AccessAnalyzer / Client / get_finding_v2

get_finding_v2#

AccessAnalyzer.Client.get_finding_v2(**kwargs)#

Retrieves information about the specified finding. GetFinding and GetFindingV2 both use access-analyzer:GetFinding in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:GetFinding action.

See also: AWS API Documentation

Request Syntax

response = client.get_finding_v2(
    analyzerArn='string',
    id='string',
    maxResults=123,
    nextToken='string'
)
Parameters:
  • analyzerArn (string) –

    [REQUIRED]

    The ARN of the analyzer that generated the finding.

  • id (string) –

    [REQUIRED]

    The ID of the finding to retrieve.

  • maxResults (integer) – The maximum number of results to return in the response.

  • nextToken (string) – A token used for pagination of results returned.

Return type:

dict

Returns:

Response Syntax

{
    'analyzedAt': datetime(2015, 1, 1),
    'createdAt': datetime(2015, 1, 1),
    'error': 'string',
    'id': 'string',
    'nextToken': 'string',
    'resource': 'string',
    'resourceType': 'AWS::S3::Bucket'|'AWS::IAM::Role'|'AWS::SQS::Queue'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::KMS::Key'|'AWS::SecretsManager::Secret'|'AWS::EFS::FileSystem'|'AWS::EC2::Snapshot'|'AWS::ECR::Repository'|'AWS::RDS::DBSnapshot'|'AWS::RDS::DBClusterSnapshot'|'AWS::SNS::Topic'|'AWS::S3Express::DirectoryBucket',
    'resourceOwnerAccount': 'string',
    'status': 'ACTIVE'|'ARCHIVED'|'RESOLVED',
    'updatedAt': datetime(2015, 1, 1),
    'findingDetails': [
        {
            'externalAccessDetails': {
                'action': [
                    'string',
                ],
                'condition': {
                    'string': 'string'
                },
                'isPublic': True|False,
                'principal': {
                    'string': 'string'
                },
                'sources': [
                    {
                        'type': 'POLICY'|'BUCKET_ACL'|'S3_ACCESS_POINT'|'S3_ACCESS_POINT_ACCOUNT',
                        'detail': {
                            'accessPointArn': 'string',
                            'accessPointAccount': 'string'
                        }
                    },
                ]
            },
            'unusedPermissionDetails': {
                'actions': [
                    {
                        'action': 'string',
                        'lastAccessed': datetime(2015, 1, 1)
                    },
                ],
                'serviceNamespace': 'string',
                'lastAccessed': datetime(2015, 1, 1)
            },
            'unusedIamUserAccessKeyDetails': {
                'accessKeyId': 'string',
                'lastAccessed': datetime(2015, 1, 1)
            },
            'unusedIamRoleDetails': {
                'lastAccessed': datetime(2015, 1, 1)
            },
            'unusedIamUserPasswordDetails': {
                'lastAccessed': datetime(2015, 1, 1)
            }
        },
    ],
    'findingType': 'ExternalAccess'|'UnusedIAMRole'|'UnusedIAMUserAccessKey'|'UnusedIAMUserPassword'|'UnusedPermission'
}

Response Structure

  • (dict) –

    • analyzedAt (datetime) –

      The time at which the resource-based policy or IAM entity that generated the finding was analyzed.

    • createdAt (datetime) –

      The time at which the finding was created.

    • error (string) –

      An error.

    • id (string) –

      The ID of the finding to retrieve.

    • nextToken (string) –

      A token used for pagination of results returned.

    • resource (string) –

      The resource that generated the finding.

    • resourceType (string) –

      The type of the resource identified in the finding.

    • resourceOwnerAccount (string) –

      Tye Amazon Web Services account ID that owns the resource.

    • status (string) –

      The status of the finding.

    • updatedAt (datetime) –

      The time at which the finding was updated.

    • findingDetails (list) –

      A localized message that explains the finding and provides guidance on how to address it.

      • (dict) –

        Contains information about an external access or unused access finding. Only one parameter can be used in a FindingDetails object.

        Note

        This is a Tagged Union structure. Only one of the following top level keys will be set: externalAccessDetails, unusedPermissionDetails, unusedIamUserAccessKeyDetails, unusedIamRoleDetails, unusedIamUserPasswordDetails. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

        'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
        
        • externalAccessDetails (dict) –

          The details for an external access analyzer finding.

          • action (list) –

            The action in the analyzed policy statement that an external principal has permission to use.

            • (string) –

          • condition (dict) –

            The condition in the analyzed policy statement that resulted in an external access finding.

            • (string) –

              • (string) –

          • isPublic (boolean) –

            Specifies whether the external access finding is public.

          • principal (dict) –

            The external principal that has access to a resource within the zone of trust.

            • (string) –

              • (string) –

          • sources (list) –

            The sources of the external access finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.

            • (dict) –

              The source of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.

              • type (string) –

                Indicates the type of access that generated the finding.

              • detail (dict) –

                Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.

                • accessPointArn (string) –

                  The ARN of the access point that generated the finding. The ARN format depends on whether the ARN represents an access point or a multi-region access point.

                • accessPointAccount (string) –

                  The account of the cross-account access point that generated the finding.

        • unusedPermissionDetails (dict) –

          The details for an unused access analyzer finding with an unused permission finding type.

          • actions (list) –

            A list of unused actions for which the unused access finding was generated.

            • (dict) –

              Contains information about an unused access finding for an action. IAM Access Analyzer charges for unused access analysis based on the number of IAM roles and users analyzed per month. For more details on pricing, see IAM Access Analyzer pricing.

              • action (string) –

                The action for which the unused access finding was generated.

              • lastAccessed (datetime) –

                The time at which the action was last accessed.

          • serviceNamespace (string) –

            The namespace of the Amazon Web Services service that contains the unused actions.

          • lastAccessed (datetime) –

            The time at which the permission last accessed.

        • unusedIamUserAccessKeyDetails (dict) –

          The details for an unused access analyzer finding with an unused IAM user access key finding type.

          • accessKeyId (string) –

            The ID of the access key for which the unused access finding was generated.

          • lastAccessed (datetime) –

            The time at which the access key was last accessed.

        • unusedIamRoleDetails (dict) –

          The details for an unused access analyzer finding with an unused IAM role finding type.

          • lastAccessed (datetime) –

            The time at which the role was last accessed.

        • unusedIamUserPasswordDetails (dict) –

          The details for an unused access analyzer finding with an unused IAM user password finding type.

          • lastAccessed (datetime) –

            The time at which the password was last accessed.

    • findingType (string) –

      The type of the finding. For external access analyzers, the type is ExternalAccess. For unused access analyzers, the type can be UnusedIAMRole, UnusedIAMUserAccessKey, UnusedIAMUserPassword, or UnusedPermission.

Exceptions

  • AccessAnalyzer.Client.exceptions.ResourceNotFoundException

  • AccessAnalyzer.Client.exceptions.ValidationException

  • AccessAnalyzer.Client.exceptions.InternalServerException

  • AccessAnalyzer.Client.exceptions.ThrottlingException

  • AccessAnalyzer.Client.exceptions.AccessDeniedException