From b2df1e1941cae46ccde7f41d74229408c4d376af Mon Sep 17 00:00:00 2001 From: awstools Date: Thu, 14 Nov 2024 19:14:42 +0000 Subject: [PATCH] feat(client-accessanalyzer): Expand analyzer configuration capabilities for unused access analyzers. Unused access analyzer configurations now support the ability to exclude accounts and resource tags from analysis providing more granular control over the scope of analysis. --- clients/client-accessanalyzer/README.md | 8 + .../src/AccessAnalyzer.ts | 20 +++ .../src/AccessAnalyzerClient.ts | 3 + .../src/commands/CreateAnalyzerCommand.ts | 14 ++ .../src/commands/GetAnalyzerCommand.ts | 14 ++ .../commands/ListAnalyzedResourcesCommand.ts | 3 +- .../src/commands/ListAnalyzersCommand.ts | 14 ++ .../src/commands/UpdateAnalyzerCommand.ts | 147 ++++++++++++++++++ .../src/commands/index.ts | 1 + .../src/models/models_0.ts | 107 +++++++++++-- .../src/protocols/Aws_restJson1.ts | 67 ++++++++ .../aws-models/accessanalyzer.json | 144 ++++++++++++++++- 12 files changed, 524 insertions(+), 18 deletions(-) create mode 100644 clients/client-accessanalyzer/src/commands/UpdateAnalyzerCommand.ts diff --git a/clients/client-accessanalyzer/README.md b/clients/client-accessanalyzer/README.md index fec422425f55e..a84778e9ceb6e 100644 --- a/clients/client-accessanalyzer/README.md +++ b/clients/client-accessanalyzer/README.md @@ -481,6 +481,14 @@ UntagResource [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/accessanalyzer/command/UntagResourceCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/UntagResourceCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/UntagResourceCommandOutput/) + +
+ +UpdateAnalyzer + + +[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/accessanalyzer/command/UpdateAnalyzerCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/UpdateAnalyzerCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/UpdateAnalyzerCommandOutput/) +
diff --git a/clients/client-accessanalyzer/src/AccessAnalyzer.ts b/clients/client-accessanalyzer/src/AccessAnalyzer.ts index f1f46a846879d..3dfb54af2c3fe 100644 --- a/clients/client-accessanalyzer/src/AccessAnalyzer.ts +++ b/clients/client-accessanalyzer/src/AccessAnalyzer.ts @@ -151,6 +151,11 @@ import { UntagResourceCommandInput, UntagResourceCommandOutput, } from "./commands/UntagResourceCommand"; +import { + UpdateAnalyzerCommand, + UpdateAnalyzerCommandInput, + UpdateAnalyzerCommandOutput, +} from "./commands/UpdateAnalyzerCommand"; import { UpdateArchiveRuleCommand, UpdateArchiveRuleCommandInput, @@ -200,6 +205,7 @@ const commands = { StartResourceScanCommand, TagResourceCommand, UntagResourceCommand, + UpdateAnalyzerCommand, UpdateArchiveRuleCommand, UpdateFindingsCommand, ValidatePolicyCommand, @@ -698,6 +704,20 @@ export interface AccessAnalyzer { cb: (err: any, data?: UntagResourceCommandOutput) => void ): void; + /** + * @see {@link UpdateAnalyzerCommand} + */ + updateAnalyzer( + args: UpdateAnalyzerCommandInput, + options?: __HttpHandlerOptions + ): Promise; + updateAnalyzer(args: UpdateAnalyzerCommandInput, cb: (err: any, data?: UpdateAnalyzerCommandOutput) => void): void; + updateAnalyzer( + args: UpdateAnalyzerCommandInput, + options: __HttpHandlerOptions, + cb: (err: any, data?: UpdateAnalyzerCommandOutput) => void + ): void; + /** * @see {@link UpdateArchiveRuleCommand} */ diff --git a/clients/client-accessanalyzer/src/AccessAnalyzerClient.ts b/clients/client-accessanalyzer/src/AccessAnalyzerClient.ts index 57670346377b4..270b4957fffa7 100644 --- a/clients/client-accessanalyzer/src/AccessAnalyzerClient.ts +++ b/clients/client-accessanalyzer/src/AccessAnalyzerClient.ts @@ -121,6 +121,7 @@ import { import { StartResourceScanCommandInput, StartResourceScanCommandOutput } from "./commands/StartResourceScanCommand"; import { TagResourceCommandInput, TagResourceCommandOutput } from "./commands/TagResourceCommand"; import { UntagResourceCommandInput, UntagResourceCommandOutput } from "./commands/UntagResourceCommand"; +import { UpdateAnalyzerCommandInput, UpdateAnalyzerCommandOutput } from "./commands/UpdateAnalyzerCommand"; import { UpdateArchiveRuleCommandInput, UpdateArchiveRuleCommandOutput } from "./commands/UpdateArchiveRuleCommand"; import { UpdateFindingsCommandInput, UpdateFindingsCommandOutput } from "./commands/UpdateFindingsCommand"; import { ValidatePolicyCommandInput, ValidatePolicyCommandOutput } from "./commands/ValidatePolicyCommand"; @@ -171,6 +172,7 @@ export type ServiceInputTypes = | StartResourceScanCommandInput | TagResourceCommandInput | UntagResourceCommandInput + | UpdateAnalyzerCommandInput | UpdateArchiveRuleCommandInput | UpdateFindingsCommandInput | ValidatePolicyCommandInput; @@ -211,6 +213,7 @@ export type ServiceOutputTypes = | StartResourceScanCommandOutput | TagResourceCommandOutput | UntagResourceCommandOutput + | UpdateAnalyzerCommandOutput | UpdateArchiveRuleCommandOutput | UpdateFindingsCommandOutput | ValidatePolicyCommandOutput; diff --git a/clients/client-accessanalyzer/src/commands/CreateAnalyzerCommand.ts b/clients/client-accessanalyzer/src/commands/CreateAnalyzerCommand.ts index a5f439779d647..23e9f0b2f4e22 100644 --- a/clients/client-accessanalyzer/src/commands/CreateAnalyzerCommand.ts +++ b/clients/client-accessanalyzer/src/commands/CreateAnalyzerCommand.ts @@ -64,6 +64,20 @@ export interface CreateAnalyzerCommandOutput extends CreateAnalyzerResponse, __M * configuration: { // AnalyzerConfiguration Union: only one key present * unusedAccess: { // UnusedAccessConfiguration * unusedAccessAge: Number("int"), + * analysisRule: { // AnalysisRule + * exclusions: [ // AnalysisRuleCriteriaList + * { // AnalysisRuleCriteria + * accountIds: [ // AccountIdsList + * "STRING_VALUE", + * ], + * resourceTags: [ // TagsList + * { + * "": "STRING_VALUE", + * }, + * ], + * }, + * ], + * }, * }, * }, * }; diff --git a/clients/client-accessanalyzer/src/commands/GetAnalyzerCommand.ts b/clients/client-accessanalyzer/src/commands/GetAnalyzerCommand.ts index b02f188b0747a..211ab2f3a3684 100644 --- a/clients/client-accessanalyzer/src/commands/GetAnalyzerCommand.ts +++ b/clients/client-accessanalyzer/src/commands/GetAnalyzerCommand.ts @@ -58,6 +58,20 @@ export interface GetAnalyzerCommandOutput extends GetAnalyzerResponse, __Metadat * // configuration: { // AnalyzerConfiguration Union: only one key present * // unusedAccess: { // UnusedAccessConfiguration * // unusedAccessAge: Number("int"), + * // analysisRule: { // AnalysisRule + * // exclusions: [ // AnalysisRuleCriteriaList + * // { // AnalysisRuleCriteria + * // accountIds: [ // AccountIdsList + * // "STRING_VALUE", + * // ], + * // resourceTags: [ // TagsList + * // { + * // "": "STRING_VALUE", + * // }, + * // ], + * // }, + * // ], + * // }, * // }, * // }, * // }, diff --git a/clients/client-accessanalyzer/src/commands/ListAnalyzedResourcesCommand.ts b/clients/client-accessanalyzer/src/commands/ListAnalyzedResourcesCommand.ts index 2f9608eff7568..a060f16e2b5d6 100644 --- a/clients/client-accessanalyzer/src/commands/ListAnalyzedResourcesCommand.ts +++ b/clients/client-accessanalyzer/src/commands/ListAnalyzedResourcesCommand.ts @@ -29,8 +29,7 @@ export interface ListAnalyzedResourcesCommandOutput extends ListAnalyzedResource /** *

Retrieves a list of resources of the specified type that have been analyzed by the - * specified external access analyzer. This action is not supported for unused access - * analyzers.

+ * specified analyzer.

* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-accessanalyzer/src/commands/ListAnalyzersCommand.ts b/clients/client-accessanalyzer/src/commands/ListAnalyzersCommand.ts index fed3137d71ad7..d96ed145144e0 100644 --- a/clients/client-accessanalyzer/src/commands/ListAnalyzersCommand.ts +++ b/clients/client-accessanalyzer/src/commands/ListAnalyzersCommand.ts @@ -61,6 +61,20 @@ export interface ListAnalyzersCommandOutput extends ListAnalyzersResponse, __Met * // configuration: { // AnalyzerConfiguration Union: only one key present * // unusedAccess: { // UnusedAccessConfiguration * // unusedAccessAge: Number("int"), + * // analysisRule: { // AnalysisRule + * // exclusions: [ // AnalysisRuleCriteriaList + * // { // AnalysisRuleCriteria + * // accountIds: [ // AccountIdsList + * // "STRING_VALUE", + * // ], + * // resourceTags: [ // TagsList + * // { + * // "": "STRING_VALUE", + * // }, + * // ], + * // }, + * // ], + * // }, * // }, * // }, * // }, diff --git a/clients/client-accessanalyzer/src/commands/UpdateAnalyzerCommand.ts b/clients/client-accessanalyzer/src/commands/UpdateAnalyzerCommand.ts new file mode 100644 index 0000000000000..d1791e6f0572a --- /dev/null +++ b/clients/client-accessanalyzer/src/commands/UpdateAnalyzerCommand.ts @@ -0,0 +1,147 @@ +// smithy-typescript generated code +import { getEndpointPlugin } from "@smithy/middleware-endpoint"; +import { getSerdePlugin } from "@smithy/middleware-serde"; +import { Command as $Command } from "@smithy/smithy-client"; +import { MetadataBearer as __MetadataBearer } from "@smithy/types"; + +import { AccessAnalyzerClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../AccessAnalyzerClient"; +import { commonParams } from "../endpoint/EndpointParameters"; +import { UpdateAnalyzerRequest, UpdateAnalyzerResponse } from "../models/models_0"; +import { de_UpdateAnalyzerCommand, se_UpdateAnalyzerCommand } from "../protocols/Aws_restJson1"; + +/** + * @public + */ +export type { __MetadataBearer }; +export { $Command }; +/** + * @public + * + * The input for {@link UpdateAnalyzerCommand}. + */ +export interface UpdateAnalyzerCommandInput extends UpdateAnalyzerRequest {} +/** + * @public + * + * The output of {@link UpdateAnalyzerCommand}. + */ +export interface UpdateAnalyzerCommandOutput extends UpdateAnalyzerResponse, __MetadataBearer {} + +/** + *

Modifies the configuration of an existing analyzer.

+ * @example + * Use a bare-bones client and the command you need to make an API call. + * ```javascript + * import { AccessAnalyzerClient, UpdateAnalyzerCommand } from "@aws-sdk/client-accessanalyzer"; // ES Modules import + * // const { AccessAnalyzerClient, UpdateAnalyzerCommand } = require("@aws-sdk/client-accessanalyzer"); // CommonJS import + * const client = new AccessAnalyzerClient(config); + * const input = { // UpdateAnalyzerRequest + * analyzerName: "STRING_VALUE", // required + * configuration: { // AnalyzerConfiguration Union: only one key present + * unusedAccess: { // UnusedAccessConfiguration + * unusedAccessAge: Number("int"), + * analysisRule: { // AnalysisRule + * exclusions: [ // AnalysisRuleCriteriaList + * { // AnalysisRuleCriteria + * accountIds: [ // AccountIdsList + * "STRING_VALUE", + * ], + * resourceTags: [ // TagsList + * { // TagsMap + * "": "STRING_VALUE", + * }, + * ], + * }, + * ], + * }, + * }, + * }, + * }; + * const command = new UpdateAnalyzerCommand(input); + * const response = await client.send(command); + * // { // UpdateAnalyzerResponse + * // configuration: { // AnalyzerConfiguration Union: only one key present + * // unusedAccess: { // UnusedAccessConfiguration + * // unusedAccessAge: Number("int"), + * // analysisRule: { // AnalysisRule + * // exclusions: [ // AnalysisRuleCriteriaList + * // { // AnalysisRuleCriteria + * // accountIds: [ // AccountIdsList + * // "STRING_VALUE", + * // ], + * // resourceTags: [ // TagsList + * // { // TagsMap + * // "": "STRING_VALUE", + * // }, + * // ], + * // }, + * // ], + * // }, + * // }, + * // }, + * // }; + * + * ``` + * + * @param UpdateAnalyzerCommandInput - {@link UpdateAnalyzerCommandInput} + * @returns {@link UpdateAnalyzerCommandOutput} + * @see {@link UpdateAnalyzerCommandInput} for command's `input` shape. + * @see {@link UpdateAnalyzerCommandOutput} for command's `response` shape. + * @see {@link AccessAnalyzerClientResolvedConfig | config} for AccessAnalyzerClient's `config` shape. + * + * @throws {@link AccessDeniedException} (client fault) + *

You do not have sufficient access to perform this action.

+ * + * @throws {@link ConflictException} (client fault) + *

A conflict exception error.

+ * + * @throws {@link InternalServerException} (server fault) + *

Internal server error.

+ * + * @throws {@link ResourceNotFoundException} (client fault) + *

The specified resource could not be found.

+ * + * @throws {@link ThrottlingException} (client fault) + *

Throttling limit exceeded error.

+ * + * @throws {@link ValidationException} (client fault) + *

Validation exception error.

+ * + * @throws {@link AccessAnalyzerServiceException} + *

Base exception class for all service exceptions from AccessAnalyzer service.

+ * + * @public + */ +export class UpdateAnalyzerCommand extends $Command + .classBuilder< + UpdateAnalyzerCommandInput, + UpdateAnalyzerCommandOutput, + AccessAnalyzerClientResolvedConfig, + ServiceInputTypes, + ServiceOutputTypes + >() + .ep(commonParams) + .m(function (this: any, Command: any, cs: any, config: AccessAnalyzerClientResolvedConfig, o: any) { + return [ + getSerdePlugin(config, this.serialize, this.deserialize), + getEndpointPlugin(config, Command.getEndpointParameterInstructions()), + ]; + }) + .s("AccessAnalyzer", "UpdateAnalyzer", {}) + .n("AccessAnalyzerClient", "UpdateAnalyzerCommand") + .f(void 0, void 0) + .ser(se_UpdateAnalyzerCommand) + .de(de_UpdateAnalyzerCommand) + .build() { + /** @internal type navigation helper, not in runtime. */ + protected declare static __types: { + api: { + input: UpdateAnalyzerRequest; + output: UpdateAnalyzerResponse; + }; + sdk: { + input: UpdateAnalyzerCommandInput; + output: UpdateAnalyzerCommandOutput; + }; + }; +} diff --git a/clients/client-accessanalyzer/src/commands/index.ts b/clients/client-accessanalyzer/src/commands/index.ts index d9c1e959812a2..f04e41057ef6e 100644 --- a/clients/client-accessanalyzer/src/commands/index.ts +++ b/clients/client-accessanalyzer/src/commands/index.ts @@ -31,6 +31,7 @@ export * from "./StartPolicyGenerationCommand"; export * from "./StartResourceScanCommand"; export * from "./TagResourceCommand"; export * from "./UntagResourceCommand"; +export * from "./UpdateAnalyzerCommand"; export * from "./UpdateArchiveRuleCommand"; export * from "./UpdateFindingsCommand"; export * from "./ValidatePolicyCommand"; diff --git a/clients/client-accessanalyzer/src/models/models_0.ts b/clients/client-accessanalyzer/src/models/models_0.ts index 1796ac5f6c92c..3dcb3557d27f5 100644 --- a/clients/client-accessanalyzer/src/models/models_0.ts +++ b/clients/client-accessanalyzer/src/models/models_0.ts @@ -380,7 +380,8 @@ export interface GetArchiveRuleRequest { } /** - *

Contains information about an archive rule.

+ *

Contains information about an archive rule. Archive rules automatically archive new + * findings that meet the criteria you define when you create the rule.

* @public */ export interface ArchiveRuleSummary { @@ -415,7 +416,8 @@ export interface ArchiveRuleSummary { */ export interface GetArchiveRuleResponse { /** - *

Contains information about an archive rule.

+ *

Contains information about an archive rule. Archive rules automatically archive new + * findings that meet the criteria you define when you create the rule.

* @public */ archiveRule: ArchiveRuleSummary | undefined; @@ -513,6 +515,50 @@ export interface InlineArchiveRule { filter: Record | undefined; } +/** + *

The criteria for an analysis rule for an analyzer. The criteria determine which entities + * will generate findings.

+ * @public + */ +export interface AnalysisRuleCriteria { + /** + *

A list of Amazon Web Services account IDs to apply to the analysis rule criteria. The accounts cannot + * include the organization analyzer owner account. Account IDs can only be applied to the + * analysis rule criteria for organization-level analyzers. The list cannot include more than + * 2,000 account IDs.

+ * @public + */ + accountIds?: string[] | undefined; + + /** + *

An array of key-value pairs to match for your resources. You can use the set of Unicode + * letters, digits, whitespace, _, ., /, + * =, +, and -.

+ *

For the tag key, you can specify a value that is 1 to 128 characters in length and + * cannot be prefixed with aws:.

+ *

For the tag value, you can specify a value that is 0 to 256 characters in length. If the + * specified tag value is 0 characters, the rule is applied to all principals with the + * specified tag key.

+ * @public + */ + resourceTags?: Record[] | undefined; +} + +/** + *

Contains information about analysis rules for the analyzer. Analysis rules determine + * which entities will generate findings based on the criteria you define when you create the + * rule.

+ * @public + */ +export interface AnalysisRule { + /** + *

A list of rules for the analyzer containing criteria to exclude from analysis. Entities + * that meet the rule criteria will not generate findings.

+ * @public + */ + exclusions?: AnalysisRuleCriteria[] | undefined; +} + /** *

Contains information about an unused access analyzer.

* @public @@ -522,16 +568,24 @@ export interface UnusedAccessConfiguration { *

The specified access age in days for which to generate findings for unused access. For * example, if you specify 90 days, the analyzer will generate findings for IAM entities * within the accounts of the selected organization for any access that hasn't been used in 90 - * or more days since the analyzer's last scan. You can choose a value between 1 and 180 + * or more days since the analyzer's last scan. You can choose a value between 1 and 365 * days.

* @public */ unusedAccessAge?: number | undefined; + + /** + *

Contains information about analysis rules for the analyzer. Analysis rules determine + * which entities will generate findings based on the criteria you define when you create the + * rule.

+ * @public + */ + analysisRule?: AnalysisRule | undefined; } /** - *

Contains information about the configuration of an unused access analyzer for an Amazon Web Services - * organization or account.

+ *

Contains information about the configuration of an analyzer for an Amazon Web Services organization or + * account.

* @public */ export type AnalyzerConfiguration = AnalyzerConfiguration.UnusedAccessMember | AnalyzerConfiguration.$UnknownMember; @@ -542,7 +596,7 @@ export type AnalyzerConfiguration = AnalyzerConfiguration.UnusedAccessMember | A export namespace AnalyzerConfiguration { /** *

Specifies the configuration of an unused access analyzer for an Amazon Web Services organization or - * account. External access analyzers do not support any configuration.

+ * account.

* @public */ export interface UnusedAccessMember { @@ -602,7 +656,12 @@ export interface CreateAnalyzerRequest { archiveRules?: InlineArchiveRule[] | undefined; /** - *

An array of key-value pairs to apply to the analyzer.

+ *

An array of key-value pairs to apply to the analyzer. You can use the set of Unicode + * letters, digits, whitespace, _, ., /, + * =, +, and -.

+ *

For the tag key, you can specify a value that is 1 to 128 characters in length and + * cannot be prefixed with aws:.

+ *

For the tag value, you can specify a value that is 0 to 256 characters in length.

* @public */ tags?: Record | undefined; @@ -615,8 +674,7 @@ export interface CreateAnalyzerRequest { /** *

Specifies the configuration of the analyzer. If the analyzer is an unused access - * analyzer, the specified scope of unused access is used for the configuration. If the - * analyzer is an external access analyzer, this field is not used.

+ * analyzer, the specified scope of unused access is used for the configuration.

* @public */ configuration?: AnalyzerConfiguration | undefined; @@ -824,6 +882,36 @@ export interface ListAnalyzersResponse { nextToken?: string | undefined; } +/** + * @public + */ +export interface UpdateAnalyzerRequest { + /** + *

The name of the analyzer to modify.

+ * @public + */ + analyzerName: string | undefined; + + /** + *

Contains information about the configuration of an analyzer for an Amazon Web Services organization or + * account.

+ * @public + */ + configuration?: AnalyzerConfiguration | undefined; +} + +/** + * @public + */ +export interface UpdateAnalyzerResponse { + /** + *

Contains information about the configuration of an analyzer for an Amazon Web Services organization or + * account.

+ * @public + */ + configuration?: AnalyzerConfiguration | undefined; +} + /** *

Retroactively applies an archive rule.

* @public @@ -2698,6 +2786,7 @@ export type ResourceType = | "AWS::ECR::Repository" | "AWS::EFS::FileSystem" | "AWS::IAM::Role" + | "AWS::IAM::User" | "AWS::KMS::Key" | "AWS::Lambda::Function" | "AWS::Lambda::LayerVersion" diff --git a/clients/client-accessanalyzer/src/protocols/Aws_restJson1.ts b/clients/client-accessanalyzer/src/protocols/Aws_restJson1.ts index b1e0c936791ae..827540678b280 100644 --- a/clients/client-accessanalyzer/src/protocols/Aws_restJson1.ts +++ b/clients/client-accessanalyzer/src/protocols/Aws_restJson1.ts @@ -99,6 +99,7 @@ import { import { StartResourceScanCommandInput, StartResourceScanCommandOutput } from "../commands/StartResourceScanCommand"; import { TagResourceCommandInput, TagResourceCommandOutput } from "../commands/TagResourceCommand"; import { UntagResourceCommandInput, UntagResourceCommandOutput } from "../commands/UntagResourceCommand"; +import { UpdateAnalyzerCommandInput, UpdateAnalyzerCommandOutput } from "../commands/UpdateAnalyzerCommand"; import { UpdateArchiveRuleCommandInput, UpdateArchiveRuleCommandOutput } from "../commands/UpdateArchiveRuleCommand"; import { UpdateFindingsCommandInput, UpdateFindingsCommandOutput } from "../commands/UpdateFindingsCommand"; import { ValidatePolicyCommandInput, ValidatePolicyCommandOutput } from "../commands/ValidatePolicyCommand"; @@ -110,6 +111,8 @@ import { AccessPreviewFinding, AccessPreviewSummary, AclGrantee, + AnalysisRule, + AnalysisRuleCriteria, AnalyzedResource, AnalyzerConfiguration, AnalyzerSummary, @@ -859,6 +862,29 @@ export const se_UntagResourceCommand = async ( return b.build(); }; +/** + * serializeAws_restJson1UpdateAnalyzerCommand + */ +export const se_UpdateAnalyzerCommand = async ( + input: UpdateAnalyzerCommandInput, + context: __SerdeContext +): Promise<__HttpRequest> => { + const b = rb(input, context); + const headers: any = { + "content-type": "application/json", + }; + b.bp("/analyzer/{analyzerName}"); + b.p("analyzerName", () => input.analyzerName!, "{analyzerName}", false); + let body: any; + body = JSON.stringify( + take(input, { + configuration: (_) => _json(_), + }) + ); + b.m("PUT").h(headers).b(body); + return b.build(); +}; + /** * serializeAws_restJson1UpdateArchiveRuleCommand */ @@ -1608,6 +1634,27 @@ export const de_UntagResourceCommand = async ( return contents; }; +/** + * deserializeAws_restJson1UpdateAnalyzerCommand + */ +export const de_UpdateAnalyzerCommand = async ( + output: __HttpResponse, + context: __SerdeContext +): Promise => { + if (output.statusCode !== 200 && output.statusCode >= 300) { + return de_CommandError(output, context); + } + const contents: any = map({ + $metadata: deserializeMetadata(output), + }); + const data: Record = __expectNonNull(__expectObject(await parseBody(output.body, context)), "body"); + const doc = take(data, { + configuration: (_) => _json(__expectUnion(_)), + }); + Object.assign(contents, doc); + return contents; +}; + /** * deserializeAws_restJson1UpdateArchiveRuleCommand */ @@ -1899,10 +1946,18 @@ const de_ValidationExceptionRes = async (parsedOutput: any, context: __SerdeCont // se_AccessList omitted. +// se_AccountIdsList omitted. + // se_AclGrantee omitted. // se_ActionsList omitted. +// se_AnalysisRule omitted. + +// se_AnalysisRuleCriteria omitted. + +// se_AnalysisRuleCriteriaList omitted. + // se_AnalyzerConfiguration omitted. /** @@ -2009,6 +2064,8 @@ const se_CloudTrailDetails = (input: CloudTrailDetails, context: __SerdeContext) // se_SqsQueueConfiguration omitted. +// se_TagsList omitted. + // se_TagsMap omitted. // se_Trail omitted. @@ -2098,10 +2155,18 @@ const de_AccessPreviewSummary = (output: any, context: __SerdeContext): AccessPr }) as any; }; +// de_AccountIdsList omitted. + // de_AclGrantee omitted. // de_ActionList omitted. +// de_AnalysisRule omitted. + +// de_AnalysisRuleCriteria omitted. + +// de_AnalysisRuleCriteriaList omitted. + /** * deserializeAws_restJson1AnalyzedResource */ @@ -2532,6 +2597,8 @@ const de_RecommendedStepList = (output: any, context: __SerdeContext): Recommend // de_Substring omitted. +// de_TagsList omitted. + // de_TagsMap omitted. // de_TrailProperties omitted. diff --git a/codegen/sdk-codegen/aws-models/accessanalyzer.json b/codegen/sdk-codegen/aws-models/accessanalyzer.json index 6bfaee415f760..09aefa180875e 100644 --- a/codegen/sdk-codegen/aws-models/accessanalyzer.json +++ b/codegen/sdk-codegen/aws-models/accessanalyzer.json @@ -1554,6 +1554,12 @@ "target": "com.amazonaws.accessanalyzer#AccessPreviewSummary" } }, + "com.amazonaws.accessanalyzer#AccountIdsList": { + "type": "list", + "member": { + "target": "smithy.api#String" + } + }, "com.amazonaws.accessanalyzer#AclCanonicalId": { "type": "string" }, @@ -1622,6 +1628,46 @@ "target": "com.amazonaws.accessanalyzer#Action" } }, + "com.amazonaws.accessanalyzer#AnalysisRule": { + "type": "structure", + "members": { + "exclusions": { + "target": "com.amazonaws.accessanalyzer#AnalysisRuleCriteriaList", + "traits": { + "smithy.api#documentation": "

A list of rules for the analyzer containing criteria to exclude from analysis. Entities\n that meet the rule criteria will not generate findings.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

Contains information about analysis rules for the analyzer. Analysis rules determine\n which entities will generate findings based on the criteria you define when you create the\n rule.

" + } + }, + "com.amazonaws.accessanalyzer#AnalysisRuleCriteria": { + "type": "structure", + "members": { + "accountIds": { + "target": "com.amazonaws.accessanalyzer#AccountIdsList", + "traits": { + "smithy.api#documentation": "

A list of Amazon Web Services account IDs to apply to the analysis rule criteria. The accounts cannot\n include the organization analyzer owner account. Account IDs can only be applied to the\n analysis rule criteria for organization-level analyzers. The list cannot include more than\n 2,000 account IDs.

" + } + }, + "resourceTags": { + "target": "com.amazonaws.accessanalyzer#TagsList", + "traits": { + "smithy.api#documentation": "

An array of key-value pairs to match for your resources. You can use the set of Unicode\n letters, digits, whitespace, _, ., /,\n =, +, and -.

\n

For the tag key, you can specify a value that is 1 to 128 characters in length and\n cannot be prefixed with aws:.

\n

For the tag value, you can specify a value that is 0 to 256 characters in length. If the\n specified tag value is 0 characters, the rule is applied to all principals with the\n specified tag key.

" + } + } + }, + "traits": { + "smithy.api#documentation": "

The criteria for an analysis rule for an analyzer. The criteria determine which entities\n will generate findings.

" + } + }, + "com.amazonaws.accessanalyzer#AnalysisRuleCriteriaList": { + "type": "list", + "member": { + "target": "com.amazonaws.accessanalyzer#AnalysisRuleCriteria" + } + }, "com.amazonaws.accessanalyzer#AnalyzedResource": { "type": "structure", "members": { @@ -1751,6 +1797,9 @@ "read": { "target": "com.amazonaws.accessanalyzer#GetAnalyzer" }, + "update": { + "target": "com.amazonaws.accessanalyzer#UpdateAnalyzer" + }, "delete": { "target": "com.amazonaws.accessanalyzer#DeleteAnalyzer" }, @@ -1781,12 +1830,12 @@ "unusedAccess": { "target": "com.amazonaws.accessanalyzer#UnusedAccessConfiguration", "traits": { - "smithy.api#documentation": "

Specifies the configuration of an unused access analyzer for an Amazon Web Services organization or\n account. External access analyzers do not support any configuration.

" + "smithy.api#documentation": "

Specifies the configuration of an unused access analyzer for an Amazon Web Services organization or\n account.

" } } }, "traits": { - "smithy.api#documentation": "

Contains information about the configuration of an unused access analyzer for an Amazon Web Services\n organization or account.

" + "smithy.api#documentation": "

Contains information about the configuration of an analyzer for an Amazon Web Services organization or\n account.

" } }, "com.amazonaws.accessanalyzer#AnalyzerStatus": { @@ -2020,7 +2069,7 @@ } }, "traits": { - "smithy.api#documentation": "

Contains information about an archive rule.

" + "smithy.api#documentation": "

Contains information about an archive rule. Archive rules automatically archive new\n findings that meet the criteria you define when you create the rule.

" } }, "com.amazonaws.accessanalyzer#ArchiveRulesList": { @@ -2845,7 +2894,7 @@ "tags": { "target": "com.amazonaws.accessanalyzer#TagsMap", "traits": { - "smithy.api#documentation": "

An array of key-value pairs to apply to the analyzer.

" + "smithy.api#documentation": "

An array of key-value pairs to apply to the analyzer. You can use the set of Unicode\n letters, digits, whitespace, _, ., /,\n =, +, and -.

\n

For the tag key, you can specify a value that is 1 to 128 characters in length and\n cannot be prefixed with aws:.

\n

For the tag value, you can specify a value that is 0 to 256 characters in length.

" } }, "clientToken": { @@ -2858,7 +2907,7 @@ "configuration": { "target": "com.amazonaws.accessanalyzer#AnalyzerConfiguration", "traits": { - "smithy.api#documentation": "

Specifies the configuration of the analyzer. If the analyzer is an unused access\n analyzer, the specified scope of unused access is used for the configuration. If the\n analyzer is an external access analyzer, this field is not used.

" + "smithy.api#documentation": "

Specifies the configuration of the analyzer. If the analyzer is an unused access\n analyzer, the specified scope of unused access is used for the configuration.

" } } }, @@ -5369,7 +5418,7 @@ } ], "traits": { - "smithy.api#documentation": "

Retrieves a list of resources of the specified type that have been analyzed by the\n specified external access analyzer. This action is not supported for unused access\n analyzers.

", + "smithy.api#documentation": "

Retrieves a list of resources of the specified type that have been analyzed by the\n specified analyzer.

", "smithy.api#http": { "uri": "/analyzed-resource", "method": "POST", @@ -6614,6 +6663,10 @@ { "value": "AWS::DynamoDB::Stream", "name": "AWS_DYNAMODB_STREAM" + }, + { + "value": "AWS::IAM::User", + "name": "AWS_IAM_USER" } ] } @@ -7176,6 +7229,12 @@ "smithy.api#documentation": "

The response to the request.

" } }, + "com.amazonaws.accessanalyzer#TagsList": { + "type": "list", + "member": { + "target": "com.amazonaws.accessanalyzer#TagsMap" + } + }, "com.amazonaws.accessanalyzer#TagsMap": { "type": "map", "key": { @@ -7397,8 +7456,11 @@ "unusedAccessAge": { "target": "smithy.api#Integer", "traits": { - "smithy.api#documentation": "

The specified access age in days for which to generate findings for unused access. For\n example, if you specify 90 days, the analyzer will generate findings for IAM entities\n within the accounts of the selected organization for any access that hasn't been used in 90\n or more days since the analyzer's last scan. You can choose a value between 1 and 180\n days.

" + "smithy.api#documentation": "

The specified access age in days for which to generate findings for unused access. For\n example, if you specify 90 days, the analyzer will generate findings for IAM entities\n within the accounts of the selected organization for any access that hasn't been used in 90\n or more days since the analyzer's last scan. You can choose a value between 1 and 365\n days.

" } + }, + "analysisRule": { + "target": "com.amazonaws.accessanalyzer#AnalysisRule" } }, "traits": { @@ -7541,6 +7603,74 @@ "smithy.api#documentation": "

Contains information about the action to take for a policy in an unused permissions\n finding.

" } }, + "com.amazonaws.accessanalyzer#UpdateAnalyzer": { + "type": "operation", + "input": { + "target": "com.amazonaws.accessanalyzer#UpdateAnalyzerRequest" + }, + "output": { + "target": "com.amazonaws.accessanalyzer#UpdateAnalyzerResponse" + }, + "errors": [ + { + "target": "com.amazonaws.accessanalyzer#AccessDeniedException" + }, + { + "target": "com.amazonaws.accessanalyzer#ConflictException" + }, + { + "target": "com.amazonaws.accessanalyzer#InternalServerException" + }, + { + "target": "com.amazonaws.accessanalyzer#ResourceNotFoundException" + }, + { + "target": "com.amazonaws.accessanalyzer#ThrottlingException" + }, + { + "target": "com.amazonaws.accessanalyzer#ValidationException" + } + ], + "traits": { + "smithy.api#documentation": "

Modifies the configuration of an existing analyzer.

", + "smithy.api#http": { + "uri": "/analyzer/{analyzerName}", + "method": "PUT", + "code": 200 + }, + "smithy.api#idempotent": {} + } + }, + "com.amazonaws.accessanalyzer#UpdateAnalyzerRequest": { + "type": "structure", + "members": { + "analyzerName": { + "target": "com.amazonaws.accessanalyzer#Name", + "traits": { + "smithy.api#documentation": "

The name of the analyzer to modify.

", + "smithy.api#httpLabel": {}, + "smithy.api#required": {} + } + }, + "configuration": { + "target": "com.amazonaws.accessanalyzer#AnalyzerConfiguration" + } + }, + "traits": { + "smithy.api#input": {} + } + }, + "com.amazonaws.accessanalyzer#UpdateAnalyzerResponse": { + "type": "structure", + "members": { + "configuration": { + "target": "com.amazonaws.accessanalyzer#AnalyzerConfiguration" + } + }, + "traits": { + "smithy.api#output": {} + } + }, "com.amazonaws.accessanalyzer#UpdateArchiveRule": { "type": "operation", "input": {