AWS CLI version 2, the latest major version of AWS CLI, is now stable and recommended for general use. To view this page for the AWS CLI version 2, click here. For more information see the AWS CLI version 2 installation instructions and migration guide.
Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access Amazon Web Services services. Recent activity usually appears within four hours. IAM reports activity for at least the last 400 days, or less if your Region began supporting this feature within the last year. For more information, see Regions where data is tracked . For more information about services and actions for which action last accessed information is displayed, see IAM action last accessed information services and actions .
The GenerateServiceLastAccessedDetails
operation returns a JobId
. Use this parameter in the following operations to retrieve the following details from your report:
JobId
returned by GenerateServiceLastAccessedDetail
must be used by the same role within a session, or by the same user when used to call GetServiceLastAccessedDetail
.To check the status of the GenerateServiceLastAccessedDetails
request, use the JobId
parameter in the same operations and test the JobStatus
response parameter.
For additional information about the permissions policies that allow an identity (user, group, or role) to access specific services, use the ListPoliciesGrantingServiceAccess operation.
For more information about service and action last accessed data, see Reducing permissions using service last accessed data in the IAM User Guide .
See also: AWS API Documentation
generate-service-last-accessed-details
--arn <value>
[--granularity <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
--arn
(string)
The ARN of the IAM resource (user, group, role, or managed policy) used to generate information about when the resource was last used in an attempt to access an Amazon Web Services service.
--granularity
(string)
The level of detail that you want to generate. You can specify whether you want to generate information about the last attempt to access services or actions. If you specify service-level granularity, this operation generates only service data. If you specify action-level granularity, it generates service and action data. If you don't include this optional parameter, the operation generates service data.
Possible values:
SERVICE_LEVEL
ACTION_LEVEL
--cli-input-json
(string)
Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command.
--debug
(boolean)
Turn on debug logging.
--endpoint-url
(string)
Override command's default URL with the given URL.
--no-verify-ssl
(boolean)
By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.
--no-paginate
(boolean)
Disable automatic pagination. If automatic pagination is disabled, the AWS CLI will only make one call, for the first page of results.
--output
(string)
The formatting style for command output.
--query
(string)
A JMESPath query to use in filtering the response data.
--profile
(string)
Use a specific profile from your credential file.
--region
(string)
The region to use. Overrides config/env settings.
--version
(string)
Display the version of this tool.
--color
(string)
Turn on/off color output.
--no-sign-request
(boolean)
Do not sign requests. Credentials will not be loaded if this argument is provided.
--ca-bundle
(string)
The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.
--cli-read-timeout
(int)
The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.
--cli-connect-timeout
(int)
The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.
To use the following examples, you must have the AWS CLI installed and configured. See the Getting started guide in the AWS CLI User Guide for more information.
Unless otherwise stated, all examples have unix-like quotation rules. These examples will need to be adapted to your terminal's quoting rules. See Using quotation marks with strings in the AWS CLI User Guide .
Example 1: To generate a service access report for a custom policy
The following generate-service-last-accessed-details
example starts a background job to generate a report that lists the services accessed by IAM users and other entities with a custom policy named intern-boundary
. You can display the report after it is created by running the get-service-last-accessed-details
command.
aws iam generate-service-last-accessed-details \
--arn arn:aws:iam::123456789012:policy/intern-boundary
Output:
{
"JobId": "2eb6c2b8-7b4c-3xmp-3c13-03b72c8cdfdc"
}
Example 2: To generate a service access report for the AWS managed AdministratorAccess policy
The following generate-service-last-accessed-details
example starts a background job to generate a report that lists the services accessed by IAM users and other entities with the AWS managed AdministratorAccess
policy. You can display the report after it is created by running the get-service-last-accessed-details
command.
aws iam generate-service-last-accessed-details \
--arn arn:aws:iam::aws:policy/AdministratorAccess
Output:
{
"JobId": "78b6c2ba-d09e-6xmp-7039-ecde30b26916"
}
For more information, see Refining permissions in AWS using last accessed information in the AWS IAM User Guide.
JobId -> (string)
TheJobId
that you can use in the GetServiceLastAccessedDetails or GetServiceLastAccessedDetailsWithEntities operations. TheJobId
returned byGenerateServiceLastAccessedDetail
must be used by the same role within a session, or by the same user when used to callGetServiceLastAccessedDetail
.