
/AWS1/CL_AANEXTERNALACCESSDETS

Contains information about an external access finding.

CONSTRUCTOR

IMPORTING

Required arguments:

it_condition TYPE /AWS1/CL_AANCONDITIONKEYMAP_W=>TT_CONDITIONKEYMAP

The condition in the analyzed policy statement that resulted in an external access finding.

Optional arguments:

it_action TYPE /AWS1/CL_AANACTIONLIST_W=>TT_ACTIONLIST

The action in the analyzed policy statement that an external principal has permission to use.

iv_ispublic TYPE /AWS1/AANBOOLEAN

Specifies whether the external access finding is public.

it_principal TYPE /AWS1/CL_AANPRINCIPALMAP_W=>TT_PRINCIPALMAP

The external principal that has access to a resource within the zone of trust.

it_sources TYPE /AWS1/CL_AANFINDINGSOURCE=>TT_FINDINGSOURCELIST

The sources of the external access finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.

iv_resourcectlplyrestriction TYPE /AWS1/AANRESRCCTLPLYRESTRICT00

The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).

  • APPLICABLE: There is an RCP present in the organization but IAM Access Analyzer does not include it in the evaluation of effective permissions. For example, if s3:DeleteObject is blocked by the RCP and the restriction is APPLICABLE, then s3:DeleteObject would still be included in the list of actions for the finding.

  • FAILED_TO_EVALUATE_RCP: There was an error evaluating the RCP.

  • NOT_APPLICABLE: There was no RCP present in the organization, or there was no RCP applicable to the resource. For example, the resource being analyzed is an Amazon RDS snapshot and there is an RCP in the organization, but the RCP only impacts Amazon S3 buckets.

  • APPLIED: This restriction is not currently available for external access findings.


Queryable Attributes

action

The action in the analyzed policy statement that an external principal has permission to use.

Accessible with the following methods

Method Description
GET_ACTION() Getter for ACTION, with configurable default
ASK_ACTION() Getter for ACTION w/ exceptions if field has no value
HAS_ACTION() Determine if ACTION has a value

condition

The condition in the analyzed policy statement that resulted in an external access finding.

Accessible with the following methods

Method Description
GET_CONDITION() Getter for CONDITION, with configurable default
ASK_CONDITION() Getter for CONDITION w/ exceptions if field has no value
HAS_CONDITION() Determine if CONDITION has a value

isPublic

Specifies whether the external access finding is public.

Accessible with the following methods

Method Description
GET_ISPUBLIC() Getter for ISPUBLIC, with configurable default
ASK_ISPUBLIC() Getter for ISPUBLIC w/ exceptions if field has no value
HAS_ISPUBLIC() Determine if ISPUBLIC has a value

principal

The external principal that has access to a resource within the zone of trust.

Accessible with the following methods

Method Description
GET_PRINCIPAL() Getter for PRINCIPAL, with configurable default
ASK_PRINCIPAL() Getter for PRINCIPAL w/ exceptions if field has no value
HAS_PRINCIPAL() Determine if PRINCIPAL has a value

sources

The sources of the external access finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.

Accessible with the following methods

Method Description
GET_SOURCES() Getter for SOURCES, with configurable default
ASK_SOURCES() Getter for SOURCES w/ exceptions if field has no value
HAS_SOURCES() Determine if SOURCES has a value

resourceControlPolicyRestriction

The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).

  • APPLICABLE: There is an RCP present in the organization but IAM Access Analyzer does not include it in the evaluation of effective permissions. For example, if s3:DeleteObject is blocked by the RCP and the restriction is APPLICABLE, then s3:DeleteObject would still be included in the list of actions for the finding.

  • FAILED_TO_EVALUATE_RCP: There was an error evaluating the RCP.

  • NOT_APPLICABLE: There was no RCP present in the organization, or there was no RCP applicable to the resource. For example, the resource being analyzed is an Amazon RDS snapshot and there is an RCP in the organization, but the RCP only impacts Amazon S3 buckets.

  • APPLIED: This restriction is not currently available for external access findings.

Accessible with the following methods

Method Description
GET_RESRCCTLPLYRESTRICTION() Getter for RESOURCECTLPOLICYRESTRICTION, with configurable default
ASK_RESRCCTLPLYRESTRICTION() Getter for RESOURCECTLPOLICYRESTRICTION w/ exceptions if field has no value
HAS_RESRCCTLPLYRESTRICTION() Determine if RESOURCECTLPOLICYRESTRICTION has a value
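The following ABAP is an added example and not part of the AWS SDK for SAP ABAP documentation above. It builds one /AWS1/CL_AANEXTERNALACCESSDETS instance from constructed values and triages it the way a reviewer of external access findings would: public access first, then mutating actions, then the RCP caveat. Only the constructor arguments and the GET_/HAS_ methods listed on this page are used on the finding itself; the wrapper-class calls (the IV_VALUE constructor argument and GET_VALUE( ) on /AWS1/CL_AANACTIONLIST_W) and the local class name LCL_FINDING_TRIAGE are assumptions following the SDK's usual conventions, not documented here.

```abap
CLASS lcl_finding_triage DEFINITION.
  PUBLIC SECTION.
    " Returns a coarse risk verdict for one external access finding.
    CLASS-METHODS triage
      IMPORTING io_details        TYPE REF TO /aws1/cl_aanexternalaccessdets
      RETURNING VALUE(rv_verdict) TYPE string.
ENDCLASS.

CLASS lcl_finding_triage IMPLEMENTATION.
  METHOD triage.
    " Public (anonymous) access is the worst case, so it is classified first.
    IF io_details->get_ispublic( ) = abap_true.
      rv_verdict = 'CRITICAL: resource is reachable by any principal'.
    ELSEIF io_details->has_principal( ) = abap_true.
      rv_verdict = 'HIGH: named external principal outside the zone of trust'.
    ELSE.
      rv_verdict = 'REVIEW: external access without principal details'.
    ENDIF.

    " Write/delete-style actions outweigh read access when prioritising.
    IF io_details->has_action( ) = abap_true.
      DATA(lt_actions) = io_details->get_action( ).
      LOOP AT lt_actions INTO DATA(lo_action).
        " Assumption: the list wrapper exposes the string via GET_VALUE( ).
        DATA(lv_action) = lo_action->get_value( ).
        IF lv_action CP '*:Delete*' OR lv_action CP '*:Put*'.
          rv_verdict = |{ rv_verdict }; mutating action { lv_action }|.
        ENDIF.
      ENDLOOP.
    ENDIF.

    " APPLICABLE means an RCP exists but was not folded into the action list,
    " so the actions reported above may overstate what is actually permitted.
    IF io_details->get_resrcctlplyrestriction( ) = 'APPLICABLE'.
      rv_verdict = |{ rv_verdict }; RCP present but not reflected in action list|.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed sample finding, not real IAM Access Analyzer output.
  " Assumption: the _W wrapper class takes IV_VALUE in its constructor.
  DATA(lt_sample_actions) = VALUE /aws1/cl_aanactionlist_w=>tt_actionlist(
    ( NEW /aws1/cl_aanactionlist_w( iv_value = 's3:GetObject' ) )
    ( NEW /aws1/cl_aanactionlist_w( iv_value = 's3:DeleteObject' ) ) ).

  DATA(lo_details) = NEW /aws1/cl_aanexternalaccessdets(
    it_condition                 = VALUE #( )   " no condition keys in the sample
    it_action                    = lt_sample_actions
    iv_ispublic                  = abap_true
    iv_resourcectlplyrestriction = 'APPLICABLE' ).

  " Expected verdict for the sample:
  " CRITICAL: resource is reachable by any principal; mutating action
  " s3:DeleteObject; RCP present but not reflected in action list
  WRITE: / lcl_finding_triage=>triage( lo_details ).
```

The RCP branch is the part most easily missed: when the restriction is APPLICABLE the action list is computed without the RCP, so a finding that looks benign after reading the organization's RCP still has to be judged on the actions shown here, which is exactly what the APPLICABLE bullet above describes.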