AmazonAccessAnalyzerClient Class | AWS SDK for .NET V3

Implementation for accessing AccessAnalyzer

Identity and Access Management Access Analyzer helps you to set, verify, and refine your IAM policies by providing a suite of capabilities. Its features include findings for external and unused access, basic and custom policy checks for validating policies, and policy generation to generate fine-grained policies. To start using IAM Access Analyzer to identify external or unused access, you first need to create an analyzer.

External access analyzers help identify potential risks of accessing resources by enabling you to identify any resource policies that grant access to an external principal. It does this by using logic-based reasoning to analyze resource-based policies in your Amazon Web Services environment. An external principal can be another Amazon Web Services account, a root user, an IAM user or role, a federated user, an Amazon Web Services service, or an anonymous user. You can also use IAM Access Analyzer to preview public and cross-account access to your resources before deploying permissions changes.

Unused access analyzers help identify potential identity access risks by enabling you to identify unused IAM roles, unused access keys, unused console passwords, and IAM principals with unused service and action-level permissions.

Beyond findings, IAM Access Analyzer provides basic and custom policy checks to validate IAM policies before deploying permissions changes. You can use policy generation to refine permissions by attaching a policy generated using access activity logged in CloudTrail logs.

This guide describes the IAM Access Analyzer operations that you can call programmatically. For general information about IAM Access Analyzer, see Identity and Access Management Access Analyzer in the IAM User Guide.

Inheritance Hierarchy

System.Object
Amazon.Runtime.AmazonServiceClient
Amazon.AccessAnalyzer.AmazonAccessAnalyzerClient

Namespace: Amazon.AccessAnalyzer
Assembly: AWSSDK.AccessAnalyzer.dll
Version: 3.x.y.z

Syntax

public class AmazonAccessAnalyzerClient : AmazonServiceClient
         IAmazonAccessAnalyzer, IAmazonService, IDisposable

The AmazonAccessAnalyzerClient type exposes the following members

Constructors

	Name	Description
	AmazonAccessAnalyzerClient()	Constructs AmazonAccessAnalyzerClient with the credentials loaded from the application's default configuration, and if unsuccessful from the Instance Profile service on an EC2 instance. Example App.config with credentials set. <?xml version="1.0" encoding="utf-8" ?> <configuration> <appSettings> <add key="AWSProfileName" value="AWS Default"/> </appSettings> </configuration>
	AmazonAccessAnalyzerClient(RegionEndpoint)	Constructs AmazonAccessAnalyzerClient with the credentials loaded from the application's default configuration, and if unsuccessful from the Instance Profile service on an EC2 instance. Example App.config with credentials set. <?xml version="1.0" encoding="utf-8" ?> <configuration> <appSettings> <add key="AWSProfileName" value="AWS Default"/> </appSettings> </configuration>
	AmazonAccessAnalyzerClient(AmazonAccessAnalyzerConfig)	Constructs AmazonAccessAnalyzerClient with the credentials loaded from the application's default configuration, and if unsuccessful from the Instance Profile service on an EC2 instance. Example App.config with credentials set. <?xml version="1.0" encoding="utf-8" ?> <configuration> <appSettings> <add key="AWSProfileName" value="AWS Default"/> </appSettings> </configuration>
	AmazonAccessAnalyzerClient(AWSCredentials)	Constructs AmazonAccessAnalyzerClient with AWS Credentials
	AmazonAccessAnalyzerClient(AWSCredentials, RegionEndpoint)	Constructs AmazonAccessAnalyzerClient with AWS Credentials
	AmazonAccessAnalyzerClient(AWSCredentials, AmazonAccessAnalyzerConfig)	Constructs AmazonAccessAnalyzerClient with AWS Credentials and an AmazonAccessAnalyzerClient Configuration object.
	AmazonAccessAnalyzerClient(string, string)	Constructs AmazonAccessAnalyzerClient with AWS Access Key ID and AWS Secret Key
	AmazonAccessAnalyzerClient(string, string, RegionEndpoint)	Constructs AmazonAccessAnalyzerClient with AWS Access Key ID and AWS Secret Key
	AmazonAccessAnalyzerClient(string, string, AmazonAccessAnalyzerConfig)	Constructs AmazonAccessAnalyzerClient with AWS Access Key ID, AWS Secret Key and an AmazonAccessAnalyzerClient Configuration object.
	AmazonAccessAnalyzerClient(string, string, string)	Constructs AmazonAccessAnalyzerClient with AWS Access Key ID and AWS Secret Key
	AmazonAccessAnalyzerClient(string, string, string, RegionEndpoint)	Constructs AmazonAccessAnalyzerClient with AWS Access Key ID and AWS Secret Key
	AmazonAccessAnalyzerClient(string, string, string, AmazonAccessAnalyzerConfig)	Constructs AmazonAccessAnalyzerClient with AWS Access Key ID, AWS Secret Key and an AmazonAccessAnalyzerClient Configuration object.

Properties

	Name	Type	Description
	Config	Amazon.Runtime.IClientConfig	Inherited from Amazon.Runtime.AmazonServiceClient.
	Paginators	Amazon.AccessAnalyzer.Model.IAccessAnalyzerPaginatorFactory	Paginators for the service

Methods

Note:

Asynchronous operations (methods ending with Async) in the table below are for .NET 4.5 or higher. For .NET 3.5 the SDK follows the standard naming convention of BeginMethodName and EndMethodName to indicate asynchronous operations - these method pairs are not shown in the table below.

	Name	Description
	ApplyArchiveRule(ApplyArchiveRuleRequest)	Retroactively applies the archive rule to existing findings that meet the archive rule criteria.
	ApplyArchiveRuleAsync(ApplyArchiveRuleRequest, CancellationToken)	Retroactively applies the archive rule to existing findings that meet the archive rule criteria.
	CancelPolicyGeneration(CancelPolicyGenerationRequest)	Cancels the requested policy generation.
	CancelPolicyGenerationAsync(CancelPolicyGenerationRequest, CancellationToken)	Cancels the requested policy generation.
	CheckAccessNotGranted(CheckAccessNotGrantedRequest)	Checks whether the specified access isn't allowed by a policy.
	CheckAccessNotGrantedAsync(CheckAccessNotGrantedRequest, CancellationToken)	Checks whether the specified access isn't allowed by a policy.
	CheckNoNewAccess(CheckNoNewAccessRequest)	Checks whether new access is allowed for an updated policy when compared to the existing policy. You can find examples for reference policies and learn how to set up and run a custom policy check for new access in the IAM Access Analyzer custom policy checks samples repository on GitHub. The reference policies in this repository are meant to be passed to the `existingPolicyDocument` request parameter.
	CheckNoNewAccessAsync(CheckNoNewAccessRequest, CancellationToken)	Checks whether new access is allowed for an updated policy when compared to the existing policy. You can find examples for reference policies and learn how to set up and run a custom policy check for new access in the IAM Access Analyzer custom policy checks samples repository on GitHub. The reference policies in this repository are meant to be passed to the `existingPolicyDocument` request parameter.
	CreateAccessPreview(CreateAccessPreviewRequest)	Creates an access preview that allows you to preview IAM Access Analyzer findings for your resource before deploying resource permissions.
	CreateAccessPreviewAsync(CreateAccessPreviewRequest, CancellationToken)	Creates an access preview that allows you to preview IAM Access Analyzer findings for your resource before deploying resource permissions.
	CreateAnalyzer(CreateAnalyzerRequest)	Creates an analyzer for your account.
	CreateAnalyzerAsync(CreateAnalyzerRequest, CancellationToken)	Creates an analyzer for your account.
	CreateArchiveRule(CreateArchiveRuleRequest)	Creates an archive rule for the specified analyzer. Archive rules automatically archive new findings that meet the criteria you define when you create the rule. To learn about filter keys that you can use to create an archive rule, see IAM Access Analyzer filter keys in the IAM User Guide.
	CreateArchiveRuleAsync(CreateArchiveRuleRequest, CancellationToken)	Creates an archive rule for the specified analyzer. Archive rules automatically archive new findings that meet the criteria you define when you create the rule. To learn about filter keys that you can use to create an archive rule, see IAM Access Analyzer filter keys in the IAM User Guide.
	DeleteAnalyzer(DeleteAnalyzerRequest)	Deletes the specified analyzer. When you delete an analyzer, IAM Access Analyzer is disabled for the account or organization in the current or specific Region. All findings that were generated by the analyzer are deleted. You cannot undo this action.
	DeleteAnalyzerAsync(DeleteAnalyzerRequest, CancellationToken)	Deletes the specified analyzer. When you delete an analyzer, IAM Access Analyzer is disabled for the account or organization in the current or specific Region. All findings that were generated by the analyzer are deleted. You cannot undo this action.
	DeleteArchiveRule(DeleteArchiveRuleRequest)	Deletes the specified archive rule.
	DeleteArchiveRuleAsync(DeleteArchiveRuleRequest, CancellationToken)	Deletes the specified archive rule.
	DetermineServiceOperationEndpoint(AmazonWebServiceRequest)	Returns the endpoint that will be used for a particular request.
	Dispose()	Inherited from Amazon.Runtime.AmazonServiceClient.
	GetAccessPreview(GetAccessPreviewRequest)	Retrieves information about an access preview for the specified analyzer.
	GetAccessPreviewAsync(GetAccessPreviewRequest, CancellationToken)	Retrieves information about an access preview for the specified analyzer.
	GetAnalyzedResource(GetAnalyzedResourceRequest)	Retrieves information about a resource that was analyzed.
	GetAnalyzedResourceAsync(GetAnalyzedResourceRequest, CancellationToken)	Retrieves information about a resource that was analyzed.
	GetAnalyzer(GetAnalyzerRequest)	Retrieves information about the specified analyzer.
	GetAnalyzerAsync(GetAnalyzerRequest, CancellationToken)	Retrieves information about the specified analyzer.
	GetArchiveRule(GetArchiveRuleRequest)	Retrieves information about an archive rule. To learn about filter keys that you can use to create an archive rule, see IAM Access Analyzer filter keys in the IAM User Guide.
	GetArchiveRuleAsync(GetArchiveRuleRequest, CancellationToken)	Retrieves information about an archive rule. To learn about filter keys that you can use to create an archive rule, see IAM Access Analyzer filter keys in the IAM User Guide.
	GetFinding(GetFindingRequest)	Retrieves information about the specified finding. GetFinding and GetFindingV2 both use `access-analyzer:GetFinding` in the `Action` element of an IAM policy statement. You must have permission to perform the `access-analyzer:GetFinding` action.
	GetFindingAsync(GetFindingRequest, CancellationToken)	Retrieves information about the specified finding. GetFinding and GetFindingV2 both use `access-analyzer:GetFinding` in the `Action` element of an IAM policy statement. You must have permission to perform the `access-analyzer:GetFinding` action.
	GetFindingV2(GetFindingV2Request)	Retrieves information about the specified finding. GetFinding and GetFindingV2 both use `access-analyzer:GetFinding` in the `Action` element of an IAM policy statement. You must have permission to perform the `access-analyzer:GetFinding` action.
	GetFindingV2Async(GetFindingV2Request, CancellationToken)	Retrieves information about the specified finding. GetFinding and GetFindingV2 both use `access-analyzer:GetFinding` in the `Action` element of an IAM policy statement. You must have permission to perform the `access-analyzer:GetFinding` action.
	GetGeneratedPolicy(GetGeneratedPolicyRequest)	Retrieves the policy that was generated using `StartPolicyGeneration`.
	GetGeneratedPolicyAsync(GetGeneratedPolicyRequest, CancellationToken)	Retrieves the policy that was generated using `StartPolicyGeneration`.
	ListAccessPreviewFindings(ListAccessPreviewFindingsRequest)	Retrieves a list of access preview findings generated by the specified access preview.
	ListAccessPreviewFindingsAsync(ListAccessPreviewFindingsRequest, CancellationToken)	Retrieves a list of access preview findings generated by the specified access preview.
	ListAccessPreviews(ListAccessPreviewsRequest)	Retrieves a list of access previews for the specified analyzer.
	ListAccessPreviewsAsync(ListAccessPreviewsRequest, CancellationToken)	Retrieves a list of access previews for the specified analyzer.
	ListAnalyzedResources(ListAnalyzedResourcesRequest)	Retrieves a list of resources of the specified type that have been analyzed by the specified external access analyzer. This action is not supported for unused access analyzers.
	ListAnalyzedResourcesAsync(ListAnalyzedResourcesRequest, CancellationToken)	Retrieves a list of resources of the specified type that have been analyzed by the specified external access analyzer. This action is not supported for unused access analyzers.
	ListAnalyzers(ListAnalyzersRequest)	Retrieves a list of analyzers.
	ListAnalyzersAsync(ListAnalyzersRequest, CancellationToken)	Retrieves a list of analyzers.
	ListArchiveRules(ListArchiveRulesRequest)	Retrieves a list of archive rules created for the specified analyzer.
	ListArchiveRulesAsync(ListArchiveRulesRequest, CancellationToken)	Retrieves a list of archive rules created for the specified analyzer.
	ListFindings(ListFindingsRequest)	Retrieves a list of findings generated by the specified analyzer. ListFindings and ListFindingsV2 both use `access-analyzer:ListFindings` in the `Action` element of an IAM policy statement. You must have permission to perform the `access-analyzer:ListFindings` action. To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys in the IAM User Guide.
	ListFindingsAsync(ListFindingsRequest, CancellationToken)	Retrieves a list of findings generated by the specified analyzer. ListFindings and ListFindingsV2 both use `access-analyzer:ListFindings` in the `Action` element of an IAM policy statement. You must have permission to perform the `access-analyzer:ListFindings` action. To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys in the IAM User Guide.
	ListFindingsV2(ListFindingsV2Request)	Retrieves a list of findings generated by the specified analyzer. ListFindings and ListFindingsV2 both use `access-analyzer:ListFindings` in the `Action` element of an IAM policy statement. You must have permission to perform the `access-analyzer:ListFindings` action. To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys in the IAM User Guide.
	ListFindingsV2Async(ListFindingsV2Request, CancellationToken)	Retrieves a list of findings generated by the specified analyzer. ListFindings and ListFindingsV2 both use `access-analyzer:ListFindings` in the `Action` element of an IAM policy statement. You must have permission to perform the `access-analyzer:ListFindings` action. To learn about filter keys that you can use to retrieve a list of findings, see IAM Access Analyzer filter keys in the IAM User Guide.
	ListPolicyGenerations(ListPolicyGenerationsRequest)	Lists all of the policy generations requested in the last seven days.
	ListPolicyGenerationsAsync(ListPolicyGenerationsRequest, CancellationToken)	Lists all of the policy generations requested in the last seven days.
	ListTagsForResource(ListTagsForResourceRequest)	Retrieves a list of tags applied to the specified resource.
	ListTagsForResourceAsync(ListTagsForResourceRequest, CancellationToken)	Retrieves a list of tags applied to the specified resource.
	StartPolicyGeneration(StartPolicyGenerationRequest)	Starts the policy generation request.
	StartPolicyGenerationAsync(StartPolicyGenerationRequest, CancellationToken)	Starts the policy generation request.
	StartResourceScan(StartResourceScanRequest)	Immediately starts a scan of the policies applied to the specified resource.
	StartResourceScanAsync(StartResourceScanRequest, CancellationToken)	Immediately starts a scan of the policies applied to the specified resource.
	TagResource(TagResourceRequest)	Adds a tag to the specified resource.
	TagResourceAsync(TagResourceRequest, CancellationToken)	Adds a tag to the specified resource.
	UntagResource(UntagResourceRequest)	Removes a tag from the specified resource.
	UntagResourceAsync(UntagResourceRequest, CancellationToken)	Removes a tag from the specified resource.
	UpdateArchiveRule(UpdateArchiveRuleRequest)	Updates the criteria and values for the specified archive rule.
	UpdateArchiveRuleAsync(UpdateArchiveRuleRequest, CancellationToken)	Updates the criteria and values for the specified archive rule.
	UpdateFindings(UpdateFindingsRequest)	Updates the status for the specified findings.
	UpdateFindingsAsync(UpdateFindingsRequest, CancellationToken)	Updates the status for the specified findings.
	ValidatePolicy(ValidatePolicyRequest)	Requests the validation of a policy and returns a list of findings. The findings help you identify issues and provide actionable recommendations to resolve the issue and enable you to author functional policies that meet security best practices.
	ValidatePolicyAsync(ValidatePolicyRequest, CancellationToken)	Requests the validation of a policy and returns a list of findings. The findings help you identify issues and provide actionable recommendations to resolve the issue and enable you to author functional policies that meet security best practices.

Events

	Name	Description
	AfterResponseEvent	Inherited from Amazon.Runtime.AmazonServiceClient.
	BeforeRequestEvent	Inherited from Amazon.Runtime.AmazonServiceClient.
	ExceptionEvent	Inherited from Amazon.Runtime.AmazonServiceClient.

Version Information

.NET Core App:
Supported in: 3.1

.NET Standard:
Supported in: 2.0

.NET Framework:
Supported in: 4.5, 4.0, 3.5