aws-sdk-accessanalyzer 1.13.0 → 1.18.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +109 -0
- data/LICENSE.txt +202 -0
- data/VERSION +1 -0
- data/lib/aws-sdk-accessanalyzer.rb +2 -2
- data/lib/aws-sdk-accessanalyzer/client.rb +461 -19
- data/lib/aws-sdk-accessanalyzer/client_api.rb +367 -1
- data/lib/aws-sdk-accessanalyzer/errors.rb +1 -1
- data/lib/aws-sdk-accessanalyzer/resource.rb +1 -1
- data/lib/aws-sdk-accessanalyzer/types.rb +1570 -38
- metadata +8 -5
@@ -3,7 +3,7 @@
|
|
3
3
|
# WARNING ABOUT GENERATED CODE
|
4
4
|
#
|
5
5
|
# This file is generated. See the contributing guide for more information:
|
6
|
-
# https://github.com/aws/aws-sdk-ruby/blob/
|
6
|
+
# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
|
7
7
|
#
|
8
8
|
# WARNING ABOUT GENERATED CODE
|
9
9
|
|
@@ -3,7 +3,7 @@
|
|
3
3
|
# WARNING ABOUT GENERATED CODE
|
4
4
|
#
|
5
5
|
# This file is generated. See the contributing guide for more information:
|
6
|
-
# https://github.com/aws/aws-sdk-ruby/blob/
|
6
|
+
# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
|
7
7
|
#
|
8
8
|
# WARNING ABOUT GENERATED CODE
|
9
9
|
|
@@ -3,7 +3,7 @@
|
|
3
3
|
# WARNING ABOUT GENERATED CODE
|
4
4
|
#
|
5
5
|
# This file is generated. See the contributing guide for more information:
|
6
|
-
# https://github.com/aws/aws-sdk-ruby/blob/
|
6
|
+
# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
|
7
7
|
#
|
8
8
|
# WARNING ABOUT GENERATED CODE
|
9
9
|
|
@@ -23,6 +23,266 @@ module Aws::AccessAnalyzer
|
|
23
23
|
include Aws::Structure
|
24
24
|
end
|
25
25
|
|
26
|
+
# Contains information about an access preview.
|
27
|
+
#
|
28
|
+
# @!attribute [rw] analyzer_arn
|
29
|
+
# The ARN of the analyzer used to generate the access preview.
|
30
|
+
# @return [String]
|
31
|
+
#
|
32
|
+
# @!attribute [rw] configurations
|
33
|
+
# A map of resource ARNs for the proposed resource configuration.
|
34
|
+
# @return [Hash<String,Types::Configuration>]
|
35
|
+
#
|
36
|
+
# @!attribute [rw] created_at
|
37
|
+
# The time at which the access preview was created.
|
38
|
+
# @return [Time]
|
39
|
+
#
|
40
|
+
# @!attribute [rw] id
|
41
|
+
# The unique ID for the access preview.
|
42
|
+
# @return [String]
|
43
|
+
#
|
44
|
+
# @!attribute [rw] status
|
45
|
+
# The status of the access preview.
|
46
|
+
#
|
47
|
+
# * `Creating` - The access preview creation is in progress.
|
48
|
+
#
|
49
|
+
# * `Completed` - The access preview is complete. You can preview
|
50
|
+
# findings for external access to the resource.
|
51
|
+
#
|
52
|
+
# * `Failed` - The access preview creation has failed.
|
53
|
+
# @return [String]
|
54
|
+
#
|
55
|
+
# @!attribute [rw] status_reason
|
56
|
+
# Provides more details about the current status of the access
|
57
|
+
# preview.
|
58
|
+
#
|
59
|
+
# For example, if the creation of the access preview fails, a `Failed`
|
60
|
+
# status is returned. This failure can be due to an internal issue
|
61
|
+
# with the analysis or due to an invalid resource configuration.
|
62
|
+
# @return [Types::AccessPreviewStatusReason]
|
63
|
+
#
|
64
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreview AWS API Documentation
|
65
|
+
#
|
66
|
+
class AccessPreview < Struct.new(
|
67
|
+
:analyzer_arn,
|
68
|
+
:configurations,
|
69
|
+
:created_at,
|
70
|
+
:id,
|
71
|
+
:status,
|
72
|
+
:status_reason)
|
73
|
+
SENSITIVE = []
|
74
|
+
include Aws::Structure
|
75
|
+
end
|
76
|
+
|
77
|
+
# An access preview finding generated by the access preview.
|
78
|
+
#
|
79
|
+
# @!attribute [rw] action
|
80
|
+
# The action in the analyzed policy statement that an external
|
81
|
+
# principal has permission to perform.
|
82
|
+
# @return [Array<String>]
|
83
|
+
#
|
84
|
+
# @!attribute [rw] change_type
|
85
|
+
# Provides context on how the access preview finding compares to
|
86
|
+
# existing access identified in Access Analyzer.
|
87
|
+
#
|
88
|
+
# * `New` - The finding is for newly-introduced access.
|
89
|
+
#
|
90
|
+
# * `Unchanged` - The preview finding is an existing finding that
|
91
|
+
# would remain unchanged.
|
92
|
+
#
|
93
|
+
# * `Changed` - The preview finding is an existing finding with a
|
94
|
+
# change in status.
|
95
|
+
#
|
96
|
+
# For example, a `Changed` finding with preview status `Resolved` and
|
97
|
+
# existing status `Active` indicates the existing `Active` finding
|
98
|
+
# would become `Resolved` as a result of the proposed permissions
|
99
|
+
# change.
|
100
|
+
# @return [String]
|
101
|
+
#
|
102
|
+
# @!attribute [rw] condition
|
103
|
+
# The condition in the analyzed policy statement that resulted in a
|
104
|
+
# finding.
|
105
|
+
# @return [Hash<String,String>]
|
106
|
+
#
|
107
|
+
# @!attribute [rw] created_at
|
108
|
+
# The time at which the access preview finding was created.
|
109
|
+
# @return [Time]
|
110
|
+
#
|
111
|
+
# @!attribute [rw] error
|
112
|
+
# An error.
|
113
|
+
# @return [String]
|
114
|
+
#
|
115
|
+
# @!attribute [rw] existing_finding_id
|
116
|
+
# The existing ID of the finding in Access Analyzer, provided only for
|
117
|
+
# existing findings.
|
118
|
+
# @return [String]
|
119
|
+
#
|
120
|
+
# @!attribute [rw] existing_finding_status
|
121
|
+
# The existing status of the finding, provided only for existing
|
122
|
+
# findings.
|
123
|
+
# @return [String]
|
124
|
+
#
|
125
|
+
# @!attribute [rw] id
|
126
|
+
# The ID of the access preview finding. This ID uniquely identifies
|
127
|
+
# the element in the list of access preview findings and is not
|
128
|
+
# related to the finding ID in Access Analyzer.
|
129
|
+
# @return [String]
|
130
|
+
#
|
131
|
+
# @!attribute [rw] is_public
|
132
|
+
# Indicates whether the policy that generated the finding allows
|
133
|
+
# public access to the resource.
|
134
|
+
# @return [Boolean]
|
135
|
+
#
|
136
|
+
# @!attribute [rw] principal
|
137
|
+
# The external principal that has access to a resource within the zone
|
138
|
+
# of trust.
|
139
|
+
# @return [Hash<String,String>]
|
140
|
+
#
|
141
|
+
# @!attribute [rw] resource
|
142
|
+
# The resource that an external principal has access to. This is the
|
143
|
+
# resource associated with the access preview.
|
144
|
+
# @return [String]
|
145
|
+
#
|
146
|
+
# @!attribute [rw] resource_owner_account
|
147
|
+
# The AWS account ID that owns the resource. For most AWS resources,
|
148
|
+
# the owning account is the account in which the resource was created.
|
149
|
+
# @return [String]
|
150
|
+
#
|
151
|
+
# @!attribute [rw] resource_type
|
152
|
+
# The type of the resource that can be accessed in the finding.
|
153
|
+
# @return [String]
|
154
|
+
#
|
155
|
+
# @!attribute [rw] sources
|
156
|
+
# The sources of the finding. This indicates how the access that
|
157
|
+
# generated the finding is granted. It is populated for Amazon S3
|
158
|
+
# bucket findings.
|
159
|
+
# @return [Array<Types::FindingSource>]
|
160
|
+
#
|
161
|
+
# @!attribute [rw] status
|
162
|
+
# The preview status of the finding. This is what the status of the
|
163
|
+
# finding would be after permissions deployment. For example, a
|
164
|
+
# `Changed` finding with preview status `Resolved` and existing status
|
165
|
+
# `Active` indicates the existing `Active` finding would become
|
166
|
+
# `Resolved` as a result of the proposed permissions change.
|
167
|
+
# @return [String]
|
168
|
+
#
|
169
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewFinding AWS API Documentation
|
170
|
+
#
|
171
|
+
class AccessPreviewFinding < Struct.new(
|
172
|
+
:action,
|
173
|
+
:change_type,
|
174
|
+
:condition,
|
175
|
+
:created_at,
|
176
|
+
:error,
|
177
|
+
:existing_finding_id,
|
178
|
+
:existing_finding_status,
|
179
|
+
:id,
|
180
|
+
:is_public,
|
181
|
+
:principal,
|
182
|
+
:resource,
|
183
|
+
:resource_owner_account,
|
184
|
+
:resource_type,
|
185
|
+
:sources,
|
186
|
+
:status)
|
187
|
+
SENSITIVE = []
|
188
|
+
include Aws::Structure
|
189
|
+
end
|
190
|
+
|
191
|
+
# Provides more details about the current status of the access preview.
|
192
|
+
# For example, if the creation of the access preview fails, a `Failed`
|
193
|
+
# status is returned. This failure can be due to an internal issue with
|
194
|
+
# the analysis or due to an invalid proposed resource configuration.
|
195
|
+
#
|
196
|
+
# @!attribute [rw] code
|
197
|
+
# The reason code for the current status of the access preview.
|
198
|
+
# @return [String]
|
199
|
+
#
|
200
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewStatusReason AWS API Documentation
|
201
|
+
#
|
202
|
+
class AccessPreviewStatusReason < Struct.new(
|
203
|
+
:code)
|
204
|
+
SENSITIVE = []
|
205
|
+
include Aws::Structure
|
206
|
+
end
|
207
|
+
|
208
|
+
# Contains a summary of information about an access preview.
|
209
|
+
#
|
210
|
+
# @!attribute [rw] analyzer_arn
|
211
|
+
# The ARN of the analyzer used to generate the access preview.
|
212
|
+
# @return [String]
|
213
|
+
#
|
214
|
+
# @!attribute [rw] created_at
|
215
|
+
# The time at which the access preview was created.
|
216
|
+
# @return [Time]
|
217
|
+
#
|
218
|
+
# @!attribute [rw] id
|
219
|
+
# The unique ID for the access preview.
|
220
|
+
# @return [String]
|
221
|
+
#
|
222
|
+
# @!attribute [rw] status
|
223
|
+
# The status of the access preview.
|
224
|
+
#
|
225
|
+
# * `Creating` - The access preview creation is in progress.
|
226
|
+
#
|
227
|
+
# * `Completed` - The access preview is complete and previews the
|
228
|
+
# findings for external access to the resource.
|
229
|
+
#
|
230
|
+
# * `Failed` - The access preview creation has failed.
|
231
|
+
# @return [String]
|
232
|
+
#
|
233
|
+
# @!attribute [rw] status_reason
|
234
|
+
# Provides more details about the current status of the access
|
235
|
+
# preview. For example, if the creation of the access preview fails, a
|
236
|
+
# `Failed` status is returned. This failure can be due to an internal
|
237
|
+
# issue with the analysis or due to an invalid proposed resource
|
238
|
+
# configuration.
|
239
|
+
# @return [Types::AccessPreviewStatusReason]
|
240
|
+
#
|
241
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewSummary AWS API Documentation
|
242
|
+
#
|
243
|
+
class AccessPreviewSummary < Struct.new(
|
244
|
+
:analyzer_arn,
|
245
|
+
:created_at,
|
246
|
+
:id,
|
247
|
+
:status,
|
248
|
+
:status_reason)
|
249
|
+
SENSITIVE = []
|
250
|
+
include Aws::Structure
|
251
|
+
end
|
252
|
+
|
253
|
+
# You specify each grantee as a type-value pair using one of these
|
254
|
+
# types. You can specify only one type of grantee. For more information,
|
255
|
+
# see [PutBucketAcl][1].
|
256
|
+
#
|
257
|
+
#
|
258
|
+
#
|
259
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html
|
260
|
+
#
|
261
|
+
# @note When making an API call, you may pass AclGrantee
|
262
|
+
# data as a hash:
|
263
|
+
#
|
264
|
+
# {
|
265
|
+
# id: "AclCanonicalId",
|
266
|
+
# uri: "AclUri",
|
267
|
+
# }
|
268
|
+
#
|
269
|
+
# @!attribute [rw] id
|
270
|
+
# The value specified is the canonical user ID of an AWS account.
|
271
|
+
# @return [String]
|
272
|
+
#
|
273
|
+
# @!attribute [rw] uri
|
274
|
+
# Used for granting permissions to a predefined group.
|
275
|
+
# @return [String]
|
276
|
+
#
|
277
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AclGrantee AWS API Documentation
|
278
|
+
#
|
279
|
+
class AclGrantee < Struct.new(
|
280
|
+
:id,
|
281
|
+
:uri)
|
282
|
+
SENSITIVE = []
|
283
|
+
include Aws::Structure
|
284
|
+
end
|
285
|
+
|
26
286
|
# Contains details about the analyzed resource.
|
27
287
|
#
|
28
288
|
# @!attribute [rw] actions
|
@@ -141,16 +401,16 @@ module Aws::AccessAnalyzer
|
|
141
401
|
# The status of the analyzer. An `Active` analyzer successfully
|
142
402
|
# monitors supported resources and generates new findings. The
|
143
403
|
# analyzer is `Disabled` when a user action, such as removing trusted
|
144
|
-
# access for IAM Access Analyzer from AWS Organizations, causes
|
145
|
-
# analyzer to stop generating new findings. The status is
|
146
|
-
# when the analyzer creation is in progress and `Failed`
|
147
|
-
# analyzer creation has failed.
|
404
|
+
# access for AWS IAM Access Analyzer from AWS Organizations, causes
|
405
|
+
# the analyzer to stop generating new findings. The status is
|
406
|
+
# `Creating` when the analyzer creation is in progress and `Failed`
|
407
|
+
# when the analyzer creation has failed.
|
148
408
|
# @return [String]
|
149
409
|
#
|
150
410
|
# @!attribute [rw] status_reason
|
151
411
|
# The `statusReason` provides more details about the current status of
|
152
412
|
# the analyzer. For example, if the creation for the analyzer fails, a
|
153
|
-
# `Failed` status is
|
413
|
+
# `Failed` status is returned. For an analyzer with organization as
|
154
414
|
# the type, this failure can be due to an issue with creating the
|
155
415
|
# service-linked roles required in the member accounts of the AWS
|
156
416
|
# organization.
|
@@ -246,6 +506,111 @@ module Aws::AccessAnalyzer
|
|
246
506
|
include Aws::Structure
|
247
507
|
end
|
248
508
|
|
509
|
+
# Access control configuration structures for your resource. You specify
|
510
|
+
# the configuration as a type-value pair. You can specify only one type
|
511
|
+
# of access control configuration.
|
512
|
+
#
|
513
|
+
# @note When making an API call, you may pass Configuration
|
514
|
+
# data as a hash:
|
515
|
+
#
|
516
|
+
# {
|
517
|
+
# iam_role: {
|
518
|
+
# trust_policy: "IamTrustPolicy",
|
519
|
+
# },
|
520
|
+
# kms_key: {
|
521
|
+
# grants: [
|
522
|
+
# {
|
523
|
+
# constraints: {
|
524
|
+
# encryption_context_equals: {
|
525
|
+
# "KmsConstraintsKey" => "KmsConstraintsValue",
|
526
|
+
# },
|
527
|
+
# encryption_context_subset: {
|
528
|
+
# "KmsConstraintsKey" => "KmsConstraintsValue",
|
529
|
+
# },
|
530
|
+
# },
|
531
|
+
# grantee_principal: "GranteePrincipal", # required
|
532
|
+
# issuing_account: "IssuingAccount", # required
|
533
|
+
# operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
|
534
|
+
# retiring_principal: "RetiringPrincipal",
|
535
|
+
# },
|
536
|
+
# ],
|
537
|
+
# key_policies: {
|
538
|
+
# "PolicyName" => "KmsKeyPolicy",
|
539
|
+
# },
|
540
|
+
# },
|
541
|
+
# s3_bucket: {
|
542
|
+
# access_points: {
|
543
|
+
# "AccessPointArn" => {
|
544
|
+
# access_point_policy: "AccessPointPolicy",
|
545
|
+
# network_origin: {
|
546
|
+
# internet_configuration: {
|
547
|
+
# },
|
548
|
+
# vpc_configuration: {
|
549
|
+
# vpc_id: "VpcId", # required
|
550
|
+
# },
|
551
|
+
# },
|
552
|
+
# public_access_block: {
|
553
|
+
# ignore_public_acls: false, # required
|
554
|
+
# restrict_public_buckets: false, # required
|
555
|
+
# },
|
556
|
+
# },
|
557
|
+
# },
|
558
|
+
# bucket_acl_grants: [
|
559
|
+
# {
|
560
|
+
# grantee: { # required
|
561
|
+
# id: "AclCanonicalId",
|
562
|
+
# uri: "AclUri",
|
563
|
+
# },
|
564
|
+
# permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
|
565
|
+
# },
|
566
|
+
# ],
|
567
|
+
# bucket_policy: "S3BucketPolicy",
|
568
|
+
# bucket_public_access_block: {
|
569
|
+
# ignore_public_acls: false, # required
|
570
|
+
# restrict_public_buckets: false, # required
|
571
|
+
# },
|
572
|
+
# },
|
573
|
+
# secrets_manager_secret: {
|
574
|
+
# kms_key_id: "SecretsManagerSecretKmsId",
|
575
|
+
# secret_policy: "SecretsManagerSecretPolicy",
|
576
|
+
# },
|
577
|
+
# sqs_queue: {
|
578
|
+
# queue_policy: "SqsQueuePolicy",
|
579
|
+
# },
|
580
|
+
# }
|
581
|
+
#
|
582
|
+
# @!attribute [rw] iam_role
|
583
|
+
# The access control configuration is for an IAM role.
|
584
|
+
# @return [Types::IamRoleConfiguration]
|
585
|
+
#
|
586
|
+
# @!attribute [rw] kms_key
|
587
|
+
# The access control configuration is for a KMS key.
|
588
|
+
# @return [Types::KmsKeyConfiguration]
|
589
|
+
#
|
590
|
+
# @!attribute [rw] s3_bucket
|
591
|
+
# The access control configuration is for an Amazon S3 Bucket.
|
592
|
+
# @return [Types::S3BucketConfiguration]
|
593
|
+
#
|
594
|
+
# @!attribute [rw] secrets_manager_secret
|
595
|
+
# The access control configuration is for a Secrets Manager secret.
|
596
|
+
# @return [Types::SecretsManagerSecretConfiguration]
|
597
|
+
#
|
598
|
+
# @!attribute [rw] sqs_queue
|
599
|
+
# The access control configuration is for an SQS queue.
|
600
|
+
# @return [Types::SqsQueueConfiguration]
|
601
|
+
#
|
602
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Configuration AWS API Documentation
|
603
|
+
#
|
604
|
+
class Configuration < Struct.new(
|
605
|
+
:iam_role,
|
606
|
+
:kms_key,
|
607
|
+
:s3_bucket,
|
608
|
+
:secrets_manager_secret,
|
609
|
+
:sqs_queue)
|
610
|
+
SENSITIVE = []
|
611
|
+
include Aws::Structure
|
612
|
+
end
|
613
|
+
|
249
614
|
# A conflict exception error.
|
250
615
|
#
|
251
616
|
# @!attribute [rw] message
|
@@ -269,6 +634,128 @@ module Aws::AccessAnalyzer
|
|
269
634
|
include Aws::Structure
|
270
635
|
end
|
271
636
|
|
637
|
+
# @note When making an API call, you may pass CreateAccessPreviewRequest
|
638
|
+
# data as a hash:
|
639
|
+
#
|
640
|
+
# {
|
641
|
+
# analyzer_arn: "AnalyzerArn", # required
|
642
|
+
# client_token: "String",
|
643
|
+
# configurations: { # required
|
644
|
+
# "ConfigurationsMapKey" => {
|
645
|
+
# iam_role: {
|
646
|
+
# trust_policy: "IamTrustPolicy",
|
647
|
+
# },
|
648
|
+
# kms_key: {
|
649
|
+
# grants: [
|
650
|
+
# {
|
651
|
+
# constraints: {
|
652
|
+
# encryption_context_equals: {
|
653
|
+
# "KmsConstraintsKey" => "KmsConstraintsValue",
|
654
|
+
# },
|
655
|
+
# encryption_context_subset: {
|
656
|
+
# "KmsConstraintsKey" => "KmsConstraintsValue",
|
657
|
+
# },
|
658
|
+
# },
|
659
|
+
# grantee_principal: "GranteePrincipal", # required
|
660
|
+
# issuing_account: "IssuingAccount", # required
|
661
|
+
# operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
|
662
|
+
# retiring_principal: "RetiringPrincipal",
|
663
|
+
# },
|
664
|
+
# ],
|
665
|
+
# key_policies: {
|
666
|
+
# "PolicyName" => "KmsKeyPolicy",
|
667
|
+
# },
|
668
|
+
# },
|
669
|
+
# s3_bucket: {
|
670
|
+
# access_points: {
|
671
|
+
# "AccessPointArn" => {
|
672
|
+
# access_point_policy: "AccessPointPolicy",
|
673
|
+
# network_origin: {
|
674
|
+
# internet_configuration: {
|
675
|
+
# },
|
676
|
+
# vpc_configuration: {
|
677
|
+
# vpc_id: "VpcId", # required
|
678
|
+
# },
|
679
|
+
# },
|
680
|
+
# public_access_block: {
|
681
|
+
# ignore_public_acls: false, # required
|
682
|
+
# restrict_public_buckets: false, # required
|
683
|
+
# },
|
684
|
+
# },
|
685
|
+
# },
|
686
|
+
# bucket_acl_grants: [
|
687
|
+
# {
|
688
|
+
# grantee: { # required
|
689
|
+
# id: "AclCanonicalId",
|
690
|
+
# uri: "AclUri",
|
691
|
+
# },
|
692
|
+
# permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
|
693
|
+
# },
|
694
|
+
# ],
|
695
|
+
# bucket_policy: "S3BucketPolicy",
|
696
|
+
# bucket_public_access_block: {
|
697
|
+
# ignore_public_acls: false, # required
|
698
|
+
# restrict_public_buckets: false, # required
|
699
|
+
# },
|
700
|
+
# },
|
701
|
+
# secrets_manager_secret: {
|
702
|
+
# kms_key_id: "SecretsManagerSecretKmsId",
|
703
|
+
# secret_policy: "SecretsManagerSecretPolicy",
|
704
|
+
# },
|
705
|
+
# sqs_queue: {
|
706
|
+
# queue_policy: "SqsQueuePolicy",
|
707
|
+
# },
|
708
|
+
# },
|
709
|
+
# },
|
710
|
+
# }
|
711
|
+
#
|
712
|
+
# @!attribute [rw] analyzer_arn
|
713
|
+
# The [ARN of the account analyzer][1] used to generate the access
|
714
|
+
# preview. You can only create an access preview for analyzers with an
|
715
|
+
# `Account` type and `Active` status.
|
716
|
+
#
|
717
|
+
#
|
718
|
+
#
|
719
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
|
720
|
+
# @return [String]
|
721
|
+
#
|
722
|
+
# @!attribute [rw] client_token
|
723
|
+
# A client token.
|
724
|
+
#
|
725
|
+
# **A suitable default value is auto-generated.** You should normally
|
726
|
+
# not need to pass this option.
|
727
|
+
# @return [String]
|
728
|
+
#
|
729
|
+
# @!attribute [rw] configurations
|
730
|
+
# Access control configuration for your resource that is used to
|
731
|
+
# generate the access preview. The access preview includes findings
|
732
|
+
# for external access allowed to the resource with the proposed access
|
733
|
+
# control configuration. The configuration must contain exactly one
|
734
|
+
# element.
|
735
|
+
# @return [Hash<String,Types::Configuration>]
|
736
|
+
#
|
737
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewRequest AWS API Documentation
|
738
|
+
#
|
739
|
+
class CreateAccessPreviewRequest < Struct.new(
|
740
|
+
:analyzer_arn,
|
741
|
+
:client_token,
|
742
|
+
:configurations)
|
743
|
+
SENSITIVE = []
|
744
|
+
include Aws::Structure
|
745
|
+
end
|
746
|
+
|
747
|
+
# @!attribute [rw] id
|
748
|
+
# The unique ID for the access preview.
|
749
|
+
# @return [String]
|
750
|
+
#
|
751
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewResponse AWS API Documentation
|
752
|
+
#
|
753
|
+
class CreateAccessPreviewResponse < Struct.new(
|
754
|
+
:id)
|
755
|
+
SENSITIVE = []
|
756
|
+
include Aws::Structure
|
757
|
+
end
|
758
|
+
|
272
759
|
# Creates an analyzer.
|
273
760
|
#
|
274
761
|
# @note When making an API call, you may pass CreateAnalyzerRequest
|
@@ -318,8 +805,10 @@ module Aws::AccessAnalyzer
|
|
318
805
|
# @return [Hash<String,String>]
|
319
806
|
#
|
320
807
|
# @!attribute [rw] type
|
321
|
-
# The type of analyzer to create. Only ACCOUNT
|
322
|
-
# supported. You can create only one analyzer per
|
808
|
+
# The type of analyzer to create. Only ACCOUNT and ORGANIZATION
|
809
|
+
# analyzers are supported. You can create only one analyzer per
|
810
|
+
# account per Region. You can create up to 5 analyzers per
|
811
|
+
# organization per Region.
|
323
812
|
# @return [String]
|
324
813
|
#
|
325
814
|
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerRequest AWS API Documentation
|
@@ -554,7 +1043,7 @@ module Aws::AccessAnalyzer
|
|
554
1043
|
# @return [String]
|
555
1044
|
#
|
556
1045
|
# @!attribute [rw] resource_type
|
557
|
-
# The type of the resource
|
1046
|
+
# The type of the resource identified in the finding.
|
558
1047
|
# @return [String]
|
559
1048
|
#
|
560
1049
|
# @!attribute [rw] sources
|
@@ -715,37 +1204,82 @@ module Aws::AccessAnalyzer
|
|
715
1204
|
include Aws::Structure
|
716
1205
|
end
|
717
1206
|
|
718
|
-
#
|
719
|
-
#
|
720
|
-
# @note When making an API call, you may pass GetAnalyzedResourceRequest
|
1207
|
+
# @note When making an API call, you may pass GetAccessPreviewRequest
|
721
1208
|
# data as a hash:
|
722
1209
|
#
|
723
1210
|
# {
|
1211
|
+
# access_preview_id: "AccessPreviewId", # required
|
724
1212
|
# analyzer_arn: "AnalyzerArn", # required
|
725
|
-
# resource_arn: "ResourceArn", # required
|
726
1213
|
# }
|
727
1214
|
#
|
728
|
-
# @!attribute [rw]
|
729
|
-
# The
|
1215
|
+
# @!attribute [rw] access_preview_id
|
1216
|
+
# The unique ID for the access preview.
|
730
1217
|
# @return [String]
|
731
1218
|
#
|
732
|
-
# @!attribute [rw]
|
733
|
-
# The ARN of the
|
1219
|
+
# @!attribute [rw] analyzer_arn
|
1220
|
+
# The [ARN of the analyzer][1] used to generate the access preview.
|
1221
|
+
#
|
1222
|
+
#
|
1223
|
+
#
|
1224
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
|
734
1225
|
# @return [String]
|
735
1226
|
#
|
736
|
-
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/
|
1227
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAccessPreviewRequest AWS API Documentation
|
737
1228
|
#
|
738
|
-
class
|
739
|
-
:
|
740
|
-
:
|
1229
|
+
class GetAccessPreviewRequest < Struct.new(
|
1230
|
+
:access_preview_id,
|
1231
|
+
:analyzer_arn)
|
741
1232
|
SENSITIVE = []
|
742
1233
|
include Aws::Structure
|
743
1234
|
end
|
744
1235
|
|
745
|
-
#
|
1236
|
+
# @!attribute [rw] access_preview
|
1237
|
+
# An object that contains information about the access preview.
|
1238
|
+
# @return [Types::AccessPreview]
|
746
1239
|
#
|
747
|
-
#
|
748
|
-
#
|
1240
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAccessPreviewResponse AWS API Documentation
|
1241
|
+
#
|
1242
|
+
class GetAccessPreviewResponse < Struct.new(
|
1243
|
+
:access_preview)
|
1244
|
+
SENSITIVE = []
|
1245
|
+
include Aws::Structure
|
1246
|
+
end
|
1247
|
+
|
1248
|
+
# Retrieves an analyzed resource.
|
1249
|
+
#
|
1250
|
+
# @note When making an API call, you may pass GetAnalyzedResourceRequest
|
1251
|
+
# data as a hash:
|
1252
|
+
#
|
1253
|
+
# {
|
1254
|
+
# analyzer_arn: "AnalyzerArn", # required
|
1255
|
+
# resource_arn: "ResourceArn", # required
|
1256
|
+
# }
|
1257
|
+
#
|
1258
|
+
# @!attribute [rw] analyzer_arn
|
1259
|
+
# The [ARN of the analyzer][1] to retrieve information from.
|
1260
|
+
#
|
1261
|
+
#
|
1262
|
+
#
|
1263
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
|
1264
|
+
# @return [String]
|
1265
|
+
#
|
1266
|
+
# @!attribute [rw] resource_arn
|
1267
|
+
# The ARN of the resource to retrieve information about.
|
1268
|
+
# @return [String]
|
1269
|
+
#
|
1270
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAnalyzedResourceRequest AWS API Documentation
|
1271
|
+
#
|
1272
|
+
class GetAnalyzedResourceRequest < Struct.new(
|
1273
|
+
:analyzer_arn,
|
1274
|
+
:resource_arn)
|
1275
|
+
SENSITIVE = []
|
1276
|
+
include Aws::Structure
|
1277
|
+
end
|
1278
|
+
|
1279
|
+
# The response to the request.
|
1280
|
+
#
|
1281
|
+
# @!attribute [rw] resource
|
1282
|
+
# An `AnalyzedResource` object that contains information that Access
|
749
1283
|
# Analyzer found when it analyzed the resource.
|
750
1284
|
# @return [Types::AnalyzedResource]
|
751
1285
|
#
|
@@ -845,7 +1379,11 @@ module Aws::AccessAnalyzer
|
|
845
1379
|
# }
|
846
1380
|
#
|
847
1381
|
# @!attribute [rw] analyzer_arn
|
848
|
-
# The ARN of the analyzer that generated the finding.
|
1382
|
+
# The [ARN of the analyzer][1] that generated the finding.
|
1383
|
+
#
|
1384
|
+
#
|
1385
|
+
#
|
1386
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
|
849
1387
|
# @return [String]
|
850
1388
|
#
|
851
1389
|
# @!attribute [rw] id
|
@@ -875,6 +1413,39 @@ module Aws::AccessAnalyzer
|
|
875
1413
|
include Aws::Structure
|
876
1414
|
end
|
877
1415
|
|
1416
|
+
# The proposed access control configuration for an IAM role. You can
|
1417
|
+
# propose a configuration for a new IAM role or an existing IAM role
|
1418
|
+
# that you own by specifying the trust policy. If the configuration is
|
1419
|
+
# for a new IAM role, you must specify the trust policy. If the
|
1420
|
+
# configuration is for an existing IAM role that you own and you do not
|
1421
|
+
# propose the trust policy, the access preview uses the existing trust
|
1422
|
+
# policy for the role. The proposed trust policy cannot be an empty
|
1423
|
+
# string. For more information about role trust policy limits, see [IAM
|
1424
|
+
# and STS quotas][1].
|
1425
|
+
#
|
1426
|
+
#
|
1427
|
+
#
|
1428
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
|
1429
|
+
#
|
1430
|
+
# @note When making an API call, you may pass IamRoleConfiguration
|
1431
|
+
# data as a hash:
|
1432
|
+
#
|
1433
|
+
# {
|
1434
|
+
# trust_policy: "IamTrustPolicy",
|
1435
|
+
# }
|
1436
|
+
#
|
1437
|
+
# @!attribute [rw] trust_policy
|
1438
|
+
# The proposed trust policy for the IAM role.
|
1439
|
+
# @return [String]
|
1440
|
+
#
|
1441
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/IamRoleConfiguration AWS API Documentation
|
1442
|
+
#
|
1443
|
+
class IamRoleConfiguration < Struct.new(
|
1444
|
+
:trust_policy)
|
1445
|
+
SENSITIVE = []
|
1446
|
+
include Aws::Structure
|
1447
|
+
end
|
1448
|
+
|
878
1449
|
# An criterion statement in an archive rule. Each archive rule may have
|
879
1450
|
# multiple criteria.
|
880
1451
|
#
|
@@ -928,6 +1499,337 @@ module Aws::AccessAnalyzer
|
|
928
1499
|
include Aws::Structure
|
929
1500
|
end
|
930
1501
|
|
1502
|
+
# This configuration sets the Amazon S3 access point network origin to
|
1503
|
+
# `Internet`.
|
1504
|
+
#
|
1505
|
+
# @api private
|
1506
|
+
#
|
1507
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InternetConfiguration AWS API Documentation
|
1508
|
+
#
|
1509
|
+
class InternetConfiguration < Aws::EmptyStructure; end
|
1510
|
+
|
1511
|
+
# A proposed grant configuration for a KMS key. For more information,
|
1512
|
+
# see [CreateGrant][1].
|
1513
|
+
#
|
1514
|
+
#
|
1515
|
+
#
|
1516
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html
|
1517
|
+
#
|
1518
|
+
# @note When making an API call, you may pass KmsGrantConfiguration
|
1519
|
+
# data as a hash:
|
1520
|
+
#
|
1521
|
+
# {
|
1522
|
+
# constraints: {
|
1523
|
+
# encryption_context_equals: {
|
1524
|
+
# "KmsConstraintsKey" => "KmsConstraintsValue",
|
1525
|
+
# },
|
1526
|
+
# encryption_context_subset: {
|
1527
|
+
# "KmsConstraintsKey" => "KmsConstraintsValue",
|
1528
|
+
# },
|
1529
|
+
# },
|
1530
|
+
# grantee_principal: "GranteePrincipal", # required
|
1531
|
+
# issuing_account: "IssuingAccount", # required
|
1532
|
+
# operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
|
1533
|
+
# retiring_principal: "RetiringPrincipal",
|
1534
|
+
# }
|
1535
|
+
#
|
1536
|
+
# @!attribute [rw] constraints
|
1537
|
+
# Use this structure to propose allowing [cryptographic operations][1]
|
1538
|
+
# in the grant only when the operation request includes the specified
|
1539
|
+
# [encryption context][2].
|
1540
|
+
#
|
1541
|
+
#
|
1542
|
+
#
|
1543
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1544
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
1545
|
+
# @return [Types::KmsGrantConstraints]
|
1546
|
+
#
|
1547
|
+
# @!attribute [rw] grantee_principal
|
1548
|
+
# The principal that is given permission to perform the operations
|
1549
|
+
# that the grant permits.
|
1550
|
+
# @return [String]
|
1551
|
+
#
|
1552
|
+
# @!attribute [rw] issuing_account
|
1553
|
+
# The AWS account under which the grant was issued. The account is
|
1554
|
+
# used to propose KMS grants issued by accounts other than the owner
|
1555
|
+
# of the key.
|
1556
|
+
# @return [String]
|
1557
|
+
#
|
1558
|
+
# @!attribute [rw] operations
|
1559
|
+
# A list of operations that the grant permits.
|
1560
|
+
# @return [Array<String>]
|
1561
|
+
#
|
1562
|
+
# @!attribute [rw] retiring_principal
|
1563
|
+
# The principal that is given permission to retire the grant by using
|
1564
|
+
# [RetireGrant][1] operation.
|
1565
|
+
#
|
1566
|
+
#
|
1567
|
+
#
|
1568
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html
|
1569
|
+
# @return [String]
|
1570
|
+
#
|
1571
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConfiguration AWS API Documentation
|
1572
|
+
#
|
1573
|
+
class KmsGrantConfiguration < Struct.new(
|
1574
|
+
:constraints,
|
1575
|
+
:grantee_principal,
|
1576
|
+
:issuing_account,
|
1577
|
+
:operations,
|
1578
|
+
:retiring_principal)
|
1579
|
+
SENSITIVE = []
|
1580
|
+
include Aws::Structure
|
1581
|
+
end
|
1582
|
+
|
1583
|
+
# Use this structure to propose allowing [cryptographic operations][1]
|
1584
|
+
# in the grant only when the operation request includes the specified
|
1585
|
+
# [encryption context][2]. You can specify only one type of encryption
|
1586
|
+
# context. An empty map is treated as not specified. For more
|
1587
|
+
# information, see [GrantConstraints][3].
|
1588
|
+
#
|
1589
|
+
#
|
1590
|
+
#
|
1591
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1592
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
|
1593
|
+
# [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html
|
1594
|
+
#
|
1595
|
+
# @note When making an API call, you may pass KmsGrantConstraints
|
1596
|
+
# data as a hash:
|
1597
|
+
#
|
1598
|
+
# {
|
1599
|
+
# encryption_context_equals: {
|
1600
|
+
# "KmsConstraintsKey" => "KmsConstraintsValue",
|
1601
|
+
# },
|
1602
|
+
# encryption_context_subset: {
|
1603
|
+
# "KmsConstraintsKey" => "KmsConstraintsValue",
|
1604
|
+
# },
|
1605
|
+
# }
|
1606
|
+
#
|
1607
|
+
# @!attribute [rw] encryption_context_equals
|
1608
|
+
# A list of key-value pairs that must match the encryption context in
|
1609
|
+
# the [cryptographic operation][1] request. The grant allows the
|
1610
|
+
# operation only when the encryption context in the request is the
|
1611
|
+
# same as the encryption context specified in this constraint.
|
1612
|
+
#
|
1613
|
+
#
|
1614
|
+
#
|
1615
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1616
|
+
# @return [Hash<String,String>]
|
1617
|
+
#
|
1618
|
+
# @!attribute [rw] encryption_context_subset
|
1619
|
+
# A list of key-value pairs that must be included in the encryption
|
1620
|
+
# context of the [cryptographic operation][1] request. The grant
|
1621
|
+
# allows the cryptographic operation only when the encryption context
|
1622
|
+
# in the request includes the key-value pairs specified in this
|
1623
|
+
# constraint, although it can include additional key-value pairs.
|
1624
|
+
#
|
1625
|
+
#
|
1626
|
+
#
|
1627
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
|
1628
|
+
# @return [Hash<String,String>]
|
1629
|
+
#
|
1630
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConstraints AWS API Documentation
|
1631
|
+
#
|
1632
|
+
class KmsGrantConstraints < Struct.new(
|
1633
|
+
:encryption_context_equals,
|
1634
|
+
:encryption_context_subset)
|
1635
|
+
SENSITIVE = []
|
1636
|
+
include Aws::Structure
|
1637
|
+
end
|
1638
|
+
|
1639
|
+
# Proposed access control configuration for a KMS key. You can propose a
|
1640
|
+
# configuration for a new KMS key or an existing KMS key that you own by
|
1641
|
+
# specifying the key policy and KMS grant configuration. If the
|
1642
|
+
# configuration is for an existing key and you do not specify the key
|
1643
|
+
# policy, the access preview uses the existing policy for the key. If
|
1644
|
+
# the access preview is for a new resource and you do not specify the
|
1645
|
+
# key policy, then the access preview uses the default key policy. The
|
1646
|
+
# proposed key policy cannot be an empty string. For more information,
|
1647
|
+
# see [Default key policy][1]. For more information about key policy
|
1648
|
+
# limits, see [Resource quotas][2].
|
1649
|
+
#
|
1650
|
+
#
|
1651
|
+
#
|
1652
|
+
#
|
1653
|
+
#
|
1654
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
1655
|
+
# [2]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
|
1656
|
+
#
|
1657
|
+
# @note When making an API call, you may pass KmsKeyConfiguration
|
1658
|
+
# data as a hash:
|
1659
|
+
#
|
1660
|
+
# {
|
1661
|
+
# grants: [
|
1662
|
+
# {
|
1663
|
+
# constraints: {
|
1664
|
+
# encryption_context_equals: {
|
1665
|
+
# "KmsConstraintsKey" => "KmsConstraintsValue",
|
1666
|
+
# },
|
1667
|
+
# encryption_context_subset: {
|
1668
|
+
# "KmsConstraintsKey" => "KmsConstraintsValue",
|
1669
|
+
# },
|
1670
|
+
# },
|
1671
|
+
# grantee_principal: "GranteePrincipal", # required
|
1672
|
+
# issuing_account: "IssuingAccount", # required
|
1673
|
+
# operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
|
1674
|
+
# retiring_principal: "RetiringPrincipal",
|
1675
|
+
# },
|
1676
|
+
# ],
|
1677
|
+
# key_policies: {
|
1678
|
+
# "PolicyName" => "KmsKeyPolicy",
|
1679
|
+
# },
|
1680
|
+
# }
|
1681
|
+
#
|
1682
|
+
# @!attribute [rw] grants
|
1683
|
+
# A list of proposed grant configurations for the KMS key. If the
|
1684
|
+
# proposed grant configuration is for an existing key, the access
|
1685
|
+
# preview uses the proposed list of grant configurations in place of
|
1686
|
+
# the existing grants. Otherwise, the access preview uses the existing
|
1687
|
+
# grants for the key.
|
1688
|
+
# @return [Array<Types::KmsGrantConfiguration>]
|
1689
|
+
#
|
1690
|
+
# @!attribute [rw] key_policies
|
1691
|
+
# Resource policy configuration for the KMS key. The only valid value
|
1692
|
+
# for the name of the key policy is `default`. For more information,
|
1693
|
+
# see [Default key policy][1].
|
1694
|
+
#
|
1695
|
+
#
|
1696
|
+
#
|
1697
|
+
# [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
1698
|
+
# @return [Hash<String,String>]
|
1699
|
+
#
|
1700
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsKeyConfiguration AWS API Documentation
|
1701
|
+
#
|
1702
|
+
class KmsKeyConfiguration < Struct.new(
|
1703
|
+
:grants,
|
1704
|
+
:key_policies)
|
1705
|
+
SENSITIVE = []
|
1706
|
+
include Aws::Structure
|
1707
|
+
end
|
1708
|
+
|
1709
|
+
# @note When making an API call, you may pass ListAccessPreviewFindingsRequest
|
1710
|
+
# data as a hash:
|
1711
|
+
#
|
1712
|
+
# {
|
1713
|
+
# access_preview_id: "AccessPreviewId", # required
|
1714
|
+
# analyzer_arn: "AnalyzerArn", # required
|
1715
|
+
# filter: {
|
1716
|
+
# "String" => {
|
1717
|
+
# contains: ["String"],
|
1718
|
+
# eq: ["String"],
|
1719
|
+
# exists: false,
|
1720
|
+
# neq: ["String"],
|
1721
|
+
# },
|
1722
|
+
# },
|
1723
|
+
# max_results: 1,
|
1724
|
+
# next_token: "Token",
|
1725
|
+
# }
|
1726
|
+
#
|
1727
|
+
# @!attribute [rw] access_preview_id
|
1728
|
+
# The unique ID for the access preview.
|
1729
|
+
# @return [String]
|
1730
|
+
#
|
1731
|
+
# @!attribute [rw] analyzer_arn
|
1732
|
+
# The [ARN of the analyzer][1] used to generate the access.
|
1733
|
+
#
|
1734
|
+
#
|
1735
|
+
#
|
1736
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
|
1737
|
+
# @return [String]
|
1738
|
+
#
|
1739
|
+
# @!attribute [rw] filter
|
1740
|
+
# Criteria to filter the returned findings.
|
1741
|
+
# @return [Hash<String,Types::Criterion>]
|
1742
|
+
#
|
1743
|
+
# @!attribute [rw] max_results
|
1744
|
+
# The maximum number of results to return in the response.
|
1745
|
+
# @return [Integer]
|
1746
|
+
#
|
1747
|
+
# @!attribute [rw] next_token
|
1748
|
+
# A token used for pagination of results returned.
|
1749
|
+
# @return [String]
|
1750
|
+
#
|
1751
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsRequest AWS API Documentation
|
1752
|
+
#
|
1753
|
+
class ListAccessPreviewFindingsRequest < Struct.new(
|
1754
|
+
:access_preview_id,
|
1755
|
+
:analyzer_arn,
|
1756
|
+
:filter,
|
1757
|
+
:max_results,
|
1758
|
+
:next_token)
|
1759
|
+
SENSITIVE = []
|
1760
|
+
include Aws::Structure
|
1761
|
+
end
|
1762
|
+
|
1763
|
+
# @!attribute [rw] findings
|
1764
|
+
# A list of access preview findings that match the specified filter
|
1765
|
+
# criteria.
|
1766
|
+
# @return [Array<Types::AccessPreviewFinding>]
|
1767
|
+
#
|
1768
|
+
# @!attribute [rw] next_token
|
1769
|
+
# A token used for pagination of results returned.
|
1770
|
+
# @return [String]
|
1771
|
+
#
|
1772
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsResponse AWS API Documentation
|
1773
|
+
#
|
1774
|
+
class ListAccessPreviewFindingsResponse < Struct.new(
|
1775
|
+
:findings,
|
1776
|
+
:next_token)
|
1777
|
+
SENSITIVE = []
|
1778
|
+
include Aws::Structure
|
1779
|
+
end
|
1780
|
+
|
1781
|
+
# @note When making an API call, you may pass ListAccessPreviewsRequest
|
1782
|
+
# data as a hash:
|
1783
|
+
#
|
1784
|
+
# {
|
1785
|
+
# analyzer_arn: "AnalyzerArn", # required
|
1786
|
+
# max_results: 1,
|
1787
|
+
# next_token: "Token",
|
1788
|
+
# }
|
1789
|
+
#
|
1790
|
+
# @!attribute [rw] analyzer_arn
|
1791
|
+
# The [ARN of the analyzer][1] used to generate the access preview.
|
1792
|
+
#
|
1793
|
+
#
|
1794
|
+
#
|
1795
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
|
1796
|
+
# @return [String]
|
1797
|
+
#
|
1798
|
+
# @!attribute [rw] max_results
|
1799
|
+
# The maximum number of results to return in the response.
|
1800
|
+
# @return [Integer]
|
1801
|
+
#
|
1802
|
+
# @!attribute [rw] next_token
|
1803
|
+
# A token used for pagination of results returned.
|
1804
|
+
# @return [String]
|
1805
|
+
#
|
1806
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsRequest AWS API Documentation
|
1807
|
+
#
|
1808
|
+
class ListAccessPreviewsRequest < Struct.new(
|
1809
|
+
:analyzer_arn,
|
1810
|
+
:max_results,
|
1811
|
+
:next_token)
|
1812
|
+
SENSITIVE = []
|
1813
|
+
include Aws::Structure
|
1814
|
+
end
|
1815
|
+
|
1816
|
+
# @!attribute [rw] access_previews
|
1817
|
+
# A list of access previews retrieved for the analyzer.
|
1818
|
+
# @return [Array<Types::AccessPreviewSummary>]
|
1819
|
+
#
|
1820
|
+
# @!attribute [rw] next_token
|
1821
|
+
# A token used for pagination of results returned.
|
1822
|
+
# @return [String]
|
1823
|
+
#
|
1824
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsResponse AWS API Documentation
|
1825
|
+
#
|
1826
|
+
class ListAccessPreviewsResponse < Struct.new(
|
1827
|
+
:access_previews,
|
1828
|
+
:next_token)
|
1829
|
+
SENSITIVE = []
|
1830
|
+
include Aws::Structure
|
1831
|
+
end
|
1832
|
+
|
931
1833
|
# Retrieves a list of resources that have been analyzed.
|
932
1834
|
#
|
933
1835
|
# @note When making an API call, you may pass ListAnalyzedResourcesRequest
|
@@ -937,12 +1839,16 @@ module Aws::AccessAnalyzer
|
|
937
1839
|
# analyzer_arn: "AnalyzerArn", # required
|
938
1840
|
# max_results: 1,
|
939
1841
|
# next_token: "Token",
|
940
|
-
# resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key
|
1842
|
+
# resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key, AWS::SecretsManager::Secret
|
941
1843
|
# }
|
942
1844
|
#
|
943
1845
|
# @!attribute [rw] analyzer_arn
|
944
|
-
# The ARN of the analyzer to retrieve a list of analyzed
|
945
|
-
# from.
|
1846
|
+
# The [ARN of the analyzer][1] to retrieve a list of analyzed
|
1847
|
+
# resources from.
|
1848
|
+
#
|
1849
|
+
#
|
1850
|
+
#
|
1851
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
|
946
1852
|
# @return [String]
|
947
1853
|
#
|
948
1854
|
# @!attribute [rw] max_results
|
@@ -1115,7 +2021,11 @@ module Aws::AccessAnalyzer
|
|
1115
2021
|
# }
|
1116
2022
|
#
|
1117
2023
|
# @!attribute [rw] analyzer_arn
|
1118
|
-
# The ARN of the analyzer to retrieve findings from.
|
2024
|
+
# The [ARN of the analyzer][1] to retrieve findings from.
|
2025
|
+
#
|
2026
|
+
#
|
2027
|
+
#
|
2028
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
|
1119
2029
|
# @return [String]
|
1120
2030
|
#
|
1121
2031
|
# @!attribute [rw] filter
|
@@ -1201,13 +2111,134 @@ module Aws::AccessAnalyzer
|
|
1201
2111
|
include Aws::Structure
|
1202
2112
|
end
|
1203
2113
|
|
1204
|
-
#
|
2114
|
+
# A location in a policy that is represented as a path through the JSON
|
2115
|
+
# representation and a corresponding span.
|
1205
2116
|
#
|
1206
|
-
# @!attribute [rw]
|
1207
|
-
#
|
2117
|
+
# @!attribute [rw] path
|
2118
|
+
# A path in a policy, represented as a sequence of path elements.
|
2119
|
+
# @return [Array<Types::PathElement>]
|
1208
2120
|
#
|
1209
|
-
# @!attribute [rw]
|
1210
|
-
#
|
2121
|
+
# @!attribute [rw] span
|
2122
|
+
# A span in a policy.
|
2123
|
+
# @return [Types::Span]
|
2124
|
+
#
|
2125
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Location AWS API Documentation
|
2126
|
+
#
|
2127
|
+
class Location < Struct.new(
|
2128
|
+
:path,
|
2129
|
+
:span)
|
2130
|
+
SENSITIVE = []
|
2131
|
+
include Aws::Structure
|
2132
|
+
end
|
2133
|
+
|
2134
|
+
# The proposed `InternetConfiguration` or `VpcConfiguration` to apply to
|
2135
|
+
# the Amazon S3 Access point. You can make the access point accessible
|
2136
|
+
# from the internet, or you can specify that all requests made through
|
2137
|
+
# that access point must originate from a specific virtual private cloud
|
2138
|
+
# (VPC). You can specify only one type of network configuration. For
|
2139
|
+
# more information, see [Creating access points][1].
|
2140
|
+
#
|
2141
|
+
#
|
2142
|
+
#
|
2143
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
|
2144
|
+
#
|
2145
|
+
# @note When making an API call, you may pass NetworkOriginConfiguration
|
2146
|
+
# data as a hash:
|
2147
|
+
#
|
2148
|
+
# {
|
2149
|
+
# internet_configuration: {
|
2150
|
+
# },
|
2151
|
+
# vpc_configuration: {
|
2152
|
+
# vpc_id: "VpcId", # required
|
2153
|
+
# },
|
2154
|
+
# }
|
2155
|
+
#
|
2156
|
+
# @!attribute [rw] internet_configuration
|
2157
|
+
# The configuration for the Amazon S3 access point with an `Internet`
|
2158
|
+
# origin.
|
2159
|
+
# @return [Types::InternetConfiguration]
|
2160
|
+
#
|
2161
|
+
# @!attribute [rw] vpc_configuration
|
2162
|
+
# The proposed virtual private cloud (VPC) configuration for the
|
2163
|
+
# Amazon S3 access point. For more information, see
|
2164
|
+
# [VpcConfiguration][1].
|
2165
|
+
#
|
2166
|
+
#
|
2167
|
+
#
|
2168
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
|
2169
|
+
# @return [Types::VpcConfiguration]
|
2170
|
+
#
|
2171
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/NetworkOriginConfiguration AWS API Documentation
|
2172
|
+
#
|
2173
|
+
class NetworkOriginConfiguration < Struct.new(
|
2174
|
+
:internet_configuration,
|
2175
|
+
:vpc_configuration)
|
2176
|
+
SENSITIVE = []
|
2177
|
+
include Aws::Structure
|
2178
|
+
end
|
2179
|
+
|
2180
|
+
# A single element in a path through the JSON representation of a
|
2181
|
+
# policy.
|
2182
|
+
#
|
2183
|
+
# @!attribute [rw] index
|
2184
|
+
# Refers to an index in a JSON array.
|
2185
|
+
# @return [Integer]
|
2186
|
+
#
|
2187
|
+
# @!attribute [rw] key
|
2188
|
+
# Refers to a key in a JSON object.
|
2189
|
+
# @return [String]
|
2190
|
+
#
|
2191
|
+
# @!attribute [rw] substring
|
2192
|
+
# Refers to a substring of a literal string in a JSON object.
|
2193
|
+
# @return [Types::Substring]
|
2194
|
+
#
|
2195
|
+
# @!attribute [rw] value
|
2196
|
+
# Refers to the value associated with a given key in a JSON object.
|
2197
|
+
# @return [String]
|
2198
|
+
#
|
2199
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PathElement AWS API Documentation
|
2200
|
+
#
|
2201
|
+
class PathElement < Struct.new(
|
2202
|
+
:index,
|
2203
|
+
:key,
|
2204
|
+
:substring,
|
2205
|
+
:value)
|
2206
|
+
SENSITIVE = []
|
2207
|
+
include Aws::Structure
|
2208
|
+
end
|
2209
|
+
|
2210
|
+
# A position in a policy.
|
2211
|
+
#
|
2212
|
+
# @!attribute [rw] column
|
2213
|
+
# The column of the position, starting from 0.
|
2214
|
+
# @return [Integer]
|
2215
|
+
#
|
2216
|
+
# @!attribute [rw] line
|
2217
|
+
# The line of the position, starting from 1.
|
2218
|
+
# @return [Integer]
|
2219
|
+
#
|
2220
|
+
# @!attribute [rw] offset
|
2221
|
+
# The offset within the policy that corresponds to the position,
|
2222
|
+
# starting from 0.
|
2223
|
+
# @return [Integer]
|
2224
|
+
#
|
2225
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Position AWS API Documentation
|
2226
|
+
#
|
2227
|
+
class Position < Struct.new(
|
2228
|
+
:column,
|
2229
|
+
:line,
|
2230
|
+
:offset)
|
2231
|
+
SENSITIVE = []
|
2232
|
+
include Aws::Structure
|
2233
|
+
end
|
2234
|
+
|
2235
|
+
# The specified resource could not be found.
|
2236
|
+
#
|
2237
|
+
# @!attribute [rw] message
|
2238
|
+
# @return [String]
|
2239
|
+
#
|
2240
|
+
# @!attribute [rw] resource_id
|
2241
|
+
# The ID of the resource.
|
1211
2242
|
# @return [String]
|
1212
2243
|
#
|
1213
2244
|
# @!attribute [rw] resource_type
|
@@ -1224,6 +2255,278 @@ module Aws::AccessAnalyzer
|
|
1224
2255
|
include Aws::Structure
|
1225
2256
|
end
|
1226
2257
|
|
2258
|
+
# The configuration for an Amazon S3 access point for the bucket. You
|
2259
|
+
# can propose up to 10 access points per bucket. If the proposed Amazon
|
2260
|
+
# S3 access point configuration is for an existing bucket, the access
|
2261
|
+
# preview uses the proposed access point configuration in place of the
|
2262
|
+
# existing access points. To propose an access point without a policy,
|
2263
|
+
# you can provide an empty string as the access point policy. For more
|
2264
|
+
# information, see [Creating access points][1]. For more information
|
2265
|
+
# about access point policy limits, see [Access points restrictions and
|
2266
|
+
# limitations][2].
|
2267
|
+
#
|
2268
|
+
#
|
2269
|
+
#
|
2270
|
+
# [1]: https://docs.aws.amazon.com/https:/docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
|
2271
|
+
# [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points-restrictions-limitations.html
|
2272
|
+
#
|
2273
|
+
# @note When making an API call, you may pass S3AccessPointConfiguration
|
2274
|
+
# data as a hash:
|
2275
|
+
#
|
2276
|
+
# {
|
2277
|
+
# access_point_policy: "AccessPointPolicy",
|
2278
|
+
# network_origin: {
|
2279
|
+
# internet_configuration: {
|
2280
|
+
# },
|
2281
|
+
# vpc_configuration: {
|
2282
|
+
# vpc_id: "VpcId", # required
|
2283
|
+
# },
|
2284
|
+
# },
|
2285
|
+
# public_access_block: {
|
2286
|
+
# ignore_public_acls: false, # required
|
2287
|
+
# restrict_public_buckets: false, # required
|
2288
|
+
# },
|
2289
|
+
# }
|
2290
|
+
#
|
2291
|
+
# @!attribute [rw] access_point_policy
|
2292
|
+
# The access point policy.
|
2293
|
+
# @return [String]
|
2294
|
+
#
|
2295
|
+
# @!attribute [rw] network_origin
|
2296
|
+
# The proposed `Internet` and `VpcConfiguration` to apply to this
|
2297
|
+
# Amazon S3 access point. If the access preview is for a new resource
|
2298
|
+
# and neither is specified, the access preview uses `Internet` for the
|
2299
|
+
# network origin. If the access preview is for an existing resource
|
2300
|
+
# and neither is specified, the access preview uses the exiting
|
2301
|
+
# network origin.
|
2302
|
+
# @return [Types::NetworkOriginConfiguration]
|
2303
|
+
#
|
2304
|
+
# @!attribute [rw] public_access_block
|
2305
|
+
# The proposed `S3PublicAccessBlock` configuration to apply to this
|
2306
|
+
# Amazon S3 Access Point.
|
2307
|
+
# @return [Types::S3PublicAccessBlockConfiguration]
|
2308
|
+
#
|
2309
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3AccessPointConfiguration AWS API Documentation
|
2310
|
+
#
|
2311
|
+
class S3AccessPointConfiguration < Struct.new(
|
2312
|
+
:access_point_policy,
|
2313
|
+
:network_origin,
|
2314
|
+
:public_access_block)
|
2315
|
+
SENSITIVE = []
|
2316
|
+
include Aws::Structure
|
2317
|
+
end
|
2318
|
+
|
2319
|
+
# A proposed access control list grant configuration for an Amazon S3
|
2320
|
+
# bucket. For more information, see [How to Specify an ACL][1].
|
2321
|
+
#
|
2322
|
+
#
|
2323
|
+
#
|
2324
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#setting-acls
|
2325
|
+
#
|
2326
|
+
# @note When making an API call, you may pass S3BucketAclGrantConfiguration
|
2327
|
+
# data as a hash:
|
2328
|
+
#
|
2329
|
+
# {
|
2330
|
+
# grantee: { # required
|
2331
|
+
# id: "AclCanonicalId",
|
2332
|
+
# uri: "AclUri",
|
2333
|
+
# },
|
2334
|
+
# permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
|
2335
|
+
# }
|
2336
|
+
#
|
2337
|
+
# @!attribute [rw] grantee
|
2338
|
+
# The grantee to whom you’re assigning access rights.
|
2339
|
+
# @return [Types::AclGrantee]
|
2340
|
+
#
|
2341
|
+
# @!attribute [rw] permission
|
2342
|
+
# The permissions being granted.
|
2343
|
+
# @return [String]
|
2344
|
+
#
|
2345
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketAclGrantConfiguration AWS API Documentation
|
2346
|
+
#
|
2347
|
+
class S3BucketAclGrantConfiguration < Struct.new(
|
2348
|
+
:grantee,
|
2349
|
+
:permission)
|
2350
|
+
SENSITIVE = []
|
2351
|
+
include Aws::Structure
|
2352
|
+
end
|
2353
|
+
|
2354
|
+
# Proposed access control configuration for an Amazon S3 bucket. You can
|
2355
|
+
# propose a configuration for a new Amazon S3 bucket or an existing
|
2356
|
+
# Amazon S3 bucket that you own by specifying the Amazon S3 bucket
|
2357
|
+
# policy, bucket ACLs, bucket BPA settings, and Amazon S3 access points
|
2358
|
+
# attached to the bucket. If the configuration is for an existing Amazon
|
2359
|
+
# S3 bucket and you do not specify the Amazon S3 bucket policy, the
|
2360
|
+
# access preview uses the existing policy attached to the bucket. If the
|
2361
|
+
# access preview is for a new resource and you do not specify the Amazon
|
2362
|
+
# S3 bucket policy, the access preview assumes a bucket without a
|
2363
|
+
# policy. To propose deletion of an existing bucket policy, you can
|
2364
|
+
# specify an empty string. For more information about bucket policy
|
2365
|
+
# limits, see [Bucket Policy Examples][1].
|
2366
|
+
#
|
2367
|
+
#
|
2368
|
+
#
|
2369
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
|
2370
|
+
#
|
2371
|
+
# @note When making an API call, you may pass S3BucketConfiguration
|
2372
|
+
# data as a hash:
|
2373
|
+
#
|
2374
|
+
# {
|
2375
|
+
# access_points: {
|
2376
|
+
# "AccessPointArn" => {
|
2377
|
+
# access_point_policy: "AccessPointPolicy",
|
2378
|
+
# network_origin: {
|
2379
|
+
# internet_configuration: {
|
2380
|
+
# },
|
2381
|
+
# vpc_configuration: {
|
2382
|
+
# vpc_id: "VpcId", # required
|
2383
|
+
# },
|
2384
|
+
# },
|
2385
|
+
# public_access_block: {
|
2386
|
+
# ignore_public_acls: false, # required
|
2387
|
+
# restrict_public_buckets: false, # required
|
2388
|
+
# },
|
2389
|
+
# },
|
2390
|
+
# },
|
2391
|
+
# bucket_acl_grants: [
|
2392
|
+
# {
|
2393
|
+
# grantee: { # required
|
2394
|
+
# id: "AclCanonicalId",
|
2395
|
+
# uri: "AclUri",
|
2396
|
+
# },
|
2397
|
+
# permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
|
2398
|
+
# },
|
2399
|
+
# ],
|
2400
|
+
# bucket_policy: "S3BucketPolicy",
|
2401
|
+
# bucket_public_access_block: {
|
2402
|
+
# ignore_public_acls: false, # required
|
2403
|
+
# restrict_public_buckets: false, # required
|
2404
|
+
# },
|
2405
|
+
# }
|
2406
|
+
#
|
2407
|
+
# @!attribute [rw] access_points
|
2408
|
+
# The configuration of Amazon S3 access points for the bucket.
|
2409
|
+
# @return [Hash<String,Types::S3AccessPointConfiguration>]
|
2410
|
+
#
|
2411
|
+
# @!attribute [rw] bucket_acl_grants
|
2412
|
+
# The proposed list of ACL grants for the Amazon S3 bucket. You can
|
2413
|
+
# propose up to 100 ACL grants per bucket. If the proposed grant
|
2414
|
+
# configuration is for an existing bucket, the access preview uses the
|
2415
|
+
# proposed list of grant configurations in place of the existing
|
2416
|
+
# grants. Otherwise, the access preview uses the existing grants for
|
2417
|
+
# the bucket.
|
2418
|
+
# @return [Array<Types::S3BucketAclGrantConfiguration>]
|
2419
|
+
#
|
2420
|
+
# @!attribute [rw] bucket_policy
|
2421
|
+
# The proposed bucket policy for the Amazon S3 bucket.
|
2422
|
+
# @return [String]
|
2423
|
+
#
|
2424
|
+
# @!attribute [rw] bucket_public_access_block
|
2425
|
+
# The proposed block public access configuration for the Amazon S3
|
2426
|
+
# bucket.
|
2427
|
+
# @return [Types::S3PublicAccessBlockConfiguration]
|
2428
|
+
#
|
2429
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketConfiguration AWS API Documentation
|
2430
|
+
#
|
2431
|
+
class S3BucketConfiguration < Struct.new(
|
2432
|
+
:access_points,
|
2433
|
+
:bucket_acl_grants,
|
2434
|
+
:bucket_policy,
|
2435
|
+
:bucket_public_access_block)
|
2436
|
+
SENSITIVE = []
|
2437
|
+
include Aws::Structure
|
2438
|
+
end
|
2439
|
+
|
2440
|
+
# The `PublicAccessBlock` configuration to apply to this Amazon S3
|
2441
|
+
# bucket. If the proposed configuration is for an existing Amazon S3
|
2442
|
+
# bucket and the configuration is not specified, the access preview uses
|
2443
|
+
# the existing setting. If the proposed configuration is for a new
|
2444
|
+
# bucket and the configuration is not specified, the access preview uses
|
2445
|
+
# `false`. If the proposed configuration is for a new access point and
|
2446
|
+
# the access point BPA configuration is not specified, the access
|
2447
|
+
# preview uses `true`. For more information, see
|
2448
|
+
# [PublicAccessBlockConfiguration][1].
|
2449
|
+
#
|
2450
|
+
#
|
2451
|
+
#
|
2452
|
+
# [1]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html
|
2453
|
+
#
|
2454
|
+
# @note When making an API call, you may pass S3PublicAccessBlockConfiguration
|
2455
|
+
# data as a hash:
|
2456
|
+
#
|
2457
|
+
# {
|
2458
|
+
# ignore_public_acls: false, # required
|
2459
|
+
# restrict_public_buckets: false, # required
|
2460
|
+
# }
|
2461
|
+
#
|
2462
|
+
# @!attribute [rw] ignore_public_acls
|
2463
|
+
# Specifies whether Amazon S3 should ignore public ACLs for this
|
2464
|
+
# bucket and objects in this bucket.
|
2465
|
+
# @return [Boolean]
|
2466
|
+
#
|
2467
|
+
# @!attribute [rw] restrict_public_buckets
|
2468
|
+
# Specifies whether Amazon S3 should restrict public bucket policies
|
2469
|
+
# for this bucket.
|
2470
|
+
# @return [Boolean]
|
2471
|
+
#
|
2472
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3PublicAccessBlockConfiguration AWS API Documentation
|
2473
|
+
#
|
2474
|
+
class S3PublicAccessBlockConfiguration < Struct.new(
|
2475
|
+
:ignore_public_acls,
|
2476
|
+
:restrict_public_buckets)
|
2477
|
+
SENSITIVE = []
|
2478
|
+
include Aws::Structure
|
2479
|
+
end
|
2480
|
+
|
2481
|
+
# The configuration for a Secrets Manager secret. For more information,
|
2482
|
+
# see [CreateSecret][1].
|
2483
|
+
#
|
2484
|
+
# You can propose a configuration for a new secret or an existing secret
|
2485
|
+
# that you own by specifying the secret policy and optional KMS
|
2486
|
+
# encryption key. If the configuration is for an existing secret and you
|
2487
|
+
# do not specify the secret policy, the access preview uses the existing
|
2488
|
+
# policy for the secret. If the access preview is for a new resource and
|
2489
|
+
# you do not specify the policy, the access preview assumes a secret
|
2490
|
+
# without a policy. To propose deletion of an existing policy, you can
|
2491
|
+
# specify an empty string. If the proposed configuration is for a new
|
2492
|
+
# secret and you do not specify the KMS key ID, the access preview uses
|
2493
|
+
# the default CMK of the AWS account. If you specify an empty string for
|
2494
|
+
# the KMS key ID, the access preview uses the default CMK of the AWS
|
2495
|
+
# account. For more information about secret policy limits, see [Quotas
|
2496
|
+
# for AWS Secrets Manager.][2].
|
2497
|
+
#
|
2498
|
+
#
|
2499
|
+
#
|
2500
|
+
# [1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html
|
2501
|
+
# [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html
|
2502
|
+
#
|
2503
|
+
# @note When making an API call, you may pass SecretsManagerSecretConfiguration
|
2504
|
+
# data as a hash:
|
2505
|
+
#
|
2506
|
+
# {
|
2507
|
+
# kms_key_id: "SecretsManagerSecretKmsId",
|
2508
|
+
# secret_policy: "SecretsManagerSecretPolicy",
|
2509
|
+
# }
|
2510
|
+
#
|
2511
|
+
# @!attribute [rw] kms_key_id
|
2512
|
+
# The proposed ARN, key ID, or alias of the AWS KMS customer master
|
2513
|
+
# key (CMK).
|
2514
|
+
# @return [String]
|
2515
|
+
#
|
2516
|
+
# @!attribute [rw] secret_policy
|
2517
|
+
# The proposed resource policy defining who can access or manage the
|
2518
|
+
# secret.
|
2519
|
+
# @return [String]
|
2520
|
+
#
|
2521
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SecretsManagerSecretConfiguration AWS API Documentation
|
2522
|
+
#
|
2523
|
+
class SecretsManagerSecretConfiguration < Struct.new(
|
2524
|
+
:kms_key_id,
|
2525
|
+
:secret_policy)
|
2526
|
+
SENSITIVE = []
|
2527
|
+
include Aws::Structure
|
2528
|
+
end
|
2529
|
+
|
1227
2530
|
# Service quote met error.
|
1228
2531
|
#
|
1229
2532
|
# @!attribute [rw] message
|
@@ -1274,6 +2577,60 @@ module Aws::AccessAnalyzer
|
|
1274
2577
|
include Aws::Structure
|
1275
2578
|
end
|
1276
2579
|
|
2580
|
+
# A span in a policy. The span consists of a start position (inclusive)
|
2581
|
+
# and end position (exclusive).
|
2582
|
+
#
|
2583
|
+
# @!attribute [rw] end
|
2584
|
+
# The end position of the span (exclusive).
|
2585
|
+
# @return [Types::Position]
|
2586
|
+
#
|
2587
|
+
# @!attribute [rw] start
|
2588
|
+
# The start position of the span (inclusive).
|
2589
|
+
# @return [Types::Position]
|
2590
|
+
#
|
2591
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Span AWS API Documentation
|
2592
|
+
#
|
2593
|
+
class Span < Struct.new(
|
2594
|
+
:end,
|
2595
|
+
:start)
|
2596
|
+
SENSITIVE = []
|
2597
|
+
include Aws::Structure
|
2598
|
+
end
|
2599
|
+
|
2600
|
+
# The proposed access control configuration for an SQS queue. You can
|
2601
|
+
# propose a configuration for a new SQS queue or an existing SQS queue
|
2602
|
+
# that you own by specifying the SQS policy. If the configuration is for
|
2603
|
+
# an existing SQS queue and you do not specify the SQS policy, the
|
2604
|
+
# access preview uses the existing SQS policy for the queue. If the
|
2605
|
+
# access preview is for a new resource and you do not specify the
|
2606
|
+
# policy, the access preview assumes an SQS queue without a policy. To
|
2607
|
+
# propose deletion of an existing SQS queue policy, you can specify an
|
2608
|
+
# empty string for the SQS policy. For more information about SQS policy
|
2609
|
+
# limits, see [Quotas related to policies][1].
|
2610
|
+
#
|
2611
|
+
#
|
2612
|
+
#
|
2613
|
+
# [1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-policies.html
|
2614
|
+
#
|
2615
|
+
# @note When making an API call, you may pass SqsQueueConfiguration
|
2616
|
+
# data as a hash:
|
2617
|
+
#
|
2618
|
+
# {
|
2619
|
+
# queue_policy: "SqsQueuePolicy",
|
2620
|
+
# }
|
2621
|
+
#
|
2622
|
+
# @!attribute [rw] queue_policy
|
2623
|
+
# The proposed resource policy for the SQS queue.
|
2624
|
+
# @return [String]
|
2625
|
+
#
|
2626
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SqsQueueConfiguration AWS API Documentation
|
2627
|
+
#
|
2628
|
+
class SqsQueueConfiguration < Struct.new(
|
2629
|
+
:queue_policy)
|
2630
|
+
SENSITIVE = []
|
2631
|
+
include Aws::Structure
|
2632
|
+
end
|
2633
|
+
|
1277
2634
|
# Starts a scan of the policies applied to the specified resource.
|
1278
2635
|
#
|
1279
2636
|
# @note When making an API call, you may pass StartResourceScanRequest
|
@@ -1285,8 +2642,12 @@ module Aws::AccessAnalyzer
|
|
1285
2642
|
# }
|
1286
2643
|
#
|
1287
2644
|
# @!attribute [rw] analyzer_arn
|
1288
|
-
# The ARN of the analyzer to use to scan the policies applied to
|
1289
|
-
# specified resource.
|
2645
|
+
# The [ARN of the analyzer][1] to use to scan the policies applied to
|
2646
|
+
# the specified resource.
|
2647
|
+
#
|
2648
|
+
#
|
2649
|
+
#
|
2650
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
|
1290
2651
|
# @return [String]
|
1291
2652
|
#
|
1292
2653
|
# @!attribute [rw] resource_arn
|
@@ -1304,7 +2665,7 @@ module Aws::AccessAnalyzer
|
|
1304
2665
|
|
1305
2666
|
# Provides more details about the current status of the analyzer. For
|
1306
2667
|
# example, if the creation for the analyzer fails, a `Failed` status is
|
1307
|
-
#
|
2668
|
+
# returned. For an analyzer with organization as the type, this failure
|
1308
2669
|
# can be due to an issue with creating the service-linked roles required
|
1309
2670
|
# in the member accounts of the AWS organization.
|
1310
2671
|
#
|
@@ -1320,6 +2681,25 @@ module Aws::AccessAnalyzer
|
|
1320
2681
|
include Aws::Structure
|
1321
2682
|
end
|
1322
2683
|
|
2684
|
+
# A reference to a substring of a literal string in a JSON document.
|
2685
|
+
#
|
2686
|
+
# @!attribute [rw] length
|
2687
|
+
# The length of the substring.
|
2688
|
+
# @return [Integer]
|
2689
|
+
#
|
2690
|
+
# @!attribute [rw] start
|
2691
|
+
# The start index of the substring, starting from 0.
|
2692
|
+
# @return [Integer]
|
2693
|
+
#
|
2694
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Substring AWS API Documentation
|
2695
|
+
#
|
2696
|
+
class Substring < Struct.new(
|
2697
|
+
:length,
|
2698
|
+
:start)
|
2699
|
+
SENSITIVE = []
|
2700
|
+
include Aws::Structure
|
2701
|
+
end
|
2702
|
+
|
1323
2703
|
# Adds a tag to the specified resource.
|
1324
2704
|
#
|
1325
2705
|
# @note When making an API call, you may pass TagResourceRequest
|
@@ -1470,7 +2850,11 @@ module Aws::AccessAnalyzer
|
|
1470
2850
|
# }
|
1471
2851
|
#
|
1472
2852
|
# @!attribute [rw] analyzer_arn
|
1473
|
-
# The ARN of the analyzer that generated the findings to update.
|
2853
|
+
# The [ARN of the analyzer][1] that generated the findings to update.
|
2854
|
+
#
|
2855
|
+
#
|
2856
|
+
#
|
2857
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
|
1474
2858
|
# @return [String]
|
1475
2859
|
#
|
1476
2860
|
# @!attribute [rw] client_token
|
@@ -1507,6 +2891,127 @@ module Aws::AccessAnalyzer
|
|
1507
2891
|
include Aws::Structure
|
1508
2892
|
end
|
1509
2893
|
|
2894
|
+
# A finding in a policy. Each finding is an actionable recommendation
|
2895
|
+
# that can be used to improve the policy.
|
2896
|
+
#
|
2897
|
+
# @!attribute [rw] finding_details
|
2898
|
+
# A localized message that explains the finding and provides guidance
|
2899
|
+
# on how to address it.
|
2900
|
+
# @return [String]
|
2901
|
+
#
|
2902
|
+
# @!attribute [rw] finding_type
|
2903
|
+
# The impact of the finding.
|
2904
|
+
#
|
2905
|
+
# Security warnings report when the policy allows access that we
|
2906
|
+
# consider overly permissive.
|
2907
|
+
#
|
2908
|
+
# Errors report when a part of the policy is not functional.
|
2909
|
+
#
|
2910
|
+
# Warnings report non-security issues when a policy does not conform
|
2911
|
+
# to policy writing best practices.
|
2912
|
+
#
|
2913
|
+
# Suggestions recommend stylistic improvements in the policy that do
|
2914
|
+
# not impact access.
|
2915
|
+
# @return [String]
|
2916
|
+
#
|
2917
|
+
# @!attribute [rw] issue_code
|
2918
|
+
# The issue code provides an identifier of the issue associated with
|
2919
|
+
# this finding.
|
2920
|
+
# @return [String]
|
2921
|
+
#
|
2922
|
+
# @!attribute [rw] learn_more_link
|
2923
|
+
# A link to additional documentation about the type of finding.
|
2924
|
+
# @return [String]
|
2925
|
+
#
|
2926
|
+
# @!attribute [rw] locations
|
2927
|
+
# The list of locations in the policy document that are related to the
|
2928
|
+
# finding. The issue code provides a summary of an issue identified by
|
2929
|
+
# the finding.
|
2930
|
+
# @return [Array<Types::Location>]
|
2931
|
+
#
|
2932
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyFinding AWS API Documentation
|
2933
|
+
#
|
2934
|
+
class ValidatePolicyFinding < Struct.new(
|
2935
|
+
:finding_details,
|
2936
|
+
:finding_type,
|
2937
|
+
:issue_code,
|
2938
|
+
:learn_more_link,
|
2939
|
+
:locations)
|
2940
|
+
SENSITIVE = []
|
2941
|
+
include Aws::Structure
|
2942
|
+
end
|
2943
|
+
|
2944
|
+
# @note When making an API call, you may pass ValidatePolicyRequest
|
2945
|
+
# data as a hash:
|
2946
|
+
#
|
2947
|
+
# {
|
2948
|
+
# locale: "DE", # accepts DE, EN, ES, FR, IT, JA, KO, PT_BR, ZH_CN, ZH_TW
|
2949
|
+
# max_results: 1,
|
2950
|
+
# next_token: "Token",
|
2951
|
+
# policy_document: "PolicyDocument", # required
|
2952
|
+
# policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY
|
2953
|
+
# }
|
2954
|
+
#
|
2955
|
+
# @!attribute [rw] locale
|
2956
|
+
# The locale to use for localizing the findings.
|
2957
|
+
# @return [String]
|
2958
|
+
#
|
2959
|
+
# @!attribute [rw] max_results
|
2960
|
+
# The maximum number of results to return in the response.
|
2961
|
+
# @return [Integer]
|
2962
|
+
#
|
2963
|
+
# @!attribute [rw] next_token
|
2964
|
+
# A token used for pagination of results returned.
|
2965
|
+
# @return [String]
|
2966
|
+
#
|
2967
|
+
# @!attribute [rw] policy_document
|
2968
|
+
# The JSON policy document to use as the content for the policy.
|
2969
|
+
# @return [String]
|
2970
|
+
#
|
2971
|
+
# @!attribute [rw] policy_type
|
2972
|
+
# The type of policy to validate. Identity policies grant permissions
|
2973
|
+
# to IAM principals. Identity policies include managed and inline
|
2974
|
+
# policies for IAM roles, users, and groups. They also include
|
2975
|
+
# service-control policies (SCPs) that are attached to an AWS
|
2976
|
+
# organization, organizational unit (OU), or an account.
|
2977
|
+
#
|
2978
|
+
# Resource policies grant permissions on AWS resources. Resource
|
2979
|
+
# policies include trust policies for IAM roles and bucket policies
|
2980
|
+
# for S3 buckets. You can provide a generic input such as identity
|
2981
|
+
# policy or resource policy or a specific input such as managed policy
|
2982
|
+
# or S3 bucket policy.
|
2983
|
+
# @return [String]
|
2984
|
+
#
|
2985
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyRequest AWS API Documentation
|
2986
|
+
#
|
2987
|
+
class ValidatePolicyRequest < Struct.new(
|
2988
|
+
:locale,
|
2989
|
+
:max_results,
|
2990
|
+
:next_token,
|
2991
|
+
:policy_document,
|
2992
|
+
:policy_type)
|
2993
|
+
SENSITIVE = []
|
2994
|
+
include Aws::Structure
|
2995
|
+
end
|
2996
|
+
|
2997
|
+
# @!attribute [rw] findings
|
2998
|
+
# The list of findings in a policy returned by Access Analyzer based
|
2999
|
+
# on its suite of policy checks.
|
3000
|
+
# @return [Array<Types::ValidatePolicyFinding>]
|
3001
|
+
#
|
3002
|
+
# @!attribute [rw] next_token
|
3003
|
+
# A token used for pagination of results returned.
|
3004
|
+
# @return [String]
|
3005
|
+
#
|
3006
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyResponse AWS API Documentation
|
3007
|
+
#
|
3008
|
+
class ValidatePolicyResponse < Struct.new(
|
3009
|
+
:findings,
|
3010
|
+
:next_token)
|
3011
|
+
SENSITIVE = []
|
3012
|
+
include Aws::Structure
|
3013
|
+
end
|
3014
|
+
|
1510
3015
|
# Validation exception error.
|
1511
3016
|
#
|
1512
3017
|
# @!attribute [rw] field_list
|
@@ -1549,5 +3054,32 @@ module Aws::AccessAnalyzer
|
|
1549
3054
|
include Aws::Structure
|
1550
3055
|
end
|
1551
3056
|
|
3057
|
+
# The proposed virtual private cloud (VPC) configuration for the Amazon
|
3058
|
+
# S3 access point. For more information, see [VpcConfiguration][1].
|
3059
|
+
#
|
3060
|
+
#
|
3061
|
+
#
|
3062
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
|
3063
|
+
#
|
3064
|
+
# @note When making an API call, you may pass VpcConfiguration
|
3065
|
+
# data as a hash:
|
3066
|
+
#
|
3067
|
+
# {
|
3068
|
+
# vpc_id: "VpcId", # required
|
3069
|
+
# }
|
3070
|
+
#
|
3071
|
+
# @!attribute [rw] vpc_id
|
3072
|
+
# If this field is specified, this access point will only allow
|
3073
|
+
# connections from the specified VPC ID.
|
3074
|
+
# @return [String]
|
3075
|
+
#
|
3076
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/VpcConfiguration AWS API Documentation
|
3077
|
+
#
|
3078
|
+
class VpcConfiguration < Struct.new(
|
3079
|
+
:vpc_id)
|
3080
|
+
SENSITIVE = []
|
3081
|
+
include Aws::Structure
|
3082
|
+
end
|
3083
|
+
|
1552
3084
|
end
|
1553
3085
|
end
|