AWS::AccessAnalyzer::Analyzer - AWS CloudFormation

AWS::AccessAnalyzer::Analyzer

The AWS::AccessAnalyzer::Analyzer resource specifies a new analyzer. The analyzer is an object that represents the IAM Access Analyzer feature. An analyzer is required for Access Analyzer to become operational.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::AccessAnalyzer::Analyzer", "Properties" : { "AnalyzerName" : String, "ArchiveRules" : [ ArchiveRule, ... ], "Tags" : [ Tag, ... ], "Type" : String } }

YAML

Type: AWS::AccessAnalyzer::Analyzer Properties: AnalyzerName: String ArchiveRules: - ArchiveRule Tags: - Tag Type: String

Properties

AnalyzerName

The name of the analyzer.

Required: No

Type: String

Update requires: Replacement

ArchiveRules

Specifies the archive rules to add for the analyzer.

Required: No

Type: List of ArchiveRule

Update requires: No interruption

Tags

The tags to apply to the analyzer.

Required: No

Type: List of Tag

Update requires: No interruption

Type

The type represents the zone of trust for the analyzer.

Allowed Values: ACCOUNT | ORGANIZATION

Required: Yes

Type: String

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Reffunction, Refreturns the ARN of the analyzer created.

For more information about using the Reffunction, see Ref.

Examples

Declare an Analyzer Resource

The following example shows how to declare a IAM Access Analyzer Analyzer resource:

JSON

{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "Analyzer": { "Properties": { "AnalyzerName": "DevAccountAnalyzer", "ArchiveRules": [ { "Filter": [ { "Eq": [ "123456789012" ], "Property": "principal.AWS" } ], "RuleName": "ArchiveTrustedAccountAccess" }, { "Filter": [ { "Contains": [ "arn:aws:s3:::docs-bucket", "arn:aws:s3:::clients-bucket" ], "Property": "resource" } ], "RuleName": "ArchivePublicS3BucketsAccess" } ], "Tags": [ { "Key": "Kind", "Value": "Dev" } ], "Type": "ACCOUNT" }, "Type": "AWS::AccessAnalyzer::Analyzer" } } }

YAML

AWSTemplateFormatVersion: 2010-09-09 Resources: Analyzer: Type: 'AWS::AccessAnalyzer::Analyzer' Properties: AnalyzerName: MyAccountAnalyzer Type: ACCOUNT Tags: - Key: Kind Value: Dev ArchiveRules: - # Archive findings for a trusted AWS account RuleName: ArchiveTrustedAccountAccess Filter: - Property: 'principal.AWS' Eq: - '123456789012' - # Archive findings for known public S3 buckets RuleName: ArchivePublicS3BucketsAccess Filter: - Property: 'resource' Contains: - 'arn:aws:s3:::docs-bucket' - 'arn:aws:s3:::clients-bucket'