denialEvents

denialEvents

List raw denial events that match the optional filter, starting from the optional paging token.

Denial events are captured from SIEM integration (e.g., Splunk) and enriched with Turbot metadata including the denying policy and linked prevention. Events are retained for a short period before being rolled up into aggregated statistics.

Supported filters:

• accountId: Filter by AWS account (Turbot resource ID)
• denialType: Filter by denial source (SCP, IAM, RCP, PermissionBoundary, Unknown)
• preventionId: Filter by linked prevention
• action: Filter by AWS action (supports wildcards)
• is:scp, is:iam, etc.: Shorthand denial type filters

For more information, please see SIEM Integration.