Access Analyzer Update: This release adds support for policy validation and external access findings for resource control policies (RCP). IAM Access Analyzer helps you author functional and secure RCPs and awareness that a RCP may restrict external access. Updated service API, documentation, and paginators.

AWS · AWS · commit fc96be37d65a · 2024-11-13T19:08:28.000Z
diff --git a/.changes/next-release/feature-AccessAnalyzer-5b0ee32.json b/.changes/next-release/feature-AccessAnalyzer-5b0ee32.json
@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "Access Analyzer",
+    "contributor": "",
+    "description": "This release adds support for policy validation and external access findings for resource control policies (RCP). IAM Access Analyzer helps you author functional and secure RCPs and awareness that a RCP may restrict external access. Updated service API, documentation, and paginators."
+}
diff --git a/services/accessanalyzer/src/main/resources/codegen-resources/service-2.json b/services/accessanalyzer/src/main/resources/codegen-resources/service-2.json
@@ -2,6 +2,7 @@
   "version":"2.0",
   "metadata":{
     "apiVersion":"2019-11-01",
+    "auth":["aws.auth#sigv4"],
     "endpointPrefix":"access-analyzer",
     "protocol":"rest-json",
     "protocols":["rest-json"],
@@ -660,7 +661,7 @@
         },
         "resources":{
           "shape":"AccessResourcesList",
-          "documentation":"<p>A list of resources for the access permissions. Any strings that can be used as a resource in an IAM policy can be used in the list of resources to check.</p>"
+          "documentation":"<p>A list of resources for the access permissions. Any strings that can be used as an Amazon Resource Name (ARN) in an IAM policy can be used in the list of resources to check. You can only use a wildcard in the portion of the ARN that specifies the resource ID.</p>"
         }
       },
       "documentation":"<p>Contains information about actions and resources that define permissions to check against a policy.</p>"
@@ -830,6 +831,10 @@
         "sources":{
           "shape":"FindingSourceList",
           "documentation":"<p>The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.</p>"
+        },
+        "resourceControlPolicyRestriction":{
+          "shape":"ResourceControlPolicyRestriction",
+          "documentation":"<p>The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).</p>"
         }
       },
       "documentation":"<p>An access preview finding generated by the access preview.</p>"
@@ -1197,11 +1202,11 @@
         },
         "access":{
           "shape":"CheckAccessNotGrantedRequestAccessList",
-          "documentation":"<p>An access object containing the permissions that shouldn't be granted by the specified policy. If only actions are specified, IAM Access Analyzer checks for access of the actions on all resources in the policy. If only resources are specified, then IAM Access Analyzer checks which actions have access to the specified resources. If both actions and resources are specified, then IAM Access Analyzer checks which of the specified actions have access to the specified resources.</p>"
+          "documentation":"<p>An access object containing the permissions that shouldn't be granted by the specified policy. If only actions are specified, IAM Access Analyzer checks for access to peform at least one of the actions on any resource in the policy. If only resources are specified, then IAM Access Analyzer checks for access to perform any action on at least one of the resources. If both actions and resources are specified, IAM Access Analyzer checks for access to perform at least one of the specified actions on at least one of the specified resources.</p>"
         },
         "policyType":{
           "shape":"AccessCheckPolicyType",
-          "documentation":"<p>The type of policy. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups.</p> <p>Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic input such as identity policy or resource policy or a specific input such as managed policy or Amazon S3 bucket policy.</p>"
+          "documentation":"<p>The type of policy. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups.</p> <p>Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets.</p>"
         }
       }
     },
@@ -1749,6 +1754,10 @@
         "sources":{
           "shape":"FindingSourceList",
           "documentation":"<p>The sources of the external access finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.</p>"
+        },
+        "resourceControlPolicyRestriction":{
+          "shape":"ResourceControlPolicyRestriction",
+          "documentation":"<p>The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).</p>"
         }
       },
       "documentation":"<p>Contains information about an external access finding.</p>"
@@ -1826,6 +1835,10 @@
         "sources":{
           "shape":"FindingSourceList",
           "documentation":"<p>The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.</p>"
+        },
+        "resourceControlPolicyRestriction":{
+          "shape":"ResourceControlPolicyRestriction",
+          "documentation":"<p>The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).</p>"
         }
       },
       "documentation":"<p>Contains information about a finding.</p>"
@@ -1999,6 +2012,10 @@
         "sources":{
           "shape":"FindingSourceList",
           "documentation":"<p>The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.</p>"
+        },
+        "resourceControlPolicyRestriction":{
+          "shape":"ResourceControlPolicyRestriction",
+          "documentation":"<p>The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).</p>"
         }
       },
       "documentation":"<p>Contains information about a finding.</p>"
@@ -3256,7 +3273,8 @@
       "enum":[
         "IDENTITY_POLICY",
         "RESOURCE_POLICY",
-        "SERVICE_CONTROL_POLICY"
+        "SERVICE_CONTROL_POLICY",
+        "RESOURCE_CONTROL_POLICY"
       ]
     },
     "Position":{
@@ -3453,6 +3471,14 @@
       "type":"string",
       "pattern":"arn:[^:]*:[^:]*:[^:]*:[^:]*:.*"
     },
+    "ResourceControlPolicyRestriction":{
+      "type":"string",
+      "enum":[
+        "APPLICABLE",
+        "FAILED_TO_EVALUATE_RCP",
+        "NOT_APPLICABLE"
+      ]
+    },
     "ResourceNotFoundException":{
       "type":"structure",
       "required":[
