文档 AWS SDK 示例 GitHub 存储库中还有更多 [S AWS DK 示例](https://github.com/awsdocs/aws-doc-sdk-examples)。
本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 使用 IAM 访问分析器示例 AWS CLI
以下代码示例向您展示了如何使用 AWS Command Line Interface 与 IAM Access Analyzer 配合使用来执行操作和实现常见场景。
*操作*是大型程序的代码摘录,必须在上下文中运行。您可以通过操作了解如何调用单个服务函数,还可以通过函数相关场景的上下文查看操作。
每个示例都包含一个指向完整源代码的链接,您可以从中找到有关如何在上下文中设置和运行代码的说明。
**Topics**
+ [操作](#actions)
## 操作
### `apply-archive-rule`
以下代码示例演示了如何使用 `apply-archive-rule`。
**AWS CLI**
**将存档规则应用于符合存档规则条件的现有调查发现**
以下 `apply-archive-rule` 示例将存档规则应用于符合存档规则条件的现有调查发现。
```
aws accessanalyzer apply-archive-rule \
--analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/UnusedAccess-ConsoleAnalyzer-organization \
--rule-name MyArchiveRule
```
此命令不生成任何输出。
有关更多信息,请参阅《AWS IAM 用户指南》**中的[存档规则](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-archive-rules.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[ApplyArchiveRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/apply-archive-rule.html)*中的。
### `cancel-policy-generation`
以下代码示例演示了如何使用 `cancel-policy-generation`。
**AWS CLI**
**取消请求的策略生成**
以下 `cancel-policy-generation` 示例取消请求的策略生成作业 ID。
```
aws accessanalyzer cancel-policy-generation \
--job-id 923a56b0-ebb8-4e80-8a3c-a11ccfbcd6f2
```
此命令不生成任何输出。
有关更多信息,请参阅《AWS IAM 用户指南》**中的 [IAM Access Analyzer 策略生成](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[CancelPolicyGeneration](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/cancel-policy-generation.html)*中的。
### `check-access-not-granted`
以下代码示例演示了如何使用 `check-access-not-granted`。
**AWS CLI**
**检查策略是否不允许指定访问**
以下 `check-access-not-granted` 示例检查策略是否不允许指定访问。
```
aws accessanalyzer check-access-not-granted \
--policy-document file://myfile.json \
--access actions="s3:DeleteBucket","s3:GetBucketLocation" \
--policy-type IDENTITY_POLICY
```
`myfile.json` 的内容:
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket",
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
}
]
}
```
输出:
```
{
"result": "PASS",
"message": "The policy document does not grant access to perform one or more of the listed actions."
}
```
有关更多信息,请参阅 IAM *用户指南 APIs*中的[使用 IAM 访问分析器预览](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-preview-access-apis.html)访问权限。AWS
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[CheckAccessNotGranted](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/check-access-not-granted.html)*中的。
### `check-no-new-access`
以下代码示例演示了如何使用 `check-no-new-access`。
**AWS CLI**
**检查与现有策略相比,更新后的策略是否允许新的访问**
以下 `check-no-new-access` 示例检查与现有策略相比,更新后的策略是否允许新的访问。
```
aws accessanalyzer check-no-new-access \
--existing-policy-document file://existing-policy.json \
--new-policy-document file://new-policy.json \
--policy-type IDENTITY_POLICY
```
`existing-policy.json` 的内容:
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket",
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
}
]
}
```
`new-policy.json` 的内容:
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket",
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
}
]
}
```
输出:
```
{
"result": "FAIL",
"message": "The modified permissions grant new access compared to your existing policy.",
"reasons": [
{
"description": "New access in the statement with index: 0.",
"statementIndex": 0
}
]
}
```
有关更多信息,请参阅 IAM *用户指南 APIs*中的[使用 IAM 访问分析器预览](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-preview-access-apis.html)访问权限。AWS
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[CheckNoNewAccess](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/check-no-new-access.html)*中的。
### `check-no-public-access`
以下代码示例演示了如何使用 `check-no-public-access`。
**AWS CLI**
**检查资源策略是否可以授予对指定资源类型的公共访问权限**
以下 `check-no-public-access` 示例检查资源策略是否可以授予对指定资源类型的公共访问权限。
```
aws accessanalyzer check-no-public-access \
--policy-document file://check-no-public-access-myfile.json \
--resource-type AWS::S3::Bucket
```
`myfile.json` 的内容:
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "CheckNoPublicAccess",
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::111122223333:user/JohnDoe" },
"Action": [
"s3:GetObject"
]
}
]
}
```
输出:
```
{
"result": "PASS",
"message": "The resource policy does not grant public access for the given resource type."
}
```
有关更多信息,请参阅 IAM *用户指南 APIs*中的[使用 IAM 访问分析器预览](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-preview-access-apis.html)访问权限。AWS
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[CheckNoPublicAccess](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/check-no-public-access.html)*中的。
### `create-access-preview`
以下代码示例演示了如何使用 `create-access-preview`。
**AWS CLI**
**创建访问预览,以便允许您在部署资源权限之前预览资源的 IAM Access Analyzer 调查发现**
以下`create-access-preview`示例创建了一个访问预览,允许您在 AWS 账户中部署资源权限之前预览资源的 IAM Access Analyzer 结果。
```
aws accessanalyzer create-access-preview \
--analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
--configurations file://myfile.json
```
`myfile.json` 的内容:
```
{
"arn:aws:s3:::amzn-s3-demo-bucket": {
"s3Bucket": {
"bucketPolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::111122223333:root\"]},\"Action\":[\"s3:PutObject\",\"s3:PutObjectAcl\"],\"Resource\":\"arn:aws:s3:::amzn-s3-demo-bucket/*\"}]}",
"bucketPublicAccessBlock": {
"ignorePublicAcls": true,
"restrictPublicBuckets": true
},
"bucketAclGrants": [
{
"grantee": {
"id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
},
"permission": "READ"
}
]
}
}
}
```
输出:
```
{
"id": "3c65eb13-6ef9-4629-8919-a32043619e6b"
}
```
有关更多信息,请参阅 IAM *用户指南 APIs*中的[使用 IAM 访问分析器预览](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-preview-access-apis.html)访问权限。AWS
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[CreateAccessPreview](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/create-access-preview.html)*中的。
### `create-analyzer`
以下代码示例演示了如何使用 `create-analyzer`。
**AWS CLI**
**创建分析器**
以下`create-analyzer`示例在您的 AWS 账户中创建了一个分析器。
```
aws accessanalyzer create-analyzer \
--analyzer-name example \
--type ACCOUNT
```
输出:
```
{
"arn": "arn:aws:access-analyzer:us-east-2:111122223333:analyzer/example"
}
```
有关更多信息,请参阅 *AWS IAM 用户指南*中的 I [dent AWS ity and Access Management Access Analyzer 发现的入门](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[CreateAnalyzer](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/create-analyzer.html)*中的。
### `create-archive-rule`
以下代码示例演示了如何使用 `create-archive-rule`。
**AWS CLI**
**为指定分析器创建存档规则**
以下`create-archive-rule`示例为您 AWS 账户中的指定分析器创建存档规则。
```
aws accessanalyzer create-archive-rule \
--analyzer-name UnusedAccess-ConsoleAnalyzer-organization \
--rule-name MyRule \
--filter '{"resource": {"contains": ["Cognito"]}, "resourceType": {"eq": ["AWS::IAM::Role"]}}'
```
此命令不生成任何输出。
有关更多信息,请参阅《AWS IAM 用户指南》**中的[存档规则](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-archive-rules.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[CreateArchiveRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/create-archive-rule.html)*中的。
### `delete-analyzer`
以下代码示例演示了如何使用 `delete-analyzer`。
**AWS CLI**
**删除指定分析器**
以下`delete-analyzer`示例删除了您 AWS 账户中的指定分析器。
```
aws accessanalyzer delete-analyzer \
--analyzer-name example
```
此命令不生成任何输出。
有关更多信息,请参阅《AWS IAM 用户指南》**中的[存档规则](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-archive-rules.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[DeleteAnalyzer](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/delete-analyzer.html)*中的。
### `delete-archive-rule`
以下代码示例演示了如何使用 `delete-archive-rule`。
**AWS CLI**
**删除指定存档规则**
以下`delete-archive-rule`示例删除了您 AWS 账户中指定的存档规则。
```
aws accessanalyzer delete-archive-rule \
--analyzer-name UnusedAccess-ConsoleAnalyzer-organization \
--rule-name MyRule
```
此命令不生成任何输出。
有关更多信息,请参阅《AWS IAM 用户指南》**中的[存档规则](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-archive-rules.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[DeleteArchiveRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/delete-archive-rule.html)*中的。
### `get-access-preview`
以下代码示例演示了如何使用 `get-access-preview`。
**AWS CLI**
**检索有关指定分析器访问预览的信息**
以下`get-access-preview`示例检索有关您 AWS 账户中指定分析器的访问预览的信息。
```
aws accessanalyzer get-access-preview \
--access-preview-id 3c65eb13-6ef9-4629-8919-a32043619e6b \
--analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
```
输出:
```
{
"accessPreview": {
"id": "3c65eb13-6ef9-4629-8919-a32043619e6b",
"analyzerArn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account",
"configurations": {
"arn:aws:s3:::amzn-s3-demo-bucket": {
"s3Bucket": {
"bucketPolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::111122223333:root\"]},\"Action\":[\"s3:PutObject\",\"s3:PutObjectAcl\"],\"Resource\":\"arn:aws:s3:::amzn-s3-demo-bucket/*\"}]}",
"bucketAclGrants": [
{
"permission": "READ",
"grantee": {
"id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
}
}
],
"bucketPublicAccessBlock": {
"ignorePublicAcls": true,
"restrictPublicBuckets": true
}
}
}
},
"createdAt": "2024-02-17T00:18:44+00:00",
"status": "COMPLETED"
}
}
```
有关更多信息,请参阅 IAM *用户指南 APIs*中的[使用 IAM 访问分析器预览](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-preview-access-apis.html)访问权限。AWS
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[GetAccessPreview](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/get-access-preview.html)*中的。
### `get-analyzed-resource`
以下代码示例演示了如何使用 `get-analyzed-resource`。
**AWS CLI**
**检索有关已分析资源的信息**
以下`get-analyzed-resource`示例检索有关在您的 AWS 账户中分析过的资源的信息。
```
aws accessanalyzer get-analyzed-resource \
--analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
--resource-arn arn:aws:s3:::amzn-s3-demo-bucket
```
输出:
```
{
"resource": {
"analyzedAt": "2024-02-15T18:01:53.002000+00:00",
"isPublic": false,
"resourceArn": "arn:aws:s3:::amzn-s3-demo-bucket",
"resourceOwnerAccount": "111122223333",
"resourceType": "AWS::S3::Bucket"
}
}
```
有关更多信息,请参阅 *AWS IAM 用户指南*中的[使用 I AWS dentity and Access Management 访问分析器](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[GetAnalyzedResource](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/get-analyzed-resource.html)*中的。
### `get-analyzer`
以下代码示例演示了如何使用 `get-analyzer`。
**AWS CLI**
**检索有关指定分析器的信息**
以下`get-analyzer`示例检索有关您 AWS 账户中指定分析器的信息。
```
aws accessanalyzer get-analyzer \
--analyzer-name ConsoleAnalyzer-account
```
输出:
```
{
"analyzer": {
"arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account",
"createdAt": "2019-12-03T07:28:17+00:00",
"lastResourceAnalyzed": "arn:aws:sns:us-west-2:111122223333:config-topic",
"lastResourceAnalyzedAt": "2024-02-15T18:01:53.003000+00:00",
"name": "ConsoleAnalyzer-account",
"status": "ACTIVE",
"tags": {
"auto-delete": "no"
},
"type": "ACCOUNT"
}
}
```
有关更多信息,请参阅 *AWS IAM 用户指南*中的[使用 I AWS dentity and Access Management 访问分析器](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[GetAnalyzer](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/get-analyzer.html)*中的。
### `get-archive-rule`
以下代码示例演示了如何使用 `get-archive-rule`。
**AWS CLI**
**检索有关存档规则的信息**
以下`get-archive-rule`示例检索有关您 AWS 账户中存档规则的信息。
```
aws accessanalyzer get-archive-rule \
--analyzer-name UnusedAccess-ConsoleAnalyzer-organization \
--rule-name MyArchiveRule
```
输出:
```
{
"archiveRule": {
"createdAt": "2024-02-15T00:49:27+00:00",
"filter": {
"resource": {
"contains": [
"Cognito"
]
},
"resourceType": {
"eq": [
"AWS::IAM::Role"
]
}
},
"ruleName": "MyArchiveRule",
"updatedAt": "2024-02-15T00:49:27+00:00"
}
}
```
有关更多信息,请参阅《AWS IAM 用户指南》**中的[存档规则](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-archive-rules.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[GetArchiveRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/get-archive-rule.html)*中的。
### `get-finding-v2`
以下代码示例演示了如何使用 `get-finding-v2`。
**AWS CLI**
**检索有关指定调查发现的信息**
以下`get-finding-v2`示例检索有关您 AWS 账户中指定结果的信息。
```
aws accessanalyzer get-finding-v2 \
--analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-organization \
--id 0910eedb-381e-4e95-adda-0d25c19e6e90
```
输出:
```
{
"findingDetails": [
{
"externalAccessDetails": {
"action": [
"sts:AssumeRoleWithWebIdentity"
],
"condition": {
"cognito-identity.amazonaws.com:aud": "us-west-2:EXAMPLE0-0000-0000-0000-000000000000"
},
"isPublic": false,
"principal": {
"Federated": "cognito-identity.amazonaws.com"
}
}
}
],
"resource": "arn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role",
"status": "ACTIVE",
"error": null,
"createdAt": "2021-02-26T21:17:50.905000+00:00",
"resourceType": "AWS::IAM::Role",
"findingType": "ExternalAccess",
"resourceOwnerAccount": "111122223333",
"analyzedAt": "2024-02-16T18:17:47.888000+00:00",
"id": "0910eedb-381e-4e95-adda-0d25c19e6e90",
"updatedAt": "2021-02-26T21:17:50.905000+00:00"
}
```
有关更多信息,请参阅《AWS IAM 用户指南》**中的[查看调查发现](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings-view.html)。
+ 有关 API 的详细信息,请参阅《*AWS CLI 命令参考*》中的 [GetFindingV2](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/get-finding-v2.html)。
### `get-finding`
以下代码示例演示了如何使用 `get-finding`。
**AWS CLI**
**检索有关指定调查发现的信息**
以下`get-finding`示例检索有关您 AWS 账户中指定结果的信息。
```
aws accessanalyzer get-finding \
--analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-organization \
--id 0910eedb-381e-4e95-adda-0d25c19e6e90
```
输出:
```
{
"finding": {
"id": "0910eedb-381e-4e95-adda-0d25c19e6e90",
"principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"action": [
"sts:AssumeRoleWithWebIdentity"
],
"resource": "arn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role",
"isPublic": false,
"resourceType": "AWS::IAM::Role",
"condition": {
"cognito-identity.amazonaws.com:aud": "us-west-2:EXAMPLE0-0000-0000-0000-000000000000"
},
"createdAt": "2021-02-26T21:17:50.905000+00:00",
"analyzedAt": "2024-02-16T18:17:47.888000+00:00",
"updatedAt": "2021-02-26T21:17:50.905000+00:00",
"status": "ACTIVE",
"resourceOwnerAccount": "111122223333"
}
}
```
有关更多信息,请参阅《AWS IAM 用户指南》**中的[查看调查发现](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings-view.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[GetFinding](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/get-finding.html)*中的。
### `get-generated-policy`
以下代码示例演示了如何使用 `get-generated-policy`。
**AWS CLI**
**检索使用 `StartPolicyGeneration` API 生成的策略**
以下`get-generated-policy`示例检索使用您 AWS 账户中的 StartPolicyGeneration API 生成的政策。
```
aws accessanalyzer get-generated-policy \
--job-id c557dc4a-0338-4489-95dd-739014860ff9
```
输出:
```
{
"generatedPolicyResult": {
"generatedPolicies": [
{
"policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"SupportedServiceSid0\",\"Effect\":\"Allow\",\"Action\":[\"access-analyzer:GetAnalyzer\",\"access-analyzer:ListAnalyzers\",\"access-analyzer:ListArchiveRules\",\"access-analyzer:ListFindings\",\"cloudtrail:DescribeTrails\",\"cloudtrail:GetEventDataStore\",\"cloudtrail:GetEventSelectors\",\"cloudtrail:GetInsightSelectors\",\"cloudtrail:GetTrailStatus\",\"cloudtrail:ListChannels\",\"cloudtrail:ListEventDataStores\",\"cloudtrail:ListQueries\",\"cloudtrail:ListTags\",\"cloudtrail:LookupEvents\",\"ec2:DescribeRegions\",\"iam:GetAccountSummary\",\"iam:GetOpenIDConnectProvider\",\"iam:GetRole\",\"iam:ListAccessKeys\",\"iam:ListAccountAliases\",\"iam:ListOpenIDConnectProviders\",\"iam:ListRoles\",\"iam:ListSAMLProviders\",\"kms:ListAliases\",\"s3:GetBucketLocation\",\"s3:ListAllMyBuckets\"],\"Resource\":\"*\"}]}"
}
],
"properties": {
"cloudTrailProperties": {
"endTime": "2024-02-14T22:44:40+00:00",
"startTime": "2024-02-13T00:30:00+00:00",
"trailProperties": [
{
"allRegions": true,
"cloudTrailArn": "arn:aws:cloudtrail:us-west-2:111122223333:trail/my-trail",
"regions": []
}
]
},
"isComplete": false,
"principalArn": "arn:aws:iam::111122223333:role/Admin"
}
},
"jobDetails": {
"completedOn": "2024-02-14T22:47:01+00:00",
"jobId": "c557dc4a-0338-4489-95dd-739014860ff9",
"startedOn": "2024-02-14T22:44:41+00:00",
"status": "SUCCEEDED"
}
}
```
有关更多信息,请参阅《AWS IAM 用户指南》**中的 [IAM Access Analyzer 策略生成](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[GetGeneratedPolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/get-generated-policy.html)*中的。
### `list-access-preview-findings`
以下代码示例演示了如何使用 `list-access-preview-findings`。
**AWS CLI**
**检索由指定访问预览生成的访问预览调查发现列表**
以下`list-access-preview-findings`示例检索您的 AWS 账户中指定访问预览生成的访问预览结果列表。
```
aws accessanalyzer list-access-preview-findings \
--access-preview-id 3c65eb13-6ef9-4629-8919-a32043619e6b \
--analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
```
输出:
```
{
"findings": [
{
"id": "e22fc158-1c87-4c32-9464-e7f405ce8d74",
"principal": {
"AWS": "111122223333"
},
"action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"condition": {},
"resource": "arn:aws:s3:::amzn-s3-demo-bucket",
"isPublic": false,
"resourceType": "AWS::S3::Bucket",
"createdAt": "2024-02-17T00:18:46+00:00",
"changeType": "NEW",
"status": "ACTIVE",
"resourceOwnerAccount": "111122223333",
"sources": [
{
"type": "POLICY"
}
]
}
]
}
```
有关更多信息,请参阅 IAM *用户指南 APIs*中的[使用 IAM 访问分析器预览](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-preview-access-apis.html)访问权限。AWS
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[ListAccessPreviewFindings](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/list-access-preview-findings.html)*中的。
### `list-access-previews`
以下代码示例演示了如何使用 `list-access-previews`。
**AWS CLI**
**检索指定分析器的访问预览列表**
以下`list-access-previews`示例检索您 AWS 账户中指定分析器的访问预览列表。
```
aws accessanalyzer list-access-previews \
--analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
```
输出:
```
{
"accessPreviews": [
{
"id": "3c65eb13-6ef9-4629-8919-a32043619e6b",
"analyzerArn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account",
"createdAt": "2024-02-17T00:18:44+00:00",
"status": "COMPLETED"
}
]
}
```
有关更多信息,请参阅 IAM *用户指南 APIs*中的[使用 IAM 访问分析器预览](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-preview-access-apis.html)访问权限。AWS
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[ListAccessPreviews](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/list-access-previews.html)*中的。
### `list-analyzed-resources`
以下代码示例演示了如何使用 `list-analyzed-resources`。
**AWS CLI**
**列出可用的小部件**
以下`list-analyzed-resources`示例列出了您 AWS 账户中可用的微件。
```
aws accessanalyzer list-analyzed-resources \
--analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
--resource-type AWS::IAM::Role
```
输出:
```
{
"analyzedResources": [
{
"resourceArn": "arn:aws:sns:us-west-2:111122223333:Validation-Email",
"resourceOwnerAccount": "111122223333",
"resourceType": "AWS::SNS::Topic"
},
{
"resourceArn": "arn:aws:sns:us-west-2:111122223333:admin-alerts",
"resourceOwnerAccount": "111122223333",
"resourceType": "AWS::SNS::Topic"
},
{
"resourceArn": "arn:aws:sns:us-west-2:111122223333:config-topic",
"resourceOwnerAccount": "111122223333",
"resourceType": "AWS::SNS::Topic"
},
{
"resourceArn": "arn:aws:sns:us-west-2:111122223333:inspector-topic",
"resourceOwnerAccount": "111122223333",
"resourceType": "AWS::SNS::Topic"
}
]
}
```
有关更多信息,请参阅 *AWS IAM 用户指南*中的[使用 I AWS dentity and Access Management 访问分析器](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[ListAnalyzedResources](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/list-analyzed-resources.html)*中的。
### `list-analyzers`
以下代码示例演示了如何使用 `list-analyzers`。
**AWS CLI**
**检索分析器列表**
以下`list-analyzers`示例检索您 AWS 账户中的分析器列表。
```
aws accessanalyzer list-analyzers
```
输出:
```
{
"analyzers": [
{
"arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/UnusedAccess-ConsoleAnalyzer-organization",
"createdAt": "2024-02-15T00:46:40+00:00",
"name": "UnusedAccess-ConsoleAnalyzer-organization",
"status": "ACTIVE",
"tags": {
"auto-delete": "no"
},
"type": "ORGANIZATION_UNUSED_ACCESS"
},
{
"arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-organization",
"createdAt": "2020-04-25T07:43:28+00:00",
"lastResourceAnalyzed": "arn:aws:s3:::amzn-s3-demo-bucket",
"lastResourceAnalyzedAt": "2024-02-15T21:51:56.517000+00:00",
"name": "ConsoleAnalyzer-organization",
"status": "ACTIVE",
"tags": {
"auto-delete": "no"
},
"type": "ORGANIZATION"
},
{
"arn": "arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account",
"createdAt": "2019-12-03T07:28:17+00:00",
"lastResourceAnalyzed": "arn:aws:sns:us-west-2:111122223333:config-topic",
"lastResourceAnalyzedAt": "2024-02-15T18:01:53.003000+00:00",
"name": "ConsoleAnalyzer-account",
"status": "ACTIVE",
"tags": {
"auto-delete": "no"
},
"type": "ACCOUNT"
}
]
}
```
有关更多信息,请参阅 *AWS IAM 用户指南*中的[使用 I AWS dentity and Access Management 访问分析器](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[ListAnalyzers](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/list-analyzers.html)*中的。
### `list-archive-rules`
以下代码示例演示了如何使用 `list-archive-rules`。
**AWS CLI**
**检索为指定分析器创建的存档规则列表**
以下`list-archive-rules`示例检索您 AWS 账户中为指定分析器创建的存档规则列表。
```
aws accessanalyzer list-archive-rules \
--analyzer-name UnusedAccess-ConsoleAnalyzer-organization
```
输出:
```
{
"archiveRules": [
{
"createdAt": "2024-02-15T00:49:27+00:00",
"filter": {
"resource": {
"contains": [
"Cognito"
]
},
"resourceType": {
"eq": [
"AWS::IAM::Role"
]
}
},
"ruleName": "MyArchiveRule",
"updatedAt": "2024-02-15T00:49:27+00:00"
},
{
"createdAt": "2024-02-15T23:27:45+00:00",
"filter": {
"findingType": {
"eq": [
"UnusedIAMUserAccessKey"
]
}
},
"ruleName": "ArchiveRule-56125a39-e517-4ff8-afb1-ef06f58db612",
"updatedAt": "2024-02-15T23:27:45+00:00"
}
]
}
```
有关更多信息,请参阅 *AWS IAM 用户指南*中的[使用 I AWS dentity and Access Management 访问分析器](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[ListArchiveRules](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/list-archive-rules.html)*中的。
### `list-findings-v2`
以下代码示例演示了如何使用 `list-findings-v2`。
**AWS CLI**
**检索由指定分析器生成的调查发现列表**
以下`list-findings-v2`示例检索您的 AWS 账户中指定分析器生成的结果列表。此示例筛选结果以便仅包括其名称包含 `Cognito` 的 IAM 角色。
```
aws accessanalyzer list-findings-v2 \
--analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
--filter '{"resource": {"contains": ["Cognito"]}, "resourceType": {"eq": ["AWS::IAM::Role"]}}'
```
输出:
```
{
"findings": [
{
"analyzedAt": "2024-02-16T18:17:47.888000+00:00",
"createdAt": "2021-02-26T21:17:24.710000+00:00",
"id": "597f3bc2-3adc-4c18-9879-5c4b23485e46",
"resource": "arn:aws:iam::111122223333:role/Cognito_testpoolUnauth_Role",
"resourceType": "AWS::IAM::Role",
"resourceOwnerAccount": "111122223333",
"status": "ACTIVE",
"updatedAt": "2021-02-26T21:17:24.710000+00:00",
"findingType": "ExternalAccess"
},
{
"analyzedAt": "2024-02-16T18:17:47.888000+00:00",
"createdAt": "2021-02-26T21:17:50.905000+00:00",
"id": "ce0e221a-85b9-4d52-91ff-d7678075442f",
"resource": "arn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role",
"resourceType": "AWS::IAM::Role",
"resourceOwnerAccount": "111122223333",
"status": "ACTIVE",
"updatedAt": "2021-02-26T21:17:50.905000+00:00",
"findingType": "ExternalAccess"
}
]
}
```
有关更多信息,请参阅 *AWS IAM 用户指南*中的[使用 I AWS dentity and Access Management 访问分析器](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)。
+ 有关 API 的详细信息,请参阅《*AWS CLI 命令参考*》中的 [ListFindingsV2](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/list-findings-v2.html)。
### `list-findings`
以下代码示例演示了如何使用 `list-findings`。
**AWS CLI**
**检索由指定分析器生成的调查发现列表**
以下`list-findings`示例检索您的 AWS 账户中指定分析器生成的结果列表。此示例筛选结果以便仅包括其名称包含 `Cognito` 的 IAM 角色。
```
aws accessanalyzer list-findings \
--analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
--filter '{"resource": {"contains": ["Cognito"]}, "resourceType": {"eq": ["AWS::IAM::Role"]}}'
```
输出:
```
{
"findings": [
{
"id": "597f3bc2-3adc-4c18-9879-5c4b23485e46",
"principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"action": [
"sts:AssumeRoleWithWebIdentity"
],
"resource": "arn:aws:iam::111122223333:role/Cognito_testpoolUnauth_Role",
"isPublic": false,
"resourceType": "AWS::IAM::Role",
"condition": {
"cognito-identity.amazonaws.com:aud": "us-west-2:EXAMPLE0-0000-0000-0000-000000000000"
},
"createdAt": "2021-02-26T21:17:24.710000+00:00",
"analyzedAt": "2024-02-16T18:17:47.888000+00:00",
"updatedAt": "2021-02-26T21:17:24.710000+00:00",
"status": "ACTIVE",
"resourceOwnerAccount": "111122223333"
},
{
"id": "ce0e221a-85b9-4d52-91ff-d7678075442f",
"principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"action": [
"sts:AssumeRoleWithWebIdentity"
],
"resource": "arn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role",
"isPublic": false,
"resourceType": "AWS::IAM::Role",
"condition": {
"cognito-identity.amazonaws.com:aud": "us-west-2:EXAMPLE0-0000-0000-0000-000000000000"
},
"createdAt": "2021-02-26T21:17:50.905000+00:00",
"analyzedAt": "2024-02-16T18:17:47.888000+00:00",
"updatedAt": "2021-02-26T21:17:50.905000+00:00",
"status": "ACTIVE",
"resourceOwnerAccount": "111122223333"
}
]
}
```
有关更多信息,请参阅 *AWS IAM 用户指南*中的[使用 I AWS dentity and Access Management 访问分析器](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[ListFindings](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/list-findings.html)*中的。
### `list-policy-generations`
以下代码示例演示了如何使用 `list-policy-generations`。
**AWS CLI**
**列出最近七天请求的所有策略生成**
以下`list-policy-generations`示例列出了过去七天内您 AWS 账户中请求的所有保单生成。
```
aws accessanalyzer list-policy-generations
```
输出:
```
{
"policyGenerations": [
{
"completedOn": "2024-02-14T23:43:38+00:00",
"jobId": "923a56b0-ebb8-4e80-8a3c-a11ccfbcd6f2",
"principalArn": "arn:aws:iam::111122223333:role/Admin",
"startedOn": "2024-02-14T23:43:02+00:00",
"status": "CANCELED"
},
{
"completedOn": "2024-02-14T22:47:01+00:00",
"jobId": "c557dc4a-0338-4489-95dd-739014860ff9",
"principalArn": "arn:aws:iam::111122223333:role/Admin",
"startedOn": "2024-02-14T22:44:41+00:00",
"status": "SUCCEEDED"
}
]
}
```
有关更多信息,请参阅《AWS IAM 用户指南》**中的 [IAM Access Analyzer 策略生成](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[ListPolicyGenerations](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/list-policy-generations.html)*中的。
### `list-tags-for-resource`
以下代码示例演示了如何使用 `list-tags-for-resource`。
**AWS CLI**
**检索应用于指定资源的标签列表**
以下`list-tags-for-resource`示例检索应用于您 AWS 账户中指定资源的标签列表。
```
aws accessanalyzer list-tags-for-resource \
--resource-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account
```
输出:
```
{
"tags": {
"Zone-of-trust": "Account",
"Name": "ConsoleAnalyzer"
}
}
```
有关更多信息,请参阅《AWS IAM 用户指南》**中的 [IAM Access Analyzer 策略生成](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[ListTagsForResource](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/list-tags-for-resource.html)*中的。
### `start-policy-generation`
以下代码示例演示了如何使用 `start-policy-generation`。
**AWS CLI**
**启动策略生成请求**
以下`start-policy-generation`示例在您的 AWS 账户中启动策略生成请求。
```
aws accessanalyzer start-policy-generation \
--policy-generation-details '{"principalArn":"arn:aws:iam::111122223333:role/Admin"}' \
--cloud-trail-details file://myfile.json
```
`myfile.json` 的内容:
```
{
"accessRole": "arn:aws:iam::111122223333:role/service-role/AccessAnalyzerMonitorServiceRole",
"startTime": "2024-02-13T00:30:00Z",
"trails": [
{
"allRegions": true,
"cloudTrailArn": "arn:aws:cloudtrail:us-west-2:111122223333:trail/my-trail"
}
]
}
```
输出:
```
{
"jobId": "c557dc4a-0338-4489-95dd-739014860ff9"
}
```
有关更多信息,请参阅《AWS IAM 用户指南》**中的 [IAM Access Analyzer 策略生成](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[StartPolicyGeneration](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/start-policy-generation.html)*中的。
### `start-resource-scan`
以下代码示例演示了如何使用 `start-resource-scan`。
**AWS CLI**
**立即开始扫描应用于指定资源的策略**
以下`start-resource-scan`示例立即开始扫描应用于您 AWS 账户中指定资源的策略。
```
aws accessanalyzer start-resource-scan \
--analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
--resource-arn arn:aws:iam::111122223333:role/Cognito_testpoolAuth_Role
```
此命令不生成任何输出。
有关更多信息,请参阅《AWS IAM 用户指南》**中的 [IAM Access Analyzer 策略生成](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[StartResourceScan](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/start-resource-scan.html)*中的。
### `tag-resource`
以下代码示例演示了如何使用 `tag-resource`。
**AWS CLI**
**为指定资源添加标签**
以下`tag-resource`示例将标签添加到您 AWS 账户中的指定资源。
```
aws accessanalyzer tag-resource \
--resource-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
--tags Environment=dev,Purpose=testing
```
此命令不生成任何输出。
有关更多信息,请参阅 *AWS IAM 用户指南*中的[使用 I AWS dentity and Access Management 访问分析器](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[TagResource](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/tag-resource.html)*中的。
### `untag-resource`
以下代码示例演示了如何使用 `untag-resource`。
**AWS CLI**
**移除指定资源的标签**
以下`untag-resource`示例从您 AWS 账户中的指定资源中移除标签。
```
aws accessanalyzer untag-resource \
--resource-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/ConsoleAnalyzer-account \
--tag-keys Environment Purpose
```
此命令不生成任何输出。
有关更多信息,请参阅 *AWS IAM 用户指南*中的[使用 I AWS dentity and Access Management 访问分析器](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[UntagResource](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/untag-resource.html)*中的。
### `update-archive-rule`
以下代码示例演示了如何使用 `update-archive-rule`。
**AWS CLI**
**更新指定存档规则的条件和值**
以下`update-archive-rule`示例更新了您 AWS 账户中指定存档规则的条件和值。
```
aws accessanalyzer update-archive-rule \
--analyzer-name UnusedAccess-ConsoleAnalyzer-organization \
--rule-name MyArchiveRule \
--filter '{"resource": {"contains": ["Cognito"]}, "resourceType": {"eq": ["AWS::IAM::Role"]}}'
```
此命令不生成任何输出。
有关更多信息,请参阅《AWS IAM 用户指南》**中的[存档规则](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-archive-rules.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[UpdateArchiveRule](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/update-archive-rule.html)*中的。
### `update-findings`
以下代码示例演示了如何使用 `update-findings`。
**AWS CLI**
**更新指定调查发现的状态**
以下`update-findings`示例更新了您 AWS 账户中指定发现的状态。
```
aws accessanalyzer update-findings \
--analyzer-arn arn:aws:access-analyzer:us-west-2:111122223333:analyzer/UnusedAccess-ConsoleAnalyzer-organization \
--ids 4f319ac3-2e0c-4dc4-bf51-7013a086b6ae 780d586a-2cce-4f72-aff6-359d450e7500 \
--status ARCHIVED
```
此命令不生成任何输出。
有关更多信息,请参阅 *AWS IAM 用户指南*中的[使用 I AWS dentity and Access Management 访问分析器](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[UpdateFindings](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/update-findings.html)*中的。
### `validate-policy`
以下代码示例演示了如何使用 `validate-policy`。
**AWS CLI**
**请求验证策略并返回调查发现列表**
以下 `validate-policy` 示例请求验证策略并返回调查发现列表。此示例中的策略是用于网络身份联合验证的 Amazon Cognito 角色的角色信任策略。信任策略生成的结果与空 `Sid` 元素值和不匹配的策略主体有关,原因是使用了不正确的假设角色操作 `sts:AssumeRole`。与 Cognito 一起使用的正确假设角色操作是 `sts:AssumeRoleWithWebIdentity`。
```
aws accessanalyzer validate-policy \
--policy-document file://myfile.json \
--policy-type RESOURCE_POLICY
```
`myfile.json` 的内容:
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-west-2_EXAMPLE"
}
}
}
]
}
```
输出:
```
{
"findings": [
{
"findingDetails": "Add a value to the empty string in the Sid element.",
"findingType": "SUGGESTION",
"issueCode": "EMPTY_SID_VALUE",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-empty-sid-value",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Sid"
}
],
"span": {
"end": {
"column": 21,
"line": 5,
"offset": 81
},
"start": {
"column": 19,
"line": 5,
"offset": 79
}
}
}
]
},
{
"findingDetails": "The sts:AssumeRole action is invalid with the following principal(s): cognito-identity.amazonaws.com. Use a SAML provider principal with the sts:AssumeRoleWithSAML action or use an OIDC provider principal with the sts:AssumeRoleWithWebIdentity action. Ensure the provider is Federated if you use either of the two options.",
"findingType": "ERROR",
"issueCode": "MISMATCHED_ACTION_FOR_PRINCIPAL",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-mismatched-action-for-principal",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 0
}
],
"span": {
"end": {
"column": 32,
"line": 11,
"offset": 274
},
"start": {
"column": 16,
"line": 11,
"offset": 258
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Principal"
},
{
"value": "Federated"
}
],
"span": {
"end": {
"column": 61,
"line": 8,
"offset": 202
},
"start": {
"column": 29,
"line": 8,
"offset": 170
}
}
}
]
},
{
"findingDetails": "The following actions: sts:TagSession are not supported by the condition key cognito-identity.amazonaws.com:aud. The condition will not be evaluated for these actions. We recommend that you move these actions to a different statement without this condition key.",
"findingType": "ERROR",
"issueCode": "UNSUPPORTED_ACTION_FOR_CONDITION_KEY",
"learnMoreLink": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-error-unsupported-action-for-condition-key",
"locations": [
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Action"
},
{
"index": 1
}
],
"span": {
"end": {
"column": 32,
"line": 12,
"offset": 308
},
"start": {
"column": 16,
"line": 12,
"offset": 292
}
}
},
{
"path": [
{
"value": "Statement"
},
{
"index": 0
},
{
"value": "Condition"
},
{
"value": "StringEquals"
},
{
"value": "cognito-identity.amazonaws.com:aud"
}
],
"span": {
"end": {
"column": 79,
"line": 16,
"offset": 464
},
"start": {
"column": 58,
"line": 16,
"offset": 443
}
}
}
]
}
]
}
```
有关更多信息,请参阅《AWS IAM 用户指南》**中的[检查验证策略](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-checks-validating-policies.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[ValidatePolicy](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/accessanalyzer/validate-policy.html)*中的。