This release adds support for policy validation and external access findings for resource control policies (RCP). IAM Access Analyzer helps you author functional and secure RCPs and awareness that a RCP may restrict external access. Updated service API, documentation, and paginators.

Author: aws-sdk-dotnet-automation

generator/ServiceModels/accessanalyzer/accessanalyzer-2019-11-01.api.json

@@ -2,6 +2,7 @@
   "version":"2.0",
   "metadata":{
     "apiVersion":"2019-11-01",
+    "auth":["aws.auth#sigv4"],
     "endpointPrefix":"access-analyzer",
     "protocol":"rest-json",
     "protocols":["rest-json"],
@@ -723,7 +724,8 @@
         "status":{"shape":"FindingStatus"},
         "resourceOwnerAccount":{"shape":"String"},
         "error":{"shape":"String"},
-        "sources":{"shape":"FindingSourceList"}
+        "sources":{"shape":"FindingSourceList"},
+        "resourceControlPolicyRestriction":{"shape":"ResourceControlPolicyRestriction"}
       }
     },
     "AccessPreviewFindingId":{"type":"string"},
@@ -1291,7 +1293,8 @@
         "condition":{"shape":"ConditionKeyMap"},
         "isPublic":{"shape":"Boolean"},
         "principal":{"shape":"PrincipalMap"},
-        "sources":{"shape":"FindingSourceList"}
+        "sources":{"shape":"FindingSourceList"},
+        "resourceControlPolicyRestriction":{"shape":"ResourceControlPolicyRestriction"}
       }
     },
     "FilterCriteriaMap":{
@@ -1325,7 +1328,8 @@
         "status":{"shape":"FindingStatus"},
         "resourceOwnerAccount":{"shape":"String"},
         "error":{"shape":"String"},
-        "sources":{"shape":"FindingSourceList"}
+        "sources":{"shape":"FindingSourceList"},
+        "resourceControlPolicyRestriction":{"shape":"ResourceControlPolicyRestriction"}
       }
     },
     "FindingChangeType":{
@@ -1425,7 +1429,8 @@
         "status":{"shape":"FindingStatus"},
         "resourceOwnerAccount":{"shape":"String"},
         "error":{"shape":"String"},
-        "sources":{"shape":"FindingSourceList"}
+        "sources":{"shape":"FindingSourceList"},
+        "resourceControlPolicyRestriction":{"shape":"ResourceControlPolicyRestriction"}
       }
     },
     "FindingSummaryV2":{
@@ -2283,7 +2288,8 @@
       "enum":[
         "IDENTITY_POLICY",
         "RESOURCE_POLICY",
-        "SERVICE_CONTROL_POLICY"
+        "SERVICE_CONTROL_POLICY",
+        "RESOURCE_CONTROL_POLICY"
       ]
     },
     "Position":{
@@ -2427,6 +2433,14 @@
       "type":"string",
       "pattern":"arn:[^:]*:[^:]*:[^:]*:[^:]*:.*"
     },
+    "ResourceControlPolicyRestriction":{
+      "type":"string",
+      "enum":[
+        "APPLICABLE",
+        "FAILED_TO_EVALUATE_RCP",
+        "NOT_APPLICABLE"
+      ]
+    },
     "ResourceNotFoundException":{
       "type":"structure",
       "required":[

generator/ServiceModels/accessanalyzer/accessanalyzer-2019-11-01.docs.json

@@ -63,7 +63,7 @@
     "AccessCheckPolicyType": {
       "base": null,
       "refs": {
-        "CheckAccessNotGrantedRequest$policyType": "<p>The type of policy. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups.</p> <p>Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic input such as identity policy or resource policy or a specific input such as managed policy or Amazon S3 bucket policy.</p>",
+        "CheckAccessNotGrantedRequest$policyType": "<p>The type of policy. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups.</p> <p>Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets.</p>",
         "CheckNoNewAccessRequest$policyType": "<p>The type of policy to compare. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups.</p> <p>Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic input such as identity policy or resource policy or a specific input such as managed policy or Amazon S3 bucket policy.</p>"
       }
     },
@@ -159,7 +159,7 @@
     "AccessResourcesList": {
       "base": null,
       "refs": {
-        "Access$resources": "<p>A list of resources for the access permissions. Any strings that can be used as a resource in an IAM policy can be used in the list of resources to check.</p>"
+        "Access$resources": "<p>A list of resources for the access permissions. Any strings that can be used as an Amazon Resource Name (ARN) in an IAM policy can be used in the list of resources to check. You can only use a wildcard in the portion of the ARN that specifies the resource ID.</p>"
       }
     },
     "AclCanonicalId": {
@@ -324,7 +324,7 @@
     "CheckAccessNotGrantedRequestAccessList": {
       "base": null,
       "refs": {
-        "CheckAccessNotGrantedRequest$access": "<p>An access object containing the permissions that shouldn't be granted by the specified policy. If only actions are specified, IAM Access Analyzer checks for access of the actions on all resources in the policy. If only resources are specified, then IAM Access Analyzer checks which actions have access to the specified resources. If both actions and resources are specified, then IAM Access Analyzer checks which of the specified actions have access to the specified resources.</p>"
+        "CheckAccessNotGrantedRequest$access": "<p>An access object containing the permissions that shouldn't be granted by the specified policy. If only actions are specified, IAM Access Analyzer checks for access to peform at least one of the actions on any resource in the policy. If only resources are specified, then IAM Access Analyzer checks for access to perform any action on at least one of the resources. If both actions and resources are specified, IAM Access Analyzer checks for access to perform at least one of the specified actions on at least one of the specified resources.</p>"
       }
     },
     "CheckAccessNotGrantedResponse": {
@@ -1379,6 +1379,15 @@
         "UpdateFindingsRequest$resourceArn": "<p>The ARN of the resource identified in the finding.</p>"
       }
     },
+    "ResourceControlPolicyRestriction": {
+      "base": null,
+      "refs": {
+        "AccessPreviewFinding$resourceControlPolicyRestriction": "<p>The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).</p>",
+        "ExternalAccessDetails$resourceControlPolicyRestriction": "<p>The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).</p>",
+        "Finding$resourceControlPolicyRestriction": "<p>The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).</p>",
+        "FindingSummary$resourceControlPolicyRestriction": "<p>The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).</p>"
+      }
+    },
     "ResourceNotFoundException": {
       "base": "<p>The specified resource could not be found.</p>",
       "refs": {

generator/ServiceModels/accessanalyzer/accessanalyzer-2019-11-01.normal.json

@@ -2,6 +2,7 @@
   "version":"2.0",
   "metadata":{
     "apiVersion":"2019-11-01",
+    "auth":["aws.auth#sigv4"],
     "endpointPrefix":"access-analyzer",
     "protocol":"rest-json",
     "protocols":["rest-json"],
@@ -660,7 +661,7 @@
         },
         "resources":{
           "shape":"AccessResourcesList",
-          "documentation":"<p>A list of resources for the access permissions. Any strings that can be used as a resource in an IAM policy can be used in the list of resources to check.</p>"
+          "documentation":"<p>A list of resources for the access permissions. Any strings that can be used as an Amazon Resource Name (ARN) in an IAM policy can be used in the list of resources to check. You can only use a wildcard in the portion of the ARN that specifies the resource ID.</p>"
         }
       },
       "documentation":"<p>Contains information about actions and resources that define permissions to check against a policy.</p>"
@@ -830,6 +831,10 @@
         "sources":{
           "shape":"FindingSourceList",
           "documentation":"<p>The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.</p>"
+        },
+        "resourceControlPolicyRestriction":{
+          "shape":"ResourceControlPolicyRestriction",
+          "documentation":"<p>The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).</p>"
         }
       },
       "documentation":"<p>An access preview finding generated by the access preview.</p>"
@@ -1197,11 +1202,11 @@
         },
         "access":{
           "shape":"CheckAccessNotGrantedRequestAccessList",
-          "documentation":"<p>An access object containing the permissions that shouldn't be granted by the specified policy. If only actions are specified, IAM Access Analyzer checks for access of the actions on all resources in the policy. If only resources are specified, then IAM Access Analyzer checks which actions have access to the specified resources. If both actions and resources are specified, then IAM Access Analyzer checks which of the specified actions have access to the specified resources.</p>"
+          "documentation":"<p>An access object containing the permissions that shouldn't be granted by the specified policy. If only actions are specified, IAM Access Analyzer checks for access to peform at least one of the actions on any resource in the policy. If only resources are specified, then IAM Access Analyzer checks for access to perform any action on at least one of the resources. If both actions and resources are specified, IAM Access Analyzer checks for access to perform at least one of the specified actions on at least one of the specified resources.</p>"
         },
         "policyType":{
           "shape":"AccessCheckPolicyType",
-          "documentation":"<p>The type of policy. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups.</p> <p>Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic input such as identity policy or resource policy or a specific input such as managed policy or Amazon S3 bucket policy.</p>"
+          "documentation":"<p>The type of policy. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups.</p> <p>Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets.</p>"
         }
       }
     },
@@ -1749,6 +1754,10 @@
         "sources":{
           "shape":"FindingSourceList",
           "documentation":"<p>The sources of the external access finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.</p>"
+        },
+        "resourceControlPolicyRestriction":{
+          "shape":"ResourceControlPolicyRestriction",
+          "documentation":"<p>The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).</p>"
         }
       },
       "documentation":"<p>Contains information about an external access finding.</p>"
@@ -1826,6 +1835,10 @@
         "sources":{
           "shape":"FindingSourceList",
           "documentation":"<p>The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.</p>"
+        },
+        "resourceControlPolicyRestriction":{
+          "shape":"ResourceControlPolicyRestriction",
+          "documentation":"<p>The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).</p>"
         }
       },
       "documentation":"<p>Contains information about a finding.</p>"
@@ -1999,6 +2012,10 @@
         "sources":{
           "shape":"FindingSourceList",
           "documentation":"<p>The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.</p>"
+        },
+        "resourceControlPolicyRestriction":{
+          "shape":"ResourceControlPolicyRestriction",
+          "documentation":"<p>The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).</p>"
         }
       },
       "documentation":"<p>Contains information about a finding.</p>"
@@ -3256,7 +3273,8 @@
       "enum":[
         "IDENTITY_POLICY",
         "RESOURCE_POLICY",
-        "SERVICE_CONTROL_POLICY"
+        "SERVICE_CONTROL_POLICY",
+        "RESOURCE_CONTROL_POLICY"
       ]
     },
     "Position":{
@@ -3453,6 +3471,14 @@
       "type":"string",
       "pattern":"arn:[^:]*:[^:]*:[^:]*:[^:]*:.*"
     },
+    "ResourceControlPolicyRestriction":{
+      "type":"string",
+      "enum":[
+        "APPLICABLE",
+        "FAILED_TO_EVALUATE_RCP",
+        "NOT_APPLICABLE"
+      ]
+    },
     "ResourceNotFoundException":{
       "type":"structure",
       "required":[

sdk/src/Services/AccessAnalyzer/Generated/Model/Access.cs

@@ -61,8 +61,10 @@ internal bool IsSetActions()
         /// <summary>
         /// Gets and sets the property Resources. 
         /// <para>
-        /// A list of resources for the access permissions. Any strings that can be used as a
-        /// resource in an IAM policy can be used in the list of resources to check.
+        /// A list of resources for the access permissions. Any strings that can be used as an
+        /// Amazon Resource Name (ARN) in an IAM policy can be used in the list of resources to
+        /// check. You can only use a wildcard in the portion of the ARN that specifies the resource
+        /// ID.
         /// </para>
         /// </summary>
         [AWSProperty(Min=0, Max=100)]

sdk/src/Services/AccessAnalyzer/Generated/Model/AccessPreviewFinding.cs

@@ -45,6 +45,7 @@ public partial class AccessPreviewFinding
         private bool? _isPublic;
         private Dictionary<string, string> _principal = AWSConfigs.InitializeCollections ? new Dictionary<string, string>() : null;
         private string _resource;
+        private ResourceControlPolicyRestriction _resourceControlPolicyRestriction;
         private string _resourceOwnerAccount;
         private ResourceType _resourceType;
         private List<FindingSource> _sources = AWSConfigs.InitializeCollections ? new List<FindingSource>() : null;
@@ -275,6 +276,25 @@ internal bool IsSetResource()
             return this._resource != null;
         }
 
+        /// <summary>
+        /// Gets and sets the property ResourceControlPolicyRestriction. 
+        /// <para>
+        /// The type of restriction applied to the finding by the resource owner with an Organizations
+        /// resource control policy (RCP).
+        /// </para>
+        /// </summary>
+        public ResourceControlPolicyRestriction ResourceControlPolicyRestriction
+        {
+            get { return this._resourceControlPolicyRestriction; }
+            set { this._resourceControlPolicyRestriction = value; }
+        }
+
+        // Check to see if ResourceControlPolicyRestriction property is set
+        internal bool IsSetResourceControlPolicyRestriction()
+        {
+            return this._resourceControlPolicyRestriction != null;
+        }
+
         /// <summary>
         /// Gets and sets the property ResourceOwnerAccount. 
         /// <para>

sdk/src/Services/AccessAnalyzer/Generated/Model/CheckAccessNotGrantedRequest.cs

@@ -43,11 +43,12 @@ public partial class CheckAccessNotGrantedRequest : AmazonAccessAnalyzerRequest
         /// Gets and sets the property Access. 
         /// <para>
         /// An access object containing the permissions that shouldn't be granted by the specified
-        /// policy. If only actions are specified, IAM Access Analyzer checks for access of the
-        /// actions on all resources in the policy. If only resources are specified, then IAM
-        /// Access Analyzer checks which actions have access to the specified resources. If both
-        /// actions and resources are specified, then IAM Access Analyzer checks which of the
-        /// specified actions have access to the specified resources.
+        /// policy. If only actions are specified, IAM Access Analyzer checks for access to peform
+        /// at least one of the actions on any resource in the policy. If only resources are specified,
+        /// then IAM Access Analyzer checks for access to perform any action on at least one of
+        /// the resources. If both actions and resources are specified, IAM Access Analyzer checks
+        /// for access to perform at least one of the specified actions on at least one of the
+        /// specified resources.
         /// </para>
         /// </summary>
         [AWSProperty(Required=true, Min=0, Max=1)]
@@ -91,9 +92,7 @@ internal bool IsSetPolicyDocument()
         ///  
         /// <para>
         /// Resource policies grant permissions on Amazon Web Services resources. Resource policies
-        /// include trust policies for IAM roles and bucket policies for Amazon S3 buckets. You
-        /// can provide a generic input such as identity policy or resource policy or a specific
-        /// input such as managed policy or Amazon S3 bucket policy.
+        /// include trust policies for IAM roles and bucket policies for Amazon S3 buckets.
         /// </para>
         /// </summary>
         [AWSProperty(Required=true)]

sdk/src/Services/AccessAnalyzer/Generated/Model/ExternalAccessDetails.cs

@@ -38,6 +38,7 @@ public partial class ExternalAccessDetails
         private Dictionary<string, string> _condition = AWSConfigs.InitializeCollections ? new Dictionary<string, string>() : null;
         private bool? _isPublic;
         private Dictionary<string, string> _principal = AWSConfigs.InitializeCollections ? new Dictionary<string, string>() : null;
+        private ResourceControlPolicyRestriction _resourceControlPolicyRestriction;
         private List<FindingSource> _sources = AWSConfigs.InitializeCollections ? new List<FindingSource>() : null;
 
         /// <summary>
@@ -115,6 +116,25 @@ internal bool IsSetPrincipal()
             return this._principal != null && (this._principal.Count > 0 || !AWSConfigs.InitializeCollections); 
         }
 
+        /// <summary>
+        /// Gets and sets the property ResourceControlPolicyRestriction. 
+        /// <para>
+        /// The type of restriction applied to the finding by the resource owner with an Organizations
+        /// resource control policy (RCP).
+        /// </para>
+        /// </summary>
+        public ResourceControlPolicyRestriction ResourceControlPolicyRestriction
+        {
+            get { return this._resourceControlPolicyRestriction; }
+            set { this._resourceControlPolicyRestriction = value; }
+        }
+
+        // Check to see if ResourceControlPolicyRestriction property is set
+        internal bool IsSetResourceControlPolicyRestriction()
+        {
+            return this._resourceControlPolicyRestriction != null;
+        }
+
         /// <summary>
         /// Gets and sets the property Sources. 
         /// <para>