Syntax Properties Return values Examples

AWS::AccessAnalyzer::Analyzer

The AWS::AccessAnalyzer::Analyzer resource specifies a new analyzer. The analyzer is an object that represents the IAM Access Analyzer feature. An analyzer is required for Access Analyzer to become operational.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON


{
  "Type" : "AWS::AccessAnalyzer::Analyzer",
  "Properties" : {
      "AnalyzerName" : String,
      "ArchiveRules" : [ ArchiveRule, ... ],
      "Tags" : [ Tag, ... ],
      "Type" : String
    }
}

YAML


Type: AWS::AccessAnalyzer::Analyzer
Properties: 
  AnalyzerName: String
  ArchiveRules: 
    - ArchiveRule
  Tags: 
    - Tag
  Type: String

Properties

AnalyzerName

The name of the analyzer.

Required: No

Type: String

Update requires: Replacement

ArchiveRules

Specifies the archive rules to add for the analyzer.

Required: No

Type: List of ArchiveRule

Update requires: No interruption

Tags

The tags to apply to the analyzer.

Required: No

Type: List of Tag

Update requires: No interruption

Type

The type represents the zone of trust for the analyzer.

Allowed Values: ACCOUNT | ORGANIZATION

Required: Yes

Type: String

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Reffunction, Refreturns the ARN of the analyzer created.

For more information about using the Reffunction, see Ref.

Examples

Declare an Analyzer Resource

The following example shows how to declare a IAM Access Analyzer Analyzer resource:

JSON


{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Analyzer": {
      "Properties": {
        "AnalyzerName": "DevAccountAnalyzer",
        "ArchiveRules": [
          {
            "Filter": [
              {
                "Eq": [
                  "123456789012"
                ],
                "Property": "principal.AWS"
              }
            ],
            "RuleName": "ArchiveTrustedAccountAccess"
          },
          {
            "Filter": [
              {
                "Contains": [
                  "arn:aws:s3:::docs-bucket",
                  "arn:aws:s3:::clients-bucket"
                ],
                "Property": "resource"
              }
            ],
            "RuleName": "ArchivePublicS3BucketsAccess"
          }
        ],
        "Tags": [
          {
            "Key": "Kind",
            "Value": "Dev"
          }
        ],
        "Type": "ACCOUNT"
      },
      "Type": "AWS::AccessAnalyzer::Analyzer"
    }
  }
}

YAML


AWSTemplateFormatVersion: 2010-09-09
Resources:
  Analyzer:
    Type: 'AWS::AccessAnalyzer::Analyzer'
    Properties:
      AnalyzerName: MyAccountAnalyzer
      Type: ACCOUNT
      Tags:
        -
          Key: Kind
          Value: Dev
      ArchiveRules:
        -
          # Archive findings for a trusted AWS account
          RuleName: ArchiveTrustedAccountAccess
          Filter:
            -
              Property: 'principal.AWS'
              Eq:
                - '123456789012'
        -
          # Archive findings for known public S3 buckets
          RuleName: ArchivePublicS3BucketsAccess
          Filter:
            -
              Property: 'resource'
              Contains:
                - 'arn:aws:s3:::docs-bucket'
                - 'arn:aws:s3:::clients-bucket'

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Identity and Access Management Access Analyzer

ArchiveRule