aws-cloudformation · github-actions · Aug 13, 2025
diff --git a/server/schema/resources.schema.json b/server/schema/resources.schema.json
diff --git a/server/schema/resources/aws-accessanalyzer-analyzer.json b/server/schema/resources/aws-accessanalyzer-analyzer.json
@@ -142,6 +142,69 @@
       "additionalProperties": false,
       "markdownDescription": "The criteria for an analysis rule for an analyzer.\n\n---\n\nRequired: No  \nUpdate requires: No interruption\n"
     },
+    "InternalAccessAnalysisRuleCriteria": {
+      "description": "The criteria for an analysis rule for an internal access analyzer.",
+      "type": "object",
+      "properties": {
+        "AccountIds": {
+          "description": "A list of AWS account IDs to apply to the internal access analysis rule criteria. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers and cannot include the organization owner account.",
+          "type": "array",
+          "insertionOrder": false,
+          "items": {
+            "type": "string",
+            "markdownDescription": "\n\n---\n\nRequired: No  \nType: String  \nUpdate requires: No interruption\n"
+          },
+          "markdownDescription": "A list of AWS account IDs to apply to the internal access analysis rule criteria. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers and cannot include the organization owner account.\n\n---\n\nRequired: No  \nType: Array  \nUpdate requires: No interruption\n"
+        },
+        "ResourceArns": {
+          "description": "A list of resource ARNs to apply to the internal access analysis rule criteria. The analyzer will only generate findings for resources that match these ARNs.",
+          "type": "array",
+          "insertionOrder": false,
+          "items": {
+            "type": "string",
+            "markdownDescription": "\n\n---\n\nRequired: No  \nType: String  \nUpdate requires: No interruption\n"
+          },
+          "markdownDescription": "A list of resource ARNs to apply to the internal access analysis rule criteria. The analyzer will only generate findings for resources that match these ARNs.\n\n---\n\nRequired: No  \nType: Array  \nUpdate requires: No interruption\n"
+        },
+        "ResourceTypes": {
+          "description": "A list of resource types to apply to the internal access analysis rule criteria. The analyzer will only generate findings for resources of these types.",
+          "type": "array",
+          "insertionOrder": false,
+          "items": {
+            "type": "string",
+            "markdownDescription": "\n\n---\n\nRequired: No  \nType: String  \nUpdate requires: No interruption\n"
+          },
+          "markdownDescription": "A list of resource types to apply to the internal access analysis rule criteria. The analyzer will only generate findings for resources of these types.\n\n---\n\nRequired: No  \nType: Array  \nUpdate requires: No interruption\n"
+        }
+      },
+      "additionalProperties": false,
+      "markdownDescription": "The criteria for an analysis rule for an internal access analyzer.\n\n---\n\nRequired: No  \nUpdate requires: No interruption\n"
+    },
+    "InternalAccessConfiguration": {
+      "description": "Specifies the configuration of an internal access analyzer for an AWS organization or account. This configuration determines how the analyzer evaluates internal access within your AWS environment.",
+      "type": "object",
+      "properties": {
+        "InternalAccessAnalysisRule": {
+          "description": "Contains information about analysis rules for the internal access analyzer. Analysis rules determine which entities will generate findings based on the criteria you define when you create the rule.",
+          "type": "object",
+          "properties": {
+            "Inclusions": {
+              "description": "A list of rules for the internal access analyzer containing criteria to include in analysis. Only resources that meet the rule criteria will generate findings.",
+              "type": "array",
+              "insertionOrder": false,
+              "items": {
+                "$ref": "#/definitions/InternalAccessAnalysisRuleCriteria"
+              },
+              "markdownDescription": "A list of rules for the internal access analyzer containing criteria to include in analysis. Only resources that meet the rule criteria will generate findings.\n\n---\n\nRequired: No  \nType: Array  \nUpdate requires: No interruption\n"
+            }
+          },
+          "additionalProperties": false,
+          "markdownDescription": "Contains information about analysis rules for the internal access analyzer. Analysis rules determine which entities will generate findings based on the criteria you define when you create the rule.\n\n---\n\nRequired: No  \nUpdate requires: No interruption\n"
+        }
+      },
+      "additionalProperties": false,
+      "markdownDescription": "Specifies the configuration of an internal access analyzer for an AWS organization or account. This configuration determines how the analyzer evaluates internal access within your AWS environment.\n\n---\n\nRequired: No  \nUpdate requires: No interruption\n"
+    },
     "UnusedAccessConfiguration": {
       "description": "The Configuration for Unused Access Analyzer",
       "type": "object",
@@ -210,18 +273,21 @@
       "markdownDescription": "An array of key-value pairs to apply to this resource.\n\n---\n\nRequired: No  \nType: Array  \nUpdate requires: No interruption\n"
     },
     "Type": {
-      "description": "The type of the analyzer, must be one of ACCOUNT, ORGANIZATION, ACCOUNT_UNUSED_ACCESS or ORGANIZATION_UNUSED_ACCESS",
+      "description": "The type of the analyzer, must be one of ACCOUNT, ORGANIZATION, ACCOUNT_INTERNAL_ACCESS, ORGANIZATION_INTERNAL_ACCESS, ACCOUNT_UNUSED_ACCESS and ORGANIZATION_UNUSED_ACCESS",
       "type": "string",
       "minLength": 0,
       "maxLength": 1024,
-      "markdownDescription": "The type of the analyzer, must be one of ACCOUNT, ORGANIZATION, ACCOUNT_UNUSED_ACCESS or ORGANIZATION_UNUSED_ACCESS\n\n---\n\nRequired: Yes  \nType: String  \nMaximum Length: 1024  \nUpdate requires: Replacement\n"
+      "markdownDescription": "The type of the analyzer, must be one of ACCOUNT, ORGANIZATION, ACCOUNT_INTERNAL_ACCESS, ORGANIZATION_INTERNAL_ACCESS, ACCOUNT_UNUSED_ACCESS and ORGANIZATION_UNUSED_ACCESS\n\n---\n\nRequired: Yes  \nType: String  \nMaximum Length: 1024  \nUpdate requires: Replacement\n"
     },
     "AnalyzerConfiguration": {
       "description": "The configuration for the analyzer",
       "type": "object",
       "properties": {
         "UnusedAccessConfiguration": {
           "$ref": "#/definitions/UnusedAccessConfiguration"
+        },
+        "InternalAccessConfiguration": {
+          "$ref": "#/definitions/InternalAccessConfiguration"
         }
       },
       "additionalProperties": false,

diff --git a/server/schema/resources/aws-aiops-investigationgroup.json b/server/schema/resources/aws-aiops-investigationgroup.json
@@ -0,0 +1,302 @@
+{
+  "typeName": "AWS::AIOps::InvestigationGroup",
+  "description": "Definition of AWS::AIOps::InvestigationGroup Resource Type",
+  "primaryIdentifier": [
+    "/properties/Arn"
+  ],
+  "required": [
+    "Name"
+  ],
+  "readOnlyProperties": [
+    "/properties/CreatedBy",
+    "/properties/CreatedAt",
+    "/properties/LastModifiedBy",
+    "/properties/LastModifiedAt",
+    "/properties/Arn"
+  ],
+  "createOnlyProperties": [
+    "/properties/Name",
+    "/properties/RetentionInDays"
+  ],
+  "definitions": {
+    "RoleArn": {
+      "type": "string",
+      "maxLength": 2048,
+      "minLength": 20,
+      "description": "The Investigation Role's ARN.",
+      "markdownDescription": "The Investigation Role's ARN.\n\n---\n\nRequired: No  \nType: String  \nMinimum Length: 20  \nMaximum Length: 2048  \nUpdate requires: No interruption\n"
+    },
+    "StringWithPatternAndLengthLimits": {
+      "type": "string",
+      "maxLength": 512,
+      "minLength": 1,
+      "description": "User friendly name for resources.",
+      "markdownDescription": "User friendly name for resources.\n\n---\n\nRequired: No  \nType: String  \nMinimum Length: 1  \nMaximum Length: 512  \nUpdate requires: No interruption\n"
+    },
+    "Timestamp": {
+      "type": "string",
+      "description": "The timestamp value.",
+      "markdownDescription": "The timestamp value.\n\n---\n\nRequired: No  \nType: String  \nUpdate requires: No interruption\n"
+    },
+    "InvestigationGroupArn": {
+      "type": "string",
+      "maxLength": 2048,
+      "minLength": 20,
+      "description": "The Investigation Group's ARN.",
+      "markdownDescription": "The Investigation Group's ARN.\n\n---\n\nRequired: No  \nType: String  \nMinimum Length: 20  \nMaximum Length: 2048  \nUpdate requires: No interruption\n"
+    },
+    "ChatbotNotificationChannel": {
+      "type": "object",
+      "properties": {
+        "SNSTopicArn": {
+          "type": "string",
+          "maxLength": 2048,
+          "minLength": 20,
+          "markdownDescription": "\n\n---\n\nRequired: No  \nType: String  \nMinimum Length: 20  \nMaximum Length: 2048  \nUpdate requires: No interruption\n"
+        },
+        "ChatConfigurationArns": {
+          "type": "array",
+          "uniqueItems": true,
+          "insertionOrder": false,
+          "items": {
+            "type": "string",
+            "markdownDescription": "\n\n---\n\nRequired: No  \nType: String  \nUpdate requires: No interruption\n"
+          },
+          "markdownDescription": "\n\n---\n\nRequired: No  \nType: Array  \nUpdate requires: No interruption\n"
+        }
+      },
+      "additionalProperties": false,
+      "markdownDescription": "\n\n---\n\nRequired: No  \nUpdate requires: No interruption\n"
+    },
+    "CrossAccountConfiguration": {
+      "type": "object",
+      "properties": {
+        "SourceRoleArn": {
+          "$ref": "#/definitions/RoleArn"
+        }
+      },
+      "additionalProperties": false,
+      "markdownDescription": "\n\n---\n\nRequired: No  \nUpdate requires: No interruption\n"
+    },
+    "EncryptionConfigMap": {
+      "type": "object",
+      "properties": {
+        "EncryptionConfigurationType": {
+          "type": "string",
+          "maxLength": 128,
+          "minLength": 1,
+          "markdownDescription": "\n\n---\n\nRequired: No  \nType: String  \nMinimum Length: 1  \nMaximum Length: 128  \nUpdate requires: No interruption\n"
+        },
+        "KmsKeyId": {
+          "type": "string",
+          "maxLength": 256,
+          "minLength": 1,
+          "markdownDescription": "\n\n---\n\nRequired: No  \nType: String  \nMinimum Length: 1  \nMaximum Length: 256  \nUpdate requires: No interruption\n"
+        }
+      },
+      "additionalProperties": false,
+      "markdownDescription": "\n\n---\n\nRequired: No  \nUpdate requires: No interruption\n"
+    },
+    "Tag": {
+      "type": "object",
+      "properties": {
+        "Key": {
+          "type": "string",
+          "maxLength": 128,
+          "minLength": 1,
+          "markdownDescription": "\n\n---\n\nRequired: Yes  \nType: String  \nMinimum Length: 1  \nMaximum Length: 128  \nUpdate requires: No interruption\n"
+        },
+        "Value": {
+          "type": "string",
+          "maxLength": 256,
+          "minLength": 1,
+          "markdownDescription": "\n\n---\n\nRequired: Yes  \nType: String  \nMinimum Length: 1  \nMaximum Length: 256  \nUpdate requires: No interruption\n"
+        }
+      },
+      "required": [
+        "Key",
+        "Value"
+      ],
+      "additionalProperties": false,
+      "markdownDescription": "\n\n---\n\nRequired: No  \nUpdate requires: No interruption\n"
+    }
+  },
+  "properties": {
+    "RoleArn": {
+      "$ref": "#/definitions/RoleArn"
+    },
+    "Name": {
+      "$ref": "#/definitions/StringWithPatternAndLengthLimits"
+    },
+    "CreatedBy": {
+      "$ref": "#/definitions/StringWithPatternAndLengthLimits"
+    },
+    "CreatedAt": {
+      "$ref": "#/definitions/Timestamp"
+    },
+    "LastModifiedBy": {
+      "$ref": "#/definitions/StringWithPatternAndLengthLimits"
+    },
+    "LastModifiedAt": {
+      "$ref": "#/definitions/StringWithPatternAndLengthLimits"
+    },
+    "Arn": {
+      "$ref": "#/definitions/InvestigationGroupArn"
+    },
+    "RetentionInDays": {
+      "type": "integer",
+      "description": "The number of days to retain the investigation group",
+      "markdownDescription": "The number of days to retain the investigation group\n\n---\n\nRequired: No  \nType: Integer  \nUpdate requires: Replacement\n"
+    },
+    "EncryptionConfig": {
+      "$ref": "#/definitions/EncryptionConfigMap"
+    },
+    "InvestigationGroupPolicy": {
+      "type": "string",
+      "description": "Investigation Group policy",
+      "markdownDescription": "Investigation Group policy\n\n---\n\nRequired: No  \nType: String  \nUpdate requires: No interruption\n"
+    },
+    "IsCloudTrailEventHistoryEnabled": {
+      "type": "boolean",
+      "description": "Flag to enable cloud trail history",
+      "markdownDescription": "Flag to enable cloud trail history\n\n---\n\nRequired: No  \nType: Boolean  \nUpdate requires: No interruption\n"
+    },
+    "TagKeyBoundaries": {
+      "type": "array",
+      "uniqueItems": true,
+      "insertionOrder": false,
+      "items": {
+        "type": "string",
+        "maxLength": 200,
+        "minLength": 1,
+        "markdownDescription": "\n\n---\n\nRequired: No  \nType: String  \nMinimum Length: 1  \nMaximum Length: 200  \nUpdate requires: No interruption\n"
+      },
+      "markdownDescription": "\n\n---\n\nRequired: No  \nType: Array  \nUpdate requires: No interruption\n"
+    },
+    "ChatbotNotificationChannels": {
+      "description": "An array of key-value pairs of notification channels to apply to this resource.",
+      "type": "array",
+      "uniqueItems": true,
+      "insertionOrder": false,
+      "items": {
+        "$ref": "#/definitions/ChatbotNotificationChannel"
+      },
+      "markdownDescription": "An array of key-value pairs of notification channels to apply to this resource.\n\n---\n\nRequired: No  \nType: Array  \nUpdate requires: No interruption\n"
+    },
+    "CrossAccountConfigurations": {
+      "description": "An array of cross account configurations.",
+      "type": "array",
+      "uniqueItems": true,
+      "insertionOrder": false,
+      "items": {
+        "$ref": "#/definitions/CrossAccountConfiguration"
+      },
+      "markdownDescription": "An array of cross account configurations.\n\n---\n\nRequired: No  \nType: Array  \nUpdate requires: No interruption\n"
+    },
+    "Tags": {
+      "description": "An array of key-value pairs to apply to this resource.",
+      "type": "array",
+      "uniqueItems": true,
+      "insertionOrder": false,
+      "items": {
+        "$ref": "#/definitions/Tag"
+      },
+      "markdownDescription": "An array of key-value pairs to apply to this resource.\n\n---\n\nRequired: No  \nType: Array  \nUpdate requires: No interruption\n"
+    }
+  },
+  "tagging": {
+    "taggable": true,
+    "tagOnCreate": true,
+    "tagUpdatable": true,
+    "cloudFormationSystemTags": true,
+    "tagProperty": "/properties/Tags",
+    "permissions": [
+      "aiops:TagResource",
+      "aiops:UntagResource",
+      "aiops:ListTagsForResource"
+    ]
+  },
+  "handlers": {
+    "create": {
+      "permissions": [
+        "aiops:CreateInvestigationGroup",
+        "aiops:GetInvestigationGroup",
+        "aiops:GetInvestigationGroupPolicy",
+        "aiops:PutInvestigationGroupPolicy",
+        "aiops:TagResource",
+        "aiops:ListTagsForResource",
+        "iam:PassRole",
+        "kms:DescribeKey",
+        "kms:ListAliases",
+        "kms:Decrypt",
+        "kms:Encrypt",
+        "kms:GenerateDataKey"
+      ]
+    },
+    "read": {
+      "permissions": [
+        "aiops:GetInvestigationGroup",
+        "aiops:GetInvestigationGroupPolicy",
+        "aiops:ListTagsForResource",
+        "kms:DescribeKey",
+        "kms:ListAliases",
+        "kms:Decrypt",
+        "kms:Encrypt"
+      ]
+    },
+    "update": {
+      "permissions": [
+        "aiops:GetInvestigationGroup",
+        "aiops:UpdateInvestigationGroup",
+        "aiops:GetInvestigationGroupPolicy",
+        "aiops:PutInvestigationGroupPolicy",
+        "aiops:DeleteInvestigationGroupPolicy",
+        "aiops:TagResource",
+        "aiops:UntagResource",
+        "aiops:ListTagsForResource",
+        "iam:PassRole",
+        "kms:DescribeKey",
+        "kms:ListAliases",
+        "kms:Decrypt",
+        "kms:Encrypt",
+        "kms:GenerateDataKey"
+      ]
+    },
+    "delete": {
+      "permissions": [
+        "aiops:DeleteInvestigationGroup",
+        "aiops:GetInvestigationGroup",
+        "aiops:DeleteInvestigationGroupPolicy",
+        "aiops:GetInvestigationGroupPolicy",
+        "aiops:UntagResource",
+        "kms:DescribeKey",
+        "kms:ListAliases"
+      ]
+    },
+    "list": {
+      "permissions": [
+        "aiops:ListInvestigationGroups",
+        "kms:DescribeKey",
+        "kms:ListAliases"
+      ]
+    }
+  },
+  "additionalProperties": false,
+  "attributes": {
+    "CreatedBy": {
+      "$ref": "#/definitions/StringWithPatternAndLengthLimits"
+    },
+    "CreatedAt": {
+      "$ref": "#/definitions/Timestamp"
+    },
+    "LastModifiedBy": {
+      "$ref": "#/definitions/StringWithPatternAndLengthLimits"
+    },
+    "LastModifiedAt": {
+      "$ref": "#/definitions/StringWithPatternAndLengthLimits"
+    },
+    "Arn": {
+      "$ref": "#/definitions/InvestigationGroupArn"
+    }
+  }
+}