AWS::AccessAnalyzer::Analyzer
The AWS::AccessAnalyzer::Analyzer resource specifies a new analyzer. The
analyzer is an object that represents the IAM Access Analyzer feature. An analyzer is required
for Access Analyzer to become operational.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::AccessAnalyzer::Analyzer", "Properties" : { "AnalyzerConfiguration" :AnalyzerConfiguration, "AnalyzerName" :String, "ArchiveRules" :[ ArchiveRule, ... ], "Tags" :[ Tag, ... ], "Type" :String} }
YAML
Type: AWS::AccessAnalyzer::Analyzer Properties: AnalyzerConfiguration:AnalyzerConfigurationAnalyzerName:StringArchiveRules:- ArchiveRuleTags:- TagType:String
Properties
AnalyzerConfiguration-
Contains information about the configuration of an analyzer for an AWS organization or account.
Required: No
Type: AnalyzerConfiguration
Update requires: Some interruptions
AnalyzerName-
The name of the analyzer.
Required: No
Type: String
Minimum:
1Maximum:
1024Update requires: Replacement
ArchiveRules-
Specifies the archive rules to add for the analyzer. Archive rules automatically archive findings that meet the criteria you define for the rule.
Required: No
Type: Array of ArchiveRule
Update requires: No interruption
-
An array of key-value pairs to apply to the analyzer. You can use the set of Unicode letters, digits, whitespace,
_,.,/,=,+, and-.For the tag key, you can specify a value that is 1 to 128 characters in length and cannot be prefixed with
aws:.For the tag value, you can specify a value that is 0 to 256 characters in length.
Required: No
Type: Array of Tag
Maximum:
50Update requires: No interruption
Type-
The type represents the zone of trust for the analyzer.
Allowed Values: ACCOUNT | ORGANIZATION | ACCOUNT_UNUSED_ACCESS | ORGANIZATION_UNUSED_ACCESS
Required: Yes
Type: String
Minimum:
0Maximum:
1024Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ARN of the analyzer created.
For more information about using the Ref function, see Ref.
Fn::GetAtt
Arn-
The ARN of the analyzer that was created.
Examples
Declare an Analyzer Resource
The following example shows how to declare a IAM Access Analyzer Analyzer
resource:
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "Analyzer": { "Properties": { "AnalyzerName": "DevAccountAnalyzer", "ArchiveRules": [ { "Filter": [ { "Eq": [ "123456789012" ], "Property": "principal.AWS" } ], "RuleName": "ArchiveTrustedAccountAccess" }, { "Filter": [ { "Contains": [ "arn:aws:s3:::amzn-s3-demo-logging-bucket", "arn:aws:s3:::amzn-s3-demo-website-bucket" ], "Property": "resource" } ], "RuleName": "ArchivePublicS3BucketsAccess" } ], "Tags": [ { "Key": "Kind", "Value": "Dev" } ], "Type": "ACCOUNT" }, "Type": "AWS::AccessAnalyzer::Analyzer" } } }
YAML
AWSTemplateFormatVersion: 2010-09-09 Resources: Analyzer: Type: 'AWS::AccessAnalyzer::Analyzer' Properties: AnalyzerName: MyAccountAnalyzer Type: ACCOUNT Tags: - Key: Kind Value: Dev ArchiveRules: - # Archive findings for a trusted AWS account RuleName: ArchiveTrustedAccountAccess Filter: - Property: 'principal.AWS' Eq: - '123456789012' - # Archive findings for known public S3 buckets RuleName: ArchivePublicS3BucketsAccess Filter: - Property: 'resource' Contains: - 'arn:aws:s3:::amzn-s3-demo-logging-bucket' - 'arn:aws:s3:::amzn-s3-demo-website-bucket'
