# frozen_string_literal: true

# WARNING ABOUT GENERATED CODE
#
# This file is generated. See the contributing guide for more information:
# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
#
# WARNING ABOUT GENERATED CODE

module Aws::AccessAnalyzer
  module Types

    # Contains information about actions that define permissions to check
    # against a policy.
    #
    # @!attribute [rw] actions
    #   A list of actions for the access permissions.
    #   @return [Array<String>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Access AWS API Documentation
    #
    class Access < Struct.new(
      :actions)
      SENSITIVE = []
      include Aws::Structure
    end

    # You do not have sufficient access to perform this action.
    #
    # @!attribute [rw] message
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessDeniedException AWS API Documentation
    #
    class AccessDeniedException < Struct.new(
      :message)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about an access preview.
    #
    # @!attribute [rw] id
    #   The unique ID for the access preview.
    #   @return [String]
    #
    # @!attribute [rw] analyzer_arn
    #   The ARN of the analyzer used to generate the access preview.
    #   @return [String]
    #
    # @!attribute [rw] configurations
    #   A map of resource ARNs for the proposed resource configuration.
    #   @return [Hash<String,Types::Configuration>]
    #
    # @!attribute [rw] created_at
    #   The time at which the access preview was created.
    #   @return [Time]
    #
    # @!attribute [rw] status
    #   The status of the access preview.
    #
    #   * `Creating` - The access preview creation is in progress.
    #
    #   * `Completed` - The access preview is complete. You can preview
    #     findings for external access to the resource.
    #
    #   * `Failed` - The access preview creation has failed.
    #   @return [String]
    #
    # @!attribute [rw] status_reason
    #   Provides more details about the current status of the access
    #   preview.
    #
    #   For example, if the creation of the access preview fails, a `Failed`
    #   status is returned. This failure can be due to an internal issue
    #   with the analysis or due to an invalid resource configuration.
    #   @return [Types::AccessPreviewStatusReason]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreview AWS API Documentation
    #
    class AccessPreview < Struct.new(
      :id,
      :analyzer_arn,
      :configurations,
      :created_at,
      :status,
      :status_reason)
      SENSITIVE = []
      include Aws::Structure
    end

    # An access preview finding generated by the access preview.
    #
    # @!attribute [rw] id
    #   The ID of the access preview finding. This ID uniquely identifies
    #   the element in the list of access preview findings and is not
    #   related to the finding ID in Access Analyzer.
    #   @return [String]
    #
    # @!attribute [rw] existing_finding_id
    #   The existing ID of the finding in IAM Access Analyzer, provided only
    #   for existing findings.
    #   @return [String]
    #
    # @!attribute [rw] existing_finding_status
    #   The existing status of the finding, provided only for existing
    #   findings.
    #   @return [String]
    #
    # @!attribute [rw] principal
    #   The external principal that has access to a resource within the zone
    #   of trust.
    #   @return [Hash<String,String>]
    #
    # @!attribute [rw] action
    #   The action in the analyzed policy statement that an external
    #   principal has permission to perform.
    #   @return [Array<String>]
    #
    # @!attribute [rw] condition
    #   The condition in the analyzed policy statement that resulted in a
    #   finding.
    #   @return [Hash<String,String>]
    #
    # @!attribute [rw] resource
    #   The resource that an external principal has access to. This is the
    #   resource associated with the access preview.
    #   @return [String]
    #
    # @!attribute [rw] is_public
    #   Indicates whether the policy that generated the finding allows
    #   public access to the resource.
    #   @return [Boolean]
    #
    # @!attribute [rw] resource_type
    #   The type of the resource that can be accessed in the finding.
    #   @return [String]
    #
    # @!attribute [rw] created_at
    #   The time at which the access preview finding was created.
    #   @return [Time]
    #
    # @!attribute [rw] change_type
    #   Provides context on how the access preview finding compares to
    #   existing access identified in IAM Access Analyzer.
    #
    #   * `New` - The finding is for newly-introduced access.
    #
    #   * `Unchanged` - The preview finding is an existing finding that
    #     would remain unchanged.
    #
    #   * `Changed` - The preview finding is an existing finding with a
    #     change in status.
    #
    #   For example, a `Changed` finding with preview status `Resolved` and
    #   existing status `Active` indicates the existing `Active` finding
    #   would become `Resolved` as a result of the proposed permissions
    #   change.
    #   @return [String]
    #
    # @!attribute [rw] status
    #   The preview status of the finding. This is what the status of the
    #   finding would be after permissions deployment. For example, a
    #   `Changed` finding with preview status `Resolved` and existing status
    #   `Active` indicates the existing `Active` finding would become
    #   `Resolved` as a result of the proposed permissions change.
    #   @return [String]
    #
    # @!attribute [rw] resource_owner_account
    #   The Amazon Web Services account ID that owns the resource. For most
    #   Amazon Web Services resources, the owning account is the account in
    #   which the resource was created.
    #   @return [String]
    #
    # @!attribute [rw] error
    #   An error.
    #   @return [String]
    #
    # @!attribute [rw] sources
    #   The sources of the finding. This indicates how the access that
    #   generated the finding is granted. It is populated for Amazon S3
    #   bucket findings.
    #   @return [Array<Types::FindingSource>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewFinding AWS API Documentation
    #
    class AccessPreviewFinding < Struct.new(
      :id,
      :existing_finding_id,
      :existing_finding_status,
      :principal,
      :action,
      :condition,
      :resource,
      :is_public,
      :resource_type,
      :created_at,
      :change_type,
      :status,
      :resource_owner_account,
      :error,
      :sources)
      SENSITIVE = []
      include Aws::Structure
    end

    # Provides more details about the current status of the access preview.
    # For example, if the creation of the access preview fails, a `Failed`
    # status is returned. This failure can be due to an internal issue with
    # the analysis or due to an invalid proposed resource configuration.
    #
    # @!attribute [rw] code
    #   The reason code for the current status of the access preview.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewStatusReason AWS API Documentation
    #
    class AccessPreviewStatusReason < Struct.new(
      :code)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains a summary of information about an access preview.
    #
    # @!attribute [rw] id
    #   The unique ID for the access preview.
    #   @return [String]
    #
    # @!attribute [rw] analyzer_arn
    #   The ARN of the analyzer used to generate the access preview.
    #   @return [String]
    #
    # @!attribute [rw] created_at
    #   The time at which the access preview was created.
    #   @return [Time]
    #
    # @!attribute [rw] status
    #   The status of the access preview.
    #
    #   * `Creating` - The access preview creation is in progress.
    #
    #   * `Completed` - The access preview is complete and previews the
    #     findings for external access to the resource.
    #
    #   * `Failed` - The access preview creation has failed.
    #   @return [String]
    #
    # @!attribute [rw] status_reason
    #   Provides more details about the current status of the access
    #   preview. For example, if the creation of the access preview fails, a
    #   `Failed` status is returned. This failure can be due to an internal
    #   issue with the analysis or due to an invalid proposed resource
    #   configuration.
    #   @return [Types::AccessPreviewStatusReason]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AccessPreviewSummary AWS API Documentation
    #
    class AccessPreviewSummary < Struct.new(
      :id,
      :analyzer_arn,
      :created_at,
      :status,
      :status_reason)
      SENSITIVE = []
      include Aws::Structure
    end

    # You specify each grantee as a type-value pair using one of these
    # types. You can specify only one type of grantee. For more information,
    # see [PutBucketAcl][1].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketAcl.html
    #
    # @note AclGrantee is a union - when making an API calls you must set exactly one of the members.
    #
    # @note AclGrantee is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of AclGrantee corresponding to the set member.
    #
    # @!attribute [rw] id
    #   The value specified is the canonical user ID of an Amazon Web
    #   Services account.
    #   @return [String]
    #
    # @!attribute [rw] uri
    #   Used for granting permissions to a predefined group.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AclGrantee AWS API Documentation
    #
    class AclGrantee < Struct.new(
      :id,
      :uri,
      :unknown)
      SENSITIVE = []
      include Aws::Structure
      include Aws::Structure::Union

      class Id < AclGrantee; end
      class Uri < AclGrantee; end
      class Unknown < AclGrantee; end
    end

    # Contains details about the analyzed resource.
    #
    # @!attribute [rw] resource_arn
    #   The ARN of the resource that was analyzed.
    #   @return [String]
    #
    # @!attribute [rw] resource_type
    #   The type of the resource that was analyzed.
    #   @return [String]
    #
    # @!attribute [rw] created_at
    #   The time at which the finding was created.
    #   @return [Time]
    #
    # @!attribute [rw] analyzed_at
    #   The time at which the resource was analyzed.
    #   @return [Time]
    #
    # @!attribute [rw] updated_at
    #   The time at which the finding was updated.
    #   @return [Time]
    #
    # @!attribute [rw] is_public
    #   Indicates whether the policy that generated the finding grants
    #   public access to the resource.
    #   @return [Boolean]
    #
    # @!attribute [rw] actions
    #   The actions that an external principal is granted permission to use
    #   by the policy that generated the finding.
    #   @return [Array<String>]
    #
    # @!attribute [rw] shared_via
    #   Indicates how the access that generated the finding is granted. This
    #   is populated for Amazon S3 bucket findings.
    #   @return [Array<String>]
    #
    # @!attribute [rw] status
    #   The current status of the finding generated from the analyzed
    #   resource.
    #   @return [String]
    #
    # @!attribute [rw] resource_owner_account
    #   The Amazon Web Services account ID that owns the resource.
    #   @return [String]
    #
    # @!attribute [rw] error
    #   An error message.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AnalyzedResource AWS API Documentation
    #
    class AnalyzedResource < Struct.new(
      :resource_arn,
      :resource_type,
      :created_at,
      :analyzed_at,
      :updated_at,
      :is_public,
      :actions,
      :shared_via,
      :status,
      :resource_owner_account,
      :error)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains the ARN of the analyzed resource.
    #
    # @!attribute [rw] resource_arn
    #   The ARN of the analyzed resource.
    #   @return [String]
    #
    # @!attribute [rw] resource_owner_account
    #   The Amazon Web Services account ID that owns the resource.
    #   @return [String]
    #
    # @!attribute [rw] resource_type
    #   The type of resource that was analyzed.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AnalyzedResourceSummary AWS API Documentation
    #
    class AnalyzedResourceSummary < Struct.new(
      :resource_arn,
      :resource_owner_account,
      :resource_type)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about the configuration of an unused access
    # analyzer for an Amazon Web Services organization or account.
    #
    # @note AnalyzerConfiguration is a union - when making an API calls you must set exactly one of the members.
    #
    # @note AnalyzerConfiguration is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of AnalyzerConfiguration corresponding to the set member.
    #
    # @!attribute [rw] unused_access
    #   Specifies the configuration of an unused access analyzer for an
    #   Amazon Web Services organization or account. External access
    #   analyzers do not support any configuration.
    #   @return [Types::UnusedAccessConfiguration]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AnalyzerConfiguration AWS API Documentation
    #
    class AnalyzerConfiguration < Struct.new(
      :unused_access,
      :unknown)
      SENSITIVE = []
      include Aws::Structure
      include Aws::Structure::Union

      class UnusedAccess < AnalyzerConfiguration; end
      class Unknown < AnalyzerConfiguration; end
    end

    # Contains information about the analyzer.
    #
    # @!attribute [rw] arn
    #   The ARN of the analyzer.
    #   @return [String]
    #
    # @!attribute [rw] name
    #   The name of the analyzer.
    #   @return [String]
    #
    # @!attribute [rw] type
    #   The type of analyzer, which corresponds to the zone of trust chosen
    #   for the analyzer.
    #   @return [String]
    #
    # @!attribute [rw] created_at
    #   A timestamp for the time at which the analyzer was created.
    #   @return [Time]
    #
    # @!attribute [rw] last_resource_analyzed
    #   The resource that was most recently analyzed by the analyzer.
    #   @return [String]
    #
    # @!attribute [rw] last_resource_analyzed_at
    #   The time at which the most recently analyzed resource was analyzed.
    #   @return [Time]
    #
    # @!attribute [rw] tags
    #   The tags added to the analyzer.
    #   @return [Hash<String,String>]
    #
    # @!attribute [rw] status
    #   The status of the analyzer. An `Active` analyzer successfully
    #   monitors supported resources and generates new findings. The
    #   analyzer is `Disabled` when a user action, such as removing trusted
    #   access for Identity and Access Management Access Analyzer from
    #   Organizations, causes the analyzer to stop generating new findings.
    #   The status is `Creating` when the analyzer creation is in progress
    #   and `Failed` when the analyzer creation has failed.
    #   @return [String]
    #
    # @!attribute [rw] status_reason
    #   The `statusReason` provides more details about the current status of
    #   the analyzer. For example, if the creation for the analyzer fails, a
    #   `Failed` status is returned. For an analyzer with organization as
    #   the type, this failure can be due to an issue with creating the
    #   service-linked roles required in the member accounts of the Amazon
    #   Web Services organization.
    #   @return [Types::StatusReason]
    #
    # @!attribute [rw] configuration
    #   Specifies whether the analyzer is an external access or unused
    #   access analyzer.
    #   @return [Types::AnalyzerConfiguration]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/AnalyzerSummary AWS API Documentation
    #
    class AnalyzerSummary < Struct.new(
      :arn,
      :name,
      :type,
      :created_at,
      :last_resource_analyzed,
      :last_resource_analyzed_at,
      :tags,
      :status,
      :status_reason,
      :configuration)
      SENSITIVE = []
      include Aws::Structure
    end

    # Retroactively applies an archive rule.
    #
    # @!attribute [rw] analyzer_arn
    #   The Amazon resource name (ARN) of the analyzer.
    #   @return [String]
    #
    # @!attribute [rw] rule_name
    #   The name of the rule to apply.
    #   @return [String]
    #
    # @!attribute [rw] client_token
    #   A client token.
    #
    #   **A suitable default value is auto-generated.** You should normally
    #   not need to pass this option.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ApplyArchiveRuleRequest AWS API Documentation
    #
    class ApplyArchiveRuleRequest < Struct.new(
      :analyzer_arn,
      :rule_name,
      :client_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about an archive rule.
    #
    # @!attribute [rw] rule_name
    #   The name of the archive rule.
    #   @return [String]
    #
    # @!attribute [rw] filter
    #   A filter used to define the archive rule.
    #   @return [Hash<String,Types::Criterion>]
    #
    # @!attribute [rw] created_at
    #   The time at which the archive rule was created.
    #   @return [Time]
    #
    # @!attribute [rw] updated_at
    #   The time at which the archive rule was last updated.
    #   @return [Time]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ArchiveRuleSummary AWS API Documentation
    #
    class ArchiveRuleSummary < Struct.new(
      :rule_name,
      :filter,
      :created_at,
      :updated_at)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] job_id
    #   The `JobId` that is returned by the `StartPolicyGeneration`
    #   operation. The `JobId` can be used with `GetGeneratedPolicy` to
    #   retrieve the generated policies or used with
    #   `CancelPolicyGeneration` to cancel the policy generation request.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CancelPolicyGenerationRequest AWS API Documentation
    #
    class CancelPolicyGenerationRequest < Struct.new(
      :job_id)
      SENSITIVE = []
      include Aws::Structure
    end

    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CancelPolicyGenerationResponse AWS API Documentation
    #
    class CancelPolicyGenerationResponse < Aws::EmptyStructure; end

    # @!attribute [rw] policy_document
    #   The JSON policy document to use as the content for the policy.
    #   @return [String]
    #
    # @!attribute [rw] access
    #   An access object containing the permissions that shouldn't be
    #   granted by the specified policy.
    #   @return [Array<Types::Access>]
    #
    # @!attribute [rw] policy_type
    #   The type of policy. Identity policies grant permissions to IAM
    #   principals. Identity policies include managed and inline policies
    #   for IAM roles, users, and groups.
    #
    #   Resource policies grant permissions on Amazon Web Services
    #   resources. Resource policies include trust policies for IAM roles
    #   and bucket policies for Amazon S3 buckets. You can provide a generic
    #   input such as identity policy or resource policy or a specific input
    #   such as managed policy or Amazon S3 bucket policy.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckAccessNotGrantedRequest AWS API Documentation
    #
    class CheckAccessNotGrantedRequest < Struct.new(
      :policy_document,
      :access,
      :policy_type)
      SENSITIVE = [:policy_document]
      include Aws::Structure
    end

    # @!attribute [rw] result
    #   The result of the check for whether the access is allowed. If the
    #   result is `PASS`, the specified policy doesn't allow any of the
    #   specified permissions in the access object. If the result is `FAIL`,
    #   the specified policy might allow some or all of the permissions in
    #   the access object.
    #   @return [String]
    #
    # @!attribute [rw] message
    #   The message indicating whether the specified access is allowed.
    #   @return [String]
    #
    # @!attribute [rw] reasons
    #   A description of the reasoning of the result.
    #   @return [Array<Types::ReasonSummary>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckAccessNotGrantedResponse AWS API Documentation
    #
    class CheckAccessNotGrantedResponse < Struct.new(
      :result,
      :message,
      :reasons)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] new_policy_document
    #   The JSON policy document to use as the content for the updated
    #   policy.
    #   @return [String]
    #
    # @!attribute [rw] existing_policy_document
    #   The JSON policy document to use as the content for the existing
    #   policy.
    #   @return [String]
    #
    # @!attribute [rw] policy_type
    #   The type of policy to compare. Identity policies grant permissions
    #   to IAM principals. Identity policies include managed and inline
    #   policies for IAM roles, users, and groups.
    #
    #   Resource policies grant permissions on Amazon Web Services
    #   resources. Resource policies include trust policies for IAM roles
    #   and bucket policies for Amazon S3 buckets. You can provide a generic
    #   input such as identity policy or resource policy or a specific input
    #   such as managed policy or Amazon S3 bucket policy.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckNoNewAccessRequest AWS API Documentation
    #
    class CheckNoNewAccessRequest < Struct.new(
      :new_policy_document,
      :existing_policy_document,
      :policy_type)
      SENSITIVE = [:new_policy_document, :existing_policy_document]
      include Aws::Structure
    end

    # @!attribute [rw] result
    #   The result of the check for new access. If the result is `PASS`, no
    #   new access is allowed by the updated policy. If the result is
    #   `FAIL`, the updated policy might allow new access.
    #   @return [String]
    #
    # @!attribute [rw] message
    #   The message indicating whether the updated policy allows new access.
    #   @return [String]
    #
    # @!attribute [rw] reasons
    #   A description of the reasoning of the result.
    #   @return [Array<Types::ReasonSummary>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CheckNoNewAccessResponse AWS API Documentation
    #
    class CheckNoNewAccessResponse < Struct.new(
      :result,
      :message,
      :reasons)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about CloudTrail access.
    #
    # @!attribute [rw] trails
    #   A `Trail` object that contains settings for a trail.
    #   @return [Array<Types::Trail>]
    #
    # @!attribute [rw] access_role
    #   The ARN of the service role that IAM Access Analyzer uses to access
    #   your CloudTrail trail and service last accessed information.
    #   @return [String]
    #
    # @!attribute [rw] start_time
    #   The start of the time range for which IAM Access Analyzer reviews
    #   your CloudTrail events. Events with a timestamp before this time are
    #   not considered to generate a policy.
    #   @return [Time]
    #
    # @!attribute [rw] end_time
    #   The end of the time range for which IAM Access Analyzer reviews your
    #   CloudTrail events. Events with a timestamp after this time are not
    #   considered to generate a policy. If this is not included in the
    #   request, the default value is the current time.
    #   @return [Time]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CloudTrailDetails AWS API Documentation
    #
    class CloudTrailDetails < Struct.new(
      :trails,
      :access_role,
      :start_time,
      :end_time)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about CloudTrail access.
    #
    # @!attribute [rw] trail_properties
    #   A `TrailProperties` object that contains settings for trail
    #   properties.
    #   @return [Array<Types::TrailProperties>]
    #
    # @!attribute [rw] start_time
    #   The start of the time range for which IAM Access Analyzer reviews
    #   your CloudTrail events. Events with a timestamp before this time are
    #   not considered to generate a policy.
    #   @return [Time]
    #
    # @!attribute [rw] end_time
    #   The end of the time range for which IAM Access Analyzer reviews your
    #   CloudTrail events. Events with a timestamp after this time are not
    #   considered to generate a policy. If this is not included in the
    #   request, the default value is the current time.
    #   @return [Time]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CloudTrailProperties AWS API Documentation
    #
    class CloudTrailProperties < Struct.new(
      :trail_properties,
      :start_time,
      :end_time)
      SENSITIVE = []
      include Aws::Structure
    end

    # Access control configuration structures for your resource. You specify
    # the configuration as a type-value pair. You can specify only one type
    # of access control configuration.
    #
    # @note Configuration is a union - when making an API calls you must set exactly one of the members.
    #
    # @note Configuration is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of Configuration corresponding to the set member.
    #
    # @!attribute [rw] ebs_snapshot
    #   The access control configuration is for an Amazon EBS volume
    #   snapshot.
    #   @return [Types::EbsSnapshotConfiguration]
    #
    # @!attribute [rw] ecr_repository
    #   The access control configuration is for an Amazon ECR repository.
    #   @return [Types::EcrRepositoryConfiguration]
    #
    # @!attribute [rw] iam_role
    #   The access control configuration is for an IAM role.
    #   @return [Types::IamRoleConfiguration]
    #
    # @!attribute [rw] efs_file_system
    #   The access control configuration is for an Amazon EFS file system.
    #   @return [Types::EfsFileSystemConfiguration]
    #
    # @!attribute [rw] kms_key
    #   The access control configuration is for a KMS key.
    #   @return [Types::KmsKeyConfiguration]
    #
    # @!attribute [rw] rds_db_cluster_snapshot
    #   The access control configuration is for an Amazon RDS DB cluster
    #   snapshot.
    #   @return [Types::RdsDbClusterSnapshotConfiguration]
    #
    # @!attribute [rw] rds_db_snapshot
    #   The access control configuration is for an Amazon RDS DB snapshot.
    #   @return [Types::RdsDbSnapshotConfiguration]
    #
    # @!attribute [rw] secrets_manager_secret
    #   The access control configuration is for a Secrets Manager secret.
    #   @return [Types::SecretsManagerSecretConfiguration]
    #
    # @!attribute [rw] s3_bucket
    #   The access control configuration is for an Amazon S3 Bucket.
    #   @return [Types::S3BucketConfiguration]
    #
    # @!attribute [rw] sns_topic
    #   The access control configuration is for an Amazon SNS topic
    #   @return [Types::SnsTopicConfiguration]
    #
    # @!attribute [rw] sqs_queue
    #   The access control configuration is for an Amazon SQS queue.
    #   @return [Types::SqsQueueConfiguration]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Configuration AWS API Documentation
    #
    class Configuration < Struct.new(
      :ebs_snapshot,
      :ecr_repository,
      :iam_role,
      :efs_file_system,
      :kms_key,
      :rds_db_cluster_snapshot,
      :rds_db_snapshot,
      :secrets_manager_secret,
      :s3_bucket,
      :sns_topic,
      :sqs_queue,
      :unknown)
      SENSITIVE = []
      include Aws::Structure
      include Aws::Structure::Union

      class EbsSnapshot < Configuration; end
      class EcrRepository < Configuration; end
      class IamRole < Configuration; end
      class EfsFileSystem < Configuration; end
      class KmsKey < Configuration; end
      class RdsDbClusterSnapshot < Configuration; end
      class RdsDbSnapshot < Configuration; end
      class SecretsManagerSecret < Configuration; end
      class S3Bucket < Configuration; end
      class SnsTopic < Configuration; end
      class SqsQueue < Configuration; end
      class Unknown < Configuration; end
    end

    # A conflict exception error.
    #
    # @!attribute [rw] message
    #   @return [String]
    #
    # @!attribute [rw] resource_id
    #   The ID of the resource.
    #   @return [String]
    #
    # @!attribute [rw] resource_type
    #   The resource type.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ConflictException AWS API Documentation
    #
    class ConflictException < Struct.new(
      :message,
      :resource_id,
      :resource_type)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] analyzer_arn
    #   The [ARN of the account analyzer][1] used to generate the access
    #   preview. You can only create an access preview for analyzers with an
    #   `Account` type and `Active` status.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
    #   @return [String]
    #
    # @!attribute [rw] configurations
    #   Access control configuration for your resource that is used to
    #   generate the access preview. The access preview includes findings
    #   for external access allowed to the resource with the proposed access
    #   control configuration. The configuration must contain exactly one
    #   element.
    #   @return [Hash<String,Types::Configuration>]
    #
    # @!attribute [rw] client_token
    #   A client token.
    #
    #   **A suitable default value is auto-generated.** You should normally
    #   not need to pass this option.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewRequest AWS API Documentation
    #
    class CreateAccessPreviewRequest < Struct.new(
      :analyzer_arn,
      :configurations,
      :client_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] id
    #   The unique ID for the access preview.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAccessPreviewResponse AWS API Documentation
    #
    class CreateAccessPreviewResponse < Struct.new(
      :id)
      SENSITIVE = []
      include Aws::Structure
    end

    # Creates an analyzer.
    #
    # @!attribute [rw] analyzer_name
    #   The name of the analyzer to create.
    #   @return [String]
    #
    # @!attribute [rw] type
    #   The type of analyzer to create. Only `ACCOUNT`, `ORGANIZATION`,
    #   `ACCOUNT_UNUSED_ACCESS`, and `ORGANIZTAION_UNUSED_ACCESS` analyzers
    #   are supported. You can create only one analyzer per account per
    #   Region. You can create up to 5 analyzers per organization per
    #   Region.
    #   @return [String]
    #
    # @!attribute [rw] archive_rules
    #   Specifies the archive rules to add for the analyzer. Archive rules
    #   automatically archive findings that meet the criteria you define for
    #   the rule.
    #   @return [Array<Types::InlineArchiveRule>]
    #
    # @!attribute [rw] tags
    #   An array of key-value pairs to apply to the analyzer.
    #   @return [Hash<String,String>]
    #
    # @!attribute [rw] client_token
    #   A client token.
    #
    #   **A suitable default value is auto-generated.** You should normally
    #   not need to pass this option.
    #   @return [String]
    #
    # @!attribute [rw] configuration
    #   Specifies the configuration of the analyzer. If the analyzer is an
    #   unused access analyzer, the specified scope of unused access is used
    #   for the configuration. If the analyzer is an external access
    #   analyzer, this field is not used.
    #   @return [Types::AnalyzerConfiguration]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerRequest AWS API Documentation
    #
    class CreateAnalyzerRequest < Struct.new(
      :analyzer_name,
      :type,
      :archive_rules,
      :tags,
      :client_token,
      :configuration)
      SENSITIVE = []
      include Aws::Structure
    end

    # The response to the request to create an analyzer.
    #
    # @!attribute [rw] arn
    #   The ARN of the analyzer that was created by the request.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateAnalyzerResponse AWS API Documentation
    #
    class CreateAnalyzerResponse < Struct.new(
      :arn)
      SENSITIVE = []
      include Aws::Structure
    end

    # Creates an archive rule.
    #
    # @!attribute [rw] analyzer_name
    #   The name of the created analyzer.
    #   @return [String]
    #
    # @!attribute [rw] rule_name
    #   The name of the rule to create.
    #   @return [String]
    #
    # @!attribute [rw] filter
    #   The criteria for the rule.
    #   @return [Hash<String,Types::Criterion>]
    #
    # @!attribute [rw] client_token
    #   A client token.
    #
    #   **A suitable default value is auto-generated.** You should normally
    #   not need to pass this option.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/CreateArchiveRuleRequest AWS API Documentation
    #
    class CreateArchiveRuleRequest < Struct.new(
      :analyzer_name,
      :rule_name,
      :filter,
      :client_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # The criteria to use in the filter that defines the archive rule. For
    # more information on available filter keys, see [IAM Access Analyzer
    # filter keys][1].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-filter-keys.html
    #
    # @!attribute [rw] eq
    #   An "equals" operator to match for the filter used to create the
    #   rule.
    #   @return [Array<String>]
    #
    # @!attribute [rw] neq
    #   A "not equals" operator to match for the filter used to create the
    #   rule.
    #   @return [Array<String>]
    #
    # @!attribute [rw] contains
    #   A "contains" operator to match for the filter used to create the
    #   rule.
    #   @return [Array<String>]
    #
    # @!attribute [rw] exists
    #   An "exists" operator to match for the filter used to create the
    #   rule.
    #   @return [Boolean]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Criterion AWS API Documentation
    #
    class Criterion < Struct.new(
      :eq,
      :neq,
      :contains,
      :exists)
      SENSITIVE = []
      include Aws::Structure
    end

    # Deletes an analyzer.
    #
    # @!attribute [rw] analyzer_name
    #   The name of the analyzer to delete.
    #   @return [String]
    #
    # @!attribute [rw] client_token
    #   A client token.
    #
    #   **A suitable default value is auto-generated.** You should normally
    #   not need to pass this option.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/DeleteAnalyzerRequest AWS API Documentation
    #
    class DeleteAnalyzerRequest < Struct.new(
      :analyzer_name,
      :client_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # Deletes an archive rule.
    #
    # @!attribute [rw] analyzer_name
    #   The name of the analyzer that associated with the archive rule to
    #   delete.
    #   @return [String]
    #
    # @!attribute [rw] rule_name
    #   The name of the rule to delete.
    #   @return [String]
    #
    # @!attribute [rw] client_token
    #   A client token.
    #
    #   **A suitable default value is auto-generated.** You should normally
    #   not need to pass this option.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/DeleteArchiveRuleRequest AWS API Documentation
    #
    class DeleteArchiveRuleRequest < Struct.new(
      :analyzer_name,
      :rule_name,
      :client_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # The proposed access control configuration for an Amazon EBS volume
    # snapshot. You can propose a configuration for a new Amazon EBS volume
    # snapshot or an Amazon EBS volume snapshot that you own by specifying
    # the user IDs, groups, and optional KMS encryption key. For more
    # information, see [ModifySnapshotAttribute][1].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html
    #
    # @!attribute [rw] user_ids
    #   The IDs of the Amazon Web Services accounts that have access to the
    #   Amazon EBS volume snapshot.
    #
    #   * If the configuration is for an existing Amazon EBS volume snapshot
    #     and you do not specify the `userIds`, then the access preview uses
    #     the existing shared `userIds` for the snapshot.
    #
    #   * If the access preview is for a new resource and you do not specify
    #     the `userIds`, then the access preview considers the snapshot
    #     without any `userIds`.
    #
    #   * To propose deletion of existing shared `accountIds`, you can
    #     specify an empty list for `userIds`.
    #   @return [Array<String>]
    #
    # @!attribute [rw] groups
    #   The groups that have access to the Amazon EBS volume snapshot. If
    #   the value `all` is specified, then the Amazon EBS volume snapshot is
    #   public.
    #
    #   * If the configuration is for an existing Amazon EBS volume snapshot
    #     and you do not specify the `groups`, then the access preview uses
    #     the existing shared `groups` for the snapshot.
    #
    #   * If the access preview is for a new resource and you do not specify
    #     the `groups`, then the access preview considers the snapshot
    #     without any `groups`.
    #
    #   * To propose deletion of existing shared `groups`, you can specify
    #     an empty list for `groups`.
    #   @return [Array<String>]
    #
    # @!attribute [rw] kms_key_id
    #   The KMS key identifier for an encrypted Amazon EBS volume snapshot.
    #   The KMS key identifier is the key ARN, key ID, alias ARN, or alias
    #   name for the KMS key.
    #
    #   * If the configuration is for an existing Amazon EBS volume snapshot
    #     and you do not specify the `kmsKeyId`, or you specify an empty
    #     string, then the access preview uses the existing `kmsKeyId` of
    #     the snapshot.
    #
    #   * If the access preview is for a new resource and you do not specify
    #     the `kmsKeyId`, the access preview considers the snapshot as
    #     unencrypted.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/EbsSnapshotConfiguration AWS API Documentation
    #
    class EbsSnapshotConfiguration < Struct.new(
      :user_ids,
      :groups,
      :kms_key_id)
      SENSITIVE = []
      include Aws::Structure
    end

    # The proposed access control configuration for an Amazon ECR
    # repository. You can propose a configuration for a new Amazon ECR
    # repository or an existing Amazon ECR repository that you own by
    # specifying the Amazon ECR policy. For more information, see
    # [Repository][1].
    #
    # * If the configuration is for an existing Amazon ECR repository and
    #   you do not specify the Amazon ECR policy, then the access preview
    #   uses the existing Amazon ECR policy for the repository.
    #
    # * If the access preview is for a new resource and you do not specify
    #   the policy, then the access preview assumes an Amazon ECR repository
    #   without a policy.
    #
    # * To propose deletion of an existing Amazon ECR repository policy, you
    #   can specify an empty string for the Amazon ECR policy.
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_Repository.html
    #
    # @!attribute [rw] repository_policy
    #   The JSON repository policy text to apply to the Amazon ECR
    #   repository. For more information, see [Private repository policy
    #   examples][1] in the *Amazon ECR User Guide*.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/EcrRepositoryConfiguration AWS API Documentation
    #
    class EcrRepositoryConfiguration < Struct.new(
      :repository_policy)
      SENSITIVE = []
      include Aws::Structure
    end

    # The proposed access control configuration for an Amazon EFS file
    # system. You can propose a configuration for a new Amazon EFS file
    # system or an existing Amazon EFS file system that you own by
    # specifying the Amazon EFS policy. For more information, see [Using
    # file systems in Amazon EFS][1].
    #
    # * If the configuration is for an existing Amazon EFS file system and
    #   you do not specify the Amazon EFS policy, then the access preview
    #   uses the existing Amazon EFS policy for the file system.
    #
    # * If the access preview is for a new resource and you do not specify
    #   the policy, then the access preview assumes an Amazon EFS file
    #   system without a policy.
    #
    # * To propose deletion of an existing Amazon EFS file system policy,
    #   you can specify an empty string for the Amazon EFS policy.
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/efs/latest/ug/using-fs.html
    #
    # @!attribute [rw] file_system_policy
    #   The JSON policy definition to apply to the Amazon EFS file system.
    #   For more information on the elements that make up a file system
    #   policy, see [Amazon EFS Resource-based policies][1].
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/efs/latest/ug/access-control-overview.html#access-control-manage-access-intro-resource-policies
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/EfsFileSystemConfiguration AWS API Documentation
    #
    class EfsFileSystemConfiguration < Struct.new(
      :file_system_policy)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about an external access finding.
    #
    # @!attribute [rw] action
    #   The action in the analyzed policy statement that an external
    #   principal has permission to use.
    #   @return [Array<String>]
    #
    # @!attribute [rw] condition
    #   The condition in the analyzed policy statement that resulted in an
    #   external access finding.
    #   @return [Hash<String,String>]
    #
    # @!attribute [rw] is_public
    #   Specifies whether the external access finding is public.
    #   @return [Boolean]
    #
    # @!attribute [rw] principal
    #   The external principal that has access to a resource within the zone
    #   of trust.
    #   @return [Hash<String,String>]
    #
    # @!attribute [rw] sources
    #   The sources of the external access finding. This indicates how the
    #   access that generated the finding is granted. It is populated for
    #   Amazon S3 bucket findings.
    #   @return [Array<Types::FindingSource>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ExternalAccessDetails AWS API Documentation
    #
    class ExternalAccessDetails < Struct.new(
      :action,
      :condition,
      :is_public,
      :principal,
      :sources)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about a finding.
    #
    # @!attribute [rw] id
    #   The ID of the finding.
    #   @return [String]
    #
    # @!attribute [rw] principal
    #   The external principal that has access to a resource within the zone
    #   of trust.
    #   @return [Hash<String,String>]
    #
    # @!attribute [rw] action
    #   The action in the analyzed policy statement that an external
    #   principal has permission to use.
    #   @return [Array<String>]
    #
    # @!attribute [rw] resource
    #   The resource that an external principal has access to.
    #   @return [String]
    #
    # @!attribute [rw] is_public
    #   Indicates whether the policy that generated the finding allows
    #   public access to the resource.
    #   @return [Boolean]
    #
    # @!attribute [rw] resource_type
    #   The type of the resource identified in the finding.
    #   @return [String]
    #
    # @!attribute [rw] condition
    #   The condition in the analyzed policy statement that resulted in a
    #   finding.
    #   @return [Hash<String,String>]
    #
    # @!attribute [rw] created_at
    #   The time at which the finding was generated.
    #   @return [Time]
    #
    # @!attribute [rw] analyzed_at
    #   The time at which the resource was analyzed.
    #   @return [Time]
    #
    # @!attribute [rw] updated_at
    #   The time at which the finding was updated.
    #   @return [Time]
    #
    # @!attribute [rw] status
    #   The current status of the finding.
    #   @return [String]
    #
    # @!attribute [rw] resource_owner_account
    #   The Amazon Web Services account ID that owns the resource.
    #   @return [String]
    #
    # @!attribute [rw] error
    #   An error.
    #   @return [String]
    #
    # @!attribute [rw] sources
    #   The sources of the finding. This indicates how the access that
    #   generated the finding is granted. It is populated for Amazon S3
    #   bucket findings.
    #   @return [Array<Types::FindingSource>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Finding AWS API Documentation
    #
    class Finding < Struct.new(
      :id,
      :principal,
      :action,
      :resource,
      :is_public,
      :resource_type,
      :condition,
      :created_at,
      :analyzed_at,
      :updated_at,
      :status,
      :resource_owner_account,
      :error,
      :sources)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about an external access or unused access
    # finding. Only one parameter can be used in a `FindingDetails` object.
    #
    # @note FindingDetails is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of FindingDetails corresponding to the set member.
    #
    # @!attribute [rw] external_access_details
    #   The details for an external access analyzer finding.
    #   @return [Types::ExternalAccessDetails]
    #
    # @!attribute [rw] unused_permission_details
    #   The details for an unused access analyzer finding with an unused
    #   permission finding type.
    #   @return [Types::UnusedPermissionDetails]
    #
    # @!attribute [rw] unused_iam_user_access_key_details
    #   The details for an unused access analyzer finding with an unused IAM
    #   user access key finding type.
    #   @return [Types::UnusedIamUserAccessKeyDetails]
    #
    # @!attribute [rw] unused_iam_role_details
    #   The details for an unused access analyzer finding with an unused IAM
    #   role finding type.
    #   @return [Types::UnusedIamRoleDetails]
    #
    # @!attribute [rw] unused_iam_user_password_details
    #   The details for an unused access analyzer finding with an unused IAM
    #   user password finding type.
    #   @return [Types::UnusedIamUserPasswordDetails]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingDetails AWS API Documentation
    #
    class FindingDetails < Struct.new(
      :external_access_details,
      :unused_permission_details,
      :unused_iam_user_access_key_details,
      :unused_iam_role_details,
      :unused_iam_user_password_details,
      :unknown)
      SENSITIVE = []
      include Aws::Structure
      include Aws::Structure::Union

      class ExternalAccessDetails < FindingDetails; end
      class UnusedPermissionDetails < FindingDetails; end
      class UnusedIamUserAccessKeyDetails < FindingDetails; end
      class UnusedIamRoleDetails < FindingDetails; end
      class UnusedIamUserPasswordDetails < FindingDetails; end
      class Unknown < FindingDetails; end
    end

    # The source of the finding. This indicates how the access that
    # generated the finding is granted. It is populated for Amazon S3 bucket
    # findings.
    #
    # @!attribute [rw] type
    #   Indicates the type of access that generated the finding.
    #   @return [String]
    #
    # @!attribute [rw] detail
    #   Includes details about how the access that generated the finding is
    #   granted. This is populated for Amazon S3 bucket findings.
    #   @return [Types::FindingSourceDetail]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingSource AWS API Documentation
    #
    class FindingSource < Struct.new(
      :type,
      :detail)
      SENSITIVE = []
      include Aws::Structure
    end

    # Includes details about how the access that generated the finding is
    # granted. This is populated for Amazon S3 bucket findings.
    #
    # @!attribute [rw] access_point_arn
    #   The ARN of the access point that generated the finding. The ARN
    #   format depends on whether the ARN represents an access point or a
    #   multi-region access point.
    #   @return [String]
    #
    # @!attribute [rw] access_point_account
    #   The account of the cross-account access point that generated the
    #   finding.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingSourceDetail AWS API Documentation
    #
    class FindingSourceDetail < Struct.new(
      :access_point_arn,
      :access_point_account)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about a finding.
    #
    # @!attribute [rw] id
    #   The ID of the finding.
    #   @return [String]
    #
    # @!attribute [rw] principal
    #   The external principal that has access to a resource within the zone
    #   of trust.
    #   @return [Hash<String,String>]
    #
    # @!attribute [rw] action
    #   The action in the analyzed policy statement that an external
    #   principal has permission to use.
    #   @return [Array<String>]
    #
    # @!attribute [rw] resource
    #   The resource that the external principal has access to.
    #   @return [String]
    #
    # @!attribute [rw] is_public
    #   Indicates whether the finding reports a resource that has a policy
    #   that allows public access.
    #   @return [Boolean]
    #
    # @!attribute [rw] resource_type
    #   The type of the resource that the external principal has access to.
    #   @return [String]
    #
    # @!attribute [rw] condition
    #   The condition in the analyzed policy statement that resulted in a
    #   finding.
    #   @return [Hash<String,String>]
    #
    # @!attribute [rw] created_at
    #   The time at which the finding was created.
    #   @return [Time]
    #
    # @!attribute [rw] analyzed_at
    #   The time at which the resource-based policy that generated the
    #   finding was analyzed.
    #   @return [Time]
    #
    # @!attribute [rw] updated_at
    #   The time at which the finding was most recently updated.
    #   @return [Time]
    #
    # @!attribute [rw] status
    #   The status of the finding.
    #   @return [String]
    #
    # @!attribute [rw] resource_owner_account
    #   The Amazon Web Services account ID that owns the resource.
    #   @return [String]
    #
    # @!attribute [rw] error
    #   The error that resulted in an Error finding.
    #   @return [String]
    #
    # @!attribute [rw] sources
    #   The sources of the finding. This indicates how the access that
    #   generated the finding is granted. It is populated for Amazon S3
    #   bucket findings.
    #   @return [Array<Types::FindingSource>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingSummary AWS API Documentation
    #
    class FindingSummary < Struct.new(
      :id,
      :principal,
      :action,
      :resource,
      :is_public,
      :resource_type,
      :condition,
      :created_at,
      :analyzed_at,
      :updated_at,
      :status,
      :resource_owner_account,
      :error,
      :sources)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about a finding.
    #
    # @!attribute [rw] analyzed_at
    #   The time at which the resource-based policy or IAM entity that
    #   generated the finding was analyzed.
    #   @return [Time]
    #
    # @!attribute [rw] created_at
    #   The time at which the finding was created.
    #   @return [Time]
    #
    # @!attribute [rw] error
    #   The error that resulted in an Error finding.
    #   @return [String]
    #
    # @!attribute [rw] id
    #   The ID of the finding.
    #   @return [String]
    #
    # @!attribute [rw] resource
    #   The resource that the external principal has access to.
    #   @return [String]
    #
    # @!attribute [rw] resource_type
    #   The type of the resource that the external principal has access to.
    #   @return [String]
    #
    # @!attribute [rw] resource_owner_account
    #   The Amazon Web Services account ID that owns the resource.
    #   @return [String]
    #
    # @!attribute [rw] status
    #   The status of the finding.
    #   @return [String]
    #
    # @!attribute [rw] updated_at
    #   The time at which the finding was most recently updated.
    #   @return [Time]
    #
    # @!attribute [rw] finding_type
    #   The type of the external access or unused access finding.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/FindingSummaryV2 AWS API Documentation
    #
    class FindingSummaryV2 < Struct.new(
      :analyzed_at,
      :created_at,
      :error,
      :id,
      :resource,
      :resource_type,
      :resource_owner_account,
      :status,
      :updated_at,
      :finding_type)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains the text for the generated policy.
    #
    # @!attribute [rw] policy
    #   The text to use as the content for the new policy. The policy is
    #   created using the [CreatePolicy][1] action.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GeneratedPolicy AWS API Documentation
    #
    class GeneratedPolicy < Struct.new(
      :policy)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains the generated policy details.
    #
    # @!attribute [rw] is_complete
    #   This value is set to `true` if the generated policy contains all
    #   possible actions for a service that IAM Access Analyzer identified
    #   from the CloudTrail trail that you specified, and `false` otherwise.
    #   @return [Boolean]
    #
    # @!attribute [rw] principal_arn
    #   The ARN of the IAM entity (user or role) for which you are
    #   generating a policy.
    #   @return [String]
    #
    # @!attribute [rw] cloud_trail_properties
    #   Lists details about the `Trail` used to generated policy.
    #   @return [Types::CloudTrailProperties]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GeneratedPolicyProperties AWS API Documentation
    #
    class GeneratedPolicyProperties < Struct.new(
      :is_complete,
      :principal_arn,
      :cloud_trail_properties)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains the text for the generated policy and its details.
    #
    # @!attribute [rw] properties
    #   A `GeneratedPolicyProperties` object that contains properties of the
    #   generated policy.
    #   @return [Types::GeneratedPolicyProperties]
    #
    # @!attribute [rw] generated_policies
    #   The text to use as the content for the new policy. The policy is
    #   created using the [CreatePolicy][1] action.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html
    #   @return [Array<Types::GeneratedPolicy>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GeneratedPolicyResult AWS API Documentation
    #
    class GeneratedPolicyResult < Struct.new(
      :properties,
      :generated_policies)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] access_preview_id
    #   The unique ID for the access preview.
    #   @return [String]
    #
    # @!attribute [rw] analyzer_arn
    #   The [ARN of the analyzer][1] used to generate the access preview.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAccessPreviewRequest AWS API Documentation
    #
    class GetAccessPreviewRequest < Struct.new(
      :access_preview_id,
      :analyzer_arn)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] access_preview
    #   An object that contains information about the access preview.
    #   @return [Types::AccessPreview]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAccessPreviewResponse AWS API Documentation
    #
    class GetAccessPreviewResponse < Struct.new(
      :access_preview)
      SENSITIVE = []
      include Aws::Structure
    end

    # Retrieves an analyzed resource.
    #
    # @!attribute [rw] analyzer_arn
    #   The [ARN of the analyzer][1] to retrieve information from.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
    #   @return [String]
    #
    # @!attribute [rw] resource_arn
    #   The ARN of the resource to retrieve information about.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAnalyzedResourceRequest AWS API Documentation
    #
    class GetAnalyzedResourceRequest < Struct.new(
      :analyzer_arn,
      :resource_arn)
      SENSITIVE = []
      include Aws::Structure
    end

    # The response to the request.
    #
    # @!attribute [rw] resource
    #   An `AnalyzedResource` object that contains information that IAM
    #   Access Analyzer found when it analyzed the resource.
    #   @return [Types::AnalyzedResource]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAnalyzedResourceResponse AWS API Documentation
    #
    class GetAnalyzedResourceResponse < Struct.new(
      :resource)
      SENSITIVE = []
      include Aws::Structure
    end

    # Retrieves an analyzer.
    #
    # @!attribute [rw] analyzer_name
    #   The name of the analyzer retrieved.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAnalyzerRequest AWS API Documentation
    #
    class GetAnalyzerRequest < Struct.new(
      :analyzer_name)
      SENSITIVE = []
      include Aws::Structure
    end

    # The response to the request.
    #
    # @!attribute [rw] analyzer
    #   An `AnalyzerSummary` object that contains information about the
    #   analyzer.
    #   @return [Types::AnalyzerSummary]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetAnalyzerResponse AWS API Documentation
    #
    class GetAnalyzerResponse < Struct.new(
      :analyzer)
      SENSITIVE = []
      include Aws::Structure
    end

    # Retrieves an archive rule.
    #
    # @!attribute [rw] analyzer_name
    #   The name of the analyzer to retrieve rules from.
    #   @return [String]
    #
    # @!attribute [rw] rule_name
    #   The name of the rule to retrieve.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetArchiveRuleRequest AWS API Documentation
    #
    class GetArchiveRuleRequest < Struct.new(
      :analyzer_name,
      :rule_name)
      SENSITIVE = []
      include Aws::Structure
    end

    # The response to the request.
    #
    # @!attribute [rw] archive_rule
    #   Contains information about an archive rule.
    #   @return [Types::ArchiveRuleSummary]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetArchiveRuleResponse AWS API Documentation
    #
    class GetArchiveRuleResponse < Struct.new(
      :archive_rule)
      SENSITIVE = []
      include Aws::Structure
    end

    # Retrieves a finding.
    #
    # @!attribute [rw] analyzer_arn
    #   The [ARN of the analyzer][1] that generated the finding.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
    #   @return [String]
    #
    # @!attribute [rw] id
    #   The ID of the finding to retrieve.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetFindingRequest AWS API Documentation
    #
    class GetFindingRequest < Struct.new(
      :analyzer_arn,
      :id)
      SENSITIVE = []
      include Aws::Structure
    end

    # The response to the request.
    #
    # @!attribute [rw] finding
    #   A `finding` object that contains finding details.
    #   @return [Types::Finding]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetFindingResponse AWS API Documentation
    #
    class GetFindingResponse < Struct.new(
      :finding)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] analyzer_arn
    #   The [ARN of the analyzer][1] that generated the finding.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
    #   @return [String]
    #
    # @!attribute [rw] id
    #   The ID of the finding to retrieve.
    #   @return [String]
    #
    # @!attribute [rw] max_results
    #   The maximum number of results to return in the response.
    #   @return [Integer]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetFindingV2Request AWS API Documentation
    #
    class GetFindingV2Request < Struct.new(
      :analyzer_arn,
      :id,
      :max_results,
      :next_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] analyzed_at
    #   The time at which the resource-based policy or IAM entity that
    #   generated the finding was analyzed.
    #   @return [Time]
    #
    # @!attribute [rw] created_at
    #   The time at which the finding was created.
    #   @return [Time]
    #
    # @!attribute [rw] error
    #   An error.
    #   @return [String]
    #
    # @!attribute [rw] id
    #   The ID of the finding to retrieve.
    #   @return [String]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @!attribute [rw] resource
    #   The resource that generated the finding.
    #   @return [String]
    #
    # @!attribute [rw] resource_type
    #   The type of the resource identified in the finding.
    #   @return [String]
    #
    # @!attribute [rw] resource_owner_account
    #   Tye Amazon Web Services account ID that owns the resource.
    #   @return [String]
    #
    # @!attribute [rw] status
    #   The status of the finding.
    #   @return [String]
    #
    # @!attribute [rw] updated_at
    #   The time at which the finding was updated.
    #   @return [Time]
    #
    # @!attribute [rw] finding_details
    #   A localized message that explains the finding and provides guidance
    #   on how to address it.
    #   @return [Array<Types::FindingDetails>]
    #
    # @!attribute [rw] finding_type
    #   The type of the finding. For external access analyzers, the type is
    #   `ExternalAccess`. For unused access analyzers, the type can be
    #   `UnusedIAMRole`, `UnusedIAMUserAccessKey`, `UnusedIAMUserPassword`,
    #   or `UnusedPermission`.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetFindingV2Response AWS API Documentation
    #
    class GetFindingV2Response < Struct.new(
      :analyzed_at,
      :created_at,
      :error,
      :id,
      :next_token,
      :resource,
      :resource_type,
      :resource_owner_account,
      :status,
      :updated_at,
      :finding_details,
      :finding_type)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] job_id
    #   The `JobId` that is returned by the `StartPolicyGeneration`
    #   operation. The `JobId` can be used with `GetGeneratedPolicy` to
    #   retrieve the generated policies or used with
    #   `CancelPolicyGeneration` to cancel the policy generation request.
    #   @return [String]
    #
    # @!attribute [rw] include_resource_placeholders
    #   The level of detail that you want to generate. You can specify
    #   whether to generate policies with placeholders for resource ARNs for
    #   actions that support resource level granularity in policies.
    #
    #   For example, in the resource section of a policy, you can receive a
    #   placeholder such as `"Resource":"arn:aws:s3:::$\{BucketName\}"`
    #   instead of `"*"`.
    #   @return [Boolean]
    #
    # @!attribute [rw] include_service_level_template
    #   The level of detail that you want to generate. You can specify
    #   whether to generate service-level policies.
    #
    #   IAM Access Analyzer uses `iam:servicelastaccessed` to identify
    #   services that have been used recently to create this service-level
    #   template.
    #   @return [Boolean]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetGeneratedPolicyRequest AWS API Documentation
    #
    class GetGeneratedPolicyRequest < Struct.new(
      :job_id,
      :include_resource_placeholders,
      :include_service_level_template)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] job_details
    #   A `GeneratedPolicyDetails` object that contains details about the
    #   generated policy.
    #   @return [Types::JobDetails]
    #
    # @!attribute [rw] generated_policy_result
    #   A `GeneratedPolicyResult` object that contains the generated
    #   policies and associated details.
    #   @return [Types::GeneratedPolicyResult]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/GetGeneratedPolicyResponse AWS API Documentation
    #
    class GetGeneratedPolicyResponse < Struct.new(
      :job_details,
      :generated_policy_result)
      SENSITIVE = []
      include Aws::Structure
    end

    # The proposed access control configuration for an IAM role. You can
    # propose a configuration for a new IAM role or an existing IAM role
    # that you own by specifying the trust policy. If the configuration is
    # for a new IAM role, you must specify the trust policy. If the
    # configuration is for an existing IAM role that you own and you do not
    # propose the trust policy, the access preview uses the existing trust
    # policy for the role. The proposed trust policy cannot be an empty
    # string. For more information about role trust policy limits, see [IAM
    # and STS quotas][1].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
    #
    # @!attribute [rw] trust_policy
    #   The proposed trust policy for the IAM role.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/IamRoleConfiguration AWS API Documentation
    #
    class IamRoleConfiguration < Struct.new(
      :trust_policy)
      SENSITIVE = []
      include Aws::Structure
    end

    # An criterion statement in an archive rule. Each archive rule may have
    # multiple criteria.
    #
    # @!attribute [rw] rule_name
    #   The name of the rule.
    #   @return [String]
    #
    # @!attribute [rw] filter
    #   The condition and values for a criterion.
    #   @return [Hash<String,Types::Criterion>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InlineArchiveRule AWS API Documentation
    #
    class InlineArchiveRule < Struct.new(
      :rule_name,
      :filter)
      SENSITIVE = []
      include Aws::Structure
    end

    # Internal server error.
    #
    # @!attribute [rw] message
    #   @return [String]
    #
    # @!attribute [rw] retry_after_seconds
    #   The seconds to wait to retry.
    #   @return [Integer]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InternalServerException AWS API Documentation
    #
    class InternalServerException < Struct.new(
      :message,
      :retry_after_seconds)
      SENSITIVE = []
      include Aws::Structure
    end

    # This configuration sets the network origin for the Amazon S3 access
    # point or multi-region access point to `Internet`.
    #
    # @api private
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InternetConfiguration AWS API Documentation
    #
    class InternetConfiguration < Aws::EmptyStructure; end

    # The specified parameter is invalid.
    #
    # @!attribute [rw] message
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/InvalidParameterException AWS API Documentation
    #
    class InvalidParameterException < Struct.new(
      :message)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains details about the policy generation request.
    #
    # @!attribute [rw] job_id
    #   The `JobId` that is returned by the `StartPolicyGeneration`
    #   operation. The `JobId` can be used with `GetGeneratedPolicy` to
    #   retrieve the generated policies or used with
    #   `CancelPolicyGeneration` to cancel the policy generation request.
    #   @return [String]
    #
    # @!attribute [rw] status
    #   The status of the job request.
    #   @return [String]
    #
    # @!attribute [rw] started_on
    #   A timestamp of when the job was started.
    #   @return [Time]
    #
    # @!attribute [rw] completed_on
    #   A timestamp of when the job was completed.
    #   @return [Time]
    #
    # @!attribute [rw] job_error
    #   The job error for the policy generation request.
    #   @return [Types::JobError]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/JobDetails AWS API Documentation
    #
    class JobDetails < Struct.new(
      :job_id,
      :status,
      :started_on,
      :completed_on,
      :job_error)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains the details about the policy generation error.
    #
    # @!attribute [rw] code
    #   The job error code.
    #   @return [String]
    #
    # @!attribute [rw] message
    #   Specific information about the error. For example, which service
    #   quota was exceeded or which resource was not found.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/JobError AWS API Documentation
    #
    class JobError < Struct.new(
      :code,
      :message)
      SENSITIVE = []
      include Aws::Structure
    end

    # A proposed grant configuration for a KMS key. For more information,
    # see [CreateGrant][1].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html
    #
    # @!attribute [rw] operations
    #   A list of operations that the grant permits.
    #   @return [Array<String>]
    #
    # @!attribute [rw] grantee_principal
    #   The principal that is given permission to perform the operations
    #   that the grant permits.
    #   @return [String]
    #
    # @!attribute [rw] retiring_principal
    #   The principal that is given permission to retire the grant by using
    #   [RetireGrant][1] operation.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html
    #   @return [String]
    #
    # @!attribute [rw] constraints
    #   Use this structure to propose allowing [cryptographic operations][1]
    #   in the grant only when the operation request includes the specified
    #   [encryption context][2].
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
    #   @return [Types::KmsGrantConstraints]
    #
    # @!attribute [rw] issuing_account
    #   The Amazon Web Services account under which the grant was issued.
    #   The account is used to propose KMS grants issued by accounts other
    #   than the owner of the key.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConfiguration AWS API Documentation
    #
    class KmsGrantConfiguration < Struct.new(
      :operations,
      :grantee_principal,
      :retiring_principal,
      :constraints,
      :issuing_account)
      SENSITIVE = []
      include Aws::Structure
    end

    # Use this structure to propose allowing [cryptographic operations][1]
    # in the grant only when the operation request includes the specified
    # [encryption context][2]. You can specify only one type of encryption
    # context. An empty map is treated as not specified. For more
    # information, see [GrantConstraints][3].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
    # [3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html
    #
    # @!attribute [rw] encryption_context_equals
    #   A list of key-value pairs that must match the encryption context in
    #   the [cryptographic operation][1] request. The grant allows the
    #   operation only when the encryption context in the request is the
    #   same as the encryption context specified in this constraint.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
    #   @return [Hash<String,String>]
    #
    # @!attribute [rw] encryption_context_subset
    #   A list of key-value pairs that must be included in the encryption
    #   context of the [cryptographic operation][1] request. The grant
    #   allows the cryptographic operation only when the encryption context
    #   in the request includes the key-value pairs specified in this
    #   constraint, although it can include additional key-value pairs.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
    #   @return [Hash<String,String>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConstraints AWS API Documentation
    #
    class KmsGrantConstraints < Struct.new(
      :encryption_context_equals,
      :encryption_context_subset)
      SENSITIVE = []
      include Aws::Structure
    end

    # Proposed access control configuration for a KMS key. You can propose a
    # configuration for a new KMS key or an existing KMS key that you own by
    # specifying the key policy and KMS grant configuration. If the
    # configuration is for an existing key and you do not specify the key
    # policy, the access preview uses the existing policy for the key. If
    # the access preview is for a new resource and you do not specify the
    # key policy, then the access preview uses the default key policy. The
    # proposed key policy cannot be an empty string. For more information,
    # see [Default key policy][1]. For more information about key policy
    # limits, see [Resource quotas][2].
    #
    #
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
    # [2]: https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html
    #
    # @!attribute [rw] key_policies
    #   Resource policy configuration for the KMS key. The only valid value
    #   for the name of the key policy is `default`. For more information,
    #   see [Default key policy][1].
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
    #   @return [Hash<String,String>]
    #
    # @!attribute [rw] grants
    #   A list of proposed grant configurations for the KMS key. If the
    #   proposed grant configuration is for an existing key, the access
    #   preview uses the proposed list of grant configurations in place of
    #   the existing grants. Otherwise, the access preview uses the existing
    #   grants for the key.
    #   @return [Array<Types::KmsGrantConfiguration>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsKeyConfiguration AWS API Documentation
    #
    class KmsKeyConfiguration < Struct.new(
      :key_policies,
      :grants)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] access_preview_id
    #   The unique ID for the access preview.
    #   @return [String]
    #
    # @!attribute [rw] analyzer_arn
    #   The [ARN of the analyzer][1] used to generate the access.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
    #   @return [String]
    #
    # @!attribute [rw] filter
    #   Criteria to filter the returned findings.
    #   @return [Hash<String,Types::Criterion>]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @!attribute [rw] max_results
    #   The maximum number of results to return in the response.
    #   @return [Integer]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsRequest AWS API Documentation
    #
    class ListAccessPreviewFindingsRequest < Struct.new(
      :access_preview_id,
      :analyzer_arn,
      :filter,
      :next_token,
      :max_results)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] findings
    #   A list of access preview findings that match the specified filter
    #   criteria.
    #   @return [Array<Types::AccessPreviewFinding>]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewFindingsResponse AWS API Documentation
    #
    class ListAccessPreviewFindingsResponse < Struct.new(
      :findings,
      :next_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] analyzer_arn
    #   The [ARN of the analyzer][1] used to generate the access preview.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
    #   @return [String]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @!attribute [rw] max_results
    #   The maximum number of results to return in the response.
    #   @return [Integer]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsRequest AWS API Documentation
    #
    class ListAccessPreviewsRequest < Struct.new(
      :analyzer_arn,
      :next_token,
      :max_results)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] access_previews
    #   A list of access previews retrieved for the analyzer.
    #   @return [Array<Types::AccessPreviewSummary>]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAccessPreviewsResponse AWS API Documentation
    #
    class ListAccessPreviewsResponse < Struct.new(
      :access_previews,
      :next_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # Retrieves a list of resources that have been analyzed.
    #
    # @!attribute [rw] analyzer_arn
    #   The [ARN of the analyzer][1] to retrieve a list of analyzed
    #   resources from.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
    #   @return [String]
    #
    # @!attribute [rw] resource_type
    #   The type of resource.
    #   @return [String]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @!attribute [rw] max_results
    #   The maximum number of results to return in the response.
    #   @return [Integer]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesRequest AWS API Documentation
    #
    class ListAnalyzedResourcesRequest < Struct.new(
      :analyzer_arn,
      :resource_type,
      :next_token,
      :max_results)
      SENSITIVE = []
      include Aws::Structure
    end

    # The response to the request.
    #
    # @!attribute [rw] analyzed_resources
    #   A list of resources that were analyzed.
    #   @return [Array<Types::AnalyzedResourceSummary>]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzedResourcesResponse AWS API Documentation
    #
    class ListAnalyzedResourcesResponse < Struct.new(
      :analyzed_resources,
      :next_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # Retrieves a list of analyzers.
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @!attribute [rw] max_results
    #   The maximum number of results to return in the response.
    #   @return [Integer]
    #
    # @!attribute [rw] type
    #   The type of analyzer.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersRequest AWS API Documentation
    #
    class ListAnalyzersRequest < Struct.new(
      :next_token,
      :max_results,
      :type)
      SENSITIVE = []
      include Aws::Structure
    end

    # The response to the request.
    #
    # @!attribute [rw] analyzers
    #   The analyzers retrieved.
    #   @return [Array<Types::AnalyzerSummary>]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListAnalyzersResponse AWS API Documentation
    #
    class ListAnalyzersResponse < Struct.new(
      :analyzers,
      :next_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # Retrieves a list of archive rules created for the specified analyzer.
    #
    # @!attribute [rw] analyzer_name
    #   The name of the analyzer to retrieve rules from.
    #   @return [String]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @!attribute [rw] max_results
    #   The maximum number of results to return in the request.
    #   @return [Integer]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesRequest AWS API Documentation
    #
    class ListArchiveRulesRequest < Struct.new(
      :analyzer_name,
      :next_token,
      :max_results)
      SENSITIVE = []
      include Aws::Structure
    end

    # The response to the request.
    #
    # @!attribute [rw] archive_rules
    #   A list of archive rules created for the specified analyzer.
    #   @return [Array<Types::ArchiveRuleSummary>]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListArchiveRulesResponse AWS API Documentation
    #
    class ListArchiveRulesResponse < Struct.new(
      :archive_rules,
      :next_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # Retrieves a list of findings generated by the specified analyzer.
    #
    # @!attribute [rw] analyzer_arn
    #   The [ARN of the analyzer][1] to retrieve findings from.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
    #   @return [String]
    #
    # @!attribute [rw] filter
    #   A filter to match for the findings to return.
    #   @return [Hash<String,Types::Criterion>]
    #
    # @!attribute [rw] sort
    #   The sort order for the findings returned.
    #   @return [Types::SortCriteria]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @!attribute [rw] max_results
    #   The maximum number of results to return in the response.
    #   @return [Integer]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsRequest AWS API Documentation
    #
    class ListFindingsRequest < Struct.new(
      :analyzer_arn,
      :filter,
      :sort,
      :next_token,
      :max_results)
      SENSITIVE = []
      include Aws::Structure
    end

    # The response to the request.
    #
    # @!attribute [rw] findings
    #   A list of findings retrieved from the analyzer that match the filter
    #   criteria specified, if any.
    #   @return [Array<Types::FindingSummary>]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsResponse AWS API Documentation
    #
    class ListFindingsResponse < Struct.new(
      :findings,
      :next_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] analyzer_arn
    #   The [ARN of the analyzer][1] to retrieve findings from.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
    #   @return [String]
    #
    # @!attribute [rw] filter
    #   A filter to match for the findings to return.
    #   @return [Hash<String,Types::Criterion>]
    #
    # @!attribute [rw] max_results
    #   The maximum number of results to return in the response.
    #   @return [Integer]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @!attribute [rw] sort
    #   The criteria used to sort.
    #   @return [Types::SortCriteria]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsV2Request AWS API Documentation
    #
    class ListFindingsV2Request < Struct.new(
      :analyzer_arn,
      :filter,
      :max_results,
      :next_token,
      :sort)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] findings
    #   A list of findings retrieved from the analyzer that match the filter
    #   criteria specified, if any.
    #   @return [Array<Types::FindingSummaryV2>]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListFindingsV2Response AWS API Documentation
    #
    class ListFindingsV2Response < Struct.new(
      :findings,
      :next_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] principal_arn
    #   The ARN of the IAM entity (user or role) for which you are
    #   generating a policy. Use this with `ListGeneratedPolicies` to filter
    #   the results to only include results for a specific principal.
    #   @return [String]
    #
    # @!attribute [rw] max_results
    #   The maximum number of results to return in the response.
    #   @return [Integer]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListPolicyGenerationsRequest AWS API Documentation
    #
    class ListPolicyGenerationsRequest < Struct.new(
      :principal_arn,
      :max_results,
      :next_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] policy_generations
    #   A `PolicyGeneration` object that contains details about the
    #   generated policy.
    #   @return [Array<Types::PolicyGeneration>]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListPolicyGenerationsResponse AWS API Documentation
    #
    class ListPolicyGenerationsResponse < Struct.new(
      :policy_generations,
      :next_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # Retrieves a list of tags applied to the specified resource.
    #
    # @!attribute [rw] resource_arn
    #   The ARN of the resource to retrieve tags from.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListTagsForResourceRequest AWS API Documentation
    #
    class ListTagsForResourceRequest < Struct.new(
      :resource_arn)
      SENSITIVE = []
      include Aws::Structure
    end

    # The response to the request.
    #
    # @!attribute [rw] tags
    #   The tags that are applied to the specified resource.
    #   @return [Hash<String,String>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ListTagsForResourceResponse AWS API Documentation
    #
    class ListTagsForResourceResponse < Struct.new(
      :tags)
      SENSITIVE = []
      include Aws::Structure
    end

    # A location in a policy that is represented as a path through the JSON
    # representation and a corresponding span.
    #
    # @!attribute [rw] path
    #   A path in a policy, represented as a sequence of path elements.
    #   @return [Array<Types::PathElement>]
    #
    # @!attribute [rw] span
    #   A span in a policy.
    #   @return [Types::Span]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Location AWS API Documentation
    #
    class Location < Struct.new(
      :path,
      :span)
      SENSITIVE = []
      include Aws::Structure
    end

    # The proposed `InternetConfiguration` or `VpcConfiguration` to apply to
    # the Amazon S3 access point. `VpcConfiguration` does not apply to
    # multi-region access points. You can make the access point accessible
    # from the internet, or you can specify that all requests made through
    # that access point must originate from a specific virtual private cloud
    # (VPC). You can specify only one type of network configuration. For
    # more information, see [Creating access points][1].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
    #
    # @note NetworkOriginConfiguration is a union - when making an API calls you must set exactly one of the members.
    #
    # @note NetworkOriginConfiguration is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of NetworkOriginConfiguration corresponding to the set member.
    #
    # @!attribute [rw] vpc_configuration
    #   The proposed virtual private cloud (VPC) configuration for the
    #   Amazon S3 access point. VPC configuration does not apply to
    #   multi-region access points. For more information, see
    #   [VpcConfiguration][1].
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
    #   @return [Types::VpcConfiguration]
    #
    # @!attribute [rw] internet_configuration
    #   The configuration for the Amazon S3 access point or multi-region
    #   access point with an `Internet` origin.
    #   @return [Types::InternetConfiguration]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/NetworkOriginConfiguration AWS API Documentation
    #
    class NetworkOriginConfiguration < Struct.new(
      :vpc_configuration,
      :internet_configuration,
      :unknown)
      SENSITIVE = []
      include Aws::Structure
      include Aws::Structure::Union

      class VpcConfiguration < NetworkOriginConfiguration; end
      class InternetConfiguration < NetworkOriginConfiguration; end
      class Unknown < NetworkOriginConfiguration; end
    end

    # A single element in a path through the JSON representation of a
    # policy.
    #
    # @note PathElement is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of PathElement corresponding to the set member.
    #
    # @!attribute [rw] index
    #   Refers to an index in a JSON array.
    #   @return [Integer]
    #
    # @!attribute [rw] key
    #   Refers to a key in a JSON object.
    #   @return [String]
    #
    # @!attribute [rw] substring
    #   Refers to a substring of a literal string in a JSON object.
    #   @return [Types::Substring]
    #
    # @!attribute [rw] value
    #   Refers to the value associated with a given key in a JSON object.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PathElement AWS API Documentation
    #
    class PathElement < Struct.new(
      :index,
      :key,
      :substring,
      :value,
      :unknown)
      SENSITIVE = []
      include Aws::Structure
      include Aws::Structure::Union

      class Index < PathElement; end
      class Key < PathElement; end
      class Substring < PathElement; end
      class Value < PathElement; end
      class Unknown < PathElement; end
    end

    # Contains details about the policy generation status and properties.
    #
    # @!attribute [rw] job_id
    #   The `JobId` that is returned by the `StartPolicyGeneration`
    #   operation. The `JobId` can be used with `GetGeneratedPolicy` to
    #   retrieve the generated policies or used with
    #   `CancelPolicyGeneration` to cancel the policy generation request.
    #   @return [String]
    #
    # @!attribute [rw] principal_arn
    #   The ARN of the IAM entity (user or role) for which you are
    #   generating a policy.
    #   @return [String]
    #
    # @!attribute [rw] status
    #   The status of the policy generation request.
    #   @return [String]
    #
    # @!attribute [rw] started_on
    #   A timestamp of when the policy generation started.
    #   @return [Time]
    #
    # @!attribute [rw] completed_on
    #   A timestamp of when the policy generation was completed.
    #   @return [Time]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PolicyGeneration AWS API Documentation
    #
    class PolicyGeneration < Struct.new(
      :job_id,
      :principal_arn,
      :status,
      :started_on,
      :completed_on)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains the ARN details about the IAM entity for which the policy is
    # generated.
    #
    # @!attribute [rw] principal_arn
    #   The ARN of the IAM entity (user or role) for which you are
    #   generating a policy.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/PolicyGenerationDetails AWS API Documentation
    #
    class PolicyGenerationDetails < Struct.new(
      :principal_arn)
      SENSITIVE = []
      include Aws::Structure
    end

    # A position in a policy.
    #
    # @!attribute [rw] line
    #   The line of the position, starting from 1.
    #   @return [Integer]
    #
    # @!attribute [rw] column
    #   The column of the position, starting from 0.
    #   @return [Integer]
    #
    # @!attribute [rw] offset
    #   The offset within the policy that corresponds to the position,
    #   starting from 0.
    #   @return [Integer]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Position AWS API Documentation
    #
    class Position < Struct.new(
      :line,
      :column,
      :offset)
      SENSITIVE = []
      include Aws::Structure
    end

    # The values for a manual Amazon RDS DB cluster snapshot attribute.
    #
    # @note RdsDbClusterSnapshotAttributeValue is a union - when making an API calls you must set exactly one of the members.
    #
    # @note RdsDbClusterSnapshotAttributeValue is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of RdsDbClusterSnapshotAttributeValue corresponding to the set member.
    #
    # @!attribute [rw] account_ids
    #   The Amazon Web Services account IDs that have access to the manual
    #   Amazon RDS DB cluster snapshot. If the value `all` is specified,
    #   then the Amazon RDS DB cluster snapshot is public and can be copied
    #   or restored by all Amazon Web Services accounts.
    #
    #   * If the configuration is for an existing Amazon RDS DB cluster
    #     snapshot and you do not specify the `accountIds` in
    #     `RdsDbClusterSnapshotAttributeValue`, then the access preview uses
    #     the existing shared `accountIds` for the snapshot.
    #
    #   * If the access preview is for a new resource and you do not specify
    #     the specify the `accountIds` in
    #     `RdsDbClusterSnapshotAttributeValue`, then the access preview
    #     considers the snapshot without any attributes.
    #
    #   * To propose deletion of existing shared `accountIds`, you can
    #     specify an empty list for `accountIds` in the
    #     `RdsDbClusterSnapshotAttributeValue`.
    #   @return [Array<String>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/RdsDbClusterSnapshotAttributeValue AWS API Documentation
    #
    class RdsDbClusterSnapshotAttributeValue < Struct.new(
      :account_ids,
      :unknown)
      SENSITIVE = []
      include Aws::Structure
      include Aws::Structure::Union

      class AccountIds < RdsDbClusterSnapshotAttributeValue; end
      class Unknown < RdsDbClusterSnapshotAttributeValue; end
    end

    # The proposed access control configuration for an Amazon RDS DB cluster
    # snapshot. You can propose a configuration for a new Amazon RDS DB
    # cluster snapshot or an Amazon RDS DB cluster snapshot that you own by
    # specifying the `RdsDbClusterSnapshotAttributeValue` and optional KMS
    # encryption key. For more information, see
    # [ModifyDBClusterSnapshotAttribute][1].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBClusterSnapshotAttribute.html
    #
    # @!attribute [rw] attributes
    #   The names and values of manual DB cluster snapshot attributes.
    #   Manual DB cluster snapshot attributes are used to authorize other
    #   Amazon Web Services accounts to restore a manual DB cluster
    #   snapshot. The only valid value for `AttributeName` for the attribute
    #   map is `restore`
    #   @return [Hash<String,Types::RdsDbClusterSnapshotAttributeValue>]
    #
    # @!attribute [rw] kms_key_id
    #   The KMS key identifier for an encrypted Amazon RDS DB cluster
    #   snapshot. The KMS key identifier is the key ARN, key ID, alias ARN,
    #   or alias name for the KMS key.
    #
    #   * If the configuration is for an existing Amazon RDS DB cluster
    #     snapshot and you do not specify the `kmsKeyId`, or you specify an
    #     empty string, then the access preview uses the existing `kmsKeyId`
    #     of the snapshot.
    #
    #   * If the access preview is for a new resource and you do not specify
    #     the specify the `kmsKeyId`, then the access preview considers the
    #     snapshot as unencrypted.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/RdsDbClusterSnapshotConfiguration AWS API Documentation
    #
    class RdsDbClusterSnapshotConfiguration < Struct.new(
      :attributes,
      :kms_key_id)
      SENSITIVE = []
      include Aws::Structure
    end

    # The name and values of a manual Amazon RDS DB snapshot attribute.
    # Manual DB snapshot attributes are used to authorize other Amazon Web
    # Services accounts to restore a manual DB snapshot.
    #
    # @note RdsDbSnapshotAttributeValue is a union - when making an API calls you must set exactly one of the members.
    #
    # @note RdsDbSnapshotAttributeValue is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of RdsDbSnapshotAttributeValue corresponding to the set member.
    #
    # @!attribute [rw] account_ids
    #   The Amazon Web Services account IDs that have access to the manual
    #   Amazon RDS DB snapshot. If the value `all` is specified, then the
    #   Amazon RDS DB snapshot is public and can be copied or restored by
    #   all Amazon Web Services accounts.
    #
    #   * If the configuration is for an existing Amazon RDS DB snapshot and
    #     you do not specify the `accountIds` in
    #     `RdsDbSnapshotAttributeValue`, then the access preview uses the
    #     existing shared `accountIds` for the snapshot.
    #
    #   * If the access preview is for a new resource and you do not specify
    #     the specify the `accountIds` in `RdsDbSnapshotAttributeValue`,
    #     then the access preview considers the snapshot without any
    #     attributes.
    #
    #   * To propose deletion of an existing shared `accountIds`, you can
    #     specify an empty list for `accountIds` in the
    #     `RdsDbSnapshotAttributeValue`.
    #   @return [Array<String>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/RdsDbSnapshotAttributeValue AWS API Documentation
    #
    class RdsDbSnapshotAttributeValue < Struct.new(
      :account_ids,
      :unknown)
      SENSITIVE = []
      include Aws::Structure
      include Aws::Structure::Union

      class AccountIds < RdsDbSnapshotAttributeValue; end
      class Unknown < RdsDbSnapshotAttributeValue; end
    end

    # The proposed access control configuration for an Amazon RDS DB
    # snapshot. You can propose a configuration for a new Amazon RDS DB
    # snapshot or an Amazon RDS DB snapshot that you own by specifying the
    # `RdsDbSnapshotAttributeValue` and optional KMS encryption key. For
    # more information, see [ModifyDBSnapshotAttribute][1].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html
    #
    # @!attribute [rw] attributes
    #   The names and values of manual DB snapshot attributes. Manual DB
    #   snapshot attributes are used to authorize other Amazon Web Services
    #   accounts to restore a manual DB snapshot. The only valid value for
    #   `attributeName` for the attribute map is restore.
    #   @return [Hash<String,Types::RdsDbSnapshotAttributeValue>]
    #
    # @!attribute [rw] kms_key_id
    #   The KMS key identifier for an encrypted Amazon RDS DB snapshot. The
    #   KMS key identifier is the key ARN, key ID, alias ARN, or alias name
    #   for the KMS key.
    #
    #   * If the configuration is for an existing Amazon RDS DB snapshot and
    #     you do not specify the `kmsKeyId`, or you specify an empty string,
    #     then the access preview uses the existing `kmsKeyId` of the
    #     snapshot.
    #
    #   * If the access preview is for a new resource and you do not specify
    #     the specify the `kmsKeyId`, then the access preview considers the
    #     snapshot as unencrypted.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/RdsDbSnapshotConfiguration AWS API Documentation
    #
    class RdsDbSnapshotConfiguration < Struct.new(
      :attributes,
      :kms_key_id)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about the reasoning why a check for access passed
    # or failed.
    #
    # @!attribute [rw] description
    #   A description of the reasoning of a result of checking for access.
    #   @return [String]
    #
    # @!attribute [rw] statement_index
    #   The index number of the reason statement.
    #   @return [Integer]
    #
    # @!attribute [rw] statement_id
    #   The identifier for the reason statement.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ReasonSummary AWS API Documentation
    #
    class ReasonSummary < Struct.new(
      :description,
      :statement_index,
      :statement_id)
      SENSITIVE = []
      include Aws::Structure
    end

    # The specified resource could not be found.
    #
    # @!attribute [rw] message
    #   @return [String]
    #
    # @!attribute [rw] resource_id
    #   The ID of the resource.
    #   @return [String]
    #
    # @!attribute [rw] resource_type
    #   The type of the resource.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ResourceNotFoundException AWS API Documentation
    #
    class ResourceNotFoundException < Struct.new(
      :message,
      :resource_id,
      :resource_type)
      SENSITIVE = []
      include Aws::Structure
    end

    # The configuration for an Amazon S3 access point or multi-region access
    # point for the bucket. You can propose up to 10 access points or
    # multi-region access points per bucket. If the proposed Amazon S3
    # access point configuration is for an existing bucket, the access
    # preview uses the proposed access point configuration in place of the
    # existing access points. To propose an access point without a policy,
    # you can provide an empty string as the access point policy. For more
    # information, see [Creating access points][1]. For more information
    # about access point policy limits, see [Access points restrictions and
    # limitations][2].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html
    # [2]: https://docs.aws.amazon.com/AmazonS3/latest/dev/access-points-restrictions-limitations.html
    #
    # @!attribute [rw] access_point_policy
    #   The access point or multi-region access point policy.
    #   @return [String]
    #
    # @!attribute [rw] public_access_block
    #   The proposed `S3PublicAccessBlock` configuration to apply to this
    #   Amazon S3 access point or multi-region access point.
    #   @return [Types::S3PublicAccessBlockConfiguration]
    #
    # @!attribute [rw] network_origin
    #   The proposed `Internet` and `VpcConfiguration` to apply to this
    #   Amazon S3 access point. `VpcConfiguration` does not apply to
    #   multi-region access points. If the access preview is for a new
    #   resource and neither is specified, the access preview uses
    #   `Internet` for the network origin. If the access preview is for an
    #   existing resource and neither is specified, the access preview uses
    #   the exiting network origin.
    #   @return [Types::NetworkOriginConfiguration]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3AccessPointConfiguration AWS API Documentation
    #
    class S3AccessPointConfiguration < Struct.new(
      :access_point_policy,
      :public_access_block,
      :network_origin)
      SENSITIVE = []
      include Aws::Structure
    end

    # A proposed access control list grant configuration for an Amazon S3
    # bucket. For more information, see [How to Specify an ACL][1].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#setting-acls
    #
    # @!attribute [rw] permission
    #   The permissions being granted.
    #   @return [String]
    #
    # @!attribute [rw] grantee
    #   The grantee to whom you’re assigning access rights.
    #   @return [Types::AclGrantee]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketAclGrantConfiguration AWS API Documentation
    #
    class S3BucketAclGrantConfiguration < Struct.new(
      :permission,
      :grantee)
      SENSITIVE = []
      include Aws::Structure
    end

    # Proposed access control configuration for an Amazon S3 bucket. You can
    # propose a configuration for a new Amazon S3 bucket or an existing
    # Amazon S3 bucket that you own by specifying the Amazon S3 bucket
    # policy, bucket ACLs, bucket BPA settings, Amazon S3 access points, and
    # multi-region access points attached to the bucket. If the
    # configuration is for an existing Amazon S3 bucket and you do not
    # specify the Amazon S3 bucket policy, the access preview uses the
    # existing policy attached to the bucket. If the access preview is for a
    # new resource and you do not specify the Amazon S3 bucket policy, the
    # access preview assumes a bucket without a policy. To propose deletion
    # of an existing bucket policy, you can specify an empty string. For
    # more information about bucket policy limits, see [Bucket Policy
    # Examples][1].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
    #
    # @!attribute [rw] bucket_policy
    #   The proposed bucket policy for the Amazon S3 bucket.
    #   @return [String]
    #
    # @!attribute [rw] bucket_acl_grants
    #   The proposed list of ACL grants for the Amazon S3 bucket. You can
    #   propose up to 100 ACL grants per bucket. If the proposed grant
    #   configuration is for an existing bucket, the access preview uses the
    #   proposed list of grant configurations in place of the existing
    #   grants. Otherwise, the access preview uses the existing grants for
    #   the bucket.
    #   @return [Array<Types::S3BucketAclGrantConfiguration>]
    #
    # @!attribute [rw] bucket_public_access_block
    #   The proposed block public access configuration for the Amazon S3
    #   bucket.
    #   @return [Types::S3PublicAccessBlockConfiguration]
    #
    # @!attribute [rw] access_points
    #   The configuration of Amazon S3 access points or multi-region access
    #   points for the bucket. You can propose up to 10 new access points
    #   per bucket.
    #   @return [Hash<String,Types::S3AccessPointConfiguration>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3BucketConfiguration AWS API Documentation
    #
    class S3BucketConfiguration < Struct.new(
      :bucket_policy,
      :bucket_acl_grants,
      :bucket_public_access_block,
      :access_points)
      SENSITIVE = []
      include Aws::Structure
    end

    # The `PublicAccessBlock` configuration to apply to this Amazon S3
    # bucket. If the proposed configuration is for an existing Amazon S3
    # bucket and the configuration is not specified, the access preview uses
    # the existing setting. If the proposed configuration is for a new
    # bucket and the configuration is not specified, the access preview uses
    # `false`. If the proposed configuration is for a new access point or
    # multi-region access point and the access point BPA configuration is
    # not specified, the access preview uses `true`. For more information,
    # see [PublicAccessBlockConfiguration][1].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-publicaccessblockconfiguration.html
    #
    # @!attribute [rw] ignore_public_acls
    #   Specifies whether Amazon S3 should ignore public ACLs for this
    #   bucket and objects in this bucket.
    #   @return [Boolean]
    #
    # @!attribute [rw] restrict_public_buckets
    #   Specifies whether Amazon S3 should restrict public bucket policies
    #   for this bucket.
    #   @return [Boolean]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/S3PublicAccessBlockConfiguration AWS API Documentation
    #
    class S3PublicAccessBlockConfiguration < Struct.new(
      :ignore_public_acls,
      :restrict_public_buckets)
      SENSITIVE = []
      include Aws::Structure
    end

    # The configuration for a Secrets Manager secret. For more information,
    # see [CreateSecret][1].
    #
    # You can propose a configuration for a new secret or an existing secret
    # that you own by specifying the secret policy and optional KMS
    # encryption key. If the configuration is for an existing secret and you
    # do not specify the secret policy, the access preview uses the existing
    # policy for the secret. If the access preview is for a new resource and
    # you do not specify the policy, the access preview assumes a secret
    # without a policy. To propose deletion of an existing policy, you can
    # specify an empty string. If the proposed configuration is for a new
    # secret and you do not specify the KMS key ID, the access preview uses
    # the Amazon Web Services managed key `aws/secretsmanager`. If you
    # specify an empty string for the KMS key ID, the access preview uses
    # the Amazon Web Services managed key of the Amazon Web Services
    # account. For more information about secret policy limits, see [Quotas
    # for Secrets Manager.][2].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html
    # [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_limits.html
    #
    # @!attribute [rw] kms_key_id
    #   The proposed ARN, key ID, or alias of the KMS key.
    #   @return [String]
    #
    # @!attribute [rw] secret_policy
    #   The proposed resource policy defining who can access or manage the
    #   secret.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SecretsManagerSecretConfiguration AWS API Documentation
    #
    class SecretsManagerSecretConfiguration < Struct.new(
      :kms_key_id,
      :secret_policy)
      SENSITIVE = []
      include Aws::Structure
    end

    # Service quote met error.
    #
    # @!attribute [rw] message
    #   @return [String]
    #
    # @!attribute [rw] resource_id
    #   The resource ID.
    #   @return [String]
    #
    # @!attribute [rw] resource_type
    #   The resource type.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ServiceQuotaExceededException AWS API Documentation
    #
    class ServiceQuotaExceededException < Struct.new(
      :message,
      :resource_id,
      :resource_type)
      SENSITIVE = []
      include Aws::Structure
    end

    # The proposed access control configuration for an Amazon SNS topic. You
    # can propose a configuration for a new Amazon SNS topic or an existing
    # Amazon SNS topic that you own by specifying the policy. If the
    # configuration is for an existing Amazon SNS topic and you do not
    # specify the Amazon SNS policy, then the access preview uses the
    # existing Amazon SNS policy for the topic. If the access preview is for
    # a new resource and you do not specify the policy, then the access
    # preview assumes an Amazon SNS topic without a policy. To propose
    # deletion of an existing Amazon SNS topic policy, you can specify an
    # empty string for the Amazon SNS policy. For more information, see
    # [Topic][1].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/sns/latest/api/API_Topic.html
    #
    # @!attribute [rw] topic_policy
    #   The JSON policy text that defines who can access an Amazon SNS
    #   topic. For more information, see [Example cases for Amazon SNS
    #   access control][1] in the *Amazon SNS Developer Guide*.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/sns/latest/dg/sns-access-policy-use-cases.html
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SnsTopicConfiguration AWS API Documentation
    #
    class SnsTopicConfiguration < Struct.new(
      :topic_policy)
      SENSITIVE = []
      include Aws::Structure
    end

    # The criteria used to sort.
    #
    # @!attribute [rw] attribute_name
    #   The name of the attribute to sort on.
    #   @return [String]
    #
    # @!attribute [rw] order_by
    #   The sort order, ascending or descending.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SortCriteria AWS API Documentation
    #
    class SortCriteria < Struct.new(
      :attribute_name,
      :order_by)
      SENSITIVE = []
      include Aws::Structure
    end

    # A span in a policy. The span consists of a start position (inclusive)
    # and end position (exclusive).
    #
    # @!attribute [rw] start
    #   The start position of the span (inclusive).
    #   @return [Types::Position]
    #
    # @!attribute [rw] end
    #   The end position of the span (exclusive).
    #   @return [Types::Position]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Span AWS API Documentation
    #
    class Span < Struct.new(
      :start,
      :end)
      SENSITIVE = []
      include Aws::Structure
    end

    # The proposed access control configuration for an Amazon SQS queue. You
    # can propose a configuration for a new Amazon SQS queue or an existing
    # Amazon SQS queue that you own by specifying the Amazon SQS policy. If
    # the configuration is for an existing Amazon SQS queue and you do not
    # specify the Amazon SQS policy, the access preview uses the existing
    # Amazon SQS policy for the queue. If the access preview is for a new
    # resource and you do not specify the policy, the access preview assumes
    # an Amazon SQS queue without a policy. To propose deletion of an
    # existing Amazon SQS queue policy, you can specify an empty string for
    # the Amazon SQS policy. For more information about Amazon SQS policy
    # limits, see [Quotas related to policies][1].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/quotas-policies.html
    #
    # @!attribute [rw] queue_policy
    #   The proposed resource policy for the Amazon SQS queue.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/SqsQueueConfiguration AWS API Documentation
    #
    class SqsQueueConfiguration < Struct.new(
      :queue_policy)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] policy_generation_details
    #   Contains the ARN of the IAM entity (user or role) for which you are
    #   generating a policy.
    #   @return [Types::PolicyGenerationDetails]
    #
    # @!attribute [rw] cloud_trail_details
    #   A `CloudTrailDetails` object that contains details about a `Trail`
    #   that you want to analyze to generate policies.
    #   @return [Types::CloudTrailDetails]
    #
    # @!attribute [rw] client_token
    #   A unique, case-sensitive identifier that you provide to ensure the
    #   idempotency of the request. Idempotency ensures that an API request
    #   completes only once. With an idempotent request, if the original
    #   request completes successfully, the subsequent retries with the same
    #   client token return the result from the original successful request
    #   and they have no additional effect.
    #
    #   If you do not specify a client token, one is automatically generated
    #   by the Amazon Web Services SDK.
    #
    #   **A suitable default value is auto-generated.** You should normally
    #   not need to pass this option.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/StartPolicyGenerationRequest AWS API Documentation
    #
    class StartPolicyGenerationRequest < Struct.new(
      :policy_generation_details,
      :cloud_trail_details,
      :client_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] job_id
    #   The `JobId` that is returned by the `StartPolicyGeneration`
    #   operation. The `JobId` can be used with `GetGeneratedPolicy` to
    #   retrieve the generated policies or used with
    #   `CancelPolicyGeneration` to cancel the policy generation request.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/StartPolicyGenerationResponse AWS API Documentation
    #
    class StartPolicyGenerationResponse < Struct.new(
      :job_id)
      SENSITIVE = []
      include Aws::Structure
    end

    # Starts a scan of the policies applied to the specified resource.
    #
    # @!attribute [rw] analyzer_arn
    #   The [ARN of the analyzer][1] to use to scan the policies applied to
    #   the specified resource.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
    #   @return [String]
    #
    # @!attribute [rw] resource_arn
    #   The ARN of the resource to scan.
    #   @return [String]
    #
    # @!attribute [rw] resource_owner_account
    #   The Amazon Web Services account ID that owns the resource. For most
    #   Amazon Web Services resources, the owning account is the account in
    #   which the resource was created.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/StartResourceScanRequest AWS API Documentation
    #
    class StartResourceScanRequest < Struct.new(
      :analyzer_arn,
      :resource_arn,
      :resource_owner_account)
      SENSITIVE = []
      include Aws::Structure
    end

    # Provides more details about the current status of the analyzer. For
    # example, if the creation for the analyzer fails, a `Failed` status is
    # returned. For an analyzer with organization as the type, this failure
    # can be due to an issue with creating the service-linked roles required
    # in the member accounts of the Amazon Web Services organization.
    #
    # @!attribute [rw] code
    #   The reason code for the current status of the analyzer.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/StatusReason AWS API Documentation
    #
    class StatusReason < Struct.new(
      :code)
      SENSITIVE = []
      include Aws::Structure
    end

    # A reference to a substring of a literal string in a JSON document.
    #
    # @!attribute [rw] start
    #   The start index of the substring, starting from 0.
    #   @return [Integer]
    #
    # @!attribute [rw] length
    #   The length of the substring.
    #   @return [Integer]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Substring AWS API Documentation
    #
    class Substring < Struct.new(
      :start,
      :length)
      SENSITIVE = []
      include Aws::Structure
    end

    # Adds a tag to the specified resource.
    #
    # @!attribute [rw] resource_arn
    #   The ARN of the resource to add the tag to.
    #   @return [String]
    #
    # @!attribute [rw] tags
    #   The tags to add to the resource.
    #   @return [Hash<String,String>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/TagResourceRequest AWS API Documentation
    #
    class TagResourceRequest < Struct.new(
      :resource_arn,
      :tags)
      SENSITIVE = []
      include Aws::Structure
    end

    # The response to the request.
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/TagResourceResponse AWS API Documentation
    #
    class TagResourceResponse < Aws::EmptyStructure; end

    # Throttling limit exceeded error.
    #
    # @!attribute [rw] message
    #   @return [String]
    #
    # @!attribute [rw] retry_after_seconds
    #   The seconds to wait to retry.
    #   @return [Integer]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ThrottlingException AWS API Documentation
    #
    class ThrottlingException < Struct.new(
      :message,
      :retry_after_seconds)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains details about the CloudTrail trail being analyzed to generate
    # a policy.
    #
    # @!attribute [rw] cloud_trail_arn
    #   Specifies the ARN of the trail. The format of a trail ARN is
    #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`.
    #   @return [String]
    #
    # @!attribute [rw] regions
    #   A list of regions to get CloudTrail data from and analyze to
    #   generate a policy.
    #   @return [Array<String>]
    #
    # @!attribute [rw] all_regions
    #   Possible values are `true` or `false`. If set to `true`, IAM Access
    #   Analyzer retrieves CloudTrail data from all regions to analyze and
    #   generate a policy.
    #   @return [Boolean]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/Trail AWS API Documentation
    #
    class Trail < Struct.new(
      :cloud_trail_arn,
      :regions,
      :all_regions)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains details about the CloudTrail trail being analyzed to generate
    # a policy.
    #
    # @!attribute [rw] cloud_trail_arn
    #   Specifies the ARN of the trail. The format of a trail ARN is
    #   `arn:aws:cloudtrail:us-east-2:123456789012:trail/MyTrail`.
    #   @return [String]
    #
    # @!attribute [rw] regions
    #   A list of regions to get CloudTrail data from and analyze to
    #   generate a policy.
    #   @return [Array<String>]
    #
    # @!attribute [rw] all_regions
    #   Possible values are `true` or `false`. If set to `true`, IAM Access
    #   Analyzer retrieves CloudTrail data from all regions to analyze and
    #   generate a policy.
    #   @return [Boolean]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/TrailProperties AWS API Documentation
    #
    class TrailProperties < Struct.new(
      :cloud_trail_arn,
      :regions,
      :all_regions)
      SENSITIVE = []
      include Aws::Structure
    end

    # The specified entity could not be processed.
    #
    # @!attribute [rw] message
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnprocessableEntityException AWS API Documentation
    #
    class UnprocessableEntityException < Struct.new(
      :message)
      SENSITIVE = []
      include Aws::Structure
    end

    # Removes a tag from the specified resource.
    #
    # @!attribute [rw] resource_arn
    #   The ARN of the resource to remove the tag from.
    #   @return [String]
    #
    # @!attribute [rw] tag_keys
    #   The key for the tag to add.
    #   @return [Array<String>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UntagResourceRequest AWS API Documentation
    #
    class UntagResourceRequest < Struct.new(
      :resource_arn,
      :tag_keys)
      SENSITIVE = []
      include Aws::Structure
    end

    # The response to the request.
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UntagResourceResponse AWS API Documentation
    #
    class UntagResourceResponse < Aws::EmptyStructure; end

    # Contains information about an unused access analyzer.
    #
    # @!attribute [rw] unused_access_age
    #   The specified access age in days for which to generate findings for
    #   unused access. For example, if you specify 90 days, the analyzer
    #   will generate findings for IAM entities within the accounts of the
    #   selected organization for any access that hasn't been used in 90 or
    #   more days since the analyzer's last scan. You can choose a value
    #   between 1 and 180 days.
    #   @return [Integer]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedAccessConfiguration AWS API Documentation
    #
    class UnusedAccessConfiguration < Struct.new(
      :unused_access_age)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about an unused access finding for an action. IAM
    # Access Analyzer charges for unused access analysis based on the number
    # of IAM roles and users analyzed per month. For more details on
    # pricing, see [IAM Access Analyzer pricing][1].
    #
    #
    #
    # [1]: https://aws.amazon.com/iam/access-analyzer/pricing
    #
    # @!attribute [rw] action
    #   The action for which the unused access finding was generated.
    #   @return [String]
    #
    # @!attribute [rw] last_accessed
    #   The time at which the action was last accessed.
    #   @return [Time]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedAction AWS API Documentation
    #
    class UnusedAction < Struct.new(
      :action,
      :last_accessed)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about an unused access finding for an IAM role.
    # IAM Access Analyzer charges for unused access analysis based on the
    # number of IAM roles and users analyzed per month. For more details on
    # pricing, see [IAM Access Analyzer pricing][1].
    #
    #
    #
    # [1]: https://aws.amazon.com/iam/access-analyzer/pricing
    #
    # @!attribute [rw] last_accessed
    #   The time at which the role was last accessed.
    #   @return [Time]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedIamRoleDetails AWS API Documentation
    #
    class UnusedIamRoleDetails < Struct.new(
      :last_accessed)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about an unused access finding for an IAM user
    # access key. IAM Access Analyzer charges for unused access analysis
    # based on the number of IAM roles and users analyzed per month. For
    # more details on pricing, see [IAM Access Analyzer pricing][1].
    #
    #
    #
    # [1]: https://aws.amazon.com/iam/access-analyzer/pricing
    #
    # @!attribute [rw] access_key_id
    #   The ID of the access key for which the unused access finding was
    #   generated.
    #   @return [String]
    #
    # @!attribute [rw] last_accessed
    #   The time at which the access key was last accessed.
    #   @return [Time]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedIamUserAccessKeyDetails AWS API Documentation
    #
    class UnusedIamUserAccessKeyDetails < Struct.new(
      :access_key_id,
      :last_accessed)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about an unused access finding for an IAM user
    # password. IAM Access Analyzer charges for unused access analysis based
    # on the number of IAM roles and users analyzed per month. For more
    # details on pricing, see [IAM Access Analyzer pricing][1].
    #
    #
    #
    # [1]: https://aws.amazon.com/iam/access-analyzer/pricing
    #
    # @!attribute [rw] last_accessed
    #   The time at which the password was last accessed.
    #   @return [Time]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedIamUserPasswordDetails AWS API Documentation
    #
    class UnusedIamUserPasswordDetails < Struct.new(
      :last_accessed)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about an unused access finding for a permission.
    # IAM Access Analyzer charges for unused access analysis based on the
    # number of IAM roles and users analyzed per month. For more details on
    # pricing, see [IAM Access Analyzer pricing][1].
    #
    #
    #
    # [1]: https://aws.amazon.com/iam/access-analyzer/pricing
    #
    # @!attribute [rw] actions
    #   A list of unused actions for which the unused access finding was
    #   generated.
    #   @return [Array<Types::UnusedAction>]
    #
    # @!attribute [rw] service_namespace
    #   The namespace of the Amazon Web Services service that contains the
    #   unused actions.
    #   @return [String]
    #
    # @!attribute [rw] last_accessed
    #   The time at which the permission last accessed.
    #   @return [Time]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UnusedPermissionDetails AWS API Documentation
    #
    class UnusedPermissionDetails < Struct.new(
      :actions,
      :service_namespace,
      :last_accessed)
      SENSITIVE = []
      include Aws::Structure
    end

    # Updates the specified archive rule.
    #
    # @!attribute [rw] analyzer_name
    #   The name of the analyzer to update the archive rules for.
    #   @return [String]
    #
    # @!attribute [rw] rule_name
    #   The name of the rule to update.
    #   @return [String]
    #
    # @!attribute [rw] filter
    #   A filter to match for the rules to update. Only rules that match the
    #   filter are updated.
    #   @return [Hash<String,Types::Criterion>]
    #
    # @!attribute [rw] client_token
    #   A client token.
    #
    #   **A suitable default value is auto-generated.** You should normally
    #   not need to pass this option.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UpdateArchiveRuleRequest AWS API Documentation
    #
    class UpdateArchiveRuleRequest < Struct.new(
      :analyzer_name,
      :rule_name,
      :filter,
      :client_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # Updates findings with the new values provided in the request.
    #
    # @!attribute [rw] analyzer_arn
    #   The [ARN of the analyzer][1] that generated the findings to update.
    #
    #
    #
    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
    #   @return [String]
    #
    # @!attribute [rw] status
    #   The state represents the action to take to update the finding
    #   Status. Use `ARCHIVE` to change an Active finding to an Archived
    #   finding. Use `ACTIVE` to change an Archived finding to an Active
    #   finding.
    #   @return [String]
    #
    # @!attribute [rw] ids
    #   The IDs of the findings to update.
    #   @return [Array<String>]
    #
    # @!attribute [rw] resource_arn
    #   The ARN of the resource identified in the finding.
    #   @return [String]
    #
    # @!attribute [rw] client_token
    #   A client token.
    #
    #   **A suitable default value is auto-generated.** You should normally
    #   not need to pass this option.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/UpdateFindingsRequest AWS API Documentation
    #
    class UpdateFindingsRequest < Struct.new(
      :analyzer_arn,
      :status,
      :ids,
      :resource_arn,
      :client_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # A finding in a policy. Each finding is an actionable recommendation
    # that can be used to improve the policy.
    #
    # @!attribute [rw] finding_details
    #   A localized message that explains the finding and provides guidance
    #   on how to address it.
    #   @return [String]
    #
    # @!attribute [rw] finding_type
    #   The impact of the finding.
    #
    #   Security warnings report when the policy allows access that we
    #   consider overly permissive.
    #
    #   Errors report when a part of the policy is not functional.
    #
    #   Warnings report non-security issues when a policy does not conform
    #   to policy writing best practices.
    #
    #   Suggestions recommend stylistic improvements in the policy that do
    #   not impact access.
    #   @return [String]
    #
    # @!attribute [rw] issue_code
    #   The issue code provides an identifier of the issue associated with
    #   this finding.
    #   @return [String]
    #
    # @!attribute [rw] learn_more_link
    #   A link to additional documentation about the type of finding.
    #   @return [String]
    #
    # @!attribute [rw] locations
    #   The list of locations in the policy document that are related to the
    #   finding. The issue code provides a summary of an issue identified by
    #   the finding.
    #   @return [Array<Types::Location>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyFinding AWS API Documentation
    #
    class ValidatePolicyFinding < Struct.new(
      :finding_details,
      :finding_type,
      :issue_code,
      :learn_more_link,
      :locations)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] locale
    #   The locale to use for localizing the findings.
    #   @return [String]
    #
    # @!attribute [rw] max_results
    #   The maximum number of results to return in the response.
    #   @return [Integer]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @!attribute [rw] policy_document
    #   The JSON policy document to use as the content for the policy.
    #   @return [String]
    #
    # @!attribute [rw] policy_type
    #   The type of policy to validate. Identity policies grant permissions
    #   to IAM principals. Identity policies include managed and inline
    #   policies for IAM roles, users, and groups.
    #
    #   Resource policies grant permissions on Amazon Web Services
    #   resources. Resource policies include trust policies for IAM roles
    #   and bucket policies for Amazon S3 buckets. You can provide a generic
    #   input such as identity policy or resource policy or a specific input
    #   such as managed policy or Amazon S3 bucket policy.
    #
    #   Service control policies (SCPs) are a type of organization policy
    #   attached to an Amazon Web Services organization, organizational unit
    #   (OU), or an account.
    #   @return [String]
    #
    # @!attribute [rw] validate_policy_resource_type
    #   The type of resource to attach to your resource policy. Specify a
    #   value for the policy validation resource type only if the policy
    #   type is `RESOURCE_POLICY`. For example, to validate a resource
    #   policy to attach to an Amazon S3 bucket, you can choose
    #   `AWS::S3::Bucket` for the policy validation resource type.
    #
    #   For resource types not supported as valid values, IAM Access
    #   Analyzer runs policy checks that apply to all resource policies. For
    #   example, to validate a resource policy to attach to a KMS key, do
    #   not specify a value for the policy validation resource type and IAM
    #   Access Analyzer will run policy checks that apply to all resource
    #   policies.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyRequest AWS API Documentation
    #
    class ValidatePolicyRequest < Struct.new(
      :locale,
      :max_results,
      :next_token,
      :policy_document,
      :policy_type,
      :validate_policy_resource_type)
      SENSITIVE = []
      include Aws::Structure
    end

    # @!attribute [rw] findings
    #   The list of findings in a policy returned by IAM Access Analyzer
    #   based on its suite of policy checks.
    #   @return [Array<Types::ValidatePolicyFinding>]
    #
    # @!attribute [rw] next_token
    #   A token used for pagination of results returned.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidatePolicyResponse AWS API Documentation
    #
    class ValidatePolicyResponse < Struct.new(
      :findings,
      :next_token)
      SENSITIVE = []
      include Aws::Structure
    end

    # Validation exception error.
    #
    # @!attribute [rw] message
    #   @return [String]
    #
    # @!attribute [rw] reason
    #   The reason for the exception.
    #   @return [String]
    #
    # @!attribute [rw] field_list
    #   A list of fields that didn't validate.
    #   @return [Array<Types::ValidationExceptionField>]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidationException AWS API Documentation
    #
    class ValidationException < Struct.new(
      :message,
      :reason,
      :field_list)
      SENSITIVE = []
      include Aws::Structure
    end

    # Contains information about a validation exception.
    #
    # @!attribute [rw] name
    #   The name of the validation exception.
    #   @return [String]
    #
    # @!attribute [rw] message
    #   A message about the validation exception.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/ValidationExceptionField AWS API Documentation
    #
    class ValidationExceptionField < Struct.new(
      :name,
      :message)
      SENSITIVE = []
      include Aws::Structure
    end

    # The proposed virtual private cloud (VPC) configuration for the Amazon
    # S3 access point. VPC configuration does not apply to multi-region
    # access points. For more information, see [VpcConfiguration][1].
    #
    #
    #
    # [1]: https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_VpcConfiguration.html
    #
    # @!attribute [rw] vpc_id
    #   If this field is specified, this access point will only allow
    #   connections from the specified VPC ID.
    #   @return [String]
    #
    # @see http://docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/VpcConfiguration AWS API Documentation
    #
    class VpcConfiguration < Struct.new(
      :vpc_id)
      SENSITIVE = []
      include Aws::Structure
    end

  end
end