IAM Access Analyzer: Create archive rule from the CLI
📑 On this page
Part 771 of AWS from Zero. This is lesson 10 in the IAM Access Analyzer track.
What we are learning
Use create-archive-rule to create or register one IAM Access Analyzer resource through the CLI. This lesson identifies the required input shape, saves the raw response, and keeps inspection separate from execution.
The AWS CLI operation is aws accessanalyzer create-archive-rule. Required operation inputs: --analyzer-name (string), --rule-name (string), --filter (map). The modeled top-level response contains no modeled response body.
Before you run it
aws sts get-caller-identity
REGION="${AWS_REGION:-ap-south-1}"
ANALYZER_NAME="replace-with-analyzer-name"
RULE_NAME="replace-with-rule-name"
aws accessanalyzer create-archive-rule helpUse a sandbox account or an approved learning environment. Read the operation help before supplying identifiers, ARNs, network ranges, policy documents, or customer data.
Cost note: External access analysis is generally available without charge; unused access analysis and policy checks may have pricing.
The command
aws accessanalyzer create-archive-rule \
--generate-cli-skeleton input > part-771-request.json
# Edit every placeholder in part-771-request.json, then run:
aws accessanalyzer create-archive-rule \
--cli-input-json file://part-771-request.json \
--region "$REGION" \
--output json > part-771-response.jsonThe response is saved to part-771-response.json so inspection is separate from execution. Review part-771-request.json, replace every placeholder, and remove unsupported optional fields before the real call.
Inspect the result
# A zero-byte response can be normal for operations without a response body.
wc -c part-771-response.json
aws accessanalyzer helpCompare the returned identifiers and status fields with the account, Region, and resource you intended to target. For asynchronous operations, continue with the service's matching get, list, or describe command until it reaches a terminal state.
One tiny variation
test -s part-771-response.json \
&& node -e "console.log(require('./part-771-response.json'))" \
|| echo "The operation returned no response document."This variation changes output inspection rather than adding another infrastructure concept. Keep the raw JSON while developing a query so a narrow projection does not hide an error or unexpected field.
Common mistake
Do not run a generated request unchanged. Replace every placeholder, add ownership tags where supported, estimate cost, and verify that the selected Region and account are disposable.
Cleanup
# Review the inverse operation before removing the demo resource.
aws accessanalyzer delete-archive-rule help
rm -f part-771-request.json part-771-response.json part-771-payload.bin part-771-debug.logLocal request and response files may contain account IDs, ARNs, names, or service configuration. Remove them when the lab is complete and follow dependency-aware cleanup for any AWS resource you created.
Next, we will learn IAM Access Analyzer: Update analyzer from the CLI.