2020/04/27 - Access Analyzer - 2 updated api methods
Changes This release adds support for inclusion of S3 Access Point policies in IAM Access Analyzer evaluation of S3 bucket access. IAM Access Analyzer now reports findings for buckets shared through access points and identifies the access point that permits access.
{'finding': {'sources': [{'detail': {'accessPointArn': 'string'},
'type': 'BUCKET_ACL | POLICY | S3_ACCESS_POINT'}]}}
Retrieves information about the specified finding.
See also: AWS API Documentation
Request Syntax
client.get_finding(
analyzerArn='string',
id='string'
)
string
[REQUIRED]
The ARN of the analyzer that generated the finding.
string
[REQUIRED]
The ID of the finding to retrieve.
dict
Response Syntax
{
'finding': {
'action': [
'string',
],
'analyzedAt': datetime(2015, 1, 1),
'condition': {
'string': 'string'
},
'createdAt': datetime(2015, 1, 1),
'error': 'string',
'id': 'string',
'isPublic': True|False,
'principal': {
'string': 'string'
},
'resource': 'string',
'resourceOwnerAccount': 'string',
'resourceType': 'AWS::IAM::Role'|'AWS::KMS::Key'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::S3::Bucket'|'AWS::SQS::Queue',
'sources': [
{
'detail': {
'accessPointArn': 'string'
},
'type': 'BUCKET_ACL'|'POLICY'|'S3_ACCESS_POINT'
},
],
'status': 'ACTIVE'|'ARCHIVED'|'RESOLVED',
'updatedAt': datetime(2015, 1, 1)
}
}
Response Structure
(dict) --
The response to the request.
finding (dict) --
A finding object that contains finding details.
action (list) --
The action in the analyzed policy statement that an external principal has permission to use.
(string) --
analyzedAt (datetime) --
The time at which the resource was analyzed.
condition (dict) --
The condition in the analyzed policy statement that resulted in a finding.
(string) --
(string) --
createdAt (datetime) --
The time at which the finding was generated.
error (string) --
An error.
id (string) --
The ID of the finding.
isPublic (boolean) --
Indicates whether the policy that generated the finding allows public access to the resource.
principal (dict) --
The external principal that access to a resource within the zone of trust.
(string) --
(string) --
resource (string) --
The resource that an external principal has access to.
resourceOwnerAccount (string) --
The AWS account ID that owns the resource.
resourceType (string) --
The type of the resource reported in the finding.
sources (list) --
The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
(dict) --
The source of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
detail (dict) --
Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.
accessPointArn (string) --
The ARN of the access point that generated the finding.
type (string) --
Indicates the type of access that generated the finding.
status (string) --
The current status of the finding.
updatedAt (datetime) --
The time at which the finding was updated.
{'findings': {'sources': [{'detail': {'accessPointArn': 'string'},
'type': 'BUCKET_ACL | POLICY | S3_ACCESS_POINT'}]}}
Retrieves a list of findings generated by the specified analyzer.
See also: AWS API Documentation
Request Syntax
client.list_findings(
analyzerArn='string',
filter={
'string': {
'contains': [
'string',
],
'eq': [
'string',
],
'exists': True|False,
'neq': [
'string',
]
}
},
maxResults=123,
nextToken='string',
sort={
'attributeName': 'string',
'orderBy': 'ASC'|'DESC'
}
)
string
[REQUIRED]
The ARN of the analyzer to retrieve findings from.
dict
A filter to match for the findings to return.
(string) --
(dict) --
The criteria to use in the filter that defines the archive rule.
contains (list) --
A "contains" operator to match for the filter used to create the rule.
(string) --
eq (list) --
An "equals" operator to match for the filter used to create the rule.
(string) --
exists (boolean) --
An "exists" operator to match for the filter used to create the rule.
neq (list) --
A "not equals" operator to match for the filter used to create the rule.
(string) --
integer
The maximum number of results to return in the response.
string
A token used for pagination of results returned.
dict
The sort order for the findings returned.
attributeName (string) --
The name of the attribute to sort on.
orderBy (string) --
The sort order, ascending or descending.
dict
Response Syntax
{
'findings': [
{
'action': [
'string',
],
'analyzedAt': datetime(2015, 1, 1),
'condition': {
'string': 'string'
},
'createdAt': datetime(2015, 1, 1),
'error': 'string',
'id': 'string',
'isPublic': True|False,
'principal': {
'string': 'string'
},
'resource': 'string',
'resourceOwnerAccount': 'string',
'resourceType': 'AWS::IAM::Role'|'AWS::KMS::Key'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::S3::Bucket'|'AWS::SQS::Queue',
'sources': [
{
'detail': {
'accessPointArn': 'string'
},
'type': 'BUCKET_ACL'|'POLICY'|'S3_ACCESS_POINT'
},
],
'status': 'ACTIVE'|'ARCHIVED'|'RESOLVED',
'updatedAt': datetime(2015, 1, 1)
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
The response to the request.
findings (list) --
A list of findings retrieved from the analyzer that match the filter criteria specified, if any.
(dict) --
Contains information about a finding.
action (list) --
The action in the analyzed policy statement that an external principal has permission to use.
(string) --
analyzedAt (datetime) --
The time at which the resource-based policy that generated the finding was analyzed.
condition (dict) --
The condition in the analyzed policy statement that resulted in a finding.
(string) --
(string) --
createdAt (datetime) --
The time at which the finding was created.
error (string) --
The error that resulted in an Error finding.
id (string) --
The ID of the finding.
isPublic (boolean) --
Indicates whether the finding reports a resource that has a policy that allows public access.
principal (dict) --
The external principal that has access to a resource within the zone of trust.
(string) --
(string) --
resource (string) --
The resource that the external principal has access to.
resourceOwnerAccount (string) --
The AWS account ID that owns the resource.
resourceType (string) --
The type of the resource that the external principal has access to.
sources (list) --
The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
(dict) --
The source of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
detail (dict) --
Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.
accessPointArn (string) --
The ARN of the access point that generated the finding.
type (string) --
Indicates the type of access that generated the finding.
status (string) --
The status of the finding.
updatedAt (datetime) --
The time at which the finding was most recently updated.
nextToken (string) --
A token used for pagination of results returned.