@aws-sdk/client-accessanalyzer 3.451.0 → 3.458.0

package/dist-types/models/models_0.d.ts

@@ -1,5 +1,17 @@
 import { ExceptionOptionType as __ExceptionOptionType } from "@smithy/smithy-client";
 import { AccessAnalyzerServiceException as __BaseException } from "./AccessAnalyzerServiceException";
+/**
+ * @public
+ * <p>Contains information about actions that define permissions to check against a
+ *          policy.</p>
+ */
+export interface Access {
+    /**
+     * @public
+     * <p>A list of actions for the access permissions.</p>
+     */
+    actions: string[] | undefined;
+}
 /**
  * @public
  * <p>You do not have sufficient access to perform this action.</p>
@@ -37,8 +49,8 @@ export declare class ConflictException extends __BaseException {
 /**
  * @public
  * <p>The criteria to use in the filter that defines the archive rule. For more information on
- *          available filter keys, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-filter-keys.html">IAM Access Analyzer
- *             filter keys</a>.</p>
+ *          available filter keys, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-filter-keys.html">IAM Access Analyzer filter
+ *             keys</a>.</p>
  */
 export interface Criterion {
     /**
@@ -379,8 +391,55 @@ export interface InlineArchiveRule {
 }
 /**
  * @public
+ * <p>Contains information about an unused access analyzer.</p>
  */
-export type Type = "ACCOUNT" | "ORGANIZATION";
+export interface UnusedAccessConfiguration {
+    /**
+     * @public
+     * <p>The specified access age in days for which to generate findings for unused access. For
+     *          example, if you specify 90 days, the analyzer will generate findings for IAM entities
+     *          within the accounts of the selected organization for any access that hasn't been used in 90
+     *          or more days since the analyzer's last scan. You can choose a value between 1 and 180
+     *          days.</p>
+     */
+    unusedAccessAge?: number;
+}
+/**
+ * @public
+ * <p>Contains information about the configuration of an unused access analyzer for an Amazon Web Services
+ *          organization or account.</p>
+ */
+export type AnalyzerConfiguration = AnalyzerConfiguration.UnusedAccessMember | AnalyzerConfiguration.$UnknownMember;
+/**
+ * @public
+ */
+export declare namespace AnalyzerConfiguration {
+    /**
+     * @public
+     * <p>Specifies the configuration of an unused access analyzer for an Amazon Web Services organization or
+     *          account. External access analyzers do not support any configuration.</p>
+     */
+    interface UnusedAccessMember {
+        unusedAccess: UnusedAccessConfiguration;
+        $unknown?: never;
+    }
+    /**
+     * @public
+     */
+    interface $UnknownMember {
+        unusedAccess?: never;
+        $unknown: [string, any];
+    }
+    interface Visitor<T> {
+        unusedAccess: (value: UnusedAccessConfiguration) => T;
+        _: (name: string, value: any) => T;
+    }
+    const visit: <T>(value: AnalyzerConfiguration, visitor: Visitor<T>) => T;
+}
+/**
+ * @public
+ */
+export type Type = "ACCOUNT" | "ACCOUNT_UNUSED_ACCESS" | "ORGANIZATION" | "ORGANIZATION_UNUSED_ACCESS";
 /**
  * @public
  * <p>Creates an analyzer.</p>
@@ -393,9 +452,10 @@ export interface CreateAnalyzerRequest {
     analyzerName: string | undefined;
     /**
      * @public
-     * <p>The type of analyzer to create. Only ACCOUNT and ORGANIZATION analyzers are supported.
-     *          You can create only one analyzer per account per Region. You can create up to 5 analyzers
-     *          per organization per Region.</p>
+     * <p>The type of analyzer to create. Only <code>ACCOUNT</code>, <code>ORGANIZATION</code>,
+     *             <code>ACCOUNT_UNUSED_ACCESS</code>, and <code>ORGANIZTAION_UNUSED_ACCESS</code>
+     *          analyzers are supported. You can create only one analyzer per account per Region. You can
+     *          create up to 5 analyzers per organization per Region.</p>
      */
     type: Type | undefined;
     /**
@@ -406,7 +466,7 @@ export interface CreateAnalyzerRequest {
     archiveRules?: InlineArchiveRule[];
     /**
      * @public
-     * <p>The tags to apply to the analyzer.</p>
+     * <p>An array of key-value pairs to apply to the analyzer.</p>
      */
     tags?: Record<string, string>;
     /**
@@ -414,6 +474,13 @@ export interface CreateAnalyzerRequest {
      * <p>A client token.</p>
      */
     clientToken?: string;
+    /**
+     * @public
+     * <p>Specifies the configuration of the analyzer. If the analyzer is an unused access
+     *          analyzer, the specified scope of unused access is used for the configuration. If the
+     *          analyzer is an external access analyzer, this field is not used.</p>
+     */
+    configuration?: AnalyzerConfiguration;
 }
 /**
  * @public
@@ -535,6 +602,11 @@ export interface AnalyzerSummary {
      *          organization.</p>
      */
     statusReason?: StatusReason;
+    /**
+     * @public
+     * <p>Specifies whether the analyzer is an external access or unused access analyzer.</p>
+     */
+    configuration?: AnalyzerConfiguration;
 }
 /**
  * @public
@@ -624,6 +696,185 @@ export interface CancelPolicyGenerationRequest {
  */
 export interface CancelPolicyGenerationResponse {
 }
+/**
+ * @public
+ * @enum
+ */
+export declare const AccessCheckPolicyType: {
+    readonly IDENTITY_POLICY: "IDENTITY_POLICY";
+    readonly RESOURCE_POLICY: "RESOURCE_POLICY";
+};
+/**
+ * @public
+ */
+export type AccessCheckPolicyType = (typeof AccessCheckPolicyType)[keyof typeof AccessCheckPolicyType];
+/**
+ * @public
+ */
+export interface CheckAccessNotGrantedRequest {
+    /**
+     * @public
+     * <p>The JSON policy document to use as the content for the policy.</p>
+     */
+    policyDocument: string | undefined;
+    /**
+     * @public
+     * <p>An access object containing the permissions that shouldn't be granted by the specified
+     *          policy.</p>
+     */
+    access: Access[] | undefined;
+    /**
+     * @public
+     * <p>The type of policy. Identity policies grant permissions to IAM principals. Identity
+     *          policies include managed and inline policies for IAM roles, users, and groups.</p>
+     *          <p>Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust
+     *          policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic
+     *          input such as identity policy or resource policy or a specific input such as managed policy
+     *          or Amazon S3 bucket policy.</p>
+     */
+    policyType: AccessCheckPolicyType | undefined;
+}
+/**
+ * @public
+ * <p>Contains information about the reasoning why a check for access passed or failed.</p>
+ */
+export interface ReasonSummary {
+    /**
+     * @public
+     * <p>A description of the reasoning of a result of checking for access.</p>
+     */
+    description?: string;
+    /**
+     * @public
+     * <p>The index number of the reason statement.</p>
+     */
+    statementIndex?: number;
+    /**
+     * @public
+     * <p>The identifier for the reason statement.</p>
+     */
+    statementId?: string;
+}
+/**
+ * @public
+ * @enum
+ */
+export declare const CheckAccessNotGrantedResult: {
+    readonly FAIL: "FAIL";
+    readonly PASS: "PASS";
+};
+/**
+ * @public
+ */
+export type CheckAccessNotGrantedResult = (typeof CheckAccessNotGrantedResult)[keyof typeof CheckAccessNotGrantedResult];
+/**
+ * @public
+ */
+export interface CheckAccessNotGrantedResponse {
+    /**
+     * @public
+     * <p>The result of the check for whether the access is allowed. If the result is
+     *             <code>PASS</code>, the specified policy doesn't allow any of the specified permissions
+     *          in the access object. If the result is <code>FAIL</code>, the specified policy might allow
+     *          some or all of the permissions in the access object.</p>
+     */
+    result?: CheckAccessNotGrantedResult;
+    /**
+     * @public
+     * <p>The message indicating whether the specified access is allowed.</p>
+     */
+    message?: string;
+    /**
+     * @public
+     * <p>A description of the reasoning of the result.</p>
+     */
+    reasons?: ReasonSummary[];
+}
+/**
+ * @public
+ * <p>The specified parameter is invalid.</p>
+ */
+export declare class InvalidParameterException extends __BaseException {
+    readonly name: "InvalidParameterException";
+    readonly $fault: "client";
+    /**
+     * @internal
+     */
+    constructor(opts: __ExceptionOptionType<InvalidParameterException, __BaseException>);
+}
+/**
+ * @public
+ * <p>The specified entity could not be processed.</p>
+ */
+export declare class UnprocessableEntityException extends __BaseException {
+    readonly name: "UnprocessableEntityException";
+    readonly $fault: "client";
+    $retryable: {};
+    /**
+     * @internal
+     */
+    constructor(opts: __ExceptionOptionType<UnprocessableEntityException, __BaseException>);
+}
+/**
+ * @public
+ */
+export interface CheckNoNewAccessRequest {
+    /**
+     * @public
+     * <p>The JSON policy document to use as the content for the updated policy.</p>
+     */
+    newPolicyDocument: string | undefined;
+    /**
+     * @public
+     * <p>The JSON policy document to use as the content for the existing policy.</p>
+     */
+    existingPolicyDocument: string | undefined;
+    /**
+     * @public
+     * <p>The type of policy to compare. Identity policies grant permissions to IAM principals.
+     *          Identity policies include managed and inline policies for IAM roles, users, and
+     *          groups.</p>
+     *          <p>Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust
+     *          policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic
+     *          input such as identity policy or resource policy or a specific input such as managed policy
+     *          or Amazon S3 bucket policy.</p>
+     */
+    policyType: AccessCheckPolicyType | undefined;
+}
+/**
+ * @public
+ * @enum
+ */
+export declare const CheckNoNewAccessResult: {
+    readonly FAIL: "FAIL";
+    readonly PASS: "PASS";
+};
+/**
+ * @public
+ */
+export type CheckNoNewAccessResult = (typeof CheckNoNewAccessResult)[keyof typeof CheckNoNewAccessResult];
+/**
+ * @public
+ */
+export interface CheckNoNewAccessResponse {
+    /**
+     * @public
+     * <p>The result of the check for new access. If the result is <code>PASS</code>, no new
+     *          access is allowed by the updated policy. If the result is <code>FAIL</code>, the updated
+     *          policy might allow new access.</p>
+     */
+    result?: CheckNoNewAccessResult;
+    /**
+     * @public
+     * <p>The message indicating whether the updated policy allows new access.</p>
+     */
+    message?: string;
+    /**
+     * @public
+     * <p>A description of the reasoning of the result.</p>
+     */
+    reasons?: ReasonSummary[];
+}
 /**
  * @public
  * <p>The proposed access control configuration for an Amazon EBS volume snapshot. You can propose
@@ -1935,7 +2186,7 @@ export interface Finding {
     id: string | undefined;
     /**
      * @public
-     * <p>The external principal that access to a resource within the zone of trust.</p>
+     * <p>The external principal that has access to a resource within the zone of trust.</p>
      */
     principal?: Record<string, string>;
     /**
@@ -2013,6 +2264,336 @@ export interface GetFindingResponse {
      */
     finding?: Finding;
 }
+/**
+ * @public
+ */
+export interface GetFindingV2Request {
+    /**
+     * @public
+     * <p>The <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources">ARN of
+     *             the analyzer</a> that generated the finding.</p>
+     */
+    analyzerArn: string | undefined;
+    /**
+     * @public
+     * <p>The ID of the finding to retrieve.</p>
+     */
+    id: string | undefined;
+    /**
+     * @public
+     * <p>The maximum number of results to return in the response.</p>
+     */
+    maxResults?: number;
+    /**
+     * @public
+     * <p>A token used for pagination of results returned.</p>
+     */
+    nextToken?: string;
+}
+/**
+ * @public
+ * <p>Contains information about an external access finding.</p>
+ */
+export interface ExternalAccessDetails {
+    /**
+     * @public
+     * <p>The action in the analyzed policy statement that an external principal has permission to
+     *          use.</p>
+     */
+    action?: string[];
+    /**
+     * @public
+     * <p>The condition in the analyzed policy statement that resulted in an external access
+     *          finding.</p>
+     */
+    condition: Record<string, string> | undefined;
+    /**
+     * @public
+     * <p>Specifies whether the external access finding is public.</p>
+     */
+    isPublic?: boolean;
+    /**
+     * @public
+     * <p>The external principal that has access to a resource within the zone of trust.</p>
+     */
+    principal?: Record<string, string>;
+    /**
+     * @public
+     * <p>The sources of the external access finding. This indicates how the access that generated
+     *          the finding is granted. It is populated for Amazon S3 bucket findings.</p>
+     */
+    sources?: FindingSource[];
+}
+/**
+ * @public
+ * <p>Contains information about an unused access finding for an IAM role. IAM Access Analyzer
+ *          charges for unused access analysis based on the number of IAM roles and users analyzed
+ *          per month. For more details on pricing, see <a href="https://aws.amazon.com/iam/access-analyzer/pricing">IAM Access Analyzer
+ *          pricing</a>.</p>
+ */
+export interface UnusedIamRoleDetails {
+    /**
+     * @public
+     * <p>The time at which the role was last accessed.</p>
+     */
+    lastAccessed?: Date;
+}
+/**
+ * @public
+ * <p>Contains information about an unused access finding for an IAM user access key.
+ *          IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and
+ *          users analyzed per month. For more details on pricing, see <a href="https://aws.amazon.com/iam/access-analyzer/pricing">IAM Access Analyzer
+ *          pricing</a>.</p>
+ */
+export interface UnusedIamUserAccessKeyDetails {
+    /**
+     * @public
+     * <p>The ID of the access key for which the unused access finding was generated.</p>
+     */
+    accessKeyId: string | undefined;
+    /**
+     * @public
+     * <p>The time at which the access key was last accessed.</p>
+     */
+    lastAccessed?: Date;
+}
+/**
+ * @public
+ * <p>Contains information about an unused access finding for an IAM user password.
+ *          IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and
+ *          users analyzed per month. For more details on pricing, see <a href="https://aws.amazon.com/iam/access-analyzer/pricing">IAM Access Analyzer
+ *          pricing</a>.</p>
+ */
+export interface UnusedIamUserPasswordDetails {
+    /**
+     * @public
+     * <p>The time at which the password was last accessed.</p>
+     */
+    lastAccessed?: Date;
+}
+/**
+ * @public
+ * <p>Contains information about an unused access finding for an action. IAM Access Analyzer charges
+ *          for unused access analysis based on the number of IAM roles and users analyzed per month.
+ *          For more details on pricing, see <a href="https://aws.amazon.com/iam/access-analyzer/pricing">IAM Access Analyzer
+ *          pricing</a>.</p>
+ */
+export interface UnusedAction {
+    /**
+     * @public
+     * <p>The action for which the unused access finding was generated.</p>
+     */
+    action: string | undefined;
+    /**
+     * @public
+     * <p>The time at which the action was last accessed.</p>
+     */
+    lastAccessed?: Date;
+}
+/**
+ * @public
+ * <p>Contains information about an unused access finding for a permission. IAM Access Analyzer
+ *          charges for unused access analysis based on the number of IAM roles and users analyzed
+ *          per month. For more details on pricing, see <a href="https://aws.amazon.com/iam/access-analyzer/pricing">IAM Access Analyzer
+ *          pricing</a>.</p>
+ */
+export interface UnusedPermissionDetails {
+    /**
+     * @public
+     * <p>A list of unused actions for which the unused access finding was generated.</p>
+     */
+    actions?: UnusedAction[];
+    /**
+     * @public
+     * <p>The namespace of the Amazon Web Services service that contains the unused actions.</p>
+     */
+    serviceNamespace: string | undefined;
+    /**
+     * @public
+     * <p>The time at which the permission last accessed.</p>
+     */
+    lastAccessed?: Date;
+}
+/**
+ * @public
+ * <p>Contains information about an external access or unused access finding. Only one
+ *          parameter can be used in a <code>FindingDetails</code> object.</p>
+ */
+export type FindingDetails = FindingDetails.ExternalAccessDetailsMember | FindingDetails.UnusedIamRoleDetailsMember | FindingDetails.UnusedIamUserAccessKeyDetailsMember | FindingDetails.UnusedIamUserPasswordDetailsMember | FindingDetails.UnusedPermissionDetailsMember | FindingDetails.$UnknownMember;
+/**
+ * @public
+ */
+export declare namespace FindingDetails {
+    /**
+     * @public
+     * <p>The details for an external access analyzer finding.</p>
+     */
+    interface ExternalAccessDetailsMember {
+        externalAccessDetails: ExternalAccessDetails;
+        unusedPermissionDetails?: never;
+        unusedIamUserAccessKeyDetails?: never;
+        unusedIamRoleDetails?: never;
+        unusedIamUserPasswordDetails?: never;
+        $unknown?: never;
+    }
+    /**
+     * @public
+     * <p>The details for an unused access analyzer finding with an unused permission finding
+     *          type.</p>
+     */
+    interface UnusedPermissionDetailsMember {
+        externalAccessDetails?: never;
+        unusedPermissionDetails: UnusedPermissionDetails;
+        unusedIamUserAccessKeyDetails?: never;
+        unusedIamRoleDetails?: never;
+        unusedIamUserPasswordDetails?: never;
+        $unknown?: never;
+    }
+    /**
+     * @public
+     * <p>The details for an unused access analyzer finding with an unused IAM user access key
+     *          finding type.</p>
+     */
+    interface UnusedIamUserAccessKeyDetailsMember {
+        externalAccessDetails?: never;
+        unusedPermissionDetails?: never;
+        unusedIamUserAccessKeyDetails: UnusedIamUserAccessKeyDetails;
+        unusedIamRoleDetails?: never;
+        unusedIamUserPasswordDetails?: never;
+        $unknown?: never;
+    }
+    /**
+     * @public
+     * <p>The details for an unused access analyzer finding with an unused IAM role finding
+     *          type.</p>
+     */
+    interface UnusedIamRoleDetailsMember {
+        externalAccessDetails?: never;
+        unusedPermissionDetails?: never;
+        unusedIamUserAccessKeyDetails?: never;
+        unusedIamRoleDetails: UnusedIamRoleDetails;
+        unusedIamUserPasswordDetails?: never;
+        $unknown?: never;
+    }
+    /**
+     * @public
+     * <p>The details for an unused access analyzer finding with an unused IAM user password
+     *          finding type.</p>
+     */
+    interface UnusedIamUserPasswordDetailsMember {
+        externalAccessDetails?: never;
+        unusedPermissionDetails?: never;
+        unusedIamUserAccessKeyDetails?: never;
+        unusedIamRoleDetails?: never;
+        unusedIamUserPasswordDetails: UnusedIamUserPasswordDetails;
+        $unknown?: never;
+    }
+    /**
+     * @public
+     */
+    interface $UnknownMember {
+        externalAccessDetails?: never;
+        unusedPermissionDetails?: never;
+        unusedIamUserAccessKeyDetails?: never;
+        unusedIamRoleDetails?: never;
+        unusedIamUserPasswordDetails?: never;
+        $unknown: [string, any];
+    }
+    interface Visitor<T> {
+        externalAccessDetails: (value: ExternalAccessDetails) => T;
+        unusedPermissionDetails: (value: UnusedPermissionDetails) => T;
+        unusedIamUserAccessKeyDetails: (value: UnusedIamUserAccessKeyDetails) => T;
+        unusedIamRoleDetails: (value: UnusedIamRoleDetails) => T;
+        unusedIamUserPasswordDetails: (value: UnusedIamUserPasswordDetails) => T;
+        _: (name: string, value: any) => T;
+    }
+    const visit: <T>(value: FindingDetails, visitor: Visitor<T>) => T;
+}
+/**
+ * @public
+ * @enum
+ */
+export declare const FindingType: {
+    readonly EXTERNAL_ACCESS: "ExternalAccess";
+    readonly UNUSED_IAM_ROLE: "UnusedIAMRole";
+    readonly UNUSED_IAM_USER_ACCESS_KEY: "UnusedIAMUserAccessKey";
+    readonly UNUSED_IAM_USER_PASSWORD: "UnusedIAMUserPassword";
+    readonly UNUSED_PERMISSION: "UnusedPermission";
+};
+/**
+ * @public
+ */
+export type FindingType = (typeof FindingType)[keyof typeof FindingType];
+/**
+ * @public
+ */
+export interface GetFindingV2Response {
+    /**
+     * @public
+     * <p>The time at which the resource-based policy or IAM entity that generated the finding
+     *          was analyzed.</p>
+     */
+    analyzedAt: Date | undefined;
+    /**
+     * @public
+     * <p>The time at which the finding was created.</p>
+     */
+    createdAt: Date | undefined;
+    /**
+     * @public
+     * <p>An error.</p>
+     */
+    error?: string;
+    /**
+     * @public
+     * <p>The ID of the finding to retrieve.</p>
+     */
+    id: string | undefined;
+    /**
+     * @public
+     * <p>A token used for pagination of results returned.</p>
+     */
+    nextToken?: string;
+    /**
+     * @public
+     * <p>The resource that generated the finding.</p>
+     */
+    resource?: string;
+    /**
+     * @public
+     * <p>The type of the resource identified in the finding.</p>
+     */
+    resourceType: ResourceType | undefined;
+    /**
+     * @public
+     * <p>Tye Amazon Web Services account ID that owns the resource.</p>
+     */
+    resourceOwnerAccount: string | undefined;
+    /**
+     * @public
+     * <p>The status of the finding.</p>
+     */
+    status: FindingStatus | undefined;
+    /**
+     * @public
+     * <p>The time at which the finding was updated.</p>
+     */
+    updatedAt: Date | undefined;
+    /**
+     * @public
+     * <p>A localized message that explains the finding and provides guidance on how to address
+     *          it.</p>
+     */
+    findingDetails: FindingDetails[] | undefined;
+    /**
+     * @public
+     * <p>The type of the finding. For external access analyzers, the type is
+     *             <code>ExternalAccess</code>. For unused access analyzers, the type can be
+     *             <code>UnusedIAMRole</code>, <code>UnusedIAMUserAccessKey</code>,
+     *             <code>UnusedIAMUserPassword</code>, or <code>UnusedPermission</code>.</p>
+     */
+    findingType?: FindingType;
+}
 /**
  * @public
  */
@@ -2711,6 +3292,110 @@ export interface ListFindingsResponse {
      */
     nextToken?: string;
 }
+/**
+ * @public
+ */
+export interface ListFindingsV2Request {
+    /**
+     * @public
+     * <p>The <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources">ARN of
+     *             the analyzer</a> to retrieve findings from.</p>
+     */
+    analyzerArn: string | undefined;
+    /**
+     * @public
+     * <p>A filter to match for the findings to return.</p>
+     */
+    filter?: Record<string, Criterion>;
+    /**
+     * @public
+     * <p>The maximum number of results to return in the response.</p>
+     */
+    maxResults?: number;
+    /**
+     * @public
+     * <p>A token used for pagination of results returned.</p>
+     */
+    nextToken?: string;
+    /**
+     * @public
+     * <p>The criteria used to sort.</p>
+     */
+    sort?: SortCriteria;
+}
+/**
+ * @public
+ * <p>Contains information about a finding.</p>
+ */
+export interface FindingSummaryV2 {
+    /**
+     * @public
+     * <p>The time at which the resource-based policy or IAM entity that generated the finding
+     *          was analyzed.</p>
+     */
+    analyzedAt: Date | undefined;
+    /**
+     * @public
+     * <p>The time at which the finding was created.</p>
+     */
+    createdAt: Date | undefined;
+    /**
+     * @public
+     * <p>The error that resulted in an Error finding.</p>
+     */
+    error?: string;
+    /**
+     * @public
+     * <p>The ID of the finding.</p>
+     */
+    id: string | undefined;
+    /**
+     * @public
+     * <p>The resource that the external principal has access to.</p>
+     */
+    resource?: string;
+    /**
+     * @public
+     * <p>The type of the resource that the external principal has access to.</p>
+     */
+    resourceType: ResourceType | undefined;
+    /**
+     * @public
+     * <p>The Amazon Web Services account ID that owns the resource.</p>
+     */
+    resourceOwnerAccount: string | undefined;
+    /**
+     * @public
+     * <p>The status of the finding.</p>
+     */
+    status: FindingStatus | undefined;
+    /**
+     * @public
+     * <p>The time at which the finding was most recently updated.</p>
+     */
+    updatedAt: Date | undefined;
+    /**
+     * @public
+     * <p>The type of the external access or unused access finding.</p>
+     */
+    findingType?: FindingType;
+}
+/**
+ * @public
+ */
+export interface ListFindingsV2Response {
+    /**
+     * @public
+     * <p>A list of findings retrieved from the analyzer that match the filter criteria specified,
+     *          if any.</p>
+     */
+    findings: FindingSummaryV2[] | undefined;
+    /**
+     * @public
+     * <p>A token used for pagination of results returned.</p>
+     */
+    nextToken?: string;
+}
 /**
  * @public
  */
@@ -3093,13 +3778,14 @@ export interface ValidatePolicyRequest {
     /**
      * @public
      * <p>The type of policy to validate. Identity policies grant permissions to IAM principals.
-     *          Identity policies include managed and inline policies for IAM roles, users, and groups.
-     *          They also include service-control policies (SCPs) that are attached to an Amazon Web Services
-     *          organization, organizational unit (OU), or an account.</p>
+     *          Identity policies include managed and inline policies for IAM roles, users, and
+     *          groups.</p>
      *          <p>Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust
      *          policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic
      *          input such as identity policy or resource policy or a specific input such as managed policy
      *          or Amazon S3 bucket policy. </p>
+     *          <p>Service control policies (SCPs) are a type of organization policy attached to an Amazon Web Services
+     *          organization, organizational unit (OU), or an account.</p>
      */
     policyType: PolicyType | undefined;
     /**
@@ -3329,3 +4015,11 @@ export interface ValidatePolicyResponse {
      */
     nextToken?: string;
 }
+/**
+ * @internal
+ */
+export declare const CheckAccessNotGrantedRequestFilterSensitiveLog: (obj: CheckAccessNotGrantedRequest) => any;
+/**
+ * @internal
+ */
+export declare const CheckNoNewAccessRequestFilterSensitiveLog: (obj: CheckNoNewAccessRequest) => any;