aws-sdk-accessanalyzer 1.13.0 → 1.18.0

@@ -3,7 +3,7 @@
3
3
  # WARNING ABOUT GENERATED CODE
4
4
  #
5
5
  # This file is generated. See the contributing guide for more information:
6
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
6
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
@@ -3,7 +3,7 @@
3
3
  # WARNING ABOUT GENERATED CODE
4
4
  #
5
5
  # This file is generated. See the contributing guide for more information:
6
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
6
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
@@ -3,7 +3,7 @@
3
3
  # WARNING ABOUT GENERATED CODE
4
4
  #
5
5
  # This file is generated. See the contributing guide for more information:
6
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
6
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
@@ -23,6 +23,266 @@ module Aws::AccessAnalyzer
23
23
  include Aws::Structure
24
24
  end
25
25
 
26
+ # Contains information about an access preview.
27
+ #
28
+ # @!attribute [rw] analyzer_arn
29
+ # The ARN of the analyzer used to generate the access preview.
30
+ # @return [String]
31
+ #
32
+ # @!attribute [rw] configurations
33
+ # A map of resource ARNs for the proposed resource configuration.
34
+ # @return [Hash<String,Types::Configuration>]
35
+ #
36
+ # @!attribute [rw] created_at
37
+ # The time at which the access preview was created.
38
+ # @return [Time]
39
+ #
40
+ # @!attribute [rw] id
41
+ # The unique ID for the access preview.
42
+ # @return [String]
43
+ #
44
+ # @!attribute [rw] status
45
+ # The status of the access preview.
46
+ #
47
+ # * `Creating` - The access preview creation is in progress.
48
+ #
49
+ # * `Completed` - The access preview is complete. You can preview
50
+ # findings for external access to the resource.
51
+ #
52
+ # * `Failed` - The access preview creation has failed.
53
+ # @return [String]
54
+ #
55
+ # @!attribute [rw] status_reason
56
+ # Provides more details about the current status of the access
57
+ # preview.
58
+ #
59
+ # For example, if the creation of the access preview fails, a `Failed`
60
+ # status is returned. This failure can be due to an internal issue
61
+ # with the analysis or due to an invalid resource configuration.
62
+ # @return [Types::AccessPreviewStatusReason]
63
+ #
64
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreview AWS API Documentation
65
+ #
66
+ class AccessPreview < Struct.new(
67
+ :analyzer_arn,
68
+ :configurations,
69
+ :created_at,
70
+ :id,
71
+ :status,
72
+ :status_reason)
73
+ SENSITIVE = []
74
+ include Aws::Structure
75
+ end
76
+
77
+ # An access preview finding generated by the access preview.
78
+ #
79
+ # @!attribute [rw] action
80
+ # The action in the analyzed policy statement that an external
81
+ # principal has permission to perform.
82
+ # @return [Array<String>]
83
+ #
84
+ # @!attribute [rw] change_type
85
+ # Provides context on how the access preview finding compares to
86
+ # existing access identified in Access Analyzer.
87
+ #
88
+ # * `New` - The finding is for newly-introduced access.
89
+ #
90
+ # * `Unchanged` - The preview finding is an existing finding that
91
+ # would remain unchanged.
92
+ #
93
+ # * `Changed` - The preview finding is an existing finding with a
94
+ # change in status.
95
+ #
96
+ # For example, a `Changed` finding with preview status `Resolved` and
97
+ # existing status `Active` indicates the existing `Active` finding
98
+ # would become `Resolved` as a result of the proposed permissions
99
+ # change.
100
+ # @return [String]
101
+ #
102
+ # @!attribute [rw] condition
103
+ # The condition in the analyzed policy statement that resulted in a
104
+ # finding.
105
+ # @return [Hash<String,String>]
106
+ #
107
+ # @!attribute [rw] created_at
108
+ # The time at which the access preview finding was created.
109
+ # @return [Time]
110
+ #
111
+ # @!attribute [rw] error
112
+ # An error.
113
+ # @return [String]
114
+ #
115
+ # @!attribute [rw] existing_finding_id
116
+ # The existing ID of the finding in Access Analyzer, provided only for
117
+ # existing findings.
118
+ # @return [String]
119
+ #
120
+ # @!attribute [rw] existing_finding_status
121
+ # The existing status of the finding, provided only for existing
122
+ # findings.
123
+ # @return [String]
124
+ #
125
+ # @!attribute [rw] id
126
+ # The ID of the access preview finding. This ID uniquely identifies
127
+ # the element in the list of access preview findings and is not
128
+ # related to the finding ID in Access Analyzer.
129
+ # @return [String]
130
+ #
131
+ # @!attribute [rw] is_public
132
+ # Indicates whether the policy that generated the finding allows
133
+ # public access to the resource.
134
+ # @return [Boolean]
135
+ #
136
+ # @!attribute [rw] principal
137
+ # The external principal that has access to a resource within the zone
138
+ # of trust.
139
+ # @return [Hash<String,String>]
140
+ #
141
+ # @!attribute [rw] resource
142
+ # The resource that an external principal has access to. This is the
143
+ # resource associated with the access preview.
144
+ # @return [String]
145
+ #
146
+ # @!attribute [rw] resource_owner_account
147
+ # The AWS account ID that owns the resource. For most AWS resources,
148
+ # the owning account is the account in which the resource was created.
149
+ # @return [String]
150
+ #
151
+ # @!attribute [rw] resource_type
152
+ # The type of the resource that can be accessed in the finding.
153
+ # @return [String]
154
+ #
155
+ # @!attribute [rw] sources
156
+ # The sources of the finding. This indicates how the access that
157
+ # generated the finding is granted. It is populated for Amazon S3
158
+ # bucket findings.
159
+ # @return [Array<Types::FindingSource>]
160
+ #
161
+ # @!attribute [rw] status
162
+ # The preview status of the finding. This is what the status of the
163
+ # finding would be after permissions deployment. For example, a
164
+ # `Changed` finding with preview status `Resolved` and existing status
165
+ # `Active` indicates the existing `Active` finding would become
166
+ # `Resolved` as a result of the proposed permissions change.
167
+ # @return [String]
168
+ #
169
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewFinding AWS API Documentation
170
+ #
171
+ class AccessPreviewFinding < Struct.new(
172
+ :action,
173
+ :change_type,
174
+ :condition,
175
+ :created_at,
176
+ :error,
177
+ :existing_finding_id,
178
+ :existing_finding_status,
179
+ :id,
180
+ :is_public,
181
+ :principal,
182
+ :resource,
183
+ :resource_owner_account,
184
+ :resource_type,
185
+ :sources,
186
+ :status)
187
+ SENSITIVE = []
188
+ include Aws::Structure
189
+ end
190
+
191
+ # Provides more details about the current status of the access preview.
192
+ # For example, if the creation of the access preview fails, a `Failed`
193
+ # status is returned. This failure can be due to an internal issue with
194
+ # the analysis or due to an invalid proposed resource configuration.
195
+ #
196
+ # @!attribute [rw] code
197
+ # The reason code for the current status of the access preview.
198
+ # @return [String]
199
+ #
200
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewStatusReason AWS API Documentation
201
+ #
202
+ class AccessPreviewStatusReason < Struct.new(
203
+ :code)
204
+ SENSITIVE = []
205
+ include Aws::Structure
206
+ end
207
+
208
+ # Contains a summary of information about an access preview.
209
+ #
210
+ # @!attribute [rw] analyzer_arn
211
+ # The ARN of the analyzer used to generate the access preview.
212
+ # @return [String]
213
+ #
214
+ # @!attribute [rw] created_at
215
+ # The time at which the access preview was created.
216
+ # @return [Time]
217
+ #
218
+ # @!attribute [rw] id
219
+ # The unique ID for the access preview.
220
+ # @return [String]
221
+ #
222
+ # @!attribute [rw] status
223
+ # The status of the access preview.
224
+ #
225
+ # * `Creating` - The access preview creation is in progress.
226
+ #
227
+ # * `Completed` - The access preview is complete and previews the
228
+ # findings for external access to the resource.
229
+ #
230
+ # * `Failed` - The access preview creation has failed.
231
+ # @return [String]
232
+ #
233
+ # @!attribute [rw] status_reason
234
+ # Provides more details about the current status of the access
235
+ # preview. For example, if the creation of the access preview fails, a
236
+ # `Failed` status is returned. This failure can be due to an internal
237
+ # issue with the analysis or due to an invalid proposed resource
238
+ # configuration.
239
+ # @return [Types::AccessPreviewStatusReason]
240
+ #
241
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewSummary AWS API Documentation
242
+ #
243
+ class AccessPreviewSummary < Struct.new(
244
+ :analyzer_arn,
245
+ :created_at,
246
+ :id,
247
+ :status,
248
+ :status_reason)
249
+ SENSITIVE = []
250
+ include Aws::Structure
251
+ end
252
+
253
+ # You specify each grantee as a type-value pair using one of these
254
+ # types. You can specify only one type of grantee. For more information,
255
+ # see [PutBucketAcl][1].
256
+ #
257
+ #
258
+ #
259
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html
260
+ #
261
+ # @note When making an API call, you may pass AclGrantee
262
+ # data as a hash:
263
+ #
264
+ # {
265
+ # id: "AclCanonicalId",
266
+ # uri: "AclUri",
267
+ # }
268
+ #
269
+ # @!attribute [rw] id
270
+ # The value specified is the canonical user ID of an AWS account.
271
+ # @return [String]
272
+ #
273
+ # @!attribute [rw] uri
274
+ # Used for granting permissions to a predefined group.
275
+ # @return [String]
276
+ #
277
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AclGrantee AWS API Documentation
278
+ #
279
+ class AclGrantee < Struct.new(
280
+ :id,
281
+ :uri)
282
+ SENSITIVE = []
283
+ include Aws::Structure
284
+ end
285
+
26
286
  # Contains details about the analyzed resource.
27
287
  #
28
288
  # @!attribute [rw] actions
@@ -141,16 +401,16 @@ module Aws::AccessAnalyzer
141
401
  # The status of the analyzer. An `Active` analyzer successfully
142
402
  # monitors supported resources and generates new findings. The
143
403
  # analyzer is `Disabled` when a user action, such as removing trusted
144
- # access for IAM Access Analyzer from AWS Organizations, causes the
145
- # analyzer to stop generating new findings. The status is `Creating`
146
- # when the analyzer creation is in progress and `Failed` when the
147
- # analyzer creation has failed.
404
+ # access for AWS IAM Access Analyzer from AWS Organizations, causes
405
+ # the analyzer to stop generating new findings. The status is
406
+ # `Creating` when the analyzer creation is in progress and `Failed`
407
+ # when the analyzer creation has failed.
148
408
  # @return [String]
149
409
  #
150
410
  # @!attribute [rw] status_reason
151
411
  # The `statusReason` provides more details about the current status of
152
412
  # the analyzer. For example, if the creation for the analyzer fails, a
153
- # `Failed` status is displayed. For an analyzer with organization as
413
+ # `Failed` status is returned. For an analyzer with organization as
154
414
  # the type, this failure can be due to an issue with creating the
155
415
  # service-linked roles required in the member accounts of the AWS
156
416
  # organization.
@@ -246,6 +506,111 @@ module Aws::AccessAnalyzer
246
506
  include Aws::Structure
247
507
  end
248
508
 
509
+ # Access control configuration structures for your resource. You specify
510
+ # the configuration as a type-value pair. You can specify only one type
511
+ # of access control configuration.
512
+ #
513
+ # @note When making an API call, you may pass Configuration
514
+ # data as a hash:
515
+ #
516
+ # {
517
+ # iam_role: {
518
+ # trust_policy: "IamTrustPolicy",
519
+ # },
520
+ # kms_key: {
521
+ # grants: [
522
+ # {
523
+ # constraints: {
524
+ # encryption_context_equals: {
525
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
526
+ # },
527
+ # encryption_context_subset: {
528
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
529
+ # },
530
+ # },
531
+ # grantee_principal: "GranteePrincipal", # required
532
+ # issuing_account: "IssuingAccount", # required
533
+ # operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
534
+ # retiring_principal: "RetiringPrincipal",
535
+ # },
536
+ # ],
537
+ # key_policies: {
538
+ # "PolicyName" => "KmsKeyPolicy",
539
+ # },
540
+ # },
541
+ # s3_bucket: {
542
+ # access_points: {
543
+ # "AccessPointArn" => {
544
+ # access_point_policy: "AccessPointPolicy",
545
+ # network_origin: {
546
+ # internet_configuration: {
547
+ # },
548
+ # vpc_configuration: {
549
+ # vpc_id: "VpcId", # required
550
+ # },
551
+ # },
552
+ # public_access_block: {
553
+ # ignore_public_acls: false, # required
554
+ # restrict_public_buckets: false, # required
555
+ # },
556
+ # },
557
+ # },
558
+ # bucket_acl_grants: [
559
+ # {
560
+ # grantee: { # required
561
+ # id: "AclCanonicalId",
562
+ # uri: "AclUri",
563
+ # },
564
+ # permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
565
+ # },
566
+ # ],
567
+ # bucket_policy: "S3BucketPolicy",
568
+ # bucket_public_access_block: {
569
+ # ignore_public_acls: false, # required
570
+ # restrict_public_buckets: false, # required
571
+ # },
572
+ # },
573
+ # secrets_manager_secret: {
574
+ # kms_key_id: "SecretsManagerSecretKmsId",
575
+ # secret_policy: "SecretsManagerSecretPolicy",
576
+ # },
577
+ # sqs_queue: {
578
+ # queue_policy: "SqsQueuePolicy",
579
+ # },
580
+ # }
581
+ #
582
+ # @!attribute [rw] iam_role
583
+ # The access control configuration is for an IAM role.
584
+ # @return [Types::IamRoleConfiguration]
585
+ #
586
+ # @!attribute [rw] kms_key
587
+ # The access control configuration is for a KMS key.
588
+ # @return [Types::KmsKeyConfiguration]
589
+ #
590
+ # @!attribute [rw] s3_bucket
591
+ # The access control configuration is for an Amazon S3 Bucket.
592
+ # @return [Types::S3BucketConfiguration]
593
+ #
594
+ # @!attribute [rw] secrets_manager_secret
595
+ # The access control configuration is for a Secrets Manager secret.
596
+ # @return [Types::SecretsManagerSecretConfiguration]
597
+ #
598
+ # @!attribute [rw] sqs_queue
599
+ # The access control configuration is for an SQS queue.
600
+ # @return [Types::SqsQueueConfiguration]
601
+ #
602
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Configuration AWS API Documentation
603
+ #
604
+ class Configuration < Struct.new(
605
+ :iam_role,
606
+ :kms_key,
607
+ :s3_bucket,
608
+ :secrets_manager_secret,
609
+ :sqs_queue)
610
+ SENSITIVE = []
611
+ include Aws::Structure
612
+ end
613
+
249
614
  # A conflict exception error.
250
615
  #
251
616
  # @!attribute [rw] message
@@ -269,6 +634,128 @@ module Aws::AccessAnalyzer
269
634
  include Aws::Structure
270
635
  end
271
636
 
637
+ # @note When making an API call, you may pass CreateAccessPreviewRequest
638
+ # data as a hash:
639
+ #
640
+ # {
641
+ # analyzer_arn: "AnalyzerArn", # required
642
+ # client_token: "String",
643
+ # configurations: { # required
644
+ # "ConfigurationsMapKey" => {
645
+ # iam_role: {
646
+ # trust_policy: "IamTrustPolicy",
647
+ # },
648
+ # kms_key: {
649
+ # grants: [
650
+ # {
651
+ # constraints: {
652
+ # encryption_context_equals: {
653
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
654
+ # },
655
+ # encryption_context_subset: {
656
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
657
+ # },
658
+ # },
659
+ # grantee_principal: "GranteePrincipal", # required
660
+ # issuing_account: "IssuingAccount", # required
661
+ # operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
662
+ # retiring_principal: "RetiringPrincipal",
663
+ # },
664
+ # ],
665
+ # key_policies: {
666
+ # "PolicyName" => "KmsKeyPolicy",
667
+ # },
668
+ # },
669
+ # s3_bucket: {
670
+ # access_points: {
671
+ # "AccessPointArn" => {
672
+ # access_point_policy: "AccessPointPolicy",
673
+ # network_origin: {
674
+ # internet_configuration: {
675
+ # },
676
+ # vpc_configuration: {
677
+ # vpc_id: "VpcId", # required
678
+ # },
679
+ # },
680
+ # public_access_block: {
681
+ # ignore_public_acls: false, # required
682
+ # restrict_public_buckets: false, # required
683
+ # },
684
+ # },
685
+ # },
686
+ # bucket_acl_grants: [
687
+ # {
688
+ # grantee: { # required
689
+ # id: "AclCanonicalId",
690
+ # uri: "AclUri",
691
+ # },
692
+ # permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
693
+ # },
694
+ # ],
695
+ # bucket_policy: "S3BucketPolicy",
696
+ # bucket_public_access_block: {
697
+ # ignore_public_acls: false, # required
698
+ # restrict_public_buckets: false, # required
699
+ # },
700
+ # },
701
+ # secrets_manager_secret: {
702
+ # kms_key_id: "SecretsManagerSecretKmsId",
703
+ # secret_policy: "SecretsManagerSecretPolicy",
704
+ # },
705
+ # sqs_queue: {
706
+ # queue_policy: "SqsQueuePolicy",
707
+ # },
708
+ # },
709
+ # },
710
+ # }
711
+ #
712
+ # @!attribute [rw] analyzer_arn
713
+ # The [ARN of the account analyzer][1] used to generate the access
714
+ # preview. You can only create an access preview for analyzers with an
715
+ # `Account` type and `Active` status.
716
+ #
717
+ #
718
+ #
719
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
720
+ # @return [String]
721
+ #
722
+ # @!attribute [rw] client_token
723
+ # A client token.
724
+ #
725
+ # **A suitable default value is auto-generated.** You should normally
726
+ # not need to pass this option.
727
+ # @return [String]
728
+ #
729
+ # @!attribute [rw] configurations
730
+ # Access control configuration for your resource that is used to
731
+ # generate the access preview. The access preview includes findings
732
+ # for external access allowed to the resource with the proposed access
733
+ # control configuration. The configuration must contain exactly one
734
+ # element.
735
+ # @return [Hash<String,Types::Configuration>]
736
+ #
737
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewRequest AWS API Documentation
738
+ #
739
+ class CreateAccessPreviewRequest < Struct.new(
740
+ :analyzer_arn,
741
+ :client_token,
742
+ :configurations)
743
+ SENSITIVE = []
744
+ include Aws::Structure
745
+ end
746
+
747
+ # @!attribute [rw] id
748
+ # The unique ID for the access preview.
749
+ # @return [String]
750
+ #
751
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewResponse AWS API Documentation
752
+ #
753
+ class CreateAccessPreviewResponse < Struct.new(
754
+ :id)
755
+ SENSITIVE = []
756
+ include Aws::Structure
757
+ end
758
+
272
759
  # Creates an analyzer.
273
760
  #
274
761
  # @note When making an API call, you may pass CreateAnalyzerRequest
@@ -318,8 +805,10 @@ module Aws::AccessAnalyzer
318
805
  # @return [Hash<String,String>]
319
806
  #
320
807
  # @!attribute [rw] type
321
- # The type of analyzer to create. Only ACCOUNT analyzers are
322
- # supported. You can create only one analyzer per account per Region.
808
+ # The type of analyzer to create. Only ACCOUNT and ORGANIZATION
809
+ # analyzers are supported. You can create only one analyzer per
810
+ # account per Region. You can create up to 5 analyzers per
811
+ # organization per Region.
323
812
  # @return [String]
324
813
  #
325
814
  # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerRequest AWS API Documentation
@@ -554,7 +1043,7 @@ module Aws::AccessAnalyzer
554
1043
  # @return [String]
555
1044
  #
556
1045
  # @!attribute [rw] resource_type
557
- # The type of the resource reported in the finding.
1046
+ # The type of the resource identified in the finding.
558
1047
  # @return [String]
559
1048
  #
560
1049
  # @!attribute [rw] sources
@@ -715,37 +1204,82 @@ module Aws::AccessAnalyzer
715
1204
  include Aws::Structure
716
1205
  end
717
1206
 
718
- # Retrieves an analyzed resource.
719
- #
720
- # @note When making an API call, you may pass GetAnalyzedResourceRequest
1207
+ # @note When making an API call, you may pass GetAccessPreviewRequest
721
1208
  # data as a hash:
722
1209
  #
723
1210
  # {
1211
+ # access_preview_id: "AccessPreviewId", # required
724
1212
  # analyzer_arn: "AnalyzerArn", # required
725
- # resource_arn: "ResourceArn", # required
726
1213
  # }
727
1214
  #
728
- # @!attribute [rw] analyzer_arn
729
- # The ARN of the analyzer to retrieve information from.
1215
+ # @!attribute [rw] access_preview_id
1216
+ # The unique ID for the access preview.
730
1217
  # @return [String]
731
1218
  #
732
- # @!attribute [rw] resource_arn
733
- # The ARN of the resource to retrieve information about.
1219
+ # @!attribute [rw] analyzer_arn
1220
+ # The [ARN of the analyzer][1] used to generate the access preview.
1221
+ #
1222
+ #
1223
+ #
1224
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
734
1225
  # @return [String]
735
1226
  #
736
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAnalyzedResourceRequest AWS API Documentation
1227
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAccessPreviewRequest AWS API Documentation
737
1228
  #
738
- class GetAnalyzedResourceRequest < Struct.new(
739
- :analyzer_arn,
740
- :resource_arn)
1229
+ class GetAccessPreviewRequest < Struct.new(
1230
+ :access_preview_id,
1231
+ :analyzer_arn)
741
1232
  SENSITIVE = []
742
1233
  include Aws::Structure
743
1234
  end
744
1235
 
745
- # The response to the request.
1236
+ # @!attribute [rw] access_preview
1237
+ # An object that contains information about the access preview.
1238
+ # @return [Types::AccessPreview]
746
1239
  #
747
- # @!attribute [rw] resource
748
- # An `AnalyedResource` object that contains information that Access
1240
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAccessPreviewResponse AWS API Documentation
1241
+ #
1242
+ class GetAccessPreviewResponse < Struct.new(
1243
+ :access_preview)
1244
+ SENSITIVE = []
1245
+ include Aws::Structure
1246
+ end
1247
+
1248
+ # Retrieves an analyzed resource.
1249
+ #
1250
+ # @note When making an API call, you may pass GetAnalyzedResourceRequest
1251
+ # data as a hash:
1252
+ #
1253
+ # {
1254
+ # analyzer_arn: "AnalyzerArn", # required
1255
+ # resource_arn: "ResourceArn", # required
1256
+ # }
1257
+ #
1258
+ # @!attribute [rw] analyzer_arn
1259
+ # The [ARN of the analyzer][1] to retrieve information from.
1260
+ #
1261
+ #
1262
+ #
1263
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1264
+ # @return [String]
1265
+ #
1266
+ # @!attribute [rw] resource_arn
1267
+ # The ARN of the resource to retrieve information about.
1268
+ # @return [String]
1269
+ #
1270
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAnalyzedResourceRequest AWS API Documentation
1271
+ #
1272
+ class GetAnalyzedResourceRequest < Struct.new(
1273
+ :analyzer_arn,
1274
+ :resource_arn)
1275
+ SENSITIVE = []
1276
+ include Aws::Structure
1277
+ end
1278
+
1279
+ # The response to the request.
1280
+ #
1281
+ # @!attribute [rw] resource
1282
+ # An `AnalyzedResource` object that contains information that Access
749
1283
  # Analyzer found when it analyzed the resource.
750
1284
  # @return [Types::AnalyzedResource]
751
1285
  #
@@ -845,7 +1379,11 @@ module Aws::AccessAnalyzer
845
1379
  # }
846
1380
  #
847
1381
  # @!attribute [rw] analyzer_arn
848
- # The ARN of the analyzer that generated the finding.
1382
+ # The [ARN of the analyzer][1] that generated the finding.
1383
+ #
1384
+ #
1385
+ #
1386
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
849
1387
  # @return [String]
850
1388
  #
851
1389
  # @!attribute [rw] id
@@ -875,6 +1413,39 @@ module Aws::AccessAnalyzer
875
1413
  include Aws::Structure
876
1414
  end
877
1415
 
1416
+ # The proposed access control configuration for an IAM role. You can
1417
+ # propose a configuration for a new IAM role or an existing IAM role
1418
+ # that you own by specifying the trust policy. If the configuration is
1419
+ # for a new IAM role, you must specify the trust policy. If the
1420
+ # configuration is for an existing IAM role that you own and you do not
1421
+ # propose the trust policy, the access preview uses the existing trust
1422
+ # policy for the role. The proposed trust policy cannot be an empty
1423
+ # string. For more information about role trust policy limits, see [IAM
1424
+ # and STS quotas][1].
1425
+ #
1426
+ #
1427
+ #
1428
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
1429
+ #
1430
+ # @note When making an API call, you may pass IamRoleConfiguration
1431
+ # data as a hash:
1432
+ #
1433
+ # {
1434
+ # trust_policy: "IamTrustPolicy",
1435
+ # }
1436
+ #
1437
+ # @!attribute [rw] trust_policy
1438
+ # The proposed trust policy for the IAM role.
1439
+ # @return [String]
1440
+ #
1441
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/IamRoleConfiguration AWS API Documentation
1442
+ #
1443
+ class IamRoleConfiguration < Struct.new(
1444
+ :trust_policy)
1445
+ SENSITIVE = []
1446
+ include Aws::Structure
1447
+ end
1448
+
878
1449
  # An criterion statement in an archive rule. Each archive rule may have
879
1450
  # multiple criteria.
880
1451
  #
@@ -928,6 +1499,337 @@ module Aws::AccessAnalyzer
928
1499
  include Aws::Structure
929
1500
  end
930
1501
 
1502
+ # This configuration sets the Amazon S3 access point network origin to
1503
+ # `Internet`.
1504
+ #
1505
+ # @api private
1506
+ #
1507
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InternetConfiguration AWS API Documentation
1508
+ #
1509
+ class InternetConfiguration < Aws::EmptyStructure; end
1510
+
1511
+ # A proposed grant configuration for a KMS key. For more information,
1512
+ # see [CreateGrant][1].
1513
+ #
1514
+ #
1515
+ #
1516
+ # [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html
1517
+ #
1518
+ # @note When making an API call, you may pass KmsGrantConfiguration
1519
+ # data as a hash:
1520
+ #
1521
+ # {
1522
+ # constraints: {
1523
+ # encryption_context_equals: {
1524
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1525
+ # },
1526
+ # encryption_context_subset: {
1527
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1528
+ # },
1529
+ # },
1530
+ # grantee_principal: "GranteePrincipal", # required
1531
+ # issuing_account: "IssuingAccount", # required
1532
+ # operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
1533
+ # retiring_principal: "RetiringPrincipal",
1534
+ # }
1535
+ #
1536
+ # @!attribute [rw] constraints
1537
+ # Use this structure to propose allowing [cryptographic operations][1]
1538
+ # in the grant only when the operation request includes the specified
1539
+ # [encryption context][2].
1540
+ #
1541
+ #
1542
+ #
1543
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1544
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1545
+ # @return [Types::KmsGrantConstraints]
1546
+ #
1547
+ # @!attribute [rw] grantee_principal
1548
+ # The principal that is given permission to perform the operations
1549
+ # that the grant permits.
1550
+ # @return [String]
1551
+ #
1552
+ # @!attribute [rw] issuing_account
1553
+ # The AWS account under which the grant was issued. The account is
1554
+ # used to propose KMS grants issued by accounts other than the owner
1555
+ # of the key.
1556
+ # @return [String]
1557
+ #
1558
+ # @!attribute [rw] operations
1559
+ # A list of operations that the grant permits.
1560
+ # @return [Array<String>]
1561
+ #
1562
+ # @!attribute [rw] retiring_principal
1563
+ # The principal that is given permission to retire the grant by using
1564
+ # [RetireGrant][1] operation.
1565
+ #
1566
+ #
1567
+ #
1568
+ # [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html
1569
+ # @return [String]
1570
+ #
1571
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConfiguration AWS API Documentation
1572
+ #
1573
+ class KmsGrantConfiguration < Struct.new(
1574
+ :constraints,
1575
+ :grantee_principal,
1576
+ :issuing_account,
1577
+ :operations,
1578
+ :retiring_principal)
1579
+ SENSITIVE = []
1580
+ include Aws::Structure
1581
+ end
1582
+
1583
+ # Use this structure to propose allowing [cryptographic operations][1]
1584
+ # in the grant only when the operation request includes the specified
1585
+ # [encryption context][2]. You can specify only one type of encryption
1586
+ # context. An empty map is treated as not specified. For more
1587
+ # information, see [GrantConstraints][3].
1588
+ #
1589
+ #
1590
+ #
1591
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1592
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1593
+ # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html
1594
+ #
1595
+ # @note When making an API call, you may pass KmsGrantConstraints
1596
+ # data as a hash:
1597
+ #
1598
+ # {
1599
+ # encryption_context_equals: {
1600
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1601
+ # },
1602
+ # encryption_context_subset: {
1603
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1604
+ # },
1605
+ # }
1606
+ #
1607
+ # @!attribute [rw] encryption_context_equals
1608
+ # A list of key-value pairs that must match the encryption context in
1609
+ # the [cryptographic operation][1] request. The grant allows the
1610
+ # operation only when the encryption context in the request is the
1611
+ # same as the encryption context specified in this constraint.
1612
+ #
1613
+ #
1614
+ #
1615
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1616
+ # @return [Hash<String,String>]
1617
+ #
1618
+ # @!attribute [rw] encryption_context_subset
1619
+ # A list of key-value pairs that must be included in the encryption
1620
+ # context of the [cryptographic operation][1] request. The grant
1621
+ # allows the cryptographic operation only when the encryption context
1622
+ # in the request includes the key-value pairs specified in this
1623
+ # constraint, although it can include additional key-value pairs.
1624
+ #
1625
+ #
1626
+ #
1627
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1628
+ # @return [Hash<String,String>]
1629
+ #
1630
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConstraints AWS API Documentation
1631
+ #
1632
+ class KmsGrantConstraints < Struct.new(
1633
+ :encryption_context_equals,
1634
+ :encryption_context_subset)
1635
+ SENSITIVE = []
1636
+ include Aws::Structure
1637
+ end
1638
+
1639
+ # Proposed access control configuration for a KMS key. You can propose a
1640
+ # configuration for a new KMS key or an existing KMS key that you own by
1641
+ # specifying the key policy and KMS grant configuration. If the
1642
+ # configuration is for an existing key and you do not specify the key
1643
+ # policy, the access preview uses the existing policy for the key. If
1644
+ # the access preview is for a new resource and you do not specify the
1645
+ # key policy, then the access preview uses the default key policy. The
1646
+ # proposed key policy cannot be an empty string. For more information,
1647
+ # see [Default key policy][1]. For more information about key policy
1648
+ # limits, see [Resource quotas][2].
1649
+ #
1650
+ #
1651
+ #
1652
+ #
1653
+ #
1654
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
1655
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
1656
+ #
1657
+ # @note When making an API call, you may pass KmsKeyConfiguration
1658
+ # data as a hash:
1659
+ #
1660
+ # {
1661
+ # grants: [
1662
+ # {
1663
+ # constraints: {
1664
+ # encryption_context_equals: {
1665
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1666
+ # },
1667
+ # encryption_context_subset: {
1668
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1669
+ # },
1670
+ # },
1671
+ # grantee_principal: "GranteePrincipal", # required
1672
+ # issuing_account: "IssuingAccount", # required
1673
+ # operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
1674
+ # retiring_principal: "RetiringPrincipal",
1675
+ # },
1676
+ # ],
1677
+ # key_policies: {
1678
+ # "PolicyName" => "KmsKeyPolicy",
1679
+ # },
1680
+ # }
1681
+ #
1682
+ # @!attribute [rw] grants
1683
+ # A list of proposed grant configurations for the KMS key. If the
1684
+ # proposed grant configuration is for an existing key, the access
1685
+ # preview uses the proposed list of grant configurations in place of
1686
+ # the existing grants. Otherwise, the access preview uses the existing
1687
+ # grants for the key.
1688
+ # @return [Array<Types::KmsGrantConfiguration>]
1689
+ #
1690
+ # @!attribute [rw] key_policies
1691
+ # Resource policy configuration for the KMS key. The only valid value
1692
+ # for the name of the key policy is `default`. For more information,
1693
+ # see [Default key policy][1].
1694
+ #
1695
+ #
1696
+ #
1697
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
1698
+ # @return [Hash<String,String>]
1699
+ #
1700
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsKeyConfiguration AWS API Documentation
1701
+ #
1702
+ class KmsKeyConfiguration < Struct.new(
1703
+ :grants,
1704
+ :key_policies)
1705
+ SENSITIVE = []
1706
+ include Aws::Structure
1707
+ end
1708
+
1709
+ # @note When making an API call, you may pass ListAccessPreviewFindingsRequest
1710
+ # data as a hash:
1711
+ #
1712
+ # {
1713
+ # access_preview_id: "AccessPreviewId", # required
1714
+ # analyzer_arn: "AnalyzerArn", # required
1715
+ # filter: {
1716
+ # "String" => {
1717
+ # contains: ["String"],
1718
+ # eq: ["String"],
1719
+ # exists: false,
1720
+ # neq: ["String"],
1721
+ # },
1722
+ # },
1723
+ # max_results: 1,
1724
+ # next_token: "Token",
1725
+ # }
1726
+ #
1727
+ # @!attribute [rw] access_preview_id
1728
+ # The unique ID for the access preview.
1729
+ # @return [String]
1730
+ #
1731
+ # @!attribute [rw] analyzer_arn
1732
+ # The [ARN of the analyzer][1] used to generate the access.
1733
+ #
1734
+ #
1735
+ #
1736
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1737
+ # @return [String]
1738
+ #
1739
+ # @!attribute [rw] filter
1740
+ # Criteria to filter the returned findings.
1741
+ # @return [Hash<String,Types::Criterion>]
1742
+ #
1743
+ # @!attribute [rw] max_results
1744
+ # The maximum number of results to return in the response.
1745
+ # @return [Integer]
1746
+ #
1747
+ # @!attribute [rw] next_token
1748
+ # A token used for pagination of results returned.
1749
+ # @return [String]
1750
+ #
1751
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsRequest AWS API Documentation
1752
+ #
1753
+ class ListAccessPreviewFindingsRequest < Struct.new(
1754
+ :access_preview_id,
1755
+ :analyzer_arn,
1756
+ :filter,
1757
+ :max_results,
1758
+ :next_token)
1759
+ SENSITIVE = []
1760
+ include Aws::Structure
1761
+ end
1762
+
1763
+ # @!attribute [rw] findings
1764
+ # A list of access preview findings that match the specified filter
1765
+ # criteria.
1766
+ # @return [Array<Types::AccessPreviewFinding>]
1767
+ #
1768
+ # @!attribute [rw] next_token
1769
+ # A token used for pagination of results returned.
1770
+ # @return [String]
1771
+ #
1772
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsResponse AWS API Documentation
1773
+ #
1774
+ class ListAccessPreviewFindingsResponse < Struct.new(
1775
+ :findings,
1776
+ :next_token)
1777
+ SENSITIVE = []
1778
+ include Aws::Structure
1779
+ end
1780
+
1781
+ # @note When making an API call, you may pass ListAccessPreviewsRequest
1782
+ # data as a hash:
1783
+ #
1784
+ # {
1785
+ # analyzer_arn: "AnalyzerArn", # required
1786
+ # max_results: 1,
1787
+ # next_token: "Token",
1788
+ # }
1789
+ #
1790
+ # @!attribute [rw] analyzer_arn
1791
+ # The [ARN of the analyzer][1] used to generate the access preview.
1792
+ #
1793
+ #
1794
+ #
1795
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1796
+ # @return [String]
1797
+ #
1798
+ # @!attribute [rw] max_results
1799
+ # The maximum number of results to return in the response.
1800
+ # @return [Integer]
1801
+ #
1802
+ # @!attribute [rw] next_token
1803
+ # A token used for pagination of results returned.
1804
+ # @return [String]
1805
+ #
1806
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsRequest AWS API Documentation
1807
+ #
1808
+ class ListAccessPreviewsRequest < Struct.new(
1809
+ :analyzer_arn,
1810
+ :max_results,
1811
+ :next_token)
1812
+ SENSITIVE = []
1813
+ include Aws::Structure
1814
+ end
1815
+
1816
+ # @!attribute [rw] access_previews
1817
+ # A list of access previews retrieved for the analyzer.
1818
+ # @return [Array<Types::AccessPreviewSummary>]
1819
+ #
1820
+ # @!attribute [rw] next_token
1821
+ # A token used for pagination of results returned.
1822
+ # @return [String]
1823
+ #
1824
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsResponse AWS API Documentation
1825
+ #
1826
+ class ListAccessPreviewsResponse < Struct.new(
1827
+ :access_previews,
1828
+ :next_token)
1829
+ SENSITIVE = []
1830
+ include Aws::Structure
1831
+ end
1832
+
931
1833
  # Retrieves a list of resources that have been analyzed.
932
1834
  #
933
1835
  # @note When making an API call, you may pass ListAnalyzedResourcesRequest
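Review bot: The KmsGrantConstraints comment says only one type of encryption context can be specified, yet the hash example directly below it fills in both `encryption_context_equals` and `encryption_context_subset`, as do the nested `constraints:` examples under KmsGrantConfiguration and KmsKeyConfiguration. A reader copying the example would propose a grant constraint that the text says is not accepted, so the example should carry a marker such as `# specify either encryption_context_equals or encryption_context_subset, not both`. NetworkOriginConfiguration in the hunk at `@@ -1201,13 +2111,134 @@` has the same mismatch between "only one type of network configuration" and an example listing both `internet_configuration` and `vpc_configuration`. Separately, the `analyzer_arn` text for ListAccessPreviewFindingsRequest ends at "used to generate the access." and looks truncated; ListAccessPreviewsRequest says "access preview" in the same place.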
@@ -937,12 +1839,16 @@ module Aws::AccessAnalyzer
937
1839
  # analyzer_arn: "AnalyzerArn", # required
938
1840
  # max_results: 1,
939
1841
  # next_token: "Token",
940
- # resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key
1842
+ # resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key, AWS::SecretsManager::Secret
941
1843
  # }
942
1844
  #
943
1845
  # @!attribute [rw] analyzer_arn
944
- # The ARN of the analyzer to retrieve a list of analyzed resources
945
- # from.
1846
+ # The [ARN of the analyzer][1] to retrieve a list of analyzed
1847
+ # resources from.
1848
+ #
1849
+ #
1850
+ #
1851
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
946
1852
  # @return [String]
947
1853
  #
948
1854
  # @!attribute [rw] max_results
@@ -1115,7 +2021,11 @@ module Aws::AccessAnalyzer
1115
2021
  # }
1116
2022
  #
1117
2023
  # @!attribute [rw] analyzer_arn
1118
- # The ARN of the analyzer to retrieve findings from.
2024
+ # The [ARN of the analyzer][1] to retrieve findings from.
2025
+ #
2026
+ #
2027
+ #
2028
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1119
2029
  # @return [String]
1120
2030
  #
1121
2031
  # @!attribute [rw] filter
@@ -1201,13 +2111,134 @@ module Aws::AccessAnalyzer
1201
2111
  include Aws::Structure
1202
2112
  end
1203
2113
 
1204
- # The specified resource could not be found.
2114
+ # A location in a policy that is represented as a path through the JSON
2115
+ # representation and a corresponding span.
1205
2116
  #
1206
- # @!attribute [rw] message
1207
- # @return [String]
2117
+ # @!attribute [rw] path
2118
+ # A path in a policy, represented as a sequence of path elements.
2119
+ # @return [Array<Types::PathElement>]
1208
2120
  #
1209
- # @!attribute [rw] resource_id
1210
- # The ID of the resource.
2121
+ # @!attribute [rw] span
2122
+ # A span in a policy.
2123
+ # @return [Types::Span]
2124
+ #
2125
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Location AWS API Documentation
2126
+ #
2127
+ class Location < Struct.new(
2128
+ :path,
2129
+ :span)
2130
+ SENSITIVE = []
2131
+ include Aws::Structure
2132
+ end
2133
+
2134
+ # The proposed `InternetConfiguration` or `VpcConfiguration` to apply to
2135
+ # the Amazon S3 Access point. You can make the access point accessible
2136
+ # from the internet, or you can specify that all requests made through
2137
+ # that access point must originate from a specific virtual private cloud
2138
+ # (VPC). You can specify only one type of network configuration. For
2139
+ # more information, see [Creating access points][1].
2140
+ #
2141
+ #
2142
+ #
2143
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
2144
+ #
2145
+ # @note When making an API call, you may pass NetworkOriginConfiguration
2146
+ # data as a hash:
2147
+ #
2148
+ # {
2149
+ # internet_configuration: {
2150
+ # },
2151
+ # vpc_configuration: {
2152
+ # vpc_id: "VpcId", # required
2153
+ # },
2154
+ # }
2155
+ #
2156
+ # @!attribute [rw] internet_configuration
2157
+ # The configuration for the Amazon S3 access point with an `Internet`
2158
+ # origin.
2159
+ # @return [Types::InternetConfiguration]
2160
+ #
2161
+ # @!attribute [rw] vpc_configuration
2162
+ # The proposed virtual private cloud (VPC) configuration for the
2163
+ # Amazon S3 access point. For more information, see
2164
+ # [VpcConfiguration][1].
2165
+ #
2166
+ #
2167
+ #
2168
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
2169
+ # @return [Types::VpcConfiguration]
2170
+ #
2171
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/NetworkOriginConfiguration AWS API Documentation
2172
+ #
2173
+ class NetworkOriginConfiguration < Struct.new(
2174
+ :internet_configuration,
2175
+ :vpc_configuration)
2176
+ SENSITIVE = []
2177
+ include Aws::Structure
2178
+ end
2179
+
2180
+ # A single element in a path through the JSON representation of a
2181
+ # policy.
2182
+ #
2183
+ # @!attribute [rw] index
2184
+ # Refers to an index in a JSON array.
2185
+ # @return [Integer]
2186
+ #
2187
+ # @!attribute [rw] key
2188
+ # Refers to a key in a JSON object.
2189
+ # @return [String]
2190
+ #
2191
+ # @!attribute [rw] substring
2192
+ # Refers to a substring of a literal string in a JSON object.
2193
+ # @return [Types::Substring]
2194
+ #
2195
+ # @!attribute [rw] value
2196
+ # Refers to the value associated with a given key in a JSON object.
2197
+ # @return [String]
2198
+ #
2199
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PathElement AWS API Documentation
2200
+ #
2201
+ class PathElement < Struct.new(
2202
+ :index,
2203
+ :key,
2204
+ :substring,
2205
+ :value)
2206
+ SENSITIVE = []
2207
+ include Aws::Structure
2208
+ end
2209
+
2210
+ # A position in a policy.
2211
+ #
2212
+ # @!attribute [rw] column
2213
+ # The column of the position, starting from 0.
2214
+ # @return [Integer]
2215
+ #
2216
+ # @!attribute [rw] line
2217
+ # The line of the position, starting from 1.
2218
+ # @return [Integer]
2219
+ #
2220
+ # @!attribute [rw] offset
2221
+ # The offset within the policy that corresponds to the position,
2222
+ # starting from 0.
2223
+ # @return [Integer]
2224
+ #
2225
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Position AWS API Documentation
2226
+ #
2227
+ class Position < Struct.new(
2228
+ :column,
2229
+ :line,
2230
+ :offset)
2231
+ SENSITIVE = []
2232
+ include Aws::Structure
2233
+ end
2234
+
2235
+ # The specified resource could not be found.
2236
+ #
2237
+ # @!attribute [rw] message
2238
+ # @return [String]
2239
+ #
2240
+ # @!attribute [rw] resource_id
2241
+ # The ID of the resource.
1211
2242
  # @return [String]
1212
2243
  #
1213
2244
  # @!attribute [rw] resource_type
@@ -1224,6 +2255,278 @@ module Aws::AccessAnalyzer
1224
2255
  include Aws::Structure
1225
2256
  end
1226
2257
 
2258
+ # The configuration for an Amazon S3 access point for the bucket. You
2259
+ # can propose up to 10 access points per bucket. If the proposed Amazon
2260
+ # S3 access point configuration is for an existing bucket, the access
2261
+ # preview uses the proposed access point configuration in place of the
2262
+ # existing access points. To propose an access point without a policy,
2263
+ # you can provide an empty string as the access point policy. For more
2264
+ # information, see [Creating access points][1]. For more information
2265
+ # about access point policy limits, see [Access points restrictions and
2266
+ # limitations][2].
2267
+ #
2268
+ #
2269
+ #
2270
+ # [1]: https://docs.aws.amazon.com/https:/docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
2271
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points-restrictions-limitations.html
2272
+ #
2273
+ # @note When making an API call, you may pass S3AccessPointConfiguration
2274
+ # data as a hash:
2275
+ #
2276
+ # {
2277
+ # access_point_policy: "AccessPointPolicy",
2278
+ # network_origin: {
2279
+ # internet_configuration: {
2280
+ # },
2281
+ # vpc_configuration: {
2282
+ # vpc_id: "VpcId", # required
2283
+ # },
2284
+ # },
2285
+ # public_access_block: {
2286
+ # ignore_public_acls: false, # required
2287
+ # restrict_public_buckets: false, # required
2288
+ # },
2289
+ # }
2290
+ #
2291
+ # @!attribute [rw] access_point_policy
2292
+ # The access point policy.
2293
+ # @return [String]
2294
+ #
2295
+ # @!attribute [rw] network_origin
2296
+ # The proposed `Internet` and `VpcConfiguration` to apply to this
2297
+ # Amazon S3 access point. If the access preview is for a new resource
2298
+ # and neither is specified, the access preview uses `Internet` for the
2299
+ # network origin. If the access preview is for an existing resource
2300
+ # and neither is specified, the access preview uses the exiting
2301
+ # network origin.
2302
+ # @return [Types::NetworkOriginConfiguration]
2303
+ #
2304
+ # @!attribute [rw] public_access_block
2305
+ # The proposed `S3PublicAccessBlock` configuration to apply to this
2306
+ # Amazon S3 Access Point.
2307
+ # @return [Types::S3PublicAccessBlockConfiguration]
2308
+ #
2309
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3AccessPointConfiguration AWS API Documentation
2310
+ #
2311
+ class S3AccessPointConfiguration < Struct.new(
2312
+ :access_point_policy,
2313
+ :network_origin,
2314
+ :public_access_block)
2315
+ SENSITIVE = []
2316
+ include Aws::Structure
2317
+ end
2318
+
2319
+ # A proposed access control list grant configuration for an Amazon S3
2320
+ # bucket. For more information, see [How to Specify an ACL][1].
2321
+ #
2322
+ #
2323
+ #
2324
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#setting-acls
2325
+ #
2326
+ # @note When making an API call, you may pass S3BucketAclGrantConfiguration
2327
+ # data as a hash:
2328
+ #
2329
+ # {
2330
+ # grantee: { # required
2331
+ # id: "AclCanonicalId",
2332
+ # uri: "AclUri",
2333
+ # },
2334
+ # permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
2335
+ # }
2336
+ #
2337
+ # @!attribute [rw] grantee
2338
+ # The grantee to whom you’re assigning access rights.
2339
+ # @return [Types::AclGrantee]
2340
+ #
2341
+ # @!attribute [rw] permission
2342
+ # The permissions being granted.
2343
+ # @return [String]
2344
+ #
2345
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketAclGrantConfiguration AWS API Documentation
2346
+ #
2347
+ class S3BucketAclGrantConfiguration < Struct.new(
2348
+ :grantee,
2349
+ :permission)
2350
+ SENSITIVE = []
2351
+ include Aws::Structure
2352
+ end
2353
+
2354
+ # Proposed access control configuration for an Amazon S3 bucket. You can
2355
+ # propose a configuration for a new Amazon S3 bucket or an existing
2356
+ # Amazon S3 bucket that you own by specifying the Amazon S3 bucket
2357
+ # policy, bucket ACLs, bucket BPA settings, and Amazon S3 access points
2358
+ # attached to the bucket. If the configuration is for an existing Amazon
2359
+ # S3 bucket and you do not specify the Amazon S3 bucket policy, the
2360
+ # access preview uses the existing policy attached to the bucket. If the
2361
+ # access preview is for a new resource and you do not specify the Amazon
2362
+ # S3 bucket policy, the access preview assumes a bucket without a
2363
+ # policy. To propose deletion of an existing bucket policy, you can
2364
+ # specify an empty string. For more information about bucket policy
2365
+ # limits, see [Bucket Policy Examples][1].
2366
+ #
2367
+ #
2368
+ #
2369
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
2370
+ #
2371
+ # @note When making an API call, you may pass S3BucketConfiguration
2372
+ # data as a hash:
2373
+ #
2374
+ # {
2375
+ # access_points: {
2376
+ # "AccessPointArn" => {
2377
+ # access_point_policy: "AccessPointPolicy",
2378
+ # network_origin: {
2379
+ # internet_configuration: {
2380
+ # },
2381
+ # vpc_configuration: {
2382
+ # vpc_id: "VpcId", # required
2383
+ # },
2384
+ # },
2385
+ # public_access_block: {
2386
+ # ignore_public_acls: false, # required
2387
+ # restrict_public_buckets: false, # required
2388
+ # },
2389
+ # },
2390
+ # },
2391
+ # bucket_acl_grants: [
2392
+ # {
2393
+ # grantee: { # required
2394
+ # id: "AclCanonicalId",
2395
+ # uri: "AclUri",
2396
+ # },
2397
+ # permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
2398
+ # },
2399
+ # ],
2400
+ # bucket_policy: "S3BucketPolicy",
2401
+ # bucket_public_access_block: {
2402
+ # ignore_public_acls: false, # required
2403
+ # restrict_public_buckets: false, # required
2404
+ # },
2405
+ # }
2406
+ #
2407
+ # @!attribute [rw] access_points
2408
+ # The configuration of Amazon S3 access points for the bucket.
2409
+ # @return [Hash<String,Types::S3AccessPointConfiguration>]
2410
+ #
2411
+ # @!attribute [rw] bucket_acl_grants
2412
+ # The proposed list of ACL grants for the Amazon S3 bucket. You can
2413
+ # propose up to 100 ACL grants per bucket. If the proposed grant
2414
+ # configuration is for an existing bucket, the access preview uses the
2415
+ # proposed list of grant configurations in place of the existing
2416
+ # grants. Otherwise, the access preview uses the existing grants for
2417
+ # the bucket.
2418
+ # @return [Array<Types::S3BucketAclGrantConfiguration>]
2419
+ #
2420
+ # @!attribute [rw] bucket_policy
2421
+ # The proposed bucket policy for the Amazon S3 bucket.
2422
+ # @return [String]
2423
+ #
2424
+ # @!attribute [rw] bucket_public_access_block
2425
+ # The proposed block public access configuration for the Amazon S3
2426
+ # bucket.
2427
+ # @return [Types::S3PublicAccessBlockConfiguration]
2428
+ #
2429
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketConfiguration AWS API Documentation
2430
+ #
2431
+ class S3BucketConfiguration < Struct.new(
2432
+ :access_points,
2433
+ :bucket_acl_grants,
2434
+ :bucket_policy,
2435
+ :bucket_public_access_block)
2436
+ SENSITIVE = []
2437
+ include Aws::Structure
2438
+ end
2439
+
2440
+ # The `PublicAccessBlock` configuration to apply to this Amazon S3
2441
+ # bucket. If the proposed configuration is for an existing Amazon S3
2442
+ # bucket and the configuration is not specified, the access preview uses
2443
+ # the existing setting. If the proposed configuration is for a new
2444
+ # bucket and the configuration is not specified, the access preview uses
2445
+ # `false`. If the proposed configuration is for a new access point and
2446
+ # the access point BPA configuration is not specified, the access
2447
+ # preview uses `true`. For more information, see
2448
+ # [PublicAccessBlockConfiguration][1].
2449
+ #
2450
+ #
2451
+ #
2452
+ # [1]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html
2453
+ #
2454
+ # @note When making an API call, you may pass S3PublicAccessBlockConfiguration
2455
+ # data as a hash:
2456
+ #
2457
+ # {
2458
+ # ignore_public_acls: false, # required
2459
+ # restrict_public_buckets: false, # required
2460
+ # }
2461
+ #
2462
+ # @!attribute [rw] ignore_public_acls
2463
+ # Specifies whether Amazon S3 should ignore public ACLs for this
2464
+ # bucket and objects in this bucket.
2465
+ # @return [Boolean]
2466
+ #
2467
+ # @!attribute [rw] restrict_public_buckets
2468
+ # Specifies whether Amazon S3 should restrict public bucket policies
2469
+ # for this bucket.
2470
+ # @return [Boolean]
2471
+ #
2472
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3PublicAccessBlockConfiguration AWS API Documentation
2473
+ #
2474
+ class S3PublicAccessBlockConfiguration < Struct.new(
2475
+ :ignore_public_acls,
2476
+ :restrict_public_buckets)
2477
+ SENSITIVE = []
2478
+ include Aws::Structure
2479
+ end
2480
+
2481
+ # The configuration for a Secrets Manager secret. For more information,
2482
+ # see [CreateSecret][1].
2483
+ #
2484
+ # You can propose a configuration for a new secret or an existing secret
2485
+ # that you own by specifying the secret policy and optional KMS
2486
+ # encryption key. If the configuration is for an existing secret and you
2487
+ # do not specify the secret policy, the access preview uses the existing
2488
+ # policy for the secret. If the access preview is for a new resource and
2489
+ # you do not specify the policy, the access preview assumes a secret
2490
+ # without a policy. To propose deletion of an existing policy, you can
2491
+ # specify an empty string. If the proposed configuration is for a new
2492
+ # secret and you do not specify the KMS key ID, the access preview uses
2493
+ # the default CMK of the AWS account. If you specify an empty string for
2494
+ # the KMS key ID, the access preview uses the default CMK of the AWS
2495
+ # account. For more information about secret policy limits, see [Quotas
2496
+ # for AWS Secrets Manager.][2].
2497
+ #
2498
+ #
2499
+ #
2500
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html
2501
+ # [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html
2502
+ #
2503
+ # @note When making an API call, you may pass SecretsManagerSecretConfiguration
2504
+ # data as a hash:
2505
+ #
2506
+ # {
2507
+ # kms_key_id: "SecretsManagerSecretKmsId",
2508
+ # secret_policy: "SecretsManagerSecretPolicy",
2509
+ # }
2510
+ #
2511
+ # @!attribute [rw] kms_key_id
2512
+ # The proposed ARN, key ID, or alias of the AWS KMS customer master
2513
+ # key (CMK).
2514
+ # @return [String]
2515
+ #
2516
+ # @!attribute [rw] secret_policy
2517
+ # The proposed resource policy defining who can access or manage the
2518
+ # secret.
2519
+ # @return [String]
2520
+ #
2521
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SecretsManagerSecretConfiguration AWS API Documentation
2522
+ #
2523
+ class SecretsManagerSecretConfiguration < Struct.new(
2524
+ :kms_key_id,
2525
+ :secret_policy)
2526
+ SENSITIVE = []
2527
+ include Aws::Structure
2528
+ end
2529
+
1227
2530
  # Service quote met error.
1228
2531
  #
1229
2532
  # @!attribute [rw] message
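Review bot: Reference `[1]` in the S3AccessPointConfiguration comment is malformed, because `https://docs.aws.amazon.com/https:/docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html` repeats the scheme and host inside the path. NetworkOriginConfiguration links the same page correctly, so the line should read `# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html`. In the same class, the `network_origin` text says "uses the exiting network origin", which should be "existing", and it joins the two options with "and" although NetworkOriginConfiguration describes them as alternatives. The attribute text of S3PublicAccessBlockConfiguration speaks only of "this bucket", yet S3AccessPointConfiguration reuses the type for `public_access_block`, where the class comment gives a different default (`true` for a new access point, `false` for a new bucket). A sentence on each attribute saying it also applies to access points would make that default harder to misread.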
@@ -1274,6 +2577,60 @@ module Aws::AccessAnalyzer
1274
2577
  include Aws::Structure
1275
2578
  end
1276
2579
 
2580
+ # A span in a policy. The span consists of a start position (inclusive)
2581
+ # and end position (exclusive).
2582
+ #
2583
+ # @!attribute [rw] end
2584
+ # The end position of the span (exclusive).
2585
+ # @return [Types::Position]
2586
+ #
2587
+ # @!attribute [rw] start
2588
+ # The start position of the span (inclusive).
2589
+ # @return [Types::Position]
2590
+ #
2591
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Span AWS API Documentation
2592
+ #
2593
+ class Span < Struct.new(
2594
+ :end,
2595
+ :start)
2596
+ SENSITIVE = []
2597
+ include Aws::Structure
2598
+ end
2599
+
2600
+ # The proposed access control configuration for an SQS queue. You can
2601
+ # propose a configuration for a new SQS queue or an existing SQS queue
2602
+ # that you own by specifying the SQS policy. If the configuration is for
2603
+ # an existing SQS queue and you do not specify the SQS policy, the
2604
+ # access preview uses the existing SQS policy for the queue. If the
2605
+ # access preview is for a new resource and you do not specify the
2606
+ # policy, the access preview assumes an SQS queue without a policy. To
2607
+ # propose deletion of an existing SQS queue policy, you can specify an
2608
+ # empty string for the SQS policy. For more information about SQS policy
2609
+ # limits, see [Quotas related to policies][1].
2610
+ #
2611
+ #
2612
+ #
2613
+ # [1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-policies.html
2614
+ #
2615
+ # @note When making an API call, you may pass SqsQueueConfiguration
2616
+ # data as a hash:
2617
+ #
2618
+ # {
2619
+ # queue_policy: "SqsQueuePolicy",
2620
+ # }
2621
+ #
2622
+ # @!attribute [rw] queue_policy
2623
+ # The proposed resource policy for the SQS queue.
2624
+ # @return [String]
2625
+ #
2626
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SqsQueueConfiguration AWS API Documentation
2627
+ #
2628
+ class SqsQueueConfiguration < Struct.new(
2629
+ :queue_policy)
2630
+ SENSITIVE = []
2631
+ include Aws::Structure
2632
+ end
2633
+
1277
2634
  # Starts a scan of the policies applied to the specified resource.
1278
2635
  #
1279
2636
  # @note When making an API call, you may pass StartResourceScanRequest
@@ -1285,8 +2642,12 @@ module Aws::AccessAnalyzer
1285
2642
  # }
1286
2643
  #
1287
2644
  # @!attribute [rw] analyzer_arn
1288
- # The ARN of the analyzer to use to scan the policies applied to the
1289
- # specified resource.
2645
+ # The [ARN of the analyzer][1] to use to scan the policies applied to
2646
+ # the specified resource.
2647
+ #
2648
+ #
2649
+ #
2650
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1290
2651
  # @return [String]
1291
2652
  #
1292
2653
  # @!attribute [rw] resource_arn
@@ -1304,7 +2665,7 @@ module Aws::AccessAnalyzer
1304
2665
 
1305
2666
  # Provides more details about the current status of the analyzer. For
1306
2667
  # example, if the creation for the analyzer fails, a `Failed` status is
1307
- # displayed. For an analyzer with organization as the type, this failure
2668
+ # returned. For an analyzer with organization as the type, this failure
1308
2669
  # can be due to an issue with creating the service-linked roles required
1309
2670
  # in the member accounts of the AWS organization.
1310
2671
  #
@@ -1320,6 +2681,25 @@ module Aws::AccessAnalyzer
1320
2681
  include Aws::Structure
1321
2682
  end
1322
2683
 
2684
+ # A reference to a substring of a literal string in a JSON document.
2685
+ #
2686
+ # @!attribute [rw] length
2687
+ # The length of the substring.
2688
+ # @return [Integer]
2689
+ #
2690
+ # @!attribute [rw] start
2691
+ # The start index of the substring, starting from 0.
2692
+ # @return [Integer]
2693
+ #
2694
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Substring AWS API Documentation
2695
+ #
2696
+ class Substring < Struct.new(
2697
+ :length,
2698
+ :start)
2699
+ SENSITIVE = []
2700
+ include Aws::Structure
2701
+ end
2702
+
1323
2703
  # Adds a tag to the specified resource.
1324
2704
  #
1325
2705
  # @note When making an API call, you may pass TagResourceRequest
@@ -1470,7 +2850,11 @@ module Aws::AccessAnalyzer
1470
2850
  # }
1471
2851
  #
1472
2852
  # @!attribute [rw] analyzer_arn
1473
- # The ARN of the analyzer that generated the findings to update.
2853
+ # The [ARN of the analyzer][1] that generated the findings to update.
2854
+ #
2855
+ #
2856
+ #
2857
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1474
2858
  # @return [String]
1475
2859
  #
1476
2860
  # @!attribute [rw] client_token
@@ -1507,6 +2891,127 @@ module Aws::AccessAnalyzer
1507
2891
  include Aws::Structure
1508
2892
  end
1509
2893
 
2894
+ # A finding in a policy. Each finding is an actionable recommendation
2895
+ # that can be used to improve the policy.
2896
+ #
2897
+ # @!attribute [rw] finding_details
2898
+ # A localized message that explains the finding and provides guidance
2899
+ # on how to address it.
2900
+ # @return [String]
2901
+ #
2902
+ # @!attribute [rw] finding_type
2903
+ # The impact of the finding.
2904
+ #
2905
+ # Security warnings report when the policy allows access that we
2906
+ # consider overly permissive.
2907
+ #
2908
+ # Errors report when a part of the policy is not functional.
2909
+ #
2910
+ # Warnings report non-security issues when a policy does not conform
2911
+ # to policy writing best practices.
2912
+ #
2913
+ # Suggestions recommend stylistic improvements in the policy that do
2914
+ # not impact access.
2915
+ # @return [String]
2916
+ #
2917
+ # @!attribute [rw] issue_code
2918
+ # The issue code provides an identifier of the issue associated with
2919
+ # this finding.
2920
+ # @return [String]
2921
+ #
2922
+ # @!attribute [rw] learn_more_link
2923
+ # A link to additional documentation about the type of finding.
2924
+ # @return [String]
2925
+ #
2926
+ # @!attribute [rw] locations
2927
+ # The list of locations in the policy document that are related to the
2928
+ # finding. The issue code provides a summary of an issue identified by
2929
+ # the finding.
2930
+ # @return [Array<Types::Location>]
2931
+ #
2932
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyFinding AWS API Documentation
2933
+ #
2934
+ class ValidatePolicyFinding < Struct.new(
2935
+ :finding_details,
2936
+ :finding_type,
2937
+ :issue_code,
2938
+ :learn_more_link,
2939
+ :locations)
2940
+ SENSITIVE = []
2941
+ include Aws::Structure
2942
+ end
2943
+
2944
+ # @note When making an API call, you may pass ValidatePolicyRequest
2945
+ # data as a hash:
2946
+ #
2947
+ # {
2948
+ # locale: "DE", # accepts DE, EN, ES, FR, IT, JA, KO, PT_BR, ZH_CN, ZH_TW
2949
+ # max_results: 1,
2950
+ # next_token: "Token",
2951
+ # policy_document: "PolicyDocument", # required
2952
+ # policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY
2953
+ # }
2954
+ #
2955
+ # @!attribute [rw] locale
2956
+ # The locale to use for localizing the findings.
2957
+ # @return [String]
2958
+ #
2959
+ # @!attribute [rw] max_results
2960
+ # The maximum number of results to return in the response.
2961
+ # @return [Integer]
2962
+ #
2963
+ # @!attribute [rw] next_token
2964
+ # A token used for pagination of results returned.
2965
+ # @return [String]
2966
+ #
2967
+ # @!attribute [rw] policy_document
2968
+ # The JSON policy document to use as the content for the policy.
2969
+ # @return [String]
2970
+ #
2971
+ # @!attribute [rw] policy_type
2972
+ # The type of policy to validate. Identity policies grant permissions
2973
+ # to IAM principals. Identity policies include managed and inline
2974
+ # policies for IAM roles, users, and groups. They also include
2975
+ # service-control policies (SCPs) that are attached to an AWS
2976
+ # organization, organizational unit (OU), or an account.
2977
+ #
2978
+ # Resource policies grant permissions on AWS resources. Resource
2979
+ # policies include trust policies for IAM roles and bucket policies
2980
+ # for S3 buckets. You can provide a generic input such as identity
2981
+ # policy or resource policy or a specific input such as managed policy
2982
+ # or S3 bucket policy.
2983
+ # @return [String]
2984
+ #
2985
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyRequest AWS API Documentation
2986
+ #
2987
+ class ValidatePolicyRequest < Struct.new(
2988
+ :locale,
2989
+ :max_results,
2990
+ :next_token,
2991
+ :policy_document,
2992
+ :policy_type)
2993
+ SENSITIVE = []
2994
+ include Aws::Structure
2995
+ end
2996
+
2997
+ # @!attribute [rw] findings
2998
+ # The list of findings in a policy returned by Access Analyzer based
2999
+ # on its suite of policy checks.
3000
+ # @return [Array<Types::ValidatePolicyFinding>]
3001
+ #
3002
+ # @!attribute [rw] next_token
3003
+ # A token used for pagination of results returned.
3004
+ # @return [String]
3005
+ #
3006
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyResponse AWS API Documentation
3007
+ #
3008
+ class ValidatePolicyResponse < Struct.new(
3009
+ :findings,
3010
+ :next_token)
3011
+ SENSITIVE = []
3012
+ include Aws::Structure
3013
+ end
3014
+
1510
3015
  # Validation exception error.
1511
3016
  #
1512
3017
  # @!attribute [rw] field_list
@@ -1549,5 +3054,32 @@ module Aws::AccessAnalyzer
1549
3054
  include Aws::Structure
1550
3055
  end
1551
3056
 
3057
+ # The proposed virtual private cloud (VPC) configuration for the Amazon
3058
+ # S3 access point. For more information, see [VpcConfiguration][1].
3059
+ #
3060
+ #
3061
+ #
3062
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
3063
+ #
3064
+ # @note When making an API call, you may pass VpcConfiguration
3065
+ # data as a hash:
3066
+ #
3067
+ # {
3068
+ # vpc_id: "VpcId", # required
3069
+ # }
3070
+ #
3071
+ # @!attribute [rw] vpc_id
3072
+ # If this field is specified, this access point will only allow
3073
+ # connections from the specified VPC ID.
3074
+ # @return [String]
3075
+ #
3076
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/VpcConfiguration AWS API Documentation
3077
+ #
3078
+ class VpcConfiguration < Struct.new(
3079
+ :vpc_id)
3080
+ SENSITIVE = []
3081
+ include Aws::Structure
3082
+ end
3083
+
1552
3084
  end
1553
3085
  end