aws
diff --git a/‎.changes/2.1639.0.json
+27 b/‎.changes/2.1639.0.json
+27
diff --git a/‎CHANGELOG.md
+8-1 b/‎CHANGELOG.md
+8-1
diff --git a/‎README.md
+1-1 b/‎README.md
+1-1
diff --git a/‎apis/accessanalyzer-2019-11-01.examples.json
+196 b/‎apis/accessanalyzer-2019-11-01.examples.json
+196
@@ -0,0 +1,27 @@
+[
+    {
+        "type": "feature",
+        "category": "AccessAnalyzer",
+        "description": "IAM Access Analyzer now provides policy recommendations to help resolve unused permissions for IAM roles and users. Additionally, IAM Access Analyzer now extends its custom policy checks to detect when IAM policies grant public access or access to critical resources ahead of deployments."
+    },
+    {
+        "type": "feature",
+        "category": "GuardDuty",
+        "description": "Added API support for GuardDuty Malware Protection for S3."
+    },
+    {
+        "type": "feature",
+        "category": "NetworkManager",
+        "description": "This is model changes & documentation update for Service Insertion feature for AWS Cloud WAN. This feature allows insertion of AWS/3rd party security services on Cloud WAN. This allows to steer inter/intra segment traffic via security appliances and provide visibility to the route updates."
+    },
+    {
+        "type": "feature",
+        "category": "PcaConnectorScep",
+        "description": "Connector for SCEP allows you to use a managed, cloud CA to enroll mobile devices and networking gear. SCEP is a widely-adopted protocol used by mobile device management (MDM) solutions for enrolling mobile devices. With the connector, you can use AWS Private CA with popular MDM solutions."
+    },
+    {
+        "type": "feature",
+        "category": "SageMaker",
+        "description": "Introduced Scope and AuthenticationRequestExtraParams to SageMaker Workforce OIDC configuration; this allows customers to modify these options for their private Workforce IdP integration. Model Registry Cross-account model package groups are discoverable."
+    }
+]
@@ -1,7 +1,14 @@
 # Changelog for AWS SDK for JavaScript
-<!--LATEST=2.1638.0-->
+<!--LATEST=2.1639.0-->
 <!--ENTRYINSERT-->
 
+## 2.1639.0
+* feature: AccessAnalyzer: IAM Access Analyzer now provides policy recommendations to help resolve unused permissions for IAM roles and users. Additionally, IAM Access Analyzer now extends its custom policy checks to detect when IAM policies grant public access or access to critical resources ahead of deployments.
+* feature: GuardDuty: Added API support for GuardDuty Malware Protection for S3.
+* feature: NetworkManager: This is model changes & documentation update for Service Insertion feature for AWS Cloud WAN. This feature allows insertion of AWS/3rd party security services on Cloud WAN. This allows to steer inter/intra segment traffic via security appliances and provide visibility to the route updates.
+* feature: PcaConnectorScep: Connector for SCEP allows you to use a managed, cloud CA to enroll mobile devices and networking gear. SCEP is a widely-adopted protocol used by mobile device management (MDM) solutions for enrolling mobile devices. With the connector, you can use AWS Private CA with popular MDM solutions.
+* feature: SageMaker: Introduced Scope and AuthenticationRequestExtraParams to SageMaker Workforce OIDC configuration; this allows customers to modify these options for their private Workforce IdP integration. Model Registry Cross-account model package groups are discoverable.
+
 ## 2.1638.0
 * feature: ApplicationSignals: This is the initial SDK release for Amazon CloudWatch Application Signals. Amazon CloudWatch Application Signals provides curated application performance monitoring for developers to monitor and troubleshoot application health using pre-built dashboards and Service Level Objectives.
 * feature: ECS: This release introduces a new cluster configuration to support the customer-managed keys for ECS managed storage encryption.
 
@@ -64,7 +64,7 @@ require('aws-sdk/lib/maintenance_mode_message').suppress = true;
 To use the SDK in the browser, simply add the following script tag to your
 HTML pages:
 
-    <script src="https://sdk.amazonaws.com/js/aws-sdk-2.1638.0.min.js"></script>
+    <script src="https://sdk.amazonaws.com/js/aws-sdk-2.1639.0.min.js"></script>
 
 You can also build a custom browser SDK with your specified set of AWS services.
 This can allow you to reduce the SDK's size, specify different API versions of
 
@@ -1,5 +1,201 @@
 {
   "version": "1.0",
   "examples": {
+    "CheckAccessNotGranted": [
+      {
+        "input": {
+          "access": [
+            {
+              "actions": [
+                "s3:PutObject"
+              ]
+            }
+          ],
+          "policyDocument": "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":\"AllowJohnDoe\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/JohnDoe\"},\"Action\":\"s3:GetObject\",\"Resource\":\"*\"}]}",
+          "policyType": "RESOURCE_POLICY"
+        },
+        "output": {
+          "message": "The policy document does not grant access to perform the listed actions or resources.",
+          "result": "PASS"
+        },
+        "id": "example-1",
+        "title": "Passing check. Restrictive identity policy."
+      },
+      {
+        "input": {
+          "access": [
+            {
+              "resources": [
+                "arn:aws:s3:::sensitive-bucket/*"
+              ]
+            }
+          ],
+          "policyDocument": "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":\"AllowJohnDoe\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/JohnDoe\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::non-sensitive-bucket/*\"}]}",
+          "policyType": "RESOURCE_POLICY"
+        },
+        "output": {
+          "message": "The policy document does not grant access to perform the listed actions or resources.",
+          "result": "PASS"
+        },
+        "id": "example-2",
+        "title": "Passing check. Restrictive S3 Bucket resource policy."
+      },
+      {
+        "input": {
+          "access": [
+            {
+              "resources": [
+                "arn:aws:s3:::my-bucket/*"
+              ]
+            }
+          ],
+          "policyDocument": "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":\"AllowJohnDoe\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/JohnDoe\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::my-bucket/*\"}]}",
+          "policyType": "RESOURCE_POLICY"
+        },
+        "output": {
+          "message": "The policy document grants access to perform one or more of the listed actions or resources.",
+          "reasons": [
+            {
+              "description": "One or more of the listed actions or resources in the statement with sid: AllowJohnDoe.",
+              "statementId": "AllowJohnDoe",
+              "statementIndex": 0
+            }
+          ],
+          "result": "FAIL"
+        },
+        "id": "example-3",
+        "title": "Failing check. Permissive S3 Bucket resource policy."
+      }
+    ],
+    "CheckNoPublicAccess": [
+      {
+        "input": {
+          "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Bob\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:user/JohnDoe\"},\"Action\":[\"s3:GetObject\"]}]}",
+          "resourceType": "AWS::S3::Bucket"
+        },
+        "output": {
+          "message": "The resource policy does not grant public access for the given resource type.",
+          "result": "PASS"
+        },
+        "id": "example-1",
+        "title": "Passing check. S3 Bucket policy without public access."
+      },
+      {
+        "input": {
+          "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Bob\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":[\"s3:GetObject\"]}]}",
+          "resourceType": "AWS::S3::Bucket"
+        },
+        "output": {
+          "message": "The resource policy grants public access for the given resource type.",
+          "reasons": [
+            {
+              "description": "Public access granted in the following statement with sid: Bob.",
+              "statementId": "Bob",
+              "statementIndex": 0
+            }
+          ],
+          "result": "FAIL"
+        },
+        "id": "example-2",
+        "title": "Failing check. S3 Bucket policy with public access."
+      }
+    ],
+    "GenerateFindingRecommendation": [
+      {
+        "input": {
+          "analyzerArn": "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/a",
+          "id": "finding-id"
+        },
+        "output": {
+        },
+        "id": "example-1",
+        "title": "Successfully started generating finding recommendation"
+      },
+      {
+        "input": {
+          "analyzerArn": "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/a",
+          "id": "!"
+        },
+        "id": "example-2",
+        "title": "Failed field validation for id value"
+      }
+    ],
+    "GetFindingRecommendation": [
+      {
+        "input": {
+          "analyzerArn": "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/a",
+          "id": "finding-id",
+          "maxResults": 3,
+          "nextToken": "token"
+        },
+        "output": {
+          "completedAt": "2000-01-01T00:00:01Z",
+          "recommendationType": "UnusedPermissionRecommendation",
+          "recommendedSteps": [
+            {
+              "unusedPermissionsRecommendedStep": {
+                "existingPolicyId": "policy-id",
+                "recommendedAction": "DETACH_POLICY"
+              }
+            },
+            {
+              "unusedPermissionsRecommendedStep": {
+                "existingPolicyId": "policy-id",
+                "recommendedAction": "CREATE_POLICY",
+                "recommendedPolicy": "policy-content"
+              }
+            }
+          ],
+          "resourceArn": "arn:aws:iam::111122223333:role/test",
+          "startedAt": "2000-01-01T00:00:00Z",
+          "status": "SUCCEEDED"
+        },
+        "id": "example-1",
+        "title": "Successfully fetched finding recommendation"
+      },
+      {
+        "input": {
+          "analyzerArn": "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/a",
+          "id": "finding-id",
+          "maxResults": 3
+        },
+        "output": {
+          "recommendationType": "UnusedPermissionRecommendation",
+          "resourceArn": "arn:aws:iam::111122223333:role/test",
+          "startedAt": "2000-01-01T00:00:00Z",
+          "status": "IN_PROGRESS"
+        },
+        "id": "example-2",
+        "title": "In progress finding recommendation"
+      },
+      {
+        "input": {
+          "analyzerArn": "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/a",
+          "id": "finding-id",
+          "maxResults": 3
+        },
+        "output": {
+          "completedAt": "2000-01-01T00:00:01Z",
+          "error": {
+            "code": "SERVICE_ERROR",
+            "message": "Service error. Please try again."
+          },
+          "recommendationType": "UnusedPermissionRecommendation",
+          "resourceArn": "arn:aws:iam::111122223333:role/test",
+          "startedAt": "2000-01-01T00:00:00Z",
+          "status": "FAILED"
+        },
+        "id": "example-3",
+        "title": "Failed finding recommendation"
+      },
+      {
+        "input": {
+          "analyzerArn": "arn:aws:access-analyzer:us-east-1:111122223333:analyzer/a",
+          "id": "!"
+        },
+        "id": "example-4",
+        "title": "Failed field validation for id value"
+      }
+    ]
   }
 }