AccessAnalyzerClient

Identity and Access Management Access Analyzer helps you to set, verify, and refine your IAM policies by providing a suite of capabilities. Its features include findings for external and unused access, basic and custom policy checks for validating policies, and policy generation to generate fine-grained policies. To start using IAM Access Analyzer to identify external or unused access, you first need to create an analyzer.

External access analyzers help identify potential risks of accessing resources by enabling you to identify any resource policies that grant access to an external principal. It does this by using logic-based reasoning to analyze resource-based policies in your Amazon Web Services environment. An external principal can be another Amazon Web Services account, a root user, an IAM user or role, a federated user, an Amazon Web Services service, or an anonymous user. You can also use IAM Access Analyzer to preview public and cross-account access to your resources before deploying permissions changes.

Unused access analyzers help identify potential identity access risks by enabling you to identify unused IAM roles, unused access keys, unused console passwords, and IAM principals with unused service and action-level permissions.

Beyond findings, IAM Access Analyzer provides basic and custom policy checks to validate IAM policies before deploying permissions changes. You can use policy generation to refine permissions by attaching a policy generated using access activity logged in CloudTrail logs.

This guide describes the IAM Access Analyzer operations that you can call programmatically. For general information about IAM Access Analyzer, see Identity and Access Management Access Analyzer  in the IAM User Guide.

Installation

NPM
npm install @aws-sdk/client-accessanalyzer
Yarn
yarn add @aws-sdk/client-accessanalyzer
pnpm
pnpm add @aws-sdk/client-accessanalyzer

AccessAnalyzerClient Operations

Command
Summary
ApplyArchiveRuleCommand

Retroactively applies the archive rule to existing findings that meet the archive rule criteria.

CancelPolicyGenerationCommand

Cancels the requested policy generation.

CheckAccessNotGrantedCommand

Checks whether the specified access isn't allowed by a policy.

CheckNoNewAccessCommand

Checks whether new access is allowed for an updated policy when compared to the existing policy.

You can find examples for reference policies and learn how to set up and run a custom policy check for new access in the IAM Access Analyzer custom policy checks samples  repository on GitHub. The reference policies in this repository are meant to be passed to the existingPolicyDocument request parameter.

CheckNoPublicAccessCommand

Checks whether a resource policy can grant public access to the specified resource type.

CreateAccessPreviewCommand

Creates an access preview that allows you to preview IAM Access Analyzer findings for your resource before deploying resource permissions.

CreateAnalyzerCommand

Creates an analyzer for your account.

CreateArchiveRuleCommand

Creates an archive rule for the specified analyzer. Archive rules automatically archive new findings that meet the criteria you define when you create the rule.

To learn about filter keys that you can use to create an archive rule, see IAM Access Analyzer filter keys  in the IAM User Guide.

DeleteAnalyzerCommand

Deletes the specified analyzer. When you delete an analyzer, IAM Access Analyzer is disabled for the account or organization in the current or specific Region. All findings that were generated by the analyzer are deleted. You cannot undo this action.

DeleteArchiveRuleCommand

Deletes the specified archive rule.

GenerateFindingRecommendationCommand

Creates a recommendation for an unused permissions finding.

GetAccessPreviewCommand

Retrieves information about an access preview for the specified analyzer.

GetAnalyzedResourceCommand

Retrieves information about a resource that was analyzed.

GetAnalyzerCommand

Retrieves information about the specified analyzer.

GetArchiveRuleCommand

Retrieves information about an archive rule.

To learn about filter keys that you can use to create an archive rule, see IAM Access Analyzer filter keys  in the IAM User Guide.

GetFindingCommand

Retrieves information about the specified finding. GetFinding and GetFindingV2 both use access-analyzer:GetFinding in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:GetFinding action.

GetFindingRecommendationCommand

Retrieves information about a finding recommendation for the specified analyzer.

GetFindingV2Command

Retrieves information about the specified finding. GetFinding and GetFindingV2 both use access-analyzer:GetFinding in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:GetFinding action.

GetGeneratedPolicyCommand

Retrieves the policy that was generated using StartPolicyGeneration.

ListAccessPreviewFindingsCommand

Retrieves a list of access preview findings generated by the specified access preview.

ListAccessPreviewsCommand

Retrieves a list of access previews for the specified analyzer.

ListAnalyzedResourcesCommand

Retrieves a list of resources of the specified type that have been analyzed by the specified analyzer.

ListAnalyzersCommand

Retrieves a list of analyzers.

ListArchiveRulesCommand

Retrieves a list of archive rules created for the specified analyzer.

ListFindingsCommand

Retrieves a list of findings generated by the specified analyzer. ListFindings and ListFindingsV2 both use access-analyzer:ListFindings in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:ListFindings action.

To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys  in the IAM User Guide.

ListFindingsV2Command

Retrieves a list of findings generated by the specified analyzer. ListFindings and ListFindingsV2 both use access-analyzer:ListFindings in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:ListFindings action.

To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys  in the IAM User Guide.

ListPolicyGenerationsCommand

Lists all of the policy generations requested in the last seven days.

ListTagsForResourceCommand

Retrieves a list of tags applied to the specified resource.

StartPolicyGenerationCommand

Starts the policy generation request.

StartResourceScanCommand

Immediately starts a scan of the policies applied to the specified resource.

TagResourceCommand

Adds a tag to the specified resource.

UntagResourceCommand

Removes a tag from the specified resource.

UpdateAnalyzerCommand

Modifies the configuration of an existing analyzer.

UpdateArchiveRuleCommand

Updates the criteria and values for the specified archive rule.

UpdateFindingsCommand

Updates the status for the specified findings.

ValidatePolicyCommand

Requests the validation of a policy and returns a list of findings. The findings help you identify issues and provide actionable recommendations to resolve the issue and enable you to author functional policies that meet security best practices.

AccessAnalyzerClient Configuration

Parameter
Type
Description
defaultsMode
Optional
DefaultsMode | Provider<DefaultsMode>
The @smithy/smithy-client#DefaultsMode that will be used to determine how certain default configuration options are resolved in the SDK.
disableHostPrefix
Optional
boolean
Disable dynamically changing the endpoint of the client based on the hostPrefix trait of an operation.
extensions
Optional
RuntimeExtension[]
Optional extensions
logger
Optional
Logger
Optional logger for logging debug/info/warn/error.
maxAttempts
Optional
number | Provider<number>
Value for how many times a request will be made at most in case of retry.
profile
Optional
string
Setting a client profile is similar to setting a value for the AWS_PROFILE environment variable. Setting a profile on a client in code only affects the single client instance, unlike AWS_PROFILE.When set, and only for environments where an AWS configuration file exists, fields configurable by this file will be retrieved from the specified profile within that file. Conflicting code configuration and environment variables will still have higher priority.For client credential resolution that involves checking the AWS configuration file, the client's profile (this value) will be used unless a different profile is set in the credential provider options.
region
Optional
string | Provider<string>
The AWS region to which this client will send requests
requestHandler
Optional
__HttpHandlerUserInput
The HTTP handler to use or its constructor options. Fetch in browser and Https in Nodejs.
retryMode
Optional
string | Provider<string>
Specifies which retry algorithm to use.
useDualstackEndpoint
Optional
boolean | Provider<boolean>
Enables IPv6/IPv4 dualstack endpoint.
useFipsEndpoint
Optional
boolean | Provider<boolean>
Enables FIPS compatible endpoints.
Additional config fields are described in the full configuration type: AccessAnalyzerClientConfig