
/AWS1/CL_AANINTERNALACCESSDETS

Contains information about an internal access finding. This includes details about the access that was identified within your Amazon Web Services organization or account.

CONSTRUCTOR

IMPORTING

Optional arguments:

it_action TYPE /AWS1/CL_AANACTIONLIST_W=>TT_ACTIONLIST

The actions in the analyzed policy statement that the principal has internal access permission to use.

it_condition TYPE /AWS1/CL_AANCONDITIONKEYMAP_W=>TT_CONDITIONKEYMAP

The condition in the analyzed policy statement that resulted in an internal access finding.

it_principal TYPE /AWS1/CL_AANPRINCIPALMAP_W=>TT_PRINCIPALMAP

The principal that has access to a resource within the internal environment.

iv_principalowneraccount TYPE /AWS1/AANSTRING

The Amazon Web Services account ID that owns the principal identified in the internal access finding.

iv_accesstype TYPE /AWS1/AANINTERNALACCESSTYPE

The type of internal access identified in the finding. This indicates how the access is granted within your Amazon Web Services environment.

iv_principaltype TYPE /AWS1/AANPRINCIPALTYPE

The type of principal identified in the internal access finding, such as IAM role or IAM user.

it_sources TYPE /AWS1/CL_AANFINDINGSOURCE=>TT_FINDINGSOURCELIST

The sources of the internal access finding. This indicates how the access that generated the finding is granted within your Amazon Web Services environment.

iv_resourcectlplyrestriction TYPE /AWS1/AANRESRCCTLPLYRESTRICT00

The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).

  • APPLICABLE: There is an RCP present in the organization but IAM Access Analyzer does not include it in the evaluation of effective permissions. For example, if s3:DeleteObject is blocked by the RCP and the restriction is APPLICABLE, then s3:DeleteObject would still be included in the list of actions for the finding. Only applicable to internal access findings with the account as the zone of trust.

  • FAILED_TO_EVALUATE_RCP: There was an error evaluating the RCP.

  • NOT_APPLICABLE: There was no RCP present in the organization. For internal access findings with the account as the zone of trust, NOT_APPLICABLE could also indicate that there was no RCP applicable to the resource.

  • APPLIED: An RCP is present in the organization and IAM Access Analyzer included it in the evaluation of effective permissions. For example, if s3:DeleteObject is blocked by the RCP and the restriction is APPLIED, then s3:DeleteObject would not be included in the list of actions for the finding. Only applicable to internal access findings with the organization as the zone of trust.

iv_svcctlpolicyrestriction TYPE /AWS1/AANSVCCTLPLYRESTRICTION

The type of restriction applied to the finding by an Organizations service control policy (SCP).

  • APPLICABLE: There is an SCP present in the organization but IAM Access Analyzer does not include it in the evaluation of effective permissions. Only applicable to internal access findings with the account as the zone of trust.

  • FAILED_TO_EVALUATE_SCP: There was an error evaluating the SCP.

  • NOT_APPLICABLE: There was no SCP present in the organization. For internal access findings with the account as the zone of trust, NOT_APPLICABLE could also indicate that there was no SCP applicable to the principal.

  • APPLIED: An SCP is present in the organization and IAM Access Analyzer included it in the evaluation of effective permissions. Only applicable to internal access findings with the organization as the zone of trust.


Queryable Attributes

action

The actions in the analyzed policy statement that the principal has internal access permission to use.

Accessible with the following methods

Method Description
GET_ACTION() Getter for ACTION, with configurable default
ASK_ACTION() Getter for ACTION w/ exceptions if field has no value
HAS_ACTION() Determine if ACTION has a value

condition

The condition in the analyzed policy statement that resulted in an internal access finding.

Accessible with the following methods

Method Description
GET_CONDITION() Getter for CONDITION, with configurable default
ASK_CONDITION() Getter for CONDITION w/ exceptions if field has no value
HAS_CONDITION() Determine if CONDITION has a value

principal

The principal that has access to a resource within the internal environment.

Accessible with the following methods

Method Description
GET_PRINCIPAL() Getter for PRINCIPAL, with configurable default
ASK_PRINCIPAL() Getter for PRINCIPAL w/ exceptions if field has no value
HAS_PRINCIPAL() Determine if PRINCIPAL has a value

principalOwnerAccount

The Amazon Web Services account ID that owns the principal identified in the internal access finding.

Accessible with the following methods

Method Description
GET_PRINCIPALOWNERACCOUNT() Getter for PRINCIPALOWNERACCOUNT, with configurable default
ASK_PRINCIPALOWNERACCOUNT() Getter for PRINCIPALOWNERACCOUNT w/ exceptions if field has no value
HAS_PRINCIPALOWNERACCOUNT() Determine if PRINCIPALOWNERACCOUNT has a value

accessType

The type of internal access identified in the finding. This indicates how the access is granted within your Amazon Web Services environment.

Accessible with the following methods

Method Description
GET_ACCESSTYPE() Getter for ACCESSTYPE, with configurable default
ASK_ACCESSTYPE() Getter for ACCESSTYPE w/ exceptions if field has no value
HAS_ACCESSTYPE() Determine if ACCESSTYPE has a value

principalType

The type of principal identified in the internal access finding, such as IAM role or IAM user.

Accessible with the following methods

Method Description
GET_PRINCIPALTYPE() Getter for PRINCIPALTYPE, with configurable default
ASK_PRINCIPALTYPE() Getter for PRINCIPALTYPE w/ exceptions if field has no value
HAS_PRINCIPALTYPE() Determine if PRINCIPALTYPE has a value

sources

The sources of the internal access finding. This indicates how the access that generated the finding is granted within your Amazon Web Services environment.

Accessible with the following methods

Method Description
GET_SOURCES() Getter for SOURCES, with configurable default
ASK_SOURCES() Getter for SOURCES w/ exceptions if field has no value
HAS_SOURCES() Determine if SOURCES has a value

resourceControlPolicyRestriction

The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).

  • APPLICABLE: There is an RCP present in the organization but IAM Access Analyzer does not include it in the evaluation of effective permissions. For example, if s3:DeleteObject is blocked by the RCP and the restriction is APPLICABLE, then s3:DeleteObject would still be included in the list of actions for the finding. Only applicable to internal access findings with the account as the zone of trust.

  • FAILED_TO_EVALUATE_RCP: There was an error evaluating the RCP.

  • NOT_APPLICABLE: There was no RCP present in the organization. For internal access findings with the account as the zone of trust, NOT_APPLICABLE could also indicate that there was no RCP applicable to the resource.

  • APPLIED: An RCP is present in the organization and IAM Access Analyzer included it in the evaluation of effective permissions. For example, if s3:DeleteObject is blocked by the RCP and the restriction is APPLIED, then s3:DeleteObject would not be included in the list of actions for the finding. Only applicable to internal access findings with the organization as the zone of trust.

Accessible with the following methods

Method Description
GET_RESRCCTLPLYRESTRICTION() Getter for RESOURCECTLPOLICYRESTRICTION, with configurable default
ASK_RESRCCTLPLYRESTRICTION() Getter for RESOURCECTLPOLICYRESTRICTION w/ exceptions if field has no value
HAS_RESRCCTLPLYRESTRICTION() Determine if RESOURCECTLPOLICYRESTRICTION has a value

serviceControlPolicyRestriction

The type of restriction applied to the finding by an Organizations service control policy (SCP).

  • APPLICABLE: There is an SCP present in the organization but IAM Access Analyzer does not include it in the evaluation of effective permissions. Only applicable to internal access findings with the account as the zone of trust.

  • FAILED_TO_EVALUATE_SCP: There was an error evaluating the SCP.

  • NOT_APPLICABLE: There was no SCP present in the organization. For internal access findings with the account as the zone of trust, NOT_APPLICABLE could also indicate that there was no SCP applicable to the principal.

  • APPLIED: An SCP is present in the organization and IAM Access Analyzer included it in the evaluation of effective permissions. Only applicable to internal access findings with the organization as the zone of trust.

Accessible with the following methods

Method Description
GET_SVCCTLPOLICYRESTRICTION() Getter for SVCCONTROLPOLICYRESTRICTION, with configurable default
ASK_SVCCTLPOLICYRESTRICTION() Getter for SVCCONTROLPOLICYRESTRICTION w/ exceptions if field has no value
HAS_SVCCTLPOLICYRESTRICTION() Determine if SVCCONTROLPOLICYRESTRICTION has a value
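Putting the constructor arguments and the SCP/RCP restriction semantics above together, here is an added example (not part of the AWS SDK for SAP ABAP documentation or of the SDK itself) of triaging an internal access finding's details. It uses only what this page documents: the constructor's named IMPORTING parameters and the GET_*/HAS_* getters, relying on the configurable default of GET_* being optional as the method tables state. The report name ZAAN_TRIAGE_DEMO, the local class, the sample account ID and the values INTRA_ACCOUNT and IAM_ROLE are assumptions chosen for illustration, not values taken from this page.

```abap
REPORT zaan_triage_demo.  " hypothetical report name, chosen for this example

" Added example, not SDK code. Decides whether the finding's action list can
" be read as the principal's effective permissions, or whether Organizations
" guardrails (SCP/RCP) existed but were left out of the evaluation.
CLASS lcl_internal_access_triage DEFINITION.
  PUBLIC SECTION.
    TYPES: BEGIN OF ty_verdict,
             principal_account TYPE string,
             access_type       TYPE string,
             principal_type    TYPE string,
             scp_restriction   TYPE string,
             rcp_restriction   TYPE string,
             overstated        TYPE abap_bool,  " guardrail present but not applied
             needs_review      TYPE abap_bool,  " evaluation error, route to a human
           END OF ty_verdict.

    CLASS-METHODS triage
      IMPORTING io_details        TYPE REF TO /aws1/cl_aaninternalaccessdets
      RETURNING VALUE(rs_verdict) TYPE ty_verdict.
ENDCLASS.

CLASS lcl_internal_access_triage IMPLEMENTATION.
  METHOD triage.
    " GET_* returns the field (or its default); HAS_* tells whether it was set.
    rs_verdict-principal_account = io_details->get_principalowneraccount( ).
    rs_verdict-access_type       = io_details->get_accesstype( ).
    rs_verdict-principal_type    = io_details->get_principaltype( ).

    IF io_details->has_svcctlpolicyrestriction( ) = abap_true.
      rs_verdict-scp_restriction = io_details->get_svcctlpolicyrestriction( ).
    ENDIF.
    IF io_details->has_resrcctlplyrestriction( ) = abap_true.
      rs_verdict-rcp_restriction = io_details->get_resrcctlplyrestriction( ).
    ENDIF.

    " APPLICABLE (account as zone of trust): an SCP/RCP exists but IAM Access
    " Analyzer did not factor it in, so actions the guardrail blocks are still
    " listed. Treat the action list as an upper bound, not as effective access.
    IF rs_verdict-scp_restriction = 'APPLICABLE'
       OR rs_verdict-rcp_restriction = 'APPLICABLE'.
      rs_verdict-overstated = abap_true.
    ENDIF.

    " FAILED_TO_EVALUATE_*: the policy could not be evaluated, so the action
    " list is neither an upper nor a lower bound. Do not auto-close or auto-ignore.
    IF rs_verdict-scp_restriction = 'FAILED_TO_EVALUATE_SCP'
       OR rs_verdict-rcp_restriction = 'FAILED_TO_EVALUATE_RCP'.
      rs_verdict-needs_review = abap_true.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed sample (not real data): an IAM role in account 111122223333,
  " account-scoped finding, SCP present but not applied, no RCP involved.
  DATA(lo_details) = NEW /aws1/cl_aaninternalaccessdets(
    iv_principalowneraccount     = '111122223333'
    iv_accesstype                = 'INTRA_ACCOUNT'
    iv_principaltype             = 'IAM_ROLE'
    iv_svcctlpolicyrestriction   = 'APPLICABLE'
    iv_resourcectlplyrestriction = 'NOT_APPLICABLE' ).

  DATA(ls_verdict) = lcl_internal_access_triage=>triage( lo_details ).

  WRITE: / 'Principal account:', ls_verdict-principal_account,
         / 'SCP restriction:  ', ls_verdict-scp_restriction,
         / 'RCP restriction:  ', ls_verdict-rcp_restriction.
  IF ls_verdict-overstated = abap_true.
    WRITE: / 'Action list is an upper bound: SCP/RCP present but not applied.'.
  ENDIF.
  IF ls_verdict-needs_review = abap_true.
    WRITE: / 'Guardrail evaluation failed: manual review required.'.
  ENDIF.
```

The practical point of the two flags: an automated pipeline that closes or deprioritizes findings based on the action list alone will misjudge account-scoped findings, because APPLICABLE means the analyzer deliberately ignored the SCP or RCP and the listed actions may be blocked in practice, while FAILED_TO_EVALUATE_SCP or FAILED_TO_EVALUATE_RCP means the list cannot be trusted in either direction. Only APPLIED (organization as zone of trust) lets the action list be read as effective permissions with the guardrails already subtracted.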