AccessPreviewFinding - IAM Access Analyzer

AccessPreviewFinding

An access preview finding generated by the access preview.

Contents

changeType

Provides context on how the access preview finding compares to existing access identified in IAM Access Analyzer.

  • New - The finding is for newly-introduced access.

  • Unchanged - The preview finding is an existing finding that would remain unchanged.

  • Changed - The preview finding is an existing finding with a change in status.

For example, a Changed finding with preview status Resolved and existing status Active indicates the existing Active finding would become Resolved as a result of the proposed permissions change.

Type: String

Valid Values: CHANGED | NEW | UNCHANGED

Required: Yes

createdAt

The time at which the access preview finding was created.

Type: Timestamp

Required: Yes

id

The ID of the access preview finding. This ID uniquely identifies the element in the list of access preview findings and is not related to the finding ID in Access Analyzer.

Type: String

Required: Yes

resourceOwnerAccount

The AWS account ID that owns the resource. For most AWS resources, the owning account is the account in which the resource was created.

Type: String

Required: Yes

resourceType

The type of the resource that can be accessed in the finding.

Type: String

Valid Values: AWS::S3::Bucket | AWS::IAM::Role | AWS::SQS::Queue | AWS::Lambda::Function | AWS::Lambda::LayerVersion | AWS::KMS::Key | AWS::SecretsManager::Secret | AWS::EFS::FileSystem | AWS::EC2::Snapshot | AWS::ECR::Repository | AWS::RDS::DBSnapshot | AWS::RDS::DBClusterSnapshot | AWS::SNS::Topic | AWS::S3Express::DirectoryBucket | AWS::DynamoDB::Table | AWS::DynamoDB::Stream | AWS::IAM::User

Required: Yes

status

The preview status of the finding. This is what the status of the finding would be after permissions deployment. For example, a Changed finding with preview status Resolved and existing status Active indicates the existing Active finding would become Resolved as a result of the proposed permissions change.

Type: String

Valid Values: ACTIVE | ARCHIVED | RESOLVED

Required: Yes

action

The action in the analyzed policy statement that an external principal has permission to perform.

Type: Array of strings

Required: No

condition

The condition in the analyzed policy statement that resulted in a finding.

Type: String to string map

Required: No

error

An error.

Type: String

Required: No

existingFindingId

The existing ID of the finding in IAM Access Analyzer, provided only for existing findings.

Type: String

Required: No

existingFindingStatus

The existing status of the finding, provided only for existing findings.

Type: String

Valid Values: ACTIVE | ARCHIVED | RESOLVED

Required: No

isPublic

Indicates whether the policy that generated the finding allows public access to the resource.

Type: Boolean

Required: No

principal

The external principal that has access to a resource within the zone of trust.

Type: String to string map

Required: No

resource

The resource that an external principal has access to. This is the resource associated with the access preview.

Type: String

Required: No

resourceControlPolicyRestriction

The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).

Type: String

Valid Values: APPLICABLE | FAILED_TO_EVALUATE_RCP | NOT_APPLICABLE

Required: No

sources

The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.

Type: Array of FindingSource objects

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: