Skip to content

Client

accessanalyzer R Documentation

Access Analyzer

Description

Identity and Access Management Access Analyzer helps you to set, verify, and refine your IAM policies by providing a suite of capabilities. Its features include findings for external and unused access, basic and custom policy checks for validating policies, and policy generation to generate fine-grained policies. To start using IAM Access Analyzer to identify external or unused access, you first need to create an analyzer.

External access analyzers help identify potential risks of accessing resources by enabling you to identify any resource policies that grant access to an external principal. It does this by using logic-based reasoning to analyze resource-based policies in your Amazon Web Services environment. An external principal can be another Amazon Web Services account, a root user, an IAM user or role, a federated user, an Amazon Web Services service, or an anonymous user. You can also use IAM Access Analyzer to preview public and cross-account access to your resources before deploying permissions changes.

Unused access analyzers help identify potential identity access risks by enabling you to identify unused IAM roles, unused access keys, unused console passwords, and IAM principals with unused service and action-level permissions.

Beyond findings, IAM Access Analyzer provides basic and custom policy checks to validate IAM policies before deploying permissions changes. You can use policy generation to refine permissions by attaching a policy generated using access activity logged in CloudTrail logs.

This guide describes the IAM Access Analyzer operations that you can call programmatically. For general information about IAM Access Analyzer, see Identity and Access Management Access Analyzer in the IAM User Guide.

Usage

accessanalyzer(
  config = list(),
  credentials = list(),
  endpoint = NULL,
  region = NULL
)

Arguments

config

Optional configuration of credentials, endpoint, and/or region.

  • credentials:

    • creds:

      • access_key_id: AWS access key ID

      • secret_access_key: AWS secret access key

      • session_token: AWS temporary session token

    • profile: The name of a profile to use. If not given, then the default profile is used.

    • anonymous: Set anonymous credentials.

  • endpoint: The complete URL to use for the constructed client.

  • region: The AWS Region used in instantiating the client.

  • close_connection: Immediately close all HTTP connections.

  • timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

  • s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

  • sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

credentials

Optional credentials shorthand for the config parameter

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

endpoint

Optional shorthand for complete URL to use for the constructed client.

region

Optional shorthand for AWS Region used in instantiating the client.

Value

A client for the service. You can call the service's operations using syntax like svc$operation(...), where svc is the name you've assigned to the client. The available operations are listed in the Operations section.

Service syntax

svc <- accessanalyzer(
  config = list(
    credentials = list(
      creds = list(
        access_key_id = "string",
        secret_access_key = "string",
        session_token = "string"
      ),
      profile = "string",
      anonymous = "logical"
    ),
    endpoint = "string",
    region = "string",
    close_connection = "logical",
    timeout = "numeric",
    s3_force_path_style = "logical",
    sts_regional_endpoint = "string"
  ),
  credentials = list(
    creds = list(
      access_key_id = "string",
      secret_access_key = "string",
      session_token = "string"
    ),
    profile = "string",
    anonymous = "logical"
  ),
  endpoint = "string",
  region = "string"
)

Operations

apply_archive_rule
Retroactively applies the archive rule to existing findings that meet the archive rule criteria
cancel_policy_generation
Cancels the requested policy generation
check_access_not_granted
Checks whether the specified access isn't allowed by a policy
check_no_new_access
Checks whether new access is allowed for an updated policy when compared to the existing policy
check_no_public_access
Checks whether a resource policy can grant public access to the specified resource type
create_access_preview
Creates an access preview that allows you to preview IAM Access Analyzer findings for your resource before deploying resource permissions
create_analyzer
Creates an analyzer for your account
create_archive_rule
Creates an archive rule for the specified analyzer
delete_analyzer
Deletes the specified analyzer
delete_archive_rule
Deletes the specified archive rule
generate_finding_recommendation
Creates a recommendation for an unused permissions finding
get_access_preview
Retrieves information about an access preview for the specified analyzer
get_analyzed_resource
Retrieves information about a resource that was analyzed
get_analyzer
Retrieves information about the specified analyzer
get_archive_rule
Retrieves information about an archive rule
get_finding
Retrieves information about the specified finding
get_finding_recommendation
Retrieves information about a finding recommendation for the specified analyzer
get_finding_v2
Retrieves information about the specified finding
get_generated_policy
Retrieves the policy that was generated using StartPolicyGeneration
list_access_preview_findings
Retrieves a list of access preview findings generated by the specified access preview
list_access_previews
Retrieves a list of access previews for the specified analyzer
list_analyzed_resources
Retrieves a list of resources of the specified type that have been analyzed by the specified external access analyzer
list_analyzers
Retrieves a list of analyzers
list_archive_rules
Retrieves a list of archive rules created for the specified analyzer
list_findings
Retrieves a list of findings generated by the specified analyzer
list_findings_v2
Retrieves a list of findings generated by the specified analyzer
list_policy_generations
Lists all of the policy generations requested in the last seven days
list_tags_for_resource
Retrieves a list of tags applied to the specified resource
start_policy_generation
Starts the policy generation request
start_resource_scan
Immediately starts a scan of the policies applied to the specified resource
tag_resource
Adds a tag to the specified resource
untag_resource
Removes a tag from the specified resource
update_archive_rule
Updates the criteria and values for the specified archive rule
update_findings
Updates the status for the specified findings
validate_policy
Requests the validation of a policy and returns a list of findings

Examples

## Not run: 
svc <- accessanalyzer()
svc$check_access_not_granted(
  access = list(
    list(
      actions = list(
        "s3:PutObject"
      )
    )
  ),
  policyDocument = "{"Version":"2012-10-17","Id":"123","Statement":[{"Sid":...",
  policyType = "RESOURCE_POLICY"
)

## End(Not run)