Container for the parameters to the CheckAccessNotGranted operation. Checks whether the specified access isn't allowed by a policy.
Inheritance Hierarchy
Amazon.Runtime.AmazonWebServiceRequest
Amazon.AccessAnalyzer.AmazonAccessAnalyzerRequest
Amazon.AccessAnalyzer.Model.CheckAccessNotGrantedRequest
Namespace: Amazon.AccessAnalyzer.Model
Assembly: AWSSDK.AccessAnalyzer.dll
Version: 3.x.y.z
Syntax
public class CheckAccessNotGrantedRequest : AmazonAccessAnalyzerRequest IAmazonWebServiceRequest
The CheckAccessNotGrantedRequest type exposes the following members
Constructors
| Name | Description | |
|---|---|---|
|
CheckAccessNotGrantedRequest() |
Properties
| Name | Type | Description | |
|---|---|---|---|
|
|
Access | System.Collections.Generic.List<Amazon.AccessAnalyzer.Model.Access> |
Gets and sets the property Access. An access object containing the permissions that shouldn't be granted by the specified policy. If only actions are specified, IAM Access Analyzer checks for access to peform at least one of the actions on any resource in the policy. If only resources are specified, then IAM Access Analyzer checks for access to perform any action on at least one of the resources. If both actions and resources are specified, IAM Access Analyzer checks for access to perform at least one of the specified actions on at least one of the specified resources. |
|
|
PolicyDocument | System.String |
Gets and sets the property PolicyDocument. The JSON policy document to use as the content for the policy. |
|
|
PolicyType | Amazon.AccessAnalyzer.AccessCheckPolicyType |
Gets and sets the property PolicyType. The type of policy. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups. Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets. |
Examples
Passing check. Restrictive identity policy.
var client = new AmazonAccessAnalyzerClient();
var response = client.CheckAccessNotGranted(new CheckAccessNotGrantedRequest
{
Access = new List<Access> {
new Access { Actions = new List<string> {
"s3:PutObject"
} }
},
PolicyDocument = "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":\"AllowJohnDoe\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/JohnDoe\"},\"Action\":\"s3:GetObject\",\"Resource\":\"*\"}]}",
PolicyType = "RESOURCE_POLICY"
});
string message = response.Message;
string result = response.Result;
Passing check. Restrictive S3 Bucket resource policy.
var client = new AmazonAccessAnalyzerClient();
var response = client.CheckAccessNotGranted(new CheckAccessNotGrantedRequest
{
Access = new List<Access> {
new Access { Resources = new List<string> {
"arn:aws:s3:::sensitive-bucket/*"
} }
},
PolicyDocument = "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":\"AllowJohnDoe\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/JohnDoe\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::non-sensitive-bucket/*\"}]}",
PolicyType = "RESOURCE_POLICY"
});
string message = response.Message;
string result = response.Result;
Failing check. Permissive S3 Bucket resource policy.
var client = new AmazonAccessAnalyzerClient();
var response = client.CheckAccessNotGranted(new CheckAccessNotGrantedRequest
{
Access = new List<Access> {
new Access { Resources = new List<string> {
"arn:aws:s3:::my-bucket/*"
} }
},
PolicyDocument = "{\"Version\":\"2012-10-17\",\"Id\":\"123\",\"Statement\":[{\"Sid\":\"AllowJohnDoe\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/JohnDoe\"},\"Action\":\"s3:PutObject\",\"Resource\":\"arn:aws:s3:::my-bucket/*\"}]}",
PolicyType = "RESOURCE_POLICY"
});
string message = response.Message;
List<ReasonSummary> reasons = response.Reasons;
string result = response.Result;
Version Information
.NET:
Supported in: 8.0 and newer, Core 3.1
.NET Standard:
Supported in: 2.0
.NET Framework:
Supported in: 4.5 and newer, 3.5