
@cloud-copilot/iam-lens


Visibility in IAM in and across AWS accounts

import { type EvaluationResult, type RequestAnalysis } from '@cloud-copilot/iam-simulate';
import type { Job } from '@cloud-copilot/job';
import { IamCollectClient } from '../collect/client.js';
import type { S3AbacOverride } from '../utils/s3Abac.js';
import type { WhoCanAllowed } from './whoCan.js';
/**
 * One unit of "who can" work: a single (principal, action, resource) question
 * to be evaluated against collected IAM data.
 *
 * Only the shape is declared here; how each field is interpreted lives in the
 * implementation (WhoCanWorker.ts), which is not part of this declaration file.
 */
export interface WhoCanWorkItem {
  /**
   * Resource the request is evaluated against. May be undefined; presumably for
   * actions that are not resource-scoped — verify against the implementation.
   */
  resource: string | undefined;
  /**
   * Account that owns the resource. May be undefined; likely derived from the
   * resource when not supplied — confirm in the caller.
   */
  resourceAccount: string | undefined;
  /** IAM action being tested (e.g. a `service:Action` string — format assumed, not enforced here). */
  action: string;
  /** Principal whose access is being tested. */
  principal: string;
  /**
   * Context keys treated strictly during evaluation. Semantics are defined by the
   * implementation; presumably mirrors WhoCanOptions.strictContextKeys — TODO confirm.
   */
  strictContextKeys: string[] | undefined;
  /**
   * Whether a denied evaluation should carry a detailed RequestAnalysis.
   * Presumably selects between the plain 'denied' result and the
   * 'denied_single' / 'denied_wildcard' results below — verify in the implementation.
   */
  collectDenyDetails: boolean;
}
/**
 * Execution result when the principal is allowed access.
 */
export interface AllowedWhoCanExecutionResult {
  type: 'allowed';
  /** The work item that produced this result. */
  workItem: WhoCanWorkItem;
  /** Grant details; the WhoCanAllowed shape is declared in whoCan.ts. */
  allowed: WhoCanAllowed;
}
/**
 * Execution result when the principal is denied access, without detailed analysis.
 *
 * Note for consumers: this variant carries no explanation of the denial; only the
 * `denied_single` and `denied_wildcard` variants include a RequestAnalysis.
 */
export interface DeniedWhoCanExecutionResult {
  type: 'denied';
  /** The work item that produced this result. */
  workItem: WhoCanWorkItem;
}
/**
 * Execution result when the principal is denied access for a single resource pattern,
 * with detailed analysis included.
 */
export interface DeniedSingleWhoCanExecutionResult {
  type: 'denied_single';
  /** The work item that produced this result. */
  workItem: WhoCanWorkItem;
  /** Simulator analysis explaining why the request was denied. */
  analysis: RequestAnalysis;
}
/**
 * Details about a denied resource pattern, including the analysis for why it was denied.
 */
export interface WhoCanDenyResourceDetails {
  /**
   * The resource pattern that was tested.
   */
  pattern: string;
  /**
   * The type of resource for the pattern.
   */
  resourceType: string;
  /**
   * The analysis explaining why the request was denied.
   */
  analysis: RequestAnalysis;
}
/**
 * Execution result when the principal is denied access for a wildcard resource,
 * with detailed analysis for each denied pattern.
 */
export interface DeniedWildcardWhoCanExecutionResult {
  type: 'denied_wildcard';
  /** The work item that produced this result. */
  workItem: WhoCanWorkItem;
  /** Overall evaluation outcome across all tested patterns (simulator-defined). */
  overallResult: EvaluationResult;
  /** Per-pattern analyses; presumably only patterns that were denied — confirm in the implementation. */
  deniedPatterns: WhoCanDenyResourceDetails[];
}
/**
 * The result of executing a whoCan work item.
 *
 * Discriminated on `type`: exactly one of the allowed result or one of the
 * denied variants. Only `denied_single` and `denied_wildcard` carry a deny analysis;
 * plain `denied` carries none.
 */
export type WhoCanExecutionResult = AllowedWhoCanExecutionResult | DeniedWhoCanExecutionResult | DeniedSingleWhoCanExecutionResult | DeniedWildcardWhoCanExecutionResult;
/**
 * Union type for denied execution results that include detailed analysis.
 */
export type DeniedWhoCanExecutionResultWithDetails = DeniedSingleWhoCanExecutionResult | DeniedWildcardWhoCanExecutionResult;
/**
 * The possible values for the `type` discriminator of a WhoCanExecutionResult.
 */
export type WhoCanExecutionResultType = WhoCanExecutionResult['type'];
/**
 * Wraps a work item as a Job so it can be scheduled by the job runner.
 *
 * @param workItem - the (principal, action, resource) question to evaluate
 * @param collectClient - client used to read the collected IAM data
 * @param whoCanOptions - evaluation options (see WhoCanOptions)
 * @returns a Job that resolves to the WhoCanExecutionResult; the job's
 *   `Record<string, unknown>` metadata shape is not documented here
 */
export declare function createJobForWhoCanWorkItem(workItem: WhoCanWorkItem, collectClient: IamCollectClient, whoCanOptions: WhoCanOptions): Job<WhoCanExecutionResult, Record<string, unknown>>;
/**
 * Options controlling how a who-can evaluation is performed and how much
 * detail is collected. All fields are optional; defaults are set by the implementation.
 */
export interface WhoCanOptions {
  /** Override for S3 ABAC handling; shape declared in utils/s3Abac.ts. */
  s3AbacOverride?: S3AbacOverride;
  /** Collect a RequestAnalysis for denials (see WhoCanWorkItem.collectDenyDetails). */
  collectDenyDetails?: boolean;
  /**
   * Collect details for grants. No result field in this file reflects it directly;
   * presumably it affects the WhoCanAllowed payload — TODO confirm.
   */
  collectGrantDetails?: boolean;
  /** Context keys to treat strictly; semantics defined by the implementation. */
  strictContextKeys?: string[];
}
/**
 * Evaluates a single work item and returns its result.
 *
 * @param workItem - the (principal, action, resource) question to evaluate
 * @param collectClient - client used to read the collected IAM data
 * @param whoCanOptions - evaluation options (see WhoCanOptions)
 * @returns the discriminated WhoCanExecutionResult; rejection behaviour is not declared here
 */
export declare function executeWhoCan(workItem: WhoCanWorkItem, collectClient: IamCollectClient, whoCanOptions: WhoCanOptions): Promise<WhoCanExecutionResult>;
//# sourceMappingURL=WhoCanWorker.d.ts.map