aws accessanalyzer

AWS IAM Access Analyzer helps identify potential resource-access risks by enabling you to identify any policies that grant access to an external principal. It does this by using logic-based reasoning to analyze resource-based policies in your AWS environment. An external principal can be another AWS account, a root user, an IAM user or role, a federated user, an AWS service, or an anonymous user. You can also use Access Analyzer to preview and validate public and cross-account access to your resources before deploying permissions changes. This guide describes the AWS IAM Access Analyzer operations that you can call programmatically. For general information about Access Analyzer, see AWS IAM Access Analyzer in the IAM User Guide. To start using Access Analyzer, you first need to create an analyzer

Subcommands

NameDescription
apply-archive-ruleRetroactively applies the archive rule to existing findings that meet the archive rule criteria
cancel-policy-generationCancels the requested policy generation
create-access-previewCreates an access preview that allows you to preview Access Analyzer findings for your resource before deploying resource permissions
create-analyzerCreates an analyzer for your account
create-archive-ruleCreates an archive rule for the specified analyzer. Archive rules automatically archive new findings that meet the criteria you define when you create the rule. To learn about filter keys that you can use to create an archive rule, see Access Analyzer filter keys in the IAM User Guide
delete-analyzerDeletes the specified analyzer. When you delete an analyzer, Access Analyzer is disabled for the account or organization in the current or specific Region. All findings that were generated by the analyzer are deleted. You cannot undo this action
delete-archive-ruleDeletes the specified archive rule
get-access-previewRetrieves information about an access preview for the specified analyzer
get-analyzed-resourceRetrieves information about a resource that was analyzed
get-analyzerRetrieves information about the specified analyzer
get-archive-ruleRetrieves information about an archive rule. To learn about filter keys that you can use to create an archive rule, see Access Analyzer filter keys in the IAM User Guide
get-findingRetrieves information about the specified finding
get-generated-policyRetrieves the policy that was generated using StartPolicyGeneration
list-access-preview-findingsRetrieves a list of access preview findings generated by the specified access preview
list-access-previewsRetrieves a list of access previews for the specified analyzer
list-analyzed-resourcesRetrieves a list of resources of the specified type that have been analyzed by the specified analyzer
list-analyzersRetrieves a list of analyzers
list-archive-rulesRetrieves a list of archive rules created for the specified analyzer
list-findingsRetrieves a list of findings generated by the specified analyzer. To learn about filter keys that you can use to retrieve a list of findings, see Access Analyzer filter keys in the IAM User Guide
list-policy-generationsLists all of the policy generations requested in the last seven days
list-tags-for-resourceRetrieves a list of tags applied to the specified resource
start-policy-generationStarts the policy generation request
start-resource-scanImmediately starts a scan of the policies applied to the specified resource
tag-resourceAdds a tag to the specified resource
untag-resourceRemoves a tag from the specified resource
update-archive-ruleUpdates the criteria and values for the specified archive rule
update-findingsUpdates the status for the specified findings
validate-policyRequests the validation of a policy and returns a list of findings. The findings help you identify issues and provide actionable recommendations to resolve the issue and enable you to author functional policies that meet security best practices