AWS IAM documentation change
Summary
Added 'Supported analyzer types' column to filter keys table, clarified resource type limitations for internal/unused analyzers, added serviceControlPolicyRestriction filter key, and updated findingType values
Security assessment
The changes enhance documentation about security controls (SCP restrictions, analyzer type limitations) but do not address a specific vulnerability. The additions help users better understand security-related filtering capabilities for IAM Access Analyzer without indicating a resolved security flaw.
Diff
diff --git a/IAM/latest/UserGuide/access-analyzer-reference-filter-keys.md b/IAM/latest/UserGuide/access-analyzer-reference-filter-keys.md index cc8717069..26baa8c66 100644 --- a//IAM/latest/UserGuide/access-analyzer-reference-filter-keys.md +++ b//IAM/latest/UserGuide/access-analyzer-reference-filter-keys.md @@ -9,27 +9,32 @@ You can use the filter keys below to define an archive rule ([`CreateArchiveRule -**Criterion** | **AWS Management Console field** | **Description** | **Type** | **Archive rule** | **List findings** | **List access preview findings** ----|---|---|---|---|---|--- -**resource** | **Resource** | The ARN uniquely identifying the resource that the external principal has access to. To learn more, see [Amazon resource names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html). | String | Yes | Yes | Yes -**resourceType** `AWS::S3::Bucket` | `AWS::IAM::Role` | `AWS::SQS::Queue` | `AWS::Lambda::Function` | `AWS::Lambda::LayerVersion` |`AWS::KMS::Key` | `AWS::SecretsManager::Secret` | `AWS::EFS::FileSystem` | `AWS::EC2::Snapshot` | `AWS::ECR::Repository` | `AWS::RDS::DBSnapshot` | `AWS::RDS::DBClusterSnapshot` | `AWS::SNS::Topic` | `AWS::S3Express::DirectoryBucket` | `AWS::DynamoDB::Table` | `AWS::DynamoDB::Stream` | `AWS::IAM::User` | **Resource Type** | The type of resource that the external principal has access to. | String | Yes | Yes | Yes -**resourceOwnerAccount** | **Resource Owner Account** | The 12 digit AWS account ID that owns the resource. To learn more, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). | String | Yes | Yes | Yes -**isPublic** | **Public access** | Indicates whether the finding reports a resource that has a policy that allows public access. | Boolean | Yes | Yes | Yes -**findingType** `UnusedIAMRole` | `UnusedIAMUserAccessKey` | `UnusedIAMUserPassword` | `UnusedPermission` | **Findings type** | The type of the finding. You can only filter by finding type for unused access findings. | String | Yes | Yes | Yes -**resourceControlPolicyRestriction** `APPLICABLE` | `FAILED_TO_EVALUATE_RCP` | `NOT_APPLICABLE` | **Resource control policy (RCP) restriction** | The type of restriction applied by the resource owner with an Organizations resource control policy (RCP). You can only filter by RCP restriction for external acccess findings. | String | Yes | Yes | Yes -**status** `ACTIVE` | `ARCHIVED` | `RESOLVED` | **Status** | The current status of the finding. | String | No | Yes | Yes -**error** | **Error** | Indicates the error reported for the finding. | String | Yes | Yes | Yes -**principal.AWS** | **AWS Account** | The account granted access to the resource in the `Principal` field of the finding. Enter the 12-digit AWS account ID or the ARN of the external AWS user or role. To learn more, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). | String | Yes | Yes | Yes -**principal.Federated** | **Federated User** | The ARN of the federated identity that has access to the resource in the finding. To learn more, see [Identity providers and federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) | String | Yes | Yes | Yes -**condition.aws:PrincipalArn** | **Principal ARN** | The ARN of the principal (IAM user, role, or group) indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes -**condition.aws:PrincipalOrgID** | **Principal OrgID** | The organization identifier of the principal indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes -**condition.aws:PrincipalOrgPaths** | **Principal OrgPaths** | The organization or organizational unit (OU) ID indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes -**condition.aws:SourceIp** | **Source IP** | The IP address that allows the principal access to the resource when using the specified IP address. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | IP address | Yes | Yes | Yes -**condition.aws:SourceVpc** | **Source VPC** | The VPC ID that allows the principal access to the resource when using the specified VPC. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes -**condition.aws:UserId** | **User ID** | The user ID of the IAM user from an external account indicated as the condition for access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes -**condition.cognito-identity.amazonaws.com:aud** | **Cognito Audience** | The Amazon Cognito identity pool ID specified as a condition for IAM role access in the finding. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes -**condition.graph.facebook.com:app_id** | **Facebook App ID** | The Facebook application ID (or site ID) specified as a condition to allow Login with Facebook federation access to the IAM role in the finding. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes -**condition.accounts.google.com:aud** | **Google Audience** | The Google application ID specified as a condition for access to the IAM role. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes -**condition.kms:CallerAccount** | **KMS Key ID** | The AWS account ID that owns the calling entity (IAM user, role or account root user) used by services calling AWS KMS. To learn more, see [Condition keys for AWS Key Management Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html#awskeymanagementservice-policy-keys). | String | Yes | Yes | Yes -**condition.www.amazon.com:app_id** | **Amazon App ID** | The Amazon application ID (or site ID) specified as a condition to allow Login with Amazon federation access to the role. To learn more, see | String | Yes | Yes | Yes -**id** | **Finding ID** | The ID of the finding. | String | No | Yes | Yes -**changeType** `CHANGED` | `NEW` | `UNCHANGED` | | Provides context on how the access preview finding compares to existing access identified in IAM Access Analyzer. | String | No | No | Yes -**existingFindingId** | | The existing ID of the finding in IAM Access Analyzer, provided only for existing findings in the access preview. | String | No | No | Yes -**existingFindingStatus** | | The existing status of the finding, provided only for existing findings in the access preview. | String | No | No | Yes +**Criterion** | **AWS Management Console field** | **Description** | **Type** | **Archive rule** | **List findings** | **List access preview findings** | **Supported analyzer types** +---|---|---|---|---|---|---|--- +**resource** | **Resource** | The ARN uniquely identifying the resource that the external principal has access to. To learn more, see [Amazon resource names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html). | String | Yes | Yes | Yes | ExternalInternalUnused +**resourceType** `AWS::S3::Bucket` | `AWS::IAM::Role` | `AWS::SQS::Queue` | `AWS::Lambda::Function` | `AWS::Lambda::LayerVersion` |`AWS::KMS::Key` | `AWS::SecretsManager::Secret` | `AWS::EFS::FileSystem` | `AWS::EC2::Snapshot` | `AWS::ECR::Repository` | `AWS::RDS::DBSnapshot` | `AWS::RDS::DBClusterSnapshot` | `AWS::SNS::Topic` | `AWS::S3Express::DirectoryBucket` | `AWS::DynamoDB::Table` | `AWS::DynamoDB::Stream` | `AWS::IAM::User` | **Resource Type** | The type of resource that the external principal has access to. + +###### Note + +Internal access analyzers don't support all resource types that external access analyzers support. Unused access analyzers only support IAM users and roles. For more information, see [IAM Access Analyzer supported resource types for external and internal access](./access-analyzer-resources.html). | String | Yes | Yes | Yes | ExternalInternalUnused +**resourceOwnerAccount** | **Resource Owner Account** | The 12 digit AWS account ID that owns the resource. To learn more, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). | String | Yes | Yes | Yes | ExternalInternalUnused +**isPublic** | **Public access** | Indicates whether the finding reports a resource that has a policy that allows public access. | Boolean | Yes | Yes | Yes | External +**findingType** `ExternalAccess` | `UnusedIAMRole` | `UnusedIAMUserAccessKey` | `UnusedIAMUserPassword` | `UnusedPermission` | `InternalAccess` | **Findings type** | The type of the finding. For external access analyzers, the type is `ExternalAccess`. For unused access analyzers, the type can be `UnusedIAMRole`, `UnusedIAMUserAccessKey`, `UnusedIAMUserPassword`, or `UnusedPermission`. For internal access analyzers, the type is `InternalAccess`. | String | Yes | Yes | Yes | External InternalUnused +**resourceControlPolicyRestriction** `APPLIED` | `APPLICABLE` | `FAILED_TO_EVALUATE_RCP` | `NOT_APPLICABLE` | **Resource control policy (RCP) restriction** | The type of restriction applied by the resource owner with an Organizations resource control policy (RCP). For more information about the values for this filter key, see [ExternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ExternalAccessDetails.html) and [InternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_InternalAccessDetails.html) in the IAM Access Analyzer API Reference. | String | Yes | Yes | Yes | ExternalInternal +**serviceControlPolicyRestriction** `APPLIED` | `APPLICABLE` | `FAILED_TO_EVALUATE_SCP` | `NOT_APPLICABLE` | **Service control policy (SCP) restriction** | The type of restriction applied by an Organizations service control policy (SCP). For more information about the values for this filter key, see [InternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_InternalAccessDetails.html) in the IAM Access Analyzer API Reference. | String | Yes | Yes | Yes | Internal +**status** `ACTIVE` | `ARCHIVED` | `RESOLVED` | **Status** | The current status of the finding. | String | No | Yes | Yes | ExternalInternalUnused +**error** | **Error** | Indicates the error reported for the finding. | String | Yes | Yes | Yes | ExternalInternal +**principal.AWS** | **AWS Account** | The account granted access to the resource in the `Principal` field of the finding. Enter the 12-digit AWS account ID or the ARN of the external AWS user or role. To learn more, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). | String | Yes | Yes | Yes | External +**principal.Federated** | **Federated User** | The ARN of the federated identity that has access to the resource in the finding. To learn more, see [Identity providers and federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) | String | Yes | Yes | Yes | External +**condition.aws:PrincipalArn** | **Principal ARN** | The ARN of the principal (IAM user, role, or group) indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External +**condition.aws:PrincipalOrgID** | **Principal OrgID** | The organization identifier of the principal indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External +**condition.aws:PrincipalOrgPaths** | **Principal OrgPaths** | The organization or organizational unit (OU) ID indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External +**condition.aws:SourceIp** | **Source IP** | The IP address that allows the principal access to the resource when using the specified IP address. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | IP address | Yes | Yes | Yes | External +**condition.aws:SourceVpc** | **Source VPC** | The VPC ID that allows the principal access to the resource when using the specified VPC. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External +**condition.aws:UserId** | **User ID** | The user ID of the IAM user from an external account indicated as the condition for access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External +**condition.cognito-identity.amazonaws.com:aud** | **Cognito Audience** | The Amazon Cognito identity pool ID specified as a condition for IAM role access in the finding. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External +**condition.graph.facebook.com:app_id** | **Facebook App ID** | The Facebook application ID (or site ID) specified as a condition to allow Login with Facebook federation access to the IAM role in the finding. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External +**condition.accounts.google.com:aud** | **Google Audience** | The Google application ID specified as a condition for access to the IAM role. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External +**condition.kms:CallerAccount** | **KMS Key ID** | The AWS account ID that owns the calling entity (IAM user, role or account root user) used by services calling AWS KMS. To learn more, see [Condition keys for AWS Key Management Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html#awskeymanagementservice-policy-keys). | String | Yes | Yes | Yes | External +**condition.www.amazon.com:app_id** | **Amazon App ID** | The Amazon application ID (or site ID) specified as a condition to allow Login with Amazon federation access to the role. To learn more, see | String | Yes | Yes | Yes | External +**id** | **Finding ID** | The ID of the finding. | String | No | Yes | Yes | ExternalInternalUnused +**changeType** `CHANGED` | `NEW` | `UNCHANGED` | | Provides context on how the access preview finding compares to existing access identified in IAM Access Analyzer. | String | No | No | Yes | External +**existingFindingId** | | The existing ID of the finding in IAM Access Analyzer, provided only for existing findings in the access preview. | String | No | No | Yes | External +**existingFindingStatus** | | The existing status of the finding, provided only for existing findings in the access preview. | String | No | No | Yes | External