aws-sdk-accessanalyzer 1.42.0 → 1.44.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-accessanalyzer/client.rb +325 -19
- data/lib/aws-sdk-accessanalyzer/client_api.rb +247 -0
- data/lib/aws-sdk-accessanalyzer/endpoint_provider.rb +2 -2
- data/lib/aws-sdk-accessanalyzer/endpoints.rb +56 -0
- data/lib/aws-sdk-accessanalyzer/errors.rb +36 -0
- data/lib/aws-sdk-accessanalyzer/plugins/endpoints.rb +11 -2
- data/lib/aws-sdk-accessanalyzer/types.rb +724 -13
- data/lib/aws-sdk-accessanalyzer.rb +1 -1
- metadata +2 -2
@@ -10,6 +10,21 @@
|
|
10
10
|
module Aws::AccessAnalyzer
|
11
11
|
module Types
|
12
12
|
|
13
|
+
# Contains information about actions that define permissions to check
|
14
|
+
# against a policy.
|
15
|
+
#
|
16
|
+
# @!attribute [rw] actions
|
17
|
+
# A list of actions for the access permissions.
|
18
|
+
# @return [Array<String>]
|
19
|
+
#
|
20
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Access AWS API Documentation
|
21
|
+
#
|
22
|
+
class Access < Struct.new(
|
23
|
+
:actions)
|
24
|
+
SENSITIVE = []
|
25
|
+
include Aws::Structure
|
26
|
+
end
|
27
|
+
|
13
28
|
# You do not have sufficient access to perform this action.
|
14
29
|
#
|
15
30
|
# @!attribute [rw] message
|
@@ -379,6 +394,32 @@ module Aws::AccessAnalyzer
|
|
379
394
|
include Aws::Structure
|
380
395
|
end
|
381
396
|
|
397
|
+
# Contains information about the configuration of an unused access
|
398
|
+
# analyzer for an Amazon Web Services organization or account.
|
399
|
+
#
|
400
|
+
# @note AnalyzerConfiguration is a union - when making an API calls you must set exactly one of the members.
|
401
|
+
#
|
402
|
+
# @note AnalyzerConfiguration is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of AnalyzerConfiguration corresponding to the set member.
|
403
|
+
#
|
404
|
+
# @!attribute [rw] unused_access
|
405
|
+
# Specifies the configuration of an unused access analyzer for an
|
406
|
+
# Amazon Web Services organization or account. External access
|
407
|
+
# analyzers do not support any configuration.
|
408
|
+
# @return [Types::UnusedAccessConfiguration]
|
409
|
+
#
|
410
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AnalyzerConfiguration AWS API Documentation
|
411
|
+
#
|
412
|
+
class AnalyzerConfiguration < Struct.new(
|
413
|
+
:unused_access,
|
414
|
+
:unknown)
|
415
|
+
SENSITIVE = []
|
416
|
+
include Aws::Structure
|
417
|
+
include Aws::Structure::Union
|
418
|
+
|
419
|
+
class UnusedAccess < AnalyzerConfiguration; end
|
420
|
+
class Unknown < AnalyzerConfiguration; end
|
421
|
+
end
|
422
|
+
|
382
423
|
# Contains information about the analyzer.
|
383
424
|
#
|
384
425
|
# @!attribute [rw] arn
|
@@ -429,6 +470,11 @@ module Aws::AccessAnalyzer
|
|
429
470
|
# Web Services organization.
|
430
471
|
# @return [Types::StatusReason]
|
431
472
|
#
|
473
|
+
# @!attribute [rw] configuration
|
474
|
+
# Specifies whether the analyzer is an external access or unused
|
475
|
+
# access analyzer.
|
476
|
+
# @return [Types::AnalyzerConfiguration]
|
477
|
+
#
|
432
478
|
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AnalyzerSummary AWS API Documentation
|
433
479
|
#
|
434
480
|
class AnalyzerSummary < Struct.new(
|
@@ -440,7 +486,8 @@ module Aws::AccessAnalyzer
|
|
440
486
|
:last_resource_analyzed_at,
|
441
487
|
:tags,
|
442
488
|
:status,
|
443
|
-
:status_reason
|
489
|
+
:status_reason,
|
490
|
+
:configuration)
|
444
491
|
SENSITIVE = []
|
445
492
|
include Aws::Structure
|
446
493
|
end
|
@@ -520,6 +567,119 @@ module Aws::AccessAnalyzer
|
|
520
567
|
#
|
521
568
|
class CancelPolicyGenerationResponse < Aws::EmptyStructure; end
|
522
569
|
|
570
|
+
# @!attribute [rw] policy_document
|
571
|
+
# The JSON policy document to use as the content for the policy.
|
572
|
+
# @return [String]
|
573
|
+
#
|
574
|
+
# @!attribute [rw] access
|
575
|
+
# An access object containing the permissions that shouldn't be
|
576
|
+
# granted by the specified policy.
|
577
|
+
# @return [Array<Types::Access>]
|
578
|
+
#
|
579
|
+
# @!attribute [rw] policy_type
|
580
|
+
# The type of policy. Identity policies grant permissions to IAM
|
581
|
+
# principals. Identity policies include managed and inline policies
|
582
|
+
# for IAM roles, users, and groups.
|
583
|
+
#
|
584
|
+
# Resource policies grant permissions on Amazon Web Services
|
585
|
+
# resources. Resource policies include trust policies for IAM roles
|
586
|
+
# and bucket policies for Amazon S3 buckets. You can provide a generic
|
587
|
+
# input such as identity policy or resource policy or a specific input
|
588
|
+
# such as managed policy or Amazon S3 bucket policy.
|
589
|
+
# @return [String]
|
590
|
+
#
|
591
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckAccessNotGrantedRequest AWS API Documentation
|
592
|
+
#
|
593
|
+
class CheckAccessNotGrantedRequest < Struct.new(
|
594
|
+
:policy_document,
|
595
|
+
:access,
|
596
|
+
:policy_type)
|
597
|
+
SENSITIVE = [:policy_document]
|
598
|
+
include Aws::Structure
|
599
|
+
end
|
600
|
+
|
601
|
+
# @!attribute [rw] result
|
602
|
+
# The result of the check for whether the access is allowed. If the
|
603
|
+
# result is `PASS`, the specified policy doesn't allow any of the
|
604
|
+
# specified permissions in the access object. If the result is `FAIL`,
|
605
|
+
# the specified policy might allow some or all of the permissions in
|
606
|
+
# the access object.
|
607
|
+
# @return [String]
|
608
|
+
#
|
609
|
+
# @!attribute [rw] message
|
610
|
+
# The message indicating whether the specified access is allowed.
|
611
|
+
# @return [String]
|
612
|
+
#
|
613
|
+
# @!attribute [rw] reasons
|
614
|
+
# A description of the reasoning of the result.
|
615
|
+
# @return [Array<Types::ReasonSummary>]
|
616
|
+
#
|
617
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckAccessNotGrantedResponse AWS API Documentation
|
618
|
+
#
|
619
|
+
class CheckAccessNotGrantedResponse < Struct.new(
|
620
|
+
:result,
|
621
|
+
:message,
|
622
|
+
:reasons)
|
623
|
+
SENSITIVE = []
|
624
|
+
include Aws::Structure
|
625
|
+
end
|
626
|
+
|
627
|
+
# @!attribute [rw] new_policy_document
|
628
|
+
# The JSON policy document to use as the content for the updated
|
629
|
+
# policy.
|
630
|
+
# @return [String]
|
631
|
+
#
|
632
|
+
# @!attribute [rw] existing_policy_document
|
633
|
+
# The JSON policy document to use as the content for the existing
|
634
|
+
# policy.
|
635
|
+
# @return [String]
|
636
|
+
#
|
637
|
+
# @!attribute [rw] policy_type
|
638
|
+
# The type of policy to compare. Identity policies grant permissions
|
639
|
+
# to IAM principals. Identity policies include managed and inline
|
640
|
+
# policies for IAM roles, users, and groups.
|
641
|
+
#
|
642
|
+
# Resource policies grant permissions on Amazon Web Services
|
643
|
+
# resources. Resource policies include trust policies for IAM roles
|
644
|
+
# and bucket policies for Amazon S3 buckets. You can provide a generic
|
645
|
+
# input such as identity policy or resource policy or a specific input
|
646
|
+
# such as managed policy or Amazon S3 bucket policy.
|
647
|
+
# @return [String]
|
648
|
+
#
|
649
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckNoNewAccessRequest AWS API Documentation
|
650
|
+
#
|
651
|
+
class CheckNoNewAccessRequest < Struct.new(
|
652
|
+
:new_policy_document,
|
653
|
+
:existing_policy_document,
|
654
|
+
:policy_type)
|
655
|
+
SENSITIVE = [:new_policy_document, :existing_policy_document]
|
656
|
+
include Aws::Structure
|
657
|
+
end
|
658
|
+
|
659
|
+
# @!attribute [rw] result
|
660
|
+
# The result of the check for new access. If the result is `PASS`, no
|
661
|
+
# new access is allowed by the updated policy. If the result is
|
662
|
+
# `FAIL`, the updated policy might allow new access.
|
663
|
+
# @return [String]
|
664
|
+
#
|
665
|
+
# @!attribute [rw] message
|
666
|
+
# The message indicating whether the updated policy allows new access.
|
667
|
+
# @return [String]
|
668
|
+
#
|
669
|
+
# @!attribute [rw] reasons
|
670
|
+
# A description of the reasoning of the result.
|
671
|
+
# @return [Array<Types::ReasonSummary>]
|
672
|
+
#
|
673
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckNoNewAccessResponse AWS API Documentation
|
674
|
+
#
|
675
|
+
class CheckNoNewAccessResponse < Struct.new(
|
676
|
+
:result,
|
677
|
+
:message,
|
678
|
+
:reasons)
|
679
|
+
SENSITIVE = []
|
680
|
+
include Aws::Structure
|
681
|
+
end
|
682
|
+
|
523
683
|
# Contains information about CloudTrail access.
|
524
684
|
#
|
525
685
|
# @!attribute [rw] trails
|
@@ -628,7 +788,7 @@ module Aws::AccessAnalyzer
|
|
628
788
|
# @return [Types::SecretsManagerSecretConfiguration]
|
629
789
|
#
|
630
790
|
# @!attribute [rw] s3_bucket
|
631
|
-
# The access control configuration is for an Amazon S3
|
791
|
+
# The access control configuration is for an Amazon S3 bucket.
|
632
792
|
# @return [Types::S3BucketConfiguration]
|
633
793
|
#
|
634
794
|
# @!attribute [rw] sns_topic
|
@@ -639,6 +799,11 @@ module Aws::AccessAnalyzer
|
|
639
799
|
# The access control configuration is for an Amazon SQS queue.
|
640
800
|
# @return [Types::SqsQueueConfiguration]
|
641
801
|
#
|
802
|
+
# @!attribute [rw] s3_express_directory_bucket
|
803
|
+
# The access control configuration is for an Amazon S3 directory
|
804
|
+
# bucket.
|
805
|
+
# @return [Types::S3ExpressDirectoryBucketConfiguration]
|
806
|
+
#
|
642
807
|
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Configuration AWS API Documentation
|
643
808
|
#
|
644
809
|
class Configuration < Struct.new(
|
@@ -653,6 +818,7 @@ module Aws::AccessAnalyzer
|
|
653
818
|
:s3_bucket,
|
654
819
|
:sns_topic,
|
655
820
|
:sqs_queue,
|
821
|
+
:s3_express_directory_bucket,
|
656
822
|
:unknown)
|
657
823
|
SENSITIVE = []
|
658
824
|
include Aws::Structure
|
@@ -669,6 +835,7 @@ module Aws::AccessAnalyzer
|
|
669
835
|
class S3Bucket < Configuration; end
|
670
836
|
class SnsTopic < Configuration; end
|
671
837
|
class SqsQueue < Configuration; end
|
838
|
+
class S3ExpressDirectoryBucket < Configuration; end
|
672
839
|
class Unknown < Configuration; end
|
673
840
|
end
|
674
841
|
|
@@ -749,10 +916,11 @@ module Aws::AccessAnalyzer
|
|
749
916
|
# @return [String]
|
750
917
|
#
|
751
918
|
# @!attribute [rw] type
|
752
|
-
# The type of analyzer to create. Only ACCOUNT
|
753
|
-
#
|
754
|
-
#
|
755
|
-
# organization per
|
919
|
+
# The type of analyzer to create. Only `ACCOUNT`, `ORGANIZATION`,
|
920
|
+
# `ACCOUNT_UNUSED_ACCESS`, and `ORGANIZTAION_UNUSED_ACCESS` analyzers
|
921
|
+
# are supported. You can create only one analyzer per account per
|
922
|
+
# Region. You can create up to 5 analyzers per organization per
|
923
|
+
# Region.
|
756
924
|
# @return [String]
|
757
925
|
#
|
758
926
|
# @!attribute [rw] archive_rules
|
@@ -762,7 +930,7 @@ module Aws::AccessAnalyzer
|
|
762
930
|
# @return [Array<Types::InlineArchiveRule>]
|
763
931
|
#
|
764
932
|
# @!attribute [rw] tags
|
765
|
-
#
|
933
|
+
# An array of key-value pairs to apply to the analyzer.
|
766
934
|
# @return [Hash<String,String>]
|
767
935
|
#
|
768
936
|
# @!attribute [rw] client_token
|
@@ -772,6 +940,13 @@ module Aws::AccessAnalyzer
|
|
772
940
|
# not need to pass this option.
|
773
941
|
# @return [String]
|
774
942
|
#
|
943
|
+
# @!attribute [rw] configuration
|
944
|
+
# Specifies the configuration of the analyzer. If the analyzer is an
|
945
|
+
# unused access analyzer, the specified scope of unused access is used
|
946
|
+
# for the configuration. If the analyzer is an external access
|
947
|
+
# analyzer, this field is not used.
|
948
|
+
# @return [Types::AnalyzerConfiguration]
|
949
|
+
#
|
775
950
|
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerRequest AWS API Documentation
|
776
951
|
#
|
777
952
|
class CreateAnalyzerRequest < Struct.new(
|
@@ -779,7 +954,8 @@ module Aws::AccessAnalyzer
|
|
779
954
|
:type,
|
780
955
|
:archive_rules,
|
781
956
|
:tags,
|
782
|
-
:client_token
|
957
|
+
:client_token,
|
958
|
+
:configuration)
|
783
959
|
SENSITIVE = []
|
784
960
|
include Aws::Structure
|
785
961
|
end
|
@@ -1065,6 +1241,45 @@ module Aws::AccessAnalyzer
|
|
1065
1241
|
include Aws::Structure
|
1066
1242
|
end
|
1067
1243
|
|
1244
|
+
# Contains information about an external access finding.
|
1245
|
+
#
|
1246
|
+
# @!attribute [rw] action
|
1247
|
+
# The action in the analyzed policy statement that an external
|
1248
|
+
# principal has permission to use.
|
1249
|
+
# @return [Array<String>]
|
1250
|
+
#
|
1251
|
+
# @!attribute [rw] condition
|
1252
|
+
# The condition in the analyzed policy statement that resulted in an
|
1253
|
+
# external access finding.
|
1254
|
+
# @return [Hash<String,String>]
|
1255
|
+
#
|
1256
|
+
# @!attribute [rw] is_public
|
1257
|
+
# Specifies whether the external access finding is public.
|
1258
|
+
# @return [Boolean]
|
1259
|
+
#
|
1260
|
+
# @!attribute [rw] principal
|
1261
|
+
# The external principal that has access to a resource within the zone
|
1262
|
+
# of trust.
|
1263
|
+
# @return [Hash<String,String>]
|
1264
|
+
#
|
1265
|
+
# @!attribute [rw] sources
|
1266
|
+
# The sources of the external access finding. This indicates how the
|
1267
|
+
# access that generated the finding is granted. It is populated for
|
1268
|
+
# Amazon S3 bucket findings.
|
1269
|
+
# @return [Array<Types::FindingSource>]
|
1270
|
+
#
|
1271
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ExternalAccessDetails AWS API Documentation
|
1272
|
+
#
|
1273
|
+
class ExternalAccessDetails < Struct.new(
|
1274
|
+
:action,
|
1275
|
+
:condition,
|
1276
|
+
:is_public,
|
1277
|
+
:principal,
|
1278
|
+
:sources)
|
1279
|
+
SENSITIVE = []
|
1280
|
+
include Aws::Structure
|
1281
|
+
end
|
1282
|
+
|
1068
1283
|
# Contains information about a finding.
|
1069
1284
|
#
|
1070
1285
|
# @!attribute [rw] id
|
@@ -1072,8 +1287,8 @@ module Aws::AccessAnalyzer
|
|
1072
1287
|
# @return [String]
|
1073
1288
|
#
|
1074
1289
|
# @!attribute [rw] principal
|
1075
|
-
# The external principal that access to a resource within the zone
|
1076
|
-
# trust.
|
1290
|
+
# The external principal that has access to a resource within the zone
|
1291
|
+
# of trust.
|
1077
1292
|
# @return [Hash<String,String>]
|
1078
1293
|
#
|
1079
1294
|
# @!attribute [rw] action
|
@@ -1150,6 +1365,56 @@ module Aws::AccessAnalyzer
|
|
1150
1365
|
include Aws::Structure
|
1151
1366
|
end
|
1152
1367
|
|
1368
|
+
# Contains information about an external access or unused access
|
1369
|
+
# finding. Only one parameter can be used in a `FindingDetails` object.
|
1370
|
+
#
|
1371
|
+
# @note FindingDetails is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of FindingDetails corresponding to the set member.
|
1372
|
+
#
|
1373
|
+
# @!attribute [rw] external_access_details
|
1374
|
+
# The details for an external access analyzer finding.
|
1375
|
+
# @return [Types::ExternalAccessDetails]
|
1376
|
+
#
|
1377
|
+
# @!attribute [rw] unused_permission_details
|
1378
|
+
# The details for an unused access analyzer finding with an unused
|
1379
|
+
# permission finding type.
|
1380
|
+
# @return [Types::UnusedPermissionDetails]
|
1381
|
+
#
|
1382
|
+
# @!attribute [rw] unused_iam_user_access_key_details
|
1383
|
+
# The details for an unused access analyzer finding with an unused IAM
|
1384
|
+
# user access key finding type.
|
1385
|
+
# @return [Types::UnusedIamUserAccessKeyDetails]
|
1386
|
+
#
|
1387
|
+
# @!attribute [rw] unused_iam_role_details
|
1388
|
+
# The details for an unused access analyzer finding with an unused IAM
|
1389
|
+
# role finding type.
|
1390
|
+
# @return [Types::UnusedIamRoleDetails]
|
1391
|
+
#
|
1392
|
+
# @!attribute [rw] unused_iam_user_password_details
|
1393
|
+
# The details for an unused access analyzer finding with an unused IAM
|
1394
|
+
# user password finding type.
|
1395
|
+
# @return [Types::UnusedIamUserPasswordDetails]
|
1396
|
+
#
|
1397
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingDetails AWS API Documentation
|
1398
|
+
#
|
1399
|
+
class FindingDetails < Struct.new(
|
1400
|
+
:external_access_details,
|
1401
|
+
:unused_permission_details,
|
1402
|
+
:unused_iam_user_access_key_details,
|
1403
|
+
:unused_iam_role_details,
|
1404
|
+
:unused_iam_user_password_details,
|
1405
|
+
:unknown)
|
1406
|
+
SENSITIVE = []
|
1407
|
+
include Aws::Structure
|
1408
|
+
include Aws::Structure::Union
|
1409
|
+
|
1410
|
+
class ExternalAccessDetails < FindingDetails; end
|
1411
|
+
class UnusedPermissionDetails < FindingDetails; end
|
1412
|
+
class UnusedIamUserAccessKeyDetails < FindingDetails; end
|
1413
|
+
class UnusedIamRoleDetails < FindingDetails; end
|
1414
|
+
class UnusedIamUserPasswordDetails < FindingDetails; end
|
1415
|
+
class Unknown < FindingDetails; end
|
1416
|
+
end
|
1417
|
+
|
1153
1418
|
# The source of the finding. This indicates how the access that
|
1154
1419
|
# generated the finding is granted. It is populated for Amazon S3 bucket
|
1155
1420
|
# findings.
|
@@ -1281,6 +1546,66 @@ module Aws::AccessAnalyzer
|
|
1281
1546
|
include Aws::Structure
|
1282
1547
|
end
|
1283
1548
|
|
1549
|
+
# Contains information about a finding.
|
1550
|
+
#
|
1551
|
+
# @!attribute [rw] analyzed_at
|
1552
|
+
# The time at which the resource-based policy or IAM entity that
|
1553
|
+
# generated the finding was analyzed.
|
1554
|
+
# @return [Time]
|
1555
|
+
#
|
1556
|
+
# @!attribute [rw] created_at
|
1557
|
+
# The time at which the finding was created.
|
1558
|
+
# @return [Time]
|
1559
|
+
#
|
1560
|
+
# @!attribute [rw] error
|
1561
|
+
# The error that resulted in an Error finding.
|
1562
|
+
# @return [String]
|
1563
|
+
#
|
1564
|
+
# @!attribute [rw] id
|
1565
|
+
# The ID of the finding.
|
1566
|
+
# @return [String]
|
1567
|
+
#
|
1568
|
+
# @!attribute [rw] resource
|
1569
|
+
# The resource that the external principal has access to.
|
1570
|
+
# @return [String]
|
1571
|
+
#
|
1572
|
+
# @!attribute [rw] resource_type
|
1573
|
+
# The type of the resource that the external principal has access to.
|
1574
|
+
# @return [String]
|
1575
|
+
#
|
1576
|
+
# @!attribute [rw] resource_owner_account
|
1577
|
+
# The Amazon Web Services account ID that owns the resource.
|
1578
|
+
# @return [String]
|
1579
|
+
#
|
1580
|
+
# @!attribute [rw] status
|
1581
|
+
# The status of the finding.
|
1582
|
+
# @return [String]
|
1583
|
+
#
|
1584
|
+
# @!attribute [rw] updated_at
|
1585
|
+
# The time at which the finding was most recently updated.
|
1586
|
+
# @return [Time]
|
1587
|
+
#
|
1588
|
+
# @!attribute [rw] finding_type
|
1589
|
+
# The type of the external access or unused access finding.
|
1590
|
+
# @return [String]
|
1591
|
+
#
|
1592
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingSummaryV2 AWS API Documentation
|
1593
|
+
#
|
1594
|
+
class FindingSummaryV2 < Struct.new(
|
1595
|
+
:analyzed_at,
|
1596
|
+
:created_at,
|
1597
|
+
:error,
|
1598
|
+
:id,
|
1599
|
+
:resource,
|
1600
|
+
:resource_type,
|
1601
|
+
:resource_owner_account,
|
1602
|
+
:status,
|
1603
|
+
:updated_at,
|
1604
|
+
:finding_type)
|
1605
|
+
SENSITIVE = []
|
1606
|
+
include Aws::Structure
|
1607
|
+
end
|
1608
|
+
|
1284
1609
|
# Contains the text for the generated policy.
|
1285
1610
|
#
|
1286
1611
|
# @!attribute [rw] policy
|
@@ -1522,6 +1847,109 @@ module Aws::AccessAnalyzer
|
|
1522
1847
|
include Aws::Structure
|
1523
1848
|
end
|
1524
1849
|
|
1850
|
+
# @!attribute [rw] analyzer_arn
|
1851
|
+
# The [ARN of the analyzer][1] that generated the finding.
|
1852
|
+
#
|
1853
|
+
#
|
1854
|
+
#
|
1855
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
|
1856
|
+
# @return [String]
|
1857
|
+
#
|
1858
|
+
# @!attribute [rw] id
|
1859
|
+
# The ID of the finding to retrieve.
|
1860
|
+
# @return [String]
|
1861
|
+
#
|
1862
|
+
# @!attribute [rw] max_results
|
1863
|
+
# The maximum number of results to return in the response.
|
1864
|
+
# @return [Integer]
|
1865
|
+
#
|
1866
|
+
# @!attribute [rw] next_token
|
1867
|
+
# A token used for pagination of results returned.
|
1868
|
+
# @return [String]
|
1869
|
+
#
|
1870
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetFindingV2Request AWS API Documentation
|
1871
|
+
#
|
1872
|
+
class GetFindingV2Request < Struct.new(
|
1873
|
+
:analyzer_arn,
|
1874
|
+
:id,
|
1875
|
+
:max_results,
|
1876
|
+
:next_token)
|
1877
|
+
SENSITIVE = []
|
1878
|
+
include Aws::Structure
|
1879
|
+
end
|
1880
|
+
|
1881
|
+
# @!attribute [rw] analyzed_at
|
1882
|
+
# The time at which the resource-based policy or IAM entity that
|
1883
|
+
# generated the finding was analyzed.
|
1884
|
+
# @return [Time]
|
1885
|
+
#
|
1886
|
+
# @!attribute [rw] created_at
|
1887
|
+
# The time at which the finding was created.
|
1888
|
+
# @return [Time]
|
1889
|
+
#
|
1890
|
+
# @!attribute [rw] error
|
1891
|
+
# An error.
|
1892
|
+
# @return [String]
|
1893
|
+
#
|
1894
|
+
# @!attribute [rw] id
|
1895
|
+
# The ID of the finding to retrieve.
|
1896
|
+
# @return [String]
|
1897
|
+
#
|
1898
|
+
# @!attribute [rw] next_token
|
1899
|
+
# A token used for pagination of results returned.
|
1900
|
+
# @return [String]
|
1901
|
+
#
|
1902
|
+
# @!attribute [rw] resource
|
1903
|
+
# The resource that generated the finding.
|
1904
|
+
# @return [String]
|
1905
|
+
#
|
1906
|
+
# @!attribute [rw] resource_type
|
1907
|
+
# The type of the resource identified in the finding.
|
1908
|
+
# @return [String]
|
1909
|
+
#
|
1910
|
+
# @!attribute [rw] resource_owner_account
|
1911
|
+
# Tye Amazon Web Services account ID that owns the resource.
|
1912
|
+
# @return [String]
|
1913
|
+
#
|
1914
|
+
# @!attribute [rw] status
|
1915
|
+
# The status of the finding.
|
1916
|
+
# @return [String]
|
1917
|
+
#
|
1918
|
+
# @!attribute [rw] updated_at
|
1919
|
+
# The time at which the finding was updated.
|
1920
|
+
# @return [Time]
|
1921
|
+
#
|
1922
|
+
# @!attribute [rw] finding_details
|
1923
|
+
# A localized message that explains the finding and provides guidance
|
1924
|
+
# on how to address it.
|
1925
|
+
# @return [Array<Types::FindingDetails>]
|
1926
|
+
#
|
1927
|
+
# @!attribute [rw] finding_type
|
1928
|
+
# The type of the finding. For external access analyzers, the type is
|
1929
|
+
# `ExternalAccess`. For unused access analyzers, the type can be
|
1930
|
+
# `UnusedIAMRole`, `UnusedIAMUserAccessKey`, `UnusedIAMUserPassword`,
|
1931
|
+
# or `UnusedPermission`.
|
1932
|
+
# @return [String]
|
1933
|
+
#
|
1934
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetFindingV2Response AWS API Documentation
|
1935
|
+
#
|
1936
|
+
class GetFindingV2Response < Struct.new(
|
1937
|
+
:analyzed_at,
|
1938
|
+
:created_at,
|
1939
|
+
:error,
|
1940
|
+
:id,
|
1941
|
+
:next_token,
|
1942
|
+
:resource,
|
1943
|
+
:resource_type,
|
1944
|
+
:resource_owner_account,
|
1945
|
+
:status,
|
1946
|
+
:updated_at,
|
1947
|
+
:finding_details,
|
1948
|
+
:finding_type)
|
1949
|
+
SENSITIVE = []
|
1950
|
+
include Aws::Structure
|
1951
|
+
end
|
1952
|
+
|
1525
1953
|
# @!attribute [rw] job_id
|
1526
1954
|
# The `JobId` that is returned by the `StartPolicyGeneration`
|
1527
1955
|
# operation. The `JobId` can be used with `GetGeneratedPolicy` to
|
@@ -1650,6 +2078,19 @@ module Aws::AccessAnalyzer
|
|
1650
2078
|
#
|
1651
2079
|
class InternetConfiguration < Aws::EmptyStructure; end
|
1652
2080
|
|
2081
|
+
# The specified parameter is invalid.
|
2082
|
+
#
|
2083
|
+
# @!attribute [rw] message
|
2084
|
+
# @return [String]
|
2085
|
+
#
|
2086
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InvalidParameterException AWS API Documentation
|
2087
|
+
#
|
2088
|
+
class InvalidParameterException < Struct.new(
|
2089
|
+
:message)
|
2090
|
+
SENSITIVE = []
|
2091
|
+
include Aws::Structure
|
2092
|
+
end
|
2093
|
+
|
1653
2094
|
# Contains details about the policy generation request.
|
1654
2095
|
#
|
1655
2096
|
# @!attribute [rw] job_id
|
@@ -2144,6 +2585,60 @@ module Aws::AccessAnalyzer
|
|
2144
2585
|
include Aws::Structure
|
2145
2586
|
end
|
2146
2587
|
|
2588
|
+
# @!attribute [rw] analyzer_arn
|
2589
|
+
# The [ARN of the analyzer][1] to retrieve findings from.
|
2590
|
+
#
|
2591
|
+
#
|
2592
|
+
#
|
2593
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
|
2594
|
+
# @return [String]
|
2595
|
+
#
|
2596
|
+
# @!attribute [rw] filter
|
2597
|
+
# A filter to match for the findings to return.
|
2598
|
+
# @return [Hash<String,Types::Criterion>]
|
2599
|
+
#
|
2600
|
+
# @!attribute [rw] max_results
|
2601
|
+
# The maximum number of results to return in the response.
|
2602
|
+
# @return [Integer]
|
2603
|
+
#
|
2604
|
+
# @!attribute [rw] next_token
|
2605
|
+
# A token used for pagination of results returned.
|
2606
|
+
# @return [String]
|
2607
|
+
#
|
2608
|
+
# @!attribute [rw] sort
|
2609
|
+
# The criteria used to sort.
|
2610
|
+
# @return [Types::SortCriteria]
|
2611
|
+
#
|
2612
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsV2Request AWS API Documentation
|
2613
|
+
#
|
2614
|
+
class ListFindingsV2Request < Struct.new(
|
2615
|
+
:analyzer_arn,
|
2616
|
+
:filter,
|
2617
|
+
:max_results,
|
2618
|
+
:next_token,
|
2619
|
+
:sort)
|
2620
|
+
SENSITIVE = []
|
2621
|
+
include Aws::Structure
|
2622
|
+
end
|
2623
|
+
|
2624
|
+
# @!attribute [rw] findings
|
2625
|
+
# A list of findings retrieved from the analyzer that match the filter
|
2626
|
+
# criteria specified, if any.
|
2627
|
+
# @return [Array<Types::FindingSummaryV2>]
|
2628
|
+
#
|
2629
|
+
# @!attribute [rw] next_token
|
2630
|
+
# A token used for pagination of results returned.
|
2631
|
+
# @return [String]
|
2632
|
+
#
|
2633
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsV2Response AWS API Documentation
|
2634
|
+
#
|
2635
|
+
class ListFindingsV2Response < Struct.new(
|
2636
|
+
:findings,
|
2637
|
+
:next_token)
|
2638
|
+
SENSITIVE = []
|
2639
|
+
include Aws::Structure
|
2640
|
+
end
|
2641
|
+
|
2147
2642
|
# @!attribute [rw] principal_arn
|
2148
2643
|
# The ARN of the IAM entity (user or role) for which you are
|
2149
2644
|
# generating a policy. Use this with `ListGeneratedPolicies` to filter
|
@@ -2566,6 +3061,31 @@ module Aws::AccessAnalyzer
|
|
2566
3061
|
include Aws::Structure
|
2567
3062
|
end
|
2568
3063
|
|
3064
|
+
# Contains information about the reasoning why a check for access passed
|
3065
|
+
# or failed.
|
3066
|
+
#
|
3067
|
+
# @!attribute [rw] description
|
3068
|
+
# A description of the reasoning of a result of checking for access.
|
3069
|
+
# @return [String]
|
3070
|
+
#
|
3071
|
+
# @!attribute [rw] statement_index
|
3072
|
+
# The index number of the reason statement.
|
3073
|
+
# @return [Integer]
|
3074
|
+
#
|
3075
|
+
# @!attribute [rw] statement_id
|
3076
|
+
# The identifier for the reason statement.
|
3077
|
+
# @return [String]
|
3078
|
+
#
|
3079
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ReasonSummary AWS API Documentation
|
3080
|
+
#
|
3081
|
+
class ReasonSummary < Struct.new(
|
3082
|
+
:description,
|
3083
|
+
:statement_index,
|
3084
|
+
:statement_id)
|
3085
|
+
SENSITIVE = []
|
3086
|
+
include Aws::Structure
|
3087
|
+
end
|
3088
|
+
|
2569
3089
|
# The specified resource could not be found.
|
2570
3090
|
#
|
2571
3091
|
# @!attribute [rw] message
|
@@ -2711,6 +3231,35 @@ module Aws::AccessAnalyzer
|
|
2711
3231
|
include Aws::Structure
|
2712
3232
|
end
|
2713
3233
|
|
3234
|
+
# Proposed access control configuration for an Amazon S3 directory
|
3235
|
+
# bucket. You can propose a configuration for a new Amazon S3 directory
|
3236
|
+
# bucket or an existing Amazon S3 directory bucket that you own by
|
3237
|
+
# specifying the Amazon S3 bucket policy. If the configuration is for an
|
3238
|
+
# existing Amazon S3 directory bucket and you do not specify the Amazon
|
3239
|
+
# S3 bucket policy, the access preview uses the existing policy attached
|
3240
|
+
# to the directory bucket. If the access preview is for a new resource
|
3241
|
+
# and you do not specify the Amazon S3 bucket policy, the access preview
|
3242
|
+
# assumes an directory bucket without a policy. To propose deletion of
|
3243
|
+
# an existing bucket policy, you can specify an empty string. For more
|
3244
|
+
# information about bucket policy limits, see [Example bucket
|
3245
|
+
# policies][1].
|
3246
|
+
#
|
3247
|
+
#
|
3248
|
+
#
|
3249
|
+
# [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
|
3250
|
+
#
|
3251
|
+
# @!attribute [rw] bucket_policy
|
3252
|
+
# The proposed bucket policy for the Amazon S3 directory bucket.
|
3253
|
+
# @return [String]
|
3254
|
+
#
|
3255
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3ExpressDirectoryBucketConfiguration AWS API Documentation
|
3256
|
+
#
|
3257
|
+
class S3ExpressDirectoryBucketConfiguration < Struct.new(
|
3258
|
+
:bucket_policy)
|
3259
|
+
SENSITIVE = []
|
3260
|
+
include Aws::Structure
|
3261
|
+
end
|
3262
|
+
|
2714
3263
|
# The `PublicAccessBlock` configuration to apply to this Amazon S3
|
2715
3264
|
# bucket. If the proposed configuration is for an existing Amazon S3
|
2716
3265
|
# bucket and the configuration is not specified, the access preview uses
|
@@ -3128,6 +3677,19 @@ module Aws::AccessAnalyzer
|
|
3128
3677
|
include Aws::Structure
|
3129
3678
|
end
|
3130
3679
|
|
3680
|
+
# The specified entity could not be processed.
|
3681
|
+
#
|
3682
|
+
# @!attribute [rw] message
|
3683
|
+
# @return [String]
|
3684
|
+
#
|
3685
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnprocessableEntityException AWS API Documentation
|
3686
|
+
#
|
3687
|
+
class UnprocessableEntityException < Struct.new(
|
3688
|
+
:message)
|
3689
|
+
SENSITIVE = []
|
3690
|
+
include Aws::Structure
|
3691
|
+
end
|
3692
|
+
|
3131
3693
|
# Removes a tag from the specified resource.
|
3132
3694
|
#
|
3133
3695
|
# @!attribute [rw] resource_arn
|
@@ -3153,6 +3715,153 @@ module Aws::AccessAnalyzer
|
|
3153
3715
|
#
|
3154
3716
|
class UntagResourceResponse < Aws::EmptyStructure; end
|
3155
3717
|
|
3718
|
+
# Contains information about an unused access analyzer.
|
3719
|
+
#
|
3720
|
+
# @!attribute [rw] unused_access_age
|
3721
|
+
# The specified access age in days for which to generate findings for
|
3722
|
+
# unused access. For example, if you specify 90 days, the analyzer
|
3723
|
+
# will generate findings for IAM entities within the accounts of the
|
3724
|
+
# selected organization for any access that hasn't been used in 90 or
|
3725
|
+
# more days since the analyzer's last scan. You can choose a value
|
3726
|
+
# between 1 and 180 days.
|
3727
|
+
# @return [Integer]
|
3728
|
+
#
|
3729
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedAccessConfiguration AWS API Documentation
|
3730
|
+
#
|
3731
|
+
class UnusedAccessConfiguration < Struct.new(
|
3732
|
+
:unused_access_age)
|
3733
|
+
SENSITIVE = []
|
3734
|
+
include Aws::Structure
|
3735
|
+
end
|
3736
|
+
|
3737
|
+
# Contains information about an unused access finding for an action. IAM
|
3738
|
+
# Access Analyzer charges for unused access analysis based on the number
|
3739
|
+
# of IAM roles and users analyzed per month. For more details on
|
3740
|
+
# pricing, see [IAM Access Analyzer pricing][1].
|
3741
|
+
#
|
3742
|
+
#
|
3743
|
+
#
|
3744
|
+
# [1]: https://aws.amazon.com/iam/access-analyzer/pricing
|
3745
|
+
#
|
3746
|
+
# @!attribute [rw] action
|
3747
|
+
# The action for which the unused access finding was generated.
|
3748
|
+
# @return [String]
|
3749
|
+
#
|
3750
|
+
# @!attribute [rw] last_accessed
|
3751
|
+
# The time at which the action was last accessed.
|
3752
|
+
# @return [Time]
|
3753
|
+
#
|
3754
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedAction AWS API Documentation
|
3755
|
+
#
|
3756
|
+
class UnusedAction < Struct.new(
|
3757
|
+
:action,
|
3758
|
+
:last_accessed)
|
3759
|
+
SENSITIVE = []
|
3760
|
+
include Aws::Structure
|
3761
|
+
end
|
3762
|
+
|
3763
|
+
# Contains information about an unused access finding for an IAM role.
|
3764
|
+
# IAM Access Analyzer charges for unused access analysis based on the
|
3765
|
+
# number of IAM roles and users analyzed per month. For more details on
|
3766
|
+
# pricing, see [IAM Access Analyzer pricing][1].
|
3767
|
+
#
|
3768
|
+
#
|
3769
|
+
#
|
3770
|
+
# [1]: https://aws.amazon.com/iam/access-analyzer/pricing
|
3771
|
+
#
|
3772
|
+
# @!attribute [rw] last_accessed
|
3773
|
+
# The time at which the role was last accessed.
|
3774
|
+
# @return [Time]
|
3775
|
+
#
|
3776
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedIamRoleDetails AWS API Documentation
|
3777
|
+
#
|
3778
|
+
class UnusedIamRoleDetails < Struct.new(
|
3779
|
+
:last_accessed)
|
3780
|
+
SENSITIVE = []
|
3781
|
+
include Aws::Structure
|
3782
|
+
end
|
3783
|
+
|
3784
|
+
# Contains information about an unused access finding for an IAM user
|
3785
|
+
# access key. IAM Access Analyzer charges for unused access analysis
|
3786
|
+
# based on the number of IAM roles and users analyzed per month. For
|
3787
|
+
# more details on pricing, see [IAM Access Analyzer pricing][1].
|
3788
|
+
#
|
3789
|
+
#
|
3790
|
+
#
|
3791
|
+
# [1]: https://aws.amazon.com/iam/access-analyzer/pricing
|
3792
|
+
#
|
3793
|
+
# @!attribute [rw] access_key_id
|
3794
|
+
# The ID of the access key for which the unused access finding was
|
3795
|
+
# generated.
|
3796
|
+
# @return [String]
|
3797
|
+
#
|
3798
|
+
# @!attribute [rw] last_accessed
|
3799
|
+
# The time at which the access key was last accessed.
|
3800
|
+
# @return [Time]
|
3801
|
+
#
|
3802
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedIamUserAccessKeyDetails AWS API Documentation
|
3803
|
+
#
|
3804
|
+
class UnusedIamUserAccessKeyDetails < Struct.new(
|
3805
|
+
:access_key_id,
|
3806
|
+
:last_accessed)
|
3807
|
+
SENSITIVE = []
|
3808
|
+
include Aws::Structure
|
3809
|
+
end
|
3810
|
+
|
3811
|
+
# Contains information about an unused access finding for an IAM user
|
3812
|
+
# password. IAM Access Analyzer charges for unused access analysis based
|
3813
|
+
# on the number of IAM roles and users analyzed per month. For more
|
3814
|
+
# details on pricing, see [IAM Access Analyzer pricing][1].
|
3815
|
+
#
|
3816
|
+
#
|
3817
|
+
#
|
3818
|
+
# [1]: https://aws.amazon.com/iam/access-analyzer/pricing
|
3819
|
+
#
|
3820
|
+
# @!attribute [rw] last_accessed
|
3821
|
+
# The time at which the password was last accessed.
|
3822
|
+
# @return [Time]
|
3823
|
+
#
|
3824
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedIamUserPasswordDetails AWS API Documentation
|
3825
|
+
#
|
3826
|
+
class UnusedIamUserPasswordDetails < Struct.new(
|
3827
|
+
:last_accessed)
|
3828
|
+
SENSITIVE = []
|
3829
|
+
include Aws::Structure
|
3830
|
+
end
|
3831
|
+
|
3832
|
+
# Contains information about an unused access finding for a permission.
|
3833
|
+
# IAM Access Analyzer charges for unused access analysis based on the
|
3834
|
+
# number of IAM roles and users analyzed per month. For more details on
|
3835
|
+
# pricing, see [IAM Access Analyzer pricing][1].
|
3836
|
+
#
|
3837
|
+
#
|
3838
|
+
#
|
3839
|
+
# [1]: https://aws.amazon.com/iam/access-analyzer/pricing
|
3840
|
+
#
|
3841
|
+
# @!attribute [rw] actions
|
3842
|
+
# A list of unused actions for which the unused access finding was
|
3843
|
+
# generated.
|
3844
|
+
# @return [Array<Types::UnusedAction>]
|
3845
|
+
#
|
3846
|
+
# @!attribute [rw] service_namespace
|
3847
|
+
# The namespace of the Amazon Web Services service that contains the
|
3848
|
+
# unused actions.
|
3849
|
+
# @return [String]
|
3850
|
+
#
|
3851
|
+
# @!attribute [rw] last_accessed
|
3852
|
+
# The time at which the permission last accessed.
|
3853
|
+
# @return [Time]
|
3854
|
+
#
|
3855
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedPermissionDetails AWS API Documentation
|
3856
|
+
#
|
3857
|
+
class UnusedPermissionDetails < Struct.new(
|
3858
|
+
:actions,
|
3859
|
+
:service_namespace,
|
3860
|
+
:last_accessed)
|
3861
|
+
SENSITIVE = []
|
3862
|
+
include Aws::Structure
|
3863
|
+
end
|
3864
|
+
|
3156
3865
|
# Updates the specified archive rule.
|
3157
3866
|
#
|
3158
3867
|
# @!attribute [rw] analyzer_name
|
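Review bot: The `last_accessed` attribute doc on `UnusedPermissionDetails` reads "The time at which the permission last accessed." and is missing its verb; the sibling structs added in this hunk say "was last accessed", so it should read `# The time at which the permission was last accessed.`. Separately, `UnusedIamUserAccessKeyDetails` carries `:access_key_id` with `SENSITIVE = []`, so the key ID is not redacted when the struct is inspected or logged; that is consistent with the rest of the hunk, where only members the API model marks sensitive land in `SENSITIVE`, and an access key ID is an identifier rather than a credential, but callers that log unused-access findings should know it is emitted in clear. If the upstream model does mark that member sensitive, the generated value would be `SENSITIVE = [:access_key_id]` and this file should be regenerated. The enclosing `module Types` opens and closes outside this hunk.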
@@ -3299,15 +4008,17 @@ module Aws::AccessAnalyzer
|
|
3299
4008
|
# @!attribute [rw] policy_type
|
3300
4009
|
# The type of policy to validate. Identity policies grant permissions
|
3301
4010
|
# to IAM principals. Identity policies include managed and inline
|
3302
|
-
# policies for IAM roles, users, and groups.
|
3303
|
-
# service-control policies (SCPs) that are attached to an Amazon Web
|
3304
|
-
# Services organization, organizational unit (OU), or an account.
|
4011
|
+
# policies for IAM roles, users, and groups.
|
3305
4012
|
#
|
3306
4013
|
# Resource policies grant permissions on Amazon Web Services
|
3307
4014
|
# resources. Resource policies include trust policies for IAM roles
|
3308
4015
|
# and bucket policies for Amazon S3 buckets. You can provide a generic
|
3309
4016
|
# input such as identity policy or resource policy or a specific input
|
3310
4017
|
# such as managed policy or Amazon S3 bucket policy.
|
4018
|
+
#
|
4019
|
+
# Service control policies (SCPs) are a type of organization policy
|
4020
|
+
# attached to an Amazon Web Services organization, organizational unit
|
4021
|
+
# (OU), or an account.
|
3311
4022
|
# @return [String]
|
3312
4023
|
#
|
3313
4024
|
# @!attribute [rw] validate_policy_resource_type
|