libZSservicesZSamazonka-iamZSamazonka-iam
Copyright(c) 2013-2021 Brendan Hay
LicenseMozilla Public License, v. 2.0.
MaintainerBrendan Hay <brendan.g.hay+amazonka@gmail.com>
Stabilityauto-generated
Portabilitynon-portable (GHC extensions)
Safe HaskellNone

Amazonka.IAM.Types.EvaluationResult

Description

 
Synopsis

Documentation

data EvaluationResult Source #

Contains the results of a simulation.

This data type is used by the return parameter of SimulateCustomPolicy and SimulatePrincipalPolicy .

See: newEvaluationResult smart constructor.

Constructors

EvaluationResult' 

Fields

  • matchedStatements :: Maybe [Statement]

    A list of the statements in the input policies that determine the result for this scenario. Remember that even if multiple statements allow the operation on the resource, if only one statement denies that operation, then the explicit deny overrides any allow. In addition, the deny statement is the only entry included in the result.

  • evalDecisionDetails :: Maybe (HashMap Text PolicyEvaluationDecisionType)

    Additional details about the results of the cross-account evaluation decision. This parameter is populated for only cross-account simulations. It contains a brief summary of how each policy type contributes to the final evaluation decision.

    If the simulation evaluates policies within the same account and includes a resource ARN, then the parameter is present but the response is empty. If the simulation evaluates policies within the same account and specifies all resources (*), then the parameter is not returned.

    When you make a cross-account request, Amazon Web Services evaluates the request in the trusting account and the trusted account. The request is allowed only if both evaluations return true. For more information about how policies are evaluated, see Evaluating policies within a single account.

    If an Organizations SCP included in the evaluation denies access, the simulation ends. In this case, policy evaluation does not proceed any further and this parameter is not returned.

  • resourceSpecificResults :: Maybe [ResourceSpecificResult]

    The individual results of the simulation of the API operation specified in EvalActionName on each resource.

  • evalResourceName :: Maybe Text

    The ARN of the resource that the indicated API operation was tested on.

  • missingContextValues :: Maybe [Text]

    A list of context keys that are required by the included input policies but that were not provided by one of the input parameters. This list is used when the resource in a simulation is "*", either explicitly, or when the ResourceArns parameter blank. If you include a list of resources, then any missing context values are instead included under the ResourceSpecificResults section. To discover the context keys used by a set of policies, you can call GetContextKeysForCustomPolicy or GetContextKeysForPrincipalPolicy.

  • permissionsBoundaryDecisionDetail :: Maybe PermissionsBoundaryDecisionDetail

    Contains information about the effect that a permissions boundary has on a policy simulation when the boundary is applied to an IAM entity.

  • organizationsDecisionDetail :: Maybe OrganizationsDecisionDetail

    A structure that details how Organizations and its service control policies affect the results of the simulation. Only applies if the simulated user's account is part of an organization.

  • evalActionName :: Text

    The name of the API operation tested on the indicated resource.

  • evalDecision :: PolicyEvaluationDecisionType

    The result of the simulation.

Instances

Instances details
Eq EvaluationResult Source # 
Instance details

Defined in Amazonka.IAM.Types.EvaluationResult

Read EvaluationResult Source # 
Instance details

Defined in Amazonka.IAM.Types.EvaluationResult

Show EvaluationResult Source # 
Instance details

Defined in Amazonka.IAM.Types.EvaluationResult

Generic EvaluationResult Source # 
Instance details

Defined in Amazonka.IAM.Types.EvaluationResult

Associated Types

type Rep EvaluationResult :: Type -> Type #

NFData EvaluationResult Source # 
Instance details

Defined in Amazonka.IAM.Types.EvaluationResult

Methods

rnf :: EvaluationResult -> () #

Hashable EvaluationResult Source # 
Instance details

Defined in Amazonka.IAM.Types.EvaluationResult

FromXML EvaluationResult Source # 
Instance details

Defined in Amazonka.IAM.Types.EvaluationResult

type Rep EvaluationResult Source # 
Instance details

Defined in Amazonka.IAM.Types.EvaluationResult

newEvaluationResult Source #

Create a value of EvaluationResult with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:matchedStatements:EvaluationResult', evaluationResult_matchedStatements - A list of the statements in the input policies that determine the result for this scenario. Remember that even if multiple statements allow the operation on the resource, if only one statement denies that operation, then the explicit deny overrides any allow. In addition, the deny statement is the only entry included in the result.

$sel:evalDecisionDetails:EvaluationResult', evaluationResult_evalDecisionDetails - Additional details about the results of the cross-account evaluation decision. This parameter is populated for only cross-account simulations. It contains a brief summary of how each policy type contributes to the final evaluation decision.

If the simulation evaluates policies within the same account and includes a resource ARN, then the parameter is present but the response is empty. If the simulation evaluates policies within the same account and specifies all resources (*), then the parameter is not returned.

When you make a cross-account request, Amazon Web Services evaluates the request in the trusting account and the trusted account. The request is allowed only if both evaluations return true. For more information about how policies are evaluated, see Evaluating policies within a single account.

If an Organizations SCP included in the evaluation denies access, the simulation ends. In this case, policy evaluation does not proceed any further and this parameter is not returned.

$sel:resourceSpecificResults:EvaluationResult', evaluationResult_resourceSpecificResults - The individual results of the simulation of the API operation specified in EvalActionName on each resource.

$sel:evalResourceName:EvaluationResult', evaluationResult_evalResourceName - The ARN of the resource that the indicated API operation was tested on.

$sel:missingContextValues:EvaluationResult', evaluationResult_missingContextValues - A list of context keys that are required by the included input policies but that were not provided by one of the input parameters. This list is used when the resource in a simulation is "*", either explicitly, or when the ResourceArns parameter blank. If you include a list of resources, then any missing context values are instead included under the ResourceSpecificResults section. To discover the context keys used by a set of policies, you can call GetContextKeysForCustomPolicy or GetContextKeysForPrincipalPolicy.

$sel:permissionsBoundaryDecisionDetail:EvaluationResult', evaluationResult_permissionsBoundaryDecisionDetail - Contains information about the effect that a permissions boundary has on a policy simulation when the boundary is applied to an IAM entity.

$sel:organizationsDecisionDetail:EvaluationResult', evaluationResult_organizationsDecisionDetail - A structure that details how Organizations and its service control policies affect the results of the simulation. Only applies if the simulated user's account is part of an organization.

$sel:evalActionName:EvaluationResult', evaluationResult_evalActionName - The name of the API operation tested on the indicated resource.

$sel:evalDecision:EvaluationResult', evaluationResult_evalDecision - The result of the simulation.

evaluationResult_matchedStatements :: Lens' EvaluationResult (Maybe [Statement]) Source #

A list of the statements in the input policies that determine the result for this scenario. Remember that even if multiple statements allow the operation on the resource, if only one statement denies that operation, then the explicit deny overrides any allow. In addition, the deny statement is the only entry included in the result.

evaluationResult_evalDecisionDetails :: Lens' EvaluationResult (Maybe (HashMap Text PolicyEvaluationDecisionType)) Source #

Additional details about the results of the cross-account evaluation decision. This parameter is populated for only cross-account simulations. It contains a brief summary of how each policy type contributes to the final evaluation decision.

If the simulation evaluates policies within the same account and includes a resource ARN, then the parameter is present but the response is empty. If the simulation evaluates policies within the same account and specifies all resources (*), then the parameter is not returned.

When you make a cross-account request, Amazon Web Services evaluates the request in the trusting account and the trusted account. The request is allowed only if both evaluations return true. For more information about how policies are evaluated, see Evaluating policies within a single account.

If an Organizations SCP included in the evaluation denies access, the simulation ends. In this case, policy evaluation does not proceed any further and this parameter is not returned.

evaluationResult_resourceSpecificResults :: Lens' EvaluationResult (Maybe [ResourceSpecificResult]) Source #

The individual results of the simulation of the API operation specified in EvalActionName on each resource.

evaluationResult_evalResourceName :: Lens' EvaluationResult (Maybe Text) Source #

The ARN of the resource that the indicated API operation was tested on.

evaluationResult_missingContextValues :: Lens' EvaluationResult (Maybe [Text]) Source #

A list of context keys that are required by the included input policies but that were not provided by one of the input parameters. This list is used when the resource in a simulation is "*", either explicitly, or when the ResourceArns parameter blank. If you include a list of resources, then any missing context values are instead included under the ResourceSpecificResults section. To discover the context keys used by a set of policies, you can call GetContextKeysForCustomPolicy or GetContextKeysForPrincipalPolicy.

evaluationResult_permissionsBoundaryDecisionDetail :: Lens' EvaluationResult (Maybe PermissionsBoundaryDecisionDetail) Source #

Contains information about the effect that a permissions boundary has on a policy simulation when the boundary is applied to an IAM entity.

evaluationResult_organizationsDecisionDetail :: Lens' EvaluationResult (Maybe OrganizationsDecisionDetail) Source #

A structure that details how Organizations and its service control policies affect the results of the simulation. Only applies if the simulated user's account is part of an organization.

evaluationResult_evalActionName :: Lens' EvaluationResult Text Source #

The name of the API operation tested on the indicated resource.