2024/12/02 - Amazon Elastic Compute Cloud - 11 new, 51 updated API methods
Changes: Adds support for declarative policies, which let you enforce a desired configuration across an AWS organization by configuring account attributes. Adds support for Allowed AMIs, which lets you limit the AMIs that can be used in AWS accounts. Adds support for connectivity over non-HTTP protocols.
Generates an account status report. The report is generated asynchronously, and can take several hours to complete.
The report provides the current status of all attributes supported by declarative policies for the accounts within the specified scope. The scope is determined by the specified TargetId, which can represent an individual account, or all the accounts that fall under the specified organizational unit (OU) or root (the entire Amazon Web Services Organization).
The report is saved to your specified S3 bucket, using the following path structure (with the placeholders representing your specific values):
s3://amzn-s3-demo-bucket/your-optional-s3-prefix/ec2_targetId_reportId_yyyyMMddThhmmZ.csv
Prerequisites for generating a report
The StartDeclarativePoliciesReport API can only be called by the management account or delegated administrators for the organization.
An S3 bucket must be available before generating the report (you can create a new one or use an existing one), and it must have an appropriate bucket policy. For a sample S3 policy, see Sample Amazon S3 policy.
Trusted access must be enabled for the service for which the declarative policy will enforce a baseline configuration. If you use the Amazon Web Services Organizations console, this is done automatically when you enable declarative policies. The API uses the following service principal to identify the EC2 service: ec2.amazonaws.com. For more information on how to enable trusted access with the Amazon Web Services CLI and Amazon Web Services SDKs, see Using Organizations with other Amazon Web Services services in the Amazon Web Services Organizations User Guide.
Only one report per organization can be generated at a time. Attempting to generate a report while another is in progress will result in an error.
For more information, including the required IAM permissions to run this API, see Generating the account status report for declarative policies in the Amazon Web Services Organizations User Guide.
See also: AWS API Documentation
Request Syntax
client.start_declarative_policies_report( DryRun=True|False, S3Bucket='string', S3Prefix='string', TargetId='string', TagSpecifications=[ { 'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ] }, ] )
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
S3Bucket (string) --
[REQUIRED]
The name of the S3 bucket where the report will be saved.
S3Prefix (string) --
The prefix for your S3 object.
TargetId (string) --
[REQUIRED]
The root ID, organizational unit ID, or account ID.
Format:
For root: r-ab12
For OU: ou-ab12-cdef1234
For account: 123456789012
TagSpecifications (list) --
The tags to apply.
(dict) --
The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
ResourceType (string) --
The type of resource to tag on creation.
Tags (list) --
The tags to apply to the resource.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
Return type: dict
Response Syntax
{ 'ReportId': 'string' }
Response Structure
(dict) --
ReportId (string) --
The ID of the report.
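The following is an added example, not code from the boto3 documentation. It drives StartDeclarativePoliciesReport through a duck-typed client (a real boto3 EC2 client fits; a recording stub is included so the module runs offline), validates the TargetId against the three formats shown above, applies the documented tag constraints, and parses object keys written under the documented S3 path layout. The ID regexes are assumptions derived from the sample formats (r-ab12, ou-ab12-cdef1234, 123456789012), and the ReportId the stub returns is a constructed value.

```python
import re
from datetime import datetime, timezone

# Assumed ID shapes, derived from the documented samples.
TARGET_ID_PATTERNS = {
    "root": re.compile(r"^r-[0-9a-z]{4,32}$"),
    "ou": re.compile(r"^ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}$"),
    "account": re.compile(r"^\d{12}$"),
}

# Documented object-key layout:
#   s3://bucket/optional-prefix/ec2_targetId_reportId_yyyyMMddThhmmZ.csv
REPORT_KEY_RE = re.compile(
    r"^(?P<prefix>(?:.*/)?)ec2_(?P<target_id>[^_/]+)_(?P<report_id>[^/]+)_(?P<stamp>\d{8}T\d{4}Z)\.csv$"
)


def classify_target_id(target_id: str) -> str:
    """Return 'root', 'ou' or 'account'; raise ValueError for anything else."""
    for kind, pattern in TARGET_ID_PATTERNS.items():
        if pattern.match(target_id):
            return kind
    raise ValueError(f"TargetId {target_id!r} is not a root, OU, or account ID")


def validate_tags(tags: dict) -> None:
    """Documented constraints: key <= 127 chars and not 'aws:'-prefixed; value <= 256 chars."""
    for key, value in tags.items():
        if len(key) > 127 or key.startswith("aws:"):
            raise ValueError(f"invalid tag key {key!r}")
        if len(value) > 256:
            raise ValueError(f"tag value for {key!r} exceeds 256 characters")


def start_report(client, s3_bucket, target_id, s3_prefix=None, tags=None, dry_run=False):
    """Validate inputs, build the request, call the client, and return the ReportId."""
    classify_target_id(target_id)
    params = {"S3Bucket": s3_bucket, "TargetId": target_id, "DryRun": dry_run}
    if s3_prefix:
        params["S3Prefix"] = s3_prefix
    if tags:
        validate_tags(tags)
        params["TagSpecifications"] = [{
            "ResourceType": "declarative-policies-report",
            "Tags": [{"Key": k, "Value": v} for k, v in tags.items()],
        }]
    return client.start_declarative_policies_report(**params)["ReportId"]


def parse_report_key(key: str):
    """Split an S3 object key written under the documented layout; None when it does not match."""
    match = REPORT_KEY_RE.match(key)
    if match is None:
        return None
    stamp = datetime.strptime(match["stamp"], "%Y%m%dT%H%MZ").replace(tzinfo=timezone.utc)
    return {
        "prefix": match["prefix"],
        "target_id": match["target_id"],
        "report_id": match["report_id"],
        "generated_at": stamp,
    }


class RecordingEc2Client:
    """Offline stand-in for the boto3 EC2 client: records the request, returns a constructed ReportId."""

    def __init__(self):
        self.calls = []

    def start_declarative_policies_report(self, **params):
        self.calls.append(params)
        return {"ReportId": "report-constructed-0001"}  # constructed sample value


if __name__ == "__main__":
    client = RecordingEc2Client()
    report_id = start_report(client, "amzn-s3-demo-bucket", "r-ab12",
                             s3_prefix="reports", tags={"owner": "cloud-sec"})
    print(report_id, client.calls[0]["TagSpecifications"][0]["ResourceType"])
```

Replacing RecordingEc2Client with boto3.client("ec2") from the management account or a delegated administrator is the only change needed to run it for real; the validation runs before any request leaves the host, so a malformed TargetId or an aws:-prefixed tag fails locally instead of as an API error.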
Enables Allowed AMIs for your account in the specified Amazon Web Services Region. Two values are accepted:
enabled: The image criteria in your Allowed AMIs settings are applied. As a result, only AMIs matching these criteria are discoverable and can be used by your account to launch instances.
audit-mode: The image criteria in your Allowed AMIs settings are not applied. No restrictions are placed on AMI discoverability or usage. Users in your account can launch instances using any public AMI or AMI shared with your account. The purpose of audit-mode is to indicate which AMIs will be affected when Allowed AMIs is enabled. In audit-mode, each AMI displays either "ImageAllowed": true or "ImageAllowed": false to indicate whether the AMI will be discoverable and available to users in the account when Allowed AMIs is enabled.
For more information, see Control the discovery and use of AMIs in Amazon EC2 with Allowed AMIs in Amazon EC2 User Guide.
See also: AWS API Documentation
Request Syntax
client.enable_allowed_images_settings( AllowedImagesSettingsState='enabled'|'audit-mode', DryRun=True|False )
AllowedImagesSettingsState (string) --
[REQUIRED]
Specify enabled to apply the image criteria specified by the Allowed AMIs settings. Specify audit-mode so that you can check which AMIs will be allowed or not allowed by the image criteria.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{ 'AllowedImagesSettingsState': 'enabled'|'audit-mode' }
Response Structure
(dict) --
AllowedImagesSettingsState (string) --
Returns enabled or audit-mode if the request succeeds; otherwise, it returns an error.
Sets or replaces the criteria for Allowed AMIs.
For more information, see Control the discovery and use of AMIs in Amazon EC2 with Allowed AMIs in Amazon EC2 User Guide.
See also: AWS API Documentation
Request Syntax
client.replace_image_criteria_in_allowed_images_settings( ImageCriteria=[ { 'ImageProviders': [ 'string', ] }, ], DryRun=True|False )
ImageCriteria (list) --
The list of criteria that are evaluated to determine whether AMIs are discoverable and usable in the account in the specified Amazon Web Services Region.
(dict) --
The list of criteria that are evaluated to determine which AMIs are discoverable and usable in the account in the specified Amazon Web Services Region. Currently, the only criteria that can be specified are AMI providers.
Up to 10 imageCriteria objects can be specified, and up to a total of 200 values for all imageProviders. For more information, see JSON configuration for the Allowed AMIs criteria in the Amazon EC2 User Guide.
ImageProviders (list) --
A list of image providers whose AMIs are discoverable and usable in the account. Up to a total of 200 values can be specified.
Possible values:
amazon: Allow AMIs created by Amazon Web Services.
aws-marketplace: Allow AMIs created by verified providers in the Amazon Web Services Marketplace.
aws-backup-vault: Allow AMIs created by Amazon Web Services Backup.
12-digit account ID: Allow AMIs created by this account. One or more account IDs can be specified.
none: Allow AMIs created by your own account only. When none is specified, no other values can be specified.
(string) --
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{ 'ReturnValue': True|False }
Response Structure
(dict) --
ReturnValue (boolean) --
Returns true if the request succeeds; otherwise, it returns an error.
Disables Allowed AMIs for your account in the specified Amazon Web Services Region. When set to disabled, the image criteria in your Allowed AMIs settings do not apply, and no restrictions are placed on AMI discoverability or usage. Users in your account can launch instances using any public AMI or AMI shared with your account.
For more information, see Control the discovery and use of AMIs in Amazon EC2 with Allowed AMIs in Amazon EC2 User Guide.
See also: AWS API Documentation
Request Syntax
client.disable_allowed_images_settings( DryRun=True|False )
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{ 'AllowedImagesSettingsState': 'disabled' }
Response Structure
(dict) --
AllowedImagesSettingsState (string) --
Returns disabled if the request succeeds; otherwise, it returns an error.
Exports the client configuration for a Verified Access instance.
See also: AWS API Documentation
Request Syntax
client.export_verified_access_instance_client_configuration( VerifiedAccessInstanceId='string', DryRun=True|False )
VerifiedAccessInstanceId (string) --
[REQUIRED]
The ID of the Verified Access instance.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{ 'Version': 'string', 'VerifiedAccessInstanceId': 'string', 'Region': 'string', 'DeviceTrustProviders': [ 'jamf'|'crowdstrike'|'jumpcloud', ], 'UserTrustProvider': { 'Type': 'iam-identity-center'|'oidc', 'Scopes': 'string', 'Issuer': 'string', 'AuthorizationEndpoint': 'string', 'PublicSigningKeyEndpoint': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string', 'ClientId': 'string', 'ClientSecret': 'string', 'PkceEnabled': True|False }, 'OpenVpnConfigurations': [ { 'Config': 'string', 'Routes': [ { 'Cidr': 'string' }, ] }, ] }
Response Structure
(dict) --
Version (string) --
The version.
VerifiedAccessInstanceId (string) --
The ID of the Verified Access instance.
Region (string) --
The Region.
DeviceTrustProviders (list) --
The device trust providers.
(string) --
UserTrustProvider (dict) --
The user identity trust provider.
Type (string) --
The trust provider type.
Scopes (string) --
The set of user claims to be requested from the IdP.
Issuer (string) --
The OIDC issuer identifier of the IdP.
AuthorizationEndpoint (string) --
The authorization endpoint of the IdP.
PublicSigningKeyEndpoint (string) --
The public signing key endpoint.
TokenEndpoint (string) --
The token endpoint of the IdP.
UserInfoEndpoint (string) --
The user info endpoint of the IdP.
ClientId (string) --
The OAuth 2.0 client identifier.
ClientSecret (string) --
The OAuth 2.0 client secret.
PkceEnabled (boolean) --
Indicates whether Proof Key for Code Exchange (PKCE) is enabled.
OpenVpnConfigurations (list) --
The OpenVPN configuration.
(dict) --
Describes a set of routes.
Config (string) --
The base64-encoded OpenVPN client configuration.
Routes (list) --
The routes.
(dict) --
Describes a route.
Cidr (string) --
The CIDR block.
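An added example, not code from the boto3 documentation, that post-processes an ExportVerifiedAccessInstanceClientConfiguration response of the shape shown above. The export carries the IdP client secret in ClientSecret, so the example masks it before the response is logged or stored, checks that every IdP endpoint is served over https and that PKCE is on for an OIDC provider, and decodes the base64 OpenVPN configuration to list its remote hosts and the routes that accompany it. The sample response, its hostnames, IDs and the OpenVPN text are constructed placeholders.

```python
import base64
from urllib.parse import urlparse

SENSITIVE_FIELDS = {"ClientSecret"}
IDP_ENDPOINT_FIELDS = ("Issuer", "AuthorizationEndpoint", "PublicSigningKeyEndpoint",
                       "TokenEndpoint", "UserInfoEndpoint")


def redact_export(export):
    """Return a copy that is safe to log: the OAuth client secret is masked, everything else kept."""
    utp = export.get("UserTrustProvider", {})
    redacted_utp = {k: ("<redacted>" if k in SENSITIVE_FIELDS and v else v) for k, v in utp.items()}
    return dict(export, UserTrustProvider=redacted_utp)


def idp_findings(utp):
    """Names of IdP fields that are not https URLs, plus PkceEnabled when an OIDC provider has it off."""
    findings = []
    for field in IDP_ENDPOINT_FIELDS:
        value = utp.get(field)
        if value and urlparse(value).scheme != "https":
            findings.append(field)
    if utp.get("Type") == "oidc" and not utp.get("PkceEnabled", False):
        findings.append("PkceEnabled")
    return findings


def decode_openvpn_configs(export):
    """Decode each base64 OpenVPN config and pull out its 'remote' hosts and the attached routes."""
    decoded = []
    for entry in export.get("OpenVpnConfigurations", []):
        text = base64.b64decode(entry["Config"]).decode("utf-8")
        remotes = [line.split()[1] for line in text.splitlines()
                   if line.startswith("remote ") and len(line.split()) > 1]
        decoded.append({
            "remotes": remotes,
            "routes": [route["Cidr"] for route in entry.get("Routes", [])],
            "config": text,
        })
    return decoded


# Constructed sample response in the documented shape; every value is a placeholder.
_SAMPLE_OVPN = "client\nproto tcp\nremote vpn-constructed.example.com 443\nverb 3\n"
SAMPLE_EXPORT = {
    "Version": "1.0",
    "VerifiedAccessInstanceId": "vai-constructed",
    "Region": "us-east-1",
    "DeviceTrustProviders": ["crowdstrike"],
    "UserTrustProvider": {
        "Type": "oidc",
        "Scopes": "openid profile email",
        "Issuer": "https://idp-constructed.example.com",
        "AuthorizationEndpoint": "https://idp-constructed.example.com/authorize",
        "PublicSigningKeyEndpoint": "https://idp-constructed.example.com/keys",
        "TokenEndpoint": "http://idp-constructed.example.com/token",  # plain http on purpose, to exercise the check
        "UserInfoEndpoint": "https://idp-constructed.example.com/userinfo",
        "ClientId": "client-constructed",
        "ClientSecret": "secret-constructed",
        "PkceEnabled": False,
    },
    "OpenVpnConfigurations": [{
        "Config": base64.b64encode(_SAMPLE_OVPN.encode()).decode(),
        "Routes": [{"Cidr": "10.0.0.0/16"}],
    }],
}

if __name__ == "__main__":
    print(idp_findings(SAMPLE_EXPORT["UserTrustProvider"]))
    print(redact_export(SAMPLE_EXPORT)["UserTrustProvider"]["ClientSecret"])
    print(decode_openvpn_configs(SAMPLE_EXPORT)[0]["remotes"])
```

Run redact_export on the real response before it touches any log sink or ticket; the unredacted export should only ever be handed to the client-distribution process that needs the secret.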
Describes the metadata of an account status report, including the status of the report.
To view the full report, download it from the Amazon S3 bucket where it was saved. Reports are accessible only when they have the complete status. Reports with other statuses (running, cancelled, or error) are not available in the S3 bucket. For more information about downloading objects from an S3 bucket, see Downloading objects in the Amazon Simple Storage Service User Guide.
For more information, see Generating the account status report for declarative policies in the Amazon Web Services Organizations User Guide.
See also: AWS API Documentation
Request Syntax
client.describe_declarative_policies_reports( DryRun=True|False, NextToken='string', MaxResults=123, ReportIds=[ 'string', ] )
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
NextToken (string) --
The token returned from a previous paginated request. Pagination continues from the end of the items returned by the previous request.
MaxResults (integer) --
The maximum number of items to return for this request. To get the next page of items, make another request with the token returned in the output. For more information, see Pagination.
ReportIds (list) --
One or more report IDs.
(string) --
Return type: dict
Response Syntax
{ 'NextToken': 'string', 'Reports': [ { 'ReportId': 'string', 'S3Bucket': 'string', 'S3Prefix': 'string', 'TargetId': 'string', 'StartTime': datetime(2015, 1, 1), 'EndTime': datetime(2015, 1, 1), 'Status': 'running'|'cancelled'|'complete'|'error', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ] }, ] }
Response Structure
(dict) --
NextToken (string) --
The token to include in another request to get the next page of items. This value is null when there are no more items to return.
Reports (list) --
The report metadata.
(dict) --
Describes the metadata of the account status report.
ReportId (string) --
The ID of the report.
S3Bucket (string) --
The name of the Amazon S3 bucket where the report is located.
S3Prefix (string) --
The prefix for your S3 object.
TargetId (string) --
The root ID, organizational unit ID, or account ID.
Format:
For root: r-ab12
For OU: ou-ab12-cdef1234
For account: 123456789012
StartTime (datetime) --
The time when the report generation started.
EndTime (datetime) --
The time when the report generation ended.
Status (string) --
The current status of the report.
Tags (list) --
Any tags assigned to the report.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
Gets the targets for the specified network CIDR endpoint for Verified Access.
See also: AWS API Documentation
Request Syntax
client.get_verified_access_endpoint_targets( VerifiedAccessEndpointId='string', MaxResults=123, NextToken='string', DryRun=True|False )
VerifiedAccessEndpointId (string) --
[REQUIRED]
The ID of the network CIDR endpoint.
MaxResults (integer) --
The maximum number of results to return with a single call. To retrieve the remaining results, make another call with the returned nextToken value.
NextToken (string) --
The token for the next page of results.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{ 'VerifiedAccessEndpointTargets': [ { 'VerifiedAccessEndpointId': 'string', 'VerifiedAccessEndpointTargetIpAddress': 'string', 'VerifiedAccessEndpointTargetDns': 'string' }, ], 'NextToken': 'string' }
Response Structure
(dict) --
VerifiedAccessEndpointTargets (list) --
The Verified Access targets.
(dict) --
Describes the targets for the specified Verified Access endpoint.
VerifiedAccessEndpointId (string) --
The ID of the Verified Access endpoint.
VerifiedAccessEndpointTargetIpAddress (string) --
The IP address of the target.
VerifiedAccessEndpointTargetDns (string) --
The DNS name of the target.
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
Retrieves a summary of the account status report.
To view the full report, download it from the Amazon S3 bucket where it was saved. Reports are accessible only when they have the complete status. Reports with other statuses (running, cancelled, or error) are not available in the S3 bucket. For more information about downloading objects from an S3 bucket, see Downloading objects in the Amazon Simple Storage Service User Guide.
For more information, see Generating the account status report for declarative policies in the Amazon Web Services Organizations User Guide.
See also: AWS API Documentation
Request Syntax
client.get_declarative_policies_report_summary( DryRun=True|False, ReportId='string' )
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
ReportId (string) --
[REQUIRED]
The ID of the report.
Return type: dict
Response Syntax
{ 'ReportId': 'string', 'S3Bucket': 'string', 'S3Prefix': 'string', 'TargetId': 'string', 'StartTime': datetime(2015, 1, 1), 'EndTime': datetime(2015, 1, 1), 'NumberOfAccounts': 123, 'NumberOfFailedAccounts': 123, 'AttributeSummaries': [ { 'AttributeName': 'string', 'MostFrequentValue': 'string', 'NumberOfMatchedAccounts': 123, 'NumberOfUnmatchedAccounts': 123, 'RegionalSummaries': [ { 'RegionName': 'string', 'NumberOfMatchedAccounts': 123, 'NumberOfUnmatchedAccounts': 123 }, ] }, ] }
Response Structure
(dict) --
ReportId (string) --
The ID of the report.
S3Bucket (string) --
The name of the Amazon S3 bucket where the report is located.
S3Prefix (string) --
The prefix for your S3 object.
TargetId (string) --
The root ID, organizational unit ID, or account ID.
Format:
For root: r-ab12
For OU: ou-ab12-cdef1234
For account: 123456789012
StartTime (datetime) --
The time when the report generation started.
EndTime (datetime) --
The time when the report generation ended.
NumberOfAccounts (integer) --
The total number of accounts associated with the specified targetId.
NumberOfFailedAccounts (integer) --
The number of accounts where attributes could not be retrieved in any Region.
AttributeSummaries (list) --
The attributes described in the report.
(dict) --
A summary report for the attribute across all Regions.
AttributeName (string) --
The name of the attribute.
MostFrequentValue (string) --
The configuration value that is most frequently observed for the attribute.
NumberOfMatchedAccounts (integer) --
The number of accounts with the same configuration value for the attribute that is most frequently observed.
NumberOfUnmatchedAccounts (integer) --
The number of accounts with a configuration value different from the most frequently observed value for the attribute.
RegionalSummaries (list) --
The summary report for each Region for the attribute.
(dict) --
A summary report for the attribute for a Region.
RegionName (string) --
The Amazon Web Services Region.
NumberOfMatchedAccounts (integer) --
The number of accounts in the Region with the same configuration value for the attribute that is most frequently observed.
NumberOfUnmatchedAccounts (integer) --
The number of accounts in the Region with a configuration value different from the most frequently observed value for the attribute.
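An added example, not code from the boto3 documentation, covering the two report-reading calls above: it polls DescribeDeclarativePoliciesReports until the report reaches a terminal status (complete, cancelled or error), and only then reads GetDeclarativePoliciesReportSummary, turning each AttributeSummaries entry into a drift finding (accounts that differ from the most frequent value, with the Regions where they sit) and flagging NumberOfFailedAccounts as a coverage gap. The client is duck-typed, so boto3.client("ec2") can be passed in; the scripted stub, the sample summary and its attribute names are constructed placeholders, not values from the documentation.

```python
import time

TERMINAL_STATUSES = {"complete", "cancelled", "error"}


def wait_for_report(client, report_id, poll_seconds=30.0, max_polls=720, sleep=time.sleep):
    """Return the report metadata once Status is terminal; raise on timeout or unknown ID."""
    for _ in range(max_polls):
        resp = client.describe_declarative_policies_reports(ReportIds=[report_id])
        reports = resp.get("Reports", [])
        if not reports:
            raise LookupError(f"no report with id {report_id!r}")
        report = reports[0]
        if report["Status"] in TERMINAL_STATUSES:
            return report
        sleep(poll_seconds)
    raise TimeoutError(f"report {report_id!r} still running after {max_polls} polls")


def drift_findings(summary):
    """Attributes where some accounts differ from the most frequent value, largest drift first."""
    findings = []
    for attr in summary.get("AttributeSummaries", []):
        matched = attr["NumberOfMatchedAccounts"]
        unmatched = attr["NumberOfUnmatchedAccounts"]
        total = matched + unmatched
        if unmatched == 0 or total == 0:
            continue
        regions = sorted(r["RegionName"] for r in attr.get("RegionalSummaries", [])
                         if r["NumberOfUnmatchedAccounts"] > 0)
        findings.append({
            "attribute": attr["AttributeName"],
            "baseline": attr["MostFrequentValue"],
            "unmatched": unmatched,
            "unmatched_ratio": unmatched / total,
            "regions": regions,
        })
    findings.sort(key=lambda f: f["unmatched"], reverse=True)
    return findings


def coverage_gap(summary):
    """Accounts whose attributes could not be read in any Region are a blind spot; quantify it."""
    failed = summary.get("NumberOfFailedAccounts", 0)
    total = summary.get("NumberOfAccounts", 0)
    return {"failed_accounts": failed, "total_accounts": total,
            "coverage": (total - failed) / total if total else 0.0}


def analyze_report(client, report_id, poll_seconds=30.0, sleep=time.sleep):
    """Wait for the report, refuse anything but 'complete', then summarize drift and coverage."""
    report = wait_for_report(client, report_id, poll_seconds=poll_seconds, sleep=sleep)
    if report["Status"] != "complete":
        raise RuntimeError(f"report {report_id!r} ended with status {report['Status']}")
    summary = client.get_declarative_policies_report_summary(ReportId=report_id)
    return {"drift": drift_findings(summary), "coverage": coverage_gap(summary)}


# Constructed sample summary in the documented shape; attribute names are placeholders.
SAMPLE_SUMMARY = {
    "ReportId": "report-constructed-0001", "S3Bucket": "amzn-s3-demo-bucket", "S3Prefix": "reports/",
    "TargetId": "r-ab12", "NumberOfAccounts": 40, "NumberOfFailedAccounts": 2,
    "AttributeSummaries": [
        {"AttributeName": "constructed-attribute-a", "MostFrequentValue": "enabled",
         "NumberOfMatchedAccounts": 35, "NumberOfUnmatchedAccounts": 5,
         "RegionalSummaries": [
             {"RegionName": "us-east-1", "NumberOfMatchedAccounts": 35, "NumberOfUnmatchedAccounts": 5},
             {"RegionName": "eu-west-1", "NumberOfMatchedAccounts": 40, "NumberOfUnmatchedAccounts": 0}]},
        {"AttributeName": "constructed-attribute-b", "MostFrequentValue": "block",
         "NumberOfMatchedAccounts": 40, "NumberOfUnmatchedAccounts": 0, "RegionalSummaries": []},
    ],
}


class ScriptedEc2Client:
    """Offline stand-in: returns the scripted statuses in order, then the sample summary."""

    def __init__(self, statuses, summary):
        self.statuses = list(statuses)
        self.summary = summary
        self.polls = 0

    def describe_declarative_policies_reports(self, **params):
        status = self.statuses[min(self.polls, len(self.statuses) - 1)]
        self.polls += 1
        return {"Reports": [{"ReportId": params["ReportIds"][0], "Status": status,
                             "S3Bucket": self.summary["S3Bucket"], "TargetId": self.summary["TargetId"]}]}

    def get_declarative_policies_report_summary(self, **params):
        return dict(self.summary, ReportId=params["ReportId"])


if __name__ == "__main__":
    stub = ScriptedEc2Client(["running", "running", "complete"], SAMPLE_SUMMARY)
    print(analyze_report(stub, "report-constructed-0001", poll_seconds=0, sleep=lambda s: None))
```

Drift findings are the actionable output: the summary only tells you which attribute and Region disagree with the majority, so the per-account rows come from the CSV in S3, and the coverage figure says how much of the organization the report could not see at all.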
Gets the current state of the Allowed AMIs setting and the list of Allowed AMIs criteria at the account level in the specified Region.
For more information, see Control the discovery and use of AMIs in Amazon EC2 with Allowed AMIs in Amazon EC2 User Guide.
See also: AWS API Documentation
Request Syntax
client.get_allowed_images_settings( DryRun=True|False )
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{ 'State': 'string', 'ImageCriteria': [ { 'ImageProviders': [ 'string', ] }, ], 'ManagedBy': 'account'|'declarative-policy' }
Response Structure
(dict) --
State (string) --
The current state of the Allowed AMIs setting at the account level in the specified Amazon Web Services Region.
Possible values:
disabled: All AMIs are allowed.
audit-mode: All AMIs are allowed, but the ImageAllowed field is set to true if the AMI would be allowed by the current list of criteria if Allowed AMIs were enabled.
enabled: Only AMIs matching the image criteria are discoverable and available for use.
ImageCriteria (list) --
The list of criteria for images that are discoverable and usable in the account in the specified Amazon Web Services Region.
(dict) --
The list of criteria that are evaluated to determine which AMIs are discoverable and usable in the account in the specified Amazon Web Services Region. Currently, the only criteria that can be specified are AMI providers.
Up to 10 imageCriteria objects can be specified, and up to a total of 200 values for all imageProviders. For more information, see JSON configuration for the Allowed AMIs criteria in the Amazon EC2 User Guide.
ImageProviders (list) --
A list of AMI providers whose AMIs are discoverable and usable in the account. Up to a total of 200 values can be specified.
Possible values:
amazon: Allow AMIs created by Amazon Web Services.
aws-marketplace: Allow AMIs created by verified providers in the Amazon Web Services Marketplace.
aws-backup-vault: Allow AMIs created by Amazon Web Services Backup.
12-digit account ID: Allow AMIs created by this account. One or more account IDs can be specified.
none: Allow AMIs created by your own account only.
(string) --
ManagedBy (string) --
The entity that manages the Allowed AMIs settings. Possible values include:
account - The Allowed AMIs setting is managed by the account.
declarative-policy - The Allowed AMIs setting is managed by a declarative policy and can't be modified by the account.
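An added example, not code from the boto3 documentation, that ties together the four Allowed AMIs calls described on this page (EnableAllowedImagesSettings, ReplaceImageCriteriaInAllowedImagesSettings, DisableAllowedImagesSettings is not needed here, and GetAllowedImagesSettings). It validates an ImageCriteria list against the documented limits (at most 10 criteria objects, 200 providers in total, provider keywords or 12-digit account IDs, and none standing alone), reads ManagedBy first so an account-level change is not attempted where a declarative policy owns the setting, and rolls the criteria out in audit-mode before enforcing them. The client is duck-typed, so boto3.client("ec2") can be passed in; the in-memory stub and the sample criteria and AMI IDs are constructed. The images_that_would_be_blocked helper assumes DescribeImages entries expose the ImageAllowed field the audit-mode text describes.

```python
import re

KNOWN_PROVIDERS = {"amazon", "aws-marketplace", "aws-backup-vault", "none"}
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
MAX_CRITERIA = 10      # documented limit on ImageCriteria objects
MAX_PROVIDERS = 200    # documented limit on ImageProviders values in total


def validate_image_criteria(image_criteria):
    """Return the total provider count, or raise ValueError naming the first violation."""
    if not image_criteria:
        raise ValueError("at least one ImageCriteria object is required")
    if len(image_criteria) > MAX_CRITERIA:
        raise ValueError(f"{len(image_criteria)} criteria objects exceed the limit of {MAX_CRITERIA}")
    total = 0
    for index, criteria in enumerate(image_criteria):
        providers = criteria.get("ImageProviders", [])
        for provider in providers:
            if provider not in KNOWN_PROVIDERS and not ACCOUNT_ID_RE.match(provider):
                raise ValueError(f"criteria[{index}]: {provider!r} is neither a provider keyword nor a 12-digit account ID")
        if "none" in providers and len(providers) > 1:
            raise ValueError(f"criteria[{index}]: 'none' cannot be combined with other providers")
        total += len(providers)
    if total > MAX_PROVIDERS:
        raise ValueError(f"{total} providers exceed the limit of {MAX_PROVIDERS}")
    return total


def rollout_allowed_amis(client, image_criteria, enforce=False):
    """Replace the criteria, then switch to audit-mode (or enabled when enforce=True); return the new state."""
    validate_image_criteria(image_criteria)
    current = client.get_allowed_images_settings()
    if current.get("ManagedBy") == "declarative-policy":
        raise PermissionError("Allowed AMIs is managed by a declarative policy; account-level changes are rejected")
    client.replace_image_criteria_in_allowed_images_settings(ImageCriteria=image_criteria)
    state = "enabled" if enforce else "audit-mode"
    return client.enable_allowed_images_settings(AllowedImagesSettingsState=state)["AllowedImagesSettingsState"]


def images_that_would_be_blocked(images):
    """In audit-mode each AMI carries ImageAllowed; list the IDs that enabling would cut off.
    Assumes DescribeImages entries with an ImageAllowed field, as the audit-mode text describes."""
    return [image["ImageId"] for image in images if image.get("ImageAllowed") is False]


class StubEc2Client:
    """Offline stand-in that keeps the account-level setting in memory."""

    def __init__(self, managed_by="account"):
        self.settings = {"State": "disabled", "ImageCriteria": [], "ManagedBy": managed_by}

    def get_allowed_images_settings(self, **params):
        return dict(self.settings)

    def replace_image_criteria_in_allowed_images_settings(self, ImageCriteria, **params):
        self.settings["ImageCriteria"] = ImageCriteria
        return {"ReturnValue": True}

    def enable_allowed_images_settings(self, AllowedImagesSettingsState, **params):
        self.settings["State"] = AllowedImagesSettingsState
        return {"AllowedImagesSettingsState": AllowedImagesSettingsState}


# Constructed sample criteria: first-party and Marketplace AMIs plus one trusted account.
SAMPLE_CRITERIA = [
    {"ImageProviders": ["amazon", "aws-marketplace"]},
    {"ImageProviders": ["123456789012"]},
]

if __name__ == "__main__":
    stub = StubEc2Client()
    print(rollout_allowed_amis(stub, SAMPLE_CRITERIA))             # audit-mode first
    print(rollout_allowed_amis(stub, SAMPLE_CRITERIA, enforce=True))  # then enforce
```

The audit-mode pass is the safety step: run DescribeImages while the account is in audit-mode, feed the result to images_that_would_be_blocked, and only call rollout_allowed_amis with enforce=True once every AMI your launch templates and pipelines depend on comes back allowed.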
Describes the VPC resources, VPC endpoint services, Amazon Lattice services, or service networks associated with the VPC endpoint.
See also: AWS API Documentation
Request Syntax
client.describe_vpc_endpoint_associations( DryRun=True|False, VpcEndpointIds=[ 'string', ], Filters=[ { 'Name': 'string', 'Values': [ 'string', ] }, ], MaxResults=123, NextToken='string' )
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
VpcEndpointIds (list) --
The IDs of the VPC endpoints.
(string) --
Filters (list) --
The filters.
vpc-endpoint-id - The ID of the VPC endpoint.
associated-resource-accessibility - The association state. When the state is accessible, it returns AVAILABLE. When the state is inaccessible, it returns PENDING or FAILED.
association-id - The ID of the VPC endpoint association.
associated-resource-id - The ID of the associated resource configuration.
service-network-arn - The Amazon Resource Name (ARN) of the associated service network. Only VPC endpoints of type service network will be returned.
resource-configuration-group-arn - The Amazon Resource Name (ARN) of the resource configuration of type GROUP.
service-network-resource-association-id - The ID of the association.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
MaxResults (integer) --
The maximum page size.
NextToken (string) --
The pagination token.
Return type: dict
Response Syntax
{ 'VpcEndpointAssociations': [ { 'Id': 'string', 'VpcEndpointId': 'string', 'ServiceNetworkArn': 'string', 'ServiceNetworkName': 'string', 'AssociatedResourceAccessibility': 'string', 'FailureReason': 'string', 'FailureCode': 'string', 'DnsEntry': { 'DnsName': 'string', 'HostedZoneId': 'string' }, 'PrivateDnsEntry': { 'DnsName': 'string', 'HostedZoneId': 'string' }, 'AssociatedResourceArn': 'string', 'ResourceConfigurationGroupArn': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ] }, ], 'NextToken': 'string' }
Response Structure
(dict) --
VpcEndpointAssociations (list) --
Details of the endpoint associations.
(dict) --
Describes the VPC resources, VPC endpoint services, Lattice services, or service networks associated with the VPC endpoint.
Id (string) --
The ID of the VPC endpoint association.
VpcEndpointId (string) --
The ID of the VPC endpoint.
ServiceNetworkArn (string) --
The Amazon Resource Name (ARN) of the service network.
ServiceNetworkName (string) --
The name of the service network.
AssociatedResourceAccessibility (string) --
The connectivity status of the resources associated to a VPC endpoint. The resource is accessible if the associated resource configuration is AVAILABLE, otherwise the resource is inaccessible.
FailureReason (string) --
A message related to why a VPC endpoint association failed.
FailureCode (string) --
An error code related to why a VPC endpoint association failed.
DnsEntry (dict) --
The DNS entry of the VPC endpoint association.
DnsName (string) --
The DNS name.
HostedZoneId (string) --
The ID of the private hosted zone.
PrivateDnsEntry (dict) --
The private DNS entry of the VPC endpoint association.
DnsName (string) --
The DNS name.
HostedZoneId (string) --
The ID of the private hosted zone.
AssociatedResourceArn (string) --
The Amazon Resource Name (ARN) of the associated resource.
ResourceConfigurationGroupArn (string) --
The Amazon Resource Name (ARN) of the resource configuration group.
Tags (list) --
The tags to apply to the VPC endpoint association.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
NextToken (string) --
The pagination token.
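An added example, not code from the boto3 documentation, for DescribeVpcEndpointAssociations: it builds a Filters list with the documented semantics (values inside one filter are ORed, separate filters are ANDed), walks every page by passing NextToken back until the response omits it, and reports associations whose AssociatedResourceAccessibility is not AVAILABLE together with their FailureCode and FailureReason, which is the check a defender wants before trusting that private connectivity to a resource is actually in place. The client is duck-typed, so boto3.client("ec2") can be passed in; the two-page stub, the endpoint and association IDs and the failure code are constructed placeholders.

```python
def build_filters(**name_values):
    """Build the Filters list; underscores in keyword names become the hyphenated filter names."""
    filters = []
    for name, values in name_values.items():
        if isinstance(values, str):
            values = [values]
        filters.append({"Name": name.replace("_", "-"), "Values": list(values)})
    return filters


def iter_vpc_endpoint_associations(client, vpc_endpoint_ids=None, filters=None, page_size=100):
    """Yield every association across all pages; page_size is an assumed MaxResults value."""
    params = {"MaxResults": page_size}
    if vpc_endpoint_ids:
        params["VpcEndpointIds"] = list(vpc_endpoint_ids)
    if filters:
        params["Filters"] = filters
    token = None
    while True:
        if token:
            params["NextToken"] = token
        resp = client.describe_vpc_endpoint_associations(**params)
        yield from resp.get("VpcEndpointAssociations", [])
        token = resp.get("NextToken")
        if not token:
            return


def inaccessible_associations(client, **query):
    """Associations that are not AVAILABLE, with the failure details the API attaches."""
    return [
        {
            "id": assoc["Id"],
            "endpoint": assoc["VpcEndpointId"],
            "state": assoc.get("AssociatedResourceAccessibility"),
            "code": assoc.get("FailureCode"),
            "reason": assoc.get("FailureReason"),
            "resource": assoc.get("AssociatedResourceArn"),
        }
        for assoc in iter_vpc_endpoint_associations(client, **query)
        if assoc.get("AssociatedResourceAccessibility") != "AVAILABLE"
    ]


class PagedStubClient:
    """Offline stand-in that serves pre-built pages and links them with NextToken."""

    def __init__(self, pages):
        self.pages = pages
        self.calls = []

    def describe_vpc_endpoint_associations(self, **params):
        self.calls.append(dict(params))
        index = int(params.get("NextToken", "0"))
        page = dict(self.pages[index])
        if index + 1 < len(self.pages):
            page["NextToken"] = str(index + 1)
        return page


# Constructed two-page response; IDs, ARNs and the failure code are placeholders.
SAMPLE_PAGES = [
    {"VpcEndpointAssociations": [
        {"Id": "vpce-assoc-constructed-1", "VpcEndpointId": "vpce-constructed-a",
         "AssociatedResourceAccessibility": "AVAILABLE",
         "AssociatedResourceArn": "arn:aws:vpc-lattice:us-east-1:123456789012:resourceconfiguration/rcfg-constructed-1"},
        {"Id": "vpce-assoc-constructed-2", "VpcEndpointId": "vpce-constructed-a",
         "AssociatedResourceAccessibility": "FAILED",
         "FailureCode": "CONSTRUCTED_FAILURE_CODE", "FailureReason": "constructed sample reason",
         "AssociatedResourceArn": "arn:aws:vpc-lattice:us-east-1:123456789012:resourceconfiguration/rcfg-constructed-2"},
    ]},
    {"VpcEndpointAssociations": [
        {"Id": "vpce-assoc-constructed-3", "VpcEndpointId": "vpce-constructed-b",
         "AssociatedResourceAccessibility": "AVAILABLE"},
    ]},
]

if __name__ == "__main__":
    stub = PagedStubClient(SAMPLE_PAGES)
    for finding in inaccessible_associations(stub, filters=build_filters(vpc_endpoint_id=["vpce-constructed-a", "vpce-constructed-b"])):
        print(finding)
```

Treat PENDING as well as FAILED as "not yet trustworthy": the page documents both as inaccessible states, so a monitor that only alerts on FAILED misses an association that never leaves PENDING.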
Cancels the generation of an account status report.
You can only cancel a report while it has the running status. Reports with other statuses (complete, cancelled, or error) can't be canceled.
For more information, see Generating the account status report for declarative policies in the Amazon Web Services Organizations User Guide.
See also: AWS API Documentation
Request Syntax
client.cancel_declarative_policies_report( DryRun=True|False, ReportId='string' )
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
ReportId (string) --
[REQUIRED]
The ID of the report.
Return type: dict
Response Syntax
{ 'Return': True|False }
Response Structure
(dict) --
Return (boolean) --
Returns true if the request succeeds; otherwise, it returns an error.
{'VerifiedAccessInstance': {'CidrEndpointsCustomSubDomain': {'Nameservers': ['string'], 'SubDomain': 'string'}}, 'VerifiedAccessTrustProvider': {'NativeApplicationOidcOptions': {'AuthorizationEndpoint': 'string', 'ClientId': 'string', 'Issuer': 'string', 'PublicSigningKeyEndpoint': 'string', 'Scope': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string'}}}
Attaches the specified Amazon Web Services Verified Access trust provider to the specified Amazon Web Services Verified Access instance.
See also: AWS API Documentation
Request Syntax
client.attach_verified_access_trust_provider( VerifiedAccessInstanceId='string', VerifiedAccessTrustProviderId='string', ClientToken='string', DryRun=True|False )
VerifiedAccessInstanceId (string) --
[REQUIRED]
The ID of the Verified Access instance.
VerifiedAccessTrustProviderId (string) --
[REQUIRED]
The ID of the Verified Access trust provider.
ClientToken (string) --
A unique, case-sensitive token that you provide to ensure idempotency of your modification request. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Return type: dict
Response Syntax
{ 'VerifiedAccessTrustProvider': { 'VerifiedAccessTrustProviderId': 'string', 'Description': 'string', 'TrustProviderType': 'user'|'device', 'UserTrustProviderType': 'iam-identity-center'|'oidc', 'DeviceTrustProviderType': 'jamf'|'crowdstrike'|'jumpcloud', 'OidcOptions': { 'Issuer': 'string', 'AuthorizationEndpoint': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string', 'ClientId': 'string', 'ClientSecret': 'string', 'Scope': 'string' }, 'DeviceOptions': { 'TenantId': 'string', 'PublicSigningKeyUrl': 'string' }, 'PolicyReferenceName': 'string', 'CreationTime': 'string', 'LastUpdatedTime': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'SseSpecification': { 'CustomerManagedKeyEnabled': True|False, 'KmsKeyArn': 'string' }, 'NativeApplicationOidcOptions': { 'PublicSigningKeyEndpoint': 'string', 'Issuer': 'string', 'AuthorizationEndpoint': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string', 'ClientId': 'string', 'Scope': 'string' } }, 'VerifiedAccessInstance': { 'VerifiedAccessInstanceId': 'string', 'Description': 'string', 'VerifiedAccessTrustProviders': [ { 'VerifiedAccessTrustProviderId': 'string', 'Description': 'string', 'TrustProviderType': 'user'|'device', 'UserTrustProviderType': 'iam-identity-center'|'oidc', 'DeviceTrustProviderType': 'jamf'|'crowdstrike'|'jumpcloud' }, ], 'CreationTime': 'string', 'LastUpdatedTime': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'FipsEnabled': True|False, 'CidrEndpointsCustomSubDomain': { 'SubDomain': 'string', 'Nameservers': [ 'string', ] } } }
Response Structure
(dict) --
VerifiedAccessTrustProvider (dict) --
Details about the Verified Access trust provider.
VerifiedAccessTrustProviderId (string) --
The ID of the Amazon Web Services Verified Access trust provider.
Description (string) --
A description for the Amazon Web Services Verified Access trust provider.
TrustProviderType (string) --
The type of Verified Access trust provider.
UserTrustProviderType (string) --
The type of user-based trust provider.
DeviceTrustProviderType (string) --
The type of device-based trust provider.
OidcOptions (dict) --
The options for an OpenID Connect-compatible user-identity trust provider.
Issuer (string) --
The OIDC issuer.
AuthorizationEndpoint (string) --
The OIDC authorization endpoint.
TokenEndpoint (string) --
The OIDC token endpoint.
UserInfoEndpoint (string) --
The OIDC user info endpoint.
ClientId (string) --
The client identifier.
ClientSecret (string) --
The client secret.
Scope (string) --
The OpenID Connect (OIDC) scope specified.
DeviceOptions (dict) --
The options for a device-identity trust provider.
TenantId (string) --
The ID of the tenant application with the device-identity provider.
PublicSigningKeyUrl (string) --
The URL Amazon Web Services Verified Access will use to verify the authenticity of the device tokens.
PolicyReferenceName (string) --
The identifier to be used when working with policy rules.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
SseSpecification (dict) --
The options in use for server side encryption.
CustomerManagedKeyEnabled (boolean) --
Indicates whether customer managed KMS keys are in use for server side encryption.
Valid values: True | False
KmsKeyArn (string) --
The ARN of the KMS key.
NativeApplicationOidcOptions (dict) --
The OpenID Connect (OIDC) options.
PublicSigningKeyEndpoint (string) --
The public signing key endpoint.
Issuer (string) --
The OIDC issuer identifier of the IdP.
AuthorizationEndpoint (string) --
The authorization endpoint of the IdP.
TokenEndpoint (string) --
The token endpoint of the IdP.
UserInfoEndpoint (string) --
The user info endpoint of the IdP.
ClientId (string) --
The OAuth 2.0 client identifier.
Scope (string) --
The set of user claims to be requested from the IdP.
VerifiedAccessInstance (dict) --
Details about the Verified Access instance.
VerifiedAccessInstanceId (string) --
The ID of the Amazon Web Services Verified Access instance.
Description (string) --
A description for the Amazon Web Services Verified Access instance.
VerifiedAccessTrustProviders (list) --
The IDs of the Amazon Web Services Verified Access trust providers.
(dict) --
Condensed information about a trust provider.
VerifiedAccessTrustProviderId (string) --
The ID of the trust provider.
Description (string) --
The description of the trust provider.
TrustProviderType (string) --
The type of trust provider (user- or device-based).
UserTrustProviderType (string) --
The type of user-based trust provider.
DeviceTrustProviderType (string) --
The type of device-based trust provider.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
FipsEnabled (boolean) --
Indicates whether support for Federal Information Processing Standards (FIPS) is enabled on the instance.
CidrEndpointsCustomSubDomain (dict) --
The custom subdomain.
SubDomain (string) --
The subdomain.
Nameservers (list) --
The name servers.
(string) --
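The response structure above returns the user trust provider's OidcOptions.ClientSecret in clear text, while NativeApplicationOidcOptions carries no secret. The following is an added example, not boto3's or AWS's own code: it takes a response shaped like the one documented above and produces a copy that is safe to log or persist, and it flags OIDC and device-token endpoints that are not served over https. The https requirement is an assumption added for hygiene, not a rule stated on this page; the sample response, its IDs and URLs are constructed placeholders.

```python
"""Added example (not boto3's or AWS's own code): scrub a Verified Access
trust-provider response before it is logged or stored.

OidcOptions.ClientSecret is returned in clear text by the API, so the
redaction walks the whole response (nested dicts and lists) and replaces it.
The https check on OIDC / device-token endpoints is an assumption added here.
"""
from urllib.parse import urlsplit

SECRET_KEYS = frozenset({"ClientSecret"})
# Fields from the response structure that hold identity-provider URLs.
OIDC_URL_KEYS = ("Issuer", "AuthorizationEndpoint", "TokenEndpoint",
                 "UserInfoEndpoint", "PublicSigningKeyEndpoint",
                 "PublicSigningKeyUrl")
REDACTED = "[REDACTED]"


def redact(obj):
    """Return a deep copy of obj with every SECRET_KEYS value replaced."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k in SECRET_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def find_plaintext_urls(obj, path=""):
    """Assumption (not stated on the page): IdP endpoints should be https.
    Returns the dotted paths of any URL field whose scheme is not https."""
    bad = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}" if path else k
            if k in OIDC_URL_KEYS and isinstance(v, str):
                if urlsplit(v).scheme != "https":
                    bad.append(here)
            else:
                bad.extend(find_plaintext_urls(v, here))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            bad.extend(find_plaintext_urls(v, f"{path}[{i}]"))
    return bad


def safe_to_log(response):
    """Redacted copy of the response plus the endpoint paths failing the https check."""
    return redact(response), find_plaintext_urls(response)


# Constructed sample response mirroring the documented structure; all IDs,
# URLs and the secret are placeholders, not real resources.
SAMPLE_RESPONSE = {
    "VerifiedAccessTrustProvider": {
        "VerifiedAccessTrustProviderId": "vatp-EXAMPLE",
        "TrustProviderType": "user",
        "UserTrustProviderType": "oidc",
        "OidcOptions": {
            "Issuer": "https://idp.example.com",
            "AuthorizationEndpoint": "https://idp.example.com/authorize",
            "TokenEndpoint": "http://idp.example.com/token",
            "UserInfoEndpoint": "https://idp.example.com/userinfo",
            "ClientId": "client-EXAMPLE",
            "ClientSecret": "secret-EXAMPLE",
            "Scope": "openid email",
        },
        "PolicyReferenceName": "idp",
        "Tags": [{"Key": "env", "Value": "prod"}],
    },
    "VerifiedAccessInstance": {
        "VerifiedAccessInstanceId": "vai-EXAMPLE",
        "FipsEnabled": True,
        "VerifiedAccessTrustProviders": [
            {"VerifiedAccessTrustProviderId": "vatp-EXAMPLE",
             "TrustProviderType": "user"}
        ],
    },
}

if __name__ == "__main__":
    scrubbed, findings = safe_to_log(SAMPLE_RESPONSE)
    print(scrubbed["VerifiedAccessTrustProvider"]["OidcOptions"]["ClientSecret"])
    print(findings)
```

Run `safe_to_log` on the return value of `attach_verified_access_trust_provider`, `create_verified_access_trust_provider` or `describe_verified_access_trust_providers` before the dict reaches a logger or an audit store; the original response object is left untouched so the caller can still use the secret where it is genuinely needed.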
{'InstanceTypeSpecifications': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}
Response
{'FleetCapacityReservations': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}
{'LaunchTemplateConfigs': {'Overrides': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}}
Response
{'Errors': {'LaunchTemplateAndOverrides': {'Overrides': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}}, 'Instances': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}, 'LaunchTemplateAndOverrides': {'Overrides': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}}}
{'LaunchTemplateData': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}, 'TagSpecifications': {'ResourceType': {'declarative-policies-report', 'verified-access-endpoint-target'}}}}
{'LaunchTemplateData': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}, 'TagSpecifications': {'ResourceType': {'declarative-policies-report', 'verified-access-endpoint-target'}}}}
Response
{'LaunchTemplateVersion': {'LaunchTemplateData': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}, 'TagSpecifications': {'ResourceType': {'declarative-policies-report', 'verified-access-endpoint-target'}}}}}
{'CidrOptions': {'Cidr': 'string', 'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': 'http | https | tcp', 'SubnetIds': ['string']}, 'EndpointType': {'cidr', 'rds'}, 'LoadBalancerOptions': {'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': {'tcp'}}, 'NetworkInterfaceOptions': {'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': {'tcp'}}, 'RdsOptions': {'Port': 'integer', 'Protocol': 'http | https | tcp', 'RdsDbClusterArn': 'string', 'RdsDbInstanceArn': 'string', 'RdsDbProxyArn': 'string', 'RdsEndpoint': 'string', 'SubnetIds': ['string']}}
Response
{'VerifiedAccessEndpoint': {'CidrOptions': {'Cidr': 'string', 'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': 'http | https | tcp', 'SubnetIds': ['string']}, 'EndpointType': {'cidr', 'rds'}, 'LoadBalancerOptions': {'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': {'tcp'}}, 'NetworkInterfaceOptions': {'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': {'tcp'}}, 'RdsOptions': {'Port': 'integer', 'Protocol': 'http | https | tcp', 'RdsDbClusterArn': 'string', 'RdsDbInstanceArn': 'string', 'RdsDbProxyArn': 'string', 'RdsEndpoint': 'string', 'SubnetIds': ['string']}}}
An Amazon Web Services Verified Access endpoint is where you define your application along with an optional endpoint-level access policy.
See also: AWS API Documentation
Request Syntax
client.create_verified_access_endpoint(
    VerifiedAccessGroupId='string',
    EndpointType='load-balancer'|'network-interface'|'rds'|'cidr',
    AttachmentType='vpc',
    DomainCertificateArn='string',
    ApplicationDomain='string',
    EndpointDomainPrefix='string',
    SecurityGroupIds=[
        'string',
    ],
    LoadBalancerOptions={
        'Protocol': 'http'|'https'|'tcp',
        'Port': 123,
        'LoadBalancerArn': 'string',
        'SubnetIds': [
            'string',
        ],
        'PortRanges': [
            {
                'FromPort': 123,
                'ToPort': 123
            },
        ]
    },
    NetworkInterfaceOptions={
        'NetworkInterfaceId': 'string',
        'Protocol': 'http'|'https'|'tcp',
        'Port': 123,
        'PortRanges': [
            {
                'FromPort': 123,
                'ToPort': 123
            },
        ]
    },
    Description='string',
    PolicyDocument='string',
    TagSpecifications=[
        {
            'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token',
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    ClientToken='string',
    DryRun=True|False,
    SseSpecification={
        'CustomerManagedKeyEnabled': True|False,
        'KmsKeyArn': 'string'
    },
    RdsOptions={
        'Protocol': 'http'|'https'|'tcp',
        'Port': 123,
        'RdsDbInstanceArn': 'string',
        'RdsDbClusterArn': 'string',
        'RdsDbProxyArn': 'string',
        'RdsEndpoint': 'string',
        'SubnetIds': [
            'string',
        ]
    },
    CidrOptions={
        'Protocol': 'http'|'https'|'tcp',
        'SubnetIds': [
            'string',
        ],
        'Cidr': 'string',
        'PortRanges': [
            {
                'FromPort': 123,
                'ToPort': 123
            },
        ]
    }
)
string
[REQUIRED]
The ID of the Verified Access group to associate the endpoint with.
string
[REQUIRED]
The type of Verified Access endpoint to create.
string
[REQUIRED]
The type of attachment.
string
The ARN of the public TLS/SSL certificate in Amazon Web Services Certificate Manager to associate with the endpoint. The CN in the certificate must match the DNS name your end users will use to reach your application.
string
The DNS name for users to reach your application.
string
A custom identifier that is prepended to the DNS name that is generated for the endpoint.
list
The IDs of the security groups to associate with the Verified Access endpoint. Required if AttachmentType is set to vpc.
(string) --
dict
The load balancer details. This parameter is required if the endpoint type is load-balancer.
Protocol (string) --
The IP protocol.
Port (integer) --
The IP port number.
LoadBalancerArn (string) --
The ARN of the load balancer.
SubnetIds (list) --
The IDs of the subnets.
(string) --
PortRanges (list) --
The port ranges.
(dict) --
Describes the port range for a Verified Access endpoint.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
dict
The network interface details. This parameter is required if the endpoint type is network-interface.
NetworkInterfaceId (string) --
The ID of the network interface.
Protocol (string) --
The IP protocol.
Port (integer) --
The IP port number.
PortRanges (list) --
The port ranges.
(dict) --
Describes the port range for a Verified Access endpoint.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
string
A description for the Verified Access endpoint.
string
The Verified Access policy document.
list
The tags to assign to the Verified Access endpoint.
(dict) --
The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
ResourceType (string) --
The type of resource to tag on creation.
Tags (list) --
The tags to apply to the resource.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
string
A unique, case-sensitive token that you provide to ensure idempotency of your modification request. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
The options for server side encryption.
CustomerManagedKeyEnabled (boolean) --
Enable or disable the use of customer managed KMS keys for server side encryption.
Valid values: True | False
KmsKeyArn (string) --
The ARN of the KMS key.
dict
The RDS details. This parameter is required if the endpoint type is rds.
Protocol (string) --
The protocol.
Port (integer) --
The port.
RdsDbInstanceArn (string) --
The ARN of the RDS instance.
RdsDbClusterArn (string) --
The ARN of the DB cluster.
RdsDbProxyArn (string) --
The ARN of the RDS proxy.
RdsEndpoint (string) --
The RDS endpoint.
SubnetIds (list) --
The IDs of the subnets.
(string) --
dict
The CIDR options. This parameter is required if the endpoint type is cidr.
Protocol (string) --
The protocol.
SubnetIds (list) --
The IDs of the subnets.
(string) --
Cidr (string) --
The CIDR.
PortRanges (list) --
The port ranges.
(dict) --
Describes the port range for a Verified Access endpoint.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
dict
Response Syntax
{
    'VerifiedAccessEndpoint': {
        'VerifiedAccessInstanceId': 'string',
        'VerifiedAccessGroupId': 'string',
        'VerifiedAccessEndpointId': 'string',
        'ApplicationDomain': 'string',
        'EndpointType': 'load-balancer'|'network-interface'|'rds'|'cidr',
        'AttachmentType': 'vpc',
        'DomainCertificateArn': 'string',
        'EndpointDomain': 'string',
        'DeviceValidationDomain': 'string',
        'SecurityGroupIds': [
            'string',
        ],
        'LoadBalancerOptions': {
            'Protocol': 'http'|'https'|'tcp',
            'Port': 123,
            'LoadBalancerArn': 'string',
            'SubnetIds': [
                'string',
            ],
            'PortRanges': [
                {
                    'FromPort': 123,
                    'ToPort': 123
                },
            ]
        },
        'NetworkInterfaceOptions': {
            'NetworkInterfaceId': 'string',
            'Protocol': 'http'|'https'|'tcp',
            'Port': 123,
            'PortRanges': [
                {
                    'FromPort': 123,
                    'ToPort': 123
                },
            ]
        },
        'Status': {
            'Code': 'pending'|'active'|'updating'|'deleting'|'deleted',
            'Message': 'string'
        },
        'Description': 'string',
        'CreationTime': 'string',
        'LastUpdatedTime': 'string',
        'DeletionTime': 'string',
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'SseSpecification': {
            'CustomerManagedKeyEnabled': True|False,
            'KmsKeyArn': 'string'
        },
        'RdsOptions': {
            'Protocol': 'http'|'https'|'tcp',
            'Port': 123,
            'RdsDbInstanceArn': 'string',
            'RdsDbClusterArn': 'string',
            'RdsDbProxyArn': 'string',
            'RdsEndpoint': 'string',
            'SubnetIds': [
                'string',
            ]
        },
        'CidrOptions': {
            'Cidr': 'string',
            'PortRanges': [
                {
                    'FromPort': 123,
                    'ToPort': 123
                },
            ],
            'Protocol': 'http'|'https'|'tcp',
            'SubnetIds': [
                'string',
            ]
        }
    }
}
Response Structure
(dict) --
VerifiedAccessEndpoint (dict) --
Details about the Verified Access endpoint.
VerifiedAccessInstanceId (string) --
The ID of the Amazon Web Services Verified Access instance.
VerifiedAccessGroupId (string) --
The ID of the Amazon Web Services Verified Access group.
VerifiedAccessEndpointId (string) --
The ID of the Amazon Web Services Verified Access endpoint.
ApplicationDomain (string) --
The DNS name for users to reach your application.
EndpointType (string) --
The type of Amazon Web Services Verified Access endpoint. Incoming application requests will be sent to an IP address, load balancer or a network interface depending on the endpoint type specified.
AttachmentType (string) --
The type of attachment used to provide connectivity between the Amazon Web Services Verified Access endpoint and the application.
DomainCertificateArn (string) --
The ARN of a public TLS/SSL certificate imported into or created with ACM.
EndpointDomain (string) --
A DNS name that is generated for the endpoint.
DeviceValidationDomain (string) --
Returned if the endpoint has a device trust provider attached.
SecurityGroupIds (list) --
The IDs of the security groups for the endpoint.
(string) --
LoadBalancerOptions (dict) --
The load balancer details if creating the Amazon Web Services Verified Access endpoint as load-balancer type.
Protocol (string) --
The IP protocol.
Port (integer) --
The IP port number.
LoadBalancerArn (string) --
The ARN of the load balancer.
SubnetIds (list) --
The IDs of the subnets.
(string) --
PortRanges (list) --
The port ranges.
(dict) --
Describes a port range.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
NetworkInterfaceOptions (dict) --
The options for a network-interface type endpoint.
NetworkInterfaceId (string) --
The ID of the network interface.
Protocol (string) --
The IP protocol.
Port (integer) --
The IP port number.
PortRanges (list) --
The port ranges.
(dict) --
Describes a port range.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
Status (dict) --
The endpoint status.
Code (string) --
The status code of the Verified Access endpoint.
Message (string) --
The status message of the Verified Access endpoint.
Description (string) --
A description for the Amazon Web Services Verified Access endpoint.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
DeletionTime (string) --
The deletion time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
SseSpecification (dict) --
The options in use for server side encryption.
CustomerManagedKeyEnabled (boolean) --
Indicates whether customer managed KMS keys are in use for server side encryption.
Valid values: True | False
KmsKeyArn (string) --
The ARN of the KMS key.
RdsOptions (dict) --
The options for an RDS endpoint.
Protocol (string) --
The protocol.
Port (integer) --
The port.
RdsDbInstanceArn (string) --
The ARN of the RDS instance.
RdsDbClusterArn (string) --
The ARN of the DB cluster.
RdsDbProxyArn (string) --
The ARN of the RDS proxy.
RdsEndpoint (string) --
The RDS endpoint.
SubnetIds (list) --
The IDs of the subnets.
(string) --
CidrOptions (dict) --
The options for a CIDR endpoint.
Cidr (string) --
The CIDR.
PortRanges (list) --
The port ranges.
(dict) --
Describes a port range.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
Protocol (string) --
The protocol.
SubnetIds (list) --
The IDs of the subnets.
(string) --
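The parameter documentation above states several cross-field rules for create_verified_access_endpoint: the options block that is required depends on EndpointType (LoadBalancerOptions, NetworkInterfaceOptions, RdsOptions or CidrOptions), SecurityGroupIds is required when AttachmentType is vpc, tag keys are capped at 127 characters and may not begin with aws:, and tag values are capped at 256 characters. The following is an added example, not boto3's or AWS's own code: it assembles the request for one of the new cidr endpoints while enforcing those documented rules before anything is sent, and then uses the documented DryRun behaviour (DryRunOperation means permitted, UnauthorizedOperation means not) as a permission probe. The port-range ordering and bounds check and the CIDR parsing are assumptions added for hygiene, not rules from this page; FakeEc2Client and every ID are constructed placeholders so the code runs offline.

```python
"""Added example (not boto3's or AWS's own code): validate and assemble a
create_verified_access_endpoint request, then probe permissions with DryRun.
Port-range ordering/bounds and CIDR parsing are assumptions added here."""
import ipaddress

ENDPOINT_TYPES = ("load-balancer", "network-interface", "rds", "cidr")
PROTOCOLS = ("http", "https", "tcp")
# Options block that the parameter docs say each EndpointType requires.
REQUIRED_OPTIONS = {
    "load-balancer": "LoadBalancerOptions",
    "network-interface": "NetworkInterfaceOptions",
    "rds": "RdsOptions",
    "cidr": "CidrOptions",
}


def validate_tags(tags):
    """Documented constraints: key <= 127 chars and not 'aws:'-prefixed, value <= 256 chars."""
    for tag in tags:
        key, value = tag["Key"], tag["Value"]
        if len(key) > 127 or key.startswith("aws:"):
            raise ValueError(f"invalid tag key: {key!r}")
        if len(value) > 256:
            raise ValueError(f"tag value too long for key {key!r}")


def validate_port_ranges(port_ranges):
    """Assumption (not stated on the page): 1 <= FromPort <= ToPort <= 65535."""
    for pr in port_ranges:
        lo, hi = pr["FromPort"], pr["ToPort"]
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port range {lo}-{hi}")


def build_endpoint_request(group_id, endpoint_type, options,
                           attachment_type="vpc", security_group_ids=(), tags=()):
    """Return kwargs for client.create_verified_access_endpoint(**kwargs)."""
    if endpoint_type not in ENDPOINT_TYPES:
        raise ValueError(f"unknown EndpointType {endpoint_type!r}")
    if attachment_type == "vpc" and not security_group_ids:
        raise ValueError("SecurityGroupIds is required when AttachmentType is 'vpc'")
    options_key = REQUIRED_OPTIONS[endpoint_type]
    if options_key not in options:
        raise ValueError(f"{options_key} is required for EndpointType {endpoint_type!r}")
    block = options[options_key]
    if block.get("Protocol") not in PROTOCOLS:
        raise ValueError(f"{options_key}.Protocol must be one of {PROTOCOLS}")
    if "PortRanges" in block:
        validate_port_ranges(block["PortRanges"])
    if endpoint_type == "cidr":
        ipaddress.ip_network(block["Cidr"], strict=True)  # ValueError on a bad CIDR
    validate_tags(tags)
    request = {
        "VerifiedAccessGroupId": group_id,
        "EndpointType": endpoint_type,
        "AttachmentType": attachment_type,
        "SecurityGroupIds": list(security_group_ids),
        options_key: block,
    }
    if tags:
        request["TagSpecifications"] = [
            {"ResourceType": "verified-access-endpoint", "Tags": list(tags)}]
    return request


def validation_error(**kwargs):
    """Return the validation message for a rejected request, or None if accepted."""
    try:
        build_endpoint_request(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def check_permissions(client, **request):
    """DryRun probe: DryRunOperation -> True, UnauthorizedOperation -> False,
    any other error is re-raised. 'client' only needs to raise an exception
    carrying botocore's .response['Error']['Code'] shape."""
    try:
        client.create_verified_access_endpoint(DryRun=True, **request)
    except Exception as exc:  # botocore.exceptions.ClientError in real use
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        if code == "DryRunOperation":
            return True
        if code == "UnauthorizedOperation":
            return False
        raise
    return True  # not expected with DryRun=True; treated as permitted


class FakeEc2Client:
    """Constructed stand-in for a boto3 EC2 client; never talks to AWS."""
    def __init__(self, error_code):
        self.error_code = error_code

    def create_verified_access_endpoint(self, **kwargs):
        exc = Exception(self.error_code)
        exc.response = {"Error": {"Code": self.error_code}}
        raise exc


# Constructed sample input; the IDs are placeholders, not real resources.
SAMPLE_CIDR_REQUEST = build_endpoint_request(
    group_id="vagr-EXAMPLE", endpoint_type="cidr",
    options={"CidrOptions": {"Protocol": "tcp", "Cidr": "10.0.1.0/24",
                             "SubnetIds": ["subnet-EXAMPLE"],
                             "PortRanges": [{"FromPort": 22, "ToPort": 22},
                                            {"FromPort": 443, "ToPort": 443}]}},
    security_group_ids=["sg-EXAMPLE"],
    tags=[{"Key": "owner", "Value": "platform-security"}],
)
```

In production the `client` passed to `check_permissions` is `boto3.client("ec2")`; a `True` result means the caller holds ec2:CreateVerifiedAccessEndpoint for that request without any endpoint having been created, which is the cheapest way to confirm least-privilege roles before a deployment pipeline runs.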
{'CidrEndpointsCustomSubDomain': 'string'}
Response
{'VerifiedAccessInstance': {'CidrEndpointsCustomSubDomain': {'Nameservers': ['string'], 'SubDomain': 'string'}}}
An Amazon Web Services Verified Access instance is a regional entity that evaluates application requests and grants access only when your security requirements are met.
See also: AWS API Documentation
Request Syntax
client.create_verified_access_instance(
    Description='string',
    TagSpecifications=[
        {
            'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token',
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    ClientToken='string',
    DryRun=True|False,
    FIPSEnabled=True|False,
    CidrEndpointsCustomSubDomain='string'
)
string
A description for the Verified Access instance.
list
The tags to assign to the Verified Access instance.
(dict) --
The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
ResourceType (string) --
The type of resource to tag on creation.
Tags (list) --
The tags to apply to the resource.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
string
A unique, case-sensitive token that you provide to ensure idempotency of your modification request. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
boolean
Enable or disable support for Federal Information Processing Standards (FIPS) on the instance.
string
The custom subdomain.
dict
Response Syntax
{
    'VerifiedAccessInstance': {
        'VerifiedAccessInstanceId': 'string',
        'Description': 'string',
        'VerifiedAccessTrustProviders': [
            {
                'VerifiedAccessTrustProviderId': 'string',
                'Description': 'string',
                'TrustProviderType': 'user'|'device',
                'UserTrustProviderType': 'iam-identity-center'|'oidc',
                'DeviceTrustProviderType': 'jamf'|'crowdstrike'|'jumpcloud'
            },
        ],
        'CreationTime': 'string',
        'LastUpdatedTime': 'string',
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'FipsEnabled': True|False,
        'CidrEndpointsCustomSubDomain': {
            'SubDomain': 'string',
            'Nameservers': [
                'string',
            ]
        }
    }
}
Response Structure
(dict) --
VerifiedAccessInstance (dict) --
Details about the Verified Access instance.
VerifiedAccessInstanceId (string) --
The ID of the Amazon Web Services Verified Access instance.
Description (string) --
A description for the Amazon Web Services Verified Access instance.
VerifiedAccessTrustProviders (list) --
The IDs of the Amazon Web Services Verified Access trust providers.
(dict) --
Condensed information about a trust provider.
VerifiedAccessTrustProviderId (string) --
The ID of the trust provider.
Description (string) --
The description of the trust provider.
TrustProviderType (string) --
The type of trust provider (user- or device-based).
UserTrustProviderType (string) --
The type of user-based trust provider.
DeviceTrustProviderType (string) --
The type of device-based trust provider.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
FipsEnabled (boolean) --
Indicates whether support for Federal Information Processing Standards (FIPS) is enabled on the instance.
CidrEndpointsCustomSubDomain (dict) --
The custom subdomain.
SubDomain (string) --
The subdomain.
Nameservers (list) --
The name servers.
(string) --
{'NativeApplicationOidcOptions': {'AuthorizationEndpoint': 'string', 'ClientId': 'string', 'ClientSecret': 'string', 'Issuer': 'string', 'PublicSigningKeyEndpoint': 'string', 'Scope': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string'}}
Response
{'VerifiedAccessTrustProvider': {'NativeApplicationOidcOptions': {'AuthorizationEndpoint': 'string', 'ClientId': 'string', 'Issuer': 'string', 'PublicSigningKeyEndpoint': 'string', 'Scope': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string'}}}
A trust provider is a third-party entity that creates, maintains, and manages identity information for users and devices. When an application request is made, the identity information sent by the trust provider is evaluated by Verified Access before allowing or denying the application request.
See also: AWS API Documentation
Request Syntax
client.create_verified_access_trust_provider(
    TrustProviderType='user'|'device',
    UserTrustProviderType='iam-identity-center'|'oidc',
    DeviceTrustProviderType='jamf'|'crowdstrike'|'jumpcloud',
    OidcOptions={
        'Issuer': 'string',
        'AuthorizationEndpoint': 'string',
        'TokenEndpoint': 'string',
        'UserInfoEndpoint': 'string',
        'ClientId': 'string',
        'ClientSecret': 'string',
        'Scope': 'string'
    },
    DeviceOptions={
        'TenantId': 'string',
        'PublicSigningKeyUrl': 'string'
    },
    PolicyReferenceName='string',
    Description='string',
    TagSpecifications=[
        {
            'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token',
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ],
    ClientToken='string',
    DryRun=True|False,
    SseSpecification={
        'CustomerManagedKeyEnabled': True|False,
        'KmsKeyArn': 'string'
    },
    NativeApplicationOidcOptions={
        'PublicSigningKeyEndpoint': 'string',
        'Issuer': 'string',
        'AuthorizationEndpoint': 'string',
        'TokenEndpoint': 'string',
        'UserInfoEndpoint': 'string',
        'ClientId': 'string',
        'ClientSecret': 'string',
        'Scope': 'string'
    }
)
string
[REQUIRED]
The type of trust provider.
string
The type of user-based trust provider. This parameter is required when the provider type is user.
string
The type of device-based trust provider. This parameter is required when the provider type is device.
dict
The options for an OpenID Connect-compatible user-identity trust provider. This parameter is required when the provider type is user.
Issuer (string) --
The OIDC issuer.
AuthorizationEndpoint (string) --
The OIDC authorization endpoint.
TokenEndpoint (string) --
The OIDC token endpoint.
UserInfoEndpoint (string) --
The OIDC user info endpoint.
ClientId (string) --
The client identifier.
ClientSecret (string) --
The client secret.
Scope (string) --
OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's details. Each scope returns a specific set of user attributes.
dict
The options for a device-based trust provider. This parameter is required when the provider type is device.
TenantId (string) --
The ID of the tenant application with the device-identity provider.
PublicSigningKeyUrl (string) --
The URL Amazon Web Services Verified Access will use to verify the authenticity of the device tokens.
string
[REQUIRED]
The identifier to be used when working with policy rules.
string
A description for the Verified Access trust provider.
list
The tags to assign to the Verified Access trust provider.
(dict) --
The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
ResourceType (string) --
The type of resource to tag on creation.
Tags (list) --
The tags to apply to the resource.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
string
A unique, case-sensitive token that you provide to ensure idempotency of your modification request. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
The options for server side encryption.
CustomerManagedKeyEnabled (boolean) --
Enable or disable the use of customer managed KMS keys for server side encryption.
Valid values: True | False
KmsKeyArn (string) --
The ARN of the KMS key.
dict
The OpenID Connect (OIDC) options.
PublicSigningKeyEndpoint (string) --
The public signing key endpoint.
Issuer (string) --
The OIDC issuer identifier of the IdP.
AuthorizationEndpoint (string) --
The authorization endpoint of the IdP.
TokenEndpoint (string) --
The token endpoint of the IdP.
UserInfoEndpoint (string) --
The user info endpoint of the IdP.
ClientId (string) --
The OAuth 2.0 client identifier.
ClientSecret (string) --
The OAuth 2.0 client secret.
Scope (string) --
The set of user claims to be requested from the IdP.
dict
Response Syntax
{ 'VerifiedAccessTrustProvider': { 'VerifiedAccessTrustProviderId': 'string', 'Description': 'string', 'TrustProviderType': 'user'|'device', 'UserTrustProviderType': 'iam-identity-center'|'oidc', 'DeviceTrustProviderType': 'jamf'|'crowdstrike'|'jumpcloud', 'OidcOptions': { 'Issuer': 'string', 'AuthorizationEndpoint': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string', 'ClientId': 'string', 'ClientSecret': 'string', 'Scope': 'string' }, 'DeviceOptions': { 'TenantId': 'string', 'PublicSigningKeyUrl': 'string' }, 'PolicyReferenceName': 'string', 'CreationTime': 'string', 'LastUpdatedTime': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'SseSpecification': { 'CustomerManagedKeyEnabled': True|False, 'KmsKeyArn': 'string' }, 'NativeApplicationOidcOptions': { 'PublicSigningKeyEndpoint': 'string', 'Issuer': 'string', 'AuthorizationEndpoint': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string', 'ClientId': 'string', 'Scope': 'string' } } }
Response Structure
(dict) --
VerifiedAccessTrustProvider (dict) --
Details about the Verified Access trust provider.
VerifiedAccessTrustProviderId (string) --
The ID of the Amazon Web Services Verified Access trust provider.
Description (string) --
A description for the Amazon Web Services Verified Access trust provider.
TrustProviderType (string) --
The type of Verified Access trust provider.
UserTrustProviderType (string) --
The type of user-based trust provider.
DeviceTrustProviderType (string) --
The type of device-based trust provider.
OidcOptions (dict) --
The options for an OpenID Connect-compatible user-identity trust provider.
Issuer (string) --
The OIDC issuer.
AuthorizationEndpoint (string) --
The OIDC authorization endpoint.
TokenEndpoint (string) --
The OIDC token endpoint.
UserInfoEndpoint (string) --
The OIDC user info endpoint.
ClientId (string) --
The client identifier.
ClientSecret (string) --
The client secret.
Scope (string) --
The OpenID Connect (OIDC) scope specified.
DeviceOptions (dict) --
The options for a device-identity trust provider.
TenantId (string) --
The ID of the tenant application with the device-identity provider.
PublicSigningKeyUrl (string) --
The URL Amazon Web Services Verified Access will use to verify the authenticity of the device tokens.
PolicyReferenceName (string) --
The identifier to be used when working with policy rules.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
SseSpecification (dict) --
The options in use for server side encryption.
CustomerManagedKeyEnabled (boolean) --
Indicates whether customer managed KMS keys are in use for server side encryption.
Valid values: True | False
KmsKeyArn (string) --
The ARN of the KMS key.
NativeApplicationOidcOptions (dict) --
The OpenID Connect (OIDC) options.
PublicSigningKeyEndpoint (string) --
The public signing key endpoint.
Issuer (string) --
The OIDC issuer identifier of the IdP.
AuthorizationEndpoint (string) --
The authorization endpoint of the IdP.
TokenEndpoint (string) --
The token endpoint of the IdP.
UserInfoEndpoint (string) --
The user info endpoint of the IdP.
ClientId (string) --
The OAuth 2.0 client identifier.
Scope (string) --
The set of user claims to be requested from the IdP.
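Before handing an OidcOptions block to create_verified_access_trust_provider it is worth checking it against the IdP's own discovery metadata: Verified Access will redirect users to AuthorizationEndpoint and exchange codes at TokenEndpoint, so an endpoint that points at a different host than the Issuer is an IdP mix-up waiting to happen. The following is an added example, not code from this page or from AWS; the IdP hostname, discovery document, client ID, tag values, KMS key ARN and the policy reference name "idp" are constructed placeholders. It builds the keyword arguments for the call, validates the OIDC options offline, and masks the ClientSecret that the create/delete responses echo back in OidcOptions.

```python
"""Assemble and sanity-check an OIDC user trust provider request for Verified Access."""
from copy import deepcopy
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample of what an IdP serves at <issuer>/.well-known/openid-configuration.
# In practice fetch it over HTTPS from the issuer you intend to trust.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "scopes_supported": ["openid", "profile", "email", "groups"],
}

# Constructed OidcOptions as passed to create_verified_access_trust_provider.
SAMPLE_OIDC_OPTIONS = {
    "Issuer": "https://idp.example.com",
    "AuthorizationEndpoint": "https://idp.example.com/oauth2/authorize",
    "TokenEndpoint": "https://idp.example.com/oauth2/token",
    "UserInfoEndpoint": "https://idp.example.com/oauth2/userinfo",
    "ClientId": "verified-access-client",
    "ClientSecret": "<fetch-from-secrets-manager-at-runtime>",
    "Scope": "openid email groups",
}

_ENDPOINT_KEYS = (
    ("AuthorizationEndpoint", "authorization_endpoint"),
    ("TokenEndpoint", "token_endpoint"),
    ("UserInfoEndpoint", "userinfo_endpoint"),
)


def validate_oidc_options(opts: dict, discovery: dict) -> List[str]:
    """Return a list of problems; an empty list means the options are consistent.

    Checks: Issuer equals the IdP's published issuer, every endpoint is HTTPS, lives on
    the issuer's host and equals the published metadata value (so the token exchange
    cannot be steered to a second IdP), and Scope requests 'openid' plus only scopes
    the IdP advertises.
    """
    problems: List[str] = []
    issuer = opts.get("Issuer", "")
    if issuer != discovery.get("issuer"):
        problems.append("Issuer does not match the IdP's published issuer")
    issuer_host = urlparse(issuer).netloc
    for key, meta in _ENDPOINT_KEYS:
        url = opts.get(key, "")
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key} must be an https URL")
        if parsed.netloc != issuer_host:
            problems.append(f"{key} host {parsed.netloc!r} differs from the issuer host")
        if url != discovery.get(meta):
            problems.append(f"{key} does not match the IdP metadata value for {meta}")
    scopes = opts.get("Scope", "").split()
    if "openid" not in scopes:
        problems.append("Scope must include 'openid'")
    unknown = sorted(set(scopes) - set(discovery.get("scopes_supported", [])))
    if unknown:
        problems.append(f"Scope requests scopes the IdP does not advertise: {unknown}")
    if not opts.get("ClientId") or not opts.get("ClientSecret"):
        problems.append("ClientId and ClientSecret are both required")
    return problems


def build_user_trust_provider_request(opts: dict, *, kms_key_arn: Optional[str] = None,
                                      client_token: Optional[str] = None,
                                      dry_run: bool = False) -> dict:
    """Keyword arguments for client.create_verified_access_trust_provider(**request)."""
    request = {
        "TrustProviderType": "user",
        "UserTrustProviderType": "oidc",
        "OidcOptions": deepcopy(opts),
        "PolicyReferenceName": "idp",  # claims are then addressed as context.idp.<claim> in policies
        "Description": "Corporate OIDC identity provider",
        "TagSpecifications": [{
            "ResourceType": "verified-access-trust-provider",
            "Tags": [{"Key": "owner", "Value": "security-eng"}],
        }],
        "DryRun": dry_run,
    }
    if kms_key_arn:  # store the client secret under a customer managed KMS key
        request["SseSpecification"] = {"CustomerManagedKeyEnabled": True, "KmsKeyArn": kms_key_arn}
    if client_token:
        request["ClientToken"] = client_token
    return request


def redact_secrets(response: dict) -> dict:
    """Copy of a create/delete response with OidcOptions.ClientSecret masked, safe to log."""
    safe = deepcopy(response)
    provider = safe.get("VerifiedAccessTrustProvider", {})
    if provider.get("OidcOptions", {}).get("ClientSecret"):
        provider["OidcOptions"]["ClientSecret"] = "***REDACTED***"
    return safe
```

Run validate_oidc_options first and only call the API when it returns an empty list; pass the result of redact_secrets, never the raw response, to your logger, because the Response Syntax above shows ClientSecret being returned in OidcOptions.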
create_vpc_endpoint (updated)
Request
{'ResourceConfigurationArn': 'string', 'ServiceNetworkArn': 'string', 'VpcEndpointType': {'ServiceNetwork', 'Resource'}}
Response
{'VpcEndpoint': {'FailureReason': 'string', 'Ipv4Prefixes': [{'IpPrefixes': ['string'], 'SubnetId': 'string'}], 'Ipv6Prefixes': [{'IpPrefixes': ['string'], 'SubnetId': 'string'}], 'ResourceConfigurationArn': 'string', 'ServiceNetworkArn': 'string', 'State': {'Partial'}, 'VpcEndpointType': {'ServiceNetwork', 'Resource'}}}
Creates a VPC endpoint. A VPC endpoint provides a private connection between the specified VPC and the specified endpoint service. You can use an endpoint service provided by Amazon Web Services, an Amazon Web Services Marketplace Partner, or another Amazon Web Services account. For more information, see the Amazon Web Services PrivateLink User Guide.
See also: AWS API Documentation
Request Syntax
client.create_vpc_endpoint( DryRun=True|False, VpcEndpointType='Interface'|'Gateway'|'GatewayLoadBalancer'|'Resource'|'ServiceNetwork', VpcId='string', ServiceName='string', PolicyDocument='string', RouteTableIds=[ 'string', ], SubnetIds=[ 'string', ], SecurityGroupIds=[ 'string', ], IpAddressType='ipv4'|'dualstack'|'ipv6', DnsOptions={ 'DnsRecordIpType': 'ipv4'|'dualstack'|'ipv6'|'service-defined', 'PrivateDnsOnlyForInboundResolverEndpoint': True|False }, ClientToken='string', PrivateDnsEnabled=True|False, TagSpecifications=[ { 'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ] }, ], SubnetConfigurations=[ { 'SubnetId': 'string', 'Ipv4': 'string', 'Ipv6': 'string' }, ], ServiceNetworkArn='string', ResourceConfigurationArn='string', ServiceRegion='string' )
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
string
The type of endpoint.
Default: Gateway
string
[REQUIRED]
The ID of the VPC.
string
The name of the endpoint service.
string
(Interface and gateway endpoints) A policy to attach to the endpoint that controls access to the service. The policy must be in valid JSON format. If this parameter is not specified, we attach a default policy that allows full access to the service.
list
(Gateway endpoint) The route table IDs.
(string) --
list
(Interface and Gateway Load Balancer endpoints) The IDs of the subnets in which to create endpoint network interfaces. For a Gateway Load Balancer endpoint, you can specify only one subnet.
(string) --
list
(Interface endpoint) The IDs of the security groups to associate with the endpoint network interfaces. If this parameter is not specified, we use the default security group for the VPC.
(string) --
string
The IP address type for the endpoint.
dict
The DNS options for the endpoint.
DnsRecordIpType (string) --
The DNS records created for the endpoint.
PrivateDnsOnlyForInboundResolverEndpoint (boolean) --
Indicates whether to enable private DNS only for inbound endpoints. This option is available only for services that support both gateway and interface endpoints. It routes traffic that originates from the VPC to the gateway endpoint and traffic that originates from on-premises to the interface endpoint.
string
Unique, case-sensitive identifier that you provide to ensure the idempotency of the request. For more information, see How to ensure idempotency.
boolean
(Interface endpoint) Indicates whether to associate a private hosted zone with the specified VPC. The private hosted zone contains a record set for the default public DNS name for the service for the Region (for example, kinesis.us-east-1.amazonaws.com), which resolves to the private IP addresses of the endpoint network interfaces in the VPC. This enables you to make requests to the default public DNS name for the service instead of the public DNS names that are automatically generated by the VPC endpoint service.
To use a private hosted zone, you must set the following VPC attributes to true: enableDnsHostnames and enableDnsSupport. Use ModifyVpcAttribute to set the VPC attributes.
Default: true
list
The tags to associate with the endpoint.
(dict) --
The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
ResourceType (string) --
The type of resource to tag on creation.
Tags (list) --
The tags to apply to the resource.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
list
The subnet configurations for the endpoint.
(dict) --
Describes the configuration of a subnet for a VPC endpoint.
SubnetId (string) --
The ID of the subnet.
Ipv4 (string) --
The IPv4 address to assign to the endpoint network interface in the subnet. You must provide an IPv4 address if the VPC endpoint supports IPv4.
If you specify an IPv4 address when modifying a VPC endpoint, we replace the existing endpoint network interface with a new endpoint network interface with this IP address. This process temporarily disconnects the subnet and the VPC endpoint.
Ipv6 (string) --
The IPv6 address to assign to the endpoint network interface in the subnet. You must provide an IPv6 address if the VPC endpoint supports IPv6.
If you specify an IPv6 address when modifying a VPC endpoint, we replace the existing endpoint network interface with a new endpoint network interface with this IP address. This process temporarily disconnects the subnet and the VPC endpoint.
string
The Amazon Resource Name (ARN) of a service network that will be associated with the VPC endpoint of type service-network.
string
The Amazon Resource Name (ARN) of a resource configuration that will be associated with the VPC endpoint of type resource.
string
The Region where the service is hosted. The default is the current Region.
dict
Response Syntax
{ 'VpcEndpoint': { 'VpcEndpointId': 'string', 'VpcEndpointType': 'Interface'|'Gateway'|'GatewayLoadBalancer'|'Resource'|'ServiceNetwork', 'VpcId': 'string', 'ServiceName': 'string', 'State': 'PendingAcceptance'|'Pending'|'Available'|'Deleting'|'Deleted'|'Rejected'|'Failed'|'Expired'|'Partial', 'PolicyDocument': 'string', 'RouteTableIds': [ 'string', ], 'SubnetIds': [ 'string', ], 'Groups': [ { 'GroupId': 'string', 'GroupName': 'string' }, ], 'IpAddressType': 'ipv4'|'dualstack'|'ipv6', 'DnsOptions': { 'DnsRecordIpType': 'ipv4'|'dualstack'|'ipv6'|'service-defined', 'PrivateDnsOnlyForInboundResolverEndpoint': True|False }, 'PrivateDnsEnabled': True|False, 'RequesterManaged': True|False, 'NetworkInterfaceIds': [ 'string', ], 'DnsEntries': [ { 'DnsName': 'string', 'HostedZoneId': 'string' }, ], 'CreationTimestamp': datetime(2015, 1, 1), 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'OwnerId': 'string', 'LastError': { 'Message': 'string', 'Code': 'string' }, 'Ipv4Prefixes': [ { 'SubnetId': 'string', 'IpPrefixes': [ 'string', ] }, ], 'Ipv6Prefixes': [ { 'SubnetId': 'string', 'IpPrefixes': [ 'string', ] }, ], 'FailureReason': 'string', 'ServiceNetworkArn': 'string', 'ResourceConfigurationArn': 'string', 'ServiceRegion': 'string' }, 'ClientToken': 'string' }
Response Structure
(dict) --
VpcEndpoint (dict) --
Information about the endpoint.
VpcEndpointId (string) --
The ID of the endpoint.
VpcEndpointType (string) --
The type of endpoint.
VpcId (string) --
The ID of the VPC to which the endpoint is associated.
ServiceName (string) --
The name of the service to which the endpoint is associated.
State (string) --
The state of the endpoint.
PolicyDocument (string) --
The policy document associated with the endpoint, if applicable.
RouteTableIds (list) --
(Gateway endpoint) The IDs of the route tables associated with the endpoint.
(string) --
SubnetIds (list) --
(Interface endpoint) The subnets for the endpoint.
(string) --
Groups (list) --
(Interface endpoint) Information about the security groups that are associated with the network interface.
(dict) --
Describes a security group.
GroupId (string) --
The ID of the security group.
GroupName (string) --
The name of the security group.
IpAddressType (string) --
The IP address type for the endpoint.
DnsOptions (dict) --
The DNS options for the endpoint.
DnsRecordIpType (string) --
The DNS records created for the endpoint.
PrivateDnsOnlyForInboundResolverEndpoint (boolean) --
Indicates whether to enable private DNS only for inbound endpoints.
PrivateDnsEnabled (boolean) --
(Interface endpoint) Indicates whether the VPC is associated with a private hosted zone.
RequesterManaged (boolean) --
Indicates whether the endpoint is being managed by its service.
NetworkInterfaceIds (list) --
(Interface endpoint) The network interfaces for the endpoint.
(string) --
DnsEntries (list) --
(Interface endpoint) The DNS entries for the endpoint.
(dict) --
Describes a DNS entry.
DnsName (string) --
The DNS name.
HostedZoneId (string) --
The ID of the private hosted zone.
CreationTimestamp (datetime) --
The date and time that the endpoint was created.
Tags (list) --
The tags assigned to the endpoint.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
OwnerId (string) --
The ID of the Amazon Web Services account that owns the endpoint.
LastError (dict) --
The last error that occurred for endpoint.
Message (string) --
The error message for the VPC endpoint error.
Code (string) --
The error code for the VPC endpoint error.
Ipv4Prefixes (list) --
Array of IPv4 prefixes.
(dict) --
The IP prefixes allocated to the endpoint in one subnet.
SubnetId (string) --
ID of the subnet.
IpPrefixes (list) --
The IP prefixes for the subnet.
(string) --
Ipv6Prefixes (list) --
Array of IPv6 prefixes.
(dict) --
The IP prefixes allocated to the endpoint in one subnet.
SubnetId (string) --
ID of the subnet.
IpPrefixes (list) --
The IP prefixes for the subnet.
(string) --
FailureReason (string) --
Reason for the failure.
ServiceNetworkArn (string) --
The Amazon Resource Name (ARN) of the service network.
ResourceConfigurationArn (string) --
The Amazon Resource Name (ARN) of the resource configuration.
ServiceRegion (string) --
The Region where the service is hosted.
ClientToken (string) --
Unique, case-sensitive identifier that you provide to ensure the idempotency of the request.
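Two of the defaults above deserve attention: when PolicyDocument is omitted the endpoint gets a policy allowing full access to the service for any principal, and when SecurityGroupIds is omitted the endpoint network interfaces get the VPC's default security group. The following is an added example, not code from this page or from AWS; the VPC, subnet, security group and account IDs, the organization ID and the tag values are constructed placeholders. It reproduces the default full-access policy, builds a least-privilege policy for a Secrets Manager interface endpoint, audits a policy document for open grants, and assembles the create_vpc_endpoint keyword arguments only when both checks pass.

```python
"""Least-privilege PolicyDocument for a VPC interface endpoint, with an audit of the default."""
import json
from typing import Iterable, List

# The policy attached when PolicyDocument is omitted: full access, any principal.
DEFAULT_FULL_ACCESS_POLICY = json.dumps({
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]
})


def build_secretsmanager_endpoint_policy(org_id: str, account_id: str, region: str) -> str:
    """Allow only principals in our organization to read secrets in our own account.

    Principal stays '*' because an endpoint policy cannot enumerate every role, but the
    aws:PrincipalOrgID condition stops credentials from a foreign account being used
    through this endpoint to reach the service (a common exfiltration path).
    """
    doc = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OrgPrincipalsReadOwnSecrets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
            "Resource": f"arn:aws:secretsmanager:{region}:{account_id}:secret:*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }
    return json.dumps(doc)


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def audit_endpoint_policy(policy_json: str) -> List[str]:
    """Flag Allow statements that leave the endpoint open to any principal or any action."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid") or f"statement[{i}]"
        if _principal_is_anyone(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append(f"{label}: any principal allowed with no Condition "
                            "(no aws:PrincipalOrgID or aws:PrincipalAccount guard)")
        if "*" in _as_list(stmt.get("Action")):
            findings.append(f"{label}: Action '*' grants every API of the service")
    return findings


def build_create_vpc_endpoint_request(vpc_id: str, region: str, subnet_ids: Iterable[str],
                                      security_group_ids: Iterable[str], policy_json: str,
                                      *, dry_run: bool = False) -> dict:
    """Keyword arguments for client.create_vpc_endpoint(**request) for an interface endpoint.

    Refuses to build a request that would fall back to the VPC default security group
    or that carries a policy the audit above flags.
    """
    security_group_ids = list(security_group_ids)
    if not security_group_ids:
        raise ValueError("pass an explicit, restrictive security group; do not fall back to the VPC default")
    findings = audit_endpoint_policy(policy_json)
    if findings:
        raise ValueError("endpoint policy too permissive: " + "; ".join(findings))
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": f"com.amazonaws.{region}.secretsmanager",
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": security_group_ids,
        "PolicyDocument": policy_json,
        "PrivateDnsEnabled": True,  # SDKs keep using the public service name, resolved to the endpoint ENIs
        "IpAddressType": "ipv4",
        "DnsOptions": {"DnsRecordIpType": "ipv4"},
        "TagSpecifications": [{
            "ResourceType": "vpc-endpoint",
            "Tags": [{"Key": "owner", "Value": "security-eng"}],
        }],
        "DryRun": dry_run,
    }
```

The same audit function works on the PolicyDocument string returned in the response, so it can also be run across existing endpoints from describe_vpc_endpoints output to find the ones still carrying the default policy.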
delete_verified_access_endpoint (updated)
Response
{'VerifiedAccessEndpoint': {'CidrOptions': {'Cidr': 'string', 'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': 'http | https | tcp', 'SubnetIds': ['string']}, 'EndpointType': {'cidr', 'rds'}, 'LoadBalancerOptions': {'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': {'tcp'}}, 'NetworkInterfaceOptions': {'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': {'tcp'}}, 'RdsOptions': {'Port': 'integer', 'Protocol': 'http | https | tcp', 'RdsDbClusterArn': 'string', 'RdsDbInstanceArn': 'string', 'RdsDbProxyArn': 'string', 'RdsEndpoint': 'string', 'SubnetIds': ['string']}}}
Delete an Amazon Web Services Verified Access endpoint.
See also: AWS API Documentation
Request Syntax
client.delete_verified_access_endpoint( VerifiedAccessEndpointId='string', ClientToken='string', DryRun=True|False )
string
[REQUIRED]
The ID of the Verified Access endpoint.
string
A unique, case-sensitive token that you provide to ensure idempotency of your modification request. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{ 'VerifiedAccessEndpoint': { 'VerifiedAccessInstanceId': 'string', 'VerifiedAccessGroupId': 'string', 'VerifiedAccessEndpointId': 'string', 'ApplicationDomain': 'string', 'EndpointType': 'load-balancer'|'network-interface'|'rds'|'cidr', 'AttachmentType': 'vpc', 'DomainCertificateArn': 'string', 'EndpointDomain': 'string', 'DeviceValidationDomain': 'string', 'SecurityGroupIds': [ 'string', ], 'LoadBalancerOptions': { 'Protocol': 'http'|'https'|'tcp', 'Port': 123, 'LoadBalancerArn': 'string', 'SubnetIds': [ 'string', ], 'PortRanges': [ { 'FromPort': 123, 'ToPort': 123 }, ] }, 'NetworkInterfaceOptions': { 'NetworkInterfaceId': 'string', 'Protocol': 'http'|'https'|'tcp', 'Port': 123, 'PortRanges': [ { 'FromPort': 123, 'ToPort': 123 }, ] }, 'Status': { 'Code': 'pending'|'active'|'updating'|'deleting'|'deleted', 'Message': 'string' }, 'Description': 'string', 'CreationTime': 'string', 'LastUpdatedTime': 'string', 'DeletionTime': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'SseSpecification': { 'CustomerManagedKeyEnabled': True|False, 'KmsKeyArn': 'string' }, 'RdsOptions': { 'Protocol': 'http'|'https'|'tcp', 'Port': 123, 'RdsDbInstanceArn': 'string', 'RdsDbClusterArn': 'string', 'RdsDbProxyArn': 'string', 'RdsEndpoint': 'string', 'SubnetIds': [ 'string', ] }, 'CidrOptions': { 'Cidr': 'string', 'PortRanges': [ { 'FromPort': 123, 'ToPort': 123 }, ], 'Protocol': 'http'|'https'|'tcp', 'SubnetIds': [ 'string', ] } } }
Response Structure
(dict) --
VerifiedAccessEndpoint (dict) --
Details about the Verified Access endpoint.
VerifiedAccessInstanceId (string) --
The ID of the Amazon Web Services Verified Access instance.
VerifiedAccessGroupId (string) --
The ID of the Amazon Web Services Verified Access group.
VerifiedAccessEndpointId (string) --
The ID of the Amazon Web Services Verified Access endpoint.
ApplicationDomain (string) --
The DNS name for users to reach your application.
EndpointType (string) --
The type of Amazon Web Services Verified Access endpoint. Incoming application requests will be sent to an IP address, load balancer or a network interface depending on the endpoint type specified.
AttachmentType (string) --
The type of attachment used to provide connectivity between the Amazon Web Services Verified Access endpoint and the application.
DomainCertificateArn (string) --
The ARN of a public TLS/SSL certificate imported into or created with ACM.
EndpointDomain (string) --
A DNS name that is generated for the endpoint.
DeviceValidationDomain (string) --
Returned if endpoint has a device trust provider attached.
SecurityGroupIds (list) --
The IDs of the security groups for the endpoint.
(string) --
LoadBalancerOptions (dict) --
The load balancer details if creating the Amazon Web Services Verified Access endpoint as load-balancer type.
Protocol (string) --
The IP protocol.
Port (integer) --
The IP port number.
LoadBalancerArn (string) --
The ARN of the load balancer.
SubnetIds (list) --
The IDs of the subnets.
(string) --
PortRanges (list) --
The port ranges.
(dict) --
Describes a port range.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
NetworkInterfaceOptions (dict) --
The options for a network-interface type endpoint.
NetworkInterfaceId (string) --
The ID of the network interface.
Protocol (string) --
The IP protocol.
Port (integer) --
The IP port number.
PortRanges (list) --
The port ranges.
(dict) --
Describes a port range.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
Status (dict) --
The endpoint status.
Code (string) --
The status code of the Verified Access endpoint.
Message (string) --
The status message of the Verified Access endpoint.
Description (string) --
A description for the Amazon Web Services Verified Access endpoint.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
DeletionTime (string) --
The deletion time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
SseSpecification (dict) --
The options in use for server side encryption.
CustomerManagedKeyEnabled (boolean) --
Indicates whether customer managed KMS keys are in use for server side encryption.
Valid values: True | False
KmsKeyArn (string) --
The ARN of the KMS key.
RdsOptions (dict) --
The options for an RDS endpoint.
Protocol (string) --
The protocol.
Port (integer) --
The port.
RdsDbInstanceArn (string) --
The ARN of the RDS instance.
RdsDbClusterArn (string) --
The ARN of the DB cluster.
RdsDbProxyArn (string) --
The ARN of the RDS proxy.
RdsEndpoint (string) --
The RDS endpoint.
SubnetIds (list) --
The IDs of the subnets.
(string) --
CidrOptions (dict) --
The options for a CIDR endpoint.
Cidr (string) --
The CIDR.
PortRanges (list) --
The port ranges.
(dict) --
Describes a port range.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
Protocol (string) --
The protocol.
SubnetIds (list) --
The IDs of the subnets.
(string) --
delete_verified_access_instance (updated)
Response
{'VerifiedAccessInstance': {'CidrEndpointsCustomSubDomain': {'Nameservers': ['string'], 'SubDomain': 'string'}}}
Delete an Amazon Web Services Verified Access instance.
See also: AWS API Documentation
Request Syntax
client.delete_verified_access_instance( VerifiedAccessInstanceId='string', DryRun=True|False, ClientToken='string' )
string
[REQUIRED]
The ID of the Verified Access instance.
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
string
A unique, case-sensitive token that you provide to ensure idempotency of your modification request. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
dict
Response Syntax
{ 'VerifiedAccessInstance': { 'VerifiedAccessInstanceId': 'string', 'Description': 'string', 'VerifiedAccessTrustProviders': [ { 'VerifiedAccessTrustProviderId': 'string', 'Description': 'string', 'TrustProviderType': 'user'|'device', 'UserTrustProviderType': 'iam-identity-center'|'oidc', 'DeviceTrustProviderType': 'jamf'|'crowdstrike'|'jumpcloud' }, ], 'CreationTime': 'string', 'LastUpdatedTime': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'FipsEnabled': True|False, 'CidrEndpointsCustomSubDomain': { 'SubDomain': 'string', 'Nameservers': [ 'string', ] } } }
Response Structure
(dict) --
VerifiedAccessInstance (dict) --
Details about the Verified Access instance.
VerifiedAccessInstanceId (string) --
The ID of the Amazon Web Services Verified Access instance.
Description (string) --
A description for the Amazon Web Services Verified Access instance.
VerifiedAccessTrustProviders (list) --
The IDs of the Amazon Web Services Verified Access trust providers.
(dict) --
Condensed information about a trust provider.
VerifiedAccessTrustProviderId (string) --
The ID of the trust provider.
Description (string) --
The description of the trust provider.
TrustProviderType (string) --
The type of trust provider (user- or device-based).
UserTrustProviderType (string) --
The type of user-based trust provider.
DeviceTrustProviderType (string) --
The type of device-based trust provider.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
FipsEnabled (boolean) --
Indicates whether support for Federal Information Processing Standards (FIPS) is enabled on the instance.
CidrEndpointsCustomSubDomain (dict) --
The custom subdomain.
SubDomain (string) --
The subdomain.
Nameservers (list) --
The name servers.
(string) --
delete_verified_access_trust_provider (updated)
Response
{'VerifiedAccessTrustProvider': {'NativeApplicationOidcOptions': {'AuthorizationEndpoint': 'string', 'ClientId': 'string', 'Issuer': 'string', 'PublicSigningKeyEndpoint': 'string', 'Scope': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string'}}}
Delete an Amazon Web Services Verified Access trust provider.
See also: AWS API Documentation
Request Syntax
client.delete_verified_access_trust_provider( VerifiedAccessTrustProviderId='string', DryRun=True|False, ClientToken='string' )
string
[REQUIRED]
The ID of the Verified Access trust provider.
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
string
A unique, case-sensitive token that you provide to ensure idempotency of your modification request. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
dict
Response Syntax
{ 'VerifiedAccessTrustProvider': { 'VerifiedAccessTrustProviderId': 'string', 'Description': 'string', 'TrustProviderType': 'user'|'device', 'UserTrustProviderType': 'iam-identity-center'|'oidc', 'DeviceTrustProviderType': 'jamf'|'crowdstrike'|'jumpcloud', 'OidcOptions': { 'Issuer': 'string', 'AuthorizationEndpoint': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string', 'ClientId': 'string', 'ClientSecret': 'string', 'Scope': 'string' }, 'DeviceOptions': { 'TenantId': 'string', 'PublicSigningKeyUrl': 'string' }, 'PolicyReferenceName': 'string', 'CreationTime': 'string', 'LastUpdatedTime': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'SseSpecification': { 'CustomerManagedKeyEnabled': True|False, 'KmsKeyArn': 'string' }, 'NativeApplicationOidcOptions': { 'PublicSigningKeyEndpoint': 'string', 'Issuer': 'string', 'AuthorizationEndpoint': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string', 'ClientId': 'string', 'Scope': 'string' } } }
Response Structure
(dict) --
VerifiedAccessTrustProvider (dict) --
Details about the Verified Access trust provider.
VerifiedAccessTrustProviderId (string) --
The ID of the Amazon Web Services Verified Access trust provider.
Description (string) --
A description for the Amazon Web Services Verified Access trust provider.
TrustProviderType (string) --
The type of Verified Access trust provider.
UserTrustProviderType (string) --
The type of user-based trust provider.
DeviceTrustProviderType (string) --
The type of device-based trust provider.
OidcOptions (dict) --
The options for an OpenID Connect-compatible user-identity trust provider.
Issuer (string) --
The OIDC issuer.
AuthorizationEndpoint (string) --
The OIDC authorization endpoint.
TokenEndpoint (string) --
The OIDC token endpoint.
UserInfoEndpoint (string) --
The OIDC user info endpoint.
ClientId (string) --
The client identifier.
ClientSecret (string) --
The client secret.
Scope (string) --
The OpenID Connect (OIDC) scope specified.
DeviceOptions (dict) --
The options for a device-identity trust provider.
TenantId (string) --
The ID of the tenant application with the device-identity provider.
PublicSigningKeyUrl (string) --
The URL Amazon Web Services Verified Access will use to verify the authenticity of the device tokens.
PolicyReferenceName (string) --
The identifier to be used when working with policy rules.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
SseSpecification (dict) --
The options in use for server-side encryption.
CustomerManagedKeyEnabled (boolean) --
Indicates whether customer managed KMS keys are in use for server-side encryption.
Valid values: True | False
KmsKeyArn (string) --
The ARN of the KMS key.
NativeApplicationOidcOptions (dict) --
The OpenID Connect (OIDC) options.
PublicSigningKeyEndpoint (string) --
The public signing key endpoint.
Issuer (string) --
The OIDC issuer identifier of the IdP.
AuthorizationEndpoint (string) --
The authorization endpoint of the IdP.
TokenEndpoint (string) --
The token endpoint of the IdP.
UserInfoEndpoint (string) --
The user info endpoint of the IdP.
ClientId (string) --
The OAuth 2.0 client identifier.
Scope (string) --
The set of user claims to be requested from the IdP.
{'CapacityReservationFleets': {'InstanceTypeSpecifications': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}}
{'Fleets': {'Errors': {'LaunchTemplateAndOverrides': {'Overrides': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}}, 'Instances': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}, 'LaunchTemplateAndOverrides': {'Overrides': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}}, 'LaunchTemplateConfigs': {'Overrides': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}}}
{'Images': {'ImageAllowed': 'boolean'}}
Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.
The images available to you include public images, private images that you own, and private images owned by other Amazon Web Services accounts for which you have explicit launch permissions.
Recently deregistered images appear in the returned results for a short interval; after that, requests for them return empty results. After all instances that reference a deregistered AMI are terminated, specifying the ID of the image will eventually return an error indicating that the AMI ID cannot be found.
When Allowed AMIs is set to enabled, only allowed images are returned in the results, with the imageAllowed field set to true for each image. In audit-mode, the imageAllowed field is set to true for images that meet the account's Allowed AMIs criteria, and false for images that don't meet the criteria. For more information, see EnableAllowedImagesSettings.
See also: AWS API Documentation
Request Syntax
client.describe_images( ExecutableUsers=[ 'string', ], ImageIds=[ 'string', ], Owners=[ 'string', ], IncludeDeprecated=True|False, IncludeDisabled=True|False, MaxResults=123, NextToken='string', DryRun=True|False, Filters=[ { 'Name': 'string', 'Values': [ 'string', ] }, ] )
ExecutableUsers (list) --
Scopes the images by users with explicit launch permissions. Specify an Amazon Web Services account ID, self (the sender of the request), or all (public AMIs).
If you specify an Amazon Web Services account ID that is not your own, only AMIs shared with that specific Amazon Web Services account ID are returned. However, AMIs that are shared with the account’s organization or organizational unit (OU) are not returned.
If you specify self or your own Amazon Web Services account ID, AMIs shared with your account are returned. In addition, AMIs that are shared with the organization or OU of which you are a member are also returned.
If you specify all, all public AMIs are returned.
(string) --
ImageIds (list) --
The image IDs.
Default: Describes all images available to you.
(string) --
Owners (list) --
Scopes the results to images with the specified owners. You can specify a combination of Amazon Web Services account IDs, self, amazon, aws-backup-vault, and aws-marketplace. If you omit this parameter, the results include all images for which you have launch permissions, regardless of ownership.
(string) --
IncludeDeprecated (boolean) --
Specifies whether to include deprecated AMIs.
Default: No deprecated AMIs are included in the response.
IncludeDisabled (boolean) --
Specifies whether to include disabled AMIs.
Default: No disabled AMIs are included in the response.
MaxResults (integer) --
The maximum number of items to return for this request. To get the next page of items, make another request with the token returned in the output. For more information, see Pagination.
NextToken (string) --
The token returned from a previous paginated request. Pagination continues from the end of the items returned by the previous request.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Filters (list) --
The filters.
architecture - The image architecture (i386 | x86_64 | arm64 | x86_64_mac | arm64_mac).
block-device-mapping.delete-on-termination - A Boolean value that indicates whether the Amazon EBS volume is deleted on instance termination.
block-device-mapping.device-name - The device name specified in the block device mapping (for example, /dev/sdh or xvdh).
block-device-mapping.snapshot-id - The ID of the snapshot used for the Amazon EBS volume.
block-device-mapping.volume-size - The volume size of the Amazon EBS volume, in GiB.
block-device-mapping.volume-type - The volume type of the Amazon EBS volume (io1 | io2 | gp2 | gp3 | sc1 | st1 | standard).
block-device-mapping.encrypted - A Boolean that indicates whether the Amazon EBS volume is encrypted.
creation-date - The time when the image was created, in the ISO 8601 format in the UTC time zone (YYYY-MM-DDThh:mm:ss.sssZ), for example, 2021-09-29T11:04:43.305Z. You can use a wildcard (*), for example, 2021-09-29T*, which matches an entire day.
description - The description of the image (provided during image creation).
ena-support - A Boolean that indicates whether enhanced networking with ENA is enabled.
hypervisor - The hypervisor type (ovm | xen).
image-allowed - A Boolean that indicates whether the image meets the criteria specified for Allowed AMIs.
image-id - The ID of the image.
image-type - The image type (machine | kernel | ramdisk).
is-public - A Boolean that indicates whether the image is public.
kernel-id - The kernel ID.
manifest-location - The location of the image manifest.
name - The name of the AMI (provided during image creation).
owner-alias - The owner alias (amazon | aws-backup-vault | aws-marketplace). The valid aliases are defined in an Amazon-maintained list. This is not the Amazon Web Services account alias that can be set using the IAM console. We recommend that you use the Owner request parameter instead of this filter.
owner-id - The Amazon Web Services account ID of the owner. We recommend that you use the Owner request parameter instead of this filter.
platform - The platform. The only supported value is windows.
product-code - The product code.
product-code.type - The type of the product code (marketplace).
ramdisk-id - The RAM disk ID.
root-device-name - The device name of the root device volume (for example, /dev/sda1).
root-device-type - The type of the root device volume (ebs | instance-store).
source-image-id - The ID of the source AMI from which the AMI was created.
source-image-region - The Region of the source AMI.
source-instance-id - The ID of the instance that the AMI was created from if the AMI was created using CreateImage. This filter is applicable only if the AMI was created using CreateImage.
state - The state of the image (available | pending | failed).
state-reason-code - The reason code for the state change.
state-reason-message - The message for the state change.
sriov-net-support - A value of simple indicates that enhanced networking with the Intel 82599 VF interface is enabled.
tag:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
tag-key - The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
virtualization-type - The virtualization type (paravirtual | hvm).
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
Return type: dict
Response Syntax
{ 'NextToken': 'string', 'Images': [ { 'PlatformDetails': 'string', 'UsageOperation': 'string', 'BlockDeviceMappings': [ { 'Ebs': { 'DeleteOnTermination': True|False, 'Iops': 123, 'SnapshotId': 'string', 'VolumeSize': 123, 'VolumeType': 'standard'|'io1'|'io2'|'gp2'|'sc1'|'st1'|'gp3', 'KmsKeyId': 'string', 'Throughput': 123, 'OutpostArn': 'string', 'Encrypted': True|False }, 'NoDevice': 'string', 'DeviceName': 'string', 'VirtualName': 'string' }, ], 'Description': 'string', 'EnaSupport': True|False, 'Hypervisor': 'ovm'|'xen', 'ImageOwnerAlias': 'string', 'Name': 'string', 'RootDeviceName': 'string', 'RootDeviceType': 'ebs'|'instance-store', 'SriovNetSupport': 'string', 'StateReason': { 'Code': 'string', 'Message': 'string' }, 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'VirtualizationType': 'hvm'|'paravirtual', 'BootMode': 'legacy-bios'|'uefi'|'uefi-preferred', 'TpmSupport': 'v2.0', 'DeprecationTime': 'string', 'ImdsSupport': 'v2.0', 'SourceInstanceId': 'string', 'DeregistrationProtection': 'string', 'LastLaunchedTime': 'string', 'ImageAllowed': True|False, 'SourceImageId': 'string', 'SourceImageRegion': 'string', 'ImageId': 'string', 'ImageLocation': 'string', 'State': 'pending'|'available'|'invalid'|'deregistered'|'transient'|'failed'|'error'|'disabled', 'OwnerId': 'string', 'CreationDate': 'string', 'Public': True|False, 'ProductCodes': [ { 'ProductCodeId': 'string', 'ProductCodeType': 'devpay'|'marketplace' }, ], 'Architecture': 'i386'|'x86_64'|'arm64'|'x86_64_mac'|'arm64_mac', 'ImageType': 'machine'|'kernel'|'ramdisk', 'KernelId': 'string', 'RamdiskId': 'string', 'Platform': 'Windows' }, ] }
Response Structure
(dict) --
NextToken (string) --
The token to include in another request to get the next page of items. This value is null when there are no more items to return.
Images (list) --
Information about the images.
(dict) --
Describes an image.
PlatformDetails (string) --
The platform details associated with the billing code of the AMI. For more information, see Understand AMI billing information in the Amazon EC2 User Guide.
UsageOperation (string) --
The operation of the Amazon EC2 instance and the billing code that is associated with the AMI. usageOperation corresponds to the lineitem/Operation column on your Amazon Web Services Cost and Usage Report and in the Amazon Web Services Price List API. You can view these fields on the Instances or AMIs pages in the Amazon EC2 console, or in the responses that are returned by the DescribeImages command in the Amazon EC2 API, or the describe-images command in the CLI.
BlockDeviceMappings (list) --
Any block device mapping entries.
(dict) --
Describes a block device mapping, which defines the EBS volumes and instance store volumes to attach to an instance at launch.
Ebs (dict) --
Parameters used to automatically set up EBS volumes when the instance is launched.
DeleteOnTermination (boolean) --
Indicates whether the EBS volume is deleted on instance termination. For more information, see Preserving Amazon EBS volumes on instance termination in the Amazon EC2 User Guide.
Iops (integer) --
The number of I/O operations per second (IOPS). For gp3, io1, and io2 volumes, this represents the number of IOPS that are provisioned for the volume. For gp2 volumes, this represents the baseline performance of the volume and the rate at which the volume accumulates I/O credits for bursting.
The following are the supported values for each volume type:
gp3: 3,000 - 16,000 IOPS
io1: 100 - 64,000 IOPS
io2: 100 - 256,000 IOPS
For io2 volumes, you can achieve up to 256,000 IOPS on instances built on the Nitro System. On other instances, you can achieve performance up to 32,000 IOPS.
This parameter is required for io1 and io2 volumes. The default for gp3 volumes is 3,000 IOPS.
SnapshotId (string) --
The ID of the snapshot.
VolumeSize (integer) --
The size of the volume, in GiBs. You must specify either a snapshot ID or a volume size. If you specify a snapshot, the default is the snapshot size. You can specify a volume size that is equal to or larger than the snapshot size.
The following are the supported sizes for each volume type:
gp2 and gp3: 1 - 16,384 GiB
io1: 4 - 16,384 GiB
io2: 4 - 65,536 GiB
st1 and sc1: 125 - 16,384 GiB
standard: 1 - 1024 GiB
VolumeType (string) --
The volume type. For more information, see Amazon EBS volume types in the Amazon EBS User Guide.
KmsKeyId (string) --
Identifier (key ID, key alias, key ARN, or alias ARN) of the customer managed KMS key to use for EBS encryption.
This parameter is only supported on BlockDeviceMapping objects called by RunInstances, RequestSpotFleet, and RequestSpotInstances.
Throughput (integer) --
The throughput that the volume supports, in MiB/s.
This parameter is valid only for gp3 volumes.
Valid Range: Minimum value of 125. Maximum value of 1000.
OutpostArn (string) --
The ARN of the Outpost on which the snapshot is stored.
This parameter is not supported when using CreateImage.
Encrypted (boolean) --
Indicates whether the encryption state of an EBS volume is changed while being restored from a backing snapshot. The effect of setting the encryption state to true depends on the volume origin (new or from a snapshot), starting encryption state, ownership, and whether encryption by default is enabled. For more information, see Amazon EBS encryption in the Amazon EBS User Guide.
In no case can you remove encryption from an encrypted volume.
Encrypted volumes can only be attached to instances that support Amazon EBS encryption. For more information, see Supported instance types.
This parameter is not returned by DescribeImageAttribute.
For CreateImage and RegisterImage, whether you can include this parameter, and the allowed values differ depending on the type of block device mapping you are creating.
If you are creating a block device mapping for a new (empty) volume, you can include this parameter, and specify either true for an encrypted volume, or false for an unencrypted volume. If you omit this parameter, it defaults to false (unencrypted).
If you are creating a block device mapping from an existing encrypted or unencrypted snapshot, you must omit this parameter. If you include this parameter, the request will fail, regardless of the value that you specify.
If you are creating a block device mapping from an existing unencrypted volume, you can include this parameter, but you must specify false. If you specify true, the request will fail. In this case, we recommend that you omit the parameter.
If you are creating a block device mapping from an existing encrypted volume, you can include this parameter, and specify either true or false. However, if you specify false, the parameter is ignored and the block device mapping is always encrypted. In this case, we recommend that you omit the parameter.
NoDevice (string) --
To omit the device from the block device mapping, specify an empty string. When this property is specified, the device is removed from the block device mapping regardless of the assigned value.
DeviceName (string) --
The device name (for example, /dev/sdh or xvdh).
VirtualName (string) --
The virtual device name (ephemeralN). Instance store volumes are numbered starting from 0. An instance type with 2 available instance store volumes can specify mappings for ephemeral0 and ephemeral1. The number of available instance store volumes depends on the instance type. After you connect to the instance, you must mount the volume.
NVMe instance store volumes are automatically enumerated and assigned a device name. Including them in your block device mapping has no effect.
Constraints: For M3 instances, you must specify instance store volumes in the block device mapping for the instance. When you launch an M3 instance, we ignore any instance store volumes specified in the block device mapping for the AMI.
Description (string) --
The description of the AMI that was provided during image creation.
EnaSupport (boolean) --
Specifies whether enhanced networking with ENA is enabled.
Hypervisor (string) --
The hypervisor type of the image. Only xen is supported. ovm is not supported.
ImageOwnerAlias (string) --
The owner alias (amazon | aws-backup-vault | aws-marketplace).
Name (string) --
The name of the AMI that was provided during image creation.
RootDeviceName (string) --
The device name of the root device volume (for example, /dev/sda1).
RootDeviceType (string) --
The type of root device used by the AMI. The AMI can use an Amazon EBS volume or an instance store volume.
SriovNetSupport (string) --
Specifies whether enhanced networking with the Intel 82599 Virtual Function interface is enabled.
StateReason (dict) --
The reason for the state change.
Code (string) --
The reason code for the state change.
Message (string) --
The message for the state change.
Server.InsufficientInstanceCapacity: There was insufficient capacity available to satisfy the launch request.
Server.InternalError: An internal error caused the instance to terminate during launch.
Server.ScheduledStop: The instance was stopped due to a scheduled retirement.
Server.SpotInstanceShutdown: The instance was stopped because the number of Spot requests with a maximum price equal to or higher than the Spot price exceeded available capacity or because of an increase in the Spot price.
Server.SpotInstanceTermination: The instance was terminated because the number of Spot requests with a maximum price equal to or higher than the Spot price exceeded available capacity or because of an increase in the Spot price.
Client.InstanceInitiatedShutdown: The instance was shut down from the operating system of the instance.
Client.InstanceTerminated: The instance was terminated or rebooted during AMI creation.
Client.InternalError: A client error caused the instance to terminate during launch.
Client.InvalidSnapshot.NotFound: The specified snapshot was not found.
Client.UserInitiatedHibernate: Hibernation was initiated on the instance.
Client.UserInitiatedShutdown: The instance was shut down using the Amazon EC2 API.
Client.VolumeLimitExceeded: The limit on the number of EBS volumes or total storage was exceeded. Decrease usage or request an increase in your account limits.
Tags (list) --
Any tags assigned to the image.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
VirtualizationType (string) --
The type of virtualization of the AMI.
BootMode (string) --
The boot mode of the image. For more information, see Boot modes in the Amazon EC2 User Guide.
TpmSupport (string) --
If the image is configured for NitroTPM support, the value is v2.0. For more information, see NitroTPM in the Amazon EC2 User Guide.
DeprecationTime (string) --
The date and time to deprecate the AMI, in UTC, in the following format: YYYY-MM-DDTHH:MM:SSZ. If you specified a value for seconds, Amazon EC2 rounds the seconds to the nearest minute.
ImdsSupport (string) --
If v2.0, it indicates that IMDSv2 is specified in the AMI. Instances launched from this AMI will have HttpTokens automatically set to required so that, by default, the instance requires that IMDSv2 is used when requesting instance metadata. In addition, HttpPutResponseHopLimit is set to 2. For more information, see Configure the AMI in the Amazon EC2 User Guide.
SourceInstanceId (string) --
The ID of the instance that the AMI was created from if the AMI was created using CreateImage. This field only appears if the AMI was created using CreateImage.
DeregistrationProtection (string) --
Indicates whether deregistration protection is enabled for the AMI.
LastLaunchedTime (string) --
The date and time, in ISO 8601 date-time format, when the AMI was last used to launch an EC2 instance. When the AMI is used to launch an instance, there is a 24-hour delay before that usage is reported.
ImageAllowed (boolean) --
If true, the AMI satisfies the criteria for Allowed AMIs and can be discovered and used in the account. If false and Allowed AMIs is set to enabled, the AMI can't be discovered or used in the account. If false and Allowed AMIs is set to audit-mode, the AMI can be discovered and used in the account.
For more information, see Control the discovery and use of AMIs in Amazon EC2 with Allowed AMIs in the Amazon EC2 User Guide.
SourceImageId (string) --
The ID of the source AMI from which the AMI was created.
The ID only appears if the AMI was created using CreateImage, CopyImage, or CreateRestoreImageTask. The ID does not appear if the AMI was created using any other API. For some older AMIs, the ID might not be available. For more information, see Identify the source AMI used to create a new AMI in the Amazon EC2 User Guide.
SourceImageRegion (string) --
The Region of the source AMI.
The Region only appears if the AMI was created using CreateImage, CopyImage, or CreateRestoreImageTask. The Region does not appear if the AMI was created using any other API. For some older AMIs, the Region might not be available. For more information, see Identify the source AMI used to create a new AMI in the Amazon EC2 User Guide.
ImageId (string) --
The ID of the AMI.
ImageLocation (string) --
The location of the AMI.
State (string) --
The current state of the AMI. If the state is available, the image is successfully registered and can be used to launch an instance.
OwnerId (string) --
The ID of the Amazon Web Services account that owns the image.
CreationDate (string) --
The date and time the image was created.
Public (boolean) --
Indicates whether the image has public launch permissions. The value is true if this image has public launch permissions or false if it has only implicit and explicit launch permissions.
ProductCodes (list) --
Any product codes associated with the AMI.
(dict) --
Describes a product code.
ProductCodeId (string) --
The product code.
ProductCodeType (string) --
The type of product code.
Architecture (string) --
The architecture of the image.
ImageType (string) --
The type of image.
KernelId (string) --
The kernel associated with the image, if any. Only applicable for machine images.
RamdiskId (string) --
The RAM disk associated with the image, if any. Only applicable for machine images.
Platform (string) --
This value is set to windows for Windows AMIs; otherwise, it is blank.
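The ImageAllowed field, the image-allowed filter and the NextToken pagination above are what an account-level AMI audit is built from. The following is an added example, not code from the boto3 changelog or from AWS: it walks a paginated describe_images result, flags available images that are not allowed (audit-mode), that still permit IMDSv1 (ImdsSupport not v2.0), or whose root EBS volume is unencrypted, and then resolves an Owner tag for each flagged image through describe_tags using the same AND-across-filters, OR-across-values semantics the filter descriptions give. FakeEC2Client, SAMPLE_IMAGES, SAMPLE_TAGS and the issue labels are constructed for this example so it runs offline; in real use, pass boto3.client("ec2") in place of the fake. The fake models only the filters it names and scopes nothing by Owners or ExecutableUsers.

```python
"""Audit visible AMIs using the ImageAllowed field that DescribeImages now returns.
Added example, not code from the boto3 changelog: a constructed in-memory client
stands in for boto3.client("ec2") so the audit runs offline."""
from typing import Any, Dict, Iterator, List, Optional

# Constructed sample data, shaped like the DescribeImages / DescribeTags responses.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000001", "OwnerId": "111111111111", "State": "available",
     "ImageAllowed": True, "ImdsSupport": "v2.0", "RootDeviceName": "/dev/xvda",
     "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True}}]},
    {"ImageId": "ami-0000000000000002", "OwnerId": "222222222222", "State": "available",
     "ImageAllowed": False, "RootDeviceName": "/dev/sda1",
     "BlockDeviceMappings": [{"DeviceName": "/dev/sda1", "Ebs": {"Encrypted": False}}]},
    {"ImageId": "ami-0000000000000003", "OwnerId": "111111111111", "State": "available",
     "ImageAllowed": True, "RootDeviceName": "/dev/sda1",
     "BlockDeviceMappings": [{"DeviceName": "/dev/sda1", "Ebs": {"Encrypted": False}}]},
    {"ImageId": "ami-0000000000000004", "OwnerId": "111111111111", "State": "pending",
     "ImageAllowed": True, "RootDeviceName": "/dev/sda1", "BlockDeviceMappings": []},
]
SAMPLE_TAGS = [
    {"Key": "Owner", "Value": "TeamA", "ResourceId": "ami-0000000000000001", "ResourceType": "image"},
    {"Key": "Owner", "Value": "TeamA", "ResourceId": "ami-0000000000000002", "ResourceType": "image"},
    {"Key": "Owner", "Value": "TeamB", "ResourceId": "ami-0000000000000003", "ResourceType": "image"},
]
# Filter name -> response field, for the subset of filters this fake understands.
IMAGE_FILTER_FIELDS = {"image-allowed": "ImageAllowed", "image-id": "ImageId",
                       "owner-id": "OwnerId", "state": "State"}
TAG_FILTER_FIELDS = {"key": "Key", "value": "Value",
                     "resource-id": "ResourceId", "resource-type": "ResourceType"}

def _matches(item: Dict[str, Any], filters: List[Dict[str, Any]], fields: Dict[str, str]) -> bool:
    """EC2 filter semantics: AND across filters, OR across the values of one filter."""
    for flt in filters:
        field = fields.get(flt["Name"])
        if field is None:
            raise ValueError(f"filter not modelled by this fake: {flt['Name']!r}")
        actual = item.get(field)
        if isinstance(actual, bool):          # Boolean filters are matched as "true"/"false"
            actual = "true" if actual else "false"
        if actual not in flt["Values"]:
            return False
    return True

def _page(key: str, items: List[Dict[str, Any]], kwargs: Dict[str, Any], size: int) -> Dict[str, Any]:
    """Return one page of results, plus a NextToken while more items remain."""
    start = int(kwargs.get("NextToken") or 0)
    size = int(kwargs.get("MaxResults") or size)
    resp: Dict[str, Any] = {key: items[start:start + size]}
    if start + size < len(items):
        resp["NextToken"] = str(start + size)
    return resp

class FakeEC2Client:
    """Hypothetical stand-in for boto3's EC2 client, covering only the two calls used here."""
    def __init__(self, images, tags, page_size: int = 2):
        self._images, self._tags, self._page_size = images, tags, page_size
    def describe_images(self, **kwargs: Any) -> Dict[str, Any]:
        items = [i for i in self._images if _matches(i, kwargs.get("Filters", []), IMAGE_FILTER_FIELDS)]
        return _page("Images", items, kwargs, self._page_size)
    def describe_tags(self, **kwargs: Any) -> Dict[str, Any]:
        items = [t for t in self._tags if _matches(t, kwargs.get("Filters", []), TAG_FILTER_FIELDS)]
        return _page("Tags", items, kwargs, self._page_size)

def paginate(call, key: str, **kwargs: Any) -> Iterator[Dict[str, Any]]:
    """Follow NextToken until the service stops returning one."""
    token: Optional[str] = None
    while True:
        resp = call(**kwargs, NextToken=token) if token else call(**kwargs)
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return

def audit_images(client) -> List[Dict[str, Any]]:
    """One finding per available image that fails a baseline check. ImageAllowed is False
    only in audit-mode; once Allowed AMIs is enforced such images are not returned at all."""
    findings = []
    for img in paginate(client.describe_images, "Images",
                        Filters=[{"Name": "state", "Values": ["available"]}]):
        issues = []
        if img.get("ImageAllowed") is False:
            issues.append("not-allowed")
        if img.get("ImdsSupport") != "v2.0":  # instances launched from it would still accept IMDSv1
            issues.append("imds-v1-permitted")
        root = next((m for m in img.get("BlockDeviceMappings", [])
                     if m.get("DeviceName") == img.get("RootDeviceName")), {})
        if not root.get("Ebs", {}).get("Encrypted"):
            issues.append("root-unencrypted")
        if issues:
            findings.append({"ImageId": img["ImageId"], "OwnerId": img["OwnerId"], "Issues": issues})
    return findings

def tag_owners(client, image_ids: List[str]) -> Dict[str, str]:
    """Resolve the Owner tag of the flagged images with one filtered DescribeTags query."""
    filters = [{"Name": "resource-type", "Values": ["image"]},
               {"Name": "resource-id", "Values": list(image_ids)},  # OR across the IDs
               {"Name": "key", "Values": ["Owner"]}]
    return {t["ResourceId"]: t["Value"]
            for t in paginate(client.describe_tags, "Tags", Filters=filters)}
```

Two points worth keeping in mind when running this against a real account: with Allowed AMIs set to enabled rather than audit-mode, disallowed images are simply absent from describe_images, so a report with no "not-allowed" findings says nothing about the images that were filtered out; and since pagination is driven by NextToken, any audit that stops after the first page silently under-reports, which is why the generator above refuses to stop until the token is gone.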
{'InstanceImageMetadata': {'ImageMetadata': {'ImageAllowed': 'boolean'}, 'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}
{'InstanceTypeOfferings': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}
{'InstanceTypes': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}
Response
{'InstanceTypes': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}
{'Reservations': {'Instances': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}}
{'LaunchTemplateVersions': {'LaunchTemplateData': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}, 'TagSpecifications': {'ResourceType': {'declarative-policies-report', 'verified-access-endpoint-target'}}}}}
{'ReservedInstances': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}
{'ReservedInstancesModifications': {'ModificationResults': {'TargetConfiguration': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}}}
{'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}
Response
{'ReservedInstancesOfferings': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}
{'SpotFleetRequestConfigs': {'SpotFleetRequestConfig': {'LaunchSpecifications': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}, 'TagSpecifications': {'ResourceType': {'declarative-policies-report', 'verified-access-endpoint-target'}}}, 'LaunchTemplateConfigs': {'Overrides': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}, 'TagSpecifications': {'ResourceType': {'declarative-policies-report', 'verified-access-endpoint-target'}}}}}
{'SpotInstanceRequests': {'LaunchSpecification': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}}
{'InstanceTypes': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}
Response
{'SpotPriceHistory': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}
{'Tags': {'ResourceType': {'declarative-policies-report', 'verified-access-endpoint-target'}}}
Describes the specified tags for your EC2 resources.
For more information about tags, see Tag your Amazon EC2 resources in the Amazon Elastic Compute Cloud User Guide.
See also: AWS API Documentation
Request Syntax
client.describe_tags( DryRun=True|False, Filters=[ { 'Name': 'string', 'Values': [ 'string', ] }, ], MaxResults=123, NextToken='string' )
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
Filters (list) --
The filters.
key - The tag key.
resource-id - The ID of the resource.
resource-type - The resource type. For a list of possible values, see TagSpecification.
tag:<key> - The key/value combination of the tag. For example, specify "tag:Owner" for the filter name and "TeamA" for the filter value to find resources with the tag "Owner=TeamA".
value - The tag value.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
integer
The maximum number of items to return for this request. This value can be between 5 and 1000. To get the next page of items, make another request with the token returned in the output. For more information, see Pagination.
string
The token returned from a previous paginated request. Pagination continues from the end of the items returned by the previous request.
dict
Response Syntax
{ 'NextToken': 'string', 'Tags': [ { 'Key': 'string', 'ResourceId': 'string', 'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token', 'Value': 'string' }, ] }
Response Structure
(dict) --
NextToken (string) --
The token to include in another request to get the next page of items. This value is null when there are no more items to return.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The tag key.
ResourceId (string) --
The ID of the resource.
ResourceType (string) --
The resource type.
Value (string) --
The tag value.
{'VerifiedAccessEndpoints': {'CidrOptions': {'Cidr': 'string', 'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': 'http | https | tcp', 'SubnetIds': ['string']}, 'EndpointType': {'cidr', 'rds'}, 'LoadBalancerOptions': {'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': {'tcp'}}, 'NetworkInterfaceOptions': {'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': {'tcp'}}, 'RdsOptions': {'Port': 'integer', 'Protocol': 'http | https | tcp', 'RdsDbClusterArn': 'string', 'RdsDbInstanceArn': 'string', 'RdsDbProxyArn': 'string', 'RdsEndpoint': 'string', 'SubnetIds': ['string']}}}
Describes the specified Amazon Web Services Verified Access endpoints.
See also: AWS API Documentation
Request Syntax
client.describe_verified_access_endpoints( VerifiedAccessEndpointIds=[ 'string', ], VerifiedAccessInstanceId='string', VerifiedAccessGroupId='string', MaxResults=123, NextToken='string', Filters=[ { 'Name': 'string', 'Values': [ 'string', ] }, ], DryRun=True|False )
list
The ID of the Verified Access endpoint.
(string) --
string
The ID of the Verified Access instance.
string
The ID of the Verified Access group.
integer
The maximum number of results to return with a single call. To retrieve the remaining results, make another call with the returned nextToken value.
string
The token for the next page of results.
list
One or more filters. Filter names and values are case-sensitive.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{ 'VerifiedAccessEndpoints': [ { 'VerifiedAccessInstanceId': 'string', 'VerifiedAccessGroupId': 'string', 'VerifiedAccessEndpointId': 'string', 'ApplicationDomain': 'string', 'EndpointType': 'load-balancer'|'network-interface'|'rds'|'cidr', 'AttachmentType': 'vpc', 'DomainCertificateArn': 'string', 'EndpointDomain': 'string', 'DeviceValidationDomain': 'string', 'SecurityGroupIds': [ 'string', ], 'LoadBalancerOptions': { 'Protocol': 'http'|'https'|'tcp', 'Port': 123, 'LoadBalancerArn': 'string', 'SubnetIds': [ 'string', ], 'PortRanges': [ { 'FromPort': 123, 'ToPort': 123 }, ] }, 'NetworkInterfaceOptions': { 'NetworkInterfaceId': 'string', 'Protocol': 'http'|'https'|'tcp', 'Port': 123, 'PortRanges': [ { 'FromPort': 123, 'ToPort': 123 }, ] }, 'Status': { 'Code': 'pending'|'active'|'updating'|'deleting'|'deleted', 'Message': 'string' }, 'Description': 'string', 'CreationTime': 'string', 'LastUpdatedTime': 'string', 'DeletionTime': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'SseSpecification': { 'CustomerManagedKeyEnabled': True|False, 'KmsKeyArn': 'string' }, 'RdsOptions': { 'Protocol': 'http'|'https'|'tcp', 'Port': 123, 'RdsDbInstanceArn': 'string', 'RdsDbClusterArn': 'string', 'RdsDbProxyArn': 'string', 'RdsEndpoint': 'string', 'SubnetIds': [ 'string', ] }, 'CidrOptions': { 'Cidr': 'string', 'PortRanges': [ { 'FromPort': 123, 'ToPort': 123 }, ], 'Protocol': 'http'|'https'|'tcp', 'SubnetIds': [ 'string', ] } }, ], 'NextToken': 'string' }
Response Structure
(dict) --
VerifiedAccessEndpoints (list) --
Details about the Verified Access endpoints.
(dict) --
An Amazon Web Services Verified Access endpoint specifies the application that Amazon Web Services Verified Access provides access to. It must be attached to an Amazon Web Services Verified Access group. An Amazon Web Services Verified Access endpoint must also have an attached access policy before you attach it to a group.
VerifiedAccessInstanceId (string) --
The ID of the Amazon Web Services Verified Access instance.
VerifiedAccessGroupId (string) --
The ID of the Amazon Web Services Verified Access group.
VerifiedAccessEndpointId (string) --
The ID of the Amazon Web Services Verified Access endpoint.
ApplicationDomain (string) --
The DNS name for users to reach your application.
EndpointType (string) --
The type of Amazon Web Services Verified Access endpoint. Incoming application requests are sent to an IP address, a load balancer, or a network interface, depending on the endpoint type specified.
AttachmentType (string) --
The type of attachment used to provide connectivity between the Amazon Web Services Verified Access endpoint and the application.
DomainCertificateArn (string) --
The ARN of a public TLS/SSL certificate imported into or created with ACM.
EndpointDomain (string) --
A DNS name that is generated for the endpoint.
DeviceValidationDomain (string) --
Returned if the endpoint has a device trust provider attached.
SecurityGroupIds (list) --
The IDs of the security groups for the endpoint.
(string) --
LoadBalancerOptions (dict) --
The load balancer details if the Amazon Web Services Verified Access endpoint is created as the load-balancer type.
Protocol (string) --
The IP protocol.
Port (integer) --
The IP port number.
LoadBalancerArn (string) --
The ARN of the load balancer.
SubnetIds (list) --
The IDs of the subnets.
(string) --
PortRanges (list) --
The port ranges.
(dict) --
Describes a port range.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
NetworkInterfaceOptions (dict) --
The options for a network-interface type endpoint.
NetworkInterfaceId (string) --
The ID of the network interface.
Protocol (string) --
The IP protocol.
Port (integer) --
The IP port number.
PortRanges (list) --
The port ranges.
(dict) --
Describes a port range.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
Status (dict) --
The endpoint status.
Code (string) --
The status code of the Verified Access endpoint.
Message (string) --
The status message of the Verified Access endpoint.
Description (string) --
A description for the Amazon Web Services Verified Access endpoint.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
DeletionTime (string) --
The deletion time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
SseSpecification (dict) --
The options in use for server side encryption.
CustomerManagedKeyEnabled (boolean) --
Indicates whether customer managed KMS keys are in use for server side encryption.
Valid values: True | False
KmsKeyArn (string) --
The ARN of the KMS key.
RdsOptions (dict) --
The options for an RDS endpoint.
Protocol (string) --
The protocol.
Port (integer) --
The port.
RdsDbInstanceArn (string) --
The ARN of the RDS instance.
RdsDbClusterArn (string) --
The ARN of the DB cluster.
RdsDbProxyArn (string) --
The ARN of the RDS proxy.
RdsEndpoint (string) --
The RDS endpoint.
SubnetIds (list) --
The IDs of the subnets.
(string) --
CidrOptions (dict) --
The options for a CIDR endpoint.
Cidr (string) --
The CIDR.
PortRanges (list) --
The port ranges.
(dict) --
Describes a port range.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
Protocol (string) --
The protocol.
SubnetIds (list) --
The IDs of the subnets.
(string) --
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
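As an added example (not code from the boto3 documentation or from AWS), the following Python audits the describe_verified_access_endpoints response shape documented above: it follows NextToken across pages and flags the settings that warrant review now that tcp and cidr endpoint types exist (non-HTTP protocol, CIDR-wide exposure, wide port ranges, and server-side encryption without a customer managed KMS key). The `describe` callable, the `MAX_EXPOSED_PORTS` threshold, the `fake_describe` test double and every ID in it are assumptions made for the example; with a live client, pass `boto3.client("ec2").describe_verified_access_endpoints` instead.

```python
"""Audit Verified Access endpoints returned by describe_verified_access_endpoints.

Added example, not code from boto3 or AWS. It walks the paginated response
shape (VerifiedAccessEndpoints / NextToken) and flags settings a reviewer
would want to see after the non-HTTP (tcp) and cidr endpoint types were added.
"""
from typing import Callable, Dict, Iterator, List, Optional

# Ports one endpoint may expose before it is flagged. Assumption for the
# example, not an AWS default.
MAX_EXPOSED_PORTS = 16


def iter_verified_access_endpoints(describe: Callable[..., dict], **kwargs) -> Iterator[dict]:
    """Follow NextToken until the service returns no more pages.

    `describe` is any callable with the describe_verified_access_endpoints
    signature: a boto3 EC2 client's bound method or a test double.
    """
    token: Optional[str] = None
    while True:
        params = dict(kwargs)
        if token:
            params["NextToken"] = token
        page = describe(**params)
        yield from page.get("VerifiedAccessEndpoints", [])
        token = page.get("NextToken")
        if not token:
            return


def _exposed_ports(options: dict) -> int:
    """Count ports covered by PortRanges, falling back to the single Port."""
    ranges = options.get("PortRanges") or []
    if ranges:
        return sum(r["ToPort"] - r["FromPort"] + 1 for r in ranges)
    return 1 if "Port" in options else 0


def audit_endpoint(ep: dict) -> List[str]:
    """Return findings for one endpoint; an empty list means nothing to review."""
    findings: List[str] = []
    etype = ep.get("EndpointType")
    option_key = {
        "load-balancer": "LoadBalancerOptions",
        "network-interface": "NetworkInterfaceOptions",
        "rds": "RdsOptions",
        "cidr": "CidrOptions",
    }.get(etype)
    options = ep.get(option_key, {}) if option_key else {}

    if options.get("Protocol") == "tcp":
        findings.append(f"non-HTTP (tcp) endpoint of type {etype}: review port ranges and access policy")
    if etype == "cidr":
        findings.append(f"cidr endpoint exposes {options.get('Cidr')} rather than a single application")
    ports = _exposed_ports(options)
    if ports > MAX_EXPOSED_PORTS:
        findings.append(f"{ports} ports exposed (threshold {MAX_EXPOSED_PORTS})")
    if not ep.get("SseSpecification", {}).get("CustomerManagedKeyEnabled"):
        findings.append("server-side encryption does not use a customer managed KMS key")
    return findings


def audit_endpoints(describe: Callable[..., dict], **kwargs) -> Dict[str, List[str]]:
    """Map endpoint ID to its findings, keeping only endpoints that have any."""
    report: Dict[str, List[str]] = {}
    for ep in iter_verified_access_endpoints(describe, **kwargs):
        findings = audit_endpoint(ep)
        if findings:
            report[ep["VerifiedAccessEndpointId"]] = findings
    return report


# Constructed two-page response used as a test double (all IDs are made up).
_PAGES = [
    {"VerifiedAccessEndpoints": [
        {"VerifiedAccessEndpointId": "vae-0example0001", "EndpointType": "load-balancer",
         "LoadBalancerOptions": {"Protocol": "https", "Port": 443},
         "SseSpecification": {"CustomerManagedKeyEnabled": True, "KmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/example"}},
        {"VerifiedAccessEndpointId": "vae-0example0002", "EndpointType": "cidr",
         "CidrOptions": {"Cidr": "10.0.0.0/24", "Protocol": "tcp",
                         "PortRanges": [{"FromPort": 1, "ToPort": 1024}]},
         "SseSpecification": {"CustomerManagedKeyEnabled": False}},
    ], "NextToken": "page-2"},
    {"VerifiedAccessEndpoints": [
        {"VerifiedAccessEndpointId": "vae-0example0003", "EndpointType": "network-interface",
         "NetworkInterfaceOptions": {"Protocol": "tcp", "Port": 22},
         "SseSpecification": {"CustomerManagedKeyEnabled": True}},
    ]},
]


def fake_describe(**kwargs) -> dict:
    """Test double with the describe_verified_access_endpoints call shape."""
    return _PAGES[1] if kwargs.get("NextToken") == "page-2" else _PAGES[0]


if __name__ == "__main__":
    for endpoint_id, findings in audit_endpoints(fake_describe).items():
        print(endpoint_id)
        for finding in findings:
            print("  -", finding)
```

The same loop also accepts the request filters documented above, for example `audit_endpoints(client.describe_verified_access_endpoints, VerifiedAccessInstanceId="vai-...")` to scope the audit to one instance.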
{'VerifiedAccessInstances': {'CidrEndpointsCustomSubDomain': {'Nameservers': ['string'], 'SubDomain': 'string'}}}
Describes the specified Amazon Web Services Verified Access instances.
See also: AWS API Documentation
Request Syntax
client.describe_verified_access_instances( VerifiedAccessInstanceIds=[ 'string', ], MaxResults=123, NextToken='string', Filters=[ { 'Name': 'string', 'Values': [ 'string', ] }, ], DryRun=True|False )
list
The IDs of the Verified Access instances.
(string) --
integer
The maximum number of results to return with a single call. To retrieve the remaining results, make another call with the returned nextToken value.
string
The token for the next page of results.
list
One or more filters. Filter names and values are case-sensitive.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{ 'VerifiedAccessInstances': [ { 'VerifiedAccessInstanceId': 'string', 'Description': 'string', 'VerifiedAccessTrustProviders': [ { 'VerifiedAccessTrustProviderId': 'string', 'Description': 'string', 'TrustProviderType': 'user'|'device', 'UserTrustProviderType': 'iam-identity-center'|'oidc', 'DeviceTrustProviderType': 'jamf'|'crowdstrike'|'jumpcloud' }, ], 'CreationTime': 'string', 'LastUpdatedTime': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'FipsEnabled': True|False, 'CidrEndpointsCustomSubDomain': { 'SubDomain': 'string', 'Nameservers': [ 'string', ] } }, ], 'NextToken': 'string' }
Response Structure
(dict) --
VerifiedAccessInstances (list) --
Details about the Verified Access instances.
(dict) --
Describes a Verified Access instance.
VerifiedAccessInstanceId (string) --
The ID of the Amazon Web Services Verified Access instance.
Description (string) --
A description for the Amazon Web Services Verified Access instance.
VerifiedAccessTrustProviders (list) --
The IDs of the Amazon Web Services Verified Access trust providers.
(dict) --
Condensed information about a trust provider.
VerifiedAccessTrustProviderId (string) --
The ID of the trust provider.
Description (string) --
The description of the trust provider.
TrustProviderType (string) --
The type of trust provider (user- or device-based).
UserTrustProviderType (string) --
The type of user-based trust provider.
DeviceTrustProviderType (string) --
The type of device-based trust provider.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
FipsEnabled (boolean) --
Indicates whether support for Federal Information Processing Standards (FIPS) is enabled on the instance.
CidrEndpointsCustomSubDomain (dict) --
The custom subdomain.
SubDomain (string) --
The subdomain.
Nameservers (list) --
The name servers.
(string) --
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
{'VerifiedAccessTrustProviders': {'NativeApplicationOidcOptions': {'AuthorizationEndpoint': 'string', 'ClientId': 'string', 'Issuer': 'string', 'PublicSigningKeyEndpoint': 'string', 'Scope': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string'}}}
Describes the specified Amazon Web Services Verified Access trust providers.
See also: AWS API Documentation
Request Syntax
client.describe_verified_access_trust_providers( VerifiedAccessTrustProviderIds=[ 'string', ], MaxResults=123, NextToken='string', Filters=[ { 'Name': 'string', 'Values': [ 'string', ] }, ], DryRun=True|False )
list
The IDs of the Verified Access trust providers.
(string) --
integer
The maximum number of results to return with a single call. To retrieve the remaining results, make another call with the returned nextToken value.
string
The token for the next page of results.
list
One or more filters. Filter names and values are case-sensitive.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{ 'VerifiedAccessTrustProviders': [ { 'VerifiedAccessTrustProviderId': 'string', 'Description': 'string', 'TrustProviderType': 'user'|'device', 'UserTrustProviderType': 'iam-identity-center'|'oidc', 'DeviceTrustProviderType': 'jamf'|'crowdstrike'|'jumpcloud', 'OidcOptions': { 'Issuer': 'string', 'AuthorizationEndpoint': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string', 'ClientId': 'string', 'ClientSecret': 'string', 'Scope': 'string' }, 'DeviceOptions': { 'TenantId': 'string', 'PublicSigningKeyUrl': 'string' }, 'PolicyReferenceName': 'string', 'CreationTime': 'string', 'LastUpdatedTime': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'SseSpecification': { 'CustomerManagedKeyEnabled': True|False, 'KmsKeyArn': 'string' }, 'NativeApplicationOidcOptions': { 'PublicSigningKeyEndpoint': 'string', 'Issuer': 'string', 'AuthorizationEndpoint': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string', 'ClientId': 'string', 'Scope': 'string' } }, ], 'NextToken': 'string' }
Response Structure
(dict) --
VerifiedAccessTrustProviders (list) --
Details about the Verified Access trust providers.
(dict) --
Describes a Verified Access trust provider.
VerifiedAccessTrustProviderId (string) --
The ID of the Amazon Web Services Verified Access trust provider.
Description (string) --
A description for the Amazon Web Services Verified Access trust provider.
TrustProviderType (string) --
The type of Verified Access trust provider.
UserTrustProviderType (string) --
The type of user-based trust provider.
DeviceTrustProviderType (string) --
The type of device-based trust provider.
OidcOptions (dict) --
The options for an OpenID Connect-compatible user-identity trust provider.
Issuer (string) --
The OIDC issuer.
AuthorizationEndpoint (string) --
The OIDC authorization endpoint.
TokenEndpoint (string) --
The OIDC token endpoint.
UserInfoEndpoint (string) --
The OIDC user info endpoint.
ClientId (string) --
The client identifier.
ClientSecret (string) --
The client secret.
Scope (string) --
The OpenID Connect (OIDC) scope specified.
DeviceOptions (dict) --
The options for a device-identity trust provider.
TenantId (string) --
The ID of the tenant application with the device-identity provider.
PublicSigningKeyUrl (string) --
The URL Amazon Web Services Verified Access will use to verify the authenticity of the device tokens.
PolicyReferenceName (string) --
The identifier to be used when working with policy rules.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
SseSpecification (dict) --
The options in use for server side encryption.
CustomerManagedKeyEnabled (boolean) --
Indicates whether customer managed KMS keys are in use for server side encryption.
Valid values: True | False
KmsKeyArn (string) --
The ARN of the KMS key.
NativeApplicationOidcOptions (dict) --
The OpenID Connect (OIDC) options.
PublicSigningKeyEndpoint (string) --
The public signing key endpoint.
Issuer (string) --
The OIDC issuer identifier of the IdP.
AuthorizationEndpoint (string) --
The authorization endpoint of the IdP.
TokenEndpoint (string) --
The token endpoint of the IdP.
UserInfoEndpoint (string) --
The user info endpoint of the IdP.
ClientId (string) --
The OAuth 2.0 client identifier.
Scope (string) --
The set of user claims to be requested from the IdP.
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
{'VpcBlockPublicAccessOptions': {'ExclusionsAllowed': 'allowed | not-allowed', 'ManagedBy': 'account | declarative-policy'}}
Describe VPC Block Public Access (BPA) options. VPC Block Public Access (BPA) enables you to block resources in VPCs and subnets that you own in a Region from reaching or being reached from the internet through internet gateways and egress-only internet gateways. To learn more about VPC BPA, see Block public access to VPCs and subnets in the Amazon VPC User Guide.
See also: AWS API Documentation
Request Syntax
client.describe_vpc_block_public_access_options( DryRun=True|False )
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{ 'VpcBlockPublicAccessOptions': { 'AwsAccountId': 'string', 'AwsRegion': 'string', 'State': 'default-state'|'update-in-progress'|'update-complete', 'InternetGatewayBlockMode': 'off'|'block-bidirectional'|'block-ingress', 'Reason': 'string', 'LastUpdateTimestamp': datetime(2015, 1, 1), 'ManagedBy': 'account'|'declarative-policy', 'ExclusionsAllowed': 'allowed'|'not-allowed' } }
Response Structure
(dict) --
VpcBlockPublicAccessOptions (dict) --
Details related to the options.
AwsAccountId (string) --
An Amazon Web Services account ID.
AwsRegion (string) --
An Amazon Web Services Region.
State (string) --
The current state of VPC BPA.
InternetGatewayBlockMode (string) --
The current mode of VPC BPA.
off: VPC BPA is not enabled and traffic is allowed to and from internet gateways and egress-only internet gateways in this Region.
block-bidirectional: Block all traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets).
block-ingress: Block all internet traffic to the VPCs in this Region (except for VPCs or subnets which are excluded). Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
Reason (string) --
The reason for the current state.
LastUpdateTimestamp (datetime) --
The last time the VPC BPA mode was updated.
ManagedBy (string) --
The entity that manages the state of VPC BPA. Possible values include:
account - The state is managed by the account.
declarative-policy - The state is managed by a declarative policy and can't be modified by the account.
ExclusionsAllowed (string) --
Indicates whether exclusions are allowed. If you have enabled VPC BPA at the Organization level, exclusions may be not-allowed. Otherwise, they are allowed.
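As an added example (not code from the boto3 documentation or from AWS), the following Python interprets one describe_vpc_block_public_access_options response per Region against a required baseline, using the InternetGatewayBlockMode, ManagedBy and ExclusionsAllowed values documented above. The `REQUIRED_MODE` baseline, the sample responses and the account ID are assumptions made for the example; ModifyVpcBlockPublicAccessOptions is the EC2 operation that changes the mode in an account.

```python
"""Assess VPC Block Public Access posture from describe_vpc_block_public_access_options.

Added example, not code from boto3 or AWS. REQUIRED_MODE and SAMPLE_RESPONSES
are assumptions made for the example.
"""
from typing import Dict, List, Optional

# Baseline every Region is expected to meet. Assumption for the example.
REQUIRED_MODE = "block-bidirectional"

# Ordered from least to most restrictive so drift can be compared.
_MODE_RANK = {"off": 0, "block-ingress": 1, "block-bidirectional": 2}


def assess_vpc_bpa(response: dict, required_mode: str = REQUIRED_MODE) -> Dict[str, object]:
    """Summarise one Region's VPC BPA posture.

    Reports the observed mode, whether it meets the baseline, who controls it
    (account vs declarative policy), whether exclusions can be created, and the
    remediation path a responder would take.
    """
    opts = response["VpcBlockPublicAccessOptions"]
    mode = opts["InternetGatewayBlockMode"]
    managed_by = opts.get("ManagedBy", "account")
    compliant = _MODE_RANK.get(mode, 0) >= _MODE_RANK[required_mode]

    findings: List[str] = []
    if not compliant:
        findings.append(f"mode is {mode}, baseline requires {required_mode}")
    if opts.get("State") == "update-in-progress":
        findings.append("BPA update still in progress; re-check before relying on it")
    if managed_by == "account":
        findings.append("account-managed: a principal allowed ec2:ModifyVpcBlockPublicAccessOptions can weaken it")
    if opts.get("ExclusionsAllowed") == "allowed":
        findings.append("exclusions allowed: individual VPCs and subnets can opt out; review them")

    remediation: Optional[str]
    if compliant:
        remediation = None
    elif managed_by == "declarative-policy":
        remediation = "change the declarative policy in Organizations; the account cannot modify the mode"
    else:
        remediation = "call ModifyVpcBlockPublicAccessOptions in the account, or attach a declarative policy to lock the mode"

    return {
        "account": opts.get("AwsAccountId"),
        "region": opts.get("AwsRegion"),
        "mode": mode,
        "compliant": compliant,
        "managed_by": managed_by,
        "remediation": remediation,
        "findings": findings,
    }


def assess_regions(responses: List[dict]) -> Dict[str, Dict[str, object]]:
    """Assess several Regions' responses and index the results by Region."""
    return {r["VpcBlockPublicAccessOptions"]["AwsRegion"]: assess_vpc_bpa(r) for r in responses}


# Constructed sample responses; the account ID is a placeholder.
SAMPLE_RESPONSES = [
    {"VpcBlockPublicAccessOptions": {
        "AwsAccountId": "111122223333", "AwsRegion": "us-east-1",
        "State": "update-complete", "InternetGatewayBlockMode": "block-bidirectional",
        "Reason": "", "ManagedBy": "declarative-policy", "ExclusionsAllowed": "not-allowed"}},
    {"VpcBlockPublicAccessOptions": {
        "AwsAccountId": "111122223333", "AwsRegion": "eu-west-1",
        "State": "default-state", "InternetGatewayBlockMode": "off",
        "Reason": "", "ManagedBy": "account", "ExclusionsAllowed": "allowed"}},
    {"VpcBlockPublicAccessOptions": {
        "AwsAccountId": "111122223333", "AwsRegion": "ap-southeast-2",
        "State": "update-complete", "InternetGatewayBlockMode": "block-ingress",
        "Reason": "", "ManagedBy": "declarative-policy", "ExclusionsAllowed": "not-allowed"}},
]

if __name__ == "__main__":
    # With a live client, collect one response per Region:
    #   boto3.client("ec2", region_name=r).describe_vpc_block_public_access_options()
    for region, result in assess_regions(SAMPLE_RESPONSES).items():
        status = "compliant" if result["compliant"] else "DRIFT"
        print(region, status, result["mode"], result["managed_by"])
        for finding in result["findings"]:
            print("  -", finding)
```

The ManagedBy distinction drives the remediation: where the value is declarative-policy, the mode is locked from inside the account and the fix belongs in the Organizations policy; where it is account, the account can fix it but can also undo it, so the finding remains worth tracking.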
{'VpcEndpointConnections': {'VpcEndpointState': {'Partial'}}}
Describes the VPC endpoint connections to your VPC endpoint services, including any endpoints that are pending your acceptance.
See also: AWS API Documentation
Request Syntax
client.describe_vpc_endpoint_connections( DryRun=True|False, Filters=[ { 'Name': 'string', 'Values': [ 'string', ] }, ], MaxResults=123, NextToken='string' )
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
list
The filters.
ip-address-type - The IP address type (ipv4 | ipv6).
service-id - The ID of the service.
vpc-endpoint-owner - The ID of the Amazon Web Services account that owns the endpoint.
vpc-endpoint-region - The Region of the endpoint or cross-region to find endpoints for other Regions.
vpc-endpoint-state - The state of the endpoint (pendingAcceptance | pending | available | deleting | deleted | rejected | failed).
vpc-endpoint-id - The ID of the endpoint.
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
integer
The maximum number of results to return for the request in a single page. The remaining results of the initial request can be seen by sending another request with the returned NextToken value. This value can be between 5 and 1,000; if MaxResults is given a value larger than 1,000, only 1,000 results are returned.
string
The token to retrieve the next page of results.
dict
Response Syntax
{ 'VpcEndpointConnections': [ { 'ServiceId': 'string', 'VpcEndpointId': 'string', 'VpcEndpointOwner': 'string', 'VpcEndpointState': 'PendingAcceptance'|'Pending'|'Available'|'Deleting'|'Deleted'|'Rejected'|'Failed'|'Expired'|'Partial', 'CreationTimestamp': datetime(2015, 1, 1), 'DnsEntries': [ { 'DnsName': 'string', 'HostedZoneId': 'string' }, ], 'NetworkLoadBalancerArns': [ 'string', ], 'GatewayLoadBalancerArns': [ 'string', ], 'IpAddressType': 'ipv4'|'dualstack'|'ipv6', 'VpcEndpointConnectionId': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'VpcEndpointRegion': 'string' }, ], 'NextToken': 'string' }
Response Structure
(dict) --
VpcEndpointConnections (list) --
Information about the VPC endpoint connections.
(dict) --
Describes a VPC endpoint connection to a service.
ServiceId (string) --
The ID of the service to which the endpoint is connected.
VpcEndpointId (string) --
The ID of the VPC endpoint.
VpcEndpointOwner (string) --
The ID of the Amazon Web Services account that owns the VPC endpoint.
VpcEndpointState (string) --
The state of the VPC endpoint.
CreationTimestamp (datetime) --
The date and time that the VPC endpoint was created.
DnsEntries (list) --
The DNS entries for the VPC endpoint.
(dict) --
Describes a DNS entry.
DnsName (string) --
The DNS name.
HostedZoneId (string) --
The ID of the private hosted zone.
NetworkLoadBalancerArns (list) --
The Amazon Resource Names (ARNs) of the network load balancers for the service.
(string) --
GatewayLoadBalancerArns (list) --
The Amazon Resource Names (ARNs) of the Gateway Load Balancers for the service.
(string) --
IpAddressType (string) --
The IP address type for the endpoint.
VpcEndpointConnectionId (string) --
The ID of the VPC endpoint connection.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
VpcEndpointRegion (string) --
The Region of the endpoint.
NextToken (string) --
The token to use to retrieve the next page of results. This value is null when there are no more results to return.
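As an added example (not code from the boto3 documentation or from AWS), the following Python reviews the consumers of an endpoint service from the describe_vpc_endpoint_connections response shape documented above: it counts connections per state (including the new Partial state), lists connections from accounts outside an allow list or still awaiting acceptance, and lists cross-Region consumers. The allow list, the `service_region` argument, the `fake_describe_connections` test double and every ID in it are assumptions made for the example.

```python
"""Review the consumers of your VPC endpoint services.

Added example, not code from boto3 or AWS. It walks the paginated
describe_vpc_endpoint_connections response and reports which connections the
service owner should act on. ALLOWED_CONSUMER_ACCOUNTS, the service Region and
the sample pages are assumptions made for the example.
"""
from collections import Counter
from typing import Callable, Dict, Iterator, List, Optional, Set

# Accounts permitted to consume the endpoint service (assumption for the example).
ALLOWED_CONSUMER_ACCOUNTS: Set[str] = {"111122223333", "444455556666"}


def iter_vpc_endpoint_connections(describe: Callable[..., dict], **kwargs) -> Iterator[dict]:
    """Yield every connection across pages by following NextToken."""
    token: Optional[str] = None
    while True:
        params = dict(kwargs)
        if token:
            params["NextToken"] = token
        page = describe(**params)
        yield from page.get("VpcEndpointConnections", [])
        token = page.get("NextToken")
        if not token:
            return


def review_connections(describe: Callable[..., dict], service_region: str,
                       allowed: Set[str] = ALLOWED_CONSUMER_ACCOUNTS, **kwargs) -> Dict[str, object]:
    """Count connections per state and list the ones that need a decision.

    A connection is flagged when its owner is not on the allow list or when it
    is still in PendingAcceptance, since acceptance is the service owner's
    control point. Consumers in another Region are listed separately.
    """
    state_counts: Counter = Counter()
    flagged: List[dict] = []
    cross_region: List[str] = []
    for conn in iter_vpc_endpoint_connections(describe, **kwargs):
        state = conn.get("VpcEndpointState")
        state_counts[state] += 1
        owner = conn.get("VpcEndpointOwner")
        reasons: List[str] = []
        if owner not in allowed:
            reasons.append(f"owner account {owner} is not on the allow list")
        if state == "PendingAcceptance":
            reasons.append("connection awaiting acceptance")
        if reasons:
            flagged.append({"VpcEndpointId": conn.get("VpcEndpointId"),
                            "ServiceId": conn.get("ServiceId"),
                            "reasons": reasons})
        region = conn.get("VpcEndpointRegion")
        if region and region != service_region:
            cross_region.append(conn["VpcEndpointId"])
    return {"state_counts": state_counts, "flagged": flagged, "cross_region": cross_region}


# Constructed two-page response used as a test double (all IDs are made up).
_PAGES = [
    {"VpcEndpointConnections": [
        {"ServiceId": "vpce-svc-0example", "VpcEndpointId": "vpce-0example0001",
         "VpcEndpointOwner": "111122223333", "VpcEndpointState": "Available",
         "VpcEndpointRegion": "us-east-1"},
        {"ServiceId": "vpce-svc-0example", "VpcEndpointId": "vpce-0example0002",
         "VpcEndpointOwner": "999999999999", "VpcEndpointState": "PendingAcceptance",
         "VpcEndpointRegion": "us-east-1"},
    ], "NextToken": "page-2"},
    {"VpcEndpointConnections": [
        {"ServiceId": "vpce-svc-0example", "VpcEndpointId": "vpce-0example0003",
         "VpcEndpointOwner": "444455556666", "VpcEndpointState": "Partial",
         "VpcEndpointRegion": "eu-west-1"},
    ]},
]


def fake_describe_connections(**kwargs) -> dict:
    """Test double with the describe_vpc_endpoint_connections call shape."""
    return _PAGES[1] if kwargs.get("NextToken") == "page-2" else _PAGES[0]


if __name__ == "__main__":
    # With a live client:
    #   review_connections(boto3.client("ec2").describe_vpc_endpoint_connections, "us-east-1")
    result = review_connections(fake_describe_connections, service_region="us-east-1")
    print(dict(result["state_counts"]))
    for item in result["flagged"]:
        print(item["VpcEndpointId"], "; ".join(item["reasons"]))
    print("cross-Region consumers:", result["cross_region"])
```

To narrow a live call to the connections that still need a decision, pass the vpc-endpoint-state filter documented above through the keyword arguments, for example `Filters=[{"Name": "vpc-endpoint-state", "Values": ["pendingAcceptance"]}]`.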
{'VpcEndpoints': {'FailureReason': 'string', 'Ipv4Prefixes': [{'IpPrefixes': ['string'], 'SubnetId': 'string'}], 'Ipv6Prefixes': [{'IpPrefixes': ['string'], 'SubnetId': 'string'}], 'ResourceConfigurationArn': 'string', 'ServiceNetworkArn': 'string', 'State': {'Partial'}, 'VpcEndpointType': {'ServiceNetwork', 'Resource'}}}
Describes your VPC endpoints. The default is to describe all your VPC endpoints. Alternatively, you can specify specific VPC endpoint IDs or filter the results to include only the VPC endpoints that match specific criteria.
See also: AWS API Documentation
Request Syntax
client.describe_vpc_endpoints( DryRun=True|False, VpcEndpointIds=[ 'string', ], Filters=[ { 'Name': 'string', 'Values': [ 'string', ] }, ], MaxResults=123, NextToken='string' )
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
list
The IDs of the VPC endpoints.
(string) --
list
The filters.
ip-address-type - The IP address type (ipv4 | ipv6).
service-name - The name of the service.
service-region - The Region of the service.
tag:<key> - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.
tag-key - The key of a tag assigned to the resource. Use this filter to find all resources assigned a tag with a specific key, regardless of the tag value.
vpc-id - The ID of the VPC in which the endpoint resides.
vpc-endpoint-id - The ID of the endpoint.
vpc-endpoint-state - The state of the endpoint (pendingAcceptance | pending | available | deleting | deleted | rejected | failed).
vpc-endpoint-type - The type of VPC endpoint (Interface | Gateway | GatewayLoadBalancer).
(dict) --
A filter name and value pair that is used to return a more specific list of results from a describe operation. Filters can be used to match a set of resources by specific criteria, such as tags, attributes, or IDs.
If you specify multiple filters, the filters are joined with an AND, and the request returns only results that match all of the specified filters.
Name (string) --
The name of the filter. Filter names are case-sensitive.
Values (list) --
The filter values. Filter values are case-sensitive. If you specify multiple values for a filter, the values are joined with an OR, and the request returns all results that match any of the specified values.
(string) --
integer
The maximum number of items to return for this request. The request returns a token that you can specify in a subsequent call to get the next set of results.
Constraint: If the value is greater than 1,000, we return only 1,000 items.
string
The token for the next set of items to return. (You received this token from a prior call.)
dict
Response Syntax
{ 'VpcEndpoints': [ { 'VpcEndpointId': 'string', 'VpcEndpointType': 'Interface'|'Gateway'|'GatewayLoadBalancer'|'Resource'|'ServiceNetwork', 'VpcId': 'string', 'ServiceName': 'string', 'State': 'PendingAcceptance'|'Pending'|'Available'|'Deleting'|'Deleted'|'Rejected'|'Failed'|'Expired'|'Partial', 'PolicyDocument': 'string', 'RouteTableIds': [ 'string', ], 'SubnetIds': [ 'string', ], 'Groups': [ { 'GroupId': 'string', 'GroupName': 'string' }, ], 'IpAddressType': 'ipv4'|'dualstack'|'ipv6', 'DnsOptions': { 'DnsRecordIpType': 'ipv4'|'dualstack'|'ipv6'|'service-defined', 'PrivateDnsOnlyForInboundResolverEndpoint': True|False }, 'PrivateDnsEnabled': True|False, 'RequesterManaged': True|False, 'NetworkInterfaceIds': [ 'string', ], 'DnsEntries': [ { 'DnsName': 'string', 'HostedZoneId': 'string' }, ], 'CreationTimestamp': datetime(2015, 1, 1), 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'OwnerId': 'string', 'LastError': { 'Message': 'string', 'Code': 'string' }, 'Ipv4Prefixes': [ { 'SubnetId': 'string', 'IpPrefixes': [ 'string', ] }, ], 'Ipv6Prefixes': [ { 'SubnetId': 'string', 'IpPrefixes': [ 'string', ] }, ], 'FailureReason': 'string', 'ServiceNetworkArn': 'string', 'ResourceConfigurationArn': 'string', 'ServiceRegion': 'string' }, ], 'NextToken': 'string' }
Response Structure
(dict) --
VpcEndpoints (list) --
Information about the VPC endpoints.
(dict) --
Describes a VPC endpoint.
VpcEndpointId (string) --
The ID of the endpoint.
VpcEndpointType (string) --
The type of endpoint.
VpcId (string) --
The ID of the VPC to which the endpoint is associated.
ServiceName (string) --
The name of the service to which the endpoint is associated.
State (string) --
The state of the endpoint.
PolicyDocument (string) --
The policy document associated with the endpoint, if applicable.
RouteTableIds (list) --
(Gateway endpoint) The IDs of the route tables associated with the endpoint.
(string) --
SubnetIds (list) --
(Interface endpoint) The subnets for the endpoint.
(string) --
Groups (list) --
(Interface endpoint) Information about the security groups that are associated with the network interface.
(dict) --
Describes a security group.
GroupId (string) --
The ID of the security group.
GroupName (string) --
The name of the security group.
IpAddressType (string) --
The IP address type for the endpoint.
DnsOptions (dict) --
The DNS options for the endpoint.
DnsRecordIpType (string) --
The DNS records created for the endpoint.
PrivateDnsOnlyForInboundResolverEndpoint (boolean) --
Indicates whether to enable private DNS only for inbound endpoints.
PrivateDnsEnabled (boolean) --
(Interface endpoint) Indicates whether the VPC is associated with a private hosted zone.
RequesterManaged (boolean) --
Indicates whether the endpoint is being managed by its service.
NetworkInterfaceIds (list) --
(Interface endpoint) The network interfaces for the endpoint.
(string) --
DnsEntries (list) --
(Interface endpoint) The DNS entries for the endpoint.
(dict) --
Describes a DNS entry.
DnsName (string) --
The DNS name.
HostedZoneId (string) --
The ID of the private hosted zone.
CreationTimestamp (datetime) --
The date and time that the endpoint was created.
Tags (list) --
The tags assigned to the endpoint.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
OwnerId (string) --
The ID of the Amazon Web Services account that owns the endpoint.
LastError (dict) --
The last error that occurred for the endpoint.
Message (string) --
The error message for the VPC endpoint error.
Code (string) --
The error code for the VPC endpoint error.
Ipv4Prefixes (list) --
Array of IPv4 prefixes.
(dict) --
The IPv4 prefixes of the subnet.
SubnetId (string) --
ID of the subnet.
IpPrefixes (list) --
Array of SubnetIpPrefixes objects.
(string) --
Ipv6Prefixes (list) --
Array of IPv6 prefixes.
(dict) --
The IPv6 prefixes of the subnet.
SubnetId (string) --
ID of the subnet.
IpPrefixes (list) --
Array of SubnetIpPrefixes objects.
(string) --
FailureReason (string) --
Reason for the failure.
ServiceNetworkArn (string) --
The Amazon Resource Name (ARN) of the service network.
ResourceConfigurationArn (string) --
The Amazon Resource Name (ARN) of the resource configuration.
ServiceRegion (string) --
The Region where the service is hosted.
NextToken (string) --
The token to use when requesting the next set of items. If there are no additional items to return, the string is empty.
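The following is an added example (not code from the boto3 documentation) showing how a defender would consume describe_vpc_endpoints: it walks every page by passing NextToken back in, then parses each endpoint's PolicyDocument and flags endpoints whose policy contains an unconditioned Allow for every principal, action and resource. The sample pages, endpoint IDs and policies are constructed so the code runs offline; the wildcard test is a deliberately simple heuristic, not a full IAM policy evaluator.

```python
"""Audit VPC endpoint policies returned by describe_vpc_endpoints.

Added example; not code from the boto3 docs. It works on the documented
response shape and on constructed sample pages, so it runs offline.
"""
import json
from typing import Callable, Iterator


def iter_vpc_endpoints(describe: Callable[..., dict], **kwargs) -> Iterator[dict]:
    """Walk every page of describe_vpc_endpoints, following NextToken.

    `describe` is any callable with the describe_vpc_endpoints signature
    (e.g. a boto3 client's describe_vpc_endpoints). An empty NextToken ends the walk.
    """
    token = None
    while True:
        params = dict(kwargs)
        if token:
            params["NextToken"] = token
        page = describe(**params)
        yield from page.get("VpcEndpoints", [])
        token = page.get("NextToken")
        if not token:
            return


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_is_open(stmt: dict) -> bool:
    """True when one Allow statement grants every principal every action on every resource."""
    if stmt.get("Effect") != "Allow" or "Condition" in stmt:
        return False
    principal = stmt.get("Principal")
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    wildcard_principal = "*" in _as_list(aws or [])
    wildcard_action = "*" in _as_list(stmt.get("Action", []))
    wildcard_resource = "*" in _as_list(stmt.get("Resource", []))
    return wildcard_principal and wildcard_action and wildcard_resource


def find_open_endpoint_policies(endpoints) -> list:
    """Return IDs of endpoints whose PolicyDocument holds an unconditioned full-wildcard Allow."""
    flagged = []
    for ep in endpoints:
        doc = ep.get("PolicyDocument")
        if not doc:
            continue
        statements = _as_list(json.loads(doc).get("Statement", []))
        if any(_statement_is_open(s) for s in statements):
            flagged.append(ep["VpcEndpointId"])
    return flagged


# Constructed sample pages (not real AWS output) exercising pagination and the check.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_PAGES = {
    None: {"VpcEndpoints": [{"VpcEndpointId": "vpce-0example1", "VpcEndpointType": "Interface",
                             "PolicyDocument": OPEN_POLICY}],
           "NextToken": "page2"},
    "page2": {"VpcEndpoints": [{"VpcEndpointId": "vpce-0example2", "VpcEndpointType": "Gateway",
                                "PolicyDocument": SCOPED_POLICY}],
              "NextToken": ""},
}


def fake_describe(**kwargs) -> dict:
    """Stand-in for client.describe_vpc_endpoints that serves the constructed pages."""
    return SAMPLE_PAGES[kwargs.get("NextToken")]


def audit(describe=fake_describe) -> list:
    """Audit all endpoints; pass a real client's describe_vpc_endpoints to run it against an account."""
    return find_open_endpoint_policies(iter_vpc_endpoints(describe, MaxResults=1000))


if __name__ == "__main__":
    print(audit())
```

Treat the output as a triage list rather than a verdict: the default endpoint policy grants full access, so a flagged gateway endpoint may be intentional, and a policy scoped by Condition keys is skipped by this check even when it is broad.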
{'VerifiedAccessInstance': {'CidrEndpointsCustomSubDomain': {'Nameservers': ['string'], 'SubDomain': 'string'}}, 'VerifiedAccessTrustProvider': {'NativeApplicationOidcOptions': {'AuthorizationEndpoint': 'string', 'ClientId': 'string', 'Issuer': 'string', 'PublicSigningKeyEndpoint': 'string', 'Scope': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string'}}}
Detaches the specified Amazon Web Services Verified Access trust provider from the specified Amazon Web Services Verified Access instance.
See also: AWS API Documentation
Request Syntax
client.detach_verified_access_trust_provider(
    VerifiedAccessInstanceId='string',
    VerifiedAccessTrustProviderId='string',
    ClientToken='string',
    DryRun=True|False
)
string
[REQUIRED]
The ID of the Verified Access instance.
string
[REQUIRED]
The ID of the Verified Access trust provider.
string
A unique, case-sensitive token that you provide to ensure idempotency of your modification request. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{
    'VerifiedAccessTrustProvider': {
        'VerifiedAccessTrustProviderId': 'string',
        'Description': 'string',
        'TrustProviderType': 'user'|'device',
        'UserTrustProviderType': 'iam-identity-center'|'oidc',
        'DeviceTrustProviderType': 'jamf'|'crowdstrike'|'jumpcloud',
        'OidcOptions': {
            'Issuer': 'string',
            'AuthorizationEndpoint': 'string',
            'TokenEndpoint': 'string',
            'UserInfoEndpoint': 'string',
            'ClientId': 'string',
            'ClientSecret': 'string',
            'Scope': 'string'
        },
        'DeviceOptions': {
            'TenantId': 'string',
            'PublicSigningKeyUrl': 'string'
        },
        'PolicyReferenceName': 'string',
        'CreationTime': 'string',
        'LastUpdatedTime': 'string',
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'SseSpecification': {
            'CustomerManagedKeyEnabled': True|False,
            'KmsKeyArn': 'string'
        },
        'NativeApplicationOidcOptions': {
            'PublicSigningKeyEndpoint': 'string',
            'Issuer': 'string',
            'AuthorizationEndpoint': 'string',
            'TokenEndpoint': 'string',
            'UserInfoEndpoint': 'string',
            'ClientId': 'string',
            'Scope': 'string'
        }
    },
    'VerifiedAccessInstance': {
        'VerifiedAccessInstanceId': 'string',
        'Description': 'string',
        'VerifiedAccessTrustProviders': [
            {
                'VerifiedAccessTrustProviderId': 'string',
                'Description': 'string',
                'TrustProviderType': 'user'|'device',
                'UserTrustProviderType': 'iam-identity-center'|'oidc',
                'DeviceTrustProviderType': 'jamf'|'crowdstrike'|'jumpcloud'
            },
        ],
        'CreationTime': 'string',
        'LastUpdatedTime': 'string',
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'FipsEnabled': True|False,
        'CidrEndpointsCustomSubDomain': {
            'SubDomain': 'string',
            'Nameservers': [
                'string',
            ]
        }
    }
}
Response Structure
(dict) --
VerifiedAccessTrustProvider (dict) --
Details about the Verified Access trust provider.
VerifiedAccessTrustProviderId (string) --
The ID of the Amazon Web Services Verified Access trust provider.
Description (string) --
A description for the Amazon Web Services Verified Access trust provider.
TrustProviderType (string) --
The type of Verified Access trust provider.
UserTrustProviderType (string) --
The type of user-based trust provider.
DeviceTrustProviderType (string) --
The type of device-based trust provider.
OidcOptions (dict) --
The options for an OpenID Connect-compatible user-identity trust provider.
Issuer (string) --
The OIDC issuer.
AuthorizationEndpoint (string) --
The OIDC authorization endpoint.
TokenEndpoint (string) --
The OIDC token endpoint.
UserInfoEndpoint (string) --
The OIDC user info endpoint.
ClientId (string) --
The client identifier.
ClientSecret (string) --
The client secret.
Scope (string) --
The OpenID Connect (OIDC) scope specified.
DeviceOptions (dict) --
The options for a device-identity trust provider.
TenantId (string) --
The ID of the tenant application with the device-identity provider.
PublicSigningKeyUrl (string) --
The URL Amazon Web Services Verified Access will use to verify the authenticity of the device tokens.
PolicyReferenceName (string) --
The identifier to be used when working with policy rules.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
SseSpecification (dict) --
The options in use for server side encryption.
CustomerManagedKeyEnabled (boolean) --
Indicates whether customer managed KMS keys are in use for server side encryption.
Valid values: True | False
KmsKeyArn (string) --
The ARN of the KMS key.
NativeApplicationOidcOptions (dict) --
The OpenID Connect (OIDC) options.
PublicSigningKeyEndpoint (string) --
The public signing key endpoint.
Issuer (string) --
The OIDC issuer identifier of the IdP.
AuthorizationEndpoint (string) --
The authorization endpoint of the IdP.
TokenEndpoint (string) --
The token endpoint of the IdP.
UserInfoEndpoint (string) --
The user info endpoint of the IdP.
ClientId (string) --
The OAuth 2.0 client identifier.
Scope (string) --
The set of user claims to be requested from the IdP.
VerifiedAccessInstance (dict) --
Details about the Verified Access instance.
VerifiedAccessInstanceId (string) --
The ID of the Amazon Web Services Verified Access instance.
Description (string) --
A description for the Amazon Web Services Verified Access instance.
VerifiedAccessTrustProviders (list) --
The IDs of the Amazon Web Services Verified Access trust providers.
(dict) --
Condensed information about a trust provider.
VerifiedAccessTrustProviderId (string) --
The ID of the trust provider.
Description (string) --
The description of the trust provider.
TrustProviderType (string) --
The type of trust provider (user- or device-based).
UserTrustProviderType (string) --
The type of user-based trust provider.
DeviceTrustProviderType (string) --
The type of device-based trust provider.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
FipsEnabled (boolean) --
Indicates whether support for Federal Information Processing Standards (FIPS) is enabled on the instance.
CidrEndpointsCustomSubDomain (dict) --
The custom subdomain.
SubDomain (string) --
The subdomain.
Nameservers (list) --
The name servers.
(string) --
{'ManagedBy': 'account | declarative-policy'}
Gets the current state of block public access for AMIs at the account level in the specified Amazon Web Services Region.
For more information, see Block public access to your AMIs in the Amazon EC2 User Guide.
See also: AWS API Documentation
Request Syntax
client.get_image_block_public_access_state( DryRun=True|False )
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{ 'ImageBlockPublicAccessState': 'string', 'ManagedBy': 'account'|'declarative-policy' }
Response Structure
(dict) --
ImageBlockPublicAccessState (string) --
The current state of block public access for AMIs at the account level in the specified Amazon Web Services Region.
Possible values:
block-new-sharing - Any attempt to publicly share your AMIs in the specified Region is blocked.
unblocked - Your AMIs in the specified Region can be publicly shared.
ManagedBy (string) --
The entity that manages the state for block public access for AMIs. Possible values include:
account - The state is managed by the account.
declarative-policy - The state is managed by a declarative policy and can't be modified by the account.
{'AccountLevel': {'ManagedBy': 'account | declarative-policy', 'ManagedExceptionMessage': 'string'}}
Gets the default instance metadata service (IMDS) settings that are set at the account level in the specified Amazon Web Services Region.
For more information, see Order of precedence for instance metadata options in the Amazon EC2 User Guide.
See also: AWS API Documentation
Request Syntax
client.get_instance_metadata_defaults( DryRun=True|False )
boolean
Checks whether you have the required permissions for the operation, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{
    'AccountLevel': {
        'HttpTokens': 'optional'|'required',
        'HttpPutResponseHopLimit': 123,
        'HttpEndpoint': 'disabled'|'enabled',
        'InstanceMetadataTags': 'disabled'|'enabled',
        'ManagedBy': 'account'|'declarative-policy',
        'ManagedExceptionMessage': 'string'
    }
}
Response Structure
(dict) --
AccountLevel (dict) --
The account-level default IMDS settings.
HttpTokens (string) --
Indicates whether IMDSv2 is required.
optional – IMDSv2 is optional, which means that you can use either IMDSv2 or IMDSv1.
required – IMDSv2 is required, which means that IMDSv1 is disabled, and you must use IMDSv2.
HttpPutResponseHopLimit (integer) --
The maximum number of hops that the metadata token can travel.
HttpEndpoint (string) --
Indicates whether the IMDS endpoint for an instance is enabled or disabled. When disabled, the instance metadata can't be accessed.
InstanceMetadataTags (string) --
Indicates whether access to instance tags from the instance metadata is enabled or disabled. For more information, see Work with instance tags using the instance metadata in the Amazon EC2 User Guide.
ManagedBy (string) --
The entity that manages the IMDS default settings. Possible values include:
account - The IMDS default settings are managed by the account.
declarative-policy - The IMDS default settings are managed by a declarative policy and can't be modified by the account.
ManagedExceptionMessage (string) --
The customized exception message that is specified in the declarative policy.
{'LaunchTemplateData': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}, 'TagSpecifications': {'ResourceType': {'declarative-policies-report', 'verified-access-endpoint-target'}}}}
{'ManagedBy': 'account | declarative-policy'}
Retrieves the access status of your account to the EC2 serial console of all instances. By default, access to the EC2 serial console is disabled for your account. For more information, see Manage account access to the EC2 serial console in the Amazon EC2 User Guide.
See also: AWS API Documentation
Request Syntax
client.get_serial_console_access_status( DryRun=True|False )
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{ 'SerialConsoleAccessEnabled': True|False, 'ManagedBy': 'account'|'declarative-policy' }
Response Structure
(dict) --
SerialConsoleAccessEnabled (boolean) --
If true, access to the EC2 serial console of all instances is enabled for your account. If false, access to the EC2 serial console of all instances is disabled for your account.
ManagedBy (string) --
The entity that manages access to the serial console. Possible values include:
account - Access is managed by the account.
declarative-policy - Access is managed by a declarative policy and can't be modified by the account.
{'ManagedBy': 'account | declarative-policy'}
Gets the current state of block public access for snapshots setting for the account and Region.
For more information, see Block public access for snapshots in the Amazon EBS User Guide.
See also: AWS API Documentation
Request Syntax
client.get_snapshot_block_public_access_state( DryRun=True|False )
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
Response Syntax
{ 'State': 'block-all-sharing'|'block-new-sharing'|'unblocked', 'ManagedBy': 'account'|'declarative-policy' }
Response Structure
(dict) --
State (string) --
The current state of block public access for snapshots. Possible values include:
block-all-sharing - All public sharing of snapshots is blocked. Users in the account can't request new public sharing. Additionally, snapshots that were already publicly shared are treated as private and are not publicly available.
block-new-sharing - Only new public sharing of snapshots is blocked. Users in the account can't request new public sharing. However, snapshots that were already publicly shared remain publicly available.
unblocked - Public sharing is not blocked. Users can publicly share snapshots.
ManagedBy (string) --
The entity that manages the state for block public access for snapshots. Possible values include:
account - The state is managed by the account.
declarative-policy - The state is managed by a declarative policy and can't be modified by the account.
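The four account-level getters above (get_image_block_public_access_state, get_instance_metadata_defaults, get_serial_console_access_status and get_snapshot_block_public_access_state) all return a ManagedBy field, which is how you tell an account that merely happens to be configured well from one whose setting is pinned by a declarative policy. The following added example (not code from the boto3 documentation) evaluates all four responses together, listing settings a defender would normally tighten and settings already enforced by policy. The sample responses are constructed in the documented shapes so the code runs offline; collect_posture() takes a real boto3 EC2 client if you want to run it live.

```python
"""Evaluate account-level EC2 security posture from the four getters above.

Added example, not code from the boto3 docs. It works on the documented
response shapes; the sample responses are constructed, so it runs offline.
"""


def evaluate_posture(image_block, imds_defaults, serial_console, snapshot_block) -> dict:
    """Return {'findings': [...], 'enforced': [...]} for the four account-level settings.

    A finding is a setting a defender would normally want tightened; 'enforced'
    lists settings already pinned by a declarative policy (ManagedBy).
    """
    findings, enforced = [], []

    def note(name, managed_by):
        if managed_by == "declarative-policy":
            enforced.append(name)

    # 1. AMI public sharing: anything but block-new-sharing lets AMIs be made public.
    state = image_block["ImageBlockPublicAccessState"]
    note("ami-block-public-access", image_block.get("ManagedBy"))
    if state != "block-new-sharing":
        findings.append(f"AMI public access is '{state}'; expected 'block-new-sharing'")

    # 2. IMDS defaults: IMDSv2 should be required and the hop limit kept at 1
    #    so a token PUT response cannot be relayed beyond the instance itself.
    acct = imds_defaults["AccountLevel"]
    note("imds-defaults", acct.get("ManagedBy"))
    if acct.get("HttpTokens") != "required":
        findings.append("IMDSv2 not required at account level (HttpTokens != 'required')")
    hops = acct.get("HttpPutResponseHopLimit")
    if hops is not None and hops > 1:
        findings.append(f"IMDS hop limit is {hops}; raise above 1 only where containers need IMDS")

    # 3. Serial console: disabled by default; enabled is a finding unless there is a documented need.
    note("serial-console-access", serial_console.get("ManagedBy"))
    if serial_console["SerialConsoleAccessEnabled"]:
        findings.append("EC2 serial console access is enabled for the account")

    # 4. Snapshot public sharing: only block-all-sharing also neutralises snapshots already public.
    snap = snapshot_block["State"]
    note("snapshot-block-public-access", snapshot_block.get("ManagedBy"))
    if snap == "unblocked":
        findings.append("Snapshot public sharing is unblocked")
    elif snap == "block-new-sharing":
        findings.append("Snapshots already shared publicly stay public (block-new-sharing); consider block-all-sharing")

    return {"findings": findings, "enforced": enforced}


def collect_posture(ec2) -> dict:
    """Call the four getters on a boto3 EC2 client and evaluate the result."""
    return evaluate_posture(
        ec2.get_image_block_public_access_state(),
        ec2.get_instance_metadata_defaults(),
        ec2.get_serial_console_access_status(),
        ec2.get_snapshot_block_public_access_state(),
    )


# Constructed responses (not real AWS output) in the documented shapes.
WEAK = dict(
    image_block={"ImageBlockPublicAccessState": "unblocked", "ManagedBy": "account"},
    imds_defaults={"AccountLevel": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2,
                                    "HttpEndpoint": "enabled", "InstanceMetadataTags": "disabled",
                                    "ManagedBy": "account"}},
    serial_console={"SerialConsoleAccessEnabled": True, "ManagedBy": "account"},
    snapshot_block={"State": "block-new-sharing", "ManagedBy": "account"},
)
HARDENED = dict(
    image_block={"ImageBlockPublicAccessState": "block-new-sharing", "ManagedBy": "declarative-policy"},
    imds_defaults={"AccountLevel": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1,
                                    "HttpEndpoint": "enabled", "InstanceMetadataTags": "disabled",
                                    "ManagedBy": "declarative-policy",
                                    "ManagedExceptionMessage": "Ask the platform team for an exception."}},
    serial_console={"SerialConsoleAccessEnabled": False, "ManagedBy": "declarative-policy"},
    snapshot_block={"State": "block-all-sharing", "ManagedBy": "declarative-policy"},
)

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, evaluate_posture(**sample))
```

A setting that appears in 'enforced' cannot be changed from inside the member account, so a finding on an enforced setting is a policy-content problem to raise with the organization administrators rather than something to fix with the corresponding Modify call.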
{'LaunchSpecification': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}
{'LaunchTemplateConfigs': {'Overrides': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}}
{'TargetConfigurations': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}
{'LaunchTemplateConfigs': {'Overrides': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}}
{'CidrOptions': {'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}]}, 'LoadBalancerOptions': {'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': {'tcp'}}, 'NetworkInterfaceOptions': {'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': {'tcp'}}, 'RdsOptions': {'Port': 'integer', 'RdsEndpoint': 'string', 'SubnetIds': ['string']}}
Response
{'VerifiedAccessEndpoint': {'CidrOptions': {'Cidr': 'string', 'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': 'http | https | tcp', 'SubnetIds': ['string']}, 'EndpointType': {'cidr', 'rds'}, 'LoadBalancerOptions': {'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': {'tcp'}}, 'NetworkInterfaceOptions': {'PortRanges': [{'FromPort': 'integer', 'ToPort': 'integer'}], 'Protocol': {'tcp'}}, 'RdsOptions': {'Port': 'integer', 'Protocol': 'http | https | tcp', 'RdsDbClusterArn': 'string', 'RdsDbInstanceArn': 'string', 'RdsDbProxyArn': 'string', 'RdsEndpoint': 'string', 'SubnetIds': ['string']}}}
Modifies the configuration of the specified Amazon Web Services Verified Access endpoint.
See also: AWS API Documentation
Request Syntax
client.modify_verified_access_endpoint(
    VerifiedAccessEndpointId='string',
    VerifiedAccessGroupId='string',
    LoadBalancerOptions={
        'SubnetIds': [
            'string',
        ],
        'Protocol': 'http'|'https'|'tcp',
        'Port': 123,
        'PortRanges': [
            {
                'FromPort': 123,
                'ToPort': 123
            },
        ]
    },
    NetworkInterfaceOptions={
        'Protocol': 'http'|'https'|'tcp',
        'Port': 123,
        'PortRanges': [
            {
                'FromPort': 123,
                'ToPort': 123
            },
        ]
    },
    Description='string',
    ClientToken='string',
    DryRun=True|False,
    RdsOptions={
        'SubnetIds': [
            'string',
        ],
        'Port': 123,
        'RdsEndpoint': 'string'
    },
    CidrOptions={
        'PortRanges': [
            {
                'FromPort': 123,
                'ToPort': 123
            },
        ]
    }
)
string
[REQUIRED]
The ID of the Verified Access endpoint.
string
The ID of the Verified Access group.
dict
The load balancer details if creating the Verified Access endpoint as load-balancer type.
SubnetIds (list) --
The IDs of the subnets.
(string) --
Protocol (string) --
The IP protocol.
Port (integer) --
The IP port number.
PortRanges (list) --
The port ranges.
(dict) --
Describes the port range for a Verified Access endpoint.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
dict
The network interface options.
Protocol (string) --
The IP protocol.
Port (integer) --
The IP port number.
PortRanges (list) --
The port ranges.
(dict) --
Describes the port range for a Verified Access endpoint.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
string
A description for the Verified Access endpoint.
string
A unique, case-sensitive token that you provide to ensure idempotency of your modification request. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
dict
The RDS options.
SubnetIds (list) --
The IDs of the subnets.
(string) --
Port (integer) --
The port.
RdsEndpoint (string) --
The RDS endpoint.
dict
The CIDR options.
PortRanges (list) --
The port ranges.
(dict) --
Describes the port range for a Verified Access endpoint.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
dict
Response Syntax
{
    'VerifiedAccessEndpoint': {
        'VerifiedAccessInstanceId': 'string',
        'VerifiedAccessGroupId': 'string',
        'VerifiedAccessEndpointId': 'string',
        'ApplicationDomain': 'string',
        'EndpointType': 'load-balancer'|'network-interface'|'rds'|'cidr',
        'AttachmentType': 'vpc',
        'DomainCertificateArn': 'string',
        'EndpointDomain': 'string',
        'DeviceValidationDomain': 'string',
        'SecurityGroupIds': [
            'string',
        ],
        'LoadBalancerOptions': {
            'Protocol': 'http'|'https'|'tcp',
            'Port': 123,
            'LoadBalancerArn': 'string',
            'SubnetIds': [
                'string',
            ],
            'PortRanges': [
                {
                    'FromPort': 123,
                    'ToPort': 123
                },
            ]
        },
        'NetworkInterfaceOptions': {
            'NetworkInterfaceId': 'string',
            'Protocol': 'http'|'https'|'tcp',
            'Port': 123,
            'PortRanges': [
                {
                    'FromPort': 123,
                    'ToPort': 123
                },
            ]
        },
        'Status': {
            'Code': 'pending'|'active'|'updating'|'deleting'|'deleted',
            'Message': 'string'
        },
        'Description': 'string',
        'CreationTime': 'string',
        'LastUpdatedTime': 'string',
        'DeletionTime': 'string',
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'SseSpecification': {
            'CustomerManagedKeyEnabled': True|False,
            'KmsKeyArn': 'string'
        },
        'RdsOptions': {
            'Protocol': 'http'|'https'|'tcp',
            'Port': 123,
            'RdsDbInstanceArn': 'string',
            'RdsDbClusterArn': 'string',
            'RdsDbProxyArn': 'string',
            'RdsEndpoint': 'string',
            'SubnetIds': [
                'string',
            ]
        },
        'CidrOptions': {
            'Cidr': 'string',
            'PortRanges': [
                {
                    'FromPort': 123,
                    'ToPort': 123
                },
            ],
            'Protocol': 'http'|'https'|'tcp',
            'SubnetIds': [
                'string',
            ]
        }
    }
}
Response Structure
(dict) --
VerifiedAccessEndpoint (dict) --
Details about the Verified Access endpoint.
VerifiedAccessInstanceId (string) --
The ID of the Amazon Web Services Verified Access instance.
VerifiedAccessGroupId (string) --
The ID of the Amazon Web Services Verified Access group.
VerifiedAccessEndpointId (string) --
The ID of the Amazon Web Services Verified Access endpoint.
ApplicationDomain (string) --
The DNS name for users to reach your application.
EndpointType (string) --
The type of Amazon Web Services Verified Access endpoint. Incoming application requests will be sent to an IP address, load balancer or a network interface depending on the endpoint type specified.
AttachmentType (string) --
The type of attachment used to provide connectivity between the Amazon Web Services Verified Access endpoint and the application.
DomainCertificateArn (string) --
The ARN of a public TLS/SSL certificate imported into or created with ACM.
EndpointDomain (string) --
A DNS name that is generated for the endpoint.
DeviceValidationDomain (string) --
Returned if the endpoint has a device trust provider attached.
SecurityGroupIds (list) --
The IDs of the security groups for the endpoint.
(string) --
LoadBalancerOptions (dict) --
The load balancer details if creating the Amazon Web Services Verified Access endpoint as load-balancer type.
Protocol (string) --
The IP protocol.
Port (integer) --
The IP port number.
LoadBalancerArn (string) --
The ARN of the load balancer.
SubnetIds (list) --
The IDs of the subnets.
(string) --
PortRanges (list) --
The port ranges.
(dict) --
Describes a port range.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
NetworkInterfaceOptions (dict) --
The options for a network-interface type endpoint.
NetworkInterfaceId (string) --
The ID of the network interface.
Protocol (string) --
The IP protocol.
Port (integer) --
The IP port number.
PortRanges (list) --
The port ranges.
(dict) --
Describes a port range.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
Status (dict) --
The endpoint status.
Code (string) --
The status code of the Verified Access endpoint.
Message (string) --
The status message of the Verified Access endpoint.
Description (string) --
A description for the Amazon Web Services Verified Access endpoint.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
DeletionTime (string) --
The deletion time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
SseSpecification (dict) --
The options in use for server side encryption.
CustomerManagedKeyEnabled (boolean) --
Indicates whether customer managed KMS keys are in use for server side encryption.
Valid values: True | False
KmsKeyArn (string) --
The ARN of the KMS key.
RdsOptions (dict) --
The options for an RDS endpoint.
Protocol (string) --
The protocol.
Port (integer) --
The port.
RdsDbInstanceArn (string) --
The ARN of the RDS instance.
RdsDbClusterArn (string) --
The ARN of the DB cluster.
RdsDbProxyArn (string) --
The ARN of the RDS proxy.
RdsEndpoint (string) --
The RDS endpoint.
SubnetIds (list) --
The IDs of the subnets.
(string) --
CidrOptions (dict) --
The options for a CIDR endpoint.
Cidr (string) --
The CIDR.
PortRanges (list) --
The port ranges.
(dict) --
Describes a port range.
FromPort (integer) --
The start of the port range.
ToPort (integer) --
The end of the port range.
Protocol (string) --
The protocol.
SubnetIds (list) --
The IDs of the subnets.
(string) --
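The new PortRanges and Protocol 'tcp' options let a Verified Access endpoint front arbitrary TCP services, and every method on this page documents the same DryRun contract (DryRunOperation when the caller is permitted, UnauthorizedOperation when not). The following added example (not code from the boto3 documentation) builds a modify_verified_access_endpoint request for a network-interface endpoint, refuses malformed, overlapping or over-wide port ranges before anything is sent, and uses DryRun to confirm the caller's permissions without applying the change. The endpoint ID, the FakeClient and the max_width policy value are constructed for the example; the DryRun helper reads the error code from the exception's `.response` attribute, which is where botocore's ClientError carries it.

```python
"""Build and pre-check a modify_verified_access_endpoint request that opens TCP port ranges.

Added example, not code from the boto3 docs. Only parameters shown in the
request syntax above are used; FakeClient stands in for a boto3 EC2 client so
the example runs without credentials.
"""
from typing import Sequence, Tuple

PortRange = Tuple[int, int]


def validate_port_ranges(ranges: Sequence[PortRange], max_width: int = 16) -> list:
    """Return FromPort/ToPort dicts after checking bounds, ordering, overlap and span.

    max_width (a constructed policy value) caps how many ports one range may
    expose; an endpoint fronting a database or an SSH host rarely needs many.
    """
    if not ranges:
        raise ValueError("at least one port range is required")
    ordered = sorted(ranges)
    prev_to = 0
    for lo, hi in ordered:
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid range {lo}-{hi}")
        if lo <= prev_to:
            raise ValueError(f"range {lo}-{hi} overlaps a previous range")
        if hi - lo + 1 > max_width:
            raise ValueError(f"range {lo}-{hi} exposes more than {max_width} ports")
        prev_to = hi
    return [{"FromPort": lo, "ToPort": hi} for lo, hi in ordered]


def build_modify_request(endpoint_id: str, ranges: Sequence[PortRange], dry_run: bool = False) -> dict:
    """Kwargs for client.modify_verified_access_endpoint on a network-interface endpoint over TCP."""
    return {
        "VerifiedAccessEndpointId": endpoint_id,
        "NetworkInterfaceOptions": {"Protocol": "tcp", "PortRanges": validate_port_ranges(ranges)},
        "DryRun": dry_run,
    }


def dry_run_permitted(client, **kwargs) -> bool:
    """True if the caller is authorised for the change, False if not; re-raises anything else.

    With DryRun=True the API never applies the change: it answers with
    DryRunOperation (permitted) or UnauthorizedOperation (not permitted).
    """
    try:
        client.modify_verified_access_endpoint(**dict(kwargs, DryRun=True))
    except Exception as err:  # botocore.exceptions.ClientError carries .response
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code == "DryRunOperation":
            return True
        if code == "UnauthorizedOperation":
            return False
        raise
    return True  # no error at all: treat as permitted (the real API always raises on a dry run)


class FakeClient:
    """Constructed stand-in that answers a dry run the way the real API does."""

    def __init__(self, allowed: bool):
        self.allowed = allowed
        self.last_request = None

    def modify_verified_access_endpoint(self, **kwargs):
        self.last_request = kwargs
        code = "DryRunOperation" if self.allowed else "UnauthorizedOperation"
        err = Exception(code)
        err.response = {"Error": {"Code": code}}
        raise err


if __name__ == "__main__":
    # Constructed endpoint ID; 5432 (PostgreSQL) plus a small range of four ports.
    req = build_modify_request("vaep-0example", [(5432, 5432), (6000, 6003)])
    print(dry_run_permitted(FakeClient(allowed=True), **req))
```

Running the dry run first separates two failure modes that otherwise look alike in a deployment log: a request rejected for permissions (UnauthorizedOperation) and a request rejected by the service after it has partially validated the change.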
{'CidrEndpointsCustomSubDomain': 'string'}
Response
{'VerifiedAccessInstance': {'CidrEndpointsCustomSubDomain': {'Nameservers': ['string'], 'SubDomain': 'string'}}}
Modifies the configuration of the specified Amazon Web Services Verified Access instance.
See also: AWS API Documentation
Request Syntax
client.modify_verified_access_instance( VerifiedAccessInstanceId='string', Description='string', DryRun=True|False, ClientToken='string', CidrEndpointsCustomSubDomain='string' )
string
[REQUIRED]
The ID of the Verified Access instance.
string
A description for the Verified Access instance.
boolean
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
string
A unique, case-sensitive token that you provide to ensure idempotency of your modification request. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
string
The custom subdomain.
dict
Response Syntax
{
    'VerifiedAccessInstance': {
        'VerifiedAccessInstanceId': 'string',
        'Description': 'string',
        'VerifiedAccessTrustProviders': [
            {
                'VerifiedAccessTrustProviderId': 'string',
                'Description': 'string',
                'TrustProviderType': 'user'|'device',
                'UserTrustProviderType': 'iam-identity-center'|'oidc',
                'DeviceTrustProviderType': 'jamf'|'crowdstrike'|'jumpcloud'
            },
        ],
        'CreationTime': 'string',
        'LastUpdatedTime': 'string',
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'FipsEnabled': True|False,
        'CidrEndpointsCustomSubDomain': {
            'SubDomain': 'string',
            'Nameservers': [
                'string',
            ]
        }
    }
}
Response Structure
(dict) --
VerifiedAccessInstance (dict) --
Details about the Verified Access instance.
VerifiedAccessInstanceId (string) --
The ID of the Amazon Web Services Verified Access instance.
Description (string) --
A description for the Amazon Web Services Verified Access instance.
VerifiedAccessTrustProviders (list) --
The IDs of the Amazon Web Services Verified Access trust providers.
(dict) --
Condensed information about a trust provider.
VerifiedAccessTrustProviderId (string) --
The ID of the trust provider.
Description (string) --
The description of the trust provider.
TrustProviderType (string) --
The type of trust provider (user- or device-based).
UserTrustProviderType (string) --
The type of user-based trust provider.
DeviceTrustProviderType (string) --
The type of device-based trust provider.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
FipsEnabled (boolean) --
Indicates whether support for Federal Information Processing Standards (FIPS) is enabled on the instance.
CidrEndpointsCustomSubDomain (dict) --
The custom subdomain.
SubDomain (string) --
The subdomain.
Nameservers (list) --
The name servers.
(string) --
{'NativeApplicationOidcOptions': {'AuthorizationEndpoint': 'string', 'ClientId': 'string', 'ClientSecret': 'string', 'Issuer': 'string', 'PublicSigningKeyEndpoint': 'string', 'Scope': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string'}}
Response
{'VerifiedAccessTrustProvider': {'NativeApplicationOidcOptions': {'AuthorizationEndpoint': 'string', 'ClientId': 'string', 'Issuer': 'string', 'PublicSigningKeyEndpoint': 'string', 'Scope': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string'}}}
Modifies the configuration of the specified Amazon Web Services Verified Access trust provider.
See also: AWS API Documentation
Request Syntax
client.modify_verified_access_trust_provider(
    VerifiedAccessTrustProviderId='string',
    OidcOptions={
        'Issuer': 'string',
        'AuthorizationEndpoint': 'string',
        'TokenEndpoint': 'string',
        'UserInfoEndpoint': 'string',
        'ClientId': 'string',
        'ClientSecret': 'string',
        'Scope': 'string'
    },
    DeviceOptions={
        'PublicSigningKeyUrl': 'string'
    },
    Description='string',
    DryRun=True|False,
    ClientToken='string',
    SseSpecification={
        'CustomerManagedKeyEnabled': True|False,
        'KmsKeyArn': 'string'
    },
    NativeApplicationOidcOptions={
        'PublicSigningKeyEndpoint': 'string',
        'Issuer': 'string',
        'AuthorizationEndpoint': 'string',
        'TokenEndpoint': 'string',
        'UserInfoEndpoint': 'string',
        'ClientId': 'string',
        'ClientSecret': 'string',
        'Scope': 'string'
    }
)
VerifiedAccessTrustProviderId (string) -- [REQUIRED]
The ID of the Verified Access trust provider.
OidcOptions (dict) --
The options for an OpenID Connect-compatible user-identity trust provider.
Issuer (string) --
The OIDC issuer.
AuthorizationEndpoint (string) --
The OIDC authorization endpoint.
TokenEndpoint (string) --
The OIDC token endpoint.
UserInfoEndpoint (string) --
The OIDC user info endpoint.
ClientId (string) --
The client identifier.
ClientSecret (string) --
The client secret.
Scope (string) --
OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's details. Each scope returns a specific set of user attributes.
DeviceOptions (dict) --
The options for a device-based trust provider. This parameter is required when the provider type is device.
PublicSigningKeyUrl (string) --
The URL Amazon Web Services Verified Access will use to verify the authenticity of the device tokens.
Description (string) --
A description for the Verified Access trust provider.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
ClientToken (string) --
A unique, case-sensitive token that you provide to ensure idempotency of your modification request. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
SseSpecification (dict) --
The options for server side encryption.
CustomerManagedKeyEnabled (boolean) --
Enable or disable the use of customer managed KMS keys for server side encryption.
Valid values: True | False
KmsKeyArn (string) --
The ARN of the KMS key.
NativeApplicationOidcOptions (dict) --
The OpenID Connect (OIDC) options.
PublicSigningKeyEndpoint (string) --
The public signing key endpoint.
Issuer (string) --
The OIDC issuer identifier of the IdP.
AuthorizationEndpoint (string) --
The authorization endpoint of the IdP.
TokenEndpoint (string) --
The token endpoint of the IdP.
UserInfoEndpoint (string) --
The user info endpoint of the IdP.
ClientId (string) --
The OAuth 2.0 client identifier.
ClientSecret (string) --
The OAuth 2.0 client secret.
Scope (string) --
The set of user claims to be requested from the IdP.
Return type
dict
Response Syntax
{ 'VerifiedAccessTrustProvider': { 'VerifiedAccessTrustProviderId': 'string', 'Description': 'string', 'TrustProviderType': 'user'|'device', 'UserTrustProviderType': 'iam-identity-center'|'oidc', 'DeviceTrustProviderType': 'jamf'|'crowdstrike'|'jumpcloud', 'OidcOptions': { 'Issuer': 'string', 'AuthorizationEndpoint': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string', 'ClientId': 'string', 'ClientSecret': 'string', 'Scope': 'string' }, 'DeviceOptions': { 'TenantId': 'string', 'PublicSigningKeyUrl': 'string' }, 'PolicyReferenceName': 'string', 'CreationTime': 'string', 'LastUpdatedTime': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'SseSpecification': { 'CustomerManagedKeyEnabled': True|False, 'KmsKeyArn': 'string' }, 'NativeApplicationOidcOptions': { 'PublicSigningKeyEndpoint': 'string', 'Issuer': 'string', 'AuthorizationEndpoint': 'string', 'TokenEndpoint': 'string', 'UserInfoEndpoint': 'string', 'ClientId': 'string', 'Scope': 'string' } } }
Response Structure
(dict) --
VerifiedAccessTrustProvider (dict) --
Details about the Verified Access trust provider.
VerifiedAccessTrustProviderId (string) --
The ID of the Amazon Web Services Verified Access trust provider.
Description (string) --
A description for the Amazon Web Services Verified Access trust provider.
TrustProviderType (string) --
The type of Verified Access trust provider.
UserTrustProviderType (string) --
The type of user-based trust provider.
DeviceTrustProviderType (string) --
The type of device-based trust provider.
OidcOptions (dict) --
The options for an OpenID Connect-compatible user-identity trust provider.
Issuer (string) --
The OIDC issuer.
AuthorizationEndpoint (string) --
The OIDC authorization endpoint.
TokenEndpoint (string) --
The OIDC token endpoint.
UserInfoEndpoint (string) --
The OIDC user info endpoint.
ClientId (string) --
The client identifier.
ClientSecret (string) --
The client secret.
Scope (string) --
The OpenID Connect (OIDC) scope specified.
DeviceOptions (dict) --
The options for device-identity trust provider.
TenantId (string) --
The ID of the tenant application with the device-identity provider.
PublicSigningKeyUrl (string) --
The URL Amazon Web Services Verified Access will use to verify the authenticity of the device tokens.
PolicyReferenceName (string) --
The identifier to be used when working with policy rules.
CreationTime (string) --
The creation time.
LastUpdatedTime (string) --
The last updated time.
Tags (list) --
The tags.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
SseSpecification (dict) --
The options in use for server side encryption.
CustomerManagedKeyEnabled (boolean) --
Indicates whether customer managed KMS keys are in use for server side encryption.
Valid values: True | False
KmsKeyArn (string) --
The ARN of the KMS key.
NativeApplicationOidcOptions (dict) --
The OpenID Connect (OIDC) options.
PublicSigningKeyEndpoint (string) --
The public signing key endpoint.
Issuer (string) --
The OIDC issuer identifier of the IdP.
AuthorizationEndpoint (string) --
The authorization endpoint of the IdP.
TokenEndpoint (string) --
The token endpoint of the IdP.
UserInfoEndpoint (string) --
The user info endpoint of the IdP.
ClientId (string) --
The OAuth 2.0 client identifier.
Scope (string) --
The set of user claims to be requested from the IdP.
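The following Python is an added example, not code from the boto3 documentation or the SDK. It validates an OidcOptions or NativeApplicationOidcOptions dict before it is handed to modify_verified_access_trust_provider (https scheme on the issuer and every endpoint, openid in Scope, a non-empty ClientId) and masks ClientSecret in the request and in the response, which the OidcOptions response structure above echoes back verbatim. The issuer, endpoints, client ID, secret and trust provider ID are constructed placeholders; the host-mismatch warning is this example's own heuristic, not an API rule.

```python
"""Added example: validate OIDC trust-provider options before
modify_verified_access_trust_provider and redact secrets from its response."""
import copy
import json
from urllib.parse import urlsplit

ENDPOINT_KEYS = ("AuthorizationEndpoint", "TokenEndpoint",
                 "UserInfoEndpoint", "PublicSigningKeyEndpoint")


def check_oidc_options(opts):
    """Return (errors, warnings) for an OidcOptions or
    NativeApplicationOidcOptions dict; any error should block the call."""
    errors, warnings = [], []
    issuer = urlsplit(opts.get("Issuer", ""))
    if issuer.scheme != "https" or not issuer.netloc:
        errors.append("Issuer must be an https URL")
    for key in ENDPOINT_KEYS:
        url = opts.get(key)
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.netloc:
            errors.append(f"{key} must be an https URL")
        elif parts.netloc != issuer.netloc:
            # Heuristic only: some IdPs legitimately serve endpoints from a
            # different host than the issuer, so this is flagged for review.
            warnings.append(f"{key} host {parts.netloc} differs from issuer host {issuer.netloc}")
    if not opts.get("ClientId"):
        errors.append("ClientId is required")
    if "ClientSecret" in opts and not opts["ClientSecret"]:
        errors.append("ClientSecret is present but empty")
    if "openid" not in opts.get("Scope", "").split():
        errors.append("Scope must include 'openid'")
    return errors, warnings


def build_modify_request(provider_id, opts, native=False):
    """Assemble keyword arguments for modify_verified_access_trust_provider,
    refusing to build them when validation reports errors."""
    errors, _ = check_oidc_options(opts)
    if errors:
        raise ValueError("; ".join(errors))
    key = "NativeApplicationOidcOptions" if native else "OidcOptions"
    return {"VerifiedAccessTrustProviderId": provider_id, key: dict(opts)}


def redact_secrets(payload):
    """Deep-copy a request or response and mask every ClientSecret value.
    The OidcOptions block of the response echoes the secret, so redact
    before logging or persisting it."""
    def _walk(node):
        if isinstance(node, dict):
            return {k: ("***REDACTED***" if k == "ClientSecret" else _walk(v))
                    for k, v in node.items()}
        if isinstance(node, list):
            return [_walk(item) for item in node]
        return node
    return _walk(copy.deepcopy(payload))


# Constructed sample: example.test is a reserved documentation domain and the
# client ID, secret and provider ID are placeholders, not real values.
SAMPLE_OPTIONS = {
    "Issuer": "https://idp.example.test",
    "AuthorizationEndpoint": "https://idp.example.test/oauth2/authorize",
    "TokenEndpoint": "https://idp.example.test/oauth2/token",
    "UserInfoEndpoint": "https://idp.example.test/oauth2/userinfo",
    "ClientId": "verified-access-client",
    "ClientSecret": "placeholder-secret",
    "Scope": "openid email profile",
}
SAMPLE_PROVIDER_ID = "vatp-0123456789abcdef0"

if __name__ == "__main__":
    kwargs = build_modify_request(SAMPLE_PROVIDER_ID, SAMPLE_OPTIONS)
    # Real call: boto3.client("ec2").modify_verified_access_trust_provider(**kwargs)
    print(json.dumps(redact_secrets(kwargs), indent=2))
```

Run redact_secrets over the real response as well as the request: the response's OidcOptions carries ClientSecret in clear, while NativeApplicationOidcOptions does not, so a log line that dumps the whole VerifiedAccessTrustProvider dict leaks the user-identity provider's secret.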
{'VpcBlockPublicAccessOptions': {'ExclusionsAllowed': 'allowed | not-allowed', 'ManagedBy': 'account | declarative-policy'}}
Modify VPC Block Public Access (BPA) options. VPC Block Public Access (BPA) enables you to block resources in VPCs and subnets that you own in a Region from reaching or being reached from the internet through internet gateways and egress-only internet gateways. To learn more about VPC BPA, see Block public access to VPCs and subnets in the Amazon VPC User Guide.
See also: AWS API Documentation
Request Syntax
client.modify_vpc_block_public_access_options( DryRun=True|False, InternetGatewayBlockMode='off'|'block-bidirectional'|'block-ingress' )
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
InternetGatewayBlockMode (string) -- [REQUIRED]
The mode of VPC BPA.
off: VPC BPA is not enabled and traffic is allowed to and from internet gateways and egress-only internet gateways in this Region.
block-bidirectional: Block all traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets).
block-ingress: Block all internet traffic to the VPCs in this Region (except for VPCs or subnets which are excluded). Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
Return type
dict
Response Syntax
{ 'VpcBlockPublicAccessOptions': { 'AwsAccountId': 'string', 'AwsRegion': 'string', 'State': 'default-state'|'update-in-progress'|'update-complete', 'InternetGatewayBlockMode': 'off'|'block-bidirectional'|'block-ingress', 'Reason': 'string', 'LastUpdateTimestamp': datetime(2015, 1, 1), 'ManagedBy': 'account'|'declarative-policy', 'ExclusionsAllowed': 'allowed'|'not-allowed' } }
Response Structure
(dict) --
VpcBlockPublicAccessOptions (dict) --
Details related to the VPC Block Public Access (BPA) options.
AwsAccountId (string) --
An Amazon Web Services account ID.
AwsRegion (string) --
An Amazon Web Services Region.
State (string) --
The current state of VPC BPA.
InternetGatewayBlockMode (string) --
The current mode of VPC BPA.
off: VPC BPA is not enabled and traffic is allowed to and from internet gateways and egress-only internet gateways in this Region.
block-bidirectional: Block all traffic to and from internet gateways and egress-only internet gateways in this Region (except for excluded VPCs and subnets).
block-ingress: Block all internet traffic to the VPCs in this Region (except for VPCs or subnets which are excluded). Only traffic to and from NAT gateways and egress-only internet gateways is allowed because these gateways only allow outbound connections to be established.
Reason (string) --
The reason for the current state.
LastUpdateTimestamp (datetime) --
The last time the VPC BPA mode was updated.
ManagedBy (string) --
The entity that manages the state of VPC BPA. Possible values include:
account - The state is managed by the account.
declarative-policy - The state is managed by a declarative policy and can't be modified by the account.
ExclusionsAllowed (string) --
Determines if exclusions are allowed. If you have enabled VPC BPA at the Organization level, exclusions may be not-allowed. Otherwise, they are allowed.
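Added example, not from the boto3 documentation: a helper that reads the current options with describe_vpc_block_public_access_options (a companion EC2 API not shown on this page), applies the ManagedBy and State rules above, treats any move toward off as a loosening that needs explicit approval, confirms permissions with DryRun, and only then calls modify_vpc_block_public_access_options. FakeEc2, FakeClientError and the sample options dict are constructed stand-ins so the code runs without AWS credentials; a real boto3 client exposes the same method names and raises botocore ClientError whose .response carries the DryRunOperation or UnauthorizedOperation code that dry_run_allowed inspects.

```python
"""Added example: plan and apply a VPC Block Public Access mode change,
honouring the ManagedBy and State fields the API returns."""

# Ordered from least to most restrictive (the InternetGatewayBlockMode values).
MODES = ("off", "block-ingress", "block-bidirectional")


def plan_bpa_change(current, desired_mode):
    """Decide what to do given the current VpcBlockPublicAccessOptions dict."""
    if desired_mode not in MODES:
        raise ValueError(f"unknown mode {desired_mode!r}")
    if current.get("ManagedBy") == "declarative-policy":
        # The account cannot override a mode set by an Organizations declarative policy.
        return {"action": "skip", "reason": "managed by declarative policy"}
    if current.get("State") == "update-in-progress":
        return {"action": "wait", "reason": "previous update still in progress"}
    mode = current["InternetGatewayBlockMode"]
    if mode == desired_mode:
        return {"action": "none", "reason": f"already {mode}"}
    loosens = MODES.index(desired_mode) < MODES.index(mode)
    return {"action": "modify", "from": mode, "to": desired_mode, "loosens": loosens}


def dry_run_allowed(client, mode):
    """True when DryRun reports DryRunOperation, i.e. the caller is authorised."""
    try:
        client.modify_vpc_block_public_access_options(DryRun=True, InternetGatewayBlockMode=mode)
    except Exception as exc:  # botocore raises ClientError; inspect its .response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code")
        return code == "DryRunOperation"
    return True  # the real API always raises on DryRun; stubs may not


def apply_bpa_mode(client, desired_mode, allow_loosening=False):
    """Read current state, plan, dry-run, then modify. Returns the plan with its outcome."""
    current = client.describe_vpc_block_public_access_options()["VpcBlockPublicAccessOptions"]
    plan = plan_bpa_change(current, desired_mode)
    if plan["action"] != "modify":
        return plan
    if plan["loosens"] and not allow_loosening:
        return {**plan, "action": "refused", "reason": "would weaken BPA; pass allow_loosening=True"}
    if not dry_run_allowed(client, desired_mode):
        return {**plan, "action": "refused", "reason": "UnauthorizedOperation on dry run"}
    result = client.modify_vpc_block_public_access_options(InternetGatewayBlockMode=desired_mode)
    return {**plan, "action": "applied", "state": result["VpcBlockPublicAccessOptions"]["State"]}


class FakeClientError(Exception):
    """Mimics the .response shape of botocore.exceptions.ClientError."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeEc2:
    """Constructed stand-in for boto3.client('ec2'); keeps the example offline."""
    def __init__(self, options, authorized=True):
        self.options = dict(options)
        self.authorized = authorized
        self.modify_calls = []

    def describe_vpc_block_public_access_options(self):
        return {"VpcBlockPublicAccessOptions": dict(self.options)}

    def modify_vpc_block_public_access_options(self, DryRun=False, InternetGatewayBlockMode=None):
        self.modify_calls.append((DryRun, InternetGatewayBlockMode))
        if DryRun:
            raise FakeClientError("DryRunOperation" if self.authorized else "UnauthorizedOperation")
        if not self.authorized:
            raise FakeClientError("UnauthorizedOperation")
        self.options.update(InternetGatewayBlockMode=InternetGatewayBlockMode,
                            State="update-in-progress")
        return {"VpcBlockPublicAccessOptions": dict(self.options)}


# Constructed sample of the response for an account-managed Region with BPA off
# (111122223333 is a documentation placeholder account ID).
SAMPLE_OPTIONS = {
    "AwsAccountId": "111122223333", "AwsRegion": "us-east-1",
    "State": "default-state", "InternetGatewayBlockMode": "off",
    "ManagedBy": "account", "ExclusionsAllowed": "allowed",
}

if __name__ == "__main__":
    print(apply_bpa_mode(FakeEc2(SAMPLE_OPTIONS), "block-bidirectional"))
```

The declarative-policy check comes first on purpose: when ManagedBy is declarative-policy the API call would fail anyway, and automation that retries it only generates noise in CloudTrail.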
{'PoolTagSpecifications': {'ResourceType': {'declarative-policies-report', 'verified-access-endpoint-target'}}}
Provisions an IPv4 or IPv6 address range for use with your Amazon Web Services resources through bring your own IP addresses (BYOIP) and creates a corresponding address pool. After the address range is provisioned, it is ready to be advertised using AdvertiseByoipCidr.
Amazon Web Services verifies that you own the address range and are authorized to advertise it. You must ensure that the address range is registered to you and that you created an RPKI ROA to authorize Amazon ASNs 16509 and 14618 to advertise the address range. For more information, see Bring your own IP addresses (BYOIP) in the Amazon EC2 User Guide.
Provisioning an address range is an asynchronous operation, so the call returns immediately, but the address range is not ready to use until its status changes from pending-provision to provisioned. To monitor the status of an address range, use DescribeByoipCidrs. To allocate an Elastic IP address from your IPv4 address pool, use AllocateAddress with either the specific address from the address pool or the ID of the address pool.
See also: AWS API Documentation
Request Syntax
client.provision_byoip_cidr( Cidr='string', CidrAuthorizationContext={ 'Message': 'string', 'Signature': 'string' }, PubliclyAdvertisable=True|False, Description='string', DryRun=True|False, PoolTagSpecifications=[ { 'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'declarative-policies-report'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'verified-access-endpoint-target'|'ipam-external-resource-verification-token', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ] }, ], MultiRegion=True|False, NetworkBorderGroup='string' )
Cidr (string) -- [REQUIRED]
The public IPv4 or IPv6 address range, in CIDR notation. The most specific IPv4 prefix that you can specify is /24. The most specific IPv6 address range that you can bring is /48 for CIDRs that are publicly advertisable and /56 for CIDRs that are not publicly advertisable. The address range cannot overlap with another address range that you've brought to this or another Region.
CidrAuthorizationContext (dict) --
A signed document that proves that you are authorized to bring the specified IP address range to Amazon using BYOIP.
Message (string) -- [REQUIRED]
The plain-text authorization message for the prefix and account.
Signature (string) -- [REQUIRED]
The signed authorization message for the prefix and account.
PubliclyAdvertisable (boolean) --
(IPv6 only) Indicate whether the address range will be publicly advertised to the internet.
Default: true
Description (string) --
A description for the address range and the address pool.
DryRun (boolean) --
Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
PoolTagSpecifications (list) --
The tags to apply to the address pool.
(dict) --
The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
ResourceType (string) --
The type of resource to tag on creation.
Tags (list) --
The tags to apply to the resource.
(dict) --
Describes a tag.
Key (string) --
The key of the tag.
Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
Value (string) --
The value of the tag.
Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
MultiRegion (boolean) --
Reserved.
NetworkBorderGroup (string) --
If you have Local Zones enabled, you can choose a network border group for Local Zones when you provision and advertise a BYOIPv4 CIDR. Choose the network border group carefully as the EIP and the Amazon Web Services resource it is associated with must reside in the same network border group.
You can provision BYOIP address ranges to and advertise them in the following Local Zone network border groups:
us-east-1-dfw-2
us-west-2-lax-1
us-west-2-phx-2
Return type
dict
Response Syntax
{ 'ByoipCidr': { 'Cidr': 'string', 'Description': 'string', 'AsnAssociations': [ { 'Asn': 'string', 'Cidr': 'string', 'StatusMessage': 'string', 'State': 'disassociated'|'failed-disassociation'|'failed-association'|'pending-disassociation'|'pending-association'|'associated' }, ], 'StatusMessage': 'string', 'State': 'advertised'|'deprovisioned'|'failed-deprovision'|'failed-provision'|'pending-deprovision'|'pending-provision'|'provisioned'|'provisioned-not-publicly-advertisable', 'NetworkBorderGroup': 'string' } }
Response Structure
(dict) --
ByoipCidr (dict) --
Information about the address range.
Cidr (string) --
The address range, in CIDR notation.
Description (string) --
The description of the address range.
AsnAssociations (list) --
The BYOIP CIDR associations with ASNs.
(dict) --
An Autonomous System Number (ASN) and BYOIP CIDR association.
Asn (string) --
The association's ASN.
Cidr (string) --
The association's CIDR.
StatusMessage (string) --
The association's status message.
State (string) --
The association's state.
StatusMessage (string) --
Upon success, contains the ID of the address pool. Otherwise, contains an error message.
State (string) --
The state of the address range.
advertised: The address range is being advertised to the internet by Amazon Web Services.
deprovisioned: The address range is deprovisioned.
failed-deprovision: The request to deprovision the address range was unsuccessful. Ensure that all EIPs from the range have been deallocated and try again.
failed-provision: The request to provision the address range was unsuccessful.
pending-deprovision: You’ve submitted a request to deprovision an address range and it's pending.
pending-provision: You’ve submitted a request to provision an address range and it's pending.
provisioned: The address range is provisioned and can be advertised. The range is not currently advertised.
provisioned-not-publicly-advertisable: The address range is provisioned and cannot be advertised.
NetworkBorderGroup (string) --
If you have Local Zones enabled, you can choose a network border group for Local Zones when you provision and advertise a BYOIPv4 CIDR. Choose the network border group carefully as the EIP and the Amazon Web Services resource it is associated with must reside in the same network border group.
You can provision BYOIP address ranges to and advertise them in the following Local Zone network border groups:
us-east-1-dfw-2
us-west-2-lax-1
us-west-2-phx-2
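Added example, not from the boto3 documentation: it checks a CIDR against the Cidr constraints stated above (most specific prefix for IPv4, advertised IPv6 and non-advertised IPv6; no host bits set; no overlap with ranges already brought) before calling provision_byoip_cidr, then polls describe_byoip_cidrs until the state leaves pending-provision, as the description recommends, and raises on failed-provision. FakeEc2, the CIDRs (RFC 5737 and RFC 3849 documentation ranges) and the CidrAuthorizationContext values are constructed placeholders; a real Message and Signature must be produced as the BYOIP guide referenced above describes.

```python
"""Added example: check a BYOIP range against the ProvisionByoipCidr
constraints, submit it, and poll until provisioning settles."""
import ipaddress
import time

# Most specific prefix accepted, from the Cidr parameter description.
MAX_PREFIX = {"ipv4": 24, "ipv6_advertised": 48, "ipv6_not_advertised": 56}
TERMINAL_STATES = {"provisioned", "provisioned-not-publicly-advertisable", "failed-provision"}


def byoip_cidr_problems(cidr, publicly_advertisable=True, existing=()):
    """Return a list of constraint violations; an empty list means acceptable."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict rejects host bits set
    except ValueError as exc:
        return [f"{cidr}: {exc}"]
    if net.version == 4:
        limit = MAX_PREFIX["ipv4"]
    else:
        limit = MAX_PREFIX["ipv6_advertised" if publicly_advertisable else "ipv6_not_advertised"]
    problems = []
    if net.prefixlen > limit:
        problems.append(f"{cidr}: /{net.prefixlen} is more specific than the /{limit} limit")
    for other in existing:
        other_net = ipaddress.ip_network(other)
        if other_net.version == net.version and net.overlaps(other_net):
            problems.append(f"{cidr}: overlaps a range already brought to AWS: {other}")
    return problems


def wait_for_provision(client, cidr, max_polls=60, interval=60, sleep=time.sleep):
    """Poll describe_byoip_cidrs until the range leaves pending-provision.
    Returns the ByoipCidr dict; raises RuntimeError on failed-provision."""
    state = "unknown"
    for _ in range(max_polls):
        resp = client.describe_byoip_cidrs(MaxResults=100)  # MaxResults is required
        entry = next((b for b in resp["ByoipCidrs"] if b["Cidr"] == cidr), None)
        if entry is None:
            raise RuntimeError(f"{cidr} not returned by DescribeByoipCidrs")
        state = entry["State"]
        if state == "failed-provision":
            raise RuntimeError(f"{cidr} failed: {entry.get('StatusMessage')}")
        if state in TERMINAL_STATES:
            return entry
        sleep(interval)
    raise TimeoutError(f"{cidr} still {state} after {max_polls} polls")


def provision_and_wait(client, cidr, auth_context, publicly_advertisable=True,
                       existing=(), sleep=time.sleep):
    """Validate, call provision_byoip_cidr, then wait for a terminal state."""
    problems = byoip_cidr_problems(cidr, publicly_advertisable, existing)
    if problems:
        raise ValueError("; ".join(problems))
    kwargs = {"Cidr": cidr, "CidrAuthorizationContext": auth_context}
    if ipaddress.ip_network(cidr).version == 6:
        kwargs["PubliclyAdvertisable"] = publicly_advertisable  # IPv6 only
    client.provision_byoip_cidr(**kwargs)
    return wait_for_provision(client, cidr, sleep=sleep)


class FakeEc2:
    """Constructed stand-in for boto3.client('ec2'): the range stays
    pending-provision for `pending_polls` describe calls, then settles."""
    def __init__(self, cidr, pending_polls=2, final_state="provisioned"):
        self.cidr, self.pending_polls, self.final_state = cidr, pending_polls, final_state
        self.describe_calls = 0

    def provision_byoip_cidr(self, Cidr, CidrAuthorizationContext, **kwargs):
        if Cidr != self.cidr or not {"Message", "Signature"} <= set(CidrAuthorizationContext):
            raise ValueError("bad request")
        return {"ByoipCidr": {"Cidr": Cidr, "State": "pending-provision"}}

    def describe_byoip_cidrs(self, MaxResults=100, **kwargs):
        self.describe_calls += 1
        state = "pending-provision" if self.describe_calls <= self.pending_polls else self.final_state
        return {"ByoipCidrs": [{"Cidr": self.cidr, "State": state,
                                "StatusMessage": "constructed status message"}]}


# Constructed placeholders: a documentation range and a dummy authorization
# context. A real Message/Signature pair is produced as the BYOIP guide describes.
SAMPLE_CIDR = "203.0.113.0/24"
SAMPLE_AUTH_CONTEXT = {"Message": "placeholder-message", "Signature": "placeholder-signature"}

if __name__ == "__main__":
    client = FakeEc2(SAMPLE_CIDR)
    print(provision_and_wait(client, SAMPLE_CIDR, SAMPLE_AUTH_CONTEXT, sleep=lambda s: None))
```

wait_for_provision reads a single page of describe_byoip_cidrs; an account with more than 100 BYOIP ranges needs the NextToken loop or a paginator. The sleep argument exists so the polling loop can be exercised without real delays.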
{'SpotFleetRequestConfig': {'LaunchSpecifications': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}, 'TagSpecifications': {'ResourceType': {'declarative-policies-report', 'verified-access-endpoint-target'}}}, 'LaunchTemplateConfigs': {'Overrides': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}, 'TagSpecifications': {'ResourceType': {'declarative-policies-report', 'verified-access-endpoint-target'}}}}
{'LaunchSpecification': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}
Response
{'SpotInstanceRequests': {'LaunchSpecification': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}}
{'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}
Response
{'Instances': {'InstanceType': {'i7ie.12xlarge', 'i7ie.18xlarge', 'i7ie.24xlarge', 'i7ie.2xlarge', 'i7ie.3xlarge', 'i7ie.48xlarge', 'i7ie.6xlarge', 'i7ie.large', 'i7ie.xlarge', 'i8g.12xlarge', 'i8g.16xlarge', 'i8g.24xlarge', 'i8g.2xlarge', 'i8g.4xlarge', 'i8g.8xlarge', 'i8g.large', 'i8g.metal-24xl', 'i8g.xlarge'}}}