import { type HostHeaderInputConfig, type HostHeaderResolvedConfig, type UserAgentInputConfig, type UserAgentResolvedConfig } from "@aws-sdk/core/client"; import { type DefaultsMode as __DefaultsMode, type SmithyConfiguration as __SmithyConfiguration, type SmithyResolvedConfiguration as __SmithyResolvedConfiguration, Client as __Client } from "@smithy/core/client"; import { type RegionInputConfig, type RegionResolvedConfig } from "@smithy/core/config"; import { type EndpointInputConfig, type EndpointResolvedConfig } from "@smithy/core/endpoints"; import { type HttpHandlerUserInput as __HttpHandlerUserInput } from "@smithy/core/protocols"; import { type RetryInputConfig, type RetryResolvedConfig } from "@smithy/core/retry"; import type { AwsCredentialIdentityProvider, BodyLengthCalculator as __BodyLengthCalculator, CheckOptionalClientConfig as __CheckOptionalClientConfig, ChecksumConstructor as __ChecksumConstructor, Decoder as __Decoder, Encoder as __Encoder, HashConstructor as __HashConstructor, HttpHandlerOptions as __HttpHandlerOptions, Logger as __Logger, Provider as __Provider, StreamCollector as __StreamCollector, UrlParser as __UrlParser, UserAgent as __UserAgent } from "@smithy/types"; import { type HttpAuthSchemeInputConfig, type HttpAuthSchemeResolvedConfig } from "./auth/httpAuthSchemeProvider"; import type { ApplyArchiveRuleCommandInput, ApplyArchiveRuleCommandOutput } from "./commands/ApplyArchiveRuleCommand"; import type { CancelPolicyGenerationCommandInput, CancelPolicyGenerationCommandOutput } from "./commands/CancelPolicyGenerationCommand"; import type { CheckAccessNotGrantedCommandInput, CheckAccessNotGrantedCommandOutput } from "./commands/CheckAccessNotGrantedCommand"; import type { CheckNoNewAccessCommandInput, CheckNoNewAccessCommandOutput } from "./commands/CheckNoNewAccessCommand"; import type { CheckNoPublicAccessCommandInput, CheckNoPublicAccessCommandOutput } from "./commands/CheckNoPublicAccessCommand"; import type { 
CreateAccessPreviewCommandInput, CreateAccessPreviewCommandOutput } from "./commands/CreateAccessPreviewCommand"; import type { CreateAnalyzerCommandInput, CreateAnalyzerCommandOutput } from "./commands/CreateAnalyzerCommand"; import type { CreateArchiveRuleCommandInput, CreateArchiveRuleCommandOutput } from "./commands/CreateArchiveRuleCommand"; import type { CreateServiceLinkedAnalyzerCommandInput, CreateServiceLinkedAnalyzerCommandOutput } from "./commands/CreateServiceLinkedAnalyzerCommand"; import type { DeleteAnalyzerCommandInput, DeleteAnalyzerCommandOutput } from "./commands/DeleteAnalyzerCommand"; import type { DeleteArchiveRuleCommandInput, DeleteArchiveRuleCommandOutput } from "./commands/DeleteArchiveRuleCommand"; import type { DeleteServiceLinkedAnalyzerCommandInput, DeleteServiceLinkedAnalyzerCommandOutput } from "./commands/DeleteServiceLinkedAnalyzerCommand"; import type { GenerateFindingRecommendationCommandInput, GenerateFindingRecommendationCommandOutput } from "./commands/GenerateFindingRecommendationCommand"; import type { GetAccessPreviewCommandInput, GetAccessPreviewCommandOutput } from "./commands/GetAccessPreviewCommand"; import type { GetAnalyzedResourceCommandInput, GetAnalyzedResourceCommandOutput } from "./commands/GetAnalyzedResourceCommand"; import type { GetAnalyzerCommandInput, GetAnalyzerCommandOutput } from "./commands/GetAnalyzerCommand"; import type { GetArchiveRuleCommandInput, GetArchiveRuleCommandOutput } from "./commands/GetArchiveRuleCommand"; import type { GetFindingCommandInput, GetFindingCommandOutput } from "./commands/GetFindingCommand"; import type { GetFindingRecommendationCommandInput, GetFindingRecommendationCommandOutput } from "./commands/GetFindingRecommendationCommand"; import type { GetFindingsStatisticsCommandInput, GetFindingsStatisticsCommandOutput } from "./commands/GetFindingsStatisticsCommand"; import type { GetFindingV2CommandInput, GetFindingV2CommandOutput } from "./commands/GetFindingV2Command"; 
import type { GetGeneratedPolicyCommandInput, GetGeneratedPolicyCommandOutput } from "./commands/GetGeneratedPolicyCommand"; import type { ListAccessPreviewFindingsCommandInput, ListAccessPreviewFindingsCommandOutput } from "./commands/ListAccessPreviewFindingsCommand"; import type { ListAccessPreviewsCommandInput, ListAccessPreviewsCommandOutput } from "./commands/ListAccessPreviewsCommand"; import type { ListAnalyzedResourcesCommandInput, ListAnalyzedResourcesCommandOutput } from "./commands/ListAnalyzedResourcesCommand"; import type { ListAnalyzersCommandInput, ListAnalyzersCommandOutput } from "./commands/ListAnalyzersCommand"; import type { ListArchiveRulesCommandInput, ListArchiveRulesCommandOutput } from "./commands/ListArchiveRulesCommand"; import type { ListFindingsCommandInput, ListFindingsCommandOutput } from "./commands/ListFindingsCommand"; import type { ListFindingsV2CommandInput, ListFindingsV2CommandOutput } from "./commands/ListFindingsV2Command"; import type { ListPolicyGenerationsCommandInput, ListPolicyGenerationsCommandOutput } from "./commands/ListPolicyGenerationsCommand"; import type { ListTagsForResourceCommandInput, ListTagsForResourceCommandOutput } from "./commands/ListTagsForResourceCommand"; import type { StartPolicyGenerationCommandInput, StartPolicyGenerationCommandOutput } from "./commands/StartPolicyGenerationCommand"; import type { StartResourceScanCommandInput, StartResourceScanCommandOutput } from "./commands/StartResourceScanCommand"; import type { TagResourceCommandInput, TagResourceCommandOutput } from "./commands/TagResourceCommand"; import type { UntagResourceCommandInput, UntagResourceCommandOutput } from "./commands/UntagResourceCommand"; import type { UpdateAnalyzerCommandInput, UpdateAnalyzerCommandOutput } from "./commands/UpdateAnalyzerCommand"; import type { UpdateArchiveRuleCommandInput, UpdateArchiveRuleCommandOutput } from "./commands/UpdateArchiveRuleCommand"; import type { UpdateFindingsCommandInput, 
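UpdateFindingsCommandOutput } from "./commands/UpdateFindingsCommand";
import type { ValidatePolicyCommandInput, ValidatePolicyCommandOutput } from "./commands/ValidatePolicyCommand";
import { type ClientInputEndpointParameters, type ClientResolvedEndpointParameters, type EndpointParameters } from "./endpoint/EndpointParameters";
import { type RuntimeExtension, type RuntimeExtensionsConfig } from "./runtimeExtensions";
export { __Client };

/**
 * Union of the input shapes of every command this client can send.
 *
 * @public
 */
export type ServiceInputTypes =
  | ApplyArchiveRuleCommandInput
  | CancelPolicyGenerationCommandInput
  | CheckAccessNotGrantedCommandInput
  | CheckNoNewAccessCommandInput
  | CheckNoPublicAccessCommandInput
  | CreateAccessPreviewCommandInput
  | CreateAnalyzerCommandInput
  | CreateArchiveRuleCommandInput
  | CreateServiceLinkedAnalyzerCommandInput
  | DeleteAnalyzerCommandInput
  | DeleteArchiveRuleCommandInput
  | DeleteServiceLinkedAnalyzerCommandInput
  | GenerateFindingRecommendationCommandInput
  | GetAccessPreviewCommandInput
  | GetAnalyzedResourceCommandInput
  | GetAnalyzerCommandInput
  | GetArchiveRuleCommandInput
  | GetFindingCommandInput
  | GetFindingRecommendationCommandInput
  | GetFindingV2CommandInput
  | GetFindingsStatisticsCommandInput
  | GetGeneratedPolicyCommandInput
  | ListAccessPreviewFindingsCommandInput
  | ListAccessPreviewsCommandInput
  | ListAnalyzedResourcesCommandInput
  | ListAnalyzersCommandInput
  | ListArchiveRulesCommandInput
  | ListFindingsCommandInput
  | ListFindingsV2CommandInput
  | ListPolicyGenerationsCommandInput
  | ListTagsForResourceCommandInput
  | StartPolicyGenerationCommandInput
  | StartResourceScanCommandInput
  | TagResourceCommandInput
  | UntagResourceCommandInput
  | UpdateAnalyzerCommandInput
  | UpdateArchiveRuleCommandInput
  | UpdateFindingsCommandInput
  | ValidatePolicyCommandInput;

/**
 * Union of the output shapes of every command this client can send.
 *
 * @public
 */
export type ServiceOutputTypes =
  | ApplyArchiveRuleCommandOutput
  | CancelPolicyGenerationCommandOutput
  | CheckAccessNotGrantedCommandOutput
  | CheckNoNewAccessCommandOutput
  | CheckNoPublicAccessCommandOutput
  | CreateAccessPreviewCommandOutput
  | CreateAnalyzerCommandOutput
  | CreateArchiveRuleCommandOutput
  | CreateServiceLinkedAnalyzerCommandOutput
  | DeleteAnalyzerCommandOutput
  | DeleteArchiveRuleCommandOutput
  | DeleteServiceLinkedAnalyzerCommandOutput
  | GenerateFindingRecommendationCommandOutput
  | GetAccessPreviewCommandOutput
  | GetAnalyzedResourceCommandOutput
  | GetAnalyzerCommandOutput
  | GetArchiveRuleCommandOutput
  | GetFindingCommandOutput
  | GetFindingRecommendationCommandOutput
  | GetFindingV2CommandOutput
  | GetFindingsStatisticsCommandOutput
  | GetGeneratedPolicyCommandOutput
  | ListAccessPreviewFindingsCommandOutput
  | ListAccessPreviewsCommandOutput
  | ListAnalyzedResourcesCommandOutput
  | ListAnalyzersCommandOutput
  | ListArchiveRulesCommandOutput
  | ListFindingsCommandOutput
  | ListFindingsV2CommandOutput
  | ListPolicyGenerationsCommandOutput
  | ListTagsForResourceCommandOutput
  | StartPolicyGenerationCommandOutput
  | StartResourceScanCommandOutput
  | TagResourceCommandOutput
  | UntagResourceCommandOutput
  | UpdateAnalyzerCommandOutput
  | UpdateArchiveRuleCommandOutput
  | UpdateFindingsCommandOutput
  | ValidatePolicyCommandOutput;

/**
 * Optional settings every client instance accepts. All members are optional here;
 * values left unset are filled in when the configuration is resolved.
 *
 * @public
 */
export interface ClientDefaults extends Partial<__SmithyConfiguration<__HttpHandlerOptions>> {
  /**
   * The HTTP handler to use or its constructor options. Fetch in browser and Https in Nodejs.
   */
  requestHandler?: __HttpHandlerUserInput;
  /**
   * A constructor for a class implementing the {@link @smithy/types#ChecksumConstructor} interface
   * that computes the SHA-256 HMAC or checksum of a string or binary buffer.
   * @internal
   */
  sha256?: __ChecksumConstructor | __HashConstructor;
  /**
   * The function that will be used to convert strings into HTTP endpoints.
   * @internal
   */
  urlParser?: __UrlParser;
  /**
   * A function that can calculate the length of a request body.
   * @internal
   */
  bodyLengthChecker?: __BodyLengthCalculator;
  /**
   * A function that converts a stream into an array of bytes.
   * @internal
   */
  streamCollector?: __StreamCollector;
  /**
   * The function that will be used to convert a base64-encoded string to a byte array.
   * @internal
   */
  base64Decoder?: __Decoder;
  /**
   * The function that will be used to convert binary data to a base64-encoded string.
   * @internal
   */
  base64Encoder?: __Encoder;
  /**
   * The function that will be used to convert a UTF8-encoded string to a byte array.
   * @internal
   */
  utf8Decoder?: __Decoder;
  /**
   * The function that will be used to convert binary data to a UTF-8 encoded string.
   * @internal
   */
  utf8Encoder?: __Encoder;
  /**
   * The runtime environment.
   * @internal
   */
  runtime?: string;
  /**
   * Disable dynamically changing the endpoint of the client based on the hostPrefix
   * trait of an operation.
   */
  disableHostPrefix?: boolean;
  /**
   * Unique service identifier.
   * @internal
   */
  serviceId?: string;
  /**
   * Enables IPv6/IPv4 dualstack endpoint.
   */
  // Type argument restored: a bare `__Provider` is a generic used without arguments and does not compile.
  useDualstackEndpoint?: boolean | __Provider<boolean>;
  /**
   * Enables FIPS compatible endpoints.
   */
  useFipsEndpoint?: boolean | __Provider<boolean>;
  /**
   * The AWS region to which this client will send requests
   */
  region?: string | __Provider<string>;
  /**
   * Setting a client profile is similar to setting a value for the
   * AWS_PROFILE environment variable. Setting a profile on a client
   * in code only affects the single client instance, unlike AWS_PROFILE.
   *
   * When set, and only for environments where an AWS configuration
   * file exists, fields configurable by this file will be retrieved
   * from the specified profile within that file.
   * Conflicting code configuration and environment variables will
   * still have higher priority.
   *
   * For client credential resolution that involves checking the AWS
   * configuration file, the client's profile (this value) will be
   * used unless a different profile is set in the credential
   * provider options.
   *
   */
  profile?: string;
  /**
   * The provider populating default tracking information to be sent with `user-agent`, `x-amz-user-agent` header
   * @internal
   */
  defaultUserAgentProvider?: __Provider<__UserAgent>;
  /**
   * Default credentials provider; Not available in browser runtime.
   * @deprecated
   * @internal
   */
  credentialDefaultProvider?: (input: any) => AwsCredentialIdentityProvider;
  /**
   * Value for how many times a request will be made at most in case of retry.
   */
  maxAttempts?: number | __Provider<number>;
  /**
   * Specifies which retry algorithm to use.
   * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-smithy-util-retry/Enum/RETRY_MODES/
   *
   */
  retryMode?: string | __Provider<string>;
  /**
   * Optional logger for logging debug/info/warn/error.
   *
   * NOTE(review): several commands of this client carry IAM policy documents and
   * resource identifiers; confirm what the supplied logger records and where
   * those logs are stored before enabling it in production.
   */
  logger?: __Logger;
  /**
   * Optional extensions
   *
   * NOTE(review): `RuntimeExtension` is declared in ./runtimeExtensions and is not
   * shown here; presumably an extension can alter the client configuration, so
   * register only extensions you have reviewed. Confirm against that module.
   */
  extensions?: RuntimeExtension[];
  /**
   * The {@link @smithy/smithy-client#DefaultsMode} that will be used to determine how certain default configuration options are resolved in the SDK.
   */
  defaultsMode?: __DefaultsMode | __Provider<__DefaultsMode>;
}

/**
 * Everything the constructor accepts: the Smithy base configuration, the client
 * defaults, and the input configuration of each resolver (user agent, retry,
 * region, host header, endpoint, HTTP auth scheme, endpoint parameters).
 *
 * @public
 */
export type AccessAnalyzerClientConfigType = Partial<__SmithyConfiguration<__HttpHandlerOptions>> &
  ClientDefaults &
  UserAgentInputConfig &
  RetryInputConfig &
  RegionInputConfig &
  HostHeaderInputConfig &
  EndpointInputConfig &
  HttpAuthSchemeInputConfig &
  ClientInputEndpointParameters;

/**
 * @public
 *
 * The configuration interface of the AccessAnalyzerClient class constructor, which sets the region, credentials and other options.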
*/ export interface AccessAnalyzerClientConfig extends AccessAnalyzerClientConfigType { } /** * @public */ export type AccessAnalyzerClientResolvedConfigType = __SmithyResolvedConfiguration<__HttpHandlerOptions> & Required & RuntimeExtensionsConfig & UserAgentResolvedConfig & RetryResolvedConfig & RegionResolvedConfig & HostHeaderResolvedConfig & EndpointResolvedConfig & HttpAuthSchemeResolvedConfig & ClientResolvedEndpointParameters; /** * @public * * The resolved configuration interface of AccessAnalyzerClient class. This is resolved and normalized from the {@link AccessAnalyzerClientConfig | constructor configuration interface}. */ export interface AccessAnalyzerClientResolvedConfig extends AccessAnalyzerClientResolvedConfigType { } /** *

Identity and Access Management Access Analyzer helps you to set, verify, and refine your IAM policies by providing a suite of capabilities. Its features include findings for external, internal, and unused access, basic and custom policy checks for validating policies, and policy generation to generate fine-grained policies. To start using IAM Access Analyzer to identify external, internal, or unused access, you first need to create an analyzer.

External access analyzers help you identify potential risks of accessing resources by enabling you to identify any resource policies that grant access to an external principal. It does this by using logic-based reasoning to analyze resource-based policies in your Amazon Web Services environment. An external principal can be another Amazon Web Services account, a root user, an IAM user or role, a federated user, an Amazon Web Services service, or an anonymous user. You can also use IAM Access Analyzer to preview public and cross-account access to your resources before deploying permissions changes.

Internal access analyzers help you identify which principals within your organization or account have access to selected resources. This analysis supports implementing the principle of least privilege by ensuring that your specified resources can only be accessed by the intended principals within your organization.

Unused access analyzers help you identify potential identity access risks by enabling you to identify unused IAM roles, unused access keys, unused console passwords, and IAM principals with unused service and action-level permissions.

Beyond findings, IAM Access Analyzer provides basic and custom policy checks to validate IAM policies before deploying permissions changes. You can use policy generation to refine permissions by attaching a policy generated using access activity logged in CloudTrail logs.

This guide describes the IAM Access Analyzer operations that you can call programmatically. For general information about IAM Access Analyzer, see Using Identity and Access Management Access Analyzer in the IAM User Guide.

* @public */ export declare class AccessAnalyzerClient extends __Client<__HttpHandlerOptions, ServiceInputTypes, ServiceOutputTypes, AccessAnalyzerClientResolvedConfig> { /** * The resolved configuration of AccessAnalyzerClient class. This is resolved and normalized from the {@link AccessAnalyzerClientConfig | constructor configuration interface}. */ readonly config: AccessAnalyzerClientResolvedConfig; constructor(...[configuration]: __CheckOptionalClientConfig); /** * Destroy underlying resources, like sockets. It's usually not necessary to do this. * However in Node.js, it's best to explicitly shut down the client's agent when it is no longer needed. * Otherwise, sockets might stay open for quite a long time before the server terminates them. */ destroy(): void; }