/ cloudformation-templates / node_modules / aws-cdk / node_modules / aws-sdk / clients / accessanalyzer.d.ts
accessanalyzer.d.ts
1 import {Request} from '../lib/request'; 2 import {Response} from '../lib/response'; 3 import {AWSError} from '../lib/error'; 4 import {Service} from '../lib/service'; 5 import {ServiceConfigurationOptions} from '../lib/service'; 6 import {ConfigBase as Config} from '../lib/config-base'; 7 interface Blob {} 8 declare class AccessAnalyzer extends Service { 9 /** 10 * Constructs a service object. This object has one method for each API operation. 11 */ 12 constructor(options?: AccessAnalyzer.Types.ClientConfiguration) 13 config: Config & AccessAnalyzer.Types.ClientConfiguration; 14 /** 15 * Retroactively applies the archive rule to existing findings that meet the archive rule criteria. 16 */ 17 applyArchiveRule(params: AccessAnalyzer.Types.ApplyArchiveRuleRequest, callback?: (err: AWSError, data: {}) => void): Request<{}, AWSError>; 18 /** 19 * Retroactively applies the archive rule to existing findings that meet the archive rule criteria. 20 */ 21 applyArchiveRule(callback?: (err: AWSError, data: {}) => void): Request<{}, AWSError>; 22 /** 23 * Cancels the requested policy generation. 24 */ 25 cancelPolicyGeneration(params: AccessAnalyzer.Types.CancelPolicyGenerationRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.CancelPolicyGenerationResponse) => void): Request<AccessAnalyzer.Types.CancelPolicyGenerationResponse, AWSError>; 26 /** 27 * Cancels the requested policy generation. 28 */ 29 cancelPolicyGeneration(callback?: (err: AWSError, data: AccessAnalyzer.Types.CancelPolicyGenerationResponse) => void): Request<AccessAnalyzer.Types.CancelPolicyGenerationResponse, AWSError>; 30 /** 31 * Creates an access preview that allows you to preview Access Analyzer findings for your resource before deploying resource permissions. 32 */ 33 createAccessPreview(params: AccessAnalyzer.Types.CreateAccessPreviewRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.CreateAccessPreviewResponse) => void): Request<AccessAnalyzer.Types.CreateAccessPreviewResponse, AWSError>; 34 /** 35 * Creates an access preview that allows you to preview Access Analyzer findings for your resource before deploying resource permissions. 36 */ 37 createAccessPreview(callback?: (err: AWSError, data: AccessAnalyzer.Types.CreateAccessPreviewResponse) => void): Request<AccessAnalyzer.Types.CreateAccessPreviewResponse, AWSError>; 38 /** 39 * Creates an analyzer for your account. 40 */ 41 createAnalyzer(params: AccessAnalyzer.Types.CreateAnalyzerRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.CreateAnalyzerResponse) => void): Request<AccessAnalyzer.Types.CreateAnalyzerResponse, AWSError>; 42 /** 43 * Creates an analyzer for your account. 44 */ 45 createAnalyzer(callback?: (err: AWSError, data: AccessAnalyzer.Types.CreateAnalyzerResponse) => void): Request<AccessAnalyzer.Types.CreateAnalyzerResponse, AWSError>; 46 /** 47 * Creates an archive rule for the specified analyzer. Archive rules automatically archive new findings that meet the criteria you define when you create the rule. To learn about filter keys that you can use to create an archive rule, see Access Analyzer filter keys in the IAM User Guide. 48 */ 49 createArchiveRule(params: AccessAnalyzer.Types.CreateArchiveRuleRequest, callback?: (err: AWSError, data: {}) => void): Request<{}, AWSError>; 50 /** 51 * Creates an archive rule for the specified analyzer. Archive rules automatically archive new findings that meet the criteria you define when you create the rule. To learn about filter keys that you can use to create an archive rule, see Access Analyzer filter keys in the IAM User Guide. 52 */ 53 createArchiveRule(callback?: (err: AWSError, data: {}) => void): Request<{}, AWSError>; 54 /** 55 * Deletes the specified analyzer. When you delete an analyzer, Access Analyzer is disabled for the account or organization in the current or specific Region. All findings that were generated by the analyzer are deleted. You cannot undo this action. 56 */ 57 deleteAnalyzer(params: AccessAnalyzer.Types.DeleteAnalyzerRequest, callback?: (err: AWSError, data: {}) => void): Request<{}, AWSError>; 58 /** 59 * Deletes the specified analyzer. When you delete an analyzer, Access Analyzer is disabled for the account or organization in the current or specific Region. All findings that were generated by the analyzer are deleted. You cannot undo this action. 60 */ 61 deleteAnalyzer(callback?: (err: AWSError, data: {}) => void): Request<{}, AWSError>; 62 /** 63 * Deletes the specified archive rule. 64 */ 65 deleteArchiveRule(params: AccessAnalyzer.Types.DeleteArchiveRuleRequest, callback?: (err: AWSError, data: {}) => void): Request<{}, AWSError>; 66 /** 67 * Deletes the specified archive rule. 68 */ 69 deleteArchiveRule(callback?: (err: AWSError, data: {}) => void): Request<{}, AWSError>; 70 /** 71 * Retrieves information about an access preview for the specified analyzer. 72 */ 73 getAccessPreview(params: AccessAnalyzer.Types.GetAccessPreviewRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.GetAccessPreviewResponse) => void): Request<AccessAnalyzer.Types.GetAccessPreviewResponse, AWSError>; 74 /** 75 * Retrieves information about an access preview for the specified analyzer. 76 */ 77 getAccessPreview(callback?: (err: AWSError, data: AccessAnalyzer.Types.GetAccessPreviewResponse) => void): Request<AccessAnalyzer.Types.GetAccessPreviewResponse, AWSError>; 78 /** 79 * Retrieves information about a resource that was analyzed. 80 */ 81 getAnalyzedResource(params: AccessAnalyzer.Types.GetAnalyzedResourceRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.GetAnalyzedResourceResponse) => void): Request<AccessAnalyzer.Types.GetAnalyzedResourceResponse, AWSError>; 82 /** 83 * Retrieves information about a resource that was analyzed. 84 */ 85 getAnalyzedResource(callback?: (err: AWSError, data: AccessAnalyzer.Types.GetAnalyzedResourceResponse) => void): Request<AccessAnalyzer.Types.GetAnalyzedResourceResponse, AWSError>; 86 /** 87 * Retrieves information about the specified analyzer. 88 */ 89 getAnalyzer(params: AccessAnalyzer.Types.GetAnalyzerRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.GetAnalyzerResponse) => void): Request<AccessAnalyzer.Types.GetAnalyzerResponse, AWSError>; 90 /** 91 * Retrieves information about the specified analyzer. 92 */ 93 getAnalyzer(callback?: (err: AWSError, data: AccessAnalyzer.Types.GetAnalyzerResponse) => void): Request<AccessAnalyzer.Types.GetAnalyzerResponse, AWSError>; 94 /** 95 * Retrieves information about an archive rule. To learn about filter keys that you can use to create an archive rule, see Access Analyzer filter keys in the IAM User Guide. 96 */ 97 getArchiveRule(params: AccessAnalyzer.Types.GetArchiveRuleRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.GetArchiveRuleResponse) => void): Request<AccessAnalyzer.Types.GetArchiveRuleResponse, AWSError>; 98 /** 99 * Retrieves information about an archive rule. To learn about filter keys that you can use to create an archive rule, see Access Analyzer filter keys in the IAM User Guide. 100 */ 101 getArchiveRule(callback?: (err: AWSError, data: AccessAnalyzer.Types.GetArchiveRuleResponse) => void): Request<AccessAnalyzer.Types.GetArchiveRuleResponse, AWSError>; 102 /** 103 * Retrieves information about the specified finding. 104 */ 105 getFinding(params: AccessAnalyzer.Types.GetFindingRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.GetFindingResponse) => void): Request<AccessAnalyzer.Types.GetFindingResponse, AWSError>; 106 /** 107 * Retrieves information about the specified finding. 108 */ 109 getFinding(callback?: (err: AWSError, data: AccessAnalyzer.Types.GetFindingResponse) => void): Request<AccessAnalyzer.Types.GetFindingResponse, AWSError>; 110 /** 111 * Retrieves the policy that was generated using StartPolicyGeneration. 112 */ 113 getGeneratedPolicy(params: AccessAnalyzer.Types.GetGeneratedPolicyRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.GetGeneratedPolicyResponse) => void): Request<AccessAnalyzer.Types.GetGeneratedPolicyResponse, AWSError>; 114 /** 115 * Retrieves the policy that was generated using StartPolicyGeneration. 116 */ 117 getGeneratedPolicy(callback?: (err: AWSError, data: AccessAnalyzer.Types.GetGeneratedPolicyResponse) => void): Request<AccessAnalyzer.Types.GetGeneratedPolicyResponse, AWSError>; 118 /** 119 * Retrieves a list of access preview findings generated by the specified access preview. 120 */ 121 listAccessPreviewFindings(params: AccessAnalyzer.Types.ListAccessPreviewFindingsRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.ListAccessPreviewFindingsResponse) => void): Request<AccessAnalyzer.Types.ListAccessPreviewFindingsResponse, AWSError>; 122 /** 123 * Retrieves a list of access preview findings generated by the specified access preview. 124 */ 125 listAccessPreviewFindings(callback?: (err: AWSError, data: AccessAnalyzer.Types.ListAccessPreviewFindingsResponse) => void): Request<AccessAnalyzer.Types.ListAccessPreviewFindingsResponse, AWSError>; 126 /** 127 * Retrieves a list of access previews for the specified analyzer. 128 */ 129 listAccessPreviews(params: AccessAnalyzer.Types.ListAccessPreviewsRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.ListAccessPreviewsResponse) => void): Request<AccessAnalyzer.Types.ListAccessPreviewsResponse, AWSError>; 130 /** 131 * Retrieves a list of access previews for the specified analyzer. 132 */ 133 listAccessPreviews(callback?: (err: AWSError, data: AccessAnalyzer.Types.ListAccessPreviewsResponse) => void): Request<AccessAnalyzer.Types.ListAccessPreviewsResponse, AWSError>; 134 /** 135 * Retrieves a list of resources of the specified type that have been analyzed by the specified analyzer.. 136 */ 137 listAnalyzedResources(params: AccessAnalyzer.Types.ListAnalyzedResourcesRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.ListAnalyzedResourcesResponse) => void): Request<AccessAnalyzer.Types.ListAnalyzedResourcesResponse, AWSError>; 138 /** 139 * Retrieves a list of resources of the specified type that have been analyzed by the specified analyzer.. 140 */ 141 listAnalyzedResources(callback?: (err: AWSError, data: AccessAnalyzer.Types.ListAnalyzedResourcesResponse) => void): Request<AccessAnalyzer.Types.ListAnalyzedResourcesResponse, AWSError>; 142 /** 143 * Retrieves a list of analyzers. 144 */ 145 listAnalyzers(params: AccessAnalyzer.Types.ListAnalyzersRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.ListAnalyzersResponse) => void): Request<AccessAnalyzer.Types.ListAnalyzersResponse, AWSError>; 146 /** 147 * Retrieves a list of analyzers. 148 */ 149 listAnalyzers(callback?: (err: AWSError, data: AccessAnalyzer.Types.ListAnalyzersResponse) => void): Request<AccessAnalyzer.Types.ListAnalyzersResponse, AWSError>; 150 /** 151 * Retrieves a list of archive rules created for the specified analyzer. 152 */ 153 listArchiveRules(params: AccessAnalyzer.Types.ListArchiveRulesRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.ListArchiveRulesResponse) => void): Request<AccessAnalyzer.Types.ListArchiveRulesResponse, AWSError>; 154 /** 155 * Retrieves a list of archive rules created for the specified analyzer. 156 */ 157 listArchiveRules(callback?: (err: AWSError, data: AccessAnalyzer.Types.ListArchiveRulesResponse) => void): Request<AccessAnalyzer.Types.ListArchiveRulesResponse, AWSError>; 158 /** 159 * Retrieves a list of findings generated by the specified analyzer. To learn about filter keys that you can use to retrieve a list of findings, see Access Analyzer filter keys in the IAM User Guide. 160 */ 161 listFindings(params: AccessAnalyzer.Types.ListFindingsRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.ListFindingsResponse) => void): Request<AccessAnalyzer.Types.ListFindingsResponse, AWSError>; 162 /** 163 * Retrieves a list of findings generated by the specified analyzer. To learn about filter keys that you can use to retrieve a list of findings, see Access Analyzer filter keys in the IAM User Guide. 164 */ 165 listFindings(callback?: (err: AWSError, data: AccessAnalyzer.Types.ListFindingsResponse) => void): Request<AccessAnalyzer.Types.ListFindingsResponse, AWSError>; 166 /** 167 * Lists all of the policy generations requested in the last seven days. 168 */ 169 listPolicyGenerations(params: AccessAnalyzer.Types.ListPolicyGenerationsRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.ListPolicyGenerationsResponse) => void): Request<AccessAnalyzer.Types.ListPolicyGenerationsResponse, AWSError>; 170 /** 171 * Lists all of the policy generations requested in the last seven days. 172 */ 173 listPolicyGenerations(callback?: (err: AWSError, data: AccessAnalyzer.Types.ListPolicyGenerationsResponse) => void): Request<AccessAnalyzer.Types.ListPolicyGenerationsResponse, AWSError>; 174 /** 175 * Retrieves a list of tags applied to the specified resource. 176 */ 177 listTagsForResource(params: AccessAnalyzer.Types.ListTagsForResourceRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.ListTagsForResourceResponse) => void): Request<AccessAnalyzer.Types.ListTagsForResourceResponse, AWSError>; 178 /** 179 * Retrieves a list of tags applied to the specified resource. 180 */ 181 listTagsForResource(callback?: (err: AWSError, data: AccessAnalyzer.Types.ListTagsForResourceResponse) => void): Request<AccessAnalyzer.Types.ListTagsForResourceResponse, AWSError>; 182 /** 183 * Starts the policy generation request. 184 */ 185 startPolicyGeneration(params: AccessAnalyzer.Types.StartPolicyGenerationRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.StartPolicyGenerationResponse) => void): Request<AccessAnalyzer.Types.StartPolicyGenerationResponse, AWSError>; 186 /** 187 * Starts the policy generation request. 188 */ 189 startPolicyGeneration(callback?: (err: AWSError, data: AccessAnalyzer.Types.StartPolicyGenerationResponse) => void): Request<AccessAnalyzer.Types.StartPolicyGenerationResponse, AWSError>; 190 /** 191 * Immediately starts a scan of the policies applied to the specified resource. 192 */ 193 startResourceScan(params: AccessAnalyzer.Types.StartResourceScanRequest, callback?: (err: AWSError, data: {}) => void): Request<{}, AWSError>; 194 /** 195 * Immediately starts a scan of the policies applied to the specified resource. 196 */ 197 startResourceScan(callback?: (err: AWSError, data: {}) => void): Request<{}, AWSError>; 198 /** 199 * Adds a tag to the specified resource. 200 */ 201 tagResource(params: AccessAnalyzer.Types.TagResourceRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.TagResourceResponse) => void): Request<AccessAnalyzer.Types.TagResourceResponse, AWSError>; 202 /** 203 * Adds a tag to the specified resource. 204 */ 205 tagResource(callback?: (err: AWSError, data: AccessAnalyzer.Types.TagResourceResponse) => void): Request<AccessAnalyzer.Types.TagResourceResponse, AWSError>; 206 /** 207 * Removes a tag from the specified resource. 208 */ 209 untagResource(params: AccessAnalyzer.Types.UntagResourceRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.UntagResourceResponse) => void): Request<AccessAnalyzer.Types.UntagResourceResponse, AWSError>; 210 /** 211 * Removes a tag from the specified resource. 212 */ 213 untagResource(callback?: (err: AWSError, data: AccessAnalyzer.Types.UntagResourceResponse) => void): Request<AccessAnalyzer.Types.UntagResourceResponse, AWSError>; 214 /** 215 * Updates the criteria and values for the specified archive rule. 216 */ 217 updateArchiveRule(params: AccessAnalyzer.Types.UpdateArchiveRuleRequest, callback?: (err: AWSError, data: {}) => void): Request<{}, AWSError>; 218 /** 219 * Updates the criteria and values for the specified archive rule. 220 */ 221 updateArchiveRule(callback?: (err: AWSError, data: {}) => void): Request<{}, AWSError>; 222 /** 223 * Updates the status for the specified findings. 224 */ 225 updateFindings(params: AccessAnalyzer.Types.UpdateFindingsRequest, callback?: (err: AWSError, data: {}) => void): Request<{}, AWSError>; 226 /** 227 * Updates the status for the specified findings. 228 */ 229 updateFindings(callback?: (err: AWSError, data: {}) => void): Request<{}, AWSError>; 230 /** 231 * Requests the validation of a policy and returns a list of findings. The findings help you identify issues and provide actionable recommendations to resolve the issue and enable you to author functional policies that meet security best practices. 232 */ 233 validatePolicy(params: AccessAnalyzer.Types.ValidatePolicyRequest, callback?: (err: AWSError, data: AccessAnalyzer.Types.ValidatePolicyResponse) => void): Request<AccessAnalyzer.Types.ValidatePolicyResponse, AWSError>; 234 /** 235 * Requests the validation of a policy and returns a list of findings. The findings help you identify issues and provide actionable recommendations to resolve the issue and enable you to author functional policies that meet security best practices. 236 */ 237 validatePolicy(callback?: (err: AWSError, data: AccessAnalyzer.Types.ValidatePolicyResponse) => void): Request<AccessAnalyzer.Types.ValidatePolicyResponse, AWSError>; 238 } 239 declare namespace AccessAnalyzer { 240 export type AccessPointArn = string; 241 export type AccessPointPolicy = string; 242 export interface AccessPreview { 243 /** 244 * The ARN of the analyzer used to generate the access preview. 245 */ 246 analyzerArn: AnalyzerArn; 247 /** 248 * A map of resource ARNs for the proposed resource configuration. 249 */ 250 configurations: ConfigurationsMap; 251 /** 252 * The time at which the access preview was created. 253 */ 254 createdAt: Timestamp; 255 /** 256 * The unique ID for the access preview. 257 */ 258 id: AccessPreviewId; 259 /** 260 * The status of the access preview. Creating - The access preview creation is in progress. Completed - The access preview is complete. You can preview findings for external access to the resource. Failed - The access preview creation has failed. 261 */ 262 status: AccessPreviewStatus; 263 /** 264 * Provides more details about the current status of the access preview. For example, if the creation of the access preview fails, a Failed status is returned. This failure can be due to an internal issue with the analysis or due to an invalid resource configuration. 265 */ 266 statusReason?: AccessPreviewStatusReason; 267 } 268 export interface AccessPreviewFinding { 269 /** 270 * The action in the analyzed policy statement that an external principal has permission to perform. 271 */ 272 action?: ActionList; 273 /** 274 * Provides context on how the access preview finding compares to existing access identified in Access Analyzer. New - The finding is for newly-introduced access. Unchanged - The preview finding is an existing finding that would remain unchanged. Changed - The preview finding is an existing finding with a change in status. For example, a Changed finding with preview status Resolved and existing status Active indicates the existing Active finding would become Resolved as a result of the proposed permissions change. 275 */ 276 changeType: FindingChangeType; 277 /** 278 * The condition in the analyzed policy statement that resulted in a finding. 279 */ 280 condition?: ConditionKeyMap; 281 /** 282 * The time at which the access preview finding was created. 283 */ 284 createdAt: Timestamp; 285 /** 286 * An error. 287 */ 288 error?: String; 289 /** 290 * The existing ID of the finding in Access Analyzer, provided only for existing findings. 291 */ 292 existingFindingId?: FindingId; 293 /** 294 * The existing status of the finding, provided only for existing findings. 295 */ 296 existingFindingStatus?: FindingStatus; 297 /** 298 * The ID of the access preview finding. This ID uniquely identifies the element in the list of access preview findings and is not related to the finding ID in Access Analyzer. 299 */ 300 id: AccessPreviewFindingId; 301 /** 302 * Indicates whether the policy that generated the finding allows public access to the resource. 303 */ 304 isPublic?: Boolean; 305 /** 306 * The external principal that has access to a resource within the zone of trust. 307 */ 308 principal?: PrincipalMap; 309 /** 310 * The resource that an external principal has access to. This is the resource associated with the access preview. 311 */ 312 resource?: String; 313 /** 314 * The AWS account ID that owns the resource. For most AWS resources, the owning account is the account in which the resource was created. 315 */ 316 resourceOwnerAccount: String; 317 /** 318 * The type of the resource that can be accessed in the finding. 319 */ 320 resourceType: ResourceType; 321 /** 322 * The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings. 323 */ 324 sources?: FindingSourceList; 325 /** 326 * The preview status of the finding. This is what the status of the finding would be after permissions deployment. For example, a Changed finding with preview status Resolved and existing status Active indicates the existing Active finding would become Resolved as a result of the proposed permissions change. 327 */ 328 status: FindingStatus; 329 } 330 export type AccessPreviewFindingId = string; 331 export type AccessPreviewFindingsList = AccessPreviewFinding[]; 332 export type AccessPreviewId = string; 333 export type AccessPreviewStatus = "COMPLETED"|"CREATING"|"FAILED"|string; 334 export interface AccessPreviewStatusReason { 335 /** 336 * The reason code for the current status of the access preview. 337 */ 338 code: AccessPreviewStatusReasonCode; 339 } 340 export type AccessPreviewStatusReasonCode = "INTERNAL_ERROR"|"INVALID_CONFIGURATION"|string; 341 export interface AccessPreviewSummary { 342 /** 343 * The ARN of the analyzer used to generate the access preview. 344 */ 345 analyzerArn: AnalyzerArn; 346 /** 347 * The time at which the access preview was created. 348 */ 349 createdAt: Timestamp; 350 /** 351 * The unique ID for the access preview. 352 */ 353 id: AccessPreviewId; 354 /** 355 * The status of the access preview. Creating - The access preview creation is in progress. Completed - The access preview is complete and previews the findings for external access to the resource. Failed - The access preview creation has failed. 356 */ 357 status: AccessPreviewStatus; 358 statusReason?: AccessPreviewStatusReason; 359 } 360 export type AccessPreviewsList = AccessPreviewSummary[]; 361 export type AclCanonicalId = string; 362 export interface AclGrantee { 363 /** 364 * The value specified is the canonical user ID of an AWS account. 365 */ 366 id?: AclCanonicalId; 367 /** 368 * Used for granting permissions to a predefined group. 369 */ 370 uri?: AclUri; 371 } 372 export type AclPermission = "READ"|"WRITE"|"READ_ACP"|"WRITE_ACP"|"FULL_CONTROL"|string; 373 export type AclUri = string; 374 export type ActionList = String[]; 375 export interface AnalyzedResource { 376 /** 377 * The actions that an external principal is granted permission to use by the policy that generated the finding. 378 */ 379 actions?: ActionList; 380 /** 381 * The time at which the resource was analyzed. 382 */ 383 analyzedAt: Timestamp; 384 /** 385 * The time at which the finding was created. 386 */ 387 createdAt: Timestamp; 388 /** 389 * An error message. 390 */ 391 error?: String; 392 /** 393 * Indicates whether the policy that generated the finding grants public access to the resource. 394 */ 395 isPublic: Boolean; 396 /** 397 * The ARN of the resource that was analyzed. 398 */ 399 resourceArn: ResourceArn; 400 /** 401 * The AWS account ID that owns the resource. 402 */ 403 resourceOwnerAccount: String; 404 /** 405 * The type of the resource that was analyzed. 406 */ 407 resourceType: ResourceType; 408 /** 409 * Indicates how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings. 410 */ 411 sharedVia?: SharedViaList; 412 /** 413 * The current status of the finding generated from the analyzed resource. 414 */ 415 status?: FindingStatus; 416 /** 417 * The time at which the finding was updated. 418 */ 419 updatedAt: Timestamp; 420 } 421 export interface AnalyzedResourceSummary { 422 /** 423 * The ARN of the analyzed resource. 424 */ 425 resourceArn: ResourceArn; 426 /** 427 * The AWS account ID that owns the resource. 428 */ 429 resourceOwnerAccount: String; 430 /** 431 * The type of resource that was analyzed. 432 */ 433 resourceType: ResourceType; 434 } 435 export type AnalyzedResourcesList = AnalyzedResourceSummary[]; 436 export type AnalyzerArn = string; 437 export type AnalyzerStatus = "ACTIVE"|"CREATING"|"DISABLED"|"FAILED"|string; 438 export interface AnalyzerSummary { 439 /** 440 * The ARN of the analyzer. 441 */ 442 arn: AnalyzerArn; 443 /** 444 * A timestamp for the time at which the analyzer was created. 445 */ 446 createdAt: Timestamp; 447 /** 448 * The resource that was most recently analyzed by the analyzer. 449 */ 450 lastResourceAnalyzed?: String; 451 /** 452 * The time at which the most recently analyzed resource was analyzed. 453 */ 454 lastResourceAnalyzedAt?: Timestamp; 455 /** 456 * The name of the analyzer. 457 */ 458 name: Name; 459 /** 460 * The status of the analyzer. An Active analyzer successfully monitors supported resources and generates new findings. The analyzer is Disabled when a user action, such as removing trusted access for AWS IAM Access Analyzer from AWS Organizations, causes the analyzer to stop generating new findings. The status is Creating when the analyzer creation is in progress and Failed when the analyzer creation has failed. 461 */ 462 status: AnalyzerStatus; 463 /** 464 * The statusReason provides more details about the current status of the analyzer. For example, if the creation for the analyzer fails, a Failed status is returned. For an analyzer with organization as the type, this failure can be due to an issue with creating the service-linked roles required in the member accounts of the AWS organization. 465 */ 466 statusReason?: StatusReason; 467 /** 468 * The tags added to the analyzer. 469 */ 470 tags?: TagsMap; 471 /** 472 * The type of analyzer, which corresponds to the zone of trust chosen for the analyzer. 473 */ 474 type: Type; 475 } 476 export type AnalyzersList = AnalyzerSummary[]; 477 export interface ApplyArchiveRuleRequest { 478 /** 479 * The Amazon resource name (ARN) of the analyzer. 480 */ 481 analyzerArn: AnalyzerArn; 482 /** 483 * A client token. 484 */ 485 clientToken?: String; 486 /** 487 * The name of the rule to apply. 488 */ 489 ruleName: Name; 490 } 491 export interface ArchiveRuleSummary { 492 /** 493 * The time at which the archive rule was created. 494 */ 495 createdAt: Timestamp; 496 /** 497 * A filter used to define the archive rule. 498 */ 499 filter: FilterCriteriaMap; 500 /** 501 * The name of the archive rule. 502 */ 503 ruleName: Name; 504 /** 505 * The time at which the archive rule was last updated. 506 */ 507 updatedAt: Timestamp; 508 } 509 export type ArchiveRulesList = ArchiveRuleSummary[]; 510 export type Boolean = boolean; 511 export interface CancelPolicyGenerationRequest { 512 /** 513 * The JobId that is returned by the StartPolicyGeneration operation. The JobId can be used with GetGeneratedPolicy to retrieve the generated policies or used with CancelPolicyGeneration to cancel the policy generation request. 514 */ 515 jobId: JobId; 516 } 517 export interface CancelPolicyGenerationResponse { 518 } 519 export type CloudTrailArn = string; 520 export interface CloudTrailDetails { 521 /** 522 * The ARN of the service role that Access Analyzer uses to access your CloudTrail trail and service last accessed information. 523 */ 524 accessRole: RoleArn; 525 /** 526 * The end of the time range for which Access Analyzer reviews your CloudTrail events. Events with a timestamp after this time are not considered to generate a policy. If this is not included in the request, the default value is the current time. 527 */ 528 endTime?: Timestamp; 529 /** 530 * The start of the time range for which Access Analyzer reviews your CloudTrail events. Events with a timestamp before this time are not considered to generate a policy. 531 */ 532 startTime: Timestamp; 533 /** 534 * A Trail object that contains settings for a trail. 535 */ 536 trails: TrailList; 537 } 538 export interface CloudTrailProperties { 539 /** 540 * The end of the time range for which Access Analyzer reviews your CloudTrail events. Events with a timestamp after this time are not considered to generate a policy. If this is not included in the request, the default value is the current time. 541 */ 542 endTime: Timestamp; 543 /** 544 * The start of the time range for which Access Analyzer reviews your CloudTrail events. Events with a timestamp before this time are not considered to generate a policy. 545 */ 546 startTime: Timestamp; 547 /** 548 * A TrailProperties object that contains settings for trail properties. 549 */ 550 trailProperties: TrailPropertiesList; 551 } 552 export type ConditionKeyMap = {[key: string]: String}; 553 export interface Configuration { 554 /** 555 * The access control configuration is for an IAM role. 556 */ 557 iamRole?: IamRoleConfiguration; 558 /** 559 * The access control configuration is for a KMS key. 560 */ 561 kmsKey?: KmsKeyConfiguration; 562 /** 563 * The access control configuration is for an Amazon S3 Bucket. 564 */ 565 s3Bucket?: S3BucketConfiguration; 566 /** 567 * The access control configuration is for a Secrets Manager secret. 568 */ 569 secretsManagerSecret?: SecretsManagerSecretConfiguration; 570 /** 571 * The access control configuration is for an SQS queue. 572 */ 573 sqsQueue?: SqsQueueConfiguration; 574 } 575 export type ConfigurationsMap = {[key: string]: Configuration}; 576 export type ConfigurationsMapKey = string; 577 export interface CreateAccessPreviewRequest { 578 /** 579 * The ARN of the account analyzer used to generate the access preview. You can only create an access preview for analyzers with an Account type and Active status. 580 */ 581 analyzerArn: AnalyzerArn; 582 /** 583 * A client token. 584 */ 585 clientToken?: String; 586 /** 587 * Access control configuration for your resource that is used to generate the access preview. The access preview includes findings for external access allowed to the resource with the proposed access control configuration. The configuration must contain exactly one element. 588 */ 589 configurations: ConfigurationsMap; 590 } 591 export interface CreateAccessPreviewResponse { 592 /** 593 * The unique ID for the access preview. 594 */ 595 id: AccessPreviewId; 596 } 597 export interface CreateAnalyzerRequest { 598 /** 599 * The name of the analyzer to create. 600 */ 601 analyzerName: Name; 602 /** 603 * Specifies the archive rules to add for the analyzer. Archive rules automatically archive findings that meet the criteria you define for the rule. 604 */ 605 archiveRules?: InlineArchiveRulesList; 606 /** 607 * A client token. 608 */ 609 clientToken?: String; 610 /** 611 * The tags to apply to the analyzer. 612 */ 613 tags?: TagsMap; 614 /** 615 * The type of analyzer to create. Only ACCOUNT and ORGANIZATION analyzers are supported. You can create only one analyzer per account per Region. You can create up to 5 analyzers per organization per Region. 616 */ 617 type: Type; 618 } 619 export interface CreateAnalyzerResponse { 620 /** 621 * The ARN of the analyzer that was created by the request. 622 */ 623 arn?: AnalyzerArn; 624 } 625 export interface CreateArchiveRuleRequest { 626 /** 627 * The name of the created analyzer. 628 */ 629 analyzerName: Name; 630 /** 631 * A client token. 632 */ 633 clientToken?: String; 634 /** 635 * The criteria for the rule. 636 */ 637 filter: FilterCriteriaMap; 638 /** 639 * The name of the rule to create. 640 */ 641 ruleName: Name; 642 } 643 export interface Criterion { 644 /** 645 * A "contains" operator to match for the filter used to create the rule. 646 */ 647 contains?: ValueList; 648 /** 649 * An "equals" operator to match for the filter used to create the rule. 650 */ 651 eq?: ValueList; 652 /** 653 * An "exists" operator to match for the filter used to create the rule. 654 */ 655 exists?: Boolean; 656 /** 657 * A "not equals" operator to match for the filter used to create the rule. 658 */ 659 neq?: ValueList; 660 } 661 export interface DeleteAnalyzerRequest { 662 /** 663 * The name of the analyzer to delete. 664 */ 665 analyzerName: Name; 666 /** 667 * A client token. 668 */ 669 clientToken?: String; 670 } 671 export interface DeleteArchiveRuleRequest { 672 /** 673 * The name of the analyzer that associated with the archive rule to delete. 674 */ 675 analyzerName: Name; 676 /** 677 * A client token. 678 */ 679 clientToken?: String; 680 /** 681 * The name of the rule to delete. 682 */ 683 ruleName: Name; 684 } 685 export type FilterCriteriaMap = {[key: string]: Criterion}; 686 export interface Finding { 687 /** 688 * The action in the analyzed policy statement that an external principal has permission to use. 689 */ 690 action?: ActionList; 691 /** 692 * The time at which the resource was analyzed. 693 */ 694 analyzedAt: Timestamp; 695 /** 696 * The condition in the analyzed policy statement that resulted in a finding. 697 */ 698 condition: ConditionKeyMap; 699 /** 700 * The time at which the finding was generated. 701 */ 702 createdAt: Timestamp; 703 /** 704 * An error. 705 */ 706 error?: String; 707 /** 708 * The ID of the finding. 709 */ 710 id: FindingId; 711 /** 712 * Indicates whether the policy that generated the finding allows public access to the resource. 713 */ 714 isPublic?: Boolean; 715 /** 716 * The external principal that access to a resource within the zone of trust. 717 */ 718 principal?: PrincipalMap; 719 /** 720 * The resource that an external principal has access to. 721 */ 722 resource?: String; 723 /** 724 * The AWS account ID that owns the resource. 725 */ 726 resourceOwnerAccount: String; 727 /** 728 * The type of the resource identified in the finding. 729 */ 730 resourceType: ResourceType; 731 /** 732 * The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings. 733 */ 734 sources?: FindingSourceList; 735 /** 736 * The current status of the finding. 737 */ 738 status: FindingStatus; 739 /** 740 * The time at which the finding was updated. 741 */ 742 updatedAt: Timestamp; 743 } 744 export type FindingChangeType = "CHANGED"|"NEW"|"UNCHANGED"|string; 745 export type FindingId = string; 746 export type FindingIdList = FindingId[]; 747 export interface FindingSource { 748 /** 749 * Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings. 750 */ 751 detail?: FindingSourceDetail; 752 /** 753 * Indicates the type of access that generated the finding. 754 */ 755 type: FindingSourceType; 756 } 757 export interface FindingSourceDetail { 758 /** 759 * The ARN of the access point that generated the finding. 760 */ 761 accessPointArn?: String; 762 } 763 export type FindingSourceList = FindingSource[]; 764 export type FindingSourceType = "POLICY"|"BUCKET_ACL"|"S3_ACCESS_POINT"|string; 765 export type FindingStatus = "ACTIVE"|"ARCHIVED"|"RESOLVED"|string; 766 export type FindingStatusUpdate = "ACTIVE"|"ARCHIVED"|string; 767 export interface FindingSummary { 768 /** 769 * The action in the analyzed policy statement that an external principal has permission to use. 770 */ 771 action?: ActionList; 772 /** 773 * The time at which the resource-based policy that generated the finding was analyzed. 774 */ 775 analyzedAt: Timestamp; 776 /** 777 * The condition in the analyzed policy statement that resulted in a finding. 778 */ 779 condition: ConditionKeyMap; 780 /** 781 * The time at which the finding was created. 782 */ 783 createdAt: Timestamp; 784 /** 785 * The error that resulted in an Error finding. 786 */ 787 error?: String; 788 /** 789 * The ID of the finding. 790 */ 791 id: FindingId; 792 /** 793 * Indicates whether the finding reports a resource that has a policy that allows public access. 794 */ 795 isPublic?: Boolean; 796 /** 797 * The external principal that has access to a resource within the zone of trust. 798 */ 799 principal?: PrincipalMap; 800 /** 801 * The resource that the external principal has access to. 802 */ 803 resource?: String; 804 /** 805 * The AWS account ID that owns the resource. 806 */ 807 resourceOwnerAccount: String; 808 /** 809 * The type of the resource that the external principal has access to. 810 */ 811 resourceType: ResourceType; 812 /** 813 * The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings. 814 */ 815 sources?: FindingSourceList; 816 /** 817 * The status of the finding. 818 */ 819 status: FindingStatus; 820 /** 821 * The time at which the finding was most recently updated. 822 */ 823 updatedAt: Timestamp; 824 } 825 export type FindingsList = FindingSummary[]; 826 export interface GeneratedPolicy { 827 /** 828 * The text to use as the content for the new policy. The policy is created using the CreatePolicy action. 829 */ 830 policy: String; 831 } 832 export type GeneratedPolicyList = GeneratedPolicy[]; 833 export interface GeneratedPolicyProperties { 834 /** 835 * Lists details about the Trail used to generated policy. 836 */ 837 cloudTrailProperties?: CloudTrailProperties; 838 /** 839 * This value is set to true if the generated policy contains all possible actions for a service that Access Analyzer identified from the CloudTrail trail that you specified, and false otherwise. 840 */ 841 isComplete?: Boolean; 842 /** 843 * The ARN of the IAM entity (user or role) for which you are generating a policy. 844 */ 845 principalArn: PrincipalArn; 846 } 847 export interface GeneratedPolicyResult { 848 /** 849 * The text to use as the content for the new policy. The policy is created using the CreatePolicy action. 850 */ 851 generatedPolicies?: GeneratedPolicyList; 852 /** 853 * A GeneratedPolicyProperties object that contains properties of the generated policy. 854 */ 855 properties: GeneratedPolicyProperties; 856 } 857 export interface GetAccessPreviewRequest { 858 /** 859 * The unique ID for the access preview. 860 */ 861 accessPreviewId: AccessPreviewId; 862 /** 863 * The ARN of the analyzer used to generate the access preview. 864 */ 865 analyzerArn: AnalyzerArn; 866 } 867 export interface GetAccessPreviewResponse { 868 /** 869 * An object that contains information about the access preview. 870 */ 871 accessPreview: AccessPreview; 872 } 873 export interface GetAnalyzedResourceRequest { 874 /** 875 * The ARN of the analyzer to retrieve information from. 876 */ 877 analyzerArn: AnalyzerArn; 878 /** 879 * The ARN of the resource to retrieve information about. 880 */ 881 resourceArn: ResourceArn; 882 } 883 export interface GetAnalyzedResourceResponse { 884 /** 885 * An AnalyzedResource object that contains information that Access Analyzer found when it analyzed the resource. 886 */ 887 resource?: AnalyzedResource; 888 } 889 export interface GetAnalyzerRequest { 890 /** 891 * The name of the analyzer retrieved. 892 */ 893 analyzerName: Name; 894 } 895 export interface GetAnalyzerResponse { 896 /** 897 * An AnalyzerSummary object that contains information about the analyzer. 898 */ 899 analyzer: AnalyzerSummary; 900 } 901 export interface GetArchiveRuleRequest { 902 /** 903 * The name of the analyzer to retrieve rules from. 904 */ 905 analyzerName: Name; 906 /** 907 * The name of the rule to retrieve. 908 */ 909 ruleName: Name; 910 } 911 export interface GetArchiveRuleResponse { 912 archiveRule: ArchiveRuleSummary; 913 } 914 export interface GetFindingRequest { 915 /** 916 * The ARN of the analyzer that generated the finding. 917 */ 918 analyzerArn: AnalyzerArn; 919 /** 920 * The ID of the finding to retrieve. 921 */ 922 id: FindingId; 923 } 924 export interface GetFindingResponse { 925 /** 926 * A finding object that contains finding details. 927 */ 928 finding?: Finding; 929 } 930 export interface GetGeneratedPolicyRequest { 931 /** 932 * The level of detail that you want to generate. You can specify whether to generate policies with placeholders for resource ARNs for actions that support resource level granularity in policies. For example, in the resource section of a policy, you can receive a placeholder such as "Resource":"arn:aws:s3:::${BucketName}" instead of "*". 933 */ 934 includeResourcePlaceholders?: Boolean; 935 /** 936 * The level of detail that you want to generate. You can specify whether to generate service-level policies. Access Analyzer uses iam:servicelastaccessed to identify services that have been used recently to create this service-level template. 937 */ 938 includeServiceLevelTemplate?: Boolean; 939 /** 940 * The JobId that is returned by the StartPolicyGeneration operation. The JobId can be used with GetGeneratedPolicy to retrieve the generated policies or used with CancelPolicyGeneration to cancel the policy generation request. 941 */ 942 jobId: JobId; 943 } 944 export interface GetGeneratedPolicyResponse { 945 /** 946 * A GeneratedPolicyResult object that contains the generated policies and associated details. 947 */ 948 generatedPolicyResult: GeneratedPolicyResult; 949 /** 950 * A GeneratedPolicyDetails object that contains details about the generated policy. 951 */ 952 jobDetails: JobDetails; 953 } 954 export type GranteePrincipal = string; 955 export interface IamRoleConfiguration { 956 /** 957 * The proposed trust policy for the IAM role. 958 */ 959 trustPolicy?: IamTrustPolicy; 960 } 961 export type IamTrustPolicy = string; 962 export interface InlineArchiveRule { 963 /** 964 * The condition and values for a criterion. 965 */ 966 filter: FilterCriteriaMap; 967 /** 968 * The name of the rule. 969 */ 970 ruleName: Name; 971 } 972 export type InlineArchiveRulesList = InlineArchiveRule[]; 973 export type Integer = number; 974 export interface InternetConfiguration { 975 } 976 export type IssueCode = string; 977 export type IssuingAccount = string; 978 export interface JobDetails { 979 /** 980 * A timestamp of when the job was completed. 981 */ 982 completedOn?: Timestamp; 983 jobError?: JobError; 984 /** 985 * The JobId that is returned by the StartPolicyGeneration operation. The JobId can be used with GetGeneratedPolicy to retrieve the generated policies or used with CancelPolicyGeneration to cancel the policy generation request. 986 */ 987 jobId: JobId; 988 /** 989 * A timestamp of when the job was started. 990 */ 991 startedOn: Timestamp; 992 /** 993 * The status of the job request. 994 */ 995 status: JobStatus; 996 } 997 export interface JobError { 998 /** 999 * The job error code. 1000 */ 1001 code: JobErrorCode; 1002 /** 1003 * Specific information about the error. For example, which service quota was exceeded or which resource was not found. 1004 */ 1005 message: String; 1006 } 1007 export type JobErrorCode = "AUTHORIZATION_ERROR"|"RESOURCE_NOT_FOUND_ERROR"|"SERVICE_QUOTA_EXCEEDED_ERROR"|"SERVICE_ERROR"|string; 1008 export type JobId = string; 1009 export type JobStatus = "IN_PROGRESS"|"SUCCEEDED"|"FAILED"|"CANCELED"|string; 1010 export type KmsConstraintsKey = string; 1011 export type KmsConstraintsMap = {[key: string]: KmsConstraintsValue}; 1012 export type KmsConstraintsValue = string; 1013 export interface KmsGrantConfiguration { 1014 /** 1015 * Use this structure to propose allowing cryptographic operations in the grant only when the operation request includes the specified encryption context. 1016 */ 1017 constraints?: KmsGrantConstraints; 1018 /** 1019 * The principal that is given permission to perform the operations that the grant permits. 1020 */ 1021 granteePrincipal: GranteePrincipal; 1022 /** 1023 * The AWS account under which the grant was issued. The account is used to propose KMS grants issued by accounts other than the owner of the key. 1024 */ 1025 issuingAccount: IssuingAccount; 1026 /** 1027 * A list of operations that the grant permits. 1028 */ 1029 operations: KmsGrantOperationsList; 1030 /** 1031 * The principal that is given permission to retire the grant by using RetireGrant operation. 1032 */ 1033 retiringPrincipal?: RetiringPrincipal; 1034 } 1035 export type KmsGrantConfigurationsList = KmsGrantConfiguration[]; 1036 export interface KmsGrantConstraints { 1037 /** 1038 * A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint. 1039 */ 1040 encryptionContextEquals?: KmsConstraintsMap; 1041 /** 1042 * A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs. 1043 */ 1044 encryptionContextSubset?: KmsConstraintsMap; 1045 } 1046 export type KmsGrantOperation = "CreateGrant"|"Decrypt"|"DescribeKey"|"Encrypt"|"GenerateDataKey"|"GenerateDataKeyPair"|"GenerateDataKeyPairWithoutPlaintext"|"GenerateDataKeyWithoutPlaintext"|"GetPublicKey"|"ReEncryptFrom"|"ReEncryptTo"|"RetireGrant"|"Sign"|"Verify"|string; 1047 export type KmsGrantOperationsList = KmsGrantOperation[]; 1048 export interface KmsKeyConfiguration { 1049 /** 1050 * A list of proposed grant configurations for the KMS key. If the proposed grant configuration is for an existing key, the access preview uses the proposed list of grant configurations in place of the existing grants. Otherwise, the access preview uses the existing grants for the key. 1051 */ 1052 grants?: KmsGrantConfigurationsList; 1053 /** 1054 * Resource policy configuration for the KMS key. The only valid value for the name of the key policy is default. For more information, see Default key policy. 1055 */ 1056 keyPolicies?: KmsKeyPoliciesMap; 1057 } 1058 export type KmsKeyPoliciesMap = {[key: string]: KmsKeyPolicy}; 1059 export type KmsKeyPolicy = string; 1060 export type LearnMoreLink = string; 1061 export interface ListAccessPreviewFindingsRequest { 1062 /** 1063 * The unique ID for the access preview. 1064 */ 1065 accessPreviewId: AccessPreviewId; 1066 /** 1067 * The ARN of the analyzer used to generate the access. 1068 */ 1069 analyzerArn: AnalyzerArn; 1070 /** 1071 * Criteria to filter the returned findings. 1072 */ 1073 filter?: FilterCriteriaMap; 1074 /** 1075 * The maximum number of results to return in the response. 1076 */ 1077 maxResults?: Integer; 1078 /** 1079 * A token used for pagination of results returned. 1080 */ 1081 nextToken?: Token; 1082 } 1083 export interface ListAccessPreviewFindingsResponse { 1084 /** 1085 * A list of access preview findings that match the specified filter criteria. 1086 */ 1087 findings: AccessPreviewFindingsList; 1088 /** 1089 * A token used for pagination of results returned. 1090 */ 1091 nextToken?: Token; 1092 } 1093 export interface ListAccessPreviewsRequest { 1094 /** 1095 * The ARN of the analyzer used to generate the access preview. 1096 */ 1097 analyzerArn: AnalyzerArn; 1098 /** 1099 * The maximum number of results to return in the response. 1100 */ 1101 maxResults?: Integer; 1102 /** 1103 * A token used for pagination of results returned. 1104 */ 1105 nextToken?: Token; 1106 } 1107 export interface ListAccessPreviewsResponse { 1108 /** 1109 * A list of access previews retrieved for the analyzer. 1110 */ 1111 accessPreviews: AccessPreviewsList; 1112 /** 1113 * A token used for pagination of results returned. 1114 */ 1115 nextToken?: Token; 1116 } 1117 export interface ListAnalyzedResourcesRequest { 1118 /** 1119 * The ARN of the analyzer to retrieve a list of analyzed resources from. 1120 */ 1121 analyzerArn: AnalyzerArn; 1122 /** 1123 * The maximum number of results to return in the response. 1124 */ 1125 maxResults?: Integer; 1126 /** 1127 * A token used for pagination of results returned. 1128 */ 1129 nextToken?: Token; 1130 /** 1131 * The type of resource. 1132 */ 1133 resourceType?: ResourceType; 1134 } 1135 export interface ListAnalyzedResourcesResponse { 1136 /** 1137 * A list of resources that were analyzed. 1138 */ 1139 analyzedResources: AnalyzedResourcesList; 1140 /** 1141 * A token used for pagination of results returned. 1142 */ 1143 nextToken?: Token; 1144 } 1145 export interface ListAnalyzersRequest { 1146 /** 1147 * The maximum number of results to return in the response. 1148 */ 1149 maxResults?: Integer; 1150 /** 1151 * A token used for pagination of results returned. 1152 */ 1153 nextToken?: Token; 1154 /** 1155 * The type of analyzer. 1156 */ 1157 type?: Type; 1158 } 1159 export interface ListAnalyzersResponse { 1160 /** 1161 * The analyzers retrieved. 1162 */ 1163 analyzers: AnalyzersList; 1164 /** 1165 * A token used for pagination of results returned. 1166 */ 1167 nextToken?: Token; 1168 } 1169 export interface ListArchiveRulesRequest { 1170 /** 1171 * The name of the analyzer to retrieve rules from. 1172 */ 1173 analyzerName: Name; 1174 /** 1175 * The maximum number of results to return in the request. 1176 */ 1177 maxResults?: Integer; 1178 /** 1179 * A token used for pagination of results returned. 1180 */ 1181 nextToken?: Token; 1182 } 1183 export interface ListArchiveRulesResponse { 1184 /** 1185 * A list of archive rules created for the specified analyzer. 1186 */ 1187 archiveRules: ArchiveRulesList; 1188 /** 1189 * A token used for pagination of results returned. 1190 */ 1191 nextToken?: Token; 1192 } 1193 export interface ListFindingsRequest { 1194 /** 1195 * The ARN of the analyzer to retrieve findings from. 1196 */ 1197 analyzerArn: AnalyzerArn; 1198 /** 1199 * A filter to match for the findings to return. 1200 */ 1201 filter?: FilterCriteriaMap; 1202 /** 1203 * The maximum number of results to return in the response. 1204 */ 1205 maxResults?: Integer; 1206 /** 1207 * A token used for pagination of results returned. 1208 */ 1209 nextToken?: Token; 1210 /** 1211 * The sort order for the findings returned. 1212 */ 1213 sort?: SortCriteria; 1214 } 1215 export interface ListFindingsResponse { 1216 /** 1217 * A list of findings retrieved from the analyzer that match the filter criteria specified, if any. 1218 */ 1219 findings: FindingsList; 1220 /** 1221 * A token used for pagination of results returned. 1222 */ 1223 nextToken?: Token; 1224 } 1225 export interface ListPolicyGenerationsRequest { 1226 /** 1227 * The maximum number of results to return in the response. 1228 */ 1229 maxResults?: ListPolicyGenerationsRequestMaxResultsInteger; 1230 /** 1231 * A token used for pagination of results returned. 1232 */ 1233 nextToken?: Token; 1234 /** 1235 * The ARN of the IAM entity (user or role) for which you are generating a policy. Use this with ListGeneratedPolicies to filter the results to only include results for a specific principal. 1236 */ 1237 principalArn?: PrincipalArn; 1238 } 1239 export type ListPolicyGenerationsRequestMaxResultsInteger = number; 1240 export interface ListPolicyGenerationsResponse { 1241 /** 1242 * A token used for pagination of results returned. 1243 */ 1244 nextToken?: Token; 1245 /** 1246 * A PolicyGeneration object that contains details about the generated policy. 1247 */ 1248 policyGenerations: PolicyGenerationList; 1249 } 1250 export interface ListTagsForResourceRequest { 1251 /** 1252 * The ARN of the resource to retrieve tags from. 1253 */ 1254 resourceArn: String; 1255 } 1256 export interface ListTagsForResourceResponse { 1257 /** 1258 * The tags that are applied to the specified resource. 1259 */ 1260 tags?: TagsMap; 1261 } 1262 export type Locale = "DE"|"EN"|"ES"|"FR"|"IT"|"JA"|"KO"|"PT_BR"|"ZH_CN"|"ZH_TW"|string; 1263 export interface Location { 1264 /** 1265 * A path in a policy, represented as a sequence of path elements. 1266 */ 1267 path: PathElementList; 1268 /** 1269 * A span in a policy. 1270 */ 1271 span: Span; 1272 } 1273 export type LocationList = Location[]; 1274 export type Name = string; 1275 export interface NetworkOriginConfiguration { 1276 /** 1277 * The configuration for the Amazon S3 access point with an Internet origin. 1278 */ 1279 internetConfiguration?: InternetConfiguration; 1280 vpcConfiguration?: VpcConfiguration; 1281 } 1282 export type OrderBy = "ASC"|"DESC"|string; 1283 export interface PathElement { 1284 /** 1285 * Refers to an index in a JSON array. 1286 */ 1287 index?: Integer; 1288 /** 1289 * Refers to a key in a JSON object. 1290 */ 1291 key?: String; 1292 /** 1293 * Refers to a substring of a literal string in a JSON object. 1294 */ 1295 substring?: Substring; 1296 /** 1297 * Refers to the value associated with a given key in a JSON object. 1298 */ 1299 value?: String; 1300 } 1301 export type PathElementList = PathElement[]; 1302 export type PolicyDocument = string; 1303 export interface PolicyGeneration { 1304 /** 1305 * A timestamp of when the policy generation was completed. 1306 */ 1307 completedOn?: Timestamp; 1308 /** 1309 * The JobId that is returned by the StartPolicyGeneration operation. The JobId can be used with GetGeneratedPolicy to retrieve the generated policies or used with CancelPolicyGeneration to cancel the policy generation request. 1310 */ 1311 jobId: JobId; 1312 /** 1313 * The ARN of the IAM entity (user or role) for which you are generating a policy. 1314 */ 1315 principalArn: PrincipalArn; 1316 /** 1317 * A timestamp of when the policy generation started. 1318 */ 1319 startedOn: Timestamp; 1320 /** 1321 * The status of the policy generation request. 1322 */ 1323 status: JobStatus; 1324 } 1325 export interface PolicyGenerationDetails { 1326 /** 1327 * The ARN of the IAM entity (user or role) for which you are generating a policy. 1328 */ 1329 principalArn: PrincipalArn; 1330 } 1331 export type PolicyGenerationList = PolicyGeneration[]; 1332 export type PolicyName = string; 1333 export type PolicyType = "IDENTITY_POLICY"|"RESOURCE_POLICY"|"SERVICE_CONTROL_POLICY"|string; 1334 export interface Position { 1335 /** 1336 * The column of the position, starting from 0. 1337 */ 1338 column: Integer; 1339 /** 1340 * The line of the position, starting from 1. 1341 */ 1342 line: Integer; 1343 /** 1344 * The offset within the policy that corresponds to the position, starting from 0. 1345 */ 1346 offset: Integer; 1347 } 1348 export type PrincipalArn = string; 1349 export type PrincipalMap = {[key: string]: String}; 1350 export type ReasonCode = "AWS_SERVICE_ACCESS_DISABLED"|"DELEGATED_ADMINISTRATOR_DEREGISTERED"|"ORGANIZATION_DELETED"|"SERVICE_LINKED_ROLE_CREATION_FAILED"|string; 1351 export type RegionList = String[]; 1352 export type ResourceArn = string; 1353 export type ResourceType = "AWS::S3::Bucket"|"AWS::IAM::Role"|"AWS::SQS::Queue"|"AWS::Lambda::Function"|"AWS::Lambda::LayerVersion"|"AWS::KMS::Key"|"AWS::SecretsManager::Secret"|string; 1354 export type RetiringPrincipal = string; 1355 export type RoleArn = string; 1356 export interface S3AccessPointConfiguration { 1357 /** 1358 * The access point policy. 1359 */ 1360 accessPointPolicy?: AccessPointPolicy; 1361 /** 1362 * The proposed Internet and VpcConfiguration to apply to this Amazon S3 access point. If the access preview is for a new resource and neither is specified, the access preview uses Internet for the network origin. If the access preview is for an existing resource and neither is specified, the access preview uses the exiting network origin. 1363 */ 1364 networkOrigin?: NetworkOriginConfiguration; 1365 /** 1366 * The proposed S3PublicAccessBlock configuration to apply to this Amazon S3 Access Point. 1367 */ 1368 publicAccessBlock?: S3PublicAccessBlockConfiguration; 1369 } 1370 export type S3AccessPointConfigurationsMap = {[key: string]: S3AccessPointConfiguration}; 1371 export interface S3BucketAclGrantConfiguration { 1372 /** 1373 * The grantee to whom you’re assigning access rights. 1374 */ 1375 grantee: AclGrantee; 1376 /** 1377 * The permissions being granted. 1378 */ 1379 permission: AclPermission; 1380 } 1381 export type S3BucketAclGrantConfigurationsList = S3BucketAclGrantConfiguration[]; 1382 export interface S3BucketConfiguration { 1383 /** 1384 * The configuration of Amazon S3 access points for the bucket. 1385 */ 1386 accessPoints?: S3AccessPointConfigurationsMap; 1387 /** 1388 * The proposed list of ACL grants for the Amazon S3 bucket. You can propose up to 100 ACL grants per bucket. If the proposed grant configuration is for an existing bucket, the access preview uses the proposed list of grant configurations in place of the existing grants. Otherwise, the access preview uses the existing grants for the bucket. 1389 */ 1390 bucketAclGrants?: S3BucketAclGrantConfigurationsList; 1391 /** 1392 * The proposed bucket policy for the Amazon S3 bucket. 1393 */ 1394 bucketPolicy?: S3BucketPolicy; 1395 /** 1396 * The proposed block public access configuration for the Amazon S3 bucket. 1397 */ 1398 bucketPublicAccessBlock?: S3PublicAccessBlockConfiguration; 1399 } 1400 export type S3BucketPolicy = string; 1401 export interface S3PublicAccessBlockConfiguration { 1402 /** 1403 * Specifies whether Amazon S3 should ignore public ACLs for this bucket and objects in this bucket. 1404 */ 1405 ignorePublicAcls: Boolean; 1406 /** 1407 * Specifies whether Amazon S3 should restrict public bucket policies for this bucket. 1408 */ 1409 restrictPublicBuckets: Boolean; 1410 } 1411 export interface SecretsManagerSecretConfiguration { 1412 /** 1413 * The proposed ARN, key ID, or alias of the AWS KMS customer master key (CMK). 1414 */ 1415 kmsKeyId?: SecretsManagerSecretKmsId; 1416 /** 1417 * The proposed resource policy defining who can access or manage the secret. 1418 */ 1419 secretPolicy?: SecretsManagerSecretPolicy; 1420 } 1421 export type SecretsManagerSecretKmsId = string; 1422 export type SecretsManagerSecretPolicy = string; 1423 export type SharedViaList = String[]; 1424 export interface SortCriteria { 1425 /** 1426 * The name of the attribute to sort on. 1427 */ 1428 attributeName?: String; 1429 /** 1430 * The sort order, ascending or descending. 1431 */ 1432 orderBy?: OrderBy; 1433 } 1434 export interface Span { 1435 /** 1436 * The end position of the span (exclusive). 1437 */ 1438 end: Position; 1439 /** 1440 * The start position of the span (inclusive). 1441 */ 1442 start: Position; 1443 } 1444 export interface SqsQueueConfiguration { 1445 /** 1446 * The proposed resource policy for the SQS queue. 1447 */ 1448 queuePolicy?: SqsQueuePolicy; 1449 } 1450 export type SqsQueuePolicy = string; 1451 export interface StartPolicyGenerationRequest { 1452 /** 1453 * A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. Idempotency ensures that an API request completes only once. With an idempotent request, if the original request completes successfully, the subsequent retries with the same client token return the result from the original successful request and they have no additional effect. If you do not specify a client token, one is automatically generated by the AWS SDK. 1454 */ 1455 clientToken?: String; 1456 /** 1457 * A CloudTrailDetails object that contains details about a Trail that you want to analyze to generate policies. 1458 */ 1459 cloudTrailDetails?: CloudTrailDetails; 1460 /** 1461 * Contains the ARN of the IAM entity (user or role) for which you are generating a policy. 1462 */ 1463 policyGenerationDetails: PolicyGenerationDetails; 1464 } 1465 export interface StartPolicyGenerationResponse { 1466 /** 1467 * The JobId that is returned by the StartPolicyGeneration operation. The JobId can be used with GetGeneratedPolicy to retrieve the generated policies or used with CancelPolicyGeneration to cancel the policy generation request. 1468 */ 1469 jobId: JobId; 1470 } 1471 export interface StartResourceScanRequest { 1472 /** 1473 * The ARN of the analyzer to use to scan the policies applied to the specified resource. 1474 */ 1475 analyzerArn: AnalyzerArn; 1476 /** 1477 * The ARN of the resource to scan. 1478 */ 1479 resourceArn: ResourceArn; 1480 } 1481 export interface StatusReason { 1482 /** 1483 * The reason code for the current status of the analyzer. 1484 */ 1485 code: ReasonCode; 1486 } 1487 export type String = string; 1488 export interface Substring { 1489 /** 1490 * The length of the substring. 1491 */ 1492 length: Integer; 1493 /** 1494 * The start index of the substring, starting from 0. 1495 */ 1496 start: Integer; 1497 } 1498 export type TagKeys = String[]; 1499 export interface TagResourceRequest { 1500 /** 1501 * The ARN of the resource to add the tag to. 1502 */ 1503 resourceArn: String; 1504 /** 1505 * The tags to add to the resource. 1506 */ 1507 tags: TagsMap; 1508 } 1509 export interface TagResourceResponse { 1510 } 1511 export type TagsMap = {[key: string]: String}; 1512 export type Timestamp = Date; 1513 export type Token = string; 1514 export interface Trail { 1515 /** 1516 * Possible values are true or false. If set to true, Access Analyzer retrieves CloudTrail data from all regions to analyze and generate a policy. 1517 */ 1518 allRegions?: Boolean; 1519 /** 1520 * Specifies the ARN of the trail. The format of a trail ARN is arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail. 1521 */ 1522 cloudTrailArn: CloudTrailArn; 1523 /** 1524 * A list of regions to get CloudTrail data from and analyze to generate a policy. 1525 */ 1526 regions?: RegionList; 1527 } 1528 export type TrailList = Trail[]; 1529 export interface TrailProperties { 1530 /** 1531 * Possible values are true or false. If set to true, Access Analyzer retrieves CloudTrail data from all regions to analyze and generate a policy. 1532 */ 1533 allRegions?: Boolean; 1534 /** 1535 * Specifies the ARN of the trail. The format of a trail ARN is arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail. 1536 */ 1537 cloudTrailArn: CloudTrailArn; 1538 /** 1539 * A list of regions to get CloudTrail data from and analyze to generate a policy. 1540 */ 1541 regions?: RegionList; 1542 } 1543 export type TrailPropertiesList = TrailProperties[]; 1544 export type Type = "ACCOUNT"|"ORGANIZATION"|string; 1545 export interface UntagResourceRequest { 1546 /** 1547 * The ARN of the resource to remove the tag from. 1548 */ 1549 resourceArn: String; 1550 /** 1551 * The key for the tag to add. 1552 */ 1553 tagKeys: TagKeys; 1554 } 1555 export interface UntagResourceResponse { 1556 } 1557 export interface UpdateArchiveRuleRequest { 1558 /** 1559 * The name of the analyzer to update the archive rules for. 1560 */ 1561 analyzerName: Name; 1562 /** 1563 * A client token. 1564 */ 1565 clientToken?: String; 1566 /** 1567 * A filter to match for the rules to update. Only rules that match the filter are updated. 1568 */ 1569 filter: FilterCriteriaMap; 1570 /** 1571 * The name of the rule to update. 1572 */ 1573 ruleName: Name; 1574 } 1575 export interface UpdateFindingsRequest { 1576 /** 1577 * The ARN of the analyzer that generated the findings to update. 1578 */ 1579 analyzerArn: AnalyzerArn; 1580 /** 1581 * A client token. 1582 */ 1583 clientToken?: String; 1584 /** 1585 * The IDs of the findings to update. 1586 */ 1587 ids?: FindingIdList; 1588 /** 1589 * The ARN of the resource identified in the finding. 1590 */ 1591 resourceArn?: ResourceArn; 1592 /** 1593 * The state represents the action to take to update the finding Status. Use ARCHIVE to change an Active finding to an Archived finding. Use ACTIVE to change an Archived finding to an Active finding. 1594 */ 1595 status: FindingStatusUpdate; 1596 } 1597 export interface ValidatePolicyFinding { 1598 /** 1599 * A localized message that explains the finding and provides guidance on how to address it. 1600 */ 1601 findingDetails: String; 1602 /** 1603 * The impact of the finding. Security warnings report when the policy allows access that we consider overly permissive. Errors report when a part of the policy is not functional. Warnings report non-security issues when a policy does not conform to policy writing best practices. Suggestions recommend stylistic improvements in the policy that do not impact access. 1604 */ 1605 findingType: ValidatePolicyFindingType; 1606 /** 1607 * The issue code provides an identifier of the issue associated with this finding. 1608 */ 1609 issueCode: IssueCode; 1610 /** 1611 * A link to additional documentation about the type of finding. 1612 */ 1613 learnMoreLink: LearnMoreLink; 1614 /** 1615 * The list of locations in the policy document that are related to the finding. The issue code provides a summary of an issue identified by the finding. 1616 */ 1617 locations: LocationList; 1618 } 1619 export type ValidatePolicyFindingList = ValidatePolicyFinding[]; 1620 export type ValidatePolicyFindingType = "ERROR"|"SECURITY_WARNING"|"SUGGESTION"|"WARNING"|string; 1621 export interface ValidatePolicyRequest { 1622 /** 1623 * The locale to use for localizing the findings. 1624 */ 1625 locale?: Locale; 1626 /** 1627 * The maximum number of results to return in the response. 1628 */ 1629 maxResults?: Integer; 1630 /** 1631 * A token used for pagination of results returned. 1632 */ 1633 nextToken?: Token; 1634 /** 1635 * The JSON policy document to use as the content for the policy. 1636 */ 1637 policyDocument: PolicyDocument; 1638 /** 1639 * The type of policy to validate. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups. They also include service-control policies (SCPs) that are attached to an AWS organization, organizational unit (OU), or an account. Resource policies grant permissions on AWS resources. Resource policies include trust policies for IAM roles and bucket policies for S3 buckets. You can provide a generic input such as identity policy or resource policy or a specific input such as managed policy or S3 bucket policy. 1640 */ 1641 policyType: PolicyType; 1642 } 1643 export interface ValidatePolicyResponse { 1644 /** 1645 * The list of findings in a policy returned by Access Analyzer based on its suite of policy checks. 1646 */ 1647 findings: ValidatePolicyFindingList; 1648 /** 1649 * A token used for pagination of results returned. 1650 */ 1651 nextToken?: Token; 1652 } 1653 export type ValueList = String[]; 1654 export interface VpcConfiguration { 1655 /** 1656 * If this field is specified, this access point will only allow connections from the specified VPC ID. 1657 */ 1658 vpcId: VpcId; 1659 } 1660 export type VpcId = string; 1661 /** 1662 * A string in YYYY-MM-DD format that represents the latest possible API version that can be used in this service. Specify 'latest' to use the latest possible version. 1663 */ 1664 export type apiVersion = "2019-11-01"|"latest"|string; 1665 export interface ClientApiVersions { 1666 /** 1667 * A string in YYYY-MM-DD format that represents the latest possible API version that can be used in this service. Specify 'latest' to use the latest possible version. 1668 */ 1669 apiVersion?: apiVersion; 1670 } 1671 export type ClientConfiguration = ServiceConfigurationOptions & ClientApiVersions; 1672 /** 1673 * Contains interfaces for use with the AccessAnalyzer client. 1674 */ 1675 export import Types = AccessAnalyzer; 1676 } 1677 export = AccessAnalyzer;