feat(client-accessanalyzer): This release adds support for policy val…

…idation and external access findings for resource control policies (RCP). IAM Access Analyzer helps you author functional and secure RCPs and awareness that a RCP may restrict external access. Updated service API, documentation, and paginators.
aws · Nov 13, 2024 · 8ee2e53 · 8ee2e53
1 parent 6c46bda
commit 8ee2e53
Show file tree

Hide file tree

Showing 7 changed files with 112 additions and 13 deletions.
diff --git a/clients/client-accessanalyzer/src/commands/GetFindingCommand.ts b/clients/client-accessanalyzer/src/commands/GetFindingCommand.ts
@@ -74,6 +74,7 @@ export interface GetFindingCommandOutput extends GetFindingResponse, __MetadataB
  * //         },
  * //       },
  * //     ],
+ * //     resourceControlPolicyRestriction: "STRING_VALUE",
  * //   },
  * // };
  *

diff --git a/clients/client-accessanalyzer/src/commands/GetFindingV2Command.ts b/clients/client-accessanalyzer/src/commands/GetFindingV2Command.ts
@@ -79,6 +79,7 @@ export interface GetFindingV2CommandOutput extends GetFindingV2Response, __Metad
  * //             },
  * //           },
  * //         ],
+ * //         resourceControlPolicyRestriction: "STRING_VALUE",
  * //       },
  * //       unusedPermissionDetails: { // UnusedPermissionDetails
  * //         actions: [ // UnusedActionList

diff --git a/clients/client-accessanalyzer/src/commands/ListAccessPreviewFindingsCommand.ts b/clients/client-accessanalyzer/src/commands/ListAccessPreviewFindingsCommand.ts
@@ -90,6 +90,7 @@ export interface ListAccessPreviewFindingsCommandOutput extends ListAccessPrevie
  * //           },
  * //         },
  * //       ],
+ * //       resourceControlPolicyRestriction: "STRING_VALUE",
  * //     },
  * //   ],
  * //   nextToken: "STRING_VALUE",

diff --git a/clients/client-accessanalyzer/src/commands/ListFindingsCommand.ts b/clients/client-accessanalyzer/src/commands/ListFindingsCommand.ts
@@ -95,6 +95,7 @@ export interface ListFindingsCommandOutput extends ListFindingsResponse, __Metad
  * //           },
  * //         },
  * //       ],
+ * //       resourceControlPolicyRestriction: "STRING_VALUE",
  * //     },
  * //   ],
  * //   nextToken: "STRING_VALUE",

diff --git a/clients/client-accessanalyzer/src/models/models_0.ts b/clients/client-accessanalyzer/src/models/models_0.ts
@@ -17,8 +17,10 @@ export interface Access {
   actions?: string[] | undefined;
 
   /**
-   * <p>A list of resources for the access permissions. Any strings that can be used as a
-   *          resource in an IAM policy can be used in the list of resources to check.</p>
+   * <p>A list of resources for the access permissions. Any strings that can be used as an
+   *          Amazon Resource Name (ARN) in an IAM policy can be used in the list of resources to
+   *          check. You can only use a wildcard in the portion of the ARN that specifies the resource
+   *          ID.</p>
    * @public
    */
   resources?: string[] | undefined;
@@ -891,11 +893,11 @@ export interface CheckAccessNotGrantedRequest {
 
   /**
    * <p>An access object containing the permissions that shouldn't be granted by the specified
-   *          policy. If only actions are specified, IAM Access Analyzer checks for access of the actions on
-   *          all resources in the policy. If only resources are specified, then IAM Access Analyzer checks
-   *          which actions have access to the specified resources. If both actions and resources are
-   *          specified, then IAM Access Analyzer checks which of the specified actions have access to the
-   *          specified resources.</p>
+   *          policy. If only actions are specified, IAM Access Analyzer checks for access to peform at least
+   *          one of the actions on any resource in the policy. If only resources are specified, then
+   *          IAM Access Analyzer checks for access to perform any action on at least one of the resources. If
+   *          both actions and resources are specified, IAM Access Analyzer checks for access to perform at
+   *          least one of the specified actions on at least one of the specified resources.</p>
    * @public
    */
   access: Access[] | undefined;
@@ -904,9 +906,7 @@ export interface CheckAccessNotGrantedRequest {
    * <p>The type of policy. Identity policies grant permissions to IAM principals. Identity
    *          policies include managed and inline policies for IAM roles, users, and groups.</p>
    *          <p>Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust
-   *          policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic
-   *          input such as identity policy or resource policy or a specific input such as managed policy
-   *          or Amazon S3 bucket policy.</p>
+   *          policies for IAM roles and bucket policies for Amazon S3 buckets.</p>
    * @public
    */
   policyType: AccessCheckPolicyType | undefined;
@@ -2821,6 +2821,22 @@ export interface GetFindingRequest {
   id: string | undefined;
 }
 
+/**
+ * @public
+ * @enum
+ */
+export const ResourceControlPolicyRestriction = {
+  APPLICABLE: "APPLICABLE",
+  FAILED_TO_EVALUATE_RCP: "FAILED_TO_EVALUATE_RCP",
+  NOT_APPLICABLE: "NOT_APPLICABLE",
+} as const;
+
+/**
+ * @public
+ */
+export type ResourceControlPolicyRestriction =
+  (typeof ResourceControlPolicyRestriction)[keyof typeof ResourceControlPolicyRestriction];
+
 /**
  * <p>Includes details about how the access that generated the finding is granted. This is
  *          populated for Amazon S3 bucket findings.</p>
@@ -2957,6 +2973,13 @@ export interface Finding {
    * @public
    */
   sources?: FindingSource[] | undefined;
+
+  /**
+   * <p>The type of restriction applied to the finding by the resource owner with an Organizations
+   *          resource control policy (RCP).</p>
+   * @public
+   */
+  resourceControlPolicyRestriction?: ResourceControlPolicyRestriction | undefined;
 }
 
 /**
@@ -3260,6 +3283,13 @@ export interface ExternalAccessDetails {
    * @public
    */
   sources?: FindingSource[] | undefined;
+
+  /**
+   * <p>The type of restriction applied to the finding by the resource owner with an Organizations
+   *          resource control policy (RCP).</p>
+   * @public
+   */
+  resourceControlPolicyRestriction?: ResourceControlPolicyRestriction | undefined;
 }
 
 /**
@@ -4013,6 +4043,13 @@ export interface AccessPreviewFinding {
    * @public
    */
   sources?: FindingSource[] | undefined;
+
+  /**
+   * <p>The type of restriction applied to the finding by the resource owner with an Organizations
+   *          resource control policy (RCP).</p>
+   * @public
+   */
+  resourceControlPolicyRestriction?: ResourceControlPolicyRestriction | undefined;
 }
 
 /**
@@ -4352,6 +4389,13 @@ export interface FindingSummary {
    * @public
    */
   sources?: FindingSource[] | undefined;
+
+  /**
+   * <p>The type of restriction applied to the finding by the resource owner with an Organizations
+   *          resource control policy (RCP).</p>
+   * @public
+   */
+  resourceControlPolicyRestriction?: ResourceControlPolicyRestriction | undefined;
 }
 
 /**
@@ -4866,6 +4910,7 @@ export type Locale = (typeof Locale)[keyof typeof Locale];
  */
 export const PolicyType = {
   IDENTITY_POLICY: "IDENTITY_POLICY",
+  RESOURCE_CONTROL_POLICY: "RESOURCE_CONTROL_POLICY",
   RESOURCE_POLICY: "RESOURCE_POLICY",
   SERVICE_CONTROL_POLICY: "SERVICE_CONTROL_POLICY",
 } as const;

diff --git a/clients/client-accessanalyzer/src/protocols/Aws_restJson1.ts b/clients/client-accessanalyzer/src/protocols/Aws_restJson1.ts
@@ -2051,6 +2051,7 @@ const de_AccessPreviewFinding = (output: any, context: __SerdeContext): AccessPr
     isPublic: __expectBoolean,
     principal: _json,
     resource: __expectString,
+    resourceControlPolicyRestriction: __expectString,
     resourceOwnerAccount: __expectString,
     resourceType: __expectString,
     sources: _json,
@@ -2231,6 +2232,7 @@ const de_Finding = (output: any, context: __SerdeContext): Finding => {
     isPublic: __expectBoolean,
     principal: _json,
     resource: __expectString,
+    resourceControlPolicyRestriction: __expectString,
     resourceOwnerAccount: __expectString,
     resourceType: __expectString,
     sources: _json,
@@ -2327,6 +2329,7 @@ const de_FindingSummary = (output: any, context: __SerdeContext): FindingSummary
     isPublic: __expectBoolean,
     principal: _json,
     resource: __expectString,
+    resourceControlPolicyRestriction: __expectString,
     resourceOwnerAccount: __expectString,
     resourceType: __expectString,
     sources: _json,

diff --git a/codegen/sdk-codegen/aws-models/accessanalyzer.json b/codegen/sdk-codegen/aws-models/accessanalyzer.json
@@ -19,7 +19,7 @@
           "target": "com.amazonaws.accessanalyzer#ResourcesList",
           "traits": {
             "smithy.api#default": [],
-            "smithy.api#documentation": "<p>A list of resources for the access permissions. Any strings that can be used as a\n         resource in an IAM policy can be used in the list of resources to check.</p>",
+            "smithy.api#documentation": "<p>A list of resources for the access permissions. Any strings that can be used as an\n         Amazon Resource Name (ARN) in an IAM policy can be used in the list of resources to\n         check. You can only use a wildcard in the portion of the ARN that specifies the resource\n         ID.</p>",
             "smithy.api#length": {
               "max": 100
             }
@@ -1433,6 +1433,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The sources of the finding. This indicates how the access that generated the finding is\n         granted. It is populated for Amazon S3 bucket findings.</p>"
           }
+        },
+        "resourceControlPolicyRestriction": {
+          "target": "com.amazonaws.accessanalyzer#ResourceControlPolicyRestriction",
+          "traits": {
+            "smithy.api#documentation": "<p>The type of restriction applied to the finding by the resource owner with an Organizations\n         resource control policy (RCP).</p>"
+          }
         }
       },
       "traits": {
@@ -2181,7 +2187,7 @@
         "access": {
           "target": "com.amazonaws.accessanalyzer#AccessList",
           "traits": {
-            "smithy.api#documentation": "<p>An access object containing the permissions that shouldn't be granted by the specified\n         policy. If only actions are specified, IAM Access Analyzer checks for access of the actions on\n         all resources in the policy. If only resources are specified, then IAM Access Analyzer checks\n         which actions have access to the specified resources. If both actions and resources are\n         specified, then IAM Access Analyzer checks which of the specified actions have access to the\n         specified resources.</p>",
+            "smithy.api#documentation": "<p>An access object containing the permissions that shouldn't be granted by the specified\n         policy. If only actions are specified, IAM Access Analyzer checks for access to peform at least\n         one of the actions on any resource in the policy. If only resources are specified, then\n         IAM Access Analyzer checks for access to perform any action on at least one of the resources. If\n         both actions and resources are specified, IAM Access Analyzer checks for access to perform at\n         least one of the specified actions on at least one of the specified resources.</p>",
             "smithy.api#length": {
               "max": 1
             },
@@ -2191,7 +2197,7 @@
         "policyType": {
           "target": "com.amazonaws.accessanalyzer#AccessCheckPolicyType",
           "traits": {
-            "smithy.api#documentation": "<p>The type of policy. Identity policies grant permissions to IAM principals. Identity\n         policies include managed and inline policies for IAM roles, users, and groups.</p>\n         <p>Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust\n         policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic\n         input such as identity policy or resource policy or a specific input such as managed policy\n         or Amazon S3 bucket policy.</p>",
+            "smithy.api#documentation": "<p>The type of policy. Identity policies grant permissions to IAM principals. Identity\n         policies include managed and inline policies for IAM roles, users, and groups.</p>\n         <p>Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust\n         policies for IAM roles and bucket policies for Amazon S3 buckets.</p>",
             "smithy.api#required": {}
           }
         }
@@ -3258,6 +3264,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The sources of the external access finding. This indicates how the access that generated\n         the finding is granted. It is populated for Amazon S3 bucket findings.</p>"
           }
+        },
+        "resourceControlPolicyRestriction": {
+          "target": "com.amazonaws.accessanalyzer#ResourceControlPolicyRestriction",
+          "traits": {
+            "smithy.api#documentation": "<p>The type of restriction applied to the finding by the resource owner with an Organizations\n         resource control policy (RCP).</p>"
+          }
         }
       },
       "traits": {
@@ -3367,6 +3379,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The sources of the finding. This indicates how the access that generated the finding is\n         granted. It is populated for Amazon S3 bucket findings.</p>"
           }
+        },
+        "resourceControlPolicyRestriction": {
+          "target": "com.amazonaws.accessanalyzer#ResourceControlPolicyRestriction",
+          "traits": {
+            "smithy.api#documentation": "<p>The type of restriction applied to the finding by the resource owner with an Organizations\n         resource control policy (RCP).</p>"
+          }
         }
       },
       "traits": {
@@ -3643,6 +3661,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The sources of the finding. This indicates how the access that generated the finding is\n         granted. It is populated for Amazon S3 bucket findings.</p>"
           }
+        },
+        "resourceControlPolicyRestriction": {
+          "target": "com.amazonaws.accessanalyzer#ResourceControlPolicyRestriction",
+          "traits": {
+            "smithy.api#documentation": "<p>The type of restriction applied to the finding by the resource owner with an Organizations\n         resource control policy (RCP).</p>"
+          }
         }
       },
       "traits": {
@@ -6163,6 +6187,10 @@
           {
             "value": "SERVICE_CONTROL_POLICY",
             "name": "SERVICE_CONTROL_POLICY"
+          },
+          {
+            "value": "RESOURCE_CONTROL_POLICY",
+            "name": "RESOURCE_CONTROL_POLICY"
           }
         ]
       }
@@ -6470,6 +6498,25 @@
         "smithy.api#pattern": "^arn:[^:]*:[^:]*:[^:]*:[^:]*:.*$"
       }
     },
+    "com.amazonaws.accessanalyzer#ResourceControlPolicyRestriction": {
+      "type": "string",
+      "traits": {
+        "smithy.api#enum": [
+          {
+            "value": "APPLICABLE",
+            "name": "APPLICABLE"
+          },
+          {
+            "value": "FAILED_TO_EVALUATE_RCP",
+            "name": "FAILED_TO_EVALUATE_RCP"
+          },
+          {
+            "value": "NOT_APPLICABLE",
+            "name": "NOT_APPLICABLE"
+          }
+        ]
+      }
+    },
     "com.amazonaws.accessanalyzer#ResourceNotFoundException": {
       "type": "structure",
       "members": {
-Original file line number
+Diff line change
@@ Expand Up @@
      * //         },
      * //       },
      * //     ],
+     * //     resourceControlPolicyRestriction: "STRING_VALUE",
      * //   },
      * // };
      *
@@ Expand Down @@