aws-sdk-accessanalyzer 1.42.0 → 1.44.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -10,6 +10,21 @@
10
10
  module Aws::AccessAnalyzer
11
11
  module Types
12
12
 
13
+ # Contains information about actions that define permissions to check
14
+ # against a policy.
15
+ #
16
+ # @!attribute [rw] actions
17
+ # A list of actions for the access permissions.
18
+ # @return [Array<String>]
19
+ #
20
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Access AWS API Documentation
21
+ #
22
+ class Access < Struct.new(
23
+ :actions)
24
+ SENSITIVE = []
25
+ include Aws::Structure
26
+ end
27
+
13
28
  # You do not have sufficient access to perform this action.
14
29
  #
15
30
  # @!attribute [rw] message
@@ -379,6 +394,32 @@ module Aws::AccessAnalyzer
379
394
  include Aws::Structure
380
395
  end
381
396
 
397
+ # Contains information about the configuration of an unused access
398
+ # analyzer for an Amazon Web Services organization or account.
399
+ #
400
+ # @note AnalyzerConfiguration is a union - when making an API calls you must set exactly one of the members.
401
+ #
402
+ # @note AnalyzerConfiguration is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of AnalyzerConfiguration corresponding to the set member.
403
+ #
404
+ # @!attribute [rw] unused_access
405
+ # Specifies the configuration of an unused access analyzer for an
406
+ # Amazon Web Services organization or account. External access
407
+ # analyzers do not support any configuration.
408
+ # @return [Types::UnusedAccessConfiguration]
409
+ #
410
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AnalyzerConfiguration AWS API Documentation
411
+ #
412
+ class AnalyzerConfiguration < Struct.new(
413
+ :unused_access,
414
+ :unknown)
415
+ SENSITIVE = []
416
+ include Aws::Structure
417
+ include Aws::Structure::Union
418
+
419
+ class UnusedAccess < AnalyzerConfiguration; end
420
+ class Unknown < AnalyzerConfiguration; end
421
+ end
422
+
382
423
  # Contains information about the analyzer.
383
424
  #
384
425
  # @!attribute [rw] arn
@@ -429,6 +470,11 @@ module Aws::AccessAnalyzer
429
470
  # Web Services organization.
430
471
  # @return [Types::StatusReason]
431
472
  #
473
+ # @!attribute [rw] configuration
474
+ # Specifies whether the analyzer is an external access or unused
475
+ # access analyzer.
476
+ # @return [Types::AnalyzerConfiguration]
477
+ #
432
478
  # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AnalyzerSummary AWS API Documentation
433
479
  #
434
480
  class AnalyzerSummary < Struct.new(
@@ -440,7 +486,8 @@ module Aws::AccessAnalyzer
440
486
  :last_resource_analyzed_at,
441
487
  :tags,
442
488
  :status,
443
- :status_reason)
489
+ :status_reason,
490
+ :configuration)
444
491
  SENSITIVE = []
445
492
  include Aws::Structure
446
493
  end
@@ -520,6 +567,119 @@ module Aws::AccessAnalyzer
520
567
  #
521
568
  class CancelPolicyGenerationResponse < Aws::EmptyStructure; end
522
569
 
570
+ # @!attribute [rw] policy_document
571
+ # The JSON policy document to use as the content for the policy.
572
+ # @return [String]
573
+ #
574
+ # @!attribute [rw] access
575
+ # An access object containing the permissions that shouldn't be
576
+ # granted by the specified policy.
577
+ # @return [Array<Types::Access>]
578
+ #
579
+ # @!attribute [rw] policy_type
580
+ # The type of policy. Identity policies grant permissions to IAM
581
+ # principals. Identity policies include managed and inline policies
582
+ # for IAM roles, users, and groups.
583
+ #
584
+ # Resource policies grant permissions on Amazon Web Services
585
+ # resources. Resource policies include trust policies for IAM roles
586
+ # and bucket policies for Amazon S3 buckets. You can provide a generic
587
+ # input such as identity policy or resource policy or a specific input
588
+ # such as managed policy or Amazon S3 bucket policy.
589
+ # @return [String]
590
+ #
591
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckAccessNotGrantedRequest AWS API Documentation
592
+ #
593
+ class CheckAccessNotGrantedRequest < Struct.new(
594
+ :policy_document,
595
+ :access,
596
+ :policy_type)
597
+ SENSITIVE = [:policy_document]
598
+ include Aws::Structure
599
+ end
600
+
601
+ # @!attribute [rw] result
602
+ # The result of the check for whether the access is allowed. If the
603
+ # result is `PASS`, the specified policy doesn't allow any of the
604
+ # specified permissions in the access object. If the result is `FAIL`,
605
+ # the specified policy might allow some or all of the permissions in
606
+ # the access object.
607
+ # @return [String]
608
+ #
609
+ # @!attribute [rw] message
610
+ # The message indicating whether the specified access is allowed.
611
+ # @return [String]
612
+ #
613
+ # @!attribute [rw] reasons
614
+ # A description of the reasoning of the result.
615
+ # @return [Array<Types::ReasonSummary>]
616
+ #
617
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckAccessNotGrantedResponse AWS API Documentation
618
+ #
619
+ class CheckAccessNotGrantedResponse < Struct.new(
620
+ :result,
621
+ :message,
622
+ :reasons)
623
+ SENSITIVE = []
624
+ include Aws::Structure
625
+ end
626
+
627
+ # @!attribute [rw] new_policy_document
628
+ # The JSON policy document to use as the content for the updated
629
+ # policy.
630
+ # @return [String]
631
+ #
632
+ # @!attribute [rw] existing_policy_document
633
+ # The JSON policy document to use as the content for the existing
634
+ # policy.
635
+ # @return [String]
636
+ #
637
+ # @!attribute [rw] policy_type
638
+ # The type of policy to compare. Identity policies grant permissions
639
+ # to IAM principals. Identity policies include managed and inline
640
+ # policies for IAM roles, users, and groups.
641
+ #
642
+ # Resource policies grant permissions on Amazon Web Services
643
+ # resources. Resource policies include trust policies for IAM roles
644
+ # and bucket policies for Amazon S3 buckets. You can provide a generic
645
+ # input such as identity policy or resource policy or a specific input
646
+ # such as managed policy or Amazon S3 bucket policy.
647
+ # @return [String]
648
+ #
649
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckNoNewAccessRequest AWS API Documentation
650
+ #
651
+ class CheckNoNewAccessRequest < Struct.new(
652
+ :new_policy_document,
653
+ :existing_policy_document,
654
+ :policy_type)
655
+ SENSITIVE = [:new_policy_document, :existing_policy_document]
656
+ include Aws::Structure
657
+ end
658
+
659
+ # @!attribute [rw] result
660
+ # The result of the check for new access. If the result is `PASS`, no
661
+ # new access is allowed by the updated policy. If the result is
662
+ # `FAIL`, the updated policy might allow new access.
663
+ # @return [String]
664
+ #
665
+ # @!attribute [rw] message
666
+ # The message indicating whether the updated policy allows new access.
667
+ # @return [String]
668
+ #
669
+ # @!attribute [rw] reasons
670
+ # A description of the reasoning of the result.
671
+ # @return [Array<Types::ReasonSummary>]
672
+ #
673
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckNoNewAccessResponse AWS API Documentation
674
+ #
675
+ class CheckNoNewAccessResponse < Struct.new(
676
+ :result,
677
+ :message,
678
+ :reasons)
679
+ SENSITIVE = []
680
+ include Aws::Structure
681
+ end
682
+
523
683
  # Contains information about CloudTrail access.
524
684
  #
525
685
  # @!attribute [rw] trails
@@ -628,7 +788,7 @@ module Aws::AccessAnalyzer
628
788
  # @return [Types::SecretsManagerSecretConfiguration]
629
789
  #
630
790
  # @!attribute [rw] s3_bucket
631
- # The access control configuration is for an Amazon S3 Bucket.
791
+ # The access control configuration is for an Amazon S3 bucket.
632
792
  # @return [Types::S3BucketConfiguration]
633
793
  #
634
794
  # @!attribute [rw] sns_topic
@@ -639,6 +799,11 @@ module Aws::AccessAnalyzer
639
799
  # The access control configuration is for an Amazon SQS queue.
640
800
  # @return [Types::SqsQueueConfiguration]
641
801
  #
802
+ # @!attribute [rw] s3_express_directory_bucket
803
+ # The access control configuration is for an Amazon S3 directory
804
+ # bucket.
805
+ # @return [Types::S3ExpressDirectoryBucketConfiguration]
806
+ #
642
807
  # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Configuration AWS API Documentation
643
808
  #
644
809
  class Configuration < Struct.new(
@@ -653,6 +818,7 @@ module Aws::AccessAnalyzer
653
818
  :s3_bucket,
654
819
  :sns_topic,
655
820
  :sqs_queue,
821
+ :s3_express_directory_bucket,
656
822
  :unknown)
657
823
  SENSITIVE = []
658
824
  include Aws::Structure
@@ -669,6 +835,7 @@ module Aws::AccessAnalyzer
669
835
  class S3Bucket < Configuration; end
670
836
  class SnsTopic < Configuration; end
671
837
  class SqsQueue < Configuration; end
838
+ class S3ExpressDirectoryBucket < Configuration; end
672
839
  class Unknown < Configuration; end
673
840
  end
674
841
 
@@ -749,10 +916,11 @@ module Aws::AccessAnalyzer
749
916
  # @return [String]
750
917
  #
751
918
  # @!attribute [rw] type
752
- # The type of analyzer to create. Only ACCOUNT and ORGANIZATION
753
- # analyzers are supported. You can create only one analyzer per
754
- # account per Region. You can create up to 5 analyzers per
755
- # organization per Region.
919
+ # The type of analyzer to create. Only `ACCOUNT`, `ORGANIZATION`,
920
+ # `ACCOUNT_UNUSED_ACCESS`, and `ORGANIZTAION_UNUSED_ACCESS` analyzers
921
+ # are supported. You can create only one analyzer per account per
922
+ # Region. You can create up to 5 analyzers per organization per
923
+ # Region.
756
924
  # @return [String]
757
925
  #
758
926
  # @!attribute [rw] archive_rules
@@ -762,7 +930,7 @@ module Aws::AccessAnalyzer
762
930
  # @return [Array<Types::InlineArchiveRule>]
763
931
  #
764
932
  # @!attribute [rw] tags
765
- # The tags to apply to the analyzer.
933
+ # An array of key-value pairs to apply to the analyzer.
766
934
  # @return [Hash<String,String>]
767
935
  #
768
936
  # @!attribute [rw] client_token
@@ -772,6 +940,13 @@ module Aws::AccessAnalyzer
772
940
  # not need to pass this option.
773
941
  # @return [String]
774
942
  #
943
+ # @!attribute [rw] configuration
944
+ # Specifies the configuration of the analyzer. If the analyzer is an
945
+ # unused access analyzer, the specified scope of unused access is used
946
+ # for the configuration. If the analyzer is an external access
947
+ # analyzer, this field is not used.
948
+ # @return [Types::AnalyzerConfiguration]
949
+ #
775
950
  # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerRequest AWS API Documentation
776
951
  #
777
952
  class CreateAnalyzerRequest < Struct.new(
@@ -779,7 +954,8 @@ module Aws::AccessAnalyzer
779
954
  :type,
780
955
  :archive_rules,
781
956
  :tags,
782
- :client_token)
957
+ :client_token,
958
+ :configuration)
783
959
  SENSITIVE = []
784
960
  include Aws::Structure
785
961
  end
@@ -1065,6 +1241,45 @@ module Aws::AccessAnalyzer
1065
1241
  include Aws::Structure
1066
1242
  end
1067
1243
 
1244
+ # Contains information about an external access finding.
1245
+ #
1246
+ # @!attribute [rw] action
1247
+ # The action in the analyzed policy statement that an external
1248
+ # principal has permission to use.
1249
+ # @return [Array<String>]
1250
+ #
1251
+ # @!attribute [rw] condition
1252
+ # The condition in the analyzed policy statement that resulted in an
1253
+ # external access finding.
1254
+ # @return [Hash<String,String>]
1255
+ #
1256
+ # @!attribute [rw] is_public
1257
+ # Specifies whether the external access finding is public.
1258
+ # @return [Boolean]
1259
+ #
1260
+ # @!attribute [rw] principal
1261
+ # The external principal that has access to a resource within the zone
1262
+ # of trust.
1263
+ # @return [Hash<String,String>]
1264
+ #
1265
+ # @!attribute [rw] sources
1266
+ # The sources of the external access finding. This indicates how the
1267
+ # access that generated the finding is granted. It is populated for
1268
+ # Amazon S3 bucket findings.
1269
+ # @return [Array<Types::FindingSource>]
1270
+ #
1271
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ExternalAccessDetails AWS API Documentation
1272
+ #
1273
+ class ExternalAccessDetails < Struct.new(
1274
+ :action,
1275
+ :condition,
1276
+ :is_public,
1277
+ :principal,
1278
+ :sources)
1279
+ SENSITIVE = []
1280
+ include Aws::Structure
1281
+ end
1282
+
1068
1283
  # Contains information about a finding.
1069
1284
  #
1070
1285
  # @!attribute [rw] id
@@ -1072,8 +1287,8 @@ module Aws::AccessAnalyzer
1072
1287
  # @return [String]
1073
1288
  #
1074
1289
  # @!attribute [rw] principal
1075
- # The external principal that access to a resource within the zone of
1076
- # trust.
1290
+ # The external principal that has access to a resource within the zone
1291
+ # of trust.
1077
1292
  # @return [Hash<String,String>]
1078
1293
  #
1079
1294
  # @!attribute [rw] action
@@ -1150,6 +1365,56 @@ module Aws::AccessAnalyzer
1150
1365
  include Aws::Structure
1151
1366
  end
1152
1367
 
1368
+ # Contains information about an external access or unused access
1369
+ # finding. Only one parameter can be used in a `FindingDetails` object.
1370
+ #
1371
+ # @note FindingDetails is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of FindingDetails corresponding to the set member.
1372
+ #
1373
+ # @!attribute [rw] external_access_details
1374
+ # The details for an external access analyzer finding.
1375
+ # @return [Types::ExternalAccessDetails]
1376
+ #
1377
+ # @!attribute [rw] unused_permission_details
1378
+ # The details for an unused access analyzer finding with an unused
1379
+ # permission finding type.
1380
+ # @return [Types::UnusedPermissionDetails]
1381
+ #
1382
+ # @!attribute [rw] unused_iam_user_access_key_details
1383
+ # The details for an unused access analyzer finding with an unused IAM
1384
+ # user access key finding type.
1385
+ # @return [Types::UnusedIamUserAccessKeyDetails]
1386
+ #
1387
+ # @!attribute [rw] unused_iam_role_details
1388
+ # The details for an unused access analyzer finding with an unused IAM
1389
+ # role finding type.
1390
+ # @return [Types::UnusedIamRoleDetails]
1391
+ #
1392
+ # @!attribute [rw] unused_iam_user_password_details
1393
+ # The details for an unused access analyzer finding with an unused IAM
1394
+ # user password finding type.
1395
+ # @return [Types::UnusedIamUserPasswordDetails]
1396
+ #
1397
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingDetails AWS API Documentation
1398
+ #
1399
+ class FindingDetails < Struct.new(
1400
+ :external_access_details,
1401
+ :unused_permission_details,
1402
+ :unused_iam_user_access_key_details,
1403
+ :unused_iam_role_details,
1404
+ :unused_iam_user_password_details,
1405
+ :unknown)
1406
+ SENSITIVE = []
1407
+ include Aws::Structure
1408
+ include Aws::Structure::Union
1409
+
1410
+ class ExternalAccessDetails < FindingDetails; end
1411
+ class UnusedPermissionDetails < FindingDetails; end
1412
+ class UnusedIamUserAccessKeyDetails < FindingDetails; end
1413
+ class UnusedIamRoleDetails < FindingDetails; end
1414
+ class UnusedIamUserPasswordDetails < FindingDetails; end
1415
+ class Unknown < FindingDetails; end
1416
+ end
1417
+
1153
1418
  # The source of the finding. This indicates how the access that
1154
1419
  # generated the finding is granted. It is populated for Amazon S3 bucket
1155
1420
  # findings.
@@ -1281,6 +1546,66 @@ module Aws::AccessAnalyzer
1281
1546
  include Aws::Structure
1282
1547
  end
1283
1548
 
1549
+ # Contains information about a finding.
1550
+ #
1551
+ # @!attribute [rw] analyzed_at
1552
+ # The time at which the resource-based policy or IAM entity that
1553
+ # generated the finding was analyzed.
1554
+ # @return [Time]
1555
+ #
1556
+ # @!attribute [rw] created_at
1557
+ # The time at which the finding was created.
1558
+ # @return [Time]
1559
+ #
1560
+ # @!attribute [rw] error
1561
+ # The error that resulted in an Error finding.
1562
+ # @return [String]
1563
+ #
1564
+ # @!attribute [rw] id
1565
+ # The ID of the finding.
1566
+ # @return [String]
1567
+ #
1568
+ # @!attribute [rw] resource
1569
+ # The resource that the external principal has access to.
1570
+ # @return [String]
1571
+ #
1572
+ # @!attribute [rw] resource_type
1573
+ # The type of the resource that the external principal has access to.
1574
+ # @return [String]
1575
+ #
1576
+ # @!attribute [rw] resource_owner_account
1577
+ # The Amazon Web Services account ID that owns the resource.
1578
+ # @return [String]
1579
+ #
1580
+ # @!attribute [rw] status
1581
+ # The status of the finding.
1582
+ # @return [String]
1583
+ #
1584
+ # @!attribute [rw] updated_at
1585
+ # The time at which the finding was most recently updated.
1586
+ # @return [Time]
1587
+ #
1588
+ # @!attribute [rw] finding_type
1589
+ # The type of the external access or unused access finding.
1590
+ # @return [String]
1591
+ #
1592
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingSummaryV2 AWS API Documentation
1593
+ #
1594
+ class FindingSummaryV2 < Struct.new(
1595
+ :analyzed_at,
1596
+ :created_at,
1597
+ :error,
1598
+ :id,
1599
+ :resource,
1600
+ :resource_type,
1601
+ :resource_owner_account,
1602
+ :status,
1603
+ :updated_at,
1604
+ :finding_type)
1605
+ SENSITIVE = []
1606
+ include Aws::Structure
1607
+ end
1608
+
1284
1609
  # Contains the text for the generated policy.
1285
1610
  #
1286
1611
  # @!attribute [rw] policy
@@ -1522,6 +1847,109 @@ module Aws::AccessAnalyzer
1522
1847
  include Aws::Structure
1523
1848
  end
1524
1849
 
1850
+ # @!attribute [rw] analyzer_arn
1851
+ # The [ARN of the analyzer][1] that generated the finding.
1852
+ #
1853
+ #
1854
+ #
1855
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
1856
+ # @return [String]
1857
+ #
1858
+ # @!attribute [rw] id
1859
+ # The ID of the finding to retrieve.
1860
+ # @return [String]
1861
+ #
1862
+ # @!attribute [rw] max_results
1863
+ # The maximum number of results to return in the response.
1864
+ # @return [Integer]
1865
+ #
1866
+ # @!attribute [rw] next_token
1867
+ # A token used for pagination of results returned.
1868
+ # @return [String]
1869
+ #
1870
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetFindingV2Request AWS API Documentation
1871
+ #
1872
+ class GetFindingV2Request < Struct.new(
1873
+ :analyzer_arn,
1874
+ :id,
1875
+ :max_results,
1876
+ :next_token)
1877
+ SENSITIVE = []
1878
+ include Aws::Structure
1879
+ end
1880
+
1881
+ # @!attribute [rw] analyzed_at
1882
+ # The time at which the resource-based policy or IAM entity that
1883
+ # generated the finding was analyzed.
1884
+ # @return [Time]
1885
+ #
1886
+ # @!attribute [rw] created_at
1887
+ # The time at which the finding was created.
1888
+ # @return [Time]
1889
+ #
1890
+ # @!attribute [rw] error
1891
+ # An error.
1892
+ # @return [String]
1893
+ #
1894
+ # @!attribute [rw] id
1895
+ # The ID of the finding to retrieve.
1896
+ # @return [String]
1897
+ #
1898
+ # @!attribute [rw] next_token
1899
+ # A token used for pagination of results returned.
1900
+ # @return [String]
1901
+ #
1902
+ # @!attribute [rw] resource
1903
+ # The resource that generated the finding.
1904
+ # @return [String]
1905
+ #
1906
+ # @!attribute [rw] resource_type
1907
+ # The type of the resource identified in the finding.
1908
+ # @return [String]
1909
+ #
1910
+ # @!attribute [rw] resource_owner_account
1911
+ # Tye Amazon Web Services account ID that owns the resource.
1912
+ # @return [String]
1913
+ #
1914
+ # @!attribute [rw] status
1915
+ # The status of the finding.
1916
+ # @return [String]
1917
+ #
1918
+ # @!attribute [rw] updated_at
1919
+ # The time at which the finding was updated.
1920
+ # @return [Time]
1921
+ #
1922
+ # @!attribute [rw] finding_details
1923
+ # A localized message that explains the finding and provides guidance
1924
+ # on how to address it.
1925
+ # @return [Array<Types::FindingDetails>]
1926
+ #
1927
+ # @!attribute [rw] finding_type
1928
+ # The type of the finding. For external access analyzers, the type is
1929
+ # `ExternalAccess`. For unused access analyzers, the type can be
1930
+ # `UnusedIAMRole`, `UnusedIAMUserAccessKey`, `UnusedIAMUserPassword`,
1931
+ # or `UnusedPermission`.
1932
+ # @return [String]
1933
+ #
1934
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetFindingV2Response AWS API Documentation
1935
+ #
1936
+ class GetFindingV2Response < Struct.new(
1937
+ :analyzed_at,
1938
+ :created_at,
1939
+ :error,
1940
+ :id,
1941
+ :next_token,
1942
+ :resource,
1943
+ :resource_type,
1944
+ :resource_owner_account,
1945
+ :status,
1946
+ :updated_at,
1947
+ :finding_details,
1948
+ :finding_type)
1949
+ SENSITIVE = []
1950
+ include Aws::Structure
1951
+ end
1952
+
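Review bot: The `finding_details` attribute doc on GetFindingV2Response describes "a localized message that explains the finding and provides guidance on how to address it", which contradicts its declared `@return [Array<Types::FindingDetails>]`; the FindingDetails union added earlier in this diff carries structured external-access or unused-access details, not a message, so readers deciding what to log or redact from this field get the wrong picture. Suggest `# The details for the finding, as a list of FindingDetails unions (external access or unused access).` or wording lifted from the FindingDetails class comment. In the same hunk, `resource_owner_account` reads `Tye Amazon Web Services account ID that owns the resource.` where the FindingSummaryV2 doc above has the correct `The Amazon Web Services account ID that owns the resource.`. The later hunk adding UnusedPermissionDetails has a similar slip, `The time at which the permission last accessed.`, which should read `was last accessed`.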
1525
1953
  # @!attribute [rw] job_id
1526
1954
  # The `JobId` that is returned by the `StartPolicyGeneration`
1527
1955
  # operation. The `JobId` can be used with `GetGeneratedPolicy` to
@@ -1650,6 +2078,19 @@ module Aws::AccessAnalyzer
1650
2078
  #
1651
2079
  class InternetConfiguration < Aws::EmptyStructure; end
1652
2080
 
2081
+ # The specified parameter is invalid.
2082
+ #
2083
+ # @!attribute [rw] message
2084
+ # @return [String]
2085
+ #
2086
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InvalidParameterException AWS API Documentation
2087
+ #
2088
+ class InvalidParameterException < Struct.new(
2089
+ :message)
2090
+ SENSITIVE = []
2091
+ include Aws::Structure
2092
+ end
2093
+
1653
2094
  # Contains details about the policy generation request.
1654
2095
  #
1655
2096
  # @!attribute [rw] job_id
@@ -2144,6 +2585,60 @@ module Aws::AccessAnalyzer
2144
2585
  include Aws::Structure
2145
2586
  end
2146
2587
 
2588
+ # @!attribute [rw] analyzer_arn
2589
+ # The [ARN of the analyzer][1] to retrieve findings from.
2590
+ #
2591
+ #
2592
+ #
2593
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
2594
+ # @return [String]
2595
+ #
2596
+ # @!attribute [rw] filter
2597
+ # A filter to match for the findings to return.
2598
+ # @return [Hash<String,Types::Criterion>]
2599
+ #
2600
+ # @!attribute [rw] max_results
2601
+ # The maximum number of results to return in the response.
2602
+ # @return [Integer]
2603
+ #
2604
+ # @!attribute [rw] next_token
2605
+ # A token used for pagination of results returned.
2606
+ # @return [String]
2607
+ #
2608
+ # @!attribute [rw] sort
2609
+ # The criteria used to sort.
2610
+ # @return [Types::SortCriteria]
2611
+ #
2612
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsV2Request AWS API Documentation
2613
+ #
2614
+ class ListFindingsV2Request < Struct.new(
2615
+ :analyzer_arn,
2616
+ :filter,
2617
+ :max_results,
2618
+ :next_token,
2619
+ :sort)
2620
+ SENSITIVE = []
2621
+ include Aws::Structure
2622
+ end
2623
+
2624
+ # @!attribute [rw] findings
2625
+ # A list of findings retrieved from the analyzer that match the filter
2626
+ # criteria specified, if any.
2627
+ # @return [Array<Types::FindingSummaryV2>]
2628
+ #
2629
+ # @!attribute [rw] next_token
2630
+ # A token used for pagination of results returned.
2631
+ # @return [String]
2632
+ #
2633
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsV2Response AWS API Documentation
2634
+ #
2635
+ class ListFindingsV2Response < Struct.new(
2636
+ :findings,
2637
+ :next_token)
2638
+ SENSITIVE = []
2639
+ include Aws::Structure
2640
+ end
2641
+
2147
2642
  # @!attribute [rw] principal_arn
2148
2643
  # The ARN of the IAM entity (user or role) for which you are
2149
2644
  # generating a policy. Use this with `ListGeneratedPolicies` to filter
@@ -2566,6 +3061,31 @@ module Aws::AccessAnalyzer
2566
3061
  include Aws::Structure
2567
3062
  end
2568
3063
 
3064
+ # Contains information about the reasoning why a check for access passed
3065
+ # or failed.
3066
+ #
3067
+ # @!attribute [rw] description
3068
+ # A description of the reasoning of a result of checking for access.
3069
+ # @return [String]
3070
+ #
3071
+ # @!attribute [rw] statement_index
3072
+ # The index number of the reason statement.
3073
+ # @return [Integer]
3074
+ #
3075
+ # @!attribute [rw] statement_id
3076
+ # The identifier for the reason statement.
3077
+ # @return [String]
3078
+ #
3079
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ReasonSummary AWS API Documentation
3080
+ #
3081
+ class ReasonSummary < Struct.new(
3082
+ :description,
3083
+ :statement_index,
3084
+ :statement_id)
3085
+ SENSITIVE = []
3086
+ include Aws::Structure
3087
+ end
3088
+
2569
3089
  # The specified resource could not be found.
2570
3090
  #
2571
3091
  # @!attribute [rw] message
@@ -2711,6 +3231,35 @@ module Aws::AccessAnalyzer
2711
3231
  include Aws::Structure
2712
3232
  end
2713
3233
 
3234
+ # Proposed access control configuration for an Amazon S3 directory
3235
+ # bucket. You can propose a configuration for a new Amazon S3 directory
3236
+ # bucket or an existing Amazon S3 directory bucket that you own by
3237
+ # specifying the Amazon S3 bucket policy. If the configuration is for an
3238
+ # existing Amazon S3 directory bucket and you do not specify the Amazon
3239
+ # S3 bucket policy, the access preview uses the existing policy attached
3240
+ # to the directory bucket. If the access preview is for a new resource
3241
+ # and you do not specify the Amazon S3 bucket policy, the access preview
3242
+ # assumes an directory bucket without a policy. To propose deletion of
3243
+ # an existing bucket policy, you can specify an empty string. For more
3244
+ # information about bucket policy limits, see [Example bucket
3245
+ # policies][1].
3246
+ #
3247
+ #
3248
+ #
3249
+ # [1]: https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html
3250
+ #
3251
+ # @!attribute [rw] bucket_policy
3252
+ # The proposed bucket policy for the Amazon S3 directory bucket.
3253
+ # @return [String]
3254
+ #
3255
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3ExpressDirectoryBucketConfiguration AWS API Documentation
3256
+ #
3257
+ class S3ExpressDirectoryBucketConfiguration < Struct.new(
3258
+ :bucket_policy)
3259
+ SENSITIVE = []
3260
+ include Aws::Structure
3261
+ end
3262
+
2714
3263
  # The `PublicAccessBlock` configuration to apply to this Amazon S3
2715
3264
  # bucket. If the proposed configuration is for an existing Amazon S3
2716
3265
  # bucket and the configuration is not specified, the access preview uses
@@ -3128,6 +3677,19 @@ module Aws::AccessAnalyzer
3128
3677
  include Aws::Structure
3129
3678
  end
3130
3679
 
3680
+ # The specified entity could not be processed.
3681
+ #
3682
+ # @!attribute [rw] message
3683
+ # @return [String]
3684
+ #
3685
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnprocessableEntityException AWS API Documentation
3686
+ #
3687
+ class UnprocessableEntityException < Struct.new(
3688
+ :message)
3689
+ SENSITIVE = []
3690
+ include Aws::Structure
3691
+ end
3692
+
3131
3693
  # Removes a tag from the specified resource.
3132
3694
  #
3133
3695
  # @!attribute [rw] resource_arn
@@ -3153,6 +3715,153 @@ module Aws::AccessAnalyzer
3153
3715
  #
3154
3716
  class UntagResourceResponse < Aws::EmptyStructure; end
3155
3717
 
3718
+ # Contains information about an unused access analyzer.
3719
+ #
3720
+ # @!attribute [rw] unused_access_age
3721
+ # The specified access age in days for which to generate findings for
3722
+ # unused access. For example, if you specify 90 days, the analyzer
3723
+ # will generate findings for IAM entities within the accounts of the
3724
+ # selected organization for any access that hasn't been used in 90 or
3725
+ # more days since the analyzer's last scan. You can choose a value
3726
+ # between 1 and 180 days.
3727
+ # @return [Integer]
3728
+ #
3729
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedAccessConfiguration AWS API Documentation
3730
+ #
3731
+ class UnusedAccessConfiguration < Struct.new(
3732
+ :unused_access_age)
3733
+ SENSITIVE = []
3734
+ include Aws::Structure
3735
+ end
3736
+
3737
+ # Contains information about an unused access finding for an action. IAM
3738
+ # Access Analyzer charges for unused access analysis based on the number
3739
+ # of IAM roles and users analyzed per month. For more details on
3740
+ # pricing, see [IAM Access Analyzer pricing][1].
3741
+ #
3742
+ #
3743
+ #
3744
+ # [1]: https://aws.amazon.com/iam/access-analyzer/pricing
3745
+ #
3746
+ # @!attribute [rw] action
3747
+ # The action for which the unused access finding was generated.
3748
+ # @return [String]
3749
+ #
3750
+ # @!attribute [rw] last_accessed
3751
+ # The time at which the action was last accessed.
3752
+ # @return [Time]
3753
+ #
3754
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedAction AWS API Documentation
3755
+ #
3756
+ class UnusedAction < Struct.new(
3757
+ :action,
3758
+ :last_accessed)
3759
+ SENSITIVE = []
3760
+ include Aws::Structure
3761
+ end
3762
+
3763
+ # Contains information about an unused access finding for an IAM role.
3764
+ # IAM Access Analyzer charges for unused access analysis based on the
3765
+ # number of IAM roles and users analyzed per month. For more details on
3766
+ # pricing, see [IAM Access Analyzer pricing][1].
3767
+ #
3768
+ #
3769
+ #
3770
+ # [1]: https://aws.amazon.com/iam/access-analyzer/pricing
3771
+ #
3772
+ # @!attribute [rw] last_accessed
3773
+ # The time at which the role was last accessed.
3774
+ # @return [Time]
3775
+ #
3776
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedIamRoleDetails AWS API Documentation
3777
+ #
3778
+ class UnusedIamRoleDetails < Struct.new(
3779
+ :last_accessed)
3780
+ SENSITIVE = []
3781
+ include Aws::Structure
3782
+ end
3783
+
3784
+ # Contains information about an unused access finding for an IAM user
3785
+ # access key. IAM Access Analyzer charges for unused access analysis
3786
+ # based on the number of IAM roles and users analyzed per month. For
3787
+ # more details on pricing, see [IAM Access Analyzer pricing][1].
3788
+ #
3789
+ #
3790
+ #
3791
+ # [1]: https://aws.amazon.com/iam/access-analyzer/pricing
3792
+ #
3793
+ # @!attribute [rw] access_key_id
3794
+ # The ID of the access key for which the unused access finding was
3795
+ # generated.
3796
+ # @return [String]
3797
+ #
3798
+ # @!attribute [rw] last_accessed
3799
+ # The time at which the access key was last accessed.
3800
+ # @return [Time]
3801
+ #
3802
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedIamUserAccessKeyDetails AWS API Documentation
3803
+ #
3804
+ class UnusedIamUserAccessKeyDetails < Struct.new(
3805
+ :access_key_id,
3806
+ :last_accessed)
3807
+ SENSITIVE = []
3808
+ include Aws::Structure
3809
+ end
3810
+
3811
+ # Contains information about an unused access finding for an IAM user
3812
+ # password. IAM Access Analyzer charges for unused access analysis based
3813
+ # on the number of IAM roles and users analyzed per month. For more
3814
+ # details on pricing, see [IAM Access Analyzer pricing][1].
3815
+ #
3816
+ #
3817
+ #
3818
+ # [1]: https://aws.amazon.com/iam/access-analyzer/pricing
3819
+ #
3820
+ # @!attribute [rw] last_accessed
3821
+ # The time at which the password was last accessed.
3822
+ # @return [Time]
3823
+ #
3824
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedIamUserPasswordDetails AWS API Documentation
3825
+ #
3826
+ class UnusedIamUserPasswordDetails < Struct.new(
3827
+ :last_accessed)
3828
+ SENSITIVE = []
3829
+ include Aws::Structure
3830
+ end
3831
+
3832
+ # Contains information about an unused access finding for a permission.
3833
+ # IAM Access Analyzer charges for unused access analysis based on the
3834
+ # number of IAM roles and users analyzed per month. For more details on
3835
+ # pricing, see [IAM Access Analyzer pricing][1].
3836
+ #
3837
+ #
3838
+ #
3839
+ # [1]: https://aws.amazon.com/iam/access-analyzer/pricing
3840
+ #
3841
+ # @!attribute [rw] actions
3842
+ # A list of unused actions for which the unused access finding was
3843
+ # generated.
3844
+ # @return [Array<Types::UnusedAction>]
3845
+ #
3846
+ # @!attribute [rw] service_namespace
3847
+ # The namespace of the Amazon Web Services service that contains the
3848
+ # unused actions.
3849
+ # @return [String]
3850
+ #
3851
+ # @!attribute [rw] last_accessed
3852
+ # The time at which the permission last accessed.
3853
+ # @return [Time]
3854
+ #
3855
+ # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedPermissionDetails AWS API Documentation
3856
+ #
3857
+ class UnusedPermissionDetails < Struct.new(
3858
+ :actions,
3859
+ :service_namespace,
3860
+ :last_accessed)
3861
+ SENSITIVE = []
3862
+ include Aws::Structure
3863
+ end
3864
+
3156
3865
  # Updates the specified archive rule.
3157
3866
  #
3158
3867
  # @!attribute [rw] analyzer_name
@@ -3299,15 +4008,17 @@ module Aws::AccessAnalyzer
3299
4008
  # @!attribute [rw] policy_type
3300
4009
  # The type of policy to validate. Identity policies grant permissions
3301
4010
  # to IAM principals. Identity policies include managed and inline
3302
- # policies for IAM roles, users, and groups. They also include
3303
- # service-control policies (SCPs) that are attached to an Amazon Web
3304
- # Services organization, organizational unit (OU), or an account.
4011
+ # policies for IAM roles, users, and groups.
3305
4012
  #
3306
4013
  # Resource policies grant permissions on Amazon Web Services
3307
4014
  # resources. Resource policies include trust policies for IAM roles
3308
4015
  # and bucket policies for Amazon S3 buckets. You can provide a generic
3309
4016
  # input such as identity policy or resource policy or a specific input
3310
4017
  # such as managed policy or Amazon S3 bucket policy.
4018
+ #
4019
+ # Service control policies (SCPs) are a type of organization policy
4020
+ # attached to an Amazon Web Services organization, organizational unit
4021
+ # (OU), or an account.
3311
4022
  # @return [String]
3312
4023
  #
3313
4024
  # @!attribute [rw] validate_policy_resource_type