Access Analyzer

2024/06/11 - Access Analyzer - 3 new, 1 updated API methods

Changes: IAM Access Analyzer now provides policy recommendations to help resolve unused permissions for IAM roles and users. Additionally, IAM Access Analyzer now extends its custom policy checks to detect when IAM policies grant public access or access to critical resources ahead of deployments.

GenerateFindingRecommendation (new)

Creates a recommendation for an unused permissions finding.

See also: AWS API Documentation

Request Syntax

client.generate_finding_recommendation(
    analyzerArn='string',
    id='string'
)
type analyzerArn

string

param analyzerArn

[REQUIRED]

The ARN of the analyzer used to generate the finding recommendation.

type id

string

param id

[REQUIRED]

The unique ID for the finding recommendation.

returns

None

CheckNoPublicAccess (new)

Checks whether a resource policy can grant public access to the specified resource type.

See also: AWS API Documentation

Request Syntax

client.check_no_public_access(
    policyDocument='string',
    resourceType='AWS::DynamoDB::Table'|'AWS::DynamoDB::Stream'|'AWS::EFS::FileSystem'|'AWS::OpenSearchService::Domain'|'AWS::Kinesis::Stream'|'AWS::Kinesis::StreamConsumer'|'AWS::KMS::Key'|'AWS::Lambda::Function'|'AWS::S3::Bucket'|'AWS::S3::AccessPoint'|'AWS::S3Express::DirectoryBucket'|'AWS::S3::Glacier'|'AWS::S3Outposts::Bucket'|'AWS::S3Outposts::AccessPoint'|'AWS::SecretsManager::Secret'|'AWS::SNS::Topic'|'AWS::SQS::Queue'|'AWS::IAM::AssumeRolePolicyDocument'
)
type policyDocument

string

param policyDocument

[REQUIRED]

The JSON policy document to evaluate for public access.

type resourceType

string

param resourceType

[REQUIRED]

The type of resource to evaluate for public access. For example, to check for public access to Amazon S3 buckets, you can choose AWS::S3::Bucket for the resource type.

For resource types not supported as valid values, IAM Access Analyzer will return an error.

rtype

dict

returns

Response Syntax

{
    'result': 'PASS'|'FAIL',
    'message': 'string',
    'reasons': [
        {
            'description': 'string',
            'statementIndex': 123,
            'statementId': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • result (string) --

      The result of the check for public access to the specified resource type. If the result is PASS, the policy doesn't allow public access to the specified resource type. If the result is FAIL, the policy might allow public access to the specified resource type.

    • message (string) --

      The message indicating whether the specified policy allows public access to resources.

    • reasons (list) --

      A list of reasons why the specified resource policy grants public access for the resource type.

      • (dict) --

        Contains information about the reasoning why a check for access passed or failed.

        • description (string) --

          A description of the reasoning behind the result of the access check.

        • statementIndex (integer) --

          The index number of the reason statement.

        • statementId (string) --

          The identifier for the reason statement.

GetFindingRecommendation (new)

Retrieves information about a finding recommendation for the specified analyzer.

See also: AWS API Documentation

Request Syntax

client.get_finding_recommendation(
    analyzerArn='string',
    id='string',
    maxResults=123,
    nextToken='string'
)
type analyzerArn

string

param analyzerArn

[REQUIRED]

The ARN of the analyzer used to generate the finding recommendation.

type id

string

param id

[REQUIRED]

The unique ID for the finding recommendation.

type maxResults

integer

param maxResults

The maximum number of results to return in the response.

type nextToken

string

param nextToken

A token used for pagination of results returned.

rtype

dict

returns

Response Syntax

{
    'startedAt': datetime(2015, 1, 1),
    'completedAt': datetime(2015, 1, 1),
    'nextToken': 'string',
    'error': {
        'code': 'string',
        'message': 'string'
    },
    'resourceArn': 'string',
    'recommendedSteps': [
        {
            'unusedPermissionsRecommendedStep': {
                'policyUpdatedAt': datetime(2015, 1, 1),
                'recommendedAction': 'CREATE_POLICY'|'DETACH_POLICY',
                'recommendedPolicy': 'string',
                'existingPolicyId': 'string'
            }
        },
    ],
    'recommendationType': 'UnusedPermissionRecommendation',
    'status': 'SUCCEEDED'|'FAILED'|'IN_PROGRESS'
}

Response Structure

  • (dict) --

    • startedAt (datetime) --

      The time at which the retrieval of the finding recommendation was started.

    • completedAt (datetime) --

      The time at which the retrieval of the finding recommendation was completed.

    • nextToken (string) --

      A token used for pagination of results returned.

    • error (dict) --

      Detailed information about the reason that the retrieval of a recommendation for the finding failed.

      • code (string) --

        The error code for a failed retrieval of a recommendation for a finding.

      • message (string) --

        The error message for a failed retrieval of a recommendation for a finding.

    • resourceArn (string) --

      The ARN of the resource of the finding.

    • recommendedSteps (list) --

      A group of recommended steps for the finding.

      • (dict) --

        Contains information about a recommended step for an unused access analyzer finding.

        Note

        This is a Tagged Union structure. Only one of the following top level keys will be set: unusedPermissionsRecommendedStep. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

        'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}

        • unusedPermissionsRecommendedStep (dict) --

          A recommended step for an unused permissions finding.

          • policyUpdatedAt (datetime) --

            The time at which the existing policy for the unused permissions finding was last updated.

          • recommendedAction (string) --

            A recommendation of whether to create or detach a policy for an unused permissions finding.

          • recommendedPolicy (string) --

            If the recommended action for the unused permissions finding is to replace the existing policy, the contents of the recommended policy to replace the policy specified in the existingPolicyId field.

          • existingPolicyId (string) --

            If the recommended action for the unused permissions finding is to detach a policy, the ID of an existing policy to be detached.

    • recommendationType (string) --

      The type of recommendation for the finding.

    • status (string) --

      The status of the retrieval of the finding recommendation.
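As an added example (not code from boto3 or the AWS documentation), the full recommendation workflow described above: generate_finding_recommendation, then get_finding_recommendation polled until status leaves IN_PROGRESS, following nextToken across pages and handling the recommendedSteps tagged union, including an SDK_UNKNOWN_MEMBER entry. The `client` can be any object with these two methods, such as boto3.client('accessanalyzer'); the FakeAnalyzer, ARNs, policy ID and unknown member name are constructed so it runs offline.

```python
import time

def fetch_recommendation(client, analyzer_arn, finding_id, poll_seconds=2.0, max_polls=30):
    """Request a recommendation, poll until status leaves IN_PROGRESS, and gather the
    recommended steps from every nextToken page as (action, policy, existingPolicyId)."""
    client.generate_finding_recommendation(analyzerArn=analyzer_arn, id=finding_id)
    for _ in range(max_polls):
        steps, token = [], None
        while True:
            kwargs = {"analyzerArn": analyzer_arn, "id": finding_id}
            if token:
                kwargs["nextToken"] = token
            page = client.get_finding_recommendation(**kwargs)
            for step in page.get("recommendedSteps", []):
                # Tagged union: one top-level key; unknown members arrive as SDK_UNKNOWN_MEMBER.
                if "unusedPermissionsRecommendedStep" in step:
                    s = step["unusedPermissionsRecommendedStep"]
                    steps.append((s["recommendedAction"], s.get("recommendedPolicy"),
                                  s.get("existingPolicyId")))
                else:
                    steps.append(("UNKNOWN", step.get("SDK_UNKNOWN_MEMBER", {}).get("name"), None))
            token = page.get("nextToken")
            if not token:
                break
        if page["status"] != "IN_PROGRESS":
            return page["status"], page.get("resourceArn"), steps, page.get("error")
        time.sleep(poll_seconds)
    raise TimeoutError("recommendation still IN_PROGRESS after %d polls" % max_polls)

class FakeAnalyzer:
    """Constructed stand-in: first poll is IN_PROGRESS, then a two-page SUCCEEDED
    result. ARNs, policy IDs and the unknown member name are invented."""
    calls = 0
    def generate_finding_recommendation(self, analyzerArn, id):
        return None
    def get_finding_recommendation(self, analyzerArn, id, nextToken=None):
        self.calls += 1
        if self.calls == 1:
            return {"status": "IN_PROGRESS", "recommendedSteps": []}
        base = {"status": "SUCCEEDED", "resourceArn": "arn:aws:iam::123456789012:role/example-role"}
        if nextToken is None:
            return dict(base, nextToken="page2", recommendedSteps=[{"unusedPermissionsRecommendedStep":
                {"recommendedAction": "DETACH_POLICY", "existingPolicyId": "ANPAEXAMPLEPOLICYID"}}])
        return dict(base, recommendedSteps=[
            {"unusedPermissionsRecommendedStep": {"recommendedAction": "CREATE_POLICY",
                 "recommendedPolicy": '{"Version":"2012-10-17","Statement":[]}'}},
            {"SDK_UNKNOWN_MEMBER": {"name": "futureStepType"}}])
```

A DETACH_POLICY step names the policy to remove via existingPolicyId, while CREATE_POLICY carries the replacement document in recommendedPolicy; the UNKNOWN entry is kept so a newer step type is reviewed rather than silently ignored.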

CheckAccessNotGranted (updated)

Changes (request):
{'access': {'resources': ['string']}}

Checks whether the specified access isn't allowed by a policy.

See also: AWS API Documentation

Request Syntax

client.check_access_not_granted(
    policyDocument='string',
    access=[
        {
            'actions': [
                'string',
            ],
            'resources': [
                'string',
            ]
        },
    ],
    policyType='IDENTITY_POLICY'|'RESOURCE_POLICY'
)
type policyDocument

string

param policyDocument

[REQUIRED]

The JSON policy document to use as the content for the policy.

type access

list

param access

[REQUIRED]

An access object containing the permissions that shouldn't be granted by the specified policy. If only actions are specified, IAM Access Analyzer checks for access of the actions on all resources in the policy. If only resources are specified, then IAM Access Analyzer checks which actions have access to the specified resources. If both actions and resources are specified, then IAM Access Analyzer checks which of the specified actions have access to the specified resources.

  • (dict) --

    Contains information about actions and resources that define permissions to check against a policy.

    • actions (list) --

      A list of actions for the access permissions. Any strings that can be used as an action in an IAM policy can be used in the list of actions to check.

      • (string) --

    • resources (list) --

      A list of resources for the access permissions. Any strings that can be used as a resource in an IAM policy can be used in the list of resources to check.

      • (string) --

type policyType

string

param policyType

[REQUIRED]

The type of policy. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups.

Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic input such as identity policy or resource policy or a specific input such as managed policy or Amazon S3 bucket policy.

rtype

dict

returns

Response Syntax

{
    'result': 'PASS'|'FAIL',
    'message': 'string',
    'reasons': [
        {
            'description': 'string',
            'statementIndex': 123,
            'statementId': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • result (string) --

      The result of the check for whether the access is allowed. If the result is PASS, the specified policy doesn't allow any of the specified permissions in the access object. If the result is FAIL, the specified policy might allow some or all of the permissions in the access object.

    • message (string) --

      The message indicating whether the specified access is allowed.

    • reasons (list) --

      A description of the reasoning of the result.

      • (dict) --

        Contains information about the reasoning why a check for access passed or failed.

        • description (string) --

          A description of the reasoning behind the result of the access check.

        • statementIndex (integer) --

          The index number of the reason statement.

        • statementId (string) --

          The identifier for the reason statement.
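As an added example (not code from boto3 or the AWS documentation), a pre-deployment gate that runs CheckNoPublicAccess and the resource-only form of CheckAccessNotGranted, described above, over a constructed S3 bucket policy and reports the failing statements by index and Sid. The `client` can be any object with those two methods, such as boto3.client('accessanalyzer'); the FakeAnalyzer and its reason text are constructed stand-ins so the script runs offline.

```python
import json

# Constructed sample bucket policy (not from the page): one scoped statement and one that
# grants read access to every principal.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LogDelivery", "Effect": "Allow",
         "Principal": {"Service": "logging.s3.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-logs/*"},
        {"Sid": "OpenRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs/*"},
    ],
}

def policy_gate(client, policy, resource_type, critical_resources, policy_type="RESOURCE_POLICY"):
    """Run both pre-deployment checks; deploy only if neither returns FAIL.

    `client` needs check_no_public_access and check_access_not_granted with the
    request/response shapes documented above (boto3's accessanalyzer client has them).
    """
    doc = json.dumps(policy)
    findings = []
    public = client.check_no_public_access(policyDocument=doc, resourceType=resource_type)
    if public["result"] == "FAIL":
        findings += [("public-access", r.get("statementId"), r["statementIndex"], r["description"])
                     for r in public.get("reasons", [])]
    # Only `resources` in the access object: any action that reaches them is reported.
    critical = client.check_access_not_granted(
        policyDocument=doc, access=[{"resources": critical_resources}], policyType=policy_type)
    if critical["result"] == "FAIL":
        findings += [("critical-resource", r.get("statementId"), r["statementIndex"], r["description"])
                     for r in critical.get("reasons", [])]
    return {"allow_deploy": not findings, "findings": findings}

class FakeAnalyzer:
    """Constructed stand-in with canned responses so the gate runs offline; the
    reason text is invented, not Access Analyzer output."""
    def check_no_public_access(self, policyDocument, resourceType):
        sids = [s.get("Sid") for s in json.loads(policyDocument)["Statement"]]
        return {"result": "FAIL", "message": "The policy might allow public access.",
                "reasons": [{"description": "Principal is '*' with no limiting condition.",
                             "statementIndex": sids.index("OpenRead"), "statementId": "OpenRead"}]}
    def check_access_not_granted(self, policyDocument, access, policyType):
        return {"result": "PASS", "message": "No access to the listed resources.", "reasons": []}

if __name__ == "__main__":
    print(json.dumps(policy_gate(FakeAnalyzer(), SAMPLE_BUCKET_POLICY, "AWS::S3::Bucket",
                                 ["arn:aws:s3:::example-secrets/*"]), indent=2))
```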