check_no_public_access
- AccessAnalyzer.Client.check_no_public_access(**kwargs)
Checks whether a resource policy can grant public access to the specified resource type.
See also: AWS API Documentation
Request Syntax
response = client.check_no_public_access(
    policyDocument='string',
    resourceType='AWS::DynamoDB::Table'|'AWS::DynamoDB::Stream'|'AWS::EFS::FileSystem'|'AWS::OpenSearchService::Domain'|'AWS::Kinesis::Stream'|'AWS::Kinesis::StreamConsumer'|'AWS::KMS::Key'|'AWS::Lambda::Function'|'AWS::S3::Bucket'|'AWS::S3::AccessPoint'|'AWS::S3Express::DirectoryBucket'|'AWS::S3::Glacier'|'AWS::S3Outposts::Bucket'|'AWS::S3Outposts::AccessPoint'|'AWS::SecretsManager::Secret'|'AWS::SNS::Topic'|'AWS::SQS::Queue'|'AWS::IAM::AssumeRolePolicyDocument'|'AWS::S3Tables::TableBucket'|'AWS::ApiGateway::RestApi'|'AWS::CodeArtifact::Domain'|'AWS::Backup::BackupVault'|'AWS::CloudTrail::Dashboard'|'AWS::CloudTrail::EventDataStore'|'AWS::S3Tables::Table'|'AWS::S3Express::AccessPoint'
)
- Parameters:
policyDocument (string) –
[REQUIRED]
The JSON policy document to evaluate for public access.
resourceType (string) –
[REQUIRED]
The type of resource to evaluate for public access. For example, to check for public access to Amazon S3 buckets, you can choose AWS::S3::Bucket for the resource type.
For resource types not supported as valid values, IAM Access Analyzer will return an error.
- Return type:
dict
- Returns:
Response Syntax
{
    'result': 'PASS'|'FAIL',
    'message': 'string',
    'reasons': [
        {
            'description': 'string',
            'statementIndex': 123,
            'statementId': 'string'
        },
    ]
}
Response Structure
(dict) –
result (string) –
The result of the check for public access to the specified resource type. If the result is PASS, the policy doesn’t allow public access to the specified resource type. If the result is FAIL, the policy might allow public access to the specified resource type.
message (string) –
The message indicating whether the specified policy allows public access to resources.
reasons (list) –
A list of reasons why the specified resource policy grants public access for the resource type.
(dict) –
Contains information about the reasoning why a check for access passed or failed.
description (string) –
A description of the reasoning of a result of checking for access.
statementIndex (integer) –
The index number of the reason statement.
statementId (string) –
The identifier for the reason statement.
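A pre-deployment gate built on this call, as an added example that is not part of the boto3 documentation: it serializes the policy, treats anything other than PASS as a failure, and ties each entry in reasons back to the policy statement it names. gate_policy, CannedClient and SAMPLE_POLICY are hypothetical names; the canned response and sample policy are constructed; the code assumes statementIndex is a zero-based position in the policy's Statement list.

```python
import json

def gate_policy(client, policy, resource_type):
    """Return (passed, findings), tying each reason back to its statement."""
    resp = client.check_no_public_access(
        policyDocument=json.dumps(policy),  # the API takes a JSON string
        resourceType=resource_type,
    )
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings = []
    for reason in resp.get("reasons", []):
        idx = reason.get("statementIndex")
        # Assumption: statementIndex is a zero-based position in Statement.
        in_range = isinstance(idx, int) and 0 <= idx < len(statements)
        findings.append({
            "sid": reason.get("statementId"),
            "index": idx,
            "description": reason.get("description"),
            "statement": statements[idx] if in_range else None,
        })
    return resp["result"] == "PASS", findings

class CannedClient:
    """Constructed stand-in for boto3.client('accessanalyzer'); canned reply."""
    def check_no_public_access(self, policyDocument, resourceType):
        json.loads(policyDocument)  # reject a non-JSON argument early
        return {
            "result": "FAIL",
            "message": "constructed sample message",
            "reasons": [{"description": "constructed sample reason",
                         "statementIndex": 1, "statementId": "PublicRead"}],
        }
# Constructed sample bucket policy; account id and bucket name are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TeamRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"},
    ],
}

if __name__ == "__main__":
    passed, findings = gate_policy(CannedClient(), SAMPLE_POLICY, "AWS::S3::Bucket")
    print("PASS" if passed else "FAIL", [(f["sid"], f["index"]) for f in findings])
```

Against a real account, pass boto3.client('accessanalyzer') in place of CannedClient() and fail the pipeline when passed is False.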
Exceptions