checkAccessNotGranted

Checks whether the supplied policy document grants the specified access. The check passes when the policy does not grant it and fails when it does; only the single document passed in is evaluated, so other policies that apply at runtime are not taken into account.

Samples

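// Passing check. Restrictive resource policy.
// The original label said "identity policy", but the document carries a
// Principal element and is submitted as RESOURCE_POLICY, so it is a resource
// policy; the label was corrected to match the code.
//
// The policy only allows s3:GetObject, while the check asks about s3:PutObject,
// so that access is not granted and the check passes.
//
// NOTE(review): only this one document is evaluated, in isolation. Other
// policies that apply at runtime (SCPs, permissions boundaries, other identity
// or resource policies) are not considered, so a passing result here is not a
// statement about effective access overall. Inspect the returned result
// (passed/failed) and its reasons rather than treating a non-throwing call as
// success — confirm the exact field names against the SDK model.
//
// Each sample on this page is standalone (they all bind `resp`); use one per scope.
val resp = accessAnalyzerClient.checkAccessNotGranted {
    access = listOf(
        Access {
            // Only actions are listed, no resources; presumably the check then
            // covers the action on any resource — verify against the API reference.
            actions = listOf("s3:PutObject")
        },
    )
    // Raw string: same bytes as the escaped form, easier to read and diff.
    policyDocument = """{"Version":"2012-10-17","Id":"123","Statement":[{"Sid":"AllowJohnDoe","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/JohnDoe"},"Action":"s3:GetObject","Resource":"*"}]}"""
    policyType = AccessCheckPolicyType.fromValue("RESOURCE_POLICY")
}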
// Passing check. Restrictive S3 bucket resource policy.
// The policy grants s3:PutObject on non-sensitive-bucket/* only; the check asks
// whether anything is granted on sensitive-bucket/*, which it is not.
//
// NOTE(review): only resources are listed in the access object, no actions;
// presumably any action on those resources is then in scope — verify against
// the API reference. As with every sample here, only the supplied document is
// evaluated, so check the returned result and reasons, not just that the call
// returned.
val restrictiveBucketPolicy =
    """{"Version":"2012-10-17","Id":"123","Statement":[{"Sid":"AllowJohnDoe","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/JohnDoe"},"Action":"s3:PutObject","Resource":"arn:aws:s3:::non-sensitive-bucket/*"}]}"""
val resp = accessAnalyzerClient.checkAccessNotGranted {
    access = listOf(
        Access {
            resources = listOf("arn:aws:s3:::sensitive-bucket/*")
        },
    )
    policyDocument = restrictiveBucketPolicy
    policyType = AccessCheckPolicyType.fromValue("RESOURCE_POLICY")
}
// Failing check. Permissive S3 bucket resource policy.
// The policy grants s3:PutObject on my-bucket/* and the check asks about
// my-bucket/*, so the access is granted and the check fails.
//
// NOTE(review): a failing result means the document does grant the access you
// wanted to rule out; a caller gating a deployment on this call should read the
// returned result and its reasons and stop on failure rather than assume a
// returned response means the policy is acceptable. Only this one document is
// evaluated — policies applied elsewhere are not part of the verdict.
val permissiveBucketPolicy =
    """{"Version":"2012-10-17","Id":"123","Statement":[{"Sid":"AllowJohnDoe","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:user/JohnDoe"},"Action":"s3:PutObject","Resource":"arn:aws:s3:::my-bucket/*"}]}"""
val resp = accessAnalyzerClient.checkAccessNotGranted {
    access = listOf(
        Access {
            resources = listOf("arn:aws:s3:::my-bucket/*")
        },
    )
    policyDocument = permissiveBucketPolicy
    policyType = AccessCheckPolicyType.fromValue("RESOURCE_POLICY")
}