AccessAnalyzer / Client / get_finding

get_finding#

AccessAnalyzer.Client.get_finding(**kwargs)#

Retrieves information about the specified finding. GetFinding and GetFindingV2 both use access-analyzer:GetFinding in the Action element of an IAM policy statement. You must have permission to perform the access-analyzer:GetFinding action.

See also: AWS API Documentation

Request Syntax

response = client.get_finding(
    analyzerArn='string',
    id='string'
)
Parameters:
  • analyzerArn (string) –

    [REQUIRED]

    The ARN of the analyzer that generated the finding.

  • id (string) –

    [REQUIRED]

    The ID of the finding to retrieve.

Return type:

dict

Returns:

Response Syntax

{
    'finding': {
        'id': 'string',
        'principal': {
            'string': 'string'
        },
        'action': [
            'string',
        ],
        'resource': 'string',
        'isPublic': True|False,
        'resourceType': 'AWS::S3::Bucket'|'AWS::IAM::Role'|'AWS::SQS::Queue'|'AWS::Lambda::Function'|'AWS::Lambda::LayerVersion'|'AWS::KMS::Key'|'AWS::SecretsManager::Secret'|'AWS::EFS::FileSystem'|'AWS::EC2::Snapshot'|'AWS::ECR::Repository'|'AWS::RDS::DBSnapshot'|'AWS::RDS::DBClusterSnapshot'|'AWS::SNS::Topic'|'AWS::S3Express::DirectoryBucket'|'AWS::DynamoDB::Table'|'AWS::DynamoDB::Stream'|'AWS::IAM::User',
        'condition': {
            'string': 'string'
        },
        'createdAt': datetime(2015, 1, 1),
        'analyzedAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'status': 'ACTIVE'|'ARCHIVED'|'RESOLVED',
        'resourceOwnerAccount': 'string',
        'error': 'string',
        'sources': [
            {
                'type': 'POLICY'|'BUCKET_ACL'|'S3_ACCESS_POINT'|'S3_ACCESS_POINT_ACCOUNT',
                'detail': {
                    'accessPointArn': 'string',
                    'accessPointAccount': 'string'
                }
            },
        ],
        'resourceControlPolicyRestriction': 'APPLICABLE'|'FAILED_TO_EVALUATE_RCP'|'NOT_APPLICABLE'
    }
}

Response Structure

  • (dict) –

    The response to the request.

    • finding (dict) –

      A finding object that contains finding details.

      • id (string) –

        The ID of the finding.

      • principal (dict) –

        The external principal that has access to a resource within the zone of trust.

        • (string) –

          • (string) –

      • action (list) –

        The action in the analyzed policy statement that an external principal has permission to use.

        • (string) –

      • resource (string) –

        The resource that an external principal has access to.

      • isPublic (boolean) –

        Indicates whether the policy that generated the finding allows public access to the resource.

      • resourceType (string) –

        The type of the resource identified in the finding.

      • condition (dict) –

        The condition in the analyzed policy statement that resulted in a finding.

        • (string) –

          • (string) –

      • createdAt (datetime) –

        The time at which the finding was generated.

      • analyzedAt (datetime) –

        The time at which the resource was analyzed.

      • updatedAt (datetime) –

        The time at which the finding was updated.

      • status (string) –

        The current status of the finding.

      • resourceOwnerAccount (string) –

        The Amazon Web Services account ID that owns the resource.

      • error (string) –

        An error.

      • sources (list) –

        The sources of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.

        • (dict) –

          The source of the finding. This indicates how the access that generated the finding is granted. It is populated for Amazon S3 bucket findings.

          • type (string) –

            Indicates the type of access that generated the finding.

          • detail (dict) –

            Includes details about how the access that generated the finding is granted. This is populated for Amazon S3 bucket findings.

            • accessPointArn (string) –

              The ARN of the access point that generated the finding. The ARN format depends on whether the ARN represents an access point or a multi-region access point.

            • accessPointAccount (string) –

              The account of the cross-account access point that generated the finding.

      • resourceControlPolicyRestriction (string) –

        The type of restriction applied to the finding by the resource owner with an Organizations resource control policy (RCP).

Exceptions

  • AccessAnalyzer.Client.exceptions.ResourceNotFoundException

  • AccessAnalyzer.Client.exceptions.ValidationException

  • AccessAnalyzer.Client.exceptions.InternalServerException

  • AccessAnalyzer.Client.exceptions.ThrottlingException

  • AccessAnalyzer.Client.exceptions.AccessDeniedException