aws-sdk-accessanalyzer 1.22.0 → 1.26.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 00c5a06a9e93cd9d1db1a64e21e8b6af85a48da50721a9eb2e385208a1c17892
-  data.tar.gz: ceb723710ed8cba1036e4f9423b8b1f248594b6d06e74e8a73b50e9970c7e934
+  metadata.gz: 1342cd4f47db2ecf75338f34ad04cc82ff152dac1de6eff3db4b8201cbf1edff
+  data.tar.gz: 12528aefa563f1de3dc8cc9c38b1348bc4fd94a148dfa37ed4eca5cf9dc6343a
 SHA512:
-  metadata.gz: c42107cc0570f71afbead42b47b963d54ac6e915d6a7803ef7d688107304c40e38ed78ca8b3df1542aa1cdc59021c5b7408c430e28e7797f465624d40e9847e8
-  data.tar.gz: f1c855305a7f7c58e43f4d15288bd7a68c4c3582d43df45a139bf5676038d830bcc158ac2a5818ddf469149d50cdd074e8e8738beabb2b285781c1c18a13025e
+  metadata.gz: 1ca05166f5530d95105fcfbfc1ff2f9d42ab77e7f6f3c1f55902394c696ae0c2f71af93fa3b3fd54b93d1ea2a8ca9412df5e5cf1ca99988c060b86f067452bdc
+  data.tar.gz: 71739b092dd991d1356836a103f7776d25894ea191cf64d8745ade87db3003ab4859654eb5336a847ff5d67bcac50c5687aaf34a5ddcb56a6e4c9031e3e1b9f9

data/CHANGELOG.md

@@ -1,6 +1,26 @@
 Unreleased Changes
 ------------------
 
+1.26.0 (2021-11-30)
+------------------
+
+* Feature - AWS IAM Access Analyzer now supports policy validation for resource policies attached to S3 buckets and access points. You can run additional policy checks by specifying the S3 resource type you want to attach to your resource policy.
+
+1.25.0 (2021-11-04)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.24.0 (2021-10-18)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
+1.23.0 (2021-09-02)
+------------------
+
+* Feature - Updates service API, documentation, and paginators to support multi-region access points from Amazon S3.
+
 1.22.0 (2021-09-01)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.22.0
+1.26.0

data/lib/aws-sdk-accessanalyzer/client.rb

@@ -119,7 +119,9 @@ module Aws::AccessAnalyzer
     #     * EC2/ECS IMDS instance profile - When used by default, the timeouts
     #       are very aggressive. Construct and pass an instance of
     #       `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to
-    #       enable retries and extended timeouts.
+    #       enable retries and extended timeouts. Instance profile credential
+    #       fetching can be disabled by setting ENV['AWS_EC2_METADATA_DISABLED']
+    #       to true.
     #
     #   @option options [required, String] :region
     #     The AWS region to connect to.  The configured `:region` is
@@ -275,6 +277,15 @@ module Aws::AccessAnalyzer
     #     ** Please note ** When response stubbing is enabled, no HTTP
     #     requests are made, and retries are disabled.
     #
+    #   @option options [Boolean] :use_dualstack_endpoint
+    #     When set to `true`, dualstack enabled endpoints (with `.aws` TLD)
+    #     will be used if available.
+    #
+    #   @option options [Boolean] :use_fips_endpoint
+    #     When set to `true`, fips compatible endpoints will be used if available.
+    #     When a `fips` region is used, the region is normalized and this config
+    #     is set to `true`.
+    #
     #   @option options [Boolean] :validate_params (true)
     #     When `true`, request parameters are validated before
     #     sending the request.
@@ -386,8 +397,9 @@ module Aws::AccessAnalyzer
       req.send_request(options)
     end
 
-    # Creates an access preview that allows you to preview Access Analyzer
-    # findings for your resource before deploying resource permissions.
+    # Creates an access preview that allows you to preview IAM Access
+    # Analyzer findings for your resource before deploying resource
+    # permissions.
     #
     # @option params [required, String] :analyzer_arn
     #   The [ARN of the account analyzer][1] used to generate the access
@@ -573,7 +585,7 @@ module Aws::AccessAnalyzer
     # when you create the rule.
     #
     # To learn about filter keys that you can use to create an archive rule,
-    # see [Access Analyzer filter keys][1] in the **IAM User Guide**.
+    # see [IAM Access Analyzer filter keys][1] in the **IAM User Guide**.
     #
     #
     #
@@ -621,10 +633,10 @@ module Aws::AccessAnalyzer
       req.send_request(options)
     end
 
-    # Deletes the specified analyzer. When you delete an analyzer, Access
-    # Analyzer is disabled for the account or organization in the current or
-    # specific Region. All findings that were generated by the analyzer are
-    # deleted. You cannot undo this action.
+    # Deletes the specified analyzer. When you delete an analyzer, IAM
+    # Access Analyzer is disabled for the account or organization in the
+    # current or specific Region. All findings that were generated by the
+    # analyzer are deleted. You cannot undo this action.
     #
     # @option params [required, String] :analyzer_name
     #   The name of the analyzer to delete.
@@ -845,7 +857,7 @@ module Aws::AccessAnalyzer
     # Retrieves information about an archive rule.
     #
     # To learn about filter keys that you can use to create an archive rule,
-    # see [Access Analyzer filter keys][1] in the **IAM User Guide**.
+    # see [IAM Access Analyzer filter keys][1] in the **IAM User Guide**.
     #
     #
     #
@@ -960,8 +972,9 @@ module Aws::AccessAnalyzer
     #   The level of detail that you want to generate. You can specify whether
     #   to generate service-level policies.
     #
-    #   Access Analyzer uses `iam:servicelastaccessed` to identify services
-    #   that have been used recently to create this service-level template.
+    #   IAM Access Analyzer uses `iam:servicelastaccessed` to identify
+    #   services that have been used recently to create this service-level
+    #   template.
     #
     # @option params [required, String] :job_id
     #   The `JobId` that is returned by the `StartPolicyGeneration` operation.
@@ -1297,7 +1310,7 @@ module Aws::AccessAnalyzer
     # Retrieves a list of findings generated by the specified analyzer.
     #
     # To learn about filter keys that you can use to retrieve a list of
-    # findings, see [Access Analyzer filter keys][1] in the **IAM User
+    # findings, see [IAM Access Analyzer filter keys][1] in the **IAM User
     # Guide**.
     #
     #
@@ -1470,7 +1483,7 @@ module Aws::AccessAnalyzer
     #   and they have no additional effect.
     #
     #   If you do not specify a client token, one is automatically generated
-    #   by the AWS SDK.
+    #   by the Amazon Web Services SDK.
     #
     #   **A suitable default value is auto-generated.** You should normally
     #   not need to pass this option.**
@@ -1720,14 +1733,27 @@ module Aws::AccessAnalyzer
     #   The type of policy to validate. Identity policies grant permissions to
     #   IAM principals. Identity policies include managed and inline policies
     #   for IAM roles, users, and groups. They also include service-control
-    #   policies (SCPs) that are attached to an AWS organization,
-    #   organizational unit (OU), or an account.
-    #
-    #   Resource policies grant permissions on AWS resources. Resource
-    #   policies include trust policies for IAM roles and bucket policies for
-    #   S3 buckets. You can provide a generic input such as identity policy or
-    #   resource policy or a specific input such as managed policy or S3
-    #   bucket policy.
+    #   policies (SCPs) that are attached to an Amazon Web Services
+    #   organization, organizational unit (OU), or an account.
+    #
+    #   Resource policies grant permissions on Amazon Web Services resources.
+    #   Resource policies include trust policies for IAM roles and bucket
+    #   policies for Amazon S3 buckets. You can provide a generic input such
+    #   as identity policy or resource policy or a specific input such as
+    #   managed policy or Amazon S3 bucket policy.
+    #
+    # @option params [String] :validate_policy_resource_type
+    #   The type of resource to attach to your resource policy. Specify a
+    #   value for the policy validation resource type only if the policy type
+    #   is `RESOURCE_POLICY`. For example, to validate a resource policy to
+    #   attach to an Amazon S3 bucket, you can choose `AWS::S3::Bucket` for
+    #   the policy validation resource type.
+    #
+    #   For resource types not supported as valid values, IAM Access Analyzer
+    #   runs policy checks that apply to all resource policies. For example,
+    #   to validate a resource policy to attach to a KMS key, do not specify a
+    #   value for the policy validation resource type and IAM Access Analyzer
+    #   will run policy checks that apply to all resource policies.
     #
     # @return [Types::ValidatePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1744,6 +1770,7 @@ module Aws::AccessAnalyzer
     #     next_token: "Token",
     #     policy_document: "PolicyDocument", # required
     #     policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY
+    #     validate_policy_resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::S3::AccessPoint, AWS::S3::MultiRegionAccessPoint, AWS::S3ObjectLambda::AccessPoint
     #   })
     #
     # @example Response structure
@@ -1790,7 +1817,7 @@ module Aws::AccessAnalyzer
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-accessanalyzer'
-      context[:gem_version] = '1.22.0'
+      context[:gem_version] = '1.26.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-accessanalyzer/client_api.rb

@@ -199,6 +199,7 @@ module Aws::AccessAnalyzer
     ValidatePolicyFindingList = Shapes::ListShape.new(name: 'ValidatePolicyFindingList')
     ValidatePolicyFindingType = Shapes::StringShape.new(name: 'ValidatePolicyFindingType')
     ValidatePolicyRequest = Shapes::StructureShape.new(name: 'ValidatePolicyRequest')
+    ValidatePolicyResourceType = Shapes::StringShape.new(name: 'ValidatePolicyResourceType')
     ValidatePolicyResponse = Shapes::StructureShape.new(name: 'ValidatePolicyResponse')
     ValidationException = Shapes::StructureShape.new(name: 'ValidationException')
     ValidationExceptionField = Shapes::StructureShape.new(name: 'ValidationExceptionField')
@@ -798,6 +799,7 @@ module Aws::AccessAnalyzer
     ValidatePolicyRequest.add_member(:next_token, Shapes::ShapeRef.new(shape: Token, location: "querystring", location_name: "nextToken"))
     ValidatePolicyRequest.add_member(:policy_document, Shapes::ShapeRef.new(shape: PolicyDocument, required: true, location_name: "policyDocument"))
     ValidatePolicyRequest.add_member(:policy_type, Shapes::ShapeRef.new(shape: PolicyType, required: true, location_name: "policyType"))
+    ValidatePolicyRequest.add_member(:validate_policy_resource_type, Shapes::ShapeRef.new(shape: ValidatePolicyResourceType, location_name: "validatePolicyResourceType"))
     ValidatePolicyRequest.struct_class = Types::ValidatePolicyRequest
 
     ValidatePolicyResponse.add_member(:findings, Shapes::ShapeRef.new(shape: ValidatePolicyFindingList, required: true, location_name: "findings"))

data/lib/aws-sdk-accessanalyzer/types.rb

@@ -83,7 +83,7 @@ module Aws::AccessAnalyzer
     #
     # @!attribute [rw] change_type
     #   Provides context on how the access preview finding compares to
-    #   existing access identified in Access Analyzer.
+    #   existing access identified in IAM Access Analyzer.
     #
     #   * `New` - The finding is for newly-introduced access.
     #
@@ -113,8 +113,8 @@ module Aws::AccessAnalyzer
     #   @return [String]
     #
     # @!attribute [rw] existing_finding_id
-    #   The existing ID of the finding in Access Analyzer, provided only for
-    #   existing findings.
+    #   The existing ID of the finding in IAM Access Analyzer, provided only
+    #   for existing findings.
     #   @return [String]
     #
     # @!attribute [rw] existing_finding_status
@@ -144,8 +144,9 @@ module Aws::AccessAnalyzer
     #   @return [String]
     #
     # @!attribute [rw] resource_owner_account
-    #   The AWS account ID that owns the resource. For most AWS resources,
-    #   the owning account is the account in which the resource was created.
+    #   The Amazon Web Services account ID that owns the resource. For most
+    #   Amazon Web Services resources, the owning account is the account in
+    #   which the resource was created.
     #   @return [String]
     #
     # @!attribute [rw] resource_type
@@ -263,7 +264,8 @@ module Aws::AccessAnalyzer
     # @note AclGrantee is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of AclGrantee corresponding to the set member.
     #
     # @!attribute [rw] id
-    #   The value specified is the canonical user ID of an AWS account.
+    #   The value specified is the canonical user ID of an Amazon Web
+    #   Services account.
     #   @return [String]
     #
     # @!attribute [rw] uri
@@ -314,7 +316,7 @@ module Aws::AccessAnalyzer
     #   @return [String]
     #
     # @!attribute [rw] resource_owner_account
-    #   The AWS account ID that owns the resource.
+    #   The Amazon Web Services account ID that owns the resource.
     #   @return [String]
     #
     # @!attribute [rw] resource_type
@@ -360,7 +362,7 @@ module Aws::AccessAnalyzer
     #   @return [String]
     #
     # @!attribute [rw] resource_owner_account
-    #   The AWS account ID that owns the resource.
+    #   The Amazon Web Services account ID that owns the resource.
     #   @return [String]
     #
     # @!attribute [rw] resource_type
@@ -403,10 +405,10 @@ module Aws::AccessAnalyzer
     #   The status of the analyzer. An `Active` analyzer successfully
     #   monitors supported resources and generates new findings. The
     #   analyzer is `Disabled` when a user action, such as removing trusted
-    #   access for AWS IAM Access Analyzer from AWS Organizations, causes
-    #   the analyzer to stop generating new findings. The status is
-    #   `Creating` when the analyzer creation is in progress and `Failed`
-    #   when the analyzer creation has failed.
+    #   access for Identity and Access Management Access Analyzer from
+    #   Organizations, causes the analyzer to stop generating new findings.
+    #   The status is `Creating` when the analyzer creation is in progress
+    #   and `Failed` when the analyzer creation has failed.
     #   @return [String]
     #
     # @!attribute [rw] status_reason
@@ -414,8 +416,8 @@ module Aws::AccessAnalyzer
     #   the analyzer. For example, if the creation for the analyzer fails, a
     #   `Failed` status is returned. For an analyzer with organization as
     #   the type, this failure can be due to an issue with creating the
-    #   service-linked roles required in the member accounts of the AWS
-    #   organization.
+    #   service-linked roles required in the member accounts of the Amazon
+    #   Web Services organization.
     #   @return [Types::StatusReason]
     #
     # @!attribute [rw] tags
@@ -553,21 +555,21 @@ module Aws::AccessAnalyzer
     #       }
     #
     # @!attribute [rw] access_role
-    #   The ARN of the service role that Access Analyzer uses to access your
-    #   CloudTrail trail and service last accessed information.
+    #   The ARN of the service role that IAM Access Analyzer uses to access
+    #   your CloudTrail trail and service last accessed information.
     #   @return [String]
     #
     # @!attribute [rw] end_time
-    #   The end of the time range for which Access Analyzer reviews your
+    #   The end of the time range for which IAM Access Analyzer reviews your
     #   CloudTrail events. Events with a timestamp after this time are not
     #   considered to generate a policy. If this is not included in the
     #   request, the default value is the current time.
     #   @return [Time]
     #
     # @!attribute [rw] start_time
-    #   The start of the time range for which Access Analyzer reviews your
-    #   CloudTrail events. Events with a timestamp before this time are not
-    #   considered to generate a policy.
+    #   The start of the time range for which IAM Access Analyzer reviews
+    #   your CloudTrail events. Events with a timestamp before this time are
+    #   not considered to generate a policy.
     #   @return [Time]
     #
     # @!attribute [rw] trails
@@ -588,16 +590,16 @@ module Aws::AccessAnalyzer
     # Contains information about CloudTrail access.
     #
     # @!attribute [rw] end_time
-    #   The end of the time range for which Access Analyzer reviews your
+    #   The end of the time range for which IAM Access Analyzer reviews your
     #   CloudTrail events. Events with a timestamp after this time are not
     #   considered to generate a policy. If this is not included in the
     #   request, the default value is the current time.
     #   @return [Time]
     #
     # @!attribute [rw] start_time
-    #   The start of the time range for which Access Analyzer reviews your
-    #   CloudTrail events. Events with a timestamp before this time are not
-    #   considered to generate a policy.
+    #   The start of the time range for which IAM Access Analyzer reviews
+    #   your CloudTrail events. Events with a timestamp before this time are
+    #   not considered to generate a policy.
     #   @return [Time]
     #
     # @!attribute [rw] trail_properties
@@ -640,7 +642,7 @@ module Aws::AccessAnalyzer
     #   @return [Types::SecretsManagerSecretConfiguration]
     #
     # @!attribute [rw] sqs_queue
-    #   The access control configuration is for an SQS queue.
+    #   The access control configuration is for an Amazon SQS queue.
     #   @return [Types::SqsQueueConfiguration]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Configuration AWS API Documentation
@@ -1092,7 +1094,7 @@ module Aws::AccessAnalyzer
     #   @return [String]
     #
     # @!attribute [rw] resource_owner_account
-    #   The AWS account ID that owns the resource.
+    #   The Amazon Web Services account ID that owns the resource.
     #   @return [String]
     #
     # @!attribute [rw] resource_type
@@ -1160,7 +1162,9 @@ module Aws::AccessAnalyzer
     # granted. This is populated for Amazon S3 bucket findings.
     #
     # @!attribute [rw] access_point_arn
-    #   The ARN of the access point that generated the finding.
+    #   The ARN of the access point that generated the finding. The ARN
+    #   format depends on whether the ARN represents an access point or a
+    #   multi-region access point.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingSourceDetail AWS API Documentation
@@ -1215,7 +1219,7 @@ module Aws::AccessAnalyzer
     #   @return [String]
     #
     # @!attribute [rw] resource_owner_account
-    #   The AWS account ID that owns the resource.
+    #   The Amazon Web Services account ID that owns the resource.
     #   @return [String]
     #
     # @!attribute [rw] resource_type
@@ -1284,8 +1288,8 @@ module Aws::AccessAnalyzer
     #
     # @!attribute [rw] is_complete
     #   This value is set to `true` if the generated policy contains all
-    #   possible actions for a service that Access Analyzer identified from
-    #   the CloudTrail trail that you specified, and `false` otherwise.
+    #   possible actions for a service that IAM Access Analyzer identified
+    #   from the CloudTrail trail that you specified, and `false` otherwise.
     #   @return [Boolean]
     #
     # @!attribute [rw] principal_arn
@@ -1403,8 +1407,8 @@ module Aws::AccessAnalyzer
     # The response to the request.
     #
     # @!attribute [rw] resource
-    #   An `AnalyzedResource` object that contains information that Access
-    #   Analyzer found when it analyzed the resource.
+    #   An `AnalyzedResource` object that contains information that IAM
+    #   Access Analyzer found when it analyzed the resource.
     #   @return [Types::AnalyzedResource]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAnalyzedResourceResponse AWS API Documentation
@@ -1560,8 +1564,9 @@ module Aws::AccessAnalyzer
     #   The level of detail that you want to generate. You can specify
     #   whether to generate service-level policies.
     #
-    #   Access Analyzer uses `iam:servicelastaccessed` to identify services
-    #   that have been used recently to create this service-level template.
+    #   IAM Access Analyzer uses `iam:servicelastaccessed` to identify
+    #   services that have been used recently to create this service-level
+    #   template.
     #   @return [Boolean]
     #
     # @!attribute [rw] job_id
@@ -1686,8 +1691,8 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
-    # This configuration sets the Amazon S3 access point network origin to
-    # `Internet`.
+    # This configuration sets the network origin for the Amazon S3 access
+    # point or multi-region access point to `Internet`.
     #
     # @api private
     #
@@ -1702,7 +1707,7 @@ module Aws::AccessAnalyzer
     #   @return [Time]
     #
     # @!attribute [rw] job_error
-    #   Contains the details about the policy generation error.
+    #   The job error for the policy generation request.
     #   @return [Types::JobError]
     #
     # @!attribute [rw] job_id
@@ -1794,9 +1799,9 @@ module Aws::AccessAnalyzer
     #   @return [String]
     #
     # @!attribute [rw] issuing_account
-    #   The AWS account under which the grant was issued. The account is
-    #   used to propose KMS grants issued by accounts other than the owner
-    #   of the key.
+    #   The Amazon Web Services account under which the grant was issued.
+    #   The account is used to propose KMS grants issued by accounts other
+    #   than the owner of the key.
     #   @return [String]
     #
     # @!attribute [rw] operations
@@ -2427,7 +2432,8 @@ module Aws::AccessAnalyzer
     end
 
     # The proposed `InternetConfiguration` or `VpcConfiguration` to apply to
-    # the Amazon S3 Access point. You can make the access point accessible
+    # the Amazon S3 access point. `VpcConfiguration` does not apply to
+    # multi-region access points. You can make the access point accessible
     # from the internet, or you can specify that all requests made through
     # that access point must originate from a specific virtual private cloud
     # (VPC). You can specify only one type of network configuration. For
@@ -2442,13 +2448,14 @@ module Aws::AccessAnalyzer
     # @note NetworkOriginConfiguration is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of NetworkOriginConfiguration corresponding to the set member.
     #
     # @!attribute [rw] internet_configuration
-    #   The configuration for the Amazon S3 access point with an `Internet`
-    #   origin.
+    #   The configuration for the Amazon S3 access point or multi-region
+    #   access point with an `Internet` origin.
     #   @return [Types::InternetConfiguration]
     #
     # @!attribute [rw] vpc_configuration
     #   The proposed virtual private cloud (VPC) configuration for the
-    #   Amazon S3 access point. For more information, see
+    #   Amazon S3 access point. VPC configuration does not apply to
+    #   multi-region access points. For more information, see
     #   [VpcConfiguration][1].
     #
     #
@@ -2620,9 +2627,10 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
-    # The configuration for an Amazon S3 access point for the bucket. You
-    # can propose up to 10 access points per bucket. If the proposed Amazon
-    # S3 access point configuration is for an existing bucket, the access
+    # The configuration for an Amazon S3 access point or multi-region access
+    # point for the bucket. You can propose up to 10 access points or
+    # multi-region access points per bucket. If the proposed Amazon S3
+    # access point configuration is for an existing bucket, the access
     # preview uses the proposed access point configuration in place of the
     # existing access points. To propose an access point without a policy,
     # you can provide an empty string as the access point policy. For more
@@ -2654,21 +2662,22 @@ module Aws::AccessAnalyzer
     #       }
     #
     # @!attribute [rw] access_point_policy
-    #   The access point policy.
+    #   The access point or multi-region access point policy.
     #   @return [String]
     #
     # @!attribute [rw] network_origin
     #   The proposed `Internet` and `VpcConfiguration` to apply to this
-    #   Amazon S3 access point. If the access preview is for a new resource
-    #   and neither is specified, the access preview uses `Internet` for the
-    #   network origin. If the access preview is for an existing resource
-    #   and neither is specified, the access preview uses the exiting
-    #   network origin.
+    #   Amazon S3 access point. `VpcConfiguration` does not apply to
+    #   multi-region access points. If the access preview is for a new
+    #   resource and neither is specified, the access preview uses
+    #   `Internet` for the network origin. If the access preview is for an
+    #   existing resource and neither is specified, the access preview uses
+    #   the exiting network origin.
     #   @return [Types::NetworkOriginConfiguration]
     #
     # @!attribute [rw] public_access_block
     #   The proposed `S3PublicAccessBlock` configuration to apply to this
-    #   Amazon S3 Access Point.
+    #   Amazon S3 access point or multi-region access point.
     #   @return [Types::S3PublicAccessBlockConfiguration]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3AccessPointConfiguration AWS API Documentation
@@ -2719,15 +2728,16 @@ module Aws::AccessAnalyzer
     # Proposed access control configuration for an Amazon S3 bucket. You can
     # propose a configuration for a new Amazon S3 bucket or an existing
     # Amazon S3 bucket that you own by specifying the Amazon S3 bucket
-    # policy, bucket ACLs, bucket BPA settings, and Amazon S3 access points
-    # attached to the bucket. If the configuration is for an existing Amazon
-    # S3 bucket and you do not specify the Amazon S3 bucket policy, the
-    # access preview uses the existing policy attached to the bucket. If the
-    # access preview is for a new resource and you do not specify the Amazon
-    # S3 bucket policy, the access preview assumes a bucket without a
-    # policy. To propose deletion of an existing bucket policy, you can
-    # specify an empty string. For more information about bucket policy
-    # limits, see [Bucket Policy Examples][1].
+    # policy, bucket ACLs, bucket BPA settings, Amazon S3 access points, and
+    # multi-region access points attached to the bucket. If the
+    # configuration is for an existing Amazon S3 bucket and you do not
+    # specify the Amazon S3 bucket policy, the access preview uses the
+    # existing policy attached to the bucket. If the access preview is for a
+    # new resource and you do not specify the Amazon S3 bucket policy, the
+    # access preview assumes a bucket without a policy. To propose deletion
+    # of an existing bucket policy, you can specify an empty string. For
+    # more information about bucket policy limits, see [Bucket Policy
+    # Examples][1].
     #
     #
     #
@@ -2770,7 +2780,9 @@ module Aws::AccessAnalyzer
     #       }
     #
     # @!attribute [rw] access_points
-    #   The configuration of Amazon S3 access points for the bucket.
+    #   The configuration of Amazon S3 access points or multi-region access
+    #   points for the bucket. You can propose up to 10 new access points
+    #   per bucket.
     #   @return [Hash<String,Types::S3AccessPointConfiguration>]
     #
     # @!attribute [rw] bucket_acl_grants
@@ -2807,10 +2819,10 @@ module Aws::AccessAnalyzer
     # bucket and the configuration is not specified, the access preview uses
     # the existing setting. If the proposed configuration is for a new
     # bucket and the configuration is not specified, the access preview uses
-    # `false`. If the proposed configuration is for a new access point and
-    # the access point BPA configuration is not specified, the access
-    # preview uses `true`. For more information, see
-    # [PublicAccessBlockConfiguration][1].
+    # `false`. If the proposed configuration is for a new access point or
+    # multi-region access point and the access point BPA configuration is
+    # not specified, the access preview uses `true`. For more information,
+    # see [PublicAccessBlockConfiguration][1].
     #
     #
     #
@@ -2855,10 +2867,11 @@ module Aws::AccessAnalyzer
     # without a policy. To propose deletion of an existing policy, you can
     # specify an empty string. If the proposed configuration is for a new
     # secret and you do not specify the KMS key ID, the access preview uses
-    # the default CMK of the AWS account. If you specify an empty string for
-    # the KMS key ID, the access preview uses the default CMK of the AWS
+    # the Amazon Web Services managed key `aws/secretsmanager`. If you
+    # specify an empty string for the KMS key ID, the access preview uses
+    # the Amazon Web Services managed key of the Amazon Web Services
     # account. For more information about secret policy limits, see [Quotas
-    # for AWS Secrets Manager.][2].
+    # for Secrets Manager.][2].
     #
     #
     #
@@ -2874,8 +2887,7 @@ module Aws::AccessAnalyzer
     #       }
     #
     # @!attribute [rw] kms_key_id
-    #   The proposed ARN, key ID, or alias of the AWS KMS customer master
-    #   key (CMK).
+    #   The proposed ARN, key ID, or alias of the KMS key.
     #   @return [String]
     #
     # @!attribute [rw] secret_policy
@@ -2962,15 +2974,16 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
-    # The proposed access control configuration for an SQS queue. You can
-    # propose a configuration for a new SQS queue or an existing SQS queue
-    # that you own by specifying the SQS policy. If the configuration is for
-    # an existing SQS queue and you do not specify the SQS policy, the
-    # access preview uses the existing SQS policy for the queue. If the
-    # access preview is for a new resource and you do not specify the
-    # policy, the access preview assumes an SQS queue without a policy. To
-    # propose deletion of an existing SQS queue policy, you can specify an
-    # empty string for the SQS policy. For more information about SQS policy
+    # The proposed access control configuration for an Amazon SQS queue. You
+    # can propose a configuration for a new Amazon SQS queue or an existing
+    # Amazon SQS queue that you own by specifying the Amazon SQS policy. If
+    # the configuration is for an existing Amazon SQS queue and you do not
+    # specify the Amazon SQS policy, the access preview uses the existing
+    # Amazon SQS policy for the queue. If the access preview is for a new
+    # resource and you do not specify the policy, the access preview assumes
+    # an Amazon SQS queue without a policy. To propose deletion of an
+    # existing Amazon SQS queue policy, you can specify an empty string for
+    # the Amazon SQS policy. For more information about Amazon SQS policy
     # limits, see [Quotas related to policies][1].
     #
     #
@@ -2985,7 +2998,7 @@ module Aws::AccessAnalyzer
     #       }
     #
     # @!attribute [rw] queue_policy
-    #   The proposed resource policy for the SQS queue.
+    #   The proposed resource policy for the Amazon SQS queue.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SqsQueueConfiguration AWS API Documentation
@@ -3027,7 +3040,7 @@ module Aws::AccessAnalyzer
     #   and they have no additional effect.
     #
     #   If you do not specify a client token, one is automatically generated
-    #   by the AWS SDK.
+    #   by the Amazon Web Services SDK.
     #
     #   **A suitable default value is auto-generated.** You should normally
     #   not need to pass this option.
@@ -3104,7 +3117,7 @@ module Aws::AccessAnalyzer
     # example, if the creation for the analyzer fails, a `Failed` status is
     # returned. For an analyzer with organization as the type, this failure
     # can be due to an issue with creating the service-linked roles required
-    # in the member accounts of the AWS organization.
+    # in the member accounts of the Amazon Web Services organization.
     #
     # @!attribute [rw] code
     #   The reason code for the current status of the analyzer.
@@ -3203,7 +3216,7 @@ module Aws::AccessAnalyzer
     #       }
     #
     # @!attribute [rw] all_regions
-    #   Possible values are `true` or `false`. If set to `true`, Access
+    #   Possible values are `true` or `false`. If set to `true`, IAM Access
     #   Analyzer retrieves CloudTrail data from all regions to analyze and
     #   generate a policy.
     #   @return [Boolean]
@@ -3232,7 +3245,7 @@ module Aws::AccessAnalyzer
     # a policy.
     #
     # @!attribute [rw] all_regions
-    #   Possible values are `true` or `false`. If set to `true`, Access
+    #   Possible values are `true` or `false`. If set to `true`, IAM Access
     #   Analyzer retrieves CloudTrail data from all regions to analyze and
     #   generate a policy.
     #   @return [Boolean]
@@ -3454,6 +3467,7 @@ module Aws::AccessAnalyzer
     #         next_token: "Token",
     #         policy_document: "PolicyDocument", # required
     #         policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY
+    #         validate_policy_resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::S3::AccessPoint, AWS::S3::MultiRegionAccessPoint, AWS::S3ObjectLambda::AccessPoint
     #       }
     #
     # @!attribute [rw] locale
@@ -3476,14 +3490,29 @@ module Aws::AccessAnalyzer
     #   The type of policy to validate. Identity policies grant permissions
     #   to IAM principals. Identity policies include managed and inline
     #   policies for IAM roles, users, and groups. They also include
-    #   service-control policies (SCPs) that are attached to an AWS
-    #   organization, organizational unit (OU), or an account.
+    #   service-control policies (SCPs) that are attached to an Amazon Web
+    #   Services organization, organizational unit (OU), or an account.
     #
-    #   Resource policies grant permissions on AWS resources. Resource
-    #   policies include trust policies for IAM roles and bucket policies
-    #   for S3 buckets. You can provide a generic input such as identity
-    #   policy or resource policy or a specific input such as managed policy
-    #   or S3 bucket policy.
+    #   Resource policies grant permissions on Amazon Web Services
+    #   resources. Resource policies include trust policies for IAM roles
+    #   and bucket policies for Amazon S3 buckets. You can provide a generic
+    #   input such as identity policy or resource policy or a specific input
+    #   such as managed policy or Amazon S3 bucket policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] validate_policy_resource_type
+    #   The type of resource to attach to your resource policy. Specify a
+    #   value for the policy validation resource type only if the policy
+    #   type is `RESOURCE_POLICY`. For example, to validate a resource
+    #   policy to attach to an Amazon S3 bucket, you can choose
+    #   `AWS::S3::Bucket` for the policy validation resource type.
+    #
+    #   For resource types not supported as valid values, IAM Access
+    #   Analyzer runs policy checks that apply to all resource policies. For
+    #   example, to validate a resource policy to attach to a KMS key, do
+    #   not specify a value for the policy validation resource type and IAM
+    #   Access Analyzer will run policy checks that apply to all resource
+    #   policies.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyRequest AWS API Documentation
@@ -3493,14 +3522,15 @@ module Aws::AccessAnalyzer
       :max_results,
       :next_token,
       :policy_document,
-      :policy_type)
+      :policy_type,
+      :validate_policy_resource_type)
       SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] findings
-    #   The list of findings in a policy returned by Access Analyzer based
-    #   on its suite of policy checks.
+    #   The list of findings in a policy returned by IAM Access Analyzer
+    #   based on its suite of policy checks.
     #   @return [Array<Types::ValidatePolicyFinding>]
     #
     # @!attribute [rw] next_token
@@ -3559,7 +3589,8 @@ module Aws::AccessAnalyzer
     end
 
     # The proposed virtual private cloud (VPC) configuration for the Amazon
-    # S3 access point. For more information, see [VpcConfiguration][1].
+    # S3 access point. VPC configuration does not apply to multi-region
+    # access points. For more information, see [VpcConfiguration][1].
     #
     #
     #

data/lib/aws-sdk-accessanalyzer.rb

@@ -48,6 +48,6 @@ require_relative 'aws-sdk-accessanalyzer/customizations'
 # @!group service
 module Aws::AccessAnalyzer
 
-  GEM_VERSION = '1.22.0'
+  GEM_VERSION = '1.26.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-accessanalyzer
 version: !ruby/object:Gem::Version
-  version: 1.22.0
+  version: 1.26.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-09-01 00:00:00.000000000 Z
+date: 2021-11-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -19,7 +19,7 @@ dependencies:
         version: '3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.120.0
+        version: 3.122.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: '3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.120.0
+        version: 3.122.0
 - !ruby/object:Gem::Dependency
   name: aws-sigv4
   requirement: !ruby/object:Gem::Requirement