AWS IAM Access Analyzer helps identify potential resource-access risks by enabling you to identify any policies that grant access to an external principal. It does this by using logic-based reasoning to analyze resource-based policies in your AWS environment. An external principal can be another AWS account, a root user, an IAM user or role, a federated user, an AWS service, or an anonymous user. You can also use Access Analyzer to preview and validate public and cross-account access to your resources before deploying permissions changes. This guide describes the AWS IAM Access Analyzer operations that you can call programmatically. For general information about Access Analyzer, see AWS IAM Access Analyzer in the IAM User Guide.
To start using Access Analyzer, you first need to create an analyzer.
If you’re using the service, you’re probably looking for AccessAnalyzerClient and AccessAnalyzer.
Structs§
- AccessAnalyzerClient - A client for the Access Analyzer API.
- AccessPreview - Contains information about an access preview.
- AccessPreviewFinding - An access preview finding generated by the access preview.
- AccessPreviewStatusReason - Provides more details about the current status of the access preview. For example, if the creation of the access preview fails, a Failed status is returned. This failure can be due to an internal issue with the analysis or due to an invalid proposed resource configuration.
- AccessPreviewSummary - Contains a summary of information about an access preview.
- AclGrantee - You specify each grantee as a type-value pair using one of these types. You can specify only one type of grantee. For more information, see PutBucketAcl.
- AnalyzedResource - Contains details about the analyzed resource.
- AnalyzedResourceSummary - Contains the ARN of the analyzed resource.
- AnalyzerSummary - Contains information about the analyzer.
- ApplyArchiveRuleRequest - Retroactively applies an archive rule.
- ArchiveRuleSummary - Contains information about an archive rule.
- CancelPolicyGenerationRequest
- CancelPolicyGenerationResponse
- CloudTrailDetails - Contains information about CloudTrail access.
- CloudTrailProperties - Contains information about CloudTrail access.
- Configuration - Access control configuration structures for your resource. You specify the configuration as a type-value pair. You can specify only one type of access control configuration.
- CreateAccessPreviewRequest
- CreateAccessPreviewResponse
- CreateAnalyzerRequest - Creates an analyzer.
- CreateAnalyzerResponse - The response to the request to create an analyzer.
- CreateArchiveRuleRequest - Creates an archive rule.
- Criterion - The criteria to use in the filter that defines the archive rule.
- DeleteAnalyzerRequest - Deletes an analyzer.
- DeleteArchiveRuleRequest - Deletes an archive rule.
- Finding - Contains information about a finding.
- FindingSource - The source of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
- FindingSourceDetail - Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.
- FindingSummary - Contains information about a finding.
- GeneratedPolicy - Contains the text for the generated policy.
- GeneratedPolicyProperties - Contains the generated policy details.
- GeneratedPolicyResult - Contains the text for the generated policy and its details.
- GetAccessPreviewRequest
- GetAccessPreviewResponse
- GetAnalyzedResourceRequest - Retrieves an analyzed resource.
- GetAnalyzedResourceResponse - The response to the request.
- GetAnalyzerRequest - Retrieves an analyzer.
- GetAnalyzerResponse - The response to the request.
- GetArchiveRuleRequest - Retrieves an archive rule.
- GetArchiveRuleResponse - The response to the request.
- GetFindingRequest - Retrieves a finding.
- GetFindingResponse - The response to the request.
- GetGeneratedPolicyRequest
- GetGeneratedPolicyResponse
- IamRoleConfiguration - The proposed access control configuration for an IAM role. You can propose a configuration for a new IAM role or an existing IAM role that you own by specifying the trust policy. If the configuration is for a new IAM role, you must specify the trust policy. If the configuration is for an existing IAM role that you own and you do not propose the trust policy, the access preview uses the existing trust policy for the role. The proposed trust policy cannot be an empty string. For more information about role trust policy limits, see IAM and STS quotas.
- InlineArchiveRule - A criterion statement in an archive rule. Each archive rule may have multiple criteria.
- InternetConfiguration - This configuration sets the Amazon S3 access point network origin to Internet.
- JobDetails - Contains details about the policy generation request.
- JobError - Contains the details about the policy generation error.
- KmsGrantConfiguration - A proposed grant configuration for a KMS key. For more information, see CreateGrant.
- KmsGrantConstraints - Use this structure to propose allowing cryptographic operations in the grant only when the operation request includes the specified encryption context. You can specify only one type of encryption context. An empty map is treated as not specified. For more information, see GrantConstraints.
- KmsKeyConfiguration - Proposed access control configuration for a KMS key. You can propose a configuration for a new KMS key or an existing KMS key that you own by specifying the key policy and KMS grant configuration. If the configuration is for an existing key and you do not specify the key policy, the access preview uses the existing policy for the key. If the access preview is for a new resource and you do not specify the key policy, then the access preview uses the default key policy. The proposed key policy cannot be an empty string. For more information, see Default key policy. For more information about key policy limits, see Resource quotas.
- ListAccessPreviewFindingsRequest
- ListAccessPreviewFindingsResponse
- ListAccessPreviewsRequest
- ListAccessPreviewsResponse
- ListAnalyzedResourcesRequest - Retrieves a list of resources that have been analyzed.
- ListAnalyzedResourcesResponse - The response to the request.
- ListAnalyzersRequest - Retrieves a list of analyzers.
- ListAnalyzersResponse - The response to the request.
- ListArchiveRulesRequest - Retrieves a list of archive rules created for the specified analyzer.
- ListArchiveRulesResponse - The response to the request.
- ListFindingsRequest - Retrieves a list of findings generated by the specified analyzer.
- ListFindingsResponse - The response to the request.
- ListPolicyGenerationsRequest
- ListPolicyGenerationsResponse
- ListTagsForResourceRequest - Retrieves a list of tags applied to the specified resource.
- ListTagsForResourceResponse - The response to the request.
- Location - A location in a policy that is represented as a path through the JSON representation and a corresponding span.
- NetworkOriginConfiguration - The proposed InternetConfiguration or VpcConfiguration to apply to the Amazon S3 access point. You can make the access point accessible from the internet, or you can specify that all requests made through that access point must originate from a specific virtual private cloud (VPC). You can specify only one type of network configuration. For more information, see Creating access points.
- PathElement - A single element in a path through the JSON representation of a policy.
- PolicyGeneration - Contains details about the policy generation status and properties.
- PolicyGenerationDetails - Contains the ARN details about the IAM entity for which the policy is generated.
- Position - A position in a policy.
- S3AccessPointConfiguration - The configuration for an Amazon S3 access point for the bucket. You can propose up to 10 access points per bucket. If the proposed Amazon S3 access point configuration is for an existing bucket, the access preview uses the proposed access point configuration in place of the existing access points. To propose an access point without a policy, you can provide an empty string as the access point policy. For more information, see Creating access points. For more information about access point policy limits, see Access points restrictions and limitations.
- S3BucketAclGrantConfiguration - A proposed access control list grant configuration for an Amazon S3 bucket. For more information, see How to Specify an ACL.
- S3BucketConfiguration - Proposed access control configuration for an Amazon S3 bucket. You can propose a configuration for a new Amazon S3 bucket or an existing Amazon S3 bucket that you own by specifying the Amazon S3 bucket policy, bucket ACLs, bucket BPA settings, and Amazon S3 access points attached to the bucket. If the configuration is for an existing Amazon S3 bucket and you do not specify the Amazon S3 bucket policy, the access preview uses the existing policy attached to the bucket. If the access preview is for a new resource and you do not specify the Amazon S3 bucket policy, the access preview assumes a bucket without a policy. To propose deletion of an existing bucket policy, you can specify an empty string. For more information about bucket policy limits, see Bucket Policy Examples.
- S3PublicAccessBlockConfiguration - The PublicAccessBlock configuration to apply to this Amazon S3 bucket. If the proposed configuration is for an existing Amazon S3 bucket and the configuration is not specified, the access preview uses the existing setting. If the proposed configuration is for a new bucket and the configuration is not specified, the access preview uses false. If the proposed configuration is for a new access point and the access point BPA configuration is not specified, the access preview uses true. For more information, see PublicAccessBlockConfiguration.
- SecretsManagerSecretConfiguration - The configuration for a Secrets Manager secret. For more information, see CreateSecret. You can propose a configuration for a new secret or an existing secret that you own by specifying the secret policy and optional KMS encryption key. If the configuration is for an existing secret and you do not specify the secret policy, the access preview uses the existing policy for the secret. If the access preview is for a new resource and you do not specify the policy, the access preview assumes a secret without a policy. To propose deletion of an existing policy, you can specify an empty string. If the proposed configuration is for a new secret and you do not specify the KMS key ID, the access preview uses the default CMK of the AWS account. If you specify an empty string for the KMS key ID, the access preview uses the default CMK of the AWS account. For more information about secret policy limits, see Quotas for AWS Secrets Manager.
- SortCriteria - The criteria used to sort.
- Span - A span in a policy. The span consists of a start position (inclusive) and end position (exclusive).
- SqsQueueConfiguration - The proposed access control configuration for an SQS queue. You can propose a configuration for a new SQS queue or an existing SQS queue that you own by specifying the SQS policy. If the configuration is for an existing SQS queue and you do not specify the SQS policy, the access preview uses the existing SQS policy for the queue. If the access preview is for a new resource and you do not specify the policy, the access preview assumes an SQS queue without a policy. To propose deletion of an existing SQS queue policy, you can specify an empty string for the SQS policy. For more information about SQS policy limits, see Quotas related to policies.
- StartPolicyGenerationRequest
- StartPolicyGenerationResponse
- StartResourceScanRequest - Starts a scan of the policies applied to the specified resource.
- StatusReason - Provides more details about the current status of the analyzer. For example, if the creation of the analyzer fails, a Failed status is returned. For an analyzer with organization as the type, this failure can be due to an issue with creating the service-linked roles required in the member accounts of the AWS organization.
- Substring - A reference to a substring of a literal string in a JSON document.
- TagResourceRequest - Adds a tag to the specified resource.
- TagResourceResponse - The response to the request.
- Trail - Contains details about the CloudTrail trail being analyzed to generate a policy.
- TrailProperties - Contains details about the CloudTrail trail being analyzed to generate a policy.
- UntagResourceRequest - Removes a tag from the specified resource.
- UntagResourceResponse - The response to the request.
- UpdateArchiveRuleRequest - Updates the specified archive rule.
- UpdateFindingsRequest - Updates findings with the new values provided in the request.
- ValidatePolicyFinding - A finding in a policy. Each finding is an actionable recommendation that can be used to improve the policy.
- ValidatePolicyRequest
- ValidatePolicyResponse
- ValidationExceptionField - Contains information about a validation exception.
- VpcConfiguration - The proposed virtual private cloud (VPC) configuration for the Amazon S3 access point. For more information, see VpcConfiguration.
Enums§
- ApplyArchiveRuleError - Errors returned by ApplyArchiveRule
- CancelPolicyGenerationError - Errors returned by CancelPolicyGeneration
- CreateAccessPreviewError - Errors returned by CreateAccessPreview
- CreateAnalyzerError - Errors returned by CreateAnalyzer
- CreateArchiveRuleError - Errors returned by CreateArchiveRule
- DeleteAnalyzerError - Errors returned by DeleteAnalyzer
- DeleteArchiveRuleError - Errors returned by DeleteArchiveRule
- GetAccessPreviewError - Errors returned by GetAccessPreview
- GetAnalyzedResourceError - Errors returned by GetAnalyzedResource
- GetAnalyzerError - Errors returned by GetAnalyzer
- GetArchiveRuleError - Errors returned by GetArchiveRule
- GetFindingError - Errors returned by GetFinding
- GetGeneratedPolicyError - Errors returned by GetGeneratedPolicy
- ListAccessPreviewFindingsError - Errors returned by ListAccessPreviewFindings
- ListAccessPreviewsError - Errors returned by ListAccessPreviews
- ListAnalyzedResourcesError - Errors returned by ListAnalyzedResources
- ListAnalyzersError - Errors returned by ListAnalyzers
- ListArchiveRulesError - Errors returned by ListArchiveRules
- ListFindingsError - Errors returned by ListFindings
- ListPolicyGenerationsError - Errors returned by ListPolicyGenerations
- ListTagsForResourceError - Errors returned by ListTagsForResource
- StartPolicyGenerationError - Errors returned by StartPolicyGeneration
- StartResourceScanError - Errors returned by StartResourceScan
- TagResourceError - Errors returned by TagResource
- UntagResourceError - Errors returned by UntagResource
- UpdateArchiveRuleError - Errors returned by UpdateArchiveRule
- UpdateFindingsError - Errors returned by UpdateFindings
- ValidatePolicyError - Errors returned by ValidatePolicy
Traits§
- AccessAnalyzer - Trait representing the capabilities of the Access Analyzer API. Access Analyzer clients implement this trait.