AWS::AccessAnalyzer::Analyzer
AWS::AccessAnalyzer::Analyzer 资源指定新的分析器。分析器是表示 IAM Access Analyzer 功能的对象。需要使用分析器,Access Analyzer 才能正常运行。
语法
要在 AWS CloudFormation 模板中声明此实体,请使用以下语法:
JSON
{ "Type" : "AWS::AccessAnalyzer::Analyzer", "Properties" : { "AnalyzerName" :String, "ArchiveRules" :[ ArchiveRule, ... ], "Tags" :[ Tag, ... ], "Type" :String} }
YAML
Type: AWS::AccessAnalyzer::Analyzer Properties: AnalyzerName:StringArchiveRules:- ArchiveRuleTags:- TagType:String
属性
AnalyzerName-
分析器的名称。
必需:否
类型:字符串
Update requires: Replacement
ArchiveRules-
指定要为分析器添加的存档规则。
必需:否
类型:ArchiveRule 列表
Update requires: No interruption
Tags-
要应用于分析器的标签。
必需:否
类型:Tag 的列表
Update requires: No interruption
Type-
类型表示分析器的信任区域。
允许的值:ACCOUNT | ORGANIZATION
必需:是
类型:字符串
Update requires: Replacement
返回值
Ref
在将此资源的逻辑 ID 传递给内部 Ref 函数时,Ref 返回创建的分析器的 ARN。
For more information about using the Ref function, see Ref.
示例
声明分析器资源
以下示例说明了如何声明 IAM Access Analyzer Analyzer 资源:
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "Analyzer": { "Properties": { "AnalyzerName": "DevAccountAnalyzer", "ArchiveRules": [ { "Filter": [ { "Eq": [ "123456789012" ], "Property": "principal.AWS" } ], "RuleName": "ArchiveTrustedAccountAccess" }, { "Filter": [ { "Contains": [ "arn:aws:s3:::docs-bucket", "arn:aws:s3:::clients-bucket" ], "Property": "resource" } ], "RuleName": "ArchivePublicS3BucketsAccess" } ], "Tags": [ { "Key": "Kind", "Value": "Dev" } ], "Type": "ACCOUNT" }, "Type": "AWS::AccessAnalyzer::Analyzer" } } }
YAML
AWSTemplateFormatVersion: 2010-09-09 Resources: Analyzer: Type: 'AWS::AccessAnalyzer::Analyzer' Properties: AnalyzerName: MyAccountAnalyzer Type: ACCOUNT Tags: - Key: Kind Value: Dev ArchiveRules: - # Archive findings for a trusted AWS account RuleName: ArchiveTrustedAccountAccess Filter: - Property: 'principal.AWS' Eq: - '123456789012' - # Archive findings for known public S3 buckets RuleName: ArchivePublicS3BucketsAccess Filter: - Property: 'resource' Contains: - 'arn:aws:s3:::docs-bucket' - 'arn:aws:s3:::clients-bucket'