aws-sdk-iam 1.25.0 → 1.26.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ae86c7a74f0bbf1d030029268e7cf74ae71ef2ca
-  data.tar.gz: d90754c86f70d09cc9527664a74efc54e9a57bbe
+  metadata.gz: 8310c2972d0dc5577134b2412743dc2b8e9d6511
+  data.tar.gz: 9de6bd9f1c90991b36d6b9bc2d5216f1f214c50b
 SHA512:
-  metadata.gz: 5ffdfad575e940f19fc1697e5048214b68919cb8da6276575b962be8c89ccc6e27869d5dc3605e4645261aef59e826e303b7d0486d7d00055b4bcaf9f0a6eee6
-  data.tar.gz: 937e0105ba2d064cedd46b0478a180eb813d9a2fead063fe2732a7a1dd1c4ecd033c4c3d2a2f578062383d82c481e018343344d56d7ddcbb0515bdd53d852d41
+  metadata.gz: b4fbc019daa8451fc99a629ca45649cd476f8e39cd1dcc9eefcce6742bc09c155f5413787a41715dd4cba910b159a6d204f09d1339bda4fb3a4be9de50d129d5
+  data.tar.gz: 2ece8e323ed461c95ad46b1fd8474ecc7905ea0afa68e7c9394ae65a955bec2cb0d8fb9536b794bedf35d95760c0b2c4b5a99415716b13ee98ec979a61a95050

data/lib/aws-sdk-iam.rb

@@ -64,6 +64,6 @@ require_relative 'aws-sdk-iam/customizations'
 # @service
 module Aws::IAM
 
-  GEM_VERSION = '1.25.0'
+  GEM_VERSION = '1.26.0'
 
 end

data/lib/aws-sdk-iam/client.rb

@@ -1474,7 +1474,7 @@ module Aws::IAM
     #   The trust relationship policy document that grants an entity
     #   permission to assume the role.
     #
-    #   in IAM, you must provide a JSON policy that has been converted to a
+    #   In IAM, you must provide a JSON policy that has been converted to a
     #   string. However, for AWS CloudFormation templates formatted in YAML,
     #   you can provide the policy in JSON or YAML format. AWS CloudFormation
     #   always converts a YAML policy to JSON format before submitting it to
@@ -3492,12 +3492,198 @@ module Aws::IAM
       req.send_request(options)
     end
 
-    # Generates a request for a report that includes details about when an
-    # IAM resource (user, group, role, or policy) was last used in an
-    # attempt to access AWS services. Recent activity usually appears within
-    # four hours. IAM reports activity for the last 365 days, or less if
-    # your Region began supporting this feature within the last year. For
-    # more information, see [Regions Where Data Is Tracked][1].
+    # Generates a report for service last accessed data for AWS
+    # Organizations. You can generate a report for any entities
+    # (organization root, organizational unit, or account) or policies in
+    # your organization.
+    #
+    # To call this operation, you must be signed in using your AWS
+    # Organizations master account credentials. You can use your long-term
+    # IAM user or root user credentials, or temporary credentials from
+    # assuming an IAM role. SCPs must be enabled for your organization root.
+    # You must have the required IAM and AWS Organizations permissions. For
+    # more information, see [Refining Permissions Using Service Last
+    # Accessed Data][1] in the *IAM User Guide*.
+    #
+    # You can generate a service last accessed data report for entities by
+    # specifying only the entity's path. This data includes a list of
+    # services that are allowed by any service control policies (SCPs) that
+    # apply to the entity.
+    #
+    # You can generate a service last accessed data report for a policy by
+    # specifying an entity's path and an optional AWS Organizations policy
+    # ID. This data includes a list of services that are allowed by the
+    # specified SCP.
+    #
+    # For each service in both report types, the data includes the most
+    # recent account activity that the policy allows to account principals
+    # in the entity or the entity's children. For important information
+    # about the data, reporting period, permissions required,
+    # troubleshooting, and supported Regions see [Reducing Permissions Using
+    # Service Last Accessed Data][1] in the *IAM User Guide*.
+    #
+    # The data includes all attempts to access AWS, not just the successful
+    # ones. This includes all attempts that were made using the AWS
+    # Management Console, the AWS API through any of the SDKs, or any of the
+    # command line tools. An unexpected entry in the service last accessed
+    # data does not mean that an account has been compromised, because the
+    # request might have been denied. Refer to your CloudTrail logs as the
+    # authoritative source for information about all API calls and whether
+    # they were successful or denied access. For more information,
+    # see [Logging IAM Events with CloudTrail][2] in the *IAM User Guide*.
+    #
+    # This operation returns a `JobId`. Use this parameter in the `
+    # GetOrganizationsAccessReport ` operation to check the status of the
+    # report generation. To check the status of this request, use the
+    # `JobId` parameter in the ` GetOrganizationsAccessReport ` operation
+    # and test the `JobStatus` response parameter. When the job is complete,
+    # you can retrieve the report.
+    #
+    # To generate a service last accessed data report for entities, specify
+    # an entity path without specifying the optional AWS Organizations
+    # policy ID. The type of entity that you specify determines the data
+    # returned in the report.
+    #
+    # * **Root** – When you specify the organizations root as the entity,
+    #   the resulting report lists all of the services allowed by SCPs that
+    #   are attached to your root. For each service, the report includes
+    #   data for all accounts in your organization except the master
+    #   account, because the master account is not limited by SCPs.
+    #
+    # * **OU** – When you specify an organizational unit (OU) as the entity,
+    #   the resulting report lists all of the services allowed by SCPs that
+    #   are attached to the OU and its parents. For each service, the report
+    #   includes data for all accounts in the OU or its children. This data
+    #   excludes the master account, because the master account is not
+    #   limited by SCPs.
+    #
+    # * **Master account** – When you specify the master account, the
+    #   resulting report lists all AWS services, because the master account
+    #   is not limited by SCPs. For each service, the report includes data
+    #   for only the master account.
+    #
+    # * **Account** – When you specify another account as the entity, the
+    #   resulting report lists all of the services allowed by SCPs that are
+    #   attached to the account and its parents. For each service, the
+    #   report includes data for only the specified account.
+    #
+    # To generate a service last accessed data report for policies, specify
+    # an entity path and the optional AWS Organizations policy ID. The type
+    # of entity that you specify determines the data returned for each
+    # service.
+    #
+    # * **Root** – When you specify the root entity and a policy ID, the
+    #   resulting report lists all of the services that are allowed by the
+    #   specified SCP. For each service, the report includes data for all
+    #   accounts in your organization to which the SCP applies. This data
+    #   excludes the master account, because the master account is not
+    #   limited by SCPs. If the SCP is not attached to any entities in the
+    #   organization, then the report will return a list of services with no
+    #   data.
+    #
+    # * **OU** – When you specify an OU entity and a policy ID, the
+    #   resulting report lists all of the services that are allowed by the
+    #   specified SCP. For each service, the report includes data for all
+    #   accounts in the OU or its children to which the SCP applies. This
+    #   means that other accounts outside the OU that are affected by the
+    #   SCP might not be included in the data. This data excludes the master
+    #   account, because the master account is not limited by SCPs. If the
+    #   SCP is not attached to the OU or one of its children, the report
+    #   will return a list of services with no data.
+    #
+    # * **Master account** – When you specify the master account, the
+    #   resulting report lists all AWS services, because the master account
+    #   is not limited by SCPs. If you specify a policy ID in the CLI or
+    #   API, the policy is ignored. For each service, the report includes
+    #   data for only the master account.
+    #
+    # * **Account** – When you specify another account entity and a policy
+    #   ID, the resulting report lists all of the services that are allowed
+    #   by the specified SCP. For each service, the report includes data for
+    #   only the specified account. This means that other accounts in the
+    #   organization that are affected by the SCP might not be included in
+    #   the data. If the SCP is not attached to the account, the report will
+    #   return a list of services with no data.
+    #
+    # <note markdown="1"> Service last accessed data does not use other policy types when
+    # determining whether a principal could access a service. These other
+    # policy types include identity-based policies, resource-based policies,
+    # access control lists, IAM permissions boundaries, and STS assume role
+    # policies. It only applies SCP logic. For more about the evaluation of
+    # policy types, see [Evaluating Policies][3] in the *IAM User Guide*.
+    #
+    #  </note>
+    #
+    # For more information about service last accessed data, see [Reducing
+    # Policy Scope by Viewing User Activity][1] in the *IAM User Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html
+    # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
+    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-basics
+    #
+    # @option params [required, String] :entity_path
+    #   The path of the AWS Organizations entity (root, OU, or account). You
+    #   can build an entity path using the known structure of your
+    #   organization. For example, assume that your account ID is
+    #   `123456789012` and its parent OU ID is `ou-rge0-awsabcde`. The
+    #   organization root ID is `r-f6g7h8i9j0example` and your organization ID
+    #   is `o-a1b2c3d4e5`. Your entity path is
+    #   `o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-rge0-awsabcde/123456789012`.
+    #
+    # @option params [String] :organizations_policy_id
+    #   The identifier of the AWS Organizations service control policy (SCP).
+    #   This parameter is optional.
+    #
+    #   This ID is used to generate information about when an account
+    #   principal that is limited by the SCP attempted to access an AWS
+    #   service.
+    #
+    # @return [Types::GenerateOrganizationsAccessReportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GenerateOrganizationsAccessReportResponse#job_id #job_id} => String
+    #
+    #
+    # @example Example: To generate a service last accessed data report for an organizational unit
+    #
+    #   # The following operation generates a report for the organizational unit ou-rge0-awexample
+    #
+    #   resp = client.generate_organizations_access_report({
+    #     entity_path: "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-1a2b3c-k9l8m7n6o5example", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     job_id: "examplea-1234-b567-cde8-90fg123abcd4", 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.generate_organizations_access_report({
+    #     entity_path: "organizationsEntityPathType", # required
+    #     organizations_policy_id: "organizationsPolicyIdType",
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.job_id #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/GenerateOrganizationsAccessReport AWS API Documentation
+    #
+    # @overload generate_organizations_access_report(params = {})
+    # @param [Hash] params ({})
+    def generate_organizations_access_report(params = {}, options = {})
+      req = build_request(:generate_organizations_access_report, params)
+      req.send_request(options)
+    end
+
+    # Generates a report that includes details about when an IAM resource
+    # (user, group, role, or policy) was last used in an attempt to access
+    # AWS services. Recent activity usually appears within four hours. IAM
+    # reports activity for the last 365 days, or less if your Region began
+    # supporting this feature within the last year. For more information,
+    # see [Regions Where Data Is Tracked][1].
     #
     # The service last accessed data includes all attempts to access an AWS
     # API, not just the successful ones. This includes all attempts that
@@ -4449,6 +4635,151 @@ module Aws::IAM
       req.send_request(options)
     end
 
+    # Retrieves the service last accessed data report for AWS Organizations
+    # that was previously generated using the `
+    # GenerateOrganizationsAccessReport ` operation. This operation
+    # retrieves the status of your report job and the report contents.
+    #
+    # Depending on the parameters that you passed when you generated the
+    # report, the data returned could include different information. For
+    # details, see GenerateOrganizationsAccessReport.
+    #
+    # To call this operation, you must be signed in to the master account in
+    # your organization. SCPs must be enabled for your organization root.
+    # You must have permissions to perform this operation. For more
+    # information, see [Refining Permissions Using Service Last Accessed
+    # Data][1] in the *IAM User Guide*.
+    #
+    # For each service that principals in an account (root users, IAM users,
+    # or IAM roles) could access using SCPs, the operation returns details
+    # about the most recent access attempt. If there was no attempt, the
+    # service is listed without details about the most recent attempt to
+    # access the service. If the operation fails, it returns the reason that
+    # it failed.
+    #
+    # By default, the list is sorted by service namespace.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html
+    #
+    # @option params [required, String] :job_id
+    #   The identifier of the request generated by the
+    #   GenerateOrganizationsAccessReport operation.
+    #
+    # @option params [Integer] :max_items
+    #   Use this only when paginating results to indicate the maximum number
+    #   of items you want in the response. If additional items exist beyond
+    #   the maximum you specify, the `IsTruncated` response element is `true`.
+    #
+    #   If you do not include this parameter, the number of items defaults to
+    #   100. Note that IAM might return fewer results, even when there are
+    #   more results available. In that case, the `IsTruncated` response
+    #   element returns `true`, and `Marker` contains a value to include in
+    #   the subsequent call that tells the service where to continue from.
+    #
+    # @option params [String] :marker
+    #   Use this parameter only when paginating results and only after you
+    #   receive a response indicating that the results are truncated. Set it
+    #   to the value of the `Marker` element in the response that you received
+    #   to indicate where the next call should start.
+    #
+    # @option params [String] :sort_key
+    #   The key that is used to sort the results. If you choose the namespace
+    #   key, the results are returned in alphabetical order. If you choose the
+    #   time key, the results are sorted numerically by the date and time.
+    #
+    # @return [Types::GetOrganizationsAccessReportResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetOrganizationsAccessReportResponse#job_status #job_status} => String
+    #   * {Types::GetOrganizationsAccessReportResponse#job_creation_date #job_creation_date} => Time
+    #   * {Types::GetOrganizationsAccessReportResponse#job_completion_date #job_completion_date} => Time
+    #   * {Types::GetOrganizationsAccessReportResponse#number_of_services_accessible #number_of_services_accessible} => Integer
+    #   * {Types::GetOrganizationsAccessReportResponse#number_of_services_not_accessed #number_of_services_not_accessed} => Integer
+    #   * {Types::GetOrganizationsAccessReportResponse#access_details #access_details} => Array&lt;Types::AccessDetail&gt;
+    #   * {Types::GetOrganizationsAccessReportResponse#is_truncated #is_truncated} => Boolean
+    #   * {Types::GetOrganizationsAccessReportResponse#marker #marker} => String
+    #   * {Types::GetOrganizationsAccessReportResponse#error_details #error_details} => Types::ErrorDetails
+    #
+    #
+    # @example Example: To get details from a previously generated organizational unit report
+    #
+    #   # The following operation gets details about the report with the job ID: examplea-1234-b567-cde8-90fg123abcd4
+    #
+    #   resp = client.get_organizations_access_report({
+    #     job_id: "examplea-1234-b567-cde8-90fg123abcd4", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     access_details: [
+    #       {
+    #         entity_path: "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-1a2b3c-k9l8m7n6o5example/111122223333", 
+    #         last_authenticated_time: Time.parse("2019-05-25T16:29:52Z"), 
+    #         region: "us-east-1", 
+    #         service_name: "Amazon DynamoDB", 
+    #         service_namespace: "dynamodb", 
+    #         total_authenticated_entities: 2, 
+    #       }, 
+    #       {
+    #         entity_path: "o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-1a2b3c-k9l8m7n6o5example/123456789012", 
+    #         last_authenticated_time: Time.parse("2019-06-15T13:12:06Z"), 
+    #         region: "us-east-1", 
+    #         service_name: "AWS Identity and Access Management", 
+    #         service_namespace: "iam", 
+    #         total_authenticated_entities: 4, 
+    #       }, 
+    #       {
+    #         service_name: "Amazon Simple Storage Service", 
+    #         service_namespace: "s3", 
+    #         total_authenticated_entities: 0, 
+    #       }, 
+    #     ], 
+    #     is_truncated: false, 
+    #     job_completion_date: Time.parse("2019-06-18T19:47:35.241Z"), 
+    #     job_creation_date: Time.parse("2019-06-18T19:47:31.466Z"), 
+    #     job_status: "COMPLETED", 
+    #     number_of_services_accessible: 3, 
+    #     number_of_services_not_accessed: 1, 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_organizations_access_report({
+    #     job_id: "jobIDType", # required
+    #     max_items: 1,
+    #     marker: "markerType",
+    #     sort_key: "SERVICE_NAMESPACE_ASCENDING", # accepts SERVICE_NAMESPACE_ASCENDING, SERVICE_NAMESPACE_DESCENDING, LAST_AUTHENTICATED_TIME_ASCENDING, LAST_AUTHENTICATED_TIME_DESCENDING
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.job_status #=> String, one of "IN_PROGRESS", "COMPLETED", "FAILED"
+    #   resp.job_creation_date #=> Time
+    #   resp.job_completion_date #=> Time
+    #   resp.number_of_services_accessible #=> Integer
+    #   resp.number_of_services_not_accessed #=> Integer
+    #   resp.access_details #=> Array
+    #   resp.access_details[0].service_name #=> String
+    #   resp.access_details[0].service_namespace #=> String
+    #   resp.access_details[0].region #=> String
+    #   resp.access_details[0].entity_path #=> String
+    #   resp.access_details[0].last_authenticated_time #=> Time
+    #   resp.access_details[0].total_authenticated_entities #=> Integer
+    #   resp.is_truncated #=> Boolean
+    #   resp.marker #=> String
+    #   resp.error_details.message #=> String
+    #   resp.error_details.code #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/GetOrganizationsAccessReport AWS API Documentation
+    #
+    # @overload get_organizations_access_report(params = {})
+    # @param [Hash] params ({})
+    def get_organizations_access_report(params = {}, options = {})
+      req = build_request(:get_organizations_access_report, params)
+      req.send_request(options)
+    end
+
     # Retrieves information about the specified managed policy, including
     # the policy's default version and the total number of IAM users,
     # groups, and roles to which the policy is attached. To retrieve the
@@ -4933,11 +5264,13 @@ module Aws::IAM
       req.send_request(options)
     end
 
-    # After you generate a user, group, role, or policy report using the
-    # `GenerateServiceLastAccessedDetails` operation, you can use the
-    # `JobId` parameter in `GetServiceLastAccessedDetails`. This operation
-    # retrieves the status of your report job and a list of AWS services
-    # that the resource (user, group, role, or managed policy) can access.
+    # Retrieves a service last accessed report that was created using the
+    # `GenerateServiceLastAccessedDetails` operation. You can use the
+    # `JobId` parameter in `GetServiceLastAccessedDetails` to retrieve the
+    # status of your report job. When the report is complete, you can
+    # retrieve the generated report. The report includes a list of AWS
+    # services that the resource (user, group, role, or managed policy) can
+    # access.
     #
     # <note markdown="1"> Service last accessed data does not use other policy types when
     # determining whether a resource could access a service. These other
@@ -7926,7 +8259,14 @@ module Aws::IAM
     # @option params [required, String] :group_name
     #   The name of the group to associate the policy with.
     #
-    #   &amp;regex-name;.
+    #   This parameter allows (through its [regex pattern][1]) a string of
+    #   characters consisting of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following characters:
+    #   \_+=,.@-.
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
     #
     # @option params [required, String] :policy_name
     #   The name of the policy document.
@@ -9131,7 +9471,7 @@ module Aws::IAM
     # @option params [Array<Types::ContextEntry>] :context_entries
     #   A list of context keys and corresponding values for the simulation to
     #   use. Whenever a context key is evaluated in one of the simulated IAM
-    #   permission policies, the corresponding value is supplied.
+    #   permissions policies, the corresponding value is supplied.
     #
     # @option params [String] :resource_handling_option
     #   Specifies the type of simulation to run. Different API operations that
@@ -10970,7 +11310,7 @@ module Aws::IAM
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-iam'
-      context[:gem_version] = '1.25.0'
+      context[:gem_version] = '1.26.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-iam/client_api.rb

@@ -11,6 +11,8 @@ module Aws::IAM
 
     include Seahorse::Model
 
+    AccessDetail = Shapes::StructureShape.new(name: 'AccessDetail')
+    AccessDetails = Shapes::ListShape.new(name: 'AccessDetails')
     AccessKey = Shapes::StructureShape.new(name: 'AccessKey')
     AccessKeyLastUsed = Shapes::StructureShape.new(name: 'AccessKeyLastUsed')
     AccessKeyMetadata = Shapes::StructureShape.new(name: 'AccessKeyMetadata')
@@ -112,6 +114,8 @@ module Aws::IAM
     EvaluationResult = Shapes::StructureShape.new(name: 'EvaluationResult')
     EvaluationResultsListType = Shapes::ListShape.new(name: 'EvaluationResultsListType')
     GenerateCredentialReportResponse = Shapes::StructureShape.new(name: 'GenerateCredentialReportResponse')
+    GenerateOrganizationsAccessReportRequest = Shapes::StructureShape.new(name: 'GenerateOrganizationsAccessReportRequest')
+    GenerateOrganizationsAccessReportResponse = Shapes::StructureShape.new(name: 'GenerateOrganizationsAccessReportResponse')
     GenerateServiceLastAccessedDetailsRequest = Shapes::StructureShape.new(name: 'GenerateServiceLastAccessedDetailsRequest')
     GenerateServiceLastAccessedDetailsResponse = Shapes::StructureShape.new(name: 'GenerateServiceLastAccessedDetailsResponse')
     GetAccessKeyLastUsedRequest = Shapes::StructureShape.new(name: 'GetAccessKeyLastUsedRequest')
@@ -134,6 +138,8 @@ module Aws::IAM
     GetLoginProfileResponse = Shapes::StructureShape.new(name: 'GetLoginProfileResponse')
     GetOpenIDConnectProviderRequest = Shapes::StructureShape.new(name: 'GetOpenIDConnectProviderRequest')
     GetOpenIDConnectProviderResponse = Shapes::StructureShape.new(name: 'GetOpenIDConnectProviderResponse')
+    GetOrganizationsAccessReportRequest = Shapes::StructureShape.new(name: 'GetOrganizationsAccessReportRequest')
+    GetOrganizationsAccessReportResponse = Shapes::StructureShape.new(name: 'GetOrganizationsAccessReportResponse')
     GetPolicyRequest = Shapes::StructureShape.new(name: 'GetPolicyRequest')
     GetPolicyResponse = Shapes::StructureShape.new(name: 'GetPolicyResponse')
     GetPolicyVersionRequest = Shapes::StructureShape.new(name: 'GetPolicyVersionRequest')
@@ -269,6 +275,7 @@ module Aws::IAM
     RemoveUserFromGroupRequest = Shapes::StructureShape.new(name: 'RemoveUserFromGroupRequest')
     ReportContentType = Shapes::BlobShape.new(name: 'ReportContentType')
     ReportFormatType = Shapes::StringShape.new(name: 'ReportFormatType')
+    ReportGenerationLimitExceededException = Shapes::StructureShape.new(name: 'ReportGenerationLimitExceededException')
     ReportStateDescriptionType = Shapes::StringShape.new(name: 'ReportStateDescriptionType')
     ReportStateType = Shapes::StringShape.new(name: 'ReportStateType')
     ResetServiceSpecificCredentialRequest = Shapes::StructureShape.new(name: 'ResetServiceSpecificCredentialRequest')
@@ -401,6 +408,8 @@ module Aws::IAM
     mfaDeviceListType = Shapes::ListShape.new(name: 'mfaDeviceListType')
     minimumPasswordLengthType = Shapes::IntegerShape.new(name: 'minimumPasswordLengthType')
     noSuchEntityMessage = Shapes::StringShape.new(name: 'noSuchEntityMessage')
+    organizationsEntityPathType = Shapes::StringShape.new(name: 'organizationsEntityPathType')
+    organizationsPolicyIdType = Shapes::StringShape.new(name: 'organizationsPolicyIdType')
     passwordPolicyViolationMessage = Shapes::StringShape.new(name: 'passwordPolicyViolationMessage')
     passwordReusePreventionType = Shapes::IntegerShape.new(name: 'passwordReusePreventionType')
     passwordType = Shapes::StringShape.new(name: 'passwordType')
@@ -425,6 +434,7 @@ module Aws::IAM
     publicKeyFingerprintType = Shapes::StringShape.new(name: 'publicKeyFingerprintType')
     publicKeyIdType = Shapes::StringShape.new(name: 'publicKeyIdType')
     publicKeyMaterialType = Shapes::StringShape.new(name: 'publicKeyMaterialType')
+    reportGenerationLimitExceededMessage = Shapes::StringShape.new(name: 'reportGenerationLimitExceededMessage')
     responseMarkerType = Shapes::StringShape.new(name: 'responseMarkerType')
     roleDescriptionType = Shapes::StringShape.new(name: 'roleDescriptionType')
     roleDetailListType = Shapes::ListShape.new(name: 'roleDetailListType')
@@ -443,6 +453,7 @@ module Aws::IAM
     servicePassword = Shapes::StringShape.new(name: 'servicePassword')
     serviceSpecificCredentialId = Shapes::StringShape.new(name: 'serviceSpecificCredentialId')
     serviceUserName = Shapes::StringShape.new(name: 'serviceUserName')
+    sortKeyType = Shapes::StringShape.new(name: 'sortKeyType')
     statusType = Shapes::StringShape.new(name: 'statusType')
     stringType = Shapes::StringShape.new(name: 'stringType')
     summaryKeyType = Shapes::StringShape.new(name: 'summaryKeyType')
@@ -462,6 +473,16 @@ module Aws::IAM
     virtualMFADeviceListType = Shapes::ListShape.new(name: 'virtualMFADeviceListType')
     virtualMFADeviceName = Shapes::StringShape.new(name: 'virtualMFADeviceName')
 
+    AccessDetail.add_member(:service_name, Shapes::ShapeRef.new(shape: serviceNameType, required: true, location_name: "ServiceName"))
+    AccessDetail.add_member(:service_namespace, Shapes::ShapeRef.new(shape: serviceNamespaceType, required: true, location_name: "ServiceNamespace"))
+    AccessDetail.add_member(:region, Shapes::ShapeRef.new(shape: stringType, location_name: "Region"))
+    AccessDetail.add_member(:entity_path, Shapes::ShapeRef.new(shape: organizationsEntityPathType, location_name: "EntityPath"))
+    AccessDetail.add_member(:last_authenticated_time, Shapes::ShapeRef.new(shape: dateType, location_name: "LastAuthenticatedTime"))
+    AccessDetail.add_member(:total_authenticated_entities, Shapes::ShapeRef.new(shape: integerType, location_name: "TotalAuthenticatedEntities"))
+    AccessDetail.struct_class = Types::AccessDetail
+
+    AccessDetails.member = Shapes::ShapeRef.new(shape: AccessDetail)
+
     AccessKey.add_member(:user_name, Shapes::ShapeRef.new(shape: userNameType, required: true, location_name: "UserName"))
     AccessKey.add_member(:access_key_id, Shapes::ShapeRef.new(shape: accessKeyIdType, required: true, location_name: "AccessKeyId"))
     AccessKey.add_member(:status, Shapes::ShapeRef.new(shape: statusType, required: true, location_name: "Status"))
@@ -801,6 +822,13 @@ module Aws::IAM
     GenerateCredentialReportResponse.add_member(:description, Shapes::ShapeRef.new(shape: ReportStateDescriptionType, location_name: "Description"))
     GenerateCredentialReportResponse.struct_class = Types::GenerateCredentialReportResponse
 
+    GenerateOrganizationsAccessReportRequest.add_member(:entity_path, Shapes::ShapeRef.new(shape: organizationsEntityPathType, required: true, location_name: "EntityPath"))
+    GenerateOrganizationsAccessReportRequest.add_member(:organizations_policy_id, Shapes::ShapeRef.new(shape: organizationsPolicyIdType, location_name: "OrganizationsPolicyId"))
+    GenerateOrganizationsAccessReportRequest.struct_class = Types::GenerateOrganizationsAccessReportRequest
+
+    GenerateOrganizationsAccessReportResponse.add_member(:job_id, Shapes::ShapeRef.new(shape: jobIDType, location_name: "JobId"))
+    GenerateOrganizationsAccessReportResponse.struct_class = Types::GenerateOrganizationsAccessReportResponse
+
     GenerateServiceLastAccessedDetailsRequest.add_member(:arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "Arn"))
     GenerateServiceLastAccessedDetailsRequest.struct_class = Types::GenerateServiceLastAccessedDetailsRequest
 
@@ -889,6 +917,23 @@ module Aws::IAM
     GetOpenIDConnectProviderResponse.add_member(:create_date, Shapes::ShapeRef.new(shape: dateType, location_name: "CreateDate"))
     GetOpenIDConnectProviderResponse.struct_class = Types::GetOpenIDConnectProviderResponse
 
+    GetOrganizationsAccessReportRequest.add_member(:job_id, Shapes::ShapeRef.new(shape: jobIDType, required: true, location_name: "JobId"))
+    GetOrganizationsAccessReportRequest.add_member(:max_items, Shapes::ShapeRef.new(shape: maxItemsType, location_name: "MaxItems"))
+    GetOrganizationsAccessReportRequest.add_member(:marker, Shapes::ShapeRef.new(shape: markerType, location_name: "Marker"))
+    GetOrganizationsAccessReportRequest.add_member(:sort_key, Shapes::ShapeRef.new(shape: sortKeyType, location_name: "SortKey"))
+    GetOrganizationsAccessReportRequest.struct_class = Types::GetOrganizationsAccessReportRequest
+
+    GetOrganizationsAccessReportResponse.add_member(:job_status, Shapes::ShapeRef.new(shape: jobStatusType, required: true, location_name: "JobStatus"))
+    GetOrganizationsAccessReportResponse.add_member(:job_creation_date, Shapes::ShapeRef.new(shape: dateType, required: true, location_name: "JobCreationDate"))
+    GetOrganizationsAccessReportResponse.add_member(:job_completion_date, Shapes::ShapeRef.new(shape: dateType, location_name: "JobCompletionDate"))
+    GetOrganizationsAccessReportResponse.add_member(:number_of_services_accessible, Shapes::ShapeRef.new(shape: integerType, location_name: "NumberOfServicesAccessible"))
+    GetOrganizationsAccessReportResponse.add_member(:number_of_services_not_accessed, Shapes::ShapeRef.new(shape: integerType, location_name: "NumberOfServicesNotAccessed"))
+    GetOrganizationsAccessReportResponse.add_member(:access_details, Shapes::ShapeRef.new(shape: AccessDetails, location_name: "AccessDetails"))
+    GetOrganizationsAccessReportResponse.add_member(:is_truncated, Shapes::ShapeRef.new(shape: booleanType, location_name: "IsTruncated"))
+    GetOrganizationsAccessReportResponse.add_member(:marker, Shapes::ShapeRef.new(shape: markerType, location_name: "Marker"))
+    GetOrganizationsAccessReportResponse.add_member(:error_details, Shapes::ShapeRef.new(shape: ErrorDetails, location_name: "ErrorDetails"))
+    GetOrganizationsAccessReportResponse.struct_class = Types::GetOrganizationsAccessReportResponse
+
     GetPolicyRequest.add_member(:policy_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "PolicyArn"))
     GetPolicyRequest.struct_class = Types::GetPolicyRequest
 
@@ -1467,6 +1512,9 @@ module Aws::IAM
     RemoveUserFromGroupRequest.add_member(:user_name, Shapes::ShapeRef.new(shape: existingUserNameType, required: true, location_name: "UserName"))
     RemoveUserFromGroupRequest.struct_class = Types::RemoveUserFromGroupRequest
 
+    ReportGenerationLimitExceededException.add_member(:message, Shapes::ShapeRef.new(shape: reportGenerationLimitExceededMessage, location_name: "message"))
+    ReportGenerationLimitExceededException.struct_class = Types::ReportGenerationLimitExceededException
+
     ResetServiceSpecificCredentialRequest.add_member(:user_name, Shapes::ShapeRef.new(shape: userNameType, location_name: "UserName"))
     ResetServiceSpecificCredentialRequest.add_member(:service_specific_credential_id, Shapes::ShapeRef.new(shape: serviceSpecificCredentialId, required: true, location_name: "ServiceSpecificCredentialId"))
     ResetServiceSpecificCredentialRequest.struct_class = Types::ResetServiceSpecificCredentialRequest
@@ -2480,6 +2528,15 @@ module Aws::IAM
         o.errors << Shapes::ShapeRef.new(shape: ServiceFailureException)
       end)
 
+      api.add_operation(:generate_organizations_access_report, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "GenerateOrganizationsAccessReport"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: GenerateOrganizationsAccessReportRequest)
+        o.output = Shapes::ShapeRef.new(shape: GenerateOrganizationsAccessReportResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ReportGenerationLimitExceededException)
+      end)
+
       api.add_operation(:generate_service_last_accessed_details, Seahorse::Model::Operation.new.tap do |o|
         o.name = "GenerateServiceLastAccessedDetails"
         o.http_method = "POST"
@@ -2623,6 +2680,15 @@ module Aws::IAM
         o.errors << Shapes::ShapeRef.new(shape: ServiceFailureException)
       end)
 
+      api.add_operation(:get_organizations_access_report, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "GetOrganizationsAccessReport"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: GetOrganizationsAccessReportRequest)
+        o.output = Shapes::ShapeRef.new(shape: GetOrganizationsAccessReportResponse)
+        o.errors << Shapes::ShapeRef.new(shape: NoSuchEntityException)
+      end)
+
       api.add_operation(:get_policy, Seahorse::Model::Operation.new.tap do |o|
         o.name = "GetPolicy"
         o.http_method = "POST"

data/lib/aws-sdk-iam/current_user.rb

@@ -85,7 +85,7 @@ module Aws::IAM
     # * A password exists but has not been used since IAM started tracking
     #   this information on October 20, 2014.
     #
-    # A null valuedoes not mean that the user *never* had a password. Also,
+    # A null value does not mean that the user *never* had a password. Also,
     # if the user does not currently have a password, but had one in the
     # past, then this field contains the date and time the most recent
     # password was used.

data/lib/aws-sdk-iam/errors.rb

@@ -362,6 +362,22 @@ module Aws::IAM
 
     end
 
+    class ReportGenerationLimitExceededException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::IAM::Types::ReportGenerationLimitExceededException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+
+    end
+
     class ServiceFailureException < ServiceError
 
       # @param [Seahorse::Client::RequestContext] context

data/lib/aws-sdk-iam/resource.rb

@@ -375,7 +375,7 @@ module Aws::IAM
     #   The trust relationship policy document that grants an entity
     #   permission to assume the role.
     #
-    #   in IAM, you must provide a JSON policy that has been converted to a
+    #   In IAM, you must provide a JSON policy that has been converted to a
     #   string. However, for AWS CloudFormation templates formatted in YAML,
     #   you can provide the policy in JSON or YAML format. AWS CloudFormation
     #   always converts a YAML policy to JSON format before submitting it to

data/lib/aws-sdk-iam/types.rb

@@ -8,6 +8,94 @@
 module Aws::IAM
   module Types
 
+    # An object that contains details about when a principal in the reported
+    # AWS Organizations entity last attempted to access an AWS service. A
+    # principal can be an IAM user, an IAM role, or the AWS account root
+    # user within the reported Organizations entity.
+    #
+    # This data type is a response element in the
+    # GetOrganizationsAccessReport operation.
+    #
+    # @!attribute [rw] service_name
+    #   The name of the service in which access was attempted.
+    #   @return [String]
+    #
+    # @!attribute [rw] service_namespace
+    #   The namespace of the service in which access was attempted.
+    #
+    #   To learn the service namespace of a service, go to [Actions,
+    #   Resources, and Condition Keys for AWS Services][1] in the *IAM User
+    #   Guide*. Choose the name of the service to view details for that
+    #   service. In the first paragraph, find the service prefix. For
+    #   example, `(service prefix: a4b)`. For more information about service
+    #   namespaces, see [AWS Service Namespaces][2] in the *AWS General
+    #   Reference*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
+    #   [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces
+    #   @return [String]
+    #
+    # @!attribute [rw] region
+    #   The Region where the last service access attempt occurred.
+    #
+    #   This field is null if no principals in the reported Organizations
+    #   entity attempted to access the service within the [reporting
+    #   period][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period
+    #   @return [String]
+    #
+    # @!attribute [rw] entity_path
+    #   The path of the Organizations entity (root, organizational unit, or
+    #   account) from which an authenticated principal last attempted to
+    #   access the service. AWS does not report unauthenticated requests.
+    #
+    #   This field is null if no principals (IAM users, IAM roles, or root
+    #   users) in the reported Organizations entity attempted to access the
+    #   service within the [reporting period][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period
+    #   @return [String]
+    #
+    # @!attribute [rw] last_authenticated_time
+    #   The date and time, in [ISO 8601 date-time format][1], when an
+    #   authenticated principal most recently attempted to access the
+    #   service. AWS does not report unauthenticated requests.
+    #
+    #   This field is null if no principals in the reported Organizations
+    #   entity attempted to access the service within the [reporting
+    #   period][2].
+    #
+    #
+    #
+    #   [1]: http://www.iso.org/iso/iso8601
+    #   [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period
+    #   @return [Time]
+    #
+    # @!attribute [rw] total_authenticated_entities
+    #   The number of accounts with authenticated principals (root users,
+    #   IAM users, and IAM roles) that attempted to access the service in
+    #   the reporting period.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/AccessDetail AWS API Documentation
+    #
+    class AccessDetail < Struct.new(
+      :service_name,
+      :service_namespace,
+      :region,
+      :entity_path,
+      :last_authenticated_time,
+      :total_authenticated_entities)
+      include Aws::Structure
+    end
+
     # Contains information about an AWS access key.
     #
     # This data type is used as a response element in the CreateAccessKey
@@ -68,7 +156,7 @@ module Aws::IAM
     #   * An access key exists but has not been used since IAM began
     #     tracking this information.
     #
-    #   * There is no sign-in data associated with the user
+    #   * There is no sign-in data associated with the user.
     #
     #
     #
@@ -85,11 +173,11 @@ module Aws::IAM
     #   * An access key exists but has not been used since IAM started
     #     tracking this information.
     #
-    #   * There is no sign-in data associated with the user
+    #   * There is no sign-in data associated with the user.
     #   @return [String]
     #
     # @!attribute [rw] region
-    #   The AWS region where this access key was most recently used. The
+    #   The AWS Region where this access key was most recently used. The
     #   value for this field is "N/A" in the following situations:
     #
     #   * The user does not have an access key.
@@ -97,9 +185,9 @@ module Aws::IAM
     #   * An access key exists but has not been used since IAM began
     #     tracking this information.
     #
-    #   * There is no sign-in data associated with the user
+    #   * There is no sign-in data associated with the user.
     #
-    #   For more information about AWS regions, see [Regions and
+    #   For more information about AWS Regions, see [Regions and
     #   Endpoints][1] in the Amazon Web Services General Reference.
     #
     #
@@ -1134,7 +1222,7 @@ module Aws::IAM
     #   The trust relationship policy document that grants an entity
     #   permission to assume the role.
     #
-    #   in IAM, you must provide a JSON policy that has been converted to a
+    #   In IAM, you must provide a JSON policy that has been converted to a
     #   string. However, for AWS CloudFormation templates formatted in YAML,
     #   you can provide the policy in JSON or YAML format. AWS
     #   CloudFormation always converts a YAML policy to JSON format before
@@ -2375,7 +2463,7 @@ module Aws::IAM
     #   resources that were used by the role have not been deleted from the
     #   linked service, the role can't be deleted. This parameter includes
     #   a list of the resources that are associated with the role and the
-    #   region in which the resources are being used.
+    #   Region in which the resources are being used.
     #   @return [Array<Types::RoleUsageType>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/DeletionTaskFailureReasonType AWS API Documentation
@@ -2730,8 +2818,8 @@ module Aws::IAM
     # Contains information about the reason that the operation failed.
     #
     # This data type is used as a response element in the
-    # GetServiceLastAccessedDetails operation and the
-    # GetServiceLastAccessedDetailsWithEntities operation.
+    # GetOrganizationsAccessReport, GetServiceLastAccessedDetails, and
+    # GetServiceLastAccessedDetailsWithEntities operations.
     #
     # @!attribute [rw] message
     #   Detailed information about the reason that the operation failed.
@@ -2771,8 +2859,8 @@ module Aws::IAM
     #   A list of the statements in the input policies that determine the
     #   result for this scenario. Remember that even if multiple statements
     #   allow the operation on the resource, if only one statement denies
-    #   that operation, then the explicit deny overrides any allow.
-    #   Inaddition, the deny statement is the only entry included in the
+    #   that operation, then the explicit deny overrides any allow. In
+    #   addition, the deny statement is the only entry included in the
     #   result.
     #   @return [Array<Types::Statement>]
     #
@@ -2788,9 +2876,9 @@ module Aws::IAM
     #   @return [Array<String>]
     #
     # @!attribute [rw] organizations_decision_detail
-    #   A structure that details how AWS Organizations and its service
-    #   control policies affect the results of the simulation. Only applies
-    #   if the simulated user's account is part of an organization.
+    #   A structure that details how Organizations and its service control
+    #   policies affect the results of the simulation. Only applies if the
+    #   simulated user's account is part of an organization.
     #   @return [Types::OrganizationsDecisionDetail]
     #
     # @!attribute [rw] eval_decision_details
@@ -2845,6 +2933,53 @@ module Aws::IAM
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass GenerateOrganizationsAccessReportRequest
+    #   data as a hash:
+    #
+    #       {
+    #         entity_path: "organizationsEntityPathType", # required
+    #         organizations_policy_id: "organizationsPolicyIdType",
+    #       }
+    #
+    # @!attribute [rw] entity_path
+    #   The path of the AWS Organizations entity (root, OU, or account). You
+    #   can build an entity path using the known structure of your
+    #   organization. For example, assume that your account ID is
+    #   `123456789012` and its parent OU ID is `ou-rge0-awsabcde`. The
+    #   organization root ID is `r-f6g7h8i9j0example` and your organization
+    #   ID is `o-a1b2c3d4e5`. Your entity path is
+    #   `o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-rge0-awsabcde/123456789012`.
+    #   @return [String]
+    #
+    # @!attribute [rw] organizations_policy_id
+    #   The identifier of the AWS Organizations service control policy
+    #   (SCP). This parameter is optional.
+    #
+    #   This ID is used to generate information about when an account
+    #   principal that is limited by the SCP attempted to access an AWS
+    #   service.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/GenerateOrganizationsAccessReportRequest AWS API Documentation
+    #
+    class GenerateOrganizationsAccessReportRequest < Struct.new(
+      :entity_path,
+      :organizations_policy_id)
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] job_id
+    #   The job identifier that you can use in the
+    #   GetOrganizationsAccessReport operation.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/GenerateOrganizationsAccessReportResponse AWS API Documentation
+    #
+    class GenerateOrganizationsAccessReportResponse < Struct.new(
+      :job_id)
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass GenerateServiceLastAccessedDetailsRequest
     #   data as a hash:
     #
@@ -3481,6 +3616,137 @@ module Aws::IAM
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass GetOrganizationsAccessReportRequest
+    #   data as a hash:
+    #
+    #       {
+    #         job_id: "jobIDType", # required
+    #         max_items: 1,
+    #         marker: "markerType",
+    #         sort_key: "SERVICE_NAMESPACE_ASCENDING", # accepts SERVICE_NAMESPACE_ASCENDING, SERVICE_NAMESPACE_DESCENDING, LAST_AUTHENTICATED_TIME_ASCENDING, LAST_AUTHENTICATED_TIME_DESCENDING
+    #       }
+    #
+    # @!attribute [rw] job_id
+    #   The identifier of the request generated by the
+    #   GenerateOrganizationsAccessReport operation.
+    #   @return [String]
+    #
+    # @!attribute [rw] max_items
+    #   Use this only when paginating results to indicate the maximum number
+    #   of items you want in the response. If additional items exist beyond
+    #   the maximum you specify, the `IsTruncated` response element is
+    #   `true`.
+    #
+    #   If you do not include this parameter, the number of items defaults
+    #   to 100. Note that IAM might return fewer results, even when there
+    #   are more results available. In that case, the `IsTruncated` response
+    #   element returns `true`, and `Marker` contains a value to include in
+    #   the subsequent call that tells the service where to continue from.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] marker
+    #   Use this parameter only when paginating results and only after you
+    #   receive a response indicating that the results are truncated. Set it
+    #   to the value of the `Marker` element in the response that you
+    #   received to indicate where the next call should start.
+    #   @return [String]
+    #
+    # @!attribute [rw] sort_key
+    #   The key that is used to sort the results. If you choose the
+    #   namespace key, the results are returned in alphabetical order. If
+    #   you choose the time key, the results are sorted numerically by the
+    #   date and time.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/GetOrganizationsAccessReportRequest AWS API Documentation
+    #
+    class GetOrganizationsAccessReportRequest < Struct.new(
+      :job_id,
+      :max_items,
+      :marker,
+      :sort_key)
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] job_status
+    #   The status of the job.
+    #   @return [String]
+    #
+    # @!attribute [rw] job_creation_date
+    #   The date and time, in [ISO 8601 date-time format][1], when the
+    #   report job was created.
+    #
+    #
+    #
+    #   [1]: http://www.iso.org/iso/iso8601
+    #   @return [Time]
+    #
+    # @!attribute [rw] job_completion_date
+    #   The date and time, in [ISO 8601 date-time format][1], when the
+    #   generated report job was completed or failed.
+    #
+    #   This field is null if the job is still in progress, as indicated by
+    #   a job status value of `IN_PROGRESS`.
+    #
+    #
+    #
+    #   [1]: http://www.iso.org/iso/iso8601
+    #   @return [Time]
+    #
+    # @!attribute [rw] number_of_services_accessible
+    #   The number of services that the applicable SCPs allow account
+    #   principals to access.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] number_of_services_not_accessed
+    #   The number of services that account principals are allowed but did
+    #   not attempt to access.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] access_details
+    #   An object that contains details about the most recent attempt to
+    #   access the service.
+    #   @return [Array<Types::AccessDetail>]
+    #
+    # @!attribute [rw] is_truncated
+    #   A flag that indicates whether there are more items to return. If
+    #   your results were truncated, you can make a subsequent pagination
+    #   request using the `Marker` request parameter to retrieve more items.
+    #   Note that IAM might return fewer than the `MaxItems` number of
+    #   results even when there are more results available. We recommend
+    #   that you check `IsTruncated` after every call to ensure that you
+    #   receive all your results.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] marker
+    #   When `IsTruncated` is `true`, this element is present and contains
+    #   the value to use for the `Marker` parameter in a subsequent
+    #   pagination request.
+    #   @return [String]
+    #
+    # @!attribute [rw] error_details
+    #   Contains information about the reason that the operation failed.
+    #
+    #   This data type is used as a response element in the
+    #   GetOrganizationsAccessReport, GetServiceLastAccessedDetails, and
+    #   GetServiceLastAccessedDetailsWithEntities operations.
+    #   @return [Types::ErrorDetails]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/GetOrganizationsAccessReportResponse AWS API Documentation
+    #
+    class GetOrganizationsAccessReportResponse < Struct.new(
+      :job_status,
+      :job_creation_date,
+      :job_completion_date,
+      :number_of_services_accessible,
+      :number_of_services_not_accessed,
+      :access_details,
+      :is_truncated,
+      :marker,
+      :error_details)
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass GetPolicyRequest
     #   data as a hash:
     #
@@ -3903,7 +4169,7 @@ module Aws::IAM
     #   generated report job was completed or failed.
     #
     #   This field is null if the job is still in progress, as indicated by
-    #   a `JobStatus` value of `IN_PROGRESS`.
+    #   a job status value of `IN_PROGRESS`.
     #
     #
     #
@@ -4025,6 +4291,9 @@ module Aws::IAM
     #   The date and time, in [ISO 8601 date-time format][1], when the
     #   generated report job was completed or failed.
     #
+    #   This field is null if the job is still in progress, as indicated by
+    #   a job status value of `IN_PROGRESS`.
+    #
     #
     #
     #   [1]: http://www.iso.org/iso/iso8601
@@ -7143,11 +7412,11 @@ module Aws::IAM
       include Aws::Structure
     end
 
-    # Contains information about AWS Organizations's effect on a policy
-    # simulation.
+    # Contains information about the effect that Organizations has on a
+    # policy simulation.
     #
     # @!attribute [rw] allowed_by_organizations
-    #   Specifies whether the simulated operation is allowed by the AWS
+    #   Specifies whether the simulated operation is allowed by the
     #   Organizations service control policies that impact the simulated
     #   user's account.
     #   @return [Boolean]
@@ -7684,7 +7953,14 @@ module Aws::IAM
     # @!attribute [rw] group_name
     #   The name of the group to associate the policy with.
     #
-    #   &amp;regex-name;.
+    #   This parameter allows (through its [regex pattern][1]) a string of
+    #   characters consisting of upper and lowercase alphanumeric characters
+    #   with no spaces. You can also include any of the following
+    #   characters: \_+=,.@-.
+    #
+    #
+    #
+    #   [1]: http://wikipedia.org/wiki/regex
     #   @return [String]
     #
     # @!attribute [rw] policy_name
@@ -8043,6 +8319,19 @@ module Aws::IAM
       include Aws::Structure
     end
 
+    # The request failed because the maximum number of concurrent requests
+    # for this account are already running.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/ReportGenerationLimitExceededException AWS API Documentation
+    #
+    class ReportGenerationLimitExceededException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass ResetServiceSpecificCredentialRequest
     #   data as a hash:
     #
@@ -8427,7 +8716,7 @@ module Aws::IAM
     # GetServiceLinkedRoleDeletionStatus operation.
     #
     # @!attribute [rw] region
-    #   The name of the region where the service-linked role is being used.
+    #   The name of the Region where the service-linked role is being used.
     #   @return [String]
     #
     # @!attribute [rw] resources
@@ -8705,11 +8994,11 @@ module Aws::IAM
     #   @return [String]
     #
     # @!attribute [rw] total_authenticated_entities
-    #   The total number of authenticated entities that have attempted to
-    #   access the service.
+    #   The total number of authenticated principals (root user, IAM users,
+    #   or IAM roles) that have attempted to access the service.
     #
-    #   This field is null if no IAM entities attempted to access the
-    #   service within the [reporting period][1].
+    #   This field is null if no principals attempted to access the service
+    #   within the [reporting period][1].
     #
     #
     #
@@ -9358,7 +9647,7 @@ module Aws::IAM
     # @!attribute [rw] context_entries
     #   A list of context keys and corresponding values for the simulation
     #   to use. Whenever a context key is evaluated in one of the simulated
-    #   IAM permission policies, the corresponding value is supplied.
+    #   IAM permissions policies, the corresponding value is supplied.
     #   @return [Array<Types::ContextEntry>]
     #
     # @!attribute [rw] resource_handling_option
@@ -10814,7 +11103,7 @@ module Aws::IAM
     #   * A password exists but has not been used since IAM started tracking
     #     this information on October 20, 2014.
     #
-    #   A null valuedoes not mean that the user *never* had a password.
+    #   A null value does not mean that the user *never* had a password.
     #   Also, if the user does not currently have a password, but had one in
     #   the past, then this field contains the date and time the most recent
     #   password was used.

data/lib/aws-sdk-iam/user.rb

@@ -90,7 +90,7 @@ module Aws::IAM
     # * A password exists but has not been used since IAM started tracking
     #   this information on October 20, 2014.
     #
-    # A null valuedoes not mean that the user *never* had a password. Also,
+    # A null value does not mean that the user *never* had a password. Also,
     # if the user does not currently have a password, but had one in the
     # past, then this field contains the date and time the most recent
     # password was used.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-iam
 version: !ruby/object:Gem::Version
-  version: 1.25.0
+  version: 1.26.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-06-17 00:00:00.000000000 Z
+date: 2019-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core