AccessAnalyzer / Client / check_access_not_granted



Checks whether the specified access isn’t allowed by a policy.

See also: AWS API Documentation

Request Syntax

response = client.check_access_not_granted(
            'actions': [
  • policyDocument (string) –


    The JSON policy document to use as the content for the policy.

  • access (list) –


    An access object containing the permissions that shouldn’t be granted by the specified policy.

    • (dict) –

      Contains information about actions that define permissions to check against a policy.

      • actions (list) – [REQUIRED]

        A list of actions for the access permissions. Any strings that can be used as an action in an IAM policy can be used in the list of actions to check.

        • (string) –

  • policyType (string) –


    The type of policy. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups.

    Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic input such as identity policy or resource policy or a specific input such as managed policy or Amazon S3 bucket policy.

Return type:



Response Syntax

    'result': 'PASS'|'FAIL',
    'message': 'string',
    'reasons': [
            'description': 'string',
            'statementIndex': 123,
            'statementId': 'string'

Response Structure

  • (dict) –

    • result (string) –

      The result of the check for whether the access is allowed. If the result is PASS, the specified policy doesn’t allow any of the specified permissions in the access object. If the result is FAIL, the specified policy might allow some or all of the permissions in the access object.

    • message (string) –

      The message indicating whether the specified access is allowed.

    • reasons (list) –

      A description of the reasoning of the result.

      • (dict) –

        Contains information about the reasoning why a check for access passed or failed.

        • description (string) –

          A description of the reasoning of a result of checking for access.

        • statementIndex (integer) –

          The index number of the reason statement.

        • statementId (string) –

          The identifier for the reason statement.


  • AccessAnalyzer.Client.exceptions.ValidationException

  • AccessAnalyzer.Client.exceptions.InternalServerException

  • AccessAnalyzer.Client.exceptions.InvalidParameterException

  • AccessAnalyzer.Client.exceptions.UnprocessableEntityException

  • AccessAnalyzer.Client.exceptions.ThrottlingException

  • AccessAnalyzer.Client.exceptions.AccessDeniedException