AWS CLI version 2, the latest major version of AWS CLI, is now stable and recommended for general use. To view this page for the AWS CLI version 2, click here. For more information see the AWS CLI version 2 installation instructions and migration guide.
Generates a report for service last accessed data for Organizations. You can generate a report for any entities (organization root, organizational unit, or account) or policies in your organization.
To call this operation, you must be signed in using your Organizations management account credentials. You can use your long-term IAM user or root user credentials, or temporary credentials from assuming an IAM role. SCPs must be enabled for your organization root. You must have the required IAM and Organizations permissions. For more information, see Refining permissions using service last accessed data in the IAM User Guide .
You can generate a service last accessed data report for entities by specifying only the entity's path. This data includes a list of services that are allowed by any service control policies (SCPs) that apply to the entity.
You can generate a service last accessed data report for a policy by specifying an entity's path and an optional Organizations policy ID. This data includes a list of services that are allowed by the specified SCP.
For each service in both report types, the data includes the most recent account activity that the policy allows to account principals in the entity or the entity's children. For important information about the data, reporting period, permissions required, troubleshooting, and supported Regions see Reducing permissions using service last accessed data in the IAM User Guide .
This operation returns a JobId
. Use this parameter in the `` GetOrganizationsAccessReport `` operation to check the status of the report generation. To check the status of this request, use the JobId
parameter in the `` GetOrganizationsAccessReport `` operation and test the JobStatus
response parameter. When the job is complete, you can retrieve the report.
To generate a service last accessed data report for entities, specify an entity path without specifying the optional Organizations policy ID. The type of entity that you specify determines the data returned in the report.
To generate a service last accessed data report for policies, specify an entity path and the optional Organizations policy ID. The type of entity that you specify determines the data returned for each service.
For more information about service last accessed data, see Reducing policy scope by viewing user activity in the IAM User Guide .
See also: AWS API Documentation
generate-organizations-access-report
--entity-path <value>
[--organizations-policy-id <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
--entity-path
(string)
The path of the Organizations entity (root, OU, or account). You can build an entity path using the known structure of your organization. For example, assume that your account ID is123456789012
and its parent OU ID isou-rge0-awsabcde
. The organization root ID isr-f6g7h8i9j0example
and your organization ID iso-a1b2c3d4e5
. Your entity path iso-a1b2c3d4e5/r-f6g7h8i9j0example/ou-rge0-awsabcde/123456789012
.
--organizations-policy-id
(string)
The identifier of the Organizations service control policy (SCP). This parameter is optional.
This ID is used to generate information about when an account principal that is limited by the SCP attempted to access an Amazon Web Services service.
--cli-input-json
(string)
Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command.
--debug
(boolean)
Turn on debug logging.
--endpoint-url
(string)
Override command's default URL with the given URL.
--no-verify-ssl
(boolean)
By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.
--no-paginate
(boolean)
Disable automatic pagination. If automatic pagination is disabled, the AWS CLI will only make one call, for the first page of results.
--output
(string)
The formatting style for command output.
--query
(string)
A JMESPath query to use in filtering the response data.
--profile
(string)
Use a specific profile from your credential file.
--region
(string)
The region to use. Overrides config/env settings.
--version
(string)
Display the version of this tool.
--color
(string)
Turn on/off color output.
--no-sign-request
(boolean)
Do not sign requests. Credentials will not be loaded if this argument is provided.
--ca-bundle
(string)
The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.
--cli-read-timeout
(int)
The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.
--cli-connect-timeout
(int)
The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.
To use the following examples, you must have the AWS CLI installed and configured. See the Getting started guide in the AWS CLI User Guide for more information.
Unless otherwise stated, all examples have unix-like quotation rules. These examples will need to be adapted to your terminal's quoting rules. See Using quotation marks with strings in the AWS CLI User Guide .
Example 1: To generate an access report for a root in an organization
The following generate-organizations-access-report
example starts a background job to create an access report for the specified root in an organization. You can display the report after it's created by running the get-organizations-access-report
command.
aws iam generate-organizations-access-report \
--entity-path o-4fxmplt198/r-c3xb
Output:
{
"JobId": "a8b6c06f-aaa4-8xmp-28bc-81da71836359"
}
Example 2: To generate an access report for an account in an organization
The following generate-organizations-access-report
example starts a background job to create an access report for account ID 123456789012
in the organization o-4fxmplt198
. You can display the report after it's created by running the get-organizations-access-report
command.
aws iam generate-organizations-access-report \
--entity-path o-4fxmplt198/r-c3xb/123456789012
Output:
{
"JobId": "14b6c071-75f6-2xmp-fb77-faf6fb4201d2"
}
Example 3: To generate an access report for an account in an organizational unit in an organization
The following generate-organizations-access-report
example starts a background job to create an access report for account ID 234567890123
in organizational unit ou-c3xb-lmu7j2yg
in the organization o-4fxmplt198
. You can display the report after it's created by running the get-organizations-access-report
command.
aws iam generate-organizations-access-report \
--entity-path o-4fxmplt198/r-c3xb/ou-c3xb-lmu7j2yg/234567890123
Output:
{
"JobId": "2eb6c2e6-0xmp-ec04-1425-c937916a64af"
}
To get details about roots and organizational units in your organization, use the organizations list-roots
and organizations list-organizational-units-for-parent
commands.
For more information, see Refining permissions in AWS using last accessed information in the AWS IAM User Guide.
JobId -> (string)
The job identifier that you can use in the GetOrganizationsAccessReport operation.