IAM Access Analyzer filter keys

| Filter key (API) | Filter key values | Console filter name | Description | Type | Archive rule | Findings | Access preview |
|---|---|---|---|---|---|---|---|
| resource | | Resource | The ARN uniquely identifying the resource that the external principal has access to. To learn more, see Amazon resource names (ARNs). | String | Yes | Yes | Yes |
| resourceType | AWS::S3::Bucket \| AWS::IAM::Role \| AWS::SQS::Queue \| AWS::Lambda::Function \| AWS::Lambda::LayerVersion \| AWS::KMS::Key \| AWS::SecretsManager::Secret \| AWS::EFS::FileSystem \| AWS::EC2::Snapshot \| AWS::ECR::Repository \| AWS::RDS::DBSnapshot \| AWS::RDS::DBClusterSnapshot \| AWS::SNS::Topic \| AWS::S3Express::DirectoryBucket \| AWS::DynamoDB::Table \| AWS::DynamoDB::Stream \| AWS::IAM::User | Resource Type | The type of resource that the external principal has access to. | String | Yes | Yes | Yes |
| resourceOwnerAccount | | Resource Owner Account | The 12-digit AWS account ID that owns the resource. To learn more, see AWS account identifiers. | String | Yes | Yes | Yes |
| isPublic | | Public access | Indicates whether the finding reports a resource that has a policy that allows public access. | Boolean | Yes | Yes | Yes |
| findingType | UnusedIAMRole \| UnusedIAMUserAccessKey \| UnusedIAMUserPassword \| UnusedPermission | Findings type | The type of the finding. You can only filter by finding type for unused access findings. | String | Yes | Yes | Yes |
| resourceControlPolicyRestriction | APPLICABLE \| FAILED_TO_EVALUATE_RCP \| NOT_APPLICABLE | Resource control policy (RCP) restriction | The type of restriction applied by the resource owner with an Organizations resource control policy (RCP). You can only filter by RCP restriction for external access findings. | String | Yes | Yes | Yes |
| status | ACTIVE \| ARCHIVED \| RESOLVED | Status | The current status of the finding. | String | No | Yes | Yes |
| error | | Error | Indicates the error reported for the finding. | String | Yes | Yes | Yes |
| principal.AWS | | AWS Account | The account granted access to the resource in the Principal field of the finding. Enter the 12-digit AWS account ID or the ARN of the external AWS user or role. To learn more, see AWS account identifiers. | String | Yes | Yes | Yes |
| principal.Federated | | Federated User | The ARN of the federated identity that has access to the resource in the finding. To learn more, see Identity providers and federation. | String | Yes | Yes | Yes |
| condition.aws:PrincipalArn | | Principal ARN | The ARN of the principal (IAM user, role, or group) indicated as the condition for resource access. To learn more, see AWS global condition context keys. | String | Yes | Yes | Yes |
| condition.aws:PrincipalOrgID | | Principal OrgID | The organization identifier of the principal indicated as the condition for resource access. To learn more, see AWS global condition context keys. | String | Yes | Yes | Yes |
| condition.aws:PrincipalOrgPaths | | Principal OrgPaths | The organization or organizational unit (OU) ID indicated as the condition for resource access. To learn more, see AWS global condition context keys. | String | Yes | Yes | Yes |
| condition.aws:SourceIp | | Source IP | The IP address that allows the principal access to the resource when using the specified IP address. To learn more, see AWS global condition context keys. | IP address | Yes | Yes | Yes |
| condition.aws:SourceVpc | | Source VPC | The VPC ID that allows the principal access to the resource when using the specified VPC. To learn more, see AWS global condition context keys. | String | Yes | Yes | Yes |
| condition.aws:UserId | | User ID | The user ID of the IAM user from an external account indicated as the condition for access to the resource. To learn more, see AWS global condition context keys. | String | Yes | Yes | Yes |
| condition.cognito-identity.amazonaws.com:aud | | Cognito Audience | The Amazon Cognito identity pool ID specified as a condition for IAM role access in the finding. To learn more, see IAM and AWS STS condition context keys. | String | Yes | Yes | Yes |
| condition.graph.facebook.com:app_id | | Facebook App ID | The Facebook application ID (or site ID) specified as a condition to allow Login with Facebook federation access to the IAM role in the finding. To learn more, see IAM and AWS STS condition context keys. | String | Yes | Yes | Yes |
| condition.accounts.google.com:aud | | Google Audience | The Google application ID specified as a condition for access to the IAM role. To learn more, see IAM and AWS STS condition context keys. | String | Yes | Yes | Yes |
| condition.kms:CallerAccount | | KMS Key ID | The AWS account ID that owns the calling entity (IAM user, role, or account root user) used by services calling AWS KMS. To learn more, see Condition keys for AWS Key Management Service. | String | Yes | Yes | Yes |
| condition.www.amazon.com:app_id | | Amazon App ID | The Amazon application ID (or site ID) specified as a condition to allow Login with Amazon federation access to the role. To learn more, see | String | Yes | Yes | Yes |
| id | | Finding ID | The ID of the finding. | String | No | Yes | Yes |
| changeType | CHANGED \| NEW \| UNCHANGED | | Provides context on how the access preview finding compares to existing access identified in IAM Access Analyzer. | String | No | No | Yes |
| existingFindingId | | | The existing ID of the finding in IAM Access Analyzer, provided only for existing findings in the access preview. | String | No | No | Yes |
| existingFindingStatus | | | The existing status of the finding, provided only for existing findings in the access preview. | String | No | No | Yes |
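The table above is easy to misread in practice: `status`, `id` and the access-preview-only keys (`changeType`, `existingFindingId`, `existingFindingStatus`) are accepted by some filter contexts and rejected by others, and Boolean keys such as `isPublic` are compared as strings. The following Python script, added here as an example and not code from the AWS documentation or SDK, transcribes the Archive rule / Findings / Access preview columns and the enumerated values for the keys in the table into a local validator that checks a proposed filter before it is handed to boto3. The filter shape it checks, `{key: {"eq"|"neq"|"contains": [strings], "exists": bool}}`, is the Criterion map that `list_findings` and `create_archive_rule` accept; the analyzer name, rule name and organization ID in the sample rule are constructed placeholders.

```python
"""Validate an IAM Access Analyzer filter against the filter-key table.

Added example, not AWS documentation or SDK code. FILTER_KEYS transcribes the
table on this page: value type and whether the key may be used in an archive
rule, a findings filter, or an access preview. The operator set and the
string-valued booleans ("true"/"false") follow the Criterion type that boto3's
accessanalyzer.list_findings and create_archive_rule accept.
"""

# key: (type, archive rule, findings, access preview) -- from the table above
FILTER_KEYS = {
    "resource": ("String", True, True, True),
    "resourceType": ("String", True, True, True),
    "resourceOwnerAccount": ("String", True, True, True),
    "isPublic": ("Boolean", True, True, True),
    "findingType": ("String", True, True, True),
    "resourceControlPolicyRestriction": ("String", True, True, True),
    "status": ("String", False, True, True),
    "error": ("String", True, True, True),
    "principal.AWS": ("String", True, True, True),
    "principal.Federated": ("String", True, True, True),
    "condition.aws:PrincipalArn": ("String", True, True, True),
    "condition.aws:PrincipalOrgID": ("String", True, True, True),
    "condition.aws:PrincipalOrgPaths": ("String", True, True, True),
    "condition.aws:SourceIp": ("IP address", True, True, True),
    "condition.aws:SourceVpc": ("String", True, True, True),
    "condition.aws:UserId": ("String", True, True, True),
    "condition.kms:CallerAccount": ("String", True, True, True),
    "id": ("String", False, True, True),
    "changeType": ("String", False, False, True),
    "existingFindingId": ("String", False, False, True),
    "existingFindingStatus": ("String", False, False, True),
}

# Enumerated "Filter key values" from the table; eq/neq must use one of them.
ENUM_VALUES = {
    "status": {"ACTIVE", "ARCHIVED", "RESOLVED"},
    "findingType": {"UnusedIAMRole", "UnusedIAMUserAccessKey",
                    "UnusedIAMUserPassword", "UnusedPermission"},
    "resourceControlPolicyRestriction": {"APPLICABLE", "FAILED_TO_EVALUATE_RCP",
                                         "NOT_APPLICABLE"},
    "changeType": {"CHANGED", "NEW", "UNCHANGED"},
}

CONTEXT_COLUMN = {"archive_rule": 1, "findings": 2, "access_preview": 3}
LIST_OPERATORS = {"eq", "neq", "contains"}


def check_values(key, value_type, op, values):
    """Type- and enum-check the strings supplied for one operator."""
    problems = []
    for v in values:
        if value_type == "Boolean" and v not in ("true", "false"):
            problems.append(f"{key}.{op}: boolean key takes 'true' or 'false', got {v!r}")
        elif key in ENUM_VALUES and op != "contains" and v not in ENUM_VALUES[key]:
            problems.append(f"{key}.{op}: {v!r} is not one of {sorted(ENUM_VALUES[key])}")
        elif key == "resourceOwnerAccount" and op == "eq" and not (v.isdigit() and len(v) == 12):
            problems.append(f"{key}.eq: expected a 12-digit account ID, got {v!r}")
    return problems


def validate_filter(filt, context):
    """Return a list of problems; an empty list means the filter is acceptable."""
    problems = []
    col = CONTEXT_COLUMN[context]
    for key, criterion in filt.items():
        spec = FILTER_KEYS.get(key)
        if spec is None:
            problems.append(f"{key}: unknown filter key")
            continue
        if not spec[col]:
            problems.append(f"{key}: not usable in {context}")
        if not isinstance(criterion, dict) or not criterion:
            problems.append(f"{key}: criterion must be a non-empty object")
            continue
        for op, arg in criterion.items():
            if op == "exists":
                if not isinstance(arg, bool):
                    problems.append(f"{key}.exists: expected a boolean")
                continue
            if op not in LIST_OPERATORS:
                problems.append(f"{key}.{op}: unsupported operator")
                continue
            if not isinstance(arg, list) or not all(isinstance(v, str) for v in arg):
                problems.append(f"{key}.{op}: expected a list of strings")
                continue
            problems.extend(check_values(key, spec[0], op, arg))
    return problems


def archive_rule_request(analyzer_name, rule_name, filt):
    """Build kwargs for accessanalyzer.create_archive_rule, or raise on a bad filter."""
    problems = validate_filter(filt, "archive_rule")
    if problems:
        raise ValueError("; ".join(problems))
    return {"analyzerName": analyzer_name, "ruleName": rule_name, "filter": filt}


# Constructed rule: archive non-public findings whose principal is restricted to
# one organization (placeholder org ID), so only public and out-of-org access
# stays active for review.
IN_ORG_RULE = {
    "isPublic": {"eq": ["false"]},
    "condition.aws:PrincipalOrgID": {"eq": ["o-exampleorgid"]},
}

if __name__ == "__main__":
    params = archive_rule_request("ExampleAnalyzer", "archive-in-org-access", IN_ORG_RULE)
    print(params)  # pass as boto3.client("accessanalyzer").create_archive_rule(**params)
    print(validate_filter({"status": {"eq": ["ACTIVE"]}}, "archive_rule"))
```

Running the script shows the two behaviours worth remembering: a filter on `status` is rejected for an archive rule but accepted for a findings filter, and an archive rule that keeps public access active only does so because `isPublic` is compared against the string `"false"`, not a JSON boolean.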