aws-accessanalyzer

Analyze AWS resource access policies for security

TLDR

Create a new Access Analyzer
$ aws accessanalyzer create-analyzer --analyzer-name [analyzer_name] --type [type] --tags [tags]

Delete an existing Access Analyzer
$ aws accessanalyzer delete-analyzer --analyzer-arn [analyzer_arn]

Get details of a specific Access Analyzer
$ aws accessanalyzer get-analyzer --analyzer-arn [analyzer_arn]

List all Access Analyzers
$ aws accessanalyzer list-analyzers

Update settings of an Access Analyzer
$ aws accessanalyzer update-analyzer --analyzer-arn [analyzer_arn] --tags [new_tags]

Create a new Access Analyzer archive rule
$ aws accessanalyzer create-archive-rule --analyzer-arn [analyzer_arn] --rule-name [rule_name] --filter [filter]

Delete an Access Analyzer archive rule
$ aws accessanalyzer delete-archive-rule --analyzer-arn [analyzer_arn] --rule-name [rule_name]

List all Access Analyzer archive rules
$ aws accessanalyzer list-archive-rules --analyzer-arn [analyzer_arn]

SYNOPSIS

aws accessanalyzer [--debug] [--endpoint-url <URL>] [--no-verify-ssl] [--no-paginate] [--output <text|table|json>] [--query <JMESPath>] [--profile <PROFILE>] [--region <REGION>] [--version] [--color <on|off|auto>] SUBCOMMAND [ARGS]

PARAMETERS

--cli-binary-format raw|base64|base64url
    Binary format for blobs in output.

--cli-input-json <string>
    Perform operation from JSON file or inline.

--generate-cli-skeleton <0|1|2>
    Prints JSON skeleton for input parameters.

--debug
    Enable debug logging.

--endpoint-url <URL>
    Override default service endpoint.

--no-verify-ssl
    Disable SSL certificate verification.

--no-paginate
    Disable automatic pagination.

--output text|table|json|json-summary
    Output format.

--query <JMESPath>
    JMESPath query to filter output.

--profile <PROFILE>
    Use specific profile from credentials file.

--region <REGION>
    AWS region (e.g., us-east-1).

--version
    Display version information.

--color on|off|auto
    Control colored output.

--no-sign-request
    Do not sign requests.

--ca-bundle <PATH>
    CA bundle for SSL verification.

--cli-read-timeout <INT>
    Max CLI read timeout in seconds.

--cli-connect-timeout <INT>
    Max CLI connect timeout in seconds.

DESCRIPTION

aws accessanalyzer is part of the AWS Command Line Interface (CLI) v2, providing programmatic access to the AWS IAM Access Analyzer service.

IAM Access Analyzer identifies resources accessible from outside your AWS account, analyzes access policies, and generates secure policy recommendations. It helps prevent unintended data leaks by reviewing permissions across services like S3, IAM, Lambda, and more.

Key capabilities include creating analyzers scoped to accounts or organizations, listing potential security findings (e.g., public access risks), generating least-privilege policies from access logs, scanning resources for compliance, and managing tags. Findings are categorized by type (e.g., Public, CrossAccount) with remediation details.
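An added example, not from this page or the AWS CLI itself, of triaging the findings described above: it parses constructed sample output in the shape of `aws accessanalyzer list-findings --analyzer-arn <arn> --output json`, keeps only ACTIVE findings, and labels each one Public or CrossAccount from the `isPublic` field so the riskiest resources surface first. Account ids and ARNs in the sample are placeholders.

```python
"""Triage IAM Access Analyzer findings from `aws accessanalyzer list-findings --output json`."""
import json
from collections import Counter

# Constructed sample shaped like the CLI's list-findings JSON output
# (not real findings; account ids and ARNs are placeholders).
SAMPLE_LIST_FINDINGS = """
{"findings": [
  {"id": "f-1", "resource": "arn:aws:s3:::example-public-bucket",
   "resourceType": "AWS::S3::Bucket", "resourceOwnerAccount": "111111111111",
   "principal": {"AWS": "*"}, "isPublic": true,
   "action": ["s3:GetObject"], "status": "ACTIVE"},
  {"id": "f-2", "resource": "arn:aws:iam::111111111111:role/vendor-access",
   "resourceType": "AWS::IAM::Role", "resourceOwnerAccount": "111111111111",
   "principal": {"AWS": "222222222222"}, "isPublic": false,
   "action": ["sts:AssumeRole"], "status": "ACTIVE"},
  {"id": "f-3", "resource": "arn:aws:kms:us-east-1:111111111111:key/placeholder",
   "resourceType": "AWS::KMS::Key", "resourceOwnerAccount": "111111111111",
   "principal": {"AWS": "222222222222"}, "isPublic": false,
   "action": ["kms:Decrypt"], "status": "ARCHIVED"}
]}
"""

def classify(finding):
    """Public if anyone can reach the resource; otherwise it is cross-account access."""
    return "Public" if finding.get("isPublic") else "CrossAccount"

def triage(list_findings_json, active_only=True):
    """Return (category counts, rows) for findings, most exposed resources first."""
    data = json.loads(list_findings_json)
    rows = []
    for f in data.get("findings", []):
        if active_only and f.get("status") != "ACTIVE":
            continue  # ARCHIVED / RESOLVED findings were already reviewed
        rows.append({
            "id": f["id"],
            "category": classify(f),
            "resource": f["resource"],
            "principal": ",".join(f"{k}={v}" for k, v in f.get("principal", {}).items()),
            "actions": ",".join(f.get("action", [])),
        })
    # Public findings sort ahead of cross-account ones, then by resource ARN
    rows.sort(key=lambda r: (r["category"] != "Public", r["resource"]))
    return Counter(r["category"] for r in rows), rows

if __name__ == "__main__":
    summary, rows = triage(SAMPLE_LIST_FINDINGS)
    print(dict(summary))
    for r in rows:
        print(f'{r["category"]:<12} {r["resource"]} principal={r["principal"]} actions={r["actions"]}')
```

To run it against a real account, replace SAMPLE_LIST_FINDINGS with the output of the list-findings call (use --no-paginate or follow the NextToken when the finding count is large).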

Usage requires the AWS CLI to be configured with credentials that hold accessanalyzer:* permissions. Output supports JSON for scripting. Integrate with CI/CD for policy validation.

Example: aws accessanalyzer create-analyzer --analyzer-name my-analyzer --type ACCOUNT --resource-types S3::Bucket creates an analyzer for S3 buckets.

This tool enhances security posture by automating access reviews, reducing manual audits.

CAVEATS

Requires AWS CLI v2+ installed and configured with IAM permissions for Access Analyzer actions. Not all regions are supported; check the AWS docs. High-volume findings may require pagination handling. Service quotas apply to analyzers and scans.

COMMON SUBCOMMANDS

create-analyzer, delete-analyzer, get-analyzer, list-analyzers, list-findings, get-finding, update-findings, list-tags-for-resource, tag-resource, untag-resource, start-resource-scan, get-generated-policy.

EXAMPLE OUTPUT

Use --query 'analyzers[].{Name:arn,Type:type}' to filter analyzer lists. Pipe to jq for JSON processing.

HISTORY

Added to AWS CLI with IAM Access Analyzer launch (Nov 2019). Enhanced in CLI v2 (2020+) with policy generation and resource scan features. Ongoing updates align with service expansions like unused access analysis (2022).

SEE ALSO

aws(1), aws iam(1)