Crate aws_sdk_accessanalyzer

Expand description

Identity and Access Management Access Analyzer helps you to set, verify, and refine your IAM policies by providing a suite of capabilities. Its features include findings for external and unused access, basic and custom policy checks for validating policies, and policy generation to generate fine-grained policies. To start using IAM Access Analyzer to identify external or unused access, you first need to create an analyzer.

External access analyzers help identify potential risks of accessing resources by enabling you to identify any resource policies that grant access to an external principal. It does this by using logic-based reasoning to analyze resource-based policies in your Amazon Web Services environment. An external principal can be another Amazon Web Services account, a root user, an IAM user or role, a federated user, an Amazon Web Services service, or an anonymous user. You can also use IAM Access Analyzer to preview public and cross-account access to your resources before deploying permissions changes.

Unused access analyzers help identify potential identity access risks by enabling you to identify unused IAM roles, unused access keys, unused console passwords, and IAM principals with unused service and action-level permissions.

Beyond findings, IAM Access Analyzer provides basic and custom policy checks to validate IAM policies before deploying permissions changes. You can use policy generation to refine permissions by attaching a policy generated using access activity logged in CloudTrail logs.

This guide describes the IAM Access Analyzer operations that you can call programmatically. For general information about IAM Access Analyzer, see Identity and Access Management Access Analyzer in the IAM User Guide.

§Getting Started

Examples are available for many services and operations, check out the examples folder in GitHub.

The SDK provides one crate per AWS service. You must add Tokio as a dependency within your Rust project to execute asynchronous code. To add aws-sdk-accessanalyzer to your project, add the following to your Cargo.toml file:

[dependencies]
aws-config = { version = "1.1.7", features = ["behavior-version-latest"] }
aws-sdk-accessanalyzer = "1.70.0"
tokio = { version = "1", features = ["full"] }

Then in code, a client can be created with the following:

use aws_sdk_accessanalyzer as accessanalyzer;

#[::tokio::main]
async fn main() -> Result<(), accessanalyzer::Error> {
    let config = aws_config::load_from_env().await;
    let client = aws_sdk_accessanalyzer::Client::new(&config);

    // ... make some calls with the client

    Ok(())
}

See the client documentation for information on what calls can be made, and the inputs and outputs for each of those calls.

§Using the SDK

Until the SDK is released, we will be adding information about using the SDK to the Developer Guide. Feel free to suggest additional sections for the guide by opening an issue and describing what you are trying to do.

§Getting Help

GitHub discussions - For ideas, RFCs & general questions
GitHub issues - For bug reports & feature requests
Generated Docs (latest version)
Usage examples

§Crate Organization

The entry point for most customers will be Client, which exposes one method for each API offered by Access Analyzer. The return value of each of these methods is a “fluent builder”, where the different inputs for that API are added by builder-style function call chaining, followed by calling send() to get a Future that will result in either a successful output or a SdkError.

Some of these API inputs may be structs or enums to provide more complex structured information. These structs and enums live in types. There are some simpler types for representing data such as date times or binary blobs that live in primitives.

All types required to configure a client via the Config struct live in config.

The operation module has a submodule for every API, and in each submodule is the input, output, and error type for that API, as well as builders to construct each of those.

There is a top-level Error type that encompasses all the errors that the client can return. Any other error type can be converted to this Error type via the From trait.

The other modules within this crate are not required for normal usage.

Modules§

client: Client for calling Access Analyzer.
config: Configuration for Access Analyzer.
error: Common errors and error handling utilities.
meta: Information about this crate.
operation: All operations that this crate can perform.
primitives: Primitives such as Blob or DateTime used by other types.
types: Data structures used by operation inputs/outputs.

Structs§

Client: Client for Access Analyzer
Config: Configuration for a aws_sdk_accessanalyzer service client.

Enums§

Error: All possible error types for this service.

Crate aws_sdk_accessanalyzerCopy item path