Access Analyzer Update: This release adds support for the ValidatePolicy API. IAM Access Analyzer is adding over 100 policy checks and actionable recommendations that help you validate your policies during authoring.

Author: AWS

.changes/next-release/feature-AccessAnalyzer-f5ad5de.json

@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "Access Analyzer",
+    "contributor": "",
+    "description": "This release adds support for the ValidatePolicy API. IAM Access Analyzer is adding over 100 policy checks and actionable recommendations that help you validate your policies during authoring."
+}

services/accessanalyzer/src/main/resources/codegen-resources/paginators-1.json

@@ -35,6 +35,12 @@
       "output_token": "nextToken",
       "limit_key": "maxResults",
       "result_key": "findings"
+    },
+    "ValidatePolicy": {
+      "input_token": "nextToken",
+      "output_token": "nextToken",
+      "limit_key": "maxResults",
+      "result_key": "findings"
     }
   }
 }

services/accessanalyzer/src/main/resources/codegen-resources/service-2.json

@@ -88,7 +88,7 @@
         {"shape":"ThrottlingException"},
         {"shape":"AccessDeniedException"}
       ],
-      "documentation":"<p>Creates an archive rule for the specified analyzer. Archive rules automatically archive new findings that meet the criteria you define when you create the rule.</p>",
+      "documentation":"<p>Creates an archive rule for the specified analyzer. Archive rules automatically archive new findings that meet the criteria you define when you create the rule.</p> <p>To learn about filter keys that you can use to create an archive rule, see <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-filter-keys.html\">Access Analyzer filter keys</a> in the <b>IAM User Guide</b>.</p>",
       "idempotent":true
     },
     "DeleteAnalyzer":{
@@ -432,6 +432,23 @@
       ],
       "documentation":"<p>Updates the status for the specified findings.</p>",
       "idempotent":true
+    },
+    "ValidatePolicy":{
+      "name":"ValidatePolicy",
+      "http":{
+        "method":"POST",
+        "requestUri":"/policy/validation",
+        "responseCode":200
+      },
+      "input":{"shape":"ValidatePolicyRequest"},
+      "output":{"shape":"ValidatePolicyResponse"},
+      "errors":[
+        {"shape":"ValidationException"},
+        {"shape":"InternalServerException"},
+        {"shape":"ThrottlingException"},
+        {"shape":"AccessDeniedException"}
+      ],
+      "documentation":"<p>Requests the validation of a policy and returns a list of findings. The findings help you identify issues and provide actionable recommendations to resolve the issue and enable you to author functional policies that meet security best practices. </p>"
     }
   },
   "shapes":{
@@ -1540,6 +1557,7 @@
       },
       "documentation":"<p>This configuration sets the Amazon S3 access point network origin to <code>Internet</code>.</p>"
     },
+    "IssueCode":{"type":"string"},
     "IssuingAccount":{"type":"string"},
     "KmsConstraintsKey":{"type":"string"},
     "KmsConstraintsMap":{
@@ -1640,6 +1658,7 @@
       "value":{"shape":"KmsKeyPolicy"}
     },
     "KmsKeyPolicy":{"type":"string"},
+    "LearnMoreLink":{"type":"string"},
     "ListAccessPreviewFindingsRequest":{
       "type":"structure",
       "required":[
@@ -1905,6 +1924,43 @@
       },
       "documentation":"<p>The response to the request.</p>"
     },
+    "Locale":{
+      "type":"string",
+      "enum":[
+        "DE",
+        "EN",
+        "ES",
+        "FR",
+        "IT",
+        "JA",
+        "KO",
+        "PT_BR",
+        "ZH_CN",
+        "ZH_TW"
+      ]
+    },
+    "Location":{
+      "type":"structure",
+      "required":[
+        "path",
+        "span"
+      ],
+      "members":{
+        "path":{
+          "shape":"PathElementList",
+          "documentation":"<p>A path in a policy, represented as a sequence of path elements.</p>"
+        },
+        "span":{
+          "shape":"Span",
+          "documentation":"<p>A span in a policy.</p>"
+        }
+      },
+      "documentation":"<p>A location in a policy that is represented as a path through the JSON representation and a corresponding span.</p>"
+    },
+    "LocationList":{
+      "type":"list",
+      "member":{"shape":"Location"}
+    },
     "Name":{
       "type":"string",
       "max":255,
@@ -1930,7 +1986,66 @@
         "DESC"
       ]
     },
+    "PathElement":{
+      "type":"structure",
+      "members":{
+        "index":{
+          "shape":"Integer",
+          "documentation":"<p>Refers to an index in a JSON array.</p>"
+        },
+        "key":{
+          "shape":"String",
+          "documentation":"<p>Refers to a key in a JSON object.</p>"
+        },
+        "substring":{
+          "shape":"Substring",
+          "documentation":"<p>Refers to a substring of a literal string in a JSON object.</p>"
+        },
+        "value":{
+          "shape":"String",
+          "documentation":"<p>Refers to the value associated with a given key in a JSON object.</p>"
+        }
+      },
+      "documentation":"<p>A single element in a path through the JSON representation of a policy.</p>",
+      "union":true
+    },
+    "PathElementList":{
+      "type":"list",
+      "member":{"shape":"PathElement"}
+    },
+    "PolicyDocument":{"type":"string"},
     "PolicyName":{"type":"string"},
+    "PolicyType":{
+      "type":"string",
+      "enum":[
+        "IDENTITY_POLICY",
+        "RESOURCE_POLICY",
+        "SERVICE_CONTROL_POLICY"
+      ]
+    },
+    "Position":{
+      "type":"structure",
+      "required":[
+        "column",
+        "line",
+        "offset"
+      ],
+      "members":{
+        "column":{
+          "shape":"Integer",
+          "documentation":"<p>The column of the position, starting from 0.</p>"
+        },
+        "line":{
+          "shape":"Integer",
+          "documentation":"<p>The line of the position, starting from 1.</p>"
+        },
+        "offset":{
+          "shape":"Integer",
+          "documentation":"<p>The offset within the policy that corresponds to the position, starting from 0.</p>"
+        }
+      },
+      "documentation":"<p>A position in a policy.</p>"
+    },
     "PrincipalMap":{
       "type":"map",
       "key":{"shape":"String"},
@@ -2132,6 +2247,24 @@
       },
       "documentation":"<p>The criteria used to sort.</p>"
     },
+    "Span":{
+      "type":"structure",
+      "required":[
+        "end",
+        "start"
+      ],
+      "members":{
+        "end":{
+          "shape":"Position",
+          "documentation":"<p>The end position of the span (exclusive).</p>"
+        },
+        "start":{
+          "shape":"Position",
+          "documentation":"<p>The start position of the span (inclusive).</p>"
+        }
+      },
+      "documentation":"<p>A span in a policy. The span consists of a start position (inclusive) and end position (exclusive).</p>"
+    },
     "SqsQueueConfiguration":{
       "type":"structure",
       "members":{
@@ -2173,6 +2306,24 @@
       "documentation":"<p>Provides more details about the current status of the analyzer. For example, if the creation for the analyzer fails, a <code>Failed</code> status is returned. For an analyzer with organization as the type, this failure can be due to an issue with creating the service-linked roles required in the member accounts of the AWS organization.</p>"
     },
     "String":{"type":"string"},
+    "Substring":{
+      "type":"structure",
+      "required":[
+        "length",
+        "start"
+      ],
+      "members":{
+        "length":{
+          "shape":"Integer",
+          "documentation":"<p>The length of the substring.</p>"
+        },
+        "start":{
+          "shape":"Integer",
+          "documentation":"<p>The start index of the substring, starting from 0.</p>"
+        }
+      },
+      "documentation":"<p>A reference to a substring of a literal string in a JSON document.</p>"
+    },
     "TagKeys":{
       "type":"list",
       "member":{"shape":"String"}
@@ -2331,6 +2482,99 @@
       },
       "documentation":"<p>Updates findings with the new values provided in the request.</p>"
     },
+    "ValidatePolicyFinding":{
+      "type":"structure",
+      "required":[
+        "findingDetails",
+        "findingType",
+        "issueCode",
+        "learnMoreLink",
+        "locations"
+      ],
+      "members":{
+        "findingDetails":{
+          "shape":"String",
+          "documentation":"<p>A localized message that explains the finding and provides guidance on how to address it.</p>"
+        },
+        "findingType":{
+          "shape":"ValidatePolicyFindingType",
+          "documentation":"<p>The impact of the finding.</p> <p>Security warnings report when the policy allows access that we consider overly permissive.</p> <p>Errors report when a part of the policy is not functional.</p> <p>Warnings report non-security issues when a policy does not conform to policy writing best practices.</p> <p>Suggestions recommend stylistic improvements in the policy that do not impact access.</p>"
+        },
+        "issueCode":{
+          "shape":"IssueCode",
+          "documentation":"<p>The issue code provides an identifier of the issue associated with this finding.</p>"
+        },
+        "learnMoreLink":{
+          "shape":"LearnMoreLink",
+          "documentation":"<p>A link to additional documentation about the type of finding.</p>"
+        },
+        "locations":{
+          "shape":"LocationList",
+          "documentation":"<p>The list of locations in the policy document that are related to the finding. The issue code provides a summary of an issue identified by the finding.</p>"
+        }
+      },
+      "documentation":"<p>A finding in a policy. Each finding is an actionable recommendation that can be used to improve the policy.</p>"
+    },
+    "ValidatePolicyFindingList":{
+      "type":"list",
+      "member":{"shape":"ValidatePolicyFinding"}
+    },
+    "ValidatePolicyFindingType":{
+      "type":"string",
+      "enum":[
+        "ERROR",
+        "SECURITY_WARNING",
+        "SUGGESTION",
+        "WARNING"
+      ]
+    },
+    "ValidatePolicyRequest":{
+      "type":"structure",
+      "required":[
+        "policyDocument",
+        "policyType"
+      ],
+      "members":{
+        "locale":{
+          "shape":"Locale",
+          "documentation":"<p>The locale to use for localizing the findings.</p>"
+        },
+        "maxResults":{
+          "shape":"Integer",
+          "documentation":"<p>The maximum number of results to return in the response.</p>",
+          "location":"querystring",
+          "locationName":"maxResults"
+        },
+        "nextToken":{
+          "shape":"Token",
+          "documentation":"<p>A token used for pagination of results returned.</p>",
+          "location":"querystring",
+          "locationName":"nextToken"
+        },
+        "policyDocument":{
+          "shape":"PolicyDocument",
+          "documentation":"<p>The JSON policy document to use as the content for the policy.</p>"
+        },
+        "policyType":{
+          "shape":"PolicyType",
+          "documentation":"<p>The type of policy to validate. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups. They also include service-control policies (SCPs) that are attached to an AWS organization, organizational unit (OU), or an account.</p> <p>Resource policies grant permissions on AWS resources. Resource policies include trust policies for IAM roles and bucket policies for S3 buckets. You can provide a generic input such as identity policy or resource policy or a specific input such as managed policy or S3 bucket policy. </p>"
+        }
+      }
+    },
+    "ValidatePolicyResponse":{
+      "type":"structure",
+      "required":["findings"],
+      "members":{
+        "findings":{
+          "shape":"ValidatePolicyFindingList",
+          "documentation":"<p>The list of findings in a policy returned by Access Analyzer based on its suite of policy checks.</p>"
+        },
+        "nextToken":{
+          "shape":"Token",
+          "documentation":"<p>A token used for pagination of results returned.</p>"
+        }
+      }
+    },
     "ValidationException":{
       "type":"structure",
       "required":[