aws-sdk-accessanalyzer 1.22.0 → 1.26.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +20 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-accessanalyzer/client.rb +49 -22
- data/lib/aws-sdk-accessanalyzer/client_api.rb +2 -0
- data/lib/aws-sdk-accessanalyzer/types.rb +129 -98
- data/lib/aws-sdk-accessanalyzer.rb +1 -1
- metadata +4 -4
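--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1342cd4f47db2ecf75338f34ad04cc82ff152dac1de6eff3db4b8201cbf1edff
+data.tar.gz: 12528aefa563f1de3dc8cc9c38b1348bc4fd94a148dfa37ed4eca5cf9dc6343a
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1ca05166f5530d95105fcfbfc1ff2f9d42ab77e7f6f3c1f55902394c696ae0c2f71af93fa3b3fd54b93d1ea2a8ca9412df5e5cf1ca99988c060b86f067452bdc
+data.tar.gz: 71739b092dd991d1356836a103f7776d25894ea191cf64d8745ade87db3003ab4859654eb5336a847ff5d67bcac50c5687aaf34a5ddcb56a6e4c9031e3e1b9f9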
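--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,26 @@
 Unreleased Changes
 ------------------
 
+1.26.0 (2021-11-30)
+------------------
+
+* Feature - AWS IAM Access Analyzer now supports policy validation for resource policies attached to S3 buckets and access points. You can run additional policy checks by specifying the S3 resource type you want to attach to your resource policy.
+
+1.25.0 (2021-11-04)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.24.0 (2021-10-18)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.23.0 (2021-09-02)
+------------------
+
+* Feature - Updates service API, documentation, and paginators to support multi-region access points from Amazon S3.
+
 1.22.0 (2021-09-01)
 ------------------
 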
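--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-1.
+1.26.0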
@@ -119,7 +119,9 @@ module Aws::AccessAnalyzer
|
|
119
119
|
# * EC2/ECS IMDS instance profile - When used by default, the timeouts
|
120
120
|
# are very aggressive. Construct and pass an instance of
|
121
121
|
# `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
|
122
|
-
# enable retries and extended timeouts.
|
122
|
+
# enable retries and extended timeouts. Instance profile credential
|
123
|
+
# fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
|
124
|
+
# to true.
|
123
125
|
#
|
124
126
|
# @option options [required, String] :region
|
125
127
|
# The AWS region to connect to. The configured `:region` is
|
@@ -275,6 +277,15 @@ module Aws::AccessAnalyzer
|
|
275
277
|
# ** Please note ** When response stubbing is enabled, no HTTP
|
276
278
|
# requests are made, and retries are disabled.
|
277
279
|
#
|
280
|
+
# @option options [Boolean] :use_dualstack_endpoint
|
281
|
+
# When set to `true`, dualstack enabled endpoints (with `.aws` TLD)
|
282
|
+
# will be used if available.
|
283
|
+
#
|
284
|
+
# @option options [Boolean] :use_fips_endpoint
|
285
|
+
# When set to `true`, fips compatible endpoints will be used if available.
|
286
|
+
# When a `fips` region is used, the region is normalized and this config
|
287
|
+
# is set to `true`.
|
288
|
+
#
|
278
289
|
# @option options [Boolean] :validate_params (true)
|
279
290
|
# When `true`, request parameters are validated before
|
280
291
|
# sending the request.
|
@@ -386,8 +397,9 @@ module Aws::AccessAnalyzer
|
|
386
397
|
req.send_request(options)
|
387
398
|
end
|
388
399
|
|
389
|
-
# Creates an access preview that allows you to preview Access
|
390
|
-
# findings for your resource before deploying resource
|
400
|
+
# Creates an access preview that allows you to preview IAM Access
|
401
|
+
# Analyzer findings for your resource before deploying resource
|
402
|
+
# permissions.
|
391
403
|
#
|
392
404
|
# @option params [required, String] :analyzer_arn
|
393
405
|
# The [ARN of the account analyzer][1] used to generate the access
|
@@ -573,7 +585,7 @@ module Aws::AccessAnalyzer
|
|
573
585
|
# when you create the rule.
|
574
586
|
#
|
575
587
|
# To learn about filter keys that you can use to create an archive rule,
|
576
|
-
# see [Access Analyzer filter keys][1] in the **IAM User Guide**.
|
588
|
+
# see [IAM Access Analyzer filter keys][1] in the **IAM User Guide**.
|
577
589
|
#
|
578
590
|
#
|
579
591
|
#
|
@@ -621,10 +633,10 @@ module Aws::AccessAnalyzer
|
|
621
633
|
req.send_request(options)
|
622
634
|
end
|
623
635
|
|
624
|
-
# Deletes the specified analyzer. When you delete an analyzer,
|
625
|
-
# Analyzer is disabled for the account or organization in the
|
626
|
-
# specific Region. All findings that were generated by the
|
627
|
-
# deleted. You cannot undo this action.
|
636
|
+
# Deletes the specified analyzer. When you delete an analyzer, IAM
|
637
|
+
# Access Analyzer is disabled for the account or organization in the
|
638
|
+
# current or specific Region. All findings that were generated by the
|
639
|
+
# analyzer are deleted. You cannot undo this action.
|
628
640
|
#
|
629
641
|
# @option params [required, String] :analyzer_name
|
630
642
|
# The name of the analyzer to delete.
|
@@ -845,7 +857,7 @@ module Aws::AccessAnalyzer
|
|
845
857
|
# Retrieves information about an archive rule.
|
846
858
|
#
|
847
859
|
# To learn about filter keys that you can use to create an archive rule,
|
848
|
-
# see [Access Analyzer filter keys][1] in the **IAM User Guide**.
|
860
|
+
# see [IAM Access Analyzer filter keys][1] in the **IAM User Guide**.
|
849
861
|
#
|
850
862
|
#
|
851
863
|
#
|
@@ -960,8 +972,9 @@ module Aws::AccessAnalyzer
|
|
960
972
|
# The level of detail that you want to generate. You can specify whether
|
961
973
|
# to generate service-level policies.
|
962
974
|
#
|
963
|
-
# Access Analyzer uses `iam:servicelastaccessed` to identify
|
964
|
-
# that have been used recently to create this service-level
|
975
|
+
# IAM Access Analyzer uses `iam:servicelastaccessed` to identify
|
976
|
+
# services that have been used recently to create this service-level
|
977
|
+
# template.
|
965
978
|
#
|
966
979
|
# @option params [required, String] :job_id
|
967
980
|
# The `JobId` that is returned by the `StartPolicyGeneration` operation.
|
@@ -1297,7 +1310,7 @@ module Aws::AccessAnalyzer
|
|
1297
1310
|
# Retrieves a list of findings generated by the specified analyzer.
|
1298
1311
|
#
|
1299
1312
|
# To learn about filter keys that you can use to retrieve a list of
|
1300
|
-
# findings, see [Access Analyzer filter keys][1] in the **IAM User
|
1313
|
+
# findings, see [IAM Access Analyzer filter keys][1] in the **IAM User
|
1301
1314
|
# Guide**.
|
1302
1315
|
#
|
1303
1316
|
#
|
@@ -1470,7 +1483,7 @@ module Aws::AccessAnalyzer
|
|
1470
1483
|
# and they have no additional effect.
|
1471
1484
|
#
|
1472
1485
|
# If you do not specify a client token, one is automatically generated
|
1473
|
-
# by the
|
1486
|
+
# by the Amazon Web Services SDK.
|
1474
1487
|
#
|
1475
1488
|
# **A suitable default value is auto-generated.** You should normally
|
1476
1489
|
# not need to pass this option.**
|
@@ -1720,14 +1733,27 @@ module Aws::AccessAnalyzer
|
|
1720
1733
|
# The type of policy to validate. Identity policies grant permissions to
|
1721
1734
|
# IAM principals. Identity policies include managed and inline policies
|
1722
1735
|
# for IAM roles, users, and groups. They also include service-control
|
1723
|
-
# policies (SCPs) that are attached to an
|
1724
|
-
# organizational unit (OU), or an account.
|
1725
|
-
#
|
1726
|
-
# Resource policies grant permissions on
|
1727
|
-
# policies include trust policies for IAM roles and bucket
|
1728
|
-
# S3 buckets. You can provide a generic input such
|
1729
|
-
# resource policy or a specific input such as
|
1730
|
-
# bucket policy.
|
1736
|
+
# policies (SCPs) that are attached to an Amazon Web Services
|
1737
|
+
# organization, organizational unit (OU), or an account.
|
1738
|
+
#
|
1739
|
+
# Resource policies grant permissions on Amazon Web Services resources.
|
1740
|
+
# Resource policies include trust policies for IAM roles and bucket
|
1741
|
+
# policies for Amazon S3 buckets. You can provide a generic input such
|
1742
|
+
# as identity policy or resource policy or a specific input such as
|
1743
|
+
# managed policy or Amazon S3 bucket policy.
|
1744
|
+
#
|
1745
|
+
# @option params [String] :validate_policy_resource_type
|
1746
|
+
# The type of resource to attach to your resource policy. Specify a
|
1747
|
+
# value for the policy validation resource type only if the policy type
|
1748
|
+
# is `RESOURCE_POLICY`. For example, to validate a resource policy to
|
1749
|
+
# attach to an Amazon S3 bucket, you can choose `AWS::S3::Bucket` for
|
1750
|
+
# the policy validation resource type.
|
1751
|
+
#
|
1752
|
+
# For resource types not supported as valid values, IAM Access Analyzer
|
1753
|
+
# runs policy checks that apply to all resource policies. For example,
|
1754
|
+
# to validate a resource policy to attach to a KMS key, do not specify a
|
1755
|
+
# value for the policy validation resource type and IAM Access Analyzer
|
1756
|
+
# will run policy checks that apply to all resource policies.
|
1731
1757
|
#
|
1732
1758
|
# @return [Types::ValidatePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1733
1759
|
#
|
@@ -1744,6 +1770,7 @@ module Aws::AccessAnalyzer
|
|
1744
1770
|
# next_token: "Token",
|
1745
1771
|
# policy_document: "PolicyDocument", # required
|
1746
1772
|
# policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY
|
1773
|
+
# validate_policy_resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::S3::AccessPoint, AWS::S3::MultiRegionAccessPoint, AWS::S3ObjectLambda::AccessPoint
|
1747
1774
|
# })
|
1748
1775
|
#
|
1749
1776
|
# @example Response structure
|
@@ -1790,7 +1817,7 @@ module Aws::AccessAnalyzer
|
|
1790
1817
|
params: params,
|
1791
1818
|
config: config)
|
1792
1819
|
context[:gem_name] = 'aws-sdk-accessanalyzer'
|
1793
|
-
context[:gem_version] = '1.
|
1820
|
+
context[:gem_version] = '1.26.0'
|
1794
1821
|
Seahorse::Client::Request.new(handlers, context)
|
1795
1822
|
end
|
1796
1823
|
|
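Review bot: The new `:use_fips_endpoint` option comment (new lines 284-287) says FIPS endpoints are used "if available" but never states what the client does when none exists, which is exactly the case a compliance-bound caller needs documented. I would add a sentence such as `# When no FIPS endpoint exists for the region, the client <falls back / raises - confirm against aws-sdk-core>.` and do the same for `:use_dualstack_endpoint` directly above it. Separately, the context line in the first hunk still reads `Aws::InstanceProfileCredentails`; the class is spelled `Aws::InstanceProfileCredentials`. If this file is code-generated, as the CHANGELOG entries suggest, both corrections belong in the generator's templates rather than in this file.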
@@ -199,6 +199,7 @@ module Aws::AccessAnalyzer
|
|
199
199
|
ValidatePolicyFindingList = Shapes::ListShape.new(name: 'ValidatePolicyFindingList')
|
200
200
|
ValidatePolicyFindingType = Shapes::StringShape.new(name: 'ValidatePolicyFindingType')
|
201
201
|
ValidatePolicyRequest = Shapes::StructureShape.new(name: 'ValidatePolicyRequest')
|
202
|
+
ValidatePolicyResourceType = Shapes::StringShape.new(name: 'ValidatePolicyResourceType')
|
202
203
|
ValidatePolicyResponse = Shapes::StructureShape.new(name: 'ValidatePolicyResponse')
|
203
204
|
ValidationException = Shapes::StructureShape.new(name: 'ValidationException')
|
204
205
|
ValidationExceptionField = Shapes::StructureShape.new(name: 'ValidationExceptionField')
|
@@ -798,6 +799,7 @@ module Aws::AccessAnalyzer
|
|
798
799
|
ValidatePolicyRequest.add_member(:next_token, Shapes::ShapeRef.new(shape: Token, location: "querystring", location_name: "nextToken"))
|
799
800
|
ValidatePolicyRequest.add_member(:policy_document, Shapes::ShapeRef.new(shape: PolicyDocument, required: true, location_name: "policyDocument"))
|
800
801
|
ValidatePolicyRequest.add_member(:policy_type, Shapes::ShapeRef.new(shape: PolicyType, required: true, location_name: "policyType"))
|
802
|
+
ValidatePolicyRequest.add_member(:validate_policy_resource_type, Shapes::ShapeRef.new(shape: ValidatePolicyResourceType, location_name: "validatePolicyResourceType"))
|
801
803
|
ValidatePolicyRequest.struct_class = Types::ValidatePolicyRequest
|
802
804
|
|
803
805
|
ValidatePolicyResponse.add_member(:findings, Shapes::ShapeRef.new(shape: ValidatePolicyFindingList, required: true, location_name: "findings"))
|
@@ -83,7 +83,7 @@ module Aws::AccessAnalyzer
|
|
83
83
|
#
|
84
84
|
# @!attribute [rw] change_type
|
85
85
|
# Provides context on how the access preview finding compares to
|
86
|
-
# existing access identified in Access Analyzer.
|
86
|
+
# existing access identified in IAM Access Analyzer.
|
87
87
|
#
|
88
88
|
# * `New` - The finding is for newly-introduced access.
|
89
89
|
#
|
@@ -113,8 +113,8 @@ module Aws::AccessAnalyzer
|
|
113
113
|
# @return [String]
|
114
114
|
#
|
115
115
|
# @!attribute [rw] existing_finding_id
|
116
|
-
# The existing ID of the finding in Access Analyzer, provided only
|
117
|
-
# existing findings.
|
116
|
+
# The existing ID of the finding in IAM Access Analyzer, provided only
|
117
|
+
# for existing findings.
|
118
118
|
# @return [String]
|
119
119
|
#
|
120
120
|
# @!attribute [rw] existing_finding_status
|
@@ -144,8 +144,9 @@ module Aws::AccessAnalyzer
|
|
144
144
|
# @return [String]
|
145
145
|
#
|
146
146
|
# @!attribute [rw] resource_owner_account
|
147
|
-
# The
|
148
|
-
# the owning account is the account in
|
147
|
+
# The Amazon Web Services account ID that owns the resource. For most
|
148
|
+
# Amazon Web Services resources, the owning account is the account in
|
149
|
+
# which the resource was created.
|
149
150
|
# @return [String]
|
150
151
|
#
|
151
152
|
# @!attribute [rw] resource_type
|
@@ -263,7 +264,8 @@ module Aws::AccessAnalyzer
|
|
263
264
|
# @note AclGrantee is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of AclGrantee corresponding to the set member.
|
264
265
|
#
|
265
266
|
# @!attribute [rw] id
|
266
|
-
# The value specified is the canonical user ID of an
|
267
|
+
# The value specified is the canonical user ID of an Amazon Web
|
268
|
+
# Services account.
|
267
269
|
# @return [String]
|
268
270
|
#
|
269
271
|
# @!attribute [rw] uri
|
@@ -314,7 +316,7 @@ module Aws::AccessAnalyzer
|
|
314
316
|
# @return [String]
|
315
317
|
#
|
316
318
|
# @!attribute [rw] resource_owner_account
|
317
|
-
# The
|
319
|
+
# The Amazon Web Services account ID that owns the resource.
|
318
320
|
# @return [String]
|
319
321
|
#
|
320
322
|
# @!attribute [rw] resource_type
|
@@ -360,7 +362,7 @@ module Aws::AccessAnalyzer
|
|
360
362
|
# @return [String]
|
361
363
|
#
|
362
364
|
# @!attribute [rw] resource_owner_account
|
363
|
-
# The
|
365
|
+
# The Amazon Web Services account ID that owns the resource.
|
364
366
|
# @return [String]
|
365
367
|
#
|
366
368
|
# @!attribute [rw] resource_type
|
@@ -403,10 +405,10 @@ module Aws::AccessAnalyzer
|
|
403
405
|
# The status of the analyzer. An `Active` analyzer successfully
|
404
406
|
# monitors supported resources and generates new findings. The
|
405
407
|
# analyzer is `Disabled` when a user action, such as removing trusted
|
406
|
-
# access for
|
407
|
-
# the analyzer to stop generating new findings.
|
408
|
-
# `Creating` when the analyzer creation is in progress
|
409
|
-
# when the analyzer creation has failed.
|
408
|
+
# access for Identity and Access Management Access Analyzer from
|
409
|
+
# Organizations, causes the analyzer to stop generating new findings.
|
410
|
+
# The status is `Creating` when the analyzer creation is in progress
|
411
|
+
# and `Failed` when the analyzer creation has failed.
|
410
412
|
# @return [String]
|
411
413
|
#
|
412
414
|
# @!attribute [rw] status_reason
|
@@ -414,8 +416,8 @@ module Aws::AccessAnalyzer
|
|
414
416
|
# the analyzer. For example, if the creation for the analyzer fails, a
|
415
417
|
# `Failed` status is returned. For an analyzer with organization as
|
416
418
|
# the type, this failure can be due to an issue with creating the
|
417
|
-
# service-linked roles required in the member accounts of the
|
418
|
-
# organization.
|
419
|
+
# service-linked roles required in the member accounts of the Amazon
|
420
|
+
# Web Services organization.
|
419
421
|
# @return [Types::StatusReason]
|
420
422
|
#
|
421
423
|
# @!attribute [rw] tags
|
@@ -553,21 +555,21 @@ module Aws::AccessAnalyzer
|
|
553
555
|
# }
|
554
556
|
#
|
555
557
|
# @!attribute [rw] access_role
|
556
|
-
# The ARN of the service role that Access Analyzer uses to access
|
557
|
-
# CloudTrail trail and service last accessed information.
|
558
|
+
# The ARN of the service role that IAM Access Analyzer uses to access
|
559
|
+
# your CloudTrail trail and service last accessed information.
|
558
560
|
# @return [String]
|
559
561
|
#
|
560
562
|
# @!attribute [rw] end_time
|
561
|
-
# The end of the time range for which Access Analyzer reviews your
|
563
|
+
# The end of the time range for which IAM Access Analyzer reviews your
|
562
564
|
# CloudTrail events. Events with a timestamp after this time are not
|
563
565
|
# considered to generate a policy. If this is not included in the
|
564
566
|
# request, the default value is the current time.
|
565
567
|
# @return [Time]
|
566
568
|
#
|
567
569
|
# @!attribute [rw] start_time
|
568
|
-
# The start of the time range for which Access Analyzer reviews
|
569
|
-
# CloudTrail events. Events with a timestamp before this time are
|
570
|
-
# considered to generate a policy.
|
570
|
+
# The start of the time range for which IAM Access Analyzer reviews
|
571
|
+
# your CloudTrail events. Events with a timestamp before this time are
|
572
|
+
# not considered to generate a policy.
|
571
573
|
# @return [Time]
|
572
574
|
#
|
573
575
|
# @!attribute [rw] trails
|
@@ -588,16 +590,16 @@ module Aws::AccessAnalyzer
|
|
588
590
|
# Contains information about CloudTrail access.
|
589
591
|
#
|
590
592
|
# @!attribute [rw] end_time
|
591
|
-
# The end of the time range for which Access Analyzer reviews your
|
593
|
+
# The end of the time range for which IAM Access Analyzer reviews your
|
592
594
|
# CloudTrail events. Events with a timestamp after this time are not
|
593
595
|
# considered to generate a policy. If this is not included in the
|
594
596
|
# request, the default value is the current time.
|
595
597
|
# @return [Time]
|
596
598
|
#
|
597
599
|
# @!attribute [rw] start_time
|
598
|
-
# The start of the time range for which Access Analyzer reviews
|
599
|
-
# CloudTrail events. Events with a timestamp before this time are
|
600
|
-
# considered to generate a policy.
|
600
|
+
# The start of the time range for which IAM Access Analyzer reviews
|
601
|
+
# your CloudTrail events. Events with a timestamp before this time are
|
602
|
+
# not considered to generate a policy.
|
601
603
|
# @return [Time]
|
602
604
|
#
|
603
605
|
# @!attribute [rw] trail_properties
|
@@ -640,7 +642,7 @@ module Aws::AccessAnalyzer
|
|
640
642
|
# @return [Types::SecretsManagerSecretConfiguration]
|
641
643
|
#
|
642
644
|
# @!attribute [rw] sqs_queue
|
643
|
-
# The access control configuration is for an SQS queue.
|
645
|
+
# The access control configuration is for an Amazon SQS queue.
|
644
646
|
# @return [Types::SqsQueueConfiguration]
|
645
647
|
#
|
646
648
|
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Configuration AWS API Documentation
|
@@ -1092,7 +1094,7 @@ module Aws::AccessAnalyzer
|
|
1092
1094
|
# @return [String]
|
1093
1095
|
#
|
1094
1096
|
# @!attribute [rw] resource_owner_account
|
1095
|
-
# The
|
1097
|
+
# The Amazon Web Services account ID that owns the resource.
|
1096
1098
|
# @return [String]
|
1097
1099
|
#
|
1098
1100
|
# @!attribute [rw] resource_type
|
@@ -1160,7 +1162,9 @@ module Aws::AccessAnalyzer
|
|
1160
1162
|
# granted. This is populated for Amazon S3 bucket findings.
|
1161
1163
|
#
|
1162
1164
|
# @!attribute [rw] access_point_arn
|
1163
|
-
# The ARN of the access point that generated the finding.
|
1165
|
+
# The ARN of the access point that generated the finding. The ARN
|
1166
|
+
# format depends on whether the ARN represents an access point or a
|
1167
|
+
# multi-region access point.
|
1164
1168
|
# @return [String]
|
1165
1169
|
#
|
1166
1170
|
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingSourceDetail AWS API Documentation
|
@@ -1215,7 +1219,7 @@ module Aws::AccessAnalyzer
|
|
1215
1219
|
# @return [String]
|
1216
1220
|
#
|
1217
1221
|
# @!attribute [rw] resource_owner_account
|
1218
|
-
# The
|
1222
|
+
# The Amazon Web Services account ID that owns the resource.
|
1219
1223
|
# @return [String]
|
1220
1224
|
#
|
1221
1225
|
# @!attribute [rw] resource_type
|
@@ -1284,8 +1288,8 @@ module Aws::AccessAnalyzer
|
|
1284
1288
|
#
|
1285
1289
|
# @!attribute [rw] is_complete
|
1286
1290
|
# This value is set to `true` if the generated policy contains all
|
1287
|
-
# possible actions for a service that Access Analyzer identified
|
1288
|
-
# the CloudTrail trail that you specified, and `false` otherwise.
|
1291
|
+
# possible actions for a service that IAM Access Analyzer identified
|
1292
|
+
# from the CloudTrail trail that you specified, and `false` otherwise.
|
1289
1293
|
# @return [Boolean]
|
1290
1294
|
#
|
1291
1295
|
# @!attribute [rw] principal_arn
|
@@ -1403,8 +1407,8 @@ module Aws::AccessAnalyzer
|
|
1403
1407
|
# The response to the request.
|
1404
1408
|
#
|
1405
1409
|
# @!attribute [rw] resource
|
1406
|
-
# An `AnalyzedResource` object that contains information that
|
1407
|
-
# Analyzer found when it analyzed the resource.
|
1410
|
+
# An `AnalyzedResource` object that contains information that IAM
|
1411
|
+
# Access Analyzer found when it analyzed the resource.
|
1408
1412
|
# @return [Types::AnalyzedResource]
|
1409
1413
|
#
|
1410
1414
|
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAnalyzedResourceResponse AWS API Documentation
|
@@ -1560,8 +1564,9 @@ module Aws::AccessAnalyzer
|
|
1560
1564
|
# The level of detail that you want to generate. You can specify
|
1561
1565
|
# whether to generate service-level policies.
|
1562
1566
|
#
|
1563
|
-
# Access Analyzer uses `iam:servicelastaccessed` to identify
|
1564
|
-
# that have been used recently to create this service-level
|
1567
|
+
# IAM Access Analyzer uses `iam:servicelastaccessed` to identify
|
1568
|
+
# services that have been used recently to create this service-level
|
1569
|
+
# template.
|
1565
1570
|
# @return [Boolean]
|
1566
1571
|
#
|
1567
1572
|
# @!attribute [rw] job_id
|
@@ -1686,8 +1691,8 @@ module Aws::AccessAnalyzer
|
|
1686
1691
|
include Aws::Structure
|
1687
1692
|
end
|
1688
1693
|
|
1689
|
-
# This configuration sets the
|
1690
|
-
# `Internet`.
|
1694
|
+
# This configuration sets the network origin for the Amazon S3 access
|
1695
|
+
# point or multi-region access point to `Internet`.
|
1691
1696
|
#
|
1692
1697
|
# @api private
|
1693
1698
|
#
|
@@ -1702,7 +1707,7 @@ module Aws::AccessAnalyzer
|
|
1702
1707
|
# @return [Time]
|
1703
1708
|
#
|
1704
1709
|
# @!attribute [rw] job_error
|
1705
|
-
#
|
1710
|
+
# The job error for the policy generation request.
|
1706
1711
|
# @return [Types::JobError]
|
1707
1712
|
#
|
1708
1713
|
# @!attribute [rw] job_id
|
@@ -1794,9 +1799,9 @@ module Aws::AccessAnalyzer
|
|
1794
1799
|
# @return [String]
|
1795
1800
|
#
|
1796
1801
|
# @!attribute [rw] issuing_account
|
1797
|
-
# The
|
1798
|
-
# used to propose KMS grants issued by accounts other
|
1799
|
-
# of the key.
|
1802
|
+
# The Amazon Web Services account under which the grant was issued.
|
1803
|
+
# The account is used to propose KMS grants issued by accounts other
|
1804
|
+
# than the owner of the key.
|
1800
1805
|
# @return [String]
|
1801
1806
|
#
|
1802
1807
|
# @!attribute [rw] operations
|
@@ -2427,7 +2432,8 @@ module Aws::AccessAnalyzer
|
|
2427
2432
|
end
|
2428
2433
|
|
2429
2434
|
# The proposed `InternetConfiguration` or `VpcConfiguration` to apply to
|
2430
|
-
# the Amazon S3
|
2435
|
+
# the Amazon S3 access point. `VpcConfiguration` does not apply to
|
2436
|
+
# multi-region access points. You can make the access point accessible
|
2431
2437
|
# from the internet, or you can specify that all requests made through
|
2432
2438
|
# that access point must originate from a specific virtual private cloud
|
2433
2439
|
# (VPC). You can specify only one type of network configuration. For
|
@@ -2442,13 +2448,14 @@ module Aws::AccessAnalyzer
|
|
2442
2448
|
# @note NetworkOriginConfiguration is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of NetworkOriginConfiguration corresponding to the set member.
|
2443
2449
|
#
|
2444
2450
|
# @!attribute [rw] internet_configuration
|
2445
|
-
# The configuration for the Amazon S3 access point
|
2446
|
-
# origin.
|
2451
|
+
# The configuration for the Amazon S3 access point or multi-region
|
2452
|
+
# access point with an `Internet` origin.
|
2447
2453
|
# @return [Types::InternetConfiguration]
|
2448
2454
|
#
|
2449
2455
|
# @!attribute [rw] vpc_configuration
|
2450
2456
|
# The proposed virtual private cloud (VPC) configuration for the
|
2451
|
-
# Amazon S3 access point.
|
2457
|
+
# Amazon S3 access point. VPC configuration does not apply to
|
2458
|
+
# multi-region access points. For more information, see
|
2452
2459
|
# [VpcConfiguration][1].
|
2453
2460
|
#
|
2454
2461
|
#
|
@@ -2620,9 +2627,10 @@ module Aws::AccessAnalyzer
|
|
2620
2627
|
include Aws::Structure
|
2621
2628
|
end
|
2622
2629
|
|
2623
|
-
# The configuration for an Amazon S3 access point
|
2624
|
-
# can propose up to 10 access points
|
2625
|
-
#
|
2630
|
+
# The configuration for an Amazon S3 access point or multi-region access
|
2631
|
+
# point for the bucket. You can propose up to 10 access points or
|
2632
|
+
# multi-region access points per bucket. If the proposed Amazon S3
|
2633
|
+
# access point configuration is for an existing bucket, the access
|
2626
2634
|
# preview uses the proposed access point configuration in place of the
|
2627
2635
|
# existing access points. To propose an access point without a policy,
|
2628
2636
|
# you can provide an empty string as the access point policy. For more
|
@@ -2654,21 +2662,22 @@ module Aws::AccessAnalyzer
|
|
2654
2662
|
# }
|
2655
2663
|
#
|
2656
2664
|
# @!attribute [rw] access_point_policy
|
2657
|
-
# The access point policy.
|
2665
|
+
# The access point or multi-region access point policy.
|
2658
2666
|
# @return [String]
|
2659
2667
|
#
|
2660
2668
|
# @!attribute [rw] network_origin
|
2661
2669
|
# The proposed `Internet` and `VpcConfiguration` to apply to this
|
2662
|
-
# Amazon S3 access point.
|
2663
|
-
#
|
2664
|
-
#
|
2665
|
-
#
|
2666
|
-
#
|
2670
|
+
# Amazon S3 access point. `VpcConfiguration` does not apply to
|
2671
|
+
# multi-region access points. If the access preview is for a new
|
2672
|
+
# resource and neither is specified, the access preview uses
|
2673
|
+
# `Internet` for the network origin. If the access preview is for an
|
2674
|
+
# existing resource and neither is specified, the access preview uses
|
2675
|
+
# the exiting network origin.
|
2667
2676
|
# @return [Types::NetworkOriginConfiguration]
|
2668
2677
|
#
|
2669
2678
|
# @!attribute [rw] public_access_block
|
2670
2679
|
# The proposed `S3PublicAccessBlock` configuration to apply to this
|
2671
|
-
# Amazon S3
|
2680
|
+
# Amazon S3 access point or multi-region access point.
|
2672
2681
|
# @return [Types::S3PublicAccessBlockConfiguration]
|
2673
2682
|
#
|
2674
2683
|
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3AccessPointConfiguration AWS API Documentation
|
@@ -2719,15 +2728,16 @@ module Aws::AccessAnalyzer
|
|
2719
2728
|
# Proposed access control configuration for an Amazon S3 bucket. You can
|
2720
2729
|
# propose a configuration for a new Amazon S3 bucket or an existing
|
2721
2730
|
# Amazon S3 bucket that you own by specifying the Amazon S3 bucket
|
2722
|
-
# policy, bucket ACLs, bucket BPA settings,
|
2723
|
-
# attached to the bucket. If the
|
2724
|
-
#
|
2725
|
-
#
|
2726
|
-
#
|
2727
|
-
#
|
2728
|
-
#
|
2729
|
-
# specify an empty string. For
|
2730
|
-
# limits, see [Bucket Policy
|
2731
|
+
# policy, bucket ACLs, bucket BPA settings, Amazon S3 access points, and
|
2732
|
+
# multi-region access points attached to the bucket. If the
|
2733
|
+
# configuration is for an existing Amazon S3 bucket and you do not
|
2734
|
+
# specify the Amazon S3 bucket policy, the access preview uses the
|
2735
|
+
# existing policy attached to the bucket. If the access preview is for a
|
2736
|
+
# new resource and you do not specify the Amazon S3 bucket policy, the
|
2737
|
+
# access preview assumes a bucket without a policy. To propose deletion
|
2738
|
+
# of an existing bucket policy, you can specify an empty string. For
|
2739
|
+
# more information about bucket policy limits, see [Bucket Policy
|
2740
|
+
# Examples][1].
|
2731
2741
|
#
|
2732
2742
|
#
|
2733
2743
|
#
|
@@ -2770,7 +2780,9 @@ module Aws::AccessAnalyzer
|
|
2770
2780
|
# }
|
2771
2781
|
#
|
2772
2782
|
# @!attribute [rw] access_points
|
2773
|
-
# The configuration of Amazon S3 access points
|
2783
|
+
# The configuration of Amazon S3 access points or multi-region access
|
2784
|
+
# points for the bucket. You can propose up to 10 new access points
|
2785
|
+
# per bucket.
|
2774
2786
|
# @return [Hash<String,Types::S3AccessPointConfiguration>]
|
2775
2787
|
#
|
2776
2788
|
# @!attribute [rw] bucket_acl_grants
|
@@ -2807,10 +2819,10 @@ module Aws::AccessAnalyzer
|
|
2807
2819
|
# bucket and the configuration is not specified, the access preview uses
|
2808
2820
|
# the existing setting. If the proposed configuration is for a new
|
2809
2821
|
# bucket and the configuration is not specified, the access preview uses
|
2810
|
-
# `false`. If the proposed configuration is for a new access point
|
2811
|
-
# the access point BPA configuration is
|
2812
|
-
# preview uses `true`. For more information,
|
2813
|
-
# [PublicAccessBlockConfiguration][1].
|
2822
|
+
# `false`. If the proposed configuration is for a new access point or
|
2823
|
+
# multi-region access point and the access point BPA configuration is
|
2824
|
+
# not specified, the access preview uses `true`. For more information,
|
2825
|
+
# see [PublicAccessBlockConfiguration][1].
|
2814
2826
|
#
|
2815
2827
|
#
|
2816
2828
|
#
|
@@ -2855,10 +2867,11 @@ module Aws::AccessAnalyzer
|
|
2855
2867
|
# without a policy. To propose deletion of an existing policy, you can
|
2856
2868
|
# specify an empty string. If the proposed configuration is for a new
|
2857
2869
|
# secret and you do not specify the KMS key ID, the access preview uses
|
2858
|
-
# the
|
2859
|
-
# the KMS key ID, the access preview uses
|
2870
|
+
# the Amazon Web Services managed key `aws/secretsmanager`. If you
|
2871
|
+
# specify an empty string for the KMS key ID, the access preview uses
|
2872
|
+
# the Amazon Web Services managed key of the Amazon Web Services
|
2860
2873
|
# account. For more information about secret policy limits, see [Quotas
|
2861
|
-
# for
|
2874
|
+
# for Secrets Manager.][2].
|
2862
2875
|
#
|
2863
2876
|
#
|
2864
2877
|
#
|
@@ -2874,8 +2887,7 @@ module Aws::AccessAnalyzer
|
|
2874
2887
|
# }
|
2875
2888
|
#
|
2876
2889
|
# @!attribute [rw] kms_key_id
|
2877
|
-
# The proposed ARN, key ID, or alias of the
|
2878
|
-
# key (CMK).
|
2890
|
+
# The proposed ARN, key ID, or alias of the KMS key.
|
2879
2891
|
# @return [String]
|
2880
2892
|
#
|
2881
2893
|
# @!attribute [rw] secret_policy
|
@@ -2962,15 +2974,16 @@ module Aws::AccessAnalyzer
|
|
2962
2974
|
include Aws::Structure
|
2963
2975
|
end
|
2964
2976
|
|
2965
|
-
# The proposed access control configuration for an SQS queue. You
|
2966
|
-
# propose a configuration for a new SQS queue or an existing
|
2967
|
-
# that you own by specifying the SQS policy. If
|
2968
|
-
# an existing SQS queue and you do not
|
2969
|
-
#
|
2970
|
-
#
|
2971
|
-
#
|
2972
|
-
#
|
2973
|
-
#
|
2977
|
+
# The proposed access control configuration for an Amazon SQS queue. You
|
2978
|
+
# can propose a configuration for a new Amazon SQS queue or an existing
|
2979
|
+
# Amazon SQS queue that you own by specifying the Amazon SQS policy. If
|
2980
|
+
# the configuration is for an existing Amazon SQS queue and you do not
|
2981
|
+
# specify the Amazon SQS policy, the access preview uses the existing
|
2982
|
+
# Amazon SQS policy for the queue. If the access preview is for a new
|
2983
|
+
# resource and you do not specify the policy, the access preview assumes
|
2984
|
+
# an Amazon SQS queue without a policy. To propose deletion of an
|
2985
|
+
# existing Amazon SQS queue policy, you can specify an empty string for
|
2986
|
+
# the Amazon SQS policy. For more information about Amazon SQS policy
|
2974
2987
|
# limits, see [Quotas related to policies][1].
|
2975
2988
|
#
|
2976
2989
|
#
|
@@ -2985,7 +2998,7 @@ module Aws::AccessAnalyzer
|
|
2985
2998
|
# }
|
2986
2999
|
#
|
2987
3000
|
# @!attribute [rw] queue_policy
|
2988
|
-
# The proposed resource policy for the SQS queue.
|
3001
|
+
# The proposed resource policy for the Amazon SQS queue.
|
2989
3002
|
# @return [String]
|
2990
3003
|
#
|
2991
3004
|
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SqsQueueConfiguration AWS API Documentation
|
@@ -3027,7 +3040,7 @@ module Aws::AccessAnalyzer
|
|
3027
3040
|
# and they have no additional effect.
|
3028
3041
|
#
|
3029
3042
|
# If you do not specify a client token, one is automatically generated
|
3030
|
-
# by the
|
3043
|
+
# by the Amazon Web Services SDK.
|
3031
3044
|
#
|
3032
3045
|
# **A suitable default value is auto-generated.** You should normally
|
3033
3046
|
# not need to pass this option.
|
@@ -3104,7 +3117,7 @@ module Aws::AccessAnalyzer
|
|
3104
3117
|
# example, if the creation for the analyzer fails, a `Failed` status is
|
3105
3118
|
# returned. For an analyzer with organization as the type, this failure
|
3106
3119
|
# can be due to an issue with creating the service-linked roles required
|
3107
|
-
# in the member accounts of the
|
3120
|
+
# in the member accounts of the Amazon Web Services organization.
|
3108
3121
|
#
|
3109
3122
|
# @!attribute [rw] code
|
3110
3123
|
# The reason code for the current status of the analyzer.
|
@@ -3203,7 +3216,7 @@ module Aws::AccessAnalyzer
|
|
3203
3216
|
# }
|
3204
3217
|
#
|
3205
3218
|
# @!attribute [rw] all_regions
|
3206
|
-
# Possible values are `true` or `false`. If set to `true`, Access
|
3219
|
+
# Possible values are `true` or `false`. If set to `true`, IAM Access
|
3207
3220
|
# Analyzer retrieves CloudTrail data from all regions to analyze and
|
3208
3221
|
# generate a policy.
|
3209
3222
|
# @return [Boolean]
|
@@ -3232,7 +3245,7 @@ module Aws::AccessAnalyzer
|
|
3232
3245
|
# a policy.
|
3233
3246
|
#
|
3234
3247
|
# @!attribute [rw] all_regions
|
3235
|
-
# Possible values are `true` or `false`. If set to `true`, Access
|
3248
|
+
# Possible values are `true` or `false`. If set to `true`, IAM Access
|
3236
3249
|
# Analyzer retrieves CloudTrail data from all regions to analyze and
|
3237
3250
|
# generate a policy.
|
3238
3251
|
# @return [Boolean]
|
@@ -3454,6 +3467,7 @@ module Aws::AccessAnalyzer
|
|
3454
3467
|
# next_token: "Token",
|
3455
3468
|
# policy_document: "PolicyDocument", # required
|
3456
3469
|
# policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY
|
3470
|
+
# validate_policy_resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::S3::AccessPoint, AWS::S3::MultiRegionAccessPoint, AWS::S3ObjectLambda::AccessPoint
|
3457
3471
|
# }
|
3458
3472
|
#
|
3459
3473
|
# @!attribute [rw] locale
|
@@ -3476,14 +3490,29 @@ module Aws::AccessAnalyzer
|
|
3476
3490
|
# The type of policy to validate. Identity policies grant permissions
|
3477
3491
|
# to IAM principals. Identity policies include managed and inline
|
3478
3492
|
# policies for IAM roles, users, and groups. They also include
|
3479
|
-
# service-control policies (SCPs) that are attached to an
|
3480
|
-
# organization, organizational unit (OU), or an account.
|
3493
|
+
# service-control policies (SCPs) that are attached to an Amazon Web
|
3494
|
+
# Services organization, organizational unit (OU), or an account.
|
3481
3495
|
#
|
3482
|
-
# Resource policies grant permissions on
|
3483
|
-
# policies include trust policies for IAM roles
|
3484
|
-
# for S3 buckets. You can provide a generic
|
3485
|
-
# policy or resource policy or a specific input
|
3486
|
-
# or S3 bucket policy.
|
3496
|
+
# Resource policies grant permissions on Amazon Web Services
|
3497
|
+
# resources. Resource policies include trust policies for IAM roles
|
3498
|
+
# and bucket policies for Amazon S3 buckets. You can provide a generic
|
3499
|
+
# input such as identity policy or resource policy or a specific input
|
3500
|
+
# such as managed policy or Amazon S3 bucket policy.
|
3501
|
+
# @return [String]
|
3502
|
+
#
|
3503
|
+
# @!attribute [rw] validate_policy_resource_type
|
3504
|
+
# The type of resource to attach to your resource policy. Specify a
|
3505
|
+
# value for the policy validation resource type only if the policy
|
3506
|
+
# type is `RESOURCE_POLICY`. For example, to validate a resource
|
3507
|
+
# policy to attach to an Amazon S3 bucket, you can choose
|
3508
|
+
# `AWS::S3::Bucket` for the policy validation resource type.
|
3509
|
+
#
|
3510
|
+
# For resource types not supported as valid values, IAM Access
|
3511
|
+
# Analyzer runs policy checks that apply to all resource policies. For
|
3512
|
+
# example, to validate a resource policy to attach to a KMS key, do
|
3513
|
+
# not specify a value for the policy validation resource type and IAM
|
3514
|
+
# Access Analyzer will run policy checks that apply to all resource
|
3515
|
+
# policies.
|
3487
3516
|
# @return [String]
|
3488
3517
|
#
|
3489
3518
|
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyRequest AWS API Documentation
|
@@ -3493,14 +3522,15 @@ module Aws::AccessAnalyzer
|
|
3493
3522
|
:max_results,
|
3494
3523
|
:next_token,
|
3495
3524
|
:policy_document,
|
3496
|
-
:policy_type
|
3525
|
+
:policy_type,
|
3526
|
+
:validate_policy_resource_type)
|
3497
3527
|
SENSITIVE = []
|
3498
3528
|
include Aws::Structure
|
3499
3529
|
end
|
3500
3530
|
|
3501
3531
|
# @!attribute [rw] findings
|
3502
|
-
# The list of findings in a policy returned by Access Analyzer
|
3503
|
-
# on its suite of policy checks.
|
3532
|
+
# The list of findings in a policy returned by IAM Access Analyzer
|
3533
|
+
# based on its suite of policy checks.
|
3504
3534
|
# @return [Array<Types::ValidatePolicyFinding>]
|
3505
3535
|
#
|
3506
3536
|
# @!attribute [rw] next_token
|
@@ -3559,7 +3589,8 @@ module Aws::AccessAnalyzer
|
|
3559
3589
|
end
|
3560
3590
|
|
3561
3591
|
# The proposed virtual private cloud (VPC) configuration for the Amazon
|
3562
|
-
# S3 access point.
|
3592
|
+
# S3 access point. VPC configuration does not apply to multi-region
|
3593
|
+
# access points. For more information, see [VpcConfiguration][1].
|
3563
3594
|
#
|
3564
3595
|
#
|
3565
3596
|
#
|
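--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-accessanalyzer
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.26.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-
+date: 2021-11-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-sdk-core
@@ -19,7 +19,7 @@ dependencies:
 version: '3'
 - - ">="
 - !ruby/object:Gem::Version
-version: 3.
+version: 3.122.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
 version: '3'
 - - ">="
 - !ruby/object:Gem::Version
-version: 3.
+version: 3.122.0
 - !ruby/object:Gem::Dependency
 name: aws-sigv4
 requirement: !ruby/object:Gem::Requirement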