aws-sdk-accessanalyzer 1.14.0 → 1.19.0

data/lib/aws-sdk-accessanalyzer/errors.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 

data/lib/aws-sdk-accessanalyzer/resource.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 

data/lib/aws-sdk-accessanalyzer/types.rb

@@ -3,7 +3,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
@@ -23,6 +23,266 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # Contains information about an access preview.
+    #
+    # @!attribute [rw] analyzer_arn
+    #   The ARN of the analyzer used to generate the access preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] configurations
+    #   A map of resource ARNs for the proposed resource configuration.
+    #   @return [Hash<String,Types::Configuration>]
+    #
+    # @!attribute [rw] created_at
+    #   The time at which the access preview was created.
+    #   @return [Time]
+    #
+    # @!attribute [rw] id
+    #   The unique ID for the access preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] status
+    #   The status of the access preview.
+    #
+    #   * `Creating` - The access preview creation is in progress.
+    #
+    #   * `Completed` - The access preview is complete. You can preview
+    #     findings for external access to the resource.
+    #
+    #   * `Failed` - The access preview creation has failed.
+    #   @return [String]
+    #
+    # @!attribute [rw] status_reason
+    #   Provides more details about the current status of the access
+    #   preview.
+    #
+    #   For example, if the creation of the access preview fails, a `Failed`
+    #   status is returned. This failure can be due to an internal issue
+    #   with the analysis or due to an invalid resource configuration.
+    #   @return [Types::AccessPreviewStatusReason]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreview AWS API Documentation
+    #
+    class AccessPreview < Struct.new(
+      :analyzer_arn,
+      :configurations,
+      :created_at,
+      :id,
+      :status,
+      :status_reason)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # An access preview finding generated by the access preview.
+    #
+    # @!attribute [rw] action
+    #   The action in the analyzed policy statement that an external
+    #   principal has permission to perform.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] change_type
+    #   Provides context on how the access preview finding compares to
+    #   existing access identified in Access Analyzer.
+    #
+    #   * `New` - The finding is for newly-introduced access.
+    #
+    #   * `Unchanged` - The preview finding is an existing finding that
+    #     would remain unchanged.
+    #
+    #   * `Changed` - The preview finding is an existing finding with a
+    #     change in status.
+    #
+    #   For example, a `Changed` finding with preview status `Resolved` and
+    #   existing status `Active` indicates the existing `Active` finding
+    #   would become `Resolved` as a result of the proposed permissions
+    #   change.
+    #   @return [String]
+    #
+    # @!attribute [rw] condition
+    #   The condition in the analyzed policy statement that resulted in a
+    #   finding.
+    #   @return [Hash<String,String>]
+    #
+    # @!attribute [rw] created_at
+    #   The time at which the access preview finding was created.
+    #   @return [Time]
+    #
+    # @!attribute [rw] error
+    #   An error.
+    #   @return [String]
+    #
+    # @!attribute [rw] existing_finding_id
+    #   The existing ID of the finding in Access Analyzer, provided only for
+    #   existing findings.
+    #   @return [String]
+    #
+    # @!attribute [rw] existing_finding_status
+    #   The existing status of the finding, provided only for existing
+    #   findings.
+    #   @return [String]
+    #
+    # @!attribute [rw] id
+    #   The ID of the access preview finding. This ID uniquely identifies
+    #   the element in the list of access preview findings and is not
+    #   related to the finding ID in Access Analyzer.
+    #   @return [String]
+    #
+    # @!attribute [rw] is_public
+    #   Indicates whether the policy that generated the finding allows
+    #   public access to the resource.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] principal
+    #   The external principal that has access to a resource within the zone
+    #   of trust.
+    #   @return [Hash<String,String>]
+    #
+    # @!attribute [rw] resource
+    #   The resource that an external principal has access to. This is the
+    #   resource associated with the access preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_owner_account
+    #   The AWS account ID that owns the resource. For most AWS resources,
+    #   the owning account is the account in which the resource was created.
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_type
+    #   The type of the resource that can be accessed in the finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] sources
+    #   The sources of the finding. This indicates how the access that
+    #   generated the finding is granted. It is populated for Amazon S3
+    #   bucket findings.
+    #   @return [Array<Types::FindingSource>]
+    #
+    # @!attribute [rw] status
+    #   The preview status of the finding. This is what the status of the
+    #   finding would be after permissions deployment. For example, a
+    #   `Changed` finding with preview status `Resolved` and existing status
+    #   `Active` indicates the existing `Active` finding would become
+    #   `Resolved` as a result of the proposed permissions change.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewFinding AWS API Documentation
+    #
+    class AccessPreviewFinding < Struct.new(
+      :action,
+      :change_type,
+      :condition,
+      :created_at,
+      :error,
+      :existing_finding_id,
+      :existing_finding_status,
+      :id,
+      :is_public,
+      :principal,
+      :resource,
+      :resource_owner_account,
+      :resource_type,
+      :sources,
+      :status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Provides more details about the current status of the access preview.
+    # For example, if the creation of the access preview fails, a `Failed`
+    # status is returned. This failure can be due to an internal issue with
+    # the analysis or due to an invalid proposed resource configuration.
+    #
+    # @!attribute [rw] code
+    #   The reason code for the current status of the access preview.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewStatusReason AWS API Documentation
+    #
+    class AccessPreviewStatusReason < Struct.new(
+      :code)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains a summary of information about an access preview.
+    #
+    # @!attribute [rw] analyzer_arn
+    #   The ARN of the analyzer used to generate the access preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] created_at
+    #   The time at which the access preview was created.
+    #   @return [Time]
+    #
+    # @!attribute [rw] id
+    #   The unique ID for the access preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] status
+    #   The status of the access preview.
+    #
+    #   * `Creating` - The access preview creation is in progress.
+    #
+    #   * `Completed` - The access preview is complete and previews the
+    #     findings for external access to the resource.
+    #
+    #   * `Failed` - The access preview creation has failed.
+    #   @return [String]
+    #
+    # @!attribute [rw] status_reason
+    #   Provides more details about the current status of the access
+    #   preview. For example, if the creation of the access preview fails, a
+    #   `Failed` status is returned. This failure can be due to an internal
+    #   issue with the analysis or due to an invalid proposed resource
+    #   configuration.
+    #   @return [Types::AccessPreviewStatusReason]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewSummary AWS API Documentation
+    #
+    class AccessPreviewSummary < Struct.new(
+      :analyzer_arn,
+      :created_at,
+      :id,
+      :status,
+      :status_reason)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # You specify each grantee as a type-value pair using one of these
+    # types. You can specify only one type of grantee. For more information,
+    # see [PutBucketAcl][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html
+    #
+    # @note When making an API call, you may pass AclGrantee
+    #   data as a hash:
+    #
+    #       {
+    #         id: "AclCanonicalId",
+    #         uri: "AclUri",
+    #       }
+    #
+    # @!attribute [rw] id
+    #   The value specified is the canonical user ID of an AWS account.
+    #   @return [String]
+    #
+    # @!attribute [rw] uri
+    #   Used for granting permissions to a predefined group.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AclGrantee AWS API Documentation
+    #
+    class AclGrantee < Struct.new(
+      :id,
+      :uri)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Contains details about the analyzed resource.
     #
     # @!attribute [rw] actions
@@ -141,16 +401,16 @@ module Aws::AccessAnalyzer
     #   The status of the analyzer. An `Active` analyzer successfully
     #   monitors supported resources and generates new findings. The
     #   analyzer is `Disabled` when a user action, such as removing trusted
-    #   access for IAM Access Analyzer from AWS Organizations, causes the
-    #   analyzer to stop generating new findings. The status is `Creating`
-    #   when the analyzer creation is in progress and `Failed` when the
-    #   analyzer creation has failed.
+    #   access for AWS IAM Access Analyzer from AWS Organizations, causes
+    #   the analyzer to stop generating new findings. The status is
+    #   `Creating` when the analyzer creation is in progress and `Failed`
+    #   when the analyzer creation has failed.
     #   @return [String]
     #
     # @!attribute [rw] status_reason
     #   The `statusReason` provides more details about the current status of
     #   the analyzer. For example, if the creation for the analyzer fails, a
-    #   `Failed` status is displayed. For an analyzer with organization as
+    #   `Failed` status is returned. For an analyzer with organization as
     #   the type, this failure can be due to an issue with creating the
     #   service-linked roles required in the member accounts of the AWS
     #   organization.
@@ -246,130 +506,466 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
-    # A conflict exception error.
-    #
-    # @!attribute [rw] message
-    #   @return [String]
+    # @note When making an API call, you may pass CancelPolicyGenerationRequest
+    #   data as a hash:
     #
-    # @!attribute [rw] resource_id
-    #   The ID of the resource.
-    #   @return [String]
+    #       {
+    #         job_id: "JobId", # required
+    #       }
     #
-    # @!attribute [rw] resource_type
-    #   The resource type.
+    # @!attribute [rw] job_id
+    #   The `JobId` that is returned by the `StartPolicyGeneration`
+    #   operation. The `JobId` can be used with `GetGeneratedPolicy` to
+    #   retrieve the generated policies or used with
+    #   `CancelPolicyGeneration` to cancel the policy generation request.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ConflictException AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CancelPolicyGenerationRequest AWS API Documentation
     #
-    class ConflictException < Struct.new(
-      :message,
-      :resource_id,
-      :resource_type)
+    class CancelPolicyGenerationRequest < Struct.new(
+      :job_id)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # Creates an analyzer.
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CancelPolicyGenerationResponse AWS API Documentation
     #
-    # @note When making an API call, you may pass CreateAnalyzerRequest
+    class CancelPolicyGenerationResponse < Aws::EmptyStructure; end
+
+    # Contains information about CloudTrail access.
+    #
+    # @note When making an API call, you may pass CloudTrailDetails
     #   data as a hash:
     #
     #       {
-    #         analyzer_name: "Name", # required
-    #         archive_rules: [
+    #         access_role: "RoleArn", # required
+    #         end_time: Time.now,
+    #         start_time: Time.now, # required
+    #         trails: [ # required
     #           {
-    #             filter: { # required
-    #               "String" => {
-    #                 contains: ["String"],
-    #                 eq: ["String"],
-    #                 exists: false,
-    #                 neq: ["String"],
-    #               },
-    #             },
-    #             rule_name: "Name", # required
+    #             all_regions: false,
+    #             cloud_trail_arn: "CloudTrailArn", # required
+    #             regions: ["String"],
     #           },
     #         ],
-    #         client_token: "String",
-    #         tags: {
-    #           "String" => "String",
-    #         },
-    #         type: "ACCOUNT", # required, accepts ACCOUNT, ORGANIZATION
     #       }
     #
-    # @!attribute [rw] analyzer_name
-    #   The name of the analyzer to create.
+    # @!attribute [rw] access_role
+    #   The ARN of the service role that Access Analyzer uses to access your
+    #   CloudTrail trail and service last accessed information.
     #   @return [String]
     #
-    # @!attribute [rw] archive_rules
-    #   Specifies the archive rules to add for the analyzer. Archive rules
-    #   automatically archive findings that meet the criteria you define for
-    #   the rule.
-    #   @return [Array<Types::InlineArchiveRule>]
-    #
-    # @!attribute [rw] client_token
-    #   A client token.
-    #
-    #   **A suitable default value is auto-generated.** You should normally
-    #   not need to pass this option.
-    #   @return [String]
+    # @!attribute [rw] end_time
+    #   The end of the time range for which Access Analyzer reviews your
+    #   CloudTrail events. Events with a timestamp after this time are not
+    #   considered to generate a policy. If this is not included in the
+    #   request, the default value is the current time.
+    #   @return [Time]
     #
-    # @!attribute [rw] tags
-    #   The tags to apply to the analyzer.
-    #   @return [Hash<String,String>]
+    # @!attribute [rw] start_time
+    #   The start of the time range for which Access Analyzer reviews your
+    #   CloudTrail events. Events with a timestamp before this time are not
+    #   considered to generate a policy.
+    #   @return [Time]
     #
-    # @!attribute [rw] type
-    #   The type of analyzer to create. Only ACCOUNT analyzers are
-    #   supported. You can create only one analyzer per account per Region.
-    #   @return [String]
+    # @!attribute [rw] trails
+    #   A `Trail` object that contains settings for a trail.
+    #   @return [Array<Types::Trail>]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerRequest AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CloudTrailDetails AWS API Documentation
     #
-    class CreateAnalyzerRequest < Struct.new(
-      :analyzer_name,
-      :archive_rules,
-      :client_token,
-      :tags,
-      :type)
+    class CloudTrailDetails < Struct.new(
+      :access_role,
+      :end_time,
+      :start_time,
+      :trails)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # The response to the request to create an analyzer.
+    # Contains information about CloudTrail access.
     #
-    # @!attribute [rw] arn
-    #   The ARN of the analyzer that was created by the request.
-    #   @return [String]
+    # @!attribute [rw] end_time
+    #   The end of the time range for which Access Analyzer reviews your
+    #   CloudTrail events. Events with a timestamp after this time are not
+    #   considered to generate a policy. If this is not included in the
+    #   request, the default value is the current time.
+    #   @return [Time]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerResponse AWS API Documentation
+    # @!attribute [rw] start_time
+    #   The start of the time range for which Access Analyzer reviews your
+    #   CloudTrail events. Events with a timestamp before this time are not
+    #   considered to generate a policy.
+    #   @return [Time]
     #
-    class CreateAnalyzerResponse < Struct.new(
-      :arn)
+    # @!attribute [rw] trail_properties
+    #   A `TrailProperties` object that contains settings for trail
+    #   properties.
+    #   @return [Array<Types::TrailProperties>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CloudTrailProperties AWS API Documentation
+    #
+    class CloudTrailProperties < Struct.new(
+      :end_time,
+      :start_time,
+      :trail_properties)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # Creates an archive rule.
+    # Access control configuration structures for your resource. You specify
+    # the configuration as a type-value pair. You can specify only one type
+    # of access control configuration.
     #
-    # @note When making an API call, you may pass CreateArchiveRuleRequest
+    # @note When making an API call, you may pass Configuration
     #   data as a hash:
     #
     #       {
-    #         analyzer_name: "Name", # required
-    #         client_token: "String",
-    #         filter: { # required
-    #           "String" => {
-    #             contains: ["String"],
-    #             eq: ["String"],
-    #             exists: false,
-    #             neq: ["String"],
+    #         iam_role: {
+    #           trust_policy: "IamTrustPolicy",
+    #         },
+    #         kms_key: {
+    #           grants: [
+    #             {
+    #               constraints: {
+    #                 encryption_context_equals: {
+    #                   "KmsConstraintsKey" => "KmsConstraintsValue",
+    #                 },
+    #                 encryption_context_subset: {
+    #                   "KmsConstraintsKey" => "KmsConstraintsValue",
+    #                 },
+    #               },
+    #               grantee_principal: "GranteePrincipal", # required
+    #               issuing_account: "IssuingAccount", # required
+    #               operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
+    #               retiring_principal: "RetiringPrincipal",
+    #             },
+    #           ],
+    #           key_policies: {
+    #             "PolicyName" => "KmsKeyPolicy",
     #           },
     #         },
-    #         rule_name: "Name", # required
-    #       }
-    #
-    # @!attribute [rw] analyzer_name
-    #   The name of the created analyzer.
-    #   @return [String]
+    #         s3_bucket: {
+    #           access_points: {
+    #             "AccessPointArn" => {
+    #               access_point_policy: "AccessPointPolicy",
+    #               network_origin: {
+    #                 internet_configuration: {
+    #                 },
+    #                 vpc_configuration: {
+    #                   vpc_id: "VpcId", # required
+    #                 },
+    #               },
+    #               public_access_block: {
+    #                 ignore_public_acls: false, # required
+    #                 restrict_public_buckets: false, # required
+    #               },
+    #             },
+    #           },
+    #           bucket_acl_grants: [
+    #             {
+    #               grantee: { # required
+    #                 id: "AclCanonicalId",
+    #                 uri: "AclUri",
+    #               },
+    #               permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
+    #             },
+    #           ],
+    #           bucket_policy: "S3BucketPolicy",
+    #           bucket_public_access_block: {
+    #             ignore_public_acls: false, # required
+    #             restrict_public_buckets: false, # required
+    #           },
+    #         },
+    #         secrets_manager_secret: {
+    #           kms_key_id: "SecretsManagerSecretKmsId",
+    #           secret_policy: "SecretsManagerSecretPolicy",
+    #         },
+    #         sqs_queue: {
+    #           queue_policy: "SqsQueuePolicy",
+    #         },
+    #       }
+    #
+    # @!attribute [rw] iam_role
+    #   The access control configuration is for an IAM role.
+    #   @return [Types::IamRoleConfiguration]
+    #
+    # @!attribute [rw] kms_key
+    #   The access control configuration is for a KMS key.
+    #   @return [Types::KmsKeyConfiguration]
+    #
+    # @!attribute [rw] s3_bucket
+    #   The access control configuration is for an Amazon S3 Bucket.
+    #   @return [Types::S3BucketConfiguration]
+    #
+    # @!attribute [rw] secrets_manager_secret
+    #   The access control configuration is for a Secrets Manager secret.
+    #   @return [Types::SecretsManagerSecretConfiguration]
+    #
+    # @!attribute [rw] sqs_queue
+    #   The access control configuration is for an SQS queue.
+    #   @return [Types::SqsQueueConfiguration]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Configuration AWS API Documentation
+    #
+    class Configuration < Struct.new(
+      :iam_role,
+      :kms_key,
+      :s3_bucket,
+      :secrets_manager_secret,
+      :sqs_queue)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A conflict exception error.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_id
+    #   The ID of the resource.
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_type
+    #   The resource type.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ConflictException AWS API Documentation
+    #
+    class ConflictException < Struct.new(
+      :message,
+      :resource_id,
+      :resource_type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass CreateAccessPreviewRequest
+    #   data as a hash:
+    #
+    #       {
+    #         analyzer_arn: "AnalyzerArn", # required
+    #         client_token: "String",
+    #         configurations: { # required
+    #           "ConfigurationsMapKey" => {
+    #             iam_role: {
+    #               trust_policy: "IamTrustPolicy",
+    #             },
+    #             kms_key: {
+    #               grants: [
+    #                 {
+    #                   constraints: {
+    #                     encryption_context_equals: {
+    #                       "KmsConstraintsKey" => "KmsConstraintsValue",
+    #                     },
+    #                     encryption_context_subset: {
+    #                       "KmsConstraintsKey" => "KmsConstraintsValue",
+    #                     },
+    #                   },
+    #                   grantee_principal: "GranteePrincipal", # required
+    #                   issuing_account: "IssuingAccount", # required
+    #                   operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
+    #                   retiring_principal: "RetiringPrincipal",
+    #                 },
+    #               ],
+    #               key_policies: {
+    #                 "PolicyName" => "KmsKeyPolicy",
+    #               },
+    #             },
+    #             s3_bucket: {
+    #               access_points: {
+    #                 "AccessPointArn" => {
+    #                   access_point_policy: "AccessPointPolicy",
+    #                   network_origin: {
+    #                     internet_configuration: {
+    #                     },
+    #                     vpc_configuration: {
+    #                       vpc_id: "VpcId", # required
+    #                     },
+    #                   },
+    #                   public_access_block: {
+    #                     ignore_public_acls: false, # required
+    #                     restrict_public_buckets: false, # required
+    #                   },
+    #                 },
+    #               },
+    #               bucket_acl_grants: [
+    #                 {
+    #                   grantee: { # required
+    #                     id: "AclCanonicalId",
+    #                     uri: "AclUri",
+    #                   },
+    #                   permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
+    #                 },
+    #               ],
+    #               bucket_policy: "S3BucketPolicy",
+    #               bucket_public_access_block: {
+    #                 ignore_public_acls: false, # required
+    #                 restrict_public_buckets: false, # required
+    #               },
+    #             },
+    #             secrets_manager_secret: {
+    #               kms_key_id: "SecretsManagerSecretKmsId",
+    #               secret_policy: "SecretsManagerSecretPolicy",
+    #             },
+    #             sqs_queue: {
+    #               queue_policy: "SqsQueuePolicy",
+    #             },
+    #           },
+    #         },
+    #       }
+    #
+    # @!attribute [rw] analyzer_arn
+    #   The [ARN of the account analyzer][1] used to generate the access
+    #   preview. You can only create an access preview for analyzers with an
+    #   `Account` type and `Active` status.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
+    #   @return [String]
+    #
+    # @!attribute [rw] client_token
+    #   A client token.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.
+    #   @return [String]
+    #
+    # @!attribute [rw] configurations
+    #   Access control configuration for your resource that is used to
+    #   generate the access preview. The access preview includes findings
+    #   for external access allowed to the resource with the proposed access
+    #   control configuration. The configuration must contain exactly one
+    #   element.
+    #   @return [Hash<String,Types::Configuration>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewRequest AWS API Documentation
+    #
+    class CreateAccessPreviewRequest < Struct.new(
+      :analyzer_arn,
+      :client_token,
+      :configurations)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] id
+    #   The unique ID for the access preview.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewResponse AWS API Documentation
+    #
+    class CreateAccessPreviewResponse < Struct.new(
+      :id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Creates an analyzer.
+    #
+    # @note When making an API call, you may pass CreateAnalyzerRequest
+    #   data as a hash:
+    #
+    #       {
+    #         analyzer_name: "Name", # required
+    #         archive_rules: [
+    #           {
+    #             filter: { # required
+    #               "String" => {
+    #                 contains: ["String"],
+    #                 eq: ["String"],
+    #                 exists: false,
+    #                 neq: ["String"],
+    #               },
+    #             },
+    #             rule_name: "Name", # required
+    #           },
+    #         ],
+    #         client_token: "String",
+    #         tags: {
+    #           "String" => "String",
+    #         },
+    #         type: "ACCOUNT", # required, accepts ACCOUNT, ORGANIZATION
+    #       }
+    #
+    # @!attribute [rw] analyzer_name
+    #   The name of the analyzer to create.
+    #   @return [String]
+    #
+    # @!attribute [rw] archive_rules
+    #   Specifies the archive rules to add for the analyzer. Archive rules
+    #   automatically archive findings that meet the criteria you define for
+    #   the rule.
+    #   @return [Array<Types::InlineArchiveRule>]
+    #
+    # @!attribute [rw] client_token
+    #   A client token.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.
+    #   @return [String]
+    #
+    # @!attribute [rw] tags
+    #   The tags to apply to the analyzer.
+    #   @return [Hash<String,String>]
+    #
+    # @!attribute [rw] type
+    #   The type of analyzer to create. Only ACCOUNT and ORGANIZATION
+    #   analyzers are supported. You can create only one analyzer per
+    #   account per Region. You can create up to 5 analyzers per
+    #   organization per Region.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerRequest AWS API Documentation
+    #
+    class CreateAnalyzerRequest < Struct.new(
+      :analyzer_name,
+      :archive_rules,
+      :client_token,
+      :tags,
+      :type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The response to the request to create an analyzer.
+    #
+    # @!attribute [rw] arn
+    #   The ARN of the analyzer that was created by the request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerResponse AWS API Documentation
+    #
+    class CreateAnalyzerResponse < Struct.new(
+      :arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Creates an archive rule.
+    #
+    # @note When making an API call, you may pass CreateArchiveRuleRequest
+    #   data as a hash:
+    #
+    #       {
+    #         analyzer_name: "Name", # required
+    #         client_token: "String",
+    #         filter: { # required
+    #           "String" => {
+    #             contains: ["String"],
+    #             eq: ["String"],
+    #             exists: false,
+    #             neq: ["String"],
+    #           },
+    #         },
+    #         rule_name: "Name", # required
+    #       }
+    #
+    # @!attribute [rw] analyzer_name
+    #   The name of the created analyzer.
+    #   @return [String]
     #
     # @!attribute [rw] client_token
     #   A client token.
@@ -554,7 +1150,7 @@ module Aws::AccessAnalyzer
     #   @return [String]
     #
     # @!attribute [rw] resource_type
-    #   The type of the resource reported in the finding.
+    #   The type of the resource identified in the finding.
     #   @return [String]
     #
     # @!attribute [rw] sources
@@ -715,6 +1311,118 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # Contains the text for the generated policy.
+    #
+    # @!attribute [rw] policy
+    #   The text to use as the content for the new policy. The policy is
+    #   created using the [CreatePolicy][1] action.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GeneratedPolicy AWS API Documentation
+    #
+    class GeneratedPolicy < Struct.new(
+      :policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains the generated policy details.
+    #
+    # @!attribute [rw] cloud_trail_properties
+    #   Lists details about the `Trail` used to generated policy.
+    #   @return [Types::CloudTrailProperties]
+    #
+    # @!attribute [rw] is_complete
+    #   This value is set to `true` if the generated policy contains all
+    #   possible actions for a service that Access Analyzer identified from
+    #   the CloudTrail trail that you specified, and `false` otherwise.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] principal_arn
+    #   The ARN of the IAM entity (user or role) for which you are
+    #   generating a policy.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GeneratedPolicyProperties AWS API Documentation
+    #
+    class GeneratedPolicyProperties < Struct.new(
+      :cloud_trail_properties,
+      :is_complete,
+      :principal_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains the text for the generated policy and its details.
+    #
+    # @!attribute [rw] generated_policies
+    #   The text to use as the content for the new policy. The policy is
+    #   created using the [CreatePolicy][1] action.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html
+    #   @return [Array<Types::GeneratedPolicy>]
+    #
+    # @!attribute [rw] properties
+    #   A `GeneratedPolicyProperties` object that contains properties of the
+    #   generated policy.
+    #   @return [Types::GeneratedPolicyProperties]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GeneratedPolicyResult AWS API Documentation
+    #
+    class GeneratedPolicyResult < Struct.new(
+      :generated_policies,
+      :properties)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass GetAccessPreviewRequest
+    #   data as a hash:
+    #
+    #       {
+    #         access_preview_id: "AccessPreviewId", # required
+    #         analyzer_arn: "AnalyzerArn", # required
+    #       }
+    #
+    # @!attribute [rw] access_preview_id
+    #   The unique ID for the access preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] analyzer_arn
+    #   The [ARN of the analyzer][1] used to generate the access preview.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAccessPreviewRequest AWS API Documentation
+    #
+    class GetAccessPreviewRequest < Struct.new(
+      :access_preview_id,
+      :analyzer_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] access_preview
+    #   An object that contains information about the access preview.
+    #   @return [Types::AccessPreview]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAccessPreviewResponse AWS API Documentation
+    #
+    class GetAccessPreviewResponse < Struct.new(
+      :access_preview)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Retrieves an analyzed resource.
     #
     # @note When making an API call, you may pass GetAnalyzedResourceRequest
@@ -726,7 +1434,11 @@ module Aws::AccessAnalyzer
     #       }
     #
     # @!attribute [rw] analyzer_arn
-    #   The ARN of the analyzer to retrieve information from.
+    #   The [ARN of the analyzer][1] to retrieve information from.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
     # @!attribute [rw] resource_arn
@@ -745,7 +1457,7 @@ module Aws::AccessAnalyzer
     # The response to the request.
     #
     # @!attribute [rw] resource
-    #   An `AnalyedResource` object that contains information that Access
+    #   An `AnalyzedResource` object that contains information that Access
     #   Analyzer found when it analyzed the resource.
     #   @return [Types::AnalyzedResource]
     #
@@ -845,7 +1557,11 @@ module Aws::AccessAnalyzer
     #       }
     #
     # @!attribute [rw] analyzer_arn
-    #   The ARN of the analyzer that generated the finding.
+    #   The [ARN of the analyzer][1] that generated the finding.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -875,7 +1591,103 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
-    # An criterion statement in an archive rule. Each archive rule may have
+    # @note When making an API call, you may pass GetGeneratedPolicyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         include_resource_placeholders: false,
+    #         include_service_level_template: false,
+    #         job_id: "JobId", # required
+    #       }
+    #
+    # @!attribute [rw] include_resource_placeholders
+    #   The level of detail that you want to generate. You can specify
+    #   whether to generate policies with placeholders for resource ARNs for
+    #   actions that support resource level granularity in policies.
+    #
+    #   For example, in the resource section of a policy, you can receive a
+    #   placeholder such as `"Resource":"arn:aws:s3:::$\{BucketName\}"`
+    #   instead of `"*"`.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] include_service_level_template
+    #   The level of detail that you want to generate. You can specify
+    #   whether to generate service-level policies.
+    #
+    #   Access Analyzer uses `iam:servicelastaccessed` to identify services
+    #   that have been used recently to create this service-level template.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] job_id
+    #   The `JobId` that is returned by the `StartPolicyGeneration`
+    #   operation. The `JobId` can be used with `GetGeneratedPolicy` to
+    #   retrieve the generated policies or used with
+    #   `CancelPolicyGeneration` to cancel the policy generation request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetGeneratedPolicyRequest AWS API Documentation
+    #
+    class GetGeneratedPolicyRequest < Struct.new(
+      :include_resource_placeholders,
+      :include_service_level_template,
+      :job_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] generated_policy_result
+    #   A `GeneratedPolicyResult` object that contains the generated
+    #   policies and associated details.
+    #   @return [Types::GeneratedPolicyResult]
+    #
+    # @!attribute [rw] job_details
+    #   A `GeneratedPolicyDetails` object that contains details about the
+    #   generated policy.
+    #   @return [Types::JobDetails]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetGeneratedPolicyResponse AWS API Documentation
+    #
+    class GetGeneratedPolicyResponse < Struct.new(
+      :generated_policy_result,
+      :job_details)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The proposed access control configuration for an IAM role. You can
+    # propose a configuration for a new IAM role or an existing IAM role
+    # that you own by specifying the trust policy. If the configuration is
+    # for a new IAM role, you must specify the trust policy. If the
+    # configuration is for an existing IAM role that you own and you do not
+    # propose the trust policy, the access preview uses the existing trust
+    # policy for the role. The proposed trust policy cannot be an empty
+    # string. For more information about role trust policy limits, see [IAM
+    # and STS quotas][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
+    #
+    # @note When making an API call, you may pass IamRoleConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         trust_policy: "IamTrustPolicy",
+    #       }
+    #
+    # @!attribute [rw] trust_policy
+    #   The proposed trust policy for the IAM role.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/IamRoleConfiguration AWS API Documentation
+    #
+    class IamRoleConfiguration < Struct.new(
+      :trust_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # An criterion statement in an archive rule. Each archive rule may have
     # multiple criteria.
     #
     # @note When making an API call, you may pass InlineArchiveRule
@@ -928,76 +1740,304 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
-    # Retrieves a list of resources that have been analyzed.
+    # This configuration sets the Amazon S3 access point network origin to
+    # `Internet`.
     #
-    # @note When making an API call, you may pass ListAnalyzedResourcesRequest
+    # @api private
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InternetConfiguration AWS API Documentation
+    #
+    class InternetConfiguration < Aws::EmptyStructure; end
+
+    # Contains details about the policy generation request.
+    #
+    # @!attribute [rw] completed_on
+    #   A timestamp of when the job was completed.
+    #   @return [Time]
+    #
+    # @!attribute [rw] job_error
+    #   Contains the details about the policy generation error.
+    #   @return [Types::JobError]
+    #
+    # @!attribute [rw] job_id
+    #   The `JobId` that is returned by the `StartPolicyGeneration`
+    #   operation. The `JobId` can be used with `GetGeneratedPolicy` to
+    #   retrieve the generated policies or used with
+    #   `CancelPolicyGeneration` to cancel the policy generation request.
+    #   @return [String]
+    #
+    # @!attribute [rw] started_on
+    #   A timestamp of when the job was started.
+    #   @return [Time]
+    #
+    # @!attribute [rw] status
+    #   The status of the job request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/JobDetails AWS API Documentation
+    #
+    class JobDetails < Struct.new(
+      :completed_on,
+      :job_error,
+      :job_id,
+      :started_on,
+      :status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains the details about the policy generation error.
+    #
+    # @!attribute [rw] code
+    #   The job error code.
+    #   @return [String]
+    #
+    # @!attribute [rw] message
+    #   Specific information about the error. For example, which service
+    #   quota was exceeded or which resource was not found.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/JobError AWS API Documentation
+    #
+    class JobError < Struct.new(
+      :code,
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A proposed grant configuration for a KMS key. For more information,
+    # see [CreateGrant][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html
+    #
+    # @note When making an API call, you may pass KmsGrantConfiguration
     #   data as a hash:
     #
     #       {
-    #         analyzer_arn: "AnalyzerArn", # required
-    #         max_results: 1,
-    #         next_token: "Token",
-    #         resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key
+    #         constraints: {
+    #           encryption_context_equals: {
+    #             "KmsConstraintsKey" => "KmsConstraintsValue",
+    #           },
+    #           encryption_context_subset: {
+    #             "KmsConstraintsKey" => "KmsConstraintsValue",
+    #           },
+    #         },
+    #         grantee_principal: "GranteePrincipal", # required
+    #         issuing_account: "IssuingAccount", # required
+    #         operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
+    #         retiring_principal: "RetiringPrincipal",
     #       }
     #
-    # @!attribute [rw] analyzer_arn
-    #   The ARN of the analyzer to retrieve a list of analyzed resources
-    #   from.
-    #   @return [String]
+    # @!attribute [rw] constraints
+    #   Use this structure to propose allowing [cryptographic operations][1]
+    #   in the grant only when the operation request includes the specified
+    #   [encryption context][2].
     #
-    # @!attribute [rw] max_results
-    #   The maximum number of results to return in the response.
-    #   @return [Integer]
     #
-    # @!attribute [rw] next_token
-    #   A token used for pagination of results returned.
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    #   @return [Types::KmsGrantConstraints]
+    #
+    # @!attribute [rw] grantee_principal
+    #   The principal that is given permission to perform the operations
+    #   that the grant permits.
     #   @return [String]
     #
-    # @!attribute [rw] resource_type
-    #   The type of resource.
+    # @!attribute [rw] issuing_account
+    #   The AWS account under which the grant was issued. The account is
+    #   used to propose KMS grants issued by accounts other than the owner
+    #   of the key.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesRequest AWS API Documentation
+    # @!attribute [rw] operations
+    #   A list of operations that the grant permits.
+    #   @return [Array<String>]
     #
-    class ListAnalyzedResourcesRequest < Struct.new(
-      :analyzer_arn,
-      :max_results,
-      :next_token,
-      :resource_type)
+    # @!attribute [rw] retiring_principal
+    #   The principal that is given permission to retire the grant by using
+    #   [RetireGrant][1] operation.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConfiguration AWS API Documentation
+    #
+    class KmsGrantConfiguration < Struct.new(
+      :constraints,
+      :grantee_principal,
+      :issuing_account,
+      :operations,
+      :retiring_principal)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # The response to the request.
+    # Use this structure to propose allowing [cryptographic operations][1]
+    # in the grant only when the operation request includes the specified
+    # [encryption context][2]. You can specify only one type of encryption
+    # context. An empty map is treated as not specified. For more
+    # information, see [GrantConstraints][3].
     #
-    # @!attribute [rw] analyzed_resources
-    #   A list of resources that were analyzed.
-    #   @return [Array<Types::AnalyzedResourceSummary>]
     #
-    # @!attribute [rw] next_token
-    #   A token used for pagination of results returned.
-    #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesResponse AWS API Documentation
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
+    # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html
     #
-    class ListAnalyzedResourcesResponse < Struct.new(
-      :analyzed_resources,
-      :next_token)
+    # @note When making an API call, you may pass KmsGrantConstraints
+    #   data as a hash:
+    #
+    #       {
+    #         encryption_context_equals: {
+    #           "KmsConstraintsKey" => "KmsConstraintsValue",
+    #         },
+    #         encryption_context_subset: {
+    #           "KmsConstraintsKey" => "KmsConstraintsValue",
+    #         },
+    #       }
+    #
+    # @!attribute [rw] encryption_context_equals
+    #   A list of key-value pairs that must match the encryption context in
+    #   the [cryptographic operation][1] request. The grant allows the
+    #   operation only when the encryption context in the request is the
+    #   same as the encryption context specified in this constraint.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   @return [Hash<String,String>]
+    #
+    # @!attribute [rw] encryption_context_subset
+    #   A list of key-value pairs that must be included in the encryption
+    #   context of the [cryptographic operation][1] request. The grant
+    #   allows the cryptographic operation only when the encryption context
+    #   in the request includes the key-value pairs specified in this
+    #   constraint, although it can include additional key-value pairs.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
+    #   @return [Hash<String,String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConstraints AWS API Documentation
+    #
+    class KmsGrantConstraints < Struct.new(
+      :encryption_context_equals,
+      :encryption_context_subset)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # Retrieves a list of analyzers.
+    # Proposed access control configuration for a KMS key. You can propose a
+    # configuration for a new KMS key or an existing KMS key that you own by
+    # specifying the key policy and KMS grant configuration. If the
+    # configuration is for an existing key and you do not specify the key
+    # policy, the access preview uses the existing policy for the key. If
+    # the access preview is for a new resource and you do not specify the
+    # key policy, then the access preview uses the default key policy. The
+    # proposed key policy cannot be an empty string. For more information,
+    # see [Default key policy][1]. For more information about key policy
+    # limits, see [Resource quotas][2].
     #
-    # @note When making an API call, you may pass ListAnalyzersRequest
+    #
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
+    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
+    #
+    # @note When making an API call, you may pass KmsKeyConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         grants: [
+    #           {
+    #             constraints: {
+    #               encryption_context_equals: {
+    #                 "KmsConstraintsKey" => "KmsConstraintsValue",
+    #               },
+    #               encryption_context_subset: {
+    #                 "KmsConstraintsKey" => "KmsConstraintsValue",
+    #               },
+    #             },
+    #             grantee_principal: "GranteePrincipal", # required
+    #             issuing_account: "IssuingAccount", # required
+    #             operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
+    #             retiring_principal: "RetiringPrincipal",
+    #           },
+    #         ],
+    #         key_policies: {
+    #           "PolicyName" => "KmsKeyPolicy",
+    #         },
+    #       }
+    #
+    # @!attribute [rw] grants
+    #   A list of proposed grant configurations for the KMS key. If the
+    #   proposed grant configuration is for an existing key, the access
+    #   preview uses the proposed list of grant configurations in place of
+    #   the existing grants. Otherwise, the access preview uses the existing
+    #   grants for the key.
+    #   @return [Array<Types::KmsGrantConfiguration>]
+    #
+    # @!attribute [rw] key_policies
+    #   Resource policy configuration for the KMS key. The only valid value
+    #   for the name of the key policy is `default`. For more information,
+    #   see [Default key policy][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
+    #   @return [Hash<String,String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsKeyConfiguration AWS API Documentation
+    #
+    class KmsKeyConfiguration < Struct.new(
+      :grants,
+      :key_policies)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass ListAccessPreviewFindingsRequest
     #   data as a hash:
     #
     #       {
+    #         access_preview_id: "AccessPreviewId", # required
+    #         analyzer_arn: "AnalyzerArn", # required
+    #         filter: {
+    #           "String" => {
+    #             contains: ["String"],
+    #             eq: ["String"],
+    #             exists: false,
+    #             neq: ["String"],
+    #           },
+    #         },
     #         max_results: 1,
     #         next_token: "Token",
-    #         type: "ACCOUNT", # accepts ACCOUNT, ORGANIZATION
     #       }
     #
+    # @!attribute [rw] access_preview_id
+    #   The unique ID for the access preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] analyzer_arn
+    #   The [ARN of the analyzer][1] used to generate the access.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
+    #   @return [String]
+    #
+    # @!attribute [rw] filter
+    #   Criteria to filter the returned findings.
+    #   @return [Hash<String,Types::Criterion>]
+    #
     # @!attribute [rw] max_results
     #   The maximum number of results to return in the response.
     #   @return [Integer]
@@ -1006,220 +2046,893 @@ module Aws::AccessAnalyzer
     #   A token used for pagination of results returned.
     #   @return [String]
     #
-    # @!attribute [rw] type
-    #   The type of analyzer.
-    #   @return [String]
-    #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersRequest AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsRequest AWS API Documentation
     #
-    class ListAnalyzersRequest < Struct.new(
+    class ListAccessPreviewFindingsRequest < Struct.new(
+      :access_preview_id,
+      :analyzer_arn,
+      :filter,
       :max_results,
-      :next_token,
-      :type)
+      :next_token)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # The response to the request.
-    #
-    # @!attribute [rw] analyzers
-    #   The analyzers retrieved.
-    #   @return [Array<Types::AnalyzerSummary>]
+    # @!attribute [rw] findings
+    #   A list of access preview findings that match the specified filter
+    #   criteria.
+    #   @return [Array<Types::AccessPreviewFinding>]
     #
     # @!attribute [rw] next_token
     #   A token used for pagination of results returned.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersResponse AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsResponse AWS API Documentation
     #
-    class ListAnalyzersResponse < Struct.new(
-      :analyzers,
+    class ListAccessPreviewFindingsResponse < Struct.new(
+      :findings,
       :next_token)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # Retrieves a list of archive rules created for the specified analyzer.
-    #
-    # @note When making an API call, you may pass ListArchiveRulesRequest
+    # @note When making an API call, you may pass ListAccessPreviewsRequest
     #   data as a hash:
     #
     #       {
-    #         analyzer_name: "Name", # required
+    #         analyzer_arn: "AnalyzerArn", # required
     #         max_results: 1,
     #         next_token: "Token",
     #       }
     #
-    # @!attribute [rw] analyzer_name
-    #   The name of the analyzer to retrieve rules from.
+    # @!attribute [rw] analyzer_arn
+    #   The [ARN of the analyzer][1] used to generate the access preview.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
     # @!attribute [rw] max_results
-    #   The maximum number of results to return in the request.
+    #   The maximum number of results to return in the response.
     #   @return [Integer]
     #
     # @!attribute [rw] next_token
     #   A token used for pagination of results returned.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesRequest AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsRequest AWS API Documentation
     #
-    class ListArchiveRulesRequest < Struct.new(
-      :analyzer_name,
+    class ListAccessPreviewsRequest < Struct.new(
+      :analyzer_arn,
       :max_results,
       :next_token)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # The response to the request.
-    #
-    # @!attribute [rw] archive_rules
-    #   A list of archive rules created for the specified analyzer.
-    #   @return [Array<Types::ArchiveRuleSummary>]
+    # @!attribute [rw] access_previews
+    #   A list of access previews retrieved for the analyzer.
+    #   @return [Array<Types::AccessPreviewSummary>]
     #
     # @!attribute [rw] next_token
     #   A token used for pagination of results returned.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesResponse AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsResponse AWS API Documentation
     #
-    class ListArchiveRulesResponse < Struct.new(
-      :archive_rules,
+    class ListAccessPreviewsResponse < Struct.new(
+      :access_previews,
       :next_token)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # Retrieves a list of findings generated by the specified analyzer.
+    # Retrieves a list of resources that have been analyzed.
     #
-    # @note When making an API call, you may pass ListFindingsRequest
+    # @note When making an API call, you may pass ListAnalyzedResourcesRequest
     #   data as a hash:
     #
     #       {
     #         analyzer_arn: "AnalyzerArn", # required
-    #         filter: {
-    #           "String" => {
-    #             contains: ["String"],
-    #             eq: ["String"],
-    #             exists: false,
-    #             neq: ["String"],
-    #           },
-    #         },
     #         max_results: 1,
     #         next_token: "Token",
-    #         sort: {
-    #           attribute_name: "String",
-    #           order_by: "ASC", # accepts ASC, DESC
+    #         resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key, AWS::SecretsManager::Secret
+    #       }
+    #
+    # @!attribute [rw] analyzer_arn
+    #   The [ARN of the analyzer][1] to retrieve a list of analyzed
+    #   resources from.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the response.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_type
+    #   The type of resource.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesRequest AWS API Documentation
+    #
+    class ListAnalyzedResourcesRequest < Struct.new(
+      :analyzer_arn,
+      :max_results,
+      :next_token,
+      :resource_type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The response to the request.
+    #
+    # @!attribute [rw] analyzed_resources
+    #   A list of resources that were analyzed.
+    #   @return [Array<Types::AnalyzedResourceSummary>]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesResponse AWS API Documentation
+    #
+    class ListAnalyzedResourcesResponse < Struct.new(
+      :analyzed_resources,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Retrieves a list of analyzers.
+    #
+    # @note When making an API call, you may pass ListAnalyzersRequest
+    #   data as a hash:
+    #
+    #       {
+    #         max_results: 1,
+    #         next_token: "Token",
+    #         type: "ACCOUNT", # accepts ACCOUNT, ORGANIZATION
+    #       }
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the response.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @!attribute [rw] type
+    #   The type of analyzer.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersRequest AWS API Documentation
+    #
+    class ListAnalyzersRequest < Struct.new(
+      :max_results,
+      :next_token,
+      :type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The response to the request.
+    #
+    # @!attribute [rw] analyzers
+    #   The analyzers retrieved.
+    #   @return [Array<Types::AnalyzerSummary>]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersResponse AWS API Documentation
+    #
+    class ListAnalyzersResponse < Struct.new(
+      :analyzers,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Retrieves a list of archive rules created for the specified analyzer.
+    #
+    # @note When making an API call, you may pass ListArchiveRulesRequest
+    #   data as a hash:
+    #
+    #       {
+    #         analyzer_name: "Name", # required
+    #         max_results: 1,
+    #         next_token: "Token",
+    #       }
+    #
+    # @!attribute [rw] analyzer_name
+    #   The name of the analyzer to retrieve rules from.
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the request.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesRequest AWS API Documentation
+    #
+    class ListArchiveRulesRequest < Struct.new(
+      :analyzer_name,
+      :max_results,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The response to the request.
+    #
+    # @!attribute [rw] archive_rules
+    #   A list of archive rules created for the specified analyzer.
+    #   @return [Array<Types::ArchiveRuleSummary>]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesResponse AWS API Documentation
+    #
+    class ListArchiveRulesResponse < Struct.new(
+      :archive_rules,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Retrieves a list of findings generated by the specified analyzer.
+    #
+    # @note When making an API call, you may pass ListFindingsRequest
+    #   data as a hash:
+    #
+    #       {
+    #         analyzer_arn: "AnalyzerArn", # required
+    #         filter: {
+    #           "String" => {
+    #             contains: ["String"],
+    #             eq: ["String"],
+    #             exists: false,
+    #             neq: ["String"],
+    #           },
+    #         },
+    #         max_results: 1,
+    #         next_token: "Token",
+    #         sort: {
+    #           attribute_name: "String",
+    #           order_by: "ASC", # accepts ASC, DESC
+    #         },
+    #       }
+    #
+    # @!attribute [rw] analyzer_arn
+    #   The [ARN of the analyzer][1] to retrieve findings from.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
+    #   @return [String]
+    #
+    # @!attribute [rw] filter
+    #   A filter to match for the findings to return.
+    #   @return [Hash<String,Types::Criterion>]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the response.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @!attribute [rw] sort
+    #   The sort order for the findings returned.
+    #   @return [Types::SortCriteria]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsRequest AWS API Documentation
+    #
+    class ListFindingsRequest < Struct.new(
+      :analyzer_arn,
+      :filter,
+      :max_results,
+      :next_token,
+      :sort)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The response to the request.
+    #
+    # @!attribute [rw] findings
+    #   A list of findings retrieved from the analyzer that match the filter
+    #   criteria specified, if any.
+    #   @return [Array<Types::FindingSummary>]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsResponse AWS API Documentation
+    #
+    class ListFindingsResponse < Struct.new(
+      :findings,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass ListPolicyGenerationsRequest
+    #   data as a hash:
+    #
+    #       {
+    #         max_results: 1,
+    #         next_token: "Token",
+    #         principal_arn: "PrincipalArn",
+    #       }
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the response.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @!attribute [rw] principal_arn
+    #   The ARN of the IAM entity (user or role) for which you are
+    #   generating a policy. Use this with `ListGeneratedPolicies` to filter
+    #   the results to only include results for a specific principal.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListPolicyGenerationsRequest AWS API Documentation
+    #
+    class ListPolicyGenerationsRequest < Struct.new(
+      :max_results,
+      :next_token,
+      :principal_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @!attribute [rw] policy_generations
+    #   A `PolicyGeneration` object that contains details about the
+    #   generated policy.
+    #   @return [Array<Types::PolicyGeneration>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListPolicyGenerationsResponse AWS API Documentation
+    #
+    class ListPolicyGenerationsResponse < Struct.new(
+      :next_token,
+      :policy_generations)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Retrieves a list of tags applied to the specified resource.
+    #
+    # @note When making an API call, you may pass ListTagsForResourceRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resource_arn: "String", # required
+    #       }
+    #
+    # @!attribute [rw] resource_arn
+    #   The ARN of the resource to retrieve tags from.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListTagsForResourceRequest AWS API Documentation
+    #
+    class ListTagsForResourceRequest < Struct.new(
+      :resource_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The response to the request.
+    #
+    # @!attribute [rw] tags
+    #   The tags that are applied to the specified resource.
+    #   @return [Hash<String,String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListTagsForResourceResponse AWS API Documentation
+    #
+    class ListTagsForResourceResponse < Struct.new(
+      :tags)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A location in a policy that is represented as a path through the JSON
+    # representation and a corresponding span.
+    #
+    # @!attribute [rw] path
+    #   A path in a policy, represented as a sequence of path elements.
+    #   @return [Array<Types::PathElement>]
+    #
+    # @!attribute [rw] span
+    #   A span in a policy.
+    #   @return [Types::Span]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Location AWS API Documentation
+    #
+    class Location < Struct.new(
+      :path,
+      :span)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The proposed `InternetConfiguration` or `VpcConfiguration` to apply to
+    # the Amazon S3 Access point. You can make the access point accessible
+    # from the internet, or you can specify that all requests made through
+    # that access point must originate from a specific virtual private cloud
+    # (VPC). You can specify only one type of network configuration. For
+    # more information, see [Creating access points][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
+    #
+    # @note When making an API call, you may pass NetworkOriginConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         internet_configuration: {
+    #         },
+    #         vpc_configuration: {
+    #           vpc_id: "VpcId", # required
+    #         },
+    #       }
+    #
+    # @!attribute [rw] internet_configuration
+    #   The configuration for the Amazon S3 access point with an `Internet`
+    #   origin.
+    #   @return [Types::InternetConfiguration]
+    #
+    # @!attribute [rw] vpc_configuration
+    #   The proposed virtual private cloud (VPC) configuration for the
+    #   Amazon S3 access point. For more information, see
+    #   [VpcConfiguration][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
+    #   @return [Types::VpcConfiguration]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/NetworkOriginConfiguration AWS API Documentation
+    #
+    class NetworkOriginConfiguration < Struct.new(
+      :internet_configuration,
+      :vpc_configuration)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A single element in a path through the JSON representation of a
+    # policy.
+    #
+    # @!attribute [rw] index
+    #   Refers to an index in a JSON array.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] key
+    #   Refers to a key in a JSON object.
+    #   @return [String]
+    #
+    # @!attribute [rw] substring
+    #   Refers to a substring of a literal string in a JSON object.
+    #   @return [Types::Substring]
+    #
+    # @!attribute [rw] value
+    #   Refers to the value associated with a given key in a JSON object.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PathElement AWS API Documentation
+    #
+    class PathElement < Struct.new(
+      :index,
+      :key,
+      :substring,
+      :value)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains details about the policy generation status and properties.
+    #
+    # @!attribute [rw] completed_on
+    #   A timestamp of when the policy generation was completed.
+    #   @return [Time]
+    #
+    # @!attribute [rw] job_id
+    #   The `JobId` that is returned by the `StartPolicyGeneration`
+    #   operation. The `JobId` can be used with `GetGeneratedPolicy` to
+    #   retrieve the generated policies or used with
+    #   `CancelPolicyGeneration` to cancel the policy generation request.
+    #   @return [String]
+    #
+    # @!attribute [rw] principal_arn
+    #   The ARN of the IAM entity (user or role) for which you are
+    #   generating a policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] started_on
+    #   A timestamp of when the policy generation started.
+    #   @return [Time]
+    #
+    # @!attribute [rw] status
+    #   The status of the policy generation request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PolicyGeneration AWS API Documentation
+    #
+    class PolicyGeneration < Struct.new(
+      :completed_on,
+      :job_id,
+      :principal_arn,
+      :started_on,
+      :status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains the ARN details about the IAM entity for which the policy is
+    # generated.
+    #
+    # @note When making an API call, you may pass PolicyGenerationDetails
+    #   data as a hash:
+    #
+    #       {
+    #         principal_arn: "PrincipalArn", # required
+    #       }
+    #
+    # @!attribute [rw] principal_arn
+    #   The ARN of the IAM entity (user or role) for which you are
+    #   generating a policy.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PolicyGenerationDetails AWS API Documentation
+    #
+    class PolicyGenerationDetails < Struct.new(
+      :principal_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A position in a policy.
+    #
+    # @!attribute [rw] column
+    #   The column of the position, starting from 0.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] line
+    #   The line of the position, starting from 1.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] offset
+    #   The offset within the policy that corresponds to the position,
+    #   starting from 0.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Position AWS API Documentation
+    #
+    class Position < Struct.new(
+      :column,
+      :line,
+      :offset)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The specified resource could not be found.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_id
+    #   The ID of the resource.
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_type
+    #   The type of the resource.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ResourceNotFoundException AWS API Documentation
+    #
+    class ResourceNotFoundException < Struct.new(
+      :message,
+      :resource_id,
+      :resource_type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The configuration for an Amazon S3 access point for the bucket. You
+    # can propose up to 10 access points per bucket. If the proposed Amazon
+    # S3 access point configuration is for an existing bucket, the access
+    # preview uses the proposed access point configuration in place of the
+    # existing access points. To propose an access point without a policy,
+    # you can provide an empty string as the access point policy. For more
+    # information, see [Creating access points][1]. For more information
+    # about access point policy limits, see [Access points restrictions and
+    # limitations][2].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/https:/docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
+    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points-restrictions-limitations.html
+    #
+    # @note When making an API call, you may pass S3AccessPointConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         access_point_policy: "AccessPointPolicy",
+    #         network_origin: {
+    #           internet_configuration: {
+    #           },
+    #           vpc_configuration: {
+    #             vpc_id: "VpcId", # required
+    #           },
+    #         },
+    #         public_access_block: {
+    #           ignore_public_acls: false, # required
+    #           restrict_public_buckets: false, # required
+    #         },
+    #       }
+    #
+    # @!attribute [rw] access_point_policy
+    #   The access point policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] network_origin
+    #   The proposed `Internet` and `VpcConfiguration` to apply to this
+    #   Amazon S3 access point. If the access preview is for a new resource
+    #   and neither is specified, the access preview uses `Internet` for the
+    #   network origin. If the access preview is for an existing resource
+    #   and neither is specified, the access preview uses the exiting
+    #   network origin.
+    #   @return [Types::NetworkOriginConfiguration]
+    #
+    # @!attribute [rw] public_access_block
+    #   The proposed `S3PublicAccessBlock` configuration to apply to this
+    #   Amazon S3 Access Point.
+    #   @return [Types::S3PublicAccessBlockConfiguration]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3AccessPointConfiguration AWS API Documentation
+    #
+    class S3AccessPointConfiguration < Struct.new(
+      :access_point_policy,
+      :network_origin,
+      :public_access_block)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A proposed access control list grant configuration for an Amazon S3
+    # bucket. For more information, see [How to Specify an ACL][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#setting-acls
+    #
+    # @note When making an API call, you may pass S3BucketAclGrantConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         grantee: { # required
+    #           id: "AclCanonicalId",
+    #           uri: "AclUri",
+    #         },
+    #         permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
+    #       }
+    #
+    # @!attribute [rw] grantee
+    #   The grantee to whom you’re assigning access rights.
+    #   @return [Types::AclGrantee]
+    #
+    # @!attribute [rw] permission
+    #   The permissions being granted.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketAclGrantConfiguration AWS API Documentation
+    #
+    class S3BucketAclGrantConfiguration < Struct.new(
+      :grantee,
+      :permission)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Proposed access control configuration for an Amazon S3 bucket. You can
+    # propose a configuration for a new Amazon S3 bucket or an existing
+    # Amazon S3 bucket that you own by specifying the Amazon S3 bucket
+    # policy, bucket ACLs, bucket BPA settings, and Amazon S3 access points
+    # attached to the bucket. If the configuration is for an existing Amazon
+    # S3 bucket and you do not specify the Amazon S3 bucket policy, the
+    # access preview uses the existing policy attached to the bucket. If the
+    # access preview is for a new resource and you do not specify the Amazon
+    # S3 bucket policy, the access preview assumes a bucket without a
+    # policy. To propose deletion of an existing bucket policy, you can
+    # specify an empty string. For more information about bucket policy
+    # limits, see [Bucket Policy Examples][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
+    #
+    # @note When making an API call, you may pass S3BucketConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         access_points: {
+    #           "AccessPointArn" => {
+    #             access_point_policy: "AccessPointPolicy",
+    #             network_origin: {
+    #               internet_configuration: {
+    #               },
+    #               vpc_configuration: {
+    #                 vpc_id: "VpcId", # required
+    #               },
+    #             },
+    #             public_access_block: {
+    #               ignore_public_acls: false, # required
+    #               restrict_public_buckets: false, # required
+    #             },
+    #           },
+    #         },
+    #         bucket_acl_grants: [
+    #           {
+    #             grantee: { # required
+    #               id: "AclCanonicalId",
+    #               uri: "AclUri",
+    #             },
+    #             permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
+    #           },
+    #         ],
+    #         bucket_policy: "S3BucketPolicy",
+    #         bucket_public_access_block: {
+    #           ignore_public_acls: false, # required
+    #           restrict_public_buckets: false, # required
     #         },
     #       }
     #
-    # @!attribute [rw] analyzer_arn
-    #   The ARN of the analyzer to retrieve findings from.
-    #   @return [String]
-    #
-    # @!attribute [rw] filter
-    #   A filter to match for the findings to return.
-    #   @return [Hash<String,Types::Criterion>]
+    # @!attribute [rw] access_points
+    #   The configuration of Amazon S3 access points for the bucket.
+    #   @return [Hash<String,Types::S3AccessPointConfiguration>]
     #
-    # @!attribute [rw] max_results
-    #   The maximum number of results to return in the response.
-    #   @return [Integer]
+    # @!attribute [rw] bucket_acl_grants
+    #   The proposed list of ACL grants for the Amazon S3 bucket. You can
+    #   propose up to 100 ACL grants per bucket. If the proposed grant
+    #   configuration is for an existing bucket, the access preview uses the
+    #   proposed list of grant configurations in place of the existing
+    #   grants. Otherwise, the access preview uses the existing grants for
+    #   the bucket.
+    #   @return [Array<Types::S3BucketAclGrantConfiguration>]
     #
-    # @!attribute [rw] next_token
-    #   A token used for pagination of results returned.
+    # @!attribute [rw] bucket_policy
+    #   The proposed bucket policy for the Amazon S3 bucket.
     #   @return [String]
     #
-    # @!attribute [rw] sort
-    #   The sort order for the findings returned.
-    #   @return [Types::SortCriteria]
+    # @!attribute [rw] bucket_public_access_block
+    #   The proposed block public access configuration for the Amazon S3
+    #   bucket.
+    #   @return [Types::S3PublicAccessBlockConfiguration]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsRequest AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketConfiguration AWS API Documentation
     #
-    class ListFindingsRequest < Struct.new(
-      :analyzer_arn,
-      :filter,
-      :max_results,
-      :next_token,
-      :sort)
+    class S3BucketConfiguration < Struct.new(
+      :access_points,
+      :bucket_acl_grants,
+      :bucket_policy,
+      :bucket_public_access_block)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # The response to the request.
-    #
-    # @!attribute [rw] findings
-    #   A list of findings retrieved from the analyzer that match the filter
-    #   criteria specified, if any.
-    #   @return [Array<Types::FindingSummary>]
+    # The `PublicAccessBlock` configuration to apply to this Amazon S3
+    # bucket. If the proposed configuration is for an existing Amazon S3
+    # bucket and the configuration is not specified, the access preview uses
+    # the existing setting. If the proposed configuration is for a new
+    # bucket and the configuration is not specified, the access preview uses
+    # `false`. If the proposed configuration is for a new access point and
+    # the access point BPA configuration is not specified, the access
+    # preview uses `true`. For more information, see
+    # [PublicAccessBlockConfiguration][1].
     #
-    # @!attribute [rw] next_token
-    #   A token used for pagination of results returned.
-    #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsResponse AWS API Documentation
     #
-    class ListFindingsResponse < Struct.new(
-      :findings,
-      :next_token)
-      SENSITIVE = []
-      include Aws::Structure
-    end
-
-    # Retrieves a list of tags applied to the specified resource.
+    # [1]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html
     #
-    # @note When making an API call, you may pass ListTagsForResourceRequest
+    # @note When making an API call, you may pass S3PublicAccessBlockConfiguration
     #   data as a hash:
     #
     #       {
-    #         resource_arn: "String", # required
+    #         ignore_public_acls: false, # required
+    #         restrict_public_buckets: false, # required
     #       }
     #
-    # @!attribute [rw] resource_arn
-    #   The ARN of the resource to retrieve tags from.
-    #   @return [String]
+    # @!attribute [rw] ignore_public_acls
+    #   Specifies whether Amazon S3 should ignore public ACLs for this
+    #   bucket and objects in this bucket.
+    #   @return [Boolean]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListTagsForResourceRequest AWS API Documentation
+    # @!attribute [rw] restrict_public_buckets
+    #   Specifies whether Amazon S3 should restrict public bucket policies
+    #   for this bucket.
+    #   @return [Boolean]
     #
-    class ListTagsForResourceRequest < Struct.new(
-      :resource_arn)
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3PublicAccessBlockConfiguration AWS API Documentation
+    #
+    class S3PublicAccessBlockConfiguration < Struct.new(
+      :ignore_public_acls,
+      :restrict_public_buckets)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # The response to the request.
+    # The configuration for a Secrets Manager secret. For more information,
+    # see [CreateSecret][1].
     #
-    # @!attribute [rw] tags
-    #   The tags that are applied to the specified resource.
-    #   @return [Hash<String,String>]
+    # You can propose a configuration for a new secret or an existing secret
+    # that you own by specifying the secret policy and optional KMS
+    # encryption key. If the configuration is for an existing secret and you
+    # do not specify the secret policy, the access preview uses the existing
+    # policy for the secret. If the access preview is for a new resource and
+    # you do not specify the policy, the access preview assumes a secret
+    # without a policy. To propose deletion of an existing policy, you can
+    # specify an empty string. If the proposed configuration is for a new
+    # secret and you do not specify the KMS key ID, the access preview uses
+    # the default CMK of the AWS account. If you specify an empty string for
+    # the KMS key ID, the access preview uses the default CMK of the AWS
+    # account. For more information about secret policy limits, see [Quotas
+    # for AWS Secrets Manager.][2].
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListTagsForResourceResponse AWS API Documentation
     #
-    class ListTagsForResourceResponse < Struct.new(
-      :tags)
-      SENSITIVE = []
-      include Aws::Structure
-    end
-
-    # The specified resource could not be found.
     #
-    # @!attribute [rw] message
-    #   @return [String]
+    # [1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html
+    # [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html
     #
-    # @!attribute [rw] resource_id
-    #   The ID of the resource.
+    # @note When making an API call, you may pass SecretsManagerSecretConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         kms_key_id: "SecretsManagerSecretKmsId",
+    #         secret_policy: "SecretsManagerSecretPolicy",
+    #       }
+    #
+    # @!attribute [rw] kms_key_id
+    #   The proposed ARN, key ID, or alias of the AWS KMS customer master
+    #   key (CMK).
     #   @return [String]
     #
-    # @!attribute [rw] resource_type
-    #   The type of the resource.
+    # @!attribute [rw] secret_policy
+    #   The proposed resource policy defining who can access or manage the
+    #   secret.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ResourceNotFoundException AWS API Documentation
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SecretsManagerSecretConfiguration AWS API Documentation
     #
-    class ResourceNotFoundException < Struct.new(
-      :message,
-      :resource_id,
-      :resource_type)
+    class SecretsManagerSecretConfiguration < Struct.new(
+      :kms_key_id,
+      :secret_policy)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1274,6 +2987,132 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # A span in a policy. The span consists of a start position (inclusive)
+    # and end position (exclusive).
+    #
+    # @!attribute [rw] end
+    #   The end position of the span (exclusive).
+    #   @return [Types::Position]
+    #
+    # @!attribute [rw] start
+    #   The start position of the span (inclusive).
+    #   @return [Types::Position]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Span AWS API Documentation
+    #
+    class Span < Struct.new(
+      :end,
+      :start)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The proposed access control configuration for an SQS queue. You can
+    # propose a configuration for a new SQS queue or an existing SQS queue
+    # that you own by specifying the SQS policy. If the configuration is for
+    # an existing SQS queue and you do not specify the SQS policy, the
+    # access preview uses the existing SQS policy for the queue. If the
+    # access preview is for a new resource and you do not specify the
+    # policy, the access preview assumes an SQS queue without a policy. To
+    # propose deletion of an existing SQS queue policy, you can specify an
+    # empty string for the SQS policy. For more information about SQS policy
+    # limits, see [Quotas related to policies][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-policies.html
+    #
+    # @note When making an API call, you may pass SqsQueueConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         queue_policy: "SqsQueuePolicy",
+    #       }
+    #
+    # @!attribute [rw] queue_policy
+    #   The proposed resource policy for the SQS queue.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SqsQueueConfiguration AWS API Documentation
+    #
+    class SqsQueueConfiguration < Struct.new(
+      :queue_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass StartPolicyGenerationRequest
+    #   data as a hash:
+    #
+    #       {
+    #         client_token: "String",
+    #         cloud_trail_details: {
+    #           access_role: "RoleArn", # required
+    #           end_time: Time.now,
+    #           start_time: Time.now, # required
+    #           trails: [ # required
+    #             {
+    #               all_regions: false,
+    #               cloud_trail_arn: "CloudTrailArn", # required
+    #               regions: ["String"],
+    #             },
+    #           ],
+    #         },
+    #         policy_generation_details: { # required
+    #           principal_arn: "PrincipalArn", # required
+    #         },
+    #       }
+    #
+    # @!attribute [rw] client_token
+    #   A unique, case-sensitive identifier that you provide to ensure the
+    #   idempotency of the request. Idempotency ensures that an API request
+    #   completes only once. With an idempotent request, if the original
+    #   request completes successfully, the subsequent retries with the same
+    #   client token return the result from the original successful request
+    #   and they have no additional effect.
+    #
+    #   If you do not specify a client token, one is automatically generated
+    #   by the AWS SDK.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.
+    #   @return [String]
+    #
+    # @!attribute [rw] cloud_trail_details
+    #   A `CloudTrailDetails` object that contains details about a `Trail`
+    #   that you want to analyze to generate policies.
+    #   @return [Types::CloudTrailDetails]
+    #
+    # @!attribute [rw] policy_generation_details
+    #   Contains the ARN of the IAM entity (user or role) for which you are
+    #   generating a policy.
+    #   @return [Types::PolicyGenerationDetails]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/StartPolicyGenerationRequest AWS API Documentation
+    #
+    class StartPolicyGenerationRequest < Struct.new(
+      :client_token,
+      :cloud_trail_details,
+      :policy_generation_details)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] job_id
+    #   The `JobId` that is returned by the `StartPolicyGeneration`
+    #   operation. The `JobId` can be used with `GetGeneratedPolicy` to
+    #   retrieve the generated policies or used with
+    #   `CancelPolicyGeneration` to cancel the policy generation request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/StartPolicyGenerationResponse AWS API Documentation
+    #
+    class StartPolicyGenerationResponse < Struct.new(
+      :job_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Starts a scan of the policies applied to the specified resource.
     #
     # @note When making an API call, you may pass StartResourceScanRequest
@@ -1285,8 +3124,12 @@ module Aws::AccessAnalyzer
     #       }
     #
     # @!attribute [rw] analyzer_arn
-    #   The ARN of the analyzer to use to scan the policies applied to the
-    #   specified resource.
+    #   The [ARN of the analyzer][1] to use to scan the policies applied to
+    #   the specified resource.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
     # @!attribute [rw] resource_arn
@@ -1304,7 +3147,7 @@ module Aws::AccessAnalyzer
 
     # Provides more details about the current status of the analyzer. For
     # example, if the creation for the analyzer fails, a `Failed` status is
-    # displayed. For an analyzer with organization as the type, this failure
+    # returned. For an analyzer with organization as the type, this failure
     # can be due to an issue with creating the service-linked roles required
     # in the member accounts of the AWS organization.
     #
@@ -1320,6 +3163,25 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # A reference to a substring of a literal string in a JSON document.
+    #
+    # @!attribute [rw] length
+    #   The length of the substring.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] start
+    #   The start index of the substring, starting from 0.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Substring AWS API Documentation
+    #
+    class Substring < Struct.new(
+      :length,
+      :start)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Adds a tag to the specified resource.
     #
     # @note When making an API call, you may pass TagResourceRequest
@@ -1373,6 +3235,73 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # Contains details about the CloudTrail trail being analyzed to generate
+    # a policy.
+    #
+    # @note When making an API call, you may pass Trail
+    #   data as a hash:
+    #
+    #       {
+    #         all_regions: false,
+    #         cloud_trail_arn: "CloudTrailArn", # required
+    #         regions: ["String"],
+    #       }
+    #
+    # @!attribute [rw] all_regions
+    #   Possible values are `true` or `false`. If set to `true`, Access
+    #   Analyzer retrieves CloudTrail data from all regions to analyze and
+    #   generate a policy.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] cloud_trail_arn
+    #   Specifies the ARN of the trail. The format of a trail ARN is
+    #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`.
+    #   @return [String]
+    #
+    # @!attribute [rw] regions
+    #   A list of regions to get CloudTrail data from and analyze to
+    #   generate a policy.
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Trail AWS API Documentation
+    #
+    class Trail < Struct.new(
+      :all_regions,
+      :cloud_trail_arn,
+      :regions)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains details about the CloudTrail trail being analyzed to generate
+    # a policy.
+    #
+    # @!attribute [rw] all_regions
+    #   Possible values are `true` or `false`. If set to `true`, Access
+    #   Analyzer retrieves CloudTrail data from all regions to analyze and
+    #   generate a policy.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] cloud_trail_arn
+    #   Specifies the ARN of the trail. The format of a trail ARN is
+    #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`.
+    #   @return [String]
+    #
+    # @!attribute [rw] regions
+    #   A list of regions to get CloudTrail data from and analyze to
+    #   generate a policy.
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/TrailProperties AWS API Documentation
+    #
+    class TrailProperties < Struct.new(
+      :all_regions,
+      :cloud_trail_arn,
+      :regions)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Removes a tag from the specified resource.
     #
     # @note When making an API call, you may pass UntagResourceRequest
@@ -1470,7 +3399,11 @@ module Aws::AccessAnalyzer
     #       }
     #
     # @!attribute [rw] analyzer_arn
-    #   The ARN of the analyzer that generated the findings to update.
+    #   The [ARN of the analyzer][1] that generated the findings to update.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
     # @!attribute [rw] client_token
@@ -1507,6 +3440,127 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # A finding in a policy. Each finding is an actionable recommendation
+    # that can be used to improve the policy.
+    #
+    # @!attribute [rw] finding_details
+    #   A localized message that explains the finding and provides guidance
+    #   on how to address it.
+    #   @return [String]
+    #
+    # @!attribute [rw] finding_type
+    #   The impact of the finding.
+    #
+    #   Security warnings report when the policy allows access that we
+    #   consider overly permissive.
+    #
+    #   Errors report when a part of the policy is not functional.
+    #
+    #   Warnings report non-security issues when a policy does not conform
+    #   to policy writing best practices.
+    #
+    #   Suggestions recommend stylistic improvements in the policy that do
+    #   not impact access.
+    #   @return [String]
+    #
+    # @!attribute [rw] issue_code
+    #   The issue code provides an identifier of the issue associated with
+    #   this finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] learn_more_link
+    #   A link to additional documentation about the type of finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] locations
+    #   The list of locations in the policy document that are related to the
+    #   finding. The issue code provides a summary of an issue identified by
+    #   the finding.
+    #   @return [Array<Types::Location>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyFinding AWS API Documentation
+    #
+    class ValidatePolicyFinding < Struct.new(
+      :finding_details,
+      :finding_type,
+      :issue_code,
+      :learn_more_link,
+      :locations)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass ValidatePolicyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         locale: "DE", # accepts DE, EN, ES, FR, IT, JA, KO, PT_BR, ZH_CN, ZH_TW
+    #         max_results: 1,
+    #         next_token: "Token",
+    #         policy_document: "PolicyDocument", # required
+    #         policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY
+    #       }
+    #
+    # @!attribute [rw] locale
+    #   The locale to use for localizing the findings.
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the response.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @!attribute [rw] policy_document
+    #   The JSON policy document to use as the content for the policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] policy_type
+    #   The type of policy to validate. Identity policies grant permissions
+    #   to IAM principals. Identity policies include managed and inline
+    #   policies for IAM roles, users, and groups. They also include
+    #   service-control policies (SCPs) that are attached to an AWS
+    #   organization, organizational unit (OU), or an account.
+    #
+    #   Resource policies grant permissions on AWS resources. Resource
+    #   policies include trust policies for IAM roles and bucket policies
+    #   for S3 buckets. You can provide a generic input such as identity
+    #   policy or resource policy or a specific input such as managed policy
+    #   or S3 bucket policy.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyRequest AWS API Documentation
+    #
+    class ValidatePolicyRequest < Struct.new(
+      :locale,
+      :max_results,
+      :next_token,
+      :policy_document,
+      :policy_type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] findings
+    #   The list of findings in a policy returned by Access Analyzer based
+    #   on its suite of policy checks.
+    #   @return [Array<Types::ValidatePolicyFinding>]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyResponse AWS API Documentation
+    #
+    class ValidatePolicyResponse < Struct.new(
+      :findings,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Validation exception error.
     #
     # @!attribute [rw] field_list
@@ -1549,5 +3603,32 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # The proposed virtual private cloud (VPC) configuration for the Amazon
+    # S3 access point. For more information, see [VpcConfiguration][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
+    #
+    # @note When making an API call, you may pass VpcConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         vpc_id: "VpcId", # required
+    #       }
+    #
+    # @!attribute [rw] vpc_id
+    #   If this field is specified, this access point will only allow
+    #   connections from the specified VPC ID.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/VpcConfiguration AWS API Documentation
+    #
+    class VpcConfiguration < Struct.new(
+      :vpc_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
   end
 end