AccessAnalyzer / Client / check_no_new_access



Checks whether new access is allowed for an updated policy when compared to the existing policy.

You can find examples for reference policies and learn how to set up and run a custom policy check for new access in the IAM Access Analyzer custom policy checks samples repository on GitHub. The reference policies in this repository are meant to be passed to the existingPolicyDocument request parameter.

See also: AWS API Documentation

Request Syntax

response = client.check_no_new_access(
  • newPolicyDocument (string) –


    The JSON policy document to use as the content for the updated policy.

  • existingPolicyDocument (string) –


    The JSON policy document to use as the content for the existing policy.

  • policyType (string) –


    The type of policy to compare. Identity policies grant permissions to IAM principals. Identity policies include managed and inline policies for IAM roles, users, and groups.

    Resource policies grant permissions on Amazon Web Services resources. Resource policies include trust policies for IAM roles and bucket policies for Amazon S3 buckets. You can provide a generic input such as identity policy or resource policy or a specific input such as managed policy or Amazon S3 bucket policy.

Return type:



Response Syntax

    'result': 'PASS'|'FAIL',
    'message': 'string',
    'reasons': [
            'description': 'string',
            'statementIndex': 123,
            'statementId': 'string'

Response Structure

  • (dict) –

    • result (string) –

      The result of the check for new access. If the result is PASS, no new access is allowed by the updated policy. If the result is FAIL, the updated policy might allow new access.

    • message (string) –

      The message indicating whether the updated policy allows new access.

    • reasons (list) –

      A description of the reasoning of the result.

      • (dict) –

        Contains information about the reasoning why a check for access passed or failed.

        • description (string) –

          A description of the reasoning of a result of checking for access.

        • statementIndex (integer) –

          The index number of the reason statement.

        • statementId (string) –

          The identifier for the reason statement.


  • AccessAnalyzer.Client.exceptions.ValidationException

  • AccessAnalyzer.Client.exceptions.InternalServerException

  • AccessAnalyzer.Client.exceptions.InvalidParameterException

  • AccessAnalyzer.Client.exceptions.UnprocessableEntityException

  • AccessAnalyzer.Client.exceptions.ThrottlingException

  • AccessAnalyzer.Client.exceptions.AccessDeniedException