aws-sdk-accessanalyzer 1.13.0 → 1.18.0

data/lib/aws-sdk-accessanalyzer/errors.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 

data/lib/aws-sdk-accessanalyzer/resource.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 

data/lib/aws-sdk-accessanalyzer/types.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -23,6 +23,266 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # Contains information about an access preview.
+    #
+    # @!attribute [rw] analyzer_arn
+    #   The ARN of the analyzer used to generate the access preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] configurations
+    #   A map of resource ARNs for the proposed resource configuration.
+    #   @return [Hash<String,Types::Configuration>]
+    #
+    # @!attribute [rw] created_at
+    #   The time at which the access preview was created.
+    #   @return [Time]
+    #
+    # @!attribute [rw] id
+    #   The unique ID for the access preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] status
+    #   The status of the access preview.
+    #
+    #   * `Creating` - The access preview creation is in progress.
+    #
+    #   * `Completed` - The access preview is complete. You can preview
+    #     findings for external access to the resource.
+    #
+    #   * `Failed` - The access preview creation has failed.
+    #   @return [String]
+    #
+    # @!attribute [rw] status_reason
+    #   Provides more details about the current status of the access
+    #   preview.
+    #
+    #   For example, if the creation of the access preview fails, a `Failed`
+    #   status is returned. This failure can be due to an internal issue
+    #   with the analysis or due to an invalid resource configuration.
+    #   @return [Types::AccessPreviewStatusReason]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreview AWS API Documentation
+    #
+    class AccessPreview < Struct.new(
+      :analyzer_arn,
+      :configurations,
+      :created_at,
+      :id,
+      :status,
+      :status_reason)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # An access preview finding generated by the access preview.
+    #
+    # @!attribute [rw] action
+    #   The action in the analyzed policy statement that an external
+    #   principal has permission to perform.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] change_type
+    #   Provides context on how the access preview finding compares to
+    #   existing access identified in Access Analyzer.
+    #
+    #   * `New` - The finding is for newly-introduced access.
+    #
+    #   * `Unchanged` - The preview finding is an existing finding that
+    #     would remain unchanged.
+    #
+    #   * `Changed` - The preview finding is an existing finding with a
+    #     change in status.
+    #
+    #   For example, a `Changed` finding with preview status `Resolved` and
+    #   existing status `Active` indicates the existing `Active` finding
+    #   would become `Resolved` as a result of the proposed permissions
+    #   change.
+    #   @return [String]
+    #
+    # @!attribute [rw] condition
+    #   The condition in the analyzed policy statement that resulted in a
+    #   finding.
+    #   @return [Hash<String,String>]
+    #
+    # @!attribute [rw] created_at
+    #   The time at which the access preview finding was created.
+    #   @return [Time]
+    #
+    # @!attribute [rw] error
+    #   An error.
+    #   @return [String]
+    #
+    # @!attribute [rw] existing_finding_id
+    #   The existing ID of the finding in Access Analyzer, provided only for
+    #   existing findings.
+    #   @return [String]
+    #
+    # @!attribute [rw] existing_finding_status
+    #   The existing status of the finding, provided only for existing
+    #   findings.
+    #   @return [String]
+    #
+    # @!attribute [rw] id
+    #   The ID of the access preview finding. This ID uniquely identifies
+    #   the element in the list of access preview findings and is not
+    #   related to the finding ID in Access Analyzer.
+    #   @return [String]
+    #
+    # @!attribute [rw] is_public
+    #   Indicates whether the policy that generated the finding allows
+    #   public access to the resource.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] principal
+    #   The external principal that has access to a resource within the zone
+    #   of trust.
+    #   @return [Hash<String,String>]
+    #
+    # @!attribute [rw] resource
+    #   The resource that an external principal has access to. This is the
+    #   resource associated with the access preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_owner_account
+    #   The AWS account ID that owns the resource. For most AWS resources,
+    #   the owning account is the account in which the resource was created.
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_type
+    #   The type of the resource that can be accessed in the finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] sources
+    #   The sources of the finding. This indicates how the access that
+    #   generated the finding is granted. It is populated for Amazon S3
+    #   bucket findings.
+    #   @return [Array<Types::FindingSource>]
+    #
+    # @!attribute [rw] status
+    #   The preview status of the finding. This is what the status of the
+    #   finding would be after permissions deployment. For example, a
+    #   `Changed` finding with preview status `Resolved` and existing status
+    #   `Active` indicates the existing `Active` finding would become
+    #   `Resolved` as a result of the proposed permissions change.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewFinding AWS API Documentation
+    #
+    class AccessPreviewFinding < Struct.new(
+      :action,
+      :change_type,
+      :condition,
+      :created_at,
+      :error,
+      :existing_finding_id,
+      :existing_finding_status,
+      :id,
+      :is_public,
+      :principal,
+      :resource,
+      :resource_owner_account,
+      :resource_type,
+      :sources,
+      :status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Provides more details about the current status of the access preview.
+    # For example, if the creation of the access preview fails, a `Failed`
+    # status is returned. This failure can be due to an internal issue with
+    # the analysis or due to an invalid proposed resource configuration.
+    #
+    # @!attribute [rw] code
+    #   The reason code for the current status of the access preview.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewStatusReason AWS API Documentation
+    #
+    class AccessPreviewStatusReason < Struct.new(
+      :code)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains a summary of information about an access preview.
+    #
+    # @!attribute [rw] analyzer_arn
+    #   The ARN of the analyzer used to generate the access preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] created_at
+    #   The time at which the access preview was created.
+    #   @return [Time]
+    #
+    # @!attribute [rw] id
+    #   The unique ID for the access preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] status
+    #   The status of the access preview.
+    #
+    #   * `Creating` - The access preview creation is in progress.
+    #
+    #   * `Completed` - The access preview is complete and previews the
+    #     findings for external access to the resource.
+    #
+    #   * `Failed` - The access preview creation has failed.
+    #   @return [String]
+    #
+    # @!attribute [rw] status_reason
+    #   Provides more details about the current status of the access
+    #   preview. For example, if the creation of the access preview fails, a
+    #   `Failed` status is returned. This failure can be due to an internal
+    #   issue with the analysis or due to an invalid proposed resource
+    #   configuration.
+    #   @return [Types::AccessPreviewStatusReason]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewSummary AWS API Documentation
+    #
+    class AccessPreviewSummary < Struct.new(
+      :analyzer_arn,
+      :created_at,
+      :id,
+      :status,
+      :status_reason)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # You specify each grantee as a type-value pair using one of these
+    # types. You can specify only one type of grantee. For more information,
+    # see [PutBucketAcl][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html
+    #
+    # @note When making an API call, you may pass AclGrantee
+    #   data as a hash:
+    #
+    #       {
+    #         id: "AclCanonicalId",
+    #         uri: "AclUri",
+    #       }
+    #
+    # @!attribute [rw] id
+    #   The value specified is the canonical user ID of an AWS account.
+    #   @return [String]
+    #
+    # @!attribute [rw] uri
+    #   Used for granting permissions to a predefined group.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AclGrantee AWS API Documentation
+    #
+    class AclGrantee < Struct.new(
+      :id,
+      :uri)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Contains details about the analyzed resource.
     #
     # @!attribute [rw] actions
@@ -141,16 +401,16 @@ module Aws::AccessAnalyzer
     #   The status of the analyzer. An `Active` analyzer successfully
     #   monitors supported resources and generates new findings. The
     #   analyzer is `Disabled` when a user action, such as removing trusted
-    #   access for IAM Access Analyzer from AWS Organizations, causes the
-    #   analyzer to stop generating new findings. The status is `Creating`
-    #   when the analyzer creation is in progress and `Failed` when the
-    #   analyzer creation has failed.
+    #   access for AWS IAM Access Analyzer from AWS Organizations, causes
+    #   the analyzer to stop generating new findings. The status is
+    #   `Creating` when the analyzer creation is in progress and `Failed`
+    #   when the analyzer creation has failed.
     #   @return [String]
     #
     # @!attribute [rw] status_reason
     #   The `statusReason` provides more details about the current status of
     #   the analyzer. For example, if the creation for the analyzer fails, a
-    #   `Failed` status is displayed. For an analyzer with organization as
+    #   `Failed` status is returned. For an analyzer with organization as
     #   the type, this failure can be due to an issue with creating the
     #   service-linked roles required in the member accounts of the AWS
     #   organization.
@@ -246,6 +506,111 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # Access control configuration structures for your resource. You specify
+    # the configuration as a type-value pair. You can specify only one type
+    # of access control configuration.
+    #
+    # @note When making an API call, you may pass Configuration
+    #   data as a hash:
+    #
+    #       {
+    #         iam_role: {
+    #           trust_policy: "IamTrustPolicy",
+    #         },
+    #         kms_key: {
+    #           grants: [
+    #             {
+    #               constraints: {
+    #                 encryption_context_equals: {
+    #                   "KmsConstraintsKey" => "KmsConstraintsValue",
+    #                 },
+    #                 encryption_context_subset: {
+    #                   "KmsConstraintsKey" => "KmsConstraintsValue",
+    #                 },
+    #               },
+    #               grantee_principal: "GranteePrincipal", # required
+    #               issuing_account: "IssuingAccount", # required
+    #               operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
+    #               retiring_principal: "RetiringPrincipal",
+    #             },
+    #           ],
+    #           key_policies: {
+    #             "PolicyName" => "KmsKeyPolicy",
+    #           },
+    #         },
+    #         s3_bucket: {
+    #           access_points: {
+    #             "AccessPointArn" => {
+    #               access_point_policy: "AccessPointPolicy",
+    #               network_origin: {
+    #                 internet_configuration: {
+    #                 },
+    #                 vpc_configuration: {
+    #                   vpc_id: "VpcId", # required
+    #                 },
+    #               },
+    #               public_access_block: {
+    #                 ignore_public_acls: false, # required
+    #                 restrict_public_buckets: false, # required
+    #               },
+    #             },
+    #           },
+    #           bucket_acl_grants: [
+    #             {
+    #               grantee: { # required
+    #                 id: "AclCanonicalId",
+    #                 uri: "AclUri",
+    #               },
+    #               permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
+    #             },
+    #           ],
+    #           bucket_policy: "S3BucketPolicy",
+    #           bucket_public_access_block: {
+    #             ignore_public_acls: false, # required
+    #             restrict_public_buckets: false, # required
+    #           },
+    #         },
+    #         secrets_manager_secret: {
+    #           kms_key_id: "SecretsManagerSecretKmsId",
+    #           secret_policy: "SecretsManagerSecretPolicy",
+    #         },
+    #         sqs_queue: {
+    #           queue_policy: "SqsQueuePolicy",
+    #         },
+    #       }
+    #
+    # @!attribute [rw] iam_role
+    #   The access control configuration is for an IAM role.
+    #   @return [Types::IamRoleConfiguration]
+    #
+    # @!attribute [rw] kms_key
+    #   The access control configuration is for a KMS key.
+    #   @return [Types::KmsKeyConfiguration]
+    #
+    # @!attribute [rw] s3_bucket
+    #   The access control configuration is for an Amazon S3 Bucket.
+    #   @return [Types::S3BucketConfiguration]
+    #
+    # @!attribute [rw] secrets_manager_secret
+    #   The access control configuration is for a Secrets Manager secret.
+    #   @return [Types::SecretsManagerSecretConfiguration]
+    #
+    # @!attribute [rw] sqs_queue
+    #   The access control configuration is for an SQS queue.
+    #   @return [Types::SqsQueueConfiguration]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Configuration AWS API Documentation
+    #
+    class Configuration < Struct.new(
+      :iam_role,
+      :kms_key,
+      :s3_bucket,
+      :secrets_manager_secret,
+      :sqs_queue)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # A conflict exception error.
     #
     # @!attribute [rw] message
@@ -269,6 +634,128 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass CreateAccessPreviewRequest
+    #   data as a hash:
+    #
+    #       {
+    #         analyzer_arn: "AnalyzerArn", # required
+    #         client_token: "String",
+    #         configurations: { # required
+    #           "ConfigurationsMapKey" => {
+    #             iam_role: {
+    #               trust_policy: "IamTrustPolicy",
+    #             },
+    #             kms_key: {
+    #               grants: [
+    #                 {
+    #                   constraints: {
+    #                     encryption_context_equals: {
+    #                       "KmsConstraintsKey" => "KmsConstraintsValue",
+    #                     },
+    #                     encryption_context_subset: {
+    #                       "KmsConstraintsKey" => "KmsConstraintsValue",
+    #                     },
+    #                   },
+    #                   grantee_principal: "GranteePrincipal", # required
+    #                   issuing_account: "IssuingAccount", # required
+    #                   operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
+    #                   retiring_principal: "RetiringPrincipal",
+    #                 },
+    #               ],
+    #               key_policies: {
+    #                 "PolicyName" => "KmsKeyPolicy",
+    #               },
+    #             },
+    #             s3_bucket: {
+    #               access_points: {
+    #                 "AccessPointArn" => {
+    #                   access_point_policy: "AccessPointPolicy",
+    #                   network_origin: {
+    #                     internet_configuration: {
+    #                     },
+    #                     vpc_configuration: {
+    #                       vpc_id: "VpcId", # required
+    #                     },
+    #                   },
+    #                   public_access_block: {
+    #                     ignore_public_acls: false, # required
+    #                     restrict_public_buckets: false, # required
+    #                   },
+    #                 },
+    #               },
+    #               bucket_acl_grants: [
+    #                 {
+    #                   grantee: { # required
+    #                     id: "AclCanonicalId",
+    #                     uri: "AclUri",
+    #                   },
+    #                   permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
+    #                 },
+    #               ],
+    #               bucket_policy: "S3BucketPolicy",
+    #               bucket_public_access_block: {
+    #                 ignore_public_acls: false, # required
+    #                 restrict_public_buckets: false, # required
+    #               },
+    #             },
+    #             secrets_manager_secret: {
+    #               kms_key_id: "SecretsManagerSecretKmsId",
+    #               secret_policy: "SecretsManagerSecretPolicy",
+    #             },
+    #             sqs_queue: {
+    #               queue_policy: "SqsQueuePolicy",
+    #             },
+    #           },
+    #         },
+    #       }
+    #
+    # @!attribute [rw] analyzer_arn
+    #   The [ARN of the account analyzer][1] used to generate the access
+    #   preview. You can only create an access preview for analyzers with an
+    #   `Account` type and `Active` status.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
+    #   @return [String]
+    #
+    # @!attribute [rw] client_token
+    #   A client token.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.
+    #   @return [String]
+    #
+    # @!attribute [rw] configurations
+    #   Access control configuration for your resource that is used to
+    #   generate the access preview. The access preview includes findings
+    #   for external access allowed to the resource with the proposed access
+    #   control configuration. The configuration must contain exactly one
+    #   element.
+    #   @return [Hash<String,Types::Configuration>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewRequest AWS API Documentation
+    #
+    class CreateAccessPreviewRequest < Struct.new(
+      :analyzer_arn,
+      :client_token,
+      :configurations)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] id
+    #   The unique ID for the access preview.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewResponse AWS API Documentation
+    #
+    class CreateAccessPreviewResponse < Struct.new(
+      :id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Creates an analyzer.
     #
     # @note When making an API call, you may pass CreateAnalyzerRequest
@@ -318,8 +805,10 @@ module Aws::AccessAnalyzer
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] type
-    #   The type of analyzer to create. Only ACCOUNT analyzers are
-    #   supported. You can create only one analyzer per account per Region.
+    #   The type of analyzer to create. Only ACCOUNT and ORGANIZATION
+    #   analyzers are supported. You can create only one analyzer per
+    #   account per Region. You can create up to 5 analyzers per
+    #   organization per Region.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerRequest AWS API Documentation
@@ -554,7 +1043,7 @@ module Aws::AccessAnalyzer
     #   @return [String]
     #
     # @!attribute [rw] resource_type
-    #   The type of the resource reported in the finding.
+    #   The type of the resource identified in the finding.
     #   @return [String]
     #
     # @!attribute [rw] sources
@@ -715,37 +1204,82 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
-    # Retrieves an analyzed resource.
-    #
-    # @note When making an API call, you may pass GetAnalyzedResourceRequest
+    # @note When making an API call, you may pass GetAccessPreviewRequest
     #   data as a hash:
     #
     #       {
+    #         access_preview_id: "AccessPreviewId", # required
     #         analyzer_arn: "AnalyzerArn", # required
-    #         resource_arn: "ResourceArn", # required
     #       }
     #
-    # @!attribute [rw] analyzer_arn
-    #   The ARN of the analyzer to retrieve information from.
+    # @!attribute [rw] access_preview_id
+    #   The unique ID for the access preview.
     #   @return [String]
     #
-    # @!attribute [rw] resource_arn
-    #   The ARN of the resource to retrieve information about.
+    # @!attribute [rw] analyzer_arn
+    #   The [ARN of the analyzer][1] used to generate the access preview.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAnalyzedResourceRequest AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAccessPreviewRequest AWS API Documentation
     #
-    class GetAnalyzedResourceRequest < Struct.new(
-      :analyzer_arn,
-      :resource_arn)
+    class GetAccessPreviewRequest < Struct.new(
+      :access_preview_id,
+      :analyzer_arn)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # The response to the request.
+    # @!attribute [rw] access_preview
+    #   An object that contains information about the access preview.
+    #   @return [Types::AccessPreview]
     #
-    # @!attribute [rw] resource
-    #   An `AnalyedResource` object that contains information that Access
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAccessPreviewResponse AWS API Documentation
+    #
+    class GetAccessPreviewResponse < Struct.new(
+      :access_preview)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Retrieves an analyzed resource.
+    #
+    # @note When making an API call, you may pass GetAnalyzedResourceRequest
+    #   data as a hash:
+    #
+    #       {
+    #         analyzer_arn: "AnalyzerArn", # required
+    #         resource_arn: "ResourceArn", # required
+    #       }
+    #
+    # @!attribute [rw] analyzer_arn
+    #   The [ARN of the analyzer][1] to retrieve information from.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_arn
+    #   The ARN of the resource to retrieve information about.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAnalyzedResourceRequest AWS API Documentation
+    #
+    class GetAnalyzedResourceRequest < Struct.new(
+      :analyzer_arn,
+      :resource_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The response to the request.
+    #
+    # @!attribute [rw] resource
+    #   An `AnalyzedResource` object that contains information that Access
     #   Analyzer found when it analyzed the resource.
     #   @return [Types::AnalyzedResource]
     #
@@ -845,7 +1379,11 @@ module Aws::AccessAnalyzer
     #       }
     #
     # @!attribute [rw] analyzer_arn
-    #   The ARN of the analyzer that generated the finding.
+    #   The [ARN of the analyzer][1] that generated the finding.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -875,6 +1413,39 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # The proposed access control configuration for an IAM role. You can
+    # propose a configuration for a new IAM role or an existing IAM role
+    # that you own by specifying the trust policy. If the configuration is
+    # for a new IAM role, you must specify the trust policy. If the
+    # configuration is for an existing IAM role that you own and you do not
+    # propose the trust policy, the access preview uses the existing trust
+    # policy for the role. The proposed trust policy cannot be an empty
+    # string. For more information about role trust policy limits, see [IAM
+    # and STS quotas][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
+    #
+    # @note When making an API call, you may pass IamRoleConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         trust_policy: "IamTrustPolicy",
+    #       }
+    #
+    # @!attribute [rw] trust_policy
+    #   The proposed trust policy for the IAM role.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/IamRoleConfiguration AWS API Documentation
+    #
+    class IamRoleConfiguration < Struct.new(
+      :trust_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # An criterion statement in an archive rule. Each archive rule may have
     # multiple criteria.
     #
@@ -928,6 +1499,337 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # This configuration sets the Amazon S3 access point network origin to
+    # `Internet`.
+    #
+    # @api private
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InternetConfiguration AWS API Documentation
+    #
+    class InternetConfiguration < Aws::EmptyStructure; end
+
+    # A proposed grant configuration for a KMS key. For more information,
+    # see [CreateGrant][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html
+    #
+    # @note When making an API call, you may pass KmsGrantConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         constraints: {
+    #           encryption_context_equals: {
+    #             "KmsConstraintsKey" => "KmsConstraintsValue",
+    #           },
+    #           encryption_context_subset: {
+    #             "KmsConstraintsKey" => "KmsConstraintsValue",
+    #           },
+    #         },
+    #         grantee_principal: "GranteePrincipal", # required
+    #         issuing_account: "IssuingAccount", # required
+    #         operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
+    #         retiring_principal: "RetiringPrincipal",
+    #       }
+    #
+    # @!attribute [rw] constraints
+    #   Use this structure to propose allowing [cryptographic operations][1]
+    #   in the grant only when the operation request includes the specified
+    #   [encryption context][2].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   @return [Types::KmsGrantConstraints]
+    #
+    # @!attribute [rw] grantee_principal
+    #   The principal that is given permission to perform the operations
+    #   that the grant permits.
+    #   @return [String]
+    #
+    # @!attribute [rw] issuing_account
+    #   The AWS account under which the grant was issued. The account is
+    #   used to propose KMS grants issued by accounts other than the owner
+    #   of the key.
+    #   @return [String]
+    #
+    # @!attribute [rw] operations
+    #   A list of operations that the grant permits.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] retiring_principal
+    #   The principal that is given permission to retire the grant by using
+    #   [RetireGrant][1] operation.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConfiguration AWS API Documentation
+    #
+    class KmsGrantConfiguration < Struct.new(
+      :constraints,
+      :grantee_principal,
+      :issuing_account,
+      :operations,
+      :retiring_principal)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Use this structure to propose allowing [cryptographic operations][1]
+    # in the grant only when the operation request includes the specified
+    # [encryption context][2]. You can specify only one type of encryption
+    # context. An empty map is treated as not specified. For more
+    # information, see [GrantConstraints][3].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html
+    #
+    # @note When making an API call, you may pass KmsGrantConstraints
+    #   data as a hash:
+    #
+    #       {
+    #         encryption_context_equals: {
+    #           "KmsConstraintsKey" => "KmsConstraintsValue",
+    #         },
+    #         encryption_context_subset: {
+    #           "KmsConstraintsKey" => "KmsConstraintsValue",
+    #         },
+    #       }
+    #
+    # @!attribute [rw] encryption_context_equals
+    #   A list of key-value pairs that must match the encryption context in
+    #   the [cryptographic operation][1] request. The grant allows the
+    #   operation only when the encryption context in the request is the
+    #   same as the encryption context specified in this constraint.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   @return [Hash<String,String>]
+    #
+    # @!attribute [rw] encryption_context_subset
+    #   A list of key-value pairs that must be included in the encryption
+    #   context of the [cryptographic operation][1] request. The grant
+    #   allows the cryptographic operation only when the encryption context
+    #   in the request includes the key-value pairs specified in this
+    #   constraint, although it can include additional key-value pairs.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   @return [Hash<String,String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConstraints AWS API Documentation
+    #
+    class KmsGrantConstraints < Struct.new(
+      :encryption_context_equals,
+      :encryption_context_subset)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Proposed access control configuration for a KMS key. You can propose a
+    # configuration for a new KMS key or an existing KMS key that you own by
+    # specifying the key policy and KMS grant configuration. If the
+    # configuration is for an existing key and you do not specify the key
+    # policy, the access preview uses the existing policy for the key. If
+    # the access preview is for a new resource and you do not specify the
+    # key policy, then the access preview uses the default key policy. The
+    # proposed key policy cannot be an empty string. For more information,
+    # see [Default key policy][1]. For more information about key policy
+    # limits, see [Resource quotas][2].
+    #
+    #
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
+    #
+    # @note When making an API call, you may pass KmsKeyConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         grants: [
+    #           {
+    #             constraints: {
+    #               encryption_context_equals: {
+    #                 "KmsConstraintsKey" => "KmsConstraintsValue",
+    #               },
+    #               encryption_context_subset: {
+    #                 "KmsConstraintsKey" => "KmsConstraintsValue",
+    #               },
+    #             },
+    #             grantee_principal: "GranteePrincipal", # required
+    #             issuing_account: "IssuingAccount", # required
+    #             operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
+    #             retiring_principal: "RetiringPrincipal",
+    #           },
+    #         ],
+    #         key_policies: {
+    #           "PolicyName" => "KmsKeyPolicy",
+    #         },
+    #       }
+    #
+    # @!attribute [rw] grants
+    #   A list of proposed grant configurations for the KMS key. If the
+    #   proposed grant configuration is for an existing key, the access
+    #   preview uses the proposed list of grant configurations in place of
+    #   the existing grants. Otherwise, the access preview uses the existing
+    #   grants for the key.
+    #   @return [Array<Types::KmsGrantConfiguration>]
+    #
+    # @!attribute [rw] key_policies
+    #   Resource policy configuration for the KMS key. The only valid value
+    #   for the name of the key policy is `default`. For more information,
+    #   see [Default key policy][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
+    #   @return [Hash<String,String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsKeyConfiguration AWS API Documentation
+    #
+    class KmsKeyConfiguration < Struct.new(
+      :grants,
+      :key_policies)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass ListAccessPreviewFindingsRequest
+    #   data as a hash:
+    #
+    #       {
+    #         access_preview_id: "AccessPreviewId", # required
+    #         analyzer_arn: "AnalyzerArn", # required
+    #         filter: {
+    #           "String" => {
+    #             contains: ["String"],
+    #             eq: ["String"],
+    #             exists: false,
+    #             neq: ["String"],
+    #           },
+    #         },
+    #         max_results: 1,
+    #         next_token: "Token",
+    #       }
+    #
+    # @!attribute [rw] access_preview_id
+    #   The unique ID for the access preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] analyzer_arn
+    #   The [ARN of the analyzer][1] used to generate the access.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
+    #   @return [String]
+    #
+    # @!attribute [rw] filter
+    #   Criteria to filter the returned findings.
+    #   @return [Hash<String,Types::Criterion>]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the response.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsRequest AWS API Documentation
+    #
+    class ListAccessPreviewFindingsRequest < Struct.new(
+      :access_preview_id,
+      :analyzer_arn,
+      :filter,
+      :max_results,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] findings
+    #   A list of access preview findings that match the specified filter
+    #   criteria.
+    #   @return [Array<Types::AccessPreviewFinding>]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsResponse AWS API Documentation
+    #
+    class ListAccessPreviewFindingsResponse < Struct.new(
+      :findings,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass ListAccessPreviewsRequest
+    #   data as a hash:
+    #
+    #       {
+    #         analyzer_arn: "AnalyzerArn", # required
+    #         max_results: 1,
+    #         next_token: "Token",
+    #       }
+    #
+    # @!attribute [rw] analyzer_arn
+    #   The [ARN of the analyzer][1] used to generate the access preview.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the response.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsRequest AWS API Documentation
+    #
+    class ListAccessPreviewsRequest < Struct.new(
+      :analyzer_arn,
+      :max_results,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] access_previews
+    #   A list of access previews retrieved for the analyzer.
+    #   @return [Array<Types::AccessPreviewSummary>]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsResponse AWS API Documentation
+    #
+    class ListAccessPreviewsResponse < Struct.new(
+      :access_previews,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Retrieves a list of resources that have been analyzed.
     #
     # @note When making an API call, you may pass ListAnalyzedResourcesRequest
@@ -937,12 +1839,16 @@ module Aws::AccessAnalyzer
     #         analyzer_arn: "AnalyzerArn", # required
     #         max_results: 1,
     #         next_token: "Token",
-    #         resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key
+    #         resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key, AWS::SecretsManager::Secret
     #       }
     #
     # @!attribute [rw] analyzer_arn
-    #   The ARN of the analyzer to retrieve a list of analyzed resources
-    #   from.
+    #   The [ARN of the analyzer][1] to retrieve a list of analyzed
+    #   resources from.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
     # @!attribute [rw] max_results
@@ -1115,7 +2021,11 @@ module Aws::AccessAnalyzer
     #       }
     #
     # @!attribute [rw] analyzer_arn
-    #   The ARN of the analyzer to retrieve findings from.
+    #   The [ARN of the analyzer][1] to retrieve findings from.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
     # @!attribute [rw] filter
@@ -1201,13 +2111,134 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
-    # The specified resource could not be found.
+    # A location in a policy that is represented as a path through the JSON
+    # representation and a corresponding span.
     #
-    # @!attribute [rw] message
-    #   @return [String]
+    # @!attribute [rw] path
+    #   A path in a policy, represented as a sequence of path elements.
+    #   @return [Array<Types::PathElement>]
     #
-    # @!attribute [rw] resource_id
-    #   The ID of the resource.
+    # @!attribute [rw] span
+    #   A span in a policy.
+    #   @return [Types::Span]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Location AWS API Documentation
+    #
+    class Location < Struct.new(
+      :path,
+      :span)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The proposed `InternetConfiguration` or `VpcConfiguration` to apply to
+    # the Amazon S3 Access point. You can make the access point accessible
+    # from the internet, or you can specify that all requests made through
+    # that access point must originate from a specific virtual private cloud
+    # (VPC). You can specify only one type of network configuration. For
+    # more information, see [Creating access points][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
+    #
+    # @note When making an API call, you may pass NetworkOriginConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         internet_configuration: {
+    #         },
+    #         vpc_configuration: {
+    #           vpc_id: "VpcId", # required
+    #         },
+    #       }
+    #
+    # @!attribute [rw] internet_configuration
+    #   The configuration for the Amazon S3 access point with an `Internet`
+    #   origin.
+    #   @return [Types::InternetConfiguration]
+    #
+    # @!attribute [rw] vpc_configuration
+    #   The proposed virtual private cloud (VPC) configuration for the
+    #   Amazon S3 access point. For more information, see
+    #   [VpcConfiguration][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
+    #   @return [Types::VpcConfiguration]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/NetworkOriginConfiguration AWS API Documentation
+    #
+    class NetworkOriginConfiguration < Struct.new(
+      :internet_configuration,
+      :vpc_configuration)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A single element in a path through the JSON representation of a
+    # policy.
+    #
+    # @!attribute [rw] index
+    #   Refers to an index in a JSON array.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] key
+    #   Refers to a key in a JSON object.
+    #   @return [String]
+    #
+    # @!attribute [rw] substring
+    #   Refers to a substring of a literal string in a JSON object.
+    #   @return [Types::Substring]
+    #
+    # @!attribute [rw] value
+    #   Refers to the value associated with a given key in a JSON object.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PathElement AWS API Documentation
+    #
+    class PathElement < Struct.new(
+      :index,
+      :key,
+      :substring,
+      :value)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A position in a policy.
+    #
+    # @!attribute [rw] column
+    #   The column of the position, starting from 0.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] line
+    #   The line of the position, starting from 1.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] offset
+    #   The offset within the policy that corresponds to the position,
+    #   starting from 0.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Position AWS API Documentation
+    #
+    class Position < Struct.new(
+      :column,
+      :line,
+      :offset)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The specified resource could not be found.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_id
+    #   The ID of the resource.
     #   @return [String]
     #
     # @!attribute [rw] resource_type
@@ -1224,6 +2255,278 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # The configuration for an Amazon S3 access point for the bucket. You
+    # can propose up to 10 access points per bucket. If the proposed Amazon
+    # S3 access point configuration is for an existing bucket, the access
+    # preview uses the proposed access point configuration in place of the
+    # existing access points. To propose an access point without a policy,
+    # you can provide an empty string as the access point policy. For more
+    # information, see [Creating access points][1]. For more information
+    # about access point policy limits, see [Access points restrictions and
+    # limitations][2].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/https:/docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points-restrictions-limitations.html
+    #
+    # @note When making an API call, you may pass S3AccessPointConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         access_point_policy: "AccessPointPolicy",
+    #         network_origin: {
+    #           internet_configuration: {
+    #           },
+    #           vpc_configuration: {
+    #             vpc_id: "VpcId", # required
+    #           },
+    #         },
+    #         public_access_block: {
+    #           ignore_public_acls: false, # required
+    #           restrict_public_buckets: false, # required
+    #         },
+    #       }
+    #
+    # @!attribute [rw] access_point_policy
+    #   The access point policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] network_origin
+    #   The proposed `Internet` and `VpcConfiguration` to apply to this
+    #   Amazon S3 access point. If the access preview is for a new resource
+    #   and neither is specified, the access preview uses `Internet` for the
+    #   network origin. If the access preview is for an existing resource
+    #   and neither is specified, the access preview uses the exiting
+    #   network origin.
+    #   @return [Types::NetworkOriginConfiguration]
+    #
+    # @!attribute [rw] public_access_block
+    #   The proposed `S3PublicAccessBlock` configuration to apply to this
+    #   Amazon S3 Access Point.
+    #   @return [Types::S3PublicAccessBlockConfiguration]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3AccessPointConfiguration AWS API Documentation
+    #
+    class S3AccessPointConfiguration < Struct.new(
+      :access_point_policy,
+      :network_origin,
+      :public_access_block)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A proposed access control list grant configuration for an Amazon S3
+    # bucket. For more information, see [How to Specify an ACL][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#setting-acls
+    #
+    # @note When making an API call, you may pass S3BucketAclGrantConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         grantee: { # required
+    #           id: "AclCanonicalId",
+    #           uri: "AclUri",
+    #         },
+    #         permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
+    #       }
+    #
+    # @!attribute [rw] grantee
+    #   The grantee to whom you’re assigning access rights.
+    #   @return [Types::AclGrantee]
+    #
+    # @!attribute [rw] permission
+    #   The permissions being granted.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketAclGrantConfiguration AWS API Documentation
+    #
+    class S3BucketAclGrantConfiguration < Struct.new(
+      :grantee,
+      :permission)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Proposed access control configuration for an Amazon S3 bucket. You can
+    # propose a configuration for a new Amazon S3 bucket or an existing
+    # Amazon S3 bucket that you own by specifying the Amazon S3 bucket
+    # policy, bucket ACLs, bucket BPA settings, and Amazon S3 access points
+    # attached to the bucket. If the configuration is for an existing Amazon
+    # S3 bucket and you do not specify the Amazon S3 bucket policy, the
+    # access preview uses the existing policy attached to the bucket. If the
+    # access preview is for a new resource and you do not specify the Amazon
+    # S3 bucket policy, the access preview assumes a bucket without a
+    # policy. To propose deletion of an existing bucket policy, you can
+    # specify an empty string. For more information about bucket policy
+    # limits, see [Bucket Policy Examples][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
+    #
+    # @note When making an API call, you may pass S3BucketConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         access_points: {
+    #           "AccessPointArn" => {
+    #             access_point_policy: "AccessPointPolicy",
+    #             network_origin: {
+    #               internet_configuration: {
+    #               },
+    #               vpc_configuration: {
+    #                 vpc_id: "VpcId", # required
+    #               },
+    #             },
+    #             public_access_block: {
+    #               ignore_public_acls: false, # required
+    #               restrict_public_buckets: false, # required
+    #             },
+    #           },
+    #         },
+    #         bucket_acl_grants: [
+    #           {
+    #             grantee: { # required
+    #               id: "AclCanonicalId",
+    #               uri: "AclUri",
+    #             },
+    #             permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
+    #           },
+    #         ],
+    #         bucket_policy: "S3BucketPolicy",
+    #         bucket_public_access_block: {
+    #           ignore_public_acls: false, # required
+    #           restrict_public_buckets: false, # required
+    #         },
+    #       }
+    #
+    # @!attribute [rw] access_points
+    #   The configuration of Amazon S3 access points for the bucket.
+    #   @return [Hash<String,Types::S3AccessPointConfiguration>]
+    #
+    # @!attribute [rw] bucket_acl_grants
+    #   The proposed list of ACL grants for the Amazon S3 bucket. You can
+    #   propose up to 100 ACL grants per bucket. If the proposed grant
+    #   configuration is for an existing bucket, the access preview uses the
+    #   proposed list of grant configurations in place of the existing
+    #   grants. Otherwise, the access preview uses the existing grants for
+    #   the bucket.
+    #   @return [Array<Types::S3BucketAclGrantConfiguration>]
+    #
+    # @!attribute [rw] bucket_policy
+    #   The proposed bucket policy for the Amazon S3 bucket.
+    #   @return [String]
+    #
+    # @!attribute [rw] bucket_public_access_block
+    #   The proposed block public access configuration for the Amazon S3
+    #   bucket.
+    #   @return [Types::S3PublicAccessBlockConfiguration]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketConfiguration AWS API Documentation
+    #
+    class S3BucketConfiguration < Struct.new(
+      :access_points,
+      :bucket_acl_grants,
+      :bucket_policy,
+      :bucket_public_access_block)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The `PublicAccessBlock` configuration to apply to this Amazon S3
+    # bucket. If the proposed configuration is for an existing Amazon S3
+    # bucket and the configuration is not specified, the access preview uses
+    # the existing setting. If the proposed configuration is for a new
+    # bucket and the configuration is not specified, the access preview uses
+    # `false`. If the proposed configuration is for a new access point and
+    # the access point BPA configuration is not specified, the access
+    # preview uses `true`. For more information, see
+    # [PublicAccessBlockConfiguration][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html
+    #
+    # @note When making an API call, you may pass S3PublicAccessBlockConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         ignore_public_acls: false, # required
+    #         restrict_public_buckets: false, # required
+    #       }
+    #
+    # @!attribute [rw] ignore_public_acls
+    #   Specifies whether Amazon S3 should ignore public ACLs for this
+    #   bucket and objects in this bucket.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] restrict_public_buckets
+    #   Specifies whether Amazon S3 should restrict public bucket policies
+    #   for this bucket.
+    #   @return [Boolean]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3PublicAccessBlockConfiguration AWS API Documentation
+    #
+    class S3PublicAccessBlockConfiguration < Struct.new(
+      :ignore_public_acls,
+      :restrict_public_buckets)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The configuration for a Secrets Manager secret. For more information,
+    # see [CreateSecret][1].
+    #
+    # You can propose a configuration for a new secret or an existing secret
+    # that you own by specifying the secret policy and optional KMS
+    # encryption key. If the configuration is for an existing secret and you
+    # do not specify the secret policy, the access preview uses the existing
+    # policy for the secret. If the access preview is for a new resource and
+    # you do not specify the policy, the access preview assumes a secret
+    # without a policy. To propose deletion of an existing policy, you can
+    # specify an empty string. If the proposed configuration is for a new
+    # secret and you do not specify the KMS key ID, the access preview uses
+    # the default CMK of the AWS account. If you specify an empty string for
+    # the KMS key ID, the access preview uses the default CMK of the AWS
+    # account. For more information about secret policy limits, see [Quotas
+    # for AWS Secrets Manager.][2].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html
+    # [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html
+    #
+    # @note When making an API call, you may pass SecretsManagerSecretConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         kms_key_id: "SecretsManagerSecretKmsId",
+    #         secret_policy: "SecretsManagerSecretPolicy",
+    #       }
+    #
+    # @!attribute [rw] kms_key_id
+    #   The proposed ARN, key ID, or alias of the AWS KMS customer master
+    #   key (CMK).
+    #   @return [String]
+    #
+    # @!attribute [rw] secret_policy
+    #   The proposed resource policy defining who can access or manage the
+    #   secret.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SecretsManagerSecretConfiguration AWS API Documentation
+    #
+    class SecretsManagerSecretConfiguration < Struct.new(
+      :kms_key_id,
+      :secret_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Service quote met error.
     #
     # @!attribute [rw] message
@@ -1274,6 +2577,60 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # A span in a policy. The span consists of a start position (inclusive)
+    # and end position (exclusive).
+    #
+    # @!attribute [rw] end
+    #   The end position of the span (exclusive).
+    #   @return [Types::Position]
+    #
+    # @!attribute [rw] start
+    #   The start position of the span (inclusive).
+    #   @return [Types::Position]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Span AWS API Documentation
+    #
+    class Span < Struct.new(
+      :end,
+      :start)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The proposed access control configuration for an SQS queue. You can
+    # propose a configuration for a new SQS queue or an existing SQS queue
+    # that you own by specifying the SQS policy. If the configuration is for
+    # an existing SQS queue and you do not specify the SQS policy, the
+    # access preview uses the existing SQS policy for the queue. If the
+    # access preview is for a new resource and you do not specify the
+    # policy, the access preview assumes an SQS queue without a policy. To
+    # propose deletion of an existing SQS queue policy, you can specify an
+    # empty string for the SQS policy. For more information about SQS policy
+    # limits, see [Quotas related to policies][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-policies.html
+    #
+    # @note When making an API call, you may pass SqsQueueConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         queue_policy: "SqsQueuePolicy",
+    #       }
+    #
+    # @!attribute [rw] queue_policy
+    #   The proposed resource policy for the SQS queue.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SqsQueueConfiguration AWS API Documentation
+    #
+    class SqsQueueConfiguration < Struct.new(
+      :queue_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Starts a scan of the policies applied to the specified resource.
     #
     # @note When making an API call, you may pass StartResourceScanRequest
@@ -1285,8 +2642,12 @@ module Aws::AccessAnalyzer
     #       }
     #
     # @!attribute [rw] analyzer_arn
-    #   The ARN of the analyzer to use to scan the policies applied to the
-    #   specified resource.
+    #   The [ARN of the analyzer][1] to use to scan the policies applied to
+    #   the specified resource.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
     # @!attribute [rw] resource_arn
@@ -1304,7 +2665,7 @@ module Aws::AccessAnalyzer
 
     # Provides more details about the current status of the analyzer. For
     # example, if the creation for the analyzer fails, a `Failed` status is
-    # displayed. For an analyzer with organization as the type, this failure
+    # returned. For an analyzer with organization as the type, this failure
     # can be due to an issue with creating the service-linked roles required
     # in the member accounts of the AWS organization.
     #
@@ -1320,6 +2681,25 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # A reference to a substring of a literal string in a JSON document.
+    #
+    # @!attribute [rw] length
+    #   The length of the substring.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] start
+    #   The start index of the substring, starting from 0.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Substring AWS API Documentation
+    #
+    class Substring < Struct.new(
+      :length,
+      :start)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Adds a tag to the specified resource.
     #
     # @note When making an API call, you may pass TagResourceRequest
@@ -1470,7 +2850,11 @@ module Aws::AccessAnalyzer
     #       }
     #
     # @!attribute [rw] analyzer_arn
-    #   The ARN of the analyzer that generated the findings to update.
+    #   The [ARN of the analyzer][1] that generated the findings to update.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
     # @!attribute [rw] client_token
@@ -1507,6 +2891,127 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # A finding in a policy. Each finding is an actionable recommendation
+    # that can be used to improve the policy.
+    #
+    # @!attribute [rw] finding_details
+    #   A localized message that explains the finding and provides guidance
+    #   on how to address it.
+    #   @return [String]
+    #
+    # @!attribute [rw] finding_type
+    #   The impact of the finding.
+    #
+    #   Security warnings report when the policy allows access that we
+    #   consider overly permissive.
+    #
+    #   Errors report when a part of the policy is not functional.
+    #
+    #   Warnings report non-security issues when a policy does not conform
+    #   to policy writing best practices.
+    #
+    #   Suggestions recommend stylistic improvements in the policy that do
+    #   not impact access.
+    #   @return [String]
+    #
+    # @!attribute [rw] issue_code
+    #   The issue code provides an identifier of the issue associated with
+    #   this finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] learn_more_link
+    #   A link to additional documentation about the type of finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] locations
+    #   The list of locations in the policy document that are related to the
+    #   finding. The issue code provides a summary of an issue identified by
+    #   the finding.
+    #   @return [Array<Types::Location>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyFinding AWS API Documentation
+    #
+    class ValidatePolicyFinding < Struct.new(
+      :finding_details,
+      :finding_type,
+      :issue_code,
+      :learn_more_link,
+      :locations)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass ValidatePolicyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         locale: "DE", # accepts DE, EN, ES, FR, IT, JA, KO, PT_BR, ZH_CN, ZH_TW
+    #         max_results: 1,
+    #         next_token: "Token",
+    #         policy_document: "PolicyDocument", # required
+    #         policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY
+    #       }
+    #
+    # @!attribute [rw] locale
+    #   The locale to use for localizing the findings.
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the response.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @!attribute [rw] policy_document
+    #   The JSON policy document to use as the content for the policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] policy_type
+    #   The type of policy to validate. Identity policies grant permissions
+    #   to IAM principals. Identity policies include managed and inline
+    #   policies for IAM roles, users, and groups. They also include
+    #   service-control policies (SCPs) that are attached to an AWS
+    #   organization, organizational unit (OU), or an account.
+    #
+    #   Resource policies grant permissions on AWS resources. Resource
+    #   policies include trust policies for IAM roles and bucket policies
+    #   for S3 buckets. You can provide a generic input such as identity
+    #   policy or resource policy or a specific input such as managed policy
+    #   or S3 bucket policy.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyRequest AWS API Documentation
+    #
+    class ValidatePolicyRequest < Struct.new(
+      :locale,
+      :max_results,
+      :next_token,
+      :policy_document,
+      :policy_type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] findings
+    #   The list of findings in a policy returned by Access Analyzer based
+    #   on its suite of policy checks.
+    #   @return [Array<Types::ValidatePolicyFinding>]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyResponse AWS API Documentation
+    #
+    class ValidatePolicyResponse < Struct.new(
+      :findings,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Validation exception error.
     #
     # @!attribute [rw] field_list
@@ -1549,5 +3054,32 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # The proposed virtual private cloud (VPC) configuration for the Amazon
+    # S3 access point. For more information, see [VpcConfiguration][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
+    #
+    # @note When making an API call, you may pass VpcConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         vpc_id: "VpcId", # required
+    #       }
+    #
+    # @!attribute [rw] vpc_id
+    #   If this field is specified, this access point will only allow
+    #   connections from the specified VPC ID.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/VpcConfiguration AWS API Documentation
+    #
+    class VpcConfiguration < Struct.new(
+      :vpc_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
   end
 end