2020/03/30 - Access Analyzer - 7 updated api methods
Changes This release adds support for the creation and management of IAM Access Analyzer analyzers with type organization. An analyzer with type organization continuously monitors all supported resources within the AWS organization and reports findings when they allow access from outside the organization.
{'type': {'ORGANIZATION'}}
Creates an analyzer for your account.
See also: AWS API Documentation
Request Syntax
client.create_analyzer(
analyzerName='string',
archiveRules=[
{
'filter': {
'string': {
'contains': [
'string',
],
'eq': [
'string',
],
'exists': True|False,
'neq': [
'string',
]
}
},
'ruleName': 'string'
},
],
clientToken='string',
tags={
'string': 'string'
},
type='ACCOUNT'|'ORGANIZATION'
)
string
[REQUIRED]
The name of the analyzer to create.
list
Specifies the archive rules to add for the analyzer. Archive rules automatically archive findings that meet the criteria you define for the rule.
(dict) --
An criterion statement in an archive rule. Each archive rule may have multiple criteria.
filter (dict) -- [REQUIRED]
The condition and values for a criterion.
(string) --
(dict) --
The criteria to use in the filter that defines the archive rule.
contains (list) --
A "contains" operator to match for the filter used to create the rule.
(string) --
eq (list) --
An "equals" operator to match for the filter used to create the rule.
(string) --
exists (boolean) --
An "exists" operator to match for the filter used to create the rule.
neq (list) --
A "not equals" operator to match for the filter used to create the rule.
(string) --
ruleName (string) -- [REQUIRED]
The name of the rule.
string
A client token.
This field is autopopulated if not provided.
dict
The tags to apply to the analyzer.
(string) --
(string) --
string
[REQUIRED]
The type of analyzer to create. Only ACCOUNT analyzers are supported. You can create only one analyzer per account per Region.
dict
Response Syntax
{
'arn': 'string'
}
Response Structure
(dict) --
The response to the request to create an analyzer.
arn (string) --
The ARN of the analyzer that was created by the request.
{'resource': {'resourceOwnerAccount': 'string'}}
Retrieves information about a resource that was analyzed.
See also: AWS API Documentation
Request Syntax
client.get_analyzed_resource(
analyzerArn='string',
resourceArn='string'
)
string
[REQUIRED]
The ARN of the analyzer to retrieve information from.
string
[REQUIRED]
The ARN of the resource to retrieve information about.
dict
Response Syntax
{
'resource': {
'actions': [
'string',
],
'analyzedAt': datetime(2015, 1, 1),
'createdAt': datetime(2015, 1, 1),
'error': 'string',
'isPublic': True|False,
'resourceArn': 'string',
'resourceOwnerAccount': 'string',
'resourceType': 'AWS::IAM::Role'|'AWS::KMS::Key'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::S3::Bucket'|'AWS::SQS::Queue',
'sharedVia': [
'string',
],
'status': 'ACTIVE'|'ARCHIVED'|'RESOLVED',
'updatedAt': datetime(2015, 1, 1)
}
}
Response Structure
(dict) --
The response to the request.
resource (dict) --
An AnalyedResource object that contains information that Access Analyzer found when it analyzed the resource.
actions (list) --
The actions that an external principal is granted permission to use by the policy that generated the finding.
(string) --
analyzedAt (datetime) --
The time at which the resource was analyzed.
createdAt (datetime) --
The time at which the finding was created.
error (string) --
An error message.
isPublic (boolean) --
Indicates whether the policy that generated the finding grants public access to the resource.
resourceArn (string) --
The ARN of the resource that was analyzed.
resourceOwnerAccount (string) --
The AWS account ID that owns the resource.
resourceType (string) --
The type of the resource that was analyzed.
sharedVia (list) --
Indicates how the access that generated the finding is granted.
(string) --
status (string) --
The current status of the finding generated from the analyzed resource.
updatedAt (datetime) --
The time at which the finding was updated.
{'analyzer': {'status': 'ACTIVE | CREATING | DISABLED | FAILED',
'statusReason': {'code': 'AWS_SERVICE_ACCESS_DISABLED | '
'DELEGATED_ADMINISTRATOR_DEREGISTERED | '
'ORGANIZATION_DELETED | '
'SERVICE_LINKED_ROLE_CREATION_FAILED'},
'type': {'ORGANIZATION'}}}
Retrieves information about the specified analyzer.
See also: AWS API Documentation
Request Syntax
client.get_analyzer(
analyzerName='string'
)
string
[REQUIRED]
The name of the analyzer retrieved.
dict
Response Syntax
{
'analyzer': {
'arn': 'string',
'createdAt': datetime(2015, 1, 1),
'lastResourceAnalyzed': 'string',
'lastResourceAnalyzedAt': datetime(2015, 1, 1),
'name': 'string',
'status': 'ACTIVE'|'CREATING'|'DISABLED'|'FAILED',
'statusReason': {
'code': 'AWS_SERVICE_ACCESS_DISABLED'|'DELEGATED_ADMINISTRATOR_DEREGISTERED'|'ORGANIZATION_DELETED'|'SERVICE_LINKED_ROLE_CREATION_FAILED'
},
'tags': {
'string': 'string'
},
'type': 'ACCOUNT'|'ORGANIZATION'
}
}
Response Structure
(dict) --
The response to the request.
analyzer (dict) --
An AnalyzerSummary object that contains information about the analyzer.
arn (string) --
The ARN of the analyzer.
createdAt (datetime) --
A timestamp for the time at which the analyzer was created.
lastResourceAnalyzed (string) --
The resource that was most recently analyzed by the analyzer.
lastResourceAnalyzedAt (datetime) --
The time at which the most recently analyzed resource was analyzed.
name (string) --
The name of the analyzer.
status (string) --
The status of the analyzer. An Active analyzer successfully monitors supported resources and generates new findings. The analyzer is Disabled when a user action, such as removing trusted access for IAM Access Analyzer from AWS Organizations, causes the analyzer to stop generating new findings. The status is Creating when the analyzer creation is in progress and Failed when the analyzer creation has failed.
statusReason (dict) --
The statusReason provides more details about the current status of the analyzer. For example, if the creation for the analyzer fails, a Failed status is displayed. For an analyzer with organization as the type, this failure can be due to an issue with creating the service-linked roles required in the member accounts of the AWS organization.
code (string) --
The reason code for the current status of the analyzer.
tags (dict) --
The tags added to the analyzer.
(string) --
(string) --
type (string) --
The type of analyzer, which corresponds to the zone of trust chosen for the analyzer.
{'finding': {'resourceOwnerAccount': 'string'}}
Retrieves information about the specified finding.
See also: AWS API Documentation
Request Syntax
client.get_finding(
analyzerArn='string',
id='string'
)
string
[REQUIRED]
The ARN of the analyzer that generated the finding.
string
[REQUIRED]
The ID of the finding to retrieve.
dict
Response Syntax
{
'finding': {
'action': [
'string',
],
'analyzedAt': datetime(2015, 1, 1),
'condition': {
'string': 'string'
},
'createdAt': datetime(2015, 1, 1),
'error': 'string',
'id': 'string',
'isPublic': True|False,
'principal': {
'string': 'string'
},
'resource': 'string',
'resourceOwnerAccount': 'string',
'resourceType': 'AWS::IAM::Role'|'AWS::KMS::Key'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::S3::Bucket'|'AWS::SQS::Queue',
'status': 'ACTIVE'|'ARCHIVED'|'RESOLVED',
'updatedAt': datetime(2015, 1, 1)
}
}
Response Structure
(dict) --
The response to the request.
finding (dict) --
A finding object that contains finding details.
action (list) --
The action in the analyzed policy statement that an external principal has permission to use.
(string) --
analyzedAt (datetime) --
The time at which the resource was analyzed.
condition (dict) --
The condition in the analyzed policy statement that resulted in a finding.
(string) --
(string) --
createdAt (datetime) --
The time at which the finding was generated.
error (string) --
An error.
id (string) --
The ID of the finding.
isPublic (boolean) --
Indicates whether the policy that generated the finding allows public access to the resource.
principal (dict) --
The external principal that access to a resource within the zone of trust.
(string) --
(string) --
resource (string) --
The resource that an external principal has access to.
resourceOwnerAccount (string) --
The AWS account ID that owns the resource.
resourceType (string) --
The type of the resource reported in the finding.
status (string) --
The current status of the finding.
updatedAt (datetime) --
The time at which the finding was updated.
{'analyzedResources': {'resourceOwnerAccount': 'string'}}
Retrieves a list of resources of the specified type that have been analyzed by the specified analyzer..
See also: AWS API Documentation
Request Syntax
client.list_analyzed_resources(
analyzerArn='string',
maxResults=123,
nextToken='string',
resourceType='AWS::IAM::Role'|'AWS::KMS::Key'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::S3::Bucket'|'AWS::SQS::Queue'
)
string
[REQUIRED]
The ARN of the analyzer to retrieve a list of analyzed resources from.
integer
The maximum number of results to return in the response.
string
A token used for pagination of results returned.
string
The type of resource.
dict
Response Syntax
{
'analyzedResources': [
{
'resourceArn': 'string',
'resourceOwnerAccount': 'string',
'resourceType': 'AWS::IAM::Role'|'AWS::KMS::Key'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::S3::Bucket'|'AWS::SQS::Queue'
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The response to the request.
analyzedResources (list) --
A list of resources that were analyzed.
(dict) --
Contains the ARN of the analyzed resource.
resourceArn (string) --
The ARN of the analyzed resource.
resourceOwnerAccount (string) --
The AWS account ID that owns the resource.
resourceType (string) --
The type of resource that was analyzed.
nextToken (string) --
A token used for pagination of results returned.
{'type': {'ORGANIZATION'}}
Response {'analyzers': {'status': 'ACTIVE | CREATING | DISABLED | FAILED',
'statusReason': {'code': 'AWS_SERVICE_ACCESS_DISABLED | '
'DELEGATED_ADMINISTRATOR_DEREGISTERED '
'| ORGANIZATION_DELETED | '
'SERVICE_LINKED_ROLE_CREATION_FAILED'},
'type': {'ORGANIZATION'}}}
Retrieves a list of analyzers.
See also: AWS API Documentation
Request Syntax
client.list_analyzers(
maxResults=123,
nextToken='string',
type='ACCOUNT'|'ORGANIZATION'
)
integer
The maximum number of results to return in the response.
string
A token used for pagination of results returned.
string
The type of analyzer.
dict
Response Syntax
{
'analyzers': [
{
'arn': 'string',
'createdAt': datetime(2015, 1, 1),
'lastResourceAnalyzed': 'string',
'lastResourceAnalyzedAt': datetime(2015, 1, 1),
'name': 'string',
'status': 'ACTIVE'|'CREATING'|'DISABLED'|'FAILED',
'statusReason': {
'code': 'AWS_SERVICE_ACCESS_DISABLED'|'DELEGATED_ADMINISTRATOR_DEREGISTERED'|'ORGANIZATION_DELETED'|'SERVICE_LINKED_ROLE_CREATION_FAILED'
},
'tags': {
'string': 'string'
},
'type': 'ACCOUNT'|'ORGANIZATION'
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The response to the request.
analyzers (list) --
The analyzers retrieved.
(dict) --
Contains information about the analyzer.
arn (string) --
The ARN of the analyzer.
createdAt (datetime) --
A timestamp for the time at which the analyzer was created.
lastResourceAnalyzed (string) --
The resource that was most recently analyzed by the analyzer.
lastResourceAnalyzedAt (datetime) --
The time at which the most recently analyzed resource was analyzed.
name (string) --
The name of the analyzer.
status (string) --
The status of the analyzer. An Active analyzer successfully monitors supported resources and generates new findings. The analyzer is Disabled when a user action, such as removing trusted access for IAM Access Analyzer from AWS Organizations, causes the analyzer to stop generating new findings. The status is Creating when the analyzer creation is in progress and Failed when the analyzer creation has failed.
statusReason (dict) --
The statusReason provides more details about the current status of the analyzer. For example, if the creation for the analyzer fails, a Failed status is displayed. For an analyzer with organization as the type, this failure can be due to an issue with creating the service-linked roles required in the member accounts of the AWS organization.
code (string) --
The reason code for the current status of the analyzer.
tags (dict) --
The tags added to the analyzer.
(string) --
(string) --
type (string) --
The type of analyzer, which corresponds to the zone of trust chosen for the analyzer.
nextToken (string) --
A token used for pagination of results returned.
{'findings': {'resourceOwnerAccount': 'string'}}
Retrieves a list of findings generated by the specified analyzer.
See also: AWS API Documentation
Request Syntax
client.list_findings(
analyzerArn='string',
filter={
'string': {
'contains': [
'string',
],
'eq': [
'string',
],
'exists': True|False,
'neq': [
'string',
]
}
},
maxResults=123,
nextToken='string',
sort={
'attributeName': 'string',
'orderBy': 'ASC'|'DESC'
}
)
string
[REQUIRED]
The ARN of the analyzer to retrieve findings from.
dict
A filter to match for the findings to return.
(string) --
(dict) --
The criteria to use in the filter that defines the archive rule.
contains (list) --
A "contains" operator to match for the filter used to create the rule.
(string) --
eq (list) --
An "equals" operator to match for the filter used to create the rule.
(string) --
exists (boolean) --
An "exists" operator to match for the filter used to create the rule.
neq (list) --
A "not equals" operator to match for the filter used to create the rule.
(string) --
integer
The maximum number of results to return in the response.
string
A token used for pagination of results returned.
dict
The sort order for the findings returned.
attributeName (string) --
The name of the attribute to sort on.
orderBy (string) --
The sort order, ascending or descending.
dict
Response Syntax
{
'findings': [
{
'action': [
'string',
],
'analyzedAt': datetime(2015, 1, 1),
'condition': {
'string': 'string'
},
'createdAt': datetime(2015, 1, 1),
'error': 'string',
'id': 'string',
'isPublic': True|False,
'principal': {
'string': 'string'
},
'resource': 'string',
'resourceOwnerAccount': 'string',
'resourceType': 'AWS::IAM::Role'|'AWS::KMS::Key'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::S3::Bucket'|'AWS::SQS::Queue',
'status': 'ACTIVE'|'ARCHIVED'|'RESOLVED',
'updatedAt': datetime(2015, 1, 1)
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The response to the request.
findings (list) --
A list of findings retrieved from the analyzer that match the filter criteria specified, if any.
(dict) --
Contains information about a finding.
action (list) --
The action in the analyzed policy statement that an external principal has permission to use.
(string) --
analyzedAt (datetime) --
The time at which the resource-based policy that generated the finding was analyzed.
condition (dict) --
The condition in the analyzed policy statement that resulted in a finding.
(string) --
(string) --
createdAt (datetime) --
The time at which the finding was created.
error (string) --
The error that resulted in an Error finding.
id (string) --
The ID of the finding.
isPublic (boolean) --
Indicates whether the finding reports a resource that has a policy that allows public access.
principal (dict) --
The external principal that has access to a resource within the zone of trust.
(string) --
(string) --
resource (string) --
The resource that the external principal has access to.
resourceOwnerAccount (string) --
The AWS account ID that owns the resource.
resourceType (string) --
The type of the resource that the external principal has access to.
status (string) --
The status of the finding.
updatedAt (datetime) --
The time at which the finding was most recently updated.
nextToken (string) --
A token used for pagination of results returned.