "no"
            },
            "type": "ORGANIZATION_UNUSED_ACCESS"
        },
        {
            "arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-organization",
            "createdAt": "2020-04-25T07:43:28+00:00",
            "lastResourceAnalyzed": "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
            "lastResourceAnalyzedAt": "2024-02-15T21:51:56.517000+00:00",
            "name": "ConsoleAnalyzer-organization",
            "status": "ACTIVE",
            "tags": {
                "auto-delete": "no"
            },
            "type": "ORGANIZATION"
        },
        {
            "arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account",
            "createdAt": "2019-12-03T07:28:17+00:00",
            "lastResourceAnalyzed": "arn:aws:sns:us-west-2:111122223333:config-topic",
            "lastResourceAnalyzedAt": "2024-02-15T18:01:53.003000+00:00",
            "name": "ConsoleAnalyzer-account",
            "status": "ACTIVE",
            "tags": {
                "auto-delete": "no"
            },
            "type": "ACCOUNT"
        }
    ]
}

For more information, see Using Amazon Identity and Access Management Access Analyzer in the Amazon IAM User Guide.

For API details, see ListAnalyzers in Amazon CLI Command Reference.

The following code example shows how to use list-archive-rules.

Amazon CLI

To retrieve a list of archive rules created for the specified analyzer

The following list-archive-rules example retrieves a list of archive rules created for the specified analyzer in your Amazon account.


aws accessanalyzer list-archive-rules \
    --analyzer-name UnusedAccess-ConsoleAnalyzer-organization

Output:


{
    "archiveRules": [
        {
            "createdAt": "2024-02-15T00:49:27+00:00",
            "filter": {
                "resource": {
                    "contains": [
                        "Cognito"
                    ]
                },
                "resourceType": {
                    "eq": [
                        "AWS::IAM::Role"
                    ]
                }
            },
            "ruleName": "MyArchiveRule",
            "updatedAt": "2024-02-15T00:49:27+00:00"
        },
        {
            "createdAt": "2024-02-15T23:27:45+00:00",
            "filter": {
                "findingType": {
                    "eq": [
                        "UnusedIAMUserAccessKey"
                    ]
                }
            },
            "ruleName": "ArchiveRule-56125a39-e517-4ff8-afb1-ef06f58db612",
            "updatedAt": "2024-02-15T23:27:45+00:00"
        }
    ]
}

For more information, see Using Amazon Identity and Access Management Access Analyzer in the Amazon IAM User Guide.

For API details, see ListArchiveRules in Amazon CLI Command Reference.

The following code example shows how to use list-findings-v2.

Amazon CLI

To retrieve a list of findings generated by the specified analyzer

The following list-findings-v2 example retrieves a list of findings generated by the specified analyzer in your Amazon account. This example filters the results to include only IAM roles whose name contains Cognito.


aws accessanalyzer list-findings-v2 \
    --analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
    --filter '{"resource": {"contains": ["Cognito"]}, "resourceType": {"eq": ["AWS::IAM::Role"]}}'

Output:


{
    "findings": [
        {
            "analyzedAt": "2024-02-16T18:17:47.888000+00:00",
            "createdAt": "2021-02-26T21:17:24.710000+00:00",
            "id": "597f3bc2-3adc-4c18-9879-5c4b23485e46",
            "resource": "arn:aws:iam::111122223333:role/Cognito_testpoolUnauth_Role",
            "resourceType": "AWS::IAM::Role",
            "resourceOwnerAccount": "111122223333",
            "status": "ACTIVE",
            "updatedAt": "2021-02-26T21:17:24.710000+00:00",
            "findingType": "ExternalAccess"
        },
        {
            "analyzedAt": "2024-02-16T18:17:47.888000+00:00",
            "createdAt": "2021-02-26T21:17:50.905000+00:00",
            "id": "ce0e221a-85b9-4d52-91ff-d7678075442f",
            "resource": "arn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role",
            "resourceType": "AWS::IAM::Role",
            "resourceOwnerAccount": "111122223333",
            "status": "ACTIVE",
            "updatedAt": "2021-02-26T21:17:50.905000+00:00",
            "findingType": "ExternalAccess"
        }
    ]
}

For more information, see Using Amazon Identity and Access Management Access Analyzer in the Amazon IAM User Guide.

For API details, see ListFindingsV2 in Amazon CLI Command Reference.

The following code example shows how to use list-findings.

Amazon CLI

To retrieve a list of findings generated by the specified analyzer

The following list-findings example retrieves a list of findings generated by the specified analyzer in your Amazon account. This example filters the results to include only IAM roles whose name contains Cognito.


aws accessanalyzer list-findings \
    --analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
    --filter '{"resource": {"contains": ["Cognito"]}, "resourceType": {"eq": ["AWS::IAM::Role"]}}'

Output:


{
    "findings": [
        {
            "id": "597f3bc2-3adc-4c18-9879-5c4b23485e46",
            "principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "action": [
                "sts:AssumeRoleWithWebIdentity"
            ],
            "resource": "arn:aws:iam::111122223333:role/Cognito_testpoolUnauth_Role",
            "isPublic": false,
            "resourceType": "AWS::IAM::Role",
            "condition": {
                "cognito-identity.amazonaws.com:aud": "us-west-2:EXAMPLE0-0000-0000-0000-000000000000"
            },
            "createdAt": "2021-02-26T21:17:24.710000+00:00",
            "analyzedAt": "2024-02-16T18:17:47.888000+00:00",
            "updatedAt": "2021-02-26T21:17:24.710000+00:00",
            "status": "ACTIVE",
            "resourceOwnerAccount": "111122223333"
        },
        {
            "id": "ce0e221a-85b9-4d52-91ff-d7678075442f",
            "principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "action": [
                "sts:AssumeRoleWithWebIdentity"
            ],
            "resource": "arn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role",
            "isPublic": false,
            "resourceType": "AWS::IAM::Role",
            "condition": {
                "cognito-identity.amazonaws.com:aud": "us-west-2:EXAMPLE0-0000-0000-0000-000000000000"
            },
            "createdAt": "2021-02-26T21:17:50.905000+00:00",
            "analyzedAt": "2024-02-16T18:17:47.888000+00:00",
            "updatedAt": "2021-02-26T21:17:50.905000+00:00",
            "status": "ACTIVE",
            "resourceOwnerAccount": "111122223333"
        }
    ]
}

For more information, see Using Amazon Identity and Access Management Access Analyzer in the Amazon IAM User Guide.

For API details, see ListFindings in Amazon CLI Command Reference.

The following code example shows how to use list-policy-generations.

Amazon CLI

To list all of the policy generations requested in the last seven days

The following list-policy-generations example lists all of the policy generations requested in the last seven days in your Amazon account.


aws accessanalyzer list-policy-generations

Output:


{
    "policyGenerations": [
        {
            "completedOn": "2024-02-14T23:43:38+00:00",
            "jobId": "923a56b0-ebb8-4e80-8a3c-a11ccfbcd6f2",
            "principalArn": "arn:aws:iam::111122223333:role/Admin",
            "startedOn": "2024-02-14T23:43:02+00:00",
            "status": "CANCELED"
        },
        {
            "completedOn": "2024-02-14T22:47:01+00:00",
            "jobId": "c557dc4a-0338-4489-95dd-739014860ff9",
            "principalArn": "arn:aws:iam::111122223333:role/Admin",
            "startedOn": "2024-02-14T22:44:41+00:00",
            "status": "SUCCEEDED"
        }
    ]
}

For more information, see IAM Access Analyzer policy generation in the Amazon IAM User Guide.

For API details, see ListPolicyGenerations in Amazon CLI Command Reference.

The following code example shows how to use list-tags-for-resource.

Amazon CLI

To retrieve a list of tags applied to the specified resource

The following list-tags-for-resource example retrieves a list of tags applied to the specified resource in your Amazon account.


aws accessanalyzer list-tags-for-resource \
    --resource-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account

Output:


{
    "tags": {
        "Zone-of-trust": "Account",
        "Name": "ConsoleAnalyzer"
    }
}

For more information, see IAM Access Analyzer policy generation in the Amazon IAM User Guide.

For API details, see ListTagsForResource in Amazon CLI Command Reference.

The following code example shows how to use start-policy-generation.

Amazon CLI

To start a policy generation request

The following start-policy-generation example starts a policy generation request in your Amazon account.


aws accessanalyzer start-policy-generation \
    --policy-generation-details '{"principalArn":"arn:aws:iam::111122223333:role/Admin"}' \
    --cloud-trail-details file://myfile.json

Contents of myfile.json:


{
    "accessRole": "arn:aws:iam::111122223333:role/service-role/AccessAnalyzerMonitorServiceRole",
    "startTime": "2024-02-13T00:30:00Z",
    "trails": [
        {
            "allRegions": true,
            "cloudTrailArn": "arn:aws:cloudtrail:us-west-2:111122223333:trail/my-trail"
        }
    ]
}

Output:


{
    "jobId": "c557dc4a-0338-4489-95dd-739014860ff9"
}

For more information, see IAM Access Analyzer policy generation in the Amazon IAM User Guide.

For API details, see StartPolicyGeneration in Amazon CLI Command Reference.

The following code example shows how to use start-resource-scan.

Amazon CLI

To immediately start a scan of the policies applied to the specified resource

The following start-resource-scan example mmediately starts a scan of the policies applied to the specified resource in your Amazon account.


aws accessanalyzer start-resource-scan \
    --analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
    --resource-arn arn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role

This command produces no output.

For more information, see IAM Access Analyzer policy generation in the Amazon IAM User Guide.

For API details, see StartResourceScan in Amazon CLI Command Reference.

The following code example shows how to use tag-resource.

Amazon CLI

To add a tag to the specified resource

The following tag-resource example adds a tag to the specified resource in your Amazon account.


aws accessanalyzer tag-resource \
    --resource-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
    --tags Environment=dev,Purpose=testing

This command produces no output.

For more information, see Using Amazon Identity and Access Management Access Analyzer in the Amazon IAM User Guide.

For API details, see TagResource in Amazon CLI Command Reference.

The following code example shows how to use untag-resource.

Amazon CLI

To remove tags from the specified resources

The following untag-resource example removes tags from the specified resource in your Amazon account.


aws accessanalyzer untag-resource \
    --resource-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
    --tag-keys Environment Purpose

This command produces no output.

For more information, see Using Amazon Identity and Access Management Access Analyzer in the Amazon IAM User Guide.

For API details, see UntagResource in Amazon CLI Command Reference.

The following code example shows how to use update-archive-rule.

Amazon CLI

To update the criteria and values for the specified archive rule

The following update-archive-rule example updates the criteria and values for the specified archive rule in your Amazon account.


aws accessanalyzer update-archive-rule \
    --analyzer-name UnusedAccess-ConsoleAnalyzer-organization \
    --rule-name MyArchiveRule \
    --filter '{"resource": {"contains": ["Cognito"]}, "resourceType": {"eq": ["AWS::IAM::Role"]}}'

This command produces no output.

For more information, see Archive rules in the Amazon IAM User Guide.

For API details, see UpdateArchiveRule in Amazon CLI Command Reference.

The following code example shows how to use update-findings.

Amazon CLI

To update the status for the specified findings

The following update-findings example updates the status for the specified findings in your Amazon account.


aws accessanalyzer update-findings \
    --analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/UnusedAccess-ConsoleAnalyzer-organization \
    --ids 4f319ac3-2e0c-4dc4-bf51-7013a086b6ae 780d586a-2cce-4f72-aff6-359d450e7500 \
    --status ARCHIVED

This command produces no output.

For more information, see Using Amazon Identity and Access Management Access Analyzer in the Amazon IAM User Guide.

For API details, see UpdateFindings in Amazon CLI Command Reference.

The following code example shows how to use validate-policy.

Amazon CLI

To request the validation of a policy and returns a list of findings

The following validate-policy example requests the validation of a policy and returns a list of findings. The policy in the example is a role trust policy for an Amazon Cognito role used for web identity federation. The findings generated from the trust policy relate to an empty Sid element value and a mismatched policy principal due to the incorrect assume role action being used, sts:AssumeRole. The correct assume role action for use with Cognito is sts:AssumeRoleWithWebIdentity.


aws accessanalyzer validate-policy \
    --policy-document file://myfile.json \
    --policy-type RESOURCE_POLICY

Contents of myfile.json:


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "us-west-2_EXAMPLE"
                }
            }
        }
    ]
}

Output:


{
    "findings": [
        {
            "findingDetails": "Add a value to the empty string in the Sid element.",
            "findingType": "SUGGESTION",
            "issueCode": "EMPTY_SID_VALUE",
            "learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-empty-sid-value",
            "locations": [
                {
                    "path": [
                        {
                            "value": "Statement"
                        },
                        {
                            "index": 0
                        },
                        {
                            "value": "Sid"
                        }
                    ],
                    "span": {
                        "end": {
                            "column": 21,
                            "line": 5,
                            "offset": 81
                        },
                        "start": {
                            "column": 19,
                            "line": 5,
                            "offset": 79
                        }
                    }
                }
            ]
        },
        {
            "findingDetails": "The sts:AssumeRole action is invalid with the following principal(s): cognito-identity.amazonaws.com. Use a SAML provider principal with the sts:AssumeRoleWithSAML action or use an OIDC provider principal with the sts:AssumeRoleWithWebIdentity action. Ensure the provider is Federated if you use either of the two options.",
            "findingType": "ERROR",
            "issueCode": "MISMATCHED_ACTION_FOR_PRINCIPAL",
            "learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-mismatched-action-for-principal",
            "locations": [
                {
                    "path": [
                        {
                            "value": "Statement"
                        },
                        {
                            "index": 0
                        },
                        {
                            "value": "Action"
                        },
                        {
                            "index": 0
                        }
                    ],
                    "span": {
                        "end": {
                            "column": 32,
                            "line": 11,
                            "offset": 274
                        },
                        "start": {
                            "column": 16,
                            "line": 11,
                            "offset": 258
                        }
                    }
                },
                {
                    "path": [
                        {
                            "value": "Statement"
                        },
                        {
                            "index": 0
                        },
                        {
                            "value": "Principal"
                        },
                        {
                            "value": "Federated"
                        }
                    ],
                    "span": {
                        "end": {
                            "column": 61,
                            "line": 8,
                            "offset": 202
                        },
                        "start": {
                            "column": 29,
                            "line": 8,
                            "offset": 170
                        }
                    }
                }
            ]
        },
        {
            "findingDetails": "The following actions: sts:TagSession are not supported by the condition key cognito-identity.amazonaws.com:aud. The condition will not be evaluated for these actions. We recommend that you move these actions to a different statement without this condition key.",
            "findingType": "ERROR",
            "issueCode": "UNSUPPORTED_ACTION_FOR_CONDITION_KEY",
            "learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-unsupported-action-for-condition-key",
            "locations": [
                {
                    "path": [
                        {
                            "value": "Statement"
                        },
                        {
                            "index": 0
                        },
                        {
                            "value": "Action"
                        },
                        {
                            "index": 1
                        }
                    ],
                    "span": {
                        "end": {
                            "column": 32,
                            "line": 12,
                            "offset": 308
                        },
                        "start": {
                            "column": 16,
                            "line": 12,
                            "offset": 292
                        }
                    }
                },
                {
                    "path": [
                        {
                            "value": "Statement"
                        },
                        {
                            "index": 0
                        },
                        {
                            "value": "Condition"
                        },
                        {
                            "value": "StringEquals"
                        },
                        {
                            "value": "cognito-identity.amazonaws.com:aud"
                        }
                    ],
                    "span": {
                        "end": {
                            "column": 79,
                            "line": 16,
                            "offset": 464
                        },
                        "start": {
                            "column": 58,
                            "line": 16,
                            "offset": 443
                        }
                    }
                }
            ]
        }
    ]
}

For more information, see Checks for validating policies in the Amazon IAM User Guide.

For API details, see ValidatePolicy in Amazon CLI Command Reference.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

IAM

Image Builder