aws-sdk-accessanalyzer 1.61.0 → 1.64.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 53a13ba99f718e6aa61c3c5260551d9cb47474ca19d3384890c357d144ff79cd
-  data.tar.gz: e0354b42a617673d2e21200d6dc25a58905fc2060ec1f99de67f3f6b7d0d47f4
+  metadata.gz: 298dda42069806317c1cc578827d1d6ac1e9fb87647caca6ee559aedee6b7b1e
+  data.tar.gz: 9b9cccaec291cf7d0c29352775c55968ec23c98d5c840695be9ad46de206d27c
 SHA512:
-  metadata.gz: 99b53c539273846884dfd65a1ef2af8a7f0b1669de84f373b17ac883e528e9bd05e675d020087d7fa90bba777e642a1676fa99588e1d94e67266e044de152e8e
-  data.tar.gz: 6c598991dcb7889b26e20932036e7ccfaad576bc430d20dee6e1d0945f55446428a701afa2fe6ed9d8bf5abe6f5de50d102e3ba5d08bbb465855885d2ca5823f
+  metadata.gz: 4f9dae2dd2eed42a9c7f3ceeb447a13bfbb95a1e8353fbe36e32e54ea7907e90c8d099f958fd7c69369d13e150907295809732f685183af645c7163ba191b7a8
+  data.tar.gz: 25c7805436c022ebb2ff139f608f8d5599b6a1d124c8e1bfcdeff9c25694ef38f9872aa85d3de8b8e482cae5f0d13d68889321af6c6e26f73563ae99335d49b5

data/CHANGELOG.md

@@ -1,6 +1,21 @@
 Unreleased Changes
 ------------------
 
+1.64.0 (2024-11-14)
+------------------
+
+* Feature - Expand analyzer configuration capabilities for unused access analyzers. Unused access analyzer configurations now support the ability to exclude accounts and resource tags from analysis providing more granular control over the scope of analysis.
+
+1.63.0 (2024-11-13)
+------------------
+
+* Feature - This release adds support for policy validation and external access findings for resource control policies (RCP). IAM Access Analyzer helps you author functional and secure RCPs and awareness that a RCP may restrict external access. Updated service API, documentation, and paginators.
+
+1.62.0 (2024-11-06)
+------------------
+
+* Feature - Code Generated Changes, see `./build_tools` or `aws-sdk-core`'s CHANGELOG.md for details.
+
 1.61.0 (2024-10-18)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.61.0
+1.64.0

data/lib/aws-sdk-accessanalyzer/client.rb

@@ -514,11 +514,12 @@ module Aws::AccessAnalyzer
     # @option params [required, Array<Types::Access>] :access
     #   An access object containing the permissions that shouldn't be granted
     #   by the specified policy. If only actions are specified, IAM Access
-    #   Analyzer checks for access of the actions on all resources in the
-    #   policy. If only resources are specified, then IAM Access Analyzer
-    #   checks which actions have access to the specified resources. If both
-    #   actions and resources are specified, then IAM Access Analyzer checks
-    #   which of the specified actions have access to the specified resources.
+    #   Analyzer checks for access to peform at least one of the actions on
+    #   any resource in the policy. If only resources are specified, then IAM
+    #   Access Analyzer checks for access to perform any action on at least
+    #   one of the resources. If both actions and resources are specified, IAM
+    #   Access Analyzer checks for access to perform at least one of the
+    #   specified actions on at least one of the specified resources.
     #
     # @option params [required, String] :policy_type
     #   The type of policy. Identity policies grant permissions to IAM
@@ -527,9 +528,7 @@ module Aws::AccessAnalyzer
     #
     #   Resource policies grant permissions on Amazon Web Services resources.
     #   Resource policies include trust policies for IAM roles and bucket
-    #   policies for Amazon S3 buckets. You can provide a generic input such
-    #   as identity policy or resource policy or a specific input such as
-    #   managed policy or Amazon S3 bucket policy.
+    #   policies for Amazon S3 buckets.
     #
     # @return [Types::CheckAccessNotGrantedResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -951,7 +950,15 @@ module Aws::AccessAnalyzer
     #   the rule.
     #
     # @option params [Hash<String,String>] :tags
-    #   An array of key-value pairs to apply to the analyzer.
+    #   An array of key-value pairs to apply to the analyzer. You can use the
+    #   set of Unicode letters, digits, whitespace, `_`, `.`, `/`, `=`, `+`,
+    #   and `-`.
+    #
+    #   For the tag key, you can specify a value that is 1 to 128 characters
+    #   in length and cannot be prefixed with `aws:`.
+    #
+    #   For the tag value, you can specify a value that is 0 to 256 characters
+    #   in length.
     #
     # @option params [String] :client_token
     #   A client token.
@@ -962,8 +969,7 @@ module Aws::AccessAnalyzer
     # @option params [Types::AnalyzerConfiguration] :configuration
     #   Specifies the configuration of the analyzer. If the analyzer is an
     #   unused access analyzer, the specified scope of unused access is used
-    #   for the configuration. If the analyzer is an external access analyzer,
-    #   this field is not used.
+    #   for the configuration.
     #
     # @return [Types::CreateAnalyzerResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -994,6 +1000,18 @@ module Aws::AccessAnalyzer
     #     configuration: {
     #       unused_access: {
     #         unused_access_age: 1,
+    #         analysis_rule: {
+    #           exclusions: [
+    #             {
+    #               account_ids: ["String"],
+    #               resource_tags: [
+    #                 {
+    #                   "String" => "String",
+    #                 },
+    #               ],
+    #             },
+    #           ],
+    #         },
     #       },
     #     },
     #   })
@@ -1295,7 +1313,7 @@ module Aws::AccessAnalyzer
     # @example Response structure
     #
     #   resp.resource.resource_arn #=> String
-    #   resp.resource.resource_type #=> String, one of "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream"
+    #   resp.resource.resource_type #=> String, one of "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream", "AWS::IAM::User"
     #   resp.resource.created_at #=> Time
     #   resp.resource.analyzed_at #=> Time
     #   resp.resource.updated_at #=> Time
@@ -1345,6 +1363,12 @@ module Aws::AccessAnalyzer
     #   resp.analyzer.status #=> String, one of "ACTIVE", "CREATING", "DISABLED", "FAILED"
     #   resp.analyzer.status_reason.code #=> String, one of "AWS_SERVICE_ACCESS_DISABLED", "DELEGATED_ADMINISTRATOR_DEREGISTERED", "ORGANIZATION_DELETED", "SERVICE_LINKED_ROLE_CREATION_FAILED"
     #   resp.analyzer.configuration.unused_access.unused_access_age #=> Integer
+    #   resp.analyzer.configuration.unused_access.analysis_rule.exclusions #=> Array
+    #   resp.analyzer.configuration.unused_access.analysis_rule.exclusions[0].account_ids #=> Array
+    #   resp.analyzer.configuration.unused_access.analysis_rule.exclusions[0].account_ids[0] #=> String
+    #   resp.analyzer.configuration.unused_access.analysis_rule.exclusions[0].resource_tags #=> Array
+    #   resp.analyzer.configuration.unused_access.analysis_rule.exclusions[0].resource_tags[0] #=> Hash
+    #   resp.analyzer.configuration.unused_access.analysis_rule.exclusions[0].resource_tags[0]["String"] #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAnalyzer AWS API Documentation
     #
@@ -1439,7 +1463,7 @@ module Aws::AccessAnalyzer
     #   resp.finding.action[0] #=> String
     #   resp.finding.resource #=> String
     #   resp.finding.is_public #=> Boolean
-    #   resp.finding.resource_type #=> String, one of "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream"
+    #   resp.finding.resource_type #=> String, one of "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream", "AWS::IAM::User"
     #   resp.finding.condition #=> Hash
     #   resp.finding.condition["String"] #=> String
     #   resp.finding.created_at #=> Time
@@ -1452,6 +1476,7 @@ module Aws::AccessAnalyzer
     #   resp.finding.sources[0].type #=> String, one of "POLICY", "BUCKET_ACL", "S3_ACCESS_POINT", "S3_ACCESS_POINT_ACCOUNT"
     #   resp.finding.sources[0].detail.access_point_arn #=> String
     #   resp.finding.sources[0].detail.access_point_account #=> String
+    #   resp.finding.resource_control_policy_restriction #=> String, one of "APPLICABLE", "FAILED_TO_EVALUATE_RCP", "NOT_APPLICABLE"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetFinding AWS API Documentation
     #
@@ -1662,7 +1687,7 @@ module Aws::AccessAnalyzer
     #   resp.id #=> String
     #   resp.next_token #=> String
     #   resp.resource #=> String
-    #   resp.resource_type #=> String, one of "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream"
+    #   resp.resource_type #=> String, one of "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream", "AWS::IAM::User"
     #   resp.resource_owner_account #=> String
     #   resp.status #=> String, one of "ACTIVE", "ARCHIVED", "RESOLVED"
     #   resp.updated_at #=> Time
@@ -1678,6 +1703,7 @@ module Aws::AccessAnalyzer
     #   resp.finding_details[0].external_access_details.sources[0].type #=> String, one of "POLICY", "BUCKET_ACL", "S3_ACCESS_POINT", "S3_ACCESS_POINT_ACCOUNT"
     #   resp.finding_details[0].external_access_details.sources[0].detail.access_point_arn #=> String
     #   resp.finding_details[0].external_access_details.sources[0].detail.access_point_account #=> String
+    #   resp.finding_details[0].external_access_details.resource_control_policy_restriction #=> String, one of "APPLICABLE", "FAILED_TO_EVALUATE_RCP", "NOT_APPLICABLE"
     #   resp.finding_details[0].unused_permission_details.actions #=> Array
     #   resp.finding_details[0].unused_permission_details.actions[0].action #=> String
     #   resp.finding_details[0].unused_permission_details.actions[0].last_accessed #=> Time
@@ -1712,8 +1738,8 @@ module Aws::AccessAnalyzer
     #   that support resource level granularity in policies.
     #
     #   For example, in the resource section of a policy, you can receive a
-    #   placeholder such as `"Resource":"arn:aws:s3:::$\{BucketName\}"`
-    #   instead of `"*"`.
+    #   placeholder such as `"Resource":"arn:aws:s3:::${BucketName}"` instead
+    #   of `"*"`.
     #
     # @option params [Boolean] :include_service_level_template
     #   The level of detail that you want to generate. You can specify whether
@@ -1825,7 +1851,7 @@ module Aws::AccessAnalyzer
     #   resp.findings[0].condition["String"] #=> String
     #   resp.findings[0].resource #=> String
     #   resp.findings[0].is_public #=> Boolean
-    #   resp.findings[0].resource_type #=> String, one of "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream"
+    #   resp.findings[0].resource_type #=> String, one of "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream", "AWS::IAM::User"
     #   resp.findings[0].created_at #=> Time
     #   resp.findings[0].change_type #=> String, one of "CHANGED", "NEW", "UNCHANGED"
     #   resp.findings[0].status #=> String, one of "ACTIVE", "ARCHIVED", "RESOLVED"
@@ -1835,6 +1861,7 @@ module Aws::AccessAnalyzer
     #   resp.findings[0].sources[0].type #=> String, one of "POLICY", "BUCKET_ACL", "S3_ACCESS_POINT", "S3_ACCESS_POINT_ACCOUNT"
     #   resp.findings[0].sources[0].detail.access_point_arn #=> String
     #   resp.findings[0].sources[0].detail.access_point_account #=> String
+    #   resp.findings[0].resource_control_policy_restriction #=> String, one of "APPLICABLE", "FAILED_TO_EVALUATE_RCP", "NOT_APPLICABLE"
     #   resp.next_token #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindings AWS API Documentation
@@ -1896,8 +1923,7 @@ module Aws::AccessAnalyzer
     end
 
     # Retrieves a list of resources of the specified type that have been
-    # analyzed by the specified external access analyzer. This action is not
-    # supported for unused access analyzers.
+    # analyzed by the specified analyzer.
     #
     # @option params [required, String] :analyzer_arn
     #   The [ARN of the analyzer][1] to retrieve a list of analyzed resources
@@ -1927,7 +1953,7 @@ module Aws::AccessAnalyzer
     #
     #   resp = client.list_analyzed_resources({
     #     analyzer_arn: "AnalyzerArn", # required
-    #     resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key, AWS::SecretsManager::Secret, AWS::EFS::FileSystem, AWS::EC2::Snapshot, AWS::ECR::Repository, AWS::RDS::DBSnapshot, AWS::RDS::DBClusterSnapshot, AWS::SNS::Topic, AWS::S3Express::DirectoryBucket, AWS::DynamoDB::Table, AWS::DynamoDB::Stream
+    #     resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::IAM::Role, AWS::SQS::Queue, AWS::Lambda::Function, AWS::Lambda::LayerVersion, AWS::KMS::Key, AWS::SecretsManager::Secret, AWS::EFS::FileSystem, AWS::EC2::Snapshot, AWS::ECR::Repository, AWS::RDS::DBSnapshot, AWS::RDS::DBClusterSnapshot, AWS::SNS::Topic, AWS::S3Express::DirectoryBucket, AWS::DynamoDB::Table, AWS::DynamoDB::Stream, AWS::IAM::User
     #     next_token: "Token",
     #     max_results: 1,
     #   })
@@ -1937,7 +1963,7 @@ module Aws::AccessAnalyzer
     #   resp.analyzed_resources #=> Array
     #   resp.analyzed_resources[0].resource_arn #=> String
     #   resp.analyzed_resources[0].resource_owner_account #=> String
-    #   resp.analyzed_resources[0].resource_type #=> String, one of "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream"
+    #   resp.analyzed_resources[0].resource_type #=> String, one of "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream", "AWS::IAM::User"
     #   resp.next_token #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResources AWS API Documentation
@@ -1989,6 +2015,12 @@ module Aws::AccessAnalyzer
     #   resp.analyzers[0].status #=> String, one of "ACTIVE", "CREATING", "DISABLED", "FAILED"
     #   resp.analyzers[0].status_reason.code #=> String, one of "AWS_SERVICE_ACCESS_DISABLED", "DELEGATED_ADMINISTRATOR_DEREGISTERED", "ORGANIZATION_DELETED", "SERVICE_LINKED_ROLE_CREATION_FAILED"
     #   resp.analyzers[0].configuration.unused_access.unused_access_age #=> Integer
+    #   resp.analyzers[0].configuration.unused_access.analysis_rule.exclusions #=> Array
+    #   resp.analyzers[0].configuration.unused_access.analysis_rule.exclusions[0].account_ids #=> Array
+    #   resp.analyzers[0].configuration.unused_access.analysis_rule.exclusions[0].account_ids[0] #=> String
+    #   resp.analyzers[0].configuration.unused_access.analysis_rule.exclusions[0].resource_tags #=> Array
+    #   resp.analyzers[0].configuration.unused_access.analysis_rule.exclusions[0].resource_tags[0] #=> Hash
+    #   resp.analyzers[0].configuration.unused_access.analysis_rule.exclusions[0].resource_tags[0]["String"] #=> String
     #   resp.next_token #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzers AWS API Documentation
@@ -2121,7 +2153,7 @@ module Aws::AccessAnalyzer
     #   resp.findings[0].action[0] #=> String
     #   resp.findings[0].resource #=> String
     #   resp.findings[0].is_public #=> Boolean
-    #   resp.findings[0].resource_type #=> String, one of "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream"
+    #   resp.findings[0].resource_type #=> String, one of "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream", "AWS::IAM::User"
     #   resp.findings[0].condition #=> Hash
     #   resp.findings[0].condition["String"] #=> String
     #   resp.findings[0].created_at #=> Time
@@ -2134,6 +2166,7 @@ module Aws::AccessAnalyzer
     #   resp.findings[0].sources[0].type #=> String, one of "POLICY", "BUCKET_ACL", "S3_ACCESS_POINT", "S3_ACCESS_POINT_ACCOUNT"
     #   resp.findings[0].sources[0].detail.access_point_arn #=> String
     #   resp.findings[0].sources[0].detail.access_point_account #=> String
+    #   resp.findings[0].resource_control_policy_restriction #=> String, one of "APPLICABLE", "FAILED_TO_EVALUATE_RCP", "NOT_APPLICABLE"
     #   resp.next_token #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindings AWS API Documentation
@@ -2213,7 +2246,7 @@ module Aws::AccessAnalyzer
     #   resp.findings[0].error #=> String
     #   resp.findings[0].id #=> String
     #   resp.findings[0].resource #=> String
-    #   resp.findings[0].resource_type #=> String, one of "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream"
+    #   resp.findings[0].resource_type #=> String, one of "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream", "AWS::IAM::User"
     #   resp.findings[0].resource_owner_account #=> String
     #   resp.findings[0].status #=> String, one of "ACTIVE", "ARCHIVED", "RESOLVED"
     #   resp.findings[0].updated_at #=> Time
@@ -2459,6 +2492,61 @@ module Aws::AccessAnalyzer
       req.send_request(options)
     end
 
+    # Modifies the configuration of an existing analyzer.
+    #
+    # @option params [required, String] :analyzer_name
+    #   The name of the analyzer to modify.
+    #
+    # @option params [Types::AnalyzerConfiguration] :configuration
+    #   Contains information about the configuration of an analyzer for an
+    #   Amazon Web Services organization or account.
+    #
+    # @return [Types::UpdateAnalyzerResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::UpdateAnalyzerResponse#configuration #configuration} => Types::AnalyzerConfiguration
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.update_analyzer({
+    #     analyzer_name: "Name", # required
+    #     configuration: {
+    #       unused_access: {
+    #         unused_access_age: 1,
+    #         analysis_rule: {
+    #           exclusions: [
+    #             {
+    #               account_ids: ["String"],
+    #               resource_tags: [
+    #                 {
+    #                   "String" => "String",
+    #                 },
+    #               ],
+    #             },
+    #           ],
+    #         },
+    #       },
+    #     },
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.configuration.unused_access.unused_access_age #=> Integer
+    #   resp.configuration.unused_access.analysis_rule.exclusions #=> Array
+    #   resp.configuration.unused_access.analysis_rule.exclusions[0].account_ids #=> Array
+    #   resp.configuration.unused_access.analysis_rule.exclusions[0].account_ids[0] #=> String
+    #   resp.configuration.unused_access.analysis_rule.exclusions[0].resource_tags #=> Array
+    #   resp.configuration.unused_access.analysis_rule.exclusions[0].resource_tags[0] #=> Hash
+    #   resp.configuration.unused_access.analysis_rule.exclusions[0].resource_tags[0]["String"] #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UpdateAnalyzer AWS API Documentation
+    #
+    # @overload update_analyzer(params = {})
+    # @param [Hash] params ({})
+    def update_analyzer(params = {}, options = {})
+      req = build_request(:update_analyzer, params)
+      req.send_request(options)
+    end
+
     # Updates the criteria and values for the specified archive rule.
     #
     # @option params [required, String] :analyzer_name
@@ -2610,7 +2698,7 @@ module Aws::AccessAnalyzer
     #     max_results: 1,
     #     next_token: "Token",
     #     policy_document: "PolicyDocument", # required
-    #     policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY
+    #     policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY, RESOURCE_CONTROL_POLICY
     #     validate_policy_resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::S3::AccessPoint, AWS::S3::MultiRegionAccessPoint, AWS::S3ObjectLambda::AccessPoint, AWS::IAM::AssumeRolePolicyDocument, AWS::DynamoDB::Table
     #   })
     #
@@ -2663,7 +2751,7 @@ module Aws::AccessAnalyzer
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-accessanalyzer'
-      context[:gem_version] = '1.61.0'
+      context[:gem_version] = '1.64.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-accessanalyzer/client_api.rb

@@ -33,12 +33,16 @@ module Aws::AccessAnalyzer
     AccessPreviewSummary = Shapes::StructureShape.new(name: 'AccessPreviewSummary')
     AccessPreviewsList = Shapes::ListShape.new(name: 'AccessPreviewsList')
     AccessResourcesList = Shapes::ListShape.new(name: 'AccessResourcesList')
+    AccountIdsList = Shapes::ListShape.new(name: 'AccountIdsList')
     AclCanonicalId = Shapes::StringShape.new(name: 'AclCanonicalId')
     AclGrantee = Shapes::UnionShape.new(name: 'AclGrantee')
     AclPermission = Shapes::StringShape.new(name: 'AclPermission')
     AclUri = Shapes::StringShape.new(name: 'AclUri')
     Action = Shapes::StringShape.new(name: 'Action')
     ActionList = Shapes::ListShape.new(name: 'ActionList')
+    AnalysisRule = Shapes::StructureShape.new(name: 'AnalysisRule')
+    AnalysisRuleCriteria = Shapes::StructureShape.new(name: 'AnalysisRuleCriteria')
+    AnalysisRuleCriteriaList = Shapes::ListShape.new(name: 'AnalysisRuleCriteriaList')
     AnalyzedResource = Shapes::StructureShape.new(name: 'AnalyzedResource')
     AnalyzedResourceSummary = Shapes::StructureShape.new(name: 'AnalyzedResourceSummary')
     AnalyzedResourcesList = Shapes::ListShape.new(name: 'AnalyzedResourcesList')
@@ -225,6 +229,7 @@ module Aws::AccessAnalyzer
     RegionList = Shapes::ListShape.new(name: 'RegionList')
     Resource = Shapes::StringShape.new(name: 'Resource')
     ResourceArn = Shapes::StringShape.new(name: 'ResourceArn')
+    ResourceControlPolicyRestriction = Shapes::StringShape.new(name: 'ResourceControlPolicyRestriction')
     ResourceNotFoundException = Shapes::StructureShape.new(name: 'ResourceNotFoundException')
     ResourceType = Shapes::StringShape.new(name: 'ResourceType')
     RetiringPrincipal = Shapes::StringShape.new(name: 'RetiringPrincipal')
@@ -259,6 +264,7 @@ module Aws::AccessAnalyzer
     TagKeys = Shapes::ListShape.new(name: 'TagKeys')
     TagResourceRequest = Shapes::StructureShape.new(name: 'TagResourceRequest')
     TagResourceResponse = Shapes::StructureShape.new(name: 'TagResourceResponse')
+    TagsList = Shapes::ListShape.new(name: 'TagsList')
     TagsMap = Shapes::MapShape.new(name: 'TagsMap')
     ThrottlingException = Shapes::StructureShape.new(name: 'ThrottlingException')
     Timestamp = Shapes::TimestampShape.new(name: 'Timestamp', timestampFormat: "iso8601")
@@ -279,6 +285,8 @@ module Aws::AccessAnalyzer
     UnusedIamUserPasswordDetails = Shapes::StructureShape.new(name: 'UnusedIamUserPasswordDetails')
     UnusedPermissionDetails = Shapes::StructureShape.new(name: 'UnusedPermissionDetails')
     UnusedPermissionsRecommendedStep = Shapes::StructureShape.new(name: 'UnusedPermissionsRecommendedStep')
+    UpdateAnalyzerRequest = Shapes::StructureShape.new(name: 'UpdateAnalyzerRequest')
+    UpdateAnalyzerResponse = Shapes::StructureShape.new(name: 'UpdateAnalyzerResponse')
     UpdateArchiveRuleRequest = Shapes::StructureShape.new(name: 'UpdateArchiveRuleRequest')
     UpdateFindingsRequest = Shapes::StructureShape.new(name: 'UpdateFindingsRequest')
     ValidatePolicyFinding = Shapes::StructureShape.new(name: 'ValidatePolicyFinding')
@@ -327,6 +335,7 @@ module Aws::AccessAnalyzer
     AccessPreviewFinding.add_member(:resource_owner_account, Shapes::ShapeRef.new(shape: String, required: true, location_name: "resourceOwnerAccount"))
     AccessPreviewFinding.add_member(:error, Shapes::ShapeRef.new(shape: String, location_name: "error"))
     AccessPreviewFinding.add_member(:sources, Shapes::ShapeRef.new(shape: FindingSourceList, location_name: "sources"))
+    AccessPreviewFinding.add_member(:resource_control_policy_restriction, Shapes::ShapeRef.new(shape: ResourceControlPolicyRestriction, location_name: "resourceControlPolicyRestriction"))
     AccessPreviewFinding.struct_class = Types::AccessPreviewFinding
 
     AccessPreviewFindingsList.member = Shapes::ShapeRef.new(shape: AccessPreviewFinding)
@@ -345,6 +354,8 @@ module Aws::AccessAnalyzer
 
     AccessResourcesList.member = Shapes::ShapeRef.new(shape: Resource)
 
+    AccountIdsList.member = Shapes::ShapeRef.new(shape: String)
+
     AclGrantee.add_member(:id, Shapes::ShapeRef.new(shape: AclCanonicalId, location_name: "id"))
     AclGrantee.add_member(:uri, Shapes::ShapeRef.new(shape: AclUri, location_name: "uri"))
     AclGrantee.add_member(:unknown, Shapes::ShapeRef.new(shape: nil, location_name: 'unknown'))
@@ -355,6 +366,15 @@ module Aws::AccessAnalyzer
 
     ActionList.member = Shapes::ShapeRef.new(shape: String)
 
+    AnalysisRule.add_member(:exclusions, Shapes::ShapeRef.new(shape: AnalysisRuleCriteriaList, location_name: "exclusions"))
+    AnalysisRule.struct_class = Types::AnalysisRule
+
+    AnalysisRuleCriteria.add_member(:account_ids, Shapes::ShapeRef.new(shape: AccountIdsList, location_name: "accountIds"))
+    AnalysisRuleCriteria.add_member(:resource_tags, Shapes::ShapeRef.new(shape: TagsList, location_name: "resourceTags"))
+    AnalysisRuleCriteria.struct_class = Types::AnalysisRuleCriteria
+
+    AnalysisRuleCriteriaList.member = Shapes::ShapeRef.new(shape: AnalysisRuleCriteria)
+
     AnalyzedResource.add_member(:resource_arn, Shapes::ShapeRef.new(shape: ResourceArn, required: true, location_name: "resourceArn"))
     AnalyzedResource.add_member(:resource_type, Shapes::ShapeRef.new(shape: ResourceType, required: true, location_name: "resourceType"))
     AnalyzedResource.add_member(:created_at, Shapes::ShapeRef.new(shape: Timestamp, required: true, location_name: "createdAt"))
@@ -564,6 +584,7 @@ module Aws::AccessAnalyzer
     ExternalAccessDetails.add_member(:is_public, Shapes::ShapeRef.new(shape: Boolean, location_name: "isPublic"))
     ExternalAccessDetails.add_member(:principal, Shapes::ShapeRef.new(shape: PrincipalMap, location_name: "principal"))
     ExternalAccessDetails.add_member(:sources, Shapes::ShapeRef.new(shape: FindingSourceList, location_name: "sources"))
+    ExternalAccessDetails.add_member(:resource_control_policy_restriction, Shapes::ShapeRef.new(shape: ResourceControlPolicyRestriction, location_name: "resourceControlPolicyRestriction"))
     ExternalAccessDetails.struct_class = Types::ExternalAccessDetails
 
     FilterCriteriaMap.key = Shapes::ShapeRef.new(shape: String)
@@ -583,6 +604,7 @@ module Aws::AccessAnalyzer
     Finding.add_member(:resource_owner_account, Shapes::ShapeRef.new(shape: String, required: true, location_name: "resourceOwnerAccount"))
     Finding.add_member(:error, Shapes::ShapeRef.new(shape: String, location_name: "error"))
     Finding.add_member(:sources, Shapes::ShapeRef.new(shape: FindingSourceList, location_name: "sources"))
+    Finding.add_member(:resource_control_policy_restriction, Shapes::ShapeRef.new(shape: ResourceControlPolicyRestriction, location_name: "resourceControlPolicyRestriction"))
     Finding.struct_class = Types::Finding
 
     FindingDetails.add_member(:external_access_details, Shapes::ShapeRef.new(shape: ExternalAccessDetails, location_name: "externalAccessDetails"))
@@ -627,6 +649,7 @@ module Aws::AccessAnalyzer
     FindingSummary.add_member(:resource_owner_account, Shapes::ShapeRef.new(shape: String, required: true, location_name: "resourceOwnerAccount"))
     FindingSummary.add_member(:error, Shapes::ShapeRef.new(shape: String, location_name: "error"))
     FindingSummary.add_member(:sources, Shapes::ShapeRef.new(shape: FindingSourceList, location_name: "sources"))
+    FindingSummary.add_member(:resource_control_policy_restriction, Shapes::ShapeRef.new(shape: ResourceControlPolicyRestriction, location_name: "resourceControlPolicyRestriction"))
     FindingSummary.struct_class = Types::FindingSummary
 
     FindingSummaryV2.add_member(:analyzed_at, Shapes::ShapeRef.new(shape: Timestamp, required: true, location_name: "analyzedAt"))
@@ -1065,6 +1088,8 @@ module Aws::AccessAnalyzer
 
     TagResourceResponse.struct_class = Types::TagResourceResponse
 
+    TagsList.member = Shapes::ShapeRef.new(shape: TagsMap)
+
     TagsMap.key = Shapes::ShapeRef.new(shape: String)
     TagsMap.value = Shapes::ShapeRef.new(shape: String)
 
@@ -1096,6 +1121,7 @@ module Aws::AccessAnalyzer
     UntagResourceResponse.struct_class = Types::UntagResourceResponse
 
     UnusedAccessConfiguration.add_member(:unused_access_age, Shapes::ShapeRef.new(shape: Integer, location_name: "unusedAccessAge"))
+    UnusedAccessConfiguration.add_member(:analysis_rule, Shapes::ShapeRef.new(shape: AnalysisRule, location_name: "analysisRule"))
     UnusedAccessConfiguration.struct_class = Types::UnusedAccessConfiguration
 
     UnusedAction.add_member(:action, Shapes::ShapeRef.new(shape: String, required: true, location_name: "action"))
@@ -1125,6 +1151,13 @@ module Aws::AccessAnalyzer
     UnusedPermissionsRecommendedStep.add_member(:existing_policy_id, Shapes::ShapeRef.new(shape: String, location_name: "existingPolicyId"))
     UnusedPermissionsRecommendedStep.struct_class = Types::UnusedPermissionsRecommendedStep
 
+    UpdateAnalyzerRequest.add_member(:analyzer_name, Shapes::ShapeRef.new(shape: Name, required: true, location: "uri", location_name: "analyzerName"))
+    UpdateAnalyzerRequest.add_member(:configuration, Shapes::ShapeRef.new(shape: AnalyzerConfiguration, location_name: "configuration"))
+    UpdateAnalyzerRequest.struct_class = Types::UpdateAnalyzerRequest
+
+    UpdateAnalyzerResponse.add_member(:configuration, Shapes::ShapeRef.new(shape: AnalyzerConfiguration, location_name: "configuration"))
+    UpdateAnalyzerResponse.struct_class = Types::UpdateAnalyzerResponse
+
     UpdateArchiveRuleRequest.add_member(:analyzer_name, Shapes::ShapeRef.new(shape: Name, required: true, location: "uri", location_name: "analyzerName"))
     UpdateArchiveRuleRequest.add_member(:rule_name, Shapes::ShapeRef.new(shape: Name, required: true, location: "uri", location_name: "ruleName"))
     UpdateArchiveRuleRequest.add_member(:filter, Shapes::ShapeRef.new(shape: FilterCriteriaMap, required: true, location_name: "filter"))
@@ -1183,6 +1216,7 @@ module Aws::AccessAnalyzer
 
       api.metadata = {
         "apiVersion" => "2019-11-01",
+        "auth" => ["aws.auth#sigv4"],
         "endpointPrefix" => "access-analyzer",
         "protocol" => "rest-json",
         "protocols" => ["rest-json"],
@@ -1673,6 +1707,20 @@ module Aws::AccessAnalyzer
         o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
       end)
 
+      api.add_operation(:update_analyzer, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "UpdateAnalyzer"
+        o.http_method = "PUT"
+        o.http_request_uri = "/analyzer/{analyzerName}"
+        o.input = Shapes::ShapeRef.new(shape: UpdateAnalyzerRequest)
+        o.output = Shapes::ShapeRef.new(shape: UpdateAnalyzerResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: ConflictException)
+        o.errors << Shapes::ShapeRef.new(shape: ValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerException)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
+      end)
+
       api.add_operation(:update_archive_rule, Seahorse::Model::Operation.new.tap do |o|
         o.name = "UpdateArchiveRule"
         o.http_method = "PUT"

data/lib/aws-sdk-accessanalyzer/types.rb

@@ -21,8 +21,9 @@ module Aws::AccessAnalyzer
     #
     # @!attribute [rw] resources
     #   A list of resources for the access permissions. Any strings that can
-    #   be used as a resource in an IAM policy can be used in the list of
-    #   resources to check.
+    #   be used as an Amazon Resource Name (ARN) in an IAM policy can be
+    #   used in the list of resources to check. You can only use a wildcard
+    #   in the portion of the ARN that specifies the resource ID.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Access AWS API Documentation
@@ -191,6 +192,11 @@ module Aws::AccessAnalyzer
     #   bucket findings.
     #   @return [Array<Types::FindingSource>]
     #
+    # @!attribute [rw] resource_control_policy_restriction
+    #   The type of restriction applied to the finding by the resource owner
+    #   with an Organizations resource control policy (RCP).
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewFinding AWS API Documentation
     #
     class AccessPreviewFinding < Struct.new(
@@ -208,7 +214,8 @@ module Aws::AccessAnalyzer
       :status,
       :resource_owner_account,
       :error,
-      :sources)
+      :sources,
+      :resource_control_policy_restriction)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -311,6 +318,57 @@ module Aws::AccessAnalyzer
       class Unknown < AclGrantee; end
     end
 
+    # Contains information about analysis rules for the analyzer. Analysis
+    # rules determine which entities will generate findings based on the
+    # criteria you define when you create the rule.
+    #
+    # @!attribute [rw] exclusions
+    #   A list of rules for the analyzer containing criteria to exclude from
+    #   analysis. Entities that meet the rule criteria will not generate
+    #   findings.
+    #   @return [Array<Types::AnalysisRuleCriteria>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AnalysisRule AWS API Documentation
+    #
+    class AnalysisRule < Struct.new(
+      :exclusions)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The criteria for an analysis rule for an analyzer. The criteria
+    # determine which entities will generate findings.
+    #
+    # @!attribute [rw] account_ids
+    #   A list of Amazon Web Services account IDs to apply to the analysis
+    #   rule criteria. The accounts cannot include the organization analyzer
+    #   owner account. Account IDs can only be applied to the analysis rule
+    #   criteria for organization-level analyzers. The list cannot include
+    #   more than 2,000 account IDs.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] resource_tags
+    #   An array of key-value pairs to match for your resources. You can use
+    #   the set of Unicode letters, digits, whitespace, `_`, `.`, `/`, `=`,
+    #   `+`, and `-`.
+    #
+    #   For the tag key, you can specify a value that is 1 to 128 characters
+    #   in length and cannot be prefixed with `aws:`.
+    #
+    #   For the tag value, you can specify a value that is 0 to 256
+    #   characters in length. If the specified tag value is 0 characters,
+    #   the rule is applied to all principals with the specified tag key.
+    #   @return [Array<Hash<String,String>>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AnalysisRuleCriteria AWS API Documentation
+    #
+    class AnalysisRuleCriteria < Struct.new(
+      :account_ids,
+      :resource_tags)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Contains details about the analyzed resource.
     #
     # @!attribute [rw] resource_arn
@@ -403,8 +461,8 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
-    # Contains information about the configuration of an unused access
-    # analyzer for an Amazon Web Services organization or account.
+    # Contains information about the configuration of an analyzer for an
+    # Amazon Web Services organization or account.
     #
     # @note AnalyzerConfiguration is a union - when making an API calls you must set exactly one of the members.
     #
@@ -412,8 +470,7 @@ module Aws::AccessAnalyzer
     #
     # @!attribute [rw] unused_access
     #   Specifies the configuration of an unused access analyzer for an
-    #   Amazon Web Services organization or account. External access
-    #   analyzers do not support any configuration.
+    #   Amazon Web Services organization or account.
     #   @return [Types::UnusedAccessConfiguration]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AnalyzerConfiguration AWS API Documentation
@@ -528,7 +585,9 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
-    # Contains information about an archive rule.
+    # Contains information about an archive rule. Archive rules
+    # automatically archive new findings that meet the criteria you define
+    # when you create the rule.
     #
     # @!attribute [rw] rule_name
     #   The name of the archive rule.
@@ -583,12 +642,13 @@ module Aws::AccessAnalyzer
     # @!attribute [rw] access
     #   An access object containing the permissions that shouldn't be
     #   granted by the specified policy. If only actions are specified, IAM
-    #   Access Analyzer checks for access of the actions on all resources in
-    #   the policy. If only resources are specified, then IAM Access
-    #   Analyzer checks which actions have access to the specified
-    #   resources. If both actions and resources are specified, then IAM
-    #   Access Analyzer checks which of the specified actions have access to
-    #   the specified resources.
+    #   Access Analyzer checks for access to peform at least one of the
+    #   actions on any resource in the policy. If only resources are
+    #   specified, then IAM Access Analyzer checks for access to perform any
+    #   action on at least one of the resources. If both actions and
+    #   resources are specified, IAM Access Analyzer checks for access to
+    #   perform at least one of the specified actions on at least one of the
+    #   specified resources.
     #   @return [Array<Types::Access>]
     #
     # @!attribute [rw] policy_type
@@ -598,9 +658,7 @@ module Aws::AccessAnalyzer
     #
     #   Resource policies grant permissions on Amazon Web Services
     #   resources. Resource policies include trust policies for IAM roles
-    #   and bucket policies for Amazon S3 buckets. You can provide a generic
-    #   input such as identity policy or resource policy or a specific input
-    #   such as managed policy or Amazon S3 bucket policy.
+    #   and bucket policies for Amazon S3 buckets.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckAccessNotGrantedRequest AWS API Documentation
@@ -1006,7 +1064,15 @@ module Aws::AccessAnalyzer
     #   @return [Array<Types::InlineArchiveRule>]
     #
     # @!attribute [rw] tags
-    #   An array of key-value pairs to apply to the analyzer.
+    #   An array of key-value pairs to apply to the analyzer. You can use
+    #   the set of Unicode letters, digits, whitespace, `_`, `.`, `/`, `=`,
+    #   `+`, and `-`.
+    #
+    #   For the tag key, you can specify a value that is 1 to 128 characters
+    #   in length and cannot be prefixed with `aws:`.
+    #
+    #   For the tag value, you can specify a value that is 0 to 256
+    #   characters in length.
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] client_token
@@ -1019,8 +1085,7 @@ module Aws::AccessAnalyzer
     # @!attribute [rw] configuration
     #   Specifies the configuration of the analyzer. If the analyzer is an
     #   unused access analyzer, the specified scope of unused access is used
-    #   for the configuration. If the analyzer is an external access
-    #   analyzer, this field is not used.
+    #   for the configuration.
     #   @return [Types::AnalyzerConfiguration]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerRequest AWS API Documentation
@@ -1411,6 +1476,11 @@ module Aws::AccessAnalyzer
     #   Amazon S3 bucket findings.
     #   @return [Array<Types::FindingSource>]
     #
+    # @!attribute [rw] resource_control_policy_restriction
+    #   The type of restriction applied to the finding by the resource owner
+    #   with an Organizations resource control policy (RCP).
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ExternalAccessDetails AWS API Documentation
     #
     class ExternalAccessDetails < Struct.new(
@@ -1418,7 +1488,8 @@ module Aws::AccessAnalyzer
       :condition,
       :is_public,
       :principal,
-      :sources)
+      :sources,
+      :resource_control_policy_restriction)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1487,6 +1558,11 @@ module Aws::AccessAnalyzer
     #   bucket findings.
     #   @return [Array<Types::FindingSource>]
     #
+    # @!attribute [rw] resource_control_policy_restriction
+    #   The type of restriction applied to the finding by the resource owner
+    #   with an Organizations resource control policy (RCP).
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Finding AWS API Documentation
     #
     class Finding < Struct.new(
@@ -1503,7 +1579,8 @@ module Aws::AccessAnalyzer
       :status,
       :resource_owner_account,
       :error,
-      :sources)
+      :sources,
+      :resource_control_policy_restriction)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1668,6 +1745,11 @@ module Aws::AccessAnalyzer
     #   bucket findings.
     #   @return [Array<Types::FindingSource>]
     #
+    # @!attribute [rw] resource_control_policy_restriction
+    #   The type of restriction applied to the finding by the resource owner
+    #   with an Organizations resource control policy (RCP).
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingSummary AWS API Documentation
     #
     class FindingSummary < Struct.new(
@@ -1684,7 +1766,8 @@ module Aws::AccessAnalyzer
       :status,
       :resource_owner_account,
       :error,
-      :sources)
+      :sources,
+      :resource_control_policy_restriction)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1964,7 +2047,9 @@ module Aws::AccessAnalyzer
     # The response to the request.
     #
     # @!attribute [rw] archive_rule
-    #   Contains information about an archive rule.
+    #   Contains information about an archive rule. Archive rules
+    #   automatically archive new findings that meet the criteria you define
+    #   when you create the rule.
     #   @return [Types::ArchiveRuleSummary]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetArchiveRuleResponse AWS API Documentation
@@ -2210,7 +2295,7 @@ module Aws::AccessAnalyzer
     #   actions that support resource level granularity in policies.
     #
     #   For example, in the resource section of a policy, you can receive a
-    #   placeholder such as `"Resource":"arn:aws:s3:::$\{BucketName\}"`
+    #   placeholder such as `"Resource":"arn:aws:s3:::${BucketName}"`
     #   instead of `"*"`.
     #   @return [Boolean]
     #
@@ -4014,13 +4099,20 @@ module Aws::AccessAnalyzer
     #   will generate findings for IAM entities within the accounts of the
     #   selected organization for any access that hasn't been used in 90 or
     #   more days since the analyzer's last scan. You can choose a value
-    #   between 1 and 180 days.
+    #   between 1 and 365 days.
     #   @return [Integer]
     #
+    # @!attribute [rw] analysis_rule
+    #   Contains information about analysis rules for the analyzer. Analysis
+    #   rules determine which entities will generate findings based on the
+    #   criteria you define when you create the rule.
+    #   @return [Types::AnalysisRule]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedAccessConfiguration AWS API Documentation
     #
     class UnusedAccessConfiguration < Struct.new(
-      :unused_access_age)
+      :unused_access_age,
+      :analysis_rule)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -4188,6 +4280,37 @@ module Aws::AccessAnalyzer
       include Aws::Structure
     end
 
+    # @!attribute [rw] analyzer_name
+    #   The name of the analyzer to modify.
+    #   @return [String]
+    #
+    # @!attribute [rw] configuration
+    #   Contains information about the configuration of an analyzer for an
+    #   Amazon Web Services organization or account.
+    #   @return [Types::AnalyzerConfiguration]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UpdateAnalyzerRequest AWS API Documentation
+    #
+    class UpdateAnalyzerRequest < Struct.new(
+      :analyzer_name,
+      :configuration)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] configuration
+    #   Contains information about the configuration of an analyzer for an
+    #   Amazon Web Services organization or account.
+    #   @return [Types::AnalyzerConfiguration]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UpdateAnalyzerResponse AWS API Documentation
+    #
+    class UpdateAnalyzerResponse < Struct.new(
+      :configuration)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Updates the specified archive rule.
     #
     # @!attribute [rw] analyzer_name

data/lib/aws-sdk-accessanalyzer.rb

@@ -54,7 +54,7 @@ module Aws::AccessAnalyzer
   autoload :EndpointProvider, 'aws-sdk-accessanalyzer/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-accessanalyzer/endpoints'
 
-  GEM_VERSION = '1.61.0'
+  GEM_VERSION = '1.64.0'
 
 end
 

data/sig/client.rbs

@@ -264,7 +264,17 @@ module Aws
                              ?client_token: ::String,
                              ?configuration: {
                                unused_access: {
-                                 unused_access_age: ::Integer?
+                                 unused_access_age: ::Integer?,
+                                 analysis_rule: {
+                                   exclusions: Array[
+                                     {
+                                       account_ids: Array[::String]?,
+                                       resource_tags: Array[
+                                         Hash[::String, ::String],
+                                       ]?
+                                     },
+                                   ]?
+                                 }?
                                }?
                              }
                            ) -> _CreateAnalyzerResponseSuccess
@@ -386,7 +396,7 @@ module Aws
         def id: () -> ::String
         def next_token: () -> ::String
         def resource: () -> ::String
-        def resource_type: () -> ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream")
+        def resource_type: () -> ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream" | "AWS::IAM::User")
         def resource_owner_account: () -> ::String
         def status: () -> ("ACTIVE" | "ARCHIVED" | "RESOLVED")
         def updated_at: () -> ::Time
@@ -456,7 +466,7 @@ module Aws
       # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/AccessAnalyzer/Client.html#list_analyzed_resources-instance_method
       def list_analyzed_resources: (
                                      analyzer_arn: ::String,
-                                     ?resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream"),
+                                     ?resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream" | "AWS::IAM::User"),
                                      ?next_token: ::String,
                                      ?max_results: ::Integer
                                    ) -> _ListAnalyzedResourcesResponseSuccess
@@ -610,6 +620,31 @@ module Aws
                           ) -> _UntagResourceResponseSuccess
                         | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _UntagResourceResponseSuccess
 
+      interface _UpdateAnalyzerResponseSuccess
+        include ::Seahorse::Client::_ResponseSuccess[Types::UpdateAnalyzerResponse]
+        def configuration: () -> Types::AnalyzerConfiguration
+      end
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/AccessAnalyzer/Client.html#update_analyzer-instance_method
+      def update_analyzer: (
+                             analyzer_name: ::String,
+                             ?configuration: {
+                               unused_access: {
+                                 unused_access_age: ::Integer?,
+                                 analysis_rule: {
+                                   exclusions: Array[
+                                     {
+                                       account_ids: Array[::String]?,
+                                       resource_tags: Array[
+                                         Hash[::String, ::String],
+                                       ]?
+                                     },
+                                   ]?
+                                 }?
+                               }?
+                             }
+                           ) -> _UpdateAnalyzerResponseSuccess
+                         | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _UpdateAnalyzerResponseSuccess
+
       # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/AccessAnalyzer/Client.html#update_archive_rule-instance_method
       def update_archive_rule: (
                                  analyzer_name: ::String,
@@ -645,7 +680,7 @@ module Aws
                              ?max_results: ::Integer,
                              ?next_token: ::String,
                              policy_document: ::String,
-                             policy_type: ("IDENTITY_POLICY" | "RESOURCE_POLICY" | "SERVICE_CONTROL_POLICY"),
+                             policy_type: ("IDENTITY_POLICY" | "RESOURCE_POLICY" | "SERVICE_CONTROL_POLICY" | "RESOURCE_CONTROL_POLICY"),
                              ?validate_policy_resource_type: ("AWS::S3::Bucket" | "AWS::S3::AccessPoint" | "AWS::S3::MultiRegionAccessPoint" | "AWS::S3ObjectLambda::AccessPoint" | "AWS::IAM::AssumeRolePolicyDocument" | "AWS::DynamoDB::Table")
                            ) -> _ValidatePolicyResponseSuccess
                          | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _ValidatePolicyResponseSuccess

data/sig/types.rbs

@@ -38,13 +38,14 @@ module Aws::AccessAnalyzer
       attr_accessor condition: ::Hash[::String, ::String]
       attr_accessor resource: ::String
       attr_accessor is_public: bool
-      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream")
+      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream" | "AWS::IAM::User")
       attr_accessor created_at: ::Time
       attr_accessor change_type: ("CHANGED" | "NEW" | "UNCHANGED")
       attr_accessor status: ("ACTIVE" | "ARCHIVED" | "RESOLVED")
       attr_accessor resource_owner_account: ::String
       attr_accessor error: ::String
       attr_accessor sources: ::Array[Types::FindingSource]
+      attr_accessor resource_control_policy_restriction: ("APPLICABLE" | "FAILED_TO_EVALUATE_RCP" | "NOT_APPLICABLE")
       SENSITIVE: []
     end
 
@@ -76,9 +77,20 @@ module Aws::AccessAnalyzer
       end
     end
 
+    class AnalysisRule
+      attr_accessor exclusions: ::Array[Types::AnalysisRuleCriteria]
+      SENSITIVE: []
+    end
+
+    class AnalysisRuleCriteria
+      attr_accessor account_ids: ::Array[::String]
+      attr_accessor resource_tags: ::Array[::Hash[::String, ::String]]
+      SENSITIVE: []
+    end
+
     class AnalyzedResource
       attr_accessor resource_arn: ::String
-      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream")
+      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream" | "AWS::IAM::User")
       attr_accessor created_at: ::Time
       attr_accessor analyzed_at: ::Time
       attr_accessor updated_at: ::Time
@@ -94,7 +106,7 @@ module Aws::AccessAnalyzer
     class AnalyzedResourceSummary
       attr_accessor resource_arn: ::String
       attr_accessor resource_owner_account: ::String
-      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream")
+      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream" | "AWS::IAM::User")
       SENSITIVE: []
     end
 
@@ -348,6 +360,7 @@ module Aws::AccessAnalyzer
       attr_accessor is_public: bool
       attr_accessor principal: ::Hash[::String, ::String]
       attr_accessor sources: ::Array[Types::FindingSource]
+      attr_accessor resource_control_policy_restriction: ("APPLICABLE" | "FAILED_TO_EVALUATE_RCP" | "NOT_APPLICABLE")
       SENSITIVE: []
     end
 
@@ -357,7 +370,7 @@ module Aws::AccessAnalyzer
       attr_accessor action: ::Array[::String]
       attr_accessor resource: ::String
       attr_accessor is_public: bool
-      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream")
+      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream" | "AWS::IAM::User")
       attr_accessor condition: ::Hash[::String, ::String]
       attr_accessor created_at: ::Time
       attr_accessor analyzed_at: ::Time
@@ -366,6 +379,7 @@ module Aws::AccessAnalyzer
       attr_accessor resource_owner_account: ::String
       attr_accessor error: ::String
       attr_accessor sources: ::Array[Types::FindingSource]
+      attr_accessor resource_control_policy_restriction: ("APPLICABLE" | "FAILED_TO_EVALUATE_RCP" | "NOT_APPLICABLE")
       SENSITIVE: []
     end
 
@@ -410,7 +424,7 @@ module Aws::AccessAnalyzer
       attr_accessor action: ::Array[::String]
       attr_accessor resource: ::String
       attr_accessor is_public: bool
-      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream")
+      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream" | "AWS::IAM::User")
       attr_accessor condition: ::Hash[::String, ::String]
       attr_accessor created_at: ::Time
       attr_accessor analyzed_at: ::Time
@@ -419,6 +433,7 @@ module Aws::AccessAnalyzer
       attr_accessor resource_owner_account: ::String
       attr_accessor error: ::String
       attr_accessor sources: ::Array[Types::FindingSource]
+      attr_accessor resource_control_policy_restriction: ("APPLICABLE" | "FAILED_TO_EVALUATE_RCP" | "NOT_APPLICABLE")
       SENSITIVE: []
     end
 
@@ -428,7 +443,7 @@ module Aws::AccessAnalyzer
       attr_accessor error: ::String
       attr_accessor id: ::String
       attr_accessor resource: ::String
-      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream")
+      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream" | "AWS::IAM::User")
       attr_accessor resource_owner_account: ::String
       attr_accessor status: ("ACTIVE" | "ARCHIVED" | "RESOLVED")
       attr_accessor updated_at: ::Time
@@ -549,7 +564,7 @@ module Aws::AccessAnalyzer
       attr_accessor id: ::String
       attr_accessor next_token: ::String
       attr_accessor resource: ::String
-      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream")
+      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream" | "AWS::IAM::User")
       attr_accessor resource_owner_account: ::String
       attr_accessor status: ("ACTIVE" | "ARCHIVED" | "RESOLVED")
       attr_accessor updated_at: ::Time
@@ -662,7 +677,7 @@ module Aws::AccessAnalyzer
 
     class ListAnalyzedResourcesRequest
       attr_accessor analyzer_arn: ::String
-      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream")
+      attr_accessor resource_type: ("AWS::S3::Bucket" | "AWS::IAM::Role" | "AWS::SQS::Queue" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::KMS::Key" | "AWS::SecretsManager::Secret" | "AWS::EFS::FileSystem" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::RDS::DBSnapshot" | "AWS::RDS::DBClusterSnapshot" | "AWS::SNS::Topic" | "AWS::S3Express::DirectoryBucket" | "AWS::DynamoDB::Table" | "AWS::DynamoDB::Stream" | "AWS::IAM::User")
       attr_accessor next_token: ::String
       attr_accessor max_results: ::Integer
       SENSITIVE: []
@@ -1021,6 +1036,7 @@ module Aws::AccessAnalyzer
 
     class UnusedAccessConfiguration
       attr_accessor unused_access_age: ::Integer
+      attr_accessor analysis_rule: Types::AnalysisRule
       SENSITIVE: []
     end
 
@@ -1061,6 +1077,17 @@ module Aws::AccessAnalyzer
       SENSITIVE: []
     end
 
+    class UpdateAnalyzerRequest
+      attr_accessor analyzer_name: ::String
+      attr_accessor configuration: Types::AnalyzerConfiguration
+      SENSITIVE: []
+    end
+
+    class UpdateAnalyzerResponse
+      attr_accessor configuration: Types::AnalyzerConfiguration
+      SENSITIVE: []
+    end
+
     class UpdateArchiveRuleRequest
       attr_accessor analyzer_name: ::String
       attr_accessor rule_name: ::String
@@ -1092,7 +1119,7 @@ module Aws::AccessAnalyzer
       attr_accessor max_results: ::Integer
       attr_accessor next_token: ::String
       attr_accessor policy_document: ::String
-      attr_accessor policy_type: ("IDENTITY_POLICY" | "RESOURCE_POLICY" | "SERVICE_CONTROL_POLICY")
+      attr_accessor policy_type: ("IDENTITY_POLICY" | "RESOURCE_POLICY" | "SERVICE_CONTROL_POLICY" | "RESOURCE_CONTROL_POLICY")
       attr_accessor validate_policy_resource_type: ("AWS::S3::Bucket" | "AWS::S3::AccessPoint" | "AWS::S3::MultiRegionAccessPoint" | "AWS::S3ObjectLambda::AccessPoint" | "AWS::IAM::AssumeRolePolicyDocument" | "AWS::DynamoDB::Table")
       SENSITIVE: []
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-accessanalyzer
 version: !ruby/object:Gem::Version
-  version: 1.61.0
+  version: 1.64.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-18 00:00:00.000000000 Z
+date: 2024-11-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -36,14 +36,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.5'
 description: Official AWS Ruby gem for Access Analyzer. This gem is part of the AWS
   SDK for Ruby.
 email: