feat(client-accessanalyzer): This release adds support for external access findings for S3 directory buckets to help you easily identify cross-account access. Updated service API, documentation, and paginators.

awstools · awstools · commit 4feb52a10760 · 2023-11-28T19:07:18.000Z
diff --git a/clients/client-accessanalyzer/src/commands/CreateAccessPreviewCommand.ts b/clients/client-accessanalyzer/src/commands/CreateAccessPreviewCommand.ts
@@ -151,6 +151,9 @@ export interface CreateAccessPreviewCommandOutput extends CreateAccessPreviewRes
  *       sqsQueue: { // SqsQueueConfiguration
  *         queuePolicy: "STRING_VALUE",
  *       },
+ *       s3ExpressDirectoryBucket: { // S3ExpressDirectoryBucketConfiguration
+ *         bucketPolicy: "STRING_VALUE",
+ *       },
  *     },
  *   },
  *   clientToken: "STRING_VALUE",
diff --git a/clients/client-accessanalyzer/src/commands/GetAccessPreviewCommand.ts b/clients/client-accessanalyzer/src/commands/GetAccessPreviewCommand.ts
@@ -158,6 +158,9 @@ export interface GetAccessPreviewCommandOutput extends GetAccessPreviewResponse,
  * //         sqsQueue: { // SqsQueueConfiguration
  * //           queuePolicy: "STRING_VALUE",
  * //         },
+ * //         s3ExpressDirectoryBucket: { // S3ExpressDirectoryBucketConfiguration
+ * //           bucketPolicy: "STRING_VALUE",
+ * //         },
  * //       },
  * //     },
  * //     createdAt: new Date("TIMESTAMP"), // required
diff --git a/clients/client-accessanalyzer/src/models/models_0.ts b/clients/client-accessanalyzer/src/models/models_0.ts
@@ -1830,6 +1830,25 @@ export interface S3BucketConfiguration {
   accessPoints?: Record<string, S3AccessPointConfiguration>;
 }
 
+/**
+ * @public
+ * <p>Proposed access control configuration for an Amazon S3 directory bucket. You can propose a
+ *          configuration for a new Amazon S3 directory bucket or an existing Amazon S3 directory bucket that you
+ *          own by specifying the Amazon S3 bucket policy. If the configuration is for an existing Amazon S3
+ *          directory bucket and you do not specify the Amazon S3 bucket policy, the access preview uses the
+ *          existing policy attached to the directory bucket. If the access preview is for a new
+ *          resource and you do not specify the Amazon S3 bucket policy, the access preview assumes an
+ *          directory bucket without a policy. To propose deletion of an existing bucket policy, you
+ *          can specify an empty string. For more information about bucket policy limits, see <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html">Example bucket policies</a>.</p>
+ */
+export interface S3ExpressDirectoryBucketConfiguration {
+  /**
+   * @public
+   * <p>The proposed bucket policy for the Amazon S3 directory bucket.</p>
+   */
+  bucketPolicy?: string;
+}
+
 /**
  * @public
  * <p>The configuration for a Secrets Manager secret. For more information, see <a href="https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_CreateSecret.html">CreateSecret</a>.</p>
@@ -1914,6 +1933,7 @@ export type Configuration =
   | Configuration.RdsDbClusterSnapshotMember
   | Configuration.RdsDbSnapshotMember
   | Configuration.S3BucketMember
+  | Configuration.S3ExpressDirectoryBucketMember
   | Configuration.SecretsManagerSecretMember
   | Configuration.SnsTopicMember
   | Configuration.SqsQueueMember
@@ -1939,6 +1959,7 @@ export namespace Configuration {
     s3Bucket?: never;
     snsTopic?: never;
     sqsQueue?: never;
+    s3ExpressDirectoryBucket?: never;
     $unknown?: never;
   }
 
@@ -1958,6 +1979,7 @@ export namespace Configuration {
     s3Bucket?: never;
     snsTopic?: never;
     sqsQueue?: never;
+    s3ExpressDirectoryBucket?: never;
     $unknown?: never;
   }
 
@@ -1977,6 +1999,7 @@ export namespace Configuration {
     s3Bucket?: never;
     snsTopic?: never;
     sqsQueue?: never;
+    s3ExpressDirectoryBucket?: never;
     $unknown?: never;
   }
 
@@ -1996,6 +2019,7 @@ export namespace Configuration {
     s3Bucket?: never;
     snsTopic?: never;
     sqsQueue?: never;
+    s3ExpressDirectoryBucket?: never;
     $unknown?: never;
   }
 
@@ -2015,6 +2039,7 @@ export namespace Configuration {
     s3Bucket?: never;
     snsTopic?: never;
     sqsQueue?: never;
+    s3ExpressDirectoryBucket?: never;
     $unknown?: never;
   }
 
@@ -2034,6 +2059,7 @@ export namespace Configuration {
     s3Bucket?: never;
     snsTopic?: never;
     sqsQueue?: never;
+    s3ExpressDirectoryBucket?: never;
     $unknown?: never;
   }
 
@@ -2053,6 +2079,7 @@ export namespace Configuration {
     s3Bucket?: never;
     snsTopic?: never;
     sqsQueue?: never;
+    s3ExpressDirectoryBucket?: never;
     $unknown?: never;
   }
 
@@ -2072,12 +2099,13 @@ export namespace Configuration {
     s3Bucket?: never;
     snsTopic?: never;
     sqsQueue?: never;
+    s3ExpressDirectoryBucket?: never;
     $unknown?: never;
   }
 
   /**
    * @public
-   * <p>The access control configuration is for an Amazon S3 Bucket. </p>
+   * <p>The access control configuration is for an Amazon S3 bucket. </p>
    */
   export interface S3BucketMember {
     ebsSnapshot?: never;
@@ -2091,6 +2119,7 @@ export namespace Configuration {
     s3Bucket: S3BucketConfiguration;
     snsTopic?: never;
     sqsQueue?: never;
+    s3ExpressDirectoryBucket?: never;
     $unknown?: never;
   }
 
@@ -2110,6 +2139,7 @@ export namespace Configuration {
     s3Bucket?: never;
     snsTopic: SnsTopicConfiguration;
     sqsQueue?: never;
+    s3ExpressDirectoryBucket?: never;
     $unknown?: never;
   }
 
@@ -2129,6 +2159,27 @@ export namespace Configuration {
     s3Bucket?: never;
     snsTopic?: never;
     sqsQueue: SqsQueueConfiguration;
+    s3ExpressDirectoryBucket?: never;
+    $unknown?: never;
+  }
+
+  /**
+   * @public
+   * <p>The access control configuration is for an Amazon S3 directory bucket.</p>
+   */
+  export interface S3ExpressDirectoryBucketMember {
+    ebsSnapshot?: never;
+    ecrRepository?: never;
+    iamRole?: never;
+    efsFileSystem?: never;
+    kmsKey?: never;
+    rdsDbClusterSnapshot?: never;
+    rdsDbSnapshot?: never;
+    secretsManagerSecret?: never;
+    s3Bucket?: never;
+    snsTopic?: never;
+    sqsQueue?: never;
+    s3ExpressDirectoryBucket: S3ExpressDirectoryBucketConfiguration;
     $unknown?: never;
   }
 
@@ -2147,6 +2198,7 @@ export namespace Configuration {
     s3Bucket?: never;
     snsTopic?: never;
     sqsQueue?: never;
+    s3ExpressDirectoryBucket?: never;
     $unknown: [string, any];
   }
 
@@ -2162,6 +2214,7 @@ export namespace Configuration {
     s3Bucket: (value: S3BucketConfiguration) => T;
     snsTopic: (value: SnsTopicConfiguration) => T;
     sqsQueue: (value: SqsQueueConfiguration) => T;
+    s3ExpressDirectoryBucket: (value: S3ExpressDirectoryBucketConfiguration) => T;
     _: (name: string, value: any) => T;
   }
 
@@ -2177,6 +2230,8 @@ export namespace Configuration {
     if (value.s3Bucket !== undefined) return visitor.s3Bucket(value.s3Bucket);
     if (value.snsTopic !== undefined) return visitor.snsTopic(value.snsTopic);
     if (value.sqsQueue !== undefined) return visitor.sqsQueue(value.sqsQueue);
+    if (value.s3ExpressDirectoryBucket !== undefined)
+      return visitor.s3ExpressDirectoryBucket(value.s3ExpressDirectoryBucket);
     return visitor._(value.$unknown[0], value.$unknown[1]);
   };
 }
@@ -2388,6 +2443,7 @@ export type ResourceType =
   | "AWS::RDS::DBClusterSnapshot"
   | "AWS::RDS::DBSnapshot"
   | "AWS::S3::Bucket"
+  | "AWS::S3Express::DirectoryBucket"
   | "AWS::SNS::Topic"
   | "AWS::SQS::Queue"
   | "AWS::SecretsManager::Secret";
diff --git a/clients/client-accessanalyzer/src/protocols/Aws_restJson1.ts b/clients/client-accessanalyzer/src/protocols/Aws_restJson1.ts
@@ -130,6 +130,7 @@ import {
   S3AccessPointConfiguration,
   S3BucketAclGrantConfiguration,
   S3BucketConfiguration,
+  S3ExpressDirectoryBucketConfiguration,
   S3PublicAccessBlockConfiguration,
   SecretsManagerSecretConfiguration,
   ServiceQuotaExceededException,
@@ -3343,6 +3344,8 @@ const se_CloudTrailDetails = (input: CloudTrailDetails, context: __SerdeContext)
 
 // se_S3BucketConfiguration omitted.
 
+// se_S3ExpressDirectoryBucketConfiguration omitted.
+
 // se_S3PublicAccessBlockConfiguration omitted.
 
 // se_SecretsManagerSecretConfiguration omitted.
@@ -3822,6 +3825,8 @@ const de_PolicyGenerationList = (output: any, context: __SerdeContext): PolicyGe
 
 // de_S3BucketConfiguration omitted.
 
+// de_S3ExpressDirectoryBucketConfiguration omitted.
+
 // de_S3PublicAccessBlockConfiguration omitted.
 
 // de_SecretsManagerSecretConfiguration omitted.
diff --git a/codegen/sdk-codegen/aws-models/accessanalyzer.json b/codegen/sdk-codegen/aws-models/accessanalyzer.json
@@ -2327,7 +2327,7 @@
         "s3Bucket": {
           "target": "com.amazonaws.accessanalyzer#S3BucketConfiguration",
           "traits": {
-            "smithy.api#documentation": "<p>The access control configuration is for an Amazon S3 Bucket. </p>"
+            "smithy.api#documentation": "<p>The access control configuration is for an Amazon S3 bucket. </p>"
           }
         },
         "snsTopic": {
@@ -2341,6 +2341,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The access control configuration is for an Amazon SQS queue. </p>"
           }
+        },
+        "s3ExpressDirectoryBucket": {
+          "target": "com.amazonaws.accessanalyzer#S3ExpressDirectoryBucketConfiguration",
+          "traits": {
+            "smithy.api#documentation": "<p>The access control configuration is for an Amazon S3 directory bucket.</p>"
+          }
         }
       },
       "traits": {
@@ -5826,6 +5832,10 @@
           {
             "value": "AWS::SNS::Topic",
             "name": "AWS_SNS_TOPIC"
+          },
+          {
+            "value": "AWS::S3Express::DirectoryBucket",
+            "name": "AWS_S3EXPRESS_DIRECTORYBUCKET"
           }
         ]
       }
@@ -5937,6 +5947,23 @@
     "com.amazonaws.accessanalyzer#S3BucketPolicy": {
       "type": "string"
     },
+    "com.amazonaws.accessanalyzer#S3ExpressDirectoryBucketConfiguration": {
+      "type": "structure",
+      "members": {
+        "bucketPolicy": {
+          "target": "com.amazonaws.accessanalyzer#S3ExpressDirectoryBucketPolicy",
+          "traits": {
+            "smithy.api#documentation": "<p>The proposed bucket policy for the Amazon S3 directory bucket.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>Proposed access control configuration for an Amazon S3 directory bucket. You can propose a\n         configuration for a new Amazon S3 directory bucket or an existing Amazon S3 directory bucket that you\n         own by specifying the Amazon S3 bucket policy. If the configuration is for an existing Amazon S3\n         directory bucket and you do not specify the Amazon S3 bucket policy, the access preview uses the\n         existing policy attached to the directory bucket. If the access preview is for a new\n         resource and you do not specify the Amazon S3 bucket policy, the access preview assumes an\n         directory bucket without a policy. To propose deletion of an existing bucket policy, you\n         can specify an empty string. For more information about bucket policy limits, see <a href=\"https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html\">Example bucket policies</a>.</p>"
+      }
+    },
+    "com.amazonaws.accessanalyzer#S3ExpressDirectoryBucketPolicy": {
+      "type": "string"
+    },
     "com.amazonaws.accessanalyzer#S3PublicAccessBlockConfiguration": {
       "type": "structure",
       "members": {
