aws-sdk-accessanalyzer 1.62.0 → 1.63.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 12a6c41022a8c2e51a54bbc7d94fbd5ebb6150cbfa1b9f8ae28a245751684c5e
-  data.tar.gz: 944488ffb334f325076e717b517dc406f5e53fead8c50f27646a22d9c20485b0
+  metadata.gz: c447bf8de1d6dd1a90d8e44347b1ac0c11b4e4f66631639613f55e7e46befd42
+  data.tar.gz: 9c7ae9c351e0d8259bf12f8af1e344d696a7ed44e77d1cc12e4f3563f7f757bb
 SHA512:
-  metadata.gz: b4e2445cc0667c0bf98d69ce646b31de63897159f728c439b05ad3a4c0c02a3cac9c65892a4a2c2d8e14fd68afa586b6d1366bdaa6f20e4cee07388aa715962a
-  data.tar.gz: 44a4cfce4536f2b317b76f4c71ce66a2fdd399c22ab12d36c8c578e66909d1b17ea215870eb158bd74caf7c31b5490ba631186f2f34432a42504bb4f1b9e654c
+  metadata.gz: bb005943fd3fb07e498393000ce199903ad7ee88531bea0b7183686202fc53afcb34c7709263cbd850280cba1e2b25a7f011ea3b3d8274609a93a711ac8f3ffd
+  data.tar.gz: 60b3142ad2acbccdef1908dae580bb99f08c7411aac664e6edb25cb8d38afa2381d04c7e6252bc177adcd288b17fbb4bf4e289e4fc65722525850ae3dc476605

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.63.0 (2024-11-13)
+------------------
+
+* Feature - This release adds support for policy validation and external access findings for resource control policies (RCP). IAM Access Analyzer helps you author functional and secure RCPs and awareness that a RCP may restrict external access. Updated service API, documentation, and paginators.
+
 1.62.0 (2024-11-06)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.62.0
+1.63.0

data/lib/aws-sdk-accessanalyzer/client.rb

@@ -514,11 +514,12 @@ module Aws::AccessAnalyzer
     # @option params [required, Array<Types::Access>] :access
     #   An access object containing the permissions that shouldn't be granted
     #   by the specified policy. If only actions are specified, IAM Access
-    #   Analyzer checks for access of the actions on all resources in the
-    #   policy. If only resources are specified, then IAM Access Analyzer
-    #   checks which actions have access to the specified resources. If both
-    #   actions and resources are specified, then IAM Access Analyzer checks
-    #   which of the specified actions have access to the specified resources.
+    #   Analyzer checks for access to peform at least one of the actions on
+    #   any resource in the policy. If only resources are specified, then IAM
+    #   Access Analyzer checks for access to perform any action on at least
+    #   one of the resources. If both actions and resources are specified, IAM
+    #   Access Analyzer checks for access to perform at least one of the
+    #   specified actions on at least one of the specified resources.
     #
     # @option params [required, String] :policy_type
     #   The type of policy. Identity policies grant permissions to IAM
@@ -527,9 +528,7 @@ module Aws::AccessAnalyzer
     #
     #   Resource policies grant permissions on Amazon Web Services resources.
     #   Resource policies include trust policies for IAM roles and bucket
-    #   policies for Amazon S3 buckets. You can provide a generic input such
-    #   as identity policy or resource policy or a specific input such as
-    #   managed policy or Amazon S3 bucket policy.
+    #   policies for Amazon S3 buckets.
     #
     # @return [Types::CheckAccessNotGrantedResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1452,6 +1451,7 @@ module Aws::AccessAnalyzer
     #   resp.finding.sources[0].type #=> String, one of "POLICY", "BUCKET_ACL", "S3_ACCESS_POINT", "S3_ACCESS_POINT_ACCOUNT"
     #   resp.finding.sources[0].detail.access_point_arn #=> String
     #   resp.finding.sources[0].detail.access_point_account #=> String
+    #   resp.finding.resource_control_policy_restriction #=> String, one of "APPLICABLE", "FAILED_TO_EVALUATE_RCP", "NOT_APPLICABLE"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetFinding AWS API Documentation
     #
@@ -1678,6 +1678,7 @@ module Aws::AccessAnalyzer
     #   resp.finding_details[0].external_access_details.sources[0].type #=> String, one of "POLICY", "BUCKET_ACL", "S3_ACCESS_POINT", "S3_ACCESS_POINT_ACCOUNT"
     #   resp.finding_details[0].external_access_details.sources[0].detail.access_point_arn #=> String
     #   resp.finding_details[0].external_access_details.sources[0].detail.access_point_account #=> String
+    #   resp.finding_details[0].external_access_details.resource_control_policy_restriction #=> String, one of "APPLICABLE", "FAILED_TO_EVALUATE_RCP", "NOT_APPLICABLE"
     #   resp.finding_details[0].unused_permission_details.actions #=> Array
     #   resp.finding_details[0].unused_permission_details.actions[0].action #=> String
     #   resp.finding_details[0].unused_permission_details.actions[0].last_accessed #=> Time
@@ -1835,6 +1836,7 @@ module Aws::AccessAnalyzer
     #   resp.findings[0].sources[0].type #=> String, one of "POLICY", "BUCKET_ACL", "S3_ACCESS_POINT", "S3_ACCESS_POINT_ACCOUNT"
     #   resp.findings[0].sources[0].detail.access_point_arn #=> String
     #   resp.findings[0].sources[0].detail.access_point_account #=> String
+    #   resp.findings[0].resource_control_policy_restriction #=> String, one of "APPLICABLE", "FAILED_TO_EVALUATE_RCP", "NOT_APPLICABLE"
     #   resp.next_token #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindings AWS API Documentation
@@ -2134,6 +2136,7 @@ module Aws::AccessAnalyzer
     #   resp.findings[0].sources[0].type #=> String, one of "POLICY", "BUCKET_ACL", "S3_ACCESS_POINT", "S3_ACCESS_POINT_ACCOUNT"
     #   resp.findings[0].sources[0].detail.access_point_arn #=> String
     #   resp.findings[0].sources[0].detail.access_point_account #=> String
+    #   resp.findings[0].resource_control_policy_restriction #=> String, one of "APPLICABLE", "FAILED_TO_EVALUATE_RCP", "NOT_APPLICABLE"
     #   resp.next_token #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindings AWS API Documentation
@@ -2610,7 +2613,7 @@ module Aws::AccessAnalyzer
     #     max_results: 1,
     #     next_token: "Token",
     #     policy_document: "PolicyDocument", # required
-    #     policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY
+    #     policy_type: "IDENTITY_POLICY", # required, accepts IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY, RESOURCE_CONTROL_POLICY
     #     validate_policy_resource_type: "AWS::S3::Bucket", # accepts AWS::S3::Bucket, AWS::S3::AccessPoint, AWS::S3::MultiRegionAccessPoint, AWS::S3ObjectLambda::AccessPoint, AWS::IAM::AssumeRolePolicyDocument, AWS::DynamoDB::Table
     #   })
     #
@@ -2663,7 +2666,7 @@ module Aws::AccessAnalyzer
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-accessanalyzer'
-      context[:gem_version] = '1.62.0'
+      context[:gem_version] = '1.63.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-accessanalyzer/client_api.rb

@@ -225,6 +225,7 @@ module Aws::AccessAnalyzer
     RegionList = Shapes::ListShape.new(name: 'RegionList')
     Resource = Shapes::StringShape.new(name: 'Resource')
     ResourceArn = Shapes::StringShape.new(name: 'ResourceArn')
+    ResourceControlPolicyRestriction = Shapes::StringShape.new(name: 'ResourceControlPolicyRestriction')
     ResourceNotFoundException = Shapes::StructureShape.new(name: 'ResourceNotFoundException')
     ResourceType = Shapes::StringShape.new(name: 'ResourceType')
     RetiringPrincipal = Shapes::StringShape.new(name: 'RetiringPrincipal')
@@ -327,6 +328,7 @@ module Aws::AccessAnalyzer
     AccessPreviewFinding.add_member(:resource_owner_account, Shapes::ShapeRef.new(shape: String, required: true, location_name: "resourceOwnerAccount"))
     AccessPreviewFinding.add_member(:error, Shapes::ShapeRef.new(shape: String, location_name: "error"))
     AccessPreviewFinding.add_member(:sources, Shapes::ShapeRef.new(shape: FindingSourceList, location_name: "sources"))
+    AccessPreviewFinding.add_member(:resource_control_policy_restriction, Shapes::ShapeRef.new(shape: ResourceControlPolicyRestriction, location_name: "resourceControlPolicyRestriction"))
     AccessPreviewFinding.struct_class = Types::AccessPreviewFinding
 
     AccessPreviewFindingsList.member = Shapes::ShapeRef.new(shape: AccessPreviewFinding)
@@ -564,6 +566,7 @@ module Aws::AccessAnalyzer
     ExternalAccessDetails.add_member(:is_public, Shapes::ShapeRef.new(shape: Boolean, location_name: "isPublic"))
     ExternalAccessDetails.add_member(:principal, Shapes::ShapeRef.new(shape: PrincipalMap, location_name: "principal"))
     ExternalAccessDetails.add_member(:sources, Shapes::ShapeRef.new(shape: FindingSourceList, location_name: "sources"))
+    ExternalAccessDetails.add_member(:resource_control_policy_restriction, Shapes::ShapeRef.new(shape: ResourceControlPolicyRestriction, location_name: "resourceControlPolicyRestriction"))
     ExternalAccessDetails.struct_class = Types::ExternalAccessDetails
 
     FilterCriteriaMap.key = Shapes::ShapeRef.new(shape: String)
@@ -583,6 +586,7 @@ module Aws::AccessAnalyzer
     Finding.add_member(:resource_owner_account, Shapes::ShapeRef.new(shape: String, required: true, location_name: "resourceOwnerAccount"))
     Finding.add_member(:error, Shapes::ShapeRef.new(shape: String, location_name: "error"))
     Finding.add_member(:sources, Shapes::ShapeRef.new(shape: FindingSourceList, location_name: "sources"))
+    Finding.add_member(:resource_control_policy_restriction, Shapes::ShapeRef.new(shape: ResourceControlPolicyRestriction, location_name: "resourceControlPolicyRestriction"))
     Finding.struct_class = Types::Finding
 
     FindingDetails.add_member(:external_access_details, Shapes::ShapeRef.new(shape: ExternalAccessDetails, location_name: "externalAccessDetails"))
@@ -627,6 +631,7 @@ module Aws::AccessAnalyzer
     FindingSummary.add_member(:resource_owner_account, Shapes::ShapeRef.new(shape: String, required: true, location_name: "resourceOwnerAccount"))
     FindingSummary.add_member(:error, Shapes::ShapeRef.new(shape: String, location_name: "error"))
     FindingSummary.add_member(:sources, Shapes::ShapeRef.new(shape: FindingSourceList, location_name: "sources"))
+    FindingSummary.add_member(:resource_control_policy_restriction, Shapes::ShapeRef.new(shape: ResourceControlPolicyRestriction, location_name: "resourceControlPolicyRestriction"))
     FindingSummary.struct_class = Types::FindingSummary
 
     FindingSummaryV2.add_member(:analyzed_at, Shapes::ShapeRef.new(shape: Timestamp, required: true, location_name: "analyzedAt"))
@@ -1183,6 +1188,7 @@ module Aws::AccessAnalyzer
 
       api.metadata = {
         "apiVersion" => "2019-11-01",
+        "auth" => ["aws.auth#sigv4"],
         "endpointPrefix" => "access-analyzer",
         "protocol" => "rest-json",
         "protocols" => ["rest-json"],

data/lib/aws-sdk-accessanalyzer/types.rb

@@ -21,8 +21,9 @@ module Aws::AccessAnalyzer
     #
     # @!attribute [rw] resources
     #   A list of resources for the access permissions. Any strings that can
-    #   be used as a resource in an IAM policy can be used in the list of
-    #   resources to check.
+    #   be used as an Amazon Resource Name (ARN) in an IAM policy can be
+    #   used in the list of resources to check. You can only use a wildcard
+    #   in the portion of the ARN that specifies the resource ID.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Access AWS API Documentation
@@ -191,6 +192,11 @@ module Aws::AccessAnalyzer
     #   bucket findings.
     #   @return [Array<Types::FindingSource>]
     #
+    # @!attribute [rw] resource_control_policy_restriction
+    #   The type of restriction applied to the finding by the resource owner
+    #   with an Organizations resource control policy (RCP).
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewFinding AWS API Documentation
     #
     class AccessPreviewFinding < Struct.new(
@@ -208,7 +214,8 @@ module Aws::AccessAnalyzer
       :status,
       :resource_owner_account,
       :error,
-      :sources)
+      :sources,
+      :resource_control_policy_restriction)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -583,12 +590,13 @@ module Aws::AccessAnalyzer
     # @!attribute [rw] access
     #   An access object containing the permissions that shouldn't be
     #   granted by the specified policy. If only actions are specified, IAM
-    #   Access Analyzer checks for access of the actions on all resources in
-    #   the policy. If only resources are specified, then IAM Access
-    #   Analyzer checks which actions have access to the specified
-    #   resources. If both actions and resources are specified, then IAM
-    #   Access Analyzer checks which of the specified actions have access to
-    #   the specified resources.
+    #   Access Analyzer checks for access to peform at least one of the
+    #   actions on any resource in the policy. If only resources are
+    #   specified, then IAM Access Analyzer checks for access to perform any
+    #   action on at least one of the resources. If both actions and
+    #   resources are specified, IAM Access Analyzer checks for access to
+    #   perform at least one of the specified actions on at least one of the
+    #   specified resources.
     #   @return [Array<Types::Access>]
     #
     # @!attribute [rw] policy_type
@@ -598,9 +606,7 @@ module Aws::AccessAnalyzer
     #
     #   Resource policies grant permissions on Amazon Web Services
     #   resources. Resource policies include trust policies for IAM roles
-    #   and bucket policies for Amazon S3 buckets. You can provide a generic
-    #   input such as identity policy or resource policy or a specific input
-    #   such as managed policy or Amazon S3 bucket policy.
+    #   and bucket policies for Amazon S3 buckets.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckAccessNotGrantedRequest AWS API Documentation
@@ -1411,6 +1417,11 @@ module Aws::AccessAnalyzer
     #   Amazon S3 bucket findings.
     #   @return [Array<Types::FindingSource>]
     #
+    # @!attribute [rw] resource_control_policy_restriction
+    #   The type of restriction applied to the finding by the resource owner
+    #   with an Organizations resource control policy (RCP).
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ExternalAccessDetails AWS API Documentation
     #
     class ExternalAccessDetails < Struct.new(
@@ -1418,7 +1429,8 @@ module Aws::AccessAnalyzer
       :condition,
       :is_public,
       :principal,
-      :sources)
+      :sources,
+      :resource_control_policy_restriction)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1487,6 +1499,11 @@ module Aws::AccessAnalyzer
     #   bucket findings.
     #   @return [Array<Types::FindingSource>]
     #
+    # @!attribute [rw] resource_control_policy_restriction
+    #   The type of restriction applied to the finding by the resource owner
+    #   with an Organizations resource control policy (RCP).
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Finding AWS API Documentation
     #
     class Finding < Struct.new(
@@ -1503,7 +1520,8 @@ module Aws::AccessAnalyzer
       :status,
       :resource_owner_account,
       :error,
-      :sources)
+      :sources,
+      :resource_control_policy_restriction)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1668,6 +1686,11 @@ module Aws::AccessAnalyzer
     #   bucket findings.
     #   @return [Array<Types::FindingSource>]
     #
+    # @!attribute [rw] resource_control_policy_restriction
+    #   The type of restriction applied to the finding by the resource owner
+    #   with an Organizations resource control policy (RCP).
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingSummary AWS API Documentation
     #
     class FindingSummary < Struct.new(
@@ -1684,7 +1707,8 @@ module Aws::AccessAnalyzer
       :status,
       :resource_owner_account,
       :error,
-      :sources)
+      :sources,
+      :resource_control_policy_restriction)
       SENSITIVE = []
       include Aws::Structure
     end

data/lib/aws-sdk-accessanalyzer.rb

@@ -54,7 +54,7 @@ module Aws::AccessAnalyzer
   autoload :EndpointProvider, 'aws-sdk-accessanalyzer/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-accessanalyzer/endpoints'
 
-  GEM_VERSION = '1.62.0'
+  GEM_VERSION = '1.63.0'
 
 end
 

data/sig/client.rbs

@@ -645,7 +645,7 @@ module Aws
                              ?max_results: ::Integer,
                              ?next_token: ::String,
                              policy_document: ::String,
-                             policy_type: ("IDENTITY_POLICY" | "RESOURCE_POLICY" | "SERVICE_CONTROL_POLICY"),
+                             policy_type: ("IDENTITY_POLICY" | "RESOURCE_POLICY" | "SERVICE_CONTROL_POLICY" | "RESOURCE_CONTROL_POLICY"),
                              ?validate_policy_resource_type: ("AWS::S3::Bucket" | "AWS::S3::AccessPoint" | "AWS::S3::MultiRegionAccessPoint" | "AWS::S3ObjectLambda::AccessPoint" | "AWS::IAM::AssumeRolePolicyDocument" | "AWS::DynamoDB::Table")
                            ) -> _ValidatePolicyResponseSuccess
                          | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _ValidatePolicyResponseSuccess

data/sig/types.rbs

@@ -45,6 +45,7 @@ module Aws::AccessAnalyzer
       attr_accessor resource_owner_account: ::String
       attr_accessor error: ::String
       attr_accessor sources: ::Array[Types::FindingSource]
+      attr_accessor resource_control_policy_restriction: ("APPLICABLE" | "FAILED_TO_EVALUATE_RCP" | "NOT_APPLICABLE")
       SENSITIVE: []
     end
 
@@ -348,6 +349,7 @@ module Aws::AccessAnalyzer
       attr_accessor is_public: bool
       attr_accessor principal: ::Hash[::String, ::String]
       attr_accessor sources: ::Array[Types::FindingSource]
+      attr_accessor resource_control_policy_restriction: ("APPLICABLE" | "FAILED_TO_EVALUATE_RCP" | "NOT_APPLICABLE")
       SENSITIVE: []
     end
 
@@ -366,6 +368,7 @@ module Aws::AccessAnalyzer
       attr_accessor resource_owner_account: ::String
       attr_accessor error: ::String
       attr_accessor sources: ::Array[Types::FindingSource]
+      attr_accessor resource_control_policy_restriction: ("APPLICABLE" | "FAILED_TO_EVALUATE_RCP" | "NOT_APPLICABLE")
       SENSITIVE: []
     end
 
@@ -419,6 +422,7 @@ module Aws::AccessAnalyzer
       attr_accessor resource_owner_account: ::String
       attr_accessor error: ::String
       attr_accessor sources: ::Array[Types::FindingSource]
+      attr_accessor resource_control_policy_restriction: ("APPLICABLE" | "FAILED_TO_EVALUATE_RCP" | "NOT_APPLICABLE")
       SENSITIVE: []
     end
 
@@ -1092,7 +1096,7 @@ module Aws::AccessAnalyzer
       attr_accessor max_results: ::Integer
       attr_accessor next_token: ::String
       attr_accessor policy_document: ::String
-      attr_accessor policy_type: ("IDENTITY_POLICY" | "RESOURCE_POLICY" | "SERVICE_CONTROL_POLICY")
+      attr_accessor policy_type: ("IDENTITY_POLICY" | "RESOURCE_POLICY" | "SERVICE_CONTROL_POLICY" | "RESOURCE_CONTROL_POLICY")
       attr_accessor validate_policy_resource_type: ("AWS::S3::Bucket" | "AWS::S3::AccessPoint" | "AWS::S3::MultiRegionAccessPoint" | "AWS::S3ObjectLambda::AccessPoint" | "AWS::IAM::AssumeRolePolicyDocument" | "AWS::DynamoDB::Table")
       SENSITIVE: []
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-accessanalyzer
 version: !ruby/object:Gem::Version
-  version: 1.62.0
+  version: 1.63.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-06 00:00:00.000000000 Z
+date: 2024-11-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -36,14 +36,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.5'
 description: Official AWS Ruby gem for Access Analyzer. This gem is part of the AWS
   SDK for Ruby.
 email: