aws-sdk-accessanalyzer 1.14.0 → 1.19.0

@@ -3,7 +3,7 @@
3
3
  # WARNING ABOUT GENERATED CODE
4
4
  #
5
5
  # This file is generated. See the contributing guide for more information:
6
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
6
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
@@ -3,7 +3,7 @@
3
3
  # WARNING ABOUT GENERATED CODE
4
4
  #
5
5
  # This file is generated. See the contributing guide for more information:
6
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
6
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
@@ -3,7 +3,7 @@
3
3
  # WARNING ABOUT GENERATED CODE
4
4
  #
5
5
  # This file is generated. See the contributing guide for more information:
6
- # https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
6
+ # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
7
7
  #
8
8
  # WARNING ABOUT GENERATED CODE
9
9
 
@@ -23,6 +23,266 @@ module Aws::AccessAnalyzer
23
23
  include Aws::Structure
24
24
  end
25
25
 
26
+ # Contains information about an access preview.
27
+ #
28
+ # @!attribute [rw] analyzer_arn
29
+ # The ARN of the analyzer used to generate the access preview.
30
+ # @return [String]
31
+ #
32
+ # @!attribute [rw] configurations
33
+ # A map of resource ARNs for the proposed resource configuration.
34
+ # @return [Hash<String,Types::Configuration>]
35
+ #
36
+ # @!attribute [rw] created_at
37
+ # The time at which the access preview was created.
38
+ # @return [Time]
39
+ #
40
+ # @!attribute [rw] id
41
+ # The unique ID for the access preview.
42
+ # @return [String]
43
+ #
44
+ # @!attribute [rw] status
45
+ # The status of the access preview.
46
+ #
47
+ # * `Creating` - The access preview creation is in progress.
48
+ #
49
+ # * `Completed` - The access preview is complete. You can preview
50
+ # findings for external access to the resource.
51
+ #
52
+ # * `Failed` - The access preview creation has failed.
53
+ # @return [String]
54
+ #
55
+ # @!attribute [rw] status_reason
56
+ # Provides more details about the current status of the access
57
+ # preview.
58
+ #
59
+ # For example, if the creation of the access preview fails, a `Failed`
60
+ # status is returned. This failure can be due to an internal issue
61
+ # with the analysis or due to an invalid resource configuration.
62
+ # @return [Types::AccessPreviewStatusReason]
63
+ #
64
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreview AWS API Documentation
65
+ #
66
+ class AccessPreview < Struct.new(
67
+ :analyzer_arn,
68
+ :configurations,
69
+ :created_at,
70
+ :id,
71
+ :status,
72
+ :status_reason)
73
+ SENSITIVE = []
74
+ include Aws::Structure
75
+ end
76
+
77
+ # An access preview finding generated by the access preview.
78
+ #
79
+ # @!attribute [rw] action
80
+ # The action in the analyzed policy statement that an external
81
+ # principal has permission to perform.
82
+ # @return [Array<String>]
83
+ #
84
+ # @!attribute [rw] change_type
85
+ # Provides context on how the access preview finding compares to
86
+ # existing access identified in Access Analyzer.
87
+ #
88
+ # * `New` - The finding is for newly-introduced access.
89
+ #
90
+ # * `Unchanged` - The preview finding is an existing finding that
91
+ # would remain unchanged.
92
+ #
93
+ # * `Changed` - The preview finding is an existing finding with a
94
+ # change in status.
95
+ #
96
+ # For example, a `Changed` finding with preview status `Resolved` and
97
+ # existing status `Active` indicates the existing `Active` finding
98
+ # would become `Resolved` as a result of the proposed permissions
99
+ # change.
100
+ # @return [String]
101
+ #
102
+ # @!attribute [rw] condition
103
+ # The condition in the analyzed policy statement that resulted in a
104
+ # finding.
105
+ # @return [Hash<String,String>]
106
+ #
107
+ # @!attribute [rw] created_at
108
+ # The time at which the access preview finding was created.
109
+ # @return [Time]
110
+ #
111
+ # @!attribute [rw] error
112
+ # An error.
113
+ # @return [String]
114
+ #
115
+ # @!attribute [rw] existing_finding_id
116
+ # The existing ID of the finding in Access Analyzer, provided only for
117
+ # existing findings.
118
+ # @return [String]
119
+ #
120
+ # @!attribute [rw] existing_finding_status
121
+ # The existing status of the finding, provided only for existing
122
+ # findings.
123
+ # @return [String]
124
+ #
125
+ # @!attribute [rw] id
126
+ # The ID of the access preview finding. This ID uniquely identifies
127
+ # the element in the list of access preview findings and is not
128
+ # related to the finding ID in Access Analyzer.
129
+ # @return [String]
130
+ #
131
+ # @!attribute [rw] is_public
132
+ # Indicates whether the policy that generated the finding allows
133
+ # public access to the resource.
134
+ # @return [Boolean]
135
+ #
136
+ # @!attribute [rw] principal
137
+ # The external principal that has access to a resource within the zone
138
+ # of trust.
139
+ # @return [Hash<String,String>]
140
+ #
141
+ # @!attribute [rw] resource
142
+ # The resource that an external principal has access to. This is the
143
+ # resource associated with the access preview.
144
+ # @return [String]
145
+ #
146
+ # @!attribute [rw] resource_owner_account
147
+ # The AWS account ID that owns the resource. For most AWS resources,
148
+ # the owning account is the account in which the resource was created.
149
+ # @return [String]
150
+ #
151
+ # @!attribute [rw] resource_type
152
+ # The type of the resource that can be accessed in the finding.
153
+ # @return [String]
154
+ #
155
+ # @!attribute [rw] sources
156
+ # The sources of the finding. This indicates how the access that
157
+ # generated the finding is granted. It is populated for Amazon S3
158
+ # bucket findings.
159
+ # @return [Array<Types::FindingSource>]
160
+ #
161
+ # @!attribute [rw] status
162
+ # The preview status of the finding. This is what the status of the
163
+ # finding would be after permissions deployment. For example, a
164
+ # `Changed` finding with preview status `Resolved` and existing status
165
+ # `Active` indicates the existing `Active` finding would become
166
+ # `Resolved` as a result of the proposed permissions change.
167
+ # @return [String]
168
+ #
169
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewFinding AWS API Documentation
170
+ #
171
+ class AccessPreviewFinding < Struct.new(
172
+ :action,
173
+ :change_type,
174
+ :condition,
175
+ :created_at,
176
+ :error,
177
+ :existing_finding_id,
178
+ :existing_finding_status,
179
+ :id,
180
+ :is_public,
181
+ :principal,
182
+ :resource,
183
+ :resource_owner_account,
184
+ :resource_type,
185
+ :sources,
186
+ :status)
187
+ SENSITIVE = []
188
+ include Aws::Structure
189
+ end
190
+
191
+ # Provides more details about the current status of the access preview.
192
+ # For example, if the creation of the access preview fails, a `Failed`
193
+ # status is returned. This failure can be due to an internal issue with
194
+ # the analysis or due to an invalid proposed resource configuration.
195
+ #
196
+ # @!attribute [rw] code
197
+ # The reason code for the current status of the access preview.
198
+ # @return [String]
199
+ #
200
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewStatusReason AWS API Documentation
201
+ #
202
+ class AccessPreviewStatusReason < Struct.new(
203
+ :code)
204
+ SENSITIVE = []
205
+ include Aws::Structure
206
+ end
207
+
208
+ # Contains a summary of information about an access preview.
209
+ #
210
+ # @!attribute [rw] analyzer_arn
211
+ # The ARN of the analyzer used to generate the access preview.
212
+ # @return [String]
213
+ #
214
+ # @!attribute [rw] created_at
215
+ # The time at which the access preview was created.
216
+ # @return [Time]
217
+ #
218
+ # @!attribute [rw] id
219
+ # The unique ID for the access preview.
220
+ # @return [String]
221
+ #
222
+ # @!attribute [rw] status
223
+ # The status of the access preview.
224
+ #
225
+ # * `Creating` - The access preview creation is in progress.
226
+ #
227
+ # * `Completed` - The access preview is complete and previews the
228
+ # findings for external access to the resource.
229
+ #
230
+ # * `Failed` - The access preview creation has failed.
231
+ # @return [String]
232
+ #
233
+ # @!attribute [rw] status_reason
234
+ # Provides more details about the current status of the access
235
+ # preview. For example, if the creation of the access preview fails, a
236
+ # `Failed` status is returned. This failure can be due to an internal
237
+ # issue with the analysis or due to an invalid proposed resource
238
+ # configuration.
239
+ # @return [Types::AccessPreviewStatusReason]
240
+ #
241
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewSummary AWS API Documentation
242
+ #
243
+ class AccessPreviewSummary < Struct.new(
244
+ :analyzer_arn,
245
+ :created_at,
246
+ :id,
247
+ :status,
248
+ :status_reason)
249
+ SENSITIVE = []
250
+ include Aws::Structure
251
+ end
252
+
253
+ # You specify each grantee as a type-value pair using one of these
254
+ # types. You can specify only one type of grantee. For more information,
255
+ # see [PutBucketAcl][1].
256
+ #
257
+ #
258
+ #
259
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html
260
+ #
261
+ # @note When making an API call, you may pass AclGrantee
262
+ # data as a hash:
263
+ #
264
+ # {
265
+ # id: "AclCanonicalId",
266
+ # uri: "AclUri",
267
+ # }
268
+ #
269
+ # @!attribute [rw] id
270
+ # The value specified is the canonical user ID of an AWS account.
271
+ # @return [String]
272
+ #
273
+ # @!attribute [rw] uri
274
+ # Used for granting permissions to a predefined group.
275
+ # @return [String]
276
+ #
277
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AclGrantee AWS API Documentation
278
+ #
279
+ class AclGrantee < Struct.new(
280
+ :id,
281
+ :uri)
282
+ SENSITIVE = []
283
+ include Aws::Structure
284
+ end
285
+
26
286
  # Contains details about the analyzed resource.
27
287
  #
28
288
  # @!attribute [rw] actions
@@ -141,16 +401,16 @@ module Aws::AccessAnalyzer
141
401
  # The status of the analyzer. An `Active` analyzer successfully
142
402
  # monitors supported resources and generates new findings. The
143
403
  # analyzer is `Disabled` when a user action, such as removing trusted
144
- # access for IAM Access Analyzer from AWS Organizations, causes the
145
- # analyzer to stop generating new findings. The status is `Creating`
146
- # when the analyzer creation is in progress and `Failed` when the
147
- # analyzer creation has failed.
404
+ # access for AWS IAM Access Analyzer from AWS Organizations, causes
405
+ # the analyzer to stop generating new findings. The status is
406
+ # `Creating` when the analyzer creation is in progress and `Failed`
407
+ # when the analyzer creation has failed.
148
408
  # @return [String]
149
409
  #
150
410
  # @!attribute [rw] status_reason
151
411
  # The `statusReason` provides more details about the current status of
152
412
  # the analyzer. For example, if the creation for the analyzer fails, a
153
- # `Failed` status is displayed. For an analyzer with organization as
413
+ # `Failed` status is returned. For an analyzer with organization as
154
414
  # the type, this failure can be due to an issue with creating the
155
415
  # service-linked roles required in the member accounts of the AWS
156
416
  # organization.
@@ -246,130 +506,466 @@ module Aws::AccessAnalyzer
246
506
  include Aws::Structure
247
507
  end
248
508
 
249
- # A conflict exception error.
250
- #
251
- # @!attribute [rw] message
252
- # @return [String]
509
+ # @note When making an API call, you may pass CancelPolicyGenerationRequest
510
+ # data as a hash:
253
511
  #
254
- # @!attribute [rw] resource_id
255
- # The ID of the resource.
256
- # @return [String]
512
+ # {
513
+ # job_id: "JobId", # required
514
+ # }
257
515
  #
258
- # @!attribute [rw] resource_type
259
- # The resource type.
516
+ # @!attribute [rw] job_id
517
+ # The `JobId` that is returned by the `StartPolicyGeneration`
518
+ # operation. The `JobId` can be used with `GetGeneratedPolicy` to
519
+ # retrieve the generated policies or used with
520
+ # `CancelPolicyGeneration` to cancel the policy generation request.
260
521
  # @return [String]
261
522
  #
262
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ConflictException AWS API Documentation
523
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CancelPolicyGenerationRequest AWS API Documentation
263
524
  #
264
- class ConflictException < Struct.new(
265
- :message,
266
- :resource_id,
267
- :resource_type)
525
+ class CancelPolicyGenerationRequest < Struct.new(
526
+ :job_id)
268
527
  SENSITIVE = []
269
528
  include Aws::Structure
270
529
  end
271
530
 
272
- # Creates an analyzer.
531
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CancelPolicyGenerationResponse AWS API Documentation
273
532
  #
274
- # @note When making an API call, you may pass CreateAnalyzerRequest
533
+ class CancelPolicyGenerationResponse < Aws::EmptyStructure; end
534
+
535
+ # Contains information about CloudTrail access.
536
+ #
537
+ # @note When making an API call, you may pass CloudTrailDetails
275
538
  # data as a hash:
276
539
  #
277
540
  # {
278
- # analyzer_name: "Name", # required
279
- # archive_rules: [
541
+ # access_role: "RoleArn", # required
542
+ # end_time: Time.now,
543
+ # start_time: Time.now, # required
544
+ # trails: [ # required
280
545
  # {
281
- # filter: { # required
282
- # "String" => {
283
- # contains: ["String"],
284
- # eq: ["String"],
285
- # exists: false,
286
- # neq: ["String"],
287
- # },
288
- # },
289
- # rule_name: "Name", # required
546
+ # all_regions: false,
547
+ # cloud_trail_arn: "CloudTrailArn", # required
548
+ # regions: ["String"],
290
549
  # },
291
550
  # ],
292
- # client_token: "String",
293
- # tags: {
294
- # "String" => "String",
295
- # },
296
- # type: "ACCOUNT", # required, accepts ACCOUNT, ORGANIZATION
297
551
  # }
298
552
  #
299
- # @!attribute [rw] analyzer_name
300
- # The name of the analyzer to create.
553
+ # @!attribute [rw] access_role
554
+ # The ARN of the service role that Access Analyzer uses to access your
555
+ # CloudTrail trail and service last accessed information.
301
556
  # @return [String]
302
557
  #
303
- # @!attribute [rw] archive_rules
304
- # Specifies the archive rules to add for the analyzer. Archive rules
305
- # automatically archive findings that meet the criteria you define for
306
- # the rule.
307
- # @return [Array<Types::InlineArchiveRule>]
308
- #
309
- # @!attribute [rw] client_token
310
- # A client token.
311
- #
312
- # **A suitable default value is auto-generated.** You should normally
313
- # not need to pass this option.
314
- # @return [String]
558
+ # @!attribute [rw] end_time
559
+ # The end of the time range for which Access Analyzer reviews your
560
+ # CloudTrail events. Events with a timestamp after this time are not
561
+ # considered to generate a policy. If this is not included in the
562
+ # request, the default value is the current time.
563
+ # @return [Time]
315
564
  #
316
- # @!attribute [rw] tags
317
- # The tags to apply to the analyzer.
318
- # @return [Hash<String,String>]
565
+ # @!attribute [rw] start_time
566
+ # The start of the time range for which Access Analyzer reviews your
567
+ # CloudTrail events. Events with a timestamp before this time are not
568
+ # considered to generate a policy.
569
+ # @return [Time]
319
570
  #
320
- # @!attribute [rw] type
321
- # The type of analyzer to create. Only ACCOUNT analyzers are
322
- # supported. You can create only one analyzer per account per Region.
323
- # @return [String]
571
+ # @!attribute [rw] trails
572
+ # A `Trail` object that contains settings for a trail.
573
+ # @return [Array<Types::Trail>]
324
574
  #
325
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerRequest AWS API Documentation
575
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CloudTrailDetails AWS API Documentation
326
576
  #
327
- class CreateAnalyzerRequest < Struct.new(
328
- :analyzer_name,
329
- :archive_rules,
330
- :client_token,
331
- :tags,
332
- :type)
577
+ class CloudTrailDetails < Struct.new(
578
+ :access_role,
579
+ :end_time,
580
+ :start_time,
581
+ :trails)
333
582
  SENSITIVE = []
334
583
  include Aws::Structure
335
584
  end
336
585
 
337
- # The response to the request to create an analyzer.
586
+ # Contains information about CloudTrail access.
338
587
  #
339
- # @!attribute [rw] arn
340
- # The ARN of the analyzer that was created by the request.
341
- # @return [String]
588
+ # @!attribute [rw] end_time
589
+ # The end of the time range for which Access Analyzer reviews your
590
+ # CloudTrail events. Events with a timestamp after this time are not
591
+ # considered to generate a policy. If this is not included in the
592
+ # request, the default value is the current time.
593
+ # @return [Time]
342
594
  #
343
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerResponse AWS API Documentation
595
+ # @!attribute [rw] start_time
596
+ # The start of the time range for which Access Analyzer reviews your
597
+ # CloudTrail events. Events with a timestamp before this time are not
598
+ # considered to generate a policy.
599
+ # @return [Time]
344
600
  #
345
- class CreateAnalyzerResponse < Struct.new(
346
- :arn)
601
+ # @!attribute [rw] trail_properties
602
+ # A `TrailProperties` object that contains settings for trail
603
+ # properties.
604
+ # @return [Array<Types::TrailProperties>]
605
+ #
606
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CloudTrailProperties AWS API Documentation
607
+ #
608
+ class CloudTrailProperties < Struct.new(
609
+ :end_time,
610
+ :start_time,
611
+ :trail_properties)
347
612
  SENSITIVE = []
348
613
  include Aws::Structure
349
614
  end
350
615
 
351
- # Creates an archive rule.
616
+ # Access control configuration structures for your resource. You specify
617
+ # the configuration as a type-value pair. You can specify only one type
618
+ # of access control configuration.
352
619
  #
353
- # @note When making an API call, you may pass CreateArchiveRuleRequest
620
+ # @note When making an API call, you may pass Configuration
354
621
  # data as a hash:
355
622
  #
356
623
  # {
357
- # analyzer_name: "Name", # required
358
- # client_token: "String",
359
- # filter: { # required
360
- # "String" => {
361
- # contains: ["String"],
362
- # eq: ["String"],
363
- # exists: false,
364
- # neq: ["String"],
624
+ # iam_role: {
625
+ # trust_policy: "IamTrustPolicy",
626
+ # },
627
+ # kms_key: {
628
+ # grants: [
629
+ # {
630
+ # constraints: {
631
+ # encryption_context_equals: {
632
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
633
+ # },
634
+ # encryption_context_subset: {
635
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
636
+ # },
637
+ # },
638
+ # grantee_principal: "GranteePrincipal", # required
639
+ # issuing_account: "IssuingAccount", # required
640
+ # operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
641
+ # retiring_principal: "RetiringPrincipal",
642
+ # },
643
+ # ],
644
+ # key_policies: {
645
+ # "PolicyName" => "KmsKeyPolicy",
365
646
  # },
366
647
  # },
367
- # rule_name: "Name", # required
368
- # }
369
- #
370
- # @!attribute [rw] analyzer_name
371
- # The name of the created analyzer.
372
- # @return [String]
648
+ # s3_bucket: {
649
+ # access_points: {
650
+ # "AccessPointArn" => {
651
+ # access_point_policy: "AccessPointPolicy",
652
+ # network_origin: {
653
+ # internet_configuration: {
654
+ # },
655
+ # vpc_configuration: {
656
+ # vpc_id: "VpcId", # required
657
+ # },
658
+ # },
659
+ # public_access_block: {
660
+ # ignore_public_acls: false, # required
661
+ # restrict_public_buckets: false, # required
662
+ # },
663
+ # },
664
+ # },
665
+ # bucket_acl_grants: [
666
+ # {
667
+ # grantee: { # required
668
+ # id: "AclCanonicalId",
669
+ # uri: "AclUri",
670
+ # },
671
+ # permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
672
+ # },
673
+ # ],
674
+ # bucket_policy: "S3BucketPolicy",
675
+ # bucket_public_access_block: {
676
+ # ignore_public_acls: false, # required
677
+ # restrict_public_buckets: false, # required
678
+ # },
679
+ # },
680
+ # secrets_manager_secret: {
681
+ # kms_key_id: "SecretsManagerSecretKmsId",
682
+ # secret_policy: "SecretsManagerSecretPolicy",
683
+ # },
684
+ # sqs_queue: {
685
+ # queue_policy: "SqsQueuePolicy",
686
+ # },
687
+ # }
688
+ #
689
+ # @!attribute [rw] iam_role
690
+ # The access control configuration is for an IAM role.
691
+ # @return [Types::IamRoleConfiguration]
692
+ #
693
+ # @!attribute [rw] kms_key
694
+ # The access control configuration is for a KMS key.
695
+ # @return [Types::KmsKeyConfiguration]
696
+ #
697
+ # @!attribute [rw] s3_bucket
698
+ # The access control configuration is for an Amazon S3 Bucket.
699
+ # @return [Types::S3BucketConfiguration]
700
+ #
701
+ # @!attribute [rw] secrets_manager_secret
702
+ # The access control configuration is for a Secrets Manager secret.
703
+ # @return [Types::SecretsManagerSecretConfiguration]
704
+ #
705
+ # @!attribute [rw] sqs_queue
706
+ # The access control configuration is for an SQS queue.
707
+ # @return [Types::SqsQueueConfiguration]
708
+ #
709
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Configuration AWS API Documentation
710
+ #
711
+ class Configuration < Struct.new(
712
+ :iam_role,
713
+ :kms_key,
714
+ :s3_bucket,
715
+ :secrets_manager_secret,
716
+ :sqs_queue)
717
+ SENSITIVE = []
718
+ include Aws::Structure
719
+ end
720
+
721
+ # A conflict exception error.
722
+ #
723
+ # @!attribute [rw] message
724
+ # @return [String]
725
+ #
726
+ # @!attribute [rw] resource_id
727
+ # The ID of the resource.
728
+ # @return [String]
729
+ #
730
+ # @!attribute [rw] resource_type
731
+ # The resource type.
732
+ # @return [String]
733
+ #
734
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ConflictException AWS API Documentation
735
+ #
736
+ class ConflictException < Struct.new(
737
+ :message,
738
+ :resource_id,
739
+ :resource_type)
740
+ SENSITIVE = []
741
+ include Aws::Structure
742
+ end
743
+
744
+ # @note When making an API call, you may pass CreateAccessPreviewRequest
745
+ # data as a hash:
746
+ #
747
+ # {
748
+ # analyzer_arn: "AnalyzerArn", # required
749
+ # client_token: "String",
750
+ # configurations: { # required
751
+ # "ConfigurationsMapKey" => {
752
+ # iam_role: {
753
+ # trust_policy: "IamTrustPolicy",
754
+ # },
755
+ # kms_key: {
756
+ # grants: [
757
+ # {
758
+ # constraints: {
759
+ # encryption_context_equals: {
760
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
761
+ # },
762
+ # encryption_context_subset: {
763
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
764
+ # },
765
+ # },
766
+ # grantee_principal: "GranteePrincipal", # required
767
+ # issuing_account: "IssuingAccount", # required
768
+ # operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
769
+ # retiring_principal: "RetiringPrincipal",
770
+ # },
771
+ # ],
772
+ # key_policies: {
773
+ # "PolicyName" => "KmsKeyPolicy",
774
+ # },
775
+ # },
776
+ # s3_bucket: {
777
+ # access_points: {
778
+ # "AccessPointArn" => {
779
+ # access_point_policy: "AccessPointPolicy",
780
+ # network_origin: {
781
+ # internet_configuration: {
782
+ # },
783
+ # vpc_configuration: {
784
+ # vpc_id: "VpcId", # required
785
+ # },
786
+ # },
787
+ # public_access_block: {
788
+ # ignore_public_acls: false, # required
789
+ # restrict_public_buckets: false, # required
790
+ # },
791
+ # },
792
+ # },
793
+ # bucket_acl_grants: [
794
+ # {
795
+ # grantee: { # required
796
+ # id: "AclCanonicalId",
797
+ # uri: "AclUri",
798
+ # },
799
+ # permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
800
+ # },
801
+ # ],
802
+ # bucket_policy: "S3BucketPolicy",
803
+ # bucket_public_access_block: {
804
+ # ignore_public_acls: false, # required
805
+ # restrict_public_buckets: false, # required
806
+ # },
807
+ # },
808
+ # secrets_manager_secret: {
809
+ # kms_key_id: "SecretsManagerSecretKmsId",
810
+ # secret_policy: "SecretsManagerSecretPolicy",
811
+ # },
812
+ # sqs_queue: {
813
+ # queue_policy: "SqsQueuePolicy",
814
+ # },
815
+ # },
816
+ # },
817
+ # }
818
+ #
819
+ # @!attribute [rw] analyzer_arn
820
+ # The [ARN of the account analyzer][1] used to generate the access
821
+ # preview. You can only create an access preview for analyzers with an
822
+ # `Account` type and `Active` status.
823
+ #
824
+ #
825
+ #
826
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
827
+ # @return [String]
828
+ #
829
+ # @!attribute [rw] client_token
830
+ # A client token.
831
+ #
832
+ # **A suitable default value is auto-generated.** You should normally
833
+ # not need to pass this option.
834
+ # @return [String]
835
+ #
836
+ # @!attribute [rw] configurations
837
+ # Access control configuration for your resource that is used to
838
+ # generate the access preview. The access preview includes findings
839
+ # for external access allowed to the resource with the proposed access
840
+ # control configuration. The configuration must contain exactly one
841
+ # element.
842
+ # @return [Hash<String,Types::Configuration>]
843
+ #
844
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewRequest AWS API Documentation
845
+ #
846
+ class CreateAccessPreviewRequest < Struct.new(
847
+ :analyzer_arn,
848
+ :client_token,
849
+ :configurations)
850
+ SENSITIVE = []
851
+ include Aws::Structure
852
+ end
853
+
854
+ # @!attribute [rw] id
855
+ # The unique ID for the access preview.
856
+ # @return [String]
857
+ #
858
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewResponse AWS API Documentation
859
+ #
860
+ class CreateAccessPreviewResponse < Struct.new(
861
+ :id)
862
+ SENSITIVE = []
863
+ include Aws::Structure
864
+ end
865
+
866
+ # Creates an analyzer.
867
+ #
868
+ # @note When making an API call, you may pass CreateAnalyzerRequest
869
+ # data as a hash:
870
+ #
871
+ # {
872
+ # analyzer_name: "Name", # required
873
+ # archive_rules: [
874
+ # {
875
+ # filter: { # required
876
+ # "String" => {
877
+ # contains: ["String"],
878
+ # eq: ["String"],
879
+ # exists: false,
880
+ # neq: ["String"],
881
+ # },
882
+ # },
883
+ # rule_name: "Name", # required
884
+ # },
885
+ # ],
886
+ # client_token: "String",
887
+ # tags: {
888
+ # "String" => "String",
889
+ # },
890
+ # type: "ACCOUNT", # required, accepts ACCOUNT, ORGANIZATION
891
+ # }
892
+ #
893
+ # @!attribute [rw] analyzer_name
894
+ # The name of the analyzer to create.
895
+ # @return [String]
896
+ #
897
+ # @!attribute [rw] archive_rules
898
+ # Specifies the archive rules to add for the analyzer. Archive rules
899
+ # automatically archive findings that meet the criteria you define for
900
+ # the rule.
901
+ # @return [Array<Types::InlineArchiveRule>]
902
+ #
903
+ # @!attribute [rw] client_token
904
+ # A client token.
905
+ #
906
+ # **A suitable default value is auto-generated.** You should normally
907
+ # not need to pass this option.
908
+ # @return [String]
909
+ #
910
+ # @!attribute [rw] tags
911
+ # The tags to apply to the analyzer.
912
+ # @return [Hash<String,String>]
913
+ #
914
+ # @!attribute [rw] type
915
+ # The type of analyzer to create. Only ACCOUNT and ORGANIZATION
916
+ # analyzers are supported. You can create only one analyzer per
917
+ # account per Region. You can create up to 5 analyzers per
918
+ # organization per Region.
919
+ # @return [String]
920
+ #
921
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerRequest AWS API Documentation
922
+ #
923
+ class CreateAnalyzerRequest < Struct.new(
924
+ :analyzer_name,
925
+ :archive_rules,
926
+ :client_token,
927
+ :tags,
928
+ :type)
929
+ SENSITIVE = []
930
+ include Aws::Structure
931
+ end
932
+
933
+ # The response to the request to create an analyzer.
934
+ #
935
+ # @!attribute [rw] arn
936
+ # The ARN of the analyzer that was created by the request.
937
+ # @return [String]
938
+ #
939
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerResponse AWS API Documentation
940
+ #
941
+ class CreateAnalyzerResponse < Struct.new(
942
+ :arn)
943
+ SENSITIVE = []
944
+ include Aws::Structure
945
+ end
946
+
947
+ # Creates an archive rule.
948
+ #
949
+ # @note When making an API call, you may pass CreateArchiveRuleRequest
950
+ # data as a hash:
951
+ #
952
+ # {
953
+ # analyzer_name: "Name", # required
954
+ # client_token: "String",
955
+ # filter: { # required
956
+ # "String" => {
957
+ # contains: ["String"],
958
+ # eq: ["String"],
959
+ # exists: false,
960
+ # neq: ["String"],
961
+ # },
962
+ # },
963
+ # rule_name: "Name", # required
964
+ # }
965
+ #
966
+ # @!attribute [rw] analyzer_name
967
+ # The name of the created analyzer.
968
+ # @return [String]
373
969
  #
374
970
  # @!attribute [rw] client_token
375
971
  # A client token.
@@ -554,7 +1150,7 @@ module Aws::AccessAnalyzer
554
1150
  # @return [String]
555
1151
  #
556
1152
  # @!attribute [rw] resource_type
557
- # The type of the resource reported in the finding.
1153
+ # The type of the resource identified in the finding.
558
1154
  # @return [String]
559
1155
  #
560
1156
  # @!attribute [rw] sources
@@ -715,6 +1311,118 @@ module Aws::AccessAnalyzer
715
1311
  include Aws::Structure
716
1312
  end
717
1313
 
1314
+ # Contains the text for the generated policy.
1315
+ #
1316
+ # @!attribute [rw] policy
1317
+ # The text to use as the content for the new policy. The policy is
1318
+ # created using the [CreatePolicy][1] action.
1319
+ #
1320
+ #
1321
+ #
1322
+ # [1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html
1323
+ # @return [String]
1324
+ #
1325
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GeneratedPolicy AWS API Documentation
1326
+ #
1327
+ class GeneratedPolicy < Struct.new(
1328
+ :policy)
1329
+ SENSITIVE = []
1330
+ include Aws::Structure
1331
+ end
1332
+
1333
+ # Contains the generated policy details.
1334
+ #
1335
+ # @!attribute [rw] cloud_trail_properties
1336
+ # Lists details about the `Trail` used to generated policy.
1337
+ # @return [Types::CloudTrailProperties]
1338
+ #
1339
+ # @!attribute [rw] is_complete
1340
+ # This value is set to `true` if the generated policy contains all
1341
+ # possible actions for a service that Access Analyzer identified from
1342
+ # the CloudTrail trail that you specified, and `false` otherwise.
1343
+ # @return [Boolean]
1344
+ #
1345
+ # @!attribute [rw] principal_arn
1346
+ # The ARN of the IAM entity (user or role) for which you are
1347
+ # generating a policy.
1348
+ # @return [String]
1349
+ #
1350
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GeneratedPolicyProperties AWS API Documentation
1351
+ #
1352
+ class GeneratedPolicyProperties < Struct.new(
1353
+ :cloud_trail_properties,
1354
+ :is_complete,
1355
+ :principal_arn)
1356
+ SENSITIVE = []
1357
+ include Aws::Structure
1358
+ end
1359
+
1360
+ # Contains the text for the generated policy and its details.
1361
+ #
1362
+ # @!attribute [rw] generated_policies
1363
+ # The text to use as the content for the new policy. The policy is
1364
+ # created using the [CreatePolicy][1] action.
1365
+ #
1366
+ #
1367
+ #
1368
+ # [1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html
1369
+ # @return [Array<Types::GeneratedPolicy>]
1370
+ #
1371
+ # @!attribute [rw] properties
1372
+ # A `GeneratedPolicyProperties` object that contains properties of the
1373
+ # generated policy.
1374
+ # @return [Types::GeneratedPolicyProperties]
1375
+ #
1376
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GeneratedPolicyResult AWS API Documentation
1377
+ #
1378
+ class GeneratedPolicyResult < Struct.new(
1379
+ :generated_policies,
1380
+ :properties)
1381
+ SENSITIVE = []
1382
+ include Aws::Structure
1383
+ end
1384
+
1385
+ # @note When making an API call, you may pass GetAccessPreviewRequest
1386
+ # data as a hash:
1387
+ #
1388
+ # {
1389
+ # access_preview_id: "AccessPreviewId", # required
1390
+ # analyzer_arn: "AnalyzerArn", # required
1391
+ # }
1392
+ #
1393
+ # @!attribute [rw] access_preview_id
1394
+ # The unique ID for the access preview.
1395
+ # @return [String]
1396
+ #
1397
+ # @!attribute [rw] analyzer_arn
1398
+ # The [ARN of the analyzer][1] used to generate the access preview.
1399
+ #
1400
+ #
1401
+ #
1402
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1403
+ # @return [String]
1404
+ #
1405
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAccessPreviewRequest AWS API Documentation
1406
+ #
1407
+ class GetAccessPreviewRequest < Struct.new(
1408
+ :access_preview_id,
1409
+ :analyzer_arn)
1410
+ SENSITIVE = []
1411
+ include Aws::Structure
1412
+ end
1413
+
1414
+ # @!attribute [rw] access_preview
1415
+ # An object that contains information about the access preview.
1416
+ # @return [Types::AccessPreview]
1417
+ #
1418
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAccessPreviewResponse AWS API Documentation
1419
+ #
1420
+ class GetAccessPreviewResponse < Struct.new(
1421
+ :access_preview)
1422
+ SENSITIVE = []
1423
+ include Aws::Structure
1424
+ end
1425
+
718
1426
  # Retrieves an analyzed resource.
719
1427
  #
720
1428
  # @note When making an API call, you may pass GetAnalyzedResourceRequest
@@ -726,7 +1434,11 @@ module Aws::AccessAnalyzer
726
1434
  # }
727
1435
  #
728
1436
  # @!attribute [rw] analyzer_arn
729
- # The ARN of the analyzer to retrieve information from.
1437
+ # The [ARN of the analyzer][1] to retrieve information from.
1438
+ #
1439
+ #
1440
+ #
1441
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
730
1442
  # @return [String]
731
1443
  #
732
1444
  # @!attribute [rw] resource_arn
@@ -745,7 +1457,7 @@ module Aws::AccessAnalyzer
745
1457
  # The response to the request.
746
1458
  #
747
1459
  # @!attribute [rw] resource
748
- # An `AnalyedResource` object that contains information that Access
1460
+ # An `AnalyzedResource` object that contains information that Access
749
1461
  # Analyzer found when it analyzed the resource.
750
1462
  # @return [Types::AnalyzedResource]
751
1463
  #
@@ -845,7 +1557,11 @@ module Aws::AccessAnalyzer
845
1557
  # }
846
1558
  #
847
1559
  # @!attribute [rw] analyzer_arn
848
- # The ARN of the analyzer that generated the finding.
1560
+ # The [ARN of the analyzer][1] that generated the finding.
1561
+ #
1562
+ #
1563
+ #
1564
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
849
1565
  # @return [String]
850
1566
  #
851
1567
  # @!attribute [rw] id
@@ -875,7 +1591,103 @@ module Aws::AccessAnalyzer
875
1591
  include Aws::Structure
876
1592
  end
877
1593
 
878
- # An criterion statement in an archive rule. Each archive rule may have
1594
+ # @note When making an API call, you may pass GetGeneratedPolicyRequest
1595
+ # data as a hash:
1596
+ #
1597
+ # {
1598
+ # include_resource_placeholders: false,
1599
+ # include_service_level_template: false,
1600
+ # job_id: "JobId", # required
1601
+ # }
1602
+ #
1603
+ # @!attribute [rw] include_resource_placeholders
1604
+ # The level of detail that you want to generate. You can specify
1605
+ # whether to generate policies with placeholders for resource ARNs for
1606
+ # actions that support resource level granularity in policies.
1607
+ #
1608
+ # For example, in the resource section of a policy, you can receive a
1609
+ # placeholder such as `"Resource":"arn:aws:s3:::$\{BucketName\}"`
1610
+ # instead of `"*"`.
1611
+ # @return [Boolean]
1612
+ #
1613
+ # @!attribute [rw] include_service_level_template
1614
+ # The level of detail that you want to generate. You can specify
1615
+ # whether to generate service-level policies.
1616
+ #
1617
+ # Access Analyzer uses `iam:servicelastaccessed` to identify services
1618
+ # that have been used recently to create this service-level template.
1619
+ # @return [Boolean]
1620
+ #
1621
+ # @!attribute [rw] job_id
1622
+ # The `JobId` that is returned by the `StartPolicyGeneration`
1623
+ # operation. The `JobId` can be used with `GetGeneratedPolicy` to
1624
+ # retrieve the generated policies or used with
1625
+ # `CancelPolicyGeneration` to cancel the policy generation request.
1626
+ # @return [String]
1627
+ #
1628
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetGeneratedPolicyRequest AWS API Documentation
1629
+ #
1630
+ class GetGeneratedPolicyRequest < Struct.new(
1631
+ :include_resource_placeholders,
1632
+ :include_service_level_template,
1633
+ :job_id)
1634
+ SENSITIVE = []
1635
+ include Aws::Structure
1636
+ end
1637
+
1638
+ # @!attribute [rw] generated_policy_result
1639
+ # A `GeneratedPolicyResult` object that contains the generated
1640
+ # policies and associated details.
1641
+ # @return [Types::GeneratedPolicyResult]
1642
+ #
1643
+ # @!attribute [rw] job_details
1644
+ # A `GeneratedPolicyDetails` object that contains details about the
1645
+ # generated policy.
1646
+ # @return [Types::JobDetails]
1647
+ #
1648
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetGeneratedPolicyResponse AWS API Documentation
1649
+ #
1650
+ class GetGeneratedPolicyResponse < Struct.new(
1651
+ :generated_policy_result,
1652
+ :job_details)
1653
+ SENSITIVE = []
1654
+ include Aws::Structure
1655
+ end
1656
+
1657
+ # The proposed access control configuration for an IAM role. You can
1658
+ # propose a configuration for a new IAM role or an existing IAM role
1659
+ # that you own by specifying the trust policy. If the configuration is
1660
+ # for a new IAM role, you must specify the trust policy. If the
1661
+ # configuration is for an existing IAM role that you own and you do not
1662
+ # propose the trust policy, the access preview uses the existing trust
1663
+ # policy for the role. The proposed trust policy cannot be an empty
1664
+ # string. For more information about role trust policy limits, see [IAM
1665
+ # and STS quotas][1].
1666
+ #
1667
+ #
1668
+ #
1669
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
1670
+ #
1671
+ # @note When making an API call, you may pass IamRoleConfiguration
1672
+ # data as a hash:
1673
+ #
1674
+ # {
1675
+ # trust_policy: "IamTrustPolicy",
1676
+ # }
1677
+ #
1678
+ # @!attribute [rw] trust_policy
1679
+ # The proposed trust policy for the IAM role.
1680
+ # @return [String]
1681
+ #
1682
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/IamRoleConfiguration AWS API Documentation
1683
+ #
1684
+ class IamRoleConfiguration < Struct.new(
1685
+ :trust_policy)
1686
+ SENSITIVE = []
1687
+ include Aws::Structure
1688
+ end
1689
+
1690
+ # An criterion statement in an archive rule. Each archive rule may have
879
1691
  # multiple criteria.
880
1692
  #
881
1693
  # @note When making an API call, you may pass InlineArchiveRule
@@ -928,76 +1740,304 @@ module Aws::AccessAnalyzer
928
1740
  include Aws::Structure
929
1741
  end
930
1742
 
931
- # Retrieves a list of resources that have been analyzed.
1743
+ # This configuration sets the Amazon S3 access point network origin to
1744
+ # `Internet`.
932
1745
  #
933
- # @note When making an API call, you may pass ListAnalyzedResourcesRequest
1746
+ # @api private
1747
+ #
1748
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InternetConfiguration AWS API Documentation
1749
+ #
1750
+ class InternetConfiguration < Aws::EmptyStructure; end
1751
+
1752
+ # Contains details about the policy generation request.
1753
+ #
1754
+ # @!attribute [rw] completed_on
1755
+ # A timestamp of when the job was completed.
1756
+ # @return [Time]
1757
+ #
1758
+ # @!attribute [rw] job_error
1759
+ # Contains the details about the policy generation error.
1760
+ # @return [Types::JobError]
1761
+ #
1762
+ # @!attribute [rw] job_id
1763
+ # The `JobId` that is returned by the `StartPolicyGeneration`
1764
+ # operation. The `JobId` can be used with `GetGeneratedPolicy` to
1765
+ # retrieve the generated policies or used with
1766
+ # `CancelPolicyGeneration` to cancel the policy generation request.
1767
+ # @return [String]
1768
+ #
1769
+ # @!attribute [rw] started_on
1770
+ # A timestamp of when the job was started.
1771
+ # @return [Time]
1772
+ #
1773
+ # @!attribute [rw] status
1774
+ # The status of the job request.
1775
+ # @return [String]
1776
+ #
1777
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/JobDetails AWS API Documentation
1778
+ #
1779
+ class JobDetails < Struct.new(
1780
+ :completed_on,
1781
+ :job_error,
1782
+ :job_id,
1783
+ :started_on,
1784
+ :status)
1785
+ SENSITIVE = []
1786
+ include Aws::Structure
1787
+ end
1788
+
1789
+ # Contains the details about the policy generation error.
1790
+ #
1791
+ # @!attribute [rw] code
1792
+ # The job error code.
1793
+ # @return [String]
1794
+ #
1795
+ # @!attribute [rw] message
1796
+ # Specific information about the error. For example, which service
1797
+ # quota was exceeded or which resource was not found.
1798
+ # @return [String]
1799
+ #
1800
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/JobError AWS API Documentation
1801
+ #
1802
+ class JobError < Struct.new(
1803
+ :code,
1804
+ :message)
1805
+ SENSITIVE = []
1806
+ include Aws::Structure
1807
+ end
1808
+
1809
+ # A proposed grant configuration for a KMS key. For more information,
1810
+ # see [CreateGrant][1].
1811
+ #
1812
+ #
1813
+ #
1814
+ # [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html
1815
+ #
1816
+ # @note When making an API call, you may pass KmsGrantConfiguration
934
1817
  # data as a hash:
935
1818
  #
936
1819
  # {
937
- # analyzer_arn: "AnalyzerArn", # required
938
- # max_results: 1,
939
- # next_token: "Token",
940
- # resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key
1820
+ # constraints: {
1821
+ # encryption_context_equals: {
1822
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1823
+ # },
1824
+ # encryption_context_subset: {
1825
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1826
+ # },
1827
+ # },
1828
+ # grantee_principal: "GranteePrincipal", # required
1829
+ # issuing_account: "IssuingAccount", # required
1830
+ # operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
1831
+ # retiring_principal: "RetiringPrincipal",
941
1832
  # }
942
1833
  #
943
- # @!attribute [rw] analyzer_arn
944
- # The ARN of the analyzer to retrieve a list of analyzed resources
945
- # from.
946
- # @return [String]
1834
+ # @!attribute [rw] constraints
1835
+ # Use this structure to propose allowing [cryptographic operations][1]
1836
+ # in the grant only when the operation request includes the specified
1837
+ # [encryption context][2].
947
1838
  #
948
- # @!attribute [rw] max_results
949
- # The maximum number of results to return in the response.
950
- # @return [Integer]
951
1839
  #
952
- # @!attribute [rw] next_token
953
- # A token used for pagination of results returned.
1840
+ #
1841
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1842
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1843
+ # @return [Types::KmsGrantConstraints]
1844
+ #
1845
+ # @!attribute [rw] grantee_principal
1846
+ # The principal that is given permission to perform the operations
1847
+ # that the grant permits.
954
1848
  # @return [String]
955
1849
  #
956
- # @!attribute [rw] resource_type
957
- # The type of resource.
1850
+ # @!attribute [rw] issuing_account
1851
+ # The AWS account under which the grant was issued. The account is
1852
+ # used to propose KMS grants issued by accounts other than the owner
1853
+ # of the key.
958
1854
  # @return [String]
959
1855
  #
960
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesRequest AWS API Documentation
1856
+ # @!attribute [rw] operations
1857
+ # A list of operations that the grant permits.
1858
+ # @return [Array<String>]
961
1859
  #
962
- class ListAnalyzedResourcesRequest < Struct.new(
963
- :analyzer_arn,
964
- :max_results,
965
- :next_token,
966
- :resource_type)
1860
+ # @!attribute [rw] retiring_principal
1861
+ # The principal that is given permission to retire the grant by using
1862
+ # [RetireGrant][1] operation.
1863
+ #
1864
+ #
1865
+ #
1866
+ # [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html
1867
+ # @return [String]
1868
+ #
1869
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConfiguration AWS API Documentation
1870
+ #
1871
+ class KmsGrantConfiguration < Struct.new(
1872
+ :constraints,
1873
+ :grantee_principal,
1874
+ :issuing_account,
1875
+ :operations,
1876
+ :retiring_principal)
967
1877
  SENSITIVE = []
968
1878
  include Aws::Structure
969
1879
  end
970
1880
 
971
- # The response to the request.
1881
+ # Use this structure to propose allowing [cryptographic operations][1]
1882
+ # in the grant only when the operation request includes the specified
1883
+ # [encryption context][2]. You can specify only one type of encryption
1884
+ # context. An empty map is treated as not specified. For more
1885
+ # information, see [GrantConstraints][3].
972
1886
  #
973
- # @!attribute [rw] analyzed_resources
974
- # A list of resources that were analyzed.
975
- # @return [Array<Types::AnalyzedResourceSummary>]
976
1887
  #
977
- # @!attribute [rw] next_token
978
- # A token used for pagination of results returned.
979
- # @return [String]
980
1888
  #
981
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesResponse AWS API Documentation
1889
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1890
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
1891
+ # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html
982
1892
  #
983
- class ListAnalyzedResourcesResponse < Struct.new(
984
- :analyzed_resources,
985
- :next_token)
1893
+ # @note When making an API call, you may pass KmsGrantConstraints
1894
+ # data as a hash:
1895
+ #
1896
+ # {
1897
+ # encryption_context_equals: {
1898
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1899
+ # },
1900
+ # encryption_context_subset: {
1901
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1902
+ # },
1903
+ # }
1904
+ #
1905
+ # @!attribute [rw] encryption_context_equals
1906
+ # A list of key-value pairs that must match the encryption context in
1907
+ # the [cryptographic operation][1] request. The grant allows the
1908
+ # operation only when the encryption context in the request is the
1909
+ # same as the encryption context specified in this constraint.
1910
+ #
1911
+ #
1912
+ #
1913
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1914
+ # @return [Hash<String,String>]
1915
+ #
1916
+ # @!attribute [rw] encryption_context_subset
1917
+ # A list of key-value pairs that must be included in the encryption
1918
+ # context of the [cryptographic operation][1] request. The grant
1919
+ # allows the cryptographic operation only when the encryption context
1920
+ # in the request includes the key-value pairs specified in this
1921
+ # constraint, although it can include additional key-value pairs.
1922
+ #
1923
+ #
1924
+ #
1925
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
1926
+ # @return [Hash<String,String>]
1927
+ #
1928
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConstraints AWS API Documentation
1929
+ #
1930
+ class KmsGrantConstraints < Struct.new(
1931
+ :encryption_context_equals,
1932
+ :encryption_context_subset)
986
1933
  SENSITIVE = []
987
1934
  include Aws::Structure
988
1935
  end
989
1936
 
990
- # Retrieves a list of analyzers.
1937
+ # Proposed access control configuration for a KMS key. You can propose a
1938
+ # configuration for a new KMS key or an existing KMS key that you own by
1939
+ # specifying the key policy and KMS grant configuration. If the
1940
+ # configuration is for an existing key and you do not specify the key
1941
+ # policy, the access preview uses the existing policy for the key. If
1942
+ # the access preview is for a new resource and you do not specify the
1943
+ # key policy, then the access preview uses the default key policy. The
1944
+ # proposed key policy cannot be an empty string. For more information,
1945
+ # see [Default key policy][1]. For more information about key policy
1946
+ # limits, see [Resource quotas][2].
991
1947
  #
992
- # @note When making an API call, you may pass ListAnalyzersRequest
1948
+ #
1949
+ #
1950
+ #
1951
+ #
1952
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
1953
+ # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
1954
+ #
1955
+ # @note When making an API call, you may pass KmsKeyConfiguration
1956
+ # data as a hash:
1957
+ #
1958
+ # {
1959
+ # grants: [
1960
+ # {
1961
+ # constraints: {
1962
+ # encryption_context_equals: {
1963
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1964
+ # },
1965
+ # encryption_context_subset: {
1966
+ # "KmsConstraintsKey" => "KmsConstraintsValue",
1967
+ # },
1968
+ # },
1969
+ # grantee_principal: "GranteePrincipal", # required
1970
+ # issuing_account: "IssuingAccount", # required
1971
+ # operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
1972
+ # retiring_principal: "RetiringPrincipal",
1973
+ # },
1974
+ # ],
1975
+ # key_policies: {
1976
+ # "PolicyName" => "KmsKeyPolicy",
1977
+ # },
1978
+ # }
1979
+ #
1980
+ # @!attribute [rw] grants
1981
+ # A list of proposed grant configurations for the KMS key. If the
1982
+ # proposed grant configuration is for an existing key, the access
1983
+ # preview uses the proposed list of grant configurations in place of
1984
+ # the existing grants. Otherwise, the access preview uses the existing
1985
+ # grants for the key.
1986
+ # @return [Array<Types::KmsGrantConfiguration>]
1987
+ #
1988
+ # @!attribute [rw] key_policies
1989
+ # Resource policy configuration for the KMS key. The only valid value
1990
+ # for the name of the key policy is `default`. For more information,
1991
+ # see [Default key policy][1].
1992
+ #
1993
+ #
1994
+ #
1995
+ # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
1996
+ # @return [Hash<String,String>]
1997
+ #
1998
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsKeyConfiguration AWS API Documentation
1999
+ #
2000
+ class KmsKeyConfiguration < Struct.new(
2001
+ :grants,
2002
+ :key_policies)
2003
+ SENSITIVE = []
2004
+ include Aws::Structure
2005
+ end
2006
+
2007
+ # @note When making an API call, you may pass ListAccessPreviewFindingsRequest
993
2008
  # data as a hash:
994
2009
  #
995
2010
  # {
2011
+ # access_preview_id: "AccessPreviewId", # required
2012
+ # analyzer_arn: "AnalyzerArn", # required
2013
+ # filter: {
2014
+ # "String" => {
2015
+ # contains: ["String"],
2016
+ # eq: ["String"],
2017
+ # exists: false,
2018
+ # neq: ["String"],
2019
+ # },
2020
+ # },
996
2021
  # max_results: 1,
997
2022
  # next_token: "Token",
998
- # type: "ACCOUNT", # accepts ACCOUNT, ORGANIZATION
999
2023
  # }
1000
2024
  #
2025
+ # @!attribute [rw] access_preview_id
2026
+ # The unique ID for the access preview.
2027
+ # @return [String]
2028
+ #
2029
+ # @!attribute [rw] analyzer_arn
2030
+ # The [ARN of the analyzer][1] used to generate the access.
2031
+ #
2032
+ #
2033
+ #
2034
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
2035
+ # @return [String]
2036
+ #
2037
+ # @!attribute [rw] filter
2038
+ # Criteria to filter the returned findings.
2039
+ # @return [Hash<String,Types::Criterion>]
2040
+ #
1001
2041
  # @!attribute [rw] max_results
1002
2042
  # The maximum number of results to return in the response.
1003
2043
  # @return [Integer]
@@ -1006,220 +2046,893 @@ module Aws::AccessAnalyzer
1006
2046
  # A token used for pagination of results returned.
1007
2047
  # @return [String]
1008
2048
  #
1009
- # @!attribute [rw] type
1010
- # The type of analyzer.
1011
- # @return [String]
1012
- #
1013
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersRequest AWS API Documentation
2049
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsRequest AWS API Documentation
1014
2050
  #
1015
- class ListAnalyzersRequest < Struct.new(
2051
+ class ListAccessPreviewFindingsRequest < Struct.new(
2052
+ :access_preview_id,
2053
+ :analyzer_arn,
2054
+ :filter,
1016
2055
  :max_results,
1017
- :next_token,
1018
- :type)
2056
+ :next_token)
1019
2057
  SENSITIVE = []
1020
2058
  include Aws::Structure
1021
2059
  end
1022
2060
 
1023
- # The response to the request.
1024
- #
1025
- # @!attribute [rw] analyzers
1026
- # The analyzers retrieved.
1027
- # @return [Array<Types::AnalyzerSummary>]
2061
+ # @!attribute [rw] findings
2062
+ # A list of access preview findings that match the specified filter
2063
+ # criteria.
2064
+ # @return [Array<Types::AccessPreviewFinding>]
1028
2065
  #
1029
2066
  # @!attribute [rw] next_token
1030
2067
  # A token used for pagination of results returned.
1031
2068
  # @return [String]
1032
2069
  #
1033
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersResponse AWS API Documentation
2070
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsResponse AWS API Documentation
1034
2071
  #
1035
- class ListAnalyzersResponse < Struct.new(
1036
- :analyzers,
2072
+ class ListAccessPreviewFindingsResponse < Struct.new(
2073
+ :findings,
1037
2074
  :next_token)
1038
2075
  SENSITIVE = []
1039
2076
  include Aws::Structure
1040
2077
  end
1041
2078
 
1042
- # Retrieves a list of archive rules created for the specified analyzer.
1043
- #
1044
- # @note When making an API call, you may pass ListArchiveRulesRequest
2079
+ # @note When making an API call, you may pass ListAccessPreviewsRequest
1045
2080
  # data as a hash:
1046
2081
  #
1047
2082
  # {
1048
- # analyzer_name: "Name", # required
2083
+ # analyzer_arn: "AnalyzerArn", # required
1049
2084
  # max_results: 1,
1050
2085
  # next_token: "Token",
1051
2086
  # }
1052
2087
  #
1053
- # @!attribute [rw] analyzer_name
1054
- # The name of the analyzer to retrieve rules from.
2088
+ # @!attribute [rw] analyzer_arn
2089
+ # The [ARN of the analyzer][1] used to generate the access preview.
2090
+ #
2091
+ #
2092
+ #
2093
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1055
2094
  # @return [String]
1056
2095
  #
1057
2096
  # @!attribute [rw] max_results
1058
- # The maximum number of results to return in the request.
2097
+ # The maximum number of results to return in the response.
1059
2098
  # @return [Integer]
1060
2099
  #
1061
2100
  # @!attribute [rw] next_token
1062
2101
  # A token used for pagination of results returned.
1063
2102
  # @return [String]
1064
2103
  #
1065
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesRequest AWS API Documentation
2104
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsRequest AWS API Documentation
1066
2105
  #
1067
- class ListArchiveRulesRequest < Struct.new(
1068
- :analyzer_name,
2106
+ class ListAccessPreviewsRequest < Struct.new(
2107
+ :analyzer_arn,
1069
2108
  :max_results,
1070
2109
  :next_token)
1071
2110
  SENSITIVE = []
1072
2111
  include Aws::Structure
1073
2112
  end
1074
2113
 
1075
- # The response to the request.
1076
- #
1077
- # @!attribute [rw] archive_rules
1078
- # A list of archive rules created for the specified analyzer.
1079
- # @return [Array<Types::ArchiveRuleSummary>]
2114
+ # @!attribute [rw] access_previews
2115
+ # A list of access previews retrieved for the analyzer.
2116
+ # @return [Array<Types::AccessPreviewSummary>]
1080
2117
  #
1081
2118
  # @!attribute [rw] next_token
1082
2119
  # A token used for pagination of results returned.
1083
2120
  # @return [String]
1084
2121
  #
1085
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesResponse AWS API Documentation
2122
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsResponse AWS API Documentation
1086
2123
  #
1087
- class ListArchiveRulesResponse < Struct.new(
1088
- :archive_rules,
2124
+ class ListAccessPreviewsResponse < Struct.new(
2125
+ :access_previews,
1089
2126
  :next_token)
1090
2127
  SENSITIVE = []
1091
2128
  include Aws::Structure
1092
2129
  end
1093
2130
 
1094
- # Retrieves a list of findings generated by the specified analyzer.
2131
+ # Retrieves a list of resources that have been analyzed.
1095
2132
  #
1096
- # @note When making an API call, you may pass ListFindingsRequest
2133
+ # @note When making an API call, you may pass ListAnalyzedResourcesRequest
1097
2134
  # data as a hash:
1098
2135
  #
1099
2136
  # {
1100
2137
  # analyzer_arn: "AnalyzerArn", # required
1101
- # filter: {
1102
- # "String" => {
1103
- # contains: ["String"],
1104
- # eq: ["String"],
1105
- # exists: false,
1106
- # neq: ["String"],
1107
- # },
1108
- # },
1109
2138
  # max_results: 1,
1110
2139
  # next_token: "Token",
1111
- # sort: {
1112
- # attribute_name: "String",
1113
- # order_by: "ASC", # accepts ASC, DESC
2140
+ # resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key, AWS::SecretsManager::Secret
2141
+ # }
2142
+ #
2143
+ # @!attribute [rw] analyzer_arn
2144
+ # The [ARN of the analyzer][1] to retrieve a list of analyzed
2145
+ # resources from.
2146
+ #
2147
+ #
2148
+ #
2149
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
2150
+ # @return [String]
2151
+ #
2152
+ # @!attribute [rw] max_results
2153
+ # The maximum number of results to return in the response.
2154
+ # @return [Integer]
2155
+ #
2156
+ # @!attribute [rw] next_token
2157
+ # A token used for pagination of results returned.
2158
+ # @return [String]
2159
+ #
2160
+ # @!attribute [rw] resource_type
2161
+ # The type of resource.
2162
+ # @return [String]
2163
+ #
2164
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesRequest AWS API Documentation
2165
+ #
2166
+ class ListAnalyzedResourcesRequest < Struct.new(
2167
+ :analyzer_arn,
2168
+ :max_results,
2169
+ :next_token,
2170
+ :resource_type)
2171
+ SENSITIVE = []
2172
+ include Aws::Structure
2173
+ end
2174
+
2175
+ # The response to the request.
2176
+ #
2177
+ # @!attribute [rw] analyzed_resources
2178
+ # A list of resources that were analyzed.
2179
+ # @return [Array<Types::AnalyzedResourceSummary>]
2180
+ #
2181
+ # @!attribute [rw] next_token
2182
+ # A token used for pagination of results returned.
2183
+ # @return [String]
2184
+ #
2185
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesResponse AWS API Documentation
2186
+ #
2187
+ class ListAnalyzedResourcesResponse < Struct.new(
2188
+ :analyzed_resources,
2189
+ :next_token)
2190
+ SENSITIVE = []
2191
+ include Aws::Structure
2192
+ end
2193
+
2194
+ # Retrieves a list of analyzers.
2195
+ #
2196
+ # @note When making an API call, you may pass ListAnalyzersRequest
2197
+ # data as a hash:
2198
+ #
2199
+ # {
2200
+ # max_results: 1,
2201
+ # next_token: "Token",
2202
+ # type: "ACCOUNT", # accepts ACCOUNT, ORGANIZATION
2203
+ # }
2204
+ #
2205
+ # @!attribute [rw] max_results
2206
+ # The maximum number of results to return in the response.
2207
+ # @return [Integer]
2208
+ #
2209
+ # @!attribute [rw] next_token
2210
+ # A token used for pagination of results returned.
2211
+ # @return [String]
2212
+ #
2213
+ # @!attribute [rw] type
2214
+ # The type of analyzer.
2215
+ # @return [String]
2216
+ #
2217
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersRequest AWS API Documentation
2218
+ #
2219
+ class ListAnalyzersRequest < Struct.new(
2220
+ :max_results,
2221
+ :next_token,
2222
+ :type)
2223
+ SENSITIVE = []
2224
+ include Aws::Structure
2225
+ end
2226
+
2227
+ # The response to the request.
2228
+ #
2229
+ # @!attribute [rw] analyzers
2230
+ # The analyzers retrieved.
2231
+ # @return [Array<Types::AnalyzerSummary>]
2232
+ #
2233
+ # @!attribute [rw] next_token
2234
+ # A token used for pagination of results returned.
2235
+ # @return [String]
2236
+ #
2237
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersResponse AWS API Documentation
2238
+ #
2239
+ class ListAnalyzersResponse < Struct.new(
2240
+ :analyzers,
2241
+ :next_token)
2242
+ SENSITIVE = []
2243
+ include Aws::Structure
2244
+ end
2245
+
2246
+ # Retrieves a list of archive rules created for the specified analyzer.
2247
+ #
2248
+ # @note When making an API call, you may pass ListArchiveRulesRequest
2249
+ # data as a hash:
2250
+ #
2251
+ # {
2252
+ # analyzer_name: "Name", # required
2253
+ # max_results: 1,
2254
+ # next_token: "Token",
2255
+ # }
2256
+ #
2257
+ # @!attribute [rw] analyzer_name
2258
+ # The name of the analyzer to retrieve rules from.
2259
+ # @return [String]
2260
+ #
2261
+ # @!attribute [rw] max_results
2262
+ # The maximum number of results to return in the request.
2263
+ # @return [Integer]
2264
+ #
2265
+ # @!attribute [rw] next_token
2266
+ # A token used for pagination of results returned.
2267
+ # @return [String]
2268
+ #
2269
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesRequest AWS API Documentation
2270
+ #
2271
+ class ListArchiveRulesRequest < Struct.new(
2272
+ :analyzer_name,
2273
+ :max_results,
2274
+ :next_token)
2275
+ SENSITIVE = []
2276
+ include Aws::Structure
2277
+ end
2278
+
2279
+ # The response to the request.
2280
+ #
2281
+ # @!attribute [rw] archive_rules
2282
+ # A list of archive rules created for the specified analyzer.
2283
+ # @return [Array<Types::ArchiveRuleSummary>]
2284
+ #
2285
+ # @!attribute [rw] next_token
2286
+ # A token used for pagination of results returned.
2287
+ # @return [String]
2288
+ #
2289
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesResponse AWS API Documentation
2290
+ #
2291
+ class ListArchiveRulesResponse < Struct.new(
2292
+ :archive_rules,
2293
+ :next_token)
2294
+ SENSITIVE = []
2295
+ include Aws::Structure
2296
+ end
2297
+
2298
+ # Retrieves a list of findings generated by the specified analyzer.
2299
+ #
2300
+ # @note When making an API call, you may pass ListFindingsRequest
2301
+ # data as a hash:
2302
+ #
2303
+ # {
2304
+ # analyzer_arn: "AnalyzerArn", # required
2305
+ # filter: {
2306
+ # "String" => {
2307
+ # contains: ["String"],
2308
+ # eq: ["String"],
2309
+ # exists: false,
2310
+ # neq: ["String"],
2311
+ # },
2312
+ # },
2313
+ # max_results: 1,
2314
+ # next_token: "Token",
2315
+ # sort: {
2316
+ # attribute_name: "String",
2317
+ # order_by: "ASC", # accepts ASC, DESC
2318
+ # },
2319
+ # }
2320
+ #
2321
+ # @!attribute [rw] analyzer_arn
2322
+ # The [ARN of the analyzer][1] to retrieve findings from.
2323
+ #
2324
+ #
2325
+ #
2326
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
2327
+ # @return [String]
2328
+ #
2329
+ # @!attribute [rw] filter
2330
+ # A filter to match for the findings to return.
2331
+ # @return [Hash<String,Types::Criterion>]
2332
+ #
2333
+ # @!attribute [rw] max_results
2334
+ # The maximum number of results to return in the response.
2335
+ # @return [Integer]
2336
+ #
2337
+ # @!attribute [rw] next_token
2338
+ # A token used for pagination of results returned.
2339
+ # @return [String]
2340
+ #
2341
+ # @!attribute [rw] sort
2342
+ # The sort order for the findings returned.
2343
+ # @return [Types::SortCriteria]
2344
+ #
2345
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsRequest AWS API Documentation
2346
+ #
2347
+ class ListFindingsRequest < Struct.new(
2348
+ :analyzer_arn,
2349
+ :filter,
2350
+ :max_results,
2351
+ :next_token,
2352
+ :sort)
2353
+ SENSITIVE = []
2354
+ include Aws::Structure
2355
+ end
2356
+
2357
+ # The response to the request.
2358
+ #
2359
+ # @!attribute [rw] findings
2360
+ # A list of findings retrieved from the analyzer that match the filter
2361
+ # criteria specified, if any.
2362
+ # @return [Array<Types::FindingSummary>]
2363
+ #
2364
+ # @!attribute [rw] next_token
2365
+ # A token used for pagination of results returned.
2366
+ # @return [String]
2367
+ #
2368
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsResponse AWS API Documentation
2369
+ #
2370
+ class ListFindingsResponse < Struct.new(
2371
+ :findings,
2372
+ :next_token)
2373
+ SENSITIVE = []
2374
+ include Aws::Structure
2375
+ end
2376
+
2377
+ # @note When making an API call, you may pass ListPolicyGenerationsRequest
2378
+ # data as a hash:
2379
+ #
2380
+ # {
2381
+ # max_results: 1,
2382
+ # next_token: "Token",
2383
+ # principal_arn: "PrincipalArn",
2384
+ # }
2385
+ #
2386
+ # @!attribute [rw] max_results
2387
+ # The maximum number of results to return in the response.
2388
+ # @return [Integer]
2389
+ #
2390
+ # @!attribute [rw] next_token
2391
+ # A token used for pagination of results returned.
2392
+ # @return [String]
2393
+ #
2394
+ # @!attribute [rw] principal_arn
2395
+ # The ARN of the IAM entity (user or role) for which you are
2396
+ # generating a policy. Use this with `ListGeneratedPolicies` to filter
2397
+ # the results to only include results for a specific principal.
2398
+ # @return [String]
2399
+ #
2400
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListPolicyGenerationsRequest AWS API Documentation
2401
+ #
2402
+ class ListPolicyGenerationsRequest < Struct.new(
2403
+ :max_results,
2404
+ :next_token,
2405
+ :principal_arn)
2406
+ SENSITIVE = []
2407
+ include Aws::Structure
2408
+ end
2409
+
2410
+ # @!attribute [rw] next_token
2411
+ # A token used for pagination of results returned.
2412
+ # @return [String]
2413
+ #
2414
+ # @!attribute [rw] policy_generations
2415
+ # A `PolicyGeneration` object that contains details about the
2416
+ # generated policy.
2417
+ # @return [Array<Types::PolicyGeneration>]
2418
+ #
2419
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListPolicyGenerationsResponse AWS API Documentation
2420
+ #
2421
+ class ListPolicyGenerationsResponse < Struct.new(
2422
+ :next_token,
2423
+ :policy_generations)
2424
+ SENSITIVE = []
2425
+ include Aws::Structure
2426
+ end
2427
+
2428
+ # Retrieves a list of tags applied to the specified resource.
2429
+ #
2430
+ # @note When making an API call, you may pass ListTagsForResourceRequest
2431
+ # data as a hash:
2432
+ #
2433
+ # {
2434
+ # resource_arn: "String", # required
2435
+ # }
2436
+ #
2437
+ # @!attribute [rw] resource_arn
2438
+ # The ARN of the resource to retrieve tags from.
2439
+ # @return [String]
2440
+ #
2441
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListTagsForResourceRequest AWS API Documentation
2442
+ #
2443
+ class ListTagsForResourceRequest < Struct.new(
2444
+ :resource_arn)
2445
+ SENSITIVE = []
2446
+ include Aws::Structure
2447
+ end
2448
+
2449
+ # The response to the request.
2450
+ #
2451
+ # @!attribute [rw] tags
2452
+ # The tags that are applied to the specified resource.
2453
+ # @return [Hash<String,String>]
2454
+ #
2455
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListTagsForResourceResponse AWS API Documentation
2456
+ #
2457
+ class ListTagsForResourceResponse < Struct.new(
2458
+ :tags)
2459
+ SENSITIVE = []
2460
+ include Aws::Structure
2461
+ end
2462
+
2463
+ # A location in a policy that is represented as a path through the JSON
2464
+ # representation and a corresponding span.
2465
+ #
2466
+ # @!attribute [rw] path
2467
+ # A path in a policy, represented as a sequence of path elements.
2468
+ # @return [Array<Types::PathElement>]
2469
+ #
2470
+ # @!attribute [rw] span
2471
+ # A span in a policy.
2472
+ # @return [Types::Span]
2473
+ #
2474
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Location AWS API Documentation
2475
+ #
2476
+ class Location < Struct.new(
2477
+ :path,
2478
+ :span)
2479
+ SENSITIVE = []
2480
+ include Aws::Structure
2481
+ end
2482
+
2483
+ # The proposed `InternetConfiguration` or `VpcConfiguration` to apply to
2484
+ # the Amazon S3 Access point. You can make the access point accessible
2485
+ # from the internet, or you can specify that all requests made through
2486
+ # that access point must originate from a specific virtual private cloud
2487
+ # (VPC). You can specify only one type of network configuration. For
2488
+ # more information, see [Creating access points][1].
2489
+ #
2490
+ #
2491
+ #
2492
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
2493
+ #
2494
+ # @note When making an API call, you may pass NetworkOriginConfiguration
2495
+ # data as a hash:
2496
+ #
2497
+ # {
2498
+ # internet_configuration: {
2499
+ # },
2500
+ # vpc_configuration: {
2501
+ # vpc_id: "VpcId", # required
2502
+ # },
2503
+ # }
2504
+ #
2505
+ # @!attribute [rw] internet_configuration
2506
+ # The configuration for the Amazon S3 access point with an `Internet`
2507
+ # origin.
2508
+ # @return [Types::InternetConfiguration]
2509
+ #
2510
+ # @!attribute [rw] vpc_configuration
2511
+ # The proposed virtual private cloud (VPC) configuration for the
2512
+ # Amazon S3 access point. For more information, see
2513
+ # [VpcConfiguration][1].
2514
+ #
2515
+ #
2516
+ #
2517
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
2518
+ # @return [Types::VpcConfiguration]
2519
+ #
2520
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/NetworkOriginConfiguration AWS API Documentation
2521
+ #
2522
+ class NetworkOriginConfiguration < Struct.new(
2523
+ :internet_configuration,
2524
+ :vpc_configuration)
2525
+ SENSITIVE = []
2526
+ include Aws::Structure
2527
+ end
2528
+
2529
+ # A single element in a path through the JSON representation of a
2530
+ # policy.
2531
+ #
2532
+ # @!attribute [rw] index
2533
+ # Refers to an index in a JSON array.
2534
+ # @return [Integer]
2535
+ #
2536
+ # @!attribute [rw] key
2537
+ # Refers to a key in a JSON object.
2538
+ # @return [String]
2539
+ #
2540
+ # @!attribute [rw] substring
2541
+ # Refers to a substring of a literal string in a JSON object.
2542
+ # @return [Types::Substring]
2543
+ #
2544
+ # @!attribute [rw] value
2545
+ # Refers to the value associated with a given key in a JSON object.
2546
+ # @return [String]
2547
+ #
2548
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PathElement AWS API Documentation
2549
+ #
2550
+ class PathElement < Struct.new(
2551
+ :index,
2552
+ :key,
2553
+ :substring,
2554
+ :value)
2555
+ SENSITIVE = []
2556
+ include Aws::Structure
2557
+ end
2558
+
2559
+ # Contains details about the policy generation status and properties.
2560
+ #
2561
+ # @!attribute [rw] completed_on
2562
+ # A timestamp of when the policy generation was completed.
2563
+ # @return [Time]
2564
+ #
2565
+ # @!attribute [rw] job_id
2566
+ # The `JobId` that is returned by the `StartPolicyGeneration`
2567
+ # operation. The `JobId` can be used with `GetGeneratedPolicy` to
2568
+ # retrieve the generated policies or used with
2569
+ # `CancelPolicyGeneration` to cancel the policy generation request.
2570
+ # @return [String]
2571
+ #
2572
+ # @!attribute [rw] principal_arn
2573
+ # The ARN of the IAM entity (user or role) for which you are
2574
+ # generating a policy.
2575
+ # @return [String]
2576
+ #
2577
+ # @!attribute [rw] started_on
2578
+ # A timestamp of when the policy generation started.
2579
+ # @return [Time]
2580
+ #
2581
+ # @!attribute [rw] status
2582
+ # The status of the policy generation request.
2583
+ # @return [String]
2584
+ #
2585
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PolicyGeneration AWS API Documentation
2586
+ #
2587
+ class PolicyGeneration < Struct.new(
2588
+ :completed_on,
2589
+ :job_id,
2590
+ :principal_arn,
2591
+ :started_on,
2592
+ :status)
2593
+ SENSITIVE = []
2594
+ include Aws::Structure
2595
+ end
2596
+
2597
+ # Contains the ARN details about the IAM entity for which the policy is
2598
+ # generated.
2599
+ #
2600
+ # @note When making an API call, you may pass PolicyGenerationDetails
2601
+ # data as a hash:
2602
+ #
2603
+ # {
2604
+ # principal_arn: "PrincipalArn", # required
2605
+ # }
2606
+ #
2607
+ # @!attribute [rw] principal_arn
2608
+ # The ARN of the IAM entity (user or role) for which you are
2609
+ # generating a policy.
2610
+ # @return [String]
2611
+ #
2612
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PolicyGenerationDetails AWS API Documentation
2613
+ #
2614
+ class PolicyGenerationDetails < Struct.new(
2615
+ :principal_arn)
2616
+ SENSITIVE = []
2617
+ include Aws::Structure
2618
+ end
2619
+
2620
+ # A position in a policy.
2621
+ #
2622
+ # @!attribute [rw] column
2623
+ # The column of the position, starting from 0.
2624
+ # @return [Integer]
2625
+ #
2626
+ # @!attribute [rw] line
2627
+ # The line of the position, starting from 1.
2628
+ # @return [Integer]
2629
+ #
2630
+ # @!attribute [rw] offset
2631
+ # The offset within the policy that corresponds to the position,
2632
+ # starting from 0.
2633
+ # @return [Integer]
2634
+ #
2635
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Position AWS API Documentation
2636
+ #
2637
+ class Position < Struct.new(
2638
+ :column,
2639
+ :line,
2640
+ :offset)
2641
+ SENSITIVE = []
2642
+ include Aws::Structure
2643
+ end
2644
+
2645
+ # The specified resource could not be found.
2646
+ #
2647
+ # @!attribute [rw] message
2648
+ # @return [String]
2649
+ #
2650
+ # @!attribute [rw] resource_id
2651
+ # The ID of the resource.
2652
+ # @return [String]
2653
+ #
2654
+ # @!attribute [rw] resource_type
2655
+ # The type of the resource.
2656
+ # @return [String]
2657
+ #
2658
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ResourceNotFoundException AWS API Documentation
2659
+ #
2660
+ class ResourceNotFoundException < Struct.new(
2661
+ :message,
2662
+ :resource_id,
2663
+ :resource_type)
2664
+ SENSITIVE = []
2665
+ include Aws::Structure
2666
+ end
2667
+
2668
+ # The configuration for an Amazon S3 access point for the bucket. You
2669
+ # can propose up to 10 access points per bucket. If the proposed Amazon
2670
+ # S3 access point configuration is for an existing bucket, the access
2671
+ # preview uses the proposed access point configuration in place of the
2672
+ # existing access points. To propose an access point without a policy,
2673
+ # you can provide an empty string as the access point policy. For more
2674
+ # information, see [Creating access points][1]. For more information
2675
+ # about access point policy limits, see [Access points restrictions and
2676
+ # limitations][2].
2677
+ #
2678
+ #
2679
+ #
2680
+ # [1]: https://docs.aws.amazon.com/https:/docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
2681
+ # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points-restrictions-limitations.html
2682
+ #
2683
+ # @note When making an API call, you may pass S3AccessPointConfiguration
2684
+ # data as a hash:
2685
+ #
2686
+ # {
2687
+ # access_point_policy: "AccessPointPolicy",
2688
+ # network_origin: {
2689
+ # internet_configuration: {
2690
+ # },
2691
+ # vpc_configuration: {
2692
+ # vpc_id: "VpcId", # required
2693
+ # },
2694
+ # },
2695
+ # public_access_block: {
2696
+ # ignore_public_acls: false, # required
2697
+ # restrict_public_buckets: false, # required
2698
+ # },
2699
+ # }
2700
+ #
2701
+ # @!attribute [rw] access_point_policy
2702
+ # The access point policy.
2703
+ # @return [String]
2704
+ #
2705
+ # @!attribute [rw] network_origin
2706
+ # The proposed `Internet` and `VpcConfiguration` to apply to this
2707
+ # Amazon S3 access point. If the access preview is for a new resource
2708
+ # and neither is specified, the access preview uses `Internet` for the
2709
+ # network origin. If the access preview is for an existing resource
2710
+ # and neither is specified, the access preview uses the exiting
2711
+ # network origin.
2712
+ # @return [Types::NetworkOriginConfiguration]
2713
+ #
2714
+ # @!attribute [rw] public_access_block
2715
+ # The proposed `S3PublicAccessBlock` configuration to apply to this
2716
+ # Amazon S3 Access Point.
2717
+ # @return [Types::S3PublicAccessBlockConfiguration]
2718
+ #
2719
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3AccessPointConfiguration AWS API Documentation
2720
+ #
2721
+ class S3AccessPointConfiguration < Struct.new(
2722
+ :access_point_policy,
2723
+ :network_origin,
2724
+ :public_access_block)
2725
+ SENSITIVE = []
2726
+ include Aws::Structure
2727
+ end
2728
+
2729
+ # A proposed access control list grant configuration for an Amazon S3
2730
+ # bucket. For more information, see [How to Specify an ACL][1].
2731
+ #
2732
+ #
2733
+ #
2734
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#setting-acls
2735
+ #
2736
+ # @note When making an API call, you may pass S3BucketAclGrantConfiguration
2737
+ # data as a hash:
2738
+ #
2739
+ # {
2740
+ # grantee: { # required
2741
+ # id: "AclCanonicalId",
2742
+ # uri: "AclUri",
2743
+ # },
2744
+ # permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
2745
+ # }
2746
+ #
2747
+ # @!attribute [rw] grantee
2748
+ # The grantee to whom you’re assigning access rights.
2749
+ # @return [Types::AclGrantee]
2750
+ #
2751
+ # @!attribute [rw] permission
2752
+ # The permissions being granted.
2753
+ # @return [String]
2754
+ #
2755
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketAclGrantConfiguration AWS API Documentation
2756
+ #
2757
+ class S3BucketAclGrantConfiguration < Struct.new(
2758
+ :grantee,
2759
+ :permission)
2760
+ SENSITIVE = []
2761
+ include Aws::Structure
2762
+ end
2763
+
2764
+ # Proposed access control configuration for an Amazon S3 bucket. You can
2765
+ # propose a configuration for a new Amazon S3 bucket or an existing
2766
+ # Amazon S3 bucket that you own by specifying the Amazon S3 bucket
2767
+ # policy, bucket ACLs, bucket BPA settings, and Amazon S3 access points
2768
+ # attached to the bucket. If the configuration is for an existing Amazon
2769
+ # S3 bucket and you do not specify the Amazon S3 bucket policy, the
2770
+ # access preview uses the existing policy attached to the bucket. If the
2771
+ # access preview is for a new resource and you do not specify the Amazon
2772
+ # S3 bucket policy, the access preview assumes a bucket without a
2773
+ # policy. To propose deletion of an existing bucket policy, you can
2774
+ # specify an empty string. For more information about bucket policy
2775
+ # limits, see [Bucket Policy Examples][1].
2776
+ #
2777
+ #
2778
+ #
2779
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
2780
+ #
2781
+ # @note When making an API call, you may pass S3BucketConfiguration
2782
+ # data as a hash:
2783
+ #
2784
+ # {
2785
+ # access_points: {
2786
+ # "AccessPointArn" => {
2787
+ # access_point_policy: "AccessPointPolicy",
2788
+ # network_origin: {
2789
+ # internet_configuration: {
2790
+ # },
2791
+ # vpc_configuration: {
2792
+ # vpc_id: "VpcId", # required
2793
+ # },
2794
+ # },
2795
+ # public_access_block: {
2796
+ # ignore_public_acls: false, # required
2797
+ # restrict_public_buckets: false, # required
2798
+ # },
2799
+ # },
2800
+ # },
2801
+ # bucket_acl_grants: [
2802
+ # {
2803
+ # grantee: { # required
2804
+ # id: "AclCanonicalId",
2805
+ # uri: "AclUri",
2806
+ # },
2807
+ # permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
2808
+ # },
2809
+ # ],
2810
+ # bucket_policy: "S3BucketPolicy",
2811
+ # bucket_public_access_block: {
2812
+ # ignore_public_acls: false, # required
2813
+ # restrict_public_buckets: false, # required
1114
2814
  # },
1115
2815
  # }
1116
2816
  #
1117
- # @!attribute [rw] analyzer_arn
1118
- # The ARN of the analyzer to retrieve findings from.
1119
- # @return [String]
1120
- #
1121
- # @!attribute [rw] filter
1122
- # A filter to match for the findings to return.
1123
- # @return [Hash<String,Types::Criterion>]
2817
+ # @!attribute [rw] access_points
2818
+ # The configuration of Amazon S3 access points for the bucket.
2819
+ # @return [Hash<String,Types::S3AccessPointConfiguration>]
1124
2820
  #
1125
- # @!attribute [rw] max_results
1126
- # The maximum number of results to return in the response.
1127
- # @return [Integer]
2821
+ # @!attribute [rw] bucket_acl_grants
2822
+ # The proposed list of ACL grants for the Amazon S3 bucket. You can
2823
+ # propose up to 100 ACL grants per bucket. If the proposed grant
2824
+ # configuration is for an existing bucket, the access preview uses the
2825
+ # proposed list of grant configurations in place of the existing
2826
+ # grants. Otherwise, the access preview uses the existing grants for
2827
+ # the bucket.
2828
+ # @return [Array<Types::S3BucketAclGrantConfiguration>]
1128
2829
  #
1129
- # @!attribute [rw] next_token
1130
- # A token used for pagination of results returned.
2830
+ # @!attribute [rw] bucket_policy
2831
+ # The proposed bucket policy for the Amazon S3 bucket.
1131
2832
  # @return [String]
1132
2833
  #
1133
- # @!attribute [rw] sort
1134
- # The sort order for the findings returned.
1135
- # @return [Types::SortCriteria]
2834
+ # @!attribute [rw] bucket_public_access_block
2835
+ # The proposed block public access configuration for the Amazon S3
2836
+ # bucket.
2837
+ # @return [Types::S3PublicAccessBlockConfiguration]
1136
2838
  #
1137
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsRequest AWS API Documentation
2839
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketConfiguration AWS API Documentation
1138
2840
  #
1139
- class ListFindingsRequest < Struct.new(
1140
- :analyzer_arn,
1141
- :filter,
1142
- :max_results,
1143
- :next_token,
1144
- :sort)
2841
+ class S3BucketConfiguration < Struct.new(
2842
+ :access_points,
2843
+ :bucket_acl_grants,
2844
+ :bucket_policy,
2845
+ :bucket_public_access_block)
1145
2846
  SENSITIVE = []
1146
2847
  include Aws::Structure
1147
2848
  end
1148
2849
 
1149
- # The response to the request.
1150
- #
1151
- # @!attribute [rw] findings
1152
- # A list of findings retrieved from the analyzer that match the filter
1153
- # criteria specified, if any.
1154
- # @return [Array<Types::FindingSummary>]
2850
+ # The `PublicAccessBlock` configuration to apply to this Amazon S3
2851
+ # bucket. If the proposed configuration is for an existing Amazon S3
2852
+ # bucket and the configuration is not specified, the access preview uses
2853
+ # the existing setting. If the proposed configuration is for a new
2854
+ # bucket and the configuration is not specified, the access preview uses
2855
+ # `false`. If the proposed configuration is for a new access point and
2856
+ # the access point BPA configuration is not specified, the access
2857
+ # preview uses `true`. For more information, see
2858
+ # [PublicAccessBlockConfiguration][1].
1155
2859
  #
1156
- # @!attribute [rw] next_token
1157
- # A token used for pagination of results returned.
1158
- # @return [String]
1159
2860
  #
1160
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsResponse AWS API Documentation
1161
2861
  #
1162
- class ListFindingsResponse < Struct.new(
1163
- :findings,
1164
- :next_token)
1165
- SENSITIVE = []
1166
- include Aws::Structure
1167
- end
1168
-
1169
- # Retrieves a list of tags applied to the specified resource.
2862
+ # [1]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html
1170
2863
  #
1171
- # @note When making an API call, you may pass ListTagsForResourceRequest
2864
+ # @note When making an API call, you may pass S3PublicAccessBlockConfiguration
1172
2865
  # data as a hash:
1173
2866
  #
1174
2867
  # {
1175
- # resource_arn: "String", # required
2868
+ # ignore_public_acls: false, # required
2869
+ # restrict_public_buckets: false, # required
1176
2870
  # }
1177
2871
  #
1178
- # @!attribute [rw] resource_arn
1179
- # The ARN of the resource to retrieve tags from.
1180
- # @return [String]
2872
+ # @!attribute [rw] ignore_public_acls
2873
+ # Specifies whether Amazon S3 should ignore public ACLs for this
2874
+ # bucket and objects in this bucket.
2875
+ # @return [Boolean]
1181
2876
  #
1182
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListTagsForResourceRequest AWS API Documentation
2877
+ # @!attribute [rw] restrict_public_buckets
2878
+ # Specifies whether Amazon S3 should restrict public bucket policies
2879
+ # for this bucket.
2880
+ # @return [Boolean]
1183
2881
  #
1184
- class ListTagsForResourceRequest < Struct.new(
1185
- :resource_arn)
2882
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3PublicAccessBlockConfiguration AWS API Documentation
2883
+ #
2884
+ class S3PublicAccessBlockConfiguration < Struct.new(
2885
+ :ignore_public_acls,
2886
+ :restrict_public_buckets)
1186
2887
  SENSITIVE = []
1187
2888
  include Aws::Structure
1188
2889
  end
1189
2890
 
1190
- # The response to the request.
2891
+ # The configuration for a Secrets Manager secret. For more information,
2892
+ # see [CreateSecret][1].
1191
2893
  #
1192
- # @!attribute [rw] tags
1193
- # The tags that are applied to the specified resource.
1194
- # @return [Hash<String,String>]
2894
+ # You can propose a configuration for a new secret or an existing secret
2895
+ # that you own by specifying the secret policy and optional KMS
2896
+ # encryption key. If the configuration is for an existing secret and you
2897
+ # do not specify the secret policy, the access preview uses the existing
2898
+ # policy for the secret. If the access preview is for a new resource and
2899
+ # you do not specify the policy, the access preview assumes a secret
2900
+ # without a policy. To propose deletion of an existing policy, you can
2901
+ # specify an empty string. If the proposed configuration is for a new
2902
+ # secret and you do not specify the KMS key ID, the access preview uses
2903
+ # the default CMK of the AWS account. If you specify an empty string for
2904
+ # the KMS key ID, the access preview uses the default CMK of the AWS
2905
+ # account. For more information about secret policy limits, see [Quotas
2906
+ # for AWS Secrets Manager.][2].
1195
2907
  #
1196
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListTagsForResourceResponse AWS API Documentation
1197
2908
  #
1198
- class ListTagsForResourceResponse < Struct.new(
1199
- :tags)
1200
- SENSITIVE = []
1201
- include Aws::Structure
1202
- end
1203
-
1204
- # The specified resource could not be found.
1205
2909
  #
1206
- # @!attribute [rw] message
1207
- # @return [String]
2910
+ # [1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html
2911
+ # [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html
1208
2912
  #
1209
- # @!attribute [rw] resource_id
1210
- # The ID of the resource.
2913
+ # @note When making an API call, you may pass SecretsManagerSecretConfiguration
2914
+ # data as a hash:
2915
+ #
2916
+ # {
2917
+ # kms_key_id: "SecretsManagerSecretKmsId",
2918
+ # secret_policy: "SecretsManagerSecretPolicy",
2919
+ # }
2920
+ #
2921
+ # @!attribute [rw] kms_key_id
2922
+ # The proposed ARN, key ID, or alias of the AWS KMS customer master
2923
+ # key (CMK).
1211
2924
  # @return [String]
1212
2925
  #
1213
- # @!attribute [rw] resource_type
1214
- # The type of the resource.
2926
+ # @!attribute [rw] secret_policy
2927
+ # The proposed resource policy defining who can access or manage the
2928
+ # secret.
1215
2929
  # @return [String]
1216
2930
  #
1217
- # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ResourceNotFoundException AWS API Documentation
2931
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SecretsManagerSecretConfiguration AWS API Documentation
1218
2932
  #
1219
- class ResourceNotFoundException < Struct.new(
1220
- :message,
1221
- :resource_id,
1222
- :resource_type)
2933
+ class SecretsManagerSecretConfiguration < Struct.new(
2934
+ :kms_key_id,
2935
+ :secret_policy)
1223
2936
  SENSITIVE = []
1224
2937
  include Aws::Structure
1225
2938
  end
@@ -1274,6 +2987,132 @@ module Aws::AccessAnalyzer
1274
2987
  include Aws::Structure
1275
2988
  end
1276
2989
 
2990
+ # A span in a policy. The span consists of a start position (inclusive)
2991
+ # and end position (exclusive).
2992
+ #
2993
+ # @!attribute [rw] end
2994
+ # The end position of the span (exclusive).
2995
+ # @return [Types::Position]
2996
+ #
2997
+ # @!attribute [rw] start
2998
+ # The start position of the span (inclusive).
2999
+ # @return [Types::Position]
3000
+ #
3001
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Span AWS API Documentation
3002
+ #
3003
+ class Span < Struct.new(
3004
+ :end,
3005
+ :start)
3006
+ SENSITIVE = []
3007
+ include Aws::Structure
3008
+ end
3009
+
3010
+ # The proposed access control configuration for an SQS queue. You can
3011
+ # propose a configuration for a new SQS queue or an existing SQS queue
3012
+ # that you own by specifying the SQS policy. If the configuration is for
3013
+ # an existing SQS queue and you do not specify the SQS policy, the
3014
+ # access preview uses the existing SQS policy for the queue. If the
3015
+ # access preview is for a new resource and you do not specify the
3016
+ # policy, the access preview assumes an SQS queue without a policy. To
3017
+ # propose deletion of an existing SQS queue policy, you can specify an
3018
+ # empty string for the SQS policy. For more information about SQS policy
3019
+ # limits, see [Quotas related to policies][1].
3020
+ #
3021
+ #
3022
+ #
3023
+ # [1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-policies.html
3024
+ #
3025
+ # @note When making an API call, you may pass SqsQueueConfiguration
3026
+ # data as a hash:
3027
+ #
3028
+ # {
3029
+ # queue_policy: "SqsQueuePolicy",
3030
+ # }
3031
+ #
3032
+ # @!attribute [rw] queue_policy
3033
+ # The proposed resource policy for the SQS queue.
3034
+ # @return [String]
3035
+ #
3036
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SqsQueueConfiguration AWS API Documentation
3037
+ #
3038
+ class SqsQueueConfiguration < Struct.new(
3039
+ :queue_policy)
3040
+ SENSITIVE = []
3041
+ include Aws::Structure
3042
+ end
3043
+
3044
+ # @note When making an API call, you may pass StartPolicyGenerationRequest
3045
+ # data as a hash:
3046
+ #
3047
+ # {
3048
+ # client_token: "String",
3049
+ # cloud_trail_details: {
3050
+ # access_role: "RoleArn", # required
3051
+ # end_time: Time.now,
3052
+ # start_time: Time.now, # required
3053
+ # trails: [ # required
3054
+ # {
3055
+ # all_regions: false,
3056
+ # cloud_trail_arn: "CloudTrailArn", # required
3057
+ # regions: ["String"],
3058
+ # },
3059
+ # ],
3060
+ # },
3061
+ # policy_generation_details: { # required
3062
+ # principal_arn: "PrincipalArn", # required
3063
+ # },
3064
+ # }
3065
+ #
3066
+ # @!attribute [rw] client_token
3067
+ # A unique, case-sensitive identifier that you provide to ensure the
3068
+ # idempotency of the request. Idempotency ensures that an API request
3069
+ # completes only once. With an idempotent request, if the original
3070
+ # request completes successfully, the subsequent retries with the same
3071
+ # client token return the result from the original successful request
3072
+ # and they have no additional effect.
3073
+ #
3074
+ # If you do not specify a client token, one is automatically generated
3075
+ # by the AWS SDK.
3076
+ #
3077
+ # **A suitable default value is auto-generated.** You should normally
3078
+ # not need to pass this option.
3079
+ # @return [String]
3080
+ #
3081
+ # @!attribute [rw] cloud_trail_details
3082
+ # A `CloudTrailDetails` object that contains details about a `Trail`
3083
+ # that you want to analyze to generate policies.
3084
+ # @return [Types::CloudTrailDetails]
3085
+ #
3086
+ # @!attribute [rw] policy_generation_details
3087
+ # Contains the ARN of the IAM entity (user or role) for which you are
3088
+ # generating a policy.
3089
+ # @return [Types::PolicyGenerationDetails]
3090
+ #
3091
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/StartPolicyGenerationRequest AWS API Documentation
3092
+ #
3093
+ class StartPolicyGenerationRequest < Struct.new(
3094
+ :client_token,
3095
+ :cloud_trail_details,
3096
+ :policy_generation_details)
3097
+ SENSITIVE = []
3098
+ include Aws::Structure
3099
+ end
3100
+
3101
+ # @!attribute [rw] job_id
3102
+ # The `JobId` that is returned by the `StartPolicyGeneration`
3103
+ # operation. The `JobId` can be used with `GetGeneratedPolicy` to
3104
+ # retrieve the generated policies or used with
3105
+ # `CancelPolicyGeneration` to cancel the policy generation request.
3106
+ # @return [String]
3107
+ #
3108
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/StartPolicyGenerationResponse AWS API Documentation
3109
+ #
3110
+ class StartPolicyGenerationResponse < Struct.new(
3111
+ :job_id)
3112
+ SENSITIVE = []
3113
+ include Aws::Structure
3114
+ end
3115
+
1277
3116
  # Starts a scan of the policies applied to the specified resource.
1278
3117
  #
1279
3118
  # @note When making an API call, you may pass StartResourceScanRequest
@@ -1285,8 +3124,12 @@ module Aws::AccessAnalyzer
1285
3124
  # }
1286
3125
  #
1287
3126
  # @!attribute [rw] analyzer_arn
1288
- # The ARN of the analyzer to use to scan the policies applied to the
1289
- # specified resource.
3127
+ # The [ARN of the analyzer][1] to use to scan the policies applied to
3128
+ # the specified resource.
3129
+ #
3130
+ #
3131
+ #
3132
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1290
3133
  # @return [String]
1291
3134
  #
1292
3135
  # @!attribute [rw] resource_arn
@@ -1304,7 +3147,7 @@ module Aws::AccessAnalyzer
1304
3147
 
1305
3148
  # Provides more details about the current status of the analyzer. For
1306
3149
  # example, if the creation for the analyzer fails, a `Failed` status is
1307
- # displayed. For an analyzer with organization as the type, this failure
3150
+ # returned. For an analyzer with organization as the type, this failure
1308
3151
  # can be due to an issue with creating the service-linked roles required
1309
3152
  # in the member accounts of the AWS organization.
1310
3153
  #
@@ -1320,6 +3163,25 @@ module Aws::AccessAnalyzer
1320
3163
  include Aws::Structure
1321
3164
  end
1322
3165
 
3166
+ # A reference to a substring of a literal string in a JSON document.
3167
+ #
3168
+ # @!attribute [rw] length
3169
+ # The length of the substring.
3170
+ # @return [Integer]
3171
+ #
3172
+ # @!attribute [rw] start
3173
+ # The start index of the substring, starting from 0.
3174
+ # @return [Integer]
3175
+ #
3176
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Substring AWS API Documentation
3177
+ #
3178
+ class Substring < Struct.new(
3179
+ :length,
3180
+ :start)
3181
+ SENSITIVE = []
3182
+ include Aws::Structure
3183
+ end
3184
+
1323
3185
  # Adds a tag to the specified resource.
1324
3186
  #
1325
3187
  # @note When making an API call, you may pass TagResourceRequest
@@ -1373,6 +3235,73 @@ module Aws::AccessAnalyzer
1373
3235
  include Aws::Structure
1374
3236
  end
1375
3237
 
3238
+ # Contains details about the CloudTrail trail being analyzed to generate
3239
+ # a policy.
3240
+ #
3241
+ # @note When making an API call, you may pass Trail
3242
+ # data as a hash:
3243
+ #
3244
+ # {
3245
+ # all_regions: false,
3246
+ # cloud_trail_arn: "CloudTrailArn", # required
3247
+ # regions: ["String"],
3248
+ # }
3249
+ #
3250
+ # @!attribute [rw] all_regions
3251
+ # Possible values are `true` or `false`. If set to `true`, Access
3252
+ # Analyzer retrieves CloudTrail data from all regions to analyze and
3253
+ # generate a policy.
3254
+ # @return [Boolean]
3255
+ #
3256
+ # @!attribute [rw] cloud_trail_arn
3257
+ # Specifies the ARN of the trail. The format of a trail ARN is
3258
+ # `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`.
3259
+ # @return [String]
3260
+ #
3261
+ # @!attribute [rw] regions
3262
+ # A list of regions to get CloudTrail data from and analyze to
3263
+ # generate a policy.
3264
+ # @return [Array<String>]
3265
+ #
3266
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Trail AWS API Documentation
3267
+ #
3268
+ class Trail < Struct.new(
3269
+ :all_regions,
3270
+ :cloud_trail_arn,
3271
+ :regions)
3272
+ SENSITIVE = []
3273
+ include Aws::Structure
3274
+ end
3275
+
3276
+ # Contains details about the CloudTrail trail being analyzed to generate
3277
+ # a policy.
3278
+ #
3279
+ # @!attribute [rw] all_regions
3280
+ # Possible values are `true` or `false`. If set to `true`, Access
3281
+ # Analyzer retrieves CloudTrail data from all regions to analyze and
3282
+ # generate a policy.
3283
+ # @return [Boolean]
3284
+ #
3285
+ # @!attribute [rw] cloud_trail_arn
3286
+ # Specifies the ARN of the trail. The format of a trail ARN is
3287
+ # `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`.
3288
+ # @return [String]
3289
+ #
3290
+ # @!attribute [rw] regions
3291
+ # A list of regions to get CloudTrail data from and analyze to
3292
+ # generate a policy.
3293
+ # @return [Array<String>]
3294
+ #
3295
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/TrailProperties AWS API Documentation
3296
+ #
3297
+ class TrailProperties < Struct.new(
3298
+ :all_regions,
3299
+ :cloud_trail_arn,
3300
+ :regions)
3301
+ SENSITIVE = []
3302
+ include Aws::Structure
3303
+ end
3304
+
1376
3305
  # Removes a tag from the specified resource.
1377
3306
  #
1378
3307
  # @note When making an API call, you may pass UntagResourceRequest
@@ -1470,7 +3399,11 @@ module Aws::AccessAnalyzer
1470
3399
  # }
1471
3400
  #
1472
3401
  # @!attribute [rw] analyzer_arn
1473
- # The ARN of the analyzer that generated the findings to update.
3402
+ # The [ARN of the analyzer][1] that generated the findings to update.
3403
+ #
3404
+ #
3405
+ #
3406
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1474
3407
  # @return [String]
1475
3408
  #
1476
3409
  # @!attribute [rw] client_token
@@ -1507,6 +3440,127 @@ module Aws::AccessAnalyzer
1507
3440
  include Aws::Structure
1508
3441
  end
1509
3442
 
3443
+ # A finding in a policy. Each finding is an actionable recommendation
3444
+ # that can be used to improve the policy.
3445
+ #
3446
+ # @!attribute [rw] finding_details
3447
+ # A localized message that explains the finding and provides guidance
3448
+ # on how to address it.
3449
+ # @return [String]
3450
+ #
3451
+ # @!attribute [rw] finding_type
3452
+ # The impact of the finding.
3453
+ #
3454
+ # Security warnings report when the policy allows access that we
3455
+ # consider overly permissive.
3456
+ #
3457
+ # Errors report when a part of the policy is not functional.
3458
+ #
3459
+ # Warnings report non-security issues when a policy does not conform
3460
+ # to policy writing best practices.
3461
+ #
3462
+ # Suggestions recommend stylistic improvements in the policy that do
3463
+ # not impact access.
3464
+ # @return [String]
3465
+ #
3466
+ # @!attribute [rw] issue_code
3467
+ # The issue code provides an identifier of the issue associated with
3468
+ # this finding.
3469
+ # @return [String]
3470
+ #
3471
+ # @!attribute [rw] learn_more_link
3472
+ # A link to additional documentation about the type of finding.
3473
+ # @return [String]
3474
+ #
3475
+ # @!attribute [rw] locations
3476
+ # The list of locations in the policy document that are related to the
3477
+ # finding. The issue code provides a summary of an issue identified by
3478
+ # the finding.
3479
+ # @return [Array<Types::Location>]
3480
+ #
3481
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyFinding AWS API Documentation
3482
+ #
3483
+ class ValidatePolicyFinding < Struct.new(
3484
+ :finding_details,
3485
+ :finding_type,
3486
+ :issue_code,
3487
+ :learn_more_link,
3488
+ :locations)
3489
+ SENSITIVE = []
3490
+ include Aws::Structure
3491
+ end
3492
+
3493
+ # @note When making an API call, you may pass ValidatePolicyRequest
3494
+ # data as a hash:
3495
+ #
3496
+ # {
3497
+ # locale: "DE", # accepts DE, EN, ES, FR, IT, JA, KO, PT_BR, ZH_CN, ZH_TW
3498
+ # max_results: 1,
3499
+ # next_token: "Token",
3500
+ # policy_document: "PolicyDocument", # required
3501
+ # policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY
3502
+ # }
3503
+ #
3504
+ # @!attribute [rw] locale
3505
+ # The locale to use for localizing the findings.
3506
+ # @return [String]
3507
+ #
3508
+ # @!attribute [rw] max_results
3509
+ # The maximum number of results to return in the response.
3510
+ # @return [Integer]
3511
+ #
3512
+ # @!attribute [rw] next_token
3513
+ # A token used for pagination of results returned.
3514
+ # @return [String]
3515
+ #
3516
+ # @!attribute [rw] policy_document
3517
+ # The JSON policy document to use as the content for the policy.
3518
+ # @return [String]
3519
+ #
3520
+ # @!attribute [rw] policy_type
3521
+ # The type of policy to validate. Identity policies grant permissions
3522
+ # to IAM principals. Identity policies include managed and inline
3523
+ # policies for IAM roles, users, and groups. They also include
3524
+ # service-control policies (SCPs) that are attached to an AWS
3525
+ # organization, organizational unit (OU), or an account.
3526
+ #
3527
+ # Resource policies grant permissions on AWS resources. Resource
3528
+ # policies include trust policies for IAM roles and bucket policies
3529
+ # for S3 buckets. You can provide a generic input such as identity
3530
+ # policy or resource policy or a specific input such as managed policy
3531
+ # or S3 bucket policy.
3532
+ # @return [String]
3533
+ #
3534
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyRequest AWS API Documentation
3535
+ #
3536
+ class ValidatePolicyRequest < Struct.new(
3537
+ :locale,
3538
+ :max_results,
3539
+ :next_token,
3540
+ :policy_document,
3541
+ :policy_type)
3542
+ SENSITIVE = []
3543
+ include Aws::Structure
3544
+ end
3545
+
3546
+ # @!attribute [rw] findings
3547
+ # The list of findings in a policy returned by Access Analyzer based
3548
+ # on its suite of policy checks.
3549
+ # @return [Array<Types::ValidatePolicyFinding>]
3550
+ #
3551
+ # @!attribute [rw] next_token
3552
+ # A token used for pagination of results returned.
3553
+ # @return [String]
3554
+ #
3555
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyResponse AWS API Documentation
3556
+ #
3557
+ class ValidatePolicyResponse < Struct.new(
3558
+ :findings,
3559
+ :next_token)
3560
+ SENSITIVE = []
3561
+ include Aws::Structure
3562
+ end
3563
+
1510
3564
  # Validation exception error.
1511
3565
  #
1512
3566
  # @!attribute [rw] field_list
@@ -1549,5 +3603,32 @@ module Aws::AccessAnalyzer
1549
3603
  include Aws::Structure
1550
3604
  end
1551
3605
 
3606
+ # The proposed virtual private cloud (VPC) configuration for the Amazon
3607
+ # S3 access point. For more information, see [VpcConfiguration][1].
3608
+ #
3609
+ #
3610
+ #
3611
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
3612
+ #
3613
+ # @note When making an API call, you may pass VpcConfiguration
3614
+ # data as a hash:
3615
+ #
3616
+ # {
3617
+ # vpc_id: "VpcId", # required
3618
+ # }
3619
+ #
3620
+ # @!attribute [rw] vpc_id
3621
+ # If this field is specified, this access point will only allow
3622
+ # connections from the specified VPC ID.
3623
+ # @return [String]
3624
+ #
3625
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/VpcConfiguration AWS API Documentation
3626
+ #
3627
+ class VpcConfiguration < Struct.new(
3628
+ :vpc_id)
3629
+ SENSITIVE = []
3630
+ include Aws::Structure
3631
+ end
3632
+
1552
3633
  end
1553
3634
  end