@aws-sdk/client-accessanalyzer 3.687.0 → 3.692.0

package/dist-types/models/models_0.d.ts

@@ -11,13 +11,15 @@ export interface Access {
      *          in an IAM policy can be used in the list of actions to check.</p>
      * @public
      */
-    actions?: string[];
+    actions?: string[] | undefined;
     /**
-     * <p>A list of resources for the access permissions. Any strings that can be used as a
-     *          resource in an IAM policy can be used in the list of resources to check.</p>
+     * <p>A list of resources for the access permissions. Any strings that can be used as an
+     *          Amazon Resource Name (ARN) in an IAM policy can be used in the list of resources to
+     *          check. You can only use a wildcard in the portion of the ARN that specifies the resource
+     *          ID.</p>
      * @public
      */
-    resources?: string[];
+    resources?: string[] | undefined;
 }
 /**
  * <p>You do not have sufficient access to perform this action.</p>
@@ -64,22 +66,22 @@ export interface Criterion {
      * <p>An "equals" operator to match for the filter used to create the rule.</p>
      * @public
      */
-    eq?: string[];
+    eq?: string[] | undefined;
     /**
      * <p>A "not equals" operator to match for the filter used to create the rule.</p>
      * @public
      */
-    neq?: string[];
+    neq?: string[] | undefined;
     /**
      * <p>A "contains" operator to match for the filter used to create the rule.</p>
      * @public
      */
-    contains?: string[];
+    contains?: string[] | undefined;
     /**
      * <p>An "exists" operator to match for the filter used to create the rule. </p>
      * @public
      */
-    exists?: boolean;
+    exists?: boolean | undefined;
 }
 /**
  * <p>Creates an archive rule.</p>
@@ -105,7 +107,7 @@ export interface CreateArchiveRuleRequest {
      * <p>A client token.</p>
      * @public
      */
-    clientToken?: string;
+    clientToken?: string | undefined;
 }
 /**
  * <p>Internal server error.</p>
@@ -119,7 +121,7 @@ export declare class InternalServerException extends __BaseException {
      * <p>The seconds to wait to retry.</p>
      * @public
      */
-    retryAfterSeconds?: number;
+    retryAfterSeconds?: number | undefined;
     /**
      * @internal
      */
@@ -183,7 +185,7 @@ export declare class ThrottlingException extends __BaseException {
      * <p>The seconds to wait to retry.</p>
      * @public
      */
-    retryAfterSeconds?: number;
+    retryAfterSeconds?: number | undefined;
     /**
      * @internal
      */
@@ -236,7 +238,7 @@ export declare class ValidationException extends __BaseException {
      * <p>A list of fields that didn't validate.</p>
      * @public
      */
-    fieldList?: ValidationExceptionField[];
+    fieldList?: ValidationExceptionField[] | undefined;
     /**
      * @internal
      */
@@ -261,7 +263,7 @@ export interface DeleteArchiveRuleRequest {
      * <p>A client token.</p>
      * @public
      */
-    clientToken?: string;
+    clientToken?: string | undefined;
 }
 /**
  * <p>Retrieves an archive rule.</p>
@@ -280,7 +282,8 @@ export interface GetArchiveRuleRequest {
     ruleName: string | undefined;
 }
 /**
- * <p>Contains information about an archive rule.</p>
+ * <p>Contains information about an archive rule. Archive rules automatically archive new
+ *          findings that meet the criteria you define when you create the rule.</p>
  * @public
  */
 export interface ArchiveRuleSummary {
@@ -311,7 +314,8 @@ export interface ArchiveRuleSummary {
  */
 export interface GetArchiveRuleResponse {
     /**
-     * <p>Contains information about an archive rule.</p>
+     * <p>Contains information about an archive rule. Archive rules automatically archive new
+     *          findings that meet the criteria you define when you create the rule.</p>
      * @public
      */
     archiveRule: ArchiveRuleSummary | undefined;
@@ -330,12 +334,12 @@ export interface ListArchiveRulesRequest {
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
     /**
      * <p>The maximum number of results to return in the request.</p>
      * @public
      */
-    maxResults?: number;
+    maxResults?: number | undefined;
 }
 /**
  * <p>The response to the request.</p>
@@ -351,7 +355,7 @@ export interface ListArchiveRulesResponse {
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
 }
 /**
  * <p>Updates the specified archive rule.</p>
@@ -378,7 +382,7 @@ export interface UpdateArchiveRuleRequest {
      * <p>A client token.</p>
      * @public
      */
-    clientToken?: string;
+    clientToken?: string | undefined;
 }
 /**
  * <p>An criterion statement in an archive rule. Each archive rule may have multiple
@@ -397,6 +401,47 @@ export interface InlineArchiveRule {
      */
     filter: Record<string, Criterion> | undefined;
 }
+/**
+ * <p>The criteria for an analysis rule for an analyzer. The criteria determine which entities
+ *          will generate findings.</p>
+ * @public
+ */
+export interface AnalysisRuleCriteria {
+    /**
+     * <p>A list of Amazon Web Services account IDs to apply to the analysis rule criteria. The accounts cannot
+     *          include the organization analyzer owner account. Account IDs can only be applied to the
+     *          analysis rule criteria for organization-level analyzers. The list cannot include more than
+     *          2,000 account IDs.</p>
+     * @public
+     */
+    accountIds?: string[] | undefined;
+    /**
+     * <p>An array of key-value pairs to match for your resources. You can use the set of Unicode
+     *          letters, digits, whitespace, <code>_</code>, <code>.</code>, <code>/</code>,
+     *          <code>=</code>, <code>+</code>, and <code>-</code>.</p>
+     *          <p>For the tag key, you can specify a value that is 1 to 128 characters in length and
+     *          cannot be prefixed with <code>aws:</code>.</p>
+     *          <p>For the tag value, you can specify a value that is 0 to 256 characters in length. If the
+     *          specified tag value is 0 characters, the rule is applied to all principals with the
+     *          specified tag key.</p>
+     * @public
+     */
+    resourceTags?: Record<string, string>[] | undefined;
+}
+/**
+ * <p>Contains information about analysis rules for the analyzer. Analysis rules determine
+ *          which entities will generate findings based on the criteria you define when you create the
+ *          rule.</p>
+ * @public
+ */
+export interface AnalysisRule {
+    /**
+     * <p>A list of rules for the analyzer containing criteria to exclude from analysis. Entities
+     *          that meet the rule criteria will not generate findings.</p>
+     * @public
+     */
+    exclusions?: AnalysisRuleCriteria[] | undefined;
+}
 /**
  * <p>Contains information about an unused access analyzer.</p>
  * @public
@@ -406,15 +451,22 @@ export interface UnusedAccessConfiguration {
      * <p>The specified access age in days for which to generate findings for unused access. For
      *          example, if you specify 90 days, the analyzer will generate findings for IAM entities
      *          within the accounts of the selected organization for any access that hasn't been used in 90
-     *          or more days since the analyzer's last scan. You can choose a value between 1 and 180
+     *          or more days since the analyzer's last scan. You can choose a value between 1 and 365
      *          days.</p>
      * @public
      */
-    unusedAccessAge?: number;
+    unusedAccessAge?: number | undefined;
+    /**
+     * <p>Contains information about analysis rules for the analyzer. Analysis rules determine
+     *          which entities will generate findings based on the criteria you define when you create the
+     *          rule.</p>
+     * @public
+     */
+    analysisRule?: AnalysisRule | undefined;
 }
 /**
- * <p>Contains information about the configuration of an unused access analyzer for an Amazon Web Services
- *          organization or account.</p>
+ * <p>Contains information about the configuration of an analyzer for an Amazon Web Services organization or
+ *          account.</p>
  * @public
  */
 export type AnalyzerConfiguration = AnalyzerConfiguration.UnusedAccessMember | AnalyzerConfiguration.$UnknownMember;
@@ -424,7 +476,7 @@ export type AnalyzerConfiguration = AnalyzerConfiguration.UnusedAccessMember | A
 export declare namespace AnalyzerConfiguration {
     /**
      * <p>Specifies the configuration of an unused access analyzer for an Amazon Web Services organization or
-     *          account. External access analyzers do not support any configuration.</p>
+     *          account.</p>
      * @public
      */
     interface UnusedAccessMember {
@@ -471,24 +523,28 @@ export interface CreateAnalyzerRequest {
      *          findings that meet the criteria you define for the rule.</p>
      * @public
      */
-    archiveRules?: InlineArchiveRule[];
+    archiveRules?: InlineArchiveRule[] | undefined;
     /**
-     * <p>An array of key-value pairs to apply to the analyzer.</p>
+     * <p>An array of key-value pairs to apply to the analyzer. You can use the set of Unicode
+     *          letters, digits, whitespace, <code>_</code>, <code>.</code>, <code>/</code>,
+     *          <code>=</code>, <code>+</code>, and <code>-</code>.</p>
+     *          <p>For the tag key, you can specify a value that is 1 to 128 characters in length and
+     *          cannot be prefixed with <code>aws:</code>.</p>
+     *          <p>For the tag value, you can specify a value that is 0 to 256 characters in length.</p>
      * @public
      */
-    tags?: Record<string, string>;
+    tags?: Record<string, string> | undefined;
     /**
      * <p>A client token.</p>
      * @public
      */
-    clientToken?: string;
+    clientToken?: string | undefined;
     /**
      * <p>Specifies the configuration of the analyzer. If the analyzer is an unused access
-     *          analyzer, the specified scope of unused access is used for the configuration. If the
-     *          analyzer is an external access analyzer, this field is not used.</p>
+     *          analyzer, the specified scope of unused access is used for the configuration.</p>
      * @public
      */
-    configuration?: AnalyzerConfiguration;
+    configuration?: AnalyzerConfiguration | undefined;
 }
 /**
  * <p>The response to the request to create an analyzer.</p>
@@ -499,7 +555,7 @@ export interface CreateAnalyzerResponse {
      * <p>The ARN of the analyzer that was created by the request.</p>
      * @public
      */
-    arn?: string;
+    arn?: string | undefined;
 }
 /**
  * <p>Deletes an analyzer.</p>
@@ -515,7 +571,7 @@ export interface DeleteAnalyzerRequest {
      * <p>A client token.</p>
      * @public
      */
-    clientToken?: string;
+    clientToken?: string | undefined;
 }
 /**
  * <p>Retrieves an analyzer.</p>
@@ -580,17 +636,17 @@ export interface AnalyzerSummary {
      * <p>The resource that was most recently analyzed by the analyzer.</p>
      * @public
      */
-    lastResourceAnalyzed?: string;
+    lastResourceAnalyzed?: string | undefined;
     /**
      * <p>The time at which the most recently analyzed resource was analyzed.</p>
      * @public
      */
-    lastResourceAnalyzedAt?: Date;
+    lastResourceAnalyzedAt?: Date | undefined;
     /**
      * <p>The tags added to the analyzer.</p>
      * @public
      */
-    tags?: Record<string, string>;
+    tags?: Record<string, string> | undefined;
     /**
      * <p>The status of the analyzer. An <code>Active</code> analyzer successfully monitors
      *          supported resources and generates new findings. The analyzer is <code>Disabled</code> when
@@ -609,12 +665,12 @@ export interface AnalyzerSummary {
      *          organization.</p>
      * @public
      */
-    statusReason?: StatusReason;
+    statusReason?: StatusReason | undefined;
     /**
      * <p>Specifies whether the analyzer is an external access or unused access analyzer.</p>
      * @public
      */
-    configuration?: AnalyzerConfiguration;
+    configuration?: AnalyzerConfiguration | undefined;
 }
 /**
  * <p>The response to the request.</p>
@@ -637,17 +693,17 @@ export interface ListAnalyzersRequest {
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
     /**
      * <p>The maximum number of results to return in the response.</p>
      * @public
      */
-    maxResults?: number;
+    maxResults?: number | undefined;
     /**
      * <p>The type of analyzer.</p>
      * @public
      */
-    type?: Type;
+    type?: Type | undefined;
 }
 /**
  * <p>The response to the request.</p>
@@ -663,7 +719,34 @@ export interface ListAnalyzersResponse {
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateAnalyzerRequest {
+    /**
+     * <p>The name of the analyzer to modify.</p>
+     * @public
+     */
+    analyzerName: string | undefined;
+    /**
+     * <p>Contains information about the configuration of an analyzer for an Amazon Web Services organization or
+     *          account.</p>
+     * @public
+     */
+    configuration?: AnalyzerConfiguration | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateAnalyzerResponse {
+    /**
+     * <p>Contains information about the configuration of an analyzer for an Amazon Web Services organization or
+     *          account.</p>
+     * @public
+     */
+    configuration?: AnalyzerConfiguration | undefined;
 }
 /**
  * <p>Retroactively applies an archive rule.</p>
@@ -684,7 +767,7 @@ export interface ApplyArchiveRuleRequest {
      * <p>A client token.</p>
      * @public
      */
-    clientToken?: string;
+    clientToken?: string | undefined;
 }
 /**
  * @public
@@ -727,11 +810,11 @@ export interface CheckAccessNotGrantedRequest {
     policyDocument: string | undefined;
     /**
      * <p>An access object containing the permissions that shouldn't be granted by the specified
-     *          policy. If only actions are specified, IAM Access Analyzer checks for access of the actions on
-     *          all resources in the policy. If only resources are specified, then IAM Access Analyzer checks
-     *          which actions have access to the specified resources. If both actions and resources are
-     *          specified, then IAM Access Analyzer checks which of the specified actions have access to the
-     *          specified resources.</p>
+     *          policy. If only actions are specified, IAM Access Analyzer checks for access to peform at least
+     *          one of the actions on any resource in the policy. If only resources are specified, then
+     *          IAM Access Analyzer checks for access to perform any action on at least one of the resources. If
+     *          both actions and resources are specified, IAM Access Analyzer checks for access to perform at
+     *          least one of the specified actions on at least one of the specified resources.</p>
      * @public
      */
     access: Access[] | undefined;
@@ -739,9 +822,7 @@ export interface CheckAccessNotGrantedRequest {
      * <p>The type of policy. Identity policies grant permissions to IAM principals. Identity
      *          policies include managed and inline policies for IAM roles, users, and groups.</p>
      *          <p>Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust
-     *          policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic
-     *          input such as identity policy or resource policy or a specific input such as managed policy
-     *          or Amazon S3 bucket policy.</p>
+     *          policies for IAM roles and bucket policies for Amazon S3 buckets.</p>
      * @public
      */
     policyType: AccessCheckPolicyType | undefined;
@@ -755,17 +836,17 @@ export interface ReasonSummary {
      * <p>A description of the reasoning of a result of checking for access.</p>
      * @public
      */
-    description?: string;
+    description?: string | undefined;
     /**
      * <p>The index number of the reason statement.</p>
      * @public
      */
-    statementIndex?: number;
+    statementIndex?: number | undefined;
     /**
      * <p>The identifier for the reason statement.</p>
      * @public
      */
-    statementId?: string;
+    statementId?: string | undefined;
 }
 /**
  * @public
@@ -790,17 +871,17 @@ export interface CheckAccessNotGrantedResponse {
      *          some or all of the permissions in the access object.</p>
      * @public
      */
-    result?: CheckAccessNotGrantedResult;
+    result?: CheckAccessNotGrantedResult | undefined;
     /**
      * <p>The message indicating whether the specified access is allowed.</p>
      * @public
      */
-    message?: string;
+    message?: string | undefined;
     /**
      * <p>A description of the reasoning of the result.</p>
      * @public
      */
-    reasons?: ReasonSummary[];
+    reasons?: ReasonSummary[] | undefined;
 }
 /**
  * <p>The specified parameter is invalid.</p>
@@ -875,17 +956,17 @@ export interface CheckNoNewAccessResponse {
      *          policy might allow new access.</p>
      * @public
      */
-    result?: CheckNoNewAccessResult;
+    result?: CheckNoNewAccessResult | undefined;
     /**
      * <p>The message indicating whether the updated policy allows new access.</p>
      * @public
      */
-    message?: string;
+    message?: string | undefined;
     /**
      * <p>A description of the reasoning of the result.</p>
      * @public
      */
-    reasons?: ReasonSummary[];
+    reasons?: ReasonSummary[] | undefined;
 }
 /**
  * @public
@@ -957,19 +1038,19 @@ export interface CheckNoPublicAccessResponse {
      *          specified resource type.</p>
      * @public
      */
-    result?: CheckNoPublicAccessResult;
+    result?: CheckNoPublicAccessResult | undefined;
     /**
      * <p>The message indicating whether the specified policy allows public access to
      *          resources.</p>
      * @public
      */
-    message?: string;
+    message?: string | undefined;
     /**
      * <p>A list of reasons why the specified resource policy grants public access for the
      *          resource type.</p>
      * @public
      */
-    reasons?: ReasonSummary[];
+    reasons?: ReasonSummary[] | undefined;
 }
 /**
  * <p>The proposed access control configuration for a DynamoDB stream. You can propose a
@@ -997,7 +1078,7 @@ export interface DynamodbStreamConfiguration {
      * <p>The proposed resource policy defining who can access or manage the DynamoDB stream.</p>
      * @public
      */
-    streamPolicy?: string;
+    streamPolicy?: string | undefined;
 }
 /**
  * <p>The proposed access control configuration for a DynamoDB table or index. You can propose a
@@ -1025,7 +1106,7 @@ export interface DynamodbTableConfiguration {
      * <p>The proposed resource policy defining who can access or manage the DynamoDB table.</p>
      * @public
      */
-    tablePolicy?: string;
+    tablePolicy?: string | undefined;
 }
 /**
  * <p>The proposed access control configuration for an Amazon EBS volume snapshot. You can propose
@@ -1055,7 +1136,7 @@ export interface EbsSnapshotConfiguration {
      *          </ul>
      * @public
      */
-    userIds?: string[];
+    userIds?: string[] | undefined;
     /**
      * <p>The groups that have access to the Amazon EBS volume snapshot. If the value <code>all</code>
      *          is specified, then the Amazon EBS volume snapshot is public.</p>
@@ -1077,7 +1158,7 @@ export interface EbsSnapshotConfiguration {
      *          </ul>
      * @public
      */
-    groups?: string[];
+    groups?: string[] | undefined;
     /**
      * <p>The KMS key identifier for an encrypted Amazon EBS volume snapshot. The KMS key
      *          identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.</p>
@@ -1095,7 +1176,7 @@ export interface EbsSnapshotConfiguration {
      *          </ul>
      * @public
      */
-    kmsKeyId?: string;
+    kmsKeyId?: string | undefined;
 }
 /**
  * <p>The proposed access control configuration for an Amazon ECR repository. You can propose a
@@ -1125,7 +1206,7 @@ export interface EcrRepositoryConfiguration {
      *             policy examples</a> in the <i>Amazon ECR User Guide</i>.</p>
      * @public
      */
-    repositoryPolicy?: string;
+    repositoryPolicy?: string | undefined;
 }
 /**
  * <p>The proposed access control configuration for an Amazon EFS file system. You can propose a
@@ -1154,7 +1235,7 @@ export interface EfsFileSystemConfiguration {
      *          the elements that make up a file system policy, see <a href="https://docs.aws.amazon.com/efs/latest/ug/access-control-overview.html#access-control-manage-access-intro-resource-policies">Amazon EFS Resource-based policies</a>.</p>
      * @public
      */
-    fileSystemPolicy?: string;
+    fileSystemPolicy?: string | undefined;
 }
 /**
  * <p>The proposed access control configuration for an IAM role. You can propose a
@@ -1172,7 +1253,7 @@ export interface IamRoleConfiguration {
      * <p>The proposed trust policy for the IAM role.</p>
      * @public
      */
-    trustPolicy?: string;
+    trustPolicy?: string | undefined;
 }
 /**
  * <p>Use this structure to propose allowing <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
@@ -1190,7 +1271,7 @@ export interface KmsGrantConstraints {
      *          constraint.</p>
      * @public
      */
-    encryptionContextEquals?: Record<string, string>;
+    encryptionContextEquals?: Record<string, string> | undefined;
     /**
      * <p>A list of key-value pairs that must be included in the encryption context of the <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
      *             operation</a> request. The grant allows the cryptographic operation only when the
@@ -1198,7 +1279,7 @@ export interface KmsGrantConstraints {
      *          constraint, although it can include additional key-value pairs.</p>
      * @public
      */
-    encryptionContextSubset?: Record<string, string>;
+    encryptionContextSubset?: Record<string, string> | undefined;
 }
 /**
  * @public
@@ -1244,7 +1325,7 @@ export interface KmsGrantConfiguration {
      * <p>The principal that is given permission to retire the grant by using <a href="https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html">RetireGrant</a> operation.</p>
      * @public
      */
-    retiringPrincipal?: string;
+    retiringPrincipal?: string | undefined;
     /**
      * <p>Use this structure to propose allowing <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations">cryptographic
      *             operations</a> in the grant only when the operation request includes the specified
@@ -1252,7 +1333,7 @@ export interface KmsGrantConfiguration {
      *          context</a>.</p>
      * @public
      */
-    constraints?: KmsGrantConstraints;
+    constraints?: KmsGrantConstraints | undefined;
     /**
      * <p> The Amazon Web Services account under which the grant was issued. The account is used to propose
      *          KMS grants issued by accounts other than the owner of the key.</p>
@@ -1280,7 +1361,7 @@ export interface KmsKeyConfiguration {
      *             policy</a>.</p>
      * @public
      */
-    keyPolicies?: Record<string, string>;
+    keyPolicies?: Record<string, string> | undefined;
     /**
      * <p>A list of proposed grant configurations for the KMS key. If the proposed grant
      *          configuration is for an existing key, the access preview uses the proposed list of grant
@@ -1288,7 +1369,7 @@ export interface KmsKeyConfiguration {
      *          existing grants for the key.</p>
      * @public
      */
-    grants?: KmsGrantConfiguration[];
+    grants?: KmsGrantConfiguration[] | undefined;
 }
 /**
  * <p>The values for a manual Amazon RDS DB cluster snapshot attribute.</p>
@@ -1356,7 +1437,7 @@ export interface RdsDbClusterSnapshotConfiguration {
      *          </p>
      * @public
      */
-    attributes?: Record<string, RdsDbClusterSnapshotAttributeValue>;
+    attributes?: Record<string, RdsDbClusterSnapshotAttributeValue> | undefined;
     /**
      * <p>The KMS key identifier for an encrypted Amazon RDS DB cluster snapshot. The KMS key
      *          identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.</p>
@@ -1374,7 +1455,7 @@ export interface RdsDbClusterSnapshotConfiguration {
      *          </ul>
      * @public
      */
-    kmsKeyId?: string;
+    kmsKeyId?: string | undefined;
 }
 /**
  * <p>The name and values of a manual Amazon RDS DB snapshot attribute. Manual DB snapshot
@@ -1442,7 +1523,7 @@ export interface RdsDbSnapshotConfiguration {
      *          value for <code>attributeName</code> for the attribute map is restore.</p>
      * @public
      */
-    attributes?: Record<string, RdsDbSnapshotAttributeValue>;
+    attributes?: Record<string, RdsDbSnapshotAttributeValue> | undefined;
     /**
      * <p>The KMS key identifier for an encrypted Amazon RDS DB snapshot. The KMS key identifier is
      *          the key ARN, key ID, alias ARN, or alias name for the KMS key.</p>
@@ -1460,7 +1541,7 @@ export interface RdsDbSnapshotConfiguration {
      *          </ul>
      * @public
      */
-    kmsKeyId?: string;
+    kmsKeyId?: string | undefined;
 }
 /**
  * <p>This configuration sets the network origin for the Amazon S3 access point or multi-region
@@ -1573,13 +1654,13 @@ export interface S3AccessPointConfiguration {
      * <p>The access point or multi-region access point policy.</p>
      * @public
      */
-    accessPointPolicy?: string;
+    accessPointPolicy?: string | undefined;
     /**
      * <p>The proposed <code>S3PublicAccessBlock</code> configuration to apply to this Amazon S3 access
      *          point or multi-region access point.</p>
      * @public
      */
-    publicAccessBlock?: S3PublicAccessBlockConfiguration;
+    publicAccessBlock?: S3PublicAccessBlockConfiguration | undefined;
     /**
      * <p>The proposed <code>Internet</code> and <code>VpcConfiguration</code> to apply to this
      *          Amazon S3 access point. <code>VpcConfiguration</code> does not apply to multi-region access
@@ -1589,7 +1670,7 @@ export interface S3AccessPointConfiguration {
      *          origin.</p>
      * @public
      */
-    networkOrigin?: NetworkOriginConfiguration;
+    networkOrigin?: NetworkOriginConfiguration | undefined;
 }
 /**
  * <p>You specify each grantee as a type-value pair using one of these types. You can specify
@@ -1685,7 +1766,7 @@ export interface S3BucketConfiguration {
      * <p>The proposed bucket policy for the Amazon S3 bucket.</p>
      * @public
      */
-    bucketPolicy?: string;
+    bucketPolicy?: string | undefined;
     /**
      * <p>The proposed list of ACL grants for the Amazon S3 bucket. You can propose up to 100 ACL
      *          grants per bucket. If the proposed grant configuration is for an existing bucket, the
@@ -1693,18 +1774,18 @@ export interface S3BucketConfiguration {
      *          grants. Otherwise, the access preview uses the existing grants for the bucket.</p>
      * @public
      */
-    bucketAclGrants?: S3BucketAclGrantConfiguration[];
+    bucketAclGrants?: S3BucketAclGrantConfiguration[] | undefined;
     /**
      * <p>The proposed block public access configuration for the Amazon S3 bucket.</p>
      * @public
      */
-    bucketPublicAccessBlock?: S3PublicAccessBlockConfiguration;
+    bucketPublicAccessBlock?: S3PublicAccessBlockConfiguration | undefined;
     /**
      * <p>The configuration of Amazon S3 access points or multi-region access points for the bucket.
      *          You can propose up to 10 new access points per bucket.</p>
      * @public
      */
-    accessPoints?: Record<string, S3AccessPointConfiguration>;
+    accessPoints?: Record<string, S3AccessPointConfiguration> | undefined;
 }
 /**
  * <p>Proposed access control configuration for an Amazon S3 directory bucket. You can propose a
@@ -1723,7 +1804,7 @@ export interface S3ExpressDirectoryBucketConfiguration {
      * <p>The proposed bucket policy for the Amazon S3 directory bucket.</p>
      * @public
      */
-    bucketPolicy?: string;
+    bucketPolicy?: string | undefined;
 }
 /**
  * <p>The configuration for a Secrets Manager secret. For more information, see <a href="https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html">CreateSecret</a>.</p>
@@ -1745,12 +1826,12 @@ export interface SecretsManagerSecretConfiguration {
      * <p>The proposed ARN, key ID, or alias of the KMS key.</p>
      * @public
      */
-    kmsKeyId?: string;
+    kmsKeyId?: string | undefined;
     /**
      * <p>The proposed resource policy defining who can access or manage the secret.</p>
      * @public
      */
-    secretPolicy?: string;
+    secretPolicy?: string | undefined;
 }
 /**
  * <p>The proposed access control configuration for an Amazon SNS topic. You can propose a
@@ -1770,7 +1851,7 @@ export interface SnsTopicConfiguration {
      *             Guide</i>.</p>
      * @public
      */
-    topicPolicy?: string;
+    topicPolicy?: string | undefined;
 }
 /**
  * <p>The proposed access control configuration for an Amazon SQS queue. You can propose a
@@ -1789,7 +1870,7 @@ export interface SqsQueueConfiguration {
      * <p> The proposed resource policy for the Amazon SQS queue. </p>
      * @public
      */
-    queuePolicy?: string;
+    queuePolicy?: string | undefined;
 }
 /**
  * <p>Access control configuration structures for your resource. You specify the configuration
@@ -2158,7 +2239,7 @@ export interface CreateAccessPreviewRequest {
      * <p>A client token.</p>
      * @public
      */
-    clientToken?: string;
+    clientToken?: string | undefined;
 }
 /**
  * @public
@@ -2293,7 +2374,7 @@ export interface AccessPreview {
      *          invalid resource configuration.</p>
      * @public
      */
-    statusReason?: AccessPreviewStatusReason;
+    statusReason?: AccessPreviewStatusReason | undefined;
 }
 /**
  * @public
@@ -2325,7 +2406,7 @@ export interface GetAnalyzedResourceRequest {
 /**
  * @public
  */
-export type ResourceType = "AWS::DynamoDB::Stream" | "AWS::DynamoDB::Table" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::EFS::FileSystem" | "AWS::IAM::Role" | "AWS::KMS::Key" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::RDS::DBClusterSnapshot" | "AWS::RDS::DBSnapshot" | "AWS::S3::Bucket" | "AWS::S3Express::DirectoryBucket" | "AWS::SNS::Topic" | "AWS::SQS::Queue" | "AWS::SecretsManager::Secret";
+export type ResourceType = "AWS::DynamoDB::Stream" | "AWS::DynamoDB::Table" | "AWS::EC2::Snapshot" | "AWS::ECR::Repository" | "AWS::EFS::FileSystem" | "AWS::IAM::Role" | "AWS::IAM::User" | "AWS::KMS::Key" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" | "AWS::RDS::DBClusterSnapshot" | "AWS::RDS::DBSnapshot" | "AWS::S3::Bucket" | "AWS::S3Express::DirectoryBucket" | "AWS::SNS::Topic" | "AWS::SQS::Queue" | "AWS::SecretsManager::Secret";
 /**
  * @public
  */
@@ -2371,18 +2452,18 @@ export interface AnalyzedResource {
      *          generated the finding.</p>
      * @public
      */
-    actions?: string[];
+    actions?: string[] | undefined;
     /**
      * <p>Indicates how the access that generated the finding is granted. This is populated for
      *          Amazon S3 bucket findings.</p>
      * @public
      */
-    sharedVia?: string[];
+    sharedVia?: string[] | undefined;
     /**
      * <p>The current status of the finding generated from the analyzed resource.</p>
      * @public
      */
-    status?: FindingStatus;
+    status?: FindingStatus | undefined;
     /**
      * <p>The Amazon Web Services account ID that owns the resource.</p>
      * @public
@@ -2392,7 +2473,7 @@ export interface AnalyzedResource {
      * <p>An error message.</p>
      * @public
      */
-    error?: string;
+    error?: string | undefined;
 }
 /**
  * <p>The response to the request.</p>
@@ -2404,7 +2485,7 @@ export interface GetAnalyzedResourceResponse {
      *          found when it analyzed the resource.</p>
      * @public
      */
-    resource?: AnalyzedResource;
+    resource?: AnalyzedResource | undefined;
 }
 /**
  * <p>Retrieves a finding.</p>
@@ -2423,6 +2504,19 @@ export interface GetFindingRequest {
      */
     id: string | undefined;
 }
+/**
+ * @public
+ * @enum
+ */
+export declare const ResourceControlPolicyRestriction: {
+    readonly APPLICABLE: "APPLICABLE";
+    readonly FAILED_TO_EVALUATE_RCP: "FAILED_TO_EVALUATE_RCP";
+    readonly NOT_APPLICABLE: "NOT_APPLICABLE";
+};
+/**
+ * @public
+ */
+export type ResourceControlPolicyRestriction = (typeof ResourceControlPolicyRestriction)[keyof typeof ResourceControlPolicyRestriction];
 /**
  * <p>Includes details about how the access that generated the finding is granted. This is
  *          populated for Amazon S3 bucket findings.</p>
@@ -2434,12 +2528,12 @@ export interface FindingSourceDetail {
      *          whether the ARN represents an access point or a multi-region access point.</p>
      * @public
      */
-    accessPointArn?: string;
+    accessPointArn?: string | undefined;
     /**
      * <p>The account of the cross-account access point that generated the finding.</p>
      * @public
      */
-    accessPointAccount?: string;
+    accessPointAccount?: string | undefined;
 }
 /**
  * @public
@@ -2461,7 +2555,7 @@ export interface FindingSource {
      *          populated for Amazon S3 bucket findings.</p>
      * @public
      */
-    detail?: FindingSourceDetail;
+    detail?: FindingSourceDetail | undefined;
 }
 /**
  * <p>Contains information about a finding.</p>
@@ -2477,24 +2571,24 @@ export interface Finding {
      * <p>The external principal that has access to a resource within the zone of trust.</p>
      * @public
      */
-    principal?: Record<string, string>;
+    principal?: Record<string, string> | undefined;
     /**
      * <p>The action in the analyzed policy statement that an external principal has permission to
      *          use.</p>
      * @public
      */
-    action?: string[];
+    action?: string[] | undefined;
     /**
      * <p>The resource that an external principal has access to.</p>
      * @public
      */
-    resource?: string;
+    resource?: string | undefined;
     /**
      * <p>Indicates whether the policy that generated the finding allows public access to the
      *          resource.</p>
      * @public
      */
-    isPublic?: boolean;
+    isPublic?: boolean | undefined;
     /**
      * <p>The type of the resource identified in the finding.</p>
      * @public
@@ -2534,13 +2628,19 @@ export interface Finding {
      * <p>An error.</p>
      * @public
      */
-    error?: string;
+    error?: string | undefined;
     /**
      * <p>The sources of the finding. This indicates how the access that generated the finding is
      *          granted. It is populated for Amazon S3 bucket findings.</p>
      * @public
      */
-    sources?: FindingSource[];
+    sources?: FindingSource[] | undefined;
+    /**
+     * <p>The type of restriction applied to the finding by the resource owner with an Organizations
+     *          resource control policy (RCP).</p>
+     * @public
+     */
+    resourceControlPolicyRestriction?: ResourceControlPolicyRestriction | undefined;
 }
 /**
  * <p>The response to the request.</p>
@@ -2551,7 +2651,7 @@ export interface GetFindingResponse {
      * <p>A <code>finding</code> object that contains finding details.</p>
      * @public
      */
-    finding?: Finding;
+    finding?: Finding | undefined;
 }
 /**
  * @public
@@ -2572,12 +2672,12 @@ export interface GetFindingRecommendationRequest {
      * <p>The maximum number of results to return in the response.</p>
      * @public
      */
-    maxResults?: number;
+    maxResults?: number | undefined;
     /**
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
 }
 /**
  * <p>Contains information about the reason that the retrieval of a recommendation for a
@@ -2630,7 +2730,7 @@ export interface UnusedPermissionsRecommendedStep {
      *          updated.</p>
      * @public
      */
-    policyUpdatedAt?: Date;
+    policyUpdatedAt?: Date | undefined;
     /**
      * <p>A recommendation of whether to create or detach a policy for an unused permissions
      *          finding.</p>
@@ -2643,13 +2743,13 @@ export interface UnusedPermissionsRecommendedStep {
      *             <code>existingPolicyId</code> field.</p>
      * @public
      */
-    recommendedPolicy?: string;
+    recommendedPolicy?: string | undefined;
     /**
      * <p>If the recommended action for the unused permissions finding is to detach a policy, the
      *          ID of an existing policy to be detached.</p>
      * @public
      */
-    existingPolicyId?: string;
+    existingPolicyId?: string | undefined;
 }
 /**
  * <p>Contains information about a recommended step for an unused access analyzer
@@ -2708,18 +2808,18 @@ export interface GetFindingRecommendationResponse {
      * <p>The time at which the retrieval of the finding recommendation was completed.</p>
      * @public
      */
-    completedAt?: Date;
+    completedAt?: Date | undefined;
     /**
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
     /**
      * <p>Detailed information about the reason that the retrieval of a recommendation for the
      *          finding failed.</p>
      * @public
      */
-    error?: RecommendationError;
+    error?: RecommendationError | undefined;
     /**
      * <p>The ARN of the resource of the finding.</p>
      * @public
@@ -2729,7 +2829,7 @@ export interface GetFindingRecommendationResponse {
      * <p>A group of recommended steps for the finding.</p>
      * @public
      */
-    recommendedSteps?: RecommendedStep[];
+    recommendedSteps?: RecommendedStep[] | undefined;
     /**
      * <p>The type of recommendation for the finding.</p>
      * @public
@@ -2760,12 +2860,12 @@ export interface GetFindingV2Request {
      * <p>The maximum number of results to return in the response.</p>
      * @public
      */
-    maxResults?: number;
+    maxResults?: number | undefined;
     /**
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
 }
 /**
  * <p>Contains information about an external access finding.</p>
@@ -2777,7 +2877,7 @@ export interface ExternalAccessDetails {
      *          use.</p>
      * @public
      */
-    action?: string[];
+    action?: string[] | undefined;
     /**
      * <p>The condition in the analyzed policy statement that resulted in an external access
      *          finding.</p>
@@ -2788,18 +2888,24 @@ export interface ExternalAccessDetails {
      * <p>Specifies whether the external access finding is public.</p>
      * @public
      */
-    isPublic?: boolean;
+    isPublic?: boolean | undefined;
     /**
      * <p>The external principal that has access to a resource within the zone of trust.</p>
      * @public
      */
-    principal?: Record<string, string>;
+    principal?: Record<string, string> | undefined;
     /**
      * <p>The sources of the external access finding. This indicates how the access that generated
      *          the finding is granted. It is populated for Amazon S3 bucket findings.</p>
      * @public
      */
-    sources?: FindingSource[];
+    sources?: FindingSource[] | undefined;
+    /**
+     * <p>The type of restriction applied to the finding by the resource owner with an Organizations
+     *          resource control policy (RCP).</p>
+     * @public
+     */
+    resourceControlPolicyRestriction?: ResourceControlPolicyRestriction | undefined;
 }
 /**
  * <p>Contains information about an unused access finding for an IAM role. IAM Access Analyzer
@@ -2813,7 +2919,7 @@ export interface UnusedIamRoleDetails {
      * <p>The time at which the role was last accessed.</p>
      * @public
      */
-    lastAccessed?: Date;
+    lastAccessed?: Date | undefined;
 }
 /**
  * <p>Contains information about an unused access finding for an IAM user access key.
@@ -2832,7 +2938,7 @@ export interface UnusedIamUserAccessKeyDetails {
      * <p>The time at which the access key was last accessed.</p>
      * @public
      */
-    lastAccessed?: Date;
+    lastAccessed?: Date | undefined;
 }
 /**
  * <p>Contains information about an unused access finding for an IAM user password.
@@ -2846,7 +2952,7 @@ export interface UnusedIamUserPasswordDetails {
      * <p>The time at which the password was last accessed.</p>
      * @public
      */
-    lastAccessed?: Date;
+    lastAccessed?: Date | undefined;
 }
 /**
  * <p>Contains information about an unused access finding for an action. IAM Access Analyzer charges
@@ -2865,7 +2971,7 @@ export interface UnusedAction {
      * <p>The time at which the action was last accessed.</p>
      * @public
      */
-    lastAccessed?: Date;
+    lastAccessed?: Date | undefined;
 }
 /**
  * <p>Contains information about an unused access finding for a permission. IAM Access Analyzer
@@ -2879,7 +2985,7 @@ export interface UnusedPermissionDetails {
      * <p>A list of unused actions for which the unused access finding was generated.</p>
      * @public
      */
-    actions?: UnusedAction[];
+    actions?: UnusedAction[] | undefined;
     /**
      * <p>The namespace of the Amazon Web Services service that contains the unused actions.</p>
      * @public
@@ -2889,7 +2995,7 @@ export interface UnusedPermissionDetails {
      * <p>The time at which the permission was last accessed.</p>
      * @public
      */
-    lastAccessed?: Date;
+    lastAccessed?: Date | undefined;
 }
 /**
  * <p>Contains information about an external access or unused access finding. Only one
@@ -3020,7 +3126,7 @@ export interface GetFindingV2Response {
      * <p>An error.</p>
      * @public
      */
-    error?: string;
+    error?: string | undefined;
     /**
      * <p>The ID of the finding to retrieve.</p>
      * @public
@@ -3030,12 +3136,12 @@ export interface GetFindingV2Response {
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
     /**
      * <p>The resource that generated the finding.</p>
      * @public
      */
-    resource?: string;
+    resource?: string | undefined;
     /**
      * <p>The type of the resource identified in the finding.</p>
      * @public
@@ -3069,7 +3175,7 @@ export interface GetFindingV2Response {
      *             <code>UnusedIAMUserPassword</code>, or <code>UnusedPermission</code>.</p>
      * @public
      */
-    findingType?: FindingType;
+    findingType?: FindingType | undefined;
 }
 /**
  * @public
@@ -3091,7 +3197,7 @@ export interface GetGeneratedPolicyRequest {
      *             <code>"Resource":"arn:aws:s3:::$\{BucketName\}"</code> instead of <code>"*"</code>.</p>
      * @public
      */
-    includeResourcePlaceholders?: boolean;
+    includeResourcePlaceholders?: boolean | undefined;
     /**
      * <p>The level of detail that you want to generate. You can specify whether to generate
      *          service-level policies. </p>
@@ -3099,7 +3205,7 @@ export interface GetGeneratedPolicyRequest {
      *          been used recently to create this service-level template.</p>
      * @public
      */
-    includeServiceLevelTemplate?: boolean;
+    includeServiceLevelTemplate?: boolean | undefined;
 }
 /**
  * <p>Contains the text for the generated policy.</p>
@@ -3128,14 +3234,14 @@ export interface TrailProperties {
      * <p>A list of regions to get CloudTrail data from and analyze to generate a policy.</p>
      * @public
      */
-    regions?: string[];
+    regions?: string[] | undefined;
     /**
      * <p>Possible values are <code>true</code> or <code>false</code>. If set to
      *          <code>true</code>, IAM Access Analyzer retrieves CloudTrail data from all regions to analyze and
      *          generate a policy.</p>
      * @public
      */
-    allRegions?: boolean;
+    allRegions?: boolean | undefined;
 }
 /**
  * <p>Contains information about CloudTrail access.</p>
@@ -3173,7 +3279,7 @@ export interface GeneratedPolicyProperties {
      *          and <code>false</code> otherwise.</p>
      * @public
      */
-    isComplete?: boolean;
+    isComplete?: boolean | undefined;
     /**
      * <p>The ARN of the IAM entity (user or role) for which you are generating a policy.</p>
      * @public
@@ -3183,7 +3289,7 @@ export interface GeneratedPolicyProperties {
      * <p>Lists details about the <code>Trail</code> used to generated policy.</p>
      * @public
      */
-    cloudTrailProperties?: CloudTrailProperties;
+    cloudTrailProperties?: CloudTrailProperties | undefined;
 }
 /**
  * <p>Contains the text for the generated policy and its details.</p>
@@ -3201,7 +3307,7 @@ export interface GeneratedPolicyResult {
      *             <a href="https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html">CreatePolicy</a> action.</p>
      * @public
      */
-    generatedPolicies?: GeneratedPolicy[];
+    generatedPolicies?: GeneratedPolicy[] | undefined;
 }
 /**
  * @public
@@ -3275,12 +3381,12 @@ export interface JobDetails {
      * <p>A timestamp of when the job was completed.</p>
      * @public
      */
-    completedOn?: Date;
+    completedOn?: Date | undefined;
     /**
      * <p>The job error for the policy generation request.</p>
      * @public
      */
-    jobError?: JobError;
+    jobError?: JobError | undefined;
 }
 /**
  * @public
@@ -3318,17 +3424,17 @@ export interface ListAccessPreviewFindingsRequest {
      * <p>Criteria to filter the returned findings.</p>
      * @public
      */
-    filter?: Record<string, Criterion>;
+    filter?: Record<string, Criterion> | undefined;
     /**
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
     /**
      * <p>The maximum number of results to return in the response.</p>
      * @public
      */
-    maxResults?: number;
+    maxResults?: number | undefined;
 }
 /**
  * @public
@@ -3360,40 +3466,40 @@ export interface AccessPreviewFinding {
      *          findings.</p>
      * @public
      */
-    existingFindingId?: string;
+    existingFindingId?: string | undefined;
     /**
      * <p>The existing status of the finding, provided only for existing findings.</p>
      * @public
      */
-    existingFindingStatus?: FindingStatus;
+    existingFindingStatus?: FindingStatus | undefined;
     /**
      * <p>The external principal that has access to a resource within the zone of trust.</p>
      * @public
      */
-    principal?: Record<string, string>;
+    principal?: Record<string, string> | undefined;
     /**
      * <p>The action in the analyzed policy statement that an external principal has permission to
      *          perform.</p>
      * @public
      */
-    action?: string[];
+    action?: string[] | undefined;
     /**
      * <p>The condition in the analyzed policy statement that resulted in a finding.</p>
      * @public
      */
-    condition?: Record<string, string>;
+    condition?: Record<string, string> | undefined;
     /**
      * <p>The resource that an external principal has access to. This is the resource associated
      *          with the access preview.</p>
      * @public
      */
-    resource?: string;
+    resource?: string | undefined;
     /**
      * <p>Indicates whether the policy that generated the finding allows public access to the
      *          resource.</p>
      * @public
      */
-    isPublic?: boolean;
+    isPublic?: boolean | undefined;
     /**
      * <p>The type of the resource that can be accessed in the finding.</p>
      * @public
@@ -3448,13 +3554,19 @@ export interface AccessPreviewFinding {
      * <p>An error.</p>
      * @public
      */
-    error?: string;
+    error?: string | undefined;
     /**
      * <p>The sources of the finding. This indicates how the access that generated the finding is
      *          granted. It is populated for Amazon S3 bucket findings.</p>
      * @public
      */
-    sources?: FindingSource[];
+    sources?: FindingSource[] | undefined;
+    /**
+     * <p>The type of restriction applied to the finding by the resource owner with an Organizations
+     *          resource control policy (RCP).</p>
+     * @public
+     */
+    resourceControlPolicyRestriction?: ResourceControlPolicyRestriction | undefined;
 }
 /**
  * @public
@@ -3469,7 +3581,7 @@ export interface ListAccessPreviewFindingsResponse {
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
 }
 /**
  * @public
@@ -3485,12 +3597,12 @@ export interface ListAccessPreviewsRequest {
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
     /**
      * <p>The maximum number of results to return in the response.</p>
      * @public
      */
-    maxResults?: number;
+    maxResults?: number | undefined;
 }
 /**
  * <p>Contains a summary of information about an access preview.</p>
@@ -3539,7 +3651,7 @@ export interface AccessPreviewSummary {
      *          resource configuration.</p>
      * @public
      */
-    statusReason?: AccessPreviewStatusReason;
+    statusReason?: AccessPreviewStatusReason | undefined;
 }
 /**
  * @public
@@ -3554,7 +3666,7 @@ export interface ListAccessPreviewsResponse {
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
 }
 /**
  * <p>Retrieves a list of resources that have been analyzed.</p>
@@ -3571,17 +3683,17 @@ export interface ListAnalyzedResourcesRequest {
      * <p>The type of resource.</p>
      * @public
      */
-    resourceType?: ResourceType;
+    resourceType?: ResourceType | undefined;
     /**
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
     /**
      * <p>The maximum number of results to return in the response.</p>
      * @public
      */
-    maxResults?: number;
+    maxResults?: number | undefined;
 }
 /**
  * <p>Contains the ARN of the analyzed resource.</p>
@@ -3618,7 +3730,7 @@ export interface ListAnalyzedResourcesResponse {
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
 }
 /**
  * @public
@@ -3633,12 +3745,12 @@ export interface SortCriteria {
      * <p>The name of the attribute to sort on.</p>
      * @public
      */
-    attributeName?: string;
+    attributeName?: string | undefined;
     /**
      * <p>The sort order, ascending or descending.</p>
      * @public
      */
-    orderBy?: OrderBy;
+    orderBy?: OrderBy | undefined;
 }
 /**
  * <p>Retrieves a list of findings generated by the specified analyzer.</p>
@@ -3655,22 +3767,22 @@ export interface ListFindingsRequest {
      * <p>A filter to match for the findings to return.</p>
      * @public
      */
-    filter?: Record<string, Criterion>;
+    filter?: Record<string, Criterion> | undefined;
     /**
      * <p>The sort order for the findings returned.</p>
      * @public
      */
-    sort?: SortCriteria;
+    sort?: SortCriteria | undefined;
     /**
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
     /**
      * <p>The maximum number of results to return in the response.</p>
      * @public
      */
-    maxResults?: number;
+    maxResults?: number | undefined;
 }
 /**
  * <p>Contains information about a finding.</p>
@@ -3686,24 +3798,24 @@ export interface FindingSummary {
      * <p>The external principal that has access to a resource within the zone of trust.</p>
      * @public
      */
-    principal?: Record<string, string>;
+    principal?: Record<string, string> | undefined;
     /**
      * <p>The action in the analyzed policy statement that an external principal has permission to
      *          use.</p>
      * @public
      */
-    action?: string[];
+    action?: string[] | undefined;
     /**
      * <p>The resource that the external principal has access to.</p>
      * @public
      */
-    resource?: string;
+    resource?: string | undefined;
     /**
      * <p>Indicates whether the finding reports a resource that has a policy that allows public
      *          access.</p>
      * @public
      */
-    isPublic?: boolean;
+    isPublic?: boolean | undefined;
     /**
      * <p>The type of the resource that the external principal has access to.</p>
      * @public
@@ -3744,13 +3856,19 @@ export interface FindingSummary {
      * <p>The error that resulted in an Error finding.</p>
      * @public
      */
-    error?: string;
+    error?: string | undefined;
     /**
      * <p>The sources of the finding. This indicates how the access that generated the finding is
      *          granted. It is populated for Amazon S3 bucket findings.</p>
      * @public
      */
-    sources?: FindingSource[];
+    sources?: FindingSource[] | undefined;
+    /**
+     * <p>The type of restriction applied to the finding by the resource owner with an Organizations
+     *          resource control policy (RCP).</p>
+     * @public
+     */
+    resourceControlPolicyRestriction?: ResourceControlPolicyRestriction | undefined;
 }
 /**
  * <p>The response to the request.</p>
@@ -3767,7 +3885,7 @@ export interface ListFindingsResponse {
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
 }
 /**
  * @public
@@ -3783,22 +3901,22 @@ export interface ListFindingsV2Request {
      * <p>A filter to match for the findings to return.</p>
      * @public
      */
-    filter?: Record<string, Criterion>;
+    filter?: Record<string, Criterion> | undefined;
     /**
      * <p>The maximum number of results to return in the response.</p>
      * @public
      */
-    maxResults?: number;
+    maxResults?: number | undefined;
     /**
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
     /**
      * <p>The criteria used to sort.</p>
      * @public
      */
-    sort?: SortCriteria;
+    sort?: SortCriteria | undefined;
 }
 /**
  * <p>Contains information about a finding.</p>
@@ -3820,7 +3938,7 @@ export interface FindingSummaryV2 {
      * <p>The error that resulted in an Error finding.</p>
      * @public
      */
-    error?: string;
+    error?: string | undefined;
     /**
      * <p>The ID of the finding.</p>
      * @public
@@ -3830,7 +3948,7 @@ export interface FindingSummaryV2 {
      * <p>The resource that the external principal has access to.</p>
      * @public
      */
-    resource?: string;
+    resource?: string | undefined;
     /**
      * <p>The type of the resource that the external principal has access to.</p>
      * @public
@@ -3855,7 +3973,7 @@ export interface FindingSummaryV2 {
      * <p>The type of the external access or unused access finding.</p>
      * @public
      */
-    findingType?: FindingType;
+    findingType?: FindingType | undefined;
 }
 /**
  * @public
@@ -3871,7 +3989,7 @@ export interface ListFindingsV2Response {
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
 }
 /**
  * @public
@@ -3883,17 +4001,17 @@ export interface ListPolicyGenerationsRequest {
      *          for a specific principal.</p>
      * @public
      */
-    principalArn?: string;
+    principalArn?: string | undefined;
     /**
      * <p>The maximum number of results to return in the response.</p>
      * @public
      */
-    maxResults?: number;
+    maxResults?: number | undefined;
     /**
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
 }
 /**
  * <p>Contains details about the policy generation status and properties.</p>
@@ -3927,7 +4045,7 @@ export interface PolicyGeneration {
      * <p>A timestamp of when the policy generation was completed.</p>
      * @public
      */
-    completedOn?: Date;
+    completedOn?: Date | undefined;
 }
 /**
  * @public
@@ -3943,7 +4061,7 @@ export interface ListPolicyGenerationsResponse {
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
 }
 /**
  * <p>Retrieves a list of tags applied to the specified resource.</p>
@@ -3965,7 +4083,7 @@ export interface ListTagsForResourceResponse {
      * <p>The tags that are applied to the specified resource.</p>
      * @public
      */
-    tags?: Record<string, string>;
+    tags?: Record<string, string> | undefined;
 }
 /**
  * <p>Contains details about the CloudTrail trail being analyzed to generate a policy.</p>
@@ -3982,14 +4100,14 @@ export interface Trail {
      * <p>A list of regions to get CloudTrail data from and analyze to generate a policy.</p>
      * @public
      */
-    regions?: string[];
+    regions?: string[] | undefined;
     /**
      * <p>Possible values are <code>true</code> or <code>false</code>. If set to
      *          <code>true</code>, IAM Access Analyzer retrieves CloudTrail data from all regions to analyze and
      *          generate a policy.</p>
      * @public
      */
-    allRegions?: boolean;
+    allRegions?: boolean | undefined;
 }
 /**
  * <p>Contains information about CloudTrail access.</p>
@@ -4019,7 +4137,7 @@ export interface CloudTrailDetails {
      *          included in the request, the default value is the current time.</p>
      * @public
      */
-    endTime?: Date;
+    endTime?: Date | undefined;
 }
 /**
  * <p>Contains the ARN details about the IAM entity for which the policy is
@@ -4048,7 +4166,7 @@ export interface StartPolicyGenerationRequest {
      *          that you want to analyze to generate policies.</p>
      * @public
      */
-    cloudTrailDetails?: CloudTrailDetails;
+    cloudTrailDetails?: CloudTrailDetails | undefined;
     /**
      * <p>A unique, case-sensitive identifier that you provide to ensure the idempotency of the
      *          request. Idempotency ensures that an API request completes only once. With an idempotent
@@ -4059,7 +4177,7 @@ export interface StartPolicyGenerationRequest {
      *          SDK.</p>
      * @public
      */
-    clientToken?: string;
+    clientToken?: string | undefined;
 }
 /**
  * @public
@@ -4096,7 +4214,7 @@ export interface StartResourceScanRequest {
      *          account is the account in which the resource was created.</p>
      * @public
      */
-    resourceOwnerAccount?: string;
+    resourceOwnerAccount?: string | undefined;
 }
 /**
  * <p>Adds a tag to the specified resource.</p>
@@ -4168,17 +4286,17 @@ export interface UpdateFindingsRequest {
      * <p>The IDs of the findings to update.</p>
      * @public
      */
-    ids?: string[];
+    ids?: string[] | undefined;
     /**
      * <p>The ARN of the resource identified in the finding.</p>
      * @public
      */
-    resourceArn?: string;
+    resourceArn?: string | undefined;
     /**
      * <p>A client token.</p>
      * @public
      */
-    clientToken?: string;
+    clientToken?: string | undefined;
 }
 /**
  * @public
@@ -4206,6 +4324,7 @@ export type Locale = (typeof Locale)[keyof typeof Locale];
  */
 export declare const PolicyType: {
     readonly IDENTITY_POLICY: "IDENTITY_POLICY";
+    readonly RESOURCE_CONTROL_POLICY: "RESOURCE_CONTROL_POLICY";
     readonly RESOURCE_POLICY: "RESOURCE_POLICY";
     readonly SERVICE_CONTROL_POLICY: "SERVICE_CONTROL_POLICY";
 };
@@ -4237,17 +4356,17 @@ export interface ValidatePolicyRequest {
      * <p>The locale to use for localizing the findings.</p>
      * @public
      */
-    locale?: Locale;
+    locale?: Locale | undefined;
     /**
      * <p>The maximum number of results to return in the response.</p>
      * @public
      */
-    maxResults?: number;
+    maxResults?: number | undefined;
     /**
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
     /**
      * <p>The JSON policy document to use as the content for the policy.</p>
      * @public
@@ -4277,7 +4396,7 @@ export interface ValidatePolicyRequest {
      *          will run policy checks that apply to all resource policies.</p>
      * @public
      */
-    validatePolicyResourceType?: ValidatePolicyResourceType;
+    validatePolicyResourceType?: ValidatePolicyResourceType | undefined;
 }
 /**
  * @public
@@ -4491,7 +4610,7 @@ export interface ValidatePolicyResponse {
      * <p>A token used for pagination of results returned.</p>
      * @public
      */
-    nextToken?: string;
+    nextToken?: string | undefined;
 }
 /**
  * @internal