Access Analyzer Update: This release adds support for the creation and management of IAM Access Analyzer analyzers with type organization. An analyzer with type organization continuously monitors all supported resources within the AWS organization and reports findings when they allow access from outside the organization.

AWS · AWS · commit 13860dfd1585 · 2020-03-30T18:10:31.000Z
diff --git a/.changes/next-release/feature-AccessAnalyzer-bf397d1.json b/.changes/next-release/feature-AccessAnalyzer-bf397d1.json
@@ -0,0 +1,5 @@
+{
+    "type": "feature",
+    "category": "Access Analyzer",
+    "description": "This release adds support for the creation and management of IAM Access Analyzer analyzers with type organization. An analyzer with type organization continuously monitors all supported resources within the AWS organization and reports findings when they allow access from outside the organization."
+}
diff --git a/services/accessanalyzer/src/main/resources/codegen-resources/service-2.json b/services/accessanalyzer/src/main/resources/codegen-resources/service-2.json
@@ -365,6 +365,7 @@
         "createdAt",
         "isPublic",
         "resourceArn",
+        "resourceOwnerAccount",
         "resourceType",
         "updatedAt"
       ],
@@ -393,6 +394,10 @@
           "shape":"ResourceArn",
           "documentation":"<p>The ARN of the resource that was analyzed.</p>"
         },
+        "resourceOwnerAccount":{
+          "shape":"String",
+          "documentation":"<p>The AWS account ID that owns the resource.</p>"
+        },
         "resourceType":{
           "shape":"ResourceType",
           "documentation":"<p>The type of the resource that was analyzed.</p>"
@@ -416,13 +421,18 @@
       "type":"structure",
       "required":[
         "resourceArn",
+        "resourceOwnerAccount",
         "resourceType"
       ],
       "members":{
         "resourceArn":{
           "shape":"ResourceArn",
           "documentation":"<p>The ARN of the analyzed resource.</p>"
         },
+        "resourceOwnerAccount":{
+          "shape":"String",
+          "documentation":"<p>The AWS account ID that owns the resource.</p>"
+        },
         "resourceType":{
           "shape":"ResourceType",
           "documentation":"<p>The type of resource that was analyzed.</p>"
@@ -438,12 +448,22 @@
       "type":"string",
       "pattern":"^[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:analyzer/.{1,255}$"
     },
+    "AnalyzerStatus":{
+      "type":"string",
+      "enum":[
+        "ACTIVE",
+        "CREATING",
+        "DISABLED",
+        "FAILED"
+      ]
+    },
     "AnalyzerSummary":{
       "type":"structure",
       "required":[
         "arn",
         "createdAt",
         "name",
+        "status",
         "type"
       ],
       "members":{
@@ -467,6 +487,14 @@
           "shape":"Name",
           "documentation":"<p>The name of the analyzer.</p>"
         },
+        "status":{
+          "shape":"AnalyzerStatus",
+          "documentation":"<p>The status of the analyzer. An <code>Active</code> analyzer successfully monitors supported resources and generates new findings. The analyzer is <code>Disabled</code> when a user action, such as removing trusted access for IAM Access Analyzer from AWS Organizations, causes the analyzer to stop generating new findings. The status is <code>Creating</code> when the analyzer creation is in progress and <code>Failed</code> when the analyzer creation has failed. </p>"
+        },
+        "statusReason":{
+          "shape":"StatusReason",
+          "documentation":"<p>The <code>statusReason</code> provides more details about the current status of the analyzer. For example, if the creation for the analyzer fails, a <code>Failed</code> status is displayed. For an analyzer with organization as the type, this failure can be due to an issue with creating the service-linked roles required in the member accounts of the AWS organization.</p>"
+        },
         "tags":{
           "shape":"TagsMap",
           "documentation":"<p>The tags added to the analyzer.</p>"
@@ -702,6 +730,7 @@
         "condition",
         "createdAt",
         "id",
+        "resourceOwnerAccount",
         "resourceType",
         "status",
         "updatedAt"
@@ -743,6 +772,10 @@
           "shape":"String",
           "documentation":"<p>The resource that an external principal has access to.</p>"
         },
+        "resourceOwnerAccount":{
+          "shape":"String",
+          "documentation":"<p>The AWS account ID that owns the resource.</p>"
+        },
         "resourceType":{
           "shape":"ResourceType",
           "documentation":"<p>The type of the resource reported in the finding.</p>"
@@ -785,6 +818,7 @@
         "condition",
         "createdAt",
         "id",
+        "resourceOwnerAccount",
         "resourceType",
         "status",
         "updatedAt"
@@ -826,6 +860,10 @@
           "shape":"String",
           "documentation":"<p>The resource that the external principal has access to.</p>"
         },
+        "resourceOwnerAccount":{
+          "shape":"String",
+          "documentation":"<p>The AWS account ID that owns the resource.</p>"
+        },
         "resourceType":{
           "shape":"ResourceType",
           "documentation":"<p>The type of the resource that the external principal has access to.</p>"
@@ -1206,6 +1244,15 @@
       "key":{"shape":"String"},
       "value":{"shape":"String"}
     },
+    "ReasonCode":{
+      "type":"string",
+      "enum":[
+        "AWS_SERVICE_ACCESS_DISABLED",
+        "DELEGATED_ADMINISTRATOR_DEREGISTERED",
+        "ORGANIZATION_DELETED",
+        "SERVICE_LINKED_ROLE_CREATION_FAILED"
+      ]
+    },
     "ResourceArn":{
       "type":"string",
       "pattern":"arn:[^:]*:[^:]*:[^:]*:[^:]*:.*$"
@@ -1307,6 +1354,17 @@
       },
       "documentation":"<p>Starts a scan of the policies applied to the specified resource.</p>"
     },
+    "StatusReason":{
+      "type":"structure",
+      "required":["code"],
+      "members":{
+        "code":{
+          "shape":"ReasonCode",
+          "documentation":"<p>The reason code for the current status of the analyzer.</p>"
+        }
+      },
+      "documentation":"<p>Provides more details about the current status of the analyzer. For example, if the creation for the analyzer fails, a <code>Failed</code> status is displayed. For an analyzer with organization as the type, this failure can be due to an issue with creating the service-linked roles required in the member accounts of the AWS organization.</p>"
+    },
     "String":{"type":"string"},
     "TagKeys":{
       "type":"list",
@@ -1369,7 +1427,10 @@
     "Token":{"type":"string"},
     "Type":{
       "type":"string",
-      "enum":["ACCOUNT"]
+      "enum":[
+        "ACCOUNT",
+        "ORGANIZATION"
+      ]
     },
     "UntagResourceRequest":{
       "type":"structure",
