ACCESS-ANALYZER

ApplyArchiveRule

valid {
    input.Body.analyzerArn == STRING
    input.Body.ruleName == STRING
    input.Body.clientToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CancelPolicyGeneration

valid {
    input.ReqMap.jobId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CheckAccessNotGranted

enum_AccessCheckPolicyType := [ "IDENTITY_POLICY", "RESOURCE_POLICY" ]

valid {
    input.Body.policyDocument == STRING
    input.Body.access[_].actions[_] == STRING
    input.Body.policyType == enum_AccessCheckPolicyType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CheckNoNewAccess

enum_AccessCheckPolicyType := [ "IDENTITY_POLICY", "RESOURCE_POLICY" ]

valid {
    input.Body.newPolicyDocument == STRING
    input.Body.existingPolicyDocument == STRING
    input.Body.policyType == enum_AccessCheckPolicyType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateAccessPreview

enum_AclPermission := [ "READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL" ]
enum_KmsGrantOperation := [ "CreateGrant", "Decrypt", "DescribeKey", "Encrypt", "GenerateDataKey", "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateDataKeyWithoutPlaintext", "GetPublicKey", "ReEncryptFrom", "ReEncryptTo", "RetireGrant", "Sign", "Verify" ]

valid {
    input.Body.analyzerArn == STRING
    input.Body.configurations.STRING.ebsSnapshot.userIds[_] == STRING
    input.Body.configurations.STRING.ebsSnapshot.groups[_] == STRING
    input.Body.configurations.STRING.ebsSnapshot.kmsKeyId == STRING
    input.Body.configurations.STRING.ecrRepository.repositoryPolicy == STRING
    input.Body.configurations.STRING.iamRole.trustPolicy == STRING
    input.Body.configurations.STRING.efsFileSystem.fileSystemPolicy == STRING
    input.Body.configurations.STRING.kmsKey.keyPolicies.STRING == STRING
    input.Body.configurations.STRING.kmsKey.grants[_].operations[_] == enum_KmsGrantOperation[_]
    input.Body.configurations.STRING.kmsKey.grants[_].granteePrincipal == STRING
    input.Body.configurations.STRING.kmsKey.grants[_].retiringPrincipal == STRING
    input.Body.configurations.STRING.kmsKey.grants[_].constraints.encryptionContextEquals.STRING == STRING
    input.Body.configurations.STRING.kmsKey.grants[_].constraints.encryptionContextSubset.STRING == STRING
    input.Body.configurations.STRING.kmsKey.grants[_].issuingAccount == STRING
    input.Body.configurations.STRING.rdsDbClusterSnapshot.attributes.STRING.accountIds[_] == STRING
    input.Body.configurations.STRING.rdsDbClusterSnapshot.kmsKeyId == STRING
    input.Body.configurations.STRING.rdsDbSnapshot.attributes.STRING.accountIds[_] == STRING
    input.Body.configurations.STRING.rdsDbSnapshot.kmsKeyId == STRING
    input.Body.configurations.STRING.secretsManagerSecret.kmsKeyId == STRING
    input.Body.configurations.STRING.secretsManagerSecret.secretPolicy == STRING
    input.Body.configurations.STRING.s3Bucket.bucketPolicy == STRING
    input.Body.configurations.STRING.s3Bucket.bucketAclGrants[_].permission == enum_AclPermission[_]
    input.Body.configurations.STRING.s3Bucket.bucketAclGrants[_].grantee.id == STRING
    input.Body.configurations.STRING.s3Bucket.bucketAclGrants[_].grantee.uri == STRING
    input.Body.configurations.STRING.s3Bucket.bucketPublicAccessBlock.ignorePublicAcls == BOOLEAN
    input.Body.configurations.STRING.s3Bucket.bucketPublicAccessBlock.restrictPublicBuckets == BOOLEAN
    input.Body.configurations.STRING.s3Bucket.accessPoints.STRING.accessPointPolicy == STRING
    input.Body.configurations.STRING.s3Bucket.accessPoints.STRING.publicAccessBlock.ignorePublicAcls == BOOLEAN
    input.Body.configurations.STRING.s3Bucket.accessPoints.STRING.publicAccessBlock.restrictPublicBuckets == BOOLEAN
    input.Body.configurations.STRING.s3Bucket.accessPoints.STRING.networkOrigin.vpcConfiguration.vpcId == STRING
    input.Body.configurations.STRING.s3Bucket.accessPoints.STRING.networkOrigin.internetConfiguration == {}
    input.Body.configurations.STRING.snsTopic.topicPolicy == STRING
    input.Body.configurations.STRING.sqsQueue.queuePolicy == STRING
    input.Body.configurations.STRING.s3ExpressDirectoryBucket.bucketPolicy == STRING
    input.Body.clientToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateAnalyzer

enum_Type := [ "ACCOUNT", "ORGANIZATION", "ACCOUNT_UNUSED_ACCESS", "ORGANIZATION_UNUSED_ACCESS" ]

valid {
    input.Body.analyzerName == STRING
    input.Body.type == enum_Type[_]
    input.Body.archiveRules[_].ruleName == STRING
    input.Body.archiveRules[_].filter.STRING.eq[_] == STRING
    input.Body.archiveRules[_].filter.STRING.neq[_] == STRING
    input.Body.archiveRules[_].filter.STRING.contains[_] == STRING
    input.Body.archiveRules[_].filter.STRING.exists == BOOLEAN
    input.Body.tags.STRING == STRING
    input.Body.clientToken == STRING
    input.Body.configuration.unusedAccess.unusedAccessAge == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateArchiveRule

valid {
    input.Body.ruleName == STRING
    input.Body.filter.STRING.eq[_] == STRING
    input.Body.filter.STRING.neq[_] == STRING
    input.Body.filter.STRING.contains[_] == STRING
    input.Body.filter.STRING.exists == BOOLEAN
    input.Body.clientToken == STRING
    input.ReqMap.analyzerName == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteAnalyzer

valid {
    input.ReqMap.analyzerName == STRING
    input.Qs.clientToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteArchiveRule

valid {
    input.ReqMap.analyzerName == STRING
    input.ReqMap.ruleName == STRING
    input.Qs.clientToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetAccessPreview

valid {
    input.ReqMap.accessPreviewId == STRING
    input.Qs.analyzerArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetAnalyzedResource

valid {
    input.Qs.analyzerArn == STRING
    input.Qs.resourceArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetAnalyzer

valid {
    input.ReqMap.analyzerName == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetArchiveRule

valid {
    input.ReqMap.analyzerName == STRING
    input.ReqMap.ruleName == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetFinding

valid {
    input.ReqMap.id == STRING
    input.Qs.analyzerArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetFindingV2

valid {
    input.ReqMap.id == STRING
    input.Qs.analyzerArn == STRING
    input.Qs.maxResults == INTEGER
    input.Qs.nextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetGeneratedPolicy

valid {
    input.ReqMap.jobId == STRING
    input.Qs.includeResourcePlaceholders == BOOLEAN
    input.Qs.includeServiceLevelTemplate == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListAccessPreviewFindings

valid {
    input.Body.analyzerArn == STRING
    input.Body.filter.STRING.eq[_] == STRING
    input.Body.filter.STRING.neq[_] == STRING
    input.Body.filter.STRING.contains[_] == STRING
    input.Body.filter.STRING.exists == BOOLEAN
    input.Body.nextToken == STRING
    input.Body.maxResults == INTEGER
    input.ReqMap.accessPreviewId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListAccessPreviews

valid {
    input.Qs.analyzerArn == STRING
    input.Qs.nextToken == STRING
    input.Qs.maxResults == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListAnalyzedResources

enum_ResourceType := [ "AWS::S3::Bucket", "AWS::IAM::Role", "AWS::SQS::Queue", "AWS::Lambda::Function", "AWS::Lambda::LayerVersion", "AWS::KMS::Key", "AWS::SecretsManager::Secret", "AWS::EFS::FileSystem", "AWS::EC2::Snapshot", "AWS::ECR::Repository", "AWS::RDS::DBSnapshot", "AWS::RDS::DBClusterSnapshot", "AWS::SNS::Topic", "AWS::S3Express::DirectoryBucket" ]

valid {
    input.Body.analyzerArn == STRING
    input.Body.resourceType == enum_ResourceType[_]
    input.Body.nextToken == STRING
    input.Body.maxResults == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListAnalyzers

enum_Type := [ "ACCOUNT", "ORGANIZATION", "ACCOUNT_UNUSED_ACCESS", "ORGANIZATION_UNUSED_ACCESS" ]

valid {
    input.Qs.nextToken == STRING
    input.Qs.maxResults == INTEGER
    input.Qs.type == enum_Type[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListArchiveRules

valid {
    input.ReqMap.analyzerName == STRING
    input.Qs.nextToken == STRING
    input.Qs.maxResults == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListFindings

enum_OrderBy := [ "ASC", "DESC" ]

valid {
    input.Body.analyzerArn == STRING
    input.Body.filter.STRING.eq[_] == STRING
    input.Body.filter.STRING.neq[_] == STRING
    input.Body.filter.STRING.contains[_] == STRING
    input.Body.filter.STRING.exists == BOOLEAN
    input.Body.sort.attributeName == STRING
    input.Body.sort.orderBy == enum_OrderBy[_]
    input.Body.nextToken == STRING
    input.Body.maxResults == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListFindingsV2

enum_OrderBy := [ "ASC", "DESC" ]

valid {
    input.Body.analyzerArn == STRING
    input.Body.filter.STRING.eq[_] == STRING
    input.Body.filter.STRING.neq[_] == STRING
    input.Body.filter.STRING.contains[_] == STRING
    input.Body.filter.STRING.exists == BOOLEAN
    input.Body.maxResults == INTEGER
    input.Body.nextToken == STRING
    input.Body.sort.attributeName == STRING
    input.Body.sort.orderBy == enum_OrderBy[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListPolicyGenerations

valid {
    input.Qs.principalArn == STRING
    input.Qs.maxResults == INTEGER
    input.Qs.nextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListTagsForResource

valid {
    input.ReqMap.resourceArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

StartPolicyGeneration

valid {
    input.Body.policyGenerationDetails.principalArn == STRING
    input.Body.cloudTrailDetails.trails[_].cloudTrailArn == STRING
    input.Body.cloudTrailDetails.trails[_].regions[_] == STRING
    input.Body.cloudTrailDetails.trails[_].allRegions == BOOLEAN
    input.Body.cloudTrailDetails.accessRole == STRING
    input.Body.cloudTrailDetails.startTime == TIMESTAMP
    input.Body.cloudTrailDetails.endTime == TIMESTAMP
    input.Body.clientToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

StartResourceScan

valid {
    input.Body.analyzerArn == STRING
    input.Body.resourceArn == STRING
    input.Body.resourceOwnerAccount == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

TagResource

valid {
    input.Body.tags.STRING == STRING
    input.ReqMap.resourceArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UntagResource

valid {
    input.ReqMap.resourceArn == STRING
    input.Qs.tagKeys[_] == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdateArchiveRule

valid {
    input.Body.filter.STRING.eq[_] == STRING
    input.Body.filter.STRING.neq[_] == STRING
    input.Body.filter.STRING.contains[_] == STRING
    input.Body.filter.STRING.exists == BOOLEAN
    input.Body.clientToken == STRING
    input.ReqMap.analyzerName == STRING
    input.ReqMap.ruleName == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdateFindings

enum_FindingStatusUpdate := [ "ACTIVE", "ARCHIVED" ]

valid {
    input.Body.analyzerArn == STRING
    input.Body.status == enum_FindingStatusUpdate[_]
    input.Body.ids[_] == STRING
    input.Body.resourceArn == STRING
    input.Body.clientToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ValidatePolicy

enum_Locale := [ "DE", "EN", "ES", "FR", "IT", "JA", "KO", "PT_BR", "ZH_CN", "ZH_TW" ]
enum_PolicyType := [ "IDENTITY_POLICY", "RESOURCE_POLICY", "SERVICE_CONTROL_POLICY" ]
enum_ValidatePolicyResourceType := [ "AWS::S3::Bucket", "AWS::S3::AccessPoint", "AWS::S3::MultiRegionAccessPoint", "AWS::S3ObjectLambda::AccessPoint", "AWS::IAM::AssumeRolePolicyDocument" ]

valid {
    input.Body.locale == enum_Locale[_]
    input.Body.policyDocument == STRING
    input.Body.policyType == enum_PolicyType[_]
    input.Body.validatePolicyResourceType == enum_ValidatePolicyResourceType[_]
    input.Qs.maxResults == INTEGER
    input.Qs.nextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}