AWS::AccessAnalyzer::Analyzer
The AWS::AccessAnalyzer::Analyzer resource specifies a new analyzer. The analyzer is an object that represents the IAM Access Analyzer feature. An analyzer is required for Access Analyzer to become operational.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
    {
      "Type" : "AWS::AccessAnalyzer::Analyzer",
      "Properties" : {
          "AnalyzerConfiguration" : AnalyzerConfiguration,
          "AnalyzerName" : String,
          "ArchiveRules" : [ ArchiveRule, ... ],
          "Tags" : [ Tag, ... ],
          "Type" : String
        }
    }
YAML
    Type: AWS::AccessAnalyzer::Analyzer
    Properties:
      AnalyzerConfiguration:
        AnalyzerConfiguration
      AnalyzerName: String
      ArchiveRules:
        - ArchiveRule
      Tags:
        - Tag
      Type: String
Properties
- AnalyzerConfiguration
    Contains information about the configuration of an analyzer for an AWS organization or account.
    Required: No
    Type: AnalyzerConfiguration
    Update requires: Some interruptions
- AnalyzerName
    The name of the analyzer.
    Required: No
    Type: String
    Minimum: 1
    Maximum: 1024
    Update requires: Replacement
- ArchiveRules
    Specifies the archive rules to add for the analyzer. Archive rules automatically archive findings that meet the criteria you define for the rule.
    Required: No
    Type: Array of ArchiveRule
    Update requires: No interruption
- Tags
    An array of key-value pairs to apply to the analyzer. You can use the set of Unicode letters, digits, whitespace, _, ., /, =, +, and -. For the tag key, you can specify a value that is 1 to 128 characters in length and cannot be prefixed with aws:. For the tag value, you can specify a value that is 0 to 256 characters in length.
    Required: No
    Type: Array of Tag
    Maximum: 50
    Update requires: No interruption
- Type
    The type represents the zone of trust for the analyzer.
    Allowed Values: ACCOUNT | ORGANIZATION | ACCOUNT_UNUSED_ACCESS | ACCOUNT_INTERNAL_ACCESS | ORGANIZATION_INTERNAL_ACCESS | ORGANIZATION_UNUSED_ACCESS
    Required: Yes
    Type: String
    Minimum: 0
    Maximum: 1024
    Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ARN of the analyzer created.
For more information about using the Ref function, see Ref.
Fn::GetAtt
- Arn
    The ARN of the analyzer that was created.
Examples
Declare an Analyzer Resource
The following example shows how to declare an IAM Access Analyzer Analyzer resource:
JSON
    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Resources": {
        "Analyzer": {
          "Properties": {
            "AnalyzerName": "DevAccountAnalyzer",
            "ArchiveRules": [
              {
                "Filter": [
                  {
                    "Eq": [
                      "123456789012"
                    ],
                    "Property": "principal.AWS"
                  }
                ],
                "RuleName": "ArchiveTrustedAccountAccess"
              },
              {
                "Filter": [
                  {
                    "Contains": [
                      "arn:aws:s3:::amzn-s3-demo-logging-bucket",
                      "arn:aws:s3:::amzn-s3-demo-website-bucket"
                    ],
                    "Property": "resource"
                  }
                ],
                "RuleName": "ArchivePublicS3BucketsAccess"
              }
            ],
            "Tags": [
              {
                "Key": "Kind",
                "Value": "Dev"
              }
            ],
            "Type": "ACCOUNT"
          },
          "Type": "AWS::AccessAnalyzer::Analyzer"
        }
      }
    }
YAML
    AWSTemplateFormatVersion: 2010-09-09
    Resources:
      Analyzer:
        Type: 'AWS::AccessAnalyzer::Analyzer'
        Properties:
          AnalyzerName: MyAccountAnalyzer
          Type: ACCOUNT
          Tags:
            - Key: Kind
              Value: Dev
          ArchiveRules:
            - # Archive findings for a trusted AWS account
              RuleName: ArchiveTrustedAccountAccess
              Filter:
                - Property: 'principal.AWS'
                  Eq:
                    - '123456789012'
            - # Archive findings for known public S3 buckets
              RuleName: ArchivePublicS3BucketsAccess
              Filter:
                - Property: 'resource'
                  Contains:
                    - 'arn:aws:s3:::amzn-s3-demo-logging-bucket'
                    - 'arn:aws:s3:::amzn-s3-demo-website-bucket'
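Pre-deployment check for Analyzer resources

The following is an added example, not part of the AWS reference: a Python check that validates Analyzer resources in a JSON template against the allowed values and limits listed under Properties, and lists every archive rule filter so a reviewer can see which findings will be archived automatically. The function name `lint_analyzers` and the sample template are constructed for illustration, and the check assumes literal property values rather than intrinsic functions.

```python
import json

# Allowed values and limits are the ones listed in the Properties section of this page.
ALLOWED_TYPES = {
    "ACCOUNT", "ORGANIZATION", "ACCOUNT_UNUSED_ACCESS", "ACCOUNT_INTERNAL_ACCESS",
    "ORGANIZATION_INTERNAL_ACCESS", "ORGANIZATION_UNUSED_ACCESS",
}

def lint_analyzers(template):
    """Return (errors, suppressions) for each AWS::AccessAnalyzer::Analyzer resource."""
    errors, suppressions = [], []
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::AccessAnalyzer::Analyzer":
            continue
        props = res.get("Properties", {})
        if props.get("Type") not in ALLOWED_TYPES:
            errors.append(f"{lid}: Type {props.get('Type')!r} is not an allowed value")
        name = props.get("AnalyzerName")
        if isinstance(name, str) and not 1 <= len(name) <= 1024:
            errors.append(f"{lid}: AnalyzerName must be 1 to 1024 characters")
        tags = props.get("Tags", [])
        if len(tags) > 50:
            errors.append(f"{lid}: more than 50 tags")
        for tag in tags:
            key, value = tag.get("Key", ""), tag.get("Value", "")
            if not 1 <= len(key) <= 128 or key.startswith("aws:"):
                errors.append(f"{lid}: invalid tag key {key!r}")
            if len(value) > 256:
                errors.append(f"{lid}: tag value for {key!r} exceeds 256 characters")
        # Each archive rule hides matching findings, so list every filter for review.
        for rule in props.get("ArchiveRules", []):
            for flt in rule.get("Filter", []):
                for op, values in flt.items():
                    if op != "Property":
                        suppressions.append(
                            (lid, rule.get("RuleName"), flt.get("Property"), op, values))
    return errors, suppressions

# Constructed sample template: one analyzer with a bad Type and a reserved tag prefix.
SAMPLE = json.loads("""
{"Resources": {"BadAnalyzer": {"Type": "AWS::AccessAnalyzer::Analyzer", "Properties": {
  "AnalyzerName": "DevAccountAnalyzer", "Type": "ACCOUNTS",
  "Tags": [{"Key": "aws:owner", "Value": "Dev"}],
  "ArchiveRules": [{"RuleName": "ArchiveTrustedAccountAccess",
    "Filter": [{"Property": "principal.AWS", "Eq": ["123456789012"]}]}]}}}}
""")

if __name__ == "__main__":
    errs, supp = lint_analyzers(SAMPLE)
    print("\n".join(errs))
    for row in supp:
        print("auto-archives:", row)
```
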