import { AccessLevelList } from '../../shared/access-level';
import { PolicyStatement, Operator } from '../../shared';
import { aws_iam as iam } from "aws-cdk-lib";
/**
* Statement provider for service [access-analyzer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamaccessanalyzer.html).
*
* @param sid [SID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) of the statement
*/
export declare class AccessAnalyzer extends PolicyStatement {
  // Service prefix used to qualify this class's action names; presumably
  // "access-analyzer" given the class docstring — confirm in the implementation.
  servicePrefix: string;
  /**
   * Grants permission to apply an archive rule
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ApplyArchiveRule.html
   */
  toApplyArchiveRule(): this;
  /**
   * Grants permission to cancel a policy generation
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CancelPolicyGeneration.html
   */
  toCancelPolicyGeneration(): this;
  /**
   * Grants permission to check that specified access is not allowed by a policy
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CheckAccessNotGranted.html
   */
  toCheckAccessNotGranted(): this;
  /**
   * Grants permission to check that no new access is allowed when compared to an existing policy
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CheckNoNewAccess.html
   */
  toCheckNoNewAccess(): this;
  /**
   * Grants permission to check that public access is not allowed by a resource policy
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CheckNoPublicAccess.html
   */
  toCheckNoPublicAccess(): this;
  /**
   * Grants permission to create an access preview for the specified analyzer
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAccessPreview.html
   */
  toCreateAccessPreview(): this;
  /**
   * Grants permission to create an analyzer
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifAwsRequestTag()
   * - .ifAwsTagKeys()
   *
   * Dependent actions:
   * - iam:CreateServiceLinkedRole
   *
   * NOTE(review): a dependent action is listed here for documentation only; the
   * caller is presumably expected to grant it in its own statement — confirm.
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateAnalyzer.html
   */
  toCreateAnalyzer(): this;
  /**
   * Grants permission to create an archive rule for the specified analyzer
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateArchiveRule.html
   */
  toCreateArchiveRule(): this;
  /**
   * Grants permission to create a service-linked analyzer
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifAwsRequestTag()
   * - .ifAwsTagKeys()
   *
   * Dependent actions:
   * - iam:CreateServiceLinkedRole
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_CreateServiceLinkedAnalyzer.html
   */
  toCreateServiceLinkedAnalyzer(): this;
  /**
   * Grants permission to delete the specified analyzer
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifAwsRequestTag()
   * - .ifAwsTagKeys()
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_DeleteAnalyzer.html
   */
  toDeleteAnalyzer(): this;
  /**
   * Grants permission to delete archive rules for the specified analyzer
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_DeleteArchiveRule.html
   */
  toDeleteArchiveRule(): this;
  /**
   * Grants permission to delete the specified service-linked analyzer
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifAwsRequestTag()
   * - .ifAwsTagKeys()
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_DeleteServiceLinkedAnalyzer.html
   */
  toDeleteServiceLinkedAnalyzer(): this;
  /**
   * Grants permission to generate recommendation steps to resolve a finding
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GenerateFindingRecommendation.html
   */
  toGenerateFindingRecommendation(): this;
  /**
   * Grants permission to retrieve information about an access preview
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetAccessPreview.html
   */
  toGetAccessPreview(): this;
  /**
   * Grants permission to retrieve information about an analyzed resource
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetAnalyzedResource.html
   */
  toGetAnalyzedResource(): this;
  /**
   * Grants permission to retrieve information about analyzers
   *
   * Access Level: Read
   *
   * Possible conditions:
   * - .ifAwsRequestTag()
   * - .ifAwsTagKeys()
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetAnalyzer.html
   */
  toGetAnalyzer(): this;
  /**
   * Grants permission to retrieve information about archive rules for the specified analyzer
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetArchiveRule.html
   */
  toGetArchiveRule(): this;
  /**
   * Grants permission to retrieve findings
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetFindingV2.html
   */
  toGetFinding(): this;
  /**
   * Grants permission to retrieve recommendation steps to resolve a finding
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetFindingRecommendation.html
   */
  toGetFindingRecommendation(): this;
  /**
   * Grants permission to retrieve statistics for findings
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#access-analyzer-permissions
   */
  toGetFindingsStatistics(): this;
  /**
   * Grants permission to retrieve a policy that was generated using StartPolicyGeneration
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_GetGeneratedPolicy.html
   */
  toGetGeneratedPolicy(): this;
  /**
   * Grants permission to retrieve a list of findings from an access preview
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListAccessPreviewFindings.html
   */
  toListAccessPreviewFindings(): this;
  /**
   * Grants permission to retrieve a list of access previews
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListAccessPreviews.html
   */
  toListAccessPreviews(): this;
  /**
   * Grants permission to retrieve a list of resources that have been analyzed
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListAnalyzedResources.html
   */
  toListAnalyzedResources(): this;
  /**
   * Grants permission to retrieve a list of analyzers
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListAnalyzers.html
   */
  toListAnalyzers(): this;
  /**
   * Grants permission to retrieve a list of archive rules from an analyzer
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListArchiveRules.html
   */
  toListArchiveRules(): this;
  /**
   * Grants permission to retrieve a list of findings from an analyzer
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListFindingsV2.html
   */
  toListFindings(): this;
  /**
   * Grants permission to list all the recently started policy generations
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListPolicyGenerations.html
   */
  toListPolicyGenerations(): this;
  /**
   * Grants permission to retrieve a list of tags applied to a resource
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ListTagsForResource.html
   */
  toListTagsForResource(): this;
  /**
   * Grants permission to start a policy generation
   *
   * Access Level: Write
   *
   * Dependent actions:
   * - iam:PassRole
   *
   * NOTE(review): iam:PassRole is listed as a dependency, not granted by this
   * method; when the caller grants it, scope it to the specific role ARN rather
   * than a wildcard — confirm how dependent actions are surfaced by PolicyStatement.
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_StartPolicyGeneration.html
   */
  toStartPolicyGeneration(): this;
  /**
   * Grants permission to start a scan of the policies applied to a resource
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_StartResourceScan.html
   */
  toStartResourceScan(): this;
  /**
   * Grants permission to add a tag to a resource
   *
   * Access Level: Tagging
   *
   * Possible conditions:
   * - .ifAwsRequestTag()
   * - .ifAwsTagKeys()
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_TagResource.html
   */
  toTagResource(): this;
  /**
   * Grants permission to remove a tag from a resource
   *
   * Access Level: Tagging
   *
   * Possible conditions:
   * - .ifAwsTagKeys()
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_UntagResource.html
   */
  toUntagResource(): this;
  /**
   * Grants permission to modify an analyzer's configuration
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_UpdateAnalyzer.html
   */
  toUpdateAnalyzer(): this;
  /**
   * Grants permission to modify an archive rule
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_UpdateArchiveRule.html
   */
  toUpdateArchiveRule(): this;
  /**
   * Grants permission to modify findings
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_UpdateFindings.html
   */
  toUpdateFindings(): this;
  /**
   * Grants permission to validate a policy
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ValidatePolicy.html
   */
  toValidatePolicy(): this;
  // Grouping of this service's actions by access level (Write/Read/List/Tagging
  // as documented on each to*() method above); presumably consumed by the base
  // class's access-level helpers — confirm in the implementation.
  protected accessLevelList: AccessLevelList;
  /**
   * Adds a resource of type Analyzer to the statement
   *
   * https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
   *
   * NOTE(review): if neither onAnalyzer() nor onArchiveRule() is called, the
   * statement's Resource element is presumably left to the base class default
   * (likely `*`), which widens Write actions to every analyzer — confirm against
   * PolicyStatement and prefer scoping the resource where possible.
   *
   * @param analyzerName - Identifier for the analyzerName.
   * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
   * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
   *
   * Possible conditions:
   * - .ifAwsResourceTag()
   */
  onAnalyzer(analyzerName: string, account?: string, region?: string, partition?: string): this;
  /**
   * Adds a resource of type ArchiveRule to the statement
   *
   * https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html#permission-resources
   *
   * @param analyzerName - Identifier for the analyzerName.
   * @param ruleName - Identifier for the ruleName.
   * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
   * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region.
   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
   */
  onArchiveRule(analyzerName: string, ruleName: string, account?: string, region?: string, partition?: string): this;
  /**
   * Filters actions based on the presence of tag key-value pairs in the request
   *
   * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag
   *
   * Applies to actions:
   * - .toCreateAnalyzer()
   * - .toCreateServiceLinkedAnalyzer()
   * - .toDeleteAnalyzer()
   * - .toDeleteServiceLinkedAnalyzer()
   * - .toGetAnalyzer()
   * - .toTagResource()
   *
   * @param tagKey The tag key to check
   * @param value The value(s) to check
   * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
   */
  ifAwsRequestTag(tagKey: string, value: string | string[], operator?: Operator | string): this;
  /**
   * Filters actions based on tag key-value pairs attached to the resource
   *
   * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag
   *
   * Applies to resource types:
   * - Analyzer
   *
   * @param tagKey The tag key to check
   * @param value The value(s) to check
   * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
   */
  ifAwsResourceTag(tagKey: string, value: string | string[], operator?: Operator | string): this;
  /**
   * Filters actions based on the presence of tag keys in the request
   *
   * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys
   *
   * Applies to actions:
   * - .toCreateAnalyzer()
   * - .toCreateServiceLinkedAnalyzer()
   * - .toDeleteAnalyzer()
   * - .toDeleteServiceLinkedAnalyzer()
   * - .toGetAnalyzer()
   * - .toTagResource()
   * - .toUntagResource()
   *
   * @param value The value(s) to check
   * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
   */
  ifAwsTagKeys(value: string | string[], operator?: Operator | string): this;
  /**
   * Statement provider for service [access-analyzer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamaccessanalyzer.html).
   *
   * Every `to*()`, `on*()` and `if*()` method returns `this`, so a statement is
   * built by chaining calls on one instance.
   *
   * @param props - Optional CDK `PolicyStatementProps`; presumably forwarded to
   *   the base PolicyStatement constructor — confirm in the implementation.
   */
  constructor(props?: iam.PolicyStatementProps);
}