feat(client-accessanalyzer): IAM Access Analyzer now provides policy …

…recommendations to help resolve unused permissions for IAM roles and users. Additionally, IAM Access Analyzer now extends its custom policy checks to detect when IAM policies grant public access or access to critical resources ahead of deployments.
aws · Jun 11, 2024 · c5dc054 · c5dc054
1 parent dde3dbe
commit c5dc054
Show file tree

Hide file tree

Showing 13 changed files with 1,766 additions and 11 deletions.
diff --git a/clients/client-accessanalyzer/README.md b/clients/client-accessanalyzer/README.md
@@ -257,6 +257,14 @@ CheckNoNewAccess
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/accessanalyzer/command/CheckNoNewAccessCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/CheckNoNewAccessCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/CheckNoNewAccessCommandOutput/)
 
+</details>
+<details>
+<summary>
+CheckNoPublicAccess
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/accessanalyzer/command/CheckNoPublicAccessCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/CheckNoPublicAccessCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/CheckNoPublicAccessCommandOutput/)
+
 </details>
 <details>
 <summary>
@@ -297,6 +305,14 @@ DeleteArchiveRule
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/accessanalyzer/command/DeleteArchiveRuleCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/DeleteArchiveRuleCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/DeleteArchiveRuleCommandOutput/)
 
+</details>
+<details>
+<summary>
+GenerateFindingRecommendation
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/accessanalyzer/command/GenerateFindingRecommendationCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/GenerateFindingRecommendationCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/GenerateFindingRecommendationCommandOutput/)
+
 </details>
 <details>
 <summary>
@@ -337,6 +353,14 @@ GetFinding
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/accessanalyzer/command/GetFindingCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/GetFindingCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/GetFindingCommandOutput/)
 
+</details>
+<details>
+<summary>
+GetFindingRecommendation
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/accessanalyzer/command/GetFindingRecommendationCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/GetFindingRecommendationCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-accessanalyzer/Interface/GetFindingRecommendationCommandOutput/)
+
 </details>
 <details>
 <summary>

diff --git a/clients/client-accessanalyzer/src/AccessAnalyzer.ts b/clients/client-accessanalyzer/src/AccessAnalyzer.ts
@@ -23,6 +23,11 @@ import {
   CheckNoNewAccessCommandInput,
   CheckNoNewAccessCommandOutput,
 } from "./commands/CheckNoNewAccessCommand";
+import {
+  CheckNoPublicAccessCommand,
+  CheckNoPublicAccessCommandInput,
+  CheckNoPublicAccessCommandOutput,
+} from "./commands/CheckNoPublicAccessCommand";
 import {
   CreateAccessPreviewCommand,
   CreateAccessPreviewCommandInput,
@@ -48,6 +53,11 @@ import {
   DeleteArchiveRuleCommandInput,
   DeleteArchiveRuleCommandOutput,
 } from "./commands/DeleteArchiveRuleCommand";
+import {
+  GenerateFindingRecommendationCommand,
+  GenerateFindingRecommendationCommandInput,
+  GenerateFindingRecommendationCommandOutput,
+} from "./commands/GenerateFindingRecommendationCommand";
 import {
   GetAccessPreviewCommand,
   GetAccessPreviewCommandInput,
@@ -65,6 +75,11 @@ import {
   GetArchiveRuleCommandOutput,
 } from "./commands/GetArchiveRuleCommand";
 import { GetFindingCommand, GetFindingCommandInput, GetFindingCommandOutput } from "./commands/GetFindingCommand";
+import {
+  GetFindingRecommendationCommand,
+  GetFindingRecommendationCommandInput,
+  GetFindingRecommendationCommandOutput,
+} from "./commands/GetFindingRecommendationCommand";
 import {
   GetFindingV2Command,
   GetFindingV2CommandInput,
@@ -157,16 +172,19 @@ const commands = {
   CancelPolicyGenerationCommand,
   CheckAccessNotGrantedCommand,
   CheckNoNewAccessCommand,
+  CheckNoPublicAccessCommand,
   CreateAccessPreviewCommand,
   CreateAnalyzerCommand,
   CreateArchiveRuleCommand,
   DeleteAnalyzerCommand,
   DeleteArchiveRuleCommand,
+  GenerateFindingRecommendationCommand,
   GetAccessPreviewCommand,
   GetAnalyzedResourceCommand,
   GetAnalyzerCommand,
   GetArchiveRuleCommand,
   GetFindingCommand,
+  GetFindingRecommendationCommand,
   GetFindingV2Command,
   GetGeneratedPolicyCommand,
   ListAccessPreviewFindingsCommand,
@@ -256,6 +274,23 @@ export interface AccessAnalyzer {
     cb: (err: any, data?: CheckNoNewAccessCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link CheckNoPublicAccessCommand}
+   */
+  checkNoPublicAccess(
+    args: CheckNoPublicAccessCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<CheckNoPublicAccessCommandOutput>;
+  checkNoPublicAccess(
+    args: CheckNoPublicAccessCommandInput,
+    cb: (err: any, data?: CheckNoPublicAccessCommandOutput) => void
+  ): void;
+  checkNoPublicAccess(
+    args: CheckNoPublicAccessCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: CheckNoPublicAccessCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link CreateAccessPreviewCommand}
    */
@@ -335,6 +370,23 @@ export interface AccessAnalyzer {
     cb: (err: any, data?: DeleteArchiveRuleCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link GenerateFindingRecommendationCommand}
+   */
+  generateFindingRecommendation(
+    args: GenerateFindingRecommendationCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<GenerateFindingRecommendationCommandOutput>;
+  generateFindingRecommendation(
+    args: GenerateFindingRecommendationCommandInput,
+    cb: (err: any, data?: GenerateFindingRecommendationCommandOutput) => void
+  ): void;
+  generateFindingRecommendation(
+    args: GenerateFindingRecommendationCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: GenerateFindingRecommendationCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link GetAccessPreviewCommand}
    */
@@ -405,6 +457,23 @@ export interface AccessAnalyzer {
     cb: (err: any, data?: GetFindingCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link GetFindingRecommendationCommand}
+   */
+  getFindingRecommendation(
+    args: GetFindingRecommendationCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<GetFindingRecommendationCommandOutput>;
+  getFindingRecommendation(
+    args: GetFindingRecommendationCommandInput,
+    cb: (err: any, data?: GetFindingRecommendationCommandOutput) => void
+  ): void;
+  getFindingRecommendation(
+    args: GetFindingRecommendationCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: GetFindingRecommendationCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link GetFindingV2Command}
    */

diff --git a/clients/client-accessanalyzer/src/AccessAnalyzerClient.ts b/clients/client-accessanalyzer/src/AccessAnalyzerClient.ts
@@ -63,6 +63,10 @@ import {
   CheckAccessNotGrantedCommandOutput,
 } from "./commands/CheckAccessNotGrantedCommand";
 import { CheckNoNewAccessCommandInput, CheckNoNewAccessCommandOutput } from "./commands/CheckNoNewAccessCommand";
+import {
+  CheckNoPublicAccessCommandInput,
+  CheckNoPublicAccessCommandOutput,
+} from "./commands/CheckNoPublicAccessCommand";
 import {
   CreateAccessPreviewCommandInput,
   CreateAccessPreviewCommandOutput,
@@ -71,6 +75,10 @@ import { CreateAnalyzerCommandInput, CreateAnalyzerCommandOutput } from "./comma
 import { CreateArchiveRuleCommandInput, CreateArchiveRuleCommandOutput } from "./commands/CreateArchiveRuleCommand";
 import { DeleteAnalyzerCommandInput, DeleteAnalyzerCommandOutput } from "./commands/DeleteAnalyzerCommand";
 import { DeleteArchiveRuleCommandInput, DeleteArchiveRuleCommandOutput } from "./commands/DeleteArchiveRuleCommand";
+import {
+  GenerateFindingRecommendationCommandInput,
+  GenerateFindingRecommendationCommandOutput,
+} from "./commands/GenerateFindingRecommendationCommand";
 import { GetAccessPreviewCommandInput, GetAccessPreviewCommandOutput } from "./commands/GetAccessPreviewCommand";
 import {
   GetAnalyzedResourceCommandInput,
@@ -79,6 +87,10 @@ import {
 import { GetAnalyzerCommandInput, GetAnalyzerCommandOutput } from "./commands/GetAnalyzerCommand";
 import { GetArchiveRuleCommandInput, GetArchiveRuleCommandOutput } from "./commands/GetArchiveRuleCommand";
 import { GetFindingCommandInput, GetFindingCommandOutput } from "./commands/GetFindingCommand";
+import {
+  GetFindingRecommendationCommandInput,
+  GetFindingRecommendationCommandOutput,
+} from "./commands/GetFindingRecommendationCommand";
 import { GetFindingV2CommandInput, GetFindingV2CommandOutput } from "./commands/GetFindingV2Command";
 import { GetGeneratedPolicyCommandInput, GetGeneratedPolicyCommandOutput } from "./commands/GetGeneratedPolicyCommand";
 import {
@@ -131,16 +143,19 @@ export type ServiceInputTypes =
   | CancelPolicyGenerationCommandInput
   | CheckAccessNotGrantedCommandInput
   | CheckNoNewAccessCommandInput
+  | CheckNoPublicAccessCommandInput
   | CreateAccessPreviewCommandInput
   | CreateAnalyzerCommandInput
   | CreateArchiveRuleCommandInput
   | DeleteAnalyzerCommandInput
   | DeleteArchiveRuleCommandInput
+  | GenerateFindingRecommendationCommandInput
   | GetAccessPreviewCommandInput
   | GetAnalyzedResourceCommandInput
   | GetAnalyzerCommandInput
   | GetArchiveRuleCommandInput
   | GetFindingCommandInput
+  | GetFindingRecommendationCommandInput
   | GetFindingV2CommandInput
   | GetGeneratedPolicyCommandInput
   | ListAccessPreviewFindingsCommandInput
@@ -168,16 +183,19 @@ export type ServiceOutputTypes =
   | CancelPolicyGenerationCommandOutput
   | CheckAccessNotGrantedCommandOutput
   | CheckNoNewAccessCommandOutput
+  | CheckNoPublicAccessCommandOutput
   | CreateAccessPreviewCommandOutput
   | CreateAnalyzerCommandOutput
   | CreateArchiveRuleCommandOutput
   | DeleteAnalyzerCommandOutput
   | DeleteArchiveRuleCommandOutput
+  | GenerateFindingRecommendationCommandOutput
   | GetAccessPreviewCommandOutput
   | GetAnalyzedResourceCommandOutput
   | GetAnalyzerCommandOutput
   | GetArchiveRuleCommandOutput
   | GetFindingCommandOutput
+  | GetFindingRecommendationCommandOutput
   | GetFindingV2CommandOutput
   | GetGeneratedPolicyCommandOutput
   | ListAccessPreviewFindingsCommandOutput

diff --git a/clients/client-accessanalyzer/src/commands/CheckAccessNotGrantedCommand.ts b/clients/client-accessanalyzer/src/commands/CheckAccessNotGrantedCommand.ts
@@ -43,7 +43,10 @@ export interface CheckAccessNotGrantedCommandOutput extends CheckAccessNotGrante
  *   policyDocument: "STRING_VALUE", // required
  *   access: [ // AccessList // required
  *     { // Access
- *       actions: [ // ActionsList // required
+ *       actions: [ // ActionsList
+ *         "STRING_VALUE",
+ *       ],
+ *       resources: [ // ResourcesList
  *         "STRING_VALUE",
  *       ],
  *     },

diff --git a/clients/client-accessanalyzer/src/commands/CheckNoPublicAccessCommand.ts b/clients/client-accessanalyzer/src/commands/CheckNoPublicAccessCommand.ts
@@ -0,0 +1,114 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import { AccessAnalyzerClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../AccessAnalyzerClient";
+import { commonParams } from "../endpoint/EndpointParameters";
+import {
+  CheckNoPublicAccessRequest,
+  CheckNoPublicAccessRequestFilterSensitiveLog,
+  CheckNoPublicAccessResponse,
+} from "../models/models_0";
+import { de_CheckNoPublicAccessCommand, se_CheckNoPublicAccessCommand } from "../protocols/Aws_restJson1";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link CheckNoPublicAccessCommand}.
+ */
+export interface CheckNoPublicAccessCommandInput extends CheckNoPublicAccessRequest {}
+/**
+ * @public
+ *
+ * The output of {@link CheckNoPublicAccessCommand}.
+ */
+export interface CheckNoPublicAccessCommandOutput extends CheckNoPublicAccessResponse, __MetadataBearer {}
+
+/**
+ * <p>Checks whether a resource policy can grant public access to the specified resource
+ *          type.</p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { AccessAnalyzerClient, CheckNoPublicAccessCommand } from "@aws-sdk/client-accessanalyzer"; // ES Modules import
+ * // const { AccessAnalyzerClient, CheckNoPublicAccessCommand } = require("@aws-sdk/client-accessanalyzer"); // CommonJS import
+ * const client = new AccessAnalyzerClient(config);
+ * const input = { // CheckNoPublicAccessRequest
+ *   policyDocument: "STRING_VALUE", // required
+ *   resourceType: "STRING_VALUE", // required
+ * };
+ * const command = new CheckNoPublicAccessCommand(input);
+ * const response = await client.send(command);
+ * // { // CheckNoPublicAccessResponse
+ * //   result: "STRING_VALUE",
+ * //   message: "STRING_VALUE",
+ * //   reasons: [ // ReasonSummaryList
+ * //     { // ReasonSummary
+ * //       description: "STRING_VALUE",
+ * //       statementIndex: Number("int"),
+ * //       statementId: "STRING_VALUE",
+ * //     },
+ * //   ],
+ * // };
+ *
+ * ```
+ *
+ * @param CheckNoPublicAccessCommandInput - {@link CheckNoPublicAccessCommandInput}
+ * @returns {@link CheckNoPublicAccessCommandOutput}
+ * @see {@link CheckNoPublicAccessCommandInput} for command's `input` shape.
+ * @see {@link CheckNoPublicAccessCommandOutput} for command's `response` shape.
+ * @see {@link AccessAnalyzerClientResolvedConfig | config} for AccessAnalyzerClient's `config` shape.
+ *
+ * @throws {@link AccessDeniedException} (client fault)
+ *  <p>You do not have sufficient access to perform this action.</p>
+ *
+ * @throws {@link InternalServerException} (server fault)
+ *  <p>Internal server error.</p>
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>The specified parameter is invalid.</p>
+ *
+ * @throws {@link ThrottlingException} (client fault)
+ *  <p>Throttling limit exceeded error.</p>
+ *
+ * @throws {@link UnprocessableEntityException} (client fault)
+ *  <p>The specified entity could not be processed.</p>
+ *
+ * @throws {@link ValidationException} (client fault)
+ *  <p>Validation exception error.</p>
+ *
+ * @throws {@link AccessAnalyzerServiceException}
+ * <p>Base exception class for all service exceptions from AccessAnalyzer service.</p>
+ *
+ * @public
+ */
+export class CheckNoPublicAccessCommand extends $Command
+  .classBuilder<
+    CheckNoPublicAccessCommandInput,
+    CheckNoPublicAccessCommandOutput,
+    AccessAnalyzerClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep({
+    ...commonParams,
+  })
+  .m(function (this: any, Command: any, cs: any, config: AccessAnalyzerClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("AccessAnalyzer", "CheckNoPublicAccess", {})
+  .n("AccessAnalyzerClient", "CheckNoPublicAccessCommand")
+  .f(CheckNoPublicAccessRequestFilterSensitiveLog, void 0)
+  .ser(se_CheckNoPublicAccessCommand)
+  .de(de_CheckNoPublicAccessCommand)
+  .build() {}