Access Analyzer

2021/01/27 - Access Analyzer - 4 updated api methods

Changes  This release adds Secrets Manager secrets as a supported resource in IAM Access Analyzer to help you identify secrets that can be accessed from outside your account or AWS organization.

GetAnalyzedResource (updated) Link ¶
Changes (response)
{'resource': {'resourceType': {'AWS::SecretsManager::Secret'}}}

Retrieves information about a resource that was analyzed.

See also: AWS API Documentation

Request Syntax

client.get_analyzed_resource(
    analyzerArn='string',
    resourceArn='string'
)
type analyzerArn

string

param analyzerArn

[REQUIRED]

The ARN of the analyzer to retrieve information from.

type resourceArn

string

param resourceArn

[REQUIRED]

The ARN of the resource to retrieve information about.

rtype

dict

returns

Response Syntax

{
    'resource': {
        'actions': [
            'string',
        ],
        'analyzedAt': datetime(2015, 1, 1),
        'createdAt': datetime(2015, 1, 1),
        'error': 'string',
        'isPublic': True|False,
        'resourceArn': 'string',
        'resourceOwnerAccount': 'string',
        'resourceType': 'AWS::S3::Bucket'|'AWS::IAM::Role'|'AWS::SQS::Queue'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::KMS::Key'|'AWS::SecretsManager::Secret',
        'sharedVia': [
            'string',
        ],
        'status': 'ACTIVE'|'ARCHIVED'|'RESOLVED',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    The response to the request.

    • resource (dict) --

      An AnalyedResource object that contains information that Access Analyzer found when it analyzed the resource.

      • actions (list) --

        The actions that an external principal is granted permission to use by the policy that generated the finding.

        • (string) --

      • analyzedAt (datetime) --

        The time at which the resource was analyzed.

      • createdAt (datetime) --

        The time at which the finding was created.

      • error (string) --

        An error message.

      • isPublic (boolean) --

        Indicates whether the policy that generated the finding grants public access to the resource.

      • resourceArn (string) --

        The ARN of the resource that was analyzed.

      • resourceOwnerAccount (string) --

        The AWS account ID that owns the resource.

      • resourceType (string) --

        The type of the resource that was analyzed.

      • sharedVia (list) --

        Indicates how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.

        • (string) --

      • status (string) --

        The current status of the finding generated from the analyzed resource.

      • updatedAt (datetime) --

        The time at which the finding was updated.

GetFinding (updated) Link ¶
Changes (response)
{'finding': {'resourceType': {'AWS::SecretsManager::Secret'}}}

Retrieves information about the specified finding.

See also: AWS API Documentation

Request Syntax

client.get_finding(
    analyzerArn='string',
    id='string'
)
type analyzerArn

string

param analyzerArn

[REQUIRED]

The ARN of the analyzer that generated the finding.

type id

string

param id

[REQUIRED]

The ID of the finding to retrieve.

rtype

dict

returns

Response Syntax

{
    'finding': {
        'action': [
            'string',
        ],
        'analyzedAt': datetime(2015, 1, 1),
        'condition': {
            'string': 'string'
        },
        'createdAt': datetime(2015, 1, 1),
        'error': 'string',
        'id': 'string',
        'isPublic': True|False,
        'principal': {
            'string': 'string'
        },
        'resource': 'string',
        'resourceOwnerAccount': 'string',
        'resourceType': 'AWS::S3::Bucket'|'AWS::IAM::Role'|'AWS::SQS::Queue'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::KMS::Key'|'AWS::SecretsManager::Secret',
        'sources': [
            {
                'detail': {
                    'accessPointArn': 'string'
                },
                'type': 'POLICY'|'BUCKET_ACL'|'S3_ACCESS_POINT'
            },
        ],
        'status': 'ACTIVE'|'ARCHIVED'|'RESOLVED',
        'updatedAt': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    The response to the request.

    • finding (dict) --

      A finding object that contains finding details.

      • action (list) --

        The action in the analyzed policy statement that an external principal has permission to use.

        • (string) --

      • analyzedAt (datetime) --

        The time at which the resource was analyzed.

      • condition (dict) --

        The condition in the analyzed policy statement that resulted in a finding.

        • (string) --

          • (string) --

      • createdAt (datetime) --

        The time at which the finding was generated.

      • error (string) --

        An error.

      • id (string) --

        The ID of the finding.

      • isPublic (boolean) --

        Indicates whether the policy that generated the finding allows public access to the resource.

      • principal (dict) --

        The external principal that access to a resource within the zone of trust.

        • (string) --

          • (string) --

      • resource (string) --

        The resource that an external principal has access to.

      • resourceOwnerAccount (string) --

        The AWS account ID that owns the resource.

      • resourceType (string) --

        The type of the resource reported in the finding.

      • sources (list) --

        The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.

        • (dict) --

          The source of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.

          • detail (dict) --

            Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.

            • accessPointArn (string) --

              The ARN of the access point that generated the finding.

          • type (string) --

            Indicates the type of access that generated the finding.

      • status (string) --

        The current status of the finding.

      • updatedAt (datetime) --

        The time at which the finding was updated.

ListAnalyzedResources (updated) Link ¶
Changes (request, response)
Request
{'resourceType': {'AWS::SecretsManager::Secret'}}
Response
{'analyzedResources': {'resourceType': {'AWS::SecretsManager::Secret'}}}

Retrieves a list of resources of the specified type that have been analyzed by the specified analyzer..

See also: AWS API Documentation

Request Syntax

client.list_analyzed_resources(
    analyzerArn='string',
    maxResults=123,
    nextToken='string',
    resourceType='AWS::S3::Bucket'|'AWS::IAM::Role'|'AWS::SQS::Queue'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::KMS::Key'|'AWS::SecretsManager::Secret'
)
type analyzerArn

string

param analyzerArn

[REQUIRED]

The ARN of the analyzer to retrieve a list of analyzed resources from.

type maxResults

integer

param maxResults

The maximum number of results to return in the response.

type nextToken

string

param nextToken

A token used for pagination of results returned.

type resourceType

string

param resourceType

The type of resource.

rtype

dict

returns

Response Syntax

{
    'analyzedResources': [
        {
            'resourceArn': 'string',
            'resourceOwnerAccount': 'string',
            'resourceType': 'AWS::S3::Bucket'|'AWS::IAM::Role'|'AWS::SQS::Queue'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::KMS::Key'|'AWS::SecretsManager::Secret'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    The response to the request.

    • analyzedResources (list) --

      A list of resources that were analyzed.

      • (dict) --

        Contains the ARN of the analyzed resource.

        • resourceArn (string) --

          The ARN of the analyzed resource.

        • resourceOwnerAccount (string) --

          The AWS account ID that owns the resource.

        • resourceType (string) --

          The type of resource that was analyzed.

    • nextToken (string) --

      A token used for pagination of results returned.

ListFindings (updated) Link ¶
Changes (response)
{'findings': {'resourceType': {'AWS::SecretsManager::Secret'}}}

Retrieves a list of findings generated by the specified analyzer.

To learn about filter keys that you can use to create an archive rule, see Access Analyzer filter keys in the IAM User Guide .

See also: AWS API Documentation

Request Syntax

client.list_findings(
    analyzerArn='string',
    filter={
        'string': {
            'contains': [
                'string',
            ],
            'eq': [
                'string',
            ],
            'exists': True|False,
            'neq': [
                'string',
            ]
        }
    },
    maxResults=123,
    nextToken='string',
    sort={
        'attributeName': 'string',
        'orderBy': 'ASC'|'DESC'
    }
)
type analyzerArn

string

param analyzerArn

[REQUIRED]

The ARN of the analyzer to retrieve findings from.

type filter

dict

param filter

A filter to match for the findings to return.

  • (string) --

    • (dict) --

      The criteria to use in the filter that defines the archive rule.

      • contains (list) --

        A "contains" operator to match for the filter used to create the rule.

        • (string) --

      • eq (list) --

        An "equals" operator to match for the filter used to create the rule.

        • (string) --

      • exists (boolean) --

        An "exists" operator to match for the filter used to create the rule.

      • neq (list) --

        A "not equals" operator to match for the filter used to create the rule.

        • (string) --

type maxResults

integer

param maxResults

The maximum number of results to return in the response.

type nextToken

string

param nextToken

A token used for pagination of results returned.

type sort

dict

param sort

The sort order for the findings returned.

  • attributeName (string) --

    The name of the attribute to sort on.

  • orderBy (string) --

    The sort order, ascending or descending.

rtype

dict

returns

Response Syntax

{
    'findings': [
        {
            'action': [
                'string',
            ],
            'analyzedAt': datetime(2015, 1, 1),
            'condition': {
                'string': 'string'
            },
            'createdAt': datetime(2015, 1, 1),
            'error': 'string',
            'id': 'string',
            'isPublic': True|False,
            'principal': {
                'string': 'string'
            },
            'resource': 'string',
            'resourceOwnerAccount': 'string',
            'resourceType': 'AWS::S3::Bucket'|'AWS::IAM::Role'|'AWS::SQS::Queue'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::KMS::Key'|'AWS::SecretsManager::Secret',
            'sources': [
                {
                    'detail': {
                        'accessPointArn': 'string'
                    },
                    'type': 'POLICY'|'BUCKET_ACL'|'S3_ACCESS_POINT'
                },
            ],
            'status': 'ACTIVE'|'ARCHIVED'|'RESOLVED',
            'updatedAt': datetime(2015, 1, 1)
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    The response to the request.

    • findings (list) --

      A list of findings retrieved from the analyzer that match the filter criteria specified, if any.

      • (dict) --

        Contains information about a finding.

        • action (list) --

          The action in the analyzed policy statement that an external principal has permission to use.

          • (string) --

        • analyzedAt (datetime) --

          The time at which the resource-based policy that generated the finding was analyzed.

        • condition (dict) --

          The condition in the analyzed policy statement that resulted in a finding.

          • (string) --

            • (string) --

        • createdAt (datetime) --

          The time at which the finding was created.

        • error (string) --

          The error that resulted in an Error finding.

        • id (string) --

          The ID of the finding.

        • isPublic (boolean) --

          Indicates whether the finding reports a resource that has a policy that allows public access.

        • principal (dict) --

          The external principal that has access to a resource within the zone of trust.

          • (string) --

            • (string) --

        • resource (string) --

          The resource that the external principal has access to.

        • resourceOwnerAccount (string) --

          The AWS account ID that owns the resource.

        • resourceType (string) --

          The type of the resource that the external principal has access to.

        • sources (list) --

          The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.

          • (dict) --

            The source of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.

            • detail (dict) --

              Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.

              • accessPointArn (string) --

                The ARN of the access point that generated the finding.

            • type (string) --

              Indicates the type of access that generated the finding.

        • status (string) --

          The status of the finding.

        • updatedAt (datetime) --

          The time at which the finding was most recently updated.

    • nextToken (string) --

      A token used for pagination of results returned.