IAM Access Analyzer

(1)

IAM Access Analyzer

API Reference

API Version 2019-11-01

(2)

IAM Access Analyzer: API Reference

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be aﬃliated with, connected to, or sponsored by Amazon.

(3)

Welcome

AWS Identity and Access Management Access Analyzer helps identify potential resource-access risks by enabling you to identify any policies that grant access to an external principal. It does this by using logic-based reasoning to analyze resource-based policies in your AWS environment. An external principal can be another AWS account, a root user, an IAM user or role, a federated user, an AWS service, or an anonymous user. You can also use IAM Access Analyzer to preview and validate public and cross-account access to your resources before deploying permissions changes. This guide describes the AWS Identity and Access Management Access Analyzer operations that you can call programmatically. For general information about IAM Access Analyzer, see AWS Identity and Access Management Access Analyzer in the IAM User Guide.

To start using IAM Access Analyzer, you ﬁrst need to create an analyzer.

This document was last published on March 6, 2022.

(11)

Actions

The following actions are supported:

• ApplyArchiveRule (p. 3)

• CancelPolicyGeneration (p. 5)

• CreateAccessPreview (p. 7)

• CreateAnalyzer (p. 11)

• CreateArchiveRule (p. 14)

• DeleteAnalyzer (p. 17)

• DeleteArchiveRule (p. 19)

• GetAccessPreview (p. 21)

• GetAnalyzedResource (p. 24)

• GetAnalyzer (p. 26)

• GetArchiveRule (p. 28)

• GetFinding (p. 31)

• GetGeneratedPolicy (p. 34)

• ListAccessPreviewFindings (p. 37)

• ListAccessPreviews (p. 41)

• ListAnalyzedResources (p. 44)

• ListAnalyzers (p. 47)

• ListArchiveRules (p. 50)

• ListFindings (p. 53)

• ListPolicyGenerations (p. 57)

• ListTagsForResource (p. 59)

• StartPolicyGeneration (p. 61)

• StartResourceScan (p. 64)

• TagResource (p. 66)

• UntagResource (p. 68)

• UpdateArchiveRule (p. 70)

• UpdateFindings (p. 73)

• ValidatePolicy (p. 76)

(12)

ApplyArchiveRule

Retroactively applies the archive rule to existing ﬁndings that meet the archive rule criteria.

Request Syntax

PUT /archive-rule HTTP/1.1 Content-type: application/json { "analyzerArn": "string", "clientToken": "string", "ruleName": "string"

}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

analyzerArn (p. 3)

The Amazon resource name (ARN) of the analyzer.

Type: String

Pattern: [^:]*:[^:]*:[^:]*:[^:]*:[^:]*:analyzer/.{1,255}

Required: Yes clientToken (p. 3) A client token.

Type: String Required: No ruleName (p. 3)

The name of the rule to apply.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 255.

Pattern: [A-Za-z][A-Za-z0-9_.-]*

Required: Yes

Response Syntax

HTTP/1.1 200

(13)

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

Errors

For information about the errors that are common to all actions, see Common Errors (p. 147).

AccessDeniedException

You do not have suﬃcient access to perform this action.

HTTP Status Code: 403 InternalServerException

Internal server error.

HTTP Status Code: 500 ResourceNotFoundException

The speciﬁed resource could not be found.

HTTP Status Code: 404 ThrottlingException

Throttling limit exceeded error.

HTTP Status Code: 429 ValidationException

Validation exception error.

HTTP Status Code: 400

CancelPolicyGeneration

Cancels the requested policy generation.

Request Syntax

PUT /policy/generation/jobId HTTP/1.1

URI Request Parameters

The request uses the following URI parameters.

jobId (p. 5)

The JobId that is returned by the StartPolicyGeneration operation. The JobId can be used with GetGeneratedPolicy to retrieve the generated policies or used with CancelPolicyGeneration to cancel the policy generation request.

Required: Yes

Request Body

The request does not have a request body.

Response Syntax

HTTP/1.1 200

Response Elements

Errors

(15)

See Also

ValidationException

CreateAccessPreview

Creates an access preview that allows you to preview IAM Access Analyzer ﬁndings for your resource before deploying resource permissions.

Request Syntax

PUT /access-preview HTTP/1.1 Content-type: application/json { "analyzerArn": "string", "clientToken": "string", "configurations": { "string" : { "iamRole": {

"trustPolicy": "string"

},

"kmsKey": { "grants": [ {

"constraints": {

"encryptionContextEquals": { "string" : "string"

},

"encryptionContextSubset": { "string" : "string"

} },

"granteePrincipal": "string", "issuingAccount": "string", "operations": [ "string" ], "retiringPrincipal": "string"

} ],

"keyPolicies": { "string" : "string"

} },

"s3Bucket": {

"accessPoints": { "string" : {

"accessPointPolicy": "string", "networkOrigin": {

"internetConfiguration": { },

"vpcConfiguration": { "vpcId": "string"

} },

"publicAccessBlock": {

"ignorePublicAcls": boolean, "restrictPublicBuckets": boolean }

} },

"bucketAclGrants": [ {

"grantee": { "id": "string", "uri": "string"

},

(17)

URI Request Parameters

"permission": "string"

} ],

"bucketPolicy": "string", "bucketPublicAccessBlock": { "ignorePublicAcls": boolean, "restrictPublicBuckets": boolean }

},

"secretsManagerSecret": { "kmsKeyId": "string", "secretPolicy": "string"

},

"sqsQueue": {

"queuePolicy": "string"

} } }}

URI Request Parameters

Request Body

The ARN of the account analyzer used to generate the access preview. You can only create an access preview for analyzers with an Account type and Active status.

Type: String

Required: Yes clientToken (p. 7) A client token.

Type: String Required: No conﬁgurations (p. 7)

Access control configuration for your resource that is used to generate the access preview. The access preview includes findings for external access allowed to the resource with the proposed access control configuration. The configuration must contain exactly one element.

Type: String to Conﬁguration (p. 99) object map Required: Yes

Response Syntax

HTTP/1.1 200

(18)

Response Elements

Content-type: application/json { "id": "string"

}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

id (p. 8)

The unique ID for the access preview.

Type: String

Pattern: [a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}

Errors

HTTP Status Code: 403 ConﬂictException

A conﬂict exception error.

HTTP Status Code: 404 ServiceQuotaExceededException

Service quote met error.

(19)

See Also

CreateAnalyzer

Creates an analyzer for your account.

Request Syntax

PUT /analyzer HTTP/1.1

Content-type: application/json { "analyzerName": "string", "archiveRules": [ {

"filter": { "string" : {

"contains": [ "string" ], "eq": [ "string" ], "exists": boolean, "neq": [ "string" ] }

},

"ruleName": "string"

} ],

"clientToken": "string", "tags": {

"string" : "string"

},

"type": "string"

}

URI Request Parameters

Request Body

analyzerName (p. 11)

The name of the analyzer to create.

Type: String

Required: Yes archiveRules (p. 11)

Specifies the archive rules to add for the analyzer. Archive rules automatically archive findings that meet the criteria you define for the rule.

Type: Array of InlineArchiveRule (p. 113) objects Required: No

(21)

Response Syntax

clientToken (p. 11) A client token.

Type: String Required: No tags (p. 11)

The tags to apply to the analyzer.

Type: String to string map Required: No

type (p. 11)

The type of analyzer to create. Only ACCOUNT and ORGANIZATION analyzers are supported. You can create only one analyzer per account per Region. You can create up to 5 analyzers per organization per Region.

Type: String

Valid Values: ACCOUNT | ORGANIZATION Required: Yes

Response Syntax

HTTP/1.1 200

Content-type: application/json { "arn": "string"

}

Response Elements

arn (p. 12)

The ARN of the analyzer that was created by the request.

Type: String

Errors

(22)

See Also

CreateArchiveRule

Creates an archive rule for the specified analyzer. Archive rules automatically archive new findings that meet the criteria you define when you create the rule.

To learn about ﬁlter keys that you can use to create an archive rule, see IAM Access Analyzer ﬁlter keys in the IAM User Guide.

Request Syntax

PUT /analyzer/analyzerName/archive-rule HTTP/1.1 Content-type: application/json

{ "clientToken": "string", "filter": {

"string" : {

},

"ruleName": "string"

}

URI Request Parameters

The name of the created analyzer.

Required: Yes

Request Body

clientToken (p. 14) A client token.

Type: String Required: No ﬁlter (p. 14)

The criteria for the rule.

Type: String to Criterion (p. 100) object map

(24)

Response Syntax

Required: Yes ruleName (p. 14)

The name of the rule to create.

Type: String

Required: Yes

Response Syntax

HTTP/1.1 200

Response Elements

Errors

(25)

See Also

ValidationException

DeleteAnalyzer

Deletes the specified analyzer. When you delete an analyzer, IAM Access Analyzer is disabled for the account or organization in the current or specific Region. All findings that were generated by the analyzer are deleted. You cannot undo this action.

Request Syntax

DELETE /analyzer/analyzerName?clientToken=clientToken HTTP/1.1

URI Request Parameters

The name of the analyzer to delete.

Required: Yes clientToken (p. 17)

A client token.

Request Body

Response Syntax

HTTP/1.1 200

Response Elements

Errors

(27)

See Also

DeleteArchiveRule

Deletes the speciﬁed archive rule.

Request Syntax

DELETE /analyzer/analyzerName/archive-rule/ruleName?clientToken=clientToken HTTP/1.1

URI Request Parameters

The name of the analyzer that associated with the archive rule to delete.

Required: Yes clientToken (p. 19)

A client token.

ruleName (p. 19)

The name of the rule to delete.

Required: Yes

Request Body

Response Syntax

HTTP/1.1 200

Response Elements

Errors

(29)

See Also

GetAccessPreview

Retrieves information about an access preview for the speciﬁed analyzer.

Request Syntax

GET /access-preview/accessPreviewId?analyzerArn=analyzerArn HTTP/1.1

URI Request Parameters

accessPreviewId (p. 21)

Required: Yes analyzerArn (p. 21)

The ARN of the analyzer used to generate the access preview.

Required: Yes

Request Body

Response Syntax

HTTP/1.1 200

Content-type: application/json { "accessPreview": {

"analyzerArn": "string", "configurations": { "string" : { "iamRole": {

"trustPolicy": "string"

},

"kmsKey": { "grants": [ {

"constraints": {

"encryptionContextEquals": { "string" : "string"

},

"encryptionContextSubset": { "string" : "string"

} },

"granteePrincipal": "string",

(31)

Response Elements

"issuingAccount": "string", "operations": [ "string" ], "retiringPrincipal": "string"

} ],

"keyPolicies": { "string" : "string"

} },

"s3Bucket": { "accessPoints": { "string" : {

"accessPointPolicy": "string", "networkOrigin": {

"internetConfiguration": { },

"vpcConfiguration": { "vpcId": "string"

} },

"publicAccessBlock": {

"ignorePublicAcls": boolean, "restrictPublicBuckets": boolean }

} },

"bucketAclGrants": [ {

"grantee": { "id": "string", "uri": "string"

},

"permission": "string"

} ],

"bucketPolicy": "string", "bucketPublicAccessBlock": { "ignorePublicAcls": boolean, "restrictPublicBuckets": boolean }

},

"secretsManagerSecret": { "kmsKeyId": "string", "secretPolicy": "string"

},

"sqsQueue": {

"queuePolicy": "string"

} } },

"createdAt": number, "id": "string", "status": "string", "statusReason": { "code": "string"

} }}

Response Elements

(32)

Errors

accessPreview (p. 21)

An object that contains information about the access preview.

Type: AccessPreview (p. 82) object

Errors

GetAnalyzedResource

Retrieves information about a resource that was analyzed.

Request Syntax

GET /analyzed-resource?analyzerArn=analyzerArn&resourceArn=resourceArn HTTP/1.1

URI Request Parameters

The ARN of the analyzer to retrieve information from.

Required: Yes resourceArn (p. 24)

The ARN of the resource to retrieve information about.

Pattern: arn:[^:]*:[^:]*:[^:]*:[^:]*:.*

Required: Yes

Request Body

Response Syntax

HTTP/1.1 200

Content-type: application/json {

"resource": {

"actions": [ "string" ], "analyzedAt": number, "createdAt": number, "error": "string", "isPublic": boolean, "resourceArn": "string",

"resourceOwnerAccount": "string", "resourceType": "string",

"sharedVia": [ "string" ], "status": "string",

"updatedAt": number }

}

Response Elements

(34)

Errors

resource (p. 24)

An AnalyzedResource object that contains information that IAM Access Analyzer found when it analyzed the resource.

Type: AnalyzedResource (p. 91) object

Errors

GetAnalyzer

Retrieves information about the speciﬁed analyzer.

Request Syntax

GET /analyzer/analyzerName HTTP/1.1

URI Request Parameters

The name of the analyzer retrieved.

Required: Yes

Request Body

Response Syntax

HTTP/1.1 200

"analyzer": { "arn": "string", "createdAt": number,

"lastResourceAnalyzed": "string", "lastResourceAnalyzedAt": number, "name": "string",

"status": "string", "statusReason": { "code": "string"

},

"tags": {

"string" : "string"

},

"type": "string"

} }

Response Elements

(36)

Errors

analyzer (p. 26)

An AnalyzerSummary object that contains information about the analyzer.

Type: AnalyzerSummary (p. 94) object

Errors

GetArchiveRule

Retrieves information about an archive rule.

To learn about ﬁlter keys that you can use to create an archive rule, see IAM Access Analyzer ﬁlter keys in the IAM User Guide.

Request Syntax

GET /analyzer/analyzerName/archive-rule/ruleName HTTP/1.1

URI Request Parameters

The name of the analyzer to retrieve rules from.

Required: Yes ruleName (p. 28)

The name of the rule to retrieve.

Required: Yes

Request Body

Response Syntax

HTTP/1.1 200

Content-type: application/json { "archiveRule": {

"createdAt": number, "filter": {

"string" : {

},

"ruleName": "string",

(38)

Response Elements

"updatedAt": number }}

Response Elements

archiveRule (p. 28)

Contains information about an archive rule.

Type: ArchiveRuleSummary (p. 96) object

Errors

GetFinding

Retrieves information about the speciﬁed ﬁnding.

Request Syntax

GET /finding/id?analyzerArn=analyzerArn HTTP/1.1

URI Request Parameters

The ARN of the analyzer that generated the ﬁnding.

Required: Yes id (p. 31)

The ID of the ﬁnding to retrieve.

Required: Yes

Request Body

Response Syntax

HTTP/1.1 200

"finding": {

"action": [ "string" ], "analyzedAt": number, "condition": {

},

"createdAt": number, "error": "string", "id": "string", "isPublic": boolean, "principal": {

},

"resource": "string",

"sources": [ {

"detail": {

"accessPointArn": "string"

(41)

Response Elements

},

"type": "string"

} ],

"status": "string", "updatedAt": number }}

Response Elements

ﬁnding (p. 31)

A finding object that contains ﬁnding details.

Type: Finding (p. 101) object

Errors

GetGeneratedPolicy

Retrieves the policy that was generated using StartPolicyGeneration.

Request Syntax

GET /policy/generation/jobId?

includeResourcePlaceholders=includeResourcePlaceholders&includeServiceLevelTemplate=includeServiceLevelTemplate HTTP/1.1

URI Request Parameters

includeResourcePlaceholders (p. 34)

The level of detail that you want to generate. You can specify whether to generate policies with placeholders for resource ARNs for actions that support resource level granularity in policies.

For example, in the resource section of a policy, you can receive a placeholder such as

"Resource":"arn:aws:s3:::${BucketName}" instead of "*".

includeServiceLevelTemplate (p. 34)

The level of detail that you want to generate. You can specify whether to generate service-level policies.

IAM Access Analyzer uses iam:servicelastaccessed to identify services that have been used recently to create this service-level template.

jobId (p. 34)

The JobId that is returned by the StartPolicyGeneration operation. The JobId can be used with GetGeneratedPolicy to retrieve the generated policies or used with CancelPolicyGeneration to cancel the policy generation request.

Required: Yes

Request Body

Response Syntax

HTTP/1.1 200

Content-type: application/json { "generatedPolicyResult": { "generatedPolicies": [ {

"policy": "string"

} ],

"properties": {

"cloudTrailProperties": {

(44)

Response Elements

"endTime": number, "startTime": number, "trailProperties": [ {

"allRegions": boolean, "cloudTrailArn": "string", "regions": [ "string" ] }

] },

"isComplete": boolean, "principalArn": "string"

} },

"jobDetails": {

"completedOn": number, "jobError": {

"code": "string", "message": "string"

},

"jobId": "string", "startedOn": number, "status": "string"

} }

Response Elements

generatedPolicyResult (p. 34)

A GeneratedPolicyResult object that contains the generated policies and associated details.

Type: GeneratedPolicyResult (p. 111) object jobDetails (p. 34)

A GeneratedPolicyDetails object that contains details about the generated policy.

Type: JobDetails (p. 115) object

Errors

(45)

See Also

ListAccessPreviewFindings

Retrieves a list of access preview ﬁndings generated by the speciﬁed access preview.

Request Syntax

POST /access-preview/accessPreviewId HTTP/1.1 Content-type: application/json

{

"analyzerArn": "string", "filter": {

"string" : {

},

"maxResults": number, "nextToken": "string"

}

URI Request Parameters

accessPreviewId (p. 37)

Required: Yes

Request Body

The ARN of the analyzer used to generate the access.

Type: String

Required: Yes ﬁlter (p. 37)

Criteria to ﬁlter the returned ﬁndings.

Type: String to Criterion (p. 100) object map Required: No

(47)

Response Syntax

maxResults (p. 37)

The maximum number of results to return in the response.

Type: Integer Required: No nextToken (p. 37)

A token used for pagination of results returned.

Type: String Required: No

Response Syntax

HTTP/1.1 200

Content-type: application/json { "findings": [

{

"action": [ "string" ], "changeType": "string", "condition": {

},

"createdAt": number, "error": "string",

"existingFindingId": "string", "existingFindingStatus": "string", "id": "string",

"isPublic": boolean, "principal": {

},

"resource": "string",

"sources": [ {

"detail": {

"accessPointArn": "string"

},

"type": "string"

} ],

"status": "string"

} ],

"nextToken": "string"

}

Response Elements

(48)

Errors

ﬁndings (p. 38)

A list of access preview findings that match the specified filter criteria.

Type: Array of AccessPreviewFinding (p. 84) objects nextToken (p. 38)

Type: String

Errors

ListAccessPreviews

Retrieves a list of access previews for the speciﬁed analyzer.

Request Syntax

GET /access-preview?analyzerArn=analyzerArn&maxResults=maxResults&nextToken=nextToken HTTP/1.1

URI Request Parameters

The ARN of the analyzer used to generate the access preview.

Required: Yes maxResults (p. 41)

nextToken (p. 41)

Request Body

Response Syntax

HTTP/1.1 200

Content-type: application/json { "accessPreviews": [

{

"analyzerArn": "string", "createdAt": number, "id": "string", "status": "string", "statusReason": { "code": "string"

} } ],

}

Response Elements

(51)

Errors

accessPreviews (p. 41)

A list of access previews retrieved for the analyzer.

Type: Array of AccessPreviewSummary (p. 88) objects nextToken (p. 41)

Type: String

Errors

ListAnalyzedResources

Retrieves a list of resources of the speciﬁed type that have been analyzed by the speciﬁed analyzer..

Request Syntax

POST /analyzed-resource HTTP/1.1 Content-type: application/json { "analyzerArn": "string", "maxResults": number, "nextToken": "string", "resourceType": "string"

}

URI Request Parameters

Request Body

The ARN of the analyzer to retrieve a list of analyzed resources from.

Type: String

Type: Integer Required: No nextToken (p. 44)

Type: String Required: No resourceType (p. 44)

The type of resource.

Type: String

(54)

Response Syntax

Required: No

Response Syntax

HTTP/1.1 200

Content-type: application/json { "analyzedResources": [ {

"resourceArn": "string",

"resourceOwnerAccount": "string", "resourceType": "string"

} ],

}

Response Elements

analyzedResources (p. 45)

A list of resources that were analyzed.

Type: Array of AnalyzedResourceSummary (p. 93) objects nextToken (p. 45)

Type: String

Errors

(55)

See Also

ListAnalyzers

Retrieves a list of analyzers.

Request Syntax

GET /analyzer?maxResults=maxResults&nextToken=nextToken&type=type HTTP/1.1

URI Request Parameters

type (p. 47)

The type of analyzer.

Valid Values: ACCOUNT | ORGANIZATION

Request Body

Response Syntax

HTTP/1.1 200

Content-type: application/json { "analyzers": [

{

"arn": "string", "createdAt": number,

"lastResourceAnalyzed": "string", "lastResourceAnalyzedAt": number, "name": "string",

"status": "string", "statusReason": { "code": "string"

},

"tags": {

},

"type": "string"

} ],

}

(57)

Response Elements

analyzers (p. 47)

The analyzers retrieved.

Type: Array of AnalyzerSummary (p. 94) objects nextToken (p. 47)

Type: String

Errors

ListArchiveRules

Retrieves a list of archive rules created for the speciﬁed analyzer.

Request Syntax

GET /analyzer/analyzerName/archive-rule?maxResults=maxResults&nextToken=nextToken HTTP/1.1

URI Request Parameters

The name of the analyzer to retrieve rules from.

The maximum number of results to return in the request.

Request Body

Response Syntax

HTTP/1.1 200

Content-type: application/json { "archiveRules": [

{

"createdAt": number, "filter": {

"string" : {

},

"ruleName": "string", "updatedAt": number }

],

}

(60)

Response Elements

archiveRules (p. 50)

A list of archive rules created for the speciﬁed analyzer.

Type: Array of ArchiveRuleSummary (p. 96) objects nextToken (p. 50)

Type: String

Errors

ListFindings

Retrieves a list of ﬁndings generated by the speciﬁed analyzer.

To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys in the IAM User Guide.

Request Syntax

POST /finding HTTP/1.1

Content-type: application/json { "analyzerArn": "string", "filter": {

"string" : {

},

"maxResults": number, "nextToken": "string", "sort": {

"attributeName": "string", "orderBy": "string"

}}

URI Request Parameters

Request Body

The ARN of the analyzer to retrieve ﬁndings from.

Type: String

Required: Yes ﬁlter (p. 53)

A ﬁlter to match for the ﬁndings to return.

Type: String to Criterion (p. 100) object map Required: No

IAM Access Analyzer

IAM Access Analyzer

API Reference

API Version 2019-11-01

IAM Access Analyzer: API Reference

Table of Contents

Welcome

Actions

ApplyArchiveRule

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

CancelPolicyGeneration

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

CreateAccessPreview

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

CreateAnalyzer

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

CreateArchiveRule

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

DeleteAnalyzer

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

DeleteArchiveRule

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

GetAccessPreview

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also

GetAnalyzedResource

Request Syntax

URI Request Parameters

Request Body

Response Syntax

Response Elements

Errors

See Also