A list of resources for the access permissions. Any strings that can be used as a - * resource in an IAM policy can be used in the list of resources to check.
+ *A list of resources for the access permissions. Any strings that can be used as an + * Amazon Resource Name (ARN) in an IAM policy can be used in the list of resources to + * check. You can only use a wildcard in the portion of the ARN that specifies the resource + * ID.
* @public */ resources?: string[] | undefined; @@ -891,11 +893,11 @@ export interface CheckAccessNotGrantedRequest { /** *An access object containing the permissions that shouldn't be granted by the specified - * policy. If only actions are specified, IAM Access Analyzer checks for access of the actions on - * all resources in the policy. If only resources are specified, then IAM Access Analyzer checks - * which actions have access to the specified resources. If both actions and resources are - * specified, then IAM Access Analyzer checks which of the specified actions have access to the - * specified resources.
+ * policy. If only actions are specified, IAM Access Analyzer checks for access to peform at least + * one of the actions on any resource in the policy. If only resources are specified, then + * IAM Access Analyzer checks for access to perform any action on at least one of the resources. If + * both actions and resources are specified, IAM Access Analyzer checks for access to perform at + * least one of the specified actions on at least one of the specified resources. * @public */ access: Access[] | undefined; @@ -904,9 +906,7 @@ export interface CheckAccessNotGrantedRequest { *The type of policy. Identity policies grant permissions to IAM principals. Identity * policies include managed and inline policies for IAM roles, users, and groups.
*Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust - * policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic - * input such as identity policy or resource policy or a specific input such as managed policy - * or Amazon S3 bucket policy.
+ * policies for IAM roles and bucket policies for Amazon S3 buckets. * @public */ policyType: AccessCheckPolicyType | undefined; @@ -2821,6 +2821,22 @@ export interface GetFindingRequest { id: string | undefined; } +/** + * @public + * @enum + */ +export const ResourceControlPolicyRestriction = { + APPLICABLE: "APPLICABLE", + FAILED_TO_EVALUATE_RCP: "FAILED_TO_EVALUATE_RCP", + NOT_APPLICABLE: "NOT_APPLICABLE", +} as const; + +/** + * @public + */ +export type ResourceControlPolicyRestriction = + (typeof ResourceControlPolicyRestriction)[keyof typeof ResourceControlPolicyRestriction]; + /** *Includes details about how the access that generated the finding is granted. This is * populated for Amazon S3 bucket findings.
@@ -2957,6 +2973,13 @@ export interface Finding { * @public */ sources?: FindingSource[] | undefined; + + /** + *The type of restriction applied to the finding by the resource owner with an Organizations + * resource control policy (RCP).
+ * @public + */ + resourceControlPolicyRestriction?: ResourceControlPolicyRestriction | undefined; } /** @@ -3260,6 +3283,13 @@ export interface ExternalAccessDetails { * @public */ sources?: FindingSource[] | undefined; + + /** + *The type of restriction applied to the finding by the resource owner with an Organizations + * resource control policy (RCP).
+ * @public + */ + resourceControlPolicyRestriction?: ResourceControlPolicyRestriction | undefined; } /** @@ -4013,6 +4043,13 @@ export interface AccessPreviewFinding { * @public */ sources?: FindingSource[] | undefined; + + /** + *The type of restriction applied to the finding by the resource owner with an Organizations + * resource control policy (RCP).
+ * @public + */ + resourceControlPolicyRestriction?: ResourceControlPolicyRestriction | undefined; } /** @@ -4352,6 +4389,13 @@ export interface FindingSummary { * @public */ sources?: FindingSource[] | undefined; + + /** + *The type of restriction applied to the finding by the resource owner with an Organizations + * resource control policy (RCP).
+ * @public + */ + resourceControlPolicyRestriction?: ResourceControlPolicyRestriction | undefined; } /** @@ -4866,6 +4910,7 @@ export type Locale = (typeof Locale)[keyof typeof Locale]; */ export const PolicyType = { IDENTITY_POLICY: "IDENTITY_POLICY", + RESOURCE_CONTROL_POLICY: "RESOURCE_CONTROL_POLICY", RESOURCE_POLICY: "RESOURCE_POLICY", SERVICE_CONTROL_POLICY: "SERVICE_CONTROL_POLICY", } as const; diff --git a/clients/client-accessanalyzer/src/protocols/Aws_restJson1.ts b/clients/client-accessanalyzer/src/protocols/Aws_restJson1.ts index 76a4091edc75..b1e0c936791a 100644 --- a/clients/client-accessanalyzer/src/protocols/Aws_restJson1.ts +++ b/clients/client-accessanalyzer/src/protocols/Aws_restJson1.ts @@ -2051,6 +2051,7 @@ const de_AccessPreviewFinding = (output: any, context: __SerdeContext): AccessPr isPublic: __expectBoolean, principal: _json, resource: __expectString, + resourceControlPolicyRestriction: __expectString, resourceOwnerAccount: __expectString, resourceType: __expectString, sources: _json, @@ -2231,6 +2232,7 @@ const de_Finding = (output: any, context: __SerdeContext): Finding => { isPublic: __expectBoolean, principal: _json, resource: __expectString, + resourceControlPolicyRestriction: __expectString, resourceOwnerAccount: __expectString, resourceType: __expectString, sources: _json, @@ -2327,6 +2329,7 @@ const de_FindingSummary = (output: any, context: __SerdeContext): FindingSummary isPublic: __expectBoolean, principal: _json, resource: __expectString, + resourceControlPolicyRestriction: __expectString, resourceOwnerAccount: __expectString, resourceType: __expectString, sources: _json, diff --git a/codegen/sdk-codegen/aws-models/accessanalyzer.json b/codegen/sdk-codegen/aws-models/accessanalyzer.json index 57360988d1a4..6bfaee415f76 100644 --- a/codegen/sdk-codegen/aws-models/accessanalyzer.json +++ b/codegen/sdk-codegen/aws-models/accessanalyzer.json @@ -19,7 +19,7 @@ "target": "com.amazonaws.accessanalyzer#ResourcesList", "traits": { "smithy.api#default": [], - "smithy.api#documentation": "A list of resources for the access permissions. Any strings that can be used as a\n resource in an IAM policy can be used in the list of resources to check.
", + "smithy.api#documentation": "A list of resources for the access permissions. Any strings that can be used as an\n Amazon Resource Name (ARN) in an IAM policy can be used in the list of resources to\n check. You can only use a wildcard in the portion of the ARN that specifies the resource\n ID.
", "smithy.api#length": { "max": 100 } @@ -1433,6 +1433,12 @@ "traits": { "smithy.api#documentation": "The sources of the finding. This indicates how the access that generated the finding is\n granted. It is populated for Amazon S3 bucket findings.
" } + }, + "resourceControlPolicyRestriction": { + "target": "com.amazonaws.accessanalyzer#ResourceControlPolicyRestriction", + "traits": { + "smithy.api#documentation": "The type of restriction applied to the finding by the resource owner with an Organizations\n resource control policy (RCP).
" + } } }, "traits": { @@ -2181,7 +2187,7 @@ "access": { "target": "com.amazonaws.accessanalyzer#AccessList", "traits": { - "smithy.api#documentation": "An access object containing the permissions that shouldn't be granted by the specified\n policy. If only actions are specified, IAM Access Analyzer checks for access of the actions on\n all resources in the policy. If only resources are specified, then IAM Access Analyzer checks\n which actions have access to the specified resources. If both actions and resources are\n specified, then IAM Access Analyzer checks which of the specified actions have access to the\n specified resources.
", + "smithy.api#documentation": "An access object containing the permissions that shouldn't be granted by the specified\n policy. If only actions are specified, IAM Access Analyzer checks for access to peform at least\n one of the actions on any resource in the policy. If only resources are specified, then\n IAM Access Analyzer checks for access to perform any action on at least one of the resources. If\n both actions and resources are specified, IAM Access Analyzer checks for access to perform at\n least one of the specified actions on at least one of the specified resources.
", "smithy.api#length": { "max": 1 }, @@ -2191,7 +2197,7 @@ "policyType": { "target": "com.amazonaws.accessanalyzer#AccessCheckPolicyType", "traits": { - "smithy.api#documentation": "The type of policy. Identity policies grant permissions to IAM principals. Identity\n policies include managed and inline policies for IAM roles, users, and groups.
\nResource policies grant permissions on Amazon Web Services resources. Resource policies include trust\n policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic\n input such as identity policy or resource policy or a specific input such as managed policy\n or Amazon S3 bucket policy.
", + "smithy.api#documentation": "The type of policy. Identity policies grant permissions to IAM principals. Identity\n policies include managed and inline policies for IAM roles, users, and groups.
\nResource policies grant permissions on Amazon Web Services resources. Resource policies include trust\n policies for IAM roles and bucket policies for Amazon S3 buckets.
", "smithy.api#required": {} } } @@ -3258,6 +3264,12 @@ "traits": { "smithy.api#documentation": "The sources of the external access finding. This indicates how the access that generated\n the finding is granted. It is populated for Amazon S3 bucket findings.
" } + }, + "resourceControlPolicyRestriction": { + "target": "com.amazonaws.accessanalyzer#ResourceControlPolicyRestriction", + "traits": { + "smithy.api#documentation": "The type of restriction applied to the finding by the resource owner with an Organizations\n resource control policy (RCP).
" + } } }, "traits": { @@ -3367,6 +3379,12 @@ "traits": { "smithy.api#documentation": "The sources of the finding. This indicates how the access that generated the finding is\n granted. It is populated for Amazon S3 bucket findings.
" } + }, + "resourceControlPolicyRestriction": { + "target": "com.amazonaws.accessanalyzer#ResourceControlPolicyRestriction", + "traits": { + "smithy.api#documentation": "The type of restriction applied to the finding by the resource owner with an Organizations\n resource control policy (RCP).
" + } } }, "traits": { @@ -3643,6 +3661,12 @@ "traits": { "smithy.api#documentation": "The sources of the finding. This indicates how the access that generated the finding is\n granted. It is populated for Amazon S3 bucket findings.
" } + }, + "resourceControlPolicyRestriction": { + "target": "com.amazonaws.accessanalyzer#ResourceControlPolicyRestriction", + "traits": { + "smithy.api#documentation": "The type of restriction applied to the finding by the resource owner with an Organizations\n resource control policy (RCP).
" + } } }, "traits": { @@ -6163,6 +6187,10 @@ { "value": "SERVICE_CONTROL_POLICY", "name": "SERVICE_CONTROL_POLICY" + }, + { + "value": "RESOURCE_CONTROL_POLICY", + "name": "RESOURCE_CONTROL_POLICY" } ] } @@ -6470,6 +6498,25 @@ "smithy.api#pattern": "^arn:[^:]*:[^:]*:[^:]*:[^:]*:.*$" } }, + "com.amazonaws.accessanalyzer#ResourceControlPolicyRestriction": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "APPLICABLE", + "name": "APPLICABLE" + }, + { + "value": "FAILED_TO_EVALUATE_RCP", + "name": "FAILED_TO_EVALUATE_RCP" + }, + { + "value": "NOT_APPLICABLE", + "name": "NOT_APPLICABLE" + } + ] + } + }, "com.amazonaws.accessanalyzer#ResourceNotFoundException": { "type": "structure", "members": {