// Code generated by smithy-go-codegen DO NOT EDIT.

// Package types defines the IAM Access Analyzer API data types: access previews
// and their findings, analyzers, archive rules, policy generation jobs, and the
// proposed resource configurations (IAM role, KMS key, Secrets Manager secret,
// S3 bucket, SQS queue) used to preview access before a change is deployed.
package types

import (
	smithydocument "github.com/aws/smithy-go/document"
	"time"
)

// Contains information about an access preview.
type AccessPreview struct {

	// The ARN of the analyzer used to generate the access preview.
	//
	// This member is required.
	AnalyzerArn *string

	// A map of resource ARNs for the proposed resource configuration.
	//
	// This member is required.
	Configurations map[string]Configuration

	// The time at which the access preview was created.
	//
	// This member is required.
	CreatedAt *time.Time

	// The unique ID for the access preview.
	//
	// This member is required.
	Id *string

	// The status of the access preview.
	//
	// * Creating - The access preview creation is in progress.
	//
	// * Completed - The access preview is complete. You can preview findings for
	// external access to the resource.
	//
	// * Failed - The access preview creation has failed.
	//
	// This member is required.
	Status AccessPreviewStatus

	// Provides more details about the current status of the access preview. For
	// example, if the creation of the access preview fails, a Failed status is
	// returned. This failure can be due to an internal issue with the analysis or due
	// to an invalid resource configuration.
	StatusReason *AccessPreviewStatusReason

	noSmithyDocumentSerde
}

// An access preview finding generated by the access preview.
type AccessPreviewFinding struct {

	// Provides context on how the access preview finding compares to existing access
	// identified in IAM Access Analyzer.
	//
	// * New - The finding is for newly-introduced access.
	//
	// * Unchanged - The preview finding is an existing finding that would remain
	// unchanged.
	//
	// * Changed - The preview finding is an existing finding with a change in status.
	//
	// For example, a Changed finding with preview status Resolved and existing status
	// Active indicates the existing Active finding would become Resolved as a result
	// of the proposed permissions change.
	//
	// This member is required.
	ChangeType FindingChangeType

	// The time at which the access preview finding was created.
	//
	// This member is required.
	CreatedAt *time.Time

	// The ID of the access preview finding. This ID uniquely identifies the element in
	// the list of access preview findings and is not related to the finding ID in
	// Access Analyzer.
	//
	// This member is required.
	Id *string

	// The Amazon Web Services account ID that owns the resource. For most Amazon Web
	// Services resources, the owning account is the account in which the resource was
	// created.
	//
	// This member is required.
	ResourceOwnerAccount *string

	// The type of the resource that can be accessed in the finding.
	//
	// This member is required.
	ResourceType ResourceType

	// The preview status of the finding. This is what the status of the finding would
	// be after permissions deployment. For example, a Changed finding with preview
	// status Resolved and existing status Active indicates the existing Active finding
	// would become Resolved as a result of the proposed permissions change.
	//
	// This member is required.
	Status FindingStatus

	// The action in the analyzed policy statement that an external principal has
	// permission to perform.
	Action []string

	// The condition in the analyzed policy statement that resulted in a finding.
	Condition map[string]string

	// An error.
	Error *string

	// The existing ID of the finding in IAM Access Analyzer, provided only for
	// existing findings.
	ExistingFindingId *string

	// The existing status of the finding, provided only for existing findings.
	ExistingFindingStatus FindingStatus

	// Indicates whether the policy that generated the finding allows public access to
	// the resource.
	IsPublic *bool

	// The external principal that has access to a resource within the zone of trust.
	Principal map[string]string

	// The resource that an external principal has access to. This is the resource
	// associated with the access preview.
	Resource *string

	// The sources of the finding. This indicates how the access that generated the
	// finding is granted. It is populated for Amazon S3 bucket findings.
	Sources []FindingSource

	noSmithyDocumentSerde
}

// Provides more details about the current status of the access preview. For
// example, if the creation of the access preview fails, a Failed status is
// returned. This failure can be due to an internal issue with the analysis or due
// to an invalid proposed resource configuration.
type AccessPreviewStatusReason struct {

	// The reason code for the current status of the access preview.
	//
	// This member is required.
	Code AccessPreviewStatusReasonCode

	noSmithyDocumentSerde
}

// Contains a summary of information about an access preview.
type AccessPreviewSummary struct {

	// The ARN of the analyzer used to generate the access preview.
	//
	// This member is required.
	AnalyzerArn *string

	// The time at which the access preview was created.
	//
	// This member is required.
	CreatedAt *time.Time

	// The unique ID for the access preview.
	//
	// This member is required.
	Id *string

	// The status of the access preview.
	//
	// * Creating - The access preview creation is in progress.
	//
	// * Completed - The access preview is complete and previews the findings for
	// external access to the resource.
	//
	// * Failed - The access preview creation has failed.
	//
	// This member is required.
	Status AccessPreviewStatus

	// Provides more details about the current status of the access preview. For
	// example, if the creation of the access preview fails, a Failed status is
	// returned. This failure can be due to an internal issue with the analysis or due
	// to an invalid proposed resource configuration.
	StatusReason *AccessPreviewStatusReason

	noSmithyDocumentSerde
}

// You specify each grantee as a type-value pair using one of these types. You can
// specify only one type of grantee. For more information, see PutBucketAcl
// (https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html).
//
// The following types satisfy this interface:
// AclGranteeMemberId
// AclGranteeMemberUri
type AclGrantee interface {
	isAclGrantee()
}

// The value specified is the canonical user ID of an Amazon Web Services account.
type AclGranteeMemberId struct {
	Value string

	noSmithyDocumentSerde
}

// isAclGrantee marks this union member; because the receiver is a pointer, only
// *AclGranteeMemberId (not the value type) satisfies AclGrantee.
func (*AclGranteeMemberId) isAclGrantee() {}

// Used for granting permissions to a predefined group.
type AclGranteeMemberUri struct {
	Value string

	noSmithyDocumentSerde
}

// isAclGrantee marks this union member; because the receiver is a pointer, only
// *AclGranteeMemberUri (not the value type) satisfies AclGrantee.
func (*AclGranteeMemberUri) isAclGrantee() {}

// Contains details about the analyzed resource.
type AnalyzedResource struct {

	// The time at which the resource was analyzed.
	//
	// This member is required.
	AnalyzedAt *time.Time

	// The time at which the finding was created.
	//
	// This member is required.
	CreatedAt *time.Time

	// Indicates whether the policy that generated the finding grants public access to
	// the resource.
	//
	// This member is required.
	IsPublic *bool

	// The ARN of the resource that was analyzed.
	//
	// This member is required.
	ResourceArn *string

	// The Amazon Web Services account ID that owns the resource.
	//
	// This member is required.
	ResourceOwnerAccount *string

	// The type of the resource that was analyzed.
	//
	// This member is required.
	ResourceType ResourceType

	// The time at which the finding was updated.
	//
	// This member is required.
	UpdatedAt *time.Time

	// The actions that an external principal is granted permission to use by the
	// policy that generated the finding.
	Actions []string

	// An error message.
	Error *string

	// Indicates how the access that generated the finding is granted. This is
	// populated for Amazon S3 bucket findings.
	SharedVia []string

	// The current status of the finding generated from the analyzed resource.
	Status FindingStatus

	noSmithyDocumentSerde
}

// Contains the ARN of the analyzed resource.
type AnalyzedResourceSummary struct {

	// The ARN of the analyzed resource.
	//
	// This member is required.
	ResourceArn *string

	// The Amazon Web Services account ID that owns the resource.
	//
	// This member is required.
	ResourceOwnerAccount *string

	// The type of resource that was analyzed.
	//
	// This member is required.
	ResourceType ResourceType

	noSmithyDocumentSerde
}

// Contains information about the analyzer.
type AnalyzerSummary struct {

	// The ARN of the analyzer.
	//
	// This member is required.
	Arn *string

	// A timestamp for the time at which the analyzer was created.
	//
	// This member is required.
	CreatedAt *time.Time

	// The name of the analyzer.
	//
	// This member is required.
	Name *string

	// The status of the analyzer. An Active analyzer successfully monitors supported
	// resources and generates new findings. The analyzer is Disabled when a user
	// action, such as removing trusted access for Identity and Access Management
	// Access Analyzer from Organizations, causes the analyzer to stop generating new
	// findings. The status is Creating when the analyzer creation is in progress and
	// Failed when the analyzer creation has failed.
	//
	// This member is required.
	Status AnalyzerStatus

	// The type of analyzer, which corresponds to the zone of trust chosen for the
	// analyzer.
	//
	// This member is required.
	Type Type

	// The resource that was most recently analyzed by the analyzer.
	LastResourceAnalyzed *string

	// The time at which the most recently analyzed resource was analyzed.
	LastResourceAnalyzedAt *time.Time

	// The statusReason provides more details about the current status of the analyzer.
	// For example, if the creation for the analyzer fails, a Failed status is
	// returned. For an analyzer with organization as the type, this failure can be due
	// to an issue with creating the service-linked roles required in the member
	// accounts of the Amazon Web Services organization.
	StatusReason *StatusReason

	// The tags added to the analyzer.
	Tags map[string]string

	noSmithyDocumentSerde
}

// Contains information about an archive rule.
type ArchiveRuleSummary struct {

	// The time at which the archive rule was created.
	//
	// This member is required.
	CreatedAt *time.Time

	// A filter used to define the archive rule.
	//
	// This member is required.
	Filter map[string]Criterion

	// The name of the archive rule.
	//
	// This member is required.
	RuleName *string

	// The time at which the archive rule was last updated.
	//
	// This member is required.
	UpdatedAt *time.Time

	noSmithyDocumentSerde
}

// Contains information about CloudTrail access.
type CloudTrailDetails struct {

	// The ARN of the service role that IAM Access Analyzer uses to access your
	// CloudTrail trail and service last accessed information.
	//
	// This member is required.
	AccessRole *string

	// The start of the time range for which IAM Access Analyzer reviews your
	// CloudTrail events. Events with a timestamp before this time are not considered
	// to generate a policy.
	//
	// This member is required.
	StartTime *time.Time

	// A Trail object that contains settings for a trail.
	//
	// This member is required.
	Trails []Trail

	// The end of the time range for which IAM Access Analyzer reviews your CloudTrail
	// events. Events with a timestamp after this time are not considered to generate a
	// policy. If this is not included in the request, the default value is the current
	// time.
	EndTime *time.Time

	noSmithyDocumentSerde
}

// Contains information about CloudTrail access.
type CloudTrailProperties struct {

	// The end of the time range for which IAM Access Analyzer reviews your CloudTrail
	// events. Events with a timestamp after this time are not considered to generate a
	// policy. If this is not included in the request, the default value is the current
	// time.
	//
	// This member is required.
	EndTime *time.Time

	// The start of the time range for which IAM Access Analyzer reviews your
	// CloudTrail events. Events with a timestamp before this time are not considered
	// to generate a policy.
	//
	// This member is required.
	StartTime *time.Time

	// A TrailProperties object that contains settings for trail properties.
	//
	// This member is required.
	TrailProperties []TrailProperties

	noSmithyDocumentSerde
}

// Access control configuration structures for your resource. You specify the
// configuration as a type-value pair. You can specify only one type of access
// control configuration.
//
// The following types satisfy this interface:
// ConfigurationMemberIamRole
// ConfigurationMemberKmsKey
// ConfigurationMemberSecretsManagerSecret
// ConfigurationMemberS3Bucket
// ConfigurationMemberSqsQueue
type Configuration interface {
	isConfiguration()
}

// The access control configuration is for an IAM role.
type ConfigurationMemberIamRole struct {
	Value IamRoleConfiguration

	noSmithyDocumentSerde
}

// isConfiguration marks this union member; because the receiver is a pointer,
// only *ConfigurationMemberIamRole satisfies Configuration.
func (*ConfigurationMemberIamRole) isConfiguration() {}

// The access control configuration is for a KMS key.
type ConfigurationMemberKmsKey struct {
	Value KmsKeyConfiguration

	noSmithyDocumentSerde
}

// isConfiguration marks this union member; because the receiver is a pointer,
// only *ConfigurationMemberKmsKey satisfies Configuration.
func (*ConfigurationMemberKmsKey) isConfiguration() {}

// The access control configuration is for a Secrets Manager secret.
type ConfigurationMemberSecretsManagerSecret struct {
	Value SecretsManagerSecretConfiguration

	noSmithyDocumentSerde
}

// isConfiguration marks this union member; because the receiver is a pointer,
// only *ConfigurationMemberSecretsManagerSecret satisfies Configuration.
func (*ConfigurationMemberSecretsManagerSecret) isConfiguration() {}

// The access control configuration is for an Amazon S3 Bucket.
type ConfigurationMemberS3Bucket struct {
	Value S3BucketConfiguration

	noSmithyDocumentSerde
}

// isConfiguration marks this union member; because the receiver is a pointer,
// only *ConfigurationMemberS3Bucket satisfies Configuration.
func (*ConfigurationMemberS3Bucket) isConfiguration() {}

// The access control configuration is for an Amazon SQS queue.
type ConfigurationMemberSqsQueue struct {
	Value SqsQueueConfiguration

	noSmithyDocumentSerde
}

// isConfiguration marks this union member; because the receiver is a pointer,
// only *ConfigurationMemberSqsQueue satisfies Configuration.
func (*ConfigurationMemberSqsQueue) isConfiguration() {}

// The criteria to use in the filter that defines the archive rule.
type Criterion struct {

	// A "contains" operator to match for the filter used to create the rule.
	Contains []string

	// An "equals" operator to match for the filter used to create the rule.
	Eq []string

	// An "exists" operator to match for the filter used to create the rule.
	Exists *bool

	// A "not equals" operator to match for the filter used to create the rule.
	Neq []string

	noSmithyDocumentSerde
}

// Contains information about a finding.
type Finding struct {

	// The time at which the resource was analyzed.
	//
	// This member is required.
	AnalyzedAt *time.Time

	// The condition in the analyzed policy statement that resulted in a finding.
	//
	// This member is required.
	Condition map[string]string

	// The time at which the finding was generated.
	//
	// This member is required.
	CreatedAt *time.Time

	// The ID of the finding.
	//
	// This member is required.
	Id *string

	// The Amazon Web Services account ID that owns the resource.
	//
	// This member is required.
	ResourceOwnerAccount *string

	// The type of the resource identified in the finding.
	//
	// This member is required.
	ResourceType ResourceType

	// The current status of the finding.
	//
	// This member is required.
	Status FindingStatus

	// The time at which the finding was updated.
	//
	// This member is required.
	UpdatedAt *time.Time

	// The action in the analyzed policy statement that an external principal has
	// permission to use.
	Action []string

	// An error.
	Error *string

	// Indicates whether the policy that generated the finding allows public access to
	// the resource.
	IsPublic *bool

	// The external principal that has access to a resource within the zone of trust.
	Principal map[string]string

	// The resource that an external principal has access to.
	Resource *string

	// The sources of the finding. This indicates how the access that generated the
	// finding is granted. It is populated for Amazon S3 bucket findings.
	Sources []FindingSource

	noSmithyDocumentSerde
}

// The source of the finding. This indicates how the access that generated the
// finding is granted. It is populated for Amazon S3 bucket findings.
type FindingSource struct {

	// Indicates the type of access that generated the finding.
	//
	// This member is required.
	Type FindingSourceType

	// Includes details about how the access that generated the finding is granted.
	// This is populated for Amazon S3 bucket findings.
	Detail *FindingSourceDetail

	noSmithyDocumentSerde
}

// Includes details about how the access that generated the finding is granted.
// This is populated for Amazon S3 bucket findings.
type FindingSourceDetail struct {

	// The ARN of the access point that generated the finding. The ARN format depends
	// on whether the ARN represents an access point or a multi-region access point.
	AccessPointArn *string

	noSmithyDocumentSerde
}

// Contains information about a finding.
type FindingSummary struct {

	// The time at which the resource-based policy that generated the finding was
	// analyzed.
	//
	// This member is required.
	AnalyzedAt *time.Time

	// The condition in the analyzed policy statement that resulted in a finding.
	//
	// This member is required.
	Condition map[string]string

	// The time at which the finding was created.
	//
	// This member is required.
	CreatedAt *time.Time

	// The ID of the finding.
	//
	// This member is required.
	Id *string

	// The Amazon Web Services account ID that owns the resource.
	//
	// This member is required.
	ResourceOwnerAccount *string

	// The type of the resource that the external principal has access to.
	//
	// This member is required.
	ResourceType ResourceType

	// The status of the finding.
	//
	// This member is required.
	Status FindingStatus

	// The time at which the finding was most recently updated.
	//
	// This member is required.
	UpdatedAt *time.Time

	// The action in the analyzed policy statement that an external principal has
	// permission to use.
	Action []string

	// The error that resulted in an Error finding.
	Error *string

	// Indicates whether the finding reports a resource that has a policy that allows
	// public access.
	IsPublic *bool

	// The external principal that has access to a resource within the zone of trust.
	Principal map[string]string

	// The resource that the external principal has access to.
	Resource *string

	// The sources of the finding. This indicates how the access that generated the
	// finding is granted. It is populated for Amazon S3 bucket findings.
	Sources []FindingSource

	noSmithyDocumentSerde
}

// Contains the text for the generated policy.
type GeneratedPolicy struct {

	// The text to use as the content for the new policy. The policy is created using
	// the CreatePolicy
	// (https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html)
	// action.
	//
	// This member is required.
	Policy *string

	noSmithyDocumentSerde
}

// Contains the generated policy details.
type GeneratedPolicyProperties struct {

	// The ARN of the IAM entity (user or role) for which you are generating a policy.
	//
	// This member is required.
	PrincipalArn *string

	// Lists details about the Trail used to generate the policy.
	CloudTrailProperties *CloudTrailProperties

	// This value is set to true if the generated policy contains all possible actions
	// for a service that IAM Access Analyzer identified from the CloudTrail trail that
	// you specified, and false otherwise.
	IsComplete *bool

	noSmithyDocumentSerde
}

// Contains the text for the generated policy and its details.
type GeneratedPolicyResult struct {

	// A GeneratedPolicyProperties object that contains properties of the generated
	// policy.
	//
	// This member is required.
	Properties *GeneratedPolicyProperties

	// The text to use as the content for the new policy. The policy is created using
	// the CreatePolicy
	// (https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html)
	// action.
	GeneratedPolicies []GeneratedPolicy

	noSmithyDocumentSerde
}

// The proposed access control configuration for an IAM role. You can propose a
// configuration for a new IAM role or an existing IAM role that you own by
// specifying the trust policy. If the configuration is for a new IAM role, you
// must specify the trust policy. If the configuration is for an existing IAM role
// that you own and you do not propose the trust policy, the access preview uses
// the existing trust policy for the role. The proposed trust policy cannot be an
// empty string. For more information about role trust policy limits, see IAM and
// STS quotas
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html).
type IamRoleConfiguration struct {

	// The proposed trust policy for the IAM role.
	TrustPolicy *string

	noSmithyDocumentSerde
}

// A criterion statement in an archive rule. Each archive rule may have multiple
// criteria.
type InlineArchiveRule struct {

	// The condition and values for a criterion.
	//
	// This member is required.
	Filter map[string]Criterion

	// The name of the rule.
	//
	// This member is required.
	RuleName *string

	noSmithyDocumentSerde
}

// This configuration sets the network origin for the Amazon S3 access point or
// multi-region access point to Internet.
type InternetConfiguration struct {
	noSmithyDocumentSerde
}

// Contains details about the policy generation request.
type JobDetails struct {

	// The JobId that is returned by the StartPolicyGeneration operation. The JobId can
	// be used with GetGeneratedPolicy to retrieve the generated policies or used with
	// CancelPolicyGeneration to cancel the policy generation request.
	//
	// This member is required.
	JobId *string

	// A timestamp of when the job was started.
	//
	// This member is required.
	StartedOn *time.Time

	// The status of the job request.
	//
	// This member is required.
	Status JobStatus

	// A timestamp of when the job was completed.
	CompletedOn *time.Time

	// The job error for the policy generation request.
	JobError *JobError

	noSmithyDocumentSerde
}

// Contains the details about the policy generation error.
type JobError struct {

	// The job error code.
	//
	// This member is required.
	Code JobErrorCode

	// Specific information about the error. For example, which service quota was
	// exceeded or which resource was not found.
	//
	// This member is required.
	Message *string

	noSmithyDocumentSerde
}

// A proposed grant configuration for a KMS key. For more information, see
// CreateGrant
// (https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html).
type KmsGrantConfiguration struct {

	// The principal that is given permission to perform the operations that the grant
	// permits.
	//
	// This member is required.
	GranteePrincipal *string

	// The Amazon Web Services account under which the grant was issued. The account is
	// used to propose KMS grants issued by accounts other than the owner of the key.
	//
	// This member is required.
	IssuingAccount *string

	// A list of operations that the grant permits.
	//
	// This member is required.
	Operations []KmsGrantOperation

	// Use this structure to propose allowing cryptographic operations
	// (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// in the grant only when the operation request includes the specified encryption
	// context
	// (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context).
	Constraints *KmsGrantConstraints

	// The principal that is given permission to retire the grant by using RetireGrant
	// (https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html)
	// operation.
	RetiringPrincipal *string

	noSmithyDocumentSerde
}

// Use this structure to propose allowing cryptographic operations
// (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
// in the grant only when the operation request includes the specified encryption
// context
// (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context).
// You can specify only one type of encryption context. An empty map is treated as
// not specified. For more information, see GrantConstraints
// (https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html).
type KmsGrantConstraints struct {

	// A list of key-value pairs that must match the encryption context in the
	// cryptographic operation
	// (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// request. The grant allows the operation only when the encryption context in the
	// request is the same as the encryption context specified in this constraint.
	EncryptionContextEquals map[string]string

	// A list of key-value pairs that must be included in the encryption context of the
	// cryptographic operation
	// (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
	// request. The grant allows the cryptographic operation only when the encryption
	// context in the request includes the key-value pairs specified in this
	// constraint, although it can include additional key-value pairs.
	EncryptionContextSubset map[string]string

	noSmithyDocumentSerde
}

// Proposed access control configuration for a KMS key. You can propose a
// configuration for a new KMS key or an existing KMS key that you own by
// specifying the key policy and KMS grant configuration. If the configuration is
// for an existing key and you do not specify the key policy, the access preview
// uses the existing policy for the key. If the access preview is for a new
// resource and you do not specify the key policy, then the access preview uses the
// default key policy. The proposed key policy cannot be an empty string. For more
// information, see Default key policy
// (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default).
// For more information about key policy limits, see Resource quotas
// (https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html).
type KmsKeyConfiguration struct {

	// A list of proposed grant configurations for the KMS key. If the proposed grant
	// configuration is for an existing key, the access preview uses the proposed list
	// of grant configurations in place of the existing grants. Otherwise, the access
	// preview uses the existing grants for the key.
	Grants []KmsGrantConfiguration

	// Resource policy configuration for the KMS key. The only valid value for the name
	// of the key policy is default. For more information, see Default key policy
	// (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default).
	KeyPolicies map[string]string

	noSmithyDocumentSerde
}

// A location in a policy that is represented as a path through the JSON
// representation and a corresponding span.
type Location struct {

	// A path in a policy, represented as a sequence of path elements.
	//
	// This member is required.
	Path []PathElement

	// A span in a policy.
	//
	// This member is required.
	Span *Span

	noSmithyDocumentSerde
}

// The proposed InternetConfiguration or VpcConfiguration to apply to the Amazon S3
// access point. VpcConfiguration does not apply to multi-region access points. You
// can make the access point accessible from the internet, or you can specify that
// all requests made through that access point must originate from a specific
// virtual private cloud (VPC). You can specify only one type of network
// configuration. For more information, see Creating access points
// (https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html).
//
// The following types satisfy this interface:
// NetworkOriginConfigurationMemberVpcConfiguration
// NetworkOriginConfigurationMemberInternetConfiguration
type NetworkOriginConfiguration interface {
	isNetworkOriginConfiguration()
}

// The proposed virtual private cloud (VPC) configuration for the Amazon S3 access
// point. VPC configuration does not apply to multi-region access points. For more
// information, see VpcConfiguration
// (https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html).
type NetworkOriginConfigurationMemberVpcConfiguration struct {
	Value VpcConfiguration

	noSmithyDocumentSerde
}

// isNetworkOriginConfiguration marks this union member; because the receiver is
// a pointer, only *NetworkOriginConfigurationMemberVpcConfiguration satisfies
// NetworkOriginConfiguration.
func (*NetworkOriginConfigurationMemberVpcConfiguration) isNetworkOriginConfiguration() {}

// The configuration for the Amazon S3 access point or multi-region access point
// with an Internet origin.
type NetworkOriginConfigurationMemberInternetConfiguration struct {
	Value InternetConfiguration

	noSmithyDocumentSerde
}

// isNetworkOriginConfiguration marks this union member; because the receiver is
// a pointer, only *NetworkOriginConfigurationMemberInternetConfiguration
// satisfies NetworkOriginConfiguration.
func (*NetworkOriginConfigurationMemberInternetConfiguration) isNetworkOriginConfiguration() {}

// A single element in a path through the JSON representation of a policy.
//
// The following types satisfy this interface:
// PathElementMemberIndex
// PathElementMemberKey
// PathElementMemberSubstring
// PathElementMemberValue
type PathElement interface {
	isPathElement()
}

// Refers to an index in a JSON array.
type PathElementMemberIndex struct {
	Value int32

	noSmithyDocumentSerde
}

// isPathElement marks this union member; because the receiver is a pointer, only
// *PathElementMemberIndex satisfies PathElement.
func (*PathElementMemberIndex) isPathElement() {}

// Refers to a key in a JSON object.
type PathElementMemberKey struct {
	Value string

	noSmithyDocumentSerde
}

// isPathElement marks this union member; because the receiver is a pointer, only
// *PathElementMemberKey satisfies PathElement.
func (*PathElementMemberKey) isPathElement() {}

// Refers to a substring of a literal string in a JSON object.
type PathElementMemberSubstring struct {
	Value Substring

	noSmithyDocumentSerde
}

// isPathElement marks this union member; because the receiver is a pointer, only
// *PathElementMemberSubstring satisfies PathElement.
func (*PathElementMemberSubstring) isPathElement() {}

// Refers to the value associated with a given key in a JSON object.
type PathElementMemberValue struct {
	Value string

	noSmithyDocumentSerde
}

// isPathElement marks this union member; because the receiver is a pointer, only
// *PathElementMemberValue satisfies PathElement.
func (*PathElementMemberValue) isPathElement() {}

// Contains details about the policy generation status and properties.
type PolicyGeneration struct {

	// The JobId that is returned by the StartPolicyGeneration operation. The JobId can
	// be used with GetGeneratedPolicy to retrieve the generated policies or used with
	// CancelPolicyGeneration to cancel the policy generation request.
	//
	// This member is required.
	JobId *string

	// The ARN of the IAM entity (user or role) for which you are generating a policy.
	//
	// This member is required.
	PrincipalArn *string

	// A timestamp of when the policy generation started.
	//
	// This member is required.
	StartedOn *time.Time

	// The status of the policy generation request.
	//
	// This member is required.
	Status JobStatus

	// A timestamp of when the policy generation was completed.
	CompletedOn *time.Time

	noSmithyDocumentSerde
}

// Contains the ARN details about the IAM entity for which the policy is generated.
type PolicyGenerationDetails struct {

	// The ARN of the IAM entity (user or role) for which you are generating a policy.
	//
	// This member is required.
	PrincipalArn *string

	noSmithyDocumentSerde
}

// A position in a policy.
type Position struct {

	// The column of the position, starting from 0.
	//
	// This member is required.
	Column *int32

	// The line of the position, starting from 1.
	//
	// This member is required.
	Line *int32

	// The offset within the policy that corresponds to the position, starting from 0.
	//
	// This member is required.
	Offset *int32

	noSmithyDocumentSerde
}

// The configuration for an Amazon S3 access point or multi-region access point for
// the bucket. You can propose up to 10 access points or multi-region access points
// per bucket. If the proposed Amazon S3 access point configuration is for an
// existing bucket, the access preview uses the proposed access point configuration
// in place of the existing access points.
To propose an access point without a 1078// policy, you can provide an empty string as the access point policy. For more 1079// information, see Creating access points 1080// (https://docs.aws.amazon.com/https:/docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html). 1081// For more information about access point policy limits, see Access points 1082// restrictions and limitations 1083// (https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points-restrictions-limitations.html). 1084type S3AccessPointConfiguration struct { 1085 1086 // The access point or multi-region access point policy. 1087 AccessPointPolicy *string 1088 1089 // The proposed Internet and VpcConfiguration to apply to this Amazon S3 access 1090 // point. VpcConfiguration does not apply to multi-region access points. If the 1091 // access preview is for a new resource and neither is specified, the access 1092 // preview uses Internet for the network origin. If the access preview is for an 1093 // existing resource and neither is specified, the access preview uses the exiting 1094 // network origin. 1095 NetworkOrigin NetworkOriginConfiguration 1096 1097 // The proposed S3PublicAccessBlock configuration to apply to this Amazon S3 access 1098 // point or multi-region access point. 1099 PublicAccessBlock *S3PublicAccessBlockConfiguration 1100 1101 noSmithyDocumentSerde 1102} 1103 1104// A proposed access control list grant configuration for an Amazon S3 bucket. For 1105// more information, see How to Specify an ACL 1106// (https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#setting-acls). 1107type S3BucketAclGrantConfiguration struct { 1108 1109 // The grantee to whom you’re assigning access rights. 1110 // 1111 // This member is required. 1112 Grantee AclGrantee 1113 1114 // The permissions being granted. 1115 // 1116 // This member is required. 
1117 Permission AclPermission 1118 1119 noSmithyDocumentSerde 1120} 1121 1122// Proposed access control configuration for an Amazon S3 bucket. You can propose a 1123// configuration for a new Amazon S3 bucket or an existing Amazon S3 bucket that 1124// you own by specifying the Amazon S3 bucket policy, bucket ACLs, bucket BPA 1125// settings, Amazon S3 access points, and multi-region access points attached to 1126// the bucket. If the configuration is for an existing Amazon S3 bucket and you do 1127// not specify the Amazon S3 bucket policy, the access preview uses the existing 1128// policy attached to the bucket. If the access preview is for a new resource and 1129// you do not specify the Amazon S3 bucket policy, the access preview assumes a 1130// bucket without a policy. To propose deletion of an existing bucket policy, you 1131// can specify an empty string. For more information about bucket policy limits, 1132// see Bucket Policy Examples 1133// (https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html). 1134type S3BucketConfiguration struct { 1135 1136 // The configuration of Amazon S3 access points or multi-region access points for 1137 // the bucket. You can propose up to 10 new access points per bucket. 1138 AccessPoints map[string]S3AccessPointConfiguration 1139 1140 // The proposed list of ACL grants for the Amazon S3 bucket. You can propose up to 1141 // 100 ACL grants per bucket. If the proposed grant configuration is for an 1142 // existing bucket, the access preview uses the proposed list of grant 1143 // configurations in place of the existing grants. Otherwise, the access preview 1144 // uses the existing grants for the bucket. 1145 BucketAclGrants []S3BucketAclGrantConfiguration 1146 1147 // The proposed bucket policy for the Amazon S3 bucket. 1148 BucketPolicy *string 1149 1150 // The proposed block public access configuration for the Amazon S3 bucket. 
1151 BucketPublicAccessBlock *S3PublicAccessBlockConfiguration 1152 1153 noSmithyDocumentSerde 1154} 1155 1156// The PublicAccessBlock configuration to apply to this Amazon S3 bucket. If the 1157// proposed configuration is for an existing Amazon S3 bucket and the configuration 1158// is not specified, the access preview uses the existing setting. If the proposed 1159// configuration is for a new bucket and the configuration is not specified, the 1160// access preview uses false. If the proposed configuration is for a new access 1161// point or multi-region access point and the access point BPA configuration is not 1162// specified, the access preview uses true. For more information, see 1163// PublicAccessBlockConfiguration 1164// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html). 1165type S3PublicAccessBlockConfiguration struct { 1166 1167 // Specifies whether Amazon S3 should ignore public ACLs for this bucket and 1168 // objects in this bucket. 1169 // 1170 // This member is required. 1171 IgnorePublicAcls *bool 1172 1173 // Specifies whether Amazon S3 should restrict public bucket policies for this 1174 // bucket. 1175 // 1176 // This member is required. 1177 RestrictPublicBuckets *bool 1178 1179 noSmithyDocumentSerde 1180} 1181 1182// The configuration for a Secrets Manager secret. For more information, see 1183// CreateSecret 1184// (https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html). 1185// You can propose a configuration for a new secret or an existing secret that you 1186// own by specifying the secret policy and optional KMS encryption key. If the 1187// configuration is for an existing secret and you do not specify the secret 1188// policy, the access preview uses the existing policy for the secret. If the 1189// access preview is for a new resource and you do not specify the policy, the 1190// access preview assumes a secret without a policy. 
To propose deletion of an 1191// existing policy, you can specify an empty string. If the proposed configuration 1192// is for a new secret and you do not specify the KMS key ID, the access preview 1193// uses the default CMK of the Amazon Web Services account. If you specify an empty 1194// string for the KMS key ID, the access preview uses the default CMK of the Amazon 1195// Web Services account. For more information about secret policy limits, see 1196// Quotas for Secrets Manager. 1197// (https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html). 1198type SecretsManagerSecretConfiguration struct { 1199 1200 // The proposed ARN, key ID, or alias of the KMS customer master key (CMK). 1201 KmsKeyId *string 1202 1203 // The proposed resource policy defining who can access or manage the secret. 1204 SecretPolicy *string 1205 1206 noSmithyDocumentSerde 1207} 1208 1209// The criteria used to sort. 1210type SortCriteria struct { 1211 1212 // The name of the attribute to sort on. 1213 AttributeName *string 1214 1215 // The sort order, ascending or descending. 1216 OrderBy OrderBy 1217 1218 noSmithyDocumentSerde 1219} 1220 1221// A span in a policy. The span consists of a start position (inclusive) and end 1222// position (exclusive). 1223type Span struct { 1224 1225 // The end position of the span (exclusive). 1226 // 1227 // This member is required. 1228 End *Position 1229 1230 // The start position of the span (inclusive). 1231 // 1232 // This member is required. 1233 Start *Position 1234 1235 noSmithyDocumentSerde 1236} 1237 1238// The proposed access control configuration for an Amazon SQS queue. You can 1239// propose a configuration for a new Amazon SQS queue or an existing Amazon SQS 1240// queue that you own by specifying the Amazon SQS policy. If the configuration is 1241// for an existing Amazon SQS queue and you do not specify the Amazon SQS policy, 1242// the access preview uses the existing Amazon SQS policy for the queue. 
If the 1243// access preview is for a new resource and you do not specify the policy, the 1244// access preview assumes an Amazon SQS queue without a policy. To propose deletion 1245// of an existing Amazon SQS queue policy, you can specify an empty string for the 1246// Amazon SQS policy. For more information about Amazon SQS policy limits, see 1247// Quotas related to policies 1248// (https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-policies.html). 1249type SqsQueueConfiguration struct { 1250 1251 // The proposed resource policy for the Amazon SQS queue. 1252 QueuePolicy *string 1253 1254 noSmithyDocumentSerde 1255} 1256 1257// Provides more details about the current status of the analyzer. For example, if 1258// the creation for the analyzer fails, a Failed status is returned. For an 1259// analyzer with organization as the type, this failure can be due to an issue with 1260// creating the service-linked roles required in the member accounts of the Amazon 1261// Web Services organization. 1262type StatusReason struct { 1263 1264 // The reason code for the current status of the analyzer. 1265 // 1266 // This member is required. 1267 Code ReasonCode 1268 1269 noSmithyDocumentSerde 1270} 1271 1272// A reference to a substring of a literal string in a JSON document. 1273type Substring struct { 1274 1275 // The length of the substring. 1276 // 1277 // This member is required. 1278 Length *int32 1279 1280 // The start index of the substring, starting from 0. 1281 // 1282 // This member is required. 1283 Start *int32 1284 1285 noSmithyDocumentSerde 1286} 1287 1288// Contains details about the CloudTrail trail being analyzed to generate a policy. 1289type Trail struct { 1290 1291 // Specifies the ARN of the trail. The format of a trail ARN is 1292 // arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail. 1293 // 1294 // This member is required. 1295 CloudTrailArn *string 1296 1297 // Possible values are true or false. 
If set to true, IAM Access Analyzer retrieves 1298 // CloudTrail data from all regions to analyze and generate a policy. 1299 AllRegions *bool 1300 1301 // A list of regions to get CloudTrail data from and analyze to generate a policy. 1302 Regions []string 1303 1304 noSmithyDocumentSerde 1305} 1306 1307// Contains details about the CloudTrail trail being analyzed to generate a policy. 1308type TrailProperties struct { 1309 1310 // Specifies the ARN of the trail. The format of a trail ARN is 1311 // arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail. 1312 // 1313 // This member is required. 1314 CloudTrailArn *string 1315 1316 // Possible values are true or false. If set to true, IAM Access Analyzer retrieves 1317 // CloudTrail data from all regions to analyze and generate a policy. 1318 AllRegions *bool 1319 1320 // A list of regions to get CloudTrail data from and analyze to generate a policy. 1321 Regions []string 1322 1323 noSmithyDocumentSerde 1324} 1325 1326// A finding in a policy. Each finding is an actionable recommendation that can be 1327// used to improve the policy. 1328type ValidatePolicyFinding struct { 1329 1330 // A localized message that explains the finding and provides guidance on how to 1331 // address it. 1332 // 1333 // This member is required. 1334 FindingDetails *string 1335 1336 // The impact of the finding. Security warnings report when the policy allows 1337 // access that we consider overly permissive. Errors report when a part of the 1338 // policy is not functional. Warnings report non-security issues when a policy does 1339 // not conform to policy writing best practices. Suggestions recommend stylistic 1340 // improvements in the policy that do not impact access. 1341 // 1342 // This member is required. 1343 FindingType ValidatePolicyFindingType 1344 1345 // The issue code provides an identifier of the issue associated with this finding. 1346 // 1347 // This member is required. 
1348 IssueCode *string 1349 1350 // A link to additional documentation about the type of finding. 1351 // 1352 // This member is required. 1353 LearnMoreLink *string 1354 1355 // The list of locations in the policy document that are related to the finding. 1356 // The issue code provides a summary of an issue identified by the finding. 1357 // 1358 // This member is required. 1359 Locations []Location 1360 1361 noSmithyDocumentSerde 1362} 1363 1364// Contains information about a validation exception. 1365type ValidationExceptionField struct { 1366 1367 // A message about the validation exception. 1368 // 1369 // This member is required. 1370 Message *string 1371 1372 // The name of the validation exception. 1373 // 1374 // This member is required. 1375 Name *string 1376 1377 noSmithyDocumentSerde 1378} 1379 1380// The proposed virtual private cloud (VPC) configuration for the Amazon S3 access 1381// point. VPC configuration does not apply to multi-region access points. For more 1382// information, see VpcConfiguration 1383// (https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html). 1384type VpcConfiguration struct { 1385 1386 // If this field is specified, this access point will only allow connections from 1387 // the specified VPC ID. 1388 // 1389 // This member is required. 1390 VpcId *string 1391 1392 noSmithyDocumentSerde 1393} 1394 1395type noSmithyDocumentSerde = smithydocument.NoSerde 1396 1397// UnknownUnionMember is returned when a union member is returned over the wire, 1398// but has an unknown tag. 1399type UnknownUnionMember struct { 1400 Tag string 1401 Value []byte 1402 1403 noSmithyDocumentSerde 1404} 1405 1406func (*UnknownUnionMember) isAclGrantee() {} 1407func (*UnknownUnionMember) isConfiguration() {} 1408func (*UnknownUnionMember) isNetworkOriginConfiguration() {} 1409func (*UnknownUnionMember) isPathElement() {} 1410