AWS::AccessAnalyzer::Analyzer - AWS CloudFormation
The AWS services or features described in AWS documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

AWS::AccessAnalyzer::Analyzer

The AWS::AccessAnalyzer::Analyzer resource specifies a new analyzer. An analyzer is the object that represents the IAM Access Analyzer feature. An analyzer is required for Access Analyzer to operate.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::AccessAnalyzer::Analyzer",
  "Properties" : {
      "AnalyzerName" : String,
      "ArchiveRules" : [ ArchiveRule, ... ],
      "Tags" : [ Tag, ... ],
      "Type" : String
    }
}

YAML

Type: AWS::AccessAnalyzer::Analyzer
Properties:
  AnalyzerName: String
  ArchiveRules:
    - ArchiveRule
  Tags:
    - Tag
  Type: String

Properties

AnalyzerName

The name of the analyzer.

Required: No

Type: String

Update requires: Replacement

ArchiveRules

Specifies the archive rules to add for the analyzer.

Required: No

Type: List of ArchiveRule

Update requires: No interruption

Tags

The tags to apply to the analyzer.

Required: No

Type: List of Tag

Update requires: No interruption

Type

The type represents the zone of trust for the analyzer.

Allowed values: ACCOUNT | ORGANIZATION

Required: Yes

Type: String

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ARN of the created analyzer.

For more information about using the Ref function, see Ref.

Examples

Declare an analyzer resource

The following example shows how to declare an IAM Access Analyzer Analyzer resource:

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Analyzer": {
      "Properties": {
        "AnalyzerName": "DevAccountAnalyzer",
        "ArchiveRules": [
          {
            "Filter": [
              {
                "Eq": [ "123456789012" ],
                "Property": "principal.AWS"
              }
            ],
            "RuleName": "ArchiveTrustedAccountAccess"
          },
          {
            "Filter": [
              {
                "Contains": [
                  "arn:aws:s3:::docs-bucket",
                  "arn:aws:s3:::clients-bucket"
                ],
                "Property": "resource"
              }
            ],
            "RuleName": "ArchivePublicS3BucketsAccess"
          }
        ],
        "Tags": [
          {
            "Key": "Kind",
            "Value": "Dev"
          }
        ],
        "Type": "ACCOUNT"
      },
      "Type": "AWS::AccessAnalyzer::Analyzer"
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Analyzer:
    Type: 'AWS::AccessAnalyzer::Analyzer'
    Properties:
      AnalyzerName: MyAccountAnalyzer
      Type: ACCOUNT
      Tags:
        - Key: Kind
          Value: Dev
      ArchiveRules:
        # Archive findings for a trusted AWS account
        - RuleName: ArchiveTrustedAccountAccess
          Filter:
            - Property: 'principal.AWS'
              Eq:
                - '123456789012'
        # Archive findings for known public S3 buckets
        - RuleName: ArchivePublicS3BucketsAccess
          Filter:
            - Property: 'resource'
              Contains:
                - 'arn:aws:s3:::docs-bucket'
                - 'arn:aws:s3:::clients-bucket'
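Archive rules suppress findings, so a rule that is malformed or overly broad can silently hide real external access. The following Python script is an added example, not code from this page or from AWS: it builds the analyzer resource shown above as a template dict and lints it before deployment. The property constraints it checks (Type in ACCOUNT | ORGANIZATION, the Eq and Contains filter operators) come from this page; the Neq and Exists operators, the build_analyzer_template and lint_analyzer function names, and the "very broad Contains value" threshold are assumptions made for this example.

```python
import json

# Values this reference page allows for the analyzer Type property.
ALLOWED_TYPES = {"ACCOUNT", "ORGANIZATION"}

# Filter operators: Eq and Contains appear in the page's example; Neq and Exists
# are assumed here as the remaining operators of the archive-rule filter.
LIST_OPERATORS = {"Eq", "Neq", "Contains"}
BOOL_OPERATORS = {"Exists"}

# Heuristic constructed for this example (not an AWS rule): a Contains value this
# short matches so many ARNs that the rule would archive findings wholesale.
MIN_CONTAINS_LEN = 12


def build_analyzer_template(name, analyzer_type, archive_rules, tags=None):
    """Return a minimal CloudFormation template dict declaring one analyzer."""
    props = {"AnalyzerName": name, "Type": analyzer_type, "ArchiveRules": archive_rules}
    if tags:
        props["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "Analyzer": {"Type": "AWS::AccessAnalyzer::Analyzer", "Properties": props}
        },
    }


def lint_analyzer(resource):
    """Check one AWS::AccessAnalyzer::Analyzer resource dict; return a list of problems."""
    problems = []
    if resource.get("Type") != "AWS::AccessAnalyzer::Analyzer":
        problems.append("resource Type is not AWS::AccessAnalyzer::Analyzer")
    props = resource.get("Properties", {})
    if props.get("Type") not in ALLOWED_TYPES:
        problems.append(f"Type must be one of {sorted(ALLOWED_TYPES)}, got {props.get('Type')!r}")
    seen = set()
    for i, rule in enumerate(props.get("ArchiveRules", [])):
        name = rule.get("RuleName")
        if not name:
            problems.append(f"ArchiveRules[{i}]: missing RuleName")
        elif name in seen:
            problems.append(f"ArchiveRules[{i}]: duplicate RuleName {name!r}")
        seen.add(name)
        filters = rule.get("Filter", [])
        if not filters:
            problems.append(f"ArchiveRules[{i}]: Filter is empty, so the rule would match every finding")
        for j, flt in enumerate(filters):
            where = f"ArchiveRules[{i}].Filter[{j}]"
            if not flt.get("Property"):
                problems.append(f"{where}: missing Property")
            ops = set(flt) - {"Property"}
            if not ops:
                problems.append(f"{where}: no operator (Eq/Neq/Contains/Exists)")
            for op in ops:
                val = flt[op]
                if op in LIST_OPERATORS:
                    if not isinstance(val, list) or not val:
                        problems.append(f"{where}: {op} must be a non-empty list")
                    elif op == "Contains":
                        for v in val:
                            if len(str(v)) < MIN_CONTAINS_LEN:
                                problems.append(f"{where}: Contains value {v!r} is very broad")
                elif op in BOOL_OPERATORS:
                    if not isinstance(val, bool):
                        problems.append(f"{where}: {op} must be a boolean")
                else:
                    problems.append(f"{where}: unknown operator {op!r}")
    return problems


def lint_template(template):
    """Lint every resource in a template; map logical ID -> list of problems."""
    return {lid: lint_analyzer(res) for lid, res in template["Resources"].items()}


# The two archive rules from this page's example, as plain dicts.
PAGE_RULES = [
    {"RuleName": "ArchiveTrustedAccountAccess",
     "Filter": [{"Property": "principal.AWS", "Eq": ["123456789012"]}]},
    {"RuleName": "ArchivePublicS3BucketsAccess",
     "Filter": [{"Property": "resource",
                 "Contains": ["arn:aws:s3:::docs-bucket", "arn:aws:s3:::clients-bucket"]}]},
]

if __name__ == "__main__":
    tpl = build_analyzer_template("DevAccountAnalyzer", "ACCOUNT", PAGE_RULES, {"Kind": "Dev"})
    print(json.dumps(tpl, indent=2))
    print(lint_template(tpl))  # {'Analyzer': []} for the page's example
```

Run it as a pre-deploy gate in the pipeline that ships the template: an empty problem list for every analyzer means the rules are at least well formed and none of them archives by a substring so short that it would blanket every resource of a type.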