Description

Access Analyzer API skill. Use when working with Access Analyzer for archive-rule, policy, access-preview. Covers 35 endpoints.

README (SKILL.md)

Access Analyzer

Name: Lap Access Analyzer
Author: mickmicksh

API version: 2019-11-01

Auth

AWS SigV4

Base URL

Not specified.

Setup

Configure auth: AWS SigV4
GET /analyzed-resource -- verify access
POST /policy/check-access-not-granted -- create first check-access-not-granted

Endpoints

35 endpoints across 10 groups. See references/api-spec.lap for full details.

archive-rule

Method	Path	Description
PUT	/archive-rule	Retroactively applies the archive rule to existing findings that meet the archive rule criteria.

policy

Method	Path	Description
PUT	/policy/generation/{jobId}	Cancels the requested policy generation.
POST	/policy/check-access-not-granted	Checks whether the specified access isn't allowed by a policy.
POST	/policy/check-no-new-access	Checks whether new access is allowed for an updated policy when compared to the existing policy. You can find examples for reference policies and learn how to set up and run a custom policy check for new access in the IAM Access Analyzer custom policy checks samples repository on GitHub. The reference policies in this repository are meant to be passed to the existingPolicyDocument request parameter.
POST	/policy/check-no-public-access	Checks whether a resource policy can grant public access to the specified resource type.
GET	/policy/generation/{jobId}	Retrieves the policy that was generated using StartPolicyGeneration.
GET	/policy/generation	Lists all of the policy generations requested in the last seven days.
PUT	/policy/generation	Starts the policy generation request.
POST	/policy/validation	Requests the validation of a policy and returns a list of findings. The findings help you identify issues and provide actionable recommendations to resolve the issue and enable you to author functional policies that meet security best practices.

access-preview

Method	Path	Description
PUT	/access-preview	Creates an access preview that allows you to preview IAM Access Analyzer findings for your resource before deploying resource permissions.
GET	/access-preview/{accessPreviewId}	Retrieves information about an access preview for the specified analyzer.
POST	/access-preview/{accessPreviewId}	Retrieves a list of access preview findings generated by the specified access preview.
GET	/access-preview	Retrieves a list of access previews for the specified analyzer.

analyzer

Method	Path	Description
PUT	/analyzer	Creates an analyzer for your account.
PUT	/analyzer/{analyzerName}/archive-rule	Creates an archive rule for the specified analyzer. Archive rules automatically archive new findings that meet the criteria you define when you create the rule. To learn about filter keys that you can use to create an archive rule, see IAM Access Analyzer filter keys in the IAM User Guide.
DELETE	/analyzer/{analyzerName}	Deletes the specified analyzer. When you delete an analyzer, IAM Access Analyzer is disabled for the account or organization in the current or specific Region. All findings that were generated by the analyzer are deleted. You cannot undo this action.
DELETE	/analyzer/{analyzerName}/archive-rule/{ruleName}	Deletes the specified archive rule.
GET	/analyzer/{analyzerName}	Retrieves information about the specified analyzer.
GET	/analyzer/{analyzerName}/archive-rule/{ruleName}	Retrieves information about an archive rule. To learn about filter keys that you can use to create an archive rule, see IAM Access Analyzer filter keys in the IAM User Guide.
GET	/analyzer	Retrieves a list of analyzers.
GET	/analyzer/{analyzerName}/archive-rule	Retrieves a list of archive rules created for the specified analyzer.
PUT	/analyzer/{analyzerName}/archive-rule/{ruleName}	Updates the criteria and values for the specified archive rule.

recommendation

Method	Path	Description
POST	/recommendation/{id}	Creates a recommendation for an unused permissions finding.
GET	/recommendation/{id}	Retrieves information about a finding recommendation for the specified analyzer.

analyzed-resource

Method	Path	Description
GET	/analyzed-resource	Retrieves information about a resource that was analyzed.
POST	/analyzed-resource	Retrieves a list of resources of the specified type that have been analyzed by the specified external access analyzer. This action is not supported for unused access analyzers.

finding

Method	Path	Description
GET	/finding/{id}	Retrieves information about the specified finding. GetFinding and GetFindingV2 both use access-analyzer:GetFinding in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:GetFinding action.
POST	/finding	Retrieves a list of findings generated by the specified analyzer. ListFindings and ListFindingsV2 both use access-analyzer:ListFindings in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:ListFindings action. To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys in the IAM User Guide.
PUT	/finding	Updates the status for the specified findings.

findingv2

Method	Path	Description
GET	/findingv2/{id}	Retrieves information about the specified finding. GetFinding and GetFindingV2 both use access-analyzer:GetFinding in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:GetFinding action.
POST	/findingv2	Retrieves a list of findings generated by the specified analyzer. ListFindings and ListFindingsV2 both use access-analyzer:ListFindings in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:ListFindings action. To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys in the IAM User Guide.

Method	Path	Description
GET	/tags/{resourceArn}	Retrieves a list of tags applied to the specified resource.
POST	/tags/{resourceArn}	Adds a tag to the specified resource.
DELETE	/tags/{resourceArn}	Removes a tag from the specified resource.

resource

Method	Path	Description
POST	/resource/scan	Immediately starts a scan of the policies applied to the specified resource.

Common Questions

Match user requests to endpoints in references/api-spec.lap. Key patterns:

"Update a generation?" -> PUT /policy/generation/{jobId}
"Create a check-access-not-granted?" -> POST /policy/check-access-not-granted
"Create a check-no-new-access?" -> POST /policy/check-no-new-access
"Create a check-no-public-access?" -> POST /policy/check-no-public-access
"Delete a analyzer?" -> DELETE /analyzer/{analyzerName}
"Delete a archive-rule?" -> DELETE /analyzer/{analyzerName}/archive-rule/{ruleName}
"Get access-preview details?" -> GET /access-preview/{accessPreviewId}
"List all analyzed-resource?" -> GET /analyzed-resource
"Get analyzer details?" -> GET /analyzer/{analyzerName}
"Get archive-rule details?" -> GET /analyzer/{analyzerName}/archive-rule/{ruleName}
"Get finding details?" -> GET /finding/{id}
"Get recommendation details?" -> GET /recommendation/{id}
"Get findingv2 details?" -> GET /findingv2/{id}
"Get generation details?" -> GET /policy/generation/{jobId}
"List all access-preview?" -> GET /access-preview
"Create a analyzed-resource?" -> POST /analyzed-resource
"List all analyzer?" -> GET /analyzer
"List all archive-rule?" -> GET /analyzer/{analyzerName}/archive-rule
"Create a finding?" -> POST /finding
"Create a findingv2?" -> POST /findingv2
"List all generation?" -> GET /policy/generation
"Get tag details?" -> GET /tags/{resourceArn}
"Create a scan?" -> POST /resource/scan
"Delete a tag?" -> DELETE /tags/{resourceArn}
"Update a archive-rule?" -> PUT /analyzer/{analyzerName}/archive-rule/{ruleName}
"Create a validation?" -> POST /policy/validation
"How to authenticate?" -> See Auth section

Response Tips

Check response schemas in references/api-spec.lap for field details
Create/update endpoints typically return the created/updated object

CLI

# Update this spec to the latest version
npx @lap-platform/lapsh get access-analyzer -o references/api-spec.lap

# Search for related APIs
npx @lap-platform/lapsh search access-analyzer

References

Full spec: See references/api-spec.lap for complete endpoint details, parameter tables, and response schemas

Generated from the official API spec by LAP

Usage Guidance

Key issues to resolve before installing: (1) Ask the publisher to explain the auth model — if the skill uses AWS SigV4 it should declare AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_REGION (or document use of the AWS SDK default chain); ACCESS_ANALYZER_API_KEY alone is suspicious. (2) Request the base URL and full API spec (references/api-spec.lap is missing) so you can review exact endpoints. (3) Confirm the skill will not implicitly read system AWS credentials (env, config file, or instance metadata) without declaring that behavior. (4) If you proceed, run the skill in a least-privileged test environment (with limited AWS credentials) and monitor network calls and credential usage. If the publisher cannot clarify the credential mismatch and the missing API spec, treat the skill as untrusted.

Capability Analysis

Type: OpenClaw Skill Name: lap-access-analyzer Version: 1.0.1 The skill bundle is a standard API wrapper for AWS IAM Access Analyzer, providing endpoints for policy checks, finding management, and analyzer configuration. It functions as described, requiring an API key for AWS SigV4 authentication, and contains no evidence of malicious instructions, data exfiltration, or suspicious execution patterns in SKILL.md or _meta.json.

Capability Assessment

⚠ Purpose & Capability

The name and description (Access Analyzer API) match the listed endpoints, but the declared required env var ACCESS_ANALYZER_API_KEY is not consistent with AWS Access Analyzer usage (which normally uses AWS SigV4 credentials or standard AWS_* env vars). Also the SKILL.md does not specify the base URL for the API nor supply an API spec file, reducing transparency.

⚠ Instruction Scope

SKILL.md instructs the agent to 'Configure auth: AWS SigV4' and to call many Access Analyzer endpoints, but it is vague about which credentials, region, or endpoint to use. Because the instructions expect SigV4 but the skill declares a single ACCESS_ANALYZER_API_KEY, the agent may attempt to use available system AWS credentials (environment, config, or instance metadata) without that use being declared.

✓ Install Mechanism

This is an instruction-only skill with no install spec and no code files, so it does not write disk artifacts or download remote code — lowest install risk.

⚠ Credentials

Only ACCESS_ANALYZER_API_KEY is listed as required, which is unusual for an AWS SigV4-based API. Expected required variables would include AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, optional AWS_SESSION_TOKEN, and region, or explicit guidance to use a provided API key. The declared env var appears insufficient or mismatched for the stated auth method.

✓ Persistence & Privilege

always:false and user-invocable:true (defaults) are reasonable. The skill does not request persistent modifications to agent or other skills and has no install-time hooks.

Version History

v1.0.1

- No functional or user-facing changes in this release. - SKILL.md file reverted with no detected content differences. - Version number not updated; remains at 1.0.0.

v1.0.0

Initial release of lap-access-analyzer. - Provides API access to AWS Access Analyzer endpoints (35 endpoints across 10 groups). - Supports operations for archive rules, policy analysis, access previews, findings, recommendations, tags, resources, and analyzers. - Requires configuration of AWS SigV4 authentication and ACCESS_ANALYZER_API_KEY. - Includes example setup steps and endpoint mapping for common user queries.

Metadata

Slug lap-access-analyzer

Version 1.0.1

License MIT-0

All-time Installs 1

Active Installs 1

Total Versions 2

Frequently Asked Questions

What is Lap Access Analyzer?

Access Analyzer API skill. Use when working with Access Analyzer for archive-rule, policy, access-preview. Covers 35 endpoints. It is an AI Agent Skill for Claude Code / OpenClaw, with 297 downloads so far.

How do I install Lap Access Analyzer?

Run "/install lap-access-analyzer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Lap Access Analyzer free?

Yes, Lap Access Analyzer is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Lap Access Analyzer support?

Lap Access Analyzer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Lap Access Analyzer?

It is built and maintained by mickmicksh (@mickmicksh); the current version is v1.0.1.

More Skills

Lap Access Analyzer