This property defaults to true. If Image Builder installs the SSM agent on a build instance, it removes the agent before creating a snapshot for the AMI. To ensure that the AMI you create includes the SSM agent, set this property to false.
" + "documentation":"Controls whether the SSM agent is removed from your final build image, prior to creating the new AMI. If this is set to true, then the agent is removed from the final image. If it's set to false, then the agent is left in, so that it is included in the new AMI. The default value is false.
" } }, "documentation":"Contains settings for the SSM agent on your build instance.
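Review bot: The stated default for this property flips between the replaced and the added description. The old text says it "defaults to true" (the agent is removed before the snapshot), while the new text ends with "The default value is false" (the agent is left in the AMI). Nothing else visible in this hunk changes a default, so confirm which statement matches the service. If false is correct, say explicitly that an AMI built without setting this property ships with the SSM agent installed, because anyone relying on the old wording will assume the agent was stripped.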
" diff --git a/services/inspector/pom.xml b/services/inspector/pom.xml index ab1490dc1555..88fc1827cf7d 100644 --- a/services/inspector/pom.xml +++ b/services/inspector/pom.xml @@ -21,7 +21,7 @@S3 on Outposts access points simplify managing data access at scale for shared datasets in Amazon S3 on Outposts. S3 on Outposts uses endpoints to connect to Outposts buckets so that you can perform actions within your virtual private cloud (VPC).
This action creates an endpoint and associates it with the specified Outpost.
Related actions include:
" + "documentation":"Amazon S3 on Outposts Access Points simplify managing data access at scale for shared datasets in S3 on Outposts. S3 on Outposts uses endpoints to connect to Outposts buckets so that you can perform actions within your virtual private cloud (VPC). For more information, see Accessing S3 on Outposts using VPC only access points.
This action creates an endpoint and associates it with the specified Outposts.
It can take up to 5 minutes for this action to complete.
Related actions include:
" }, "DeleteEndpoint":{ "name":"DeleteEndpoint", @@ -43,7 +43,7 @@ {"shape":"ResourceNotFoundException"}, {"shape":"ValidationException"} ], - "documentation":"S3 on Outposts access points simplify managing data access at scale for shared datasets in Amazon S3 on Outposts. S3 on Outposts uses endpoints to connect to Outposts buckets so that you can perform actions within your virtual private cloud (VPC).
This action deletes an endpoint.
Related actions include:
" + "documentation":"Amazon S3 on Outposts Access Points simplify managing data access at scale for shared datasets in S3 on Outposts. S3 on Outposts uses endpoints to connect to Outposts buckets so that you can perform actions within your virtual private cloud (VPC). For more information, see Accessing S3 on Outposts using VPC only access points.
This action deletes an endpoint.
It can take up to 5 minutes for this action to complete.
Related actions include:
" }, "ListEndpoints":{ "name":"ListEndpoints", @@ -59,7 +59,7 @@ {"shape":"AccessDeniedException"}, {"shape":"ValidationException"} ], - "documentation":"S3 on Outposts access points simplify managing data access at scale for shared datasets in Amazon S3 on Outposts. S3 on Outposts uses endpoints to connect to Outposts buckets so that you can perform actions within your virtual private cloud (VPC).
This action lists endpoints associated with the Outpost.
Related actions include:
" + "documentation":"Amazon S3 on Outposts Access Points simplify managing data access at scale for shared datasets in S3 on Outposts. S3 on Outposts uses endpoints to connect to Outposts buckets so that you can perform actions within your virtual private cloud (VPC). For more information, see Accessing S3 on Outposts using VPC only access points.
This action lists endpoints associated with the Outposts.
Related actions include:
" } }, "shapes":{ @@ -72,11 +72,7 @@ "error":{"httpStatusCode":403}, "exception":true }, - "CidrBlock":{ - "type":"string", - "max":20, - "min":1 - }, + "CidrBlock":{"type":"string"}, "ConflictException":{ "type":"structure", "members":{ @@ -96,15 +92,23 @@ "members":{ "OutpostId":{ "shape":"OutpostId", - "documentation":"The ID of the AWS Outpost.
" + "documentation":"The ID of the AWS Outposts.
" }, "SubnetId":{ "shape":"SubnetId", - "documentation":"The ID of the subnet in the selected VPC.
" + "documentation":"The ID of the subnet in the selected VPC. The endpoint subnet must belong to the Outpost that has the Amazon S3 on Outposts provisioned.
" }, "SecurityGroupId":{ "shape":"SecurityGroupId", "documentation":"The ID of the security group to use with the endpoint.
" + }, + "AccessType":{ + "shape":"EndpointAccessType", + "documentation":"The type of access for the on-premise network connectivity for the Outpost endpoint. To access the endpoint from an on-premises network, you must specify the access type and provide the customer owned IPv4 pool.
" + }, + "CustomerOwnedIpv4Pool":{ + "shape":"CustomerOwnedIpv4Pool", + "documentation":"The ID of the customer-owned IPv4 pool for the endpoint. IP addresses will be allocated from this pool for the endpoint.
" } } }, @@ -118,6 +122,10 @@ } }, "CreationTime":{"type":"timestamp"}, + "CustomerOwnedIpv4Pool":{ + "type":"string", + "pattern":"^ipv4pool-coip-([0-9a-f]{17})$" + }, "DeleteEndpointRequest":{ "type":"structure", "required":[ @@ -127,13 +135,13 @@ "members":{ "EndpointId":{ "shape":"EndpointId", - "documentation":"The ID of the end point.
", + "documentation":"The ID of the endpoint.
", "location":"querystring", "locationName":"endpointId" }, "OutpostId":{ "shape":"OutpostId", - "documentation":"The ID of the AWS Outpost.
", + "documentation":"The ID of the AWS Outposts.
", "location":"querystring", "locationName":"outpostId" } @@ -148,7 +156,7 @@ }, "OutpostsId":{ "shape":"OutpostId", - "documentation":"The ID of the AWS Outpost.
" + "documentation":"The ID of the AWS Outposts.
" }, "CidrBlock":{ "shape":"CidrBlock", @@ -165,27 +173,51 @@ "NetworkInterfaces":{ "shape":"NetworkInterfaces", "documentation":"The network interface of the endpoint.
" + }, + "VpcId":{ + "shape":"VpcId", + "documentation":"The ID of the VPC used for the endpoint.
" + }, + "SubnetId":{ + "shape":"SubnetId", + "documentation":"The ID of the subnet used for the endpoint.
" + }, + "SecurityGroupId":{ + "shape":"SecurityGroupId", + "documentation":"The ID of the security group used for the endpoint.
" + }, + "AccessType":{ + "shape":"EndpointAccessType", + "documentation":"" + }, + "CustomerOwnedIpv4Pool":{ + "shape":"CustomerOwnedIpv4Pool", + "documentation":"The ID of the customer-owned IPv4 pool used for the endpoint.
" } }, - "documentation":"S3 on Outposts access points simplify managing data access at scale for shared datasets in Amazon S3 on Outposts. S3 on Outposts uses endpoints to connect to Outposts buckets so that you can perform actions within your virtual private cloud (VPC).
" + "documentation":"Amazon S3 on Outposts Access Points simplify managing data access at scale for shared datasets in S3 on Outposts. S3 on Outposts uses endpoints to connect to Outposts buckets so that you can perform actions within your virtual private cloud (VPC). For more information, see Accessing S3 on Outposts using VPC only access points.
" + }, + "EndpointAccessType":{ + "type":"string", + "enum":[ + "Private", + "CustomerOwnedIp" + ] }, "EndpointArn":{ "type":"string", - "max":500, - "min":5, "pattern":"^arn:(aws|aws-cn|aws-us-gov|aws-iso|aws-iso-b):s3-outposts:[a-z\\-0-9]*:[0-9]{12}:outpost/(op-[a-f0-9]{17}|ec2)/endpoint/[a-zA-Z0-9]{19}$" }, "EndpointId":{ "type":"string", - "max":500, - "min":5, "pattern":"^[a-zA-Z0-9]{19}$" }, "EndpointStatus":{ "type":"string", "enum":[ - "PENDING", - "AVAILABLE" + "Pending", + "Available", + "Deleting" ] }, "Endpoints":{ @@ -225,7 +257,7 @@ "members":{ "Endpoints":{ "shape":"Endpoints", - "documentation":"Returns an array of endpoints associated with AWS Outpost.
" + "documentation":"Returns an array of endpoints associated with AWS Outposts.
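Review bot: In the Endpoint hunk above (@@ -165,27 +173,51 @@), the EndpointStatus enum values change from "PENDING" and "AVAILABLE" to "Pending", "Available" and "Deleting". Any caller that compares the status string against the old upper-case values will stop matching, and existing code has no branch for "Deleting", so this needs a changelog entry rather than riding along with a documentation update. In the same hunk the new AccessType member of Endpoint is added with "documentation":"" while the request-side AccessType is documented; reuse or adapt that text.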
" }, "NextToken":{ "shape":"NextToken", @@ -248,11 +280,7 @@ }, "documentation":"The container for the network interface.
" }, - "NetworkInterfaceId":{ - "type":"string", - "max":100, - "min":1 - }, + "NetworkInterfaceId":{"type":"string"}, "NetworkInterfaces":{ "type":"list", "member":{"shape":"NetworkInterface"} @@ -265,8 +293,6 @@ }, "OutpostId":{ "type":"string", - "max":100, - "min":1, "pattern":"^(op-[a-f0-9]{17}|\\d{12}|ec2)$" }, "ResourceNotFoundException":{ @@ -280,14 +306,10 @@ }, "SecurityGroupId":{ "type":"string", - "max":100, - "min":1, "pattern":"^sg-([0-9a-f]{8}|[0-9a-f]{17})$" }, "SubnetId":{ "type":"string", - "max":100, - "min":1, "pattern":"^subnet-([0-9a-f]{8}|[0-9a-f]{17})$" }, "ValidationException":{ @@ -298,7 +320,8 @@ "documentation":"There was an exception validating this data.
", "error":{"httpStatusCode":400}, "exception":true - } + }, + "VpcId":{"type":"string"} }, "documentation":"Amazon S3 on Outposts provides access to S3 on Outposts operations.
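Review bot: "VpcId":{"type":"string"} is added at the end of the shapes with no pattern, while the neighbouring SubnetId and SecurityGroupId shapes keep anchored patterns such as "^subnet-([0-9a-f]{8}|[0-9a-f]{17})$". Give VpcId a pattern in the same style so the model keeps describing the accepted format. The earlier hunks of this file also drop min/max from CidrBlock and NetworkInterfaceId, which have no pattern at all and are now unconstrained strings; if the length bounds were removed on purpose, a pattern on those two shapes would keep some constraint in the model.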
" } diff --git a/services/sagemaker/pom.xml b/services/sagemaker/pom.xml index 7743319f7a15..c042d901742a 100644 --- a/services/sagemaker/pom.xml +++ b/services/sagemaker/pom.xml @@ -20,7 +20,7 @@Disables the standards specified by the provided StandardsSubscriptionArns
.
For more information, see Security Standards section of the AWS Security Hub User Guide.
" + "documentation":"Disables the standards specified by the provided StandardsSubscriptionArns
.
For more information, see Security Standards section of the Security Hub User Guide.
" }, "BatchEnableStandards":{ "name":"BatchEnableStandards", @@ -78,7 +78,7 @@ {"shape":"InvalidAccessException"}, {"shape":"LimitExceededException"} ], - "documentation":"Enables the standards specified by the provided StandardsArn
. To obtain the ARN for a standard, use the DescribeStandards
operation.
For more information, see the Security Standards section of the AWS Security Hub User Guide.
" + "documentation":"Enables the standards specified by the provided StandardsArn
. To obtain the ARN for a standard, use the DescribeStandards
operation.
For more information, see the Security Standards section of the Security Hub User Guide.
" }, "BatchImportFindings":{ "name":"BatchImportFindings", @@ -110,7 +110,7 @@ {"shape":"LimitExceededException"}, {"shape":"InvalidAccessException"} ], - "documentation":"Used by Security Hub customers to update information about their investigation into a finding. Requested by administrator accounts or member accounts. Administrator accounts can update findings for their account and their member accounts. Member accounts can update findings for their account.
Updates from BatchUpdateFindings
do not affect the value of UpdatedAt
for a finding.
Administrator and member accounts can use BatchUpdateFindings
to update the following finding fields and objects.
Confidence
Criticality
Note
RelatedFindings
Severity
Types
UserDefinedFields
VerificationState
Workflow
You can configure IAM policies to restrict access to fields and field values. For example, you might not want member accounts to be able to suppress findings or change the finding severity. See Configuring access to BatchUpdateFindings in the AWS Security Hub User Guide.
" + "documentation":"Used by Security Hub customers to update information about their investigation into a finding. Requested by administrator accounts or member accounts. Administrator accounts can update findings for their account and their member accounts. Member accounts can update findings for their account.
Updates from BatchUpdateFindings
do not affect the value of UpdatedAt
for a finding.
Administrator and member accounts can use BatchUpdateFindings
to update the following finding fields and objects.
Confidence
Criticality
Note
RelatedFindings
Severity
Types
UserDefinedFields
VerificationState
Workflow
You can configure IAM policies to restrict access to fields and field values. For example, you might not want member accounts to be able to suppress findings or change the finding severity. See Configuring access to BatchUpdateFindings in the Security Hub User Guide.
" }, "CreateActionTarget":{ "name":"CreateActionTarget", @@ -161,7 +161,7 @@ {"shape":"InvalidAccessException"}, {"shape":"ResourceConflictException"} ], - "documentation":"Creates a member association in Security Hub between the specified accounts and the account used to make the request, which is the administrator account. If you are integrated with Organizations, then the administrator account is designated by the organization management account.
CreateMembers
is always used to add accounts that are not organization members.
For accounts that are part of an organization, CreateMembers
is only used in the following cases:
Security Hub is not configured to automatically add new accounts in an organization.
The account was disassociated or deleted in Security Hub.
This action can only be used by an account that has Security Hub enabled. To enable Security Hub, you can use the EnableSecurityHub
operation.
For accounts that are not organization members, you create the account association and then send an invitation to the member account. To send the invitation, you use the InviteMembers
operation. If the account owner accepts the invitation, the account becomes a member account in Security Hub.
Accounts that are part of an organization do not receive an invitation. They automatically become a member account in Security Hub.
A permissions policy is added that permits the administrator account to view the findings generated in the member account. When Security Hub is enabled in a member account, the member account findings are also visible to the administrator account.
To remove the association between the administrator and member accounts, use the DisassociateFromMasterAccount
or DisassociateMembers
operation.
Creates a member association in Security Hub between the specified accounts and the account used to make the request, which is the administrator account. If you are integrated with Organizations, then the administrator account is designated by the organization management account.
CreateMembers
is always used to add accounts that are not organization members.
For accounts that are managed using Organizations, CreateMembers
is only used in the following cases:
Security Hub is not configured to automatically add new organization accounts.
The account was disassociated or deleted in Security Hub.
This action can only be used by an account that has Security Hub enabled. To enable Security Hub, you can use the EnableSecurityHub
operation.
For accounts that are not organization members, you create the account association and then send an invitation to the member account. To send the invitation, you use the InviteMembers
operation. If the account owner accepts the invitation, the account becomes a member account in Security Hub.
Accounts that are managed using Organizations do not receive an invitation. They automatically become a member account in Security Hub, and Security Hub is automatically enabled for those accounts. Note that Security Hub cannot be enabled automatically for the organization management account. The organization management account must enable Security Hub before the administrator account enables it as a member account.
A permissions policy is added that permits the administrator account to view the findings generated in the member account. When Security Hub is enabled in a member account, the member account findings are also visible to the administrator account.
To remove the association between the administrator and member accounts, use the DisassociateFromMasterAccount
or DisassociateMembers
operation.
Deletes invitations received by the AWS account to become a member account.
This operation is only used by accounts that are not part of an organization. Organization accounts do not receive invitations.
" + "documentation":"Deletes invitations received by the Amazon Web Services account to become a member account.
This operation is only used by accounts that are not part of an organization. Organization accounts do not receive invitations.
" }, "DeleteMembers":{ "name":"DeleteMembers", @@ -492,7 +492,7 @@ {"shape":"ResourceConflictException"}, {"shape":"AccessDeniedException"} ], - "documentation":"Enables Security Hub for your account in the current Region or the Region you specify in the request.
When you enable Security Hub, you grant to Security Hub the permissions necessary to gather findings from other services that are integrated with Security Hub.
When you use the EnableSecurityHub
operation to enable Security Hub, you also automatically enable the following standards.
CIS AWS Foundations
AWS Foundational Security Best Practices
You do not enable the Payment Card Industry Data Security Standard (PCI DSS) standard.
To not enable the automatically enabled standards, set EnableDefaultStandards
to false
.
After you enable Security Hub, to enable a standard, use the BatchEnableStandards
operation. To disable a standard, use the BatchDisableStandards
operation.
To learn more, see Setting Up AWS Security Hub in the AWS Security Hub User Guide.
" + "documentation":"Enables Security Hub for your account in the current Region or the Region you specify in the request.
When you enable Security Hub, you grant to Security Hub the permissions necessary to gather findings from other services that are integrated with Security Hub.
When you use the EnableSecurityHub
operation to enable Security Hub, you also automatically enable the following standards.
CIS Amazon Web Services Foundations
Amazon Web Services Foundational Security Best Practices
You do not enable the Payment Card Industry Data Security Standard (PCI DSS) standard.
To not enable the automatically enabled standards, set EnableDefaultStandards
to false
.
After you enable Security Hub, to enable a standard, use the BatchEnableStandards
operation. To disable a standard, use the BatchDisableStandards
operation.
To learn more, see the setup information in the Security Hub User Guide.
" }, "GetAdministratorAccount":{ "name":"GetAdministratorAccount", @@ -644,7 +644,7 @@ {"shape":"LimitExceededException"}, {"shape":"ResourceNotFoundException"} ], - "documentation":"Invites other AWS accounts to become member accounts for the Security Hub administrator account that the invitation is sent from.
This operation is only used to invite accounts that do not belong to an organization. Organization accounts do not receive invitations.
Before you can use this action to invite a member, you must first use the CreateMembers
action to create the member account in Security Hub.
When the account owner enables Security Hub and accepts the invitation to become a member account, the administrator account can view the findings generated from the member account.
" + "documentation":"Invites other Amazon Web Services accounts to become member accounts for the Security Hub administrator account that the invitation is sent from.
This operation is only used to invite accounts that do not belong to an organization. Organization accounts do not receive invitations.
Before you can use this action to invite a member, you must first use the CreateMembers
action to create the member account in Security Hub.
When the account owner enables Security Hub and accepts the invitation to become a member account, the administrator account can view the findings generated from the member account.
" }, "ListEnabledProductsForImport":{ "name":"ListEnabledProductsForImport", @@ -675,7 +675,7 @@ {"shape":"InvalidAccessException"}, {"shape":"LimitExceededException"} ], - "documentation":"Lists all Security Hub membership invitations that were sent to the current AWS account.
This operation is only used by accounts that are managed by invitation. Accounts that are managed using the integration with AWS Organizations do not receive invitations.
" + "documentation":"Lists all Security Hub membership invitations that were sent to the current Amazon Web Services account.
This operation is only used by accounts that are managed by invitation. Accounts that are managed using the integration with Organizations do not receive invitations.
" }, "ListMembers":{ "name":"ListMembers", @@ -916,14 +916,14 @@ "members":{ "AccountId":{ "shape":"AccountId", - "documentation":"The ID of an AWS account.
" + "documentation":"The ID of an Amazon Web Services account.
" }, "Email":{ "shape":"NonEmptyString", - "documentation":"The email of an AWS account.
" + "documentation":"The email of an Amazon Web Services account.
" } }, - "documentation":"The details of an AWS account.
" + "documentation":"The details of an Amazon Web Services account.
" }, "AccountDetailsList":{ "type":"list", @@ -958,7 +958,7 @@ "documentation":"Included if ActionType
is PORT_PROBE
. Provides details about the port probe that was detected.
Provides details about one of the following actions that affects or that was taken on a resource:
A remote IP address issued an AWS API call
A DNS request was received
A remote IP address attempted to connect to an EC2 instance
A remote IP address attempted a port probe on an EC2 instance
Provides details about one of the following actions that affects or that was taken on a resource:
A remote IP address issued an Amazon Web Services API call
A DNS request was received
A remote IP address attempted to connect to an EC2 instance
A remote IP address attempted a port probe on an EC2 instance
The AWS account identifier of the Security Hub administrator account.
" + "documentation":"The Amazon Web Services account identifier of the Security Hub administrator account.
" }, "Status":{ "shape":"AdminStatus", @@ -1112,7 +1112,7 @@ }, "ServiceName":{ "shape":"NonEmptyString", - "documentation":"The name of the AWS service that the API method belongs to.
" + "documentation":"The name of the Amazon Web Services service that the API method belongs to.
" }, "CallerType":{ "shape":"NonEmptyString", @@ -1350,7 +1350,7 @@ }, "TracingEnabled":{ "shape":"Boolean", - "documentation":"Indicates whether active tracing with AWS X-Ray is enabled for the stage.
" + "documentation":"Indicates whether active tracing with X-Ray is enabled for the stage.
" }, "CreatedDate":{ "shape":"NonEmptyString", @@ -1556,7 +1556,7 @@ }, "InUseBy":{ "shape":"StringList", - "documentation":"The list of ARNs for the AWS resources that use the certificate.
" + "documentation":"The list of ARNs for the Amazon Web Services resources that use the certificate.
" }, "IssuedAt":{ "shape":"NonEmptyString", @@ -1592,7 +1592,7 @@ }, "RenewalSummary":{ "shape":"AwsCertificateManagerCertificateRenewalSummary", - "documentation":"Information about the status of the AWS Certificate Manager managed renewal for the certificate. Provided only when the certificate type is AMAZON_ISSUED
.
Information about the status of the Certificate Manager managed renewal for the certificate. Provided only when the certificate type is AMAZON_ISSUED
.
The source of the certificate. For certificates that AWS Certificate Manager provides, Type
is AMAZON_ISSUED
. For certificates that are imported with ImportCertificate
, Type
is IMPORTED
.
Valid values: IMPORTED
| AMAZON_ISSUED
| PRIVATE
The source of the certificate. For certificates that Certificate Manager provides, Type
is AMAZON_ISSUED
. For certificates that are imported with ImportCertificate
, Type
is IMPORTED
.
Valid values: IMPORTED
| AMAZON_ISSUED
| PRIVATE
Provides details about an AWS Certificate Manager certificate.
" + "documentation":"Provides details about an Certificate Manager certificate.
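Review bot: Dropping "AWS" leaves the wrong article in the added line: "an Certificate Manager certificate" should read "a Certificate Manager certificate".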
" }, "AwsCertificateManagerCertificateDomainValidationOption":{ "type":"structure", @@ -1634,11 +1634,11 @@ }, "ValidationDomain":{ "shape":"NonEmptyString", - "documentation":"The domain name that AWS Certificate Manager uses to send domain validation emails.
" + "documentation":"The domain name that Certificate Manager uses to send domain validation emails.
" }, "ValidationEmails":{ "shape":"StringList", - "documentation":"A list of email addresses that AWS Certificate Manager uses to send domain validation emails.
" + "documentation":"A list of email addresses that Certificate Manager uses to send domain validation emails.
" }, "ValidationMethod":{ "shape":"NonEmptyString", @@ -1649,7 +1649,7 @@ "documentation":"The validation status of the domain name.
" } }, - "documentation":"Contains information about one of the following:
The initial validation of each domain name that occurs as a result of the RequestCertificate
request
The validation of each domain name in the certificate, as it pertains to AWS Certificate Manager managed renewal
Contains information about one of the following:
The initial validation of each domain name that occurs as a result of the RequestCertificate
request
The validation of each domain name in the certificate, as it pertains to Certificate Manager managed renewal
Information about the validation of each domain name in the certificate, as it pertains to AWS Certificate Manager managed renewal. Provided only when the certificate type is AMAZON_ISSUED
.
Information about the validation of each domain name in the certificate, as it pertains to Certificate Manager managed renewal. Provided only when the certificate type is AMAZON_ISSUED
.
The status of the AWS Certificate Manager managed renewal of the certificate.
Valid values: PENDING_AUTO_RENEWAL
| PENDING_VALIDATION
| SUCCESS
| FAILED
The status of the Certificate Manager managed renewal of the certificate.
Valid values: PENDING_AUTO_RENEWAL
| PENDING_VALIDATION
| SUCCESS
| FAILED
Indicates when the renewal summary was last updated.
Uses the date-time
format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z
.
Contains information about the AWS Certificate Manager managed renewal for an AMAZON_ISSUED
certificate.
Contains information about the Certificate Manager managed renewal for an AMAZON_ISSUED
certificate.
A unique identifier that specifies the AWS WAF web ACL, if any, to associate with this distribution.
" + "documentation":"A unique identifier that specifies the WAF web ACL, if any, to associate with this distribution.
" } }, "documentation":"A distribution configuration.
" @@ -1826,7 +1826,7 @@ "members":{ "Bucket":{ "shape":"NonEmptyString", - "documentation":"The Amazon S3 bucket to store the access logs in.
" + "documentation":"The S3 bucket to store the access logs in.
" }, "Enabled":{ "shape":"Boolean", @@ -1900,7 +1900,7 @@ "members":{ "DomainName":{ "shape":"NonEmptyString", - "documentation":"Amazon S3 origins: The DNS name of the Amazon S3 bucket from which you want CloudFront to get objects for this origin.
" + "documentation":"Amazon S3 origins: The DNS name of the S3 bucket from which you want CloudFront to get objects for this origin.
" }, "Id":{ "shape":"NonEmptyString", @@ -1915,7 +1915,7 @@ "documentation":"An origin that is an S3 bucket that is not configured with static website hosting.
" } }, - "documentation":"A complex type that describes the Amazon S3 bucket, HTTP server (for example, a web server), Amazon Elemental MediaStore, or other server from which CloudFront gets your files.
" + "documentation":"A complex type that describes the S3 bucket, HTTP server (for example, a web server), AWS Elemental MediaStore, or other server from which CloudFront gets your files.
" }, "AwsCloudFrontDistributionOriginItemList":{ "type":"list", @@ -1950,7 +1950,7 @@ }, "CloudWatchLogsRoleArn":{ "shape":"NonEmptyString", - "documentation":"The ARN of the role that the CloudWatch Logs endpoint assumes when it writes to the log group.
" + "documentation":"The ARN of the role that the CloudWatch Events endpoint assumes when it writes to the log group.
" }, "HasCustomEventSelectors":{ "shape":"Boolean", @@ -1970,11 +1970,11 @@ }, "IsOrganizationTrail":{ "shape":"Boolean", - "documentation":"Whether the trail is created for all accounts in an organization in AWS Organizations, or only for the current AWS account.
" + "documentation":"Whether the trail is created for all accounts in an organization in Organizations, or only for the current Amazon Web Services account.
" }, "KmsKeyId":{ "shape":"NonEmptyString", - "documentation":"The AWS KMS key ID to use to encrypt the logs.
" + "documentation":"The KMS key ID to use to encrypt the logs.
" }, "LogFileValidationEnabled":{ "shape":"Boolean", @@ -2012,7 +2012,7 @@ "members":{ "EncryptionKey":{ "shape":"NonEmptyString", - "documentation":"The AWS Key Management Service (AWS KMS) customer master key (CMK) used to encrypt the build output artifacts.
You can specify either the ARN of the CMK or, if available, the CMK alias (using the format alias/alias-name).
" + "documentation":"The KMS customer master key (CMK) used to encrypt the build output artifacts.
You can specify either the ARN of the CMK or, if available, the CMK alias (using the format alias/alias-name).
" }, "Environment":{ "shape":"AwsCodeBuildProjectEnvironment", @@ -2028,14 +2028,14 @@ }, "ServiceRole":{ "shape":"NonEmptyString", - "documentation":"The ARN of the IAM role that enables AWS CodeBuild to interact with dependent AWS services on behalf of the AWS account.
" + "documentation":"The ARN of the IAM role that enables CodeBuild to interact with dependent Amazon Web Services services on behalf of the Amazon Web Services account.
" }, "VpcConfig":{ "shape":"AwsCodeBuildProjectVpcConfig", - "documentation":"Information about the VPC configuration that AWS CodeBuild accesses.
" + "documentation":"Information about the VPC configuration that CodeBuild accesses.
" } }, - "documentation":"Information about an AWS CodeBuild project.
" + "documentation":"Information about an CodeBuild project.
" }, "AwsCodeBuildProjectEnvironment":{ "type":"structure", @@ -2046,7 +2046,7 @@ }, "ImagePullCredentialsType":{ "shape":"NonEmptyString", - "documentation":"The type of credentials AWS CodeBuild uses to pull images in your build.
Valid values:
CODEBUILD
specifies that AWS CodeBuild uses its own credentials. This requires that you modify your ECR repository policy to trust the AWS CodeBuild service principal.
SERVICE_ROLE
specifies that AWS CodeBuild uses your build project's service role.
When you use a cross-account or private registry image, you must use SERVICE_ROLE
credentials. When you use an AWS CodeBuild curated image, you must use CODEBUILD
credentials.
The type of credentials CodeBuild uses to pull images in your build.
Valid values:
CODEBUILD
specifies that CodeBuild uses its own credentials. This requires that you modify your ECR repository policy to trust the CodeBuild service principal.
SERVICE_ROLE
specifies that CodeBuild uses your build project's service role.
When you use a cross-account or private registry image, you must use SERVICE_ROLE
credentials. When you use an CodeBuild curated image, you must use CODEBUILD
credentials.
The ARN or name of credentials created using AWS Secrets Manager.
The credential can use the name of the credentials only if they exist in your current AWS Region.
The ARN or name of credentials created using Secrets Manager.
The credential can use the name of the credentials only if they exist in your current Amazon Web Services Region.
The service that created the credentials to access a private Docker registry.
The valid value, SECRETS_MANAGER
, is for AWS Secrets Manager.
The service that created the credentials to access a private Docker registry.
The valid value, SECRETS_MANAGER
, is for Secrets Manager.
The credentials for access to a private registry.
" @@ -2078,11 +2078,11 @@ "members":{ "Type":{ "shape":"NonEmptyString", - "documentation":"The type of repository that contains the source code to be built. Valid values are:
BITBUCKET
- The source code is in a Bitbucket repository.
CODECOMMIT
- The source code is in an AWS CodeCommit repository.
CODEPIPELINE
- The source code settings are specified in the source action of a pipeline in AWS CodePipeline.
GITHUB
- The source code is in a GitHub repository.
GITHUB_ENTERPRISE
- The source code is in a GitHub Enterprise repository.
NO_SOURCE
- The project does not have input source code.
S3
- The source code is in an S3 input bucket.
The type of repository that contains the source code to be built. Valid values are:
BITBUCKET
- The source code is in a Bitbucket repository.
CODECOMMIT
- The source code is in an CodeCommit repository.
CODEPIPELINE
- The source code settings are specified in the source action of a pipeline in CodePipeline.
GITHUB
- The source code is in a GitHub repository.
GITHUB_ENTERPRISE
- The source code is in a GitHub Enterprise repository.
NO_SOURCE
- The project does not have input source code.
S3
- The source code is in an S3 input bucket.
Information about the location of the source code to be built.
Valid values include:
For source code settings that are specified in the source action of a pipeline in AWS CodePipeline, location should not be specified. If it is specified, AWS CodePipeline ignores it. This is because AWS CodePipeline uses the settings in a pipeline's source action instead of this value.
For source code in an AWS CodeCommit repository, the HTTPS clone URL to the repository that contains the source code and the build spec file (for example, https://git-codecommit.region-ID.amazonaws.com/v1/repos/repo-name
).
For source code in an S3 input bucket, one of the following.
The path to the ZIP file that contains the source code (for example, bucket-name/path/to/object-name.zip
).
The path to the folder that contains the source code (for example, bucket-name/path/to/source-code/folder/
).
For source code in a GitHub repository, the HTTPS clone URL to the repository that contains the source and the build spec file.
For source code in a Bitbucket repository, the HTTPS clone URL to the repository that contains the source and the build spec file.
Information about the location of the source code to be built.
Valid values include:
For source code settings that are specified in the source action of a pipeline in CodePipeline, location should not be specified. If it is specified, CodePipeline ignores it. This is because CodePipeline uses the settings in a pipeline's source action instead of this value.
For source code in an CodeCommit repository, the HTTPS clone URL to the repository that contains the source code and the build spec file (for example, https://git-codecommit.region-ID.amazonaws.com/v1/repos/repo-name
).
For source code in an S3 input bucket, one of the following.
The path to the ZIP file that contains the source code (for example, bucket-name/path/to/object-name.zip
).
The path to the folder that contains the source code (for example, bucket-name/path/to/source-code/folder/
).
For source code in a GitHub repository, the HTTPS clone URL to the repository that contains the source and the build spec file.
For source code in a Bitbucket repository, the HTTPS clone URL to the repository that contains the source and the build spec file.
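Review bot: dropping the "AWS" prefix left the wrong article in two places in the new Type and location text: "The source code is in an CodeCommit repository" and "For source code in an CodeCommit repository". Both should read "a CodeCommit repository".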
A list of one or more subnet IDs in your Amazon VPC.
" + "documentation":"A list of one or more subnet IDs in your VPC.
" }, "SecurityGroupIds":{ "shape":"NonEmptyStringList", - "documentation":"A list of one or more security group IDs in your Amazon VPC.
" + "documentation":"A list of one or more security group IDs in your VPC.
" } }, - "documentation":"Information about the VPC configuration that AWS CodeBuild accesses.
" + "documentation":"Information about the VPC configuration that CodeBuild accesses.
" }, "AwsCorsConfiguration":{ "type":"structure", @@ -2406,7 +2406,7 @@ }, "KmsMasterKeyId":{ "shape":"NonEmptyString", - "documentation":"The identifier of the AWS KMS customer master key (CMK) that will be used for AWS KMS encryption for the replica.
" + "documentation":"The identifier of the KMS customer master key (CMK) that will be used for KMS encryption for the replica.
" }, "ProvisionedThroughputOverride":{ "shape":"AwsDynamoDbTableProvisionedThroughputOverride", @@ -2488,7 +2488,7 @@ }, "KmsMasterKeyArn":{ "shape":"NonEmptyString", - "documentation":"The ARN of the AWS KMS customer master key (CMK) that is used for the AWS KMS encryption.
" + "documentation":"The ARN of the KMS customer master key (CMK) that is used for the KMS encryption.
" } }, "documentation":"Information about the server-side encryption for the table.
" @@ -2520,7 +2520,7 @@ }, "AllocationId":{ "shape":"NonEmptyString", - "documentation":"The identifier that AWS assigns to represent the allocation of the Elastic IP address for use with Amazon VPC.
" + "documentation":"The identifier that Amazon Web Services assigns to represent the allocation of the Elastic IP address for use with Amazon VPC.
" }, "AssociationId":{ "shape":"NonEmptyString", @@ -2544,7 +2544,7 @@ }, "NetworkInterfaceOwnerId":{ "shape":"NonEmptyString", - "documentation":"The AWS account ID of the owner of the network interface.
" + "documentation":"The Amazon Web Services account ID of the owner of the network interface.
" }, "PrivateIpAddress":{ "shape":"NonEmptyString", @@ -2648,7 +2648,7 @@ }, "OwnerId":{ "shape":"NonEmptyString", - "documentation":"The identifier of the AWS account that owns the network ACL.
" + "documentation":"The identifier of the Amazon Web Services account that owns the network ACL.
" }, "VpcId":{ "shape":"NonEmptyString", @@ -2732,7 +2732,7 @@ }, "InstanceOwnerId":{ "shape":"NonEmptyString", - "documentation":"The AWS account ID of the owner of the instance.
" + "documentation":"The Amazon Web Services account ID of the owner of the instance.
" }, "Status":{ "shape":"NonEmptyString", @@ -2842,7 +2842,7 @@ }, "OwnerId":{ "shape":"NonEmptyString", - "documentation":"The AWS account ID of the owner of the security group.
" + "documentation":"The Amazon Web Services account ID of the owner of the security group.
" }, "VpcId":{ "shape":"NonEmptyString", @@ -2876,7 +2876,7 @@ }, "UserIdGroupPairs":{ "shape":"AwsEc2SecurityGroupUserIdGroupPairList", - "documentation":"The security group and AWS account ID pairs.
" + "documentation":"The security group and Amazon Web Services account ID pairs.
" }, "IpRanges":{ "shape":"AwsEc2SecurityGroupIpRangeList", @@ -2888,7 +2888,7 @@ }, "PrefixListIds":{ "shape":"AwsEc2SecurityGroupPrefixListIdList", - "documentation":"[VPC only] The prefix list IDs for an AWS service. With outbound rules, this is the AWS service to access through a VPC endpoint from instances associated with the security group.
" + "documentation":"[VPC only] The prefix list IDs for an Amazon Web Services service. With outbound rules, this is the Amazon Web Services service to access through a VPC endpoint from instances associated with the security group.
" } }, "documentation":"An IP permission for an EC2 security group.
" @@ -2956,7 +2956,7 @@ }, "UserId":{ "shape":"NonEmptyString", - "documentation":"The ID of an AWS account.
For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.
[EC2-Classic] Required when adding or removing rules that reference a security group in another VPC.
" + "documentation":"The ID of an Amazon Web Services account.
For a referenced security group in another VPC, the account ID of the referenced security group is returned in the response. If the referenced security group is deleted, this value is not returned.
[EC2-Classic] Required when adding or removing rules that reference a security group in another VPC.
" }, "VpcId":{ "shape":"NonEmptyString", @@ -3006,7 +3006,7 @@ }, "OwnerId":{ "shape":"NonEmptyString", - "documentation":"The identifier of the AWS account that owns the subnet.
" + "documentation":"The identifier of the Amazon Web Services account that owns the subnet.
" }, "State":{ "shape":"NonEmptyString", @@ -3029,7 +3029,7 @@ "documentation":"The IPV6 CIDR blocks that are associated with the subnet.
" } }, - "documentation":"Contains information about a subnet in EC2.
" + "documentation":"Contains information about a subnet in Amazon EC2.
" }, "AwsEc2VolumeAttachment":{ "type":"structure", @@ -3051,7 +3051,7 @@ "documentation":"The attachment state of the volume.
" } }, - "documentation":"An attachment to an AWS EC2 volume.
" + "documentation":"An attachment to an Amazon EC2 volume.
" }, "AwsEc2VolumeAttachmentList":{ "type":"list", @@ -3082,7 +3082,7 @@ }, "KmsKeyId":{ "shape":"NonEmptyString", - "documentation":"The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to protect the volume encryption key for the volume.
" + "documentation":"The ARN of the KMS customer master key (CMK) that was used to protect the volume encryption key for the volume.
" }, "Attachments":{ "shape":"AwsEc2VolumeAttachmentList", @@ -3229,6 +3229,280 @@ }, "documentation":"provides details about an ECS cluster.
" }, + "AwsEcsServiceCapacityProviderStrategyDetails":{ + "type":"structure", + "members":{ + "Base":{ + "shape":"Integer", + "documentation":"The minimum number of tasks to run on the capacity provider. Only one strategy item can specify a value for Base
.
The value must be between 0 and 100000.
" + }, + "CapacityProvider":{ + "shape":"NonEmptyString", + "documentation":"The short name of the capacity provider.
" + }, + "Weight":{ + "shape":"Integer", + "documentation":"The relative percentage of the total number of tasks that should use the capacity provider.
If no weight is specified, the default value is 0. At least one capacity provider must have a weight greater than 0.
The value can be between 0 and 1000.
" + } + }, + "documentation":"Strategy item for the capacity provider strategy that the service uses.
" + }, + "AwsEcsServiceCapacityProviderStrategyList":{ + "type":"list", + "member":{"shape":"AwsEcsServiceCapacityProviderStrategyDetails"} + }, + "AwsEcsServiceDeploymentConfigurationDeploymentCircuitBreakerDetails":{ + "type":"structure", + "members":{ + "Enable":{ + "shape":"Boolean", + "documentation":"Whether to enable the deployment circuit breaker logic for the service.
" + }, + "Rollback":{ + "shape":"Boolean", + "documentation":"Whether to roll back the service if a service deployment fails. If rollback is enabled, when a service deployment fails, the service is rolled back to the last deployment that completed successfully.
" + } + }, + "documentation":"Determines whether a service deployment fails if a service cannot reach a steady state.
" + }, + "AwsEcsServiceDeploymentConfigurationDetails":{ + "type":"structure", + "members":{ + "DeploymentCircuitBreaker":{ + "shape":"AwsEcsServiceDeploymentConfigurationDeploymentCircuitBreakerDetails", + "documentation":"Determines whether a service deployment fails if a service cannot reach a steady state.
" + }, + "MaximumPercent":{ + "shape":"Integer", + "documentation":"For a service that uses the rolling update (ECS
) deployment type, the maximum number of tasks in a service that are allowed in the RUNNING
or PENDING
state during a deployment, and for tasks that use the EC2 launch type, when any container instances are in the DRAINING
state. Provided as a percentage of the desired number of tasks. The default value is 200%.
For a service that uses the blue/green (CODE_DEPLOY
) or EXTERNAL
deployment types, and tasks that use the EC2 launch type, the maximum number of tasks in the service that remain in the RUNNING
state while the container instances are in the DRAINING
state.
For the Fargate launch type, the maximum percent value is not used.
" + }, + "MinimumHealthyPercent":{ + "shape":"Integer", + "documentation":"For a service that uses the rolling update (ECS
) deployment type, the minimum number of tasks in a service that must remain in the RUNNING
state during a deployment, and while any container instances are in the DRAINING
state if the service contains tasks using the EC2 launch type. Expressed as a percentage of the desired number of tasks. The default value is 100%.
For a service that uses the blue/green (CODE_DEPLOY
) or EXTERNAL
deployment types and tasks that use the EC2 launch type, the minimum number of the tasks in the service that remain in the RUNNING
state while the container instances are in the DRAINING
state.
For the Fargate launch type, the minimum healthy percent value is not used.
" + } + }, + "documentation":"Optional deployment parameters for the service.
" + }, + "AwsEcsServiceDeploymentControllerDetails":{ + "type":"structure", + "members":{ + "Type":{ + "shape":"NonEmptyString", + "documentation":"The rolling update (ECS
) deployment type replaces the current running version of the container with the latest version.
The blue/green (CODE_DEPLOY
) deployment type uses the blue/green deployment model that is powered by CodeDeploy. This deployment model a new deployment of a service can be verified before production traffic is sent to it.
The external (EXTERNAL
) deployment type allows the use of any third-party deployment controller for full control over the deployment process for an Amazon ECS service.
Valid values: ECS
| CODE_DEPLOY
| EXTERNAL
Information about the deployment controller type that the service uses.
" + }, + "AwsEcsServiceDetails":{ + "type":"structure", + "members":{ + "CapacityProviderStrategy":{ + "shape":"AwsEcsServiceCapacityProviderStrategyList", + "documentation":"The capacity provider strategy that the service uses.
" + }, + "Cluster":{ + "shape":"NonEmptyString", + "documentation":"The ARN of the cluster that hosts the service.
" + }, + "DeploymentConfiguration":{ + "shape":"AwsEcsServiceDeploymentConfigurationDetails", + "documentation":"Deployment parameters for the service. Includes the number of tasks that run and the order in which to start and stop tasks.
" + }, + "DeploymentController":{ + "shape":"AwsEcsServiceDeploymentControllerDetails", + "documentation":"Contains the deployment controller type that the service uses.
" + }, + "DesiredCount":{ + "shape":"Integer", + "documentation":"The number of instantiations of the task definition to run on the service.
" + }, + "EnableEcsManagedTags":{ + "shape":"Boolean", + "documentation":"Whether to enable Amazon ECS managed tags for the tasks in the service.
" + }, + "EnableExecuteCommand":{ + "shape":"Boolean", + "documentation":"Whether the execute command functionality is enabled for the service.
" + }, + "HealthCheckGracePeriodSeconds":{ + "shape":"Integer", + "documentation":"After a task starts, the amount of time in seconds that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing target health checks.
" + }, + "LaunchType":{ + "shape":"NonEmptyString", + "documentation":"The launch type that the service uses.
Valid values: EC2
| FARGATE
| EXTERNAL
Information about the load balancers that the service uses.
" + }, + "Name":{ + "shape":"NonEmptyString", + "documentation":"The name of the service.
" + }, + "NetworkConfiguration":{ + "shape":"AwsEcsServiceNetworkConfigurationDetails", + "documentation":"For tasks that use the awsvpc
networking mode, the VPC subnet and security group configuration.
The placement constraints for the tasks in the service.
" + }, + "PlacementStrategies":{ + "shape":"AwsEcsServicePlacementStrategiesList", + "documentation":"Information about how tasks for the service are placed.
" + }, + "PlatformVersion":{ + "shape":"NonEmptyString", + "documentation":"The platform version on which to run the service. Only specified for tasks that are hosted on Fargate. If a platform version is not specified, the LATEST
platform version is used by default.
Indicates whether to propagate the tags from the task definition to the task or from the service to the task. If no value is provided, then tags are not propagated.
Valid values: TASK_DEFINITION
| SERVICE
The ARN of the IAM role that is associated with the service. The role allows the Amazon ECS container agent to register container instances with an Elastic Load Balancing load balancer.
" + }, + "SchedulingStrategy":{ + "shape":"NonEmptyString", + "documentation":"The scheduling strategy to use for the service.
The REPLICA
scheduling strategy places and maintains the desired number of tasks across the cluster. By default, the service scheduler spreads tasks across Availability Zones. Task placement strategies and constraints are used to customize task placement decisions.
The DAEMON
scheduling strategy deploys exactly one task on each active container instance that meets all of the task placement constraints that are specified in the cluster. The service scheduler also evaluates the task placement constraints for running tasks and stops tasks that do not meet the placement constraints.
Valid values: REPLICA
| DAEMON
The ARN of the service.
" + }, + "ServiceName":{ + "shape":"NonEmptyString", + "documentation":"The name of the service.
The name can contain up to 255 characters. It can use letters, numbers, underscores, and hyphens.
" + }, + "ServiceRegistries":{ + "shape":"AwsEcsServiceServiceRegistriesList", + "documentation":"Information about the service discovery registries to assign to the service.
" + }, + "TaskDefinition":{ + "shape":"NonEmptyString", + "documentation":"The task definition to use for tasks in the service.
" + } + }, + "documentation":"Provides details about a service within an ECS cluster.
" + }, + "AwsEcsServiceLoadBalancersDetails":{ + "type":"structure", + "members":{ + "ContainerName":{ + "shape":"NonEmptyString", + "documentation":"The name of the container to associate with the load balancer.
" + }, + "ContainerPort":{ + "shape":"Integer", + "documentation":"The port on the container to associate with the load balancer. This port must correspond to a containerPort
in the task definition the tasks in the service are using. For tasks that use the EC2 launch type, the container instance they are launched on must allow ingress traffic on the hostPort
of the port mapping.
The name of the load balancer to associate with the Amazon ECS service or task set.
Only specified when using a Classic Load Balancer. For an Application Load Balancer or a Network Load Balancer, the load balancer name is omitted.
" + }, + "TargetGroupArn":{ + "shape":"NonEmptyString", + "documentation":"The ARN of the Elastic Load Balancing target group or groups associated with a service or task set.
Only specified when using an Application Load Balancer or a Network Load Balancer. For a Classic Load Balancer, the target group ARN is omitted.
" + } + }, + "documentation":"Information about a load balancer that the service uses.
" + }, + "AwsEcsServiceLoadBalancersList":{ + "type":"list", + "member":{"shape":"AwsEcsServiceLoadBalancersDetails"} + }, + "AwsEcsServiceNetworkConfigurationAwsVpcConfigurationDetails":{ + "type":"structure", + "members":{ + "AssignPublicIp":{ + "shape":"NonEmptyString", + "documentation":"Whether the task's elastic network interface receives a public IP address. The default value is DISABLED
.
Valid values: ENABLED
| DISABLED
The IDs of the security groups associated with the task or service.
You can provide up to five security groups.
" + }, + "Subnets":{ + "shape":"NonEmptyStringList", + "documentation":"The IDs of the subnets associated with the task or service.
You can provide up to 16 subnets.
" + } + }, + "documentation":"For tasks that use the awsvpc
networking mode, the VPC subnet and security group configuration.
The VPC subnet and security group configuration.
" + } + }, + "documentation":"For tasks that use the awsvpc
networking mode, the VPC subnet and security group configuration.
A cluster query language expression to apply to the constraint. You cannot specify an expression if the constraint type is distinctInstance
.
The type of constraint. Use distinctInstance
to run each task in a particular group on a different container instance. Use memberOf
to restrict the selection to a group of valid candidates.
Valid values: distinctInstance
| memberOf
A placement constraint for the tasks in the service.
" + }, + "AwsEcsServicePlacementConstraintsList":{ + "type":"list", + "member":{"shape":"AwsEcsServicePlacementConstraintsDetails"} + }, + "AwsEcsServicePlacementStrategiesDetails":{ + "type":"structure", + "members":{ + "Field":{ + "shape":"NonEmptyString", + "documentation":"The field to apply the placement strategy against.
For the spread
placement strategy, valid values are instanceId
(or host
, which has the same effect), or any platform or custom attribute that is applied to a container instance, such as attribute:ecs.availability-zone
.
For the binpack
placement strategy, valid values are cpu
and memory
.
For the random
placement strategy, this attribute is not used.
The type of placement strategy.
The random
placement strategy randomly places tasks on available candidates.
The spread
placement strategy spreads placement across available candidates evenly based on the value of Field
.
The binpack
strategy places tasks on available candidates that have the least available amount of the resource that is specified in Field
.
Valid values: random
| spread
| binpack
A placement strategy that determines how to place the tasks for the service.
" + }, + "AwsEcsServicePlacementStrategiesList":{ + "type":"list", + "member":{"shape":"AwsEcsServicePlacementStrategiesDetails"} + }, + "AwsEcsServiceServiceRegistriesDetails":{ + "type":"structure", + "members":{ + "ContainerName":{ + "shape":"NonEmptyString", + "documentation":"The container name value to use for the service discovery service.
If the task definition uses the bridge
or host
network mode, you must specify ContainerName
and ContainerPort
.
If the task definition uses the awsvpc
network mode and a type SRV DNS record, you must specify either ContainerName
and ContainerPort
, or Port
, but not both.
The port value to use for the service discovery service.
If the task definition uses the bridge
or host
network mode, you must specify ContainerName
and ContainerPort
.
If the task definition uses the awsvpc
network mode and a type SRV DNS record, you must specify either ContainerName
and ContainerPort
, or Port
, but not both.
The port value to use for a service discovery service that specifies an SRV record. This field can be used if both the awsvpc
awsvpc network mode and SRV records are used.
The ARN of the service registry.
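Review bot: two of the new ECS service descriptions are garbled. In the deployment controller Type text, "This deployment model a new deployment of a service can be verified before production traffic is sent to it" is missing words (for example "With this deployment model, a new deployment of a service can be verified ..."), and the service registry port text repeats a word in "both the awsvpc awsvpc network mode and SRV records are used". These are worth fixing before merge, since the same structures carry fields such as EnableExecuteCommand and AssignPublicIp that people reviewing findings will read this documentation for.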
" + } + }, + "documentation":"Information about a service discovery registry to assign to the service.
" + }, + "AwsEcsServiceServiceRegistriesList":{ + "type":"list", + "member":{"shape":"AwsEcsServiceServiceRegistriesDetails"} + }, "AwsEcsTaskDefinitionContainerDefinitionsDependsOnDetails":{ "type":"structure", "members":{ @@ -3836,7 +4110,7 @@ }, "TaskRoleArn":{ "shape":"NonEmptyString", - "documentation":"The short name or ARN of the IAM role that grants containers in the task permission to call AWS API operations on your behalf.
" + "documentation":"The short name or ARN of the IAM role that grants containers in the task permission to call Amazon Web Services API operations on your behalf.
" }, "Volumes":{ "shape":"AwsEcsTaskDefinitionVolumesList", @@ -4156,7 +4430,7 @@ "members":{ "AccessPolicies":{ "shape":"NonEmptyString", - "documentation":"IAM policy document specifying the access policies for the new Amazon ES domain.
" + "documentation":"IAM policy document specifying the access policies for the new Elasticsearch domain.
" }, "DomainEndpointOptions":{ "shape":"AwsElasticsearchDomainDomainEndpointOptions", @@ -4164,24 +4438,28 @@ }, "DomainId":{ "shape":"NonEmptyString", - "documentation":"Unique identifier for an Amazon ES domain.
" + "documentation":"Unique identifier for an Elasticsearch domain.
" }, "DomainName":{ "shape":"NonEmptyString", - "documentation":"Name of an Amazon ES domain.
Domain names are unique across all domains owned by the same account within an AWS Region.
Domain names must start with a lowercase letter and must be between 3 and 28 characters.
Valid characters are a-z (lowercase only), 0-9, and – (hyphen).
" + "documentation":"Name of an Elasticsearch domain.
Domain names are unique across all domains owned by the same account within an Amazon Web Services Region.
Domain names must start with a lowercase letter and must be between 3 and 28 characters.
Valid characters are a-z (lowercase only), 0-9, and – (hyphen).
" }, "Endpoint":{ "shape":"NonEmptyString", - "documentation":"Domain-specific endpoint used to submit index, search, and data upload requests to an Amazon ES domain.
The endpoint is a service URL.
" + "documentation":"Domain-specific endpoint used to submit index, search, and data upload requests to an Elasticsearch domain.
The endpoint is a service URL.
" }, "Endpoints":{ "shape":"FieldMap", - "documentation":"The key-value pair that exists if the Amazon ES domain uses VPC endpoints.
" + "documentation":"The key-value pair that exists if the Elasticsearch domain uses VPC endpoints.
" }, "ElasticsearchVersion":{ "shape":"NonEmptyString", "documentation":"Elasticsearch version.
" }, + "ElasticsearchClusterConfig":{ + "shape":"AwsElasticsearchDomainElasticsearchClusterConfigDetails", + "documentation":"Information about an Elasticsearch cluster configuration.
" + }, "EncryptionAtRestOptions":{ "shape":"AwsElasticsearchDomainEncryptionAtRestOptions", "documentation":"Details about the configuration for encryption at rest.
" @@ -4200,10 +4478,10 @@ }, "VPCOptions":{ "shape":"AwsElasticsearchDomainVPCOptions", - "documentation":"Information that Amazon ES derives based on VPCOptions
for the domain.
Information that Elasticsearch derives based on VPCOptions
for the domain.
Information about an Elasticsearch domain.
" + "documentation":"Information about an Amazon Elasticsearch Service domain.
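Review bot: the rename is inconsistent inside this hunk. The VPCOptions text now says "Information that Elasticsearch derives based on VPCOptions", which names the engine where the old text named the service ("Amazon ES"), while the structure description is changed to "an Amazon Elasticsearch Service domain". Suggest using the service name in both places so it is clear the managed service, not the engine, derives the VPC information.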
" }, "AwsElasticsearchDomainDomainEndpointOptions":{ "type":"structure", @@ -4219,6 +4497,50 @@ }, "documentation":"Additional options for the domain endpoint, such as whether to require HTTPS for all traffic.
" }, + "AwsElasticsearchDomainElasticsearchClusterConfigDetails":{ + "type":"structure", + "members":{ + "DedicatedMasterCount":{ + "shape":"Integer", + "documentation":"The number of instances to use for the master node. If this attribute is specified, then DedicatedMasterEnabled
must be true
.
Whether to use a dedicated master node for the Elasticsearch domain. A dedicated master node performs cluster management tasks, but doesn't hold data or respond to data upload requests.
" + }, + "DedicatedMasterType":{ + "shape":"NonEmptyString", + "documentation":"The hardware configuration of the computer that hosts the dedicated master node. For example, m3.medium.elasticsearch
. If this attribute is specified, then DedicatedMasterEnabled
must be true
.
The number of data nodes to use in the Elasticsearch domain.
" + }, + "InstanceType":{ + "shape":"NonEmptyString", + "documentation":"The instance type for your data nodes. For example, m3.medium.elasticsearch
.
Configuration options for zone awareness. Provided if ZoneAwarenessEnabled
is true
.
Whether to enable zone awareness for the Elasticsearch domain. When zone awareness is enabled, Elasticsearch allocates the cluster's nodes and replica index shards across Availability Zones in the same Region. This prevents data loss and minimizes downtime if a node or data center fails.
" + } + }, + "documentation":"details about the configuration of an Elasticsearch cluster.
" + }, + "AwsElasticsearchDomainElasticsearchClusterConfigZoneAwarenessConfigDetails":{ + "type":"structure", + "members":{ + "AvailabilityZoneCount":{ + "shape":"Integer", + "documentation":"he number of Availability Zones that the domain uses. Valid values are 2 and 3. The default is 2.
" + } + }, + "documentation":"Configuration options for zone awareness.
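Review bot: two typos in the new cluster configuration documentation. The AvailabilityZoneCount text starts "he number of Availability Zones" (missing "T"), and the description of AwsElasticsearchDomainElasticsearchClusterConfigDetails starts with a lowercase "details about", unlike the other structure descriptions added here.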
" + }, "AwsElasticsearchDomainEncryptionAtRestOptions":{ "type":"structure", "members":{ @@ -4243,7 +4565,8 @@ "SearchSlowLogs":{ "shape":"AwsElasticsearchDomainLogPublishingOptionsLogConfig", "documentation":"Configures the Elasticsearch search slow log publishing.
" - } + }, + "AuditLogs":{"shape":"AwsElasticsearchDomainLogPublishingOptionsLogConfig"} }, "documentation":"configures the CloudWatch Logs to publish for the Elasticsearch domain.
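Review bot: the new AuditLogs member has no "documentation" entry, unlike SearchSlowLogs directly above it, which uses the same AwsElasticsearchDomainLogPublishingOptionsLogConfig shape. Add a one-line description so the field is not blank in generated docs, and capitalize "configures" in the structure description while touching this block.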
" }, @@ -4325,7 +4648,7 @@ "documentation":"ID for the VPC.
" } }, - "documentation":"Information that Amazon ES derives based on VPCOptions
for the domain.
Information that Elasticsearch derives based on VPCOptions
for the domain.
The AWS account ID of the account for the key.
" + "documentation":"The Amazon Web Services account ID of the account for the key.
" }, "AccessKeyId":{ "shape":"NonEmptyString", @@ -4784,7 +5107,7 @@ }, "AccountId":{ "shape":"NonEmptyString", - "documentation":"The identifier of the AWS account that created the session.
" + "documentation":"The identifier of the Amazon Web Services account that created the session.
" }, "UserName":{ "shape":"NonEmptyString", @@ -5136,7 +5459,7 @@ "members":{ "AWSAccountId":{ "shape":"NonEmptyString", - "documentation":"The twelve-digit account ID of the AWS account that owns the CMK.
" + "documentation":"The twelve-digit account ID of the Amazon Web Services account that owns the CMK.
" }, "CreationDate":{ "shape":"Double", @@ -5148,7 +5471,7 @@ }, "KeyManager":{ "shape":"NonEmptyString", - "documentation":"The manager of the CMK. CMKs in your AWS account are either customer managed or AWS managed.
" + "documentation":"The manager of the CMK. CMKs in your Amazon Web Services account are either customer managed or Amazon Web Services managed.
" }, "KeyState":{ "shape":"NonEmptyString", @@ -5156,7 +5479,7 @@ }, "Origin":{ "shape":"NonEmptyString", - "documentation":"The source of the CMK's key material.
When this value is AWS_KMS
, AWS KMS created the key material.
When this value is EXTERNAL
, the key material was imported from your existing key management infrastructure or the CMK lacks key material.
When this value is AWS_CLOUDHSM
, the key material was created in the AWS CloudHSM cluster associated with a custom key store.
The source of the CMK's key material.
When this value is AWS_KMS
, KMS created the key material.
When this value is EXTERNAL
, the key material was imported from your existing key management infrastructure or the CMK lacks key material.
When this value is AWS_CLOUDHSM
, the key material was created in the CloudHSM cluster associated with a custom key store.
An Amazon S3 bucket in the same AWS Region as your function. The bucket can be in a different AWS account.
" + "documentation":"An Amazon S3 bucket in the same Amazon Web Services Region as your function. The bucket can be in a different Amazon Web Services account.
" }, "S3Key":{ "shape":"NonEmptyString", @@ -5182,7 +5505,7 @@ }, "ZipFile":{ "shape":"NonEmptyString", - "documentation":"The base64-encoded contents of the deployment package. AWS SDK and AWS CLI clients handle the encoding for you.
" + "documentation":"The base64-encoded contents of the deployment package. Amazon Web Services SDK and Amazon Web Services CLI clients handle the encoding for you.
" } }, "documentation":"The code for the Lambda function. You can specify either an object in Amazon S3, or upload a deployment package directly.
" @@ -5192,7 +5515,7 @@ "members":{ "TargetArn":{ "shape":"NonEmptyString", - "documentation":"The ARN of an Amazon SQS queue or Amazon SNS topic.
" + "documentation":"The ARN of an SQS queue or SNS topic.
" } }, "documentation":"The dead-letter queue for failed asynchronous invocations.
" @@ -5226,7 +5549,7 @@ }, "KmsKeyArn":{ "shape":"NonEmptyString", - "documentation":"The KMS key that's used to encrypt the function's environment variables. This key is only returned if you've configured a customer managed CMK.
" + "documentation":"The KMS key that is used to encrypt the function's environment variables. This key is only returned if you've configured a customer managed CMK.
" }, "LastModified":{ "shape":"NonEmptyString", @@ -5262,7 +5585,7 @@ }, "TracingConfig":{ "shape":"AwsLambdaFunctionTracingConfig", - "documentation":"The function's AWS X-Ray tracing configuration.
" + "documentation":"The function's X-Ray tracing configuration.
" }, "VpcConfig":{ "shape":"AwsLambdaFunctionVpcConfig", @@ -5315,7 +5638,7 @@ "documentation":"The size of the layer archive in bytes.
" } }, - "documentation":"An AWS Lambda layer.
" + "documentation":"An Lambda layer.
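Review bot: removing "AWS" leaves "An Lambda layer", which should be "A Lambda layer".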
" }, "AwsLambdaFunctionLayerList":{ "type":"list", @@ -5329,7 +5652,7 @@ "documentation":"The tracing mode.
" } }, - "documentation":"The function's AWS X-Ray tracing configuration.
" + "documentation":"The function's X-Ray tracing configuration.
" }, "AwsLambdaFunctionVpcConfig":{ "type":"structure", @@ -5467,11 +5790,11 @@ }, "KmsKeyId":{ "shape":"NonEmptyString", - "documentation":"The ARN of the AWS KMS master key that is used to encrypt the database instances in the DB cluster.
" + "documentation":"The ARN of the KMS master key that is used to encrypt the database instances in the DB cluster.
" }, "DbClusterResourceId":{ "shape":"NonEmptyString", - "documentation":"The identifier of the DB cluster. The identifier must be unique within each AWS Region and is immutable.
" + "documentation":"The identifier of the DB cluster. The identifier must be unique within each Amazon Web Services Region and is immutable.
" }, "AssociatedRoles":{ "shape":"AwsRdsDbClusterAssociatedRoles", @@ -5507,7 +5830,7 @@ }, "CrossAccountClone":{ "shape":"Boolean", - "documentation":"Whether the DB cluster is a clone of a DB cluster owned by a different AWS account.
" + "documentation":"Whether the DB cluster is a clone of a DB cluster owned by a different Amazon Web Services account.
" }, "DomainMemberships":{ "shape":"AwsRdsDbDomainMemberships", @@ -5645,7 +5968,7 @@ }, "KmsKeyId":{ "shape":"NonEmptyString", - "documentation":"The ARN of the AWS KMS master key that is used to encrypt the database instances in the DB cluster.
" + "documentation":"The ARN of the KMS master key that is used to encrypt the database instances in the DB cluster.
" }, "DbClusterIdentifier":{ "shape":"NonEmptyString", @@ -5697,14 +6020,14 @@ }, "FeatureName":{ "shape":"NonEmptyString", - "documentation":"The name of the feature associated with the IAM)role.
" + "documentation":"The name of the feature associated with the IAM role.
" }, "Status":{ "shape":"NonEmptyString", - "documentation":"Describes the state of the association between the IAM role and the DB instance. The Status
property returns one of the following values:
ACTIVE
- The IAM role ARN is associated with the DB instance and can be used to access other AWS services on your behalf.
PENDING
- The IAM role ARN is being associated with the DB instance.
INVALID
- The IAM role ARN is associated with the DB instance. But the DB instance is unable to assume the IAM role in order to access other AWS services on your behalf.
Describes the state of the association between the IAM role and the DB instance. The Status
property returns one of the following values:
ACTIVE
- The IAM role ARN is associated with the DB instance and can be used to access other Amazon Web Services services on your behalf.
PENDING
- The IAM role ARN is being associated with the DB instance.
INVALID
- The IAM role ARN is associated with the DB instance. But the DB instance is unable to assume the IAM role in order to access other Amazon Web Services services on your behalf.
An AWS Identity and Access Management (IAM) role associated with the DB instance.
" + "documentation":"An IAM role associated with the DB instance.
" }, "AwsRdsDbInstanceAssociatedRoles":{ "type":"list", @@ -5715,7 +6038,7 @@ "members":{ "AssociatedRoles":{ "shape":"AwsRdsDbInstanceAssociatedRoles", - "documentation":"The AWS Identity and Access Management (IAM) roles associated with the DB instance.
" + "documentation":"The IAM roles associated with the DB instance.
" }, "CACertificateIdentifier":{ "shape":"NonEmptyString", @@ -5739,7 +6062,7 @@ }, "DbiResourceId":{ "shape":"NonEmptyString", - "documentation":"The AWS Region-unique, immutable identifier for the DB instance. This identifier is found in AWS CloudTrail log entries whenever the AWS KMS key for the DB instance is accessed.
" + "documentation":"The Amazon Web Services Region-unique, immutable identifier for the DB instance. This identifier is found in CloudTrail log entries whenever the KMS key for the DB instance is accessed.
" }, "DBName":{ "shape":"NonEmptyString", @@ -5763,7 +6086,7 @@ }, "IAMDatabaseAuthenticationEnabled":{ "shape":"Boolean", - "documentation":"True if mapping of AWS Identity and Access Management (IAM) accounts to database accounts is enabled, and otherwise false.
IAM database authentication can be enabled for the following database engines.
For MySQL 5.6, minor version 5.6.34 or higher
For MySQL 5.7, minor version 5.7.16 or higher
Aurora 5.6 or higher
True if mapping of IAM accounts to database accounts is enabled, and otherwise false.
IAM database authentication can be enabled for the following database engines.
For MySQL 5.6, minor version 5.6.34 or higher
For MySQL 5.7, minor version 5.7.16 or higher
Aurora 5.6 or higher
If StorageEncrypted
is true, the AWS KMS key identifier for the encrypted DB instance.
If StorageEncrypted
is true, the KMS key identifier for the encrypted DB instance.
The identifier of the AWS KMS key used to encrypt the Performance Insights data.
" + "documentation":"The identifier of the KMS key used to encrypt the Performance Insights data.
" }, "PerformanceInsightsRetentionPeriod":{ "shape":"Integer", @@ -6170,7 +6493,7 @@ }, "SourceRegion":{ "shape":"NonEmptyString", - "documentation":"The AWS Region that the DB snapshot was created in or copied from.
" + "documentation":"The Amazon Web Services Region that the DB snapshot was created in or copied from.
" }, "SourceDbSnapshotIdentifier":{ "shape":"NonEmptyString", @@ -6190,7 +6513,7 @@ }, "KmsKeyId":{ "shape":"NonEmptyString", - "documentation":"If Encrypted
is true
, the AWS KMS key identifier for the encrypted DB snapshot.
If Encrypted
is true
, the KMS key identifier for the encrypted DB snapshot.
The identifier of the account that is associated with the event notification subscription.
" + }, + "CustomerAwsId":{ + "shape":"NonEmptyString", + "documentation":"The identifier of the event notification subscription.
" + }, + "Enabled":{ + "shape":"Boolean", + "documentation":"Whether the event notification subscription is enabled.
" + }, + "EventCategoriesList":{ + "shape":"NonEmptyStringList", + "documentation":"The list of event categories for the event notification subscription.
" + }, + "EventSubscriptionArn":{ + "shape":"NonEmptyString", + "documentation":"The ARN of the event notification subscription.
" + }, + "SnsTopicArn":{ + "shape":"NonEmptyString", + "documentation":"The ARN of the SNS topic to post the event notifications to.
" + }, + "SourceIdsList":{ + "shape":"NonEmptyStringList", + "documentation":"A list of source identifiers for the event notification subscription.
" + }, + "SourceType":{ + "shape":"NonEmptyString", + "documentation":"The source type for the event notification subscription.
" + }, + "Status":{ + "shape":"NonEmptyString", + "documentation":"The status of the event notification subscription.
Valid values: creating
| modifying
| deleting
| active
| no-permission
| topic-not-exist
The datetime when the event notification subscription was created.
Uses the date-time
format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z
.
Details about an Amazon RDS event notification subscription. The subscription allows Amazon RDS to post events to an SNS topic.
" + }, "AwsRdsPendingCloudWatchLogsExports":{ "type":"structure", "members":{ @@ -6546,11 +6915,11 @@ }, "IamRoles":{ "shape":"AwsRedshiftClusterIamRoles", - "documentation":"A list of IAM roles that the cluster can use to access other AWS services.
" + "documentation":"A list of IAM roles that the cluster can use to access other Amazon Web Services services.
" }, "KmsKeyId":{ "shape":"NonEmptyString", - "documentation":"The identifier of the AWS KMS encryption key that is used to encrypt data in the cluster.
" + "documentation":"The identifier of the KMS encryption key that is used to encrypt data in the cluster.
" }, "MaintenanceTrackName":{ "shape":"NonEmptyString", @@ -6677,7 +7046,7 @@ "documentation":"The ARN of the IAM role.
" } }, - "documentation":"An IAM role that the cluster can use to access other AWS services.
" + "documentation":"An IAM role that the cluster can use to access other Amazon Web Services services.
" }, "AwsRedshiftClusterIamRoles":{ "type":"list", @@ -6812,7 +7181,7 @@ }, "RestrictPublicBuckets":{ "shape":"Boolean", - "documentation":"Indicates whether to restrict access to an access point or S3 bucket that has a public policy to only AWS service principals and authorized users within the S3 bucket owner's account.
" + "documentation":"Indicates whether to restrict access to an access point or S3 bucket that has a public policy to only Amazon Web Services service principals and authorized users within the S3 bucket owner's account.
" } }, "documentation":"provides information about the Amazon S3 Public Access Block configuration for accounts.
" @@ -7052,7 +7421,7 @@ }, "KMSMasterKeyID":{ "shape":"NonEmptyString", - "documentation":"AWS KMS customer master key (CMK) ID to use for the default encryption.
" + "documentation":"KMS customer master key (CMK) ID to use for the default encryption.
" } }, "documentation":"Specifies the default server-side encryption to apply to new objects in the bucket.
" @@ -7106,7 +7475,7 @@ }, "SSEKMSKeyId":{ "shape":"NonEmptyString", - "documentation":"The identifier of the AWS Key Management Service (AWS KMS) symmetric customer managed customer master key (CMK) that was used for the object.
" + "documentation":"The identifier of the KMS symmetric customer managed customer master key (CMK) that was used for the object.
" } }, "documentation":"Details about an Amazon S3 object.
" @@ -7124,7 +7493,7 @@ }, "KmsKeyId":{ "shape":"NonEmptyString", - "documentation":"The ARN, Key ID, or alias of the AWS KMS customer master key (CMK) used to encrypt the SecretString
or SecretBinary
values for versions of this secret.
The ARN, Key ID, or alias of the KMS customer master key (CMK) used to encrypt the SecretString
or SecretBinary
values for versions of this secret.
The user-provided description of the secret.
" } }, - "documentation":"Details about an AWS Secrets Manager secret.
" + "documentation":"Details about an Secrets Manager secret.
" }, "AwsSecretsManagerSecretRotationRules":{ "type":"structure", @@ -7186,13 +7555,25 @@ "shape":"NonEmptyString", "documentation":"The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration.
" }, + "ProductName":{ + "shape":"NonEmptyString", + "documentation":"The name of the product that generated the finding.
Security Hub populates this attribute automatically for each finding. You cannot update it using BatchImportFindings
or BatchUpdateFindings
. The exception to this is when you use a custom integration.
When you use the Security Hub console to filter findings by product name, you use this attribute.
When you use the Security Hub API to filter findings by product name, you use the aws/securityhub/ProductyName
attribute under ProductFields
.
Security Hub does not synchronize those two attributes.
" + }, + "CompanyName":{ + "shape":"NonEmptyString", + "documentation":"The name of the company for the product that generated the finding.
Security Hub populates this attribute automatically for each finding. You cannot be updated using BatchImportFindings
or BatchUpdateFindings
. The exception to this is when you use a custom integration.
When you use the Security Hub console to filter findings by company name, you use this attribute.
When you use the Security Hub API to filter findings by company name, you use the aws/securityhub/CompanyName
attribute under ProductFields
.
Security Hub does not synchronize those two attributes.
" + }, + "Region":{ + "shape":"NonEmptyString", + "documentation":"The Region from which the finding was generated.
Security Hub populates this attribute automatically for each finding. You cannot update it using BatchImportFindings
or BatchUpdateFindings
.
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plugin, etc.
" }, "AwsAccountId":{ "shape":"NonEmptyString", - "documentation":"The AWS account ID that a finding is generated in.
" + "documentation":"The Amazon Web Services account ID that a finding is generated in.
" }, "Types":{ "shape":"TypeList", @@ -7244,7 +7625,7 @@ }, "ProductFields":{ "shape":"FieldMap", - "documentation":"A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding
format.
A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding
format.
Can contain up to 50 key-value pairs. For each key-value pair, the key can contain up to 128 characters, and the value can contain up to 2048 characters.
" }, "UserDefinedFields":{ "shape":"FieldMap", @@ -7276,7 +7657,7 @@ }, "Compliance":{ "shape":"Compliance", - "documentation":"This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported security standard, such as CIS AWS Foundations. Contains security standard-related finding details.
" + "documentation":"This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported security standard, such as CIS Amazon Web Services Foundations. Contains security standard-related finding details.
" }, "VerificationState":{ "shape":"VerificationState", @@ -7319,7 +7700,7 @@ "documentation":"In a BatchImportFindings
request, finding providers use FindingProviderFields
to provide and update their own values for confidence, criticality, related findings, severity, and types.
Provides consistent format for the contents of the Security Hub-aggregated findings. AwsSecurityFinding
format enables you to share findings between AWS security services and third-party solutions, and security standards checks.
A finding is a potential security issue generated either by AWS services (Amazon GuardDuty, Amazon Inspector, and Amazon Macie) or by the integrated third-party solutions and standards checks.
Provides consistent format for the contents of the Security Hub-aggregated findings. AwsSecurityFinding
format enables you to share findings between Amazon Web Services security services and third-party solutions, and security standards checks.
A finding is a potential security issue generated either by Amazon Web Services services or by the integrated third-party solutions and standards checks.
The AWS account ID that a finding is generated in.
" + "documentation":"The Amazon Web Services account ID that a finding is generated in.
" }, "Id":{ "shape":"StringFilterList", @@ -7340,6 +7721,10 @@ "shape":"StringFilterList", "documentation":"The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plugin, etc.
" }, + "Region":{ + "shape":"StringFilterList", + "documentation":"The Region from which the finding was generated.
" + }, "Type":{ "shape":"StringFilterList", "documentation":"A finding type in the format of namespace/category/classifier
that classifies a finding.
The native severity as defined by the security-findings provider's solution that generated the finding.
", "deprecated":true, - "deprecatedMessage":"This filter is deprecated, use FindingProviiltersSeverityOriginal instead." + "deprecatedMessage":"This filter is deprecated. Instead, use FindingProviderSeverityOriginal." }, "SeverityNormalized":{ "shape":"NumberFilterList", "documentation":"The normalized severity of a finding.
", "deprecated":true, - "deprecatedMessage":"This filter is deprecated, use SeverityLabel or FindingProviderFieldsSeverityLabel instead." + "deprecatedMessage":"This filter is deprecated. Instead, use SeverityLabel or FindingProviderFieldsSeverityLabel." }, "SeverityLabel":{ "shape":"StringFilterList", @@ -7406,11 +7791,11 @@ }, "ProductName":{ "shape":"StringFilterList", - "documentation":"The name of the solution (product) that generates findings.
" + "documentation":"The name of the solution (product) that generates findings.
Note that this is a filter against the aws/securityhub/ProductName
field in ProductFields
. It is not a filter for the top-level ProductName
field.
The name of the findings provider (company) that owns the solution (product) that generates findings.
" + "documentation":"The name of the findings provider (company) that owns the solution (product) that generates findings.
Note that this is a filter against the aws/securityhub/CompanyName
field in ProductFields
. It is not a filter for the top-level CompanyName
field.
The canonical AWS partition name that the Region is assigned to.
" + "documentation":"The canonical Amazon Web Services partition name that the Region is assigned to.
" }, "ResourceRegion":{ "shape":"StringFilterList", - "documentation":"The canonical AWS external Region name where this resource is located.
" + "documentation":"The canonical Amazon Web Services external Region name where this resource is located.
" }, "ResourceTags":{ "shape":"MapFilterList", - "documentation":"A list of AWS tags associated with a resource at the time the finding was processed.
" + "documentation":"A list of Amazon Web Services tags associated with a resource at the time the finding was processed.
" }, "ResourceAwsEc2InstanceType":{ "shape":"StringFilterList", @@ -7590,7 +7975,13 @@ }, "ResourceAwsIamAccessKeyUserName":{ "shape":"StringFilterList", - "documentation":"The user associated with the IAM access key related to a finding.
" + "documentation":"The user associated with the IAM access key related to a finding.
", + "deprecated":true, + "deprecatedMessage":"This filter is deprecated. Instead, use ResourceAwsIamAccessKeyPrincipalName." + }, + "ResourceAwsIamAccessKeyPrincipalName":{ + "shape":"StringFilterList", + "documentation":"The name of the principal that is associated with an IAM access key.
" }, "ResourceAwsIamAccessKeyStatus":{ "shape":"StringFilterList", @@ -7600,6 +7991,10 @@ "shape":"DateFilterList", "documentation":"The creation date/time of the IAM access key related to a finding.
" }, + "ResourceAwsIamUserUserName":{ + "shape":"StringFilterList", + "documentation":"The name of an IAM user.
" + }, "ResourceContainerName":{ "shape":"StringFilterList", "documentation":"The name of the container related to a finding.
" @@ -7622,7 +8017,7 @@ }, "ComplianceStatus":{ "shape":"StringFilterList", - "documentation":"Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS AWS Foundations. Contains security standard-related finding details.
" + "documentation":"Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS Amazon Web Services Foundations. Contains security standard-related finding details.
" }, "VerificationState":{ "shape":"StringFilterList", @@ -7728,11 +8123,11 @@ "members":{ "KmsMasterKeyId":{ "shape":"NonEmptyString", - "documentation":"The ID of an AWS managed customer master key (CMK) for Amazon SNS or a custom CMK.
" + "documentation":"The ID of an Amazon Web Services managed customer master key (CMK) for Amazon SNS or a custom CMK.
" }, "Subscription":{ "shape":"AwsSnsTopicSubscriptionList", - "documentation":"Subscription is an embedded property that describes the subscription endpoints of an Amazon SNS topic.
" + "documentation":"Subscription is an embedded property that describes the subscription endpoints of an SNS topic.
" }, "TopicName":{ "shape":"NonEmptyString", @@ -7768,11 +8163,11 @@ "members":{ "KmsDataKeyReusePeriodSeconds":{ "shape":"Integer", - "documentation":"The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again.
" + "documentation":"The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling KMS again.
" }, "KmsMasterKeyId":{ "shape":"NonEmptyString", - "documentation":"The ID of an AWS managed customer master key (CMK) for Amazon SQS or a custom CMK.
" + "documentation":"The ID of an Amazon Web Services managed customer master key (CMK) for Amazon SQS or a custom CMK.
" }, "QueueName":{ "shape":"NonEmptyString", @@ -7903,14 +8298,14 @@ "documentation":"A unique identifier for a WebACL.
" } }, - "documentation":"Details about a WAF WebACL.
" + "documentation":"Details about an WAF WebACL.
" }, "AwsWafWebAclRule":{ "type":"structure", "members":{ "Action":{ "shape":"WafAction", - "documentation":"Specifies the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule.
" + "documentation":"Specifies the action that CloudFront or WAF takes when a web request matches the conditions in the rule.
" }, "ExcludedRules":{ "shape":"WafExcludedRuleList", @@ -7933,7 +8328,7 @@ "documentation":"The rule type.
Valid values: REGULAR
| RATE_BASED
| GROUP
The default is REGULAR
.
Details for a rule in a WAF WebACL.
" + "documentation":"Details for a rule in an WAF WebACL.
" }, "AwsWafWebAclRuleList":{ "type":"list", @@ -7983,7 +8378,7 @@ "members":{ "Findings":{ "shape":"BatchImportFindingsRequestFindingList", - "documentation":"A list of findings to import. To successfully import a finding, it must follow the AWS Security Finding Format. Maximum of 100 findings per request.
" + "documentation":"A list of findings to import. To successfully import a finding, it must follow the Amazon Web Services Security Finding Format. Maximum of 100 findings per request.
" } } }, @@ -8213,7 +8608,7 @@ "members":{ "Status":{ "shape":"ComplianceStatus", - "documentation":"The result of a standards check.
The valid values for Status
are as follows.
PASSED
- Standards check passed for all evaluated resources.
WARNING
- Some information is missing or this check is not supported for your configuration.
FAILED
- Standards check failed for at least one evaluated resource.
NOT_AVAILABLE
- Check could not be performed due to a service outage, API error, or because the result of the AWS Config evaluation was NOT_APPLICABLE
. If the AWS Config evaluation result was NOT_APPLICABLE
, then after 3 days, Security Hub automatically archives the finding.
The result of a standards check.
The valid values for Status
are as follows.
PASSED
- Standards check passed for all evaluated resources.
WARNING
- Some information is missing or this check is not supported for your configuration.
FAILED
- Standards check failed for at least one evaluated resource.
NOT_AVAILABLE
- Check could not be performed due to a service outage, API error, or because the result of the Config evaluation was NOT_APPLICABLE
. If the Config evaluation result was NOT_APPLICABLE
, then after 3 days, Security Hub automatically archives the finding.
For findings generated from controls, a list of reasons behind the value of Status
. For the list of status reason codes and their meanings, see Standards-related information in the ASFF in the AWS Security Hub User Guide.
For findings generated from controls, a list of reasons behind the value of Status
. For the list of status reason codes and their meanings, see Standards-related information in the ASFF in the Security Hub User Guide.
Contains finding details that are specific to control-based findings. Only returned for findings generated from controls.
" @@ -8357,7 +8752,7 @@ "members":{ "UnprocessedAccounts":{ "shape":"ResultList", - "documentation":"The list of AWS accounts that were not processed. For each account, the list includes the account ID and the email address.
" + "documentation":"The list of Amazon Web Services accounts that were not processed. For each account, the list includes the account ID and the email address.
" } } }, @@ -8497,7 +8892,7 @@ "members":{ "UnprocessedAccounts":{ "shape":"ResultList", - "documentation":"The list of AWS accounts that were not processed. For each account, the list includes the account ID and the email address.
" + "documentation":"The list of Amazon Web Services accounts that were not processed. For each account, the list includes the account ID and the email address.
" } } }, @@ -8560,7 +8955,7 @@ "members":{ "UnprocessedAccounts":{ "shape":"ResultList", - "documentation":"The list of AWS accounts for which the invitations were not deleted. For each account, the list includes the account ID and the email address.
" + "documentation":"The list of Amazon Web Services accounts for which the invitations were not deleted. For each account, the list includes the account ID and the email address.
" } } }, @@ -8579,7 +8974,7 @@ "members":{ "UnprocessedAccounts":{ "shape":"ResultList", - "documentation":"The list of AWS accounts that were not deleted. For each account, the list includes the account ID and the email address.
" + "documentation":"The list of Amazon Web Services accounts that were not deleted. For each account, the list includes the account ID and the email address.
" } } }, @@ -8703,7 +9098,7 @@ "members":{ "StandardsSubscriptionArn":{ "shape":"NonEmptyString", - "documentation":"The ARN of a resource that represents your subscription to a supported standard. To get the subscription ARNs of the standards you have enabled, use the GetEnabledStandards
operation.
The ARN of a resource that represents your subscription to a supported standard. To get the subscription ARNs of the standards you have enabled, use the GetEnabledStandards
operation.
The AWS account identifier of the Security Hub administrator account.
" + "documentation":"The Amazon Web Services account identifier of the Security Hub administrator account.
" } } }, @@ -8885,7 +9280,7 @@ "members":{ "AdminAccountId":{ "shape":"NonEmptyString", - "documentation":"The AWS account identifier of the account to designate as the Security Hub administrator account.
" + "documentation":"The Amazon Web Services account identifier of the account to designate as the Security Hub administrator account.
" } } }, @@ -9147,7 +9542,7 @@ }, "UnprocessedAccounts":{ "shape":"ResultList", - "documentation":"The list of AWS accounts that could not be processed. For each account, the list includes the account ID and the email address.
" + "documentation":"The list of Amazon Web Services accounts that could not be processed. For each account, the list includes the account ID and the email address.
" } } }, @@ -9344,7 +9739,7 @@ "members":{ "AccountIds":{ "shape":"AccountIdList", - "documentation":"The list of account IDs of the AWS accounts to invite to Security Hub as members.
" + "documentation":"The list of account IDs of the Amazon Web Services accounts to invite to Security Hub as members.
" } } }, @@ -9353,7 +9748,7 @@ "members":{ "UnprocessedAccounts":{ "shape":"ResultList", - "documentation":"The list of AWS accounts that could not be processed. For each account, the list includes the account ID and the email address.
" + "documentation":"The list of Amazon Web Services accounts that could not be processed. For each account, the list includes the account ID and the email address.
" } } }, @@ -9435,7 +9830,7 @@ "Message":{"shape":"NonEmptyString"}, "Code":{"shape":"NonEmptyString"} }, - "documentation":"The request was rejected because it attempted to create resources beyond the current AWS account or throttling limits. The error code describes the limit exceeded.
", + "documentation":"The request was rejected because it attempted to create resources beyond the current Amazon Web Services account or throttling limits. The error code describes the limit exceeded.
", "error":{"httpStatusCode":429}, "exception":true }, @@ -9695,7 +10090,7 @@ "members":{ "AccountId":{ "shape":"AccountId", - "documentation":"The AWS account ID of the member account.
" + "documentation":"The Amazon Web Services account ID of the member account.
" }, "Email":{ "shape":"NonEmptyString", @@ -9703,17 +10098,17 @@ }, "MasterId":{ "shape":"NonEmptyString", - "documentation":"This is replaced by AdministratorID
.
The AWS account ID of the Security Hub administrator account associated with this member account.
", + "documentation":"This is replaced by AdministratorID
.
The Amazon Web Services account ID of the Security Hub administrator account associated with this member account.
", "deprecated":true, "deprecatedMessage":"This field is deprecated, use AdministratorId instead." }, "AdministratorId":{ "shape":"NonEmptyString", - "documentation":"The AWS account ID of the Security Hub administrator account associated with this member account.
" + "documentation":"The Amazon Web Services account ID of the Security Hub administrator account associated with this member account.
" }, "MemberStatus":{ "shape":"NonEmptyString", - "documentation":"The status of the relationship between the member account and its administrator account.
The status can have one of the following values:
CREATED
- Indicates that the administrator account added the member account, but has not yet invited the member account.
INVITED
- Indicates that the administrator account invited the member account. The member account has not yet responded to the invitation.
ENABLED
- Indicates that the member account is currently active. For manually invited member accounts, indicates that the member account accepted the invitation.
REMOVED
- Indicates that the administrator account disassociated the member account.
RESIGNED
- Indicates that the member account disassociated themselves from the administrator account.
DELETED
- Indicates that the administrator account deleted the member account.
The status of the relationship between the member account and its administrator account.
The status can have one of the following values:
CREATED
- Indicates that the administrator account added the member account, but has not yet invited the member account.
INVITED
- Indicates that the administrator account invited the member account. The member account has not yet responded to the invitation.
ENABLED
- Indicates that the member account is currently active. For manually invited member accounts, indicates that the member account accepted the invitation.
REMOVED
- Indicates that the administrator account disassociated the member account.
RESIGNED
- Indicates that the member account disassociated themselves from the administrator account.
DELETED
- Indicates that the administrator account deleted the member account.
ACCOUNT_SUSPENDED
- Indicates that an organization account was suspended from Amazon Web Services at the same time that the administrator account tried to enable the organization account as a member account.
For integrations with AWS services, the AWS Console URL from which to activate the service.
For integrations with third-party products, the AWS Marketplace URL from which to subscribe to or purchase the product.
" + "documentation":"For integrations with Amazon Web Services services, the Amazon Web Services Console URL from which to activate the service.
For integrations with third-party products, the Marketplace URL from which to subscribe to or purchase the product.
" }, "ActivationUrl":{ "shape":"NonEmptyString", @@ -10326,11 +10721,11 @@ }, "Partition":{ "shape":"Partition", - "documentation":"The canonical AWS partition name that the Region is assigned to.
" + "documentation":"The canonical Amazon Web Services partition name that the Region is assigned to.
" }, "Region":{ "shape":"NonEmptyString", - "documentation":"The canonical AWS external Region name where this resource is located.
" + "documentation":"The canonical Amazon Web Services external Region name where this resource is located.
" }, "ResourceRole":{ "shape":"NonEmptyString", @@ -10338,7 +10733,7 @@ }, "Tags":{ "shape":"FieldMap", - "documentation":"A list of AWS tags associated with a resource at the time the finding was processed.
" + "documentation":"A list of Amazon Web Services tags associated with a resource at the time the finding was processed.
" }, "DataClassification":{ "shape":"DataClassificationDetails", @@ -10374,7 +10769,7 @@ }, "AwsCodeBuildProject":{ "shape":"AwsCodeBuildProjectDetails", - "documentation":"Details for an AWS CodeBuild project.
" + "documentation":"Details for an CodeBuild project.
" }, "AwsCloudFrontDistribution":{ "shape":"AwsCloudFrontDistributionDetails", @@ -10386,7 +10781,7 @@ }, "AwsEc2NetworkInterface":{ "shape":"AwsEc2NetworkInterfaceDetails", - "documentation":"Details for an Amazon EC2 network interface.
" + "documentation":"Details for an EC2 network interface.
" }, "AwsEc2SecurityGroup":{ "shape":"AwsEc2SecurityGroupDetails", @@ -10406,7 +10801,7 @@ }, "AwsEc2Subnet":{ "shape":"AwsEc2SubnetDetails", - "documentation":"Details about a subnet in EC2.
" + "documentation":"Details about a subnet in Amazon EC2.
" }, "AwsEc2NetworkAcl":{ "shape":"AwsEc2NetworkAclDetails", @@ -10426,7 +10821,7 @@ }, "AwsS3Bucket":{ "shape":"AwsS3BucketDetails", - "documentation":"Details about an Amazon S3 bucket related to a finding.
" + "documentation":"Details about an S3 bucket related to a finding.
" }, "AwsS3AccountPublicAccessBlock":{ "shape":"AwsS3AccountPublicAccessBlockDetails", @@ -10434,7 +10829,7 @@ }, "AwsS3Object":{ "shape":"AwsS3ObjectDetails", - "documentation":"Details about an Amazon S3 object related to a finding.
" + "documentation":"Details about an S3 object related to a finding.
" }, "AwsSecretsManagerSecret":{ "shape":"AwsSecretsManagerSecretDetails", @@ -10482,7 +10877,7 @@ }, "AwsCertificateManagerCertificate":{ "shape":"AwsCertificateManagerCertificateDetails", - "documentation":"Provides details about an AWS Certificate Manager (ACM) certificate.
" + "documentation":"Provides details about an Certificate Manager certificate.
" }, "AwsRedshiftCluster":{ "shape":"AwsRedshiftClusterDetails", @@ -10502,7 +10897,7 @@ }, "AwsKmsKey":{ "shape":"AwsKmsKeyDetails", - "documentation":"Details about a KMS key.
" + "documentation":"Details about an KMS key.
" }, "AwsLambdaFunction":{ "shape":"AwsLambdaFunctionDetails", @@ -10526,7 +10921,7 @@ }, "AwsWafWebAcl":{ "shape":"AwsWafWebAclDetails", - "documentation":"Details for a WAF WebACL.
" + "documentation":"Details for an WAF WebACL.
" }, "AwsRdsDbSnapshot":{ "shape":"AwsRdsDbSnapshotDetails", @@ -10555,6 +10950,14 @@ "Other":{ "shape":"FieldMap", "documentation":"Details about a resource that are not available in a type-specific details object. Use the Other
object in the following cases.
The type-specific object does not contain all of the fields that you want to populate. In this case, first use the type-specific object to populate those fields. Use the Other
object to populate the fields that are missing from the type-specific object.
The resource type does not have a corresponding object. This includes resources for which the type is Other
.
Details about an RDS event notification subscription.
" + }, + "AwsEcsService":{ + "shape":"AwsEcsServiceDetails", + "documentation":"Details about a service within an ECS cluster.
" } }, "documentation":"Additional details about a resource related to a finding.
To provide the details, use the object that corresponds to the resource type. For example, if the resource type is AwsEc2Instance
, then you use the AwsEc2Instance
object to provide the details.
If the type-specific object does not contain all of the fields you want to populate, then you use the Other
object to populate those additional fields.
You also use the Other
object to populate the details when the selected type does not have a corresponding object.
An AWS account ID of the account that was not processed.
" + "documentation":"An Amazon Web Services account ID of the account that was not processed.
" }, "ProcessingResult":{ "shape":"NonEmptyString", @@ -10644,7 +11047,7 @@ "members":{ "Product":{ "shape":"Double", - "documentation":"Deprecated. This attribute is being deprecated. Instead of providing Product
, provide Original
.
The native severity as defined by the AWS service or integrated partner product that generated the finding.
" + "documentation":"Deprecated. This attribute is being deprecated. Instead of providing Product
, provide Original
.
The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.
" }, "Label":{ "shape":"SeverityLabel", @@ -10689,7 +11092,7 @@ }, "Product":{ "shape":"Double", - "documentation":"The native severity as defined by the AWS service or integrated partner product that generated the finding.
" + "documentation":"The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.
" }, "Label":{ "shape":"SeverityLabel", @@ -10817,7 +11220,7 @@ }, "SeverityRating":{ "shape":"SeverityRating", - "documentation":"The severity of findings generated from this security standard control.
The finding severity is based on an assessment of how easy it would be to compromise AWS resources if the issue is detected.
" + "documentation":"The severity of findings generated from this security standard control.
The finding severity is based on an assessment of how easy it would be to compromise Amazon Web Services resources if the issue is detected.
" }, "RelatedRequirements":{ "shape":"RelatedRequirementsList", @@ -10885,7 +11288,7 @@ "members":{ "StandardsArn":{ "shape":"NonEmptyString", - "documentation":"The ARN of the standard that you want to enable. To view the list of available standards and their ARNs, use the DescribeStandards
operation.
The ARN of the standard that you want to enable. To view the list of available standards and their ARNs, use the DescribeStandards
operation.
A code that represents a reason for the control status. For the list of status reason codes and their meanings, see Standards-related information in the ASFF in the AWS Security Hub User Guide.
" + "documentation":"A code that represents a reason for the control status. For the list of status reason codes and their meanings, see Standards-related information in the ASFF in the Security Hub User Guide.
" }, "Description":{ "shape":"NonEmptyString", @@ -11303,10 +11706,10 @@ "members":{ "Type":{ "shape":"NonEmptyString", - "documentation":"Specifies how you want AWS WAF to respond to requests that match the settings in a rule.
Valid settings include the following:
ALLOW
- AWS WAF allows requests
BLOCK
- AWS WAF blocks requests
COUNT
- AWS WAF increments a counter of the requests that match all of the conditions in the rule. AWS WAF then continues to inspect the web request based on the remaining rules in the web ACL. You can't specify COUNT
for the default action for a WebACL.
Specifies how you want WAF to respond to requests that match the settings in a rule.
Valid settings include the following:
ALLOW
- WAF allows requests
BLOCK
- WAF blocks requests
COUNT
- WAF increments a counter of the requests that match all of the conditions in the rule. WAF then continues to inspect the web request based on the remaining rules in the web ACL. You can't specify COUNT
for the default action for a WebACL.
Details about the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule.
" + "documentation":"Details about the action that CloudFront or WAF takes when a web request matches the conditions in the rule.
" }, "WafExcludedRule":{ "type":"structure", @@ -11374,5 +11777,5 @@ "documentation":"Used to update information about the investigation into the finding.
" } }, - "documentation":"Security Hub provides you with a comprehensive view of the security state of your AWS environment and resources. It also provides you with the readiness status of your environment based on controls from supported security standards. Security Hub collects security data from AWS accounts, services, and integrated third-party products and helps you analyze security trends in your environment to identify the highest priority security issues. For more information about Security Hub, see the AWS Security Hub User Guide .
When you use operations in the Security Hub API, the requests are executed only in the AWS Region that is currently active or in the specific AWS Region that you specify in your request. Any configuration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, execute the same command for each Region to apply the change to.
For example, if your Region is set to us-west-2
, when you use CreateMembers
to add a member account to Security Hub, the association of the member account with the administrator account is created only in the us-west-2
Region. Security Hub must be enabled for the member account in the same Region that the invitation was sent from.
The following throttling limits apply to using Security Hub API operations.
BatchEnableStandards
- RateLimit
of 1 request per second, BurstLimit
of 1 request per second.
GetFindings
- RateLimit
of 3 requests per second. BurstLimit
of 6 requests per second.
UpdateFindings
- RateLimit
of 1 request per second. BurstLimit
of 5 requests per second.
UpdateStandardsControl
- RateLimit
of 1 request per second, BurstLimit
of 5 requests per second.
All other operations - RateLimit
of 10 requests per second. BurstLimit
of 30 requests per second.
Security Hub provides you with a comprehensive view of the security state of your Amazon Web Services environment and resources. It also provides you with the readiness status of your environment based on controls from supported security standards. Security Hub collects security data from Amazon Web Services accounts, services, and integrated third-party products and helps you analyze security trends in your environment to identify the highest priority security issues. For more information about Security Hub, see the Security HubUser Guide .
When you use operations in the Security Hub API, the requests are executed only in the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, execute the same command for each Region to apply the change to.
For example, if your Region is set to us-west-2
, when you use CreateMembers
to add a member account to Security Hub, the association of the member account with the administrator account is created only in the us-west-2
Region. Security Hub must be enabled for the member account in the same Region that the invitation was sent from.
The following throttling limits apply to using Security Hub API operations.
BatchEnableStandards
- RateLimit
of 1 request per second, BurstLimit
of 1 request per second.
GetFindings
- RateLimit
of 3 requests per second. BurstLimit
of 6 requests per second.
UpdateFindings
- RateLimit
of 1 request per second. BurstLimit
of 5 requests per second.
UpdateStandardsControl
- RateLimit
of 1 request per second, BurstLimit
of 5 requests per second.
All other operations - RateLimit
of 10 requests per second. BurstLimit
of 30 requests per second.
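Review bot: In the Resource details members, removing the "AWS" prefix left the indefinite article wrong in four documentation strings: "Details for an CodeBuild project." (AwsCodeBuildProject), "Provides details about an Certificate Manager certificate." (AwsCertificateManagerCertificate), "Details about an KMS key." (AwsKmsKey) and "Details for an WAF WebACL." (AwsWafWebAcl). The last two read correctly before the change ("a KMS key", "a WAF WebACL"). Suggest "a CodeBuild project", "a Certificate Manager certificate", "a KMS key" and "a WAF WebACL", or keep the full service name in front if "an" is meant to precede it.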
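Review bot: The service naming in the Resource details hunks moves in opposite directions. AwsEc2NetworkInterface, AwsS3Bucket and AwsS3Object drop "Amazon" ("an EC2 network interface", "an S3 bucket", "an S3 object"), while AwsEc2Subnet adds it ("a subnet in Amazon EC2"). The AwsCertificateManagerCertificate string also loses the "(ACM)" abbreviation. Pick one form for first mention per string and apply it to all of these members so the generated reference reads consistently.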
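Review bot: The replacement "AWS" to "Amazon Web Services" produces the doubled phrase "Amazon Web Services services" in the ActivationUrl documentation ("For integrations with Amazon Web Services services, the Amazon Web Services Console URL ...") and in both Severity Product strings ("defined by the Amazon Web Services service or integrated partner product"). Suggest rewording the ActivationUrl sentence, for example "For integrations with other Amazon Web Services offerings", rather than applying the substitution mechanically. The neighbouring line also changes "AWS Marketplace URL" to a bare "Marketplace URL", which no longer says whose marketplace is meant.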
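Review bot: In the final hunk (the service-level documentation), the new text reads "see the Security HubUser Guide ." with the space between "Hub" and "User" lost and a stray space before the period; the removed line had "AWS Security Hub User Guide". The throttling list carried over into the new string also still mixes separators: BatchEnableStandards and UpdateStandardsControl use "per second, BurstLimit" while GetFindings, UpdateFindings and "All other operations" use "per second. BurstLimit". Since the whole string is being rewritten anyway, fix the guide title and settle on one separator.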