
Check Access Not Granted

accessanalyzer_check_access_not_granted R Documentation

Checks whether the specified access isn't allowed by a policy

Description

Checks whether the specified access isn't allowed by a policy. The call is a static check of the supplied policy document on its own: you name the actions and/or resources a policy must never grant, and IAM Access Analyzer reports whether any statement in that document grants them, identifying the offending statements. Because only the one document is examined, the result does not account for other policies attached to the same principal or resource, permissions boundaries, or service control policies; it is a guardrail on the document you are about to deploy, typically run in a CI pipeline before the policy is written to IAM or S3.

Usage

accessanalyzer_check_access_not_granted(policyDocument, access,
  policyType)

Arguments

policyDocument

[required] The JSON policy document to use as the content for the policy.

access

[required] An access object containing the permissions that shouldn't be granted by the specified policy. If only actions are specified, IAM Access Analyzer checks for access of the actions on all resources in the policy. If only resources are specified, then IAM Access Analyzer checks which actions have access to the specified resources. If both actions and resources are specified, then IAM Access Analyzer checks which of the specified actions have access to the specified resources.

policyType

[required] The type of policy. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups.

Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic input such as identity policy or resource policy or a specific input such as managed policy or Amazon S3 bucket policy.

Value

A list with the following syntax. `result` is `"PASS"` when the policy document grants none of the specified access and `"FAIL"` when it grants some of it; `message` summarises the verdict, and for a `FAIL` each element of `reasons` names a statement (by `statementIndex` and, when the statement has one, its `statementId`/`Sid`) that grants the access, with a `description` of what it grants:

list(
  result = "PASS"|"FAIL",
  message = "string",
  reasons = list(
    list(
      description = "string",
      statementIndex = 123,
      statementId = "string"
    )
  )
)

Request syntax

svc$check_access_not_granted(
  policyDocument = "string",
  access = list(
    list(
      actions = list(
        "string"
      ),
      resources = list(
        "string"
      )
    )
  ),
  policyType = "IDENTITY_POLICY"|"RESOURCE_POLICY"
)

Examples

## Not run: 
# Actions only: does any statement in the policy grant s3:PutObject on any
# resource? (The quotes inside the JSON string must be escaped in R; the
# policy document is truncated in this example.)
svc$check_access_not_granted(
  access = list(
    list(
      actions = list(
        "s3:PutObject"
      )
    )
  ),
  policyDocument = "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":...",
  policyType = "RESOURCE_POLICY"
)

# Resources only: does any statement grant any action on objects under
# sensitive-bucket? (Policy document truncated in this example.)
svc$check_access_not_granted(
  access = list(
    list(
      resources = list(
        "arn:aws:s3:::sensitive-bucket/*"
      )
    )
  ),
  policyDocument = "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":...",
  policyType = "RESOURCE_POLICY"
)

# Resources only, against a different bucket's objects. (Policy document
# truncated in this example.)
svc$check_access_not_granted(
  access = list(
    list(
      resources = list(
        "arn:aws:s3:::my-bucket/*"
      )
    )
  ),
  policyDocument = "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":...",
  policyType = "RESOURCE_POLICY"
)

## End(Not run)