

# IAM Access Analyzer filter keys
<a name="access-analyzer-reference-filter-keys"></a>

You can use the filter keys below to define an archive rule ([CreateArchiveRule](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateArchiveRule.html)), update an archive rule ([UpdateArchiveRule](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_UpdateArchiveRule.html)), retrieve a list of findings ([ListFindings](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListFindings.html) and [ListFindingsV2](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListFindingsV2.html)), or retrieve a list of access preview findings for a resource ([ListAccessPreviewFindings](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListAccessPreviewFindings.html)). There is no difference between using the IAM API and CloudFormation for configuring archive rules.


| **Criterion** | **AWS Management Console field** | **Description** | **Type** | **Archive rule** | **List findings** | **List access preview findings** | **Supported analyzer types** | 
| --- | --- | --- | --- | --- | --- | --- | --- | 
| resource | Resource | The ARN uniquely identifying the resource that the external principal has access to. To learn more, see [Amazon resource names (ARNs)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html). | String | Yes | Yes | Yes | External, Internal, Unused |
| resourceType `AWS::S3::Bucket` \| `AWS::IAM::Role` \| `AWS::SQS::Queue` \| `AWS::Lambda::Function` \| `AWS::Lambda::LayerVersion` \| `AWS::KMS::Key` \| `AWS::SecretsManager::Secret` \| `AWS::EFS::FileSystem` \| `AWS::EC2::Snapshot` \| `AWS::ECR::Repository` \| `AWS::RDS::DBSnapshot` \| `AWS::RDS::DBClusterSnapshot` \| `AWS::SNS::Topic` \| `AWS::S3Express::DirectoryBucket` \| `AWS::DynamoDB::Table` \| `AWS::DynamoDB::Stream` \| `AWS::IAM::User` | Resource Type | The type of resource that the external principal has access to. Internal access analyzers don't support all resource types that external access analyzers support. Unused access analyzers only support IAM users and roles. For more information, see [IAM Access Analyzer supported resource types for external and internal access](access-analyzer-resources.md). | String | Yes | Yes | Yes | External, Internal, Unused |
| resourceOwnerAccount | Resource Owner Account | The 12 digit AWS account ID that owns the resource. To learn more, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). | String | Yes | Yes | Yes | External, Internal, Unused |
| isPublic | Public access | Indicates whether the finding reports a resource that has a policy that allows public access. | Boolean | Yes | Yes | Yes | External |
| findingType `ExternalAccess` \| `UnusedIAMRole` \| `UnusedIAMUserAccessKey` \| `UnusedIAMUserPassword` \| `UnusedPermission` \| `InternalAccess` | Findings type | The type of the finding. For external access analyzers, the type is ExternalAccess. For unused access analyzers, the type can be UnusedIAMRole, UnusedIAMUserAccessKey, UnusedIAMUserPassword, or UnusedPermission. For internal access analyzers, the type is InternalAccess. | String | Yes | Yes | Yes | External, Internal, Unused |
| resourceControlPolicyRestriction `APPLIED` \| `APPLICABLE` \| `FAILED_TO_EVALUATE_RCP` \| `NOT_APPLICABLE` | Resource control policy (RCP) restriction | The type of restriction applied by the resource owner with an Organizations resource control policy (RCP). For more information about the values for this filter key, see [ExternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ExternalAccessDetails.html) and [InternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_InternalAccessDetails.html) in the IAM Access Analyzer API Reference. | String | Yes | Yes | Yes | External, Internal |
| serviceControlPolicyRestriction `APPLIED` \| `APPLICABLE` \| `FAILED_TO_EVALUATE_SCP` \| `NOT_APPLICABLE` | Service control policy (SCP) restriction | The type of restriction applied by an Organizations service control policy (SCP). For more information about the values for this filter key, see [InternalAccessDetails](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_InternalAccessDetails.html) in the IAM Access Analyzer API Reference. | String | Yes | Yes | Yes | Internal |
| status `ACTIVE` \| `ARCHIVED` \| `RESOLVED` | Status | The current status of the finding. | String | No | Yes | Yes | External, Internal, Unused |
| error | Error | Indicates the error reported for the finding. | String | Yes | Yes | Yes | External, Internal |
| principal.AWS | AWS Account | The account granted access to the resource in the Principal field of the finding. Enter the 12-digit AWS account ID or the ARN of the external AWS user or role. To learn more, see [AWS account identifiers](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html). | String | Yes | Yes | Yes | External |
| principal.Federated | Federated User | The ARN of the federated identity that has access to the resource in the finding. To learn more, see [Identity providers and federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html). | String | Yes | Yes | Yes | External |
| condition.aws:PrincipalArn | Principal ARN | The ARN of the principal (IAM user, role, or group) indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.aws:PrincipalOrgID | Principal OrgID | The organization identifier of the principal indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.aws:PrincipalOrgPaths | Principal OrgPaths | The organization or organizational unit (OU) ID indicated as the condition for resource access. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.aws:SourceIp | Source IP | The IP address that allows the principal access to the resource when using the specified IP address. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | IP address | Yes | Yes | Yes | External |
| condition.aws:SourceVpc | Source VPC | The VPC ID that allows the principal access to the resource when using the specified VPC. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.aws:UserId | User ID | The user ID of the IAM user from an external account indicated as the condition for access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.aws:VpceAccount | VPCE Account | The account ID of the VPC endpoint that allows the principal access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External, Internal |
| condition.aws:SourceVpcArn | Source VPC Arn | The VPC ARN that allows the principal access to the resource when using the specified VPC. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | ARN | Yes | Yes | Yes | External |
| condition.aws:VpceOrgID | VPCE OrgID | The organizational ID for the VPC endpoint that allows the principal access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External, Internal |
| condition.aws:VpceOrgPaths | VPCE OrgPaths | The organizational unit (OU) for the VPC endpoint that allows the principal access to the resource. To learn more, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String (list) | Yes | Yes | Yes | External, Internal |
| condition.cognito-identity.amazonaws.com:aud | Cognito Audience | The Amazon Cognito identity pool ID specified as a condition for IAM role access in the finding. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.graph.facebook.com:app_id | Facebook App ID | The Facebook application ID (or site ID) specified as a condition to allow Login with Facebook federation access to the IAM role in the finding. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.accounts.google.com:aud | Google Audience | The Google application ID specified as a condition for access to the IAM role. To learn more, see [IAM and AWS STS condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html). | String | Yes | Yes | Yes | External |
| condition.kms:CallerAccount | KMS Key ID | The AWS account ID that owns the calling entity (IAM user, role or account root user) used by services calling AWS KMS. To learn more, see [Condition keys for AWS Key Management Service](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awskeymanagementservice.html#awskeymanagementservice-policy-keys). | String | Yes | Yes | Yes | External |
| condition.www.amazon.com:app_id | Amazon App ID | The Amazon application ID (or site ID) specified as a condition to allow Login with Amazon federation access to the role. To learn more, see | String | Yes | Yes | Yes | External |
| id | Finding ID | The ID of the finding. | String | No | Yes | Yes | External, Internal, Unused |
| changeType `CHANGED` \| `NEW` \| `UNCHANGED` |  | Provides context on how the access preview finding compares to existing access identified in IAM Access Analyzer. | String | No | No | Yes | External |
| existingFindingId |  | The existing ID of the finding in IAM Access Analyzer, provided only for existing findings in the access preview. | String | No | No | Yes | External |
| existingFindingStatus |  | The existing status of the finding, provided only for existing findings in the access preview. | String | No | No | Yes | External |
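
The following is an added example, not part of the AWS documentation or SDK: a pre-flight check that flags filter keys the table marks as unsupported for a given operation or analyzer type, which is useful when reviewing archive rules before they are deployed. The operation labels, the `check_filter` helper and the sample rule are hypothetical names constructed for illustration; the `eq`/`neq`/`contains`/`exists` operators are those of the API's `Criterion` type.

```python
# Added example: support matrix transcribed from the filter-key table above.
E, I, U = "External", "Internal", "Unused"
# Hypothetical labels for the table's three operation columns.
A, L, P = "archive_rule", "list_findings", "list_access_preview_findings"

def _rows(keys, ops, types):
    """Map each whitespace-separated key to (supported ops, analyzer types)."""
    return {k: (set(ops), set(types)) for k in keys.split()}

SUPPORT = {
    **_rows("resource resourceType resourceOwnerAccount findingType",
            (A, L, P), (E, I, U)),
    # "No" in the Archive rule column.
    **_rows("status id", (L, P), (E, I, U)),
    **_rows("resourceControlPolicyRestriction error condition.aws:VpceAccount "
            "condition.aws:VpceOrgID condition.aws:VpceOrgPaths",
            (A, L, P), (E, I)),
    **_rows("serviceControlPolicyRestriction", (A, L, P), (I,)),
    **_rows("isPublic principal.AWS principal.Federated "
            "condition.aws:PrincipalArn condition.aws:PrincipalOrgID "
            "condition.aws:PrincipalOrgPaths condition.aws:SourceIp "
            "condition.aws:SourceVpc condition.aws:SourceVpcArn "
            "condition.aws:UserId condition.cognito-identity.amazonaws.com:aud "
            "condition.graph.facebook.com:app_id condition.accounts.google.com:aud "
            "condition.kms:CallerAccount condition.www.amazon.com:app_id",
            (A, L, P), (E,)),
    # Keys that only apply to access preview findings.
    **_rows("changeType existingFindingId existingFindingStatus", (P,), (E,)),
}

CRITERION_OPS = {"eq", "neq", "contains", "exists"}

def check_filter(filter_map, operation, analyzer_type):
    """Return a list of problems; an empty list means the filter fits the table."""
    problems = []
    for key, criterion in filter_map.items():
        if key not in SUPPORT:
            problems.append(f"{key}: not a filter key in the table")
            continue
        ops, types = SUPPORT[key]
        if operation not in ops:
            problems.append(f"{key}: not supported for {operation}")
        if analyzer_type not in types:
            problems.append(f"{key}: not supported by {analyzer_type} analyzers")
        for op in sorted(set(criterion) - CRITERION_OPS):
            problems.append(f"{key}: unknown criterion operator {op!r}")
    return problems

# Constructed sample: an archive rule that wrongly filters on "status".
SAMPLE_RULE = {
    "resourceType": {"eq": ["AWS::S3::Bucket"]},
    "isPublic": {"eq": ["false"]},
    "status": {"eq": ["ACTIVE"]},
}
```
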