aws-sdk-accessanalyzer 1.29.0 → 1.31.0

data/lib/aws-sdk-accessanalyzer/types.rb

@@ -25,6 +25,10 @@ module Aws::AccessAnalyzer
 
     # Contains information about an access preview.
     #
+    # @!attribute [rw] id
+    #   The unique ID for the access preview.
+    #   @return [String]
+    #
     # @!attribute [rw] analyzer_arn
     #   The ARN of the analyzer used to generate the access preview.
     #   @return [String]
@@ -37,10 +41,6 @@ module Aws::AccessAnalyzer
     #   The time at which the access preview was created.
     #   @return [Time]
     #
-    # @!attribute [rw] id
-    #   The unique ID for the access preview.
-    #   @return [String]
-    #
     # @!attribute [rw] status
     #   The status of the access preview.
     #
@@ -64,10 +64,10 @@ module Aws::AccessAnalyzer
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreview AWS API Documentation
     #
     class AccessPreview < Struct.new(
+      :id,
       :analyzer_arn,
       :configurations,
       :created_at,
-      :id,
       :status,
       :status_reason)
       SENSITIVE = []
@@ -76,11 +76,55 @@ module Aws::AccessAnalyzer
 
     # An access preview finding generated by the access preview.
     #
+    # @!attribute [rw] id
+    #   The ID of the access preview finding. This ID uniquely identifies
+    #   the element in the list of access preview findings and is not
+    #   related to the finding ID in Access Analyzer.
+    #   @return [String]
+    #
+    # @!attribute [rw] existing_finding_id
+    #   The existing ID of the finding in IAM Access Analyzer, provided only
+    #   for existing findings.
+    #   @return [String]
+    #
+    # @!attribute [rw] existing_finding_status
+    #   The existing status of the finding, provided only for existing
+    #   findings.
+    #   @return [String]
+    #
+    # @!attribute [rw] principal
+    #   The external principal that has access to a resource within the zone
+    #   of trust.
+    #   @return [Hash<String,String>]
+    #
     # @!attribute [rw] action
     #   The action in the analyzed policy statement that an external
     #   principal has permission to perform.
     #   @return [Array<String>]
     #
+    # @!attribute [rw] condition
+    #   The condition in the analyzed policy statement that resulted in a
+    #   finding.
+    #   @return [Hash<String,String>]
+    #
+    # @!attribute [rw] resource
+    #   The resource that an external principal has access to. This is the
+    #   resource associated with the access preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] is_public
+    #   Indicates whether the policy that generated the finding allows
+    #   public access to the resource.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] resource_type
+    #   The type of the resource that can be accessed in the finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] created_at
+    #   The time at which the access preview finding was created.
+    #   @return [Time]
+    #
     # @!attribute [rw] change_type
     #   Provides context on how the access preview finding compares to
     #   existing access identified in IAM Access Analyzer.
@@ -99,48 +143,12 @@ module Aws::AccessAnalyzer
     #   change.
     #   @return [String]
     #
-    # @!attribute [rw] condition
-    #   The condition in the analyzed policy statement that resulted in a
-    #   finding.
-    #   @return [Hash<String,String>]
-    #
-    # @!attribute [rw] created_at
-    #   The time at which the access preview finding was created.
-    #   @return [Time]
-    #
-    # @!attribute [rw] error
-    #   An error.
-    #   @return [String]
-    #
-    # @!attribute [rw] existing_finding_id
-    #   The existing ID of the finding in IAM Access Analyzer, provided only
-    #   for existing findings.
-    #   @return [String]
-    #
-    # @!attribute [rw] existing_finding_status
-    #   The existing status of the finding, provided only for existing
-    #   findings.
-    #   @return [String]
-    #
-    # @!attribute [rw] id
-    #   The ID of the access preview finding. This ID uniquely identifies
-    #   the element in the list of access preview findings and is not
-    #   related to the finding ID in Access Analyzer.
-    #   @return [String]
-    #
-    # @!attribute [rw] is_public
-    #   Indicates whether the policy that generated the finding allows
-    #   public access to the resource.
-    #   @return [Boolean]
-    #
-    # @!attribute [rw] principal
-    #   The external principal that has access to a resource within the zone
-    #   of trust.
-    #   @return [Hash<String,String>]
-    #
-    # @!attribute [rw] resource
-    #   The resource that an external principal has access to. This is the
-    #   resource associated with the access preview.
+    # @!attribute [rw] status
+    #   The preview status of the finding. This is what the status of the
+    #   finding would be after permissions deployment. For example, a
+    #   `Changed` finding with preview status `Resolved` and existing status
+    #   `Active` indicates the existing `Active` finding would become
+    #   `Resolved` as a result of the proposed permissions change.
     #   @return [String]
     #
     # @!attribute [rw] resource_owner_account
@@ -149,8 +157,8 @@ module Aws::AccessAnalyzer
     #   which the resource was created.
     #   @return [String]
     #
-    # @!attribute [rw] resource_type
-    #   The type of the resource that can be accessed in the finding.
+    # @!attribute [rw] error
+    #   An error.
     #   @return [String]
     #
     # @!attribute [rw] sources
@@ -159,32 +167,24 @@ module Aws::AccessAnalyzer
     #   bucket findings.
     #   @return [Array<Types::FindingSource>]
     #
-    # @!attribute [rw] status
-    #   The preview status of the finding. This is what the status of the
-    #   finding would be after permissions deployment. For example, a
-    #   `Changed` finding with preview status `Resolved` and existing status
-    #   `Active` indicates the existing `Active` finding would become
-    #   `Resolved` as a result of the proposed permissions change.
-    #   @return [String]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewFinding AWS API Documentation
     #
     class AccessPreviewFinding < Struct.new(
-      :action,
-      :change_type,
-      :condition,
-      :created_at,
-      :error,
+      :id,
       :existing_finding_id,
       :existing_finding_status,
-      :id,
-      :is_public,
       :principal,
+      :action,
+      :condition,
       :resource,
-      :resource_owner_account,
+      :is_public,
       :resource_type,
-      :sources,
-      :status)
+      :created_at,
+      :change_type,
+      :status,
+      :resource_owner_account,
+      :error,
+      :sources)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -208,6 +208,10 @@ module Aws::AccessAnalyzer
 
     # Contains a summary of information about an access preview.
     #
+    # @!attribute [rw] id
+    #   The unique ID for the access preview.
+    #   @return [String]
+    #
     # @!attribute [rw] analyzer_arn
     #   The ARN of the analyzer used to generate the access preview.
     #   @return [String]
@@ -216,10 +220,6 @@ module Aws::AccessAnalyzer
     #   The time at which the access preview was created.
     #   @return [Time]
     #
-    # @!attribute [rw] id
-    #   The unique ID for the access preview.
-    #   @return [String]
-    #
     # @!attribute [rw] status
     #   The status of the access preview.
     #
@@ -242,9 +242,9 @@ module Aws::AccessAnalyzer
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewSummary AWS API Documentation
     #
     class AccessPreviewSummary < Struct.new(
+      :id,
       :analyzer_arn,
       :created_at,
-      :id,
       :status,
       :status_reason)
       SENSITIVE = []
@@ -289,39 +289,35 @@ module Aws::AccessAnalyzer
 
     # Contains details about the analyzed resource.
     #
-    # @!attribute [rw] actions
-    #   The actions that an external principal is granted permission to use
-    #   by the policy that generated the finding.
-    #   @return [Array<String>]
+    # @!attribute [rw] resource_arn
+    #   The ARN of the resource that was analyzed.
+    #   @return [String]
     #
-    # @!attribute [rw] analyzed_at
-    #   The time at which the resource was analyzed.
-    #   @return [Time]
+    # @!attribute [rw] resource_type
+    #   The type of the resource that was analyzed.
+    #   @return [String]
     #
     # @!attribute [rw] created_at
     #   The time at which the finding was created.
     #   @return [Time]
     #
-    # @!attribute [rw] error
-    #   An error message.
-    #   @return [String]
+    # @!attribute [rw] analyzed_at
+    #   The time at which the resource was analyzed.
+    #   @return [Time]
+    #
+    # @!attribute [rw] updated_at
+    #   The time at which the finding was updated.
+    #   @return [Time]
     #
     # @!attribute [rw] is_public
     #   Indicates whether the policy that generated the finding grants
     #   public access to the resource.
     #   @return [Boolean]
     #
-    # @!attribute [rw] resource_arn
-    #   The ARN of the resource that was analyzed.
-    #   @return [String]
-    #
-    # @!attribute [rw] resource_owner_account
-    #   The Amazon Web Services account ID that owns the resource.
-    #   @return [String]
-    #
-    # @!attribute [rw] resource_type
-    #   The type of the resource that was analyzed.
-    #   @return [String]
+    # @!attribute [rw] actions
+    #   The actions that an external principal is granted permission to use
+    #   by the policy that generated the finding.
+    #   @return [Array<String>]
     #
     # @!attribute [rw] shared_via
     #   Indicates how the access that generated the finding is granted. This
@@ -333,24 +329,28 @@ module Aws::AccessAnalyzer
     #   resource.
     #   @return [String]
     #
-    # @!attribute [rw] updated_at
-    #   The time at which the finding was updated.
-    #   @return [Time]
+    # @!attribute [rw] resource_owner_account
+    #   The Amazon Web Services account ID that owns the resource.
+    #   @return [String]
+    #
+    # @!attribute [rw] error
+    #   An error message.
+    #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AnalyzedResource AWS API Documentation
     #
     class AnalyzedResource < Struct.new(
-      :actions,
-      :analyzed_at,
-      :created_at,
-      :error,
-      :is_public,
       :resource_arn,
-      :resource_owner_account,
       :resource_type,
+      :created_at,
+      :analyzed_at,
+      :updated_at,
+      :is_public,
+      :actions,
       :shared_via,
       :status,
-      :updated_at)
+      :resource_owner_account,
+      :error)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -385,6 +385,15 @@ module Aws::AccessAnalyzer
     #   The ARN of the analyzer.
     #   @return [String]
     #
+    # @!attribute [rw] name
+    #   The name of the analyzer.
+    #   @return [String]
+    #
+    # @!attribute [rw] type
+    #   The type of analyzer, which corresponds to the zone of trust chosen
+    #   for the analyzer.
+    #   @return [String]
+    #
     # @!attribute [rw] created_at
     #   A timestamp for the time at which the analyzer was created.
     #   @return [Time]
@@ -397,9 +406,9 @@ module Aws::AccessAnalyzer
     #   The time at which the most recently analyzed resource was analyzed.
     #   @return [Time]
     #
-    # @!attribute [rw] name
-    #   The name of the analyzer.
-    #   @return [String]
+    # @!attribute [rw] tags
+    #   The tags added to the analyzer.
+    #   @return [Hash<String,String>]
     #
     # @!attribute [rw] status
     #   The status of the analyzer. An `Active` analyzer successfully
@@ -420,27 +429,18 @@ module Aws::AccessAnalyzer
     #   Web Services organization.
     #   @return [Types::StatusReason]
     #
-    # @!attribute [rw] tags
-    #   The tags added to the analyzer.
-    #   @return [Hash<String,String>]
-    #
-    # @!attribute [rw] type
-    #   The type of analyzer, which corresponds to the zone of trust chosen
-    #   for the analyzer.
-    #   @return [String]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AnalyzerSummary AWS API Documentation
     #
     class AnalyzerSummary < Struct.new(
       :arn,
+      :name,
+      :type,
       :created_at,
       :last_resource_analyzed,
       :last_resource_analyzed_at,
-      :name,
-      :status,
-      :status_reason,
       :tags,
-      :type)
+      :status,
+      :status_reason)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -452,14 +452,18 @@ module Aws::AccessAnalyzer
     #
     #       {
     #         analyzer_arn: "AnalyzerArn", # required
-    #         client_token: "String",
     #         rule_name: "Name", # required
+    #         client_token: "String",
     #       }
     #
     # @!attribute [rw] analyzer_arn
     #   The Amazon resource name (ARN) of the analyzer.
     #   @return [String]
     #
+    # @!attribute [rw] rule_name
+    #   The name of the rule to apply.
+    #   @return [String]
+    #
     # @!attribute [rw] client_token
     #   A client token.
     #
@@ -467,33 +471,29 @@ module Aws::AccessAnalyzer
     #   not need to pass this option.
     #   @return [String]
     #
-    # @!attribute [rw] rule_name
-    #   The name of the rule to apply.
-    #   @return [String]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ApplyArchiveRuleRequest AWS API Documentation
     #
     class ApplyArchiveRuleRequest < Struct.new(
       :analyzer_arn,
-      :client_token,
-      :rule_name)
+      :rule_name,
+      :client_token)
       SENSITIVE = []
       include Aws::Structure
     end
 
     # Contains information about an archive rule.
     #
-    # @!attribute [rw] created_at
-    #   The time at which the archive rule was created.
-    #   @return [Time]
+    # @!attribute [rw] rule_name
+    #   The name of the archive rule.
+    #   @return [String]
     #
     # @!attribute [rw] filter
     #   A filter used to define the archive rule.
     #   @return [Hash<String,Types::Criterion>]
     #
-    # @!attribute [rw] rule_name
-    #   The name of the archive rule.
-    #   @return [String]
+    # @!attribute [rw] created_at
+    #   The time at which the archive rule was created.
+    #   @return [Time]
     #
     # @!attribute [rw] updated_at
     #   The time at which the archive rule was last updated.
@@ -502,9 +502,9 @@ module Aws::AccessAnalyzer
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ArchiveRuleSummary AWS API Documentation
     #
     class ArchiveRuleSummary < Struct.new(
-      :created_at,
-      :filter,
       :rule_name,
+      :filter,
+      :created_at,
       :updated_at)
       SENSITIVE = []
       include Aws::Structure
@@ -542,59 +542,57 @@ module Aws::AccessAnalyzer
     #   data as a hash:
     #
     #       {
-    #         access_role: "RoleArn", # required
-    #         end_time: Time.now,
-    #         start_time: Time.now, # required
     #         trails: [ # required
     #           {
-    #             all_regions: false,
     #             cloud_trail_arn: "CloudTrailArn", # required
     #             regions: ["String"],
+    #             all_regions: false,
     #           },
     #         ],
+    #         access_role: "RoleArn", # required
+    #         start_time: Time.now, # required
+    #         end_time: Time.now,
     #       }
     #
+    # @!attribute [rw] trails
+    #   A `Trail` object that contains settings for a trail.
+    #   @return [Array<Types::Trail>]
+    #
     # @!attribute [rw] access_role
     #   The ARN of the service role that IAM Access Analyzer uses to access
     #   your CloudTrail trail and service last accessed information.
     #   @return [String]
     #
-    # @!attribute [rw] end_time
-    #   The end of the time range for which IAM Access Analyzer reviews your
-    #   CloudTrail events. Events with a timestamp after this time are not
-    #   considered to generate a policy. If this is not included in the
-    #   request, the default value is the current time.
-    #   @return [Time]
-    #
     # @!attribute [rw] start_time
     #   The start of the time range for which IAM Access Analyzer reviews
     #   your CloudTrail events. Events with a timestamp before this time are
     #   not considered to generate a policy.
     #   @return [Time]
     #
-    # @!attribute [rw] trails
-    #   A `Trail` object that contains settings for a trail.
-    #   @return [Array<Types::Trail>]
+    # @!attribute [rw] end_time
+    #   The end of the time range for which IAM Access Analyzer reviews your
+    #   CloudTrail events. Events with a timestamp after this time are not
+    #   considered to generate a policy. If this is not included in the
+    #   request, the default value is the current time.
+    #   @return [Time]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CloudTrailDetails AWS API Documentation
     #
     class CloudTrailDetails < Struct.new(
+      :trails,
       :access_role,
-      :end_time,
       :start_time,
-      :trails)
+      :end_time)
       SENSITIVE = []
       include Aws::Structure
     end
 
     # Contains information about CloudTrail access.
     #
-    # @!attribute [rw] end_time
-    #   The end of the time range for which IAM Access Analyzer reviews your
-    #   CloudTrail events. Events with a timestamp after this time are not
-    #   considered to generate a policy. If this is not included in the
-    #   request, the default value is the current time.
-    #   @return [Time]
+    # @!attribute [rw] trail_properties
+    #   A `TrailProperties` object that contains settings for trail
+    #   properties.
+    #   @return [Array<Types::TrailProperties>]
     #
     # @!attribute [rw] start_time
     #   The start of the time range for which IAM Access Analyzer reviews
@@ -602,17 +600,19 @@ module Aws::AccessAnalyzer
     #   not considered to generate a policy.
     #   @return [Time]
     #
-    # @!attribute [rw] trail_properties
-    #   A `TrailProperties` object that contains settings for trail
-    #   properties.
-    #   @return [Array<Types::TrailProperties>]
+    # @!attribute [rw] end_time
+    #   The end of the time range for which IAM Access Analyzer reviews your
+    #   CloudTrail events. Events with a timestamp after this time are not
+    #   considered to generate a policy. If this is not included in the
+    #   request, the default value is the current time.
+    #   @return [Time]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CloudTrailProperties AWS API Documentation
     #
     class CloudTrailProperties < Struct.new(
-      :end_time,
+      :trail_properties,
       :start_time,
-      :trail_properties)
+      :end_time)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -625,22 +625,48 @@ module Aws::AccessAnalyzer
     #
     # @note Configuration is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of Configuration corresponding to the set member.
     #
+    # @!attribute [rw] ebs_snapshot
+    #   The access control configuration is for an Amazon EBS volume
+    #   snapshot.
+    #   @return [Types::EbsSnapshotConfiguration]
+    #
+    # @!attribute [rw] ecr_repository
+    #   The access control configuration is for an Amazon ECR repository.
+    #   @return [Types::EcrRepositoryConfiguration]
+    #
     # @!attribute [rw] iam_role
     #   The access control configuration is for an IAM role.
     #   @return [Types::IamRoleConfiguration]
     #
+    # @!attribute [rw] efs_file_system
+    #   The access control configuration is for an Amazon EFS file system.
+    #   @return [Types::EfsFileSystemConfiguration]
+    #
     # @!attribute [rw] kms_key
     #   The access control configuration is for a KMS key.
     #   @return [Types::KmsKeyConfiguration]
     #
-    # @!attribute [rw] s3_bucket
-    #   The access control configuration is for an Amazon S3 Bucket.
-    #   @return [Types::S3BucketConfiguration]
+    # @!attribute [rw] rds_db_cluster_snapshot
+    #   The access control configuration is for an Amazon RDS DB cluster
+    #   snapshot.
+    #   @return [Types::RdsDbClusterSnapshotConfiguration]
+    #
+    # @!attribute [rw] rds_db_snapshot
+    #   The access control configuration is for an Amazon RDS DB snapshot.
+    #   @return [Types::RdsDbSnapshotConfiguration]
     #
     # @!attribute [rw] secrets_manager_secret
     #   The access control configuration is for a Secrets Manager secret.
     #   @return [Types::SecretsManagerSecretConfiguration]
     #
+    # @!attribute [rw] s3_bucket
+    #   The access control configuration is for an Amazon S3 Bucket.
+    #   @return [Types::S3BucketConfiguration]
+    #
+    # @!attribute [rw] sns_topic
+    #   The access control configuration is for an Amazon SNS topic
+    #   @return [Types::SnsTopicConfiguration]
+    #
     # @!attribute [rw] sqs_queue
     #   The access control configuration is for an Amazon SQS queue.
     #   @return [Types::SqsQueueConfiguration]
@@ -648,20 +674,32 @@ module Aws::AccessAnalyzer
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Configuration AWS API Documentation
     #
     class Configuration < Struct.new(
+      :ebs_snapshot,
+      :ecr_repository,
       :iam_role,
+      :efs_file_system,
       :kms_key,
-      :s3_bucket,
+      :rds_db_cluster_snapshot,
+      :rds_db_snapshot,
       :secrets_manager_secret,
+      :s3_bucket,
+      :sns_topic,
       :sqs_queue,
       :unknown)
       SENSITIVE = []
       include Aws::Structure
       include Aws::Structure::Union
 
+      class EbsSnapshot < Configuration; end
+      class EcrRepository < Configuration; end
       class IamRole < Configuration; end
+      class EfsFileSystem < Configuration; end
       class KmsKey < Configuration; end
-      class S3Bucket < Configuration; end
+      class RdsDbClusterSnapshot < Configuration; end
+      class RdsDbSnapshot < Configuration; end
       class SecretsManagerSecret < Configuration; end
+      class S3Bucket < Configuration; end
+      class SnsTopic < Configuration; end
       class SqsQueue < Configuration; end
       class Unknown < Configuration; end
     end
@@ -694,15 +732,31 @@ module Aws::AccessAnalyzer
     #
     #       {
     #         analyzer_arn: "AnalyzerArn", # required
-    #         client_token: "String",
     #         configurations: { # required
     #           "ConfigurationsMapKey" => {
+    #             ebs_snapshot: {
+    #               user_ids: ["EbsUserId"],
+    #               groups: ["EbsGroup"],
+    #               kms_key_id: "EbsSnapshotDataEncryptionKeyId",
+    #             },
+    #             ecr_repository: {
+    #               repository_policy: "EcrRepositoryPolicy",
+    #             },
     #             iam_role: {
     #               trust_policy: "IamTrustPolicy",
     #             },
+    #             efs_file_system: {
+    #               file_system_policy: "EfsFileSystemPolicy",
+    #             },
     #             kms_key: {
+    #               key_policies: {
+    #                 "PolicyName" => "KmsKeyPolicy",
+    #               },
     #               grants: [
     #                 {
+    #                   operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
+    #                   grantee_principal: "GranteePrincipal", # required
+    #                   retiring_principal: "RetiringPrincipal",
     #                   constraints: {
     #                     encryption_context_equals: {
     #                       "KmsConstraintsKey" => "KmsConstraintsValue",
@@ -711,57 +765,71 @@ module Aws::AccessAnalyzer
     #                       "KmsConstraintsKey" => "KmsConstraintsValue",
     #                     },
     #                   },
-    #                   grantee_principal: "GranteePrincipal", # required
     #                   issuing_account: "IssuingAccount", # required
-    #                   operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
-    #                   retiring_principal: "RetiringPrincipal",
     #                 },
     #               ],
-    #               key_policies: {
-    #                 "PolicyName" => "KmsKeyPolicy",
+    #             },
+    #             rds_db_cluster_snapshot: {
+    #               attributes: {
+    #                 "RdsDbClusterSnapshotAttributeName" => {
+    #                   account_ids: ["RdsDbClusterSnapshotAccountId"],
+    #                 },
     #               },
+    #               kms_key_id: "RdsDbClusterSnapshotKmsKeyId",
     #             },
-    #             s3_bucket: {
-    #               access_points: {
-    #                 "AccessPointArn" => {
-    #                   access_point_policy: "AccessPointPolicy",
-    #                   network_origin: {
-    #                     internet_configuration: {
-    #                     },
-    #                     vpc_configuration: {
-    #                       vpc_id: "VpcId", # required
-    #                     },
-    #                   },
-    #                   public_access_block: {
-    #                     ignore_public_acls: false, # required
-    #                     restrict_public_buckets: false, # required
-    #                   },
+    #             rds_db_snapshot: {
+    #               attributes: {
+    #                 "RdsDbSnapshotAttributeName" => {
+    #                   account_ids: ["RdsDbSnapshotAccountId"],
     #                 },
     #               },
+    #               kms_key_id: "RdsDbSnapshotKmsKeyId",
+    #             },
+    #             secrets_manager_secret: {
+    #               kms_key_id: "SecretsManagerSecretKmsId",
+    #               secret_policy: "SecretsManagerSecretPolicy",
+    #             },
+    #             s3_bucket: {
+    #               bucket_policy: "S3BucketPolicy",
     #               bucket_acl_grants: [
     #                 {
+    #                   permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
     #                   grantee: { # required
     #                     id: "AclCanonicalId",
     #                     uri: "AclUri",
     #                   },
-    #                   permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
     #                 },
     #               ],
-    #               bucket_policy: "S3BucketPolicy",
     #               bucket_public_access_block: {
     #                 ignore_public_acls: false, # required
     #                 restrict_public_buckets: false, # required
     #               },
+    #               access_points: {
+    #                 "AccessPointArn" => {
+    #                   access_point_policy: "AccessPointPolicy",
+    #                   public_access_block: {
+    #                     ignore_public_acls: false, # required
+    #                     restrict_public_buckets: false, # required
+    #                   },
+    #                   network_origin: {
+    #                     vpc_configuration: {
+    #                       vpc_id: "VpcId", # required
+    #                     },
+    #                     internet_configuration: {
+    #                     },
+    #                   },
+    #                 },
+    #               },
     #             },
-    #             secrets_manager_secret: {
-    #               kms_key_id: "SecretsManagerSecretKmsId",
-    #               secret_policy: "SecretsManagerSecretPolicy",
+    #             sns_topic: {
+    #               topic_policy: "SnsTopicPolicy",
     #             },
     #             sqs_queue: {
     #               queue_policy: "SqsQueuePolicy",
     #             },
     #           },
     #         },
+    #         client_token: "String",
     #       }
     #
     # @!attribute [rw] analyzer_arn
@@ -774,13 +842,6 @@ module Aws::AccessAnalyzer
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
-    # @!attribute [rw] client_token
-    #   A client token.
-    #
-    #   **A suitable default value is auto-generated.** You should normally
-    #   not need to pass this option.
-    #   @return [String]
-    #
     # @!attribute [rw] configurations
     #   Access control configuration for your resource that is used to
     #   generate the access preview. The access preview includes findings
@@ -789,12 +850,19 @@ module Aws::AccessAnalyzer
     #   element.
     #   @return [Hash<String,Types::Configuration>]
     #
+    # @!attribute [rw] client_token
+    #   A client token.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewRequest AWS API Documentation
     #
     class CreateAccessPreviewRequest < Struct.new(
       :analyzer_arn,
-      :client_token,
-      :configurations)
+      :configurations,
+      :client_token)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -818,36 +886,47 @@ module Aws::AccessAnalyzer
     #
     #       {
     #         analyzer_name: "Name", # required
+    #         type: "ACCOUNT", # required, accepts ACCOUNT, ORGANIZATION
     #         archive_rules: [
     #           {
+    #             rule_name: "Name", # required
     #             filter: { # required
     #               "String" => {
-    #                 contains: ["String"],
     #                 eq: ["String"],
-    #                 exists: false,
     #                 neq: ["String"],
+    #                 contains: ["String"],
+    #                 exists: false,
     #               },
     #             },
-    #             rule_name: "Name", # required
     #           },
     #         ],
-    #         client_token: "String",
     #         tags: {
     #           "String" => "String",
     #         },
-    #         type: "ACCOUNT", # required, accepts ACCOUNT, ORGANIZATION
+    #         client_token: "String",
     #       }
     #
     # @!attribute [rw] analyzer_name
     #   The name of the analyzer to create.
     #   @return [String]
     #
+    # @!attribute [rw] type
+    #   The type of analyzer to create. Only ACCOUNT and ORGANIZATION
+    #   analyzers are supported. You can create only one analyzer per
+    #   account per Region. You can create up to 5 analyzers per
+    #   organization per Region.
+    #   @return [String]
+    #
     # @!attribute [rw] archive_rules
     #   Specifies the archive rules to add for the analyzer. Archive rules
     #   automatically archive findings that meet the criteria you define for
     #   the rule.
     #   @return [Array<Types::InlineArchiveRule>]
     #
+    # @!attribute [rw] tags
+    #   The tags to apply to the analyzer.
+    #   @return [Hash<String,String>]
+    #
     # @!attribute [rw] client_token
     #   A client token.
     #
@@ -855,25 +934,14 @@ module Aws::AccessAnalyzer
     #   not need to pass this option.
     #   @return [String]
     #
-    # @!attribute [rw] tags
-    #   The tags to apply to the analyzer.
-    #   @return [Hash<String,String>]
-    #
-    # @!attribute [rw] type
-    #   The type of analyzer to create. Only ACCOUNT and ORGANIZATION
-    #   analyzers are supported. You can create only one analyzer per
-    #   account per Region. You can create up to 5 analyzers per
-    #   organization per Region.
-    #   @return [String]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerRequest AWS API Documentation
     #
     class CreateAnalyzerRequest < Struct.new(
       :analyzer_name,
+      :type,
       :archive_rules,
-      :client_token,
       :tags,
-      :type)
+      :client_token)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -899,44 +967,44 @@ module Aws::AccessAnalyzer
     #
     #       {
     #         analyzer_name: "Name", # required
-    #         client_token: "String",
+    #         rule_name: "Name", # required
     #         filter: { # required
     #           "String" => {
-    #             contains: ["String"],
     #             eq: ["String"],
-    #             exists: false,
     #             neq: ["String"],
+    #             contains: ["String"],
+    #             exists: false,
     #           },
     #         },
-    #         rule_name: "Name", # required
+    #         client_token: "String",
     #       }
     #
     # @!attribute [rw] analyzer_name
     #   The name of the created analyzer.
     #   @return [String]
     #
-    # @!attribute [rw] client_token
-    #   A client token.
-    #
-    #   **A suitable default value is auto-generated.** You should normally
-    #   not need to pass this option.
+    # @!attribute [rw] rule_name
+    #   The name of the rule to create.
     #   @return [String]
     #
     # @!attribute [rw] filter
     #   The criteria for the rule.
     #   @return [Hash<String,Types::Criterion>]
     #
-    # @!attribute [rw] rule_name
-    #   The name of the rule to create.
+    # @!attribute [rw] client_token
+    #   A client token.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateArchiveRuleRequest AWS API Documentation
     #
     class CreateArchiveRuleRequest < Struct.new(
       :analyzer_name,
-      :client_token,
+      :rule_name,
       :filter,
-      :rule_name)
+      :client_token)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -947,19 +1015,24 @@ module Aws::AccessAnalyzer
     #   data as a hash:
     #
     #       {
-    #         contains: ["String"],
     #         eq: ["String"],
-    #         exists: false,
     #         neq: ["String"],
+    #         contains: ["String"],
+    #         exists: false,
     #       }
     #
-    # @!attribute [rw] contains
-    #   A "contains" operator to match for the filter used to create the
+    # @!attribute [rw] eq
+    #   An "equals" operator to match for the filter used to create the
     #   rule.
     #   @return [Array<String>]
     #
-    # @!attribute [rw] eq
-    #   An "equals" operator to match for the filter used to create the
+    # @!attribute [rw] neq
+    #   A "not equals" operator to match for the filter used to create the
+    #   rule.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] contains
+    #   A "contains" operator to match for the filter used to create the
     #   rule.
     #   @return [Array<String>]
     #
@@ -968,18 +1041,13 @@ module Aws::AccessAnalyzer
     #   rule.
     #   @return [Boolean]
     #
-    # @!attribute [rw] neq
-    #   A "not equals" operator to match for the filter used to create the
-    #   rule.
-    #   @return [Array<String>]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Criterion AWS API Documentation
     #
     class Criterion < Struct.new(
-      :contains,
       :eq,
-      :exists,
-      :neq)
+      :neq,
+      :contains,
+      :exists)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1021,8 +1089,8 @@ module Aws::AccessAnalyzer
     #
     #       {
     #         analyzer_name: "Name", # required
-    #         client_token: "String",
     #         rule_name: "Name", # required
+    #         client_token: "String",
     #       }
     #
     # @!attribute [rw] analyzer_name
@@ -1030,6 +1098,10 @@ module Aws::AccessAnalyzer
     #   delete.
     #   @return [String]
     #
+    # @!attribute [rw] rule_name
+    #   The name of the rule to delete.
+    #   @return [String]
+    #
     # @!attribute [rw] client_token
     #   A client token.
     #
@@ -1037,68 +1109,241 @@ module Aws::AccessAnalyzer
     #   not need to pass this option.
     #   @return [String]
     #
-    # @!attribute [rw] rule_name
-    #   The name of the rule to delete.
-    #   @return [String]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/DeleteArchiveRuleRequest AWS API Documentation
     #
     class DeleteArchiveRuleRequest < Struct.new(
       :analyzer_name,
-      :client_token,
-      :rule_name)
+      :rule_name,
+      :client_token)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # Contains information about a finding.
+    # The proposed access control configuration for an Amazon EBS volume
+    # snapshot. You can propose a configuration for a new Amazon EBS volume
+    # snapshot or an Amazon EBS volume snapshot that you own by specifying
+    # the user IDs, groups, and optional KMS encryption key. For more
+    # information, see [ModifySnapshotAttribute][1].
     #
-    # @!attribute [rw] action
-    #   The action in the analyzed policy statement that an external
-    #   principal has permission to use.
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html
+    #
+    # @note When making an API call, you may pass EbsSnapshotConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         user_ids: ["EbsUserId"],
+    #         groups: ["EbsGroup"],
+    #         kms_key_id: "EbsSnapshotDataEncryptionKeyId",
+    #       }
+    #
+    # @!attribute [rw] user_ids
+    #   The IDs of the Amazon Web Services accounts that have access to the
+    #   Amazon EBS volume snapshot.
+    #
+    #   * If the configuration is for an existing Amazon EBS volume snapshot
+    #     and you do not specify the `userIds`, then the access preview uses
+    #     the existing shared `userIds` for the snapshot.
+    #
+    #   * If the access preview is for a new resource and you do not specify
+    #     the `userIds`, then the access preview considers the snapshot
+    #     without any `userIds`.
+    #
+    #   * To propose deletion of existing shared `accountIds`, you can
+    #     specify an empty list for `userIds`.
     #   @return [Array<String>]
     #
-    # @!attribute [rw] analyzed_at
-    #   The time at which the resource was analyzed.
-    #   @return [Time]
+    # @!attribute [rw] groups
+    #   The groups that have access to the Amazon EBS volume snapshot. If
+    #   the value `all` is specified, then the Amazon EBS volume snapshot is
+    #   public.
     #
-    # @!attribute [rw] condition
-    #   The condition in the analyzed policy statement that resulted in a
-    #   finding.
-    #   @return [Hash<String,String>]
+    #   * If the configuration is for an existing Amazon EBS volume snapshot
+    #     and you do not specify the `groups`, then the access preview uses
+    #     the existing shared `groups` for the snapshot.
     #
-    # @!attribute [rw] created_at
-    #   The time at which the finding was generated.
-    #   @return [Time]
+    #   * If the access preview is for a new resource and you do not specify
+    #     the `groups`, then the access preview considers the snapshot
+    #     without any `groups`.
     #
-    # @!attribute [rw] error
-    #   An error.
+    #   * To propose deletion of existing shared `groups`, you can specify
+    #     an empty list for `groups`.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] kms_key_id
+    #   The KMS key identifier for an encrypted Amazon EBS volume snapshot.
+    #   The KMS key identifier is the key ARN, key ID, alias ARN, or alias
+    #   name for the KMS key.
+    #
+    #   * If the configuration is for an existing Amazon EBS volume snapshot
+    #     and you do not specify the `kmsKeyId`, or you specify an empty
+    #     string, then the access preview uses the existing `kmsKeyId` of
+    #     the snapshot.
+    #
+    #   * If the access preview is for a new resource and you do not specify
+    #     the `kmsKeyId`, the access preview considers the snapshot as
+    #     unencrypted.
     #   @return [String]
     #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/EbsSnapshotConfiguration AWS API Documentation
+    #
+    class EbsSnapshotConfiguration < Struct.new(
+      :user_ids,
+      :groups,
+      :kms_key_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The proposed access control configuration for an Amazon ECR
+    # repository. You can propose a configuration for a new Amazon ECR
+    # repository or an existing Amazon ECR repository that you own by
+    # specifying the Amazon ECR policy. For more information, see
+    # [Repository][1].
+    #
+    # * If the configuration is for an existing Amazon ECR repository and
+    #   you do not specify the Amazon ECR policy, then the access preview
+    #   uses the existing Amazon ECR policy for the repository.
+    #
+    # * If the access preview is for a new resource and you do not specify
+    #   the policy, then the access preview assumes an Amazon ECR repository
+    #   without a policy.
+    #
+    # * To propose deletion of an existing Amazon ECR repository policy, you
+    #   can specify an empty string for the Amazon ECR policy.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Repository.html
+    #
+    # @note When making an API call, you may pass EcrRepositoryConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         repository_policy: "EcrRepositoryPolicy",
+    #       }
+    #
+    # @!attribute [rw] repository_policy
+    #   The JSON repository policy text to apply to the Amazon ECR
+    #   repository. For more information, see [Private repository policy
+    #   examples][1] in the *Amazon ECR User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/EcrRepositoryConfiguration AWS API Documentation
+    #
+    class EcrRepositoryConfiguration < Struct.new(
+      :repository_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The proposed access control configuration for an Amazon EFS file
+    # system. You can propose a configuration for a new Amazon EFS file
+    # system or an existing Amazon EFS file system that you own by
+    # specifying the Amazon EFS policy. For more information, see [Using
+    # file systems in Amazon EFS][1].
+    #
+    # * If the configuration is for an existing Amazon EFS file system and
+    #   you do not specify the Amazon EFS policy, then the access preview
+    #   uses the existing Amazon EFS policy for the file system.
+    #
+    # * If the access preview is for a new resource and you do not specify
+    #   the policy, then the access preview assumes an Amazon EFS file
+    #   system without a policy.
+    #
+    # * To propose deletion of an existing Amazon EFS file system policy,
+    #   you can specify an empty string for the Amazon EFS policy.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/efs/latest/ug/using-fs.html
+    #
+    # @note When making an API call, you may pass EfsFileSystemConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         file_system_policy: "EfsFileSystemPolicy",
+    #       }
+    #
+    # @!attribute [rw] file_system_policy
+    #   The JSON policy definition to apply to the Amazon EFS file system.
+    #   For more information on the elements that make up a file system
+    #   policy, see [Amazon EFS Resource-based policies][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/efs/latest/ug/access-control-overview.html#access-control-manage-access-intro-resource-policies
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/EfsFileSystemConfiguration AWS API Documentation
+    #
+    class EfsFileSystemConfiguration < Struct.new(
+      :file_system_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains information about a finding.
+    #
     # @!attribute [rw] id
     #   The ID of the finding.
     #   @return [String]
     #
-    # @!attribute [rw] is_public
-    #   Indicates whether the policy that generated the finding allows
-    #   public access to the resource.
-    #   @return [Boolean]
-    #
     # @!attribute [rw] principal
     #   The external principal that access to a resource within the zone of
     #   trust.
     #   @return [Hash<String,String>]
     #
+    # @!attribute [rw] action
+    #   The action in the analyzed policy statement that an external
+    #   principal has permission to use.
+    #   @return [Array<String>]
+    #
     # @!attribute [rw] resource
     #   The resource that an external principal has access to.
     #   @return [String]
     #
+    # @!attribute [rw] is_public
+    #   Indicates whether the policy that generated the finding allows
+    #   public access to the resource.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] resource_type
+    #   The type of the resource identified in the finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] condition
+    #   The condition in the analyzed policy statement that resulted in a
+    #   finding.
+    #   @return [Hash<String,String>]
+    #
+    # @!attribute [rw] created_at
+    #   The time at which the finding was generated.
+    #   @return [Time]
+    #
+    # @!attribute [rw] analyzed_at
+    #   The time at which the resource was analyzed.
+    #   @return [Time]
+    #
+    # @!attribute [rw] updated_at
+    #   The time at which the finding was updated.
+    #   @return [Time]
+    #
+    # @!attribute [rw] status
+    #   The current status of the finding.
+    #   @return [String]
+    #
     # @!attribute [rw] resource_owner_account
     #   The Amazon Web Services account ID that owns the resource.
     #   @return [String]
     #
-    # @!attribute [rw] resource_type
-    #   The type of the resource identified in the finding.
+    # @!attribute [rw] error
+    #   An error.
     #   @return [String]
     #
     # @!attribute [rw] sources
@@ -1107,31 +1352,23 @@ module Aws::AccessAnalyzer
     #   bucket findings.
     #   @return [Array<Types::FindingSource>]
     #
-    # @!attribute [rw] status
-    #   The current status of the finding.
-    #   @return [String]
-    #
-    # @!attribute [rw] updated_at
-    #   The time at which the finding was updated.
-    #   @return [Time]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Finding AWS API Documentation
     #
     class Finding < Struct.new(
-      :action,
-      :analyzed_at,
-      :condition,
-      :created_at,
-      :error,
       :id,
-      :is_public,
       :principal,
+      :action,
       :resource,
-      :resource_owner_account,
+      :is_public,
       :resource_type,
-      :sources,
+      :condition,
+      :created_at,
+      :analyzed_at,
+      :updated_at,
       :status,
-      :updated_at)
+      :resource_owner_account,
+      :error,
+      :sources)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1140,20 +1377,20 @@ module Aws::AccessAnalyzer
     # generated the finding is granted. It is populated for Amazon S3 bucket
     # findings.
     #
+    # @!attribute [rw] type
+    #   Indicates the type of access that generated the finding.
+    #   @return [String]
+    #
     # @!attribute [rw] detail
     #   Includes details about how the access that generated the finding is
     #   granted. This is populated for Amazon S3 bucket findings.
     #   @return [Types::FindingSourceDetail]
     #
-    # @!attribute [rw] type
-    #   Indicates the type of access that generated the finding.
-    #   @return [String]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingSource AWS API Documentation
     #
     class FindingSource < Struct.new(
-      :detail,
-      :type)
+      :type,
+      :detail)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1177,15 +1414,32 @@ module Aws::AccessAnalyzer
 
     # Contains information about a finding.
     #
+    # @!attribute [rw] id
+    #   The ID of the finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] principal
+    #   The external principal that has access to a resource within the zone
+    #   of trust.
+    #   @return [Hash<String,String>]
+    #
     # @!attribute [rw] action
     #   The action in the analyzed policy statement that an external
     #   principal has permission to use.
     #   @return [Array<String>]
     #
-    # @!attribute [rw] analyzed_at
-    #   The time at which the resource-based policy that generated the
-    #   finding was analyzed.
-    #   @return [Time]
+    # @!attribute [rw] resource
+    #   The resource that the external principal has access to.
+    #   @return [String]
+    #
+    # @!attribute [rw] is_public
+    #   Indicates whether the finding reports a resource that has a policy
+    #   that allows public access.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] resource_type
+    #   The type of the resource that the external principal has access to.
+    #   @return [String]
     #
     # @!attribute [rw] condition
     #   The condition in the analyzed policy statement that resulted in a
@@ -1196,34 +1450,25 @@ module Aws::AccessAnalyzer
     #   The time at which the finding was created.
     #   @return [Time]
     #
-    # @!attribute [rw] error
-    #   The error that resulted in an Error finding.
-    #   @return [String]
-    #
-    # @!attribute [rw] id
-    #   The ID of the finding.
-    #   @return [String]
-    #
-    # @!attribute [rw] is_public
-    #   Indicates whether the finding reports a resource that has a policy
-    #   that allows public access.
-    #   @return [Boolean]
+    # @!attribute [rw] analyzed_at
+    #   The time at which the resource-based policy that generated the
+    #   finding was analyzed.
+    #   @return [Time]
     #
-    # @!attribute [rw] principal
-    #   The external principal that has access to a resource within the zone
-    #   of trust.
-    #   @return [Hash<String,String>]
+    # @!attribute [rw] updated_at
+    #   The time at which the finding was most recently updated.
+    #   @return [Time]
     #
-    # @!attribute [rw] resource
-    #   The resource that the external principal has access to.
+    # @!attribute [rw] status
+    #   The status of the finding.
     #   @return [String]
     #
     # @!attribute [rw] resource_owner_account
     #   The Amazon Web Services account ID that owns the resource.
     #   @return [String]
     #
-    # @!attribute [rw] resource_type
-    #   The type of the resource that the external principal has access to.
+    # @!attribute [rw] error
+    #   The error that resulted in an Error finding.
     #   @return [String]
     #
     # @!attribute [rw] sources
@@ -1232,31 +1477,23 @@ module Aws::AccessAnalyzer
     #   bucket findings.
     #   @return [Array<Types::FindingSource>]
     #
-    # @!attribute [rw] status
-    #   The status of the finding.
-    #   @return [String]
-    #
-    # @!attribute [rw] updated_at
-    #   The time at which the finding was most recently updated.
-    #   @return [Time]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingSummary AWS API Documentation
     #
     class FindingSummary < Struct.new(
-      :action,
-      :analyzed_at,
-      :condition,
-      :created_at,
-      :error,
       :id,
-      :is_public,
       :principal,
+      :action,
       :resource,
-      :resource_owner_account,
+      :is_public,
       :resource_type,
-      :sources,
+      :condition,
+      :created_at,
+      :analyzed_at,
+      :updated_at,
       :status,
-      :updated_at)
+      :resource_owner_account,
+      :error,
+      :sources)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1282,10 +1519,6 @@ module Aws::AccessAnalyzer
 
     # Contains the generated policy details.
     #
-    # @!attribute [rw] cloud_trail_properties
-    #   Lists details about the `Trail` used to generated policy.
-    #   @return [Types::CloudTrailProperties]
-    #
     # @!attribute [rw] is_complete
     #   This value is set to `true` if the generated policy contains all
     #   possible actions for a service that IAM Access Analyzer identified
@@ -1297,18 +1530,27 @@ module Aws::AccessAnalyzer
     #   generating a policy.
     #   @return [String]
     #
+    # @!attribute [rw] cloud_trail_properties
+    #   Lists details about the `Trail` used to generated policy.
+    #   @return [Types::CloudTrailProperties]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GeneratedPolicyProperties AWS API Documentation
     #
     class GeneratedPolicyProperties < Struct.new(
-      :cloud_trail_properties,
       :is_complete,
-      :principal_arn)
+      :principal_arn,
+      :cloud_trail_properties)
       SENSITIVE = []
       include Aws::Structure
     end
 
     # Contains the text for the generated policy and its details.
     #
+    # @!attribute [rw] properties
+    #   A `GeneratedPolicyProperties` object that contains properties of the
+    #   generated policy.
+    #   @return [Types::GeneratedPolicyProperties]
+    #
     # @!attribute [rw] generated_policies
     #   The text to use as the content for the new policy. The policy is
     #   created using the [CreatePolicy][1] action.
@@ -1318,16 +1560,11 @@ module Aws::AccessAnalyzer
     #   [1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html
     #   @return [Array<Types::GeneratedPolicy>]
     #
-    # @!attribute [rw] properties
-    #   A `GeneratedPolicyProperties` object that contains properties of the
-    #   generated policy.
-    #   @return [Types::GeneratedPolicyProperties]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GeneratedPolicyResult AWS API Documentation
     #
     class GeneratedPolicyResult < Struct.new(
-      :generated_policies,
-      :properties)
+      :properties,
+      :generated_policies)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1545,11 +1782,18 @@ module Aws::AccessAnalyzer
     #   data as a hash:
     #
     #       {
+    #         job_id: "JobId", # required
     #         include_resource_placeholders: false,
     #         include_service_level_template: false,
-    #         job_id: "JobId", # required
     #       }
     #
+    # @!attribute [rw] job_id
+    #   The `JobId` that is returned by the `StartPolicyGeneration`
+    #   operation. The `JobId` can be used with `GetGeneratedPolicy` to
+    #   retrieve the generated policies or used with
+    #   `CancelPolicyGeneration` to cancel the policy generation request.
+    #   @return [String]
+    #
     # @!attribute [rw] include_resource_placeholders
     #   The level of detail that you want to generate. You can specify
     #   whether to generate policies with placeholders for resource ARNs for
@@ -1569,38 +1813,31 @@ module Aws::AccessAnalyzer
     #   template.
     #   @return [Boolean]
     #
-    # @!attribute [rw] job_id
-    #   The `JobId` that is returned by the `StartPolicyGeneration`
-    #   operation. The `JobId` can be used with `GetGeneratedPolicy` to
-    #   retrieve the generated policies or used with
-    #   `CancelPolicyGeneration` to cancel the policy generation request.
-    #   @return [String]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetGeneratedPolicyRequest AWS API Documentation
     #
     class GetGeneratedPolicyRequest < Struct.new(
+      :job_id,
       :include_resource_placeholders,
-      :include_service_level_template,
-      :job_id)
+      :include_service_level_template)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @!attribute [rw] generated_policy_result
-    #   A `GeneratedPolicyResult` object that contains the generated
-    #   policies and associated details.
-    #   @return [Types::GeneratedPolicyResult]
-    #
     # @!attribute [rw] job_details
     #   A `GeneratedPolicyDetails` object that contains details about the
     #   generated policy.
     #   @return [Types::JobDetails]
     #
+    # @!attribute [rw] generated_policy_result
+    #   A `GeneratedPolicyResult` object that contains the generated
+    #   policies and associated details.
+    #   @return [Types::GeneratedPolicyResult]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetGeneratedPolicyResponse AWS API Documentation
     #
     class GetGeneratedPolicyResponse < Struct.new(
-      :generated_policy_result,
-      :job_details)
+      :job_details,
+      :generated_policy_result)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1645,30 +1882,30 @@ module Aws::AccessAnalyzer
     #   data as a hash:
     #
     #       {
+    #         rule_name: "Name", # required
     #         filter: { # required
     #           "String" => {
-    #             contains: ["String"],
     #             eq: ["String"],
-    #             exists: false,
     #             neq: ["String"],
+    #             contains: ["String"],
+    #             exists: false,
     #           },
     #         },
-    #         rule_name: "Name", # required
     #       }
     #
-    # @!attribute [rw] filter
-    #   The condition and values for a criterion.
-    #   @return [Hash<String,Types::Criterion>]
-    #
     # @!attribute [rw] rule_name
     #   The name of the rule.
     #   @return [String]
     #
+    # @!attribute [rw] filter
+    #   The condition and values for a criterion.
+    #   @return [Hash<String,Types::Criterion>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InlineArchiveRule AWS API Documentation
     #
     class InlineArchiveRule < Struct.new(
-      :filter,
-      :rule_name)
+      :rule_name,
+      :filter)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1702,14 +1939,6 @@ module Aws::AccessAnalyzer
 
     # Contains details about the policy generation request.
     #
-    # @!attribute [rw] completed_on
-    #   A timestamp of when the job was completed.
-    #   @return [Time]
-    #
-    # @!attribute [rw] job_error
-    #   The job error for the policy generation request.
-    #   @return [Types::JobError]
-    #
     # @!attribute [rw] job_id
     #   The `JobId` that is returned by the `StartPolicyGeneration`
     #   operation. The `JobId` can be used with `GetGeneratedPolicy` to
@@ -1717,22 +1946,30 @@ module Aws::AccessAnalyzer
     #   `CancelPolicyGeneration` to cancel the policy generation request.
     #   @return [String]
     #
+    # @!attribute [rw] status
+    #   The status of the job request.
+    #   @return [String]
+    #
     # @!attribute [rw] started_on
     #   A timestamp of when the job was started.
     #   @return [Time]
     #
-    # @!attribute [rw] status
-    #   The status of the job request.
-    #   @return [String]
+    # @!attribute [rw] completed_on
+    #   A timestamp of when the job was completed.
+    #   @return [Time]
+    #
+    # @!attribute [rw] job_error
+    #   The job error for the policy generation request.
+    #   @return [Types::JobError]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/JobDetails AWS API Documentation
     #
     class JobDetails < Struct.new(
-      :completed_on,
-      :job_error,
       :job_id,
+      :status,
       :started_on,
-      :status)
+      :completed_on,
+      :job_error)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1768,6 +2005,9 @@ module Aws::AccessAnalyzer
     #   data as a hash:
     #
     #       {
+    #         operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
+    #         grantee_principal: "GranteePrincipal", # required
+    #         retiring_principal: "RetiringPrincipal",
     #         constraints: {
     #           encryption_context_equals: {
     #             "KmsConstraintsKey" => "KmsConstraintsValue",
@@ -1776,12 +2016,27 @@ module Aws::AccessAnalyzer
     #             "KmsConstraintsKey" => "KmsConstraintsValue",
     #           },
     #         },
-    #         grantee_principal: "GranteePrincipal", # required
     #         issuing_account: "IssuingAccount", # required
-    #         operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
-    #         retiring_principal: "RetiringPrincipal",
     #       }
     #
+    # @!attribute [rw] operations
+    #   A list of operations that the grant permits.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] grantee_principal
+    #   The principal that is given permission to perform the operations
+    #   that the grant permits.
+    #   @return [String]
+    #
+    # @!attribute [rw] retiring_principal
+    #   The principal that is given permission to retire the grant by using
+    #   [RetireGrant][1] operation.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html
+    #   @return [String]
+    #
     # @!attribute [rw] constraints
     #   Use this structure to propose allowing [cryptographic operations][1]
     #   in the grant only when the operation request includes the specified
@@ -1793,38 +2048,20 @@ module Aws::AccessAnalyzer
     #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
     #   @return [Types::KmsGrantConstraints]
     #
-    # @!attribute [rw] grantee_principal
-    #   The principal that is given permission to perform the operations
-    #   that the grant permits.
-    #   @return [String]
-    #
     # @!attribute [rw] issuing_account
     #   The Amazon Web Services account under which the grant was issued.
     #   The account is used to propose KMS grants issued by accounts other
     #   than the owner of the key.
     #   @return [String]
     #
-    # @!attribute [rw] operations
-    #   A list of operations that the grant permits.
-    #   @return [Array<String>]
-    #
-    # @!attribute [rw] retiring_principal
-    #   The principal that is given permission to retire the grant by using
-    #   [RetireGrant][1] operation.
-    #
-    #
-    #
-    #   [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html
-    #   @return [String]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConfiguration AWS API Documentation
     #
     class KmsGrantConfiguration < Struct.new(
-      :constraints,
-      :grantee_principal,
-      :issuing_account,
       :operations,
-      :retiring_principal)
+      :grantee_principal,
+      :retiring_principal,
+      :constraints,
+      :issuing_account)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1907,8 +2144,14 @@ module Aws::AccessAnalyzer
     #   data as a hash:
     #
     #       {
+    #         key_policies: {
+    #           "PolicyName" => "KmsKeyPolicy",
+    #         },
     #         grants: [
     #           {
+    #             operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
+    #             grantee_principal: "GranteePrincipal", # required
+    #             retiring_principal: "RetiringPrincipal",
     #             constraints: {
     #               encryption_context_equals: {
     #                 "KmsConstraintsKey" => "KmsConstraintsValue",
@@ -1917,24 +2160,10 @@ module Aws::AccessAnalyzer
     #                 "KmsConstraintsKey" => "KmsConstraintsValue",
     #               },
     #             },
-    #             grantee_principal: "GranteePrincipal", # required
     #             issuing_account: "IssuingAccount", # required
-    #             operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
-    #             retiring_principal: "RetiringPrincipal",
     #           },
-    #         ],
-    #         key_policies: {
-    #           "PolicyName" => "KmsKeyPolicy",
-    #         },
-    #       }
-    #
-    # @!attribute [rw] grants
-    #   A list of proposed grant configurations for the KMS key. If the
-    #   proposed grant configuration is for an existing key, the access
-    #   preview uses the proposed list of grant configurations in place of
-    #   the existing grants. Otherwise, the access preview uses the existing
-    #   grants for the key.
-    #   @return [Array<Types::KmsGrantConfiguration>]
+    #         ],
+    #       }
     #
     # @!attribute [rw] key_policies
     #   Resource policy configuration for the KMS key. The only valid value
@@ -1946,11 +2175,19 @@ module Aws::AccessAnalyzer
     #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
     #   @return [Hash<String,String>]
     #
+    # @!attribute [rw] grants
+    #   A list of proposed grant configurations for the KMS key. If the
+    #   proposed grant configuration is for an existing key, the access
+    #   preview uses the proposed list of grant configurations in place of
+    #   the existing grants. Otherwise, the access preview uses the existing
+    #   grants for the key.
+    #   @return [Array<Types::KmsGrantConfiguration>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsKeyConfiguration AWS API Documentation
     #
     class KmsKeyConfiguration < Struct.new(
-      :grants,
-      :key_policies)
+      :key_policies,
+      :grants)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1963,14 +2200,14 @@ module Aws::AccessAnalyzer
     #         analyzer_arn: "AnalyzerArn", # required
     #         filter: {
     #           "String" => {
-    #             contains: ["String"],
     #             eq: ["String"],
-    #             exists: false,
     #             neq: ["String"],
+    #             contains: ["String"],
+    #             exists: false,
     #           },
     #         },
-    #         max_results: 1,
     #         next_token: "Token",
+    #         max_results: 1,
     #       }
     #
     # @!attribute [rw] access_preview_id
@@ -1989,22 +2226,22 @@ module Aws::AccessAnalyzer
     #   Criteria to filter the returned findings.
     #   @return [Hash<String,Types::Criterion>]
     #
-    # @!attribute [rw] max_results
-    #   The maximum number of results to return in the response.
-    #   @return [Integer]
-    #
     # @!attribute [rw] next_token
     #   A token used for pagination of results returned.
     #   @return [String]
     #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the response.
+    #   @return [Integer]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsRequest AWS API Documentation
     #
     class ListAccessPreviewFindingsRequest < Struct.new(
       :access_preview_id,
       :analyzer_arn,
       :filter,
-      :max_results,
-      :next_token)
+      :next_token,
+      :max_results)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2032,8 +2269,8 @@ module Aws::AccessAnalyzer
     #
     #       {
     #         analyzer_arn: "AnalyzerArn", # required
-    #         max_results: 1,
     #         next_token: "Token",
+    #         max_results: 1,
     #       }
     #
     # @!attribute [rw] analyzer_arn
@@ -2044,20 +2281,20 @@ module Aws::AccessAnalyzer
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
-    # @!attribute [rw] max_results
-    #   The maximum number of results to return in the response.
-    #   @return [Integer]
-    #
     # @!attribute [rw] next_token
     #   A token used for pagination of results returned.
     #   @return [String]
     #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the response.
+    #   @return [Integer]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsRequest AWS API Documentation
     #
     class ListAccessPreviewsRequest < Struct.new(
       :analyzer_arn,
-      :max_results,
-      :next_token)
+      :next_token,
+      :max_results)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2086,9 +2323,9 @@ module Aws::AccessAnalyzer
     #
     #       {
     #         analyzer_arn: "AnalyzerArn", # required
-    #         max_results: 1,
+    #         resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key, AWS::SecretsManager::Secret, AWS::EFS::FileSystem, AWS::EC2::Snapshot, AWS::ECR::Repository, AWS::RDS::DBSnapshot, AWS::RDS::DBClusterSnapshot, AWS::SNS::Topic
     #         next_token: "Token",
-    #         resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key, AWS::SecretsManager::Secret
+    #         max_results: 1,
     #       }
     #
     # @!attribute [rw] analyzer_arn
@@ -2100,25 +2337,25 @@ module Aws::AccessAnalyzer
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
-    # @!attribute [rw] max_results
-    #   The maximum number of results to return in the response.
-    #   @return [Integer]
+    # @!attribute [rw] resource_type
+    #   The type of resource.
+    #   @return [String]
     #
     # @!attribute [rw] next_token
     #   A token used for pagination of results returned.
     #   @return [String]
     #
-    # @!attribute [rw] resource_type
-    #   The type of resource.
-    #   @return [String]
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the response.
+    #   @return [Integer]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesRequest AWS API Documentation
     #
     class ListAnalyzedResourcesRequest < Struct.new(
       :analyzer_arn,
-      :max_results,
+      :resource_type,
       :next_token,
-      :resource_type)
+      :max_results)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2148,19 +2385,19 @@ module Aws::AccessAnalyzer
     #   data as a hash:
     #
     #       {
-    #         max_results: 1,
     #         next_token: "Token",
+    #         max_results: 1,
     #         type: "ACCOUNT", # accepts ACCOUNT, ORGANIZATION
     #       }
     #
-    # @!attribute [rw] max_results
-    #   The maximum number of results to return in the response.
-    #   @return [Integer]
-    #
     # @!attribute [rw] next_token
     #   A token used for pagination of results returned.
     #   @return [String]
     #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the response.
+    #   @return [Integer]
+    #
     # @!attribute [rw] type
     #   The type of analyzer.
     #   @return [String]
@@ -2168,8 +2405,8 @@ module Aws::AccessAnalyzer
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersRequest AWS API Documentation
     #
     class ListAnalyzersRequest < Struct.new(
-      :max_results,
       :next_token,
+      :max_results,
       :type)
       SENSITIVE = []
       include Aws::Structure
@@ -2201,28 +2438,28 @@ module Aws::AccessAnalyzer
     #
     #       {
     #         analyzer_name: "Name", # required
-    #         max_results: 1,
     #         next_token: "Token",
+    #         max_results: 1,
     #       }
     #
     # @!attribute [rw] analyzer_name
     #   The name of the analyzer to retrieve rules from.
     #   @return [String]
     #
-    # @!attribute [rw] max_results
-    #   The maximum number of results to return in the request.
-    #   @return [Integer]
-    #
     # @!attribute [rw] next_token
     #   A token used for pagination of results returned.
     #   @return [String]
     #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the request.
+    #   @return [Integer]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesRequest AWS API Documentation
     #
     class ListArchiveRulesRequest < Struct.new(
       :analyzer_name,
-      :max_results,
-      :next_token)
+      :next_token,
+      :max_results)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2255,18 +2492,18 @@ module Aws::AccessAnalyzer
     #         analyzer_arn: "AnalyzerArn", # required
     #         filter: {
     #           "String" => {
-    #             contains: ["String"],
     #             eq: ["String"],
-    #             exists: false,
     #             neq: ["String"],
+    #             contains: ["String"],
+    #             exists: false,
     #           },
     #         },
-    #         max_results: 1,
-    #         next_token: "Token",
     #         sort: {
     #           attribute_name: "String",
     #           order_by: "ASC", # accepts ASC, DESC
     #         },
+    #         next_token: "Token",
+    #         max_results: 1,
     #       }
     #
     # @!attribute [rw] analyzer_arn
@@ -2281,26 +2518,26 @@ module Aws::AccessAnalyzer
     #   A filter to match for the findings to return.
     #   @return [Hash<String,Types::Criterion>]
     #
-    # @!attribute [rw] max_results
-    #   The maximum number of results to return in the response.
-    #   @return [Integer]
+    # @!attribute [rw] sort
+    #   The sort order for the findings returned.
+    #   @return [Types::SortCriteria]
     #
     # @!attribute [rw] next_token
     #   A token used for pagination of results returned.
     #   @return [String]
     #
-    # @!attribute [rw] sort
-    #   The sort order for the findings returned.
-    #   @return [Types::SortCriteria]
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the response.
+    #   @return [Integer]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsRequest AWS API Documentation
     #
     class ListFindingsRequest < Struct.new(
       :analyzer_arn,
       :filter,
-      :max_results,
+      :sort,
       :next_token,
-      :sort)
+      :max_results)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2329,11 +2566,17 @@ module Aws::AccessAnalyzer
     #   data as a hash:
     #
     #       {
+    #         principal_arn: "PrincipalArn",
     #         max_results: 1,
     #         next_token: "Token",
-    #         principal_arn: "PrincipalArn",
     #       }
     #
+    # @!attribute [rw] principal_arn
+    #   The ARN of the IAM entity (user or role) for which you are
+    #   generating a policy. Use this with `ListGeneratedPolicies` to filter
+    #   the results to only include results for a specific principal.
+    #   @return [String]
+    #
     # @!attribute [rw] max_results
     #   The maximum number of results to return in the response.
     #   @return [Integer]
@@ -2342,36 +2585,30 @@ module Aws::AccessAnalyzer
     #   A token used for pagination of results returned.
     #   @return [String]
     #
-    # @!attribute [rw] principal_arn
-    #   The ARN of the IAM entity (user or role) for which you are
-    #   generating a policy. Use this with `ListGeneratedPolicies` to filter
-    #   the results to only include results for a specific principal.
-    #   @return [String]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListPolicyGenerationsRequest AWS API Documentation
     #
     class ListPolicyGenerationsRequest < Struct.new(
+      :principal_arn,
       :max_results,
-      :next_token,
-      :principal_arn)
+      :next_token)
       SENSITIVE = []
       include Aws::Structure
     end
 
-    # @!attribute [rw] next_token
-    #   A token used for pagination of results returned.
-    #   @return [String]
-    #
     # @!attribute [rw] policy_generations
     #   A `PolicyGeneration` object that contains details about the
     #   generated policy.
     #   @return [Array<Types::PolicyGeneration>]
     #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListPolicyGenerationsResponse AWS API Documentation
     #
     class ListPolicyGenerationsResponse < Struct.new(
-      :next_token,
-      :policy_generations)
+      :policy_generations,
+      :next_token)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2447,11 +2684,6 @@ module Aws::AccessAnalyzer
     #
     # @note NetworkOriginConfiguration is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of NetworkOriginConfiguration corresponding to the set member.
     #
-    # @!attribute [rw] internet_configuration
-    #   The configuration for the Amazon S3 access point or multi-region
-    #   access point with an `Internet` origin.
-    #   @return [Types::InternetConfiguration]
-    #
     # @!attribute [rw] vpc_configuration
     #   The proposed virtual private cloud (VPC) configuration for the
     #   Amazon S3 access point. VPC configuration does not apply to
@@ -2463,18 +2695,23 @@ module Aws::AccessAnalyzer
     #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
     #   @return [Types::VpcConfiguration]
     #
+    # @!attribute [rw] internet_configuration
+    #   The configuration for the Amazon S3 access point or multi-region
+    #   access point with an `Internet` origin.
+    #   @return [Types::InternetConfiguration]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/NetworkOriginConfiguration AWS API Documentation
     #
     class NetworkOriginConfiguration < Struct.new(
-      :internet_configuration,
       :vpc_configuration,
+      :internet_configuration,
       :unknown)
       SENSITIVE = []
       include Aws::Structure
       include Aws::Structure::Union
 
-      class InternetConfiguration < NetworkOriginConfiguration; end
       class VpcConfiguration < NetworkOriginConfiguration; end
+      class InternetConfiguration < NetworkOriginConfiguration; end
       class Unknown < NetworkOriginConfiguration; end
     end
 
@@ -2520,10 +2757,6 @@ module Aws::AccessAnalyzer
 
     # Contains details about the policy generation status and properties.
     #
-    # @!attribute [rw] completed_on
-    #   A timestamp of when the policy generation was completed.
-    #   @return [Time]
-    #
     # @!attribute [rw] job_id
     #   The `JobId` that is returned by the `StartPolicyGeneration`
     #   operation. The `JobId` can be used with `GetGeneratedPolicy` to
@@ -2536,22 +2769,26 @@ module Aws::AccessAnalyzer
     #   generating a policy.
     #   @return [String]
     #
+    # @!attribute [rw] status
+    #   The status of the policy generation request.
+    #   @return [String]
+    #
     # @!attribute [rw] started_on
     #   A timestamp of when the policy generation started.
     #   @return [Time]
     #
-    # @!attribute [rw] status
-    #   The status of the policy generation request.
-    #   @return [String]
+    # @!attribute [rw] completed_on
+    #   A timestamp of when the policy generation was completed.
+    #   @return [Time]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PolicyGeneration AWS API Documentation
     #
     class PolicyGeneration < Struct.new(
-      :completed_on,
       :job_id,
       :principal_arn,
+      :status,
       :started_on,
-      :status)
+      :completed_on)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2581,14 +2818,14 @@ module Aws::AccessAnalyzer
 
     # A position in a policy.
     #
-    # @!attribute [rw] column
-    #   The column of the position, starting from 0.
-    #   @return [Integer]
-    #
     # @!attribute [rw] line
     #   The line of the position, starting from 1.
     #   @return [Integer]
     #
+    # @!attribute [rw] column
+    #   The column of the position, starting from 0.
+    #   @return [Integer]
+    #
     # @!attribute [rw] offset
     #   The offset within the policy that corresponds to the position,
     #   starting from 0.
@@ -2597,13 +2834,203 @@ module Aws::AccessAnalyzer
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Position AWS API Documentation
     #
     class Position < Struct.new(
-      :column,
       :line,
+      :column,
       :offset)
       SENSITIVE = []
       include Aws::Structure
     end
 
+    # The values for a manual Amazon RDS DB cluster snapshot attribute.
+    #
+    # @note RdsDbClusterSnapshotAttributeValue is a union - when making an API calls you must set exactly one of the members.
+    #
+    # @note RdsDbClusterSnapshotAttributeValue is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of RdsDbClusterSnapshotAttributeValue corresponding to the set member.
+    #
+    # @!attribute [rw] account_ids
+    #   The Amazon Web Services account IDs that have access to the manual
+    #   Amazon RDS DB cluster snapshot. If the value `all` is specified,
+    #   then the Amazon RDS DB cluster snapshot is public and can be copied
+    #   or restored by all Amazon Web Services accounts.
+    #
+    #   * If the configuration is for an existing Amazon RDS DB cluster
+    #     snapshot and you do not specify the `accountIds` in
+    #     `RdsDbClusterSnapshotAttributeValue`, then the access preview uses
+    #     the existing shared `accountIds` for the snapshot.
+    #
+    #   * If the access preview is for a new resource and you do not specify
+    #     the specify the `accountIds` in
+    #     `RdsDbClusterSnapshotAttributeValue`, then the access preview
+    #     considers the snapshot without any attributes.
+    #
+    #   * To propose deletion of existing shared `accountIds`, you can
+    #     specify an empty list for `accountIds` in the
+    #     `RdsDbClusterSnapshotAttributeValue`.
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/RdsDbClusterSnapshotAttributeValue AWS API Documentation
+    #
+    class RdsDbClusterSnapshotAttributeValue < Struct.new(
+      :account_ids,
+      :unknown)
+      SENSITIVE = []
+      include Aws::Structure
+      include Aws::Structure::Union
+
+      class AccountIds < RdsDbClusterSnapshotAttributeValue; end
+      class Unknown < RdsDbClusterSnapshotAttributeValue; end
+    end
+
+    # The proposed access control configuration for an Amazon RDS DB cluster
+    # snapshot. You can propose a configuration for a new Amazon RDS DB
+    # cluster snapshot or an Amazon RDS DB cluster snapshot that you own by
+    # specifying the `RdsDbClusterSnapshotAttributeValue` and optional KMS
+    # encryption key. For more information, see
+    # [ModifyDBClusterSnapshotAttribute][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBClusterSnapshotAttribute.html
+    #
+    # @note When making an API call, you may pass RdsDbClusterSnapshotConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         attributes: {
+    #           "RdsDbClusterSnapshotAttributeName" => {
+    #             account_ids: ["RdsDbClusterSnapshotAccountId"],
+    #           },
+    #         },
+    #         kms_key_id: "RdsDbClusterSnapshotKmsKeyId",
+    #       }
+    #
+    # @!attribute [rw] attributes
+    #   The names and values of manual DB cluster snapshot attributes.
+    #   Manual DB cluster snapshot attributes are used to authorize other
+    #   Amazon Web Services accounts to restore a manual DB cluster
+    #   snapshot. The only valid value for `AttributeName` for the attribute
+    #   map is `restore`
+    #   @return [Hash<String,Types::RdsDbClusterSnapshotAttributeValue>]
+    #
+    # @!attribute [rw] kms_key_id
+    #   The KMS key identifier for an encrypted Amazon RDS DB cluster
+    #   snapshot. The KMS key identifier is the key ARN, key ID, alias ARN,
+    #   or alias name for the KMS key.
+    #
+    #   * If the configuration is for an existing Amazon RDS DB cluster
+    #     snapshot and you do not specify the `kmsKeyId`, or you specify an
+    #     empty string, then the access preview uses the existing `kmsKeyId`
+    #     of the snapshot.
+    #
+    #   * If the access preview is for a new resource and you do not specify
+    #     the specify the `kmsKeyId`, then the access preview considers the
+    #     snapshot as unencrypted.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/RdsDbClusterSnapshotConfiguration AWS API Documentation
+    #
+    class RdsDbClusterSnapshotConfiguration < Struct.new(
+      :attributes,
+      :kms_key_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The name and values of a manual Amazon RDS DB snapshot attribute.
+    # Manual DB snapshot attributes are used to authorize other Amazon Web
+    # Services accounts to restore a manual DB snapshot.
+    #
+    # @note RdsDbSnapshotAttributeValue is a union - when making an API calls you must set exactly one of the members.
+    #
+    # @note RdsDbSnapshotAttributeValue is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of RdsDbSnapshotAttributeValue corresponding to the set member.
+    #
+    # @!attribute [rw] account_ids
+    #   The Amazon Web Services account IDs that have access to the manual
+    #   Amazon RDS DB snapshot. If the value `all` is specified, then the
+    #   Amazon RDS DB snapshot is public and can be copied or restored by
+    #   all Amazon Web Services accounts.
+    #
+    #   * If the configuration is for an existing Amazon RDS DB snapshot and
+    #     you do not specify the `accountIds` in
+    #     `RdsDbSnapshotAttributeValue`, then the access preview uses the
+    #     existing shared `accountIds` for the snapshot.
+    #
+    #   * If the access preview is for a new resource and you do not specify
+    #     the specify the `accountIds` in `RdsDbSnapshotAttributeValue`,
+    #     then the access preview considers the snapshot without any
+    #     attributes.
+    #
+    #   * To propose deletion of an existing shared `accountIds`, you can
+    #     specify an empty list for `accountIds` in the
+    #     `RdsDbSnapshotAttributeValue`.
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/RdsDbSnapshotAttributeValue AWS API Documentation
+    #
+    class RdsDbSnapshotAttributeValue < Struct.new(
+      :account_ids,
+      :unknown)
+      SENSITIVE = []
+      include Aws::Structure
+      include Aws::Structure::Union
+
+      class AccountIds < RdsDbSnapshotAttributeValue; end
+      class Unknown < RdsDbSnapshotAttributeValue; end
+    end
+
+    # The proposed access control configuration for an Amazon RDS DB
+    # snapshot. You can propose a configuration for a new Amazon RDS DB
+    # snapshot or an Amazon RDS DB snapshot that you own by specifying the
+    # `RdsDbSnapshotAttributeValue` and optional KMS encryption key. For
+    # more information, see [ModifyDBSnapshotAttribute][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html
+    #
+    # @note When making an API call, you may pass RdsDbSnapshotConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         attributes: {
+    #           "RdsDbSnapshotAttributeName" => {
+    #             account_ids: ["RdsDbSnapshotAccountId"],
+    #           },
+    #         },
+    #         kms_key_id: "RdsDbSnapshotKmsKeyId",
+    #       }
+    #
+    # @!attribute [rw] attributes
+    #   The names and values of manual DB snapshot attributes. Manual DB
+    #   snapshot attributes are used to authorize other Amazon Web Services
+    #   accounts to restore a manual DB snapshot. The only valid value for
+    #   `attributeName` for the attribute map is restore.
+    #   @return [Hash<String,Types::RdsDbSnapshotAttributeValue>]
+    #
+    # @!attribute [rw] kms_key_id
+    #   The KMS key identifier for an encrypted Amazon RDS DB snapshot. The
+    #   KMS key identifier is the key ARN, key ID, alias ARN, or alias name
+    #   for the KMS key.
+    #
+    #   * If the configuration is for an existing Amazon RDS DB snapshot and
+    #     you do not specify the `kmsKeyId`, or you specify an empty string,
+    #     then the access preview uses the existing `kmsKeyId` of the
+    #     snapshot.
+    #
+    #   * If the access preview is for a new resource and you do not specify
+    #     the specify the `kmsKeyId`, then the access preview considers the
+    #     snapshot as unencrypted.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/RdsDbSnapshotConfiguration AWS API Documentation
+    #
+    class RdsDbSnapshotConfiguration < Struct.new(
+      :attributes,
+      :kms_key_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The specified resource could not be found.
     #
     # @!attribute [rw] message
@@ -2640,7 +3067,7 @@ module Aws::AccessAnalyzer
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/https:/docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
+    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
     # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points-restrictions-limitations.html
     #
     # @note When making an API call, you may pass S3AccessPointConfiguration
@@ -2648,23 +3075,28 @@ module Aws::AccessAnalyzer
     #
     #       {
     #         access_point_policy: "AccessPointPolicy",
+    #         public_access_block: {
+    #           ignore_public_acls: false, # required
+    #           restrict_public_buckets: false, # required
+    #         },
     #         network_origin: {
-    #           internet_configuration: {
-    #           },
     #           vpc_configuration: {
     #             vpc_id: "VpcId", # required
     #           },
+    #           internet_configuration: {
+    #           },
     #         },
-    #         public_access_block: {
-    #           ignore_public_acls: false, # required
-    #           restrict_public_buckets: false, # required
-    #         },
     #       }
     #
     # @!attribute [rw] access_point_policy
     #   The access point or multi-region access point policy.
     #   @return [String]
     #
+    # @!attribute [rw] public_access_block
+    #   The proposed `S3PublicAccessBlock` configuration to apply to this
+    #   Amazon S3 access point or multi-region access point.
+    #   @return [Types::S3PublicAccessBlockConfiguration]
+    #
     # @!attribute [rw] network_origin
     #   The proposed `Internet` and `VpcConfiguration` to apply to this
     #   Amazon S3 access point. `VpcConfiguration` does not apply to
@@ -2675,17 +3107,12 @@ module Aws::AccessAnalyzer
     #   the exiting network origin.
     #   @return [Types::NetworkOriginConfiguration]
     #
-    # @!attribute [rw] public_access_block
-    #   The proposed `S3PublicAccessBlock` configuration to apply to this
-    #   Amazon S3 access point or multi-region access point.
-    #   @return [Types::S3PublicAccessBlockConfiguration]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3AccessPointConfiguration AWS API Documentation
     #
     class S3AccessPointConfiguration < Struct.new(
       :access_point_policy,
-      :network_origin,
-      :public_access_block)
+      :public_access_block,
+      :network_origin)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2701,26 +3128,26 @@ module Aws::AccessAnalyzer
     #   data as a hash:
     #
     #       {
+    #         permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
     #         grantee: { # required
     #           id: "AclCanonicalId",
     #           uri: "AclUri",
     #         },
-    #         permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
     #       }
     #
-    # @!attribute [rw] grantee
-    #   The grantee to whom you’re assigning access rights.
-    #   @return [Types::AclGrantee]
-    #
     # @!attribute [rw] permission
     #   The permissions being granted.
     #   @return [String]
     #
+    # @!attribute [rw] grantee
+    #   The grantee to whom you’re assigning access rights.
+    #   @return [Types::AclGrantee]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketAclGrantConfiguration AWS API Documentation
     #
     class S3BucketAclGrantConfiguration < Struct.new(
-      :grantee,
-      :permission)
+      :permission,
+      :grantee)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2747,43 +3174,41 @@ module Aws::AccessAnalyzer
     #   data as a hash:
     #
     #       {
-    #         access_points: {
-    #           "AccessPointArn" => {
-    #             access_point_policy: "AccessPointPolicy",
-    #             network_origin: {
-    #               internet_configuration: {
-    #               },
-    #               vpc_configuration: {
-    #                 vpc_id: "VpcId", # required
-    #               },
-    #             },
-    #             public_access_block: {
-    #               ignore_public_acls: false, # required
-    #               restrict_public_buckets: false, # required
-    #             },
-    #           },
-    #         },
+    #         bucket_policy: "S3BucketPolicy",
     #         bucket_acl_grants: [
     #           {
+    #             permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
     #             grantee: { # required
     #               id: "AclCanonicalId",
     #               uri: "AclUri",
     #             },
-    #             permission: "READ", # required, accepts READ, WRITE, READ_ACP, WRITE_ACP, FULL_CONTROL
     #           },
     #         ],
-    #         bucket_policy: "S3BucketPolicy",
     #         bucket_public_access_block: {
     #           ignore_public_acls: false, # required
     #           restrict_public_buckets: false, # required
     #         },
+    #         access_points: {
+    #           "AccessPointArn" => {
+    #             access_point_policy: "AccessPointPolicy",
+    #             public_access_block: {
+    #               ignore_public_acls: false, # required
+    #               restrict_public_buckets: false, # required
+    #             },
+    #             network_origin: {
+    #               vpc_configuration: {
+    #                 vpc_id: "VpcId", # required
+    #               },
+    #               internet_configuration: {
+    #               },
+    #             },
+    #           },
+    #         },
     #       }
     #
-    # @!attribute [rw] access_points
-    #   The configuration of Amazon S3 access points or multi-region access
-    #   points for the bucket. You can propose up to 10 new access points
-    #   per bucket.
-    #   @return [Hash<String,Types::S3AccessPointConfiguration>]
+    # @!attribute [rw] bucket_policy
+    #   The proposed bucket policy for the Amazon S3 bucket.
+    #   @return [String]
     #
     # @!attribute [rw] bucket_acl_grants
     #   The proposed list of ACL grants for the Amazon S3 bucket. You can
@@ -2794,22 +3219,24 @@ module Aws::AccessAnalyzer
     #   the bucket.
     #   @return [Array<Types::S3BucketAclGrantConfiguration>]
     #
-    # @!attribute [rw] bucket_policy
-    #   The proposed bucket policy for the Amazon S3 bucket.
-    #   @return [String]
-    #
     # @!attribute [rw] bucket_public_access_block
     #   The proposed block public access configuration for the Amazon S3
     #   bucket.
     #   @return [Types::S3PublicAccessBlockConfiguration]
     #
+    # @!attribute [rw] access_points
+    #   The configuration of Amazon S3 access points or multi-region access
+    #   points for the bucket. You can propose up to 10 new access points
+    #   per bucket.
+    #   @return [Hash<String,Types::S3AccessPointConfiguration>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketConfiguration AWS API Documentation
     #
     class S3BucketConfiguration < Struct.new(
-      :access_points,
-      :bucket_acl_grants,
       :bucket_policy,
-      :bucket_public_access_block)
+      :bucket_acl_grants,
+      :bucket_public_access_block,
+      :access_points)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2927,6 +3354,47 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # The proposed access control configuration for an Amazon SNS topic. You
+    # can propose a configuration for a new Amazon SNS topic or an existing
+    # Amazon SNS topic that you own by specifying the policy. If the
+    # configuration is for an existing Amazon SNS topic and you do not
+    # specify the Amazon SNS policy, then the access preview uses the
+    # existing Amazon SNS policy for the topic. If the access preview is for
+    # a new resource and you do not specify the policy, then the access
+    # preview assumes an Amazon SNS topic without a policy. To propose
+    # deletion of an existing Amazon SNS topic policy, you can specify an
+    # empty string for the Amazon SNS policy. For more information, see
+    # [Topic][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/sns/latest/api/API_Topic.html
+    #
+    # @note When making an API call, you may pass SnsTopicConfiguration
+    #   data as a hash:
+    #
+    #       {
+    #         topic_policy: "SnsTopicPolicy",
+    #       }
+    #
+    # @!attribute [rw] topic_policy
+    #   The JSON policy text that defines who can access an Amazon SNS
+    #   topic. For more information, see [Example cases for Amazon SNS
+    #   access control][1] in the *Amazon SNS Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SnsTopicConfiguration AWS API Documentation
+    #
+    class SnsTopicConfiguration < Struct.new(
+      :topic_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The criteria used to sort.
     #
     # @note When making an API call, you may pass SortCriteria
@@ -2957,19 +3425,19 @@ module Aws::AccessAnalyzer
     # A span in a policy. The span consists of a start position (inclusive)
     # and end position (exclusive).
     #
-    # @!attribute [rw] end
-    #   The end position of the span (exclusive).
-    #   @return [Types::Position]
-    #
     # @!attribute [rw] start
     #   The start position of the span (inclusive).
     #   @return [Types::Position]
     #
+    # @!attribute [rw] end
+    #   The end position of the span (exclusive).
+    #   @return [Types::Position]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Span AWS API Documentation
     #
     class Span < Struct.new(
-      :end,
-      :start)
+      :start,
+      :end)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3013,24 +3481,34 @@ module Aws::AccessAnalyzer
     #   data as a hash:
     #
     #       {
-    #         client_token: "String",
+    #         policy_generation_details: { # required
+    #           principal_arn: "PrincipalArn", # required
+    #         },
     #         cloud_trail_details: {
-    #           access_role: "RoleArn", # required
-    #           end_time: Time.now,
-    #           start_time: Time.now, # required
     #           trails: [ # required
     #             {
-    #               all_regions: false,
     #               cloud_trail_arn: "CloudTrailArn", # required
     #               regions: ["String"],
+    #               all_regions: false,
     #             },
     #           ],
+    #           access_role: "RoleArn", # required
+    #           start_time: Time.now, # required
+    #           end_time: Time.now,
     #         },
-    #         policy_generation_details: { # required
-    #           principal_arn: "PrincipalArn", # required
-    #         },
+    #         client_token: "String",
     #       }
     #
+    # @!attribute [rw] policy_generation_details
+    #   Contains the ARN of the IAM entity (user or role) for which you are
+    #   generating a policy.
+    #   @return [Types::PolicyGenerationDetails]
+    #
+    # @!attribute [rw] cloud_trail_details
+    #   A `CloudTrailDetails` object that contains details about a `Trail`
+    #   that you want to analyze to generate policies.
+    #   @return [Types::CloudTrailDetails]
+    #
     # @!attribute [rw] client_token
     #   A unique, case-sensitive identifier that you provide to ensure the
     #   idempotency of the request. Idempotency ensures that an API request
@@ -3046,22 +3524,12 @@ module Aws::AccessAnalyzer
     #   not need to pass this option.
     #   @return [String]
     #
-    # @!attribute [rw] cloud_trail_details
-    #   A `CloudTrailDetails` object that contains details about a `Trail`
-    #   that you want to analyze to generate policies.
-    #   @return [Types::CloudTrailDetails]
-    #
-    # @!attribute [rw] policy_generation_details
-    #   Contains the ARN of the IAM entity (user or role) for which you are
-    #   generating a policy.
-    #   @return [Types::PolicyGenerationDetails]
-    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/StartPolicyGenerationRequest AWS API Documentation
     #
     class StartPolicyGenerationRequest < Struct.new(
-      :client_token,
+      :policy_generation_details,
       :cloud_trail_details,
-      :policy_generation_details)
+      :client_token)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3089,6 +3557,7 @@ module Aws::AccessAnalyzer
     #       {
     #         analyzer_arn: "AnalyzerArn", # required
     #         resource_arn: "ResourceArn", # required
+    #         resource_owner_account: "String",
     #       }
     #
     # @!attribute [rw] analyzer_arn
@@ -3104,11 +3573,18 @@ module Aws::AccessAnalyzer
     #   The ARN of the resource to scan.
     #   @return [String]
     #
+    # @!attribute [rw] resource_owner_account
+    #   The Amazon Web Services account ID that owns the resource. For most
+    #   Amazon Web Services resources, the owning account is the account in
+    #   which the resource was created.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/StartResourceScanRequest AWS API Documentation
     #
     class StartResourceScanRequest < Struct.new(
       :analyzer_arn,
-      :resource_arn)
+      :resource_arn,
+      :resource_owner_account)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3133,19 +3609,19 @@ module Aws::AccessAnalyzer
 
     # A reference to a substring of a literal string in a JSON document.
     #
-    # @!attribute [rw] length
-    #   The length of the substring.
-    #   @return [Integer]
-    #
     # @!attribute [rw] start
     #   The start index of the substring, starting from 0.
     #   @return [Integer]
     #
+    # @!attribute [rw] length
+    #   The length of the substring.
+    #   @return [Integer]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Substring AWS API Documentation
     #
     class Substring < Struct.new(
-      :length,
-      :start)
+      :start,
+      :length)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3210,17 +3686,11 @@ module Aws::AccessAnalyzer
     #   data as a hash:
     #
     #       {
-    #         all_regions: false,
     #         cloud_trail_arn: "CloudTrailArn", # required
     #         regions: ["String"],
+    #         all_regions: false,
     #       }
     #
-    # @!attribute [rw] all_regions
-    #   Possible values are `true` or `false`. If set to `true`, IAM Access
-    #   Analyzer retrieves CloudTrail data from all regions to analyze and
-    #   generate a policy.
-    #   @return [Boolean]
-    #
     # @!attribute [rw] cloud_trail_arn
     #   Specifies the ARN of the trail. The format of a trail ARN is
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`.
@@ -3231,12 +3701,18 @@ module Aws::AccessAnalyzer
     #   generate a policy.
     #   @return [Array<String>]
     #
+    # @!attribute [rw] all_regions
+    #   Possible values are `true` or `false`. If set to `true`, IAM Access
+    #   Analyzer retrieves CloudTrail data from all regions to analyze and
+    #   generate a policy.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Trail AWS API Documentation
     #
     class Trail < Struct.new(
-      :all_regions,
       :cloud_trail_arn,
-      :regions)
+      :regions,
+      :all_regions)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3244,12 +3720,6 @@ module Aws::AccessAnalyzer
     # Contains details about the CloudTrail trail being analyzed to generate
     # a policy.
     #
-    # @!attribute [rw] all_regions
-    #   Possible values are `true` or `false`. If set to `true`, IAM Access
-    #   Analyzer retrieves CloudTrail data from all regions to analyze and
-    #   generate a policy.
-    #   @return [Boolean]
-    #
     # @!attribute [rw] cloud_trail_arn
     #   Specifies the ARN of the trail. The format of a trail ARN is
     #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`.
@@ -3260,12 +3730,18 @@ module Aws::AccessAnalyzer
     #   generate a policy.
     #   @return [Array<String>]
     #
+    # @!attribute [rw] all_regions
+    #   Possible values are `true` or `false`. If set to `true`, IAM Access
+    #   Analyzer retrieves CloudTrail data from all regions to analyze and
+    #   generate a policy.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/TrailProperties AWS API Documentation
     #
     class TrailProperties < Struct.new(
-      :all_regions,
       :cloud_trail_arn,
-      :regions)
+      :regions,
+      :all_regions)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3310,27 +3786,24 @@ module Aws::AccessAnalyzer
     #
     #       {
     #         analyzer_name: "Name", # required
-    #         client_token: "String",
+    #         rule_name: "Name", # required
     #         filter: { # required
     #           "String" => {
-    #             contains: ["String"],
     #             eq: ["String"],
-    #             exists: false,
     #             neq: ["String"],
+    #             contains: ["String"],
+    #             exists: false,
     #           },
     #         },
-    #         rule_name: "Name", # required
+    #         client_token: "String",
     #       }
     #
     # @!attribute [rw] analyzer_name
     #   The name of the analyzer to update the archive rules for.
     #   @return [String]
     #
-    # @!attribute [rw] client_token
-    #   A client token.
-    #
-    #   **A suitable default value is auto-generated.** You should normally
-    #   not need to pass this option.
+    # @!attribute [rw] rule_name
+    #   The name of the rule to update.
     #   @return [String]
     #
     # @!attribute [rw] filter
@@ -3338,17 +3811,20 @@ module Aws::AccessAnalyzer
     #   filter are updated.
     #   @return [Hash<String,Types::Criterion>]
     #
-    # @!attribute [rw] rule_name
-    #   The name of the rule to update.
+    # @!attribute [rw] client_token
+    #   A client token.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UpdateArchiveRuleRequest AWS API Documentation
     #
     class UpdateArchiveRuleRequest < Struct.new(
       :analyzer_name,
-      :client_token,
+      :rule_name,
       :filter,
-      :rule_name)
+      :client_token)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3360,10 +3836,10 @@ module Aws::AccessAnalyzer
     #
     #       {
     #         analyzer_arn: "AnalyzerArn", # required
-    #         client_token: "String",
+    #         status: "ACTIVE", # required, accepts ACTIVE, ARCHIVED
     #         ids: ["FindingId"],
     #         resource_arn: "ResourceArn",
-    #         status: "ACTIVE", # required, accepts ACTIVE, ARCHIVED
+    #         client_token: "String",
     #       }
     #
     # @!attribute [rw] analyzer_arn
@@ -3374,11 +3850,11 @@ module Aws::AccessAnalyzer
     #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
     #   @return [String]
     #
-    # @!attribute [rw] client_token
-    #   A client token.
-    #
-    #   **A suitable default value is auto-generated.** You should normally
-    #   not need to pass this option.
+    # @!attribute [rw] status
+    #   The state represents the action to take to update the finding
+    #   Status. Use `ARCHIVE` to change an Active finding to an Archived
+    #   finding. Use `ACTIVE` to change an Archived finding to an Active
+    #   finding.
     #   @return [String]
     #
     # @!attribute [rw] ids
@@ -3389,21 +3865,21 @@ module Aws::AccessAnalyzer
     #   The ARN of the resource identified in the finding.
     #   @return [String]
     #
-    # @!attribute [rw] status
-    #   The state represents the action to take to update the finding
-    #   Status. Use `ARCHIVE` to change an Active finding to an Archived
-    #   finding. Use `ACTIVE` to change an Archived finding to an Active
-    #   finding.
+    # @!attribute [rw] client_token
+    #   A client token.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UpdateFindingsRequest AWS API Documentation
     #
     class UpdateFindingsRequest < Struct.new(
       :analyzer_arn,
-      :client_token,
+      :status,
       :ids,
       :resource_arn,
-      :status)
+      :client_token)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3467,7 +3943,7 @@ module Aws::AccessAnalyzer
     #         next_token: "Token",
     #         policy_document: "PolicyDocument", # required
     #         policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY
-    #         validate_policy_resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::S3::AccessPoint, AWS::S3::MultiRegionAccessPoint, AWS::S3ObjectLambda::AccessPoint
+    #         validate_policy_resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::S3::AccessPoint, AWS::S3::MultiRegionAccessPoint, AWS::S3ObjectLambda::AccessPoint, AWS::IAM::AssumeRolePolicyDocument
     #       }
     #
     # @!attribute [rw] locale
@@ -3548,10 +4024,6 @@ module Aws::AccessAnalyzer
 
     # Validation exception error.
     #
-    # @!attribute [rw] field_list
-    #   A list of fields that didn't validate.
-    #   @return [Array<Types::ValidationExceptionField>]
-    #
     # @!attribute [rw] message
     #   @return [String]
     #
@@ -3559,31 +4031,35 @@ module Aws::AccessAnalyzer
     #   The reason for the exception.
     #   @return [String]
     #
+    # @!attribute [rw] field_list
+    #   A list of fields that didn't validate.
+    #   @return [Array<Types::ValidationExceptionField>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidationException AWS API Documentation
     #
     class ValidationException < Struct.new(
-      :field_list,
       :message,
-      :reason)
+      :reason,
+      :field_list)
       SENSITIVE = []
       include Aws::Structure
     end
 
     # Contains information about a validation exception.
     #
-    # @!attribute [rw] message
-    #   A message about the validation exception.
-    #   @return [String]
-    #
     # @!attribute [rw] name
     #   The name of the validation exception.
     #   @return [String]
     #
+    # @!attribute [rw] message
+    #   A message about the validation exception.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidationExceptionField AWS API Documentation
     #
     class ValidationExceptionField < Struct.new(
-      :message,
-      :name)
+      :name,
+      :message)
       SENSITIVE = []
       include Aws::Structure
     end