@ -5040,6 +5040,199 @@ func (c *IAM) GenerateCredentialReportWithContext(ctx aws.Context, input *Genera
return out , req . Send ( )
return out , req . Send ( )
}
}
const opGenerateOrganizationsAccessReport = "GenerateOrganizationsAccessReport"
// GenerateOrganizationsAccessReportRequest generates a "aws/request.Request" representing the
// client's request for the GenerateOrganizationsAccessReport operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See GenerateOrganizationsAccessReport for more information on using the GenerateOrganizationsAccessReport
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
// // Example sending a request using the GenerateOrganizationsAccessReportRequest method.
// req, resp := client.GenerateOrganizationsAccessReportRequest(params)
//
// err := req.Send()
// if err == nil { // resp is now filled
// fmt.Println(resp)
// }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/GenerateOrganizationsAccessReport
func ( c * IAM ) GenerateOrganizationsAccessReportRequest ( input * GenerateOrganizationsAccessReportInput ) ( req * request . Request , output * GenerateOrganizationsAccessReportOutput ) {
op := & request . Operation {
Name : opGenerateOrganizationsAccessReport ,
HTTPMethod : "POST" ,
HTTPPath : "/" ,
}
if input == nil {
input = & GenerateOrganizationsAccessReportInput { }
}
output = & GenerateOrganizationsAccessReportOutput { }
req = c . newRequest ( op , input , output )
return
}
// GenerateOrganizationsAccessReport API operation for AWS Identity and Access Management.
//
// Generates a report for service last accessed data for AWS Organizations.
// You can generate a report for any entities (organization root, organizational
// unit, or account) or policies in your organization.
//
// To call this operation, you must be signed in using your AWS Organizations
// master account credentials. You can use your long-term IAM user or root user
// credentials, or temporary credentials from assuming an IAM role. SCPs must
// be enabled for your organization root. You must have the required IAM and
// AWS Organizations permissions. For more information, see Refining Permissions
// Using Service Last Accessed Data (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html)
// in the IAM User Guide.
//
// You can generate a service last accessed data report for entities by specifying
// only the entity's path. This data includes a list of services that are allowed
// by any service control policies (SCPs) that apply to the entity.
//
// You can generate a service last accessed data report for a policy by specifying
// an entity's path and an optional AWS Organizations policy ID. This data includes
// a list of services that are allowed by the specified SCP.
//
// For each service in both report types, the data includes the most recent
// account activity that the policy allows to account principals in the entity
// or the entity's children. For important information about the data, reporting
// period, permissions required, troubleshooting, and supported Regions see
// Reducing Permissions Using Service Last Accessed Data (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html)
// in the IAM User Guide.
//
// The data includes all attempts to access AWS, not just the successful ones.
// This includes all attempts that were made using the AWS Management Console,
// the AWS API through any of the SDKs, or any of the command line tools. An
// unexpected entry in the service last accessed data does not mean that an
// account has been compromised, because the request might have been denied.
// Refer to your CloudTrail logs as the authoritative source for information
// about all API calls and whether they were successful or denied access. For
// more information, see Logging IAM Events with CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html)
// in the IAM User Guide.
//
// This operation returns a JobId. Use this parameter in the GetOrganizationsAccessReport
// operation to check the status of the report generation. To check the status
// of this request, use the JobId parameter in the GetOrganizationsAccessReport
// operation and test the JobStatus response parameter. When the job is complete,
// you can retrieve the report.
//
// To generate a service last accessed data report for entities, specify an
// entity path without specifying the optional AWS Organizations policy ID.
// The type of entity that you specify determines the data returned in the report.
//
// * Root – When you specify the organizations root as the entity, the
// resulting report lists all of the services allowed by SCPs that are attached
// to your root. For each service, the report includes data for all accounts
// in your organization except the master account, because the master account
// is not limited by SCPs.
//
// * OU – When you specify an organizational unit (OU) as the entity, the
// resulting report lists all of the services allowed by SCPs that are attached
// to the OU and its parents. For each service, the report includes data
// for all accounts in the OU or its children. This data excludes the master
// account, because the master account is not limited by SCPs.
//
// * Master account – When you specify the master account, the resulting
// report lists all AWS services, because the master account is not limited
// by SCPs. For each service, the report includes data for only the master
// account.
//
// * Account – When you specify another account as the entity, the resulting
// report lists all of the services allowed by SCPs that are attached to
// the account and its parents. For each service, the report includes data
// for only the specified account.
//
// To generate a service last accessed data report for policies, specify an
// entity path and the optional AWS Organizations policy ID. The type of entity
// that you specify determines the data returned for each service.
//
// * Root – When you specify the root entity and a policy ID, the resulting
// report lists all of the services that are allowed by the specified SCP.
// For each service, the report includes data for all accounts in your organization
// to which the SCP applies. This data excludes the master account, because
// the master account is not limited by SCPs. If the SCP is not attached
// to any entities in the organization, then the report will return a list
// of services with no data.
//
// * OU – When you specify an OU entity and a policy ID, the resulting
// report lists all of the services that are allowed by the specified SCP.
// For each service, the report includes data for all accounts in the OU
// or its children to which the SCP applies. This means that other accounts
// outside the OU that are affected by the SCP might not be included in the
// data. This data excludes the master account, because the master account
// is not limited by SCPs. If the SCP is not attached to the OU or one of
// its children, the report will return a list of services with no data.
//
// * Master account – When you specify the master account, the resulting
// report lists all AWS services, because the master account is not limited
// by SCPs. If you specify a policy ID in the CLI or API, the policy is ignored.
// For each service, the report includes data for only the master account.
//
// * Account – When you specify another account entity and a policy ID,
// the resulting report lists all of the services that are allowed by the
// specified SCP. For each service, the report includes data for only the
// specified account. This means that other accounts in the organization
// that are affected by the SCP might not be included in the data. If the
// SCP is not attached to the account, the report will return a list of services
// with no data.
//
// Service last accessed data does not use other policy types when determining
// whether a principal could access a service. These other policy types include
// identity-based policies, resource-based policies, access control lists, IAM
// permissions boundaries, and STS assume role policies. It only applies SCP
// logic. For more about the evaluation of policy types, see Evaluating Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-basics)
// in the IAM User Guide.
//
// For more information about service last accessed data, see Reducing Policy
// Scope by Viewing User Activity (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html)
// in the IAM User Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Identity and Access Management's
// API operation GenerateOrganizationsAccessReport for usage and error information.
//
// Returned Error Codes:
// * ErrCodeReportGenerationLimitExceededException "ReportGenerationLimitExceeded"
// The request failed because the maximum number of concurrent requests for
// this account are already running.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/GenerateOrganizationsAccessReport
func ( c * IAM ) GenerateOrganizationsAccessReport ( input * GenerateOrganizationsAccessReportInput ) ( * GenerateOrganizationsAccessReportOutput , error ) {
req , out := c . GenerateOrganizationsAccessReportRequest ( input )
return out , req . Send ( )
}
// GenerateOrganizationsAccessReportWithContext is the same as GenerateOrganizationsAccessReport with the addition of
// the ability to pass a context and additional request options.
//
// See GenerateOrganizationsAccessReport for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func ( c * IAM ) GenerateOrganizationsAccessReportWithContext ( ctx aws . Context , input * GenerateOrganizationsAccessReportInput , opts ... request . Option ) ( * GenerateOrganizationsAccessReportOutput , error ) {
req , out := c . GenerateOrganizationsAccessReportRequest ( input )
req . SetContext ( ctx )
req . ApplyOptions ( opts ... )
return out , req . Send ( )
}
const opGenerateServiceLastAccessedDetails = "GenerateServiceLastAccessedDetails"
const opGenerateServiceLastAccessedDetails = "GenerateServiceLastAccessedDetails"
// GenerateServiceLastAccessedDetailsRequest generates a "aws/request.Request" representing the
// GenerateServiceLastAccessedDetailsRequest generates a "aws/request.Request" representing the
@ -5084,12 +5277,11 @@ func (c *IAM) GenerateServiceLastAccessedDetailsRequest(input *GenerateServiceLa
// GenerateServiceLastAccessedDetails API operation for AWS Identity and Access Management.
// GenerateServiceLastAccessedDetails API operation for AWS Identity and Access Management.
//
//
// Generates a request for a report that includes details about when an IAM
// Generates a report that includes details about when an IAM resource (user,
// resource (user, group, role, or policy) was last used in an attempt to access
// group, role, or policy) was last used in an attempt to access AWS services.
// AWS services. Recent activity usually appears within four hours. IAM reports
// Recent activity usually appears within four hours. IAM reports activity for
// activity for the last 365 days, or less if your Region began supporting this
// the last 365 days, or less if your Region began supporting this feature within
// feature within the last year. For more information, see Regions Where Data
// the last year. For more information, see Regions Where Data Is Tracked (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period).
// Is Tracked (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#access-advisor_tracking-period).
//
//
// The service last accessed data includes all attempts to access an AWS API,
// The service last accessed data includes all attempts to access an AWS API,
// not just the successful ones. This includes all attempts that were made using
// not just the successful ones. This includes all attempts that were made using
@ -6361,6 +6553,105 @@ func (c *IAM) GetOpenIDConnectProviderWithContext(ctx aws.Context, input *GetOpe
return out , req . Send ( )
return out , req . Send ( )
}
}
const opGetOrganizationsAccessReport = "GetOrganizationsAccessReport"
// GetOrganizationsAccessReportRequest generates a "aws/request.Request" representing the
// client's request for the GetOrganizationsAccessReport operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See GetOrganizationsAccessReport for more information on using the GetOrganizationsAccessReport
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
// // Example sending a request using the GetOrganizationsAccessReportRequest method.
// req, resp := client.GetOrganizationsAccessReportRequest(params)
//
// err := req.Send()
// if err == nil { // resp is now filled
// fmt.Println(resp)
// }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/GetOrganizationsAccessReport
func ( c * IAM ) GetOrganizationsAccessReportRequest ( input * GetOrganizationsAccessReportInput ) ( req * request . Request , output * GetOrganizationsAccessReportOutput ) {
op := & request . Operation {
Name : opGetOrganizationsAccessReport ,
HTTPMethod : "POST" ,
HTTPPath : "/" ,
}
if input == nil {
input = & GetOrganizationsAccessReportInput { }
}
output = & GetOrganizationsAccessReportOutput { }
req = c . newRequest ( op , input , output )
return
}
// GetOrganizationsAccessReport API operation for AWS Identity and Access Management.
//
// Retrieves the service last accessed data report for AWS Organizations that
// was previously generated using the GenerateOrganizationsAccessReport operation.
// This operation retrieves the status of your report job and the report contents.
//
// Depending on the parameters that you passed when you generated the report,
// the data returned could include different information. For details, see GenerateOrganizationsAccessReport.
//
// To call this operation, you must be signed in to the master account in your
// organization. SCPs must be enabled for your organization root. You must have
// permissions to perform this operation. For more information, see Refining
// Permissions Using Service Last Accessed Data (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html)
// in the IAM User Guide.
//
// For each service that principals in an account (root users, IAM users, or
// IAM roles) could access using SCPs, the operation returns details about the
// most recent access attempt. If there was no attempt, the service is listed
// without details about the most recent attempt to access the service. If the
// operation fails, it returns the reason that it failed.
//
// By default, the list is sorted by service namespace.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Identity and Access Management's
// API operation GetOrganizationsAccessReport for usage and error information.
//
// Returned Error Codes:
// * ErrCodeNoSuchEntityException "NoSuchEntity"
// The request was rejected because it referenced a resource entity that does
// not exist. The error message describes the resource.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/iam-2010-05-08/GetOrganizationsAccessReport
func ( c * IAM ) GetOrganizationsAccessReport ( input * GetOrganizationsAccessReportInput ) ( * GetOrganizationsAccessReportOutput , error ) {
req , out := c . GetOrganizationsAccessReportRequest ( input )
return out , req . Send ( )
}
// GetOrganizationsAccessReportWithContext is the same as GetOrganizationsAccessReport with the addition of
// the ability to pass a context and additional request options.
//
// See GetOrganizationsAccessReport for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func ( c * IAM ) GetOrganizationsAccessReportWithContext ( ctx aws . Context , input * GetOrganizationsAccessReportInput , opts ... request . Option ) ( * GetOrganizationsAccessReportOutput , error ) {
req , out := c . GetOrganizationsAccessReportRequest ( input )
req . SetContext ( ctx )
req . ApplyOptions ( opts ... )
return out , req . Send ( )
}
const opGetPolicy = "GetPolicy"
const opGetPolicy = "GetPolicy"
// GetPolicyRequest generates a "aws/request.Request" representing the
// GetPolicyRequest generates a "aws/request.Request" representing the
@ -7080,10 +7371,11 @@ func (c *IAM) GetServiceLastAccessedDetailsRequest(input *GetServiceLastAccessed
// GetServiceLastAccessedDetails API operation for AWS Identity and Access Management.
// GetServiceLastAccessedDetails API operation for AWS Identity and Access Management.
//
//
// After you generate a user, group, role, or policy report using the GenerateServiceLastAccessedDetails
// Retrieves a service last accessed report that was created using the GenerateServiceLastAccessedDetails
// operation, you can use the JobId parameter in GetServiceLastAccessedDetails.
// operation. You can use the JobId parameter in GetServiceLastAccessedDetails
// This operation retrieves the status of your report job and a list of AWS
// to retrieve the status of your report job. When the report is complete, you
// services that the resource (user, group, role, or managed policy) can access.
// can retrieve the generated report. The report includes a list of AWS services
// that the resource (user, group, role, or managed policy) can access.
//
//
// Service last accessed data does not use other policy types when determining
// Service last accessed data does not use other policy types when determining
// whether a resource could access a service. These other policy types include
// whether a resource could access a service. These other policy types include
@ -15036,6 +15328,108 @@ func (c *IAM) UploadSigningCertificateWithContext(ctx aws.Context, input *Upload
return out , req . Send ( )
return out , req . Send ( )
}
}
// An object that contains details about when a principal in the reported AWS
// Organizations entity last attempted to access an AWS service. A principal
// can be an IAM user, an IAM role, or the AWS account root user within the
// reported Organizations entity.
//
// This data type is a response element in the GetOrganizationsAccessReport
// operation.
type AccessDetail struct {
_ struct { } ` type:"structure" `
// The path of the Organizations entity (root, organizational unit, or account)
// from which an authenticated principal last attempted to access the service.
// AWS does not report unauthenticated requests.
//
// This field is null if no principals (IAM users, IAM roles, or root users)
// in the reported Organizations entity attempted to access the service within
// the reporting period (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).
EntityPath * string ` min:"19" type:"string" `
// The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601),
// when an authenticated principal most recently attempted to access the service.
// AWS does not report unauthenticated requests.
//
// This field is null if no principals in the reported Organizations entity
// attempted to access the service within the reporting period (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).
LastAuthenticatedTime * time . Time ` type:"timestamp" `
// The Region where the last service access attempt occurred.
//
// This field is null if no principals in the reported Organizations entity
// attempted to access the service within the reporting period (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).
Region * string ` type:"string" `
// The name of the service in which access was attempted.
//
// ServiceName is a required field
ServiceName * string ` type:"string" required:"true" `
// The namespace of the service in which access was attempted.
//
// To learn the service namespace of a service, go to Actions, Resources, and
// Condition Keys for AWS Services (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html)
// in the IAM User Guide. Choose the name of the service to view details for
// that service. In the first paragraph, find the service prefix. For example,
// (service prefix: a4b). For more information about service namespaces, see
// AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces)
// in the AWS General Reference.
//
// ServiceNamespace is a required field
ServiceNamespace * string ` min:"1" type:"string" required:"true" `
// The number of accounts with authenticated principals (root users, IAM users,
// and IAM roles) that attempted to access the service in the reporting period.
TotalAuthenticatedEntities * int64 ` type:"integer" `
}
// String returns the string representation
func ( s AccessDetail ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s AccessDetail ) GoString ( ) string {
return s . String ( )
}
// SetEntityPath sets the EntityPath field's value.
func ( s * AccessDetail ) SetEntityPath ( v string ) * AccessDetail {
s . EntityPath = & v
return s
}
// SetLastAuthenticatedTime sets the LastAuthenticatedTime field's value.
func ( s * AccessDetail ) SetLastAuthenticatedTime ( v time . Time ) * AccessDetail {
s . LastAuthenticatedTime = & v
return s
}
// SetRegion sets the Region field's value.
func ( s * AccessDetail ) SetRegion ( v string ) * AccessDetail {
s . Region = & v
return s
}
// SetServiceName sets the ServiceName field's value.
func ( s * AccessDetail ) SetServiceName ( v string ) * AccessDetail {
s . ServiceName = & v
return s
}
// SetServiceNamespace sets the ServiceNamespace field's value.
func ( s * AccessDetail ) SetServiceNamespace ( v string ) * AccessDetail {
s . ServiceNamespace = & v
return s
}
// SetTotalAuthenticatedEntities sets the TotalAuthenticatedEntities field's value.
func ( s * AccessDetail ) SetTotalAuthenticatedEntities ( v int64 ) * AccessDetail {
s . TotalAuthenticatedEntities = & v
return s
}
// Contains information about an AWS access key.
// Contains information about an AWS access key.
//
//
// This data type is used as a response element in the CreateAccessKey and ListAccessKeys
// This data type is used as a response element in the CreateAccessKey and ListAccessKeys
@ -15130,12 +15524,12 @@ type AccessKeyLastUsed struct {
// * An access key exists but has not been used since IAM began tracking
// * An access key exists but has not been used since IAM began tracking
// this information.
// this information.
//
//
// * There is no sign-in data associated with the user
// * There is no sign-in data associated with the user .
//
//
// LastUsedDate is a required field
// LastUsedDate is a required field
LastUsedDate * time . Time ` type:"timestamp" required:"true" `
LastUsedDate * time . Time ` type:"timestamp" required:"true" `
// The AWS r egion where this access key was most recently used. The value for
// The AWS R egion where this access key was most recently used. The value for
// this field is "N/A" in the following situations:
// this field is "N/A" in the following situations:
//
//
// * The user does not have an access key.
// * The user does not have an access key.
@ -15143,9 +15537,9 @@ type AccessKeyLastUsed struct {
// * An access key exists but has not been used since IAM began tracking
// * An access key exists but has not been used since IAM began tracking
// this information.
// this information.
//
//
// * There is no sign-in data associated with the user
// * There is no sign-in data associated with the user .
//
//
// For more information about AWS r egions, see Regions and Endpoints (https://docs.aws.amazon.com/general/latest/gr/rande.html)
// For more information about AWS R egions, see Regions and Endpoints (https://docs.aws.amazon.com/general/latest/gr/rande.html)
// in the Amazon Web Services General Reference.
// in the Amazon Web Services General Reference.
//
//
// Region is a required field
// Region is a required field
@ -15159,7 +15553,7 @@ type AccessKeyLastUsed struct {
// * An access key exists but has not been used since IAM started tracking
// * An access key exists but has not been used since IAM started tracking
// this information.
// this information.
//
//
// * There is no sign-in data associated with the user
// * There is no sign-in data associated with the user .
//
//
// ServiceName is a required field
// ServiceName is a required field
ServiceName * string ` type:"string" required:"true" `
ServiceName * string ` type:"string" required:"true" `
@ -16778,7 +17172,7 @@ type CreateRoleInput struct {
// The trust relationship policy document that grants an entity permission to
// The trust relationship policy document that grants an entity permission to
// assume the role.
// assume the role.
//
//
// i n IAM, you must provide a JSON policy that has been converted to a string.
// I n IAM, you must provide a JSON policy that has been converted to a string.
// However, for AWS CloudFormation templates formatted in YAML, you can provide
// However, for AWS CloudFormation templates formatted in YAML, you can provide
// the policy in JSON or YAML format. AWS CloudFormation always converts a YAML
// the policy in JSON or YAML format. AWS CloudFormation always converts a YAML
// policy to JSON format before submitting it to IAM.
// policy to JSON format before submitting it to IAM.
@ -19072,7 +19466,7 @@ type DeletionTaskFailureReasonType struct {
// role has active sessions or if any resources that were used by the role have
// role has active sessions or if any resources that were used by the role have
// not been deleted from the linked service, the role can't be deleted. This
// not been deleted from the linked service, the role can't be deleted. This
// parameter includes a list of the resources that are associated with the role
// parameter includes a list of the resources that are associated with the role
// and the r egion in which the resources are being used.
// and the R egion in which the resources are being used.
RoleUsageList [ ] * RoleUsageType ` type:"list" `
RoleUsageList [ ] * RoleUsageType ` type:"list" `
}
}
@ -19593,8 +19987,9 @@ func (s *EntityInfo) SetType(v string) *EntityInfo {
// Contains information about the reason that the operation failed.
// Contains information about the reason that the operation failed.
//
//
// This data type is used as a response element in the GetServiceLastAccessedDetails
// This data type is used as a response element in the GetOrganizationsAccessReport,
// operation and the GetServiceLastAccessedDetailsWithEntities operation.
// GetServiceLastAccessedDetails, and GetServiceLastAccessedDetailsWithEntities
// operations.
type ErrorDetails struct {
type ErrorDetails struct {
_ struct { } ` type:"structure" `
_ struct { } ` type:"structure" `
@ -19662,7 +20057,7 @@ type EvaluationResult struct {
// A list of the statements in the input policies that determine the result
// A list of the statements in the input policies that determine the result
// for this scenario. Remember that even if multiple statements allow the operation
// for this scenario. Remember that even if multiple statements allow the operation
// on the resource, if only one statement denies that operation, then the explicit
// on the resource, if only one statement denies that operation, then the explicit
// deny overrides any allow. In addition, the deny statement is the only entry
// deny overrides any allow. In addition, the deny statement is the only entry
// included in the result.
// included in the result.
MatchedStatements [ ] * Statement ` type:"list" `
MatchedStatements [ ] * Statement ` type:"list" `
@ -19675,7 +20070,7 @@ type EvaluationResult struct {
// call GetContextKeysForCustomPolicy or GetContextKeysForPrincipalPolicy.
// call GetContextKeysForCustomPolicy or GetContextKeysForPrincipalPolicy.
MissingContextValues [ ] * string ` type:"list" `
MissingContextValues [ ] * string ` type:"list" `
// A structure that details how AWS Organizations and its service control policies
// A structure that details how Organizations and its service control policies
// affect the results of the simulation. Only applies if the simulated user's
// affect the results of the simulation. Only applies if the simulated user's
// account is part of an organization.
// account is part of an organization.
OrganizationsDecisionDetail * OrganizationsDecisionDetail ` type:"structure" `
OrganizationsDecisionDetail * OrganizationsDecisionDetail ` type:"structure" `
@ -19790,6 +20185,87 @@ func (s *GenerateCredentialReportOutput) SetState(v string) *GenerateCredentialR
return s
return s
}
}
type GenerateOrganizationsAccessReportInput struct {
_ struct { } ` type:"structure" `
// The path of the AWS Organizations entity (root, OU, or account). You can
// build an entity path using the known structure of your organization. For
// example, assume that your account ID is 123456789012 and its parent OU ID
// is ou-rge0-awsabcde. The organization root ID is r-f6g7h8i9j0example and
// your organization ID is o-a1b2c3d4e5. Your entity path is o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-rge0-awsabcde/123456789012.
//
// EntityPath is a required field
EntityPath * string ` min:"19" type:"string" required:"true" `
// The identifier of the AWS Organizations service control policy (SCP). This
// parameter is optional.
//
// This ID is used to generate information about when an account principal that
// is limited by the SCP attempted to access an AWS service.
OrganizationsPolicyId * string ` type:"string" `
}
// String returns the string representation
func ( s GenerateOrganizationsAccessReportInput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s GenerateOrganizationsAccessReportInput ) GoString ( ) string {
return s . String ( )
}
// Validate inspects the fields of the type to determine if they are valid.
func ( s * GenerateOrganizationsAccessReportInput ) Validate ( ) error {
invalidParams := request . ErrInvalidParams { Context : "GenerateOrganizationsAccessReportInput" }
if s . EntityPath == nil {
invalidParams . Add ( request . NewErrParamRequired ( "EntityPath" ) )
}
if s . EntityPath != nil && len ( * s . EntityPath ) < 19 {
invalidParams . Add ( request . NewErrParamMinLen ( "EntityPath" , 19 ) )
}
if invalidParams . Len ( ) > 0 {
return invalidParams
}
return nil
}
// SetEntityPath sets the EntityPath field's value.
func ( s * GenerateOrganizationsAccessReportInput ) SetEntityPath ( v string ) * GenerateOrganizationsAccessReportInput {
s . EntityPath = & v
return s
}
// SetOrganizationsPolicyId sets the OrganizationsPolicyId field's value.
func ( s * GenerateOrganizationsAccessReportInput ) SetOrganizationsPolicyId ( v string ) * GenerateOrganizationsAccessReportInput {
s . OrganizationsPolicyId = & v
return s
}
type GenerateOrganizationsAccessReportOutput struct {
_ struct { } ` type:"structure" `
// The job identifier that you can use in the GetOrganizationsAccessReport operation.
JobId * string ` min:"36" type:"string" `
}
// String returns the string representation
func ( s GenerateOrganizationsAccessReportOutput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s GenerateOrganizationsAccessReportOutput ) GoString ( ) string {
return s . String ( )
}
// SetJobId sets the JobId field's value.
func ( s * GenerateOrganizationsAccessReportOutput ) SetJobId ( v string ) * GenerateOrganizationsAccessReportOutput {
s . JobId = & v
return s
}
type GenerateServiceLastAccessedDetailsInput struct {
type GenerateServiceLastAccessedDetailsInput struct {
_ struct { } ` type:"structure" `
_ struct { } ` type:"structure" `
@ -20878,6 +21354,211 @@ func (s *GetOpenIDConnectProviderOutput) SetUrl(v string) *GetOpenIDConnectProvi
return s
return s
}
}
type GetOrganizationsAccessReportInput struct {
_ struct { } ` type:"structure" `
// The identifier of the request generated by the GenerateOrganizationsAccessReport
// operation.
//
// JobId is a required field
JobId * string ` min:"36" type:"string" required:"true" `
// Use this parameter only when paginating results and only after you receive
// a response indicating that the results are truncated. Set it to the value
// of the Marker element in the response that you received to indicate where
// the next call should start.
Marker * string ` min:"1" type:"string" `
// Use this only when paginating results to indicate the maximum number of items
// you want in the response. If additional items exist beyond the maximum you
// specify, the IsTruncated response element is true.
//
// If you do not include this parameter, the number of items defaults to 100.
// Note that IAM might return fewer results, even when there are more results
// available. In that case, the IsTruncated response element returns true, and
// Marker contains a value to include in the subsequent call that tells the
// service where to continue from.
MaxItems * int64 ` min:"1" type:"integer" `
// The key that is used to sort the results. If you choose the namespace key,
// the results are returned in alphabetical order. If you choose the time key,
// the results are sorted numerically by the date and time.
SortKey * string ` type:"string" enum:"sortKeyType" `
}
// String returns the string representation
func ( s GetOrganizationsAccessReportInput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s GetOrganizationsAccessReportInput ) GoString ( ) string {
return s . String ( )
}
// Validate inspects the fields of the type to determine if they are valid.
func ( s * GetOrganizationsAccessReportInput ) Validate ( ) error {
invalidParams := request . ErrInvalidParams { Context : "GetOrganizationsAccessReportInput" }
if s . JobId == nil {
invalidParams . Add ( request . NewErrParamRequired ( "JobId" ) )
}
if s . JobId != nil && len ( * s . JobId ) < 36 {
invalidParams . Add ( request . NewErrParamMinLen ( "JobId" , 36 ) )
}
if s . Marker != nil && len ( * s . Marker ) < 1 {
invalidParams . Add ( request . NewErrParamMinLen ( "Marker" , 1 ) )
}
if s . MaxItems != nil && * s . MaxItems < 1 {
invalidParams . Add ( request . NewErrParamMinValue ( "MaxItems" , 1 ) )
}
if invalidParams . Len ( ) > 0 {
return invalidParams
}
return nil
}
// SetJobId sets the JobId field's value.
func ( s * GetOrganizationsAccessReportInput ) SetJobId ( v string ) * GetOrganizationsAccessReportInput {
s . JobId = & v
return s
}
// SetMarker sets the Marker field's value.
func ( s * GetOrganizationsAccessReportInput ) SetMarker ( v string ) * GetOrganizationsAccessReportInput {
s . Marker = & v
return s
}
// SetMaxItems sets the MaxItems field's value.
func ( s * GetOrganizationsAccessReportInput ) SetMaxItems ( v int64 ) * GetOrganizationsAccessReportInput {
s . MaxItems = & v
return s
}
// SetSortKey sets the SortKey field's value.
func ( s * GetOrganizationsAccessReportInput ) SetSortKey ( v string ) * GetOrganizationsAccessReportInput {
s . SortKey = & v
return s
}
type GetOrganizationsAccessReportOutput struct {
_ struct { } ` type:"structure" `
// An object that contains details about the most recent attempt to access the
// service.
AccessDetails [ ] * AccessDetail ` type:"list" `
// Contains information about the reason that the operation failed.
//
// This data type is used as a response element in the GetOrganizationsAccessReport,
// GetServiceLastAccessedDetails, and GetServiceLastAccessedDetailsWithEntities
// operations.
ErrorDetails * ErrorDetails ` type:"structure" `
// A flag that indicates whether there are more items to return. If your results
// were truncated, you can make a subsequent pagination request using the Marker
// request parameter to retrieve more items. Note that IAM might return fewer
// than the MaxItems number of results even when there are more results available.
// We recommend that you check IsTruncated after every call to ensure that you
// receive all your results.
IsTruncated * bool ` type:"boolean" `
// The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601),
// when the generated report job was completed or failed.
//
// This field is null if the job is still in progress, as indicated by a job
// status value of IN_PROGRESS.
JobCompletionDate * time . Time ` type:"timestamp" `
// The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601),
// when the report job was created.
//
// JobCreationDate is a required field
JobCreationDate * time . Time ` type:"timestamp" required:"true" `
// The status of the job.
//
// JobStatus is a required field
JobStatus * string ` type:"string" required:"true" enum:"jobStatusType" `
// When IsTruncated is true, this element is present and contains the value
// to use for the Marker parameter in a subsequent pagination request.
Marker * string ` min:"1" type:"string" `
// The number of services that the applicable SCPs allow account principals
// to access.
NumberOfServicesAccessible * int64 ` type:"integer" `
// The number of services that account principals are allowed but did not attempt
// to access.
NumberOfServicesNotAccessed * int64 ` type:"integer" `
}
// String returns the string representation
func ( s GetOrganizationsAccessReportOutput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s GetOrganizationsAccessReportOutput ) GoString ( ) string {
return s . String ( )
}
// SetAccessDetails sets the AccessDetails field's value.
func ( s * GetOrganizationsAccessReportOutput ) SetAccessDetails ( v [ ] * AccessDetail ) * GetOrganizationsAccessReportOutput {
s . AccessDetails = v
return s
}
// SetErrorDetails sets the ErrorDetails field's value.
func ( s * GetOrganizationsAccessReportOutput ) SetErrorDetails ( v * ErrorDetails ) * GetOrganizationsAccessReportOutput {
s . ErrorDetails = v
return s
}
// SetIsTruncated sets the IsTruncated field's value.
func ( s * GetOrganizationsAccessReportOutput ) SetIsTruncated ( v bool ) * GetOrganizationsAccessReportOutput {
s . IsTruncated = & v
return s
}
// SetJobCompletionDate sets the JobCompletionDate field's value.
func ( s * GetOrganizationsAccessReportOutput ) SetJobCompletionDate ( v time . Time ) * GetOrganizationsAccessReportOutput {
s . JobCompletionDate = & v
return s
}
// SetJobCreationDate sets the JobCreationDate field's value.
func ( s * GetOrganizationsAccessReportOutput ) SetJobCreationDate ( v time . Time ) * GetOrganizationsAccessReportOutput {
s . JobCreationDate = & v
return s
}
// SetJobStatus sets the JobStatus field's value.
func ( s * GetOrganizationsAccessReportOutput ) SetJobStatus ( v string ) * GetOrganizationsAccessReportOutput {
s . JobStatus = & v
return s
}
// SetMarker sets the Marker field's value.
func ( s * GetOrganizationsAccessReportOutput ) SetMarker ( v string ) * GetOrganizationsAccessReportOutput {
s . Marker = & v
return s
}
// SetNumberOfServicesAccessible sets the NumberOfServicesAccessible field's value.
func ( s * GetOrganizationsAccessReportOutput ) SetNumberOfServicesAccessible ( v int64 ) * GetOrganizationsAccessReportOutput {
s . NumberOfServicesAccessible = & v
return s
}
// SetNumberOfServicesNotAccessed sets the NumberOfServicesNotAccessed field's value.
func ( s * GetOrganizationsAccessReportOutput ) SetNumberOfServicesNotAccessed ( v int64 ) * GetOrganizationsAccessReportOutput {
s . NumberOfServicesNotAccessed = & v
return s
}
type GetPolicyInput struct {
type GetPolicyInput struct {
_ struct { } ` type:"structure" `
_ struct { } ` type:"structure" `
@ -21585,8 +22266,8 @@ type GetServiceLastAccessedDetailsOutput struct {
// The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601),
// The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601),
// when the generated report job was completed or failed.
// when the generated report job was completed or failed.
//
//
// This field is null if the job is still in progress, as indicated by a JobStatus
// This field is null if the job is still in progress, as indicated by a job
// value of IN_PROGRESS.
// status value of IN_PROGRESS.
//
//
// JobCompletionDate is a required field
// JobCompletionDate is a required field
JobCompletionDate * time . Time ` type:"timestamp" required:"true" `
JobCompletionDate * time . Time ` type:"timestamp" required:"true" `
@ -21792,6 +22473,9 @@ type GetServiceLastAccessedDetailsWithEntitiesOutput struct {
// The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601),
// The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601),
// when the generated report job was completed or failed.
// when the generated report job was completed or failed.
//
//
// This field is null if the job is still in progress, as indicated by a job
// status value of IN_PROGRESS.
//
// JobCompletionDate is a required field
// JobCompletionDate is a required field
JobCompletionDate * time . Time ` type:"timestamp" required:"true" `
JobCompletionDate * time . Time ` type:"timestamp" required:"true" `
@ -26271,11 +26955,12 @@ func (s *OpenIDConnectProviderListEntry) SetArn(v string) *OpenIDConnectProvider
return s
return s
}
}
// Contains information about AWS Organizations's effect on a policy simulation.
// Contains information about the effect that Organizations has on a policy
// simulation.
type OrganizationsDecisionDetail struct {
type OrganizationsDecisionDetail struct {
_ struct { } ` type:"structure" `
_ struct { } ` type:"structure" `
// Specifies whether the simulated operation is allowed by the AWS Organizations
// Specifies whether the simulated operation is allowed by the Organizations
// service control policies that impact the simulated user's account.
// service control policies that impact the simulated user's account.
AllowedByOrganizations * bool ` type:"boolean" `
AllowedByOrganizations * bool ` type:"boolean" `
}
}
@ -26914,7 +27599,9 @@ type PutGroupPolicyInput struct {
// The name of the group to associate the policy with.
// The name of the group to associate the policy with.
//
//
// ®ex-name;.
// This parameter allows (through its regex pattern (http://wikipedia.org/wiki/regex))
// a string of characters consisting of upper and lowercase alphanumeric characters
// with no spaces. You can also include any of the following characters: _+=,.@-.
//
//
// GroupName is a required field
// GroupName is a required field
GroupName * string ` min:"1" type:"string" required:"true" `
GroupName * string ` min:"1" type:"string" required:"true" `
@ -28201,7 +28888,7 @@ func (s *RoleDetail) SetTags(v []*Tag) *RoleDetail {
type RoleUsageType struct {
type RoleUsageType struct {
_ struct { } ` type:"structure" `
_ struct { } ` type:"structure" `
// The name of the r egion where the service-linked role is being used.
// The name of the R egion where the service-linked role is being used.
Region * string ` min:"1" type:"string" `
Region * string ` min:"1" type:"string" `
// The name of the resource that is using the service-linked role.
// The name of the resource that is using the service-linked role.
@ -28599,10 +29286,10 @@ type ServiceLastAccessed struct {
// ServiceNamespace is a required field
// ServiceNamespace is a required field
ServiceNamespace * string ` min:"1" type:"string" required:"true" `
ServiceNamespace * string ` min:"1" type:"string" required:"true" `
// The total number of authenticated entities that have attempted to access
// The total number of authenticated principals (root user, IAM users, or IAM
// the service.
// roles) that have attempted to access the service.
//
//
// This field is null if no IAM entitie s attempted to access the service within
// This field is null if no principal s attempted to access the service within
// the reporting period (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).
// the reporting period (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html#service-last-accessed-reporting-period).
TotalAuthenticatedEntities * int64 ` type:"integer" `
TotalAuthenticatedEntities * int64 ` type:"integer" `
}
}
@ -29379,7 +30066,7 @@ type SimulatePrincipalPolicyInput struct {
CallerArn * string ` min:"1" type:"string" `
CallerArn * string ` min:"1" type:"string" `
// A list of context keys and corresponding values for the simulation to use.
// A list of context keys and corresponding values for the simulation to use.
// Whenever a context key is evaluated in one of the simulated IAM permission
// Whenever a context key is evaluated in one of the simulated IAM permission s
// policies, the corresponding value is supplied.
// policies, the corresponding value is supplied.
ContextEntries [ ] * ContextEntry ` type:"list" `
ContextEntries [ ] * ContextEntry ` type:"list" `
@ -31837,7 +32524,7 @@ type User struct {
// * A password exists but has not been used since IAM started tracking this
// * A password exists but has not been used since IAM started tracking this
// information on October 20, 2014.
// information on October 20, 2014.
//
//
// A null value does not mean that the user never had a password. Also, if the
// A null value does not mean that the user never had a password. Also, if the
// user does not currently have a password, but had one in the past, then this
// user does not currently have a password, but had one in the past, then this
// field contains the date and time the most recent password was used.
// field contains the date and time the most recent password was used.
//
//
@ -32334,6 +33021,20 @@ const (
PolicyTypeManaged = "MANAGED"
PolicyTypeManaged = "MANAGED"
)
)
const (
// SortKeyTypeServiceNamespaceAscending is a sortKeyType enum value
SortKeyTypeServiceNamespaceAscending = "SERVICE_NAMESPACE_ASCENDING"
// SortKeyTypeServiceNamespaceDescending is a sortKeyType enum value
SortKeyTypeServiceNamespaceDescending = "SERVICE_NAMESPACE_DESCENDING"
// SortKeyTypeLastAuthenticatedTimeAscending is a sortKeyType enum value
SortKeyTypeLastAuthenticatedTimeAscending = "LAST_AUTHENTICATED_TIME_ASCENDING"
// SortKeyTypeLastAuthenticatedTimeDescending is a sortKeyType enum value
SortKeyTypeLastAuthenticatedTimeDescending = "LAST_AUTHENTICATED_TIME_DESCENDING"
)
const (
const (
// StatusTypeActive is a statusType enum value
// StatusTypeActive is a statusType enum value
StatusTypeActive = "Active"
StatusTypeActive = "Active"