aws-sdk-accessanalyzer 1.85.0 → 1.87.0

data/lib/aws-sdk-accessanalyzer/client.rb

@@ -535,6 +535,40 @@ module Aws::AccessAnalyzer
       req.send_request(options)
     end
 
+    # Cancels an in-progress policy preview job. Jobs that are already
+    # completed, failed, or canceled cannot be canceled.
+    #
+    # @option params [required, String] :job_id
+    #   The unique identifier of the policy preview job to cancel.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    #
+    # @example Example: Successfully canceled policy preview job
+    #
+    #   resp = client.cancel_policy_preview_job({
+    #     job_id: "a1b2c3d4-e5f6-7890-abcd-ef1234567890", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.cancel_policy_preview_job({
+    #     job_id: "PolicyPreviewJobId", # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CancelPolicyPreviewJob AWS API Documentation
+    #
+    # @overload cancel_policy_preview_job(params = {})
+    # @param [Hash] params ({})
+    def cancel_policy_preview_job(params = {}, options = {})
+      req = build_request(:cancel_policy_preview_job, params)
+      req.send_request(options)
+    end
+
     # Checks whether the specified access isn't allowed by a policy.
     #
     # @option params [required, String] :policy_document
@@ -1135,6 +1169,62 @@ module Aws::AccessAnalyzer
       req.send_request(options)
     end
 
+    # Creates a policy preview configuration for your account. The
+    # configuration enables IAM Access Analyzer to collect and store
+    # CloudTrail authorization events needed for policy preview analysis.
+    #
+    # @option params [String] :client_token
+    #   A unique, case-sensitive identifier that you provide to ensure the
+    #   idempotency of the request. Idempotency ensures that an API request
+    #   completes only once. With an idempotent request, if the original
+    #   request completes successfully, subsequent retries with the same
+    #   client token return the result from the original successful request
+    #   and have no additional effect.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.**
+    #
+    # @option params [String] :scope
+    #   The scope of the policy preview configuration. Currently only `GLOBAL`
+    #   is supported.
+    #
+    # @return [Types::CreatePolicyPreviewConfigurationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::CreatePolicyPreviewConfigurationResponse#status #status} => String
+    #
+    #
+    # @example Example: Successfully created policy preview configuration
+    #
+    #   resp = client.create_policy_preview_configuration({
+    #     client_token: "unique-token-123", 
+    #     scope: "GLOBAL", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     status: "PENDING_CREATION", 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.create_policy_preview_configuration({
+    #     client_token: "String",
+    #     scope: "GLOBAL", # accepts GLOBAL
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.status #=> String, one of "ACTIVE", "PENDING_CREATION", "FAILED"
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreatePolicyPreviewConfiguration AWS API Documentation
+    #
+    # @overload create_policy_preview_configuration(params = {})
+    # @param [Hash] params ({})
+    def create_policy_preview_configuration(params = {}, options = {})
+      req = build_request(:create_policy_preview_configuration, params)
+      req.send_request(options)
+    end
+
     # Deletes the specified analyzer. When you delete an analyzer, IAM
     # Access Analyzer is disabled for the account or organization in the
     # current or specific Region. All findings that were generated by the
@@ -1201,6 +1291,49 @@ module Aws::AccessAnalyzer
       req.send_request(options)
     end
 
+    # Deletes the policy preview configuration for your account. After
+    # deletion, IAM Access Analyzer will stop collecting CloudTrail
+    # authorization events for policy preview analysis.
+    #
+    # @option params [String] :client_token
+    #   A unique, case-sensitive identifier that you provide to ensure the
+    #   idempotency of the request. Idempotency ensures that an API request
+    #   completes only once. With an idempotent request, if the original
+    #   request completes successfully, subsequent retries with the same
+    #   client token return the result from the original successful request
+    #   and have no additional effect.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.**
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    #
+    # @example Example: Successfully deleted policy preview configuration
+    #
+    #   resp = client.delete_policy_preview_configuration({
+    #     client_token: "unique-token-456", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.delete_policy_preview_configuration({
+    #     client_token: "String",
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/DeletePolicyPreviewConfiguration AWS API Documentation
+    #
+    # @overload delete_policy_preview_configuration(params = {})
+    # @param [Hash] params ({})
+    def delete_policy_preview_configuration(params = {}, options = {})
+      req = build_request(:delete_policy_preview_configuration, params)
+      req.send_request(options)
+    end
+
     # Creates a recommendation for an unused permissions finding.
     #
     # @option params [required, String] :analyzer_arn
@@ -1915,7 +2048,7 @@ module Aws::AccessAnalyzer
     #   resp.job_details.status #=> String, one of "IN_PROGRESS", "SUCCEEDED", "FAILED", "CANCELED"
     #   resp.job_details.started_on #=> Time
     #   resp.job_details.completed_on #=> Time
-    #   resp.job_details.job_error.code #=> String, one of "AUTHORIZATION_ERROR", "RESOURCE_NOT_FOUND_ERROR", "SERVICE_QUOTA_EXCEEDED_ERROR", "SERVICE_ERROR"
+    #   resp.job_details.job_error.code #=> String, one of "AUTHORIZATION_ERROR", "RESOURCE_NOT_FOUND_ERROR", "SERVICE_QUOTA_EXCEEDED_ERROR", "SERVICE_ERROR", "CANCELED_JOB_ERROR", "INVALID_SERVICE_LINKED_ROLE", "INSUFFICIENT_PERMISSIONS_ERROR", "ORGANIZATION_ACCESS_DENIED_ERROR", "INVALID_TARGET_ERROR", "INVALID_POLICY_PREVIEW_CONFIGURATION", "INVALID_ORGANIZATION_CONFIGURATION", "S3_BUCKET_NOT_FOUND_ERROR", "S3_BUCKET_PERMISSION_ERROR"
     #   resp.job_details.job_error.message #=> String
     #   resp.generated_policy_result.properties.is_complete #=> Boolean
     #   resp.generated_policy_result.properties.principal_arn #=> String
@@ -1938,6 +2071,177 @@ module Aws::AccessAnalyzer
       req.send_request(options)
     end
 
+    # Retrieves the policy preview configuration for your account.
+    #
+    # @return [Types::GetPolicyPreviewConfigurationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetPolicyPreviewConfigurationResponse#policy_preview_configurations #policy_preview_configurations} => Array<Types::PolicyPreviewConfiguration>
+    #
+    #
+    # @example Example: Successfully retrieved policy preview configuration
+    #
+    #   resp = client.get_policy_preview_configuration({
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     policy_preview_configurations: [
+    #       {
+    #         created_at: Time.parse("2023-05-01T10:00:00Z"), 
+    #         scope: "GLOBAL", 
+    #         status: "ACTIVE", 
+    #         updated_at: Time.parse("2023-05-01T10:30:00Z"), 
+    #       }, 
+    #     ], 
+    #   }
+    #
+    # @example Response structure
+    #
+    #   resp.policy_preview_configurations #=> Array
+    #   resp.policy_preview_configurations[0].scope #=> String, one of "GLOBAL"
+    #   resp.policy_preview_configurations[0].status #=> String, one of "ACTIVE", "PENDING_CREATION", "FAILED"
+    #   resp.policy_preview_configurations[0].created_at #=> Time
+    #   resp.policy_preview_configurations[0].updated_at #=> Time
+    #
+    #
+    # The following waiters are defined for this operation (see {Client#wait_until} for detailed usage):
+    #
+    #   * policy_preview_configuration_active
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetPolicyPreviewConfiguration AWS API Documentation
+    #
+    # @overload get_policy_preview_configuration(params = {})
+    # @param [Hash] params ({})
+    def get_policy_preview_configuration(params = {}, options = {})
+      req = build_request(:get_policy_preview_configuration, params)
+      req.send_request(options)
+    end
+
+    # Retrieves the metadata, parameters, and status for a policy preview
+    # job. Use this operation to monitor job progress and retrieve the
+    # Amazon S3 location of the completed analysis report.
+    #
+    # <note markdown="1"> Job data has a time-to-live (TTL) of 14 days and will be deleted after
+    # expiration.
+    #
+    #  </note>
+    #
+    # @option params [required, String] :job_id
+    #   The unique identifier of the policy preview job to retrieve. This is
+    #   the job ID returned by `StartPolicyPreviewJob`.
+    #
+    # @return [Types::GetPolicyPreviewJobResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetPolicyPreviewJobResponse#job_id #job_id} => String
+    #   * {Types::GetPolicyPreviewJobResponse#job_parameters #job_parameters} => Types::PolicyPreviewJobParameters
+    #   * {Types::GetPolicyPreviewJobResponse#job_details #job_details} => Types::PolicyPreviewJobDetails
+    #   * {Types::GetPolicyPreviewJobResponse#output_s3_uri #output_s3_uri} => String
+    #
+    #
+    # @example Example: Successfully fetched completed policy preview job
+    #
+    #   resp = client.get_policy_preview_job({
+    #     job_id: "a1b2c3d4-e5f6-7890-abcd-ef1234567890", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     job_details: {
+    #       completed_at: Time.parse("2023-05-01T10:30:00Z"), 
+    #       job_status: "COMPLETED", 
+    #       started_at: Time.parse("2023-05-01T10:01:00Z"), 
+    #       submitted_at: Time.parse("2023-05-01T10:00:00Z"), 
+    #     }, 
+    #     job_id: "a1b2c3d4-e5f6-7890-abcd-ef1234567890", 
+    #     job_parameters: {
+    #       end_time: Time.parse("2023-12-31T23:59:59Z"), 
+    #       policy_configurations: [
+    #         {
+    #           job_type: "SCP", 
+    #           policy_documents_list: [
+    #             "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowS3Access\",\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\",\"s3:ListBucket\"],\"Resource\":[\"arn:aws:s3:::example-bucket\",\"arn:aws:s3:::example-bucket/*\"]}]}", 
+    #           ], 
+    #           target_id: "123456789012", 
+    #         }, 
+    #       ], 
+    #       start_time: Time.parse("2023-01-01T00:00:00Z"), 
+    #     }, 
+    #     output_s3_uri: "s3://bucket/path", 
+    #   }
+    #
+    # @example Example: Failed policy preview job
+    #
+    #   resp = client.get_policy_preview_job({
+    #     job_id: "b2c3d4e5-f6a7-8901-bcde-f12345678901", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     job_details: {
+    #       completed_at: Time.parse("2023-05-01T10:05:00Z"), 
+    #       job_error: {
+    #         code: "SERVICE_ERROR", 
+    #         message: "Service error occurred during job execution.", 
+    #       }, 
+    #       job_status: "FAILED", 
+    #       started_at: Time.parse("2023-05-01T10:01:00Z"), 
+    #       submitted_at: Time.parse("2023-05-01T10:00:00Z"), 
+    #     }, 
+    #     job_id: "b2c3d4e5-f6a7-8901-bcde-f12345678901", 
+    #     job_parameters: {
+    #       end_time: Time.parse("2023-12-31T23:59:59Z"), 
+    #       policy_configurations: [
+    #         {
+    #           job_type: "SCP", 
+    #           policy_documents_list: [
+    #             "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowS3Access\",\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\",\"s3:ListBucket\"],\"Resource\":[\"arn:aws:s3:::example-bucket\",\"arn:aws:s3:::example-bucket/*\"]}]}", 
+    #           ], 
+    #           target_id: "123456789012", 
+    #         }, 
+    #       ], 
+    #       start_time: Time.parse("2023-01-01T00:00:00Z"), 
+    #     }, 
+    #     output_s3_uri: "s3://bucket/path", 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_policy_preview_job({
+    #     job_id: "PolicyPreviewJobId", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.job_id #=> String
+    #   resp.job_parameters.start_time #=> Time
+    #   resp.job_parameters.end_time #=> Time
+    #   resp.job_parameters.policy_configurations #=> Array
+    #   resp.job_parameters.policy_configurations[0].job_type #=> String, one of "SCP"
+    #   resp.job_parameters.policy_configurations[0].target_id #=> String
+    #   resp.job_parameters.policy_configurations[0].policy_documents_list #=> Array
+    #   resp.job_parameters.policy_configurations[0].policy_documents_list[0] #=> String
+    #   resp.job_details.job_status #=> String, one of "SUBMITTED", "IN_PROGRESS", "COMPLETED", "FAILED", "CANCELED"
+    #   resp.job_details.submitted_at #=> Time
+    #   resp.job_details.started_at #=> Time
+    #   resp.job_details.completed_at #=> Time
+    #   resp.job_details.job_error.code #=> String, one of "AUTHORIZATION_ERROR", "RESOURCE_NOT_FOUND_ERROR", "SERVICE_QUOTA_EXCEEDED_ERROR", "SERVICE_ERROR", "CANCELED_JOB_ERROR", "INVALID_SERVICE_LINKED_ROLE", "INSUFFICIENT_PERMISSIONS_ERROR", "ORGANIZATION_ACCESS_DENIED_ERROR", "INVALID_TARGET_ERROR", "INVALID_POLICY_PREVIEW_CONFIGURATION", "INVALID_ORGANIZATION_CONFIGURATION", "S3_BUCKET_NOT_FOUND_ERROR", "S3_BUCKET_PERMISSION_ERROR"
+    #   resp.job_details.job_error.message #=> String
+    #   resp.output_s3_uri #=> String
+    #
+    #
+    # The following waiters are defined for this operation (see {Client#wait_until} for detailed usage):
+    #
+    #   * policy_preview_job_completed
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetPolicyPreviewJob AWS API Documentation
+    #
+    # @overload get_policy_preview_job(params = {})
+    # @param [Hash] params ({})
+    def get_policy_preview_job(params = {}, options = {})
+      req = build_request(:get_policy_preview_job, params)
+      req.send_request(options)
+    end
+
     # Retrieves a list of access preview findings generated by the specified
     # access preview.
     #
@@ -2468,6 +2772,94 @@ module Aws::AccessAnalyzer
       req.send_request(options)
     end
 
+    # Lists all policy preview jobs with optional filtering by job status or
+    # target ID. Results are paginated for efficient retrieval of large
+    # result sets.
+    #
+    # @option params [Hash<String,String>] :filters
+    #   Optional filter criteria to narrow the list of returned jobs. You can
+    #   filter by job status or target ID. Maximum of one filter can be
+    #   specified.
+    #
+    # @option params [Integer] :max_results
+    #   The maximum number of results to return in a single page. Minimum
+    #   value is 1.
+    #
+    # @option params [String] :next_token
+    #   A token used for pagination of results. Use the token returned in the
+    #   previous response to retrieve the next page of results.
+    #
+    # @return [Types::ListPolicyPreviewJobsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListPolicyPreviewJobsResponse#analysis_reports #analysis_reports} => Array&lt;Types::PolicyPreviewAnalysisReport&gt;
+    #   * {Types::ListPolicyPreviewJobsResponse#next_token #next_token} => String
+    #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
+    #
+    # @example Example: Successfully listed policy preview jobs with filters
+    #
+    #   resp = client.list_policy_preview_jobs({
+    #     filters: {
+    #       "jobStatus" => "COMPLETED", 
+    #     }, 
+    #     max_results: 10, 
+    #     next_token: "token-123", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     analysis_reports: [
+    #       {
+    #         completed_at: Time.parse("2023-05-01T10:30:00Z"), 
+    #         job_id: "a1b2c3d4-e5f6-7890-abcd-ef1234567890", 
+    #         output_s3_uri: "s3://bucket/path", 
+    #         started_at: Time.parse("2023-05-01T10:01:00Z"), 
+    #         status: "COMPLETED", 
+    #         submitted_at: Time.parse("2023-05-01T10:00:00Z"), 
+    #       }, 
+    #       {
+    #         completed_at: Time.parse("2023-05-02T10:30:00Z"), 
+    #         job_id: "c3d4e5f6-a7b8-9012-cdef-123456789012", 
+    #         output_s3_uri: "s3://bucket/path", 
+    #         started_at: Time.parse("2023-05-02T10:01:00Z"), 
+    #         status: "COMPLETED", 
+    #         submitted_at: Time.parse("2023-05-02T10:00:00Z"), 
+    #       }, 
+    #     ], 
+    #     next_token: "token-456", 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_policy_preview_jobs({
+    #     filters: {
+    #       "jobStatus" => "String",
+    #     },
+    #     max_results: 1,
+    #     next_token: "Token",
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.analysis_reports #=> Array
+    #   resp.analysis_reports[0].job_id #=> String
+    #   resp.analysis_reports[0].status #=> String, one of "SUBMITTED", "IN_PROGRESS", "COMPLETED", "FAILED", "CANCELED"
+    #   resp.analysis_reports[0].submitted_at #=> Time
+    #   resp.analysis_reports[0].started_at #=> Time
+    #   resp.analysis_reports[0].completed_at #=> Time
+    #   resp.analysis_reports[0].output_s3_uri #=> String
+    #   resp.next_token #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListPolicyPreviewJobs AWS API Documentation
+    #
+    # @overload list_policy_preview_jobs(params = {})
+    # @param [Hash] params ({})
+    def list_policy_preview_jobs(params = {}, options = {})
+      req = build_request(:list_policy_preview_jobs, params)
+      req.send_request(options)
+    end
+
     # Retrieves a list of tags applied to the specified resource.
     #
     # @option params [required, String] :resource_arn
@@ -2559,6 +2951,120 @@ module Aws::AccessAnalyzer
       req.send_request(options)
     end
 
+    # Creates a policy preview analysis job to evaluate the impact of
+    # Service Control Policies (SCPs) before deployment. The analysis uses
+    # historical CloudTrail authorization events to identify potential
+    # access denials, helping you prevent service disruptions.
+    #
+    # The job analyzes CloudTrail events within a specified time window and
+    # generates a report identifying which events would be denied by the
+    # proposed policy. The report is stored in the specified Amazon S3
+    # location.
+    #
+    # @option params [required, Array<Types::PolicyConfiguration>] :policy_configurations
+    #   A list of policy configurations to analyze. Currently limited to one
+    #   configuration per request. Each configuration specifies the job type,
+    #   target ID, and policy documents to test.
+    #
+    # @option params [required, Time,DateTime,Date,Integer,String] :start_time
+    #   The start of the CloudTrail event analysis window. The analysis will
+    #   evaluate events from this time forward.
+    #
+    # @option params [Time,DateTime,Date,Integer,String] :end_time
+    #   The end of the analysis window. If not specified, defaults to the time
+    #   of the request. The analysis will evaluate CloudTrail events up to
+    #   this time.
+    #
+    # @option params [required, String] :output_s3_uri
+    #   The Amazon S3 URI where the completed analysis report will be stored.
+    #   The Amazon S3 bucket must grant access to the IAM Access Analyzer
+    #   service principal in its resource policy. The report will be stored at
+    #   the path: `outputS3Uri/jobId/timestamp/`.
+    #
+    # @option params [String] :client_token
+    #   A unique, case-sensitive identifier that you provide to ensure the
+    #   idempotency of the request. Idempotency ensures that an API request
+    #   completes only once. With an idempotent request, if the original
+    #   request completes successfully, subsequent retries with the same
+    #   client token return the result from the original successful request
+    #   and have no additional effect.
+    #
+    #   **A suitable default value is auto-generated.** You should normally
+    #   not need to pass this option.**
+    #
+    # @return [Types::StartPolicyPreviewJobResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::StartPolicyPreviewJobResponse#job_id #job_id} => String
+    #
+    #
+    # @example Example: Successfully started policy preview job
+    #
+    #   resp = client.start_policy_preview_job({
+    #     client_token: "unique-token-123", 
+    #     end_time: Time.parse("2023-12-31T23:59:59Z"), 
+    #     output_s3_uri: "s3://bucket/path", 
+    #     policy_configurations: [
+    #       {
+    #         job_type: "SCP", 
+    #         policy_documents_list: [
+    #           "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"AllowS3Access\",\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\",\"s3:ListBucket\"],\"Resource\":[\"arn:aws:s3:::example-bucket\",\"arn:aws:s3:::example-bucket/*\"]}]}", 
+    #         ], 
+    #         target_id: "123456789012", 
+    #       }, 
+    #     ], 
+    #     start_time: Time.parse("2023-01-01T00:00:00Z"), 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     job_id: "a1b2c3d4-e5f6-7890-abcd-ef1234567890", 
+    #   }
+    #
+    # @example Example: Failed field validation for invalid targetId
+    #
+    #   resp = client.start_policy_preview_job({
+    #     output_s3_uri: "s3://bucket/path", 
+    #     policy_configurations: [
+    #       {
+    #         job_type: "SCP", 
+    #         policy_documents_list: [
+    #           "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Action\":\"s3:*\",\"Resource\":\"*\"}]}", 
+    #         ], 
+    #         target_id: "invalid", 
+    #       }, 
+    #     ], 
+    #     start_time: Time.parse("2023-01-01T00:00:00Z"), 
+    #   })
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.start_policy_preview_job({
+    #     policy_configurations: [ # required
+    #       {
+    #         job_type: "SCP", # required, accepts SCP
+    #         target_id: "PolicyPreviewTargetId", # required
+    #         policy_documents_list: ["String"], # required
+    #       },
+    #     ],
+    #     start_time: Time.now, # required
+    #     end_time: Time.now,
+    #     output_s3_uri: "S3Uri", # required
+    #     client_token: "String",
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.job_id #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/StartPolicyPreviewJob AWS API Documentation
+    #
+    # @overload start_policy_preview_job(params = {})
+    # @param [Hash] params ({})
+    def start_policy_preview_job(params = {}, options = {})
+      req = build_request(:start_policy_preview_job, params)
+      req.send_request(options)
+    end
+
     # Immediately starts a scan of the policies applied to the specified
     # resource.
     #
@@ -2936,14 +3442,129 @@ module Aws::AccessAnalyzer
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-accessanalyzer'
-      context[:gem_version] = '1.85.0'
+      context[:gem_version] = '1.87.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 
+    # Polls an API operation until a resource enters a desired state.
+    #
+    # ## Basic Usage
+    #
+    # A waiter will call an API operation until:
+    #
+    # * It is successful
+    # * It enters a terminal state
+    # * It makes the maximum number of attempts
+    #
+    # In between attempts, the waiter will sleep.
+    #
+    #     # polls in a loop, sleeping between attempts
+    #     client.wait_until(waiter_name, params)
+    #
+    # ## Configuration
+    #
+    # You can configure the maximum number of polling attempts, and the
+    # delay (in seconds) between each polling attempt. You can pass
+    # configuration as the final arguments hash.
+    #
+    #     # poll for ~25 seconds
+    #     client.wait_until(waiter_name, params, {
+    #       max_attempts: 5,
+    #       delay: 5,
+    #     })
+    #
+    # ## Callbacks
+    #
+    # You can be notified before each polling attempt and before each
+    # delay. If you throw `:success` or `:failure` from these callbacks,
+    # it will terminate the waiter.
+    #
+    #     started_at = Time.now
+    #     client.wait_until(waiter_name, params, {
+    #
+    #       # disable max attempts
+    #       max_attempts: nil,
+    #
+    #       # poll for 1 hour, instead of a number of attempts
+    #       before_wait: -> (attempts, response) do
+    #         throw :failure if Time.now - started_at > 3600
+    #       end
+    #     })
+    #
+    # ## Handling Errors
+    #
+    # When a waiter is unsuccessful, it will raise an error.
+    # All of the failure errors extend from
+    # {Aws::Waiters::Errors::WaiterFailed}.
+    #
+    #     begin
+    #       client.wait_until(...)
+    #     rescue Aws::Waiters::Errors::WaiterFailed
+    #       # resource did not enter the desired state in time
+    #     end
+    #
+    # ## Valid Waiters
+    #
+    # The following table lists the valid waiter names, the operations they call,
+    # and the default `:delay` and `:max_attempts` values.
+    #
+    # | waiter_name                         | params                                    | :delay   | :max_attempts |
+    # | ----------------------------------- | ----------------------------------------- | -------- | ------------- |
+    # | policy_preview_configuration_active | {Client#get_policy_preview_configuration} | 5        | 24            |
+    # | policy_preview_job_completed        | {Client#get_policy_preview_job}           | 30       | 5             |
+    #
+    # @raise [Errors::FailureStateError] Raised when the waiter terminates
+    #   because the waiter has entered a state that it will not transition
+    #   out of, preventing success.
+    #
+    # @raise [Errors::TooManyAttemptsError] Raised when the configured
+    #   maximum number of attempts have been made, and the waiter is not
+    #   yet successful.
+    #
+    # @raise [Errors::UnexpectedError] Raised when an error is encounted
+    #   while polling for a resource that is not expected.
+    #
+    # @raise [Errors::NoSuchWaiterError] Raised when you request to wait
+    #   for an unknown state.
+    #
+    # @return [Boolean] Returns `true` if the waiter was successful.
+    # @param [Symbol] waiter_name
+    # @param [Hash] params ({})
+    # @param [Hash] options ({})
+    # @option options [Integer] :max_attempts
+    # @option options [Integer] :delay
+    # @option options [Proc] :before_attempt
+    # @option options [Proc] :before_wait
+    def wait_until(waiter_name, params = {}, options = {})
+      w = waiter(waiter_name, options)
+      yield(w.waiter) if block_given? # deprecated
+      w.wait(params)
+    end
+
     # @api private
     # @deprecated
     def waiter_names
-      []
+      waiters.keys
+    end
+
+    private
+
+    # @param [Symbol] waiter_name
+    # @param [Hash] options ({})
+    def waiter(waiter_name, options = {})
+      waiter_class = waiters[waiter_name]
+      if waiter_class
+        waiter_class.new(options.merge(client: self))
+      else
+        raise Aws::Waiters::Errors::NoSuchWaiterError.new(waiter_name, waiters.keys)
+      end
+    end
+
+    def waiters
+      {
+        policy_preview_configuration_active: Waiters::PolicyPreviewConfigurationActive,
+        policy_preview_job_completed: Waiters::PolicyPreviewJobCompleted
+      }
     end
 
     class << self