This documentation is for Version 1 of the Amazon CLI only. For documentation related to Version 2 of the Amazon CLI, see the Version 2 User Guide.
IAM Access Analyzer examples using Amazon CLI
The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with IAM Access Analyzer.
Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.
Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.
Topics
Actions
The following code example shows how to use apply-archive-rule
.
- Amazon CLI
-
To apply an archive rule to existing findings that meet the archive rule criteria
The following
apply-archive-rule
example applies an archive rule to existing findings that meet the archive rule criteria.aws accessanalyzer apply-archive-rule \ --analyzer-arn
arn:aws:access-analyzer:us-west-2:111122223333:analyzer/UnusedAccess-ConsoleAnalyzer-organization
\ --rule-nameMyArchiveRule
This command produces no output.
For more information, see Archive rules
in the Amazon IAM User Guide. -
For API details, see ApplyArchiveRule
in Amazon CLI Command Reference.
-
The following code example shows how to use cancel-policy-generation
.
- Amazon CLI
-
To cancel the requested policy generation
The following
cancel-policy-generation
example cancels the requested policy generation job id.aws accessanalyzer cancel-policy-generation \ --job-id
923a56b0-ebb8-4e80-8a3c-a11ccfbcd6f2
This command produces no output.
For more information, see IAM Access Analyzer policy generation
in the Amazon IAM User Guide. -
For API details, see CancelPolicyGeneration
in Amazon CLI Command Reference.
-
The following code example shows how to use check-access-not-granted
.
- Amazon CLI
-
To check whether the specified access isn't allowed by a policy
The following
check-access-not-granted
example checks whether the specified access isn't allowed by a policy.aws accessanalyzer check-access-not-granted \ --policy-document
file://myfile.json
\ --access actions="s3:DeleteBucket","s3:GetBucketLocation" \ --policy-typeIDENTITY_POLICY
Contents of
myfile.json
:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" ] } ] }
Output:
{ "result": "PASS", "message": "The policy document does not grant access to perform one or more of the listed actions." }
For more information, see Previewing access with IAM Access Analyzer APIs
in the Amazon IAM User Guide. -
For API details, see CheckAccessNotGranted
in Amazon CLI Command Reference.
-
The following code example shows how to use check-no-new-access
.
- Amazon CLI
-
To check whether new access is allowed for an updated policy when compared to the existing policy
The following
check-no-new-access
example checks whether new access is allowed for an updated policy when compared to the existing policy.aws accessanalyzer check-no-new-access \ --existing-policy-document
file://existing-policy.json
\ --new-policy-documentfile://new-policy.json
\ --policy-typeIDENTITY_POLICY
Contents of
existing-policy.json
:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" ] } ] }
Contents of
new-policy.json
:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*" ] } ] }
Output:
{ "result": "FAIL", "message": "The modified permissions grant new access compared to your existing policy.", "reasons": [ { "description": "New access in the statement with index: 0.", "statementIndex": 0 } ] }
For more information, see Previewing access with IAM Access Analyzer APIs
in the Amazon IAM User Guide. -
For API details, see CheckNoNewAccess
in Amazon CLI Command Reference.
-
The following code example shows how to use check-no-public-access
.
- Amazon CLI
-
To check whether a resource policy can grant public access to the specified resource type
The following
check-no-public-access
example checks whether a resource policy can grant public access to the specified resource type.aws accessanalyzer check-no-public-access \ --policy-document
file://check-no-public-access-myfile.json
\ --resource-typeAWS::S3::Bucket
Contents of
myfile.json
:{ "Version": "2012-10-17", "Statement": [ { "Sid": "CheckNoPublicAccess", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/JohnDoe" }, "Action": [ "s3:GetObject" ] } ] }
Output:
{ "result": "PASS", "message": "The resource policy does not grant public access for the given resource type." }
For more information, see Previewing access with IAM Access Analyzer APIs
in the Amazon IAM User Guide. -
For API details, see CheckNoPublicAccess
in Amazon CLI Command Reference.
-
The following code example shows how to use create-access-preview
.
- Amazon CLI
-
To create an access preview that allows you to preview IAM Access Analyzer findings for your resource before deploying resource permissions
The following
create-access-preview
example creates an access preview that allows you to preview IAM Access Analyzer findings for your resource before deploying resource permissions in your Amazon account.aws accessanalyzer create-access-preview \ --analyzer-arn
arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
\ --configurationsfile://myfile.json
Contents of
myfile.json
:{ "arn:aws:s3:::DOC-EXAMPLE-BUCKET": { "s3Bucket": { "bucketPolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::111122223333:root\"]},\"Action\":[\"s3:PutObject\",\"s3:PutObjectAcl\"],\"Resource\":\"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*\"}]}", "bucketPublicAccessBlock": { "ignorePublicAcls": true, "restrictPublicBuckets": true }, "bucketAclGrants": [ { "grantee": { "id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be" }, "permission": "READ" } ] } } }
Output:
{ "id": "3c65eb13-6ef9-4629-8919-a32043619e6b" }
For more information, see Previewing access with IAM Access Analyzer APIs
in the Amazon IAM User Guide. -
For API details, see CreateAccessPreview
in Amazon CLI Command Reference.
-
The following code example shows how to use create-analyzer
.
- Amazon CLI
-
To create an analyzer
The following
create-analyzer
example creates an analyzer in your Amazon account.aws accessanalyzer create-analyzer \ --analyzer-name
example
\ --typeACCOUNT
Output:
{ "arn": "arn:aws:access-analyzer:us-east-2:111122223333:analyzer/example" }
For more information, see Getting started with Amazon Identity and Access Management Access Analyzer findings
in the Amazon IAM User Guide. -
For API details, see CreateAnalyzer
in Amazon CLI Command Reference.
-
The following code example shows how to use create-archive-rule
.
- Amazon CLI
-
To create an archive rule for the specified analyzer
The following
create-archive-rule
example creates an archive rule for the specified analyzer in your Amazon account.aws accessanalyzer create-archive-rule \ --analyzer-name
UnusedAccess-ConsoleAnalyzer-organization
\ --rule-nameMyRule
\ --filter '{"resource": {"contains": ["Cognito"]}, "resourceType": {"eq": ["AWS::IAM::Role"]}}
'This command produces no output.
For more information, see Archive rules
in the Amazon IAM User Guide. -
For API details, see CreateArchiveRule
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-analyzer
.
- Amazon CLI
-
To delete the specified analyzer
The following
delete-analyzer
example deletes the specified analyzer in your Amazon account.aws accessanalyzer delete-analyzer \ --analyzer-name
example
This command produces no output.
For more information, see Archive rules
in the Amazon IAM User Guide. -
For API details, see DeleteAnalyzer
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-archive-rule
.
- Amazon CLI
-
To delete the specified archive rule
The following
delete-archive-rule
example deletes the specified archive rule in your Amazon account.aws accessanalyzer delete-archive-rule \ --analyzer-name
UnusedAccess-ConsoleAnalyzer-organization
\ --rule-nameMyRule
This command produces no output.
For more information, see Archive rules
in the Amazon IAM User Guide. -
For API details, see DeleteArchiveRule
in Amazon CLI Command Reference.
-
The following code example shows how to use get-access-preview
.
- Amazon CLI
-
To retrieves information about an access preview for the specified analyzer
The following
get-access-preview
example retrieves information about an access preview for the specified analyzer in your Amazon account.aws accessanalyzer get-access-preview \ --access-preview-id
3c65eb13-6ef9-4629-8919-a32043619e6b
\ --analyzer-arnarn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
Output:
{ "accessPreview": { "id": "3c65eb13-6ef9-4629-8919-a32043619e6b", "analyzerArn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account", "configurations": { "arn:aws:s3:::DOC-EXAMPLE-BUCKET": { "s3Bucket": { "bucketPolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::111122223333:root\"]},\"Action\":[\"s3:PutObject\",\"s3:PutObjectAcl\"],\"Resource\":\"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*\"}]}", "bucketAclGrants": [ { "permission": "READ", "grantee": { "id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be" } } ], "bucketPublicAccessBlock": { "ignorePublicAcls": true, "restrictPublicBuckets": true } } } }, "createdAt": "2024-02-17T00:18:44+00:00", "status": "COMPLETED" } }
For more information, see Previewing access with IAM Access Analyzer APIs
in the Amazon IAM User Guide. -
For API details, see GetAccessPreview
in Amazon CLI Command Reference.
-
The following code example shows how to use get-analyzed-resource
.
- Amazon CLI
-
To retrieve information about a resource that was analyzed
The following
get-analyzed-resource
example retrieves information about a resource that was analyzed in your Amazon account.aws accessanalyzer get-analyzed-resource \ --analyzer-arn
arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
\ --resource-arnarn:aws:s3:::DOC-EXAMPLE-BUCKET
Output:
{ "resource": { "analyzedAt": "2024-02-15T18:01:53.002000+00:00", "isPublic": false, "resourceArn": "arn:aws:s3:::DOC-EXAMPLE-BUCKET", "resourceOwnerAccount": "111122223333", "resourceType": "AWS::S3::Bucket" } }
For more information, see Using Amazon Identity and Access Management Access Analyzer
in the Amazon IAM User Guide. -
For API details, see GetAnalyzedResource
in Amazon CLI Command Reference.
-
The following code example shows how to use get-analyzer
.
- Amazon CLI
-
To retrieve information about the specified analyzer
The following
get-analyzer
example retrieves information about the specified analyzer in your Amazon account.aws accessanalyzer get-analyzer \ --analyzer-name
ConsoleAnalyzer-account
Output:
{ "analyzer": { "arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account", "createdAt": "2019-12-03T07:28:17+00:00", "lastResourceAnalyzed": "arn:aws:sns:us-west-2:111122223333:config-topic", "lastResourceAnalyzedAt": "2024-02-15T18:01:53.003000+00:00", "name": "ConsoleAnalyzer-account", "status": "ACTIVE", "tags": { "auto-delete": "no" }, "type": "ACCOUNT" } }
For more information, see Using Amazon Identity and Access Management Access Analyzer
in the Amazon IAM User Guide. -
For API details, see GetAnalyzer
in Amazon CLI Command Reference.
-
The following code example shows how to use get-archive-rule
.
- Amazon CLI
-
To retrieve information about an archive rule
The following
get-archive-rule
example retrieves information about an archive rule in your Amazon account.aws accessanalyzer get-archive-rule \ --analyzer-name
UnusedAccess-ConsoleAnalyzer-organization
\ --rule-nameMyArchiveRule
Output:
{ "archiveRule": { "createdAt": "2024-02-15T00:49:27+00:00", "filter": { "resource": { "contains": [ "Cognito" ] }, "resourceType": { "eq": [ "AWS::IAM::Role" ] } }, "ruleName": "MyArchiveRule", "updatedAt": "2024-02-15T00:49:27+00:00" } }
For more information, see Archive rules
in the Amazon IAM User Guide. -
For API details, see GetArchiveRule
in Amazon CLI Command Reference.
-
The following code example shows how to use get-finding-v2
.
- Amazon CLI
-
To retrieve information about the specified finding
The following
get-finding-v2
example etrieves information about the specified finding in your Amazon account.aws accessanalyzer get-finding-v2 \ --analyzer-arn
arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-organization
\ --id0910eedb-381e-4e95-adda-0d25c19e6e90
Output:
{ "findingDetails": [ { "externalAccessDetails": { "action": [ "sts:AssumeRoleWithWebIdentity" ], "condition": { "cognito-identity.amazonaws.com:aud": "us-west-2:EXAMPLE0-0000-0000-0000-000000000000" }, "isPublic": false, "principal": { "Federated": "cognito-identity.amazonaws.com" } } } ], "resource": "arn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role", "status": "ACTIVE", "error": null, "createdAt": "2021-02-26T21:17:50.905000+00:00", "resourceType": "AWS::IAM::Role", "findingType": "ExternalAccess", "resourceOwnerAccount": "111122223333", "analyzedAt": "2024-02-16T18:17:47.888000+00:00", "id": "0910eedb-381e-4e95-adda-0d25c19e6e90", "updatedAt": "2021-02-26T21:17:50.905000+00:00" }
For more information, see Reviewing findings
in the Amazon IAM User Guide. -
For API details, see GetFindingV2
in Amazon CLI Command Reference.
-
The following code example shows how to use get-finding
.
- Amazon CLI
-
To retrieve information about the specified finding
The following
get-finding
example etrieves information about the specified finding in your Amazon account.aws accessanalyzer get-finding \ --analyzer-arn
arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-organization
\ --id0910eedb-381e-4e95-adda-0d25c19e6e90
Output:
{ "finding": { "id": "0910eedb-381e-4e95-adda-0d25c19e6e90", "principal": { "Federated": "cognito-identity.amazonaws.com" }, "action": [ "sts:AssumeRoleWithWebIdentity" ], "resource": "arn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role", "isPublic": false, "resourceType": "AWS::IAM::Role", "condition": { "cognito-identity.amazonaws.com:aud": "us-west-2:EXAMPLE0-0000-0000-0000-000000000000" }, "createdAt": "2021-02-26T21:17:50.905000+00:00", "analyzedAt": "2024-02-16T18:17:47.888000+00:00", "updatedAt": "2021-02-26T21:17:50.905000+00:00", "status": "ACTIVE", "resourceOwnerAccount": "111122223333" } }
For more information, see Reviewing findings
in the Amazon IAM User Guide. -
For API details, see GetFinding
in Amazon CLI Command Reference.
-
The following code example shows how to use get-generated-policy
.
- Amazon CLI
-
To retrieve the policy that was generated using the `StartPolicyGeneration` API
The following
get-generated-policy
example retrieves the policy that was generated using the StartPolicyGeneration API in your Amazon account.aws accessanalyzer get-generated-policy \ --job-id
c557dc4a-0338-4489-95dd-739014860ff9
Output:
{ "generatedPolicyResult": { "generatedPolicies": [ { "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"SupportedServiceSid0\",\"Effect\":\"Allow\",\"Action\":[\"access-analyzer:GetAnalyzer\",\"access-analyzer:ListAnalyzers\",\"access-analyzer:ListArchiveRules\",\"access-analyzer:ListFindings\",\"cloudtrail:DescribeTrails\",\"cloudtrail:GetEventDataStore\",\"cloudtrail:GetEventSelectors\",\"cloudtrail:GetInsightSelectors\",\"cloudtrail:GetTrailStatus\",\"cloudtrail:ListChannels\",\"cloudtrail:ListEventDataStores\",\"cloudtrail:ListQueries\",\"cloudtrail:ListTags\",\"cloudtrail:LookupEvents\",\"ec2:DescribeRegions\",\"iam:GetAccountSummary\",\"iam:GetOpenIDConnectProvider\",\"iam:GetRole\",\"iam:ListAccessKeys\",\"iam:ListAccountAliases\",\"iam:ListOpenIDConnectProviders\",\"iam:ListRoles\",\"iam:ListSAMLProviders\",\"kms:ListAliases\",\"s3:GetBucketLocation\",\"s3:ListAllMyBuckets\"],\"Resource\":\"*\"}]}" } ], "properties": { "cloudTrailProperties": { "endTime": "2024-02-14T22:44:40+00:00", "startTime": "2024-02-13T00:30:00+00:00", "trailProperties": [ { "allRegions": true, "cloudTrailArn": "arn:aws:cloudtrail:us-west-2:111122223333:trail/my-trail", "regions": [] } ] }, "isComplete": false, "principalArn": "arn:aws:iam::111122223333:role/Admin" } }, "jobDetails": { "completedOn": "2024-02-14T22:47:01+00:00", "jobId": "c557dc4a-0338-4489-95dd-739014860ff9", "startedOn": "2024-02-14T22:44:41+00:00", "status": "SUCCEEDED" } }
For more information, see IAM Access Analyzer policy generation
in the Amazon IAM User Guide. -
For API details, see GetGeneratedPolicy
in Amazon CLI Command Reference.
-
The following code example shows how to use list-access-preview-findings
.
- Amazon CLI
-
To retrieve a list of access preview findings generated by the specified access preview
The following
list-access-preview-findings
example retrieves a list of access preview findings generated by the specified access preview in your Amazon account.aws accessanalyzer list-access-preview-findings \ --access-preview-id
3c65eb13-6ef9-4629-8919-a32043619e6b
\ --analyzer-arnarn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
Output:
{ "findings": [ { "id": "e22fc158-1c87-4c32-9464-e7f405ce8d74", "principal": { "AWS": "111122223333" }, "action": [ "s3:PutObject", "s3:PutObjectAcl" ], "condition": {}, "resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET", "isPublic": false, "resourceType": "AWS::S3::Bucket", "createdAt": "2024-02-17T00:18:46+00:00", "changeType": "NEW", "status": "ACTIVE", "resourceOwnerAccount": "111122223333", "sources": [ { "type": "POLICY" } ] } ] }
For more information, see Previewing access with IAM Access Analyzer APIs
in the Amazon IAM User Guide. -
For API details, see ListAccessPreviewFindings
in Amazon CLI Command Reference.
-
The following code example shows how to use list-access-previews
.
- Amazon CLI
-
To retrieve a list of access previews for the specified analyzer
The following
list-access-previews
example retrieves a list of access previews for the specified analyzer in your Amazon account.aws accessanalyzer list-access-previews \ --analyzer-arn
arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
Output:
{ "accessPreviews": [ { "id": "3c65eb13-6ef9-4629-8919-a32043619e6b", "analyzerArn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account", "createdAt": "2024-02-17T00:18:44+00:00", "status": "COMPLETED" } ] }
For more information, see Previewing access with IAM Access Analyzer APIs
in the Amazon IAM User Guide. -
For API details, see ListAccessPreviews
in Amazon CLI Command Reference.
-
The following code example shows how to use list-analyzed-resources
.
- Amazon CLI
-
To list the available widgets
The following
list-analyzed-resources
example lists the available widgets in your Amazon account.aws accessanalyzer list-analyzed-resources \ --analyzer-arn
arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
\ --resource-typeAWS::IAM::Role
Output:
{ "analyzedResources": [ { "resourceArn": "arn:aws:sns:us-west-2:111122223333:Validation-Email", "resourceOwnerAccount": "111122223333", "resourceType": "AWS::SNS::Topic" }, { "resourceArn": "arn:aws:sns:us-west-2:111122223333:admin-alerts", "resourceOwnerAccount": "111122223333", "resourceType": "AWS::SNS::Topic" }, { "resourceArn": "arn:aws:sns:us-west-2:111122223333:config-topic", "resourceOwnerAccount": "111122223333", "resourceType": "AWS::SNS::Topic" }, { "resourceArn": "arn:aws:sns:us-west-2:111122223333:inspector-topic", "resourceOwnerAccount": "111122223333", "resourceType": "AWS::SNS::Topic" } ] }
For more information, see Using Amazon Identity and Access Management Access Analyzer
in the Amazon IAM User Guide. -
For API details, see ListAnalyzedResources
in Amazon CLI Command Reference.
-
The following code example shows how to use list-analyzers
.
- Amazon CLI
-
To retrieve a list of analyzers
The following
list-analyzers
example retrieves a list of analyzers in your Amazon account.aws accessanalyzer list-analyzers
Output:
{ "analyzers": [ { "arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/UnusedAccess-ConsoleAnalyzer-organization", "createdAt": "2024-02-15T00:46:40+00:00", "name": "UnusedAccess-ConsoleAnalyzer-organization", "status": "ACTIVE", "tags": { "auto-delete": "no" }, "type": "ORGANIZATION_UNUSED_ACCESS" }, { "arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-organization", "createdAt": "2020-04-25T07:43:28+00:00", "lastResourceAnalyzed": "arn:aws:s3:::DOC-EXAMPLE-BUCKET", "lastResourceAnalyzedAt": "2024-02-15T21:51:56.517000+00:00", "name": "ConsoleAnalyzer-organization", "status": "ACTIVE", "tags": { "auto-delete": "no" }, "type": "ORGANIZATION" }, { "arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account", "createdAt": "2019-12-03T07:28:17+00:00", "lastResourceAnalyzed": "arn:aws:sns:us-west-2:111122223333:config-topic", "lastResourceAnalyzedAt": "2024-02-15T18:01:53.003000+00:00", "name": "ConsoleAnalyzer-account", "status": "ACTIVE", "tags": { "auto-delete": "no" }, "type": "ACCOUNT" } ] }
For more information, see Using Amazon Identity and Access Management Access Analyzer
in the Amazon IAM User Guide. -
For API details, see ListAnalyzers
in Amazon CLI Command Reference.
-
The following code example shows how to use list-archive-rules
.
- Amazon CLI
-
To retrieve a list of archive rules created for the specified analyzer
The following
list-archive-rules
example retrieves a list of archive rules created for the specified analyzer in your Amazon account.aws accessanalyzer list-archive-rules \ --analyzer-name
UnusedAccess-ConsoleAnalyzer-organization
Output:
{ "archiveRules": [ { "createdAt": "2024-02-15T00:49:27+00:00", "filter": { "resource": { "contains": [ "Cognito" ] }, "resourceType": { "eq": [ "AWS::IAM::Role" ] } }, "ruleName": "MyArchiveRule", "updatedAt": "2024-02-15T00:49:27+00:00" }, { "createdAt": "2024-02-15T23:27:45+00:00", "filter": { "findingType": { "eq": [ "UnusedIAMUserAccessKey" ] } }, "ruleName": "ArchiveRule-56125a39-e517-4ff8-afb1-ef06f58db612", "updatedAt": "2024-02-15T23:27:45+00:00" } ] }
For more information, see Using Amazon Identity and Access Management Access Analyzer
in the Amazon IAM User Guide. -
For API details, see ListArchiveRules
in Amazon CLI Command Reference.
-
The following code example shows how to use list-findings-v2
.
- Amazon CLI
-
To retrieve a list of findings generated by the specified analyzer
The following
list-findings-v2
example retrieves a list of findings generated by the specified analyzer in your Amazon account. This example filters the results to include only IAM roles whose name containsCognito
.aws accessanalyzer list-findings-v2 \ --analyzer-arn
arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
\ --filter '{"resource": {"contains": ["Cognito"]}, "resourceType": {"eq": ["AWS::IAM::Role"]}}
'Output:
{ "findings": [ { "analyzedAt": "2024-02-16T18:17:47.888000+00:00", "createdAt": "2021-02-26T21:17:24.710000+00:00", "id": "597f3bc2-3adc-4c18-9879-5c4b23485e46", "resource": "arn:aws:iam::111122223333:role/Cognito_testpoolUnauth_Role", "resourceType": "AWS::IAM::Role", "resourceOwnerAccount": "111122223333", "status": "ACTIVE", "updatedAt": "2021-02-26T21:17:24.710000+00:00", "findingType": "ExternalAccess" }, { "analyzedAt": "2024-02-16T18:17:47.888000+00:00", "createdAt": "2021-02-26T21:17:50.905000+00:00", "id": "ce0e221a-85b9-4d52-91ff-d7678075442f", "resource": "arn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role", "resourceType": "AWS::IAM::Role", "resourceOwnerAccount": "111122223333", "status": "ACTIVE", "updatedAt": "2021-02-26T21:17:50.905000+00:00", "findingType": "ExternalAccess" } ] }
For more information, see Using Amazon Identity and Access Management Access Analyzer
in the Amazon IAM User Guide. -
For API details, see ListFindingsV2
in Amazon CLI Command Reference.
-
The following code example shows how to use list-findings
.
- Amazon CLI
-
To retrieve a list of findings generated by the specified analyzer
The following
list-findings
example retrieves a list of findings generated by the specified analyzer in your Amazon account. This example filters the results to include only IAM roles whose name containsCognito
.aws accessanalyzer list-findings \ --analyzer-arn
arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
\ --filter '{"resource": {"contains": ["Cognito"]}, "resourceType": {"eq": ["AWS::IAM::Role"]}}
'Output:
{ "findings": [ { "id": "597f3bc2-3adc-4c18-9879-5c4b23485e46", "principal": { "Federated": "cognito-identity.amazonaws.com" }, "action": [ "sts:AssumeRoleWithWebIdentity" ], "resource": "arn:aws:iam::111122223333:role/Cognito_testpoolUnauth_Role", "isPublic": false, "resourceType": "AWS::IAM::Role", "condition": { "cognito-identity.amazonaws.com:aud": "us-west-2:EXAMPLE0-0000-0000-0000-000000000000" }, "createdAt": "2021-02-26T21:17:24.710000+00:00", "analyzedAt": "2024-02-16T18:17:47.888000+00:00", "updatedAt": "2021-02-26T21:17:24.710000+00:00", "status": "ACTIVE", "resourceOwnerAccount": "111122223333" }, { "id": "ce0e221a-85b9-4d52-91ff-d7678075442f", "principal": { "Federated": "cognito-identity.amazonaws.com" }, "action": [ "sts:AssumeRoleWithWebIdentity" ], "resource": "arn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role", "isPublic": false, "resourceType": "AWS::IAM::Role", "condition": { "cognito-identity.amazonaws.com:aud": "us-west-2:EXAMPLE0-0000-0000-0000-000000000000" }, "createdAt": "2021-02-26T21:17:50.905000+00:00", "analyzedAt": "2024-02-16T18:17:47.888000+00:00", "updatedAt": "2021-02-26T21:17:50.905000+00:00", "status": "ACTIVE", "resourceOwnerAccount": "111122223333" } ] }
For more information, see Using Amazon Identity and Access Management Access Analyzer
in the Amazon IAM User Guide. -
For API details, see ListFindings
in Amazon CLI Command Reference.
-
The following code example shows how to use list-policy-generations
.
- Amazon CLI
-
To list all of the policy generations requested in the last seven days
The following
list-policy-generations
example lists all of the policy generations requested in the last seven days in your Amazon account.aws accessanalyzer list-policy-generations
Output:
{ "policyGenerations": [ { "completedOn": "2024-02-14T23:43:38+00:00", "jobId": "923a56b0-ebb8-4e80-8a3c-a11ccfbcd6f2", "principalArn": "arn:aws:iam::111122223333:role/Admin", "startedOn": "2024-02-14T23:43:02+00:00", "status": "CANCELED" }, { "completedOn": "2024-02-14T22:47:01+00:00", "jobId": "c557dc4a-0338-4489-95dd-739014860ff9", "principalArn": "arn:aws:iam::111122223333:role/Admin", "startedOn": "2024-02-14T22:44:41+00:00", "status": "SUCCEEDED" } ] }
For more information, see IAM Access Analyzer policy generation
in the Amazon IAM User Guide. -
For API details, see ListPolicyGenerations
in Amazon CLI Command Reference.
-
The following code example shows how to use list-tags-for-resource
.
- Amazon CLI
-
To retrieve a list of tags applied to the specified resource
The following
list-tags-for-resource
example retrieves a list of tags applied to the specified resource in your Amazon account.aws accessanalyzer list-tags-for-resource \ --resource-arn
arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
Output:
{ "tags": { "Zone-of-trust": "Account", "Name": "ConsoleAnalyzer" } }
For more information, see IAM Access Analyzer policy generation
in the Amazon IAM User Guide. -
For API details, see ListTagsForResource
in Amazon CLI Command Reference.
-
The following code example shows how to use start-policy-generation
.
- Amazon CLI
-
To start a policy generation request
The following
start-policy-generation
example starts a policy generation request in your Amazon account.aws accessanalyzer start-policy-generation \ --policy-generation-details '
{"principalArn":"arn:aws:iam::111122223333:role/Admin"}
' \ --cloud-trail-detailsfile://myfile.json
Contents of
myfile.json
:{ "accessRole": "arn:aws:iam::111122223333:role/service-role/AccessAnalyzerMonitorServiceRole", "startTime": "2024-02-13T00:30:00Z", "trails": [ { "allRegions": true, "cloudTrailArn": "arn:aws:cloudtrail:us-west-2:111122223333:trail/my-trail" } ] }
Output:
{ "jobId": "c557dc4a-0338-4489-95dd-739014860ff9" }
For more information, see IAM Access Analyzer policy generation
in the Amazon IAM User Guide. -
For API details, see StartPolicyGeneration
in Amazon CLI Command Reference.
-
The following code example shows how to use start-resource-scan
.
- Amazon CLI
-
To immediately start a scan of the policies applied to the specified resource
The following
start-resource-scan
example mmediately starts a scan of the policies applied to the specified resource in your Amazon account.aws accessanalyzer start-resource-scan \ --analyzer-arn
arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
\ --resource-arnarn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role
This command produces no output.
For more information, see IAM Access Analyzer policy generation
in the Amazon IAM User Guide. -
For API details, see StartResourceScan
in Amazon CLI Command Reference.
-
The following code example shows how to use tag-resource
.
- Amazon CLI
-
To add a tag to the specified resource
The following
tag-resource
example adds a tag to the specified resource in your Amazon account.aws accessanalyzer tag-resource \ --resource-arn
arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
\ --tagsEnvironment=dev,Purpose=testing
This command produces no output.
For more information, see Using Amazon Identity and Access Management Access Analyzer
in the Amazon IAM User Guide. -
For API details, see TagResource
in Amazon CLI Command Reference.
-
The following code example shows how to use untag-resource
.
- Amazon CLI
-
To remove tags from the specified resources
The following
untag-resource
example removes tags from the specified resource in your Amazon account.aws accessanalyzer untag-resource \ --resource-arn
arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
\ --tag-keysEnvironment
Purpose
This command produces no output.
For more information, see Using Amazon Identity and Access Management Access Analyzer
in the Amazon IAM User Guide. -
For API details, see UntagResource
in Amazon CLI Command Reference.
-
The following code example shows how to use update-archive-rule
.
- Amazon CLI
-
To update the criteria and values for the specified archive rule
The following
update-archive-rule
example updates the criteria and values for the specified archive rule in your Amazon account.aws accessanalyzer update-archive-rule \ --analyzer-name
UnusedAccess-ConsoleAnalyzer-organization
\ --rule-nameMyArchiveRule
\ --filter '{"resource": {"contains": ["Cognito"]}, "resourceType": {"eq": ["AWS::IAM::Role"]}}
'This command produces no output.
For more information, see Archive rules
in the Amazon IAM User Guide. -
For API details, see UpdateArchiveRule
in Amazon CLI Command Reference.
-
The following code example shows how to use update-findings
.
- Amazon CLI
-
To update the status for the specified findings
The following
update-findings
example updates the status for the specified findings in your Amazon account.aws accessanalyzer update-findings \ --analyzer-arn
arn:aws:access-analyzer:us-west-2:111122223333:analyzer/UnusedAccess-ConsoleAnalyzer-organization
\ --ids4f319ac3-2e0c-4dc4-bf51-7013a086b6ae
780d586a-2cce-4f72-aff6-359d450e7500
\ --statusARCHIVED
This command produces no output.
For more information, see Using Amazon Identity and Access Management Access Analyzer
in the Amazon IAM User Guide. -
For API details, see UpdateFindings
in Amazon CLI Command Reference.
-
The following code example shows how to use validate-policy
.
- Amazon CLI
-
To request the validation of a policy and returns a list of findings
The following
validate-policy
example requests the validation of a policy and returns a list of findings. The policy in the example is a role trust policy for an Amazon Cognito role used for web identity federation. The findings generated from the trust policy relate to an emptySid
element value and a mismatched policy principal due to the incorrect assume role action being used,sts:AssumeRole
. The correct assume role action for use with Cognito issts:AssumeRoleWithWebIdentity
.aws accessanalyzer validate-policy \ --policy-document
file://myfile.json
\ --policy-typeRESOURCE_POLICY
Contents of
myfile.json
:{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Federated": "cognito-identity.amazonaws.com" }, "Action": [ "sts:AssumeRole", "sts:TagSession" ], "Condition": { "StringEquals": { "cognito-identity.amazonaws.com:aud": "us-west-2_EXAMPLE" } } } ] }
Output:
{ "findings": [ { "findingDetails": "Add a value to the empty string in the Sid element.", "findingType": "SUGGESTION", "issueCode": "EMPTY_SID_VALUE", "learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-empty-sid-value", "locations": [ { "path": [ { "value": "Statement" }, { "index": 0 }, { "value": "Sid" } ], "span": { "end": { "column": 21, "line": 5, "offset": 81 }, "start": { "column": 19, "line": 5, "offset": 79 } } } ] }, { "findingDetails": "The sts:AssumeRole action is invalid with the following principal(s): cognito-identity.amazonaws.com. Use a SAML provider principal with the sts:AssumeRoleWithSAML action or use an OIDC provider principal with the sts:AssumeRoleWithWebIdentity action. Ensure the provider is Federated if you use either of the two options.", "findingType": "ERROR", "issueCode": "MISMATCHED_ACTION_FOR_PRINCIPAL", "learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-mismatched-action-for-principal", "locations": [ { "path": [ { "value": "Statement" }, { "index": 0 }, { "value": "Action" }, { "index": 0 } ], "span": { "end": { "column": 32, "line": 11, "offset": 274 }, "start": { "column": 16, "line": 11, "offset": 258 } } }, { "path": [ { "value": "Statement" }, { "index": 0 }, { "value": "Principal" }, { "value": "Federated" } ], "span": { "end": { "column": 61, "line": 8, "offset": 202 }, "start": { "column": 29, "line": 8, "offset": 170 } } } ] }, { "findingDetails": "The following actions: sts:TagSession are not supported by the condition key cognito-identity.amazonaws.com:aud. The condition will not be evaluated for these actions. We recommend that you move these actions to a different statement without this condition key.", "findingType": "ERROR", "issueCode": "UNSUPPORTED_ACTION_FOR_CONDITION_KEY", "learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-unsupported-action-for-condition-key", "locations": [ { "path": [ { "value": "Statement" }, { "index": 0 }, { "value": "Action" }, { "index": 1 } ], "span": { "end": { "column": 32, "line": 12, "offset": 308 }, "start": { "column": 16, "line": 12, "offset": 292 } } }, { "path": [ { "value": "Statement" }, { "index": 0 }, { "value": "Condition" }, { "value": "StringEquals" }, { "value": "cognito-identity.amazonaws.com:aud" } ], "span": { "end": { "column": 79, "line": 16, "offset": 464 }, "start": { "column": 58, "line": 16, "offset": 443 } } } ] } ] }
For more information, see Checks for validating policies
in the Amazon IAM User Guide. -
For API details, see ValidatePolicy
in Amazon CLI Command Reference.
-