View Source aws_accessanalyzer (aws v1.0.4)
Identity and Access Management Access Analyzer helps you to set, verify, and refine your IAM policies by providing a suite of capabilities.
Its features include findings for external and unused access, basic and custom policy checks for validating policies, and policy generation to generate fine-grained policies. To start using IAM Access Analyzer to identify external or unused access, you first need to create an analyzer.
External access analyzers help identify potential risks of accessing resources by enabling you to identify any resource policies that grant access to an external principal. It does this by using logic-based reasoning to analyze resource-based policies in your Amazon Web Services environment. An external principal can be another Amazon Web Services account, a root user, an IAM user or role, a federated user, an Amazon Web Services service, or an anonymous user. You can also use IAM Access Analyzer to preview public and cross-account access to your resources before deploying permissions changes.
Unused access analyzers help identify potential identity access risks by enabling you to identify unused IAM roles, unused access keys, unused console passwords, and IAM principals with unused service and action-level permissions.
Beyond findings, IAM Access Analyzer provides basic and custom policy checks to validate IAM policies before deploying permissions changes. You can use policy generation to refine permissions by attaching a policy generated using access activity logged in CloudTrail logs.
This guide describes the IAM Access Analyzer operations that you can call programmatically. For general information about IAM Access Analyzer, see Identity and Access Management Access Analyzer: https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html in the IAM User Guide.Summary
Functions
Checks whether new access is allowed for an updated policy when compared to the existing policy.
Creates an archive rule for the specified analyzer.
Deletes the specified analyzer.
Retrieves information about an archive rule.
StartPolicyGeneration
.Retrieves a list of findings generated by the specified analyzer.
Retrieves a list of findings generated by the specified analyzer.
Requests the validation of a policy and returns a list of findings.
Functions
Checks whether new access is allowed for an updated policy when compared to the existing policy.
You can find examples for reference policies and learn how to set up and run a custom policy check for new access in the IAM Access Analyzer custom policy checks samples: https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples repository on GitHub. The reference policies in this repository are meant to be passed to theexistingPolicyDocument
request parameter.
Creates an archive rule for the specified analyzer.
Archive rules automatically archive new findings that meet the criteria you define when you create the rule.
To learn about filter keys that you can use to create an archive rule, see IAM Access Analyzer filter keys: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-filter-keys.html in the IAM User Guide.Deletes the specified analyzer.
When you delete an analyzer, IAM Access Analyzer is disabled for the account or organization in the current or specific Region. All findings that were generated by the analyzer are deleted. You cannot undo this action.delete_archive_rule(Client, AnalyzerName, RuleName, Input0, Options0)
View Sourceget_access_preview(Client, AccessPreviewId, AnalyzerArn, QueryMap, HeadersMap)
View Sourceget_access_preview(Client, AccessPreviewId, AnalyzerArn, QueryMap, HeadersMap, Options0)
View Sourceget_analyzed_resource(Client, AnalyzerArn, ResourceArn, QueryMap, HeadersMap)
View Sourceget_analyzed_resource(Client, AnalyzerArn, ResourceArn, QueryMap, HeadersMap, Options0)
View Sourceget_analyzer(Client, AnalyzerName, QueryMap, HeadersMap, Options0)
View SourceRetrieves information about an archive rule.
To learn about filter keys that you can use to create an archive rule, see IAM Access Analyzer filter keys: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-filter-keys.html in the IAM User Guide.get_archive_rule(Client, AnalyzerName, RuleName, QueryMap, HeadersMap)
View Sourceget_archive_rule(Client, AnalyzerName, RuleName, QueryMap, HeadersMap, Options0)
View Sourceget_finding(Client, Id, AnalyzerArn, QueryMap, HeadersMap, Options0)
View Sourceget_finding_v2(Client, Id, AnalyzerArn, QueryMap, HeadersMap, Options0)
View SourceStartPolicyGeneration
.
get_generated_policy(Client, JobId, QueryMap, HeadersMap, Options0)
View Sourcelist_access_preview_findings(Client, AccessPreviewId, Input0, Options0)
View Sourcelist_access_previews(Client, AnalyzerArn, QueryMap, HeadersMap, Options0)
View Sourcelist_archive_rules(Client, AnalyzerName, QueryMap, HeadersMap, Options0)
View SourceRetrieves a list of findings generated by the specified analyzer.
To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-filter-keys.html in the IAM User Guide.Retrieves a list of findings generated by the specified analyzer.
To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-filter-keys.html in the IAM User Guide.list_tags_for_resource(Client, ResourceArn, QueryMap, HeadersMap, Options0)
View Sourceupdate_archive_rule(Client, AnalyzerName, RuleName, Input0, Options0)
View SourceRequests the validation of a policy and returns a list of findings.
The findings help you identify issues and provide actionable recommendations to resolve the issue and enable you to author functional policies that meet security best practices.