aws - account access-analyzer filter

c7n/resources/account.py

@@ -367,6 +367,45 @@ def process(self, resources, event=None):
         return []
 
 
+@filters.register('access-analyzer')
+class AccessAnalyzer(ValueFilter):
+    """Check for access analyzers in an account
+
+    :example:
+
+    .. code-block:: yaml
+
+      policies:
+        - name: account-access-analyzer
+          resource: account
+          filters:
+            - type: access-analyzer
+              key: 'status'
+              value: ACTIVE
+              op: eq
+    """
+
+    schema = type_schema('access-analyzer', rinherit=ValueFilter.schema)
+    schema_alias = False
+    permissions = ('access-analyzer:ListAnalyzers',)
+    annotation_key = 'c7n:matched-analyzers'
+
+    def process(self, resources, event=None):
+        account = resources[0]
+        if not account.get(self.annotation_key):
+            client = local_session(self.manager.session_factory).client('accessanalyzer')
+            analyzers = self.manager.retry(client.list_analyzers)['analyzers']
+        else:
+            analyzers = account.get(self.annotation_key)
+
+        matched_analyzers = []
+        for analyzer in analyzers:
+            if self.match(analyzer):
+                matched_analyzers.append(analyzer)
+        account[self.annotation_key] = matched_analyzers
+        return matched_analyzers and resources or []
+
+
 @filters.register('password-policy')
 class AccountPasswordPolicy(ValueFilter):
     """Check an account's password policy.

tests/data/placebo/test_account_access_analyzer_filter/access-analyzer.ListAnalyzers_1.json

@@ -0,0 +1,15 @@
+{
+    "status_code": 200,
+    "data": {
+        "ResponseMetadata": {},
+        "analyzers": [
+            {
+                "arn": "arn:aws:access-analyzer:us-east-1:0123456789012:analyzer/ConsoleAnalyzer-d534345f-499c-43bd-bbcc-dd637ab352d2",
+                "name": "ConsoleAnalyzer-d534345f-499c-43bd-bbcc-dd637ab352d2",
+                "status": "ACTIVE",
+                "tags": {},
+                "type": "ACCOUNT"
+            }
+        ]
+    }
+}

tests/data/placebo/test_account_access_analyzer_filter/iam.ListAccountAliases_1.json

@@ -0,0 +1,10 @@
+{
+    "status_code": 200,
+    "data": {
+        "AccountAliases": [
+            "custodian-skunk-works"
+        ],
+        "IsTruncated": false,
+        "ResponseMetadata": {}
+    }
+}

tests/test_account.py

@@ -859,6 +859,22 @@ def test_enable_trail(self):
         status = client.get_trail_status(Name=arn)
         self.assertTrue(status["IsLogging"])
 
+    def test_account_access_analyzer_filter(self):
+        session_factory = self.replay_flight_data("test_account_access_analyzer_filter")
+        p = self.load_policy(
+            {
+                "name": "account-access-analyzer",
+                "resource": "account",
+                "filters": [{"type": "access-analyzer",
+                             "key": "status",
+                             "value": "ACTIVE",
+                             "op": "eq"}],
+            },
+            session_factory=session_factory,
+        )
+        resources = p.run()
+        self.assertEqual(len(resources), 1)
+
     def test_account_shield_filter(self):
         session_factory = self.replay_flight_data("test_account_shield_advanced_filter")
         p = self.load_policy(