aws-sdk-accessanalyzer 1.50.0 → 1.51.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 898843ef5646fc7c4a75cccc804f4d7b79ca0d0b1179fc5b77e4c86cf8f970ab
-  data.tar.gz: b398ef3391f7a4dfc8d54bf9f1c40c60a9198bffbb49fa1706842201a7b618f0
+  metadata.gz: 85830f512378735be96e8cfa65b9131e5f36414d4b5ab2ba4a7e80cc1536766e
+  data.tar.gz: fd8255a12adec108aa9ff29b3cbe957ed8c7692450062ba521877becb6d33e08
 SHA512:
-  metadata.gz: 1193ea94083e00ab1952f68b80f3ab4c889670e37a19d3f41163387b7e9c2a08ed4d589bc0c36150393c664ed9afde11481c02fe990ce60618a82719ddd5026e
-  data.tar.gz: 9d3b71454119f9c34d22ab664fc408bcb59653f2ef67faae9764a47e7ec572d50252de3e4fe9a630db6fa989d201f52d140b96e22bf6e83fa7752be41fd845d6
+  metadata.gz: 7c826239d70604d234b73328dc1a2f12b1d4e03cd5516b37cb0a82caf98d25782be56c5a512e7c3b7f576128ceda60867f7d8564069bc684ac3edca7b63a5df1
+  data.tar.gz: 942d85ee53690b607e54de4b656717d3171a8c7c0ef5c80687d9c95eb27857d86495b424a4a1f881ac5d2679f84d18266fd0ea1b07642127424fde95a5066809

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.51.0 (2024-06-11)
+------------------
+
+* Feature - IAM Access Analyzer now provides policy recommendations to help resolve unused permissions for IAM roles and users. Additionally, IAM Access Analyzer now extends its custom policy checks to detect when IAM policies grant public access or access to critical resources ahead of deployments.
+
 1.50.0 (2024-06-05)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.50.0
+1.51.0

data/lib/aws-sdk-accessanalyzer/client.rb

@@ -479,7 +479,12 @@ module Aws::AccessAnalyzer
     #
     # @option params [required, Array<Types::Access>] :access
     #   An access object containing the permissions that shouldn't be granted
-    #   by the specified policy.
+    #   by the specified policy. If only actions are specified, IAM Access
+    #   Analyzer checks for access of the actions on all resources in the
+    #   policy. If only resources are specified, then IAM Access Analyzer
+    #   checks which actions have access to the specified resources. If both
+    #   actions and resources are specified, then IAM Access Analyzer checks
+    #   which of the specified actions have access to the specified resources.
     #
     # @option params [required, String] :policy_type
     #   The type of policy. Identity policies grant permissions to IAM
@@ -498,13 +503,82 @@ module Aws::AccessAnalyzer
     #   * {Types::CheckAccessNotGrantedResponse#message #message} => String
     #   * {Types::CheckAccessNotGrantedResponse#reasons #reasons} => Array&lt;Types::ReasonSummary&gt;
     #
+    #
+    # @example Example: Passing check. Restrictive identity policy.
+    #
+    #   resp = client.check_access_not_granted({
+    #     access: [
+    #       {
+    #         actions: [
+    #           "s3:PutObject", 
+    #         ], 
+    #       }, 
+    #     ], 
+    #     policy_document: "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":\"AllowJohnDoe\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/JohnDoe\"},\"Action\":\"s3:GetObject\",\"Resource\":\"*\"}]}", 
+    #     policy_type: "RESOURCE_POLICY", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     message: "The policy document does not grant access to perform the listed actions or resources.", 
+    #     result: "PASS", 
+    #   }
+    #
+    # @example Example: Passing check. Restrictive S3 Bucket resource policy.
+    #
+    #   resp = client.check_access_not_granted({
+    #     access: [
+    #       {
+    #         resources: [
+    #           "arn:aws:s3:::sensitive-bucket/*", 
+    #         ], 
+    #       }, 
+    #     ], 
+    #     policy_document: "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":\"AllowJohnDoe\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/JohnDoe\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::non-sensitive-bucket/*\"}]}", 
+    #     policy_type: "RESOURCE_POLICY", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     message: "The policy document does not grant access to perform the listed actions or resources.", 
+    #     result: "PASS", 
+    #   }
+    #
+    # @example Example: Failing check. Permissive S3 Bucket resource policy.
+    #
+    #   resp = client.check_access_not_granted({
+    #     access: [
+    #       {
+    #         resources: [
+    #           "arn:aws:s3:::my-bucket/*", 
+    #         ], 
+    #       }, 
+    #     ], 
+    #     policy_document: "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":\"AllowJohnDoe\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/JohnDoe\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::my-bucket/*\"}]}", 
+    #     policy_type: "RESOURCE_POLICY", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     message: "The policy document grants access to perform one or more of the listed actions or resources.", 
+    #     reasons: [
+    #       {
+    #         description: "One or more of the listed actions or resources in the statement with sid: AllowJohnDoe.", 
+    #         statement_id: "AllowJohnDoe", 
+    #         statement_index: 0, 
+    #       }, 
+    #     ], 
+    #     result: "FAIL", 
+    #   }
+    #
     # @example Request syntax with placeholder values
     #
     #   resp = client.check_access_not_granted({
     #     policy_document: "AccessCheckPolicyDocument", # required
     #     access: [ # required
     #       {
-    #         actions: ["Action"], # required
+    #         actions: ["Action"],
+    #         resources: ["Resource"],
     #       },
     #     ],
     #     policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY
@@ -591,6 +665,85 @@ module Aws::AccessAnalyzer
       req.send_request(options)
     end
 
+    # Checks whether a resource policy can grant public access to the
+    # specified resource type.
+    #
+    # @option params [required, String] :policy_document
+    #   The JSON policy document to evaluate for public access.
+    #
+    # @option params [required, String] :resource_type
+    #   The type of resource to evaluate for public access. For example, to
+    #   check for public access to Amazon S3 buckets, you can choose
+    #   `AWS::S3::Bucket` for the resource type.
+    #
+    #   For resource types not supported as valid values, IAM Access Analyzer
+    #   will return an error.
+    #
+    # @return [Types::CheckNoPublicAccessResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::CheckNoPublicAccessResponse#result #result} => String
+    #   * {Types::CheckNoPublicAccessResponse#message #message} => String
+    #   * {Types::CheckNoPublicAccessResponse#reasons #reasons} => Array&lt;Types::ReasonSummary&gt;
+    #
+    #
+    # @example Example: Passing check. S3 Bucket policy without public access.
+    #
+    #   resp = client.check_no_public_access({
+    #     policy_document: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Bob\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:user/JohnDoe\"},\"Action\":[\"s3:GetObject\"]}]}", 
+    #     resource_type: "AWS::S3::Bucket", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     message: "The resource policy does not grant public access for the given resource type.", 
+    #     result: "PASS", 
+    #   }
+    #
+    # @example Example: Failing check. S3 Bucket policy with public access.
+    #
+    #   resp = client.check_no_public_access({
+    #     policy_document: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Bob\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":[\"s3:GetObject\"]}]}", 
+    #     resource_type: "AWS::S3::Bucket", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     message: "The resource policy grants public access for the given resource type.", 
+    #     reasons: [
+    #       {
+    #         description: "Public access granted in the following statement with sid: Bob.", 
+    #         statement_id: "Bob", 
+    #         statement_index: 0, 
+    #       }, 
+    #     ], 
+    #     result: "FAIL", 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.check_no_public_access({
+    #     policy_document: "AccessCheckPolicyDocument", # required
+    #     resource_type: "AWS::DynamoDB::Table", # required, accepts AWS::DynamoDB::Table, AWS::DynamoDB::Stream, AWS::EFS::FileSystem, AWS::OpenSearchService::Domain, AWS::Kinesis::Stream, AWS::Kinesis::StreamConsumer, AWS::KMS::Key, AWS::Lambda::Function, AWS::S3::Bucket, AWS::S3::AccessPoint, AWS::S3Express::DirectoryBucket, AWS::S3::Glacier, AWS::S3Outposts::Bucket, AWS::S3Outposts::AccessPoint, AWS::SecretsManager::Secret, AWS::SNS::Topic, AWS::SQS::Queue, AWS::IAM::AssumeRolePolicyDocument
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.result #=> String, one of "PASS", "FAIL"
+    #   resp.message #=> String
+    #   resp.reasons #=> Array
+    #   resp.reasons[0].description #=> String
+    #   resp.reasons[0].statement_index #=> Integer
+    #   resp.reasons[0].statement_id #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckNoPublicAccess AWS API Documentation
+    #
+    # @overload check_no_public_access(params = {})
+    # @param [Hash] params ({})
+    def check_no_public_access(params = {}, options = {})
+      req = build_request(:check_no_public_access, params)
+      req.send_request(options)
+    end
+
     # Creates an access preview that allows you to preview IAM Access
     # Analyzer findings for your resource before deploying resource
     # permissions.
@@ -943,6 +1096,56 @@ module Aws::AccessAnalyzer
       req.send_request(options)
     end
 
+    # Creates a recommendation for an unused permissions finding.
+    #
+    # @option params [required, String] :analyzer_arn
+    #   The [ARN of the analyzer][1] used to generate the finding
+    #   recommendation.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
+    #
+    # @option params [required, String] :id
+    #   The unique ID for the finding recommendation.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    #
+    # @example Example: Successfully started generating finding recommendation
+    #
+    #   resp = client.generate_finding_recommendation({
+    #     analyzer_arn: "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/a", 
+    #     id: "finding-id", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #   }
+    #
+    # @example Example: Failed field validation for id value
+    #
+    #   resp = client.generate_finding_recommendation({
+    #     analyzer_arn: "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/a", 
+    #     id: "!", 
+    #   })
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.generate_finding_recommendation({
+    #     analyzer_arn: "AnalyzerArn", # required
+    #     id: "GenerateFindingRecommendationRequestIdString", # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GenerateFindingRecommendation AWS API Documentation
+    #
+    # @overload generate_finding_recommendation(params = {})
+    # @param [Hash] params ({})
+    def generate_finding_recommendation(params = {}, options = {})
+      req = build_request(:generate_finding_recommendation, params)
+      req.send_request(options)
+    end
+
     # Retrieves information about an access preview for the specified
     # analyzer.
     #
@@ -1225,6 +1428,151 @@ module Aws::AccessAnalyzer
       req.send_request(options)
     end
 
+    # Retrieves information about a finding recommendation for the specified
+    # analyzer.
+    #
+    # @option params [required, String] :analyzer_arn
+    #   The [ARN of the analyzer][1] used to generate the finding
+    #   recommendation.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
+    #
+    # @option params [required, String] :id
+    #   The unique ID for the finding recommendation.
+    #
+    # @option params [Integer] :max_results
+    #   The maximum number of results to return in the response.
+    #
+    # @option params [String] :next_token
+    #   A token used for pagination of results returned.
+    #
+    # @return [Types::GetFindingRecommendationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetFindingRecommendationResponse#started_at #started_at} => Time
+    #   * {Types::GetFindingRecommendationResponse#completed_at #completed_at} => Time
+    #   * {Types::GetFindingRecommendationResponse#next_token #next_token} => String
+    #   * {Types::GetFindingRecommendationResponse#error #error} => Types::RecommendationError
+    #   * {Types::GetFindingRecommendationResponse#resource_arn #resource_arn} => String
+    #   * {Types::GetFindingRecommendationResponse#recommended_steps #recommended_steps} => Array&lt;Types::RecommendedStep&gt;
+    #   * {Types::GetFindingRecommendationResponse#recommendation_type #recommendation_type} => String
+    #   * {Types::GetFindingRecommendationResponse#status #status} => String
+    #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
+    #
+    # @example Example: Successfully fetched finding recommendation
+    #
+    #   resp = client.get_finding_recommendation({
+    #     analyzer_arn: "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/a", 
+    #     id: "finding-id", 
+    #     max_results: 3, 
+    #     next_token: "token", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     completed_at: Time.parse("2000-01-01T00:00:01Z"), 
+    #     recommendation_type: "UnusedPermissionRecommendation", 
+    #     recommended_steps: [
+    #       {
+    #         unused_permissions_recommended_step: {
+    #           existing_policy_id: "policy-id", 
+    #           recommended_action: "DETACH_POLICY", 
+    #         }, 
+    #       }, 
+    #       {
+    #         unused_permissions_recommended_step: {
+    #           existing_policy_id: "policy-id", 
+    #           recommended_action: "CREATE_POLICY", 
+    #           recommended_policy: "policy-content", 
+    #         }, 
+    #       }, 
+    #     ], 
+    #     resource_arn: "arn:aws:iam::111122223333:role/test", 
+    #     started_at: Time.parse("2000-01-01T00:00:00Z"), 
+    #     status: "SUCCEEDED", 
+    #   }
+    #
+    # @example Example: In progress finding recommendation
+    #
+    #   resp = client.get_finding_recommendation({
+    #     analyzer_arn: "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/a", 
+    #     id: "finding-id", 
+    #     max_results: 3, 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     recommendation_type: "UnusedPermissionRecommendation", 
+    #     resource_arn: "arn:aws:iam::111122223333:role/test", 
+    #     started_at: Time.parse("2000-01-01T00:00:00Z"), 
+    #     status: "IN_PROGRESS", 
+    #   }
+    #
+    # @example Example: Failed finding recommendation
+    #
+    #   resp = client.get_finding_recommendation({
+    #     analyzer_arn: "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/a", 
+    #     id: "finding-id", 
+    #     max_results: 3, 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     completed_at: Time.parse("2000-01-01T00:00:01Z"), 
+    #     error: {
+    #       code: "SERVICE_ERROR", 
+    #       message: "Service error. Please try again.", 
+    #     }, 
+    #     recommendation_type: "UnusedPermissionRecommendation", 
+    #     resource_arn: "arn:aws:iam::111122223333:role/test", 
+    #     started_at: Time.parse("2000-01-01T00:00:00Z"), 
+    #     status: "FAILED", 
+    #   }
+    #
+    # @example Example: Failed field validation for id value
+    #
+    #   resp = client.get_finding_recommendation({
+    #     analyzer_arn: "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/a", 
+    #     id: "!", 
+    #   })
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_finding_recommendation({
+    #     analyzer_arn: "AnalyzerArn", # required
+    #     id: "GetFindingRecommendationRequestIdString", # required
+    #     max_results: 1,
+    #     next_token: "Token",
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.started_at #=> Time
+    #   resp.completed_at #=> Time
+    #   resp.next_token #=> String
+    #   resp.error.code #=> String
+    #   resp.error.message #=> String
+    #   resp.resource_arn #=> String
+    #   resp.recommended_steps #=> Array
+    #   resp.recommended_steps[0].unused_permissions_recommended_step.policy_updated_at #=> Time
+    #   resp.recommended_steps[0].unused_permissions_recommended_step.recommended_action #=> String, one of "CREATE_POLICY", "DETACH_POLICY"
+    #   resp.recommended_steps[0].unused_permissions_recommended_step.recommended_policy #=> String
+    #   resp.recommended_steps[0].unused_permissions_recommended_step.existing_policy_id #=> String
+    #   resp.recommendation_type #=> String, one of "UnusedPermissionRecommendation"
+    #   resp.status #=> String, one of "SUCCEEDED", "FAILED", "IN_PROGRESS"
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetFindingRecommendation AWS API Documentation
+    #
+    # @overload get_finding_recommendation(params = {})
+    # @param [Hash] params ({})
+    def get_finding_recommendation(params = {}, options = {})
+      req = build_request(:get_finding_recommendation, params)
+      req.send_request(options)
+    end
+
     # Retrieves information about the specified finding. GetFinding and
     # GetFindingV2 both use `access-analyzer:GetFinding` in the `Action`
     # element of an IAM policy statement. You must have permission to
@@ -2276,7 +2624,7 @@ module Aws::AccessAnalyzer
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-accessanalyzer'
-      context[:gem_version] = '1.50.0'
+      context[:gem_version] = '1.51.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-accessanalyzer/client_api.rb

@@ -17,6 +17,7 @@ module Aws::AccessAnalyzer
     AccessActionsList = Shapes::ListShape.new(name: 'AccessActionsList')
     AccessCheckPolicyDocument = Shapes::StringShape.new(name: 'AccessCheckPolicyDocument')
     AccessCheckPolicyType = Shapes::StringShape.new(name: 'AccessCheckPolicyType')
+    AccessCheckResourceType = Shapes::StringShape.new(name: 'AccessCheckResourceType')
     AccessDeniedException = Shapes::StructureShape.new(name: 'AccessDeniedException')
     AccessPointArn = Shapes::StringShape.new(name: 'AccessPointArn')
     AccessPointPolicy = Shapes::StringShape.new(name: 'AccessPointPolicy')
@@ -30,6 +31,7 @@ module Aws::AccessAnalyzer
     AccessPreviewStatusReasonCode = Shapes::StringShape.new(name: 'AccessPreviewStatusReasonCode')
     AccessPreviewSummary = Shapes::StructureShape.new(name: 'AccessPreviewSummary')
     AccessPreviewsList = Shapes::ListShape.new(name: 'AccessPreviewsList')
+    AccessResourcesList = Shapes::ListShape.new(name: 'AccessResourcesList')
     AclCanonicalId = Shapes::StringShape.new(name: 'AclCanonicalId')
     AclGrantee = Shapes::UnionShape.new(name: 'AclGrantee')
     AclPermission = Shapes::StringShape.new(name: 'AclPermission')
@@ -57,6 +59,9 @@ module Aws::AccessAnalyzer
     CheckNoNewAccessRequest = Shapes::StructureShape.new(name: 'CheckNoNewAccessRequest')
     CheckNoNewAccessResponse = Shapes::StructureShape.new(name: 'CheckNoNewAccessResponse')
     CheckNoNewAccessResult = Shapes::StringShape.new(name: 'CheckNoNewAccessResult')
+    CheckNoPublicAccessRequest = Shapes::StructureShape.new(name: 'CheckNoPublicAccessRequest')
+    CheckNoPublicAccessResponse = Shapes::StructureShape.new(name: 'CheckNoPublicAccessResponse')
+    CheckNoPublicAccessResult = Shapes::StringShape.new(name: 'CheckNoPublicAccessResult')
     CloudTrailArn = Shapes::StringShape.new(name: 'CloudTrailArn')
     CloudTrailDetails = Shapes::StructureShape.new(name: 'CloudTrailDetails')
     CloudTrailProperties = Shapes::StructureShape.new(name: 'CloudTrailProperties')
@@ -106,6 +111,8 @@ module Aws::AccessAnalyzer
     FindingType = Shapes::StringShape.new(name: 'FindingType')
     FindingsList = Shapes::ListShape.new(name: 'FindingsList')
     FindingsListV2 = Shapes::ListShape.new(name: 'FindingsListV2')
+    GenerateFindingRecommendationRequest = Shapes::StructureShape.new(name: 'GenerateFindingRecommendationRequest')
+    GenerateFindingRecommendationRequestIdString = Shapes::StringShape.new(name: 'GenerateFindingRecommendationRequestIdString')
     GeneratedPolicy = Shapes::StructureShape.new(name: 'GeneratedPolicy')
     GeneratedPolicyList = Shapes::ListShape.new(name: 'GeneratedPolicyList')
     GeneratedPolicyProperties = Shapes::StructureShape.new(name: 'GeneratedPolicyProperties')
@@ -118,6 +125,10 @@ module Aws::AccessAnalyzer
     GetAnalyzerResponse = Shapes::StructureShape.new(name: 'GetAnalyzerResponse')
     GetArchiveRuleRequest = Shapes::StructureShape.new(name: 'GetArchiveRuleRequest')
     GetArchiveRuleResponse = Shapes::StructureShape.new(name: 'GetArchiveRuleResponse')
+    GetFindingRecommendationRequest = Shapes::StructureShape.new(name: 'GetFindingRecommendationRequest')
+    GetFindingRecommendationRequestIdString = Shapes::StringShape.new(name: 'GetFindingRecommendationRequestIdString')
+    GetFindingRecommendationRequestMaxResultsInteger = Shapes::IntegerShape.new(name: 'GetFindingRecommendationRequestMaxResultsInteger')
+    GetFindingRecommendationResponse = Shapes::StructureShape.new(name: 'GetFindingRecommendationResponse')
     GetFindingRequest = Shapes::StructureShape.new(name: 'GetFindingRequest')
     GetFindingResponse = Shapes::StructureShape.new(name: 'GetFindingResponse')
     GetFindingV2Request = Shapes::StructureShape.new(name: 'GetFindingV2Request')
@@ -205,7 +216,13 @@ module Aws::AccessAnalyzer
     ReasonCode = Shapes::StringShape.new(name: 'ReasonCode')
     ReasonSummary = Shapes::StructureShape.new(name: 'ReasonSummary')
     ReasonSummaryList = Shapes::ListShape.new(name: 'ReasonSummaryList')
+    RecommendationError = Shapes::StructureShape.new(name: 'RecommendationError')
+    RecommendationType = Shapes::StringShape.new(name: 'RecommendationType')
+    RecommendedRemediationAction = Shapes::StringShape.new(name: 'RecommendedRemediationAction')
+    RecommendedStep = Shapes::UnionShape.new(name: 'RecommendedStep')
+    RecommendedStepList = Shapes::ListShape.new(name: 'RecommendedStepList')
     RegionList = Shapes::ListShape.new(name: 'RegionList')
+    Resource = Shapes::StringShape.new(name: 'Resource')
     ResourceArn = Shapes::StringShape.new(name: 'ResourceArn')
     ResourceNotFoundException = Shapes::StructureShape.new(name: 'ResourceNotFoundException')
     ResourceType = Shapes::StringShape.new(name: 'ResourceType')
@@ -234,6 +251,7 @@ module Aws::AccessAnalyzer
     StartPolicyGenerationRequest = Shapes::StructureShape.new(name: 'StartPolicyGenerationRequest')
     StartPolicyGenerationResponse = Shapes::StructureShape.new(name: 'StartPolicyGenerationResponse')
     StartResourceScanRequest = Shapes::StructureShape.new(name: 'StartResourceScanRequest')
+    Status = Shapes::StringShape.new(name: 'Status')
     StatusReason = Shapes::StructureShape.new(name: 'StatusReason')
     String = Shapes::StringShape.new(name: 'String')
     Substring = Shapes::StructureShape.new(name: 'Substring')
@@ -259,6 +277,7 @@ module Aws::AccessAnalyzer
     UnusedIamUserAccessKeyDetails = Shapes::StructureShape.new(name: 'UnusedIamUserAccessKeyDetails')
     UnusedIamUserPasswordDetails = Shapes::StructureShape.new(name: 'UnusedIamUserPasswordDetails')
     UnusedPermissionDetails = Shapes::StructureShape.new(name: 'UnusedPermissionDetails')
+    UnusedPermissionsRecommendedStep = Shapes::StructureShape.new(name: 'UnusedPermissionsRecommendedStep')
     UpdateArchiveRuleRequest = Shapes::StructureShape.new(name: 'UpdateArchiveRuleRequest')
     UpdateFindingsRequest = Shapes::StructureShape.new(name: 'UpdateFindingsRequest')
     ValidatePolicyFinding = Shapes::StructureShape.new(name: 'ValidatePolicyFinding')
@@ -275,7 +294,8 @@ module Aws::AccessAnalyzer
     VpcConfiguration = Shapes::StructureShape.new(name: 'VpcConfiguration')
     VpcId = Shapes::StringShape.new(name: 'VpcId')
 
-    Access.add_member(:actions, Shapes::ShapeRef.new(shape: AccessActionsList, required: true, location_name: "actions"))
+    Access.add_member(:actions, Shapes::ShapeRef.new(shape: AccessActionsList, location_name: "actions"))
+    Access.add_member(:resources, Shapes::ShapeRef.new(shape: AccessResourcesList, location_name: "resources"))
     Access.struct_class = Types::Access
 
     AccessActionsList.member = Shapes::ShapeRef.new(shape: Action)
@@ -322,6 +342,8 @@ module Aws::AccessAnalyzer
 
     AccessPreviewsList.member = Shapes::ShapeRef.new(shape: AccessPreviewSummary)
 
+    AccessResourcesList.member = Shapes::ShapeRef.new(shape: Resource)
+
     AclGrantee.add_member(:id, Shapes::ShapeRef.new(shape: AclCanonicalId, location_name: "id"))
     AclGrantee.add_member(:uri, Shapes::ShapeRef.new(shape: AclUri, location_name: "uri"))
     AclGrantee.add_member(:unknown, Shapes::ShapeRef.new(shape: nil, location_name: 'unknown'))
@@ -412,6 +434,15 @@ module Aws::AccessAnalyzer
     CheckNoNewAccessResponse.add_member(:reasons, Shapes::ShapeRef.new(shape: ReasonSummaryList, location_name: "reasons"))
     CheckNoNewAccessResponse.struct_class = Types::CheckNoNewAccessResponse
 
+    CheckNoPublicAccessRequest.add_member(:policy_document, Shapes::ShapeRef.new(shape: AccessCheckPolicyDocument, required: true, location_name: "policyDocument"))
+    CheckNoPublicAccessRequest.add_member(:resource_type, Shapes::ShapeRef.new(shape: AccessCheckResourceType, required: true, location_name: "resourceType"))
+    CheckNoPublicAccessRequest.struct_class = Types::CheckNoPublicAccessRequest
+
+    CheckNoPublicAccessResponse.add_member(:result, Shapes::ShapeRef.new(shape: CheckNoPublicAccessResult, location_name: "result"))
+    CheckNoPublicAccessResponse.add_member(:message, Shapes::ShapeRef.new(shape: String, location_name: "message"))
+    CheckNoPublicAccessResponse.add_member(:reasons, Shapes::ShapeRef.new(shape: ReasonSummaryList, location_name: "reasons"))
+    CheckNoPublicAccessResponse.struct_class = Types::CheckNoPublicAccessResponse
+
     CloudTrailDetails.add_member(:trails, Shapes::ShapeRef.new(shape: TrailList, required: true, location_name: "trails"))
     CloudTrailDetails.add_member(:access_role, Shapes::ShapeRef.new(shape: RoleArn, required: true, location_name: "accessRole"))
     CloudTrailDetails.add_member(:start_time, Shapes::ShapeRef.new(shape: Timestamp, required: true, location_name: "startTime"))
@@ -613,6 +644,10 @@ module Aws::AccessAnalyzer
 
     FindingsListV2.member = Shapes::ShapeRef.new(shape: FindingSummaryV2)
 
+    GenerateFindingRecommendationRequest.add_member(:analyzer_arn, Shapes::ShapeRef.new(shape: AnalyzerArn, required: true, location: "querystring", location_name: "analyzerArn"))
+    GenerateFindingRecommendationRequest.add_member(:id, Shapes::ShapeRef.new(shape: GenerateFindingRecommendationRequestIdString, required: true, location: "uri", location_name: "id"))
+    GenerateFindingRecommendationRequest.struct_class = Types::GenerateFindingRecommendationRequest
+
     GeneratedPolicy.add_member(:policy, Shapes::ShapeRef.new(shape: String, required: true, location_name: "policy"))
     GeneratedPolicy.struct_class = Types::GeneratedPolicy
 
@@ -654,6 +689,22 @@ module Aws::AccessAnalyzer
     GetArchiveRuleResponse.add_member(:archive_rule, Shapes::ShapeRef.new(shape: ArchiveRuleSummary, required: true, location_name: "archiveRule"))
     GetArchiveRuleResponse.struct_class = Types::GetArchiveRuleResponse
 
+    GetFindingRecommendationRequest.add_member(:analyzer_arn, Shapes::ShapeRef.new(shape: AnalyzerArn, required: true, location: "querystring", location_name: "analyzerArn"))
+    GetFindingRecommendationRequest.add_member(:id, Shapes::ShapeRef.new(shape: GetFindingRecommendationRequestIdString, required: true, location: "uri", location_name: "id"))
+    GetFindingRecommendationRequest.add_member(:max_results, Shapes::ShapeRef.new(shape: GetFindingRecommendationRequestMaxResultsInteger, location: "querystring", location_name: "maxResults"))
+    GetFindingRecommendationRequest.add_member(:next_token, Shapes::ShapeRef.new(shape: Token, location: "querystring", location_name: "nextToken"))
+    GetFindingRecommendationRequest.struct_class = Types::GetFindingRecommendationRequest
+
+    GetFindingRecommendationResponse.add_member(:started_at, Shapes::ShapeRef.new(shape: Timestamp, required: true, location_name: "startedAt"))
+    GetFindingRecommendationResponse.add_member(:completed_at, Shapes::ShapeRef.new(shape: Timestamp, location_name: "completedAt"))
+    GetFindingRecommendationResponse.add_member(:next_token, Shapes::ShapeRef.new(shape: Token, location_name: "nextToken"))
+    GetFindingRecommendationResponse.add_member(:error, Shapes::ShapeRef.new(shape: RecommendationError, location_name: "error"))
+    GetFindingRecommendationResponse.add_member(:resource_arn, Shapes::ShapeRef.new(shape: ResourceArn, required: true, location_name: "resourceArn"))
+    GetFindingRecommendationResponse.add_member(:recommended_steps, Shapes::ShapeRef.new(shape: RecommendedStepList, location_name: "recommendedSteps"))
+    GetFindingRecommendationResponse.add_member(:recommendation_type, Shapes::ShapeRef.new(shape: RecommendationType, required: true, location_name: "recommendationType"))
+    GetFindingRecommendationResponse.add_member(:status, Shapes::ShapeRef.new(shape: Status, required: true, location_name: "status"))
+    GetFindingRecommendationResponse.struct_class = Types::GetFindingRecommendationResponse
+
     GetFindingRequest.add_member(:analyzer_arn, Shapes::ShapeRef.new(shape: AnalyzerArn, required: true, location: "querystring", location_name: "analyzerArn"))
     GetFindingRequest.add_member(:id, Shapes::ShapeRef.new(shape: FindingId, required: true, location: "uri", location_name: "id"))
     GetFindingRequest.struct_class = Types::GetFindingRequest
@@ -914,6 +965,18 @@ module Aws::AccessAnalyzer
 
     ReasonSummaryList.member = Shapes::ShapeRef.new(shape: ReasonSummary)
 
+    RecommendationError.add_member(:code, Shapes::ShapeRef.new(shape: String, required: true, location_name: "code"))
+    RecommendationError.add_member(:message, Shapes::ShapeRef.new(shape: String, required: true, location_name: "message"))
+    RecommendationError.struct_class = Types::RecommendationError
+
+    RecommendedStep.add_member(:unused_permissions_recommended_step, Shapes::ShapeRef.new(shape: UnusedPermissionsRecommendedStep, location_name: "unusedPermissionsRecommendedStep"))
+    RecommendedStep.add_member(:unknown, Shapes::ShapeRef.new(shape: nil, location_name: 'unknown'))
+    RecommendedStep.add_member_subclass(:unused_permissions_recommended_step, Types::RecommendedStep::UnusedPermissionsRecommendedStep)
+    RecommendedStep.add_member_subclass(:unknown, Types::RecommendedStep::Unknown)
+    RecommendedStep.struct_class = Types::RecommendedStep
+
+    RecommendedStepList.member = Shapes::ShapeRef.new(shape: RecommendedStep)
+
     RegionList.member = Shapes::ShapeRef.new(shape: String)
 
     ResourceNotFoundException.add_member(:message, Shapes::ShapeRef.new(shape: String, required: true, location_name: "message"))
@@ -1055,6 +1118,12 @@ module Aws::AccessAnalyzer
     UnusedPermissionDetails.add_member(:last_accessed, Shapes::ShapeRef.new(shape: Timestamp, location_name: "lastAccessed"))
     UnusedPermissionDetails.struct_class = Types::UnusedPermissionDetails
 
+    UnusedPermissionsRecommendedStep.add_member(:policy_updated_at, Shapes::ShapeRef.new(shape: Timestamp, location_name: "policyUpdatedAt"))
+    UnusedPermissionsRecommendedStep.add_member(:recommended_action, Shapes::ShapeRef.new(shape: RecommendedRemediationAction, required: true, location_name: "recommendedAction"))
+    UnusedPermissionsRecommendedStep.add_member(:recommended_policy, Shapes::ShapeRef.new(shape: String, location_name: "recommendedPolicy"))
+    UnusedPermissionsRecommendedStep.add_member(:existing_policy_id, Shapes::ShapeRef.new(shape: String, location_name: "existingPolicyId"))
+    UnusedPermissionsRecommendedStep.struct_class = Types::UnusedPermissionsRecommendedStep
+
     UpdateArchiveRuleRequest.add_member(:analyzer_name, Shapes::ShapeRef.new(shape: Name, required: true, location: "uri", location_name: "analyzerName"))
     UpdateArchiveRuleRequest.add_member(:rule_name, Shapes::ShapeRef.new(shape: Name, required: true, location: "uri", location_name: "ruleName"))
     UpdateArchiveRuleRequest.add_member(:filter, Shapes::ShapeRef.new(shape: FilterCriteriaMap, required: true, location_name: "filter"))
@@ -1114,8 +1183,8 @@ module Aws::AccessAnalyzer
       api.metadata = {
         "apiVersion" => "2019-11-01",
         "endpointPrefix" => "access-analyzer",
-        "jsonVersion" => "1.1",
         "protocol" => "rest-json",
+        "protocols" => ["rest-json"],
         "serviceFullName" => "Access Analyzer",
         "serviceId" => "AccessAnalyzer",
         "signatureVersion" => "v4",
@@ -1176,6 +1245,20 @@ module Aws::AccessAnalyzer
         o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
       end)
 
+      api.add_operation(:check_no_public_access, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "CheckNoPublicAccess"
+        o.http_method = "POST"
+        o.http_request_uri = "/policy/check-no-public-access"
+        o.input = Shapes::ShapeRef.new(shape: CheckNoPublicAccessRequest)
+        o.output = Shapes::ShapeRef.new(shape: CheckNoPublicAccessResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
+        o.errors << Shapes::ShapeRef.new(shape: UnprocessableEntityException)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
+      end)
+
       api.add_operation(:create_access_preview, Seahorse::Model::Operation.new.tap do |o|
         o.name = "CreateAccessPreview"
         o.http_method = "PUT"
@@ -1246,6 +1329,18 @@ module Aws::AccessAnalyzer
         o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
       end)
 
+      api.add_operation(:generate_finding_recommendation, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "GenerateFindingRecommendation"
+        o.http_method = "POST"
+        o.http_request_uri = "/recommendation/{id}"
+        o.input = Shapes::ShapeRef.new(shape: GenerateFindingRecommendationRequest)
+        o.output = Shapes::ShapeRef.new(shape: Shapes::StructureShape.new(struct_class: Aws::EmptyStructure))
+        o.errors << Shapes::ShapeRef.new(shape: ValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerException)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
+      end)
+
       api.add_operation(:get_access_preview, Seahorse::Model::Operation.new.tap do |o|
         o.name = "GetAccessPreview"
         o.http_method = "GET"
@@ -1311,6 +1406,25 @@ module Aws::AccessAnalyzer
         o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
       end)
 
+      api.add_operation(:get_finding_recommendation, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "GetFindingRecommendation"
+        o.http_method = "GET"
+        o.http_request_uri = "/recommendation/{id}"
+        o.input = Shapes::ShapeRef.new(shape: GetFindingRecommendationRequest)
+        o.output = Shapes::ShapeRef.new(shape: GetFindingRecommendationResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: ValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerException)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
+        o[:pager] = Aws::Pager.new(
+          limit_key: "max_results",
+          tokens: {
+            "next_token" => "next_token"
+          }
+        )
+      end)
+
       api.add_operation(:get_finding_v2, Seahorse::Model::Operation.new.tap do |o|
         o.name = "GetFindingV2"
         o.http_method = "GET"

data/lib/aws-sdk-accessanalyzer/endpoints.rb

@@ -68,6 +68,20 @@ module Aws::AccessAnalyzer
       end
     end
 
+    class CheckNoPublicAccess
+      def self.build(context)
+        unless context.config.regional_endpoint
+          endpoint = context.config.endpoint.to_s
+        end
+        Aws::AccessAnalyzer::EndpointParameters.new(
+          region: context.config.region,
+          use_dual_stack: context.config.use_dualstack_endpoint,
+          use_fips: context.config.use_fips_endpoint,
+          endpoint: endpoint,
+        )
+      end
+    end
+
     class CreateAccessPreview
       def self.build(context)
         unless context.config.regional_endpoint
@@ -138,6 +152,20 @@ module Aws::AccessAnalyzer
       end
     end
 
+    class GenerateFindingRecommendation
+      def self.build(context)
+        unless context.config.regional_endpoint
+          endpoint = context.config.endpoint.to_s
+        end
+        Aws::AccessAnalyzer::EndpointParameters.new(
+          region: context.config.region,
+          use_dual_stack: context.config.use_dualstack_endpoint,
+          use_fips: context.config.use_fips_endpoint,
+          endpoint: endpoint,
+        )
+      end
+    end
+
     class GetAccessPreview
       def self.build(context)
         unless context.config.regional_endpoint
@@ -208,6 +236,20 @@ module Aws::AccessAnalyzer
       end
     end
 
+    class GetFindingRecommendation
+      def self.build(context)
+        unless context.config.regional_endpoint
+          endpoint = context.config.endpoint.to_s
+        end
+        Aws::AccessAnalyzer::EndpointParameters.new(
+          region: context.config.region,
+          use_dual_stack: context.config.use_dualstack_endpoint,
+          use_fips: context.config.use_fips_endpoint,
+          endpoint: endpoint,
+        )
+      end
+    end
+
     class GetFindingV2
       def self.build(context)
         unless context.config.regional_endpoint

data/lib/aws-sdk-accessanalyzer/plugins/endpoints.rb

@@ -66,6 +66,8 @@ module Aws::AccessAnalyzer
             Aws::AccessAnalyzer::Endpoints::CheckAccessNotGranted.build(context)
           when :check_no_new_access
             Aws::AccessAnalyzer::Endpoints::CheckNoNewAccess.build(context)
+          when :check_no_public_access
+            Aws::AccessAnalyzer::Endpoints::CheckNoPublicAccess.build(context)
           when :create_access_preview
             Aws::AccessAnalyzer::Endpoints::CreateAccessPreview.build(context)
           when :create_analyzer
@@ -76,6 +78,8 @@ module Aws::AccessAnalyzer
             Aws::AccessAnalyzer::Endpoints::DeleteAnalyzer.build(context)
           when :delete_archive_rule
             Aws::AccessAnalyzer::Endpoints::DeleteArchiveRule.build(context)
+          when :generate_finding_recommendation
+            Aws::AccessAnalyzer::Endpoints::GenerateFindingRecommendation.build(context)
           when :get_access_preview
             Aws::AccessAnalyzer::Endpoints::GetAccessPreview.build(context)
           when :get_analyzed_resource
@@ -86,6 +90,8 @@ module Aws::AccessAnalyzer
             Aws::AccessAnalyzer::Endpoints::GetArchiveRule.build(context)
           when :get_finding
             Aws::AccessAnalyzer::Endpoints::GetFinding.build(context)
+          when :get_finding_recommendation
+            Aws::AccessAnalyzer::Endpoints::GetFindingRecommendation.build(context)
           when :get_finding_v2
             Aws::AccessAnalyzer::Endpoints::GetFindingV2.build(context)
           when :get_generated_policy

data/lib/aws-sdk-accessanalyzer/types.rb

@@ -10,8 +10,8 @@
 module Aws::AccessAnalyzer
   module Types
 
-    # Contains information about actions that define permissions to check
-    # against a policy.
+    # Contains information about actions and resources that define
+    # permissions to check against a policy.
     #
     # @!attribute [rw] actions
     #   A list of actions for the access permissions. Any strings that can
@@ -19,10 +19,17 @@ module Aws::AccessAnalyzer
     #   actions to check.
     #   @return [Array<String>]
     #
+    # @!attribute [rw] resources
+    #   A list of resources for the access permissions. Any strings that can
+    #   be used as a resource in an IAM policy can be used in the list of
+    #   resources to check.
+    #   @return [Array<String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Access AWS API Documentation
     #
     class Access < Struct.new(
-      :actions)
+      :actions,
+      :resources)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -575,7 +582,13 @@ module Aws::AccessAnalyzer
     #
     # @!attribute [rw] access
     #   An access object containing the permissions that shouldn't be
-    #   granted by the specified policy.
+    #   granted by the specified policy. If only actions are specified, IAM
+    #   Access Analyzer checks for access of the actions on all resources in
+    #   the policy. If only resources are specified, then IAM Access
+    #   Analyzer checks which actions have access to the specified
+    #   resources. If both actions and resources are specified, then IAM
+    #   Access Analyzer checks which of the specified actions have access to
+    #   the specified resources.
     #   @return [Array<Types::Access>]
     #
     # @!attribute [rw] policy_type
@@ -682,6 +695,55 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # @!attribute [rw] policy_document
+    #   The JSON policy document to evaluate for public access.
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_type
+    #   The type of resource to evaluate for public access. For example, to
+    #   check for public access to Amazon S3 buckets, you can choose
+    #   `AWS::S3::Bucket` for the resource type.
+    #
+    #   For resource types not supported as valid values, IAM Access
+    #   Analyzer will return an error.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckNoPublicAccessRequest AWS API Documentation
+    #
+    class CheckNoPublicAccessRequest < Struct.new(
+      :policy_document,
+      :resource_type)
+      SENSITIVE = [:policy_document]
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] result
+    #   The result of the check for public access to the specified resource
+    #   type. If the result is `PASS`, the policy doesn't allow public
+    #   access to the specified resource type. If the result is `FAIL`, the
+    #   policy might allow public access to the specified resource type.
+    #   @return [String]
+    #
+    # @!attribute [rw] message
+    #   The message indicating whether the specified policy allows public
+    #   access to resources.
+    #   @return [String]
+    #
+    # @!attribute [rw] reasons
+    #   A list of reasons why the specified resource policy grants public
+    #   access for the resource type.
+    #   @return [Array<Types::ReasonSummary>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckNoPublicAccessResponse AWS API Documentation
+    #
+    class CheckNoPublicAccessResponse < Struct.new(
+      :result,
+      :message,
+      :reasons)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Contains information about CloudTrail access.
     #
     # @!attribute [rw] trails
@@ -1687,6 +1749,28 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # @!attribute [rw] analyzer_arn
+    #   The [ARN of the analyzer][1] used to generate the finding
+    #   recommendation.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
+    #   @return [String]
+    #
+    # @!attribute [rw] id
+    #   The unique ID for the finding recommendation.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GenerateFindingRecommendationRequest AWS API Documentation
+    #
+    class GenerateFindingRecommendationRequest < Struct.new(
+      :analyzer_arn,
+      :id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Contains the text for the generated policy.
     #
     # @!attribute [rw] policy
@@ -1891,6 +1975,88 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # @!attribute [rw] analyzer_arn
+    #   The [ARN of the analyzer][1] used to generate the finding
+    #   recommendation.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
+    #   @return [String]
+    #
+    # @!attribute [rw] id
+    #   The unique ID for the finding recommendation.
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of results to return in the response.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetFindingRecommendationRequest AWS API Documentation
+    #
+    class GetFindingRecommendationRequest < Struct.new(
+      :analyzer_arn,
+      :id,
+      :max_results,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] started_at
+    #   The time at which the retrieval of the finding recommendation was
+    #   started.
+    #   @return [Time]
+    #
+    # @!attribute [rw] completed_at
+    #   The time at which the retrieval of the finding recommendation was
+    #   completed.
+    #   @return [Time]
+    #
+    # @!attribute [rw] next_token
+    #   A token used for pagination of results returned.
+    #   @return [String]
+    #
+    # @!attribute [rw] error
+    #   Detailed information about the reason that the retrieval of a
+    #   recommendation for the finding failed.
+    #   @return [Types::RecommendationError]
+    #
+    # @!attribute [rw] resource_arn
+    #   The ARN of the resource of the finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] recommended_steps
+    #   A group of recommended steps for the finding.
+    #   @return [Array<Types::RecommendedStep>]
+    #
+    # @!attribute [rw] recommendation_type
+    #   The type of recommendation for the finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] status
+    #   The status of the retrieval of the finding recommendation.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetFindingRecommendationResponse AWS API Documentation
+    #
+    class GetFindingRecommendationResponse < Struct.new(
+      :started_at,
+      :completed_at,
+      :next_token,
+      :error,
+      :resource_arn,
+      :recommended_steps,
+      :recommendation_type,
+      :status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Retrieves a finding.
     #
     # @!attribute [rw] analyzer_arn
@@ -3167,6 +3333,50 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # Contains information about the reason that the retrieval of a
+    # recommendation for a finding failed.
+    #
+    # @!attribute [rw] code
+    #   The error code for a failed retrieval of a recommendation for a
+    #   finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] message
+    #   The error message for a failed retrieval of a recommendation for a
+    #   finding.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/RecommendationError AWS API Documentation
+    #
+    class RecommendationError < Struct.new(
+      :code,
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains information about a recommended step for an unused access
+    # analyzer finding.
+    #
+    # @note RecommendedStep is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of RecommendedStep corresponding to the set member.
+    #
+    # @!attribute [rw] unused_permissions_recommended_step
+    #   A recommended step for an unused permissions finding.
+    #   @return [Types::UnusedPermissionsRecommendedStep]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/RecommendedStep AWS API Documentation
+    #
+    class RecommendedStep < Struct.new(
+      :unused_permissions_recommended_step,
+      :unknown)
+      SENSITIVE = []
+      include Aws::Structure
+      include Aws::Structure::Union
+
+      class UnusedPermissionsRecommendedStep < RecommendedStep; end
+      class Unknown < RecommendedStep; end
+    end
+
     # The specified resource could not be found.
     #
     # @!attribute [rw] message
@@ -3930,7 +4140,7 @@ module Aws::AccessAnalyzer
     #   @return [String]
     #
     # @!attribute [rw] last_accessed
-    #   The time at which the permission last accessed.
+    #   The time at which the permission was last accessed.
     #   @return [Time]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedPermissionDetails AWS API Documentation
@@ -3943,6 +4153,41 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # Contains information about the action to take for a policy in an
+    # unused permissions finding.
+    #
+    # @!attribute [rw] policy_updated_at
+    #   The time at which the existing policy for the unused permissions
+    #   finding was last updated.
+    #   @return [Time]
+    #
+    # @!attribute [rw] recommended_action
+    #   A recommendation of whether to create or detach a policy for an
+    #   unused permissions finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] recommended_policy
+    #   If the recommended action for the unused permissions finding is to
+    #   replace the existing policy, the contents of the recommended policy
+    #   to replace the policy specified in the `existingPolicyId` field.
+    #   @return [String]
+    #
+    # @!attribute [rw] existing_policy_id
+    #   If the recommended action for the unused permissions finding is to
+    #   detach a policy, the ID of an existing policy to be detached.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedPermissionsRecommendedStep AWS API Documentation
+    #
+    class UnusedPermissionsRecommendedStep < Struct.new(
+      :policy_updated_at,
+      :recommended_action,
+      :recommended_policy,
+      :existing_policy_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Updates the specified archive rule.
     #
     # @!attribute [rw] analyzer_name

data/lib/aws-sdk-accessanalyzer.rb

@@ -52,6 +52,6 @@ require_relative 'aws-sdk-accessanalyzer/customizations'
 # @!group service
 module Aws::AccessAnalyzer
 
-  GEM_VERSION = '1.50.0'
+  GEM_VERSION = '1.51.0'
 
 end

data/sig/client.rbs

@@ -100,7 +100,8 @@ module Aws
                                       policy_document: ::String,
                                       access: Array[
                                         {
-                                          actions: Array[::String]
+                                          actions: Array[::String]?,
+                                          resources: Array[::String]?
                                         },
                                       ],
                                       policy_type: ("IDENTITY_POLICY" | "RESOURCE_POLICY")
@@ -121,6 +122,19 @@ module Aws
                                ) -> _CheckNoNewAccessResponseSuccess
                              | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _CheckNoNewAccessResponseSuccess
 
+      interface _CheckNoPublicAccessResponseSuccess
+        include ::Seahorse::Client::_ResponseSuccess[Types::CheckNoPublicAccessResponse]
+        def result: () -> ("PASS" | "FAIL")
+        def message: () -> ::String
+        def reasons: () -> ::Array[Types::ReasonSummary]
+      end
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/AccessAnalyzer/Client.html#check_no_public_access-instance_method
+      def check_no_public_access: (
+                                    policy_document: ::String,
+                                    resource_type: ("AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream" | "AWS::EFS::FileSystem" | "AWS::OpenSearchService::Domain" | "AWS::Kinesis::Stream" | "AWS::Kinesis::StreamConsumer" | "AWS::KMS::Key" | "AWS::Lambda::Function" | "AWS::S3::Bucket" | "AWS::S3::AccessPoint" | "AWS::S3Express::DirectoryBucket" | "AWS::S3::Glacier" | "AWS::S3Outposts::Bucket" | "AWS::S3Outposts::AccessPoint" | "AWS::SecretsManager::Secret" | "AWS::SNS::Topic" | "AWS::SQS::Queue" | "AWS::IAM::AssumeRolePolicyDocument")
+                                  ) -> _CheckNoPublicAccessResponseSuccess
+                                | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _CheckNoPublicAccessResponseSuccess
+
       interface _CreateAccessPreviewResponseSuccess
         include ::Seahorse::Client::_ResponseSuccess[Types::CreateAccessPreviewResponse]
         def id: () -> ::String
@@ -282,6 +296,13 @@ module Aws
                                ) -> ::Seahorse::Client::_ResponseSuccess[::Aws::EmptyStructure]
                              | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> ::Seahorse::Client::_ResponseSuccess[::Aws::EmptyStructure]
 
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/AccessAnalyzer/Client.html#generate_finding_recommendation-instance_method
+      def generate_finding_recommendation: (
+                                             analyzer_arn: ::String,
+                                             id: ::String
+                                           ) -> ::Seahorse::Client::_ResponseSuccess[::Aws::EmptyStructure]
+                                         | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> ::Seahorse::Client::_ResponseSuccess[::Aws::EmptyStructure]
+
       interface _GetAccessPreviewResponseSuccess
         include ::Seahorse::Client::_ResponseSuccess[Types::GetAccessPreviewResponse]
         def access_preview: () -> Types::AccessPreview
@@ -336,6 +357,25 @@ module Aws
                        ) -> _GetFindingResponseSuccess
                      | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _GetFindingResponseSuccess
 
+      interface _GetFindingRecommendationResponseSuccess
+        include ::Seahorse::Client::_ResponseSuccess[Types::GetFindingRecommendationResponse]
+        def started_at: () -> ::Time
+        def completed_at: () -> ::Time
+        def next_token: () -> ::String
+        def resource_arn: () -> ::String
+        def recommended_steps: () -> ::Array[Types::RecommendedStep]
+        def recommendation_type: () -> ("UnusedPermissionRecommendation")
+        def status: () -> ("SUCCEEDED" | "FAILED" | "IN_PROGRESS")
+      end
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/AccessAnalyzer/Client.html#get_finding_recommendation-instance_method
+      def get_finding_recommendation: (
+                                        analyzer_arn: ::String,
+                                        id: ::String,
+                                        ?max_results: ::Integer,
+                                        ?next_token: ::String
+                                      ) -> _GetFindingRecommendationResponseSuccess
+                                    | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _GetFindingRecommendationResponseSuccess
+
       interface _GetFindingV2ResponseSuccess
         include ::Seahorse::Client::_ResponseSuccess[Types::GetFindingV2Response]
         def analyzed_at: () -> ::Time

data/sig/types.rbs

@@ -10,6 +10,7 @@ module Aws::AccessAnalyzer
 
     class Access
       attr_accessor actions: ::Array[::String]
+      attr_accessor resources: ::Array[::String]
       SENSITIVE: []
     end
 
@@ -173,6 +174,19 @@ module Aws::AccessAnalyzer
       SENSITIVE: []
     end
 
+    class CheckNoPublicAccessRequest
+      attr_accessor policy_document: ::String
+      attr_accessor resource_type: ("AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream" | "AWS::EFS::FileSystem" | "AWS::OpenSearchService::Domain" | "AWS::Kinesis::Stream" | "AWS::Kinesis::StreamConsumer" | "AWS::KMS::Key" | "AWS::Lambda::Function" | "AWS::S3::Bucket" | "AWS::S3::AccessPoint" | "AWS::S3Express::DirectoryBucket" | "AWS::S3::Glacier" | "AWS::S3Outposts::Bucket" | "AWS::S3Outposts::AccessPoint" | "AWS::SecretsManager::Secret" | "AWS::SNS::Topic" | "AWS::SQS::Queue" | "AWS::IAM::AssumeRolePolicyDocument")
+      SENSITIVE: [:policy_document]
+    end
+
+    class CheckNoPublicAccessResponse
+      attr_accessor result: ("PASS" | "FAIL")
+      attr_accessor message: ::String
+      attr_accessor reasons: ::Array[Types::ReasonSummary]
+      SENSITIVE: []
+    end
+
     class CloudTrailDetails
       attr_accessor trails: ::Array[Types::Trail]
       attr_accessor access_role: ::String
@@ -422,6 +436,12 @@ module Aws::AccessAnalyzer
       SENSITIVE: []
     end
 
+    class GenerateFindingRecommendationRequest
+      attr_accessor analyzer_arn: ::String
+      attr_accessor id: ::String
+      SENSITIVE: []
+    end
+
     class GeneratedPolicy
       attr_accessor policy: ::String
       SENSITIVE: []
@@ -483,6 +503,26 @@ module Aws::AccessAnalyzer
       SENSITIVE: []
     end
 
+    class GetFindingRecommendationRequest
+      attr_accessor analyzer_arn: ::String
+      attr_accessor id: ::String
+      attr_accessor max_results: ::Integer
+      attr_accessor next_token: ::String
+      SENSITIVE: []
+    end
+
+    class GetFindingRecommendationResponse
+      attr_accessor started_at: ::Time
+      attr_accessor completed_at: ::Time
+      attr_accessor next_token: ::String
+      attr_accessor error: Types::RecommendationError
+      attr_accessor resource_arn: ::String
+      attr_accessor recommended_steps: ::Array[Types::RecommendedStep]
+      attr_accessor recommendation_type: ("UnusedPermissionRecommendation")
+      attr_accessor status: ("SUCCEEDED" | "FAILED" | "IN_PROGRESS")
+      SENSITIVE: []
+    end
+
     class GetFindingRequest
       attr_accessor analyzer_arn: ::String
       attr_accessor id: ::String
@@ -815,6 +855,23 @@ module Aws::AccessAnalyzer
       SENSITIVE: []
     end
 
+    class RecommendationError
+      attr_accessor code: ::String
+      attr_accessor message: ::String
+      SENSITIVE: []
+    end
+
+    class RecommendedStep
+      attr_accessor unused_permissions_recommended_step: Types::UnusedPermissionsRecommendedStep
+      attr_accessor unknown: untyped
+      SENSITIVE: []
+
+      class UnusedPermissionsRecommendedStep < RecommendedStep
+      end
+      class Unknown < RecommendedStep
+      end
+    end
+
     class ResourceNotFoundException
       attr_accessor message: ::String
       attr_accessor resource_id: ::String
@@ -996,6 +1053,14 @@ module Aws::AccessAnalyzer
       SENSITIVE: []
     end
 
+    class UnusedPermissionsRecommendedStep
+      attr_accessor policy_updated_at: ::Time
+      attr_accessor recommended_action: ("CREATE_POLICY" | "DETACH_POLICY")
+      attr_accessor recommended_policy: ::String
+      attr_accessor existing_policy_id: ::String
+      SENSITIVE: []
+    end
+
     class UpdateArchiveRuleRequest
       attr_accessor analyzer_name: ::String
       attr_accessor rule_name: ::String
@@ -1040,7 +1105,7 @@ module Aws::AccessAnalyzer
 
     class ValidationException
       attr_accessor message: ::String
-      attr_accessor reason: ("unknownOperation" | "cannotParse" | "fieldValidationFailed" | "other")
+      attr_accessor reason: ("unknownOperation" | "cannotParse" | "fieldValidationFailed" | "other" | "notSupported")
       attr_accessor field_list: ::Array[Types::ValidationExceptionField]
       SENSITIVE: []
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-accessanalyzer
 version: !ruby/object:Gem::Version
-  version: 1.50.0
+  version: 1.51.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-05 00:00:00.000000000 Z
+date: 2024-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core