get_finding_v2

AccessAnalyzer.Client.get_finding_v2(**kwargs)

Retrieves information about the specified finding. GetFinding and GetFindingV2 both use access-analyzer:GetFinding in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:GetFinding action.

See also: AWS API Documentation
Request Syntax

    response = client.get_finding_v2(
        analyzerArn='string',
        id='string',
        maxResults=123,
        nextToken='string'
    )
- Parameters:
analyzerArn (string) –
[REQUIRED]
The ARN of the analyzer that generated the finding.
id (string) –
[REQUIRED]
The ID of the finding to retrieve.
maxResults (integer) – The maximum number of results to return in the response.
nextToken (string) – A token used for pagination of results returned.
- Return type:
dict
- Returns:
Response Syntax
    {
        'analyzedAt': datetime(2015, 1, 1),
        'createdAt': datetime(2015, 1, 1),
        'error': 'string',
        'id': 'string',
        'nextToken': 'string',
        'resource': 'string',
        'resourceType': 'AWS::S3::Bucket'|'AWS::IAM::Role'|'AWS::SQS::Queue'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::KMS::Key'|'AWS::SecretsManager::Secret'|'AWS::EFS::FileSystem'|'AWS::EC2::Snapshot'|'AWS::ECR::Repository'|'AWS::RDS::DBSnapshot'|'AWS::RDS::DBClusterSnapshot'|'AWS::SNS::Topic'|'AWS::S3Express::DirectoryBucket'|'AWS::DynamoDB::Table'|'AWS::DynamoDB::Stream'|'AWS::IAM::User',
        'resourceOwnerAccount': 'string',
        'status': 'ACTIVE'|'ARCHIVED'|'RESOLVED',
        'updatedAt': datetime(2015, 1, 1),
        'findingDetails': [
            {
                'internalAccessDetails': {
                    'action': [
                        'string',
                    ],
                    'condition': {
                        'string': 'string'
                    },
                    'principal': {
                        'string': 'string'
                    },
                    'principalOwnerAccount': 'string',
                    'accessType': 'INTRA_ACCOUNT'|'INTRA_ORG',
                    'principalType': 'IAM_ROLE'|'IAM_USER',
                    'sources': [
                        {
                            'type': 'POLICY'|'BUCKET_ACL'|'S3_ACCESS_POINT'|'S3_ACCESS_POINT_ACCOUNT',
                            'detail': {
                                'accessPointArn': 'string',
                                'accessPointAccount': 'string'
                            }
                        },
                    ],
                    'resourceControlPolicyRestriction': 'APPLICABLE'|'FAILED_TO_EVALUATE_RCP'|'NOT_APPLICABLE'|'APPLIED',
                    'serviceControlPolicyRestriction': 'APPLICABLE'|'FAILED_TO_EVALUATE_SCP'|'NOT_APPLICABLE'|'APPLIED'
                },
                'externalAccessDetails': {
                    'action': [
                        'string',
                    ],
                    'condition': {
                        'string': 'string'
                    },
                    'isPublic': True|False,
                    'principal': {
                        'string': 'string'
                    },
                    'sources': [
                        {
                            'type': 'POLICY'|'BUCKET_ACL'|'S3_ACCESS_POINT'|'S3_ACCESS_POINT_ACCOUNT',
                            'detail': {
                                'accessPointArn': 'string',
                                'accessPointAccount': 'string'
                            }
                        },
                    ],
                    'resourceControlPolicyRestriction': 'APPLICABLE'|'FAILED_TO_EVALUATE_RCP'|'NOT_APPLICABLE'|'APPLIED'
                },
                'unusedPermissionDetails': {
                    'actions': [
                        {
                            'action': 'string',
                            'lastAccessed': datetime(2015, 1, 1)
                        },
                    ],
                    'serviceNamespace': 'string',
                    'lastAccessed': datetime(2015, 1, 1)
                },
                'unusedIamUserAccessKeyDetails': {
                    'accessKeyId': 'string',
                    'lastAccessed': datetime(2015, 1, 1)
                },
                'unusedIamRoleDetails': {
                    'lastAccessed': datetime(2015, 1, 1)
                },
                'unusedIamUserPasswordDetails': {
                    'lastAccessed': datetime(2015, 1, 1)
                }
            },
        ],
        'findingType': 'ExternalAccess'|'UnusedIAMRole'|'UnusedIAMUserAccessKey'|'UnusedIAMUserPassword'|'UnusedPermission'|'InternalAccess'
    }
Response Structure
(dict) –
analyzedAt (datetime) –
The time at which the resource-based policy or IAM entity that generated the finding was analyzed.
createdAt (datetime) –
The time at which the finding was created.
error (string) –
An error.
id (string) –
The ID of the finding to retrieve.
nextToken (string) –
A token used for pagination of results returned.
resource (string) –
The resource that generated the finding.
resourceType (string) –
The type of the resource identified in the finding.
resourceOwnerAccount (string) –
The Amazon Web Services account ID that owns the resource.
status (string) –
The status of the finding.
updatedAt (datetime) –
The time at which the finding was updated.
findingDetails (list) –
A localized message that explains the finding and provides guidance on how to address it.
(dict) –
Contains information about an external access or unused access finding. Only one parameter can be used in a FindingDetails object.

Note: This is a Tagged Union structure. Only one of the following top level keys will be set: internalAccessDetails, externalAccessDetails, unusedPermissionDetails, unusedIamUserAccessKeyDetails, unusedIamRoleDetails, unusedIamUserPasswordDetails. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
internalAccessDetails (dict) –
The details for an internal access analyzer finding. This contains information about access patterns identified within your Amazon Web Services organization or account.
action (list) –
The action in the analyzed policy statement that has internal access permission to use.
(string) –
condition (dict) –
The condition in the analyzed policy statement that resulted in an internal access finding.
(string) –
(string) –
principal (dict) –
The principal that has access to a resource within the internal environment.
(string) –
(string) –
principalOwnerAccount (string) –
The Amazon Web Services account ID that owns the principal identified in the internal access finding.
accessType (string) –
The type of internal access identified in the finding. This indicates how the access is granted within your Amazon Web Services environment.
principalType (string) –
The type of principal identified in the internal access finding, such as IAM role or IAM user.
sources (list) –
The sources of the internal access finding. This indicates how the access that generated the finding is granted within your Amazon Web Services environment.
(dict) –
The source of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
type (string) –
Indicates the type of access that generated the finding.
detail (dict) –
Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.
accessPointArn (string) –
The ARN of the access point that generated the finding. The ARN format depends on whether the ARN represents an access point or a multi-region access point.
accessPointAccount (string) –
The account of the cross-account access point that generated the finding.
resourceControlPolicyRestriction (string) –
The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).
- APPLICABLE: There is an RCP present in the organization but IAM Access Analyzer does not include it in the evaluation of effective permissions. For example, if s3:DeleteObject is blocked by the RCP and the restriction is APPLICABLE, then s3:DeleteObject would still be included in the list of actions for the finding. Only applicable to internal access findings with the account as the zone of trust.
- FAILED_TO_EVALUATE_RCP: There was an error evaluating the RCP.
- NOT_APPLICABLE: There was no RCP present in the organization. For internal access findings with the account as the zone of trust, NOT_APPLICABLE could also indicate that there was no RCP applicable to the resource.
- APPLIED: An RCP is present in the organization and IAM Access Analyzer included it in the evaluation of effective permissions. For example, if s3:DeleteObject is blocked by the RCP and the restriction is APPLIED, then s3:DeleteObject would not be included in the list of actions for the finding. Only applicable to internal access findings with the organization as the zone of trust.
serviceControlPolicyRestriction (string) –
The type of restriction applied to the finding by an Organizations service control policy (SCP).
- APPLICABLE: There is an SCP present in the organization but IAM Access Analyzer does not include it in the evaluation of effective permissions. Only applicable to internal access findings with the account as the zone of trust.
- FAILED_TO_EVALUATE_SCP: There was an error evaluating the SCP.
- NOT_APPLICABLE: There was no SCP present in the organization. For internal access findings with the account as the zone of trust, NOT_APPLICABLE could also indicate that there was no SCP applicable to the principal.
- APPLIED: An SCP is present in the organization and IAM Access Analyzer included it in the evaluation of effective permissions. Only applicable to internal access findings with the organization as the zone of trust.
externalAccessDetails (dict) –
The details for an external access analyzer finding.
action (list) –
The action in the analyzed policy statement that an external principal has permission to use.
(string) –
condition (dict) –
The condition in the analyzed policy statement that resulted in an external access finding.
(string) –
(string) –
isPublic (boolean) –
Specifies whether the external access finding is public.
principal (dict) –
The external principal that has access to a resource within the zone of trust.
(string) –
(string) –
sources (list) –
The sources of the external access finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
(dict) –
The source of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.
type (string) –
Indicates the type of access that generated the finding.
detail (dict) –
Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.
accessPointArn (string) –
The ARN of the access point that generated the finding. The ARN format depends on whether the ARN represents an access point or a multi-region access point.
accessPointAccount (string) –
The account of the cross-account access point that generated the finding.
resourceControlPolicyRestriction (string) –
The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).
- APPLICABLE: There is an RCP present in the organization but IAM Access Analyzer does not include it in the evaluation of effective permissions. For example, if s3:DeleteObject is blocked by the RCP and the restriction is APPLICABLE, then s3:DeleteObject would still be included in the list of actions for the finding.
- FAILED_TO_EVALUATE_RCP: There was an error evaluating the RCP.
- NOT_APPLICABLE: There was no RCP present in the organization, or there was no RCP applicable to the resource. For example, the resource being analyzed is an Amazon RDS snapshot and there is an RCP in the organization, but the RCP only impacts Amazon S3 buckets.
- APPLIED: This restriction is not currently available for external access findings.
unusedPermissionDetails (dict) –
The details for an unused access analyzer finding with an unused permission finding type.
actions (list) –
A list of unused actions for which the unused access finding was generated.
(dict) –
Contains information about an unused access finding for an action. IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month. For more details on pricing, see IAM Access Analyzer pricing.
action (string) –
The action for which the unused access finding was generated.
lastAccessed (datetime) –
The time at which the action was last accessed.
serviceNamespace (string) –
The namespace of the Amazon Web Services service that contains the unused actions.
lastAccessed (datetime) –
The time at which the permission was last accessed.
unusedIamUserAccessKeyDetails (dict) –
The details for an unused access analyzer finding with an unused IAM user access key finding type.
accessKeyId (string) –
The ID of the access key for which the unused access finding was generated.
lastAccessed (datetime) –
The time at which the access key was last accessed.
unusedIamRoleDetails (dict) –
The details for an unused access analyzer finding with an unused IAM role finding type.
lastAccessed (datetime) –
The time at which the role was last accessed.
unusedIamUserPasswordDetails (dict) –
The details for an unused access analyzer finding with an unused IAM user password finding type.
lastAccessed (datetime) –
The time at which the password was last accessed.
findingType (string) –
The type of the finding. For external access analyzers, the type is ExternalAccess. For unused access analyzers, the type can be UnusedIAMRole, UnusedIAMUserAccessKey, UnusedIAMUserPassword, or UnusedPermission. For internal access analyzers, the type is InternalAccess.
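The response described above is a tagged union that can span several pages. As an added example that is not part of the boto3 documentation, the following Python follows nextToken until all findingDetails entries are collected, picks out the single populated member of each entry (handling SDK_UNKNOWN_MEMBER rather than dropping it), and turns external-access fields into triage flags, including the caveat that with resourceControlPolicyRestriction APPLICABLE the action list may still contain RCP-blocked actions. The two-page response and fake_get_finding_v2 are constructed stand-ins for a real client.get_finding_v2 call; no AWS credentials are needed.

```python
# Tagged-union members of a FindingDetails entry (GetFindingV2 response shape); an
# unrecognised member is delivered by the SDK as SDK_UNKNOWN_MEMBER -> {'name': ...}.
DETAIL_MEMBERS = ("internalAccessDetails", "externalAccessDetails", "unusedPermissionDetails",
                  "unusedIamUserAccessKeyDetails", "unusedIamRoleDetails", "unusedIamUserPasswordDetails")

def detail_member(entry):
    for key in DETAIL_MEMBERS + ("SDK_UNKNOWN_MEMBER",):
        if key in entry:
            return key, entry[key]
    raise ValueError("FindingDetails entry has no recognised member")

def fetch_finding(get_finding_v2, analyzer_arn, finding_id, max_results=10):
    # Follow nextToken until every page is collected; get_finding_v2 mimics boto3's client.get_finding_v2.
    kwargs = {"analyzerArn": analyzer_arn, "id": finding_id, "maxResults": max_results}
    first, details = None, []
    while True:
        page = get_finding_v2(**kwargs)
        first = first or page
        details.extend(page.get("findingDetails", []))
        if not page.get("nextToken"):
            return {**first, "findingDetails": details, "nextToken": None}
        kwargs["nextToken"] = page["nextToken"]

def triage(finding):
    # Risk flags for an ACTIVE finding; ARCHIVED and RESOLVED findings yield none.
    flags = []
    if finding.get("status") != "ACTIVE":
        return flags
    for entry in finding.get("findingDetails", []):
        member, body = detail_member(entry)
        if member == "externalAccessDetails":
            scope = "PUBLIC" if body.get("isPublic") else "cross-account"
            flags.append(f"{scope} access to {finding['resource']}: {sorted(body['action'])}")
            if body.get("resourceControlPolicyRestriction") == "APPLICABLE":
                flags.append("RCP present but not applied: action list may include RCP-blocked actions")
        elif member == "SDK_UNKNOWN_MEMBER":
            flags.append(f"unknown member {body['name']!r}: upgrade the SDK before trusting this finding")
    return flags

# Constructed two-page response (not real service output) so the example runs offline.
_PAGE1 = {"id": "f-1", "status": "ACTIVE", "resource": "arn:aws:s3:::example-bucket", "nextToken": "p2",
          "findingType": "ExternalAccess", "findingDetails": [{"externalAccessDetails": {
              "action": ["s3:GetObject", "s3:DeleteObject"], "isPublic": True, "principal": {"AWS": "*"},
              "resourceControlPolicyRestriction": "APPLICABLE"}}]}
_PAGE2 = {**_PAGE1, "nextToken": None, "findingDetails": [{"SDK_UNKNOWN_MEMBER": {"name": "futureDetails"}}]}

def fake_get_finding_v2(**kwargs):
    # Stand-in for boto3's client.get_finding_v2: page 2 is served only for nextToken == "p2".
    return _PAGE2 if kwargs.get("nextToken") == "p2" else _PAGE1
```

With a real client, pass client.get_finding_v2 in place of fake_get_finding_v2 and the analyzer ARN from your account.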
Exceptions