AWS::AccessAnalyzer::Analyzer
The AWS::AccessAnalyzer::Analyzer resource creates a new analyzer. The analyzer is the object that represents the IAM Access Analyzer feature in an account and Region; Access Analyzer produces no findings until one exists, so an analyzer is required for Access Analyzer to become operational. Analyzers are Regional, so create one in each Region whose resources you want analyzed.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::AccessAnalyzer::Analyzer",
  "Properties" : {
    "AnalyzerName" : String,
    "ArchiveRules" : [ ArchiveRule, ... ],
    "Tags" : [ Tag, ... ],
    "Type" : String
  }
}
YAML
Type: AWS::AccessAnalyzer::Analyzer
Properties:
  AnalyzerName: String
  ArchiveRules:
    - ArchiveRule
  Tags:
    - Tag
  Type: String
Properties
AnalyzerName
The name of the analyzer.
Required: No
Type: String
Update requires: Replacement
ArchiveRules
Specifies the archive rules to add for the analyzer. An archive rule automatically archives new findings that match all of its filter criteria, so those findings are not surfaced as active. Keep each filter as narrow as possible (exact principal account IDs, exact resource ARNs) so that a rule does not silently hide unintended external access.
Required: No
Type: List of ArchiveRule
Update requires: No interruption
Tags
The tags to apply to the analyzer.
Required: No
Type: List of Tag
Update requires: No interruption
Type
The type represents the zone of trust for the analyzer. With ACCOUNT, the current account is the zone of trust and access granted to any principal outside it is reported. With ORGANIZATION, the whole AWS Organization is the zone of trust, so access between member accounts is not reported; only access from outside the organization is. An ORGANIZATION analyzer must be created from the organization's management account or a delegated administrator account.
Allowed Values: ACCOUNT | ORGANIZATION
Required: Yes
Type: String
Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ARN of the analyzer created.
For more information about using the Ref function, see Ref.
Examples
Declare an Analyzer Resource
The following example shows how to declare an IAM Access Analyzer Analyzer resource with two archive rules: one that archives findings for a trusted account, and one that archives findings for S3 buckets that are known to be public.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Analyzer": {
      "Type": "AWS::AccessAnalyzer::Analyzer",
      "Properties": {
        "AnalyzerName": "DevAccountAnalyzer",
        "ArchiveRules": [
          {
            "RuleName": "ArchiveTrustedAccountAccess",
            "Filter": [
              {
                "Property": "principal.AWS",
                "Eq": [ "123456789012" ]
              }
            ]
          },
          {
            "RuleName": "ArchivePublicS3BucketsAccess",
            "Filter": [
              {
                "Property": "resource",
                "Contains": [
                  "arn:aws:s3:::docs-bucket",
                  "arn:aws:s3:::clients-bucket"
                ]
              }
            ]
          }
        ],
        "Tags": [
          { "Key": "Kind", "Value": "Dev" }
        ],
        "Type": "ACCOUNT"
      }
    }
  }
}
YAML
AWSTemplateFormatVersion: 2010-09-09
Resources:
  Analyzer:
    Type: 'AWS::AccessAnalyzer::Analyzer'
    Properties:
      AnalyzerName: MyAccountAnalyzer
      Type: ACCOUNT
      Tags:
        - Key: Kind
          Value: Dev
      ArchiveRules:
        # Archive findings for a trusted AWS account
        - RuleName: ArchiveTrustedAccountAccess
          Filter:
            - Property: 'principal.AWS'
              Eq:
                - '123456789012'
        # Archive findings for known public S3 buckets
        - RuleName: ArchivePublicS3BucketsAccess
          Filter:
            - Property: 'resource'
              Contains:
                - 'arn:aws:s3:::docs-bucket'
                - 'arn:aws:s3:::clients-bucket'
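Because an archive rule removes matching findings from the active view, it is worth previewing what a rule set would archive before deploying it. The following is an added example, not code from the AWS documentation or the Access Analyzer service: it evaluates the two ArchiveRules from the template above against a few constructed findings. The matching semantics are a local approximation (assumed here: criteria within one rule are ANDed, rules are ORed, Eq and Neq are exact string comparisons against the list, Contains is a case-sensitive substring test, Exists checks whether the property is present). The finding keys and values are constructed sample data. It also shows a tightened variant of the bucket rule that uses Eq on exact ARNs, because a Contains match on "arn:aws:s3:::docs-bucket" would also archive a finding for a bucket named "docs-bucket-backup".

```python
"""Preview which IAM Access Analyzer findings a set of ArchiveRules would archive.

Added illustration, not AWS code. The Eq/Neq/Contains/Exists semantics are a
local approximation of the service's filter matching (assumed: criteria within
one rule are ANDed, rules are ORed, Contains is a case-sensitive substring test).
"""

# ArchiveRules copied from the AWS::AccessAnalyzer::Analyzer example above.
ARCHIVE_RULES = [
    {
        "RuleName": "ArchiveTrustedAccountAccess",
        "Filter": [{"Property": "principal.AWS", "Eq": ["123456789012"]}],
    },
    {
        "RuleName": "ArchivePublicS3BucketsAccess",
        "Filter": [{
            "Property": "resource",
            "Contains": ["arn:aws:s3:::docs-bucket", "arn:aws:s3:::clients-bucket"],
        }],
    },
]

# Same rules, but the bucket rule anchored on exact ARNs with Eq instead of Contains.
TIGHTENED_RULES = [
    ARCHIVE_RULES[0],
    {
        "RuleName": "ArchivePublicS3BucketsAccess",
        "Filter": [{
            "Property": "resource",
            "Eq": ["arn:aws:s3:::docs-bucket", "arn:aws:s3:::clients-bucket"],
        }],
    },
]

# Constructed sample findings (not real data), flattened to the dotted keys
# used by finding filters such as principal.AWS.
SAMPLE_FINDINGS = [
    {"id": "f1", "resource": "arn:aws:iam::111122223333:role/Deploy",
     "principal.AWS": "123456789012", "isPublic": "false"},
    {"id": "f2", "resource": "arn:aws:s3:::docs-bucket",
     "principal.AWS": "*", "isPublic": "true"},
    {"id": "f3", "resource": "arn:aws:s3:::docs-bucket-backup",
     "principal.AWS": "*", "isPublic": "true"},
    {"id": "f4", "resource": "arn:aws:s3:::payroll-bucket",
     "principal.AWS": "*", "isPublic": "true"},
]


def criterion_matches(finding: dict, criterion: dict) -> bool:
    """Evaluate one Filter entry against one finding."""
    prop = criterion["Property"]
    if "Exists" in criterion:
        return (prop in finding) == bool(criterion["Exists"])
    if prop not in finding:
        return False
    value = finding[prop]
    if "Eq" in criterion:
        return value in criterion["Eq"]
    if "Neq" in criterion:
        return value not in criterion["Neq"]
    if "Contains" in criterion:
        return any(needle in value for needle in criterion["Contains"])
    raise ValueError(f"unsupported criterion: {criterion}")


def rule_matches(finding: dict, rule: dict) -> bool:
    """All criteria in a rule must match for the rule to archive the finding."""
    return all(criterion_matches(finding, c) for c in rule["Filter"])


def archived_by(findings: list, rules: list) -> dict:
    """Map finding id -> name of the first rule that would archive it."""
    result = {}
    for finding in findings:
        for rule in rules:
            if rule_matches(finding, rule):
                result[finding["id"]] = rule["RuleName"]
                break
    return result


def active_public_findings(findings: list, rules: list) -> list:
    """Ids of public-access findings that would remain active (not archived)."""
    archived = archived_by(findings, rules)
    return [f["id"] for f in findings
            if f.get("isPublic") == "true" and f["id"] not in archived]


if __name__ == "__main__":
    for name, rules in (("page rules", ARCHIVE_RULES), ("tightened", TIGHTENED_RULES)):
        print(name, archived_by(SAMPLE_FINDINGS, rules),
              "still active:", active_public_findings(SAMPLE_FINDINGS, rules))
```

With the rules as written on the page, the sample finding for "arn:aws:s3:::docs-bucket-backup" is archived alongside the intended docs-bucket finding; with the Eq variant it stays active and would be reviewed. Run the preview against an export of real findings (for example from the ListFindings API) before changing ArchiveRules in the template.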