AWS SDK Version 3 for .NET
API Reference

Checks whether the specified access isn't allowed by a policy.

Note:

For .NET Core this operation is only available in asynchronous form. Please refer to CheckAccessNotGrantedAsync.

Namespace: Amazon.AccessAnalyzer
Assembly: AWSSDK.AccessAnalyzer.dll
Version: 3.x.y.z

Syntax

C#
public abstract CheckAccessNotGrantedResponse CheckAccessNotGranted(
         CheckAccessNotGrantedRequest request
)

Parameters

request
Type: Amazon.AccessAnalyzer.Model.CheckAccessNotGrantedRequest

Container for the necessary parameters to execute the CheckAccessNotGranted service method.

Return Value


The response from the CheckAccessNotGranted service method, as returned by AccessAnalyzer.

Exceptions

Exception                       Condition
AccessDeniedException           You do not have sufficient access to perform this action.
InternalServerException         Internal server error.
InvalidParameterException       The specified parameter is invalid.
ThrottlingException             Throttling limit exceeded error.
UnprocessableEntityException    The specified entity could not be processed.
ValidationException             Validation exception error.

Examples

Passing check. Restrictive identity policy.


// The policy allows only s3:GetObject, so the check for s3:PutObject passes.
var client = new AmazonAccessAnalyzerClient();
var response = client.CheckAccessNotGranted(new CheckAccessNotGrantedRequest
{
    Access = new List<Access> {
        new Access { Actions = new List<string> {
            "s3:PutObject"
        } }
    },
    PolicyDocument = "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":\"AllowJohnDoe\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/JohnDoe\"},\"Action\":\"s3:GetObject\",\"Resource\":\"*\"}]}",
    PolicyType = "RESOURCE_POLICY"
});

string message = response.Message;
string result = response.Result;

            

Passing check. Restrictive S3 Bucket resource policy.


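// The policy grants s3:PutObject on non-sensitive-bucket only, so the check
// for access to sensitive-bucket passes.
var client = new AmazonAccessAnalyzerClient();
var response = client.CheckAccessNotGranted(new CheckAccessNotGrantedRequest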
{
    Access = new List<Access> {
        new Access { Resources = new List<string> {
            "arn:aws:s3:::sensitive-bucket/*"
        } }
    },
    PolicyDocument = "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":\"AllowJohnDoe\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/JohnDoe\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::non-sensitive-bucket/*\"}]}",
    PolicyType = "RESOURCE_POLICY"
});

string message = response.Message;
string result = response.Result;

            

Failing check. Permissive S3 Bucket resource policy.


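// The policy grants s3:PutObject on arn:aws:s3:::my-bucket/*, the resource being
// checked, so the check fails and response.Reasons is populated.
var client = new AmazonAccessAnalyzerClient();
var response = client.CheckAccessNotGranted(new CheckAccessNotGrantedRequest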
{
    Access = new List<Access> {
        new Access { Resources = new List<string> {
            "arn:aws:s3:::my-bucket/*"
        } }
    },
    PolicyDocument = "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":\"AllowJohnDoe\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/JohnDoe\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::my-bucket/*\"}]}",
    PolicyType = "RESOURCE_POLICY"
});

string message = response.Message;
List<ReasonSummary> reasons = response.Reasons;
string result = response.Result;
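
Fail-closed policy gate. This is an added example, not part of the SDK documentation: it uses CheckAccessNotGrantedAsync (the form available on .NET Core) and handles the exceptions listed above. PolicyGate and AccessIsNotGrantedAsync are hypothetical names; the example assumes the passing Result value is "PASS" and that ReasonSummary exposes StatementIndex, StatementId and Description.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon.AccessAnalyzer;
using Amazon.AccessAnalyzer.Model;

// Hypothetical helper (not part of the SDK): fail-closed gate for a policy review step.
public static class PolicyGate
{
    // Returns true only when the service reports PASS (assumed result value).
    public static async Task<bool> AccessIsNotGrantedAsync(
        AmazonAccessAnalyzerClient client, string policyJson, List<Access> forbidden)
    {
        try
        {
            var response = await client.CheckAccessNotGrantedAsync(new CheckAccessNotGrantedRequest
            {
                Access = forbidden,
                PolicyDocument = policyJson,
                PolicyType = "RESOURCE_POLICY"
            });

            string result = response.Result;
            if (string.Equals(result, "PASS", StringComparison.Ordinal))
                return true;

            // Not a pass: report the statements the service points at.
            Console.Error.WriteLine($"{result}: {response.Message}");
            foreach (ReasonSummary reason in response.Reasons ?? new List<ReasonSummary>())
                Console.Error.WriteLine(
                    $"  statement #{reason.StatementIndex} (Sid {reason.StatementId}): {reason.Description}");
            return false;
        }
        catch (Exception e) when (e is ValidationException
                               || e is InvalidParameterException
                               || e is UnprocessableEntityException)
        {
            // A policy the service cannot analyze is treated as not approved.
            Console.Error.WriteLine($"Policy could not be checked: {e.Message}");
            return false;
        }
        // AccessDeniedException, ThrottlingException and InternalServerException propagate,
        // so the caller never reads "could not check" as "passed".
    }
}
```

Call it with the Access list and PolicyDocument string from any of the examples above; a false return or a propagated exception should block the policy from being applied.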

            

Version Information

.NET Framework:
Supported in: 4.5 and newer, 3.5
