| Title: | 'Amazon Web Services' Security, Identity, & Compliance Services |
|---|---|
| Description: | Interface to 'Amazon Web Services' security, identity, and compliance services, including the 'Identity & Access Management' ('IAM') service for managing access to services and resources, and more <https://aws.amazon.com/>. |
| Authors: | David Kretch [aut], Adam Banker [aut], Dyfan Jones [cre], Amazon.com, Inc. [cph] |
| Maintainer: | Dyfan Jones <[email protected]> |
| License: | Apache License (>= 2.0) |
| Version: | 0.7.0 |
| Built: | 2024-10-12 07:33:17 UTC |
| Source: | CRAN |
Identity and Access Management Access Analyzer helps you to set, verify, and refine your IAM policies by providing a suite of capabilities. Its features include findings for external and unused access, basic and custom policy checks for validating policies, and policy generation to generate fine-grained policies. To start using IAM Access Analyzer to identify external or unused access, you first need to create an analyzer.
External access analyzers help identify potential risks of accessing resources by enabling you to identify any resource policies that grant access to an external principal. It does this by using logic-based reasoning to analyze resource-based policies in your Amazon Web Services environment. An external principal can be another Amazon Web Services account, a root user, an IAM user or role, a federated user, an Amazon Web Services service, or an anonymous user. You can also use IAM Access Analyzer to preview public and cross-account access to your resources before deploying permissions changes.
Unused access analyzers help identify potential identity access risks by enabling you to identify unused IAM roles, unused access keys, unused console passwords, and IAM principals with unused service and action-level permissions.
Beyond findings, IAM Access Analyzer provides basic and custom policy checks to validate IAM policies before deploying permissions changes. You can use policy generation to refine permissions by attaching a policy generated using access activity logged in CloudTrail logs.
This guide describes the IAM Access Analyzer operations that you can call programmatically. For general information about IAM Access Analyzer, see Identity and Access Management Access Analyzer in the IAM User Guide.
accessanalyzer( config = list(), credentials = list(), endpoint = NULL, region = NULL )accessanalyzer( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- accessanalyzer(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| apply_archive_rule | Retroactively applies the archive rule to existing findings that meet the archive rule criteria |
| cancel_policy_generation | Cancels the requested policy generation |
| check_access_not_granted | Checks whether the specified access isn't allowed by a policy |
| check_no_new_access | Checks whether new access is allowed for an updated policy when compared to the existing policy |
| check_no_public_access | Checks whether a resource policy can grant public access to the specified resource type |
| create_access_preview | Creates an access preview that allows you to preview IAM Access Analyzer findings for your resource before deploying resource permissions |
| create_analyzer | Creates an analyzer for your account |
| create_archive_rule | Creates an archive rule for the specified analyzer |
| delete_analyzer | Deletes the specified analyzer |
| delete_archive_rule | Deletes the specified archive rule |
| generate_finding_recommendation | Creates a recommendation for an unused permissions finding |
| get_access_preview | Retrieves information about an access preview for the specified analyzer |
| get_analyzed_resource | Retrieves information about a resource that was analyzed |
| get_analyzer | Retrieves information about the specified analyzer |
| get_archive_rule | Retrieves information about an archive rule |
| get_finding | Retrieves information about the specified finding |
| get_finding_recommendation | Retrieves information about a finding recommendation for the specified analyzer |
| get_finding_v2 | Retrieves information about the specified finding |
| get_generated_policy | Retrieves the policy that was generated using StartPolicyGeneration |
| list_access_preview_findings | Retrieves a list of access preview findings generated by the specified access preview |
| list_access_previews | Retrieves a list of access previews for the specified analyzer |
| list_analyzed_resources | Retrieves a list of resources of the specified type that have been analyzed by the specified external access analyzer |
| list_analyzers | Retrieves a list of analyzers |
| list_archive_rules | Retrieves a list of archive rules created for the specified analyzer |
| list_findings | Retrieves a list of findings generated by the specified analyzer |
| list_findings_v2 | Retrieves a list of findings generated by the specified analyzer |
| list_policy_generations | Lists all of the policy generations requested in the last seven days |
| list_tags_for_resource | Retrieves a list of tags applied to the specified resource |
| start_policy_generation | Starts the policy generation request |
| start_resource_scan | Immediately starts a scan of the policies applied to the specified resource |
| tag_resource | Adds a tag to the specified resource |
| untag_resource | Removes a tag from the specified resource |
| update_archive_rule | Updates the criteria and values for the specified archive rule |
| update_findings | Updates the status for the specified findings |
| validate_policy | Requests the validation of a policy and returns a list of findings |
## Not run: svc <- accessanalyzer() svc$check_access_not_granted( access = list( list( actions = list( "s3:PutObject" ) ) ), policyDocument = "{"Version":"2012-10-17","Id":"123","Statement":[{"Sid":...", policyType = "RESOURCE_POLICY" ) ## End(Not run)## Not run: svc <- accessanalyzer() svc$check_access_not_granted( access = list( list( actions = list( "s3:PutObject" ) ) ), policyDocument = "{"Version":"2012-10-17","Id":"123","Statement":[{"Sid":...", policyType = "RESOURCE_POLICY" ) ## End(Not run)
Operations for Amazon Web Services Account Management
account(config = list(), credentials = list(), endpoint = NULL, region = NULL)account(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- account(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| accept_primary_email_update | Accepts the request that originated from StartPrimaryEmailUpdate to update the primary email address (also known as the root user email address) for the specified account |
| delete_alternate_contact | Deletes the specified alternate contact from an Amazon Web Services account |
| disable_region | Disables (opts-out) a particular Region for an account |
| enable_region | Enables (opts-in) a particular Region for an account |
| get_alternate_contact | Retrieves the specified alternate contact attached to an Amazon Web Services account |
| get_contact_information | Retrieves the primary contact information of an Amazon Web Services account |
| get_primary_email | Retrieves the primary email address for the specified account |
| get_region_opt_status | Retrieves the opt-in status of a particular Region |
| list_regions | Lists all the Regions for a given account and their respective opt-in statuses |
| put_alternate_contact | Modifies the specified alternate contact attached to an Amazon Web Services account |
| put_contact_information | Updates the primary contact information of an Amazon Web Services account |
| start_primary_email_update | Starts the process to update the primary email address for the specified account |
## Not run: svc <- account() svc$accept_primary_email_update( Foo = 123 ) ## End(Not run)## Not run: svc <- account() svc$accept_primary_email_update( Foo = 123 ) ## End(Not run)
Certificate Manager
You can use Certificate Manager (ACM) to manage SSL/TLS certificates for your Amazon Web Services-based websites and applications. For more information about using ACM, see the Certificate Manager User Guide.
acm(config = list(), credentials = list(), endpoint = NULL, region = NULL)acm(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- acm(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| add_tags_to_certificate | Adds one or more tags to an ACM certificate |
| delete_certificate | Deletes a certificate and its associated private key |
| describe_certificate | Returns detailed metadata about the specified ACM certificate |
| export_certificate | Exports a private certificate issued by a private certificate authority (CA) for use anywhere |
| get_account_configuration | Returns the account configuration options associated with an Amazon Web Services account |
| get_certificate | Retrieves a certificate and its certificate chain |
| import_certificate | Imports a certificate into Certificate Manager (ACM) to use with services that are integrated with ACM |
| list_certificates | Retrieves a list of certificate ARNs and domain names |
| list_tags_for_certificate | Lists the tags that have been applied to the ACM certificate |
| put_account_configuration | Adds or modifies account-level configurations in ACM |
| remove_tags_from_certificate | Remove one or more tags from an ACM certificate |
| renew_certificate | Renews an eligible ACM certificate |
| request_certificate | Requests an ACM certificate for use with other Amazon Web Services services |
| resend_validation_email | Resends the email that requests domain ownership validation |
| update_certificate_options | Updates a certificate |
## Not run: svc <- acm() svc$add_tags_to_certificate( Foo = 123 ) ## End(Not run)## Not run: svc <- acm() svc$add_tags_to_certificate( Foo = 123 ) ## End(Not run)
This is the Amazon Web Services Private Certificate Authority API Reference. It provides descriptions, syntax, and usage examples for each of the actions and data types involved in creating and managing a private certificate authority (CA) for your organization.
The documentation for each action shows the API request parameters and the JSON response. Alternatively, you can use one of the Amazon Web Services SDKs to access an API that is tailored to the programming language or platform that you prefer. For more information, see Amazon Web Services SDKs.
Each Amazon Web Services Private CA API operation has a quota that determines the number of times the operation can be called per second. Amazon Web Services Private CA throttles API requests at different rates depending on the operation. Throttling means that Amazon Web Services Private CA rejects an otherwise valid request because the request exceeds the operation's quota for the number of requests per second. When a request is throttled, Amazon Web Services Private CA returns a ThrottlingException error. Amazon Web Services Private CA does not guarantee a minimum request rate for APIs.
To see an up-to-date list of your Amazon Web Services Private CA quotas, or to request a quota increase, log into your Amazon Web Services account and visit the Service Quotas console.
acmpca(config = list(), credentials = list(), endpoint = NULL, region = NULL)acmpca(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- acmpca(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| create_certificate_authority | Creates a root or subordinate private certificate authority (CA) |
| create_certificate_authority_audit_report | Creates an audit report that lists every time that your CA private key is used |
| create_permission | Grants one or more permissions on a private CA to the Certificate Manager (ACM) service principal (acm |
| delete_certificate_authority | Deletes a private certificate authority (CA) |
| delete_permission | Revokes permissions on a private CA granted to the Certificate Manager (ACM) service principal (acm |
| delete_policy | Deletes the resource-based policy attached to a private CA |
| describe_certificate_authority | Lists information about your private certificate authority (CA) or one that has been shared with you |
| describe_certificate_authority_audit_report | Lists information about a specific audit report created by calling the CreateCertificateAuthorityAuditReport action |
| get_certificate | Retrieves a certificate from your private CA or one that has been shared with you |
| get_certificate_authority_certificate | Retrieves the certificate and certificate chain for your private certificate authority (CA) or one that has been shared with you |
| get_certificate_authority_csr | Retrieves the certificate signing request (CSR) for your private certificate authority (CA) |
| get_policy | Retrieves the resource-based policy attached to a private CA |
| import_certificate_authority_certificate | Imports a signed private CA certificate into Amazon Web Services Private CA |
| issue_certificate | Uses your private certificate authority (CA), or one that has been shared with you, to issue a client certificate |
| list_certificate_authorities | Lists the private certificate authorities that you created by using the CreateCertificateAuthority action |
| list_permissions | List all permissions on a private CA, if any, granted to the Certificate Manager (ACM) service principal (acm |
| list_tags | Lists the tags, if any, that are associated with your private CA or one that has been shared with you |
| put_policy | Attaches a resource-based policy to a private CA |
| restore_certificate_authority | Restores a certificate authority (CA) that is in the DELETED state |
| revoke_certificate | Revokes a certificate that was issued inside Amazon Web Services Private CA |
| tag_certificate_authority | Adds one or more tags to your private CA |
| untag_certificate_authority | Remove one or more tags from your private CA |
| update_certificate_authority | Updates the status or configuration of a private certificate authority (CA) |
## Not run: svc <- acmpca() svc$create_certificate_authority( Foo = 123 ) ## End(Not run)## Not run: svc <- acmpca() svc$create_certificate_authority( Foo = 123 ) ## End(Not run)
Amazon Cloud Directory
Amazon Cloud Directory is a component of the AWS Directory Service that simplifies the development and management of cloud-scale web, mobile, and IoT applications. This guide describes the Cloud Directory operations that you can call programmatically and includes detailed information on data types and errors. For information about Cloud Directory features, see AWS Directory Service and the Amazon Cloud Directory Developer Guide.
clouddirectory( config = list(), credentials = list(), endpoint = NULL, region = NULL )clouddirectory( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- clouddirectory(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| add_facet_to_object | Adds a new Facet to an object |
| apply_schema | Copies the input published schema, at the specified version, into the Directory with the same name and version as that of the published schema |
| attach_object | Attaches an existing object to another object |
| attach_policy | Attaches a policy object to a regular object |
| attach_to_index | Attaches the specified object to the specified index |
| attach_typed_link | Attaches a typed link to a specified source and target object |
| batch_read | Performs all the read operations in a batch |
| batch_write | Performs all the write operations in a batch |
| create_directory | Creates a Directory by copying the published schema into the directory |
| create_facet | Creates a new Facet in a schema |
| create_index | Creates an index object |
| create_object | Creates an object in a Directory |
| create_schema | Creates a new schema in a development state |
| create_typed_link_facet | Creates a TypedLinkFacet |
| delete_directory | Deletes a directory |
| delete_facet | Deletes a given Facet |
| delete_object | Deletes an object and its associated attributes |
| delete_schema | Deletes a given schema |
| delete_typed_link_facet | Deletes a TypedLinkFacet |
| detach_from_index | Detaches the specified object from the specified index |
| detach_object | Detaches a given object from the parent object |
| detach_policy | Detaches a policy from an object |
| detach_typed_link | Detaches a typed link from a specified source and target object |
| disable_directory | Disables the specified directory |
| enable_directory | Enables the specified directory |
| get_applied_schema_version | Returns current applied schema version ARN, including the minor version in use |
| get_directory | Retrieves metadata about a directory |
| get_facet | Gets details of the Facet, such as facet name, attributes, Rules, or ObjectType |
| get_link_attributes | Retrieves attributes that are associated with a typed link |
| get_object_attributes | Retrieves attributes within a facet that are associated with an object |
| get_object_information | Retrieves metadata about an object |
| get_schema_as_json | Retrieves a JSON representation of the schema |
| get_typed_link_facet_information | Returns the identity attribute order for a specific TypedLinkFacet |
| list_applied_schema_arns | Lists schema major versions applied to a directory |
| list_attached_indices | Lists indices attached to the specified object |
| list_development_schema_arns | Retrieves each Amazon Resource Name (ARN) of schemas in the development state |
| list_directories | Lists directories created within an account |
| list_facet_attributes | Retrieves attributes attached to the facet |
| list_facet_names | Retrieves the names of facets that exist in a schema |
| list_incoming_typed_links | Returns a paginated list of all the incoming TypedLinkSpecifier information for an object |
| list_index | Lists objects attached to the specified index |
| list_managed_schema_arns | Lists the major version families of each managed schema |
| list_object_attributes | Lists all attributes that are associated with an object |
| list_object_children | Returns a paginated list of child objects that are associated with a given object |
| list_object_parent_paths | Retrieves all available parent paths for any object type such as node, leaf node, policy node, and index node objects |
| list_object_parents | Lists parent objects that are associated with a given object in pagination fashion |
| list_object_policies | Returns policies attached to an object in pagination fashion |
| list_outgoing_typed_links | Returns a paginated list of all the outgoing TypedLinkSpecifier information for an object |
| list_policy_attachments | Returns all of the ObjectIdentifiers to which a given policy is attached |
| list_published_schema_arns | Lists the major version families of each published schema |
| list_tags_for_resource | Returns tags for a resource |
| list_typed_link_facet_attributes | Returns a paginated list of all attribute definitions for a particular TypedLinkFacet |
| list_typed_link_facet_names | Returns a paginated list of TypedLink facet names for a particular schema |
| lookup_policy | Lists all policies from the root of the Directory to the object specified |
| publish_schema | Publishes a development schema with a major version and a recommended minor version |
| put_schema_from_json | Allows a schema to be updated using JSON upload |
| remove_facet_from_object | Removes the specified facet from the specified object |
| tag_resource | An API operation for adding tags to a resource |
| untag_resource | An API operation for removing tags from a resource |
| update_facet | Does the following: |
| update_link_attributes | Updates a given typed link’s attributes |
| update_object_attributes | Updates a given object's attributes |
| update_schema | Updates the schema name with a new name |
| update_typed_link_facet | Updates a TypedLinkFacet |
| upgrade_applied_schema | Upgrades a single directory in-place using the PublishedSchemaArn with schema updates found in MinorVersion |
| upgrade_published_schema | Upgrades a published schema under a new minor version revision using the current contents of DevelopmentSchemaArn |
## Not run: svc <- clouddirectory() svc$add_facet_to_object( Foo = 123 ) ## End(Not run)## Not run: svc <- clouddirectory() svc$add_facet_to_object( Foo = 123 ) ## End(Not run)
AWS CloudHSM Service
This is documentation for AWS CloudHSM Classic. For more information, see AWS CloudHSM Classic FAQs, the AWS CloudHSM Classic User Guide, and the AWS CloudHSM Classic API Reference.
For information about the current version of AWS CloudHSM, see AWS CloudHSM, the AWS CloudHSM User Guide, and the AWS CloudHSM API Reference.
cloudhsm(config = list(), credentials = list(), endpoint = NULL, region = NULL)cloudhsm(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- cloudhsm(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| add_tags_to_resource | This is documentation for AWS CloudHSM Classic |
| create_hapg | This is documentation for AWS CloudHSM Classic |
| create_hsm | This is documentation for AWS CloudHSM Classic |
| create_luna_client | This is documentation for AWS CloudHSM Classic |
| delete_hapg | This is documentation for AWS CloudHSM Classic |
| delete_hsm | This is documentation for AWS CloudHSM Classic |
| delete_luna_client | This is documentation for AWS CloudHSM Classic |
| describe_hapg | This is documentation for AWS CloudHSM Classic |
| describe_hsm | This is documentation for AWS CloudHSM Classic |
| describe_luna_client | This is documentation for AWS CloudHSM Classic |
| get_config | This is documentation for AWS CloudHSM Classic |
| list_available_zones | This is documentation for AWS CloudHSM Classic |
| list_hapgs | This is documentation for AWS CloudHSM Classic |
| list_hsms | This is documentation for AWS CloudHSM Classic |
| list_luna_clients | This is documentation for AWS CloudHSM Classic |
| list_tags_for_resource | This is documentation for AWS CloudHSM Classic |
| modify_hapg | This is documentation for AWS CloudHSM Classic |
| modify_hsm | This is documentation for AWS CloudHSM Classic |
| modify_luna_client | This is documentation for AWS CloudHSM Classic |
| remove_tags_from_resource | This is documentation for AWS CloudHSM Classic |
## Not run: svc <- cloudhsm() svc$add_tags_to_resource( Foo = 123 ) ## End(Not run)## Not run: svc <- cloudhsm() svc$add_tags_to_resource( Foo = 123 ) ## End(Not run)
For more information about CloudHSM, see CloudHSM and the CloudHSM User Guide.
cloudhsmv2( config = list(), credentials = list(), endpoint = NULL, region = NULL )cloudhsmv2( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- cloudhsmv2(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| copy_backup_to_region | Copy an CloudHSM cluster backup to a different region |
| create_cluster | Creates a new CloudHSM cluster |
| create_hsm | Creates a new hardware security module (HSM) in the specified CloudHSM cluster |
| delete_backup | Deletes a specified CloudHSM backup |
| delete_cluster | Deletes the specified CloudHSM cluster |
| delete_hsm | Deletes the specified HSM |
| delete_resource_policy | Deletes an CloudHSM resource policy |
| describe_backups | Gets information about backups of CloudHSM clusters |
| describe_clusters | Gets information about CloudHSM clusters |
| get_resource_policy | Retrieves the resource policy document attached to a given resource |
| initialize_cluster | Claims an CloudHSM cluster by submitting the cluster certificate issued by your issuing certificate authority (CA) and the CA's root certificate |
| list_tags | Gets a list of tags for the specified CloudHSM cluster |
| modify_backup_attributes | Modifies attributes for CloudHSM backup |
| modify_cluster | Modifies CloudHSM cluster |
| put_resource_policy | Creates or updates an CloudHSM resource policy |
| restore_backup | Restores a specified CloudHSM backup that is in the PENDING_DELETION state |
| tag_resource | Adds or overwrites one or more tags for the specified CloudHSM cluster |
| untag_resource | Removes the specified tag or tags from the specified CloudHSM cluster |
## Not run: svc <- cloudhsmv2() svc$copy_backup_to_region( Foo = 123 ) ## End(Not run)## Not run: svc <- cloudhsmv2() svc$copy_backup_to_region( Foo = 123 ) ## End(Not run)
Amazon Cognito Federated Identities
Amazon Cognito Federated Identities is a web service that delivers scoped temporary credentials to mobile devices and other untrusted environments. It uniquely identifies a device and supplies the user with a consistent identity over the lifetime of an application.
Using Amazon Cognito Federated Identities, you can enable authentication with one or more third-party identity providers (Facebook, Google, or Login with Amazon) or an Amazon Cognito user pool, and you can also choose to support unauthenticated access from your app. Cognito delivers a unique identifier for each user and acts as an OpenID token provider trusted by AWS Security Token Service (STS) to access temporary, limited-privilege AWS credentials.
For a description of the authentication flow from the Amazon Cognito Developer Guide see Authentication Flow.
For more information see Amazon Cognito Federated Identities.
cognitoidentity( config = list(), credentials = list(), endpoint = NULL, region = NULL )cognitoidentity( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- cognitoidentity(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| create_identity_pool | Creates a new identity pool |
| delete_identities | Deletes identities from an identity pool |
| delete_identity_pool | Deletes an identity pool |
| describe_identity | Returns metadata related to the given identity, including when the identity was created and any associated linked logins |
| describe_identity_pool | Gets details about a particular identity pool, including the pool name, ID description, creation date, and current number of users |
| get_credentials_for_identity | Returns credentials for the provided identity ID |
| get_id | Generates (or retrieves) a Cognito ID |
| get_identity_pool_roles | Gets the roles for an identity pool |
| get_open_id_token | Gets an OpenID token, using a known Cognito ID |
| get_open_id_token_for_developer_identity | Registers (or retrieves) a Cognito IdentityId and an OpenID Connect token for a user authenticated by your backend authentication process |
| get_principal_tag_attribute_map | Use GetPrincipalTagAttributeMap to list all mappings between PrincipalTags and user attributes |
| list_identities | Lists the identities in an identity pool |
| list_identity_pools | Lists all of the Cognito identity pools registered for your account |
| list_tags_for_resource | Lists the tags that are assigned to an Amazon Cognito identity pool |
| lookup_developer_identity | Retrieves the IdentityID associated with a DeveloperUserIdentifier or the list of DeveloperUserIdentifier values associated with an IdentityId for an existing identity |
| merge_developer_identities | Merges two users having different IdentityIds, existing in the same identity pool, and identified by the same developer provider |
| set_identity_pool_roles | Sets the roles for an identity pool |
| set_principal_tag_attribute_map | You can use this operation to use default (username and clientID) attribute or custom attribute mappings |
| tag_resource | Assigns a set of tags to the specified Amazon Cognito identity pool |
| unlink_developer_identity | Unlinks a DeveloperUserIdentifier from an existing identity |
| unlink_identity | Unlinks a federated identity from an existing account |
| untag_resource | Removes the specified tags from the specified Amazon Cognito identity pool |
| update_identity_pool | Updates an identity pool |
## Not run: svc <- cognitoidentity() svc$create_identity_pool( Foo = 123 ) ## End(Not run)## Not run: svc <- cognitoidentity() svc$create_identity_pool( Foo = 123 ) ## End(Not run)
With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To authenticate users from third-party identity providers (IdPs) in this API, you can link IdP users to native user profiles. Learn more about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.
This API reference provides detailed information about API operations and object types in Amazon Cognito.
Along with resource management operations, the Amazon Cognito user pools API includes classes of operations and authorization models for client-side and server-side authentication of users. You can interact with operations in the Amazon Cognito user pools API as any of the following subjects.
An administrator who wants to configure user pools, app clients, users, groups, or other user pool functions.
A server-side app, like a web application, that wants to use its Amazon Web Services privileges to manage, authenticate, or authorize a user.
A client-side app, like a mobile app, that wants to make unauthenticated requests to manage, authenticate, or authorize a user.
For more information, see Using the Amazon Cognito user pools API and user pool endpoints in the Amazon Cognito Developer Guide.
With your Amazon Web Services SDK, you can build the logic to support
operational flows in every use case for this API. You can also make
direct REST API requests to Amazon Cognito user pools service endpoints.
The following links can get you started with the
CognitoIdentityProvider client in other supported Amazon Web Services
SDKs.
To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services SDKs.
cognitoidentityprovider( config = list(), credentials = list(), endpoint = NULL, region = NULL )cognitoidentityprovider( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- cognitoidentityprovider(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| add_custom_attributes | Adds additional user attributes to the user pool schema |
| admin_add_user_to_group | Adds a user to a group |
| admin_confirm_sign_up | This IAM-authenticated API operation confirms user sign-up as an administrator |
| admin_create_user | Creates a new user in the specified user pool |
| admin_delete_user | Deletes a user as an administrator |
| admin_delete_user_attributes | Deletes the user attributes in a user pool as an administrator |
| admin_disable_provider_for_user | Prevents the user from signing in with the specified external (SAML or social) identity provider (IdP) |
| admin_disable_user | Deactivates a user and revokes all access tokens for the user |
| admin_enable_user | Enables the specified user as an administrator |
| admin_forget_device | Forgets the device, as an administrator |
| admin_get_device | Gets the device, as an administrator |
| admin_get_user | Gets the specified user by user name in a user pool as an administrator |
| admin_initiate_auth | Initiates the authentication flow, as an administrator |
| admin_link_provider_for_user | Links an existing user account in a user pool (DestinationUser) to an identity from an external IdP (SourceUser) based on a specified attribute name and value from the external IdP |
| admin_list_devices | Lists devices, as an administrator |
| admin_list_groups_for_user | Lists the groups that a user belongs to |
| admin_list_user_auth_events | A history of user activity and any risks detected as part of Amazon Cognito advanced security |
| admin_remove_user_from_group | Removes the specified user from the specified group |
| admin_reset_user_password | Resets the specified user's password in a user pool as an administrator |
| admin_respond_to_auth_challenge | Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge |
| admin_set_user_mfa_preference | The user's multi-factor authentication (MFA) preference, including which MFA options are activated, and if any are preferred |
| admin_set_user_password | Sets the specified user's password in a user pool as an administrator |
| admin_set_user_settings | This action is no longer supported |
| admin_update_auth_event_feedback | Provides feedback for an authentication event indicating if it was from a valid user |
| admin_update_device_status | Updates the device status as an administrator |
| admin_update_user_attributes | This action might generate an SMS text message |
| admin_user_global_sign_out | Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user |
| associate_software_token | Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA) for a user, with a unique private key that Amazon Cognito generates and returns in the API response |
| change_password | Changes the password for a specified user in a user pool |
| confirm_device | Confirms tracking of the device |
| confirm_forgot_password | Allows a user to enter a confirmation code to reset a forgotten password |
| confirm_sign_up | This public API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool via the SignUp API operation |
| create_group | Creates a new group in the specified user pool |
| create_identity_provider | Adds a configuration and trust relationship between a third-party identity provider (IdP) and a user pool |
| create_resource_server | Creates a new OAuth2 |
| create_user_import_job | Creates a user import job |
| create_user_pool | This action might generate an SMS text message |
| create_user_pool_client | Creates the user pool client |
| create_user_pool_domain | Creates a new domain for a user pool |
| delete_group | Deletes a group |
| delete_identity_provider | Deletes an IdP for a user pool |
| delete_resource_server | Deletes a resource server |
| delete_user | Allows a user to delete their own user profile |
| delete_user_attributes | Deletes the attributes for a user |
| delete_user_pool | Deletes the specified Amazon Cognito user pool |
| delete_user_pool_client | Allows the developer to delete the user pool client |
| delete_user_pool_domain | Deletes a domain for a user pool |
| describe_identity_provider | Gets information about a specific IdP |
| describe_resource_server | Describes a resource server |
| describe_risk_configuration | Describes the risk configuration |
| describe_user_import_job | Describes the user import job |
| describe_user_pool | Returns the configuration information and metadata of the specified user pool |
| describe_user_pool_client | Client method for returning the configuration information and metadata of the specified user pool app client |
| describe_user_pool_domain | Gets information about a domain |
| forget_device | Forgets the specified device |
| forgot_password | Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password |
| get_csv_header | Gets the header information for the comma-separated value (CSV) file to be used as input for the user import job |
| get_device | Gets the device |
| get_group | Gets a group |
| get_identity_provider_by_identifier | Gets the specified IdP |
| get_log_delivery_configuration | Gets the logging configuration of a user pool |
| get_signing_certificate | This method takes a user pool ID, and returns the signing certificate |
| get_ui_customization | Gets the user interface (UI) Customization information for a particular app client's app UI, if any such information exists for the client |
| get_user | Gets the user attributes and metadata for a user |
| get_user_attribute_verification_code | Generates a user attribute verification code for the specified attribute name |
| get_user_pool_mfa_config | Gets the user pool multi-factor authentication (MFA) configuration |
| global_sign_out | Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user |
| initiate_auth | Initiates sign-in for a user in the Amazon Cognito user directory |
| list_devices | Lists the sign-in devices that Amazon Cognito has registered to the current user |
| list_groups | Lists the groups associated with a user pool |
| list_identity_providers | Lists information about all IdPs for a user pool |
| list_resource_servers | Lists the resource servers for a user pool |
| list_tags_for_resource | Lists the tags that are assigned to an Amazon Cognito user pool |
| list_user_import_jobs | Lists user import jobs for a user pool |
| list_user_pool_clients | Lists the clients that have been created for the specified user pool |
| list_user_pools | Lists the user pools associated with an Amazon Web Services account |
| list_users | Lists users and their basic details in a user pool |
| list_users_in_group | Lists the users in the specified group |
| resend_confirmation_code | Resends the confirmation (for confirmation of registration) to a specific user in the user pool |
| respond_to_auth_challenge | Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge |
| revoke_token | Revokes all of the access tokens generated by, and at the same time as, the specified refresh token |
| set_log_delivery_configuration | Sets up or modifies the logging configuration of a user pool |
| set_risk_configuration | Configures actions on detected risks |
| set_ui_customization | Sets the user interface (UI) customization information for a user pool's built-in app UI |
| set_user_mfa_preference | Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are activated and if any are preferred |
| set_user_pool_mfa_config | Sets the user pool multi-factor authentication (MFA) configuration |
| set_user_settings | This action is no longer supported |
| sign_up | Registers the user in the specified user pool and creates a user name, password, and user attributes |
| start_user_import_job | Starts the user import |
| stop_user_import_job | Stops the user import job |
| tag_resource | Assigns a set of tags to an Amazon Cognito user pool |
| untag_resource | Removes the specified tags from an Amazon Cognito user pool |
| update_auth_event_feedback | Provides the feedback for an authentication event, whether it was from a valid user or not |
| update_device_status | Updates the device status |
| update_group | Updates the specified group with the specified attributes |
| update_identity_provider | Updates IdP information for a user pool |
| update_resource_server | Updates the name and scopes of resource server |
| update_user_attributes | With this operation, your users can update one or more of their attributes with their own credentials |
| update_user_pool | This action might generate an SMS text message |
| update_user_pool_client | Updates the specified user pool app client with the specified attributes |
| update_user_pool_domain | Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool |
| verify_software_token | Use this API to register a user's entered time-based one-time password (TOTP) code and mark the user's software token MFA status as "verified" if successful |
| verify_user_attribute | Verifies the specified user attributes in the user pool |
## Not run: svc <- cognitoidentityprovider() # This request submits a value for all possible parameters for # AdminCreateUser. svc$admin_create_user( DesiredDeliveryMediums = list( "SMS" ), MessageAction = "SUPPRESS", TemporaryPassword = "This-is-my-test-99!", UserAttributes = list( list( Name = "name", Value = "John" ), list( Name = "phone_number", Value = "+12065551212" ), list( Name = "email", Value = "[email protected]" ) ), UserPoolId = "us-east-1_EXAMPLE", Username = "testuser" ) ## End(Not run)## Not run: svc <- cognitoidentityprovider() # This request submits a value for all possible parameters for # AdminCreateUser. svc$admin_create_user( DesiredDeliveryMediums = list( "SMS" ), MessageAction = "SUPPRESS", TemporaryPassword = "This-is-my-test-99!", UserAttributes = list( list( Name = "name", Value = "John" ), list( Name = "phone_number", Value = "+12065551212" ), list( Name = "email", Value = "[email protected]" ) ), UserPoolId = "us-east-1_EXAMPLE", Username = "testuser" ) ## End(Not run)
Amazon Cognito Sync provides an AWS service and client library that enable cross-device syncing of application-related user data. High-level client libraries are available for both iOS and Android. You can use these libraries to persist data locally so that it's available even if the device is offline. Developer credentials don't need to be stored on the mobile device to access the service. You can use Amazon Cognito to obtain a normalized user ID and credentials. User data is persisted in a dataset that can store up to 1 MB of key-value pairs, and you can have up to 20 datasets per user identity.
With Amazon Cognito Sync, the data stored for each identity is accessible only to credentials assigned to that identity. In order to use the Cognito Sync service, you need to make API calls using credentials retrieved with Amazon Cognito Identity service.
If you want to use Cognito Sync in an Android or iOS application, you will probably want to make API calls via the AWS Mobile SDK. To learn more, see the Developer Guide for Android and the Developer Guide for iOS.
cognitosync( config = list(), credentials = list(), endpoint = NULL, region = NULL )cognitosync( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- cognitosync(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| bulk_publish | Initiates a bulk publish of all existing datasets for an Identity Pool to the configured stream |
| delete_dataset | Deletes the specific dataset |
| describe_dataset | Gets meta data about a dataset by identity and dataset name |
| describe_identity_pool_usage | Gets usage details (for example, data storage) about a particular identity pool |
| describe_identity_usage | Gets usage information for an identity, including number of datasets and data usage |
| get_bulk_publish_details | Get the status of the last BulkPublish operation for an identity pool |
| get_cognito_events | Gets the events and the corresponding Lambda functions associated with an identity pool |
| get_identity_pool_configuration | Gets the configuration settings of an identity pool |
| list_datasets | Lists datasets for an identity |
| list_identity_pool_usage | Gets a list of identity pools registered with Cognito |
| list_records | Gets paginated records, optionally changed after a particular sync count for a dataset and identity |
| register_device | Registers a device to receive push sync notifications |
| set_cognito_events | Sets the AWS Lambda function for a given event type for an identity pool |
| set_identity_pool_configuration | Sets the necessary configuration for push sync |
| subscribe_to_dataset | Subscribes to receive notifications when a dataset is modified by another device |
| unsubscribe_from_dataset | Unsubscribes from receiving notifications when a dataset is modified by another device |
| update_records | Posts updates to records and adds and deletes records for a dataset and user |
## Not run: svc <- cognitosync() svc$bulk_publish( Foo = 123 ) ## End(Not run)## Not run: svc <- cognitosync() svc$bulk_publish( Foo = 123 ) ## End(Not run)
Detective uses machine learning and purpose-built visualizations to help you to analyze and investigate security issues across your Amazon Web Services (Amazon Web Services) workloads. Detective automatically extracts time-based events such as login attempts, API calls, and network traffic from CloudTrail and Amazon Virtual Private Cloud (Amazon VPC) flow logs. It also extracts findings detected by Amazon GuardDuty.
The Detective API primarily supports the creation and management of behavior graphs. A behavior graph contains the extracted data from a set of member accounts, and is created and managed by an administrator account.
To add a member account to the behavior graph, the administrator account sends an invitation to the account. When the account accepts the invitation, it becomes a member account in the behavior graph.
Detective is also integrated with Organizations. The organization management account designates the Detective administrator account for the organization. That account becomes the administrator account for the organization behavior graph. The Detective administrator account is also the delegated administrator account for Detective in Organizations.
The Detective administrator account can enable any organization account as a member account in the organization behavior graph. The organization accounts do not receive invitations. The Detective administrator account can also invite other accounts to the organization behavior graph.
Every behavior graph is specific to a Region. You can only use the API to manage behavior graphs that belong to the Region that is associated with the currently selected endpoint.
The administrator account for a behavior graph can use the Detective API to do the following:
Enable and disable Detective. Enabling Detective creates a new behavior graph.
View the list of member accounts in a behavior graph.
Add member accounts to a behavior graph.
Remove member accounts from a behavior graph.
Apply tags to a behavior graph.
The organization management account can use the Detective API to select the delegated administrator for Detective.
The Detective administrator account for an organization can use the Detective API to do the following:
Perform all of the functions of an administrator account.
Determine whether to automatically enable new organization accounts as member accounts in the organization behavior graph.
An invited member account can use the Detective API to do the following:
View the list of behavior graphs that they are invited to.
Accept an invitation to contribute to a behavior graph.
Decline an invitation to contribute to a behavior graph.
Remove their account from a behavior graph.
All API actions are logged as CloudTrail events. See Logging Detective API Calls with CloudTrail.
We replaced the term "master account" with the term "administrator account". An administrator account is used to centrally manage multiple accounts. In the case of Detective, the administrator account manages the accounts in their behavior graph.
detective( config = list(), credentials = list(), endpoint = NULL, region = NULL )detective( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- detective(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| accept_invitation | Accepts an invitation for the member account to contribute data to a behavior graph |
| batch_get_graph_member_datasources | Gets data source package information for the behavior graph |
| batch_get_membership_datasources | Gets information on the data source package history for an account |
| create_graph | Creates a new behavior graph for the calling account, and sets that account as the administrator account |
| create_members | CreateMembers is used to send invitations to accounts |
| delete_graph | Disables the specified behavior graph and queues it to be deleted |
| delete_members | Removes the specified member accounts from the behavior graph |
| describe_organization_configuration | Returns information about the configuration for the organization behavior graph |
| disable_organization_admin_account | Removes the Detective administrator account in the current Region |
| disassociate_membership | Removes the member account from the specified behavior graph |
| enable_organization_admin_account | Designates the Detective administrator account for the organization in the current Region |
| get_investigation | Detective investigations lets you investigate IAM users and IAM roles using indicators of compromise |
| get_members | Returns the membership details for specified member accounts for a behavior graph |
| list_datasource_packages | Lists data source packages in the behavior graph |
| list_graphs | Returns the list of behavior graphs that the calling account is an administrator account of |
| list_indicators | Gets the indicators from an investigation |
| list_investigations | Detective investigations lets you investigate IAM users and IAM roles using indicators of compromise |
| list_invitations | Retrieves the list of open and accepted behavior graph invitations for the member account |
| list_members | Retrieves the list of member accounts for a behavior graph |
| list_organization_admin_accounts | Returns information about the Detective administrator account for an organization |
| list_tags_for_resource | Returns the tag values that are assigned to a behavior graph |
| reject_invitation | Rejects an invitation to contribute the account data to a behavior graph |
| start_investigation | Detective investigations lets you investigate IAM users and IAM roles using indicators of compromise |
| start_monitoring_member | Sends a request to enable data ingest for a member account that has a status of ACCEPTED_BUT_DISABLED |
| tag_resource | Applies tag values to a behavior graph |
| untag_resource | Removes tags from a behavior graph |
| update_datasource_packages | Starts a data source packages for the behavior graph |
| update_investigation_state | Updates the state of an investigation |
| update_organization_configuration | Updates the configuration for the Organizations integration in the current Region |
## Not run: svc <- detective() svc$accept_invitation( Foo = 123 ) ## End(Not run)## Not run: svc <- detective() svc$accept_invitation( Foo = 123 ) ## End(Not run)
Directory Service
Directory Service is a web service that makes it easy for you to setup and run directories in the Amazon Web Services cloud, or connect your Amazon Web Services resources with an existing self-managed Microsoft Active Directory. This guide provides detailed information about Directory Service operations, data types, parameters, and errors. For information about Directory Services features, see Directory Service and the Directory Service Administration Guide.
Amazon Web Services provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .Net, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to Directory Service and other Amazon Web Services services. For more information about the Amazon Web Services SDKs, including how to download and install them, see Tools for Amazon Web Services.
directoryservice( config = list(), credentials = list(), endpoint = NULL, region = NULL )directoryservice( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- directoryservice(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| accept_shared_directory | Accepts a directory sharing request that was sent from the directory owner account |
| add_ip_routes | If the DNS server for your self-managed domain uses a publicly addressable IP address, you must add a CIDR address block to correctly route traffic to and from your Microsoft AD on Amazon Web Services |
| add_region | Adds two domain controllers in the specified Region for the specified directory |
| add_tags_to_resource | Adds or overwrites one or more tags for the specified directory |
| cancel_schema_extension | Cancels an in-progress schema extension to a Microsoft AD directory |
| connect_directory | Creates an AD Connector to connect to a self-managed directory |
| create_alias | Creates an alias for a directory and assigns the alias to the directory |
| create_computer | Creates an Active Directory computer object in the specified directory |
| create_conditional_forwarder | Creates a conditional forwarder associated with your Amazon Web Services directory |
| create_directory | Creates a Simple AD directory |
| create_log_subscription | Creates a subscription to forward real-time Directory Service domain controller security logs to the specified Amazon CloudWatch log group in your Amazon Web Services account |
| create_microsoft_ad | Creates a Microsoft AD directory in the Amazon Web Services Cloud |
| create_snapshot | Creates a snapshot of a Simple AD or Microsoft AD directory in the Amazon Web Services cloud |
| create_trust | Directory Service for Microsoft Active Directory allows you to configure trust relationships |
| delete_conditional_forwarder | Deletes a conditional forwarder that has been set up for your Amazon Web Services directory |
| delete_directory | Deletes an Directory Service directory |
| delete_log_subscription | Deletes the specified log subscription |
| delete_snapshot | Deletes a directory snapshot |
| delete_trust | Deletes an existing trust relationship between your Managed Microsoft AD directory and an external domain |
| deregister_certificate | Deletes from the system the certificate that was registered for secure LDAP or client certificate authentication |
| deregister_event_topic | Removes the specified directory as a publisher to the specified Amazon SNS topic |
| describe_certificate | Displays information about the certificate registered for secure LDAP or client certificate authentication |
| describe_client_authentication_settings | Retrieves information about the type of client authentication for the specified directory, if the type is specified |
| describe_conditional_forwarders | Obtains information about the conditional forwarders for this account |
| describe_directories | Obtains information about the directories that belong to this account |
| describe_domain_controllers | Provides information about any domain controllers in your directory |
| describe_event_topics | Obtains information about which Amazon SNS topics receive status messages from the specified directory |
| describe_ldaps_settings | Describes the status of LDAP security for the specified directory |
| describe_regions | Provides information about the Regions that are configured for multi-Region replication |
| describe_settings | Retrieves information about the configurable settings for the specified directory |
| describe_shared_directories | Returns the shared directories in your account |
| describe_snapshots | Obtains information about the directory snapshots that belong to this account |
| describe_trusts | Obtains information about the trust relationships for this account |
| describe_update_directory | Describes the updates of a directory for a particular update type |
| disable_client_authentication | Disables alternative client authentication methods for the specified directory |
| disable_ldaps | Deactivates LDAP secure calls for the specified directory |
| disable_radius | Disables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector or Microsoft AD directory |
| disable_sso | Disables single-sign on for a directory |
| enable_client_authentication | Enables alternative client authentication methods for the specified directory |
| enable_ldaps | Activates the switch for the specific directory to always use LDAP secure calls |
| enable_radius | Enables multi-factor authentication (MFA) with the Remote Authentication Dial In User Service (RADIUS) server for an AD Connector or Microsoft AD directory |
| enable_sso | Enables single sign-on for a directory |
| get_directory_limits | Obtains directory limit information for the current Region |
| get_snapshot_limits | Obtains the manual snapshot limits for a directory |
| list_certificates | For the specified directory, lists all the certificates registered for a secure LDAP or client certificate authentication |
| list_ip_routes | Lists the address blocks that you have added to a directory |
| list_log_subscriptions | Lists the active log subscriptions for the Amazon Web Services account |
| list_schema_extensions | Lists all schema extensions applied to a Microsoft AD Directory |
| list_tags_for_resource | Lists all tags on a directory |
| register_certificate | Registers a certificate for a secure LDAP or client certificate authentication |
| register_event_topic | Associates a directory with an Amazon SNS topic |
| reject_shared_directory | Rejects a directory sharing request that was sent from the directory owner account |
| remove_ip_routes | Removes IP address blocks from a directory |
| remove_region | Stops all replication and removes the domain controllers from the specified Region |
| remove_tags_from_resource | Removes tags from a directory |
| reset_user_password | Resets the password for any user in your Managed Microsoft AD or Simple AD directory |
| restore_from_snapshot | Restores a directory using an existing directory snapshot |
| share_directory | Shares a specified directory (DirectoryId) in your Amazon Web Services account (directory owner) with another Amazon Web Services account (directory consumer) |
| start_schema_extension | Applies a schema extension to a Microsoft AD directory |
| unshare_directory | Stops the directory sharing between the directory owner and consumer accounts |
| update_conditional_forwarder | Updates a conditional forwarder that has been set up for your Amazon Web Services directory |
| update_directory_setup | Updates the directory for a particular update type |
| update_number_of_domain_controllers | Adds or removes domain controllers to or from the directory |
| update_radius | Updates the Remote Authentication Dial In User Service (RADIUS) server information for an AD Connector or Microsoft AD directory |
| update_settings | Updates the configurable settings for the specified directory |
| update_trust | Updates the trust that has been set up between your Managed Microsoft AD directory and an self-managed Active Directory |
| verify_trust | Directory Service for Microsoft Active Directory allows you to configure and verify trust relationships |
## Not run: svc <- directoryservice() svc$accept_shared_directory( Foo = 123 ) ## End(Not run)## Not run: svc <- directoryservice() svc$accept_shared_directory( Foo = 123 ) ## End(Not run)
This is the Firewall Manager API Reference. This guide is for developers who need detailed information about the Firewall Manager API actions, data types, and errors. For detailed information about Firewall Manager features, see the Firewall Manager Developer Guide.
Some API actions require explicit resource permissions. For information, see the developer guide topic Service roles for Firewall Manager.
fms(config = list(), credentials = list(), endpoint = NULL, region = NULL)fms(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- fms(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| associate_admin_account | Sets a Firewall Manager default administrator account |
| associate_third_party_firewall | Sets the Firewall Manager policy administrator as a tenant administrator of a third-party firewall service |
| batch_associate_resource | Associate resources to a Firewall Manager resource set |
| batch_disassociate_resource | Disassociates resources from a Firewall Manager resource set |
| delete_apps_list | Permanently deletes an Firewall Manager applications list |
| delete_notification_channel | Deletes an Firewall Manager association with the IAM role and the Amazon Simple Notification Service (SNS) topic that is used to record Firewall Manager SNS logs |
| delete_policy | Permanently deletes an Firewall Manager policy |
| delete_protocols_list | Permanently deletes an Firewall Manager protocols list |
| delete_resource_set | Deletes the specified ResourceSet |
| disassociate_admin_account | Disassociates an Firewall Manager administrator account |
| disassociate_third_party_firewall | Disassociates a Firewall Manager policy administrator from a third-party firewall tenant |
| get_admin_account | Returns the Organizations account that is associated with Firewall Manager as the Firewall Manager default administrator |
| get_admin_scope | Returns information about the specified account's administrative scope |
| get_apps_list | Returns information about the specified Firewall Manager applications list |
| get_compliance_detail | Returns detailed compliance information about the specified member account |
| get_notification_channel | Information about the Amazon Simple Notification Service (SNS) topic that is used to record Firewall Manager SNS logs |
| get_policy | Returns information about the specified Firewall Manager policy |
| get_protection_status | If you created a Shield Advanced policy, returns policy-level attack summary information in the event of a potential DDoS attack |
| get_protocols_list | Returns information about the specified Firewall Manager protocols list |
| get_resource_set | Gets information about a specific resource set |
| get_third_party_firewall_association_status | The onboarding status of a Firewall Manager admin account to third-party firewall vendor tenant |
| get_violation_details | Retrieves violations for a resource based on the specified Firewall Manager policy and Amazon Web Services account |
| list_admin_accounts_for_organization | Returns a AdminAccounts object that lists the Firewall Manager administrators within the organization that are onboarded to Firewall Manager by AssociateAdminAccount |
| list_admins_managing_account | Lists the accounts that are managing the specified Organizations member account |
| list_apps_lists | Returns an array of AppsListDataSummary objects |
| list_compliance_status | Returns an array of PolicyComplianceStatus objects |
| list_discovered_resources | Returns an array of resources in the organization's accounts that are available to be associated with a resource set |
| list_member_accounts | Returns a MemberAccounts object that lists the member accounts in the administrator's Amazon Web Services organization |
| list_policies | Returns an array of PolicySummary objects |
| list_protocols_lists | Returns an array of ProtocolsListDataSummary objects |
| list_resource_set_resources | Returns an array of resources that are currently associated to a resource set |
| list_resource_sets | Returns an array of ResourceSetSummary objects |
| list_tags_for_resource | Retrieves the list of tags for the specified Amazon Web Services resource |
| list_third_party_firewall_firewall_policies | Retrieves a list of all of the third-party firewall policies that are associated with the third-party firewall administrator's account |
| put_admin_account | Creates or updates an Firewall Manager administrator account |
| put_apps_list | Creates an Firewall Manager applications list |
| put_notification_channel | Designates the IAM role and Amazon Simple Notification Service (SNS) topic that Firewall Manager uses to record SNS logs |
| put_policy | Creates an Firewall Manager policy |
| put_protocols_list | Creates an Firewall Manager protocols list |
| put_resource_set | Creates the resource set |
| tag_resource | Adds one or more tags to an Amazon Web Services resource |
| untag_resource | Removes one or more tags from an Amazon Web Services resource |
## Not run: svc <- fms() svc$associate_admin_account( Foo = 123 ) ## End(Not run)## Not run: svc <- fms() svc$associate_admin_account( Foo = 123 ) ## End(Not run)
Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following foundational data sources - VPC flow logs, Amazon Web Services CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, DNS logs, Amazon EBS volume data, runtime activity belonging to container workloads, such as Amazon EKS, Amazon ECS (including Amazon Web Services Fargate), and Amazon EC2 instances. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your Amazon Web Services environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, domains, or presence of malware on your Amazon EC2 instances and container workloads. For example, GuardDuty can detect compromised EC2 instances and container workloads serving malware, or mining bitcoin.
GuardDuty also monitors Amazon Web Services account access behavior for signs of compromise, such as unauthorized infrastructure deployments like EC2 instances deployed in a Region that has never been used, or unusual API calls like a password policy change to reduce password strength.
GuardDuty informs you about the status of your Amazon Web Services environment by producing security findings that you can view in the GuardDuty console or through Amazon EventBridge. For more information, see the Amazon GuardDuty User Guide .
guardduty( config = list(), credentials = list(), endpoint = NULL, region = NULL )guardduty( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- guardduty(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| accept_administrator_invitation | Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation |
| accept_invitation | Accepts the invitation to be monitored by a GuardDuty administrator account |
| archive_findings | Archives GuardDuty findings that are specified by the list of finding IDs |
| create_detector | Creates a single GuardDuty detector |
| create_filter | Creates a filter using the specified finding criteria |
| create_ip_set | Creates a new IPSet, which is called a trusted IP list in the console user interface |
| create_malware_protection_plan | Creates a new Malware Protection plan for the protected resource |
| create_members | Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs |
| create_publishing_destination | Creates a publishing destination to export findings to |
| create_sample_findings | Generates sample findings of types specified by the list of finding types |
| create_threat_intel_set | Creates a new ThreatIntelSet |
| decline_invitations | Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs |
| delete_detector | Deletes an Amazon GuardDuty detector that is specified by the detector ID |
| delete_filter | Deletes the filter specified by the filter name |
| delete_invitations | Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs |
| delete_ip_set | Deletes the IPSet specified by the ipSetId |
| delete_malware_protection_plan | Deletes the Malware Protection plan ID associated with the Malware Protection plan resource |
| delete_members | Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs |
| delete_publishing_destination | Deletes the publishing definition with the specified destinationId |
| delete_threat_intel_set | Deletes the ThreatIntelSet specified by the ThreatIntelSet ID |
| describe_malware_scans | Returns a list of malware scans |
| describe_organization_configuration | Returns information about the account selected as the delegated administrator for GuardDuty |
| describe_publishing_destination | Returns information about the publishing destination specified by the provided destinationId |
| disable_organization_admin_account | Removes the existing GuardDuty delegated administrator of the organization |
| disassociate_from_administrator_account | Disassociates the current GuardDuty member account from its administrator account |
| disassociate_from_master_account | Disassociates the current GuardDuty member account from its administrator account |
| disassociate_members | Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs |
| enable_organization_admin_account | Designates an Amazon Web Services account within the organization as your GuardDuty delegated administrator |
| get_administrator_account | Provides the details of the GuardDuty administrator account associated with the current GuardDuty member account |
| get_coverage_statistics | Retrieves aggregated statistics for your account |
| get_detector | Retrieves an Amazon GuardDuty detector specified by the detectorId |
| get_filter | Returns the details of the filter specified by the filter name |
| get_findings | Describes Amazon GuardDuty findings specified by finding IDs |
| get_findings_statistics | Lists Amazon GuardDuty findings statistics for the specified detector ID |
| get_invitations_count | Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation |
| get_ip_set | Retrieves the IPSet specified by the ipSetId |
| get_malware_protection_plan | Retrieves the Malware Protection plan details associated with a Malware Protection plan ID |
| get_malware_scan_settings | Returns the details of the malware scan settings |
| get_master_account | Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account |
| get_member_detectors | Describes which data sources are enabled for the member account's detector |
| get_members | Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs |
| get_organization_statistics | Retrieves how many active member accounts have each feature enabled within GuardDuty |
| get_remaining_free_trial_days | Provides the number of days left for each data source used in the free trial period |
| get_threat_intel_set | Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID |
| get_usage_statistics | Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID |
| invite_members | Invites Amazon Web Services accounts to become members of an organization administered by the Amazon Web Services account that invokes this API |
| list_coverage | Lists coverage details for your GuardDuty account |
| list_detectors | Lists detectorIds of all the existing Amazon GuardDuty detector resources |
| list_filters | Returns a paginated list of the current filters |
| list_findings | Lists GuardDuty findings for the specified detector ID |
| list_invitations | Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account |
| list_ip_sets | Lists the IPSets of the GuardDuty service specified by the detector ID |
| list_malware_protection_plans | Lists the Malware Protection plan IDs associated with the protected resources in your Amazon Web Services account |
| list_members | Lists details about all member accounts for the current GuardDuty administrator account |
| list_organization_admin_accounts | Lists the accounts designated as GuardDuty delegated administrators |
| list_publishing_destinations | Returns a list of publishing destinations associated with the specified detectorId |
| list_tags_for_resource | Lists tags for a resource |
| list_threat_intel_sets | Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID |
| start_malware_scan | Initiates the malware scan |
| start_monitoring_members | Turns on GuardDuty monitoring of the specified member accounts |
| stop_monitoring_members | Stops GuardDuty monitoring for the specified member accounts |
| tag_resource | Adds tags to a resource |
| unarchive_findings | Unarchives GuardDuty findings specified by the findingIds |
| untag_resource | Removes tags from a resource |
| update_detector | Updates the GuardDuty detector specified by the detector ID |
| update_filter | Updates the filter specified by the filter name |
| update_findings_feedback | Marks the specified GuardDuty findings as useful or not useful |
| update_ip_set | Updates the IPSet specified by the IPSet ID |
| update_malware_protection_plan | Updates an existing Malware Protection plan resource |
| update_malware_scan_settings | Updates the malware scan settings |
| update_member_detectors | Contains information on member accounts to be updated |
| update_organization_configuration | Configures the delegated administrator account with the provided values |
| update_publishing_destination | Updates information about the publishing destination specified by the destinationId |
| update_threat_intel_set | Updates the ThreatIntelSet specified by the ThreatIntelSet ID |
## Not run: svc <- guardduty() svc$accept_administrator_invitation( Foo = 123 ) ## End(Not run)## Not run: svc <- guardduty() svc$accept_administrator_invitation( Foo = 123 ) ## End(Not run)
Identity and Access Management
Identity and Access Management (IAM) is a web service for securely controlling access to Amazon Web Services services. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which Amazon Web Services resources users and applications can access. For more information about IAM, see Identity and Access Management (IAM) and the Identity and Access Management User Guide.
iam(config = list(), credentials = list(), endpoint = NULL, region = NULL)iam(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- iam(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| add_client_id_to_open_id_connect_provider | Adds a new client ID (also known as audience) to the list of client IDs already registered for the specified IAM OpenID Connect (OIDC) provider resource |
| add_role_to_instance_profile | Adds the specified IAM role to the specified instance profile |
| add_user_to_group | Adds the specified user to the specified group |
| attach_group_policy | Attaches the specified managed policy to the specified IAM group |
| attach_role_policy | Attaches the specified managed policy to the specified IAM role |
| attach_user_policy | Attaches the specified managed policy to the specified user |
| change_password | Changes the password of the IAM user who is calling this operation |
| create_access_key | Creates a new Amazon Web Services secret access key and corresponding Amazon Web Services access key ID for the specified user |
| create_account_alias | Creates an alias for your Amazon Web Services account |
| create_group | Creates a new group |
| create_instance_profile | Creates a new instance profile |
| create_login_profile | Creates a password for the specified IAM user |
| create_open_id_connect_provider | Creates an IAM entity to describe an identity provider (IdP) that supports OpenID Connect (OIDC) |
| create_policy | Creates a new managed policy for your Amazon Web Services account |
| create_policy_version | Creates a new version of the specified managed policy |
| create_role | Creates a new role for your Amazon Web Services account |
| create_saml_provider | Creates an IAM resource that describes an identity provider (IdP) that supports SAML 2 |
| create_service_linked_role | Creates an IAM role that is linked to a specific Amazon Web Services service |
| create_service_specific_credential | Generates a set of credentials consisting of a user name and password that can be used to access the service specified in the request |
| create_user | Creates a new IAM user for your Amazon Web Services account |
| create_virtual_mfa_device | Creates a new virtual MFA device for the Amazon Web Services account |
| deactivate_mfa_device | Deactivates the specified MFA device and removes it from association with the user name for which it was originally enabled |
| delete_access_key | Deletes the access key pair associated with the specified IAM user |
| delete_account_alias | Deletes the specified Amazon Web Services account alias |
| delete_account_password_policy | Deletes the password policy for the Amazon Web Services account |
| delete_group | Deletes the specified IAM group |
| delete_group_policy | Deletes the specified inline policy that is embedded in the specified IAM group |
| delete_instance_profile | Deletes the specified instance profile |
| delete_login_profile | Deletes the password for the specified IAM user, For more information, see Managing passwords for IAM users |
| delete_open_id_connect_provider | Deletes an OpenID Connect identity provider (IdP) resource object in IAM |
| delete_policy | Deletes the specified managed policy |
| delete_policy_version | Deletes the specified version from the specified managed policy |
| delete_role | Deletes the specified role |
| delete_role_permissions_boundary | Deletes the permissions boundary for the specified IAM role |
| delete_role_policy | Deletes the specified inline policy that is embedded in the specified IAM role |
| delete_saml_provider | Deletes a SAML provider resource in IAM |
| delete_server_certificate | Deletes the specified server certificate |
| delete_service_linked_role | Submits a service-linked role deletion request and returns a DeletionTaskId, which you can use to check the status of the deletion |
| delete_service_specific_credential | Deletes the specified service-specific credential |
| delete_signing_certificate | Deletes a signing certificate associated with the specified IAM user |
| delete_ssh_public_key | Deletes the specified SSH public key |
| delete_user | Deletes the specified IAM user |
| delete_user_permissions_boundary | Deletes the permissions boundary for the specified IAM user |
| delete_user_policy | Deletes the specified inline policy that is embedded in the specified IAM user |
| delete_virtual_mfa_device | Deletes a virtual MFA device |
| detach_group_policy | Removes the specified managed policy from the specified IAM group |
| detach_role_policy | Removes the specified managed policy from the specified role |
| detach_user_policy | Removes the specified managed policy from the specified user |
| enable_mfa_device | Enables the specified MFA device and associates it with the specified IAM user |
| generate_credential_report | Generates a credential report for the Amazon Web Services account |
| generate_organizations_access_report | Generates a report for service last accessed data for Organizations |
| generate_service_last_accessed_details | Generates a report that includes details about when an IAM resource (user, group, role, or policy) was last used in an attempt to access Amazon Web Services services |
| get_access_key_last_used | Retrieves information about when the specified access key was last used |
| get_account_authorization_details | Retrieves information about all IAM users, groups, roles, and policies in your Amazon Web Services account, including their relationships to one another |
| get_account_password_policy | Retrieves the password policy for the Amazon Web Services account |
| get_account_summary | Retrieves information about IAM entity usage and IAM quotas in the Amazon Web Services account |
| get_context_keys_for_custom_policy | Gets a list of all of the context keys referenced in the input policies |
| get_context_keys_for_principal_policy | Gets a list of all of the context keys referenced in all the IAM policies that are attached to the specified IAM entity |
| get_credential_report | Retrieves a credential report for the Amazon Web Services account |
| get_group | Returns a list of IAM users that are in the specified IAM group |
| get_group_policy | Retrieves the specified inline policy document that is embedded in the specified IAM group |
| get_instance_profile | Retrieves information about the specified instance profile, including the instance profile's path, GUID, ARN, and role |
| get_login_profile | Retrieves the user name for the specified IAM user |
| get_mfa_device | Retrieves information about an MFA device for a specified user |
| get_open_id_connect_provider | Returns information about the specified OpenID Connect (OIDC) provider resource object in IAM |
| get_organizations_access_report | Retrieves the service last accessed data report for Organizations that was previously generated using the GenerateOrganizationsAccessReport operation |
| get_policy | Retrieves information about the specified managed policy, including the policy's default version and the total number of IAM users, groups, and roles to which the policy is attached |
| get_policy_version | Retrieves information about the specified version of the specified managed policy, including the policy document |
| get_role | Retrieves information about the specified role, including the role's path, GUID, ARN, and the role's trust policy that grants permission to assume the role |
| get_role_policy | Retrieves the specified inline policy document that is embedded with the specified IAM role |
| get_saml_provider | Returns the SAML provider metadocument that was uploaded when the IAM SAML provider resource object was created or updated |
| get_server_certificate | Retrieves information about the specified server certificate stored in IAM |
| get_service_last_accessed_details | Retrieves a service last accessed report that was created using the GenerateServiceLastAccessedDetails operation |
| get_service_last_accessed_details_with_entities | After you generate a group or policy report using the GenerateServiceLastAccessedDetails operation, you can use the JobId parameter in GetServiceLastAccessedDetailsWithEntities |
| get_service_linked_role_deletion_status | Retrieves the status of your service-linked role deletion |
| get_ssh_public_key | Retrieves the specified SSH public key, including metadata about the key |
| get_user | Retrieves information about the specified IAM user, including the user's creation date, path, unique ID, and ARN |
| get_user_policy | Retrieves the specified inline policy document that is embedded in the specified IAM user |
| list_access_keys | Returns information about the access key IDs associated with the specified IAM user |
| list_account_aliases | Lists the account alias associated with the Amazon Web Services account (Note: you can have only one) |
| list_attached_group_policies | Lists all managed policies that are attached to the specified IAM group |
| list_attached_role_policies | Lists all managed policies that are attached to the specified IAM role |
| list_attached_user_policies | Lists all managed policies that are attached to the specified IAM user |
| list_entities_for_policy | Lists all IAM users, groups, and roles that the specified managed policy is attached to |
| list_group_policies | Lists the names of the inline policies that are embedded in the specified IAM group |
| list_groups | Lists the IAM groups that have the specified path prefix |
| list_groups_for_user | Lists the IAM groups that the specified IAM user belongs to |
| list_instance_profiles | Lists the instance profiles that have the specified path prefix |
| list_instance_profiles_for_role | Lists the instance profiles that have the specified associated IAM role |
| list_instance_profile_tags | Lists the tags that are attached to the specified IAM instance profile |
| list_mfa_devices | Lists the MFA devices for an IAM user |
| list_mfa_device_tags | Lists the tags that are attached to the specified IAM virtual multi-factor authentication (MFA) device |
| list_open_id_connect_providers | Lists information about the IAM OpenID Connect (OIDC) provider resource objects defined in the Amazon Web Services account |
| list_open_id_connect_provider_tags | Lists the tags that are attached to the specified OpenID Connect (OIDC)-compatible identity provider |
| list_policies | Lists all the managed policies that are available in your Amazon Web Services account, including your own customer-defined managed policies and all Amazon Web Services managed policies |
| list_policies_granting_service_access | Retrieves a list of policies that the IAM identity (user, group, or role) can use to access each specified service |
| list_policy_tags | Lists the tags that are attached to the specified IAM customer managed policy |
| list_policy_versions | Lists information about the versions of the specified managed policy, including the version that is currently set as the policy's default version |
| list_role_policies | Lists the names of the inline policies that are embedded in the specified IAM role |
| list_roles | Lists the IAM roles that have the specified path prefix |
| list_role_tags | Lists the tags that are attached to the specified role |
| list_saml_providers | Lists the SAML provider resource objects defined in IAM in the account |
| list_saml_provider_tags | Lists the tags that are attached to the specified Security Assertion Markup Language (SAML) identity provider |
| list_server_certificates | Lists the server certificates stored in IAM that have the specified path prefix |
| list_server_certificate_tags | Lists the tags that are attached to the specified IAM server certificate |
| list_service_specific_credentials | Returns information about the service-specific credentials associated with the specified IAM user |
| list_signing_certificates | Returns information about the signing certificates associated with the specified IAM user |
| list_ssh_public_keys | Returns information about the SSH public keys associated with the specified IAM user |
| list_user_policies | Lists the names of the inline policies embedded in the specified IAM user |
| list_users | Lists the IAM users that have the specified path prefix |
| list_user_tags | Lists the tags that are attached to the specified IAM user |
| list_virtual_mfa_devices | Lists the virtual MFA devices defined in the Amazon Web Services account by assignment status |
| put_group_policy | Adds or updates an inline policy document that is embedded in the specified IAM group |
| put_role_permissions_boundary | Adds or updates the policy that is specified as the IAM role's permissions boundary |
| put_role_policy | Adds or updates an inline policy document that is embedded in the specified IAM role |
| put_user_permissions_boundary | Adds or updates the policy that is specified as the IAM user's permissions boundary |
| put_user_policy | Adds or updates an inline policy document that is embedded in the specified IAM user |
| remove_client_id_from_open_id_connect_provider | Removes the specified client ID (also known as audience) from the list of client IDs registered for the specified IAM OpenID Connect (OIDC) provider resource object |
| remove_role_from_instance_profile | Removes the specified IAM role from the specified Amazon EC2 instance profile |
| remove_user_from_group | Removes the specified user from the specified group |
| reset_service_specific_credential | Resets the password for a service-specific credential |
| resync_mfa_device | Synchronizes the specified MFA device with its IAM resource object on the Amazon Web Services servers |
| set_default_policy_version | Sets the specified version of the specified policy as the policy's default (operative) version |
| set_security_token_service_preferences | Sets the specified version of the global endpoint token as the token version used for the Amazon Web Services account |
| simulate_custom_policy | Simulate how a set of IAM policies and optionally a resource-based policy works with a list of API operations and Amazon Web Services resources to determine the policies' effective permissions |
| simulate_principal_policy | Simulate how a set of IAM policies attached to an IAM entity works with a list of API operations and Amazon Web Services resources to determine the policies' effective permissions |
| tag_instance_profile | Adds one or more tags to an IAM instance profile |
| tag_mfa_device | Adds one or more tags to an IAM virtual multi-factor authentication (MFA) device |
| tag_open_id_connect_provider | Adds one or more tags to an OpenID Connect (OIDC)-compatible identity provider |
| tag_policy | Adds one or more tags to an IAM customer managed policy |
| tag_role | Adds one or more tags to an IAM role |
| tag_saml_provider | Adds one or more tags to a Security Assertion Markup Language (SAML) identity provider |
| tag_server_certificate | Adds one or more tags to an IAM server certificate |
| tag_user | Adds one or more tags to an IAM user |
| untag_instance_profile | Removes the specified tags from the IAM instance profile |
| untag_mfa_device | Removes the specified tags from the IAM virtual multi-factor authentication (MFA) device |
| untag_open_id_connect_provider | Removes the specified tags from the specified OpenID Connect (OIDC)-compatible identity provider in IAM |
| untag_policy | Removes the specified tags from the customer managed policy |
| untag_role | Removes the specified tags from the role |
| untag_saml_provider | Removes the specified tags from the specified Security Assertion Markup Language (SAML) identity provider in IAM |
| untag_server_certificate | Removes the specified tags from the IAM server certificate |
| untag_user | Removes the specified tags from the user |
| update_access_key | Changes the status of the specified access key from Active to Inactive, or vice versa |
| update_account_password_policy | Updates the password policy settings for the Amazon Web Services account |
| update_assume_role_policy | Updates the policy that grants an IAM entity permission to assume a role |
| update_group | Updates the name and/or the path of the specified IAM group |
| update_login_profile | Changes the password for the specified IAM user |
| update_open_id_connect_provider_thumbprint | Replaces the existing list of server certificate thumbprints associated with an OpenID Connect (OIDC) provider resource object with a new list of thumbprints |
| update_role | Updates the description or maximum session duration setting of a role |
| update_role_description | Use UpdateRole instead |
| update_saml_provider | Updates the metadata document for an existing SAML provider resource object |
| update_server_certificate | Updates the name and/or the path of the specified server certificate stored in IAM |
| update_service_specific_credential | Sets the status of a service-specific credential to Active or Inactive |
| update_signing_certificate | Changes the status of the specified user signing certificate from active to disabled, or vice versa |
| update_ssh_public_key | Sets the status of an IAM user's SSH public key to active or inactive |
| update_user | Updates the name and/or the path of the specified IAM user |
| upload_server_certificate | Uploads a server certificate entity for the Amazon Web Services account |
| upload_signing_certificate | Uploads an X |
| upload_ssh_public_key | Uploads an SSH public key and associates it with the specified IAM user |
## Not run: svc <- iam() # The following add-client-id-to-open-id-connect-provider command adds the # client ID my-application-ID to the OIDC provider named # server.example.com: svc$add_client_id_to_open_id_connect_provider( ClientID = "my-application-ID", OpenIDConnectProviderArn = "arn:aws:iam::123456789012:oidc-provider/server.example.com" ) ## End(Not run)## Not run: svc <- iam() # The following add-client-id-to-open-id-connect-provider command adds the # client ID my-application-ID to the OIDC provider named # server.example.com: svc$add_client_id_to_open_id_connect_provider( ClientID = "my-application-ID", OpenIDConnectProviderArn = "arn:aws:iam::123456789012:oidc-provider/server.example.com" ) ## End(Not run)
Identity and Access Management Roles Anywhere provides a secure way for your workloads such as servers, containers, and applications that run outside of Amazon Web Services to obtain temporary Amazon Web Services credentials. Your workloads can use the same IAM policies and roles you have for native Amazon Web Services applications to access Amazon Web Services resources. Using IAM Roles Anywhere eliminates the need to manage long-term credentials for workloads running outside of Amazon Web Services.
To use IAM Roles Anywhere, your workloads must use X.509 certificates issued by their certificate authority (CA). You register the CA with IAM Roles Anywhere as a trust anchor to establish trust between your public key infrastructure (PKI) and IAM Roles Anywhere. If you don't manage your own PKI system, you can use Private Certificate Authority to create a CA and then use that to establish trust with IAM Roles Anywhere.
This guide describes the IAM Roles Anywhere operations that you can call programmatically. For more information about IAM Roles Anywhere, see the IAM Roles Anywhere User Guide.
iamrolesanywhere( config = list(), credentials = list(), endpoint = NULL, region = NULL )iamrolesanywhere( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- iamrolesanywhere(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| create_profile | Creates a profile, a list of the roles that Roles Anywhere service is trusted to assume |
| create_trust_anchor | Creates a trust anchor to establish trust between IAM Roles Anywhere and your certificate authority (CA) |
| delete_attribute_mapping | Delete an entry from the attribute mapping rules enforced by a given profile |
| delete_crl | Deletes a certificate revocation list (CRL) |
| delete_profile | Deletes a profile |
| delete_trust_anchor | Deletes a trust anchor |
| disable_crl | Disables a certificate revocation list (CRL) |
| disable_profile | Disables a profile |
| disable_trust_anchor | Disables a trust anchor |
| enable_crl | Enables a certificate revocation list (CRL) |
| enable_profile | Enables temporary credential requests for a profile |
| enable_trust_anchor | Enables a trust anchor |
| get_crl | Gets a certificate revocation list (CRL) |
| get_profile | Gets a profile |
| get_subject | Gets a subject, which associates a certificate identity with authentication attempts |
| get_trust_anchor | Gets a trust anchor |
| import_crl | Imports the certificate revocation list (CRL) |
| list_crls | Lists all certificate revocation lists (CRL) in the authenticated account and Amazon Web Services Region |
| list_profiles | Lists all profiles in the authenticated account and Amazon Web Services Region |
| list_subjects | Lists the subjects in the authenticated account and Amazon Web Services Region |
| list_tags_for_resource | Lists the tags attached to the resource |
| list_trust_anchors | Lists the trust anchors in the authenticated account and Amazon Web Services Region |
| put_attribute_mapping | Put an entry in the attribute mapping rules that will be enforced by a given profile |
| put_notification_settings | Attaches a list of notification settings to a trust anchor |
| reset_notification_settings | Resets the custom notification setting to IAM Roles Anywhere default setting |
| tag_resource | Attaches tags to a resource |
| untag_resource | Removes tags from the resource |
| update_crl | Updates the certificate revocation list (CRL) |
| update_profile | Updates a profile, a list of the roles that IAM Roles Anywhere service is trusted to assume |
| update_trust_anchor | Updates a trust anchor |
## Not run: svc <- iamrolesanywhere() svc$create_profile( Foo = 123 ) ## End(Not run)## Not run: svc <- iamrolesanywhere() svc$create_profile( Foo = 123 ) ## End(Not run)
The Identity Store service used by IAM Identity Center provides a single place to retrieve all of your identities (users and groups). For more information, see the IAM Identity Center User Guide.
This reference guide describes the identity store operations that you can call programmatically and includes detailed information about data types and errors.
IAM Identity Center uses the sso and identitystore API namespaces.
identitystore( config = list(), credentials = list(), endpoint = NULL, region = NULL )identitystore( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- identitystore(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| create_group | Creates a group within the specified identity store |
| create_group_membership | Creates a relationship between a member and a group |
| create_user | Creates a user within the specified identity store |
| delete_group | Delete a group within an identity store given GroupId |
| delete_group_membership | Delete a membership within a group given MembershipId |
| delete_user | Deletes a user within an identity store given UserId |
| describe_group | Retrieves the group metadata and attributes from GroupId in an identity store |
| describe_group_membership | Retrieves membership metadata and attributes from MembershipId in an identity store |
| describe_user | Retrieves the user metadata and attributes from the UserId in an identity store |
| get_group_id | Retrieves GroupId in an identity store |
| get_group_membership_id | Retrieves the MembershipId in an identity store |
| get_user_id | Retrieves the UserId in an identity store |
| is_member_in_groups | Checks the user's membership in all requested groups and returns if the member exists in all queried groups |
| list_group_memberships | For the specified group in the specified identity store, returns the list of all GroupMembership objects and returns results in paginated form |
| list_group_memberships_for_member | For the specified member in the specified identity store, returns the list of all GroupMembership objects and returns results in paginated form |
| list_groups | Lists all groups in the identity store |
| list_users | Lists all users in the identity store |
| update_group | For the specified group in the specified identity store, updates the group metadata and attributes |
| update_user | For the specified user in the specified identity store, updates the user metadata and attributes |
## Not run: svc <- identitystore() svc$create_group( Foo = 123 ) ## End(Not run)## Not run: svc <- identitystore() svc$create_group( Foo = 123 ) ## End(Not run)
Amazon Inspector enables you to analyze the behavior of your AWS resources and to identify potential security issues. For more information, see Amazon Inspector User Guide.
inspector( config = list(), credentials = list(), endpoint = NULL, region = NULL )inspector( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- inspector(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| add_attributes_to_findings | Assigns attributes (key and value pairs) to the findings that are specified by the ARNs of the findings |
| create_assessment_target | Creates a new assessment target using the ARN of the resource group that is generated by CreateResourceGroup |
| create_assessment_template | Creates an assessment template for the assessment target that is specified by the ARN of the assessment target |
| create_exclusions_preview | Starts the generation of an exclusions preview for the specified assessment template |
| create_resource_group | Creates a resource group using the specified set of tags (key and value pairs) that are used to select the EC2 instances to be included in an Amazon Inspector assessment target |
| delete_assessment_run | Deletes the assessment run that is specified by the ARN of the assessment run |
| delete_assessment_target | Deletes the assessment target that is specified by the ARN of the assessment target |
| delete_assessment_template | Deletes the assessment template that is specified by the ARN of the assessment template |
| describe_assessment_runs | Describes the assessment runs that are specified by the ARNs of the assessment runs |
| describe_assessment_targets | Describes the assessment targets that are specified by the ARNs of the assessment targets |
| describe_assessment_templates | Describes the assessment templates that are specified by the ARNs of the assessment templates |
| describe_cross_account_access_role | Describes the IAM role that enables Amazon Inspector to access your AWS account |
| describe_exclusions | Describes the exclusions that are specified by the exclusions' ARNs |
| describe_findings | Describes the findings that are specified by the ARNs of the findings |
| describe_resource_groups | Describes the resource groups that are specified by the ARNs of the resource groups |
| describe_rules_packages | Describes the rules packages that are specified by the ARNs of the rules packages |
| get_assessment_report | Produces an assessment report that includes detailed and comprehensive results of a specified assessment run |
| get_exclusions_preview | Retrieves the exclusions preview (a list of ExclusionPreview objects) specified by the preview token |
| get_telemetry_metadata | Information about the data that is collected for the specified assessment run |
| list_assessment_run_agents | Lists the agents of the assessment runs that are specified by the ARNs of the assessment runs |
| list_assessment_runs | Lists the assessment runs that correspond to the assessment templates that are specified by the ARNs of the assessment templates |
| list_assessment_targets | Lists the ARNs of the assessment targets within this AWS account |
| list_assessment_templates | Lists the assessment templates that correspond to the assessment targets that are specified by the ARNs of the assessment targets |
| list_event_subscriptions | Lists all the event subscriptions for the assessment template that is specified by the ARN of the assessment template |
| list_exclusions | List exclusions that are generated by the assessment run |
| list_findings | Lists findings that are generated by the assessment runs that are specified by the ARNs of the assessment runs |
| list_rules_packages | Lists all available Amazon Inspector rules packages |
| list_tags_for_resource | Lists all tags associated with an assessment template |
| preview_agents | Previews the agents installed on the EC2 instances that are part of the specified assessment target |
| register_cross_account_access_role | Registers the IAM role that grants Amazon Inspector access to AWS Services needed to perform security assessments |
| remove_attributes_from_findings | Removes entire attributes (key and value pairs) from the findings that are specified by the ARNs of the findings where an attribute with the specified key exists |
| set_tags_for_resource | Sets tags (key and value pairs) to the assessment template that is specified by the ARN of the assessment template |
| start_assessment_run | Starts the assessment run specified by the ARN of the assessment template |
| stop_assessment_run | Stops the assessment run that is specified by the ARN of the assessment run |
| subscribe_to_event | Enables the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic |
| unsubscribe_from_event | Disables the process of sending Amazon Simple Notification Service (SNS) notifications about a specified event to a specified SNS topic |
| update_assessment_target | Updates the assessment target that is specified by the ARN of the assessment target |
## Not run: svc <- inspector() # Assigns attributes (key and value pairs) to the findings that are # specified by the ARNs of the findings. svc$add_attributes_to_findings( attributes = list( list( key = "Example", value = "example" ) ), findingArns = list( "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-..." ) ) ## End(Not run)## Not run: svc <- inspector() # Assigns attributes (key and value pairs) to the findings that are # specified by the ARNs of the findings. svc$add_attributes_to_findings( attributes = list( list( key = "Example", value = "example" ) ), findingArns = list( "arn:aws:inspector:us-west-2:123456789012:target/0-0kFIPusq/template/0-..." ) ) ## End(Not run)
Amazon Inspector is a vulnerability discovery service that automates continuous scanning for security vulnerabilities within your Amazon EC2, Amazon ECR, and Amazon Web Services Lambda environments.
inspector2( config = list(), credentials = list(), endpoint = NULL, region = NULL )inspector2( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- inspector2(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| associate_member | Associates an Amazon Web Services account with an Amazon Inspector delegated administrator |
| batch_get_account_status | Retrieves the Amazon Inspector status of multiple Amazon Web Services accounts within your environment |
| batch_get_code_snippet | Retrieves code snippets from findings that Amazon Inspector detected code vulnerabilities in |
| batch_get_finding_details | Gets vulnerability details for findings |
| batch_get_free_trial_info | Gets free trial status for multiple Amazon Web Services accounts |
| batch_get_member_ec_2_deep_inspection_status | Retrieves Amazon Inspector deep inspection activation status of multiple member accounts within your organization |
| batch_update_member_ec_2_deep_inspection_status | Activates or deactivates Amazon Inspector deep inspection for the provided member accounts in your organization |
| cancel_findings_report | Cancels the given findings report |
| cancel_sbom_export | Cancels a software bill of materials (SBOM) report |
| create_cis_scan_configuration | Creates a CIS scan configuration |
| create_filter | Creates a filter resource using specified filter criteria |
| create_findings_report | Creates a finding report |
| create_sbom_export | Creates a software bill of materials (SBOM) report |
| delete_cis_scan_configuration | Deletes a CIS scan configuration |
| delete_filter | Deletes a filter resource |
| describe_organization_configuration | Describe Amazon Inspector configuration settings for an Amazon Web Services organization |
| disable | Disables Amazon Inspector scans for one or more Amazon Web Services accounts |
| disable_delegated_admin_account | Disables the Amazon Inspector delegated administrator for your organization |
| disassociate_member | Disassociates a member account from an Amazon Inspector delegated administrator |
| enable | Enables Amazon Inspector scans for one or more Amazon Web Services accounts |
| enable_delegated_admin_account | Enables the Amazon Inspector delegated administrator for your Organizations organization |
| get_cis_scan_report | Retrieves a CIS scan report |
| get_cis_scan_result_details | Retrieves CIS scan result details |
| get_configuration | Retrieves setting configurations for Inspector scans |
| get_delegated_admin_account | Retrieves information about the Amazon Inspector delegated administrator for your organization |
| get_ec_2_deep_inspection_configuration | Retrieves the activation status of Amazon Inspector deep inspection and custom paths associated with your account |
| get_encryption_key | Gets an encryption key |
| get_findings_report_status | Gets the status of a findings report |
| get_member | Gets member information for your organization |
| get_sbom_export | Gets details of a software bill of materials (SBOM) report |
| list_account_permissions | Lists the permissions an account has to configure Amazon Inspector |
| list_cis_scan_configurations | Lists CIS scan configurations |
| list_cis_scan_results_aggregated_by_checks | Lists scan results aggregated by checks |
| list_cis_scan_results_aggregated_by_target_resource | Lists scan results aggregated by a target resource |
| list_cis_scans | Returns a CIS scan list |
| list_coverage | Lists coverage details for you environment |
| list_coverage_statistics | Lists Amazon Inspector coverage statistics for your environment |
| list_delegated_admin_accounts | Lists information about the Amazon Inspector delegated administrator of your organization |
| list_filters | Lists the filters associated with your account |
| list_finding_aggregations | Lists aggregated finding data for your environment based on specific criteria |
| list_findings | Lists findings for your environment |
| list_members | List members associated with the Amazon Inspector delegated administrator for your organization |
| list_tags_for_resource | Lists all tags attached to a given resource |
| list_usage_totals | Lists the Amazon Inspector usage totals over the last 30 days |
| reset_encryption_key | Resets an encryption key |
| search_vulnerabilities | Lists Amazon Inspector coverage details for a specific vulnerability |
| send_cis_session_health | Sends a CIS session health |
| send_cis_session_telemetry | Sends a CIS session telemetry |
| start_cis_session | Starts a CIS session |
| stop_cis_session | Stops a CIS session |
| tag_resource | Adds tags to a resource |
| untag_resource | Removes tags from a resource |
| update_cis_scan_configuration | Updates a CIS scan configuration |
| update_configuration | Updates setting configurations for your Amazon Inspector account |
| update_ec_2_deep_inspection_configuration | Activates, deactivates Amazon Inspector deep inspection, or updates custom paths for your account |
| update_encryption_key | Updates an encryption key |
| update_filter | Specifies the action that is to be applied to the findings that match the filter |
| update_organization_configuration | Updates the configurations for your Amazon Inspector organization |
| update_org_ec_2_deep_inspection_configuration | Updates the Amazon Inspector deep inspection custom paths for your organization |
## Not run: svc <- inspector2() svc$associate_member( Foo = 123 ) ## End(Not run)## Not run: svc <- inspector2() svc$associate_member( Foo = 123 ) ## End(Not run)
Key Management Service
Key Management Service (KMS) is an encryption and key management web service. This guide describes the KMS operations that you can call programmatically. For general information about KMS, see the Key Management Service Developer Guide .
KMS has replaced the term customer master key (CMK) with KMS key and KMS key. The concept has not changed. To prevent breaking changes, KMS is keeping some variations of this term.
Amazon Web Services provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to KMS and other Amazon Web Services services. For example, the SDKs take care of tasks such as signing requests (see below), managing errors, and retrying requests automatically. For more information about the Amazon Web Services SDKs, including how to download and install them, see Tools for Amazon Web Services.
We recommend that you use the Amazon Web Services SDKs to make programmatic API calls to KMS.
If you need to use FIPS 140-2 validated cryptographic modules when communicating with Amazon Web Services, use the FIPS endpoint in your preferred Amazon Web Services Region. For more information about the available FIPS endpoints, see Service endpoints in the Key Management Service topic of the Amazon Web Services General Reference.
All KMS API calls must be signed and be transmitted using Transport Layer Security (TLS). KMS recommends you always use the latest supported TLS version. Clients must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.
Signing Requests
Requests must be signed using an access key ID and a secret access key. We strongly recommend that you do not use your Amazon Web Services account root access key ID and secret access key for everyday work. You can use the access key ID and secret access key for an IAM user or you can use the Security Token Service (STS) to generate temporary security credentials and use those to sign requests.
All KMS requests must be signed with Signature Version 4.
Logging API Requests
KMS supports CloudTrail, a service that logs Amazon Web Services API calls and related events for your Amazon Web Services account and delivers them to an Amazon S3 bucket that you specify. By using the information collected by CloudTrail, you can determine what requests were made to KMS, who made the request, when it was made, and so on. To learn more about CloudTrail, including how to turn it on and find your log files, see the CloudTrail User Guide.
Additional Resources
For more information about credentials and request signing, see the following:
Amazon Web Services Security Credentials - This topic provides general information about the types of credentials used to access Amazon Web Services.
Temporary Security Credentials - This section of the IAM User Guide describes how to create and use temporary security credentials.
Signature Version 4 Signing Process - This set of topics walks you through the process of signing a request using an access key ID and a secret access key.
Commonly Used API Operations
Of the API operations discussed in this guide, the following will prove the most useful for most applications. You will likely perform operations other than these, such as creating keys and assigning policies, by using the console.
kms(config = list(), credentials = list(), endpoint = NULL, region = NULL)kms(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- kms(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| cancel_key_deletion | Cancels the deletion of a KMS key |
| connect_custom_key_store | Connects or reconnects a custom key store to its backing key store |
| create_alias | Creates a friendly name for a KMS key |
| create_custom_key_store | Creates a custom key store backed by a key store that you own and manage |
| create_grant | Adds a grant to a KMS key |
| create_key | Creates a unique customer managed KMS key in your Amazon Web Services account and Region |
| decrypt | Decrypts ciphertext that was encrypted by a KMS key using any of the following operations: |
| delete_alias | Deletes the specified alias |
| delete_custom_key_store | Deletes a custom key store |
| delete_imported_key_material | Deletes key material that was previously imported |
| derive_shared_secret | Derives a shared secret using a key agreement algorithm |
| describe_custom_key_stores | Gets information about custom key stores in the account and Region |
| describe_key | Provides detailed information about a KMS key |
| disable_key | Sets the state of a KMS key to disabled |
| disable_key_rotation | Disables automatic rotation of the key material of the specified symmetric encryption KMS key |
| disconnect_custom_key_store | Disconnects the custom key store from its backing key store |
| enable_key | Sets the key state of a KMS key to enabled |
| enable_key_rotation | Enables automatic rotation of the key material of the specified symmetric encryption KMS key |
| encrypt | Encrypts plaintext of up to 4,096 bytes using a KMS key |
| generate_data_key | Returns a unique symmetric data key for use outside of KMS |
| generate_data_key_pair | Returns a unique asymmetric data key pair for use outside of KMS |
| generate_data_key_pair_without_plaintext | Returns a unique asymmetric data key pair for use outside of KMS |
| generate_data_key_without_plaintext | Returns a unique symmetric data key for use outside of KMS |
| generate_mac | Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS key and a MAC algorithm that the key supports |
| generate_random | Returns a random byte string that is cryptographically secure |
| get_key_policy | Gets a key policy attached to the specified KMS key |
| get_key_rotation_status | Provides detailed information about the rotation status for a KMS key, including whether automatic rotation of the key material is enabled for the specified KMS key, the rotation period, and the next scheduled rotation date |
| get_parameters_for_import | Returns the public key and an import token you need to import or reimport key material for a KMS key |
| get_public_key | Returns the public key of an asymmetric KMS key |
| import_key_material | Imports or reimports key material into an existing KMS key that was created without key material |
| list_aliases | Gets a list of aliases in the caller's Amazon Web Services account and region |
| list_grants | Gets a list of all grants for the specified KMS key |
| list_key_policies | Gets the names of the key policies that are attached to a KMS key |
| list_key_rotations | Returns information about all completed key material rotations for the specified KMS key |
| list_keys | Gets a list of all KMS keys in the caller's Amazon Web Services account and Region |
| list_resource_tags | Returns all tags on the specified KMS key |
| list_retirable_grants | Returns information about all grants in the Amazon Web Services account and Region that have the specified retiring principal |
| put_key_policy | Attaches a key policy to the specified KMS key |
| re_encrypt | Decrypts ciphertext and then reencrypts it entirely within KMS |
| replicate_key | Replicates a multi-Region key into the specified Region |
| retire_grant | Deletes a grant |
| revoke_grant | Deletes the specified grant |
| rotate_key_on_demand | Immediately initiates rotation of the key material of the specified symmetric encryption KMS key |
| schedule_key_deletion | Schedules the deletion of a KMS key |
| sign | Creates a digital signature for a message or message digest by using the private key in an asymmetric signing KMS key |
| tag_resource | Adds or edits tags on a customer managed key |
| untag_resource | Deletes tags from a customer managed key |
| update_alias | Associates an existing KMS alias with a different KMS key |
| update_custom_key_store | Changes the properties of a custom key store |
| update_key_description | Updates the description of a KMS key |
| update_primary_region | Changes the primary key of a multi-Region key |
| verify | Verifies a digital signature that was generated by the Sign operation |
| verify_mac | Verifies the hash-based message authentication code (HMAC) for a specified message, HMAC KMS key, and MAC algorithm |
## Not run: svc <- kms() # The following example cancels deletion of the specified KMS key. svc$cancel_key_deletion( KeyId = "1234abcd-12ab-34cd-56ef-1234567890ab" ) ## End(Not run)## Not run: svc <- kms() # The following example cancels deletion of the specified KMS key. svc$cancel_key_deletion( KeyId = "1234abcd-12ab-34cd-56ef-1234567890ab" ) ## End(Not run)
Amazon Macie
macie2(config = list(), credentials = list(), endpoint = NULL, region = NULL)macie2(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- macie2(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| accept_invitation | Accepts an Amazon Macie membership invitation that was received from a specific account |
| batch_get_custom_data_identifiers | Retrieves information about one or more custom data identifiers |
| batch_update_automated_discovery_accounts | Changes the status of automated sensitive data discovery for one or more accounts |
| create_allow_list | Creates and defines the settings for an allow list |
| create_classification_job | Creates and defines the settings for a classification job |
| create_custom_data_identifier | Creates and defines the criteria and other settings for a custom data identifier |
| create_findings_filter | Creates and defines the criteria and other settings for a findings filter |
| create_invitations | Sends an Amazon Macie membership invitation to one or more accounts |
| create_member | Associates an account with an Amazon Macie administrator account |
| create_sample_findings | Creates sample findings |
| decline_invitations | Declines Amazon Macie membership invitations that were received from specific accounts |
| delete_allow_list | Deletes an allow list |
| delete_custom_data_identifier | Soft deletes a custom data identifier |
| delete_findings_filter | Deletes a findings filter |
| delete_invitations | Deletes Amazon Macie membership invitations that were received from specific accounts |
| delete_member | Deletes the association between an Amazon Macie administrator account and an account |
| describe_buckets | Retrieves (queries) statistical data and other information about one or more S3 buckets that Amazon Macie monitors and analyzes for an account |
| describe_classification_job | Retrieves the status and settings for a classification job |
| describe_organization_configuration | Retrieves the Amazon Macie configuration settings for an organization in Organizations |
| disable_macie | Disables Amazon Macie and deletes all settings and resources for a Macie account |
| disable_organization_admin_account | Disables an account as the delegated Amazon Macie administrator account for an organization in Organizations |
| disassociate_from_administrator_account | Disassociates a member account from its Amazon Macie administrator account |
| disassociate_from_master_account | (Deprecated) Disassociates a member account from its Amazon Macie administrator account |
| disassociate_member | Disassociates an Amazon Macie administrator account from a member account |
| enable_macie | Enables Amazon Macie and specifies the configuration settings for a Macie account |
| enable_organization_admin_account | Designates an account as the delegated Amazon Macie administrator account for an organization in Organizations |
| get_administrator_account | Retrieves information about the Amazon Macie administrator account for an account |
| get_allow_list | Retrieves the settings and status of an allow list |
| get_automated_discovery_configuration | Retrieves the configuration settings and status of automated sensitive data discovery for an organization or standalone account |
| get_bucket_statistics | Retrieves (queries) aggregated statistical data about all the S3 buckets that Amazon Macie monitors and analyzes for an account |
| get_classification_export_configuration | Retrieves the configuration settings for storing data classification results |
| get_classification_scope | Retrieves the classification scope settings for an account |
| get_custom_data_identifier | Retrieves the criteria and other settings for a custom data identifier |
| get_findings | Retrieves the details of one or more findings |
| get_findings_filter | Retrieves the criteria and other settings for a findings filter |
| get_findings_publication_configuration | Retrieves the configuration settings for publishing findings to Security Hub |
| get_finding_statistics | Retrieves (queries) aggregated statistical data about findings |
| get_invitations_count | Retrieves the count of Amazon Macie membership invitations that were received by an account |
| get_macie_session | Retrieves the status and configuration settings for an Amazon Macie account |
| get_master_account | (Deprecated) Retrieves information about the Amazon Macie administrator account for an account |
| get_member | Retrieves information about an account that's associated with an Amazon Macie administrator account |
| get_resource_profile | Retrieves (queries) sensitive data discovery statistics and the sensitivity score for an S3 bucket |
| get_reveal_configuration | Retrieves the status and configuration settings for retrieving occurrences of sensitive data reported by findings |
| get_sensitive_data_occurrences | Retrieves occurrences of sensitive data reported by a finding |
| get_sensitive_data_occurrences_availability | Checks whether occurrences of sensitive data can be retrieved for a finding |
| get_sensitivity_inspection_template | Retrieves the settings for the sensitivity inspection template for an account |
| get_usage_statistics | Retrieves (queries) quotas and aggregated usage data for one or more accounts |
| get_usage_totals | Retrieves (queries) aggregated usage data for an account |
| list_allow_lists | Retrieves a subset of information about all the allow lists for an account |
| list_automated_discovery_accounts | Retrieves the status of automated sensitive data discovery for one or more accounts |
| list_classification_jobs | Retrieves a subset of information about one or more classification jobs |
| list_classification_scopes | Retrieves a subset of information about the classification scope for an account |
| list_custom_data_identifiers | Retrieves a subset of information about all the custom data identifiers for an account |
| list_findings | Retrieves a subset of information about one or more findings |
| list_findings_filters | Retrieves a subset of information about all the findings filters for an account |
| list_invitations | Retrieves information about Amazon Macie membership invitations that were received by an account |
| list_managed_data_identifiers | Retrieves information about all the managed data identifiers that Amazon Macie currently provides |
| list_members | Retrieves information about the accounts that are associated with an Amazon Macie administrator account |
| list_organization_admin_accounts | Retrieves information about the delegated Amazon Macie administrator account for an organization in Organizations |
| list_resource_profile_artifacts | Retrieves information about objects that Amazon Macie selected from an S3 bucket for automated sensitive data discovery |
| list_resource_profile_detections | Retrieves information about the types and amount of sensitive data that Amazon Macie found in an S3 bucket |
| list_sensitivity_inspection_templates | Retrieves a subset of information about the sensitivity inspection template for an account |
| list_tags_for_resource | Retrieves the tags (keys and values) that are associated with an Amazon Macie resource |
| put_classification_export_configuration | Adds or updates the configuration settings for storing data classification results |
| put_findings_publication_configuration | Updates the configuration settings for publishing findings to Security Hub |
| search_resources | Retrieves (queries) statistical data and other information about Amazon Web Services resources that Amazon Macie monitors and analyzes |
| tag_resource | Adds or updates one or more tags (keys and values) that are associated with an Amazon Macie resource |
| test_custom_data_identifier | Tests criteria for a custom data identifier |
| untag_resource | Removes one or more tags (keys and values) from an Amazon Macie resource |
| update_allow_list | Updates the settings for an allow list |
| update_automated_discovery_configuration | Changes the configuration settings and status of automated sensitive data discovery for an organization or standalone account |
| update_classification_job | Changes the status of a classification job |
| update_classification_scope | Updates the classification scope settings for an account |
| update_findings_filter | Updates the criteria and other settings for a findings filter |
| update_macie_session | Suspends or re-enables Amazon Macie, or updates the configuration settings for a Macie account |
| update_member_session | Enables an Amazon Macie administrator to suspend or re-enable Macie for a member account |
| update_organization_configuration | Updates the Amazon Macie configuration settings for an organization in Organizations |
| update_resource_profile | Updates the sensitivity score for an S3 bucket |
| update_resource_profile_detections | Updates the sensitivity scoring settings for an S3 bucket |
| update_reveal_configuration | Updates the status and configuration settings for retrieving occurrences of sensitive data reported by findings |
| update_sensitivity_inspection_template | Updates the settings for the sensitivity inspection template for an account |
## Not run: svc <- macie2() svc$accept_invitation( Foo = 123 ) ## End(Not run)## Not run: svc <- macie2() svc$accept_invitation( Foo = 123 ) ## End(Not run)
Amazon Web Services Private CA Connector for Active Directory creates a connector between Amazon Web Services Private CA and Active Directory (AD) that enables you to provision security certificates for AD signed by a private CA that you own. For more information, see Amazon Web Services Private CA Connector for Active Directory.
pcaconnectorad( config = list(), credentials = list(), endpoint = NULL, region = NULL )pcaconnectorad( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- pcaconnectorad(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| create_connector | Creates a connector between Amazon Web Services Private CA and an Active Directory |
| create_directory_registration | Creates a directory registration that authorizes communication between Amazon Web Services Private CA and an Active Directory |
| create_service_principal_name | Creates a service principal name (SPN) for the service account in Active Directory |
| create_template | Creates an Active Directory compatible certificate template |
| create_template_group_access_control_entry | Create a group access control entry |
| delete_connector | Deletes a connector for Active Directory |
| delete_directory_registration | Deletes a directory registration |
| delete_service_principal_name | Deletes the service principal name (SPN) used by a connector to authenticate with your Active Directory |
| delete_template | Deletes a template |
| delete_template_group_access_control_entry | Deletes a group access control entry |
| get_connector | Lists information about your connector |
| get_directory_registration | A structure that contains information about your directory registration |
| get_service_principal_name | Lists the service principal name that the connector uses to authenticate with Active Directory |
| get_template | Retrieves a certificate template that the connector uses to issue certificates from a private CA |
| get_template_group_access_control_entry | Retrieves the group access control entries for a template |
| list_connectors | Lists the connectors that you created by using the https://docs |
| list_directory_registrations | Lists the directory registrations that you created by using the https://docs |
| list_service_principal_names | Lists the service principal names that the connector uses to authenticate with Active Directory |
| list_tags_for_resource | Lists the tags, if any, that are associated with your resource |
| list_template_group_access_control_entries | Lists group access control entries you created |
| list_templates | Lists the templates, if any, that are associated with a connector |
| tag_resource | Adds one or more tags to your resource |
| untag_resource | Removes one or more tags from your resource |
| update_template | Update template configuration to define the information included in certificates |
| update_template_group_access_control_entry | Update a group access control entry you created using CreateTemplateGroupAccessControlEntry |
## Not run: svc <- pcaconnectorad() svc$create_connector( Foo = 123 ) ## End(Not run)## Not run: svc <- pcaconnectorad() svc$create_connector( Foo = 123 ) ## End(Not run)
This is the Resource Access Manager API Reference. This documentation provides descriptions and syntax for each of the actions and data types in RAM. RAM is a service that helps you securely share your Amazon Web Services resources to other Amazon Web Services accounts. If you use Organizations to manage your accounts, then you can share your resources with your entire organization or to organizational units (OUs). For supported resource types, you can also share resources with individual Identity and Access Management (IAM) roles and users.
To learn more about RAM, see the following resources:
ram(config = list(), credentials = list(), endpoint = NULL, region = NULL)ram(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- ram(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| accept_resource_share_invitation | Accepts an invitation to a resource share from another Amazon Web Services account |
| associate_resource_share | Adds the specified list of principals and list of resources to a resource share |
| associate_resource_share_permission | Adds or replaces the RAM permission for a resource type included in a resource share |
| create_permission | Creates a customer managed permission for a specified resource type that you can attach to resource shares |
| create_permission_version | Creates a new version of the specified customer managed permission |
| create_resource_share | Creates a resource share |
| delete_permission | Deletes the specified customer managed permission in the Amazon Web Services Region in which you call this operation |
| delete_permission_version | Deletes one version of a customer managed permission |
| delete_resource_share | Deletes the specified resource share |
| disassociate_resource_share | Removes the specified principals or resources from participating in the specified resource share |
| disassociate_resource_share_permission | Removes a managed permission from a resource share |
| enable_sharing_with_aws_organization | Enables resource sharing within your organization in Organizations |
| get_permission | Retrieves the contents of a managed permission in JSON format |
| get_resource_policies | Retrieves the resource policies for the specified resources that you own and have shared |
| get_resource_share_associations | Retrieves the lists of resources and principals that associated for resource shares that you own |
| get_resource_share_invitations | Retrieves details about invitations that you have received for resource shares |
| get_resource_shares | Retrieves details about the resource shares that you own or that are shared with you |
| list_pending_invitation_resources | Lists the resources in a resource share that is shared with you but for which the invitation is still PENDING |
| list_permission_associations | Lists information about the managed permission and its associations to any resource shares that use this managed permission |
| list_permissions | Retrieves a list of available RAM permissions that you can use for the supported resource types |
| list_permission_versions | Lists the available versions of the specified RAM permission |
| list_principals | Lists the principals that you are sharing resources with or that are sharing resources with you |
| list_replace_permission_associations_work | Retrieves the current status of the asynchronous tasks performed by RAM when you perform the ReplacePermissionAssociationsWork operation |
| list_resources | Lists the resources that you added to a resource share or the resources that are shared with you |
| list_resource_share_permissions | Lists the RAM permissions that are associated with a resource share |
| list_resource_types | Lists the resource types that can be shared by RAM |
| promote_permission_created_from_policy | When you attach a resource-based policy to a resource, RAM automatically creates a resource share of featureSet=CREATED_FROM_POLICY with a managed permission that has the same IAM permissions as the original resource-based policy |
| promote_resource_share_created_from_policy | When you attach a resource-based policy to a resource, RAM automatically creates a resource share of featureSet=CREATED_FROM_POLICY with a managed permission that has the same IAM permissions as the original resource-based policy |
| reject_resource_share_invitation | Rejects an invitation to a resource share from another Amazon Web Services account |
| replace_permission_associations | Updates all resource shares that use a managed permission to a different managed permission |
| set_default_permission_version | Designates the specified version number as the default version for the specified customer managed permission |
| tag_resource | Adds the specified tag keys and values to a resource share or managed permission |
| untag_resource | Removes the specified tag key and value pairs from the specified resource share or managed permission |
| update_resource_share | Modifies some of the properties of the specified resource share |
## Not run: svc <- ram() svc$accept_resource_share_invitation( Foo = 123 ) ## End(Not run)## Not run: svc <- ram() svc$accept_resource_share_invitation( Foo = 123 ) ## End(Not run)
Amazon Web Services Secrets Manager
Amazon Web Services Secrets Manager provides a service to enable you to store, manage, and retrieve, secrets.
This guide provides descriptions of the Secrets Manager API. For more information about using this service, see the Amazon Web Services Secrets Manager User Guide.
API Version
This version of the Secrets Manager API Reference documents the Secrets Manager API version 2017-10-17.
For a list of endpoints, see Amazon Web Services Secrets Manager endpoints.
Support and Feedback for Amazon Web Services Secrets Manager
We welcome your feedback. Send your comments to [email protected], or post your feedback and questions in the Amazon Web Services Secrets Manager Discussion Forum. For more information about the Amazon Web Services Discussion Forums, see Forums Help.
Logging API Requests
Amazon Web Services Secrets Manager supports Amazon Web Services CloudTrail, a service that records Amazon Web Services API calls for your Amazon Web Services account and delivers log files to an Amazon S3 bucket. By using information that's collected by Amazon Web Services CloudTrail, you can determine the requests successfully made to Secrets Manager, who made the request, when it was made, and so on. For more about Amazon Web Services Secrets Manager and support for Amazon Web Services CloudTrail, see Logging Amazon Web Services Secrets Manager Events with Amazon Web Services CloudTrail in the Amazon Web Services Secrets Manager User Guide. To learn more about CloudTrail, including enabling it and find your log files, see the Amazon Web Services CloudTrail User Guide.
secretsmanager( config = list(), credentials = list(), endpoint = NULL, region = NULL )secretsmanager( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- secretsmanager(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| batch_get_secret_value | Retrieves the contents of the encrypted fields SecretString or SecretBinary for up to 20 secrets |
| cancel_rotate_secret | Turns off automatic rotation, and if a rotation is currently in progress, cancels the rotation |
| create_secret | Creates a new secret |
| delete_resource_policy | Deletes the resource-based permission policy attached to the secret |
| delete_secret | Deletes a secret and all of its versions |
| describe_secret | Retrieves the details of a secret |
| get_random_password | Generates a random password |
| get_resource_policy | Retrieves the JSON text of the resource-based policy document attached to the secret |
| get_secret_value | Retrieves the contents of the encrypted fields SecretString or SecretBinary from the specified version of a secret, whichever contains content |
| list_secrets | Lists the secrets that are stored by Secrets Manager in the Amazon Web Services account, not including secrets that are marked for deletion |
| list_secret_version_ids | Lists the versions of a secret |
| put_resource_policy | Attaches a resource-based permission policy to a secret |
| put_secret_value | Creates a new version with a new encrypted secret value and attaches it to the secret |
| remove_regions_from_replication | For a secret that is replicated to other Regions, deletes the secret replicas from the Regions you specify |
| replicate_secret_to_regions | Replicates the secret to a new Regions |
| restore_secret | Cancels the scheduled deletion of a secret by removing the DeletedDate time stamp |
| rotate_secret | Configures and starts the asynchronous process of rotating the secret |
| stop_replication_to_replica | Removes the link between the replica secret and the primary secret and promotes the replica to a primary secret in the replica Region |
| tag_resource | Attaches tags to a secret |
| untag_resource | Removes specific tags from a secret |
| update_secret | Modifies the details of a secret, including metadata and the secret value |
| update_secret_version_stage | Modifies the staging labels attached to a version of a secret |
| validate_resource_policy | Validates that a resource policy does not grant a wide range of principals access to your secret |
## Not run: svc <- secretsmanager() # The following example gets the values for three secrets. svc$batch_get_secret_value( SecretIdList = list( "MySecret1", "MySecret2", "MySecret3" ) ) ## End(Not run)## Not run: svc <- secretsmanager() # The following example gets the values for three secrets. svc$batch_get_secret_value( SecretIdList = list( "MySecret1", "MySecret2", "MySecret3" ) ) ## End(Not run)
Security Hub provides you with a comprehensive view of your security state in Amazon Web Services and helps you assess your Amazon Web Services environment against security industry standards and best practices.
Security Hub collects security data across Amazon Web Services accounts, Amazon Web Servicesservices, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.
To help you manage the security state of your organization, Security Hub supports multiple security standards. These include the Amazon Web Services Foundational Security Best Practices (FSBP) standard developed by Amazon Web Services, and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes several security controls, each of which represents a security best practice. Security Hub runs checks against security controls and generates control findings to help you assess your compliance against security best practices.
In addition to generating control findings, Security Hub also receives findings from other Amazon Web Servicesservices, such as Amazon GuardDuty and Amazon Inspector, and supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You can also send Security Hub findings to other Amazon Web Servicesservices and supported third-party products.
Security Hub offers automation features that help you triage and remediate security issues. For example, you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with Amazon EventBridge to trigger automatic responses to specific findings.
This guide, the Security Hub API Reference, provides information about the Security Hub API. This includes supported resources, HTTP methods, parameters, and schemas. If you're new to Security Hub, you might find it helpful to also review the Security Hub User Guide . The user guide explains key concepts and provides procedures that demonstrate how to use Security Hub features. It also provides information about topics such as integrating Security Hub with other Amazon Web Servicesservices.
In addition to interacting with Security Hub by making calls to the Security Hub API, you can use a current version of an Amazon Web Services command line tool or SDK. Amazon Web Services provides tools and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell, Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to Security Hub and other Amazon Web Servicesservices . They also handle tasks such as signing requests, managing errors, and retrying requests automatically. For information about installing and using the Amazon Web Services tools and SDKs, see Tools to Build on Amazon Web Services.
With the exception of operations that are related to central configuration, Security Hub API requests are executed only in the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, call the same API operation in each Region in which you want to apply the change. When you use central configuration, API requests for enabling Security Hub, standards, and controls are executed in the home Region and all linked Regions. For a list of central configuration operations, see the Central configuration terms and concepts section of the Security Hub User Guide.
The following throttling limits apply to Security Hub API operations.
batch_enable_standards -
RateLimit of 1 request per second. BurstLimit of 1 request per
second.
get_findings - RateLimit of 3
requests per second. BurstLimit of 6 requests per second.
batch_import_findings -
RateLimit of 10 requests per second. BurstLimit of 30 requests
per second.
batch_update_findings -
RateLimit of 10 requests per second. BurstLimit of 30 requests
per second.
update_standards_control -
RateLimit of 1 request per second. BurstLimit of 5 requests per
second.
All other operations - RateLimit of 10 requests per second.
BurstLimit of 30 requests per second.
securityhub( config = list(), credentials = list(), endpoint = NULL, region = NULL )securityhub( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- securityhub(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| accept_administrator_invitation | Accepts the invitation to be a member account and be monitored by the Security Hub administrator account that the invitation was sent from |
| accept_invitation | This method is deprecated |
| batch_delete_automation_rules | Deletes one or more automation rules |
| batch_disable_standards | Disables the standards specified by the provided StandardsSubscriptionArns |
| batch_enable_standards | Enables the standards specified by the provided StandardsArn |
| batch_get_automation_rules | Retrieves a list of details for automation rules based on rule Amazon Resource Names (ARNs) |
| batch_get_configuration_policy_associations | Returns associations between an Security Hub configuration and a batch of target accounts, organizational units, or the root |
| batch_get_security_controls | Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region |
| batch_get_standards_control_associations | For a batch of security controls and standards, identifies whether each control is currently enabled or disabled in a standard |
| batch_import_findings | Imports security findings generated by a finding provider into Security Hub |
| batch_update_automation_rules | Updates one or more automation rules based on rule Amazon Resource Names (ARNs) and input parameters |
| batch_update_findings | Used by Security Hub customers to update information about their investigation into a finding |
| batch_update_standards_control_associations | For a batch of security controls and standards, this operation updates the enablement status of a control in a standard |
| create_action_target | Creates a custom action target in Security Hub |
| create_automation_rule | Creates an automation rule based on input parameters |
| create_configuration_policy | Creates a configuration policy with the defined configuration |
| create_finding_aggregator | Used to enable finding aggregation |
| create_insight | Creates a custom insight in Security Hub |
| create_members | Creates a member association in Security Hub between the specified accounts and the account used to make the request, which is the administrator account |
| decline_invitations | Declines invitations to become a member account |
| delete_action_target | Deletes a custom action target from Security Hub |
| delete_configuration_policy | Deletes a configuration policy |
| delete_finding_aggregator | Deletes a finding aggregator |
| delete_insight | Deletes the insight specified by the InsightArn |
| delete_invitations | Deletes invitations received by the Amazon Web Services account to become a member account |
| delete_members | Deletes the specified member accounts from Security Hub |
| describe_action_targets | Returns a list of the custom action targets in Security Hub in your account |
| describe_hub | Returns details about the Hub resource in your account, including the HubArn and the time when you enabled Security Hub |
| describe_organization_configuration | Returns information about the way your organization is configured in Security Hub |
| describe_products | Returns information about product integrations in Security Hub |
| describe_standards | Returns a list of the available standards in Security Hub |
| describe_standards_controls | Returns a list of security standards controls |
| disable_import_findings_for_product | Disables the integration of the specified product with Security Hub |
| disable_organization_admin_account | Disables a Security Hub administrator account |
| disable_security_hub | Disables Security Hub in your account only in the current Amazon Web Services Region |
| disassociate_from_administrator_account | Disassociates the current Security Hub member account from the associated administrator account |
| disassociate_from_master_account | This method is deprecated |
| disassociate_members | Disassociates the specified member accounts from the associated administrator account |
| enable_import_findings_for_product | Enables the integration of a partner product with Security Hub |
| enable_organization_admin_account | Designates the Security Hub administrator account for an organization |
| enable_security_hub | Enables Security Hub for your account in the current Region or the Region you specify in the request |
| get_administrator_account | Provides the details for the Security Hub administrator account for the current member account |
| get_configuration_policy | Provides information about a configuration policy |
| get_configuration_policy_association | Returns the association between a configuration and a target account, organizational unit, or the root |
| get_enabled_standards | Returns a list of the standards that are currently enabled |
| get_finding_aggregator | Returns the current finding aggregation configuration |
| get_finding_history | Returns history for a Security Hub finding in the last 90 days |
| get_findings | Returns a list of findings that match the specified criteria |
| get_insight_results | Lists the results of the Security Hub insight specified by the insight ARN |
| get_insights | Lists and describes insights for the specified insight ARNs |
| get_invitations_count | Returns the count of all Security Hub membership invitations that were sent to the current member account, not including the currently accepted invitation |
| get_master_account | This method is deprecated |
| get_members | Returns the details for the Security Hub member accounts for the specified account IDs |
| get_security_control_definition | Retrieves the definition of a security control |
| invite_members | Invites other Amazon Web Services accounts to become member accounts for the Security Hub administrator account that the invitation is sent from |
| list_automation_rules | A list of automation rules and their metadata for the calling account |
| list_configuration_policies | Lists the configuration policies that the Security Hub delegated administrator has created for your organization |
| list_configuration_policy_associations | Provides information about the associations for your configuration policies and self-managed behavior |
| list_enabled_products_for_import | Lists all findings-generating solutions (products) that you are subscribed to receive findings from in Security Hub |
| list_finding_aggregators | If finding aggregation is enabled, then ListFindingAggregators returns the ARN of the finding aggregator |
| list_invitations | Lists all Security Hub membership invitations that were sent to the current Amazon Web Services account |
| list_members | Lists details about all member accounts for the current Security Hub administrator account |
| list_organization_admin_accounts | Lists the Security Hub administrator accounts |
| list_security_control_definitions | Lists all of the security controls that apply to a specified standard |
| list_standards_control_associations | Specifies whether a control is currently enabled or disabled in each enabled standard in the calling account |
| list_tags_for_resource | Returns a list of tags associated with a resource |
| start_configuration_policy_association | Associates a target account, organizational unit, or the root with a specified configuration |
| start_configuration_policy_disassociation | Disassociates a target account, organizational unit, or the root from a specified configuration |
| tag_resource | Adds one or more tags to a resource |
| untag_resource | Removes one or more tags from a resource |
| update_action_target | Updates the name and description of a custom action target in Security Hub |
| update_configuration_policy | Updates a configuration policy |
| update_finding_aggregator | Updates the finding aggregation configuration |
| update_findings | UpdateFindings is a deprecated operation |
| update_insight | Updates the Security Hub insight identified by the specified insight ARN |
| update_organization_configuration | Updates the configuration of your organization in Security Hub |
| update_security_control | Updates the properties of a security control |
| update_security_hub_configuration | Updates configuration options for Security Hub |
| update_standards_control | Used to control whether an individual security standard control is enabled or disabled |
## Not run: svc <- securityhub() # The following example demonstrates how an account can accept an # invitation from the Security Hub administrator account to be a member # account. This operation is applicable only to member accounts that are # not added through AWS Organizations. svc$accept_administrator_invitation( AdministratorId = "123456789012", InvitationId = "7ab938c5d52d7904ad09f9e7c20cc4eb" ) ## End(Not run)## Not run: svc <- securityhub() # The following example demonstrates how an account can accept an # invitation from the Security Hub administrator account to be a member # account. This operation is applicable only to member accounts that are # not added through AWS Organizations. svc$accept_administrator_invitation( AdministratorId = "123456789012", InvitationId = "7ab938c5d52d7904ad09f9e7c20cc4eb" ) ## End(Not run)
Amazon Security Lake is a fully managed security data lake service. You can use Security Lake to automatically centralize security data from cloud, on-premises, and custom sources into a data lake that's stored in your Amazon Web Services account. Amazon Web Services Organizations is an account management service that lets you consolidate multiple Amazon Web Services accounts into an organization that you create and centrally manage. With Organizations, you can create member accounts and invite existing accounts to join your organization. Security Lake helps you analyze security data for a more complete understanding of your security posture across the entire organization. It can also help you improve the protection of your workloads, applications, and data.
The data lake is backed by Amazon Simple Storage Service (Amazon S3) buckets, and you retain ownership over your data.
Amazon Security Lake integrates with CloudTrail, a service that provides a record of actions taken by a user, role, or an Amazon Web Services service. In Security Lake, CloudTrail captures API calls for Security Lake as events. The calls captured include calls from the Security Lake console and code calls to the Security Lake API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Security Lake. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in Event history. Using the information collected by CloudTrail you can determine the request that was made to Security Lake, the IP address from which the request was made, who made the request, when it was made, and additional details. To learn more about Security Lake information in CloudTrail, see the Amazon Security Lake User Guide.
Security Lake automates the collection of security-related log and event data from integrated Amazon Web Services and third-party services. It also helps you manage the lifecycle of data with customizable retention and replication settings. Security Lake converts ingested data into Apache Parquet format and a standard open-source schema called the Open Cybersecurity Schema Framework (OCSF).
Other Amazon Web Services and third-party services can subscribe to the data that's stored in Security Lake for incident response and security data analytics.
securitylake( config = list(), credentials = list(), endpoint = NULL, region = NULL )securitylake( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- securitylake(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| create_aws_log_source | Adds a natively supported Amazon Web Service as an Amazon Security Lake source |
| create_custom_log_source | Adds a third-party custom source in Amazon Security Lake, from the Amazon Web Services Region where you want to create a custom source |
| create_data_lake | Initializes an Amazon Security Lake instance with the provided (or default) configuration |
| create_data_lake_exception_subscription | Creates the specified notification subscription in Amazon Security Lake for the organization you specify |
| create_data_lake_organization_configuration | Automatically enables Amazon Security Lake for new member accounts in your organization |
| create_subscriber | Creates a subscription permission for accounts that are already enabled in Amazon Security Lake |
| create_subscriber_notification | Notifies the subscriber when new data is written to the data lake for the sources that the subscriber consumes in Security Lake |
| delete_aws_log_source | Removes a natively supported Amazon Web Service as an Amazon Security Lake source |
| delete_custom_log_source | Removes a custom log source from Amazon Security Lake, to stop sending data from the custom source to Security Lake |
| delete_data_lake | When you disable Amazon Security Lake from your account, Security Lake is disabled in all Amazon Web Services Regions and it stops collecting data from your sources |
| delete_data_lake_exception_subscription | Deletes the specified notification subscription in Amazon Security Lake for the organization you specify |
| delete_data_lake_organization_configuration | Turns off automatic enablement of Amazon Security Lake for member accounts that are added to an organization in Organizations |
| delete_subscriber | Deletes the subscription permission and all notification settings for accounts that are already enabled in Amazon Security Lake |
| delete_subscriber_notification | Deletes the specified notification subscription in Amazon Security Lake for the organization you specify |
| deregister_data_lake_delegated_administrator | Deletes the Amazon Security Lake delegated administrator account for the organization |
| get_data_lake_exception_subscription | Retrieves the details of exception notifications for the account in Amazon Security Lake |
| get_data_lake_organization_configuration | Retrieves the configuration that will be automatically set up for accounts added to the organization after the organization has onboarded to Amazon Security Lake |
| get_data_lake_sources | Retrieves a snapshot of the current Region, including whether Amazon Security Lake is enabled for those accounts and which sources Security Lake is collecting data from |
| get_subscriber | Retrieves the subscription information for the specified subscription ID |
| list_data_lake_exceptions | Lists the Amazon Security Lake exceptions that you can use to find the source of problems and fix them |
| list_data_lakes | Retrieves the Amazon Security Lake configuration object for the specified Amazon Web Services Regions |
| list_log_sources | Retrieves the log sources in the current Amazon Web Services Region |
| list_subscribers | List all subscribers for the specific Amazon Security Lake account ID |
| list_tags_for_resource | Retrieves the tags (keys and values) that are associated with an Amazon Security Lake resource: a subscriber, or the data lake configuration for your Amazon Web Services account in a particular Amazon Web Services Region |
| register_data_lake_delegated_administrator | Designates the Amazon Security Lake delegated administrator account for the organization |
| tag_resource | Adds or updates one or more tags that are associated with an Amazon Security Lake resource: a subscriber, or the data lake configuration for your Amazon Web Services account in a particular Amazon Web Services Region |
| untag_resource | Removes one or more tags (keys and values) from an Amazon Security Lake resource: a subscriber, or the data lake configuration for your Amazon Web Services account in a particular Amazon Web Services Region |
| update_data_lake | Specifies where to store your security data and for how long |
| update_data_lake_exception_subscription | Updates the specified notification subscription in Amazon Security Lake for the organization you specify |
| update_subscriber | Updates an existing subscription for the given Amazon Security Lake account ID |
| update_subscriber_notification | Updates an existing notification method for the subscription (SQS or HTTPs endpoint) or switches the notification subscription endpoint for a subscriber |
## Not run: svc <- securitylake() svc$create_aws_log_source( Foo = 123 ) ## End(Not run)## Not run: svc <- securitylake() svc$create_aws_log_source( Foo = 123 ) ## End(Not run)
Shield Advanced
This is the Shield Advanced API Reference. This guide is for developers who need detailed information about the Shield Advanced API actions, data types, and errors. For detailed information about WAF and Shield Advanced features and an overview of how to use the WAF and Shield Advanced APIs, see the WAF and Shield Developer Guide.
shield(config = list(), credentials = list(), endpoint = NULL, region = NULL)shield(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- shield(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| associate_drt_log_bucket | Authorizes the Shield Response Team (SRT) to access the specified Amazon S3 bucket containing log data such as Application Load Balancer access logs, CloudFront logs, or logs from third party sources |
| associate_drt_role | Authorizes the Shield Response Team (SRT) using the specified role, to access your Amazon Web Services account to assist with DDoS attack mitigation during potential attacks |
| associate_health_check | Adds health-based detection to the Shield Advanced protection for a resource |
| associate_proactive_engagement_details | Initializes proactive engagement and sets the list of contacts for the Shield Response Team (SRT) to use |
| create_protection | Enables Shield Advanced for a specific Amazon Web Services resource |
| create_protection_group | Creates a grouping of protected resources so they can be handled as a collective |
| create_subscription | Activates Shield Advanced for an account |
| delete_protection | Deletes an Shield Advanced Protection |
| delete_protection_group | Removes the specified protection group |
| delete_subscription | Removes Shield Advanced from an account |
| describe_attack | Describes the details of a DDoS attack |
| describe_attack_statistics | Provides information about the number and type of attacks Shield has detected in the last year for all resources that belong to your account, regardless of whether you've defined Shield protections for them |
| describe_drt_access | Returns the current role and list of Amazon S3 log buckets used by the Shield Response Team (SRT) to access your Amazon Web Services account while assisting with attack mitigation |
| describe_emergency_contact_settings | A list of email addresses and phone numbers that the Shield Response Team (SRT) can use to contact you if you have proactive engagement enabled, for escalations to the SRT and to initiate proactive customer support |
| describe_protection | Lists the details of a Protection object |
| describe_protection_group | Returns the specification for the specified protection group |
| describe_subscription | Provides details about the Shield Advanced subscription for an account |
| disable_application_layer_automatic_response | Disable the Shield Advanced automatic application layer DDoS mitigation feature for the protected resource |
| disable_proactive_engagement | Removes authorization from the Shield Response Team (SRT) to notify contacts about escalations to the SRT and to initiate proactive customer support |
| disassociate_drt_log_bucket | Removes the Shield Response Team's (SRT) access to the specified Amazon S3 bucket containing the logs that you shared previously |
| disassociate_drt_role | Removes the Shield Response Team's (SRT) access to your Amazon Web Services account |
| disassociate_health_check | Removes health-based detection from the Shield Advanced protection for a resource |
| enable_application_layer_automatic_response | Enable the Shield Advanced automatic application layer DDoS mitigation for the protected resource |
| enable_proactive_engagement | Authorizes the Shield Response Team (SRT) to use email and phone to notify contacts about escalations to the SRT and to initiate proactive customer support |
| get_subscription_state | Returns the SubscriptionState, either Active or Inactive |
| list_attacks | Returns all ongoing DDoS attacks or all DDoS attacks during a specified time period |
| list_protection_groups | Retrieves ProtectionGroup objects for the account |
| list_protections | Retrieves Protection objects for the account |
| list_resources_in_protection_group | Retrieves the resources that are included in the protection group |
| list_tags_for_resource | Gets information about Amazon Web Services tags for a specified Amazon Resource Name (ARN) in Shield |
| tag_resource | Adds or updates tags for a resource in Shield |
| untag_resource | Removes tags from a resource in Shield |
| update_application_layer_automatic_response | Updates an existing Shield Advanced automatic application layer DDoS mitigation configuration for the specified resource |
| update_emergency_contact_settings | Updates the details of the list of email addresses and phone numbers that the Shield Response Team (SRT) can use to contact you if you have proactive engagement enabled, for escalations to the SRT and to initiate proactive customer support |
| update_protection_group | Updates an existing protection group |
| update_subscription | Updates the details of an existing subscription |
## Not run: svc <- shield() svc$associate_drt_log_bucket( Foo = 123 ) ## End(Not run)## Not run: svc <- shield() svc$associate_drt_log_bucket( Foo = 123 ) ## End(Not run)
AWS IAM Identity Center (successor to AWS Single Sign-On) Portal is a web service that makes it easy for you to assign user access to IAM Identity Center resources such as the AWS access portal. Users can get AWS account applications and roles assigned to them and get federated into the application.
Although AWS Single Sign-On was renamed, the sso and identitystore
API namespaces will continue to retain their original name for backward
compatibility purposes. For more information, see IAM Identity Center rename.
This reference guide describes the IAM Identity Center Portal operations that you can call programatically and includes detailed information on data types and errors.
AWS provides SDKs that consist of libraries and sample code for various programming languages and platforms, such as Java, Ruby, .Net, iOS, or Android. The SDKs provide a convenient way to create programmatic access to IAM Identity Center and other AWS services. For more information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.
sso(config = list(), credentials = list(), endpoint = NULL, region = NULL)sso(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- sso(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| get_role_credentials | Returns the STS short-term credentials for a given role name that is assigned to the user |
| list_account_roles | Lists all roles that are assigned to the user for a given AWS account |
| list_accounts | Lists all AWS accounts assigned to the user |
| logout | Removes the locally stored SSO tokens from the client-side cache and sends an API call to the IAM Identity Center service to invalidate the corresponding server-side IAM Identity Center sign in session |
## Not run: svc <- sso() svc$get_role_credentials( Foo = 123 ) ## End(Not run)## Not run: svc <- sso() svc$get_role_credentials( Foo = 123 ) ## End(Not run)
IAM Identity Center (successor to Single Sign-On) helps you securely create, or connect, your workforce identities and manage their access centrally across Amazon Web Services accounts and applications. IAM Identity Center is the recommended approach for workforce authentication and authorization in Amazon Web Services, for organizations of any size and type.
IAM Identity Center uses the sso and identitystore API namespaces.
This reference guide provides information on single sign-on operations which could be used for access management of Amazon Web Services accounts. For information about IAM Identity Center features, see the IAM Identity Center User Guide.
Many operations in the IAM Identity Center APIs rely on identifiers for users and groups, known as principals. For more information about how to work with principals and principal IDs in IAM Identity Center, see the Identity Store API Reference.
Amazon Web Services provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .Net, iOS, Android, and more). The SDKs provide a convenient way to create programmatic access to IAM Identity Center and other Amazon Web Services services. For more information about the Amazon Web Services SDKs, including how to download and install them, see Tools for Amazon Web Services.
ssoadmin(config = list(), credentials = list(), endpoint = NULL, region = NULL)ssoadmin(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- ssoadmin(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| attach_customer_managed_policy_reference_to_permission_set | Attaches the specified customer managed policy to the specified PermissionSet |
| attach_managed_policy_to_permission_set | Attaches an Amazon Web Services managed policy ARN to a permission set |
| create_account_assignment | Assigns access to a principal for a specified Amazon Web Services account using a specified permission set |
| create_application | Creates an application in IAM Identity Center for the given application provider |
| create_application_assignment | Grant application access to a user or group |
| create_instance | Creates an instance of IAM Identity Center for a standalone Amazon Web Services account that is not managed by Organizations or a member Amazon Web Services account in an organization |
| create_instance_access_control_attribute_configuration | Enables the attributes-based access control (ABAC) feature for the specified IAM Identity Center instance |
| create_permission_set | Creates a permission set within a specified IAM Identity Center instance |
| create_trusted_token_issuer | Creates a connection to a trusted token issuer in an instance of IAM Identity Center |
| delete_account_assignment | Deletes a principal's access from a specified Amazon Web Services account using a specified permission set |
| delete_application | Deletes the association with the application |
| delete_application_access_scope | Deletes an IAM Identity Center access scope from an application |
| delete_application_assignment | Revoke application access to an application by deleting application assignments for a user or group |
| delete_application_authentication_method | Deletes an authentication method from an application |
| delete_application_grant | Deletes a grant from an application |
| delete_inline_policy_from_permission_set | Deletes the inline policy from a specified permission set |
| delete_instance | Deletes the instance of IAM Identity Center |
| delete_instance_access_control_attribute_configuration | Disables the attributes-based access control (ABAC) feature for the specified IAM Identity Center instance and deletes all of the attribute mappings that have been configured |
| delete_permissions_boundary_from_permission_set | Deletes the permissions boundary from a specified PermissionSet |
| delete_permission_set | Deletes the specified permission set |
| delete_trusted_token_issuer | Deletes a trusted token issuer configuration from an instance of IAM Identity Center |
| describe_account_assignment_creation_status | Describes the status of the assignment creation request |
| describe_account_assignment_deletion_status | Describes the status of the assignment deletion request |
| describe_application | Retrieves the details of an application associated with an instance of IAM Identity Center |
| describe_application_assignment | Retrieves a direct assignment of a user or group to an application |
| describe_application_provider | Retrieves details about a provider that can be used to connect an Amazon Web Services managed application or customer managed application to IAM Identity Center |
| describe_instance | Returns the details of an instance of IAM Identity Center |
| describe_instance_access_control_attribute_configuration | Returns the list of IAM Identity Center identity store attributes that have been configured to work with attributes-based access control (ABAC) for the specified IAM Identity Center instance |
| describe_permission_set | Gets the details of the permission set |
| describe_permission_set_provisioning_status | Describes the status for the given permission set provisioning request |
| describe_trusted_token_issuer | Retrieves details about a trusted token issuer configuration stored in an instance of IAM Identity Center |
| detach_customer_managed_policy_reference_from_permission_set | Detaches the specified customer managed policy from the specified PermissionSet |
| detach_managed_policy_from_permission_set | Detaches the attached Amazon Web Services managed policy ARN from the specified permission set |
| get_application_access_scope | Retrieves the authorized targets for an IAM Identity Center access scope for an application |
| get_application_assignment_configuration | Retrieves the configuration of PutApplicationAssignmentConfiguration |
| get_application_authentication_method | Retrieves details about an authentication method used by an application |
| get_application_grant | Retrieves details about an application grant |
| get_inline_policy_for_permission_set | Obtains the inline policy assigned to the permission set |
| get_permissions_boundary_for_permission_set | Obtains the permissions boundary for a specified PermissionSet |
| list_account_assignment_creation_status | Lists the status of the Amazon Web Services account assignment creation requests for a specified IAM Identity Center instance |
| list_account_assignment_deletion_status | Lists the status of the Amazon Web Services account assignment deletion requests for a specified IAM Identity Center instance |
| list_account_assignments | Lists the assignee of the specified Amazon Web Services account with the specified permission set |
| list_account_assignments_for_principal | Retrieves a list of the IAM Identity Center associated Amazon Web Services accounts that the principal has access to |
| list_accounts_for_provisioned_permission_set | Lists all the Amazon Web Services accounts where the specified permission set is provisioned |
| list_application_access_scopes | Lists the access scopes and authorized targets associated with an application |
| list_application_assignments | Lists Amazon Web Services account users that are assigned to an application |
| list_application_assignments_for_principal | Lists the applications to which a specified principal is assigned |
| list_application_authentication_methods | Lists all of the authentication methods supported by the specified application |
| list_application_grants | List the grants associated with an application |
| list_application_providers | Lists the application providers configured in the IAM Identity Center identity store |
| list_applications | Lists all applications associated with the instance of IAM Identity Center |
| list_customer_managed_policy_references_in_permission_set | Lists all customer managed policies attached to a specified PermissionSet |
| list_instances | Lists the details of the organization and account instances of IAM Identity Center that were created in or visible to the account calling this API |
| list_managed_policies_in_permission_set | Lists the Amazon Web Services managed policy that is attached to a specified permission set |
| list_permission_set_provisioning_status | Lists the status of the permission set provisioning requests for a specified IAM Identity Center instance |
| list_permission_sets | Lists the PermissionSets in an IAM Identity Center instance |
| list_permission_sets_provisioned_to_account | Lists all the permission sets that are provisioned to a specified Amazon Web Services account |
| list_tags_for_resource | Lists the tags that are attached to a specified resource |
| list_trusted_token_issuers | Lists all the trusted token issuers configured in an instance of IAM Identity Center |
| provision_permission_set | The process by which a specified permission set is provisioned to the specified target |
| put_application_access_scope | Adds or updates the list of authorized targets for an IAM Identity Center access scope for an application |
| put_application_assignment_configuration | Configure how users gain access to an application |
| put_application_authentication_method | Adds or updates an authentication method for an application |
| put_application_grant | Adds a grant to an application |
| put_inline_policy_to_permission_set | Attaches an inline policy to a permission set |
| put_permissions_boundary_to_permission_set | Attaches an Amazon Web Services managed or customer managed policy to the specified PermissionSet as a permissions boundary |
| tag_resource | Associates a set of tags with a specified resource |
| untag_resource | Disassociates a set of tags from a specified resource |
| update_application | Updates application properties |
| update_instance | Update the details for the instance of IAM Identity Center that is owned by the Amazon Web Services account |
| update_instance_access_control_attribute_configuration | Updates the IAM Identity Center identity store attributes that you can use with the IAM Identity Center instance for attributes-based access control (ABAC) |
| update_permission_set | Updates an existing permission set |
| update_trusted_token_issuer | Updates the name of the trusted token issuer, or the path of a source attribute or destination attribute for a trusted token issuer configuration |
## Not run: svc <- ssoadmin() svc$attach_customer_managed_policy_reference_to_permission_set( Foo = 123 ) ## End(Not run)## Not run: svc <- ssoadmin() svc$attach_customer_managed_policy_reference_to_permission_set( Foo = 123 ) ## End(Not run)
IAM Identity Center OpenID Connect (OIDC) is a web service that enables a client (such as CLI or a native application) to register with IAM Identity Center. The service also enables the client to fetch the user’s access token upon successful authentication and authorization with IAM Identity Center.
IAM Identity Center uses the sso and identitystore API namespaces.
Considerations for Using This Guide
Before you begin using this guide, we recommend that you first review the following important information about how the IAM Identity Center OIDC service works.
The IAM Identity Center OIDC service currently implements only the portions of the OAuth 2.0 Device Authorization Grant standard (https://tools.ietf.org/html/rfc8628) that are necessary to enable single sign-on authentication with the CLI.
With older versions of the CLI, the service only emits OIDC access tokens, so to obtain a new token, users must explicitly re-authenticate. To access the OIDC flow that supports token refresh and doesn’t require re-authentication, update to the latest CLI version (1.27.10 for CLI V1 and 2.9.0 for CLI V2) with support for OIDC token refresh and configurable IAM Identity Center session durations. For more information, see Configure Amazon Web Services access portal session duration .
The access tokens provided by this service grant access to all Amazon Web Services account entitlements assigned to an IAM Identity Center user, not just a particular application.
The documentation in this guide does not describe the mechanism to convert the access token into Amazon Web Services Auth (“sigv4”) credentials for use with IAM-protected Amazon Web Services service endpoints. For more information, see GetRoleCredentials in the IAM Identity Center Portal API Reference Guide.
For general information about IAM Identity Center, see What is IAM Identity Center? in the IAM Identity Center User Guide.
ssooidc(config = list(), credentials = list(), endpoint = NULL, region = NULL)ssooidc(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- ssooidc(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| create_token | Creates and returns access and refresh tokens for clients that are authenticated using client secrets |
| create_token_with_iam | Creates and returns access and refresh tokens for clients and applications that are authenticated using IAM entities |
| register_client | Registers a client with IAM Identity Center |
| start_device_authorization | Initiates device authorization by requesting a pair of verification codes from the authorization service |
## Not run: svc <- ssooidc() # svc$create_token( clientId = "_yzkThXVzLWVhc3QtMQEXAMPLECLIENTID", clientSecret = "VERYLONGSECRETeyJraWQiOiJrZXktMTU2NDAyODA5OSIsImFsZyI6IkhTMzg0In0", deviceCode = "yJraWQiOiJrZXktMTU2Njk2ODA4OCIsImFsZyI6IkhTMzIn0EXAMPLEDEVICECODE", grantType = "urn:ietf:params:oauth:grant-type:device-code" ) ## End(Not run)## Not run: svc <- ssooidc() # svc$create_token( clientId = "_yzkThXVzLWVhc3QtMQEXAMPLECLIENTID", clientSecret = "VERYLONGSECRETeyJraWQiOiJrZXktMTU2NDAyODA5OSIsImFsZyI6IkhTMzg0In0", deviceCode = "yJraWQiOiJrZXktMTU2Njk2ODA4OCIsImFsZyI6IkhTMzIn0EXAMPLEDEVICECODE", grantType = "urn:ietf:params:oauth:grant-type:device-code" ) ## End(Not run)
Security Token Service
Security Token Service (STS) enables you to request temporary, limited-privilege credentials for users. This guide provides descriptions of the STS API. For more information about using this service, see Temporary Security Credentials.
sts(config = list(), credentials = list(), endpoint = NULL, region = NULL)sts(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- sts(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| assume_role | Returns a set of temporary security credentials that you can use to access Amazon Web Services resources |
| assume_role_with_saml | Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response |
| assume_role_with_web_identity | Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider |
| decode_authorization_message | Decodes additional information about the authorization status of a request from an encoded message returned in response to an Amazon Web Services request |
| get_access_key_info | Returns the account identifier for the specified access key ID |
| get_caller_identity | Returns details about the IAM user or role whose credentials are used to call the operation |
| get_federation_token | Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a user |
| get_session_token | Returns a set of temporary credentials for an Amazon Web Services account or IAM user |
## Not run: svc <- sts() # svc$assume_role( ExternalId = "123ABC", Policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"A...", RoleArn = "arn:aws:iam::123456789012:role/demo", RoleSessionName = "testAssumeRoleSession", Tags = list( list( Key = "Project", Value = "Unicorn" ), list( Key = "Team", Value = "Automation" ), list( Key = "Cost-Center", Value = "12345" ) ), TransitiveTagKeys = list( "Project", "Cost-Center" ) ) ## End(Not run)## Not run: svc <- sts() # svc$assume_role( ExternalId = "123ABC", Policy = "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"A...", RoleArn = "arn:aws:iam::123456789012:role/demo", RoleSessionName = "testAssumeRoleSession", Tags = list( list( Key = "Project", Value = "Unicorn" ), list( Key = "Team", Value = "Automation" ), list( Key = "Cost-Center", Value = "12345" ) ), TransitiveTagKeys = list( "Project", "Cost-Center" ) ) ## End(Not run)
Amazon Verified Permissions is a permissions management service from Amazon Web Services. You can use Verified Permissions to manage permissions for your application, and authorize user access based on those permissions. Using Verified Permissions, application developers can grant access based on information about the users, resources, and requested actions. You can also evaluate additional information like group membership, attributes of the resources, and session context, such as time of request and IP addresses. Verified Permissions manages these permissions by letting you create and store authorization policies for your applications, such as consumer-facing web sites and enterprise business systems.
Verified Permissions uses Cedar as the policy language to express your permission requirements. Cedar supports both role-based access control (RBAC) and attribute-based access control (ABAC) authorization models.
For more information about configuring, administering, and using Amazon Verified Permissions in your applications, see the Amazon Verified Permissions User Guide.
For more information about the Cedar policy language, see the Cedar Policy Language Guide.
When you write Cedar policies that reference principals, resources and actions, you can define the unique identifiers used for each of those elements. We strongly recommend that you follow these best practices:
Use values like universally unique identifiers (UUIDs) for all principal and resource identifiers.
For example, if user jane leaves the company, and you later let
someone else use the name jane, then that new user automatically
gets access to everything granted by policies that still reference
User::"jane". Cedar can’t distinguish between the new user and the
old. This applies to both principal and resource identifiers. Always
use identifiers that are guaranteed unique and never reused to
ensure that you don’t unintentionally grant access because of the
presence of an old identifier in a policy.
Where you use a UUID for an entity, we recommend that you follow it with the // comment specifier and the ‘friendly’ name of your entity. This helps to make your policies easier to understand. For example: principal == User::"a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111", // alice
Do not include personally identifying, confidential, or sensitive information as part of the unique identifier for your principals or resources. These identifiers are included in log entries shared in CloudTrail trails.
Several operations return structures that appear similar, but have different purposes. As new functionality is added to the product, the structure used in a parameter of one operation might need to change in a way that wouldn't make sense for the same parameter in a different operation. To help you understand the purpose of each, the following naming convention is used for the structures:
Parameter type structures that end in Detail are used in Get
operations.
Parameter type structures that end in Item are used in List
operations.
Parameter type structures that use neither suffix are used in the mutating (create and update) operations.
verifiedpermissions( config = list(), credentials = list(), endpoint = NULL, region = NULL )verifiedpermissions( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- verifiedpermissions(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| batch_is_authorized | Makes a series of decisions about multiple authorization requests for one principal or resource |
| batch_is_authorized_with_token | Makes a series of decisions about multiple authorization requests for one token |
| create_identity_source | Adds an identity source to a policy store–an Amazon Cognito user pool or OpenID Connect (OIDC) identity provider (IdP) |
| create_policy | Creates a Cedar policy and saves it in the specified policy store |
| create_policy_store | Creates a policy store |
| create_policy_template | Creates a policy template |
| delete_identity_source | Deletes an identity source that references an identity provider (IdP) such as Amazon Cognito |
| delete_policy | Deletes the specified policy from the policy store |
| delete_policy_store | Deletes the specified policy store |
| delete_policy_template | Deletes the specified policy template from the policy store |
| get_identity_source | Retrieves the details about the specified identity source |
| get_policy | Retrieves information about the specified policy |
| get_policy_store | Retrieves details about a policy store |
| get_policy_template | Retrieve the details for the specified policy template in the specified policy store |
| get_schema | Retrieve the details for the specified schema in the specified policy store |
| is_authorized | Makes an authorization decision about a service request described in the parameters |
| is_authorized_with_token | Makes an authorization decision about a service request described in the parameters |
| list_identity_sources | Returns a paginated list of all of the identity sources defined in the specified policy store |
| list_policies | Returns a paginated list of all policies stored in the specified policy store |
| list_policy_stores | Returns a paginated list of all policy stores in the calling Amazon Web Services account |
| list_policy_templates | Returns a paginated list of all policy templates in the specified policy store |
| put_schema | Creates or updates the policy schema in the specified policy store |
| update_identity_source | Updates the specified identity source to use a new identity provider (IdP), or to change the mapping of identities from the IdP to a different principal entity type |
| update_policy | Modifies a Cedar static policy in the specified policy store |
| update_policy_store | Modifies the validation setting for a policy store |
| update_policy_template | Updates the specified policy template |
## Not run: svc <- verifiedpermissions() svc$batch_is_authorized( Foo = 123 ) ## End(Not run)## Not run: svc <- verifiedpermissions() svc$batch_is_authorized( Foo = 123 ) ## End(Not run)
This is AWS WAF Classic documentation. For more information, see AWS WAF Classic in the developer guide.
For the latest version of AWS WAF, use the AWS WAFV2 API and see the AWS WAF Developer Guide. With the latest version, AWS WAF has a single set of endpoints for regional and global use.
This is the AWS WAF Classic API Reference for using AWS WAF Classic with Amazon CloudFront. The AWS WAF Classic actions and data types listed in the reference are available for protecting Amazon CloudFront distributions. You can use these actions and data types via the endpoint waf.amazonaws.com. This guide is for developers who need detailed information about the AWS WAF Classic API actions, data types, and errors. For detailed information about AWS WAF Classic features and an overview of how to use the AWS WAF Classic API, see the AWS WAF Classic in the developer guide.
waf(config = list(), credentials = list(), endpoint = NULL, region = NULL)waf(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- waf(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| create_byte_match_set | This is AWS WAF Classic documentation |
| create_geo_match_set | This is AWS WAF Classic documentation |
| create_ip_set | This is AWS WAF Classic documentation |
| create_rate_based_rule | This is AWS WAF Classic documentation |
| create_regex_match_set | This is AWS WAF Classic documentation |
| create_regex_pattern_set | This is AWS WAF Classic documentation |
| create_rule | This is AWS WAF Classic documentation |
| create_rule_group | This is AWS WAF Classic documentation |
| create_size_constraint_set | This is AWS WAF Classic documentation |
| create_sql_injection_match_set | This is AWS WAF Classic documentation |
| create_web_acl | This is AWS WAF Classic documentation |
| create_web_acl_migration_stack | Creates an AWS CloudFormation WAFV2 template for the specified web ACL in the specified Amazon S3 bucket |
| create_xss_match_set | This is AWS WAF Classic documentation |
| delete_byte_match_set | This is AWS WAF Classic documentation |
| delete_geo_match_set | This is AWS WAF Classic documentation |
| delete_ip_set | This is AWS WAF Classic documentation |
| delete_logging_configuration | This is AWS WAF Classic documentation |
| delete_permission_policy | This is AWS WAF Classic documentation |
| delete_rate_based_rule | This is AWS WAF Classic documentation |
| delete_regex_match_set | This is AWS WAF Classic documentation |
| delete_regex_pattern_set | This is AWS WAF Classic documentation |
| delete_rule | This is AWS WAF Classic documentation |
| delete_rule_group | This is AWS WAF Classic documentation |
| delete_size_constraint_set | This is AWS WAF Classic documentation |
| delete_sql_injection_match_set | This is AWS WAF Classic documentation |
| delete_web_acl | This is AWS WAF Classic documentation |
| delete_xss_match_set | This is AWS WAF Classic documentation |
| get_byte_match_set | This is AWS WAF Classic documentation |
| get_change_token | This is AWS WAF Classic documentation |
| get_change_token_status | This is AWS WAF Classic documentation |
| get_geo_match_set | This is AWS WAF Classic documentation |
| get_ip_set | This is AWS WAF Classic documentation |
| get_logging_configuration | This is AWS WAF Classic documentation |
| get_permission_policy | This is AWS WAF Classic documentation |
| get_rate_based_rule | This is AWS WAF Classic documentation |
| get_rate_based_rule_managed_keys | This is AWS WAF Classic documentation |
| get_regex_match_set | This is AWS WAF Classic documentation |
| get_regex_pattern_set | This is AWS WAF Classic documentation |
| get_rule | This is AWS WAF Classic documentation |
| get_rule_group | This is AWS WAF Classic documentation |
| get_sampled_requests | This is AWS WAF Classic documentation |
| get_size_constraint_set | This is AWS WAF Classic documentation |
| get_sql_injection_match_set | This is AWS WAF Classic documentation |
| get_web_acl | This is AWS WAF Classic documentation |
| get_xss_match_set | This is AWS WAF Classic documentation |
| list_activated_rules_in_rule_group | This is AWS WAF Classic documentation |
| list_byte_match_sets | This is AWS WAF Classic documentation |
| list_geo_match_sets | This is AWS WAF Classic documentation |
| list_ip_sets | This is AWS WAF Classic documentation |
| list_logging_configurations | This is AWS WAF Classic documentation |
| list_rate_based_rules | This is AWS WAF Classic documentation |
| list_regex_match_sets | This is AWS WAF Classic documentation |
| list_regex_pattern_sets | This is AWS WAF Classic documentation |
| list_rule_groups | This is AWS WAF Classic documentation |
| list_rules | This is AWS WAF Classic documentation |
| list_size_constraint_sets | This is AWS WAF Classic documentation |
| list_sql_injection_match_sets | This is AWS WAF Classic documentation |
| list_subscribed_rule_groups | This is AWS WAF Classic documentation |
| list_tags_for_resource | This is AWS WAF Classic documentation |
| list_web_ac_ls | This is AWS WAF Classic documentation |
| list_xss_match_sets | This is AWS WAF Classic documentation |
| put_logging_configuration | This is AWS WAF Classic documentation |
| put_permission_policy | This is AWS WAF Classic documentation |
| tag_resource | This is AWS WAF Classic documentation |
| untag_resource | This is AWS WAF Classic documentation |
| update_byte_match_set | This is AWS WAF Classic documentation |
| update_geo_match_set | This is AWS WAF Classic documentation |
| update_ip_set | This is AWS WAF Classic documentation |
| update_rate_based_rule | This is AWS WAF Classic documentation |
| update_regex_match_set | This is AWS WAF Classic documentation |
| update_regex_pattern_set | This is AWS WAF Classic documentation |
| update_rule | This is AWS WAF Classic documentation |
| update_rule_group | This is AWS WAF Classic documentation |
| update_size_constraint_set | This is AWS WAF Classic documentation |
| update_sql_injection_match_set | This is AWS WAF Classic documentation |
| update_web_acl | This is AWS WAF Classic documentation |
| update_xss_match_set | This is AWS WAF Classic documentation |
## Not run: svc <- waf() # The following example creates an IP match set named MyIPSetFriendlyName. svc$create_ip_set( ChangeToken = "abcd12f2-46da-4fdb-b8d5-fbd4c466928f", Name = "MyIPSetFriendlyName" ) ## End(Not run)## Not run: svc <- waf() # The following example creates an IP match set named MyIPSetFriendlyName. svc$create_ip_set( ChangeToken = "abcd12f2-46da-4fdb-b8d5-fbd4c466928f", Name = "MyIPSetFriendlyName" ) ## End(Not run)
This is AWS WAF Classic Regional documentation. For more information, see AWS WAF Classic in the developer guide.
For the latest version of AWS WAF, use the AWS WAFV2 API and see the AWS WAF Developer Guide. With the latest version, AWS WAF has a single set of endpoints for regional and global use.
This is the AWS WAF Regional Classic API Reference for using AWS WAF Classic with the AWS resources, Elastic Load Balancing (ELB) Application Load Balancers and API Gateway APIs. The AWS WAF Classic actions and data types listed in the reference are available for protecting Elastic Load Balancing (ELB) Application Load Balancers and API Gateway APIs. You can use these actions and data types by means of the endpoints listed in AWS Regions and Endpoints. This guide is for developers who need detailed information about the AWS WAF Classic API actions, data types, and errors. For detailed information about AWS WAF Classic features and an overview of how to use the AWS WAF Classic API, see the AWS WAF Classic in the developer guide.
wafregional( config = list(), credentials = list(), endpoint = NULL, region = NULL )wafregional( config = list(), credentials = list(), endpoint = NULL, region = NULL )
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- wafregional(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| associate_web_acl | This is AWS WAF Classic Regional documentation |
| create_byte_match_set | This is AWS WAF Classic documentation |
| create_geo_match_set | This is AWS WAF Classic documentation |
| create_ip_set | This is AWS WAF Classic documentation |
| create_rate_based_rule | This is AWS WAF Classic documentation |
| create_regex_match_set | This is AWS WAF Classic documentation |
| create_regex_pattern_set | This is AWS WAF Classic documentation |
| create_rule | This is AWS WAF Classic documentation |
| create_rule_group | This is AWS WAF Classic documentation |
| create_size_constraint_set | This is AWS WAF Classic documentation |
| create_sql_injection_match_set | This is AWS WAF Classic documentation |
| create_web_acl | This is AWS WAF Classic documentation |
| create_web_acl_migration_stack | Creates an AWS CloudFormation WAFV2 template for the specified web ACL in the specified Amazon S3 bucket |
| create_xss_match_set | This is AWS WAF Classic documentation |
| delete_byte_match_set | This is AWS WAF Classic documentation |
| delete_geo_match_set | This is AWS WAF Classic documentation |
| delete_ip_set | This is AWS WAF Classic documentation |
| delete_logging_configuration | This is AWS WAF Classic documentation |
| delete_permission_policy | This is AWS WAF Classic documentation |
| delete_rate_based_rule | This is AWS WAF Classic documentation |
| delete_regex_match_set | This is AWS WAF Classic documentation |
| delete_regex_pattern_set | This is AWS WAF Classic documentation |
| delete_rule | This is AWS WAF Classic documentation |
| delete_rule_group | This is AWS WAF Classic documentation |
| delete_size_constraint_set | This is AWS WAF Classic documentation |
| delete_sql_injection_match_set | This is AWS WAF Classic documentation |
| delete_web_acl | This is AWS WAF Classic documentation |
| delete_xss_match_set | This is AWS WAF Classic documentation |
| disassociate_web_acl | This is AWS WAF Classic Regional documentation |
| get_byte_match_set | This is AWS WAF Classic documentation |
| get_change_token | This is AWS WAF Classic documentation |
| get_change_token_status | This is AWS WAF Classic documentation |
| get_geo_match_set | This is AWS WAF Classic documentation |
| get_ip_set | This is AWS WAF Classic documentation |
| get_logging_configuration | This is AWS WAF Classic documentation |
| get_permission_policy | This is AWS WAF Classic documentation |
| get_rate_based_rule | This is AWS WAF Classic documentation |
| get_rate_based_rule_managed_keys | This is AWS WAF Classic documentation |
| get_regex_match_set | This is AWS WAF Classic documentation |
| get_regex_pattern_set | This is AWS WAF Classic documentation |
| get_rule | This is AWS WAF Classic documentation |
| get_rule_group | This is AWS WAF Classic documentation |
| get_sampled_requests | This is AWS WAF Classic documentation |
| get_size_constraint_set | This is AWS WAF Classic documentation |
| get_sql_injection_match_set | This is AWS WAF Classic documentation |
| get_web_acl | This is AWS WAF Classic documentation |
| get_web_acl_for_resource | This is AWS WAF Classic Regional documentation |
| get_xss_match_set | This is AWS WAF Classic documentation |
| list_activated_rules_in_rule_group | This is AWS WAF Classic documentation |
| list_byte_match_sets | This is AWS WAF Classic documentation |
| list_geo_match_sets | This is AWS WAF Classic documentation |
| list_ip_sets | This is AWS WAF Classic documentation |
| list_logging_configurations | This is AWS WAF Classic documentation |
| list_rate_based_rules | This is AWS WAF Classic documentation |
| list_regex_match_sets | This is AWS WAF Classic documentation |
| list_regex_pattern_sets | This is AWS WAF Classic documentation |
| list_resources_for_web_acl | This is AWS WAF Classic Regional documentation |
| list_rule_groups | This is AWS WAF Classic documentation |
| list_rules | This is AWS WAF Classic documentation |
| list_size_constraint_sets | This is AWS WAF Classic documentation |
| list_sql_injection_match_sets | This is AWS WAF Classic documentation |
| list_subscribed_rule_groups | This is AWS WAF Classic documentation |
| list_tags_for_resource | This is AWS WAF Classic documentation |
| list_web_ac_ls | This is AWS WAF Classic documentation |
| list_xss_match_sets | This is AWS WAF Classic documentation |
| put_logging_configuration | This is AWS WAF Classic documentation |
| put_permission_policy | This is AWS WAF Classic documentation |
| tag_resource | This is AWS WAF Classic documentation |
| untag_resource | This is AWS WAF Classic documentation |
| update_byte_match_set | This is AWS WAF Classic documentation |
| update_geo_match_set | This is AWS WAF Classic documentation |
| update_ip_set | This is AWS WAF Classic documentation |
| update_rate_based_rule | This is AWS WAF Classic documentation |
| update_regex_match_set | This is AWS WAF Classic documentation |
| update_regex_pattern_set | This is AWS WAF Classic documentation |
| update_rule | This is AWS WAF Classic documentation |
| update_rule_group | This is AWS WAF Classic documentation |
| update_size_constraint_set | This is AWS WAF Classic documentation |
| update_sql_injection_match_set | This is AWS WAF Classic documentation |
| update_web_acl | This is AWS WAF Classic documentation |
| update_xss_match_set | This is AWS WAF Classic documentation |
## Not run: svc <- wafregional() # The following example creates an IP match set named MyIPSetFriendlyName. svc$create_ip_set( ChangeToken = "abcd12f2-46da-4fdb-b8d5-fbd4c466928f", Name = "MyIPSetFriendlyName" ) ## End(Not run)## Not run: svc <- wafregional() # The following example creates an IP match set named MyIPSetFriendlyName. svc$create_ip_set( ChangeToken = "abcd12f2-46da-4fdb-b8d5-fbd4c466928f", Name = "MyIPSetFriendlyName" ) ## End(Not run)
WAF
This is the latest version of the WAF API, released in November, 2019. The names of the entities that you use to access this API, like endpoints and namespaces, all have the versioning information added, like "V2" or "v2", to distinguish from the prior version. We recommend migrating your resources to this version, because it has a number of significant improvements.
If you used WAF prior to this release, you can't use this WAFV2 API to access any WAF resources that you created before. You can access your old rules, web ACLs, and other WAF resources only through the WAF Classic APIs. The WAF Classic APIs have retained the prior names, endpoints, and namespaces.
For information, including how to migrate your WAF resources to this version, see the WAF Developer Guide.
WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to an Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, AppSync GraphQL API, Amazon Cognito user pool, App Runner service, or Amazon Web Services Verified Access instance. WAF also lets you control access to your content, to protect the Amazon Web Services resource that WAF is monitoring. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, the protected resource responds to requests with either the requested content, an HTTP 403 status code (Forbidden), or with a custom response.
This API guide is for developers who need detailed information about WAF API actions, data types, and errors. For detailed information about WAF features and guidance for configuring and using WAF, see the WAF Developer Guide.
You can make calls using the endpoints listed in WAF endpoints and quotas.
For regional applications, you can use any of the endpoints in the list. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.
For Amazon CloudFront applications, you must use the API endpoint listed for US East (N. Virginia): us-east-1.
Alternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the programming language or platform that you're using. For more information, see Amazon Web Services SDKs.
We currently provide two versions of the WAF API: this API and the prior versions, the classic WAF APIs. This new API provides the same functionality as the older versions, with the following major improvements:
You use one API for both global and regional applications. Where you
need to distinguish the scope, you specify a Scope parameter and
set it to CLOUDFRONT or REGIONAL.
You can define a web ACL or rule group with a single call, and update it with a single call. You define all rule specifications in JSON format, and pass them to your rule group or web ACL calls.
The limits WAF places on the use of rules more closely reflects the cost of running each type of rule. Rule groups include capacity settings, so you know the maximum cost of a rule group when you use it.
wafv2(config = list(), credentials = list(), endpoint = NULL, region = NULL)wafv2(config = list(), credentials = list(), endpoint = NULL, region = NULL)
config |
Optional configuration of credentials, endpoint, and/or region.
|
credentials |
Optional credentials shorthand for the config parameter
|
endpoint |
Optional shorthand for complete URL to use for the constructed client. |
region |
Optional shorthand for AWS Region used in instantiating the client. |
A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
svc <- wafv2(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
| associate_web_acl | Associates a web ACL with a regional application resource, to protect the resource |
| check_capacity | Returns the web ACL capacity unit (WCU) requirements for a specified scope and set of rules |
| create_api_key | Creates an API key that contains a set of token domains |
| create_ip_set | Creates an IPSet, which you use to identify web requests that originate from specific IP addresses or ranges of IP addresses |
| create_regex_pattern_set | Creates a RegexPatternSet, which you reference in a RegexPatternSetReferenceStatement, to have WAF inspect a web request component for the specified patterns |
| create_rule_group | Creates a RuleGroup per the specifications provided |
| create_web_acl | Creates a WebACL per the specifications provided |
| delete_api_key | Deletes the specified API key |
| delete_firewall_manager_rule_groups | Deletes all rule groups that are managed by Firewall Manager for the specified web ACL |
| delete_ip_set | Deletes the specified IPSet |
| delete_logging_configuration | Deletes the LoggingConfiguration from the specified web ACL |
| delete_permission_policy | Permanently deletes an IAM policy from the specified rule group |
| delete_regex_pattern_set | Deletes the specified RegexPatternSet |
| delete_rule_group | Deletes the specified RuleGroup |
| delete_web_acl | Deletes the specified WebACL |
| describe_all_managed_products | Provides high-level information for the Amazon Web Services Managed Rules rule groups and Amazon Web Services Marketplace managed rule groups |
| describe_managed_products_by_vendor | Provides high-level information for the managed rule groups owned by a specific vendor |
| describe_managed_rule_group | Provides high-level information for a managed rule group, including descriptions of the rules |
| disassociate_web_acl | Disassociates the specified regional application resource from any existing web ACL association |
| generate_mobile_sdk_release_url | Generates a presigned download URL for the specified release of the mobile SDK |
| get_decrypted_api_key | Returns your API key in decrypted form |
| get_ip_set | Retrieves the specified IPSet |
| get_logging_configuration | Returns the LoggingConfiguration for the specified web ACL |
| get_managed_rule_set | Retrieves the specified managed rule set |
| get_mobile_sdk_release | Retrieves information for the specified mobile SDK release, including release notes and tags |
| get_permission_policy | Returns the IAM policy that is attached to the specified rule group |
| get_rate_based_statement_managed_keys | Retrieves the IP addresses that are currently blocked by a rate-based rule instance |
| get_regex_pattern_set | Retrieves the specified RegexPatternSet |
| get_rule_group | Retrieves the specified RuleGroup |
| get_sampled_requests | Gets detailed information about a specified number of requests--a sample--that WAF randomly selects from among the first 5,000 requests that your Amazon Web Services resource received during a time range that you choose |
| get_web_acl | Retrieves the specified WebACL |
| get_web_acl_for_resource | Retrieves the WebACL for the specified resource |
| list_api_keys | Retrieves a list of the API keys that you've defined for the specified scope |
| list_available_managed_rule_groups | Retrieves an array of managed rule groups that are available for you to use |
| list_available_managed_rule_group_versions | Returns a list of the available versions for the specified managed rule group |
| list_ip_sets | Retrieves an array of IPSetSummary objects for the IP sets that you manage |
| list_logging_configurations | Retrieves an array of your LoggingConfiguration objects |
| list_managed_rule_sets | Retrieves the managed rule sets that you own |
| list_mobile_sdk_releases | Retrieves a list of the available releases for the mobile SDK and the specified device platform |
| list_regex_pattern_sets | Retrieves an array of RegexPatternSetSummary objects for the regex pattern sets that you manage |
| list_resources_for_web_acl | Retrieves an array of the Amazon Resource Names (ARNs) for the regional resources that are associated with the specified web ACL |
| list_rule_groups | Retrieves an array of RuleGroupSummary objects for the rule groups that you manage |
| list_tags_for_resource | Retrieves the TagInfoForResource for the specified resource |
| list_web_ac_ls | Retrieves an array of WebACLSummary objects for the web ACLs that you manage |
| put_logging_configuration | Enables the specified LoggingConfiguration, to start logging from a web ACL, according to the configuration provided |
| put_managed_rule_set_versions | Defines the versions of your managed rule set that you are offering to the customers |
| put_permission_policy | Use this to share a rule group with other accounts |
| tag_resource | Associates tags with the specified Amazon Web Services resource |
| untag_resource | Disassociates tags from an Amazon Web Services resource |
| update_ip_set | Updates the specified IPSet |
| update_managed_rule_set_version_expiry_date | Updates the expiration information for your managed rule set |
| update_regex_pattern_set | Updates the specified RegexPatternSet |
| update_rule_group | Updates the specified RuleGroup |
| update_web_acl | Updates the specified WebACL |
## Not run: svc <- wafv2() svc$associate_web_acl( Foo = 123 ) ## End(Not run)## Not run: svc <- wafv2() svc$associate_web_acl( Foo = 123 ) ## End(Not run)