View a markdown version of this page

Actions, resources, and condition keys for Amazon IAM Access Analyzer - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon IAM Access Analyzer

Amazon IAM Access Analyzer (service prefix: access-analyzer) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon IAM Access Analyzer

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

ApplyArchiveRule

access-analyzer:ApplyArchiveRule

Write

CancelPolicyGeneration

access-analyzer:CancelPolicyGeneration

Write

CheckAccessNotGranted

access-analyzer:CheckAccessNotGranted

Read

CheckNoNewAccess

access-analyzer:CheckNoNewAccess

Read

CheckNoPublicAccess

access-analyzer:CheckNoPublicAccess

Read

CreateAccessPreview

access-analyzer:CreateAccessPreview

Write

CreateAnalyzer

access-analyzer:CreateAnalyzer

Write

access-analyzer:TagResource

Tagging, Write

CreateArchiveRule

access-analyzer:CreateArchiveRule

Write

CreateServiceLinkedAnalyzer

access-analyzer:CreateServiceLinkedAnalyzer

Write

DeleteAnalyzer

access-analyzer:DeleteAnalyzer

Write

DeleteArchiveRule

access-analyzer:DeleteArchiveRule

Write

DeleteServiceLinkedAnalyzer

access-analyzer:DeleteServiceLinkedAnalyzer

Write

GenerateFindingRecommendation

access-analyzer:GenerateFindingRecommendation

Write

GetAccessPreview

access-analyzer:GetAccessPreview

Read

GetAnalyzedResource

access-analyzer:GetAnalyzedResource

Read

GetAnalyzer

access-analyzer:GetAnalyzer

Read

GetArchiveRule

access-analyzer:GetArchiveRule

Read

GetFinding

access-analyzer:GetFinding

Read

GetFindingRecommendation

access-analyzer:GetFindingRecommendation

Read

GetFindingV2

access-analyzer:GetFinding

Read

GetFindingsStatistics

access-analyzer:GetFindingsStatistics

Read

GetGeneratedPolicy

access-analyzer:GetGeneratedPolicy

Read

ListAccessPreviewFindings

access-analyzer:ListAccessPreviewFindings

Read

ListAccessPreviews

access-analyzer:ListAccessPreviews

List

ListAnalyzedResources

access-analyzer:ListAnalyzedResources

Read

ListAnalyzers

access-analyzer:ListAnalyzers

List

ListArchiveRules

access-analyzer:ListArchiveRules

List

ListFindings

access-analyzer:ListFindings

Read

ListFindingsV2

access-analyzer:ListFindings

Read

ListPolicyGenerations

access-analyzer:ListPolicyGenerations

Read

ListTagsForResource

access-analyzer:ListTagsForResource

Read

StartPolicyGeneration

access-analyzer:StartPolicyGeneration

Write

iam:PassRole

iam:PassedToService

access-analyzer.amazonaws.com

Write

StartResourceScan

access-analyzer:StartResourceScan

Write

TagResource

access-analyzer:TagResource

Tagging, Write

UntagResource

access-analyzer:UntagResource

Tagging, Write

UpdateAnalyzer

access-analyzer:UpdateAnalyzer

Write

UpdateArchiveRule

access-analyzer:UpdateArchiveRule

Write

UpdateFindings

access-analyzer:UpdateFindings

Write

ValidatePolicy

access-analyzer:ValidatePolicy

Read

Actions defined by Amazon IAM Access Analyzer

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

ApplyArchiveRule

Grants permission to apply an archive rule

Analyzer*

aws:ResourceTag/${TagKey}

Write

CancelPolicyGeneration

Grants permission to cancel a policy generation

Write

CheckAccessNotGranted

Grants permission to check that specified access is not allowed by a policy

Read

CheckNoNewAccess

Grants permission to check that no new access is allowed when compared to an existing policy

Read

CheckNoPublicAccess

Grants permission to check that public access is not allowed by a resource policy

Read

CreateAccessPreview

Grants permission to create an access preview for the specified analyzer

Analyzer*

aws:ResourceTag/${TagKey}

Write

CreateAnalyzer

Grants permission to create an analyzer

Analyzer*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

CreateArchiveRule

Grants permission to create an archive rule for the specified analyzer

ArchiveRule*

Write

CreateServiceLinkedAnalyzer

Grants permission to create a service-linked analyzer

Analyzer*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

DeleteAnalyzer

Grants permission to delete the specified analyzer

Analyzer*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

DeleteArchiveRule

Grants permission to delete archive rules for the specified analyzer

ArchiveRule*

Write

DeleteServiceLinkedAnalyzer

Grants permission to delete the specified service-linked analyzer

Analyzer*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

GenerateFindingRecommendation

Grants permission to generate recommendation steps to resolve a finding

Analyzer*

aws:ResourceTag/${TagKey}

Write

GetAccessPreview

Grants permission to retrieve information about an access preview

Analyzer*

aws:ResourceTag/${TagKey}

Read

GetAnalyzedResource

Grants permission to retrieve information about an analyzed resource

Analyzer*

aws:ResourceTag/${TagKey}

Read

GetAnalyzer

Grants permission to retrieve information about analyzers

Analyzer*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Read

GetArchiveRule

Grants permission to retrieve information about archive rules for the specified analyzer

ArchiveRule*

Read

GetFinding

Grants permission to retrieve findings

Analyzer*

aws:ResourceTag/${TagKey}

Read

GetFindingRecommendation

Grants permission to retrieve recommendation steps to resolve a finding

Analyzer*

aws:ResourceTag/${TagKey}

Read

GetFindingsStatistics

Grants permission to retrieve statistics for findings

Analyzer*

aws:ResourceTag/${TagKey}

Read

GetGeneratedPolicy

Grants permission to retrieve a policy that was generated using StartPolicyGeneration

Read

ListAccessPreviewFindings

Grants permission to retrieve a list of findings from an access preview

Analyzer*

aws:ResourceTag/${TagKey}

Read

ListAccessPreviews

Grants permission to retrieve a list of access previews

Analyzer*

aws:ResourceTag/${TagKey}

List

ListAnalyzedResources

Grants permission to retrieve a list of resources that have been analyzed

Analyzer*

aws:ResourceTag/${TagKey}

Read

ListAnalyzers

Grants permission to retrieves a list of analyzers

List

ListArchiveRules

Grants permission to retrieve a list of archive rules from an analyzer

Analyzer*

aws:ResourceTag/${TagKey}

List

ListFindings

Grants permission to retrieve a list of findings from an analyzer

Analyzer*

aws:ResourceTag/${TagKey}

Read

ListPolicyGenerations

Grants permission to list all the recently started policy generations

Read

ListTagsForResource

Grants permission to retrieve a list of tags applied to a resource

Analyzer

aws:ResourceTag/${TagKey}

Read

StartPolicyGeneration

Grants permission to start a policy generation

Write

StartResourceScan

Grants permission to start a scan of the policies applied to a resource

Analyzer*

aws:ResourceTag/${TagKey}

Write

TagResource

Grants permission to add a tag to a resource

Analyzer

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UntagResource

Grants permission to remove a tag from a resource

Analyzer

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

UpdateAnalyzer

Grants permission to modify an analyzer's configuration

Analyzer*

aws:ResourceTag/${TagKey}

Write

UpdateArchiveRule

Grants permission to modify an archive rule

ArchiveRule*

Write

UpdateFindings

Grants permission to modify findings

Analyzer*

aws:ResourceTag/${TagKey}

Write

ValidatePolicy

Grants permission to validate a policy

Read

Resource types defined by Amazon IAM Access Analyzer

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

Analyzer

arn:${Partition}:access-analyzer:${Region}:${Account}:analyzer/${AnalyzerName}

aws:ResourceTag/${TagKey}

ArchiveRule

arn:${Partition}:access-analyzer:${Region}:${Account}:analyzer/${AnalyzerName}/archive-rule/${RuleName}

Condition keys for Amazon IAM Access Analyzer

Amazon IAM Access Analyzer defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters actions based on the presence of tag key-value pairs in the request

String

aws:ResourceTag/${TagKey}

Filters actions based on tag key-value pairs attached to the resource

String

aws:TagKeys

Filters actions based on the presence of tag keys in the request

ArrayOfString