AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-06-19 · Documentation low

File: IAM/latest/UserGuide/access-analyzer-reference-filter-keys.md

Summary

Added 'Supported analyzer types' column to filter keys table, clarified resource type limitations for internal/unused analyzers, added serviceControlPolicyRestriction filter key, and updated findingType values

Security assessment

The changes enhance documentation about security controls (SCP restrictions, analyzer type limitations) but do not address a specific vulnerability. The additions help users better understand security-related filtering capabilities for IAM Access Analyzer without indicating a resolved security flaw.

Diff

diff --git a/IAM/latest/UserGuide/access-analyzer-reference-filter-keys.md b/IAM/latest/UserGuide/access-analyzer-reference-filter-keys.md
index cc8717069..26baa8c66 100644
--- a//IAM/latest/UserGuide/access-analyzer-reference-filter-keys.md
+++ b//IAM/latest/UserGuide/access-analyzer-reference-filter-keys.md
@@ -9,27 +9,32 @@ You can use the filter keys below to define an archive rule ([`CreateArchiveRule
-**Criterion** | **AWS Management Console field** | **Description** | **Type** | **Archive rule** | **List findings** | **List access preview findings**  
----|---|---|---|---|---|---  
-**resource** | **Resource** | The ARN uniquely identifying the resource that the external principal has access to. To learn more, see [Amazon resource names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html). | String |  Yes |  Yes |  Yes  
-**resourceType** `AWS::S3::Bucket` | `AWS::IAM::Role` | `AWS::SQS::Queue` | `AWS::Lambda::Function` | `AWS::Lambda::LayerVersion` |`AWS::KMS::Key` | `AWS::SecretsManager::Secret` | `AWS::EFS::FileSystem` | `AWS::EC2::Snapshot` | `AWS::ECR::Repository` | `AWS::RDS::DBSnapshot` | `AWS::RDS::DBClusterSnapshot` | `AWS::SNS::Topic` | `AWS::S3Express::DirectoryBucket` | `AWS::DynamoDB::Table` | `AWS::DynamoDB::Stream` | `AWS::IAM::User` | **Resource Type** | The type of resource that the external principal has access to. | String |  Yes |  Yes |  Yes  
-**resourceOwnerAccount** | **Resource Owner Account** | The 12 digit AWS account ID that owns the resource. To learn more, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). | String |  Yes |  Yes |  Yes  
-**isPublic** | **Public access** | Indicates whether the finding reports a resource that has a policy that allows public access. | Boolean |  Yes |  Yes |  Yes  
-**findingType** `UnusedIAMRole` | `UnusedIAMUserAccessKey` | `UnusedIAMUserPassword` | `UnusedPermission` | **Findings type** | The type of the finding. You can only filter by finding type for unused access findings. | String |  Yes |  Yes |  Yes  
-**resourceControlPolicyRestriction** `APPLICABLE` | `FAILED_TO_EVALUATE_RCP` | `NOT_APPLICABLE` | **Resource control policy (RCP) restriction** | The type of restriction applied by the resource owner with an Organizations resource control policy (RCP). You can only filter by RCP restriction for external acccess findings. | String |  Yes |  Yes |  Yes  
-**status** `ACTIVE` | `ARCHIVED` | `RESOLVED` | **Status** | The current status of the finding. | String |  No |  Yes |  Yes  
-**error** | **Error** | Indicates the error reported for the finding. | String |  Yes |  Yes |  Yes  
-**principal.AWS** | **AWS Account** | The account granted access to the resource in the `Principal` field of the finding. Enter the 12-digit AWS account ID or the ARN of the external AWS user or role. To learn more, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). | String |  Yes |  Yes |  Yes  
-**principal.Federated** | **Federated User** | The ARN of the federated identity that has access to the resource in the finding. To learn more, see [Identity providers and federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) | String |  Yes |  Yes |  Yes  
-**condition.aws:PrincipalArn** | **Principal ARN** | The ARN of the principal (IAM user, role, or group) indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes  
-**condition.aws:PrincipalOrgID** | **Principal OrgID** | The organization identifier of the principal indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes  
-**condition.aws:PrincipalOrgPaths** | **Principal OrgPaths** | The organization or organizational unit (OU) ID indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes  
-**condition.aws:SourceIp** | **Source IP** | The IP address that allows the principal access to the resource when using the specified IP address. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | IP address |  Yes |  Yes |  Yes  
-**condition.aws:SourceVpc** | **Source VPC** | The VPC ID that allows the principal access to the resource when using the specified VPC. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes  
-**condition.aws:UserId** | **User ID** | The user ID of the IAM user from an external account indicated as the condition for access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes  
-**condition.cognito-identity.amazonaws.com:aud** | **Cognito Audience** | The Amazon Cognito identity pool ID specified as a condition for IAM role access in the finding. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes  
-**condition.graph.facebook.com:app_id** | **Facebook App ID** | The Facebook application ID (or site ID) specified as a condition to allow Login with Facebook federation access to the IAM role in the finding. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes  
-**condition.accounts.google.com:aud** | **Google Audience** | The Google application ID specified as a condition for access to the IAM role. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes  
-**condition.kms:CallerAccount** | **KMS Key ID** | The AWS account ID that owns the calling entity (IAM user, role or account root user) used by services calling AWS KMS. To learn more, see [Condition keys for AWS Key Management Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html#awskeymanagementservice-policy-keys). | String |  Yes |  Yes |  Yes  
-**condition.www.amazon.com:app_id** | **Amazon App ID** | The Amazon application ID (or site ID) specified as a condition to allow Login with Amazon federation access to the role. To learn more, see | String |  Yes |  Yes |  Yes  
-**id** | **Finding ID** | The ID of the finding. | String |  No |  Yes |  Yes  
-**changeType** `CHANGED` | `NEW` | `UNCHANGED` |  | Provides context on how the access preview finding compares to existing access identified in IAM Access Analyzer. | String |  No |  No |  Yes  
-**existingFindingId** |  | The existing ID of the finding in IAM Access Analyzer, provided only for existing findings in the access preview. | String |  No |  No |  Yes  
-**existingFindingStatus** |  | The existing status of the finding, provided only for existing findings in the access preview. | String |  No |  No |  Yes  
+**Criterion** | **AWS Management Console field** | **Description** | **Type** | **Archive rule** | **List findings** | **List access preview findings** | **Supported analyzer types**  
+---|---|---|---|---|---|---|---  
+**resource** | **Resource** | The ARN uniquely identifying the resource that the external principal has access to. To learn more, see [Amazon resource names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html). | String |  Yes |  Yes |  Yes | ExternalInternalUnused  
+**resourceType** `AWS::S3::Bucket` | `AWS::IAM::Role` | `AWS::SQS::Queue` | `AWS::Lambda::Function` | `AWS::Lambda::LayerVersion` |`AWS::KMS::Key` | `AWS::SecretsManager::Secret` | `AWS::EFS::FileSystem` | `AWS::EC2::Snapshot` | `AWS::ECR::Repository` | `AWS::RDS::DBSnapshot` | `AWS::RDS::DBClusterSnapshot` | `AWS::SNS::Topic` | `AWS::S3Express::DirectoryBucket` | `AWS::DynamoDB::Table` | `AWS::DynamoDB::Stream` | `AWS::IAM::User` | **Resource Type** | The type of resource that the external principal has access to.
+
+###### Note
+
+Internal access analyzers don't support all resource types that external access analyzers support. Unused access analyzers only support IAM users and roles. For more information, see [IAM Access Analyzer supported resource types for external and internal access](./access-analyzer-resources.html). | String |  Yes |  Yes |  Yes | ExternalInternalUnused  
+**resourceOwnerAccount** | **Resource Owner Account** | The 12 digit AWS account ID that owns the resource. To learn more, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). | String |  Yes |  Yes |  Yes | ExternalInternalUnused  
+**isPublic** | **Public access** | Indicates whether the finding reports a resource that has a policy that allows public access. | Boolean |  Yes |  Yes |  Yes | External  
+**findingType** `ExternalAccess` | `UnusedIAMRole` | `UnusedIAMUserAccessKey` | `UnusedIAMUserPassword` | `UnusedPermission` | `InternalAccess` | **Findings type** | The type of the finding. For external access analyzers, the type is `ExternalAccess`. For unused access analyzers, the type can be `UnusedIAMRole`, `UnusedIAMUserAccessKey`, `UnusedIAMUserPassword`, or `UnusedPermission`. For internal access analyzers, the type is `InternalAccess`. | String |  Yes |  Yes |  Yes | External InternalUnused  
+**resourceControlPolicyRestriction** `APPLIED` | `APPLICABLE` | `FAILED_TO_EVALUATE_RCP` | `NOT_APPLICABLE` | **Resource control policy (RCP) restriction** | The type of restriction applied by the resource owner with an Organizations resource control policy (RCP). For more information about the values for this filter key, see [ExternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ExternalAccessDetails.html) and [InternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_InternalAccessDetails.html) in the IAM Access Analyzer API Reference. | String |  Yes |  Yes |  Yes | ExternalInternal  
+**serviceControlPolicyRestriction** `APPLIED` | `APPLICABLE` | `FAILED_TO_EVALUATE_SCP` | `NOT_APPLICABLE` | **Service control policy (SCP) restriction** | The type of restriction applied by an Organizations service control policy (SCP). For more information about the values for this filter key, see [InternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_InternalAccessDetails.html) in the IAM Access Analyzer API Reference. | String |  Yes |  Yes |  Yes | Internal  
+**status** `ACTIVE` | `ARCHIVED` | `RESOLVED` | **Status** | The current status of the finding. | String |  No |  Yes |  Yes | ExternalInternalUnused  
+**error** | **Error** | Indicates the error reported for the finding. | String |  Yes |  Yes |  Yes | ExternalInternal  
+**principal.AWS** | **AWS Account** | The account granted access to the resource in the `Principal` field of the finding. Enter the 12-digit AWS account ID or the ARN of the external AWS user or role. To learn more, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). | String |  Yes |  Yes |  Yes | External  
+**principal.Federated** | **Federated User** | The ARN of the federated identity that has access to the resource in the finding. To learn more, see [Identity providers and federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) | String |  Yes |  Yes |  Yes | External  
+**condition.aws:PrincipalArn** | **Principal ARN** | The ARN of the principal (IAM user, role, or group) indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes | External  
+**condition.aws:PrincipalOrgID** | **Principal OrgID** | The organization identifier of the principal indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes | External  
+**condition.aws:PrincipalOrgPaths** | **Principal OrgPaths** | The organization or organizational unit (OU) ID indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes | External  
+**condition.aws:SourceIp** | **Source IP** | The IP address that allows the principal access to the resource when using the specified IP address. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | IP address |  Yes |  Yes |  Yes | External  
+**condition.aws:SourceVpc** | **Source VPC** | The VPC ID that allows the principal access to the resource when using the specified VPC. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes | External  
+**condition.aws:UserId** | **User ID** | The user ID of the IAM user from an external account indicated as the condition for access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes | External  
+**condition.cognito-identity.amazonaws.com:aud** | **Cognito Audience** | The Amazon Cognito identity pool ID specified as a condition for IAM role access in the finding. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes | External  
+**condition.graph.facebook.com:app_id** | **Facebook App ID** | The Facebook application ID (or site ID) specified as a condition to allow Login with Facebook federation access to the IAM role in the finding. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes | External  
+**condition.accounts.google.com:aud** | **Google Audience** | The Google application ID specified as a condition for access to the IAM role. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String |  Yes |  Yes |  Yes | External  
+**condition.kms:CallerAccount** | **KMS Key ID** | The AWS account ID that owns the calling entity (IAM user, role or account root user) used by services calling AWS KMS. To learn more, see [Condition keys for AWS Key Management Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html#awskeymanagementservice-policy-keys). | String |  Yes |  Yes |  Yes | External  
+**condition.www.amazon.com:app_id** | **Amazon App ID** | The Amazon application ID (or site ID) specified as a condition to allow Login with Amazon federation access to the role. To learn more, see | String |  Yes |  Yes |  Yes | External  
+**id** | **Finding ID** | The ID of the finding. | String |  No |  Yes |  Yes | ExternalInternalUnused  
+**changeType** `CHANGED` | `NEW` | `UNCHANGED` |  | Provides context on how the access preview finding compares to existing access identified in IAM Access Analyzer. | String |  No |  No |  Yes | External  
+**existingFindingId** |  | The existing ID of the finding in IAM Access Analyzer, provided only for existing findings in the access preview. | String |  No |  No |  Yes | External  
+**existingFindingStatus** |  | The existing status of the finding, provided only for existing findings in the access preview. | String |  No |  No |  Yes | External