Skip to main content

stave permissions resource

Show who has effective access to a resource

Usage

stave permissions resource [flags]

Description

Show all principals with resolved effective access to a specific resource ARN, with access path attribution (identity-based, resource policy, or both).

By default shows only non-designated principals. Use --all to include designated principals.

Exit Codes: 0 No non-designated access to the resource 1 Non-designated principals have access (PHI violation) 3 Incomplete resolution 4 Internal error

Examples: stave nep resource --snapshot obs.json
--resource arn:aws:s3:::phi-patient-records

stave nep resource --snapshot obs.json
--resource arn:aws:s3:::phi-records --all

stave nep resource --snapshot obs.json
--resource arn:aws:s3:::phi-records --format dot | dot -Tpng > access.png

Flags

FlagTypeDescription
--actionsstringcomma-separated action filter
--allboolshow all principals including designated
--classificationstringdata classification tag value to filter resources (default: phi)
-f, --formatstringoutput format: table | json | dot (default: table)
--resourcestringresource ARN to query (required)
--show-designatedboolshow designated principals (alias for --all)
--snapshotstringpath to snapshot file (required)

Examples

stave nep resource --snapshot obs.json --resource arn:aws:s3:::phi-records
stave nep resource --snapshot obs.json --resource arn:aws:s3:::phi-records --all --format dot