Configuration
Access control configuration structures for your resource. You specify the configuration as a type-value pair. You can specify only one type of access control configuration.
Contents
iamRole
The access control configuration is for an IAM role.
Type: IamRoleConfiguration (p. 112) object
Required: No
kmsKey
The access control configuration is for a KMS key.
Type: KmsKeyConfiguration (p. 120) object
Required: No
s3Bucket
The access control configuration is for an Amazon S3 Bucket.
Type: S3BucketConfiguration (p. 130) object
Required: No
secretsManagerSecret
The access control configuration is for a Secrets Manager secret.
Type: SecretsManagerSecretConfiguration (p. 133) object
Required: No
sqsQueue
The access control configuration is for an Amazon SQS queue.
Type: SqsQueueConfiguration (p. 136) object
Required: No
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
Criterion
The criteria to use in the filter that defines the archive rule.
Contents
contains
A "contains" operator to match for the filter used to create the rule.
Type: Array of strings
Array Members: Minimum number of 1 item. Maximum number of 20 items.
Required: No
eq
An "equals" operator to match for the filter used to create the rule.
Type: Array of strings
Array Members: Minimum number of 1 item. Maximum number of 20 items.
Required: No
exists
An "exists" operator to match for the filter used to create the rule.
Type: Boolean
Required: No
neq
A "not equals" operator to match for the filter used to create the rule.
Type: Array of strings
Array Members: Minimum number of 1 item. Maximum number of 20 items.
Required: No
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
Finding
Contains information about a finding.
Contents
action
The action in the analyzed policy statement that an external principal has permission to use.
Type: Array of strings
Required: No
analyzedAt
The time at which the resource was analyzed.
Type: Timestamp
Required: Yes
condition
The condition in the analyzed policy statement that resulted in a finding.
Type: String to string map
Required: Yes
createdAt
The time at which the finding was generated.
Type: Timestamp
id
The ID of the finding.
Type: String
Required: Yes
isPublic
Indicates whether the policy that generated the finding allows public access to the resource.
Type: Boolean
Required: No
principal
The external principal that has access to a resource within the zone of trust.
Type: String to string map
Required: No
resource
The resource that an external principal has access to.
Type: String
Required: No
resourceOwnerAccount
The AWS account ID that owns the resource.
Type: String
Required: Yes
resourceType
The type of the resource identified in the finding.
Type: String
Valid Values: AWS::S3::Bucket | AWS::IAM::Role | AWS::SQS::Queue | AWS::Lambda::Function | AWS::Lambda::LayerVersion | AWS::KMS::Key | AWS::SecretsManager::Secret
Required: Yes
sources
The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
Type: Array of FindingSource (p. 104) objects
Required: No
status
The current status of the finding.
Type: String
Valid Values: ACTIVE | ARCHIVED | RESOLVED
Required: Yes
updatedAt
The time at which the finding was updated.
Type: Timestamp
Required: Yes
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
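The Criterion operators above (contains, eq, exists, neq) are what an archive rule's filter applies to the attributes of a Finding. The following added example (not code from the API reference or any AWS SDK) evaluates such a filter over constructed findings so you can see which findings a rule would archive before creating it; the dotted-key lookup into map members and the exact any-of matching semantics are assumptions made here.

```python
from typing import Any

# Constructed sample findings shaped like the Finding data type (not real findings).
SAMPLE_FINDINGS = [
    {"id": "f-1", "resourceType": "AWS::S3::Bucket", "resource": "arn:aws:s3:::demo-bucket",
     "isPublic": True, "status": "ACTIVE", "action": ["s3:GetObject"],
     "principal": {"AWS": "*"}, "condition": {}, "sources": [{"type": "BUCKET_ACL"}]},
    {"id": "f-2", "resourceType": "AWS::IAM::Role", "resource": "arn:aws:iam::111111111111:role/Demo",
     "isPublic": False, "status": "ACTIVE", "action": ["sts:AssumeRole"],
     "principal": {"AWS": "222222222222"}, "condition": {"aws:PrincipalOrgID": "o-example"}},
    {"id": "f-3", "resourceType": "AWS::SQS::Queue", "status": "RESOLVED", "isPublic": False,
     "resource": "arn:aws:sqs:us-east-1:111111111111:demo-queue", "action": ["sqs:SendMessage"],
     "principal": {"AWS": "333333333333"}, "condition": {}},
]

def _values(finding: dict, key: str) -> list[str]:
    """Resolve a filter key to the finding values it names, as strings.
    Assumption: a key like "principal.AWS" or "condition.aws:PrincipalOrgID"
    is a one-level dotted lookup into the corresponding map member."""
    node: Any = finding
    for part in key.split(".", 1):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    if isinstance(node, bool):
        return [str(node).lower()]  # isPublic compares as "true" / "false"
    return [str(v) for v in node] if isinstance(node, list) else [str(node)]

def criterion_matches(values: list[str], criterion: dict) -> bool:
    """Apply one Criterion (contains / eq / exists / neq) to the resolved values.
    Assumed semantics: eq and contains pass if any value matches any listed item,
    neq fails if any value equals a listed item, exists checks for presence."""
    if "exists" in criterion and bool(values) != criterion["exists"]:
        return False
    if "eq" in criterion and not any(v in criterion["eq"] for v in values):
        return False
    if "neq" in criterion and any(v in criterion["neq"] for v in values):
        return False
    if "contains" in criterion and not any(s in v for v in values for s in criterion["contains"]):
        return False
    return True

def finding_matches_filter(finding: dict, filter_: dict) -> bool:
    """A filter maps finding attributes to Criterion objects; every entry must match."""
    return all(criterion_matches(_values(finding, k), c) for k, c in filter_.items())

def archive_candidates(findings: list[dict], filter_: dict) -> list[str]:
    """IDs of the findings an archive rule with this filter would match."""
    return [f["id"] for f in findings if finding_matches_filter(f, filter_)]
```

Run the same filters against the analyzer's real findings (for example the output of ListFindings) before creating a rule, so that an over-broad criterion does not silently archive public-access findings.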
FindingSource
The source of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
Contents
detail
Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.
Type: FindingSourceDetail (p. 105) object
Required: No
type
Indicates the type of access that generated the finding.
Type: String
Valid Values: POLICY | BUCKET_ACL | S3_ACCESS_POINT
Required: Yes
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
FindingSourceDetail
Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.
Contents
accessPointArn
The ARN of the access point that generated the finding. The ARN format depends on whether the ARN represents an access point or a multi-region access point.
Type: String
Required: No
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
FindingSummary
Contains information about a finding.
Contents
action
The action in the analyzed policy statement that an external principal has permission to use.
Type: Array of strings
Required: No
analyzedAt
The time at which the resource-based policy that generated the finding was analyzed.
Type: Timestamp
Required: Yes
condition
The condition in the analyzed policy statement that resulted in a finding.
Type: String to string map
Required: Yes
createdAt
The time at which the finding was created.
Type: Timestamp
Required: Yes
error
The error that resulted in an Error finding.
Type: String
Required: No
id
The ID of the finding.
Type: String
Required: Yes
isPublic
Indicates whether the finding reports a resource that has a policy that allows public access.
Type: Boolean
Required: No
principal
The external principal that has access to a resource within the zone of trust.
Type: String to string map
Required: No
resource
The resource that the external principal has access to.
Type: String
Required: No
resourceOwnerAccount
The AWS account ID that owns the resource.
Type: String
Required: Yes
resourceType
The type of the resource that the external principal has access to.
Type: String
Valid Values: AWS::S3::Bucket | AWS::IAM::Role | AWS::SQS::Queue | AWS::Lambda::Function | AWS::Lambda::LayerVersion | AWS::KMS::Key | AWS::SecretsManager::Secret
Required: Yes
sources
The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
Type: Array of FindingSource (p. 104) objects
Required: No
status
The status of the finding.
Type: String
Valid Values: ACTIVE | ARCHIVED | RESOLVED
Required: Yes
updatedAt
The time at which the finding was most recently updated.
Type: Timestamp
Required: Yes
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
GeneratedPolicy
Contains the text for the generated policy.
Contents
policy
The text to use as the content for the new policy. The policy is created using the CreatePolicy action.
Type: String
Required: Yes
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
GeneratedPolicyProperties
Contains the generated policy details.
Contents
cloudTrailProperties
Lists details about the CloudTrail trail used to generate the policy.
Type: CloudTrailProperties (p. 98) object
Required: No
isComplete
This value is set to true if the generated policy contains all possible actions for a service that IAM Access Analyzer identified from the CloudTrail trail that you specified, and false otherwise.
Type: Boolean
Required: No
principalArn
The ARN of the IAM entity (user or role) for which you are generating a policy.
Type: String
Pattern: arn:[^:]*:iam::[^:]*:(role|user)/.{1,576}
Required: Yes
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
GeneratedPolicyResult
Contains the text for the generated policy and its details.
Contents
generatedPolicies
The text to use as the content for the new policy. The policy is created using the CreatePolicy action.
Type: Array of GeneratedPolicy (p. 109) objects
Required: No
properties
A GeneratedPolicyProperties object that contains properties of the generated policy.
Type: GeneratedPolicyProperties (p. 110) object
Required: Yes
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
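Before feeding a GeneratedPolicyResult into CreatePolicy, a reviewer wants to know whether the generated text is complete (isComplete) and what it actually grants. The following added example (not code from the API reference or any AWS SDK) consumes the structure described above: it checks principalArn against the pattern documented for GeneratedPolicyProperties, parses each GeneratedPolicy.policy document and summarizes the granted actions per service; the sample response is constructed and the summary fields are this example's own.

```python
import json
import re

# principalArn pattern as documented for GeneratedPolicyProperties.
PRINCIPAL_ARN_RE = re.compile(r"arn:[^:]*:iam::[^:]*:(role|user)/.{1,576}")

def summarize_generated_policy(result: dict) -> dict:
    """Summarize a GeneratedPolicyResult: validate principalArn, surface isComplete
    (false means the policy may be missing actions the trail showed in use) and
    list the actions each generated policy document grants, grouped by service."""
    props = result["properties"]
    arn = props["principalArn"]
    match = PRINCIPAL_ARN_RE.fullmatch(arn)
    if match is None:
        raise ValueError(f"principalArn does not match the documented pattern: {arn}")
    actions_by_service: dict[str, set[str]] = {}
    for generated in result.get("generatedPolicies", []):
        doc = json.loads(generated["policy"])  # policy text is a JSON policy document
        for stmt in doc.get("Statement", []):
            acts = stmt.get("Action", [])
            for act in ([acts] if isinstance(acts, str) else acts):
                service, _, name = act.partition(":")
                actions_by_service.setdefault(service, set()).add(name)
    return {
        "principal_type": match.group(1),          # "role" or "user" from the pattern
        "is_complete": props.get("isComplete", False),
        "services": sorted(actions_by_service),
        "action_count": sum(len(names) for names in actions_by_service.values()),
        "wildcard_actions": sorted(f"{svc}:{name}" for svc, names in actions_by_service.items()
                                   for name in names if "*" in name),
    }

# Constructed sample response in the shape of GeneratedPolicyResult (not real service output).
SAMPLE_RESULT = {
    "properties": {"principalArn": "arn:aws:iam::111111111111:role/AppRole", "isComplete": False},
    "generatedPolicies": [{"policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
            {"Effect": "Allow", "Action": "sqs:SendMessage", "Resource": "*"},
        ],
    })}],
}
```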