Crate rusoto_accessanalyzer
source · [−]Expand description
AWS IAM Access Analyzer helps identify potential resource-access risks by enabling you to identify any policies that grant access to an external principal. It does this by using logic-based reasoning to analyze resource-based policies in your AWS environment. An external principal can be another AWS account, a root user, an IAM user or role, a federated user, an AWS service, or an anonymous user. You can also use Access Analyzer to preview and validate public and cross-account access to your resources before deploying permissions changes. This guide describes the AWS IAM Access Analyzer operations that you can call programmatically. For general information about Access Analyzer, see AWS IAM Access Analyzer in the IAM User Guide.
To start using Access Analyzer, you first need to create an analyzer.
If you’re using the service, you’re probably looking for AccessAnalyzerClient and AccessAnalyzer.
Structs
A client for the Access Analyzer API.
Contains information about an access preview.
An access preview finding generated by the access preview.
Provides more details about the current status of the access preview. For example, if the creation of the access preview fails, a Failed status is returned. This failure can be due to an internal issue with the analysis or due to an invalid proposed resource configuration.
Contains a summary of information about an access preview.
You specify each grantee as a type-value pair using one of these types. You can specify only one type of grantee. For more information, see PutBucketAcl.
Contains details about the analyzed resource.
Contains the ARN of the analyzed resource.
Contains information about the analyzer.
Retroactively applies an archive rule.
Contains information about an archive rule.
Contains information about CloudTrail access.
Contains information about CloudTrail access.
Access control configuration structures for your resource. You specify the configuration as a type-value pair. You can specify only one type of access control configuration.
Creates an analyzer.
The response to the request to create an analyzer.
Creates an archive rule.
The criteria to use in the filter that defines the archive rule.
Deletes an analyzer.
Deletes an archive rule.
Contains information about a finding.
The source of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.
Contains information about a finding.
Contains the text for the generated policy.
Contains the generated policy details.
Contains the text for the generated policy and its details.
Retrieves an analyzed resource.
The response to the request.
Retrieves an analyzer.
The response to the request.
Retrieves an archive rule.
The response to the request.
Retrieves a finding.
The response to the request.
The proposed access control configuration for an IAM role. You can propose a configuration for a new IAM role or an existing IAM role that you own by specifying the trust policy. If the configuration is for a new IAM role, you must specify the trust policy. If the configuration is for an existing IAM role that you own and you do not propose the trust policy, the access preview uses the existing trust policy for the role. The proposed trust policy cannot be an empty string. For more information about role trust policy limits, see IAM and STS quotas.
An criterion statement in an archive rule. Each archive rule may have multiple criteria.
This configuration sets the Amazon S3 access point network origin to Internet.
Contains details about the policy generation request.
Contains the details about the policy generation error.
A proposed grant configuration for a KMS key. For more information, see CreateGrant.
Use this structure to propose allowing cryptographic operations in the grant only when the operation request includes the specified encryption context. You can specify only one type of encryption context. An empty map is treated as not specified. For more information, see GrantConstraints.
Proposed access control configuration for a KMS key. You can propose a configuration for a new KMS key or an existing KMS key that you own by specifying the key policy and KMS grant configuration. If the configuration is for an existing key and you do not specify the key policy, the access preview uses the existing policy for the key. If the access preview is for a new resource and you do not specify the key policy, then the access preview uses the default key policy. The proposed key policy cannot be an empty string. For more information, see Default key policy. For more information about key policy limits, see Resource quotas.
Retrieves a list of resources that have been analyzed.
The response to the request.
Retrieves a list of analyzers.
The response to the request.
Retrieves a list of archive rules created for the specified analyzer.
The response to the request.
Retrieves a list of findings generated by the specified analyzer.
The response to the request.
Retrieves a list of tags applied to the specified resource.
The response to the request.
A location in a policy that is represented as a path through the JSON representation and a corresponding span.
The proposed InternetConfiguration or VpcConfiguration to apply to the Amazon S3 Access point. You can make the access point accessible from the internet, or you can specify that all requests made through that access point must originate from a specific virtual private cloud (VPC). You can specify only one type of network configuration. For more information, see Creating access points.
A single element in a path through the JSON representation of a policy.
Contains details about the policy generation status and properties.
Contains the ARN details about the IAM entity for which the policy is generated.
A position in a policy.
The configuration for an Amazon S3 access point for the bucket. You can propose up to 10 access points per bucket. If the proposed Amazon S3 access point configuration is for an existing bucket, the access preview uses the proposed access point configuration in place of the existing access points. To propose an access point without a policy, you can provide an empty string as the access point policy. For more information, see Creating access points. For more information about access point policy limits, see Access points restrictions and limitations.
A proposed access control list grant configuration for an Amazon S3 bucket. For more information, see How to Specify an ACL.
Proposed access control configuration for an Amazon S3 bucket. You can propose a configuration for a new Amazon S3 bucket or an existing Amazon S3 bucket that you own by specifying the Amazon S3 bucket policy, bucket ACLs, bucket BPA settings, and Amazon S3 access points attached to the bucket. If the configuration is for an existing Amazon S3 bucket and you do not specify the Amazon S3 bucket policy, the access preview uses the existing policy attached to the bucket. If the access preview is for a new resource and you do not specify the Amazon S3 bucket policy, the access preview assumes a bucket without a policy. To propose deletion of an existing bucket policy, you can specify an empty string. For more information about bucket policy limits, see Bucket Policy Examples.
The PublicAccessBlock configuration to apply to this Amazon S3 bucket. If the proposed configuration is for an existing Amazon S3 bucket and the configuration is not specified, the access preview uses the existing setting. If the proposed configuration is for a new bucket and the configuration is not specified, the access preview uses false. If the proposed configuration is for a new access point and the access point BPA configuration is not specified, the access preview uses true. For more information, see PublicAccessBlockConfiguration.
The configuration for a Secrets Manager secret. For more information, see CreateSecret.
You can propose a configuration for a new secret or an existing secret that you own by specifying the secret policy and optional KMS encryption key. If the configuration is for an existing secret and you do not specify the secret policy, the access preview uses the existing policy for the secret. If the access preview is for a new resource and you do not specify the policy, the access preview assumes a secret without a policy. To propose deletion of an existing policy, you can specify an empty string. If the proposed configuration is for a new secret and you do not specify the KMS key ID, the access preview uses the default CMK of the AWS account. If you specify an empty string for the KMS key ID, the access preview uses the default CMK of the AWS account. For more information about secret policy limits, see Quotas for AWS Secrets Manager..
The criteria used to sort.
A span in a policy. The span consists of a start position (inclusive) and end position (exclusive).
The proposed access control configuration for an SQS queue. You can propose a configuration for a new SQS queue or an existing SQS queue that you own by specifying the SQS policy. If the configuration is for an existing SQS queue and you do not specify the SQS policy, the access preview uses the existing SQS policy for the queue. If the access preview is for a new resource and you do not specify the policy, the access preview assumes an SQS queue without a policy. To propose deletion of an existing SQS queue policy, you can specify an empty string for the SQS policy. For more information about SQS policy limits, see Quotas related to policies.
Starts a scan of the policies applied to the specified resource.
Provides more details about the current status of the analyzer. For example, if the creation for the analyzer fails, a Failed status is returned. For an analyzer with organization as the type, this failure can be due to an issue with creating the service-linked roles required in the member accounts of the AWS organization.
A reference to a substring of a literal string in a JSON document.
Adds a tag to the specified resource.
The response to the request.
Contains details about the CloudTrail trail being analyzed to generate a policy.
Contains details about the CloudTrail trail being analyzed to generate a policy.
Removes a tag from the specified resource.
The response to the request.
Updates the specified archive rule.
Updates findings with the new values provided in the request.
A finding in a policy. Each finding is an actionable recommendation that can be used to improve the policy.
Contains information about a validation exception.
The proposed virtual private cloud (VPC) configuration for the Amazon S3 access point. For more information, see VpcConfiguration.
Enums
Errors returned by ApplyArchiveRule
Errors returned by CancelPolicyGeneration
Errors returned by CreateAccessPreview
Errors returned by CreateAnalyzer
Errors returned by CreateArchiveRule
Errors returned by DeleteAnalyzer
Errors returned by DeleteArchiveRule
Errors returned by GetAccessPreview
Errors returned by GetAnalyzedResource
Errors returned by GetAnalyzer
Errors returned by GetArchiveRule
Errors returned by GetFinding
Errors returned by GetGeneratedPolicy
Errors returned by ListAccessPreviewFindings
Errors returned by ListAccessPreviews
Errors returned by ListAnalyzedResources
Errors returned by ListAnalyzers
Errors returned by ListArchiveRules
Errors returned by ListFindings
Errors returned by ListPolicyGenerations
Errors returned by ListTagsForResource
Errors returned by StartPolicyGeneration
Errors returned by StartResourceScan
Errors returned by TagResource
Errors returned by UntagResource
Errors returned by UpdateArchiveRule
Errors returned by UpdateFindings
Errors returned by ValidatePolicy
Traits
Trait representing the capabilities of the Access Analyzer API. Access Analyzer clients implement this trait.