AWS::AccessAnalyzer::Analyzer - Amazon CloudFormation

AWS::AccessAnalyzer::Analyzer

The AWS::AccessAnalyzer::Analyzer resource specifies a new analyzer. The analyzer is an object that represents the IAM Access Analyzer feature. An analyzer is required for Access Analyzer to become operational.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::AccessAnalyzer::Analyzer",
  "Properties" : {
      "AnalyzerConfiguration" : AnalyzerConfiguration,
      "AnalyzerName" : String,
      "ArchiveRules" : [ ArchiveRule, ... ],
      "Tags" : [ Tag, ... ],
      "Type" : String
    }
}

YAML

Type: AWS::AccessAnalyzer::Analyzer
Properties:
  AnalyzerConfiguration:
    AnalyzerConfiguration
  AnalyzerName: String
  ArchiveRules:
    - ArchiveRule
  Tags:
    - Tag
  Type: String

Properties

AnalyzerConfiguration

Contains information about the configuration of an unused access analyzer for an Amazon organization or account.

Required: No

Type: AnalyzerConfiguration

Update requires: Replacement

AnalyzerName

The name of the analyzer.

Required: No

Type: String

Minimum: 1

Maximum: 1024

Update requires: Replacement

ArchiveRules

Specifies the archive rules to add for the analyzer. Archive rules automatically archive findings that meet the criteria you define for the rule.

Required: No

Type: Array of ArchiveRule

Update requires: No interruption

Tags

An array of key-value pairs to apply to the analyzer.

Required: No

Type: Array of Tag

Maximum: 50

Update requires: No interruption

Type

The type represents the zone of trust for the analyzer.

Allowed Values: ACCOUNT | ORGANIZATION | ACCOUNT_UNUSED_ACCESS | ORGANIZATION_UNUSED_ACCESS

Required: Yes

Type: String

Minimum: 0

Maximum: 1024

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ARN of the analyzer created.

For more information about using the Ref function, see Ref.

Fn::GetAtt

Arn

The ARN of the analyzer that was created.

Examples

Declare an Analyzer Resource

The following example shows how to declare an IAM Access Analyzer Analyzer resource:

JSON

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Analyzer": {
      "Properties": {
        "AnalyzerName": "DevAccountAnalyzer",
        "ArchiveRules": [
          {
            "Filter": [
              {
                "Eq": [ "123456789012" ],
                "Property": "principal.AWS"
              }
            ],
            "RuleName": "ArchiveTrustedAccountAccess"
          },
          {
            "Filter": [
              {
                "Contains": [
                  "arn:aws:s3:::docs-bucket",
                  "arn:aws:s3:::clients-bucket"
                ],
                "Property": "resource"
              }
            ],
            "RuleName": "ArchivePublicS3BucketsAccess"
          }
        ],
        "Tags": [
          {
            "Key": "Kind",
            "Value": "Dev"
          }
        ],
        "Type": "ACCOUNT"
      },
      "Type": "AWS::AccessAnalyzer::Analyzer"
    }
  }
}

YAML

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Analyzer:
    Type: 'AWS::AccessAnalyzer::Analyzer'
    Properties:
      AnalyzerName: MyAccountAnalyzer
      Type: ACCOUNT
      Tags:
        - Key: Kind
          Value: Dev
      ArchiveRules:
        - # Archive findings for a trusted AWS account
          RuleName: ArchiveTrustedAccountAccess
          Filter:
            - Property: 'principal.AWS'
              Eq:
                - '123456789012'
        - # Archive findings for known public S3 buckets
          RuleName: ArchivePublicS3BucketsAccess
          Filter:
            - Property: 'resource'
              Contains:
                - 'arn:aws:s3:::docs-bucket'
                - 'arn:aws:s3:::clients-bucket'
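Archive rules suppress findings, so a rule that is broader than intended hides real external access instead of surfacing it. The following added example (not from the AWS documentation) is a small Python linter that checks an analyzer resource, given as a parsed template dict, against the constraints listed under Properties and flags archive rules that would archive too much; the "one operator per filter entry" and "short Contains value" checks, and the treatment of a filter-less rule, are this example's own assumptions.

```python
# Added example, not from the AWS docs: lint an AWS::AccessAnalyzer::Analyzer
# resource (as a parsed template dict) before deployment, enforcing the limits
# stated on the page plus some judgement calls that are marked as assumptions.
ALLOWED_TYPES = {"ACCOUNT", "ORGANIZATION",
                 "ACCOUNT_UNUSED_ACCESS", "ORGANIZATION_UNUSED_ACCESS"}
# Eq and Contains appear on the page; Neq and Exists are the other operators
# the ArchiveRule Filter type accepts.
OPERATORS = {"Eq", "Neq", "Contains", "Exists"}


def lint_analyzer(resource: dict) -> list[str]:
    """Return the problems found in one analyzer resource (empty list = clean)."""
    problems = []
    if resource.get("Type") != "AWS::AccessAnalyzer::Analyzer":
        return ["not an AWS::AccessAnalyzer::Analyzer resource"]
    props = resource.get("Properties", {})
    if props.get("Type") not in ALLOWED_TYPES:
        problems.append(f"Type {props.get('Type')!r} is not an allowed value")
    if "AnalyzerName" in props and not 1 <= len(props["AnalyzerName"]) <= 1024:
        problems.append("AnalyzerName must be 1..1024 characters")
    if len(props.get("Tags", [])) > 50:
        problems.append("more than 50 Tags")
    for rule in props.get("ArchiveRules", []):
        name, filters = rule.get("RuleName", "<unnamed>"), rule.get("Filter", [])
        if not filters:  # assumption: a filter-less rule would archive every finding
            problems.append(f"{name}: no Filter, would archive every finding")
        for flt in filters:
            ops = OPERATORS & set(flt)
            if "Property" not in flt or len(ops) != 1:  # assumption: one operator per entry
                problems.append(f"{name}: filter needs Property and exactly one operator")
            elif "Contains" in ops and any(len(v) < 12 for v in flt["Contains"]):
                # assumption: a short substring matches far more resources than intended
                problems.append(f"{name}: Contains value too short, matches too widely")
    return problems


# The page's own JSON example, as a dict.
PAGE_RESOURCE = {"Type": "AWS::AccessAnalyzer::Analyzer", "Properties": {
    "AnalyzerName": "DevAccountAnalyzer", "Type": "ACCOUNT",
    "Tags": [{"Key": "Kind", "Value": "Dev"}],
    "ArchiveRules": [
        {"RuleName": "ArchiveTrustedAccountAccess",
         "Filter": [{"Property": "principal.AWS", "Eq": ["123456789012"]}]},
        {"RuleName": "ArchivePublicS3BucketsAccess",
         "Filter": [{"Property": "resource",
                     "Contains": ["arn:aws:s3:::docs-bucket", "arn:aws:s3:::clients-bucket"]}]}]}}
# Constructed bad resource: invalid Type and a rule that would hide everything.
BAD_RESOURCE = {"Type": "AWS::AccessAnalyzer::Analyzer", "Properties": {
    "Type": "PUBLIC", "ArchiveRules": [{"RuleName": "ArchiveAll", "Filter": []}]}}
```

Running `lint_analyzer(PAGE_RESOURCE)` returns an empty list, while `lint_analyzer(BAD_RESOURCE)` reports the invalid Type and the filter-less rule.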