AccessAnalyzer class

Identity and Access Management Access Analyzer helps you to set, verify, and refine your IAM policies by providing a suite of capabilities. Its features include findings for external, internal, and unused access, basic and custom policy checks for validating policies, and policy generation to generate fine-grained policies. To start using IAM Access Analyzer to identify external, internal, or unused access, you first need to create an analyzer.

External access analyzers help you identify potential risks of accessing resources by enabling you to identify any resource policies that grant access to an external principal. It does this by using logic-based reasoning to analyze resource-based policies in your Amazon Web Services environment. An external principal can be another Amazon Web Services account, a root user, an IAM user or role, a federated user, an Amazon Web Services service, or an anonymous user. You can also use IAM Access Analyzer to preview public and cross-account access to your resources before deploying permissions changes.

Internal access analyzers help you identify which principals within your organization or account have access to selected resources. This analysis supports implementing the principle of least privilege by ensuring that your specified resources can only be accessed by the intended principals within your organization.

Unused access analyzers help you identify potential identity access risks by enabling you to identify unused IAM roles, unused access keys, unused console passwords, and IAM principals with unused service and action-level permissions.

Beyond findings, IAM Access Analyzer provides basic and custom policy checks to validate IAM policies before deploying permissions changes. You can use policy generation to refine permissions by attaching a policy generated using access activity logged in CloudTrail logs.

This guide describes the IAM Access Analyzer operations that you can call programmatically. For general information about IAM Access Analyzer, see Using Identity and Access Management Access Analyzer in the IAM User Guide.

Constructors

AccessAnalyzer({required String region, AwsClientCredentials? credentials, AwsClientCredentialsProvider? credentialsProvider, Client? client, String? endpointUrl})

Properties

hashCode int
The hash code for this object.
no setterinherited
runtimeType Type
A representation of the runtime type of the object.
no setterinherited

Methods

applyArchiveRule({required String analyzerArn, required String ruleName, String? clientToken}) Future<void>
Retroactively applies the archive rule to existing findings that meet the archive rule criteria.
cancelPolicyGeneration({required String jobId}) Future<void>
Cancels the requested policy generation.
checkAccessNotGranted({required List<Access> access, required String policyDocument, required AccessCheckPolicyType policyType}) Future<CheckAccessNotGrantedResponse>
Checks whether the specified access isn't allowed by a policy.
checkNoNewAccess({required String existingPolicyDocument, required String newPolicyDocument, required AccessCheckPolicyType policyType}) Future<CheckNoNewAccessResponse>
Checks whether new access is allowed for an updated policy when compared to the existing policy.
checkNoPublicAccess({required String policyDocument, required AccessCheckResourceType resourceType}) Future<CheckNoPublicAccessResponse>
Checks whether a resource policy can grant public access to the specified resource type.
close() → void
Closes the internal HTTP client if none was provided at creation. If a client was passed as a constructor argument, this becomes a noop.
createAccessPreview({required String analyzerArn, required Map<String, Configuration> configurations, String? clientToken}) Future<CreateAccessPreviewResponse>
Creates an access preview that allows you to preview IAM Access Analyzer findings for your resource before deploying resource permissions.
createAnalyzer({required String analyzerName, required Type type, List<InlineArchiveRule>? archiveRules, String? clientToken, AnalyzerConfiguration? configuration, Map<String, String>? tags}) Future<CreateAnalyzerResponse>
Creates an analyzer for your account.
createArchiveRule({required String analyzerName, required Map<String, Criterion> filter, required String ruleName, String? clientToken}) Future<void>
Creates an archive rule for the specified analyzer. Archive rules automatically archive new findings that meet the criteria you define when you create the rule.
createServiceLinkedAnalyzer({required Type type, List<InlineArchiveRule>? archiveRules, String? clientToken, AnalyzerConfiguration? configuration}) Future<CreateServiceLinkedAnalyzerResponse>
Creates a service-linked analyzer managed by an Amazon Web Services service. This operation can only be invoked by authorized Amazon Web Services services. Direct customer invocation returns AccessDeniedException.
deleteAnalyzer({required String analyzerName, String? clientToken}) Future<void>
Deletes the specified analyzer. When you delete an analyzer, IAM Access Analyzer is disabled for the account or organization in the current or specific Region. All findings that were generated by the analyzer are deleted. You cannot undo this action.
deleteArchiveRule({required String analyzerName, required String ruleName, String? clientToken}) Future<void>
Deletes the specified archive rule.
deleteServiceLinkedAnalyzer({required String analyzerName, String? clientToken}) Future<void>
Deletes a service-linked analyzer. This operation can be invoked by both authorized Amazon Web Services services and customers.
generateFindingRecommendation({required String analyzerArn, required String id}) Future<void>
Creates a recommendation for an unused permissions finding.
getAccessPreview({required String accessPreviewId, required String analyzerArn}) Future<GetAccessPreviewResponse>
Retrieves information about an access preview for the specified analyzer.
getAnalyzedResource({required String analyzerArn, required String resourceArn}) Future<GetAnalyzedResourceResponse>
Retrieves information about a resource that was analyzed.
getAnalyzer({required String analyzerName}) Future<GetAnalyzerResponse>
Retrieves information about the specified analyzer.
getArchiveRule({required String analyzerName, required String ruleName}) Future<GetArchiveRuleResponse>
Retrieves information about an archive rule.
getFinding({required String analyzerArn, required String id}) Future<GetFindingResponse>
Retrieves information about the specified finding. GetFinding and GetFindingV2 both use access-analyzer:GetFinding in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:GetFinding action.
getFindingRecommendation({required String analyzerArn, required String id, int? maxResults, String? nextToken}) Future<GetFindingRecommendationResponse>
Retrieves information about a finding recommendation for the specified analyzer.
getFindingsStatistics({required String analyzerArn}) Future<GetFindingsStatisticsResponse>
Retrieves a list of aggregated finding statistics for an external access or unused access analyzer.
getFindingV2({required String analyzerArn, required String id, int? maxResults, String? nextToken}) Future<GetFindingV2Response>
Retrieves information about the specified finding. GetFinding and GetFindingV2 both use access-analyzer:GetFinding in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:GetFinding action.
getGeneratedPolicy({required String jobId, bool? includeResourcePlaceholders, bool? includeServiceLevelTemplate}) Future<GetGeneratedPolicyResponse>
Retrieves the policy that was generated using StartPolicyGeneration.
listAccessPreviewFindings({required String accessPreviewId, required String analyzerArn, Map<String, Criterion>? filter, int? maxResults, String? nextToken}) Future<ListAccessPreviewFindingsResponse>
Retrieves a list of access preview findings generated by the specified access preview.
listAccessPreviews({required String analyzerArn, int? maxResults, String? nextToken}) Future<ListAccessPreviewsResponse>
Retrieves a list of access previews for the specified analyzer.
listAnalyzedResources({required String analyzerArn, int? maxResults, String? nextToken, ResourceType? resourceType}) Future<ListAnalyzedResourcesResponse>
Retrieves a list of resources of the specified type that have been analyzed by the specified analyzer.
listAnalyzers({int? maxResults, String? nextToken, Type? type}) Future<ListAnalyzersResponse>
Retrieves a list of analyzers.
listArchiveRules({required String analyzerName, int? maxResults, String? nextToken}) Future<ListArchiveRulesResponse>
Retrieves a list of archive rules created for the specified analyzer.
listFindings({required String analyzerArn, Map<String, Criterion>? filter, int? maxResults, String? nextToken, SortCriteria? sort}) Future<ListFindingsResponse>
Retrieves a list of findings generated by the specified analyzer. ListFindings and ListFindingsV2 both use access-analyzer:ListFindings in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:ListFindings action.
listFindingsV2({required String analyzerArn, Map<String, Criterion>? filter, int? maxResults, String? nextToken, SortCriteria? sort}) Future<ListFindingsV2Response>
Retrieves a list of findings generated by the specified analyzer. ListFindings and ListFindingsV2 both use access-analyzer:ListFindings in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:ListFindings action.
listPolicyGenerations({int? maxResults, String? nextToken, String? principalArn}) Future<ListPolicyGenerationsResponse>
Lists all of the policy generations requested in the last seven days.
listTagsForResource({required String resourceArn}) Future<ListTagsForResourceResponse>
Retrieves a list of tags applied to the specified resource.
noSuchMethod(Invocation invocation) → dynamic
Invoked when a nonexistent method or property is accessed.
inherited
startPolicyGeneration({required PolicyGenerationDetails policyGenerationDetails, String? clientToken, CloudTrailDetails? cloudTrailDetails}) Future<StartPolicyGenerationResponse>
Starts the policy generation request.
startResourceScan({required String analyzerArn, required String resourceArn, String? resourceOwnerAccount}) Future<void>
Immediately starts a scan of the policies applied to the specified resource.
tagResource({required String resourceArn, required Map<String, String> tags}) Future<void>
Adds a tag to the specified resource.
toString() String
A string representation of this object.
inherited
untagResource({required String resourceArn, required List<String> tagKeys}) Future<void>
Removes a tag from the specified resource.
updateAnalyzer({required String analyzerName, AnalyzerConfiguration? configuration}) Future<UpdateAnalyzerResponse>
Modifies the configuration of an existing analyzer.
updateArchiveRule({required String analyzerName, required Map<String, Criterion> filter, required String ruleName, String? clientToken}) Future<void>
Updates the criteria and values for the specified archive rule.
updateFindings({required String analyzerArn, required FindingStatusUpdate status, String? clientToken, List<String>? ids, String? resourceArn}) Future<void>
Updates the status for the specified findings.
validatePolicy({required String policyDocument, required PolicyType policyType, Locale? locale, int? maxResults, String? nextToken, ValidatePolicyResourceType? validatePolicyResourceType}) Future<ValidatePolicyResponse>
Requests the validation of a policy and returns a list of findings. The findings help you identify issues and provide actionable recommendations to resolve the issue and enable you to author functional policies that meet security best practices.

Operators

operator ==(Object other) bool
The equality operator.
inherited