The IAM Access Analyzer API contains several data types that various actions use. This section describes each data type in detail.
Note: The order of each element in a data type structure is not guaranteed. Applications should not assume a particular order.
The following data types are supported:
• AccessPreview (p. 82)
• AccessPreviewFinding (p. 84)
• AccessPreviewStatusReason (p. 87)
• AccessPreviewSummary (p. 88)
• AclGrantee (p. 90)
• AnalyzedResource (p. 91)
• AnalyzedResourceSummary (p. 93)
• AnalyzerSummary (p. 94)
• ArchiveRuleSummary (p. 96)
• CloudTrailDetails (p. 97)
• CloudTrailProperties (p. 98)
• Configuration (p. 99)
• Criterion (p. 100)
• Finding (p. 101)
• FindingSource (p. 104)
• FindingSourceDetail (p. 105)
• FindingSummary (p. 106)
• GeneratedPolicy (p. 109)
• GeneratedPolicyProperties (p. 110)
• GeneratedPolicyResult (p. 111)
• IamRoleConfiguration (p. 112)
• InlineArchiveRule (p. 113)
• InternetConfiguration (p. 114)
• JobDetails (p. 115)
• JobError (p. 116)
• KmsGrantConfiguration (p. 117)
• KmsGrantConstraints (p. 119)
• KmsKeyConfiguration (p. 120)
• Location (p. 121)
• NetworkOriginConfiguration (p. 122)
• PathElement (p. 123)
• PolicyGeneration (p. 124)
• PolicyGenerationDetails (p. 126)
• Position (p. 127)
• S3AccessPointConfiguration (p. 128)
• S3BucketAclGrantConfiguration (p. 129)
• S3BucketConfiguration (p. 130)
• S3PublicAccessBlockConfiguration (p. 132)
• SecretsManagerSecretConfiguration (p. 133)
• SortCriteria (p. 134)
• Span (p. 135)
• SqsQueueConfiguration (p. 136)
• StatusReason (p. 137)
• Substring (p. 138)
• Trail (p. 139)
• TrailProperties (p. 140)
• ValidatePolicyFinding (p. 141)
• ValidationExceptionField (p. 143)
• VpcConfiguration (p. 144)
AccessPreview
Contains information about an access preview.
Contents
analyzerArn
The ARN of the analyzer used to generate the access preview.
Type: String
Pattern: [^:]*:[^:]*:[^:]*:[^:]*:[^:]*:analyzer/.{1,255}
Required: Yes
configurations
A map of resource ARNs for the proposed resource configuration.
Type: String to Configuration (p. 99) object map
Required: Yes
createdAt
The time at which the access preview was created.
Type: Timestamp
Required: Yes
id
The unique ID for the access preview.
Type: String
Pattern: [a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}
Required: Yes
status
The status of the access preview.
• Creating - The access preview creation is in progress.
• Completed - The access preview is complete. You can preview findings for external access to the resource.
• Failed - The access preview creation has failed.
Type: String
Valid Values: COMPLETED | CREATING | FAILED
Required: Yes
statusReason
Provides more details about the current status of the access preview.
For example, if the creation of the access preview fails, a Failed status is returned. This failure can be due to an internal issue with the analysis or due to an invalid resource configuration.
Type: AccessPreviewStatusReason (p. 87) object
Required: No
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
AccessPreviewFinding
An access preview finding generated by the access preview.
Contents
action
The action in the analyzed policy statement that an external principal has permission to perform.
Type: Array of strings
Required: No
changeType
Provides context on how the access preview finding compares to existing access identified in IAM Access Analyzer.
• New - The finding is for newly-introduced access.
• Unchanged - The preview finding is an existing finding that would remain unchanged.
• Changed - The preview finding is an existing finding with a change in status.
For example, a Changed finding with preview status Resolved and existing status Active indicates the existing Active finding would become Resolved as a result of the proposed permissions change.
Type: String
Valid Values: CHANGED | NEW | UNCHANGED
Required: Yes
condition
The condition in the analyzed policy statement that resulted in a finding.
Type: String to string map
Required: No
createdAt
The time at which the access preview finding was created.
Type: Timestamp
Required: Yes
existingFindingId
The existing ID of the finding in IAM Access Analyzer, provided only for existing findings.
Type: String
Required: No
existingFindingStatus
The existing status of the finding, provided only for existing findings.
Type: String
Valid Values: ACTIVE | ARCHIVED | RESOLVED
Required: No
id
The ID of the access preview finding. This ID uniquely identifies the element in the list of access preview findings and is not related to the finding ID in Access Analyzer.
Type: String
Required: Yes
isPublic
Indicates whether the policy that generated the finding allows public access to the resource.
Type: Boolean
Required: No
principal
The external principal that has access to a resource within the zone of trust.
Type: String to string map
Required: No
resource
The resource that an external principal has access to. This is the resource associated with the access preview.
Type: String
Required: No
resourceOwnerAccount
The AWS account ID that owns the resource. For most AWS resources, the owning account is the account in which the resource was created.
Type: String
Required: Yes
resourceType
The type of the resource that can be accessed in the finding.
Type: String
Valid Values: AWS::S3::Bucket | AWS::IAM::Role | AWS::SQS::Queue | AWS::Lambda::Function | AWS::Lambda::LayerVersion | AWS::KMS::Key | AWS::SecretsManager::Secret
Required: Yes
sources
The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
Type: Array of FindingSource (p. 104) objects
Required: No
status
The preview status of the finding. This is what the status of the finding would be after permissions deployment. For example, a Changed finding with preview status Resolved and existing status Active indicates the existing Active finding would become Resolved as a result of the proposed permissions change.
Type: String
Valid Values: ACTIVE | ARCHIVED | RESOLVED
Required: Yes
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
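The AccessPreview status and AccessPreviewFinding fields above are what a deployment gate has to interpret: a preview is only usable once COMPLETED, and a finding's status is the post-deployment status while changeType and existingFindingStatus say how it differs from today. The following is an added example, not code from the API reference; it works on plain dicts with the field names above and assumes the GetAccessPreview and ListAccessPreviewFindings calls (for example via boto3) have already been made.

```python
"""Gate a deployment on an IAM Access Analyzer access preview.

Added example, not code from the API reference: it takes plain dicts shaped
like the AccessPreview and AccessPreviewFinding types (same field names;
fetching them with GetAccessPreview / ListAccessPreviewFindings is assumed to
have happened already) and reports what the proposed configuration would change.
"""
TERMINAL_CODES = {"INVALID_CONFIGURATION"}  # statusReason codes a retry will not fix

def preview_state(preview: dict) -> tuple:
    """Map AccessPreview.status/statusReason to (findings_usable, next_step)."""
    status = preview["status"]
    if status == "COMPLETED":
        return True, "evaluate findings"
    if status == "CREATING":
        return False, "poll again"
    code = preview.get("statusReason", {}).get("code", "UNKNOWN")
    return False, ("fix proposed configuration" if code in TERMINAL_CODES else f"retry ({code})")

def triage(findings: list) -> dict:
    """Bucket preview findings by what deploying the change would do: `status` is the
    post-deployment status; `changeType`/`existingFindingStatus` relate it to today's finding."""
    out = {"new_public": [], "new_external": [], "resolved": [], "unchanged": 0}
    for f in findings:
        key = f["resourceType"] + " " + f.get("resource", "?")
        if f["status"] == "ACTIVE" and f["changeType"] in ("NEW", "CHANGED"):
            out["new_public" if f.get("isPublic") else "new_external"].append(key)
        elif f["status"] == "RESOLVED" and f["changeType"] == "CHANGED":
            out["resolved"].append(key)  # an existing ACTIVE finding would go away
        elif f["changeType"] == "UNCHANGED":
            out["unchanged"] += 1
    return out

def should_block(summary: dict) -> bool:
    """Any newly granted access from outside the zone of trust blocks the deploy."""
    return bool(summary["new_public"] or summary["new_external"])

# Constructed sample responses (not real findings); account IDs and ARNs are placeholders.
SAMPLE_PREVIEW = {"status": "FAILED", "statusReason": {"code": "INVALID_CONFIGURATION"}}
SAMPLE_FINDINGS = [
    {"changeType": "NEW", "status": "ACTIVE", "isPublic": True, "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::example-bucket", "principal": {"AWS": "*"}, "action": ["s3:GetObject"]},
    {"changeType": "CHANGED", "status": "RESOLVED", "existingFindingStatus": "ACTIVE",
     "resourceType": "AWS::IAM::Role", "resource": "arn:aws:iam::111122223333:role/example-role"},
    {"changeType": "UNCHANGED", "status": "ACTIVE", "existingFindingStatus": "ACTIVE",
     "resourceType": "AWS::SQS::Queue", "resource": "arn:aws:sqs:us-east-1:111122223333:example-q"},
]
```

With the sample data, the preview itself reports an INVALID_CONFIGURATION failure (so the request must be corrected rather than retried), and triaging the sample findings flags the new public S3 access while crediting the role finding that would be resolved.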
AccessPreviewStatusReason
Provides more details about the current status of the access preview. For example, if the creation of the access preview fails, a Failed status is returned. This failure can be due to an internal issue with the analysis or due to an invalid proposed resource configuration.
Contents
code
The reason code for the current status of the access preview.
Type: String
Valid Values: INTERNAL_ERROR | INVALID_CONFIGURATION
Required: Yes
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
AccessPreviewSummary
Contains a summary of information about an access preview.
Contents
analyzerArn
The ARN of the analyzer used to generate the access preview.
Type: String
Pattern: [^:]*:[^:]*:[^:]*:[^:]*:[^:]*:analyzer/.{1,255}
Required: Yes
createdAt
The time at which the access preview was created.
Type: Timestamp
Required: Yes
id
The unique ID for the access preview.
Type: String
Pattern: [a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}
Required: Yes
status
The status of the access preview.
• Creating - The access preview creation is in progress.
• Completed - The access preview is complete and previews the findings for external access to the resource.
• Failed - The access preview creation has failed.
Type: String
Valid Values: COMPLETED | CREATING | FAILED
Required: Yes
statusReason
Provides more details about the current status of the access preview. For example, if the creation of the access preview fails, a Failed status is returned. This failure can be due to an internal issue with the analysis or due to an invalid proposed resource configuration.
Type: AccessPreviewStatusReason (p. 87) object
Required: No
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
AclGrantee
You specify each grantee as a type-value pair using one of these types. You can specify only one type of grantee. For more information, see PutBucketAcl.
Contents
id
The value specified is the canonical user ID of an AWS account.
Type: String
Required: No
uri
Used for granting permissions to a predefined group.
Type: String
Required: No
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
AnalyzedResource
Contains details about the analyzed resource.
Contents
actions
The actions that an external principal is granted permission to use by the policy that generated the finding.
Type: Array of strings
Required: No
analyzedAt
The time at which the resource was analyzed.
Type: Timestamp
Required: Yes
createdAt
The time at which the finding was created.
Type: Timestamp
Required: Yes
error
An error message.
Type: String
Required: No
isPublic
Indicates whether the policy that generated the finding grants public access to the resource.
Type: Boolean
Required: Yes
resourceArn
The ARN of the resource that was analyzed.
Type: String
Pattern: arn:[^:]*:[^:]*:[^:]*:[^:]*:.*
Required: Yes
resourceOwnerAccount
The AWS account ID that owns the resource.
Type: String
Required: Yes
resourceType
The type of the resource that was analyzed.
Type: String
Valid Values: AWS::S3::Bucket | AWS::IAM::Role | AWS::SQS::Queue | AWS::Lambda::Function | AWS::Lambda::LayerVersion | AWS::KMS::Key | AWS::SecretsManager::Secret
Required: Yes
sharedVia
Indicates how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.
Type: Array of strings
Required: No
status
The current status of the finding generated from the analyzed resource.
Type: String
Valid Values: ACTIVE | ARCHIVED | RESOLVED
Required: No
updatedAt
The time at which the finding was updated.
Type: Timestamp
Required: Yes
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
AnalyzedResourceSummary
Contains the ARN of the analyzed resource.
Contents
resourceArn
The ARN of the analyzed resource.
Type: String
Pattern: arn:[^:]*:[^:]*:[^:]*:[^:]*:.*
Required: Yes
resourceOwnerAccount
The AWS account ID that owns the resource.
Type: String
Required: Yes
resourceType
The type of resource that was analyzed.
Type: String
Valid Values: AWS::S3::Bucket | AWS::IAM::Role | AWS::SQS::Queue | AWS::Lambda::Function | AWS::Lambda::LayerVersion | AWS::KMS::Key | AWS::SecretsManager::Secret
Required: Yes
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
AnalyzerSummary
Contains information about the analyzer.
Contents
arn
The ARN of the analyzer.
Type: String
Pattern: [^:]*:[^:]*:[^:]*:[^:]*:[^:]*:analyzer/.{1,255}
Required: Yes
createdAt
A timestamp for the time at which the analyzer was created.
Type: Timestamp
Required: Yes
lastResourceAnalyzed
The resource that was most recently analyzed by the analyzer.
Type: String
Required: No
lastResourceAnalyzedAt
The time at which the most recently analyzed resource was analyzed.
Type: Timestamp
Required: No
name
The name of the analyzer.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 255.
Pattern: [A-Za-z][A-Za-z0-9_.-]*
Required: Yes
status
The status of the analyzer. An Active analyzer successfully monitors supported resources and generates new findings. The analyzer is Disabled when a user action, such as removing trusted access for AWS Identity and Access Management Access Analyzer from AWS Organizations, causes the analyzer to stop generating new findings. The status is Creating when the analyzer creation is in progress and Failed when the analyzer creation has failed.
Type: String
Valid Values: ACTIVE | CREATING | DISABLED | FAILED
Required: Yes
statusReason
The statusReason provides more details about the current status of the analyzer. For example, if the creation for the analyzer fails, a Failed status is returned. For an analyzer with organization as the type, this failure can be due to an issue with creating the service-linked roles required in the member accounts of the AWS organization.
Type: StatusReason (p. 137) object
Required: No
tags
The tags added to the analyzer.
Type: String to string map
Required: No
type
The type of analyzer, which corresponds to the zone of trust chosen for the analyzer.
Type: String
Valid Values: ACCOUNT | ORGANIZATION
Required: Yes
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
ArchiveRuleSummary
Contains information about an archive rule.
Contents
createdAt
The time at which the archive rule was created.
Type: Timestamp
Required: Yes
filter
A filter used to define the archive rule.
Type: String to Criterion (p. 100) object map
Required: Yes
ruleName
The name of the archive rule.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 255.
Pattern: [A-Za-z][A-Za-z0-9_.-]*
Required: Yes
updatedAt
The time at which the archive rule was last updated.
Type: Timestamp
Required: Yes
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
CloudTrailDetails
Contains information about CloudTrail access.
Contents
accessRole
The ARN of the service role that IAM Access Analyzer uses to access your CloudTrail trail and service last accessed information.
Type: String
Pattern: arn:[^:]*:iam::[^:]*:role/.{1,576}
Required: Yes
endTime
The end of the time range for which IAM Access Analyzer reviews your CloudTrail events. Events with a timestamp after this time are not considered to generate a policy. If this is not included in the request, the default value is the current time.
Type: Timestamp
Required: No
startTime
The start of the time range for which IAM Access Analyzer reviews your CloudTrail events. Events with a timestamp before this time are not considered to generate a policy.
Type: Timestamp
Required: Yes
trails
A Trail object that contains settings for a trail.
Type: Array of Trail (p. 139) objects
Required: Yes
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3
CloudTrailProperties
Contains information about CloudTrail access.
Contents
endTime
The end of the time range for which IAM Access Analyzer reviews your CloudTrail events. Events with a timestamp after this time are not considered to generate a policy. If this is not included in the request, the default value is the current time.
Type: Timestamp
Required: Yes
startTime
The start of the time range for which IAM Access Analyzer reviews your CloudTrail events. Events with a timestamp before this time are not considered to generate a policy.
Type: Timestamp
Required: Yes
trailProperties
A TrailProperties object that contains settings for trail properties.
Type: Array of TrailProperties (p. 140) objects
Required: Yes
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
• AWS SDK for C++
• AWS SDK for Go
• AWS SDK for Java V2
• AWS SDK for Ruby V3