aws-sdk-accessanalyzer 1.14.0 → 1.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -3,7 +3,7 @@
3
3
  # WARNING ABOUT GENERATED CODE
4
4
  #
5
5
  # This file is generated. See the contributing guide for more information:
6
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
6
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
@@ -3,7 +3,7 @@
3
3
  # WARNING ABOUT GENERATED CODE
4
4
  #
5
5
  # This file is generated. See the contributing guide for more information:
6
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
6
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
@@ -3,7 +3,7 @@
3
3
  # WARNING ABOUT GENERATED CODE
4
4
  #
5
5
  # This file is generated. See the contributing guide for more information:
6
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
6
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
@@ -23,6 +23,266 @@ module Aws::AccessAnalyzer
23
23
  include Aws::Structure
24
24
  end
25
25
 
26
+ # Contains information about an access preview.
27
+ #
28
+ # @!attribute [rw] analyzer_arn
29
+ # The ARN of the analyzer used to generate the access preview.
30
+ # @return [String]
31
+ #
32
+ # @!attribute [rw] configurations
33
+ # A map of resource ARNs for the proposed resource configuration.
34
+ # @return [Hash<String,Types::Configuration>]
35
+ #
36
+ # @!attribute [rw] created_at
37
+ # The time at which the access preview was created.
38
+ # @return [Time]
39
+ #
40
+ # @!attribute [rw] id
41
+ # The unique ID for the access preview.
42
+ # @return [String]
43
+ #
44
+ # @!attribute [rw] status
45
+ # The status of the access preview.
46
+ #
47
+ # * `Creating` - The access preview creation is in progress.
48
+ #
49
+ # * `Completed` - The access preview is complete. You can preview
50
+ # findings for external access to the resource.
51
+ #
52
+ # * `Failed` - The access preview creation has failed.
53
+ # @return [String]
54
+ #
55
+ # @!attribute [rw] status_reason
56
+ # Provides more details about the current status of the access
57
+ # preview.
58
+ #
59
+ # For example, if the creation of the access preview fails, a `Failed`
60
+ # status is returned. This failure can be due to an internal issue
61
+ # with the analysis or due to an invalid resource configuration.
62
+ # @return [Types::AccessPreviewStatusReason]
63
+ #
64
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreview AWS API Documentation
65
+ #
66
+ class AccessPreview < Struct.new(
67
+ :analyzer_arn,
68
+ :configurations,
69
+ :created_at,
70
+ :id,
71
+ :status,
72
+ :status_reason)
73
+ SENSITIVE = []
74
+ include Aws::Structure
75
+ end
76
+
77
+ # An access preview finding generated by the access preview.
78
+ #
79
+ # @!attribute [rw] action
80
+ # The action in the analyzed policy statement that an external
81
+ # principal has permission to perform.
82
+ # @return [Array<String>]
83
+ #
84
+ # @!attribute [rw] change_type
85
+ # Provides context on how the access preview finding compares to
86
+ # existing access identified in Access Analyzer.
87
+ #
88
+ # * `New` - The finding is for newly-introduced access.
89
+ #
90
+ # * `Unchanged` - The preview finding is an existing finding that
91
+ # would remain unchanged.
92
+ #
93
+ # * `Changed` - The preview finding is an existing finding with a
94
+ # change in status.
95
+ #
96
+ # For example, a `Changed` finding with preview status `Resolved` and
97
+ # existing status `Active` indicates the existing `Active` finding
98
+ # would become `Resolved` as a result of the proposed permissions
99
+ # change.
100
+ # @return [String]
101
+ #
102
+ # @!attribute [rw] condition
103
+ # The condition in the analyzed policy statement that resulted in a
104
+ # finding.
105
+ # @return [Hash<String,String>]
106
+ #
107
+ # @!attribute [rw] created_at
108
+ # The time at which the access preview finding was created.
109
+ # @return [Time]
110
+ #
111
+ # @!attribute [rw] error
112
+ # An error.
113
+ # @return [String]
114
+ #
115
+ # @!attribute [rw] existing_finding_id
116
+ # The existing ID of the finding in Access Analyzer, provided only for
117
+ # existing findings.
118
+ # @return [String]
119
+ #
120
+ # @!attribute [rw] existing_finding_status
121
+ # The existing status of the finding, provided only for existing
122
+ # findings.
123
+ # @return [String]
124
+ #
125
+ # @!attribute [rw] id
126
+ # The ID of the access preview finding. This ID uniquely identifies
127
+ # the element in the list of access preview findings and is not
128
+ # related to the finding ID in Access Analyzer.
129
+ # @return [String]
130
+ #
131
+ # @!attribute [rw] is_public
132
+ # Indicates whether the policy that generated the finding allows
133
+ # public access to the resource.
134
+ # @return [Boolean]
135
+ #
136
+ # @!attribute [rw] principal
137
+ # The external principal that has access to a resource within the zone
138
+ # of trust.
139
+ # @return [Hash<String,String>]
140
+ #
141
+ # @!attribute [rw] resource
142
+ # The resource that an external principal has access to. This is the
143
+ # resource associated with the access preview.
144
+ # @return [String]
145
+ #
146
+ # @!attribute [rw] resource_owner_account
147
+ # The AWS account ID that owns the resource. For most AWS resources,
148
+ # the owning account is the account in which the resource was created.
149
+ # @return [String]
150
+ #
151
+ # @!attribute [rw] resource_type
152
+ # The type of the resource that can be accessed in the finding.
153
+ # @return [String]
154
+ #
155
+ # @!attribute [rw] sources
156
+ # The sources of the finding. This indicates how the access that
157
+ # generated the finding is granted. It is populated for Amazon S3
158
+ # bucket findings.
159
+ # @return [Array<Types::FindingSource>]
160
+ #
161
+ # @!attribute [rw] status
162
+ # The preview status of the finding. This is what the status of the
163
+ # finding would be after permissions deployment. For example, a
164
+ # `Changed` finding with preview status `Resolved` and existing status
165
+ # `Active` indicates the existing `Active` finding would become
166
+ # `Resolved` as a result of the proposed permissions change.
167
+ # @return [String]
168
+ #
169
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewFinding AWS API Documentation
170
+ #
171
+ class AccessPreviewFinding < Struct.new(
172
+ :action,
173
+ :change_type,
174
+ :condition,
175
+ :created_at,
176
+ :error,
177
+ :existing_finding_id,
178
+ :existing_finding_status,
179
+ :id,
180
+ :is_public,
181
+ :principal,
182
+ :resource,
183
+ :resource_owner_account,
184
+ :resource_type,
185
+ :sources,
186
+ :status)
187
+ SENSITIVE = []
188
+ include Aws::Structure
189
+ end
190
+
191
+ # Provides more details about the current status of the access preview.
192
+ # For example, if the creation of the access preview fails, a `Failed`
193
+ # status is returned. This failure can be due to an internal issue with
194
+ # the analysis or due to an invalid proposed resource configuration.
195
+ #
196
+ # @!attribute [rw] code
197
+ # The reason code for the current status of the access preview.
198
+ # @return [String]
199
+ #
200
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewStatusReason AWS API Documentation
201
+ #
202
+ class AccessPreviewStatusReason < Struct.new(
203
+ :code)
204
+ SENSITIVE = []
205
+ include Aws::Structure
206
+ end
207
+
208
+ # Contains a summary of information about an access preview.
209
+ #
210
+ # @!attribute [rw] analyzer_arn
211
+ # The ARN of the analyzer used to generate the access preview.
212
+ # @return [String]
213
+ #
214
+ # @!attribute [rw] created_at
215
+ # The time at which the access preview was created.
216
+ # @return [Time]
217
+ #
218
+ # @!attribute [rw] id
219
+ # The unique ID for the access preview.
220
+ # @return [String]
221
+ #
222
+ # @!attribute [rw] status
223
+ # The status of the access preview.
224
+ #
225
+ # * `Creating` - The access preview creation is in progress.
226
+ #
227
+ # * `Completed` - The access preview is complete and previews the
228
+ # findings for external access to the resource.
229
+ #
230
+ # * `Failed` - The access preview creation has failed.
231
+ # @return [String]
232
+ #
233
+ # @!attribute [rw] status_reason
234
+ # Provides more details about the current status of the access
235
+ # preview. For example, if the creation of the access preview fails, a
236
+ # `Failed` status is returned. This failure can be due to an internal
237
+ # issue with the analysis or due to an invalid proposed resource
238
+ # configuration.
239
+ # @return [Types::AccessPreviewStatusReason]
240
+ #
241
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewSummary AWS API Documentation
242
+ #
243
+ class AccessPreviewSummary < Struct.new(
244
+ :analyzer_arn,
245
+ :created_at,
246
+ :id,
247
+ :status,
248
+ :status_reason)
249
+ SENSITIVE = []
250
+ include Aws::Structure
251
+ end
252
+
253
+ # You specify each grantee as a type-value pair using one of these
254
+ # types. You can specify only one type of grantee. For more information,
255
+ # see [PutBucketAcl][1].
256
+ #
257
+ #
258
+ #
259
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html
260
+ #
261
+ # @note When making an API call, you may pass AclGrantee
262
+ # data as a hash:
263
+ #
264
+ # {
265
+ # id: "AclCanonicalId",
266
+ # uri: "AclUri",
267
+ # }
268
+ #
269
+ # @!attribute [rw] id
270
+ # The value specified is the canonical user ID of an AWS account.
271
+ # @return [String]
272
+ #
273
+ # @!attribute [rw] uri
274
+ # Used for granting permissions to a predefined group.
275
+ # @return [String]
276
+ #
277
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AclGrantee AWS API Documentation
278
+ #
279
+ class AclGrantee < Struct.new(
280
+ :id,
281
+ :uri)
282
+ SENSITIVE = []
283
+ include Aws::Structure
284
+ end
285
+
26
286
  # Contains details about the analyzed resource.
27
287
  #
28
288
  # @!attribute [rw] actions
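Review bot: The `AclGrantee` docs (the comment block before `class AclGrantee`) say a grantee is given as exactly one type, but the per-attribute docs on `id` and `uri` do not repeat that, and `Struct.new(:id, :uri)` happily accepts both, so a caller building an S3 configuration for an access preview gets no hint in the attribute docs that setting both is wrong. Since this file is generated, the wording change belongs in the API model's documentation source rather than a hand edit here, but the attribute docs should carry the exclusivity: on `id`, `The canonical user ID of an AWS account. Set either id or uri, not both.`, and the mirror sentence on `uri`. I cannot tell from this hunk how the service responds to a grantee with both fields populated, so confirm that before documenting it as a rejected request. The `error` attribute on `AccessPreviewFinding` is documented only as `An error.`; a sentence saying what condition populates it would help, but the hunk gives nothing to ground that on.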
@@ -141,16 +401,16 @@ module Aws::AccessAnalyzer
141
401
  # The status of the analyzer. An `Active` analyzer successfully
142
402
  # monitors supported resources and generates new findings. The
143
403
  # analyzer is `Disabled` when a user action, such as removing trusted
144
- # access for IAM Access Analyzer from AWS Organizations, causes the
145
- # analyzer to stop generating new findings. The status is `Creating`
146
- # when the analyzer creation is in progress and `Failed` when the
147
- # analyzer creation has failed.
404
+ # access for AWS IAM Access Analyzer from AWS Organizations, causes
405
+ # the analyzer to stop generating new findings. The status is
406
+ # `Creating` when the analyzer creation is in progress and `Failed`
407
+ # when the analyzer creation has failed.
148
408
  # @return [String]
149
409
  #
150
410
  # @!attribute [rw] status_reason
151
411
  # The `statusReason` provides more details about the current status of
152
412
  # the analyzer. For example, if the creation for the analyzer fails, a
153
- # `Failed` status is displayed. For an analyzer with organization as
413
+ # `Failed` status is returned. For an analyzer with organization as
154
414
  # the type, this failure can be due to an issue with creating the
155
415
  # service-linked roles required in the member accounts of the AWS
156
416
  # organization.
@@ -246,130 +506,466 @@ module Aws::AccessAnalyzer
246
506
  include Aws::Structure
247
507
  end
248
508
 
249
- # A conflict exception error.
250
- #
251
- # @!attribute [rw] message
252
- # @return [String]
509
+ # @note When making an API call, you may pass CancelPolicyGenerationRequest
510
+ # data as a hash:
253
511
  #
254
- # @!attribute [rw] resource_id
255
- # The ID of the resource.
256
- # @return [String]
512
+ # {
513
+ # job_id: "JobId", # required
514
+ # }
257
515
  #
258
- # @!attribute [rw] resource_type
259
- # The resource type.
516
+ # @!attribute [rw] job_id
517
+ # The `JobId` that is returned by the `StartPolicyGeneration`
518
+ # operation. The `JobId` can be used with `GetGeneratedPolicy` to
519
+ # retrieve the generated policies or used with
520
+ # `CancelPolicyGeneration` to cancel the policy generation request.
260
521
  # @return [String]
261
522
  #
262
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ConflictException AWS API Documentation
523
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CancelPolicyGenerationRequest AWS API Documentation
263
524
  #
264
- class ConflictException < Struct.new(
265
- :message,
266
- :resource_id,
267
- :resource_type)
525
+ class CancelPolicyGenerationRequest < Struct.new(
526
+ :job_id)
268
527
  SENSITIVE = []
269
528
  include Aws::Structure
270
529
  end
271
530
 
272
- # Creates an analyzer.
531
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CancelPolicyGenerationResponse AWS API Documentation
273
532
  #
274
- # @note When making an API call, you may pass CreateAnalyzerRequest
533
+ class CancelPolicyGenerationResponse < Aws::EmptyStructure; end
534
+
535
+ # Contains information about CloudTrail access.
536
+ #
537
+ # @note When making an API call, you may pass CloudTrailDetails
275
538
  # data as a hash:
276
539
  #
277
540
  # {
278
- # analyzer_name: "Name", # required
279
- # archive_rules: [
541
+ # access_role: "RoleArn", # required
542
+ # end_time: Time.now,
543
+ # start_time: Time.now, # required
544
+ # trails: [ # required
280
545
  # {
281
- # filter: { # required
282
- # "String" => {
283
- # contains: ["String"],
284
- # eq: ["String"],
285
- # exists: false,
286
- # neq: ["String"],
287
- # },
288
- # },
289
- # rule_name: "Name", # required
546
+ # all_regions: false,
547
+ # cloud_trail_arn: "CloudTrailArn", # required
548
+ # regions: ["String"],
290
549
  # },
291
550
  # ],
292
- # client_token: "String",
293
- # tags: {
294
- # "String" => "String",
295
- # },
296
- # type: "ACCOUNT", # required, accepts ACCOUNT, ORGANIZATION
297
551
  # }
298
552
  #
299
- # @!attribute [rw] analyzer_name
300
- # The name of the analyzer to create.
553
+ # @!attribute [rw] access_role
554
+ # The ARN of the service role that Access Analyzer uses to access your
555
+ # CloudTrail trail and service last accessed information.
301
556
  # @return [String]
302
557
  #
303
- # @!attribute [rw] archive_rules
304
- # Specifies the archive rules to add for the analyzer. Archive rules
305
- # automatically archive findings that meet the criteria you define for
306
- # the rule.
307
- # @return [Array<Types::InlineArchiveRule>]
308
- #
309
- # @!attribute [rw] client_token
310
- # A client token.
311
- #
312
- # **A suitable default value is auto-generated.** You should normally
313
- # not need to pass this option.
314
- # @return [String]
558
+ # @!attribute [rw] end_time
559
+ # The end of the time range for which Access Analyzer reviews your
560
+ # CloudTrail events. Events with a timestamp after this time are not
561
+ # considered to generate a policy. If this is not included in the
562
+ # request, the default value is the current time.
563
+ # @return [Time]
315
564
  #
316
- # @!attribute [rw] tags
317
- # The tags to apply to the analyzer.
318
- # @return [Hash<String,String>]
565
+ # @!attribute [rw] start_time
566
+ # The start of the time range for which Access Analyzer reviews your
567
+ # CloudTrail events. Events with a timestamp before this time are not
568
+ # considered to generate a policy.
569
+ # @return [Time]
319
570
  #
320
- # @!attribute [rw] type
321
- # The type of analyzer to create. Only ACCOUNT analyzers are
322
- # supported. You can create only one analyzer per account per Region.
323
- # @return [String]
571
+ # @!attribute [rw] trails
572
+ # A `Trail` object that contains settings for a trail.
573
+ # @return [Array<Types::Trail>]
324
574
  #
325
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerRequest AWS API Documentation
575
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CloudTrailDetails AWS API Documentation
326
576
  #
327
- class CreateAnalyzerRequest < Struct.new(
328
- :analyzer_name,
329
- :archive_rules,
330
- :client_token,
331
- :tags,
332
- :type)
577
+ class CloudTrailDetails < Struct.new(
578
+ :access_role,
579
+ :end_time,
580
+ :start_time,
581
+ :trails)
333
582
  SENSITIVE = []
334
583
  include Aws::Structure
335
584
  end
336
585
 
337
- # The response to the request to create an analyzer.
586
+ # Contains information about CloudTrail access.
338
587
  #
339
- # @!attribute [rw] arn
340
- # The ARN of the analyzer that was created by the request.
341
- # @return [String]
588
+ # @!attribute [rw] end_time
589
+ # The end of the time range for which Access Analyzer reviews your
590
+ # CloudTrail events. Events with a timestamp after this time are not
591
+ # considered to generate a policy. If this is not included in the
592
+ # request, the default value is the current time.
593
+ # @return [Time]
342
594
  #
343
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerResponse AWS API Documentation
595
+ # @!attribute [rw] start_time
596
+ # The start of the time range for which Access Analyzer reviews your
597
+ # CloudTrail events. Events with a timestamp before this time are not
598
+ # considered to generate a policy.
599
+ # @return [Time]
344
600
  #
345
- class CreateAnalyzerResponse < Struct.new(
346
- :arn)
601
+ # @!attribute [rw] trail_properties
602
+ # A `TrailProperties` object that contains settings for trail
603
+ # properties.
604
+ # @return [Array<Types::TrailProperties>]
605
+ #
606
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CloudTrailProperties AWS API Documentation
607
+ #
608
+ class CloudTrailProperties < Struct.new(
609
+ :end_time,
610
+ :start_time,
611
+ :trail_properties)
347
612
  SENSITIVE = []
348
613
  include Aws::Structure
349
614
  end
350
615
 
351
- # Creates an archive rule.
616
+ # Access control configuration structures for your resource. You specify
617
+ # the configuration as a type-value pair. You can specify only one type
618
+ # of access control configuration.
352
619
  #
353
- # @note When making an API call, you may pass CreateArchiveRuleRequest
620
+ # @note When making an API call, you may pass Configuration
354
621
  # data as a hash:
355
622
  #
356
623
  # {
357
- # analyzer_name: "Name", # required
358
- # client_token: "String",
359
- # filter: { # required
360
- # "String" => {
361
- # contains: ["String"],
362
- # eq: ["String"],
363
- # exists: false,
364
- # neq: ["String"],
624
+ # iam_role: {
625
+ # trust_policy: "IamTrustPolicy",
626
+ # },
627
+ # kms_key: {
628
+ # grants: [
629
+ # {
630
+ # constraints: {
631
+ # encryption_context_equals: {
632
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
633
+ # },
634
+ # encryption_context_subset: {
635
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
636
+ # },
637
+ # },
638
+ # grantee_principal: "GranteePrincipal", # required
639
+ # issuing_account: "IssuingAccount", # required
640
+ # operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
641
+ # retiring_principal: "RetiringPrincipal",
642
+ # },
643
+ # ],
644
+ # key_policies: {
645
+ # "PolicyName" => "KmsKeyPolicy",
365
646
  # },
366
647
  # },
367
- # rule_name: "Name", # required
368
- # }
369
- #
370
- # @!attribute [rw] analyzer_name
371
- # The name of the created analyzer.
372
- # @return [String]
648
+ # s3_bucket: {
649
+ # access_points: {
650
+ # "AccessPointArn" => {
651
+ # access_point_policy: "AccessPointPolicy",
652
+ # network_origin: {
653
+ # internet_configuration: {
654
+ # },
655
+ # vpc_configuration: {
656
+ # vpc_id: "VpcId", # required
657
+ # },
658
+ # },
659
+ # public_access_block: {
660
+ # ignore_public_acls: false, # required
661
+ # restrict_public_buckets: false, # required
662
+ # },
663
+ # },
664
+ # },
665
+ # bucket_acl_grants: [
666
+ # {
667
+ # grantee: { # required
668
+ # id: "AclCanonicalId",
669
+ # uri: "AclUri",
670
+ # },
671
+ # permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
672
+ # },
673
+ # ],
674
+ # bucket_policy: "S3BucketPolicy",
675
+ # bucket_public_access_block: {
676
+ # ignore_public_acls: false, # required
677
+ # restrict_public_buckets: false, # required
678
+ # },
679
+ # },
680
+ # secrets_manager_secret: {
681
+ # kms_key_id: "SecretsManagerSecretKmsId",
682
+ # secret_policy: "SecretsManagerSecretPolicy",
683
+ # },
684
+ # sqs_queue: {
685
+ # queue_policy: "SqsQueuePolicy",
686
+ # },
687
+ # }
688
+ #
689
+ # @!attribute [rw] iam_role
690
+ # The access control configuration is for an IAM role.
691
+ # @return [Types::IamRoleConfiguration]
692
+ #
693
+ # @!attribute [rw] kms_key
694
+ # The access control configuration is for a KMS key.
695
+ # @return [Types::KmsKeyConfiguration]
696
+ #
697
+ # @!attribute [rw] s3_bucket
698
+ # The access control configuration is for an Amazon S3 Bucket.
699
+ # @return [Types::S3BucketConfiguration]
700
+ #
701
+ # @!attribute [rw] secrets_manager_secret
702
+ # The access control configuration is for a Secrets Manager secret.
703
+ # @return [Types::SecretsManagerSecretConfiguration]
704
+ #
705
+ # @!attribute [rw] sqs_queue
706
+ # The access control configuration is for an SQS queue.
707
+ # @return [Types::SqsQueueConfiguration]
708
+ #
709
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Configuration AWS API Documentation
710
+ #
711
+ class Configuration < Struct.new(
712
+ :iam_role,
713
+ :kms_key,
714
+ :s3_bucket,
715
+ :secrets_manager_secret,
716
+ :sqs_queue)
717
+ SENSITIVE = []
718
+ include Aws::Structure
719
+ end
720
+
721
+ # A conflict exception error.
722
+ #
723
+ # @!attribute [rw] message
724
+ # @return [String]
725
+ #
726
+ # @!attribute [rw] resource_id
727
+ # The ID of the resource.
728
+ # @return [String]
729
+ #
730
+ # @!attribute [rw] resource_type
731
+ # The resource type.
732
+ # @return [String]
733
+ #
734
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ConflictException AWS API Documentation
735
+ #
736
+ class ConflictException < Struct.new(
737
+ :message,
738
+ :resource_id,
739
+ :resource_type)
740
+ SENSITIVE = []
741
+ include Aws::Structure
742
+ end
743
+
744
+ # @note When making an API call, you may pass CreateAccessPreviewRequest
745
+ # data as a hash:
746
+ #
747
+ # {
748
+ # analyzer_arn: "AnalyzerArn", # required
749
+ # client_token: "String",
750
+ # configurations: { # required
751
+ # "ConfigurationsMapKey" => {
752
+ # iam_role: {
753
+ # trust_policy: "IamTrustPolicy",
754
+ # },
755
+ # kms_key: {
756
+ # grants: [
757
+ # {
758
+ # constraints: {
759
+ # encryption_context_equals: {
760
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
761
+ # },
762
+ # encryption_context_subset: {
763
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
764
+ # },
765
+ # },
766
+ # grantee_principal: "GranteePrincipal", # required
767
+ # issuing_account: "IssuingAccount", # required
768
+ # operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
769
+ # retiring_principal: "RetiringPrincipal",
770
+ # },
771
+ # ],
772
+ # key_policies: {
773
+ # "PolicyName" => "KmsKeyPolicy",
774
+ # },
775
+ # },
776
+ # s3_bucket: {
777
+ # access_points: {
778
+ # "AccessPointArn" => {
779
+ # access_point_policy: "AccessPointPolicy",
780
+ # network_origin: {
781
+ # internet_configuration: {
782
+ # },
783
+ # vpc_configuration: {
784
+ # vpc_id: "VpcId", # required
785
+ # },
786
+ # },
787
+ # public_access_block: {
788
+ # ignore_public_acls: false, # required
789
+ # restrict_public_buckets: false, # required
790
+ # },
791
+ # },
792
+ # },
793
+ # bucket_acl_grants: [
794
+ # {
795
+ # grantee: { # required
796
+ # id: "AclCanonicalId",
797
+ # uri: "AclUri",
798
+ # },
799
+ # permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
800
+ # },
801
+ # ],
802
+ # bucket_policy: "S3BucketPolicy",
803
+ # bucket_public_access_block: {
804
+ # ignore_public_acls: false, # required
805
+ # restrict_public_buckets: false, # required
806
+ # },
807
+ # },
808
+ # secrets_manager_secret: {
809
+ # kms_key_id: "SecretsManagerSecretKmsId",
810
+ # secret_policy: "SecretsManagerSecretPolicy",
811
+ # },
812
+ # sqs_queue: {
813
+ # queue_policy: "SqsQueuePolicy",
814
+ # },
815
+ # },
816
+ # },
817
+ # }
818
+ #
819
+ # @!attribute [rw] analyzer_arn
820
+ # The [ARN of the account analyzer][1] used to generate the access
821
+ # preview. You can only create an access preview for analyzers with an
822
+ # `Account` type and `Active` status.
823
+ #
824
+ #
825
+ #
826
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
827
+ # @return [String]
828
+ #
829
+ # @!attribute [rw] client_token
830
+ # A client token.
831
+ #
832
+ # **A suitable default value is auto-generated.** You should normally
833
+ # not need to pass this option.
834
+ # @return [String]
835
+ #
836
+ # @!attribute [rw] configurations
837
+ # Access control configuration for your resource that is used to
838
+ # generate the access preview. The access preview includes findings
839
+ # for external access allowed to the resource with the proposed access
840
+ # control configuration. The configuration must contain exactly one
841
+ # element.
842
+ # @return [Hash<String,Types::Configuration>]
843
+ #
844
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewRequest AWS API Documentation
845
+ #
846
+ class CreateAccessPreviewRequest < Struct.new(
847
+ :analyzer_arn,
848
+ :client_token,
849
+ :configurations)
850
+ SENSITIVE = []
851
+ include Aws::Structure
852
+ end
853
+
854
+ # @!attribute [rw] id
855
+ # The unique ID for the access preview.
856
+ # @return [String]
857
+ #
858
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewResponse AWS API Documentation
859
+ #
860
+ class CreateAccessPreviewResponse < Struct.new(
861
+ :id)
862
+ SENSITIVE = []
863
+ include Aws::Structure
864
+ end
865
+
866
+ # Creates an analyzer.
867
+ #
868
+ # @note When making an API call, you may pass CreateAnalyzerRequest
869
+ # data as a hash:
870
+ #
871
+ # {
872
+ # analyzer_name: "Name", # required
873
+ # archive_rules: [
874
+ # {
875
+ # filter: { # required
876
+ # "String" => {
877
+ # contains: ["String"],
878
+ # eq: ["String"],
879
+ # exists: false,
880
+ # neq: ["String"],
881
+ # },
882
+ # },
883
+ # rule_name: "Name", # required
884
+ # },
885
+ # ],
886
+ # client_token: "String",
887
+ # tags: {
888
+ # "String" => "String",
889
+ # },
890
+ # type: "ACCOUNT", # required, accepts ACCOUNT, ORGANIZATION
891
+ # }
892
+ #
893
+ # @!attribute [rw] analyzer_name
894
+ # The name of the analyzer to create.
895
+ # @return [String]
896
+ #
897
+ # @!attribute [rw] archive_rules
898
+ # Specifies the archive rules to add for the analyzer. Archive rules
899
+ # automatically archive findings that meet the criteria you define for
900
+ # the rule.
901
+ # @return [Array<Types::InlineArchiveRule>]
902
+ #
903
+ # @!attribute [rw] client_token
904
+ # A client token.
905
+ #
906
+ # **A suitable default value is auto-generated.** You should normally
907
+ # not need to pass this option.
908
+ # @return [String]
909
+ #
910
+ # @!attribute [rw] tags
911
+ # The tags to apply to the analyzer.
912
+ # @return [Hash<String,String>]
913
+ #
914
+ # @!attribute [rw] type
915
+ # The type of analyzer to create. Only ACCOUNT and ORGANIZATION
916
+ # analyzers are supported. You can create only one analyzer per
917
+ # account per Region. You can create up to 5 analyzers per
918
+ # organization per Region.
919
+ # @return [String]
920
+ #
921
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerRequest AWS API Documentation
922
+ #
923
+ class CreateAnalyzerRequest < Struct.new(
924
+ :analyzer_name,
925
+ :archive_rules,
926
+ :client_token,
927
+ :tags,
928
+ :type)
929
+ SENSITIVE = []
930
+ include Aws::Structure
931
+ end
932
+
933
+ # The response to the request to create an analyzer.
934
+ #
935
+ # @!attribute [rw] arn
936
+ # The ARN of the analyzer that was created by the request.
937
+ # @return [String]
938
+ #
939
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerResponse AWS API Documentation
940
+ #
941
+ class CreateAnalyzerResponse < Struct.new(
942
+ :arn)
943
+ SENSITIVE = []
944
+ include Aws::Structure
945
+ end
946
+
947
+ # Creates an archive rule.
948
+ #
949
+ # @note When making an API call, you may pass CreateArchiveRuleRequest
950
+ # data as a hash:
951
+ #
952
+ # {
953
+ # analyzer_name: "Name", # required
954
+ # client_token: "String",
955
+ # filter: { # required
956
+ # "String" => {
957
+ # contains: ["String"],
958
+ # eq: ["String"],
959
+ # exists: false,
960
+ # neq: ["String"],
961
+ # },
962
+ # },
963
+ # rule_name: "Name", # required
964
+ # }
965
+ #
966
+ # @!attribute [rw] analyzer_name
967
+ # The name of the created analyzer.
968
+ # @return [String]
373
969
  #
374
970
  # @!attribute [rw] client_token
375
971
  # A client token.
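Review bot: The `access_role` docs on `CloudTrailDetails` (the `@!attribute [rw] access_role` block) describe the role only as what Access Analyzer uses to read the trail and service last accessed information, with no caveat about scoping it; because the generated policy is derived from whatever this role can read, a reviewer would want the least-privilege note spelled out, for example `Access Analyzer assumes this role; keep its permissions limited to reading the listed trail(s) and service last accessed data.` The phrase "service role" suggests a trust policy for the Access Analyzer service principal is required, but that is inferred from the wording here, so confirm it against the API reference before documenting it. Separately, `trails` is documented as `A Trail object that contains settings for a trail.` while its `@return` is `[Array<Types::Trail>]`, and `trail_properties` on `CloudTrailProperties` has the same object-versus-array mismatch; `The Trail objects whose events Access Analyzer reviews.` would match the declared type. This file is generated, so both wording fixes belong in the API model's documentation source rather than a hand edit of this file.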
@@ -554,7 +1150,7 @@ module Aws::AccessAnalyzer
554
1150
  # @return [String]
555
1151
  #
556
1152
  # @!attribute [rw] resource_type
557
- # The type of the resource reported in the finding.
1153
+ # The type of the resource identified in the finding.
558
1154
  # @return [String]
559
1155
  #
560
1156
  # @!attribute [rw] sources
@@ -715,6 +1311,118 @@ module Aws::AccessAnalyzer
715
1311
  include Aws::Structure
716
1312
  end
717
1313
 
1314
+ # Contains the text for the generated policy.
1315
+ #
1316
+ # @!attribute [rw] policy
1317
+ # The text to use as the content for the new policy. The policy is
1318
+ # created using the [CreatePolicy][1] action.
1319
+ #
1320
+ #
1321
+ #
1322
+ # [1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html
1323
+ # @return [String]
1324
+ #
1325
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GeneratedPolicy AWS API Documentation
1326
+ #
1327
+ class GeneratedPolicy < Struct.new(
1328
+ :policy)
1329
+ SENSITIVE = []
1330
+ include Aws::Structure
1331
+ end
1332
+
1333
+ # Contains the generated policy details.
1334
+ #
1335
+ # @!attribute [rw] cloud_trail_properties
1336
+ # Lists details about the `Trail` used to generated policy.
1337
+ # @return [Types::CloudTrailProperties]
1338
+ #
1339
+ # @!attribute [rw] is_complete
1340
+ # This value is set to `true` if the generated policy contains all
1341
+ # possible actions for a service that Access Analyzer identified from
1342
+ # the CloudTrail trail that you specified, and `false` otherwise.
1343
+ # @return [Boolean]
1344
+ #
1345
+ # @!attribute [rw] principal_arn
1346
+ # The ARN of the IAM entity (user or role) for which you are
1347
+ # generating a policy.
1348
+ # @return [String]
1349
+ #
1350
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GeneratedPolicyProperties AWS API Documentation
1351
+ #
1352
+ class GeneratedPolicyProperties < Struct.new(
1353
+ :cloud_trail_properties,
1354
+ :is_complete,
1355
+ :principal_arn)
1356
+ SENSITIVE = []
1357
+ include Aws::Structure
1358
+ end
1359
+
1360
+ # Contains the text for the generated policy and its details.
1361
+ #
1362
+ # @!attribute [rw] generated_policies
1363
+ # The text to use as the content for the new policy. The policy is
1364
+ # created using the [CreatePolicy][1] action.
1365
+ #
1366
+ #
1367
+ #
1368
+ # [1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html
1369
+ # @return [Array<Types::GeneratedPolicy>]
1370
+ #
1371
+ # @!attribute [rw] properties
1372
+ # A `GeneratedPolicyProperties` object that contains properties of the
1373
+ # generated policy.
1374
+ # @return [Types::GeneratedPolicyProperties]
1375
+ #
1376
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GeneratedPolicyResult AWS API Documentation
1377
+ #
1378
+ class GeneratedPolicyResult < Struct.new(
1379
+ :generated_policies,
1380
+ :properties)
1381
+ SENSITIVE = []
1382
+ include Aws::Structure
1383
+ end
1384
+
1385
+ # @note When making an API call, you may pass GetAccessPreviewRequest
1386
+ # data as a hash:
1387
+ #
1388
+ # {
1389
+ # access_preview_id: "AccessPreviewId", # required
1390
+ # analyzer_arn: "AnalyzerArn", # required
1391
+ # }
1392
+ #
1393
+ # @!attribute [rw] access_preview_id
1394
+ # The unique ID for the access preview.
1395
+ # @return [String]
1396
+ #
1397
+ # @!attribute [rw] analyzer_arn
1398
+ # The [ARN of the analyzer][1] used to generate the access preview.
1399
+ #
1400
+ #
1401
+ #
1402
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1403
+ # @return [String]
1404
+ #
1405
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAccessPreviewRequest AWS API Documentation
1406
+ #
1407
+ class GetAccessPreviewRequest < Struct.new(
1408
+ :access_preview_id,
1409
+ :analyzer_arn)
1410
+ SENSITIVE = []
1411
+ include Aws::Structure
1412
+ end
1413
+
1414
+ # @!attribute [rw] access_preview
1415
+ # An object that contains information about the access preview.
1416
+ # @return [Types::AccessPreview]
1417
+ #
1418
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAccessPreviewResponse AWS API Documentation
1419
+ #
1420
+ class GetAccessPreviewResponse < Struct.new(
1421
+ :access_preview)
1422
+ SENSITIVE = []
1423
+ include Aws::Structure
1424
+ end
1425
+
718
1426
  # Retrieves an analyzed resource.
719
1427
  #
720
1428
  # @note When making an API call, you may pass GetAnalyzedResourceRequest
@@ -726,7 +1434,11 @@ module Aws::AccessAnalyzer
726
1434
  # }
727
1435
  #
728
1436
  # @!attribute [rw] analyzer_arn
729
- # The ARN of the analyzer to retrieve information from.
1437
+ # The [ARN of the analyzer][1] to retrieve information from.
1438
+ #
1439
+ #
1440
+ #
1441
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
730
1442
  # @return [String]
731
1443
  #
732
1444
  # @!attribute [rw] resource_arn
@@ -745,7 +1457,7 @@ module Aws::AccessAnalyzer
745
1457
  # The response to the request.
746
1458
  #
747
1459
  # @!attribute [rw] resource
748
- # An `AnalyedResource` object that contains information that Access
1460
+ # An `AnalyzedResource` object that contains information that Access
749
1461
  # Analyzer found when it analyzed the resource.
750
1462
  # @return [Types::AnalyzedResource]
751
1463
  #
@@ -845,7 +1557,11 @@ module Aws::AccessAnalyzer
845
1557
  # }
846
1558
  #
847
1559
  # @!attribute [rw] analyzer_arn
848
- # The ARN of the analyzer that generated the finding.
1560
+ # The [ARN of the analyzer][1] that generated the finding.
1561
+ #
1562
+ #
1563
+ #
1564
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
849
1565
  # @return [String]
850
1566
  #
851
1567
  # @!attribute [rw] id
@@ -875,7 +1591,103 @@ module Aws::AccessAnalyzer
875
1591
  include Aws::Structure
876
1592
  end
877
1593
 
878
- # An criterion statement in an archive rule. Each archive rule may have
1594
+ # @note When making an API call, you may pass GetGeneratedPolicyRequest
1595
+ # data as a hash:
1596
+ #
1597
+ # {
1598
+ # include_resource_placeholders: false,
1599
+ # include_service_level_template: false,
1600
+ # job_id: "JobId", # required
1601
+ # }
1602
+ #
1603
+ # @!attribute [rw] include_resource_placeholders
1604
+ # The level of detail that you want to generate. You can specify
1605
+ # whether to generate policies with placeholders for resource ARNs for
1606
+ # actions that support resource level granularity in policies.
1607
+ #
1608
+ # For example, in the resource section of a policy, you can receive a
1609
+ # placeholder such as `"Resource":"arn:aws:s3:::$\{BucketName\}"`
1610
+ # instead of `"*"`.
1611
+ # @return [Boolean]
1612
+ #
1613
+ # @!attribute [rw] include_service_level_template
1614
+ # The level of detail that you want to generate. You can specify
1615
+ # whether to generate service-level policies.
1616
+ #
1617
+ # Access Analyzer uses `iam:servicelastaccessed` to identify services
1618
+ # that have been used recently to create this service-level template.
1619
+ # @return [Boolean]
1620
+ #
1621
+ # @!attribute [rw] job_id
1622
+ # The `JobId` that is returned by the `StartPolicyGeneration`
1623
+ # operation. The `JobId` can be used with `GetGeneratedPolicy` to
1624
+ # retrieve the generated policies or used with
1625
+ # `CancelPolicyGeneration` to cancel the policy generation request.
1626
+ # @return [String]
1627
+ #
1628
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetGeneratedPolicyRequest AWS API Documentation
1629
+ #
1630
+ class GetGeneratedPolicyRequest < Struct.new(
1631
+ :include_resource_placeholders,
1632
+ :include_service_level_template,
1633
+ :job_id)
1634
+ SENSITIVE = []
1635
+ include Aws::Structure
1636
+ end
1637
+
1638
+ # @!attribute [rw] generated_policy_result
1639
+ # A `GeneratedPolicyResult` object that contains the generated
1640
+ # policies and associated details.
1641
+ # @return [Types::GeneratedPolicyResult]
1642
+ #
1643
+ # @!attribute [rw] job_details
1644
+ # A `GeneratedPolicyDetails` object that contains details about the
1645
+ # generated policy.
1646
+ # @return [Types::JobDetails]
1647
+ #
1648
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetGeneratedPolicyResponse AWS API Documentation
1649
+ #
1650
+ class GetGeneratedPolicyResponse < Struct.new(
1651
+ :generated_policy_result,
1652
+ :job_details)
1653
+ SENSITIVE = []
1654
+ include Aws::Structure
1655
+ end
1656
+
1657
+ # The proposed access control configuration for an IAM role. You can
1658
+ # propose a configuration for a new IAM role or an existing IAM role
1659
+ # that you own by specifying the trust policy. If the configuration is
1660
+ # for a new IAM role, you must specify the trust policy. If the
1661
+ # configuration is for an existing IAM role that you own and you do not
1662
+ # propose the trust policy, the access preview uses the existing trust
1663
+ # policy for the role. The proposed trust policy cannot be an empty
1664
+ # string. For more information about role trust policy limits, see [IAM
1665
+ # and STS quotas][1].
1666
+ #
1667
+ #
1668
+ #
1669
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
1670
+ #
1671
+ # @note When making an API call, you may pass IamRoleConfiguration
1672
+ # data as a hash:
1673
+ #
1674
+ # {
1675
+ # trust_policy: "IamTrustPolicy",
1676
+ # }
1677
+ #
1678
+ # @!attribute [rw] trust_policy
1679
+ # The proposed trust policy for the IAM role.
1680
+ # @return [String]
1681
+ #
1682
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/IamRoleConfiguration AWS API Documentation
1683
+ #
1684
+ class IamRoleConfiguration < Struct.new(
1685
+ :trust_policy)
1686
+ SENSITIVE = []
1687
+ include Aws::Structure
1688
+ end
1689
+
1690
+ # An criterion statement in an archive rule. Each archive rule may have
879
1691
  # multiple criteria.
880
1692
  #
881
1693
  # @note When making an API call, you may pass InlineArchiveRule
@@ -928,76 +1740,304 @@ module Aws::AccessAnalyzer
928
1740
  include Aws::Structure
929
1741
  end
930
1742
 
931
- # Retrieves a list of resources that have been analyzed.
1743
+ # This configuration sets the Amazon S3 access point network origin to
1744
+ # `Internet`.
932
1745
  #
933
- # @note When making an API call, you may pass ListAnalyzedResourcesRequest
1746
+ # @api private
1747
+ #
1748
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InternetConfiguration AWS API Documentation
1749
+ #
1750
+ class InternetConfiguration < Aws::EmptyStructure; end
1751
+
1752
+ # Contains details about the policy generation request.
1753
+ #
1754
+ # @!attribute [rw] completed_on
1755
+ # A timestamp of when the job was completed.
1756
+ # @return [Time]
1757
+ #
1758
+ # @!attribute [rw] job_error
1759
+ # Contains the details about the policy generation error.
1760
+ # @return [Types::JobError]
1761
+ #
1762
+ # @!attribute [rw] job_id
1763
+ # The `JobId` that is returned by the `StartPolicyGeneration`
1764
+ # operation. The `JobId` can be used with `GetGeneratedPolicy` to
1765
+ # retrieve the generated policies or used with
1766
+ # `CancelPolicyGeneration` to cancel the policy generation request.
1767
+ # @return [String]
1768
+ #
1769
+ # @!attribute [rw] started_on
1770
+ # A timestamp of when the job was started.
1771
+ # @return [Time]
1772
+ #
1773
+ # @!attribute [rw] status
1774
+ # The status of the job request.
1775
+ # @return [String]
1776
+ #
1777
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/JobDetails AWS API Documentation
1778
+ #
1779
+ class JobDetails < Struct.new(
1780
+ :completed_on,
1781
+ :job_error,
1782
+ :job_id,
1783
+ :started_on,
1784
+ :status)
1785
+ SENSITIVE = []
1786
+ include Aws::Structure
1787
+ end
1788
+
1789
+ # Contains the details about the policy generation error.
1790
+ #
1791
+ # @!attribute [rw] code
1792
+ # The job error code.
1793
+ # @return [String]
1794
+ #
1795
+ # @!attribute [rw] message
1796
+ # Specific information about the error. For example, which service
1797
+ # quota was exceeded or which resource was not found.
1798
+ # @return [String]
1799
+ #
1800
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/JobError AWS API Documentation
1801
+ #
1802
+ class JobError < Struct.new(
1803
+ :code,
1804
+ :message)
1805
+ SENSITIVE = []
1806
+ include Aws::Structure
1807
+ end
1808
+
1809
+ # A proposed grant configuration for a KMS key. For more information,
1810
+ # see [CreateGrant][1].
1811
+ #
1812
+ #
1813
+ #
1814
+ # [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html
1815
+ #
1816
+ # @note When making an API call, you may pass KmsGrantConfiguration
934
1817
  # data as a hash:
935
1818
  #
936
1819
  # {
937
- # analyzer_arn: "AnalyzerArn", # required
938
- # max_results: 1,
939
- # next_token: "Token",
940
- # resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key
1820
+ # constraints: {
1821
+ # encryption_context_equals: {
1822
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1823
+ # },
1824
+ # encryption_context_subset: {
1825
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1826
+ # },
1827
+ # },
1828
+ # grantee_principal: "GranteePrincipal", # required
1829
+ # issuing_account: "IssuingAccount", # required
1830
+ # operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
1831
+ # retiring_principal: "RetiringPrincipal",
941
1832
  # }
942
1833
  #
943
- # @!attribute [rw] analyzer_arn
944
- # The ARN of the analyzer to retrieve a list of analyzed resources
945
- # from.
946
- # @return [String]
1834
+ # @!attribute [rw] constraints
1835
+ # Use this structure to propose allowing [cryptographic operations][1]
1836
+ # in the grant only when the operation request includes the specified
1837
+ # [encryption context][2].
947
1838
  #
948
- # @!attribute [rw] max_results
949
- # The maximum number of results to return in the response.
950
- # @return [Integer]
951
1839
  #
952
- # @!attribute [rw] next_token
953
- # A token used for pagination of results returned.
1840
+ #
1841
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1842
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1843
+ # @return [Types::KmsGrantConstraints]
1844
+ #
1845
+ # @!attribute [rw] grantee_principal
1846
+ # The principal that is given permission to perform the operations
1847
+ # that the grant permits.
954
1848
  # @return [String]
955
1849
  #
956
- # @!attribute [rw] resource_type
957
- # The type of resource.
1850
+ # @!attribute [rw] issuing_account
1851
+ # The AWS account under which the grant was issued. The account is
1852
+ # used to propose KMS grants issued by accounts other than the owner
1853
+ # of the key.
958
1854
  # @return [String]
959
1855
  #
960
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesRequest AWS API Documentation
1856
+ # @!attribute [rw] operations
1857
+ # A list of operations that the grant permits.
1858
+ # @return [Array<String>]
961
1859
  #
962
- class ListAnalyzedResourcesRequest < Struct.new(
963
- :analyzer_arn,
964
- :max_results,
965
- :next_token,
966
- :resource_type)
1860
+ # @!attribute [rw] retiring_principal
1861
+ # The principal that is given permission to retire the grant by using
1862
+ # [RetireGrant][1] operation.
1863
+ #
1864
+ #
1865
+ #
1866
+ # [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html
1867
+ # @return [String]
1868
+ #
1869
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConfiguration AWS API Documentation
1870
+ #
1871
+ class KmsGrantConfiguration < Struct.new(
1872
+ :constraints,
1873
+ :grantee_principal,
1874
+ :issuing_account,
1875
+ :operations,
1876
+ :retiring_principal)
967
1877
  SENSITIVE = []
968
1878
  include Aws::Structure
969
1879
  end
970
1880
 
971
- # The response to the request.
1881
+ # Use this structure to propose allowing [cryptographic operations][1]
1882
+ # in the grant only when the operation request includes the specified
1883
+ # [encryption context][2]. You can specify only one type of encryption
1884
+ # context. An empty map is treated as not specified. For more
1885
+ # information, see [GrantConstraints][3].
972
1886
  #
973
- # @!attribute [rw] analyzed_resources
974
- # A list of resources that were analyzed.
975
- # @return [Array<Types::AnalyzedResourceSummary>]
976
1887
  #
977
- # @!attribute [rw] next_token
978
- # A token used for pagination of results returned.
979
- # @return [String]
980
1888
  #
981
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesResponse AWS API Documentation
1889
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1890
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1891
+ # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html
982
1892
  #
983
- class ListAnalyzedResourcesResponse < Struct.new(
984
- :analyzed_resources,
985
- :next_token)
1893
+ # @note When making an API call, you may pass KmsGrantConstraints
1894
+ # data as a hash:
1895
+ #
1896
+ # {
1897
+ # encryption_context_equals: {
1898
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1899
+ # },
1900
+ # encryption_context_subset: {
1901
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1902
+ # },
1903
+ # }
1904
+ #
1905
+ # @!attribute [rw] encryption_context_equals
1906
+ # A list of key-value pairs that must match the encryption context in
1907
+ # the [cryptographic operation][1] request. The grant allows the
1908
+ # operation only when the encryption context in the request is the
1909
+ # same as the encryption context specified in this constraint.
1910
+ #
1911
+ #
1912
+ #
1913
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1914
+ # @return [Hash<String,String>]
1915
+ #
1916
+ # @!attribute [rw] encryption_context_subset
1917
+ # A list of key-value pairs that must be included in the encryption
1918
+ # context of the [cryptographic operation][1] request. The grant
1919
+ # allows the cryptographic operation only when the encryption context
1920
+ # in the request includes the key-value pairs specified in this
1921
+ # constraint, although it can include additional key-value pairs.
1922
+ #
1923
+ #
1924
+ #
1925
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1926
+ # @return [Hash<String,String>]
1927
+ #
1928
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConstraints AWS API Documentation
1929
+ #
1930
+ class KmsGrantConstraints < Struct.new(
1931
+ :encryption_context_equals,
1932
+ :encryption_context_subset)
986
1933
  SENSITIVE = []
987
1934
  include Aws::Structure
988
1935
  end
989
1936
 
990
- # Retrieves a list of analyzers.
1937
+ # Proposed access control configuration for a KMS key. You can propose a
1938
+ # configuration for a new KMS key or an existing KMS key that you own by
1939
+ # specifying the key policy and KMS grant configuration. If the
1940
+ # configuration is for an existing key and you do not specify the key
1941
+ # policy, the access preview uses the existing policy for the key. If
1942
+ # the access preview is for a new resource and you do not specify the
1943
+ # key policy, then the access preview uses the default key policy. The
1944
+ # proposed key policy cannot be an empty string. For more information,
1945
+ # see [Default key policy][1]. For more information about key policy
1946
+ # limits, see [Resource quotas][2].
991
1947
  #
992
- # @note When making an API call, you may pass ListAnalyzersRequest
1948
+ #
1949
+ #
1950
+ #
1951
+ #
1952
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
1953
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
1954
+ #
1955
+ # @note When making an API call, you may pass KmsKeyConfiguration
1956
+ # data as a hash:
1957
+ #
1958
+ # {
1959
+ # grants: [
1960
+ # {
1961
+ # constraints: {
1962
+ # encryption_context_equals: {
1963
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1964
+ # },
1965
+ # encryption_context_subset: {
1966
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1967
+ # },
1968
+ # },
1969
+ # grantee_principal: "GranteePrincipal", # required
1970
+ # issuing_account: "IssuingAccount", # required
1971
+ # operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
1972
+ # retiring_principal: "RetiringPrincipal",
1973
+ # },
1974
+ # ],
1975
+ # key_policies: {
1976
+ # "PolicyName" => "KmsKeyPolicy",
1977
+ # },
1978
+ # }
1979
+ #
1980
+ # @!attribute [rw] grants
1981
+ # A list of proposed grant configurations for the KMS key. If the
1982
+ # proposed grant configuration is for an existing key, the access
1983
+ # preview uses the proposed list of grant configurations in place of
1984
+ # the existing grants. Otherwise, the access preview uses the existing
1985
+ # grants for the key.
1986
+ # @return [Array<Types::KmsGrantConfiguration>]
1987
+ #
1988
+ # @!attribute [rw] key_policies
1989
+ # Resource policy configuration for the KMS key. The only valid value
1990
+ # for the name of the key policy is `default`. For more information,
1991
+ # see [Default key policy][1].
1992
+ #
1993
+ #
1994
+ #
1995
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
1996
+ # @return [Hash<String,String>]
1997
+ #
1998
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsKeyConfiguration AWS API Documentation
1999
+ #
2000
+ class KmsKeyConfiguration < Struct.new(
2001
+ :grants,
2002
+ :key_policies)
2003
+ SENSITIVE = []
2004
+ include Aws::Structure
2005
+ end
2006
+
2007
+ # @note When making an API call, you may pass ListAccessPreviewFindingsRequest
993
2008
  # data as a hash:
994
2009
  #
995
2010
  # {
2011
+ # access_preview_id: "AccessPreviewId", # required
2012
+ # analyzer_arn: "AnalyzerArn", # required
2013
+ # filter: {
2014
+ # "String" => {
2015
+ # contains: ["String"],
2016
+ # eq: ["String"],
2017
+ # exists: false,
2018
+ # neq: ["String"],
2019
+ # },
2020
+ # },
996
2021
  # max_results: 1,
997
2022
  # next_token: "Token",
998
- # type: "ACCOUNT", # accepts ACCOUNT, ORGANIZATION
999
2023
  # }
1000
2024
  #
2025
+ # @!attribute [rw] access_preview_id
2026
+ # The unique ID for the access preview.
2027
+ # @return [String]
2028
+ #
2029
+ # @!attribute [rw] analyzer_arn
2030
+ # The [ARN of the analyzer][1] used to generate the access.
2031
+ #
2032
+ #
2033
+ #
2034
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
2035
+ # @return [String]
2036
+ #
2037
+ # @!attribute [rw] filter
2038
+ # Criteria to filter the returned findings.
2039
+ # @return [Hash<String,Types::Criterion>]
2040
+ #
1001
2041
  # @!attribute [rw] max_results
1002
2042
  # The maximum number of results to return in the response.
1003
2043
  # @return [Integer]
@@ -1006,220 +2046,893 @@ module Aws::AccessAnalyzer
1006
2046
  # A token used for pagination of results returned.
1007
2047
  # @return [String]
1008
2048
  #
1009
- # @!attribute [rw] type
1010
- # The type of analyzer.
1011
- # @return [String]
1012
- #
1013
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersRequest AWS API Documentation
2049
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsRequest AWS API Documentation
1014
2050
  #
1015
- class ListAnalyzersRequest < Struct.new(
2051
+ class ListAccessPreviewFindingsRequest < Struct.new(
2052
+ :access_preview_id,
2053
+ :analyzer_arn,
2054
+ :filter,
1016
2055
  :max_results,
1017
- :next_token,
1018
- :type)
2056
+ :next_token)
1019
2057
  SENSITIVE = []
1020
2058
  include Aws::Structure
1021
2059
  end
1022
2060
 
1023
- # The response to the request.
1024
- #
1025
- # @!attribute [rw] analyzers
1026
- # The analyzers retrieved.
1027
- # @return [Array<Types::AnalyzerSummary>]
2061
+ # @!attribute [rw] findings
2062
+ # A list of access preview findings that match the specified filter
2063
+ # criteria.
2064
+ # @return [Array<Types::AccessPreviewFinding>]
1028
2065
  #
1029
2066
  # @!attribute [rw] next_token
1030
2067
  # A token used for pagination of results returned.
1031
2068
  # @return [String]
1032
2069
  #
1033
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersResponse AWS API Documentation
2070
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsResponse AWS API Documentation
1034
2071
  #
1035
- class ListAnalyzersResponse < Struct.new(
1036
- :analyzers,
2072
+ class ListAccessPreviewFindingsResponse < Struct.new(
2073
+ :findings,
1037
2074
  :next_token)
1038
2075
  SENSITIVE = []
1039
2076
  include Aws::Structure
1040
2077
  end
1041
2078
 
1042
- # Retrieves a list of archive rules created for the specified analyzer.
1043
- #
1044
- # @note When making an API call, you may pass ListArchiveRulesRequest
2079
+ # @note When making an API call, you may pass ListAccessPreviewsRequest
1045
2080
  # data as a hash:
1046
2081
  #
1047
2082
  # {
1048
- # analyzer_name: "Name", # required
2083
+ # analyzer_arn: "AnalyzerArn", # required
1049
2084
  # max_results: 1,
1050
2085
  # next_token: "Token",
1051
2086
  # }
1052
2087
  #
1053
- # @!attribute [rw] analyzer_name
1054
- # The name of the analyzer to retrieve rules from.
2088
+ # @!attribute [rw] analyzer_arn
2089
+ # The [ARN of the analyzer][1] used to generate the access preview.
2090
+ #
2091
+ #
2092
+ #
2093
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1055
2094
  # @return [String]
1056
2095
  #
1057
2096
  # @!attribute [rw] max_results
1058
- # The maximum number of results to return in the request.
2097
+ # The maximum number of results to return in the response.
1059
2098
  # @return [Integer]
1060
2099
  #
1061
2100
  # @!attribute [rw] next_token
1062
2101
  # A token used for pagination of results returned.
1063
2102
  # @return [String]
1064
2103
  #
1065
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesRequest AWS API Documentation
2104
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsRequest AWS API Documentation
1066
2105
  #
1067
- class ListArchiveRulesRequest < Struct.new(
1068
- :analyzer_name,
2106
+ class ListAccessPreviewsRequest < Struct.new(
2107
+ :analyzer_arn,
1069
2108
  :max_results,
1070
2109
  :next_token)
1071
2110
  SENSITIVE = []
1072
2111
  include Aws::Structure
1073
2112
  end
1074
2113
 
1075
- # The response to the request.
1076
- #
1077
- # @!attribute [rw] archive_rules
1078
- # A list of archive rules created for the specified analyzer.
1079
- # @return [Array<Types::ArchiveRuleSummary>]
2114
+ # @!attribute [rw] access_previews
2115
+ # A list of access previews retrieved for the analyzer.
2116
+ # @return [Array<Types::AccessPreviewSummary>]
1080
2117
  #
1081
2118
  # @!attribute [rw] next_token
1082
2119
  # A token used for pagination of results returned.
1083
2120
  # @return [String]
1084
2121
  #
1085
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesResponse AWS API Documentation
2122
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsResponse AWS API Documentation
1086
2123
  #
1087
- class ListArchiveRulesResponse < Struct.new(
1088
- :archive_rules,
2124
+ class ListAccessPreviewsResponse < Struct.new(
2125
+ :access_previews,
1089
2126
  :next_token)
1090
2127
  SENSITIVE = []
1091
2128
  include Aws::Structure
1092
2129
  end
1093
2130
 
1094
- # Retrieves a list of findings generated by the specified analyzer.
2131
+ # Retrieves a list of resources that have been analyzed.
1095
2132
  #
1096
- # @note When making an API call, you may pass ListFindingsRequest
2133
+ # @note When making an API call, you may pass ListAnalyzedResourcesRequest
1097
2134
  # data as a hash:
1098
2135
  #
1099
2136
  # {
1100
2137
  # analyzer_arn: "AnalyzerArn", # required
1101
- # filter: {
1102
- # "String" => {
1103
- # contains: ["String"],
1104
- # eq: ["String"],
1105
- # exists: false,
1106
- # neq: ["String"],
1107
- # },
1108
- # },
1109
2138
  # max_results: 1,
1110
2139
  # next_token: "Token",
1111
- # sort: {
1112
- # attribute_name: "String",
1113
- # order_by: "ASC", # accepts ASC, DESC
2140
+ # resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key, AWS::SecretsManager::Secret
2141
+ # }
2142
+ #
2143
+ # @!attribute [rw] analyzer_arn
2144
+ # The [ARN of the analyzer][1] to retrieve a list of analyzed
2145
+ # resources from.
2146
+ #
2147
+ #
2148
+ #
2149
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
2150
+ # @return [String]
2151
+ #
2152
+ # @!attribute [rw] max_results
2153
+ # The maximum number of results to return in the response.
2154
+ # @return [Integer]
2155
+ #
2156
+ # @!attribute [rw] next_token
2157
+ # A token used for pagination of results returned.
2158
+ # @return [String]
2159
+ #
2160
+ # @!attribute [rw] resource_type
2161
+ # The type of resource.
2162
+ # @return [String]
2163
+ #
2164
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesRequest AWS API Documentation
2165
+ #
2166
+ class ListAnalyzedResourcesRequest < Struct.new(
2167
+ :analyzer_arn,
2168
+ :max_results,
2169
+ :next_token,
2170
+ :resource_type)
2171
+ SENSITIVE = []
2172
+ include Aws::Structure
2173
+ end
2174
+
2175
+ # The response to the request.
2176
+ #
2177
+ # @!attribute [rw] analyzed_resources
2178
+ # A list of resources that were analyzed.
2179
+ # @return [Array<Types::AnalyzedResourceSummary>]
2180
+ #
2181
+ # @!attribute [rw] next_token
2182
+ # A token used for pagination of results returned.
2183
+ # @return [String]
2184
+ #
2185
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesResponse AWS API Documentation
2186
+ #
2187
+ class ListAnalyzedResourcesResponse < Struct.new(
2188
+ :analyzed_resources,
2189
+ :next_token)
2190
+ SENSITIVE = []
2191
+ include Aws::Structure
2192
+ end
2193
+
2194
+ # Retrieves a list of analyzers.
2195
+ #
2196
+ # @note When making an API call, you may pass ListAnalyzersRequest
2197
+ # data as a hash:
2198
+ #
2199
+ # {
2200
+ # max_results: 1,
2201
+ # next_token: "Token",
2202
+ # type: "ACCOUNT", # accepts ACCOUNT, ORGANIZATION
2203
+ # }
2204
+ #
2205
+ # @!attribute [rw] max_results
2206
+ # The maximum number of results to return in the response.
2207
+ # @return [Integer]
2208
+ #
2209
+ # @!attribute [rw] next_token
2210
+ # A token used for pagination of results returned.
2211
+ # @return [String]
2212
+ #
2213
+ # @!attribute [rw] type
2214
+ # The type of analyzer.
2215
+ # @return [String]
2216
+ #
2217
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersRequest AWS API Documentation
2218
+ #
2219
+ class ListAnalyzersRequest < Struct.new(
2220
+ :max_results,
2221
+ :next_token,
2222
+ :type)
2223
+ SENSITIVE = []
2224
+ include Aws::Structure
2225
+ end
2226
+
2227
+ # The response to the request.
2228
+ #
2229
+ # @!attribute [rw] analyzers
2230
+ # The analyzers retrieved.
2231
+ # @return [Array<Types::AnalyzerSummary>]
2232
+ #
2233
+ # @!attribute [rw] next_token
2234
+ # A token used for pagination of results returned.
2235
+ # @return [String]
2236
+ #
2237
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersResponse AWS API Documentation
2238
+ #
2239
+ class ListAnalyzersResponse < Struct.new(
2240
+ :analyzers,
2241
+ :next_token)
2242
+ SENSITIVE = []
2243
+ include Aws::Structure
2244
+ end
2245
+
2246
+ # Retrieves a list of archive rules created for the specified analyzer.
2247
+ #
2248
+ # @note When making an API call, you may pass ListArchiveRulesRequest
2249
+ # data as a hash:
2250
+ #
2251
+ # {
2252
+ # analyzer_name: "Name", # required
2253
+ # max_results: 1,
2254
+ # next_token: "Token",
2255
+ # }
2256
+ #
2257
+ # @!attribute [rw] analyzer_name
2258
+ # The name of the analyzer to retrieve rules from.
2259
+ # @return [String]
2260
+ #
2261
+ # @!attribute [rw] max_results
2262
+ # The maximum number of results to return in the request.
2263
+ # @return [Integer]
2264
+ #
2265
+ # @!attribute [rw] next_token
2266
+ # A token used for pagination of results returned.
2267
+ # @return [String]
2268
+ #
2269
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesRequest AWS API Documentation
2270
+ #
2271
+ class ListArchiveRulesRequest < Struct.new(
2272
+ :analyzer_name,
2273
+ :max_results,
2274
+ :next_token)
2275
+ SENSITIVE = []
2276
+ include Aws::Structure
2277
+ end
2278
+
2279
+ # The response to the request.
2280
+ #
2281
+ # @!attribute [rw] archive_rules
2282
+ # A list of archive rules created for the specified analyzer.
2283
+ # @return [Array<Types::ArchiveRuleSummary>]
2284
+ #
2285
+ # @!attribute [rw] next_token
2286
+ # A token used for pagination of results returned.
2287
+ # @return [String]
2288
+ #
2289
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesResponse AWS API Documentation
2290
+ #
2291
+ class ListArchiveRulesResponse < Struct.new(
2292
+ :archive_rules,
2293
+ :next_token)
2294
+ SENSITIVE = []
2295
+ include Aws::Structure
2296
+ end
2297
+
2298
+ # Retrieves a list of findings generated by the specified analyzer.
2299
+ #
2300
+ # @note When making an API call, you may pass ListFindingsRequest
2301
+ # data as a hash:
2302
+ #
2303
+ # {
2304
+ # analyzer_arn: "AnalyzerArn", # required
2305
+ # filter: {
2306
+ # "String" => {
2307
+ # contains: ["String"],
2308
+ # eq: ["String"],
2309
+ # exists: false,
2310
+ # neq: ["String"],
2311
+ # },
2312
+ # },
2313
+ # max_results: 1,
2314
+ # next_token: "Token",
2315
+ # sort: {
2316
+ # attribute_name: "String",
2317
+ # order_by: "ASC", # accepts ASC, DESC
2318
+ # },
2319
+ # }
2320
+ #
2321
+ # @!attribute [rw] analyzer_arn
2322
+ # The [ARN of the analyzer][1] to retrieve findings from.
2323
+ #
2324
+ #
2325
+ #
2326
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
2327
+ # @return [String]
2328
+ #
2329
+ # @!attribute [rw] filter
2330
+ # A filter to match for the findings to return.
2331
+ # @return [Hash<String,Types::Criterion>]
2332
+ #
2333
+ # @!attribute [rw] max_results
2334
+ # The maximum number of results to return in the response.
2335
+ # @return [Integer]
2336
+ #
2337
+ # @!attribute [rw] next_token
2338
+ # A token used for pagination of results returned.
2339
+ # @return [String]
2340
+ #
2341
+ # @!attribute [rw] sort
2342
+ # The sort order for the findings returned.
2343
+ # @return [Types::SortCriteria]
2344
+ #
2345
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsRequest AWS API Documentation
2346
+ #
2347
+ class ListFindingsRequest < Struct.new(
2348
+ :analyzer_arn,
2349
+ :filter,
2350
+ :max_results,
2351
+ :next_token,
2352
+ :sort)
2353
+ SENSITIVE = []
2354
+ include Aws::Structure
2355
+ end
2356
+
2357
+ # The response to the request.
2358
+ #
2359
+ # @!attribute [rw] findings
2360
+ # A list of findings retrieved from the analyzer that match the filter
2361
+ # criteria specified, if any.
2362
+ # @return [Array<Types::FindingSummary>]
2363
+ #
2364
+ # @!attribute [rw] next_token
2365
+ # A token used for pagination of results returned.
2366
+ # @return [String]
2367
+ #
2368
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsResponse AWS API Documentation
2369
+ #
2370
+ class ListFindingsResponse < Struct.new(
2371
+ :findings,
2372
+ :next_token)
2373
+ SENSITIVE = []
2374
+ include Aws::Structure
2375
+ end
2376
+
2377
+ # @note When making an API call, you may pass ListPolicyGenerationsRequest
2378
+ # data as a hash:
2379
+ #
2380
+ # {
2381
+ # max_results: 1,
2382
+ # next_token: "Token",
2383
+ # principal_arn: "PrincipalArn",
2384
+ # }
2385
+ #
2386
+ # @!attribute [rw] max_results
2387
+ # The maximum number of results to return in the response.
2388
+ # @return [Integer]
2389
+ #
2390
+ # @!attribute [rw] next_token
2391
+ # A token used for pagination of results returned.
2392
+ # @return [String]
2393
+ #
2394
+ # @!attribute [rw] principal_arn
2395
+ # The ARN of the IAM entity (user or role) for which you are
2396
+ # generating a policy. Use this with `ListGeneratedPolicies` to filter
2397
+ # the results to only include results for a specific principal.
2398
+ # @return [String]
2399
+ #
2400
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListPolicyGenerationsRequest AWS API Documentation
2401
+ #
2402
+ class ListPolicyGenerationsRequest < Struct.new(
2403
+ :max_results,
2404
+ :next_token,
2405
+ :principal_arn)
2406
+ SENSITIVE = []
2407
+ include Aws::Structure
2408
+ end
2409
+
2410
+ # @!attribute [rw] next_token
2411
+ # A token used for pagination of results returned.
2412
+ # @return [String]
2413
+ #
2414
+ # @!attribute [rw] policy_generations
2415
+ # A `PolicyGeneration` object that contains details about the
2416
+ # generated policy.
2417
+ # @return [Array<Types::PolicyGeneration>]
2418
+ #
2419
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListPolicyGenerationsResponse AWS API Documentation
2420
+ #
2421
+ class ListPolicyGenerationsResponse < Struct.new(
2422
+ :next_token,
2423
+ :policy_generations)
2424
+ SENSITIVE = []
2425
+ include Aws::Structure
2426
+ end
2427
+
2428
+ # Retrieves a list of tags applied to the specified resource.
2429
+ #
2430
+ # @note When making an API call, you may pass ListTagsForResourceRequest
2431
+ # data as a hash:
2432
+ #
2433
+ # {
2434
+ # resource_arn: "String", # required
2435
+ # }
2436
+ #
2437
+ # @!attribute [rw] resource_arn
2438
+ # The ARN of the resource to retrieve tags from.
2439
+ # @return [String]
2440
+ #
2441
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListTagsForResourceRequest AWS API Documentation
2442
+ #
2443
+ class ListTagsForResourceRequest < Struct.new(
2444
+ :resource_arn)
2445
+ SENSITIVE = []
2446
+ include Aws::Structure
2447
+ end
2448
+
2449
+ # The response to the request.
2450
+ #
2451
+ # @!attribute [rw] tags
2452
+ # The tags that are applied to the specified resource.
2453
+ # @return [Hash<String,String>]
2454
+ #
2455
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListTagsForResourceResponse AWS API Documentation
2456
+ #
2457
+ class ListTagsForResourceResponse < Struct.new(
2458
+ :tags)
2459
+ SENSITIVE = []
2460
+ include Aws::Structure
2461
+ end
2462
+
2463
+ # A location in a policy that is represented as a path through the JSON
2464
+ # representation and a corresponding span.
2465
+ #
2466
+ # @!attribute [rw] path
2467
+ # A path in a policy, represented as a sequence of path elements.
2468
+ # @return [Array<Types::PathElement>]
2469
+ #
2470
+ # @!attribute [rw] span
2471
+ # A span in a policy.
2472
+ # @return [Types::Span]
2473
+ #
2474
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Location AWS API Documentation
2475
+ #
2476
+ class Location < Struct.new(
2477
+ :path,
2478
+ :span)
2479
+ SENSITIVE = []
2480
+ include Aws::Structure
2481
+ end
2482
+
2483
+ # The proposed `InternetConfiguration` or `VpcConfiguration` to apply to
2484
+ # the Amazon S3 Access point. You can make the access point accessible
2485
+ # from the internet, or you can specify that all requests made through
2486
+ # that access point must originate from a specific virtual private cloud
2487
+ # (VPC). You can specify only one type of network configuration. For
2488
+ # more information, see [Creating access points][1].
2489
+ #
2490
+ #
2491
+ #
2492
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
2493
+ #
2494
+ # @note When making an API call, you may pass NetworkOriginConfiguration
2495
+ # data as a hash:
2496
+ #
2497
+ # {
2498
+ # internet_configuration: {
2499
+ # },
2500
+ # vpc_configuration: {
2501
+ # vpc_id: "VpcId", # required
2502
+ # },
2503
+ # }
2504
+ #
2505
+ # @!attribute [rw] internet_configuration
2506
+ # The configuration for the Amazon S3 access point with an `Internet`
2507
+ # origin.
2508
+ # @return [Types::InternetConfiguration]
2509
+ #
2510
+ # @!attribute [rw] vpc_configuration
2511
+ # The proposed virtual private cloud (VPC) configuration for the
2512
+ # Amazon S3 access point. For more information, see
2513
+ # [VpcConfiguration][1].
2514
+ #
2515
+ #
2516
+ #
2517
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
2518
+ # @return [Types::VpcConfiguration]
2519
+ #
2520
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/NetworkOriginConfiguration AWS API Documentation
2521
+ #
2522
+ class NetworkOriginConfiguration < Struct.new(
2523
+ :internet_configuration,
2524
+ :vpc_configuration)
2525
+ SENSITIVE = []
2526
+ include Aws::Structure
2527
+ end
2528
+
2529
+ # A single element in a path through the JSON representation of a
2530
+ # policy.
2531
+ #
2532
+ # @!attribute [rw] index
2533
+ # Refers to an index in a JSON array.
2534
+ # @return [Integer]
2535
+ #
2536
+ # @!attribute [rw] key
2537
+ # Refers to a key in a JSON object.
2538
+ # @return [String]
2539
+ #
2540
+ # @!attribute [rw] substring
2541
+ # Refers to a substring of a literal string in a JSON object.
2542
+ # @return [Types::Substring]
2543
+ #
2544
+ # @!attribute [rw] value
2545
+ # Refers to the value associated with a given key in a JSON object.
2546
+ # @return [String]
2547
+ #
2548
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PathElement AWS API Documentation
2549
+ #
2550
+ class PathElement < Struct.new(
2551
+ :index,
2552
+ :key,
2553
+ :substring,
2554
+ :value)
2555
+ SENSITIVE = []
2556
+ include Aws::Structure
2557
+ end
2558
+
2559
+ # Contains details about the policy generation status and properties.
2560
+ #
2561
+ # @!attribute [rw] completed_on
2562
+ # A timestamp of when the policy generation was completed.
2563
+ # @return [Time]
2564
+ #
2565
+ # @!attribute [rw] job_id
2566
+ # The `JobId` that is returned by the `StartPolicyGeneration`
2567
+ # operation. The `JobId` can be used with `GetGeneratedPolicy` to
2568
+ # retrieve the generated policies or used with
2569
+ # `CancelPolicyGeneration` to cancel the policy generation request.
2570
+ # @return [String]
2571
+ #
2572
+ # @!attribute [rw] principal_arn
2573
+ # The ARN of the IAM entity (user or role) for which you are
2574
+ # generating a policy.
2575
+ # @return [String]
2576
+ #
2577
+ # @!attribute [rw] started_on
2578
+ # A timestamp of when the policy generation started.
2579
+ # @return [Time]
2580
+ #
2581
+ # @!attribute [rw] status
2582
+ # The status of the policy generation request.
2583
+ # @return [String]
2584
+ #
2585
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PolicyGeneration AWS API Documentation
2586
+ #
2587
+ class PolicyGeneration < Struct.new(
2588
+ :completed_on,
2589
+ :job_id,
2590
+ :principal_arn,
2591
+ :started_on,
2592
+ :status)
2593
+ SENSITIVE = []
2594
+ include Aws::Structure
2595
+ end
2596
+
2597
+ # Contains the ARN details about the IAM entity for which the policy is
2598
+ # generated.
2599
+ #
2600
+ # @note When making an API call, you may pass PolicyGenerationDetails
2601
+ # data as a hash:
2602
+ #
2603
+ # {
2604
+ # principal_arn: "PrincipalArn", # required
2605
+ # }
2606
+ #
2607
+ # @!attribute [rw] principal_arn
2608
+ # The ARN of the IAM entity (user or role) for which you are
2609
+ # generating a policy.
2610
+ # @return [String]
2611
+ #
2612
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PolicyGenerationDetails AWS API Documentation
2613
+ #
2614
+ class PolicyGenerationDetails < Struct.new(
2615
+ :principal_arn)
2616
+ SENSITIVE = []
2617
+ include Aws::Structure
2618
+ end
2619
+
2620
+ # A position in a policy.
2621
+ #
2622
+ # @!attribute [rw] column
2623
+ # The column of the position, starting from 0.
2624
+ # @return [Integer]
2625
+ #
2626
+ # @!attribute [rw] line
2627
+ # The line of the position, starting from 1.
2628
+ # @return [Integer]
2629
+ #
2630
+ # @!attribute [rw] offset
2631
+ # The offset within the policy that corresponds to the position,
2632
+ # starting from 0.
2633
+ # @return [Integer]
2634
+ #
2635
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Position AWS API Documentation
2636
+ #
2637
+ class Position < Struct.new(
2638
+ :column,
2639
+ :line,
2640
+ :offset)
2641
+ SENSITIVE = []
2642
+ include Aws::Structure
2643
+ end
2644
+
2645
+ # The specified resource could not be found.
2646
+ #
2647
+ # @!attribute [rw] message
2648
+ # @return [String]
2649
+ #
2650
+ # @!attribute [rw] resource_id
2651
+ # The ID of the resource.
2652
+ # @return [String]
2653
+ #
2654
+ # @!attribute [rw] resource_type
2655
+ # The type of the resource.
2656
+ # @return [String]
2657
+ #
2658
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ResourceNotFoundException AWS API Documentation
2659
+ #
2660
+ class ResourceNotFoundException < Struct.new(
2661
+ :message,
2662
+ :resource_id,
2663
+ :resource_type)
2664
+ SENSITIVE = []
2665
+ include Aws::Structure
2666
+ end
2667
+
2668
+ # The configuration for an Amazon S3 access point for the bucket. You
2669
+ # can propose up to 10 access points per bucket. If the proposed Amazon
2670
+ # S3 access point configuration is for an existing bucket, the access
2671
+ # preview uses the proposed access point configuration in place of the
2672
+ # existing access points. To propose an access point without a policy,
2673
+ # you can provide an empty string as the access point policy. For more
2674
+ # information, see [Creating access points][1]. For more information
2675
+ # about access point policy limits, see [Access points restrictions and
2676
+ # limitations][2].
2677
+ #
2678
+ #
2679
+ #
2680
+ # [1]: https://docs.aws.amazon.com/https:/docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
2681
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points-restrictions-limitations.html
2682
+ #
2683
+ # @note When making an API call, you may pass S3AccessPointConfiguration
2684
+ # data as a hash:
2685
+ #
2686
+ # {
2687
+ # access_point_policy: "AccessPointPolicy",
2688
+ # network_origin: {
2689
+ # internet_configuration: {
2690
+ # },
2691
+ # vpc_configuration: {
2692
+ # vpc_id: "VpcId", # required
2693
+ # },
2694
+ # },
2695
+ # public_access_block: {
2696
+ # ignore_public_acls: false, # required
2697
+ # restrict_public_buckets: false, # required
2698
+ # },
2699
+ # }
2700
+ #
2701
+ # @!attribute [rw] access_point_policy
2702
+ # The access point policy.
2703
+ # @return [String]
2704
+ #
2705
+ # @!attribute [rw] network_origin
2706
+ # The proposed `Internet` and `VpcConfiguration` to apply to this
2707
+ # Amazon S3 access point. If the access preview is for a new resource
2708
+ # and neither is specified, the access preview uses `Internet` for the
2709
+ # network origin. If the access preview is for an existing resource
2710
+ # and neither is specified, the access preview uses the exiting
2711
+ # network origin.
2712
+ # @return [Types::NetworkOriginConfiguration]
2713
+ #
2714
+ # @!attribute [rw] public_access_block
2715
+ # The proposed `S3PublicAccessBlock` configuration to apply to this
2716
+ # Amazon S3 Access Point.
2717
+ # @return [Types::S3PublicAccessBlockConfiguration]
2718
+ #
2719
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3AccessPointConfiguration AWS API Documentation
2720
+ #
2721
+ class S3AccessPointConfiguration < Struct.new(
2722
+ :access_point_policy,
2723
+ :network_origin,
2724
+ :public_access_block)
2725
+ SENSITIVE = []
2726
+ include Aws::Structure
2727
+ end
2728
+
2729
+ # A proposed access control list grant configuration for an Amazon S3
2730
+ # bucket. For more information, see [How to Specify an ACL][1].
2731
+ #
2732
+ #
2733
+ #
2734
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#setting-acls
2735
+ #
2736
+ # @note When making an API call, you may pass S3BucketAclGrantConfiguration
2737
+ # data as a hash:
2738
+ #
2739
+ # {
2740
+ # grantee: { # required
2741
+ # id: "AclCanonicalId",
2742
+ # uri: "AclUri",
2743
+ # },
2744
+ # permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
2745
+ # }
2746
+ #
2747
+ # @!attribute [rw] grantee
2748
+ # The grantee to whom you’re assigning access rights.
2749
+ # @return [Types::AclGrantee]
2750
+ #
2751
+ # @!attribute [rw] permission
2752
+ # The permissions being granted.
2753
+ # @return [String]
2754
+ #
2755
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketAclGrantConfiguration AWS API Documentation
2756
+ #
2757
+ class S3BucketAclGrantConfiguration < Struct.new(
2758
+ :grantee,
2759
+ :permission)
2760
+ SENSITIVE = []
2761
+ include Aws::Structure
2762
+ end
2763
+
2764
+ # Proposed access control configuration for an Amazon S3 bucket. You can
2765
+ # propose a configuration for a new Amazon S3 bucket or an existing
2766
+ # Amazon S3 bucket that you own by specifying the Amazon S3 bucket
2767
+ # policy, bucket ACLs, bucket BPA settings, and Amazon S3 access points
2768
+ # attached to the bucket. If the configuration is for an existing Amazon
2769
+ # S3 bucket and you do not specify the Amazon S3 bucket policy, the
2770
+ # access preview uses the existing policy attached to the bucket. If the
2771
+ # access preview is for a new resource and you do not specify the Amazon
2772
+ # S3 bucket policy, the access preview assumes a bucket without a
2773
+ # policy. To propose deletion of an existing bucket policy, you can
2774
+ # specify an empty string. For more information about bucket policy
2775
+ # limits, see [Bucket Policy Examples][1].
2776
+ #
2777
+ #
2778
+ #
2779
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
2780
+ #
2781
+ # @note When making an API call, you may pass S3BucketConfiguration
2782
+ # data as a hash:
2783
+ #
2784
+ # {
2785
+ # access_points: {
2786
+ # "AccessPointArn" => {
2787
+ # access_point_policy: "AccessPointPolicy",
2788
+ # network_origin: {
2789
+ # internet_configuration: {
2790
+ # },
2791
+ # vpc_configuration: {
2792
+ # vpc_id: "VpcId", # required
2793
+ # },
2794
+ # },
2795
+ # public_access_block: {
2796
+ # ignore_public_acls: false, # required
2797
+ # restrict_public_buckets: false, # required
2798
+ # },
2799
+ # },
2800
+ # },
2801
+ # bucket_acl_grants: [
2802
+ # {
2803
+ # grantee: { # required
2804
+ # id: "AclCanonicalId",
2805
+ # uri: "AclUri",
2806
+ # },
2807
+ # permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
2808
+ # },
2809
+ # ],
2810
+ # bucket_policy: "S3BucketPolicy",
2811
+ # bucket_public_access_block: {
2812
+ # ignore_public_acls: false, # required
2813
+ # restrict_public_buckets: false, # required
1114
2814
  # },
1115
2815
  # }
1116
2816
  #
1117
- # @!attribute [rw] analyzer_arn
1118
- # The ARN of the analyzer to retrieve findings from.
1119
- # @return [String]
1120
- #
1121
- # @!attribute [rw] filter
1122
- # A filter to match for the findings to return.
1123
- # @return [Hash<String,Types::Criterion>]
2817
+ # @!attribute [rw] access_points
2818
+ # The configuration of Amazon S3 access points for the bucket.
2819
+ # @return [Hash<String,Types::S3AccessPointConfiguration>]
1124
2820
  #
1125
- # @!attribute [rw] max_results
1126
- # The maximum number of results to return in the response.
1127
- # @return [Integer]
2821
+ # @!attribute [rw] bucket_acl_grants
2822
+ # The proposed list of ACL grants for the Amazon S3 bucket. You can
2823
+ # propose up to 100 ACL grants per bucket. If the proposed grant
2824
+ # configuration is for an existing bucket, the access preview uses the
2825
+ # proposed list of grant configurations in place of the existing
2826
+ # grants. Otherwise, the access preview uses the existing grants for
2827
+ # the bucket.
2828
+ # @return [Array<Types::S3BucketAclGrantConfiguration>]
1128
2829
  #
1129
- # @!attribute [rw] next_token
1130
- # A token used for pagination of results returned.
2830
+ # @!attribute [rw] bucket_policy
2831
+ # The proposed bucket policy for the Amazon S3 bucket.
1131
2832
  # @return [String]
1132
2833
  #
1133
- # @!attribute [rw] sort
1134
- # The sort order for the findings returned.
1135
- # @return [Types::SortCriteria]
2834
+ # @!attribute [rw] bucket_public_access_block
2835
+ # The proposed block public access configuration for the Amazon S3
2836
+ # bucket.
2837
+ # @return [Types::S3PublicAccessBlockConfiguration]
1136
2838
  #
1137
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsRequest AWS API Documentation
2839
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketConfiguration AWS API Documentation
1138
2840
  #
1139
- class ListFindingsRequest < Struct.new(
1140
- :analyzer_arn,
1141
- :filter,
1142
- :max_results,
1143
- :next_token,
1144
- :sort)
2841
+ class S3BucketConfiguration < Struct.new(
2842
+ :access_points,
2843
+ :bucket_acl_grants,
2844
+ :bucket_policy,
2845
+ :bucket_public_access_block)
1145
2846
  SENSITIVE = []
1146
2847
  include Aws::Structure
1147
2848
  end
1148
2849
 
1149
- # The response to the request.
1150
- #
1151
- # @!attribute [rw] findings
1152
- # A list of findings retrieved from the analyzer that match the filter
1153
- # criteria specified, if any.
1154
- # @return [Array<Types::FindingSummary>]
2850
+ # The `PublicAccessBlock` configuration to apply to this Amazon S3
2851
+ # bucket. If the proposed configuration is for an existing Amazon S3
2852
+ # bucket and the configuration is not specified, the access preview uses
2853
+ # the existing setting. If the proposed configuration is for a new
2854
+ # bucket and the configuration is not specified, the access preview uses
2855
+ # `false`. If the proposed configuration is for a new access point and
2856
+ # the access point BPA configuration is not specified, the access
2857
+ # preview uses `true`. For more information, see
2858
+ # [PublicAccessBlockConfiguration][1].
1155
2859
  #
1156
- # @!attribute [rw] next_token
1157
- # A token used for pagination of results returned.
1158
- # @return [String]
1159
2860
  #
1160
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsResponse AWS API Documentation
1161
2861
  #
1162
- class ListFindingsResponse < Struct.new(
1163
- :findings,
1164
- :next_token)
1165
- SENSITIVE = []
1166
- include Aws::Structure
1167
- end
1168
-
1169
- # Retrieves a list of tags applied to the specified resource.
2862
+ # [1]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html
1170
2863
  #
1171
- # @note When making an API call, you may pass ListTagsForResourceRequest
2864
+ # @note When making an API call, you may pass S3PublicAccessBlockConfiguration
1172
2865
  # data as a hash:
1173
2866
  #
1174
2867
  # {
1175
- # resource_arn: "String", # required
2868
+ # ignore_public_acls: false, # required
2869
+ # restrict_public_buckets: false, # required
1176
2870
  # }
1177
2871
  #
1178
- # @!attribute [rw] resource_arn
1179
- # The ARN of the resource to retrieve tags from.
1180
- # @return [String]
2872
+ # @!attribute [rw] ignore_public_acls
2873
+ # Specifies whether Amazon S3 should ignore public ACLs for this
2874
+ # bucket and objects in this bucket.
2875
+ # @return [Boolean]
1181
2876
  #
1182
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListTagsForResourceRequest AWS API Documentation
2877
+ # @!attribute [rw] restrict_public_buckets
2878
+ # Specifies whether Amazon S3 should restrict public bucket policies
2879
+ # for this bucket.
2880
+ # @return [Boolean]
1183
2881
  #
1184
- class ListTagsForResourceRequest < Struct.new(
1185
- :resource_arn)
2882
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3PublicAccessBlockConfiguration AWS API Documentation
2883
+ #
2884
+ class S3PublicAccessBlockConfiguration < Struct.new(
2885
+ :ignore_public_acls,
2886
+ :restrict_public_buckets)
1186
2887
  SENSITIVE = []
1187
2888
  include Aws::Structure
1188
2889
  end
1189
2890
 
1190
- # The response to the request.
2891
+ # The configuration for a Secrets Manager secret. For more information,
2892
+ # see [CreateSecret][1].
1191
2893
  #
1192
- # @!attribute [rw] tags
1193
- # The tags that are applied to the specified resource.
1194
- # @return [Hash<String,String>]
2894
+ # You can propose a configuration for a new secret or an existing secret
2895
+ # that you own by specifying the secret policy and optional KMS
2896
+ # encryption key. If the configuration is for an existing secret and you
2897
+ # do not specify the secret policy, the access preview uses the existing
2898
+ # policy for the secret. If the access preview is for a new resource and
2899
+ # you do not specify the policy, the access preview assumes a secret
2900
+ # without a policy. To propose deletion of an existing policy, you can
2901
+ # specify an empty string. If the proposed configuration is for a new
2902
+ # secret and you do not specify the KMS key ID, the access preview uses
2903
+ # the default CMK of the AWS account. If you specify an empty string for
2904
+ # the KMS key ID, the access preview uses the default CMK of the AWS
2905
+ # account. For more information about secret policy limits, see [Quotas
2906
+ # for AWS Secrets Manager.][2].
1195
2907
  #
1196
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListTagsForResourceResponse AWS API Documentation
1197
2908
  #
1198
- class ListTagsForResourceResponse < Struct.new(
1199
- :tags)
1200
- SENSITIVE = []
1201
- include Aws::Structure
1202
- end
1203
-
1204
- # The specified resource could not be found.
1205
2909
  #
1206
- # @!attribute [rw] message
1207
- # @return [String]
2910
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html
2911
+ # [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html
1208
2912
  #
1209
- # @!attribute [rw] resource_id
1210
- # The ID of the resource.
2913
+ # @note When making an API call, you may pass SecretsManagerSecretConfiguration
2914
+ # data as a hash:
2915
+ #
2916
+ # {
2917
+ # kms_key_id: "SecretsManagerSecretKmsId",
2918
+ # secret_policy: "SecretsManagerSecretPolicy",
2919
+ # }
2920
+ #
2921
+ # @!attribute [rw] kms_key_id
2922
+ # The proposed ARN, key ID, or alias of the AWS KMS customer master
2923
+ # key (CMK).
1211
2924
  # @return [String]
1212
2925
  #
1213
- # @!attribute [rw] resource_type
1214
- # The type of the resource.
2926
+ # @!attribute [rw] secret_policy
2927
+ # The proposed resource policy defining who can access or manage the
2928
+ # secret.
1215
2929
  # @return [String]
1216
2930
  #
1217
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ResourceNotFoundException AWS API Documentation
2931
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SecretsManagerSecretConfiguration AWS API Documentation
1218
2932
  #
1219
- class ResourceNotFoundException < Struct.new(
1220
- :message,
1221
- :resource_id,
1222
- :resource_type)
2933
+ class SecretsManagerSecretConfiguration < Struct.new(
2934
+ :kms_key_id,
2935
+ :secret_policy)
1223
2936
  SENSITIVE = []
1224
2937
  include Aws::Structure
1225
2938
  end
@@ -1274,6 +2987,132 @@ module Aws::AccessAnalyzer
1274
2987
  include Aws::Structure
1275
2988
  end
1276
2989
 
2990
+ # A span in a policy. The span consists of a start position (inclusive)
2991
+ # and end position (exclusive).
2992
+ #
2993
+ # @!attribute [rw] end
2994
+ # The end position of the span (exclusive).
2995
+ # @return [Types::Position]
2996
+ #
2997
+ # @!attribute [rw] start
2998
+ # The start position of the span (inclusive).
2999
+ # @return [Types::Position]
3000
+ #
3001
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Span AWS API Documentation
3002
+ #
3003
+ class Span < Struct.new(
3004
+ :end,
3005
+ :start)
3006
+ SENSITIVE = []
3007
+ include Aws::Structure
3008
+ end
3009
+
3010
+ # The proposed access control configuration for an SQS queue. You can
3011
+ # propose a configuration for a new SQS queue or an existing SQS queue
3012
+ # that you own by specifying the SQS policy. If the configuration is for
3013
+ # an existing SQS queue and you do not specify the SQS policy, the
3014
+ # access preview uses the existing SQS policy for the queue. If the
3015
+ # access preview is for a new resource and you do not specify the
3016
+ # policy, the access preview assumes an SQS queue without a policy. To
3017
+ # propose deletion of an existing SQS queue policy, you can specify an
3018
+ # empty string for the SQS policy. For more information about SQS policy
3019
+ # limits, see [Quotas related to policies][1].
3020
+ #
3021
+ #
3022
+ #
3023
+ # [1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-policies.html
3024
+ #
3025
+ # @note When making an API call, you may pass SqsQueueConfiguration
3026
+ # data as a hash:
3027
+ #
3028
+ # {
3029
+ # queue_policy: "SqsQueuePolicy",
3030
+ # }
3031
+ #
3032
+ # @!attribute [rw] queue_policy
3033
+ # The proposed resource policy for the SQS queue.
3034
+ # @return [String]
3035
+ #
3036
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SqsQueueConfiguration AWS API Documentation
3037
+ #
3038
+ class SqsQueueConfiguration < Struct.new(
3039
+ :queue_policy)
3040
+ SENSITIVE = []
3041
+ include Aws::Structure
3042
+ end
3043
+
3044
+ # @note When making an API call, you may pass StartPolicyGenerationRequest
3045
+ # data as a hash:
3046
+ #
3047
+ # {
3048
+ # client_token: "String",
3049
+ # cloud_trail_details: {
3050
+ # access_role: "RoleArn", # required
3051
+ # end_time: Time.now,
3052
+ # start_time: Time.now, # required
3053
+ # trails: [ # required
3054
+ # {
3055
+ # all_regions: false,
3056
+ # cloud_trail_arn: "CloudTrailArn", # required
3057
+ # regions: ["String"],
3058
+ # },
3059
+ # ],
3060
+ # },
3061
+ # policy_generation_details: { # required
3062
+ # principal_arn: "PrincipalArn", # required
3063
+ # },
3064
+ # }
3065
+ #
3066
+ # @!attribute [rw] client_token
3067
+ # A unique, case-sensitive identifier that you provide to ensure the
3068
+ # idempotency of the request. Idempotency ensures that an API request
3069
+ # completes only once. With an idempotent request, if the original
3070
+ # request completes successfully, the subsequent retries with the same
3071
+ # client token return the result from the original successful request
3072
+ # and they have no additional effect.
3073
+ #
3074
+ # If you do not specify a client token, one is automatically generated
3075
+ # by the AWS SDK.
3076
+ #
3077
+ # **A suitable default value is auto-generated.** You should normally
3078
+ # not need to pass this option.
3079
+ # @return [String]
3080
+ #
3081
+ # @!attribute [rw] cloud_trail_details
3082
+ # A `CloudTrailDetails` object that contains details about a `Trail`
3083
+ # that you want to analyze to generate policies.
3084
+ # @return [Types::CloudTrailDetails]
3085
+ #
3086
+ # @!attribute [rw] policy_generation_details
3087
+ # Contains the ARN of the IAM entity (user or role) for which you are
3088
+ # generating a policy.
3089
+ # @return [Types::PolicyGenerationDetails]
3090
+ #
3091
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/StartPolicyGenerationRequest AWS API Documentation
3092
+ #
3093
+ class StartPolicyGenerationRequest < Struct.new(
3094
+ :client_token,
3095
+ :cloud_trail_details,
3096
+ :policy_generation_details)
3097
+ SENSITIVE = []
3098
+ include Aws::Structure
3099
+ end
3100
+
3101
+ # @!attribute [rw] job_id
3102
+ # The `JobId` that is returned by the `StartPolicyGeneration`
3103
+ # operation. The `JobId` can be used with `GetGeneratedPolicy` to
3104
+ # retrieve the generated policies or used with
3105
+ # `CancelPolicyGeneration` to cancel the policy generation request.
3106
+ # @return [String]
3107
+ #
3108
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/StartPolicyGenerationResponse AWS API Documentation
3109
+ #
3110
+ class StartPolicyGenerationResponse < Struct.new(
3111
+ :job_id)
3112
+ SENSITIVE = []
3113
+ include Aws::Structure
3114
+ end
3115
+
1277
3116
  # Starts a scan of the policies applied to the specified resource.
1278
3117
  #
1279
3118
  # @note When making an API call, you may pass StartResourceScanRequest
@@ -1285,8 +3124,12 @@ module Aws::AccessAnalyzer
1285
3124
  # }
1286
3125
  #
1287
3126
  # @!attribute [rw] analyzer_arn
1288
- # The ARN of the analyzer to use to scan the policies applied to the
1289
- # specified resource.
3127
+ # The [ARN of the analyzer][1] to use to scan the policies applied to
3128
+ # the specified resource.
3129
+ #
3130
+ #
3131
+ #
3132
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1290
3133
  # @return [String]
1291
3134
  #
1292
3135
  # @!attribute [rw] resource_arn
@@ -1304,7 +3147,7 @@ module Aws::AccessAnalyzer
1304
3147
 
1305
3148
  # Provides more details about the current status of the analyzer. For
1306
3149
  # example, if the creation for the analyzer fails, a `Failed` status is
1307
- # displayed. For an analyzer with organization as the type, this failure
3150
+ # returned. For an analyzer with organization as the type, this failure
1308
3151
  # can be due to an issue with creating the service-linked roles required
1309
3152
  # in the member accounts of the AWS organization.
1310
3153
  #
@@ -1320,6 +3163,25 @@ module Aws::AccessAnalyzer
1320
3163
  include Aws::Structure
1321
3164
  end
1322
3165
 
3166
+ # A reference to a substring of a literal string in a JSON document.
3167
+ #
3168
+ # @!attribute [rw] length
3169
+ # The length of the substring.
3170
+ # @return [Integer]
3171
+ #
3172
+ # @!attribute [rw] start
3173
+ # The start index of the substring, starting from 0.
3174
+ # @return [Integer]
3175
+ #
3176
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Substring AWS API Documentation
3177
+ #
3178
+ class Substring < Struct.new(
3179
+ :length,
3180
+ :start)
3181
+ SENSITIVE = []
3182
+ include Aws::Structure
3183
+ end
3184
+
1323
3185
  # Adds a tag to the specified resource.
1324
3186
  #
1325
3187
  # @note When making an API call, you may pass TagResourceRequest
@@ -1373,6 +3235,73 @@ module Aws::AccessAnalyzer
1373
3235
  include Aws::Structure
1374
3236
  end
1375
3237
 
3238
+ # Contains details about the CloudTrail trail being analyzed to generate
3239
+ # a policy.
3240
+ #
3241
+ # @note When making an API call, you may pass Trail
3242
+ # data as a hash:
3243
+ #
3244
+ # {
3245
+ # all_regions: false,
3246
+ # cloud_trail_arn: "CloudTrailArn", # required
3247
+ # regions: ["String"],
3248
+ # }
3249
+ #
3250
+ # @!attribute [rw] all_regions
3251
+ # Possible values are `true` or `false`. If set to `true`, Access
3252
+ # Analyzer retrieves CloudTrail data from all regions to analyze and
3253
+ # generate a policy.
3254
+ # @return [Boolean]
3255
+ #
3256
+ # @!attribute [rw] cloud_trail_arn
3257
+ # Specifies the ARN of the trail. The format of a trail ARN is
3258
+ # `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`.
3259
+ # @return [String]
3260
+ #
3261
+ # @!attribute [rw] regions
3262
+ # A list of regions to get CloudTrail data from and analyze to
3263
+ # generate a policy.
3264
+ # @return [Array<String>]
3265
+ #
3266
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Trail AWS API Documentation
3267
+ #
3268
+ class Trail < Struct.new(
3269
+ :all_regions,
3270
+ :cloud_trail_arn,
3271
+ :regions)
3272
+ SENSITIVE = []
3273
+ include Aws::Structure
3274
+ end
3275
+
3276
+ # Contains details about the CloudTrail trail being analyzed to generate
3277
+ # a policy.
3278
+ #
3279
+ # @!attribute [rw] all_regions
3280
+ # Possible values are `true` or `false`. If set to `true`, Access
3281
+ # Analyzer retrieves CloudTrail data from all regions to analyze and
3282
+ # generate a policy.
3283
+ # @return [Boolean]
3284
+ #
3285
+ # @!attribute [rw] cloud_trail_arn
3286
+ # Specifies the ARN of the trail. The format of a trail ARN is
3287
+ # `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`.
3288
+ # @return [String]
3289
+ #
3290
+ # @!attribute [rw] regions
3291
+ # A list of regions to get CloudTrail data from and analyze to
3292
+ # generate a policy.
3293
+ # @return [Array<String>]
3294
+ #
3295
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/TrailProperties AWS API Documentation
3296
+ #
3297
+ class TrailProperties < Struct.new(
3298
+ :all_regions,
3299
+ :cloud_trail_arn,
3300
+ :regions)
3301
+ SENSITIVE = []
3302
+ include Aws::Structure
3303
+ end
3304
+
1376
3305
  # Removes a tag from the specified resource.
1377
3306
  #
1378
3307
  # @note When making an API call, you may pass UntagResourceRequest
@@ -1470,7 +3399,11 @@ module Aws::AccessAnalyzer
1470
3399
  # }
1471
3400
  #
1472
3401
  # @!attribute [rw] analyzer_arn
1473
- # The ARN of the analyzer that generated the findings to update.
3402
+ # The [ARN of the analyzer][1] that generated the findings to update.
3403
+ #
3404
+ #
3405
+ #
3406
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1474
3407
  # @return [String]
1475
3408
  #
1476
3409
  # @!attribute [rw] client_token
@@ -1507,6 +3440,127 @@ module Aws::AccessAnalyzer
1507
3440
  include Aws::Structure
1508
3441
  end
1509
3442
 
3443
+ # A finding in a policy. Each finding is an actionable recommendation
3444
+ # that can be used to improve the policy.
3445
+ #
3446
+ # @!attribute [rw] finding_details
3447
+ # A localized message that explains the finding and provides guidance
3448
+ # on how to address it.
3449
+ # @return [String]
3450
+ #
3451
+ # @!attribute [rw] finding_type
3452
+ # The impact of the finding.
3453
+ #
3454
+ # Security warnings report when the policy allows access that we
3455
+ # consider overly permissive.
3456
+ #
3457
+ # Errors report when a part of the policy is not functional.
3458
+ #
3459
+ # Warnings report non-security issues when a policy does not conform
3460
+ # to policy writing best practices.
3461
+ #
3462
+ # Suggestions recommend stylistic improvements in the policy that do
3463
+ # not impact access.
3464
+ # @return [String]
3465
+ #
3466
+ # @!attribute [rw] issue_code
3467
+ # The issue code provides an identifier of the issue associated with
3468
+ # this finding.
3469
+ # @return [String]
3470
+ #
3471
+ # @!attribute [rw] learn_more_link
3472
+ # A link to additional documentation about the type of finding.
3473
+ # @return [String]
3474
+ #
3475
+ # @!attribute [rw] locations
3476
+ # The list of locations in the policy document that are related to the
3477
+ # finding. The issue code provides a summary of an issue identified by
3478
+ # the finding.
3479
+ # @return [Array<Types::Location>]
3480
+ #
3481
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyFinding AWS API Documentation
3482
+ #
3483
+ class ValidatePolicyFinding < Struct.new(
3484
+ :finding_details,
3485
+ :finding_type,
3486
+ :issue_code,
3487
+ :learn_more_link,
3488
+ :locations)
3489
+ SENSITIVE = []
3490
+ include Aws::Structure
3491
+ end
3492
+
3493
+ # @note When making an API call, you may pass ValidatePolicyRequest
3494
+ # data as a hash:
3495
+ #
3496
+ # {
3497
+ # locale: "DE", # accepts DE, EN, ES, FR, IT, JA, KO, PT_BR, ZH_CN, ZH_TW
3498
+ # max_results: 1,
3499
+ # next_token: "Token",
3500
+ # policy_document: "PolicyDocument", # required
3501
+ # policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY
3502
+ # }
3503
+ #
3504
+ # @!attribute [rw] locale
3505
+ # The locale to use for localizing the findings.
3506
+ # @return [String]
3507
+ #
3508
+ # @!attribute [rw] max_results
3509
+ # The maximum number of results to return in the response.
3510
+ # @return [Integer]
3511
+ #
3512
+ # @!attribute [rw] next_token
3513
+ # A token used for pagination of results returned.
3514
+ # @return [String]
3515
+ #
3516
+ # @!attribute [rw] policy_document
3517
+ # The JSON policy document to use as the content for the policy.
3518
+ # @return [String]
3519
+ #
3520
+ # @!attribute [rw] policy_type
3521
+ # The type of policy to validate. Identity policies grant permissions
3522
+ # to IAM principals. Identity policies include managed and inline
3523
+ # policies for IAM roles, users, and groups. They also include
3524
+ # service-control policies (SCPs) that are attached to an AWS
3525
+ # organization, organizational unit (OU), or an account.
3526
+ #
3527
+ # Resource policies grant permissions on AWS resources. Resource
3528
+ # policies include trust policies for IAM roles and bucket policies
3529
+ # for S3 buckets. You can provide a generic input such as identity
3530
+ # policy or resource policy or a specific input such as managed policy
3531
+ # or S3 bucket policy.
3532
+ # @return [String]
3533
+ #
3534
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyRequest AWS API Documentation
3535
+ #
3536
+ class ValidatePolicyRequest < Struct.new(
3537
+ :locale,
3538
+ :max_results,
3539
+ :next_token,
3540
+ :policy_document,
3541
+ :policy_type)
3542
+ SENSITIVE = []
3543
+ include Aws::Structure
3544
+ end
3545
+
3546
+ # @!attribute [rw] findings
3547
+ # The list of findings in a policy returned by Access Analyzer based
3548
+ # on its suite of policy checks.
3549
+ # @return [Array<Types::ValidatePolicyFinding>]
3550
+ #
3551
+ # @!attribute [rw] next_token
3552
+ # A token used for pagination of results returned.
3553
+ # @return [String]
3554
+ #
3555
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyResponse AWS API Documentation
3556
+ #
3557
+ class ValidatePolicyResponse < Struct.new(
3558
+ :findings,
3559
+ :next_token)
3560
+ SENSITIVE = []
3561
+ include Aws::Structure
3562
+ end
3563
+
1510
3564
  # Validation exception error.
1511
3565
  #
1512
3566
  # @!attribute [rw] field_list
@@ -1549,5 +3603,32 @@ module Aws::AccessAnalyzer
1549
3603
  include Aws::Structure
1550
3604
  end
1551
3605
 
3606
+ # The proposed virtual private cloud (VPC) configuration for the Amazon
3607
+ # S3 access point. For more information, see [VpcConfiguration][1].
3608
+ #
3609
+ #
3610
+ #
3611
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
3612
+ #
3613
+ # @note When making an API call, you may pass VpcConfiguration
3614
+ # data as a hash:
3615
+ #
3616
+ # {
3617
+ # vpc_id: "VpcId", # required
3618
+ # }
3619
+ #
3620
+ # @!attribute [rw] vpc_id
3621
+ # If this field is specified, this access point will only allow
3622
+ # connections from the specified VPC ID.
3623
+ # @return [String]
3624
+ #
3625
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/VpcConfiguration AWS API Documentation
3626
+ #
3627
+ class VpcConfiguration < Struct.new(
3628
+ :vpc_id)
3629
+ SENSITIVE = []
3630
+ include Aws::Structure
3631
+ end
3632
+
1552
3633
  end
1553
3634
  end