ACCESS-ANALYZER
ApplyArchiveRule
valid {
input.Body.analyzerArn == STRING
input.Body.ruleName == STRING
input.Body.clientToken == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
CancelPolicyGeneration
valid {
input.ReqMap.jobId == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
CheckAccessNotGranted
enum_AccessCheckPolicyType := [ "IDENTITY_POLICY", "RESOURCE_POLICY" ]
valid {
input.Body.policyDocument == STRING
input.Body.access[_].actions[_] == STRING
input.Body.access[_].resources[_] == STRING
input.Body.policyType == enum_AccessCheckPolicyType[_]
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
CheckNoNewAccess
enum_AccessCheckPolicyType := [ "IDENTITY_POLICY", "RESOURCE_POLICY" ]
valid {
input.Body.newPolicyDocument == STRING
input.Body.existingPolicyDocument == STRING
input.Body.policyType == enum_AccessCheckPolicyType[_]
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
CheckNoPublicAccess
enum_AccessCheckResourceType := [ "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream", "AWS::EFS::FileSystem", "AWS::OpenSearchService::Domain", "AWS::Kinesis::Stream", "AWS::Kinesis::StreamConsumer", "AWS::KMS::Key", "AWS::Lambda::Function", "AWS::S3::Bucket", "AWS::S3::AccessPoint", "AWS::S3Express::DirectoryBucket", "AWS::S3::Glacier", "AWS::S3Outposts::Bucket", "AWS::S3Outposts::AccessPoint", "AWS::SecretsManager::Secret", "AWS::SNS::Topic", "AWS::SQS::Queue", "AWS::IAM::AssumeRolePolicyDocument" ]
valid {
input.Body.policyDocument == STRING
input.Body.resourceType == enum_AccessCheckResourceType[_]
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
CreateAccessPreview
enum_AclPermission := [ "READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL" ]
enum_KmsGrantOperation := [ "CreateGrant", "Decrypt", "DescribeKey", "Encrypt", "GenerateDataKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateDataKeyWithoutPlaintext", "GetPublicKey", "ReEncryptFrom", "ReEncryptTo", "RetireGrant", "Sign", "Verify" ]
valid {
input.Body.analyzerArn == STRING
input.Body.configurations.STRING.ebsSnapshot.userIds[_] == STRING
input.Body.configurations.STRING.ebsSnapshot.groups[_] == STRING
input.Body.configurations.STRING.ebsSnapshot.kmsKeyId == STRING
input.Body.configurations.STRING.ecrRepository.repositoryPolicy == STRING
input.Body.configurations.STRING.iamRole.trustPolicy == STRING
input.Body.configurations.STRING.efsFileSystem.fileSystemPolicy == STRING
input.Body.configurations.STRING.kmsKey.keyPolicies.STRING == STRING
input.Body.configurations.STRING.kmsKey.grants[_].operations[_] == enum_KmsGrantOperation[_]
input.Body.configurations.STRING.kmsKey.grants[_].granteePrincipal == STRING
input.Body.configurations.STRING.kmsKey.grants[_].retiringPrincipal == STRING
input.Body.configurations.STRING.kmsKey.grants[_].constraints.encryptionContextEquals.STRING == STRING
input.Body.configurations.STRING.kmsKey.grants[_].constraints.encryptionContextSubset.STRING == STRING
input.Body.configurations.STRING.kmsKey.grants[_].issuingAccount == STRING
input.Body.configurations.STRING.rdsDbClusterSnapshot.attributes.STRING.accountIds[_] == STRING
input.Body.configurations.STRING.rdsDbClusterSnapshot.kmsKeyId == STRING
input.Body.configurations.STRING.rdsDbSnapshot.attributes.STRING.accountIds[_] == STRING
input.Body.configurations.STRING.rdsDbSnapshot.kmsKeyId == STRING
input.Body.configurations.STRING.secretsManagerSecret.kmsKeyId == STRING
input.Body.configurations.STRING.secretsManagerSecret.secretPolicy == STRING
input.Body.configurations.STRING.s3Bucket.bucketPolicy == STRING
input.Body.configurations.STRING.s3Bucket.bucketAclGrants[_].permission == enum_AclPermission[_]
input.Body.configurations.STRING.s3Bucket.bucketAclGrants[_].grantee.id == STRING
input.Body.configurations.STRING.s3Bucket.bucketAclGrants[_].grantee.uri == STRING
input.Body.configurations.STRING.s3Bucket.bucketPublicAccessBlock.ignorePublicAcls == BOOLEAN
input.Body.configurations.STRING.s3Bucket.bucketPublicAccessBlock.restrictPublicBuckets == BOOLEAN
input.Body.configurations.STRING.s3Bucket.accessPoints.STRING.accessPointPolicy == STRING
input.Body.configurations.STRING.s3Bucket.accessPoints.STRING.publicAccessBlock.ignorePublicAcls == BOOLEAN
input.Body.configurations.STRING.s3Bucket.accessPoints.STRING.publicAccessBlock.restrictPublicBuckets == BOOLEAN
input.Body.configurations.STRING.s3Bucket.accessPoints.STRING.networkOrigin.vpcConfiguration.vpcId == STRING
input.Body.configurations.STRING.s3Bucket.accessPoints.STRING.networkOrigin.internetConfiguration == {}
input.Body.configurations.STRING.snsTopic.topicPolicy == STRING
input.Body.configurations.STRING.sqsQueue.queuePolicy == STRING
input.Body.configurations.STRING.s3ExpressDirectoryBucket.bucketPolicy == STRING
input.Body.configurations.STRING.dynamodbStream.streamPolicy == STRING
input.Body.configurations.STRING.dynamodbTable.tablePolicy == STRING
input.Body.clientToken == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
CreateAnalyzer
enum_Type := [ "ACCOUNT", "ORGANIZATION", "ACCOUNT_UNUSED_ACCESS", "ORGANIZATION_UNUSED_ACCESS" ]
valid {
input.Body.analyzerName == STRING
input.Body.type == enum_Type[_]
input.Body.archiveRules[_].ruleName == STRING
input.Body.archiveRules[_].filter.STRING.eq[_] == STRING
input.Body.archiveRules[_].filter.STRING.neq[_] == STRING
input.Body.archiveRules[_].filter.STRING.contains[_] == STRING
input.Body.archiveRules[_].filter.STRING.exists == BOOLEAN
input.Body.tags.STRING == STRING
input.Body.clientToken == STRING
input.Body.configuration.unusedAccess.unusedAccessAge == INTEGER
input.Body.configuration.unusedAccess.analysisRule.exclusions[_].accountIds[_] == STRING
input.Body.configuration.unusedAccess.analysisRule.exclusions[_].resourceTags[_].STRING == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
CreateArchiveRule
valid {
input.Body.ruleName == STRING
input.Body.filter.STRING.eq[_] == STRING
input.Body.filter.STRING.neq[_] == STRING
input.Body.filter.STRING.contains[_] == STRING
input.Body.filter.STRING.exists == BOOLEAN
input.Body.clientToken == STRING
input.ReqMap.analyzerName == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
DeleteAnalyzer
valid {
input.ReqMap.analyzerName == STRING
input.Qs.clientToken == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
DeleteArchiveRule
valid {
input.ReqMap.analyzerName == STRING
input.ReqMap.ruleName == STRING
input.Qs.clientToken == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
GenerateFindingRecommendation
valid {
input.ReqMap.id == STRING
input.Qs.analyzerArn == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
GetAccessPreview
valid {
input.ReqMap.accessPreviewId == STRING
input.Qs.analyzerArn == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
GetAnalyzedResource
valid {
input.Qs.analyzerArn == STRING
input.Qs.resourceArn == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
GetAnalyzer
valid {
input.ReqMap.analyzerName == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
GetArchiveRule
valid {
input.ReqMap.analyzerName == STRING
input.ReqMap.ruleName == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
GetFinding
valid {
input.ReqMap.id == STRING
input.Qs.analyzerArn == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
GetFindingRecommendation
valid {
input.ReqMap.id == STRING
input.Qs.analyzerArn == STRING
input.Qs.maxResults == INTEGER
input.Qs.nextToken == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
GetFindingV2
valid {
input.ReqMap.id == STRING
input.Qs.analyzerArn == STRING
input.Qs.maxResults == INTEGER
input.Qs.nextToken == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
GetGeneratedPolicy
valid {
input.ReqMap.jobId == STRING
input.Qs.includeResourcePlaceholders == BOOLEAN
input.Qs.includeServiceLevelTemplate == BOOLEAN
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
ListAccessPreviewFindings
valid {
input.Body.analyzerArn == STRING
input.Body.filter.STRING.eq[_] == STRING
input.Body.filter.STRING.neq[_] == STRING
input.Body.filter.STRING.contains[_] == STRING
input.Body.filter.STRING.exists == BOOLEAN
input.Body.nextToken == STRING
input.Body.maxResults == INTEGER
input.ReqMap.accessPreviewId == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
ListAccessPreviews
valid {
input.Qs.analyzerArn == STRING
input.Qs.nextToken == STRING
input.Qs.maxResults == INTEGER
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
ListAnalyzedResources
enum_ResourceType := [ "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket", "AWS::DynamoDB::Table", "AWS::DynamoDB::Stream", "AWS::IAM::User" ]
valid {
input.Body.analyzerArn == STRING
input.Body.resourceType == enum_ResourceType[_]
input.Body.nextToken == STRING
input.Body.maxResults == INTEGER
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
ListAnalyzers
enum_Type := [ "ACCOUNT", "ORGANIZATION", "ACCOUNT_UNUSED_ACCESS", "ORGANIZATION_UNUSED_ACCESS" ]
valid {
input.Qs.nextToken == STRING
input.Qs.maxResults == INTEGER
input.Qs.type == enum_Type[_]
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
ListArchiveRules
valid {
input.ReqMap.analyzerName == STRING
input.Qs.nextToken == STRING
input.Qs.maxResults == INTEGER
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
ListFindings
enum_OrderBy := [ "ASC", "DESC" ]
valid {
input.Body.analyzerArn == STRING
input.Body.filter.STRING.eq[_] == STRING
input.Body.filter.STRING.neq[_] == STRING
input.Body.filter.STRING.contains[_] == STRING
input.Body.filter.STRING.exists == BOOLEAN
input.Body.sort.attributeName == STRING
input.Body.sort.orderBy == enum_OrderBy[_]
input.Body.nextToken == STRING
input.Body.maxResults == INTEGER
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
ListFindingsV2
enum_OrderBy := [ "ASC", "DESC" ]
valid {
input.Body.analyzerArn == STRING
input.Body.filter.STRING.eq[_] == STRING
input.Body.filter.STRING.neq[_] == STRING
input.Body.filter.STRING.contains[_] == STRING
input.Body.filter.STRING.exists == BOOLEAN
input.Body.maxResults == INTEGER
input.Body.nextToken == STRING
input.Body.sort.attributeName == STRING
input.Body.sort.orderBy == enum_OrderBy[_]
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
ListPolicyGenerations
valid {
input.Qs.principalArn == STRING
input.Qs.maxResults == INTEGER
input.Qs.nextToken == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
ListTagsForResource
valid {
input.ReqMap.resourceArn == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
StartPolicyGeneration
valid {
input.Body.policyGenerationDetails.principalArn == STRING
input.Body.cloudTrailDetails.trails[_].cloudTrailArn == STRING
input.Body.cloudTrailDetails.trails[_].regions[_] == STRING
input.Body.cloudTrailDetails.trails[_].allRegions == BOOLEAN
input.Body.cloudTrailDetails.accessRole == STRING
input.Body.cloudTrailDetails.startTime == TIMESTAMP
input.Body.cloudTrailDetails.endTime == TIMESTAMP
input.Body.clientToken == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
StartResourceScan
valid {
input.Body.analyzerArn == STRING
input.Body.resourceArn == STRING
input.Body.resourceOwnerAccount == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
TagResource
valid {
input.Body.tags.STRING == STRING
input.ReqMap.resourceArn == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
UntagResource
valid {
input.ReqMap.resourceArn == STRING
input.Qs.tagKeys[_] == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
UpdateAnalyzer
valid {
input.Body.configuration.unusedAccess.unusedAccessAge == INTEGER
input.Body.configuration.unusedAccess.analysisRule.exclusions[_].accountIds[_] == STRING
input.Body.configuration.unusedAccess.analysisRule.exclusions[_].resourceTags[_].STRING == STRING
input.ReqMap.analyzerName == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
UpdateArchiveRule
valid {
input.Body.filter.STRING.eq[_] == STRING
input.Body.filter.STRING.neq[_] == STRING
input.Body.filter.STRING.contains[_] == STRING
input.Body.filter.STRING.exists == BOOLEAN
input.Body.clientToken == STRING
input.ReqMap.analyzerName == STRING
input.ReqMap.ruleName == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
UpdateFindings
enum_FindingStatusUpdate := [ "ACTIVE", "ARCHIVED" ]
valid {
input.Body.analyzerArn == STRING
input.Body.status == enum_FindingStatusUpdate[_]
input.Body.ids[_] == STRING
input.Body.resourceArn == STRING
input.Body.clientToken == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}
ValidatePolicy
enum_Locale := [ "DE", "EN", "ES", "FR", "IT", "JA", "KO", "PT_BR", "ZH_CN", "ZH_TW" ]
enum_PolicyType := [ "IDENTITY_POLICY", "RESOURCE_POLICY", "SERVICE_CONTROL_POLICY", "RESOURCE_CONTROL_POLICY" ]
enum_ValidatePolicyResourceType := [ "AWS::S3::Bucket", "AWS::S3::AccessPoint", "AWS::S3::MultiRegionAccessPoint", "AWS::S3ObjectLambda::AccessPoint", "AWS::IAM::AssumeRolePolicyDocument", "AWS::DynamoDB::Table" ]
valid {
input.Body.locale == enum_Locale[_]
input.Body.policyDocument == STRING
input.Body.policyType == enum_PolicyType[_]
input.Body.validatePolicyResourceType == enum_ValidatePolicyResourceType[_]
input.Qs.maxResults == INTEGER
input.Qs.nextToken == STRING
input.ProviderMetadata.Account == STRING
input.ProviderMetadata.AccessKeyId == STRING
input.ProviderMetadata.Region == STRING
}