IAM Access Analyzer filter keys

You can use the filter keys below to define an archive rule (CreateArchiveRule), update an archive rule (UpdateArchiveRule), retrieve a list of findings (ListFindings and ListFindingsV2), or retrieve a list of access preview findings for a resource (ListAccessPreviewFindings). There is no difference between using IAM API and AWS CloudFormation for configuring archive rules.

Criterion	Description	Type	Archive rule	List findings	List access preview findings
resource	The ARN uniquely identifying the resource that the external principal has access to. To learn more, see Amazon resource names (ARNs).	String	Yes	Yes	Yes
resourceType `AWS::S3::Bucket` \| `AWS::IAM::Role` \| `AWS::SQS::Queue` \| `AWS::Lambda::Function` \| `AWS::Lambda::LayerVersion` \|`AWS::KMS::Key` \| `AWS::SecretsManager::Secret` \| `AWS::EFS::FileSystem` \| `AWS::EC2::Snapshot` \| `AWS::ECR::Repository` \| `AWS::RDS::DBSnapshot` \| `AWS::RDS::DBClusterSnapshot` \| `AWS::SNS::Topic` \| `AWS::S3Express::DirectoryBucket` \| `AWS::DynamoDB::Table` \| `AWS::DynamoDB::Stream` \| `AWS::IAM::User`	The type of resource that the external principal has access to.	String	Yes	Yes	Yes
resourceOwnerAccount	The 12 digit AWS account ID that owns the resource. To learn more, see AWS account identifiers.	String	Yes	Yes	Yes
isPublic	Indicates whether the finding reports a resource that has a policy that allows public access.	Boolean	Yes	Yes	Yes
findingType `UnusedIAMRole` \| `UnusedIAMUserAccessKey` \| `UnusedIAMUserPassword` \| `UnusedPermission`	The type of the finding. You can only filter by finding type for unused access findings.	String	Yes	Yes	Yes
resourceControlPolicyRestriction `APPLICABLE` \| `FAILED_TO_EVALUATE_RCP` \| `NOT_APPLICABLE`	The type of restriction applied by the resource owner with an Organizations resource control policy (RCP). You can only filter by RCP restriction for external acccess findings.	String	Yes	Yes	Yes
status `ACTIVE` \| `ARCHIVED` \| `RESOLVED`	The current status of the finding.	String	No	Yes	Yes
error	Indicates the error reported for the finding.	String	Yes	Yes	Yes
principal.AWS	The account granted access to the resource in the `Principal` field of the finding. Enter the 12-digit AWS account ID or the ARN of the external AWS user or role. To learn more, see AWS account identifiers.	String	Yes	Yes	Yes
principal.Federated	The ARN of the federated identity that has access to the resource in the finding. To learn more, see Identity providers and federation	String	Yes	Yes	Yes
condition.aws:PrincipalArn	The ARN of the principal (IAM user, role, or group) indicated as the condition for resource access. To learn more, see AWS global condition context keys.	String	Yes	Yes	Yes
condition.aws:PrincipalOrgID	The organization identifier of the principal indicated as the condition for resource access. To learn more, see AWS global condition context keys.	String	Yes	Yes	Yes
condition.aws:PrincipalOrgPaths	The organization or organizational unit (OU) ID indicated as the condition for resource access. To learn more, see AWS global condition context keys.	String	Yes	Yes	Yes
condition.aws:SourceIp	The IP address that allows the principal access to the resource when using the specified IP address. To learn more, see AWS global condition context keys.	IP address	Yes	Yes	Yes
condition.aws:SourceVpc	The VPC ID that allows the principal access to the resource when using the specified VPC. To learn more, see AWS global condition context keys.	String	Yes	Yes	Yes
condition.aws:UserId	The user ID of the IAM user from an external account indicated as the condition for access to the resource. To learn more, see AWS global condition context keys.	String	Yes	Yes	Yes
condition.cognito-identity.amazonaws.com:aud	The Amazon Cognito identity pool ID specified as a condition for IAM role access in the finding. To learn more, see IAM and AWS STS condition context keys.	String	Yes	Yes	Yes
condition.graph.facebook.com:app_id	The Facebook application ID (or site ID) specified as a condition to allow Login with Facebook federation access to the IAM role in the finding. To learn more, see IAM and AWS STS condition context keys.	String	Yes	Yes	Yes
condition.accounts.google.com:aud	The Google application ID specified as a condition for access to the IAM role. To learn more, see IAM and AWS STS condition context keys.	String	Yes	Yes	Yes
condition.kms:CallerAccount	The AWS account ID that owns the calling entity (IAM user, role or account root user) used by services calling AWS KMS. To learn more, see Condition keys for AWS Key Management Service.	String	Yes	Yes	Yes
condition.www.amazon.com:app_id	The Amazon application ID (or site ID) specified as a condition to allow Login with Amazon federation access to the role. To learn more, see	String	Yes	Yes	Yes
id	The ID of the finding.	String	No	Yes	Yes
changeType	Provides context on how the access preview finding compares to existing access identified in IAM Access Analyzer.	String	No	No	Yes
existingFindingId	The existing ID of the finding in IAM Access Analyzer, provided only for existing findings in the access preview.	String	No	No	Yes
existingFindingStatus	The existing status of the finding, provided only for existing findings in the access preview.	String	No	No	Yes

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Logging with CloudTrail

Using service-linked roles