AWS Identity and Access Management
User Guide

Viewing Service Last Accessed Data for Organizations

You can view service last accessed data for AWS Organizations using the IAM console, AWS CLI, or AWS API. For important information about the data, permissions required, troubleshooting, and supported Regions, see Refining Permissions Using Service Last Accessed Data.

When you sign in to the IAM console using AWS Organizations master account credentials, you can view data for any entity in your organization. Organizations entities include the organization root, organizational units (OUs), and accounts. You can also use the IAM console to view data for any service control policies (SCPs) in your organization. IAM shows a list of services that are allowed by any SCPs that apply to the entity. For each service, you can view the most recent account activity data for the chosen Organizations entity or the entity's children.

When you use the AWS CLI or AWS API with master account credentials, you can generate a data report for any entities or policies in your organization. A programmatic report for an entity includes a list of services that are allowed by any SCPs that apply to the entity. For each service, the report includes the most recent activity for accounts in the specified Organizations entity or the entity's subtree.

When you generate a programmatic data report for a policy, you must specify an Organizations entity. This report includes a list of services that are allowed by the specified SCP. For each service, it includes the most recent account activity in the entity or entity's children that are granted permission by that policy. For more information, see aws iam generate-organizations-access-report or GenerateOrganizationsAccessReport.

Before you view the report, make sure that you understand the master account requirements and data, reporting period, reported entities, and the evaluated policy types. For more details, see Things to Know.

Understand the AWS Organizations Entity Path

When you use the AWS CLI or AWS API to generate an AWS Organizations access report, you must specify an entity path. A path is a text representation of the structure of an Organizations entity.

You can build an entity path using the known structure of your organization. For example, assume that you have the following organizational structure in AWS Organizations.

Figure: Organization path structure

The path for the Dev Managers OU is built using the IDs of the organization, root, and all OUs in the path down to and including the OU.

o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-ghi0-awsccccc/ou-jkl0-awsddddd

The path for the account in the Production OU is built using the IDs of the organization, root, the OU, and the account number.

o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-abc0-awsaaaaa/111111111111

Note

Organization IDs are globally unique but OU IDs and root IDs are unique only within an organization. This means that no two organizations share the same organization ID. However, another organization might have an OU or root with the same ID as yours. We recommend that you always include the organization ID when you specify an OU or root.
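The following helper, added here as an example and not part of the IAM User Guide, builds an entity path from the component IDs and validates each one before joining them, so a malformed path is caught before it reaches generate-organizations-access-report. It also refuses a path that does not begin with an organization ID, which enforces the recommendation in the Note above. The ID patterns are my reading of the documented shapes of Organizations IDs (org `o-`, root `r-`, OU `ou-xxxx-xxxxxxxx`, 12-digit account) and are an assumption; the sample IDs are the ones from the paths shown above.

```python
import re

# Assumed ID shapes (not from the guide): adjust if your IDs differ.
_ID_PATTERNS = {
    "organization": re.compile(r"^o-[a-z0-9]{10,32}$"),
    "root": re.compile(r"^r-[a-z0-9]{4,32}$"),
    "ou": re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$"),
    "account": re.compile(r"^\d{12}$"),
}


def _check(kind, value):
    """Raise ValueError unless value matches the expected shape for kind."""
    if not _ID_PATTERNS[kind].match(value):
        raise ValueError(f"{value!r} is not a valid {kind} ID")
    return value


def build_entity_path(org_id, root_id, ou_ids=(), account_id=None):
    """Return 'o-.../r-.../ou-.../...[/account]' for the requested entity.

    The root alone is a valid target (org/root); OUs are listed from the
    one directly under the root down to the target OU; an account, if
    given, is the last component.
    """
    parts = [_check("organization", org_id), _check("root", root_id)]
    parts += [_check("ou", ou) for ou in ou_ids]
    if account_id is not None:
        parts.append(_check("account", account_id))
    return "/".join(parts)


def parse_entity_path(path):
    """Split a path into its components.

    Rejects paths that omit the organization ID: root and OU IDs are only
    unique within one organization, so a path without it is ambiguous.
    """
    parts = path.split("/")
    if len(parts) < 2:
        raise ValueError("path must contain at least organization and root IDs")
    org, root, *rest = parts
    _check("organization", org)
    _check("root", root)
    ous = list(rest)
    account = None
    if ous and _ID_PATTERNS["account"].match(ous[-1]):
        account = ous.pop()
    for ou in ous:
        _check("ou", ou)
    return {"organization": org, "root": root, "ous": ous, "account": account}


def is_valid_entity_path(path):
    """Boolean convenience wrapper around parse_entity_path."""
    try:
        parse_entity_path(path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The two paths from the example organization above.
    print(build_entity_path("o-a1b2c3d4e5", "r-f6g7h8i9j0example",
                            ["ou-ghi0-awsccccc", "ou-jkl0-awsddddd"]))
    print(build_entity_path("o-a1b2c3d4e5", "r-f6g7h8i9j0example",
                            ["ou-abc0-awsaaaaa"], account_id="111111111111"))
```

The resulting string is what you pass as the entity path when generating the report; parse_entity_path is useful when reading the EntityPath values the report returns, which use the same format.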

Viewing Data for Organizations (Console)

You can use the IAM console to view service last accessed data for your root, OU, account, or policy.

To view data for the root (console)

  1. Sign in to the AWS Management Console using Organizations master account credentials, and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, expand AWS Organizations, and then choose Organization activity.

  3. On the Organization activity page, choose Root.

  4. On the Details and activity tab, view the Service access report section. The data includes a list of services that are allowed by the policies that are attached directly to the root. The data shows you from which account the service was last accessed and when. For more details about which principal accessed the service, sign in as an administrator in that account and view the IAM service last accessed data.

  5. Choose the Attached SCPs tab to view the list of the service control policies (SCPs) that are attached to the root. IAM shows you the number of target entities to which each policy is attached. You can use this information to decide which SCP to review.

  6. Choose the name of an SCP to view all of the services that the policy allows. For each service, view from which account the service was last accessed, and when.

  7. Choose Edit in AWS Organizations to view additional details and edit the SCP in the Organizations console. For more information, see Updating an SCP in the AWS Organizations User Guide.

To view data for an OU or account (console)

  1. Sign in to the AWS Management Console using Organizations master account credentials, and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, expand AWS Organizations, and then choose Organization activity.

  3. On the Organization activity page, expand the structure of your organization. Then choose the name of the OU or any account that you want to view except the master account.

  4. On the Details and activity tab, view the Service access report section. The data includes a list of services that are allowed by the SCPs attached to the OU or account and all of its parents. The data shows you from which account the service was last accessed and when. For more details about which principal accessed the service, sign in as an administrator in that account and view the IAM service last accessed data.

  5. Choose the Attached SCPs tab to view the list of the service control policies (SCPs) that are attached directly to the OU or account. IAM shows you the number of target entities to which each policy is attached. You can use this information to decide which SCP to review.

  6. Choose the name of an SCP to view all of the services that the policy allows. For each service, view from which account the service was last accessed, and when.

  7. Choose Edit in AWS Organizations to view additional details and edit the SCP in the Organizations console. For more information, see Updating an SCP in the AWS Organizations User Guide.

To view data for the master account (console)

  1. Sign in to the AWS Management Console using Organizations master account credentials, and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, expand AWS Organizations, and then choose Organization activity.

  3. On the Organization activity page, expand the structure of your organization and choose the name of your master account.

  4. On the Details and activity tab, view the Service access report section. The data includes a list of all AWS services. The master account is not limited by SCPs. The data shows you whether the account last accessed the service and when. For more details about which principal accessed the service, sign in as an administrator in that account and view the IAM service last accessed data.

  5. Choose the Attached SCPs tab to confirm that there are no attached SCPs because the account is the master account.

To view data for a policy (console)

  1. Sign in to the AWS Management Console using Organizations master account credentials, and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, expand AWS Organizations, and then choose Service control policies (SCPs).

  3. On the Service control policies (SCPs) page, view a list of the policies in your organization. You can view the number of target entities to which each policy is attached.

  4. Choose the name of an SCP to view all of the services that the policy allows. For each service, view from which account the service was last accessed, and when.

  5. Choose Edit in AWS Organizations to view additional details and edit the SCP in the Organizations console. For more information, see Updating an SCP in the AWS Organizations User Guide.

Viewing Data for Organizations (AWS CLI)

You can use the AWS CLI to retrieve service last accessed data for your Organizations root, OU, account, or policy.

To view Organizations service last accessed data (AWS CLI)

  1. Use your Organizations master account credentials with the required IAM and Organizations permissions, and confirm that SCPs are enabled for your root. For more information, see Things to Know.

  2. Generate a report. The request must include the path of the Organizations entity (root, OU, or account) for which you want a report. You can optionally include an organizations-policy-id parameter to view a report for a specific policy. The command returns a job-id that you can then use in the get-organizations-access-report command to monitor the job-status until the job is complete.

  3. Retrieve details about the report using the job-id parameter from the previous step.

    This command returns a list of services that entity members can access. For each service, the command returns the date and time of an account member's last attempt and the entity path of the account. It also returns the total number of services that are available to access and the number of services that were not accessed. If you specified the optional organizations-policy-id parameter, then the services that are available to access are those that are allowed by the specified policy.

Viewing Data for Organizations (AWS API)

You can use the AWS API to retrieve service last accessed data for your Organizations root, OU, account, or policy.

To view Organizations service last accessed data (AWS API)

  1. Use your Organizations master account credentials with the required IAM and Organizations permissions, and confirm that SCPs are enabled for your root. For more information, see Things to Know.

  2. Generate a report. The request must include the path of the Organizations entity (root, OU, or account) for which you want a report. You can optionally include an OrganizationsPolicyId parameter to view a report for a specific policy. The operation returns a JobId that you can then use in the GetOrganizationsAccessReport operation to monitor the JobStatus until the job is complete.

  3. Retrieve details about the report using the JobId parameter from the previous step.

    This operation returns a list of services that entity members can access. For each service, the operation returns the date and time of an account member's last attempt and the entity path of the account. It also returns the total number of services that are available to access, and the number of services that were not accessed. If you specified the optional OrganizationsPolicyId parameter, then the services that are available to access are those that are allowed by the specified policy.
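Both the CLI procedure and the API procedure above end with a report in the same shape: a JobStatus, the counts of accessible and not-accessed services, and an AccessDetails list with one entry per service. The script below, an added example that is not part of the IAM User Guide and not an AWS tool, takes that JSON (as written by `aws iam get-organizations-access-report --job-id <id>`, or as returned by GetOrganizationsAccessReport) and sorts the allowed services into never accessed, stale, and active, which is the input you need to decide which SCP allowances to tighten. It also handles the IN_PROGRESS case, so it can sit inside a polling loop. The report content, paths, timestamps and the 90-day staleness threshold are constructed for the example; field names are those of the GetOrganizationsAccessReport response.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a completed report (services, paths and timestamps
# are made up); the keys match the GetOrganizationsAccessReport response.
SAMPLE_REPORT = json.dumps({
    "JobStatus": "COMPLETED",
    "NumberOfServicesAccessible": 3,
    "NumberOfServicesNotAccessed": 1,
    "AccessDetails": [
        {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
         "LastAuthenticatedTime": "2019-06-05T08:30:00+00:00",
         "EntityPath": "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-abc0-awsaaaaa/111111111111",
         "Region": "us-east-1", "TotalAuthenticatedEntities": 1},
        {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
         "LastAuthenticatedTime": "2018-11-01T08:30:00+00:00",
         "EntityPath": "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-abc0-awsaaaaa/111111111111",
         "Region": "us-east-1", "TotalAuthenticatedEntities": 1},
        # Allowed by SCPs but never used: no LastAuthenticatedTime at all.
        {"ServiceName": "AWS Lambda", "ServiceNamespace": "lambda",
         "TotalAuthenticatedEntities": 0},
    ],
})
# A report whose job has not finished: keep polling with the same job-id.
IN_PROGRESS_REPORT = json.dumps({"JobStatus": "IN_PROGRESS"})
# Constructed reference time so the sample classification is reproducible.
REPORT_TIME = datetime(2019, 6, 10, 12, 0, tzinfo=timezone.utc)


def _parse_time(value):
    # Timestamps are ISO 8601; normalise a trailing "Z" for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_access_report(report_json, now=None, stale_days=90):
    """Classify each SCP-allowed service as never accessed, stale, or active.

    If the job is not COMPLETED, only the status (and ErrorDetails, if
    present) is returned so the caller knows to poll again or give up.
    """
    now = now or datetime.now(timezone.utc)
    report = json.loads(report_json)
    status = report.get("JobStatus")
    if status != "COMPLETED":
        return {"status": status, "error": report.get("ErrorDetails")}
    cutoff = now - timedelta(days=stale_days)
    never, stale, active = [], [], []
    for detail in report.get("AccessDetails", []):
        namespace = detail["ServiceNamespace"]
        last_seen = detail.get("LastAuthenticatedTime")
        if not last_seen:
            never.append(namespace)
            continue
        last = _parse_time(last_seen)
        # (service namespace, account path that used it, days since last use)
        entry = (namespace, detail.get("EntityPath"), (now - last).days)
        (stale if last < cutoff else active).append(entry)
    return {
        "status": status,
        "never_accessed": never,
        "stale": stale,
        "active": active,
        # Cross-check our count against the report's own summary field.
        "counts_consistent": len(never) == report.get("NumberOfServicesNotAccessed"),
    }


if __name__ == "__main__":
    print(json.dumps(summarize_access_report(SAMPLE_REPORT, now=REPORT_TIME), indent=2))
```

In practice you would feed it the file produced by the CLI (`aws iam get-organizations-access-report --job-id <id> > report.json`) and treat the never-accessed and stale lists as candidates for removal from the SCP; the EntityPath in each entry tells you which account to sign in to for the per-principal IAM data mentioned in the console steps.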