AWS IAM Access Analyzer helps identify potential resource-access risks by enabling you to identify any policies that grant access to an external principal. It does this by using logic-based reasoning to analyze resource-based policies in your AWS environment. An external principal can be another AWS account, a root user, an IAM user or role, a federated user, an AWS service, or an anonymous user. This guide describes the AWS IAM Access Analyzer operations that you can call programmatically. For general information about Access Analyzer, see the AWS IAM Access Analyzer section of the IAM User Guide.
To start using Access Analyzer, you first need to create an analyzer.
", "operations": { "CreateAnalyzer": "Creates an analyzer for your account.
", "CreateArchiveRule": "Creates an archive rule for the specified analyzer. Archive rules automatically archive findings that meet the criteria you define when you create the rule.
", "DeleteAnalyzer": "Deletes the specified analyzer. When you delete an analyzer, Access Analyzer is disabled for the account in the current or specific Region. All findings that were generated by the analyzer are deleted. You cannot undo this action.
", "DeleteArchiveRule": "Deletes the specified archive rule.
", "GetAnalyzedResource": "Retrieves information about a resource that was analyzed.
", "GetAnalyzer": "Retrieves information about the specified analyzer.
", "GetArchiveRule": "Retrieves information about an archive rule.
", "GetFinding": "Retrieves information about the specified finding.
", "ListAnalyzedResources": "Retrieves a list of resources of the specified type that have been analyzed by the specified analyzer..
", "ListAnalyzers": "Retrieves a list of analyzers.
", "ListArchiveRules": "Retrieves a list of archive rules created for the specified analyzer.
", "ListFindings": "Retrieves a list of findings generated by the specified analyzer.
", "ListTagsForResource": "Retrieves a list of tags applied to the specified resource.
", "StartResourceScan": "Immediately starts a scan of the policies applied to the specified resource.
", "TagResource": "Adds a tag to the specified resource.
", "UntagResource": "Removes a tag from the specified resource.
", "UpdateArchiveRule": "Updates the criteria and values for the specified archive rule.
", "UpdateFindings": "Updates the status for the specified findings.
" }, "shapes": { "AccessDeniedException": { "base": "You do not have sufficient access to perform this action.
", "refs": { } }, "ActionList": { "base": null, "refs": { "AnalyzedResource$actions": "The actions that an external principal is granted permission to use by the policy that generated the finding.
", "Finding$action": "The action in the analyzed policy statement that an external principal has permission to use.
", "FindingSummary$action": "The action in the analyzed policy statement that an external principal has permission to use.
" } }, "AnalyzedResource": { "base": "Contains details about the analyzed resource.
", "refs": { "GetAnalyzedResourceResponse$resource": "An AnalyedResource object that contains information that Access Analyzer found when it analyzed the resource.
Contains the ARN of the analyzed resource.
", "refs": { "AnalyzedResourcesList$member": null } }, "AnalyzedResourcesList": { "base": null, "refs": { "ListAnalyzedResourcesResponse$analyzedResources": "A list of resources that were analyzed.
" } }, "AnalyzerArn": { "base": null, "refs": { "AnalyzerSummary$arn": "The ARN of the analyzer.
", "CreateAnalyzerResponse$arn": "The ARN of the analyzer that was created by the request.
", "GetAnalyzedResourceRequest$analyzerArn": "The ARN of the analyzer to retrieve information from.
", "GetFindingRequest$analyzerArn": "The ARN of the analyzer that generated the finding.
", "ListAnalyzedResourcesRequest$analyzerArn": "The ARN of the analyzer to retrieve a list of analyzed resources from.
", "ListFindingsRequest$analyzerArn": "The ARN of the analyzer to retrieve findings from.
", "StartResourceScanRequest$analyzerArn": "The ARN of the analyzer to use to scan the policies applied to the specified resource.
", "UpdateFindingsRequest$analyzerArn": "The ARN of the analyzer that generated the findings to update.
" } }, "AnalyzerStatus": { "base": null, "refs": { "AnalyzerSummary$status": "The status of the analyzer. An Active analyzer successfully monitors supported resources and generates new findings. The analyzer is Disabled when a user action, such as removing trusted access for IAM Access Analyzer from AWS Organizations, causes the analyzer to stop generating new findings. The status is Creating when the analyzer creation is in progress and Failed when the analyzer creation has failed.
Contains information about the analyzer.
", "refs": { "AnalyzersList$member": null, "GetAnalyzerResponse$analyzer": "An AnalyzerSummary object that contains information about the analyzer.
The analyzers retrieved.
" } }, "ArchiveRuleSummary": { "base": "Contains information about an archive rule.
", "refs": { "ArchiveRulesList$member": null, "GetArchiveRuleResponse$archiveRule": null } }, "ArchiveRulesList": { "base": null, "refs": { "ListArchiveRulesResponse$archiveRules": "A list of archive rules created for the specified analyzer.
" } }, "Boolean": { "base": null, "refs": { "AnalyzedResource$isPublic": "Indicates whether the policy that generated the finding grants public access to the resource.
", "Criterion$exists": "An \"exists\" operator to match for the filter used to create the rule.
", "Finding$isPublic": "Indicates whether the policy that generated the finding allows public access to the resource.
", "FindingSummary$isPublic": "Indicates whether the finding reports a resource that has a policy that allows public access.
" } }, "ConditionKeyMap": { "base": null, "refs": { "Finding$condition": "The condition in the analyzed policy statement that resulted in a finding.
", "FindingSummary$condition": "The condition in the analyzed policy statement that resulted in a finding.
" } }, "ConflictException": { "base": "A conflict exception error.
", "refs": { } }, "CreateAnalyzerRequest": { "base": "Creates an analyzer.
", "refs": { } }, "CreateAnalyzerResponse": { "base": "The response to the request to create an analyzer.
", "refs": { } }, "CreateArchiveRuleRequest": { "base": "Creates an archive rule.
", "refs": { } }, "Criterion": { "base": "The criteria to use in the filter that defines the archive rule.
", "refs": { "FilterCriteriaMap$value": null } }, "DeleteAnalyzerRequest": { "base": "Deletes an analyzer.
", "refs": { } }, "DeleteArchiveRuleRequest": { "base": "Deletes an archive rule.
", "refs": { } }, "FilterCriteriaMap": { "base": null, "refs": { "ArchiveRuleSummary$filter": "A filter used to define the archive rule.
", "CreateArchiveRuleRequest$filter": "The criteria for the rule.
", "InlineArchiveRule$filter": "The condition and values for a criterion.
", "ListFindingsRequest$filter": "A filter to match for the findings to return.
", "UpdateArchiveRuleRequest$filter": "A filter to match for the rules to update. Only rules that match the filter are updated.
" } }, "Finding": { "base": "Contains information about a finding.
", "refs": { "GetFindingResponse$finding": "A finding object that contains finding details.
The ID of the finding.
", "FindingIdList$member": null, "FindingSummary$id": "The ID of the finding.
", "GetFindingRequest$id": "The ID of the finding to retrieve.
" } }, "FindingIdList": { "base": null, "refs": { "UpdateFindingsRequest$ids": "The IDs of the findings to update.
" } }, "FindingSource": { "base": "The source of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
", "refs": { "FindingSourceList$member": null } }, "FindingSourceDetail": { "base": "Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.
", "refs": { "FindingSource$detail": "Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.
" } }, "FindingSourceList": { "base": null, "refs": { "Finding$sources": "The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
", "FindingSummary$sources": "The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
" } }, "FindingSourceType": { "base": null, "refs": { "FindingSource$type": "Indicates the type of access that generated the finding.
" } }, "FindingStatus": { "base": null, "refs": { "AnalyzedResource$status": "The current status of the finding generated from the analyzed resource.
", "Finding$status": "The current status of the finding.
", "FindingSummary$status": "The status of the finding.
" } }, "FindingStatusUpdate": { "base": null, "refs": { "UpdateFindingsRequest$status": "The state represents the action to take to update the finding Status. Use ARCHIVE to change an Active finding to an Archived finding. Use ACTIVE to change an Archived finding to an Active finding.
Contains information about a finding.
", "refs": { "FindingsList$member": null } }, "FindingsList": { "base": null, "refs": { "ListFindingsResponse$findings": "A list of findings retrieved from the analyzer that match the filter criteria specified, if any.
" } }, "GetAnalyzedResourceRequest": { "base": "Retrieves an analyzed resource.
", "refs": { } }, "GetAnalyzedResourceResponse": { "base": "The response to the request.
", "refs": { } }, "GetAnalyzerRequest": { "base": "Retrieves an analyzer.
", "refs": { } }, "GetAnalyzerResponse": { "base": "The response to the request.
", "refs": { } }, "GetArchiveRuleRequest": { "base": "Retrieves an archive rule.
", "refs": { } }, "GetArchiveRuleResponse": { "base": "The response to the request.
", "refs": { } }, "GetFindingRequest": { "base": "Retrieves a finding.
", "refs": { } }, "GetFindingResponse": { "base": "The response to the request.
", "refs": { } }, "InlineArchiveRule": { "base": "An criterion statement in an archive rule. Each archive rule may have multiple criteria.
", "refs": { "InlineArchiveRulesList$member": null } }, "InlineArchiveRulesList": { "base": null, "refs": { "CreateAnalyzerRequest$archiveRules": "Specifies the archive rules to add for the analyzer. Archive rules automatically archive findings that meet the criteria you define for the rule.
" } }, "Integer": { "base": null, "refs": { "InternalServerException$retryAfterSeconds": "The seconds to wait to retry.
", "ListAnalyzedResourcesRequest$maxResults": "The maximum number of results to return in the response.
", "ListAnalyzersRequest$maxResults": "The maximum number of results to return in the response.
", "ListArchiveRulesRequest$maxResults": "The maximum number of results to return in the request.
", "ListFindingsRequest$maxResults": "The maximum number of results to return in the response.
", "ThrottlingException$retryAfterSeconds": "The seconds to wait to retry.
" } }, "InternalServerException": { "base": "Internal server error.
", "refs": { } }, "ListAnalyzedResourcesRequest": { "base": "Retrieves a list of resources that have been analyzed.
", "refs": { } }, "ListAnalyzedResourcesResponse": { "base": "The response to the request.
", "refs": { } }, "ListAnalyzersRequest": { "base": "Retrieves a list of analyzers.
", "refs": { } }, "ListAnalyzersResponse": { "base": "The response to the request.
", "refs": { } }, "ListArchiveRulesRequest": { "base": "Retrieves a list of archive rules created for the specified analyzer.
", "refs": { } }, "ListArchiveRulesResponse": { "base": "The response to the request.
", "refs": { } }, "ListFindingsRequest": { "base": "Retrieves a list of findings generated by the specified analyzer.
", "refs": { } }, "ListFindingsResponse": { "base": "The response to the request.
", "refs": { } }, "ListTagsForResourceRequest": { "base": "Retrieves a list of tags applied to the specified resource.
", "refs": { } }, "ListTagsForResourceResponse": { "base": "The response to the request.
", "refs": { } }, "Name": { "base": null, "refs": { "AnalyzerSummary$name": "The name of the analyzer.
", "ArchiveRuleSummary$ruleName": "The name of the archive rule.
", "CreateAnalyzerRequest$analyzerName": "The name of the analyzer to create.
", "CreateArchiveRuleRequest$analyzerName": "The name of the created analyzer.
", "CreateArchiveRuleRequest$ruleName": "The name of the rule to create.
", "DeleteAnalyzerRequest$analyzerName": "The name of the analyzer to delete.
", "DeleteArchiveRuleRequest$analyzerName": "The name of the analyzer that associated with the archive rule to delete.
", "DeleteArchiveRuleRequest$ruleName": "The name of the rule to delete.
", "GetAnalyzerRequest$analyzerName": "The name of the analyzer retrieved.
", "GetArchiveRuleRequest$analyzerName": "The name of the analyzer to retrieve rules from.
", "GetArchiveRuleRequest$ruleName": "The name of the rule to retrieve.
", "InlineArchiveRule$ruleName": "The name of the rule.
", "ListArchiveRulesRequest$analyzerName": "The name of the analyzer to retrieve rules from.
", "UpdateArchiveRuleRequest$analyzerName": "The name of the analyzer to update the archive rules for.
", "UpdateArchiveRuleRequest$ruleName": "The name of the rule to update.
" } }, "OrderBy": { "base": null, "refs": { "SortCriteria$orderBy": "The sort order, ascending or descending.
" } }, "PrincipalMap": { "base": null, "refs": { "Finding$principal": "The external principal that access to a resource within the zone of trust.
", "FindingSummary$principal": "The external principal that has access to a resource within the zone of trust.
" } }, "ReasonCode": { "base": null, "refs": { "StatusReason$code": "The reason code for the current status of the analyzer.
" } }, "ResourceArn": { "base": null, "refs": { "AnalyzedResource$resourceArn": "The ARN of the resource that was analyzed.
", "AnalyzedResourceSummary$resourceArn": "The ARN of the analyzed resource.
", "GetAnalyzedResourceRequest$resourceArn": "The ARN of the resource to retrieve information about.
", "StartResourceScanRequest$resourceArn": "The ARN of the resource to scan.
", "UpdateFindingsRequest$resourceArn": "The ARN of the resource identified in the finding.
" } }, "ResourceNotFoundException": { "base": "The specified resource could not be found.
", "refs": { } }, "ResourceType": { "base": null, "refs": { "AnalyzedResource$resourceType": "The type of the resource that was analyzed.
", "AnalyzedResourceSummary$resourceType": "The type of resource that was analyzed.
", "Finding$resourceType": "The type of the resource reported in the finding.
", "FindingSummary$resourceType": "The type of the resource that the external principal has access to.
", "ListAnalyzedResourcesRequest$resourceType": "The type of resource.
" } }, "ServiceQuotaExceededException": { "base": "Service quote met error.
", "refs": { } }, "SharedViaList": { "base": null, "refs": { "AnalyzedResource$sharedVia": "Indicates how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.
" } }, "SortCriteria": { "base": "The criteria used to sort.
", "refs": { "ListFindingsRequest$sort": "The sort order for the findings returned.
" } }, "StartResourceScanRequest": { "base": "Starts a scan of the policies applied to the specified resource.
", "refs": { } }, "StatusReason": { "base": "Provides more details about the current status of the analyzer. For example, if the creation for the analyzer fails, a Failed status is displayed. For an analyzer with organization as the type, this failure can be due to an issue with creating the service-linked roles required in the member accounts of the AWS organization.
The statusReason provides more details about the current status of the analyzer. For example, if the creation for the analyzer fails, a Failed status is displayed. For an analyzer with organization as the type, this failure can be due to an issue with creating the service-linked roles required in the member accounts of the AWS organization.
An error message.
", "AnalyzedResource$resourceOwnerAccount": "The AWS account ID that owns the resource.
", "AnalyzedResourceSummary$resourceOwnerAccount": "The AWS account ID that owns the resource.
", "AnalyzerSummary$lastResourceAnalyzed": "The resource that was most recently analyzed by the analyzer.
", "ConditionKeyMap$key": null, "ConditionKeyMap$value": null, "ConflictException$message": null, "ConflictException$resourceId": "The ID of the resource.
", "ConflictException$resourceType": "The resource type.
", "CreateAnalyzerRequest$clientToken": "A client token.
", "CreateArchiveRuleRequest$clientToken": "A client token.
", "DeleteAnalyzerRequest$clientToken": "A client token.
", "DeleteArchiveRuleRequest$clientToken": "A client token.
", "FilterCriteriaMap$key": null, "Finding$error": "An error.
", "Finding$resource": "The resource that an external principal has access to.
", "Finding$resourceOwnerAccount": "The AWS account ID that owns the resource.
", "FindingSourceDetail$accessPointArn": "The ARN of the access point that generated the finding.
", "FindingSummary$error": "The error that resulted in an Error finding.
", "FindingSummary$resource": "The resource that the external principal has access to.
", "FindingSummary$resourceOwnerAccount": "The AWS account ID that owns the resource.
", "InternalServerException$message": null, "ListTagsForResourceRequest$resourceArn": "The ARN of the resource to retrieve tags from.
", "PrincipalMap$key": null, "PrincipalMap$value": null, "ResourceNotFoundException$message": null, "ResourceNotFoundException$resourceId": "The ID of the resource.
", "ResourceNotFoundException$resourceType": "The type of the resource.
", "ServiceQuotaExceededException$message": null, "ServiceQuotaExceededException$resourceId": "The resource ID.
", "ServiceQuotaExceededException$resourceType": "The resource type.
", "SharedViaList$member": null, "SortCriteria$attributeName": "The name of the attribute to sort on.
", "TagKeys$member": null, "TagResourceRequest$resourceArn": "The ARN of the resource to add the tag to.
", "TagsMap$key": null, "TagsMap$value": null, "ThrottlingException$message": null, "UntagResourceRequest$resourceArn": "The ARN of the resource to remove the tag from.
", "UpdateArchiveRuleRequest$clientToken": "A client token.
", "UpdateFindingsRequest$clientToken": "A client token.
", "ValidationException$message": null, "ValidationExceptionField$message": "A message about the validation exception.
", "ValidationExceptionField$name": "The name of the validation exception.
", "ValueList$member": null } }, "TagKeys": { "base": null, "refs": { "UntagResourceRequest$tagKeys": "The key for the tag to add.
" } }, "TagResourceRequest": { "base": "Adds a tag to the specified resource.
", "refs": { } }, "TagResourceResponse": { "base": "The response to the request.
", "refs": { } }, "TagsMap": { "base": null, "refs": { "AnalyzerSummary$tags": "The tags added to the analyzer.
", "CreateAnalyzerRequest$tags": "The tags to apply to the analyzer.
", "ListTagsForResourceResponse$tags": "The tags that are applied to the specified resource.
", "TagResourceRequest$tags": "The tags to add to the resource.
" } }, "ThrottlingException": { "base": "Throttling limit exceeded error.
", "refs": { } }, "Timestamp": { "base": null, "refs": { "AnalyzedResource$analyzedAt": "The time at which the resource was analyzed.
", "AnalyzedResource$createdAt": "The time at which the finding was created.
", "AnalyzedResource$updatedAt": "The time at which the finding was updated.
", "AnalyzerSummary$createdAt": "A timestamp for the time at which the analyzer was created.
", "AnalyzerSummary$lastResourceAnalyzedAt": "The time at which the most recently analyzed resource was analyzed.
", "ArchiveRuleSummary$createdAt": "The time at which the archive rule was created.
", "ArchiveRuleSummary$updatedAt": "The time at which the archive rule was last updated.
", "Finding$analyzedAt": "The time at which the resource was analyzed.
", "Finding$createdAt": "The time at which the finding was generated.
", "Finding$updatedAt": "The time at which the finding was updated.
", "FindingSummary$analyzedAt": "The time at which the resource-based policy that generated the finding was analyzed.
", "FindingSummary$createdAt": "The time at which the finding was created.
", "FindingSummary$updatedAt": "The time at which the finding was most recently updated.
" } }, "Token": { "base": null, "refs": { "ListAnalyzedResourcesRequest$nextToken": "A token used for pagination of results returned.
", "ListAnalyzedResourcesResponse$nextToken": "A token used for pagination of results returned.
", "ListAnalyzersRequest$nextToken": "A token used for pagination of results returned.
", "ListAnalyzersResponse$nextToken": "A token used for pagination of results returned.
", "ListArchiveRulesRequest$nextToken": "A token used for pagination of results returned.
", "ListArchiveRulesResponse$nextToken": "A token used for pagination of results returned.
", "ListFindingsRequest$nextToken": "A token used for pagination of results returned.
", "ListFindingsResponse$nextToken": "A token used for pagination of results returned.
" } }, "Type": { "base": null, "refs": { "AnalyzerSummary$type": "The type of analyzer, which corresponds to the zone of trust chosen for the analyzer.
", "CreateAnalyzerRequest$type": "The type of analyzer to create. Only ACCOUNT analyzers are supported. You can create only one analyzer per account per Region.
", "ListAnalyzersRequest$type": "The type of analyzer.
" } }, "UntagResourceRequest": { "base": "Removes a tag from the specified resource.
", "refs": { } }, "UntagResourceResponse": { "base": "The response to the request.
", "refs": { } }, "UpdateArchiveRuleRequest": { "base": "Updates the specified archive rule.
", "refs": { } }, "UpdateFindingsRequest": { "base": "Updates findings with the new values provided in the request.
", "refs": { } }, "ValidationException": { "base": "Validation exception error.
", "refs": { } }, "ValidationExceptionField": { "base": "Contains information about a validation exception.
", "refs": { "ValidationExceptionFieldList$member": null } }, "ValidationExceptionFieldList": { "base": null, "refs": { "ValidationException$fieldList": "A list of fields that didn't validate.
" } }, "ValidationExceptionReason": { "base": null, "refs": { "ValidationException$reason": "The reason for the exception.
" } }, "ValueList": { "base": null, "refs": { "Criterion$contains": "A \"contains\" operator to match for the filter used to create the rule.
", "Criterion$eq": "An \"equals\" operator to match for the filter used to create the rule.
", "Criterion$neq": "A \"not equals\" operator to match for the filter used to create the rule.
" } } } }