From 2953ff4ddd10a561097b3195aef5b17de9580d2c Mon Sep 17 00:00:00 2001
From: awstools <awstools@amazon.com>
Date: Fri, 27 Sep 2024 18:43:01 +0000
Subject: [PATCH] docs(client-securityhub): Documentation updates for AWS
 Security Hub

---
 clients/client-securityhub/README.md          |  10 +-
 clients/client-securityhub/src/SecurityHub.ts |  10 +-
 .../src/SecurityHubClient.ts                  |  10 +-
 .../AcceptAdministratorInvitationCommand.ts   |   7 +-
 .../commands/BatchUpdateFindingsCommand.ts    |   2 +-
 .../CreateFindingAggregatorCommand.ts         |   7 +-
 .../src/commands/CreateMembersCommand.ts      |   2 +-
 .../src/commands/DeclineInvitationsCommand.ts |   9 +-
 .../DeleteFindingAggregatorCommand.ts         |   9 +-
 .../src/commands/DeleteInvitationsCommand.ts  |  11 +-
 .../src/commands/DescribeProductsCommand.ts   |   2 +-
 .../commands/GetFindingAggregatorCommand.ts   |   6 +-
 .../src/commands/GetFindingsCommand.ts        |   2 +-
 .../commands/GetInvitationsCountCommand.ts    |   9 +-
 .../src/commands/InviteMembersCommand.ts      |  13 ++-
 .../commands/ListFindingAggregatorsCommand.ts |   3 +-
 .../src/commands/ListInvitationsCommand.ts    |  11 +-
 .../UpdateFindingAggregatorCommand.ts         |   8 +-
 clients/client-securityhub/src/index.ts       |  10 +-
 .../client-securityhub/src/models/models_0.ts |  25 ++---
 .../client-securityhub/src/models/models_1.ts |   4 +-
 .../client-securityhub/src/models/models_2.ts |  51 ++++-----
 .../sdk-codegen/aws-models/securityhub.json   | 102 +++++++++---------
 23 files changed, 184 insertions(+), 139 deletions(-)

diff --git a/clients/client-securityhub/README.md b/clients/client-securityhub/README.md
index 8c140737a0bb..3addb08d5417 100644
--- a/clients/client-securityhub/README.md
+++ b/clients/client-securityhub/README.md
@@ -8,7 +8,7 @@ AWS SDK for JavaScript SecurityHub Client for Node.js, Browser and React Native.
 
 <p>Security Hub provides you with a comprehensive view of your security state in Amazon Web Services and helps
 you assess your Amazon Web Services environment against security industry standards and best practices.</p>
-<p>Security Hub collects security data across Amazon Web Services accounts, Amazon Web Servicesservices, and
+<p>Security Hub collects security data across Amazon Web Services accounts, Amazon Web Services services, and
 supported third-party products and helps you analyze your security trends and identify the highest priority security
 issues.</p>
 <p>To help you manage the security state of your organization, Security Hub supports multiple security standards.
@@ -17,10 +17,10 @@ and external compliance frameworks such as the Center for Internet Security (CIS
 Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes
 several security controls, each of which represents a security best practice. Security Hub runs checks against
 security controls and generates control findings to help you assess your compliance against security best practices.</p>
-<p>In addition to generating control findings, Security Hub also receives findings from other Amazon Web Servicesservices,
+<p>In addition to generating control findings, Security Hub also receives findings from other Amazon Web Services services,
 such as Amazon GuardDuty and Amazon Inspector, and
 supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You
-can also send Security Hub findings to other Amazon Web Servicesservices and supported third-party products.</p>
+can also send Security Hub findings to other Amazon Web Services services and supported third-party products.</p>
 <p>Security Hub offers automation features that help you triage and remediate security issues. For example,
 you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with
 Amazon EventBridge  to trigger automatic responses to specific findings.</p>
@@ -31,12 +31,12 @@ and schemas. If you're new to Security Hub, you might find it helpful to also re
 </a>. The
 user guide explains key concepts and provides procedures
 that demonstrate how to use Security Hub features. It also provides information about topics such as
-integrating Security Hub with other Amazon Web Servicesservices.</p>
+integrating Security Hub with other Amazon Web Services services.</p>
 <p>In addition to interacting with Security Hub  by making calls to the Security Hub API, you can
 use a current version of an Amazon Web Services command line tool or SDK. Amazon Web Services provides tools
 and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell,
 Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to
-Security Hub  and other Amazon Web Servicesservices . They also handle tasks such as signing requests,
+Security Hub  and other Amazon Web Services services . They also handle tasks such as signing requests,
 managing errors, and retrying requests automatically. For information about installing and using the Amazon Web Services  tools
 and SDKs, see <a href="http://aws.amazon.com/developer/tools/">Tools to Build on Amazon Web Services</a>.</p>
 <p>With the exception of operations that are related to central configuration, Security Hub API requests are executed only in
diff --git a/clients/client-securityhub/src/SecurityHub.ts b/clients/client-securityhub/src/SecurityHub.ts
index 728f3d9abca7..4712657e5fba 100644
--- a/clients/client-securityhub/src/SecurityHub.ts
+++ b/clients/client-securityhub/src/SecurityHub.ts
@@ -1746,7 +1746,7 @@ export interface SecurityHub {
 /**
  * <p>Security Hub provides you with a comprehensive view of your security state in Amazon Web Services and helps
  *            you assess your Amazon Web Services environment against security industry standards and best practices.</p>
- *          <p>Security Hub collects security data across Amazon Web Services accounts, Amazon Web Servicesservices, and
+ *          <p>Security Hub collects security data across Amazon Web Services accounts, Amazon Web Services services, and
  *             supported third-party products and helps you analyze your security trends and identify the highest priority security
  *             issues.</p>
  *          <p>To help you manage the security state of your organization, Security Hub supports multiple security standards.
@@ -1755,10 +1755,10 @@ export interface SecurityHub {
  *             Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes
  *             several security controls, each of which represents a security best practice. Security Hub runs checks against
  *             security controls and generates control findings to help you assess your compliance against security best practices.</p>
- *          <p>In addition to generating control findings, Security Hub also receives findings from other Amazon Web Servicesservices,
+ *          <p>In addition to generating control findings, Security Hub also receives findings from other Amazon Web Services services,
  *             such as Amazon GuardDuty and Amazon Inspector, and
  *             supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You
- *             can also send Security Hub findings to other Amazon Web Servicesservices and supported third-party products.</p>
+ *             can also send Security Hub findings to other Amazon Web Services services and supported third-party products.</p>
  *          <p>Security Hub offers automation features that help you triage and remediate security issues. For example,
  *            you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with
  *            Amazon EventBridge  to trigger automatic responses to specific findings.</p>
@@ -1769,12 +1769,12 @@ export interface SecurityHub {
  *             </a>. The
  *            user guide explains key concepts and provides procedures
  *            that demonstrate how to use Security Hub features. It also provides information about topics such as
- *            integrating Security Hub with other Amazon Web Servicesservices.</p>
+ *            integrating Security Hub with other Amazon Web Services services.</p>
  *          <p>In addition to interacting with Security Hub  by making calls to the Security Hub API, you can
  *            use a current version of an Amazon Web Services command line tool or SDK. Amazon Web Services provides tools
  *             and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell,
  *            Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to
- *            Security Hub  and other Amazon Web Servicesservices . They also handle tasks such as signing requests,
+ *            Security Hub  and other Amazon Web Services services . They also handle tasks such as signing requests,
  *            managing errors, and retrying requests automatically. For information about installing and using the Amazon Web Services  tools
  *            and SDKs, see <a href="http://aws.amazon.com/developer/tools/">Tools to Build on Amazon Web Services</a>.</p>
  *          <p>With the exception of operations that are related to central configuration, Security Hub API requests are executed only in
diff --git a/clients/client-securityhub/src/SecurityHubClient.ts b/clients/client-securityhub/src/SecurityHubClient.ts
index 3fcb5911a997..455b4881dde9 100644
--- a/clients/client-securityhub/src/SecurityHubClient.ts
+++ b/clients/client-securityhub/src/SecurityHubClient.ts
@@ -638,7 +638,7 @@ export interface SecurityHubClientResolvedConfig extends SecurityHubClientResolv
 /**
  * <p>Security Hub provides you with a comprehensive view of your security state in Amazon Web Services and helps
  *            you assess your Amazon Web Services environment against security industry standards and best practices.</p>
- *          <p>Security Hub collects security data across Amazon Web Services accounts, Amazon Web Servicesservices, and
+ *          <p>Security Hub collects security data across Amazon Web Services accounts, Amazon Web Services services, and
  *             supported third-party products and helps you analyze your security trends and identify the highest priority security
  *             issues.</p>
  *          <p>To help you manage the security state of your organization, Security Hub supports multiple security standards.
@@ -647,10 +647,10 @@ export interface SecurityHubClientResolvedConfig extends SecurityHubClientResolv
  *             Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes
  *             several security controls, each of which represents a security best practice. Security Hub runs checks against
  *             security controls and generates control findings to help you assess your compliance against security best practices.</p>
- *          <p>In addition to generating control findings, Security Hub also receives findings from other Amazon Web Servicesservices,
+ *          <p>In addition to generating control findings, Security Hub also receives findings from other Amazon Web Services services,
  *             such as Amazon GuardDuty and Amazon Inspector, and
  *             supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You
- *             can also send Security Hub findings to other Amazon Web Servicesservices and supported third-party products.</p>
+ *             can also send Security Hub findings to other Amazon Web Services services and supported third-party products.</p>
  *          <p>Security Hub offers automation features that help you triage and remediate security issues. For example,
  *            you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with
  *            Amazon EventBridge  to trigger automatic responses to specific findings.</p>
@@ -661,12 +661,12 @@ export interface SecurityHubClientResolvedConfig extends SecurityHubClientResolv
  *             </a>. The
  *            user guide explains key concepts and provides procedures
  *            that demonstrate how to use Security Hub features. It also provides information about topics such as
- *            integrating Security Hub with other Amazon Web Servicesservices.</p>
+ *            integrating Security Hub with other Amazon Web Services services.</p>
  *          <p>In addition to interacting with Security Hub  by making calls to the Security Hub API, you can
  *            use a current version of an Amazon Web Services command line tool or SDK. Amazon Web Services provides tools
  *             and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell,
  *            Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to
- *            Security Hub  and other Amazon Web Servicesservices . They also handle tasks such as signing requests,
+ *            Security Hub  and other Amazon Web Services services . They also handle tasks such as signing requests,
  *            managing errors, and retrying requests automatically. For information about installing and using the Amazon Web Services  tools
  *            and SDKs, see <a href="http://aws.amazon.com/developer/tools/">Tools to Build on Amazon Web Services</a>.</p>
  *          <p>With the exception of operations that are related to central configuration, Security Hub API requests are executed only in
diff --git a/clients/client-securityhub/src/commands/AcceptAdministratorInvitationCommand.ts b/clients/client-securityhub/src/commands/AcceptAdministratorInvitationCommand.ts
index b22b9b3d6699..a7f5a02275f5 100644
--- a/clients/client-securityhub/src/commands/AcceptAdministratorInvitationCommand.ts
+++ b/clients/client-securityhub/src/commands/AcceptAdministratorInvitationCommand.ts
@@ -33,7 +33,12 @@ export interface AcceptAdministratorInvitationCommandOutput
     __MetadataBearer {}
 
 /**
- * <p>Accepts the invitation to be a member account and be monitored by the Security Hub administrator
+ * <note>
+ *             <p>We recommend using Organizations instead of Security Hub invitations to manage your member accounts.
+ *            For information, see <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html">Managing Security Hub administrator and member accounts with Organizations</a>
+ *            in the <i>Security Hub User Guide</i>.</p>
+ *          </note>
+ *          <p>Accepts the invitation to be a member account and be monitored by the Security Hub administrator
  *          account that the invitation was sent from.</p>
  *          <p>This operation is only used by member accounts that are not added through
  *          Organizations.</p>
diff --git a/clients/client-securityhub/src/commands/BatchUpdateFindingsCommand.ts b/clients/client-securityhub/src/commands/BatchUpdateFindingsCommand.ts
index 257d849b3b32..f9d74364cb8d 100644
--- a/clients/client-securityhub/src/commands/BatchUpdateFindingsCommand.ts
+++ b/clients/client-securityhub/src/commands/BatchUpdateFindingsCommand.ts
@@ -32,7 +32,7 @@ export interface BatchUpdateFindingsCommandOutput extends BatchUpdateFindingsRes
  *          Requested by administrator accounts or member accounts. Administrator accounts can update findings for
  *          their account and their member accounts. Member accounts can update findings for their
  *          account.</p>
- *          <p>Updates from <code>BatchUpdateFindings</code> do not affect the value of
+ *          <p>Updates from <code>BatchUpdateFindings</code> don't affect the value of
  *             <code>UpdatedAt</code> for a finding.</p>
  *          <p>Administrator and member accounts can use <code>BatchUpdateFindings</code> to update the
  *          following finding fields and objects.</p>
diff --git a/clients/client-securityhub/src/commands/CreateFindingAggregatorCommand.ts b/clients/client-securityhub/src/commands/CreateFindingAggregatorCommand.ts
index 1e33bfe8b3a4..e82ad0be9940 100644
--- a/clients/client-securityhub/src/commands/CreateFindingAggregatorCommand.ts
+++ b/clients/client-securityhub/src/commands/CreateFindingAggregatorCommand.ts
@@ -28,8 +28,11 @@ export interface CreateFindingAggregatorCommandInput extends CreateFindingAggreg
 export interface CreateFindingAggregatorCommandOutput extends CreateFindingAggregatorResponse, __MetadataBearer {}
 
 /**
- * <p>Used to enable finding aggregation. Must be called from the aggregation Region.</p>
- *          <p>For more details about cross-Region replication, see <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html">Configuring finding aggregation</a> in the <i>Security Hub User Guide</i>.
+ * <note>
+ *             <p>The <i>aggregation Region</i> is now called the <i>home Region</i>.</p>
+ *          </note>
+ *          <p>Used to enable cross-Region aggregation. This operation can be invoked from the home Region only.</p>
+ *          <p>For information about how cross-Region aggregation works, see <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html">Understanding cross-Region aggregation in Security Hub</a> in the <i>Security Hub User Guide</i>.
  *       </p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
diff --git a/clients/client-securityhub/src/commands/CreateMembersCommand.ts b/clients/client-securityhub/src/commands/CreateMembersCommand.ts
index 0e354bf620f8..088f81b42a30 100644
--- a/clients/client-securityhub/src/commands/CreateMembersCommand.ts
+++ b/clients/client-securityhub/src/commands/CreateMembersCommand.ts
@@ -50,7 +50,7 @@ export interface CreateMembersCommandOutput extends CreateMembersResponse, __Met
  *          then send an invitation to the member account. To send the invitation, you use the
  *                <code>InviteMembers</code> operation. If the account owner accepts
  *          the invitation, the account becomes a member account in Security Hub.</p>
- *          <p>Accounts that are managed using Organizations do not receive an invitation. They
+ *          <p>Accounts that are managed using Organizations don't receive an invitation. They
  *          automatically become a member account in Security Hub.</p>
  *          <ul>
  *             <li>
diff --git a/clients/client-securityhub/src/commands/DeclineInvitationsCommand.ts b/clients/client-securityhub/src/commands/DeclineInvitationsCommand.ts
index cb92e755b979..7895103c12dc 100644
--- a/clients/client-securityhub/src/commands/DeclineInvitationsCommand.ts
+++ b/clients/client-securityhub/src/commands/DeclineInvitationsCommand.ts
@@ -28,9 +28,14 @@ export interface DeclineInvitationsCommandInput extends DeclineInvitationsReques
 export interface DeclineInvitationsCommandOutput extends DeclineInvitationsResponse, __MetadataBearer {}
 
 /**
- * <p>Declines invitations to become a member account.</p>
+ * <note>
+ *             <p>We recommend using Organizations instead of Security Hub invitations to manage your member accounts.
+ *            For information, see <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html">Managing Security Hub administrator and member accounts with Organizations</a>
+ *            in the <i>Security Hub User Guide</i>.</p>
+ *          </note>
+ *          <p>Declines invitations to become a Security Hub member account.</p>
  *          <p>A prospective member account uses this operation to decline an invitation to become a member.</p>
- *          <p>This operation is only called by member accounts that aren't part of an organization.
+ *          <p>Only member accounts that aren't part of an Amazon Web Services organization should use this operation.
  *          Organization accounts don't receive invitations.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
diff --git a/clients/client-securityhub/src/commands/DeleteFindingAggregatorCommand.ts b/clients/client-securityhub/src/commands/DeleteFindingAggregatorCommand.ts
index 86ff80a75bd8..f6f309f05b72 100644
--- a/clients/client-securityhub/src/commands/DeleteFindingAggregatorCommand.ts
+++ b/clients/client-securityhub/src/commands/DeleteFindingAggregatorCommand.ts
@@ -28,8 +28,13 @@ export interface DeleteFindingAggregatorCommandInput extends DeleteFindingAggreg
 export interface DeleteFindingAggregatorCommandOutput extends DeleteFindingAggregatorResponse, __MetadataBearer {}
 
 /**
- * <p>Deletes a finding aggregator. When you delete the finding aggregator, you stop finding aggregation.</p>
- *          <p>When you stop finding aggregation, findings that were already aggregated to the aggregation Region are still visible from the aggregation Region. New findings and finding updates are not aggregated.
+ * <note>
+ *             <p>The <i>aggregation Region</i> is now called the <i>home Region</i>.</p>
+ *          </note>
+ *          <p>Deletes a finding aggregator. When you delete the finding aggregator, you stop cross-Region aggregation. Finding replication stops
+ * occurring from the linked Regions to the home Region.</p>
+ *          <p>When you stop cross-Region aggregation, findings that were already replicated and sent to the home Region are still visible from
+ *         the home Region. However, new findings and finding updates are no longer replicated and sent to the home Region.
  *       </p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
diff --git a/clients/client-securityhub/src/commands/DeleteInvitationsCommand.ts b/clients/client-securityhub/src/commands/DeleteInvitationsCommand.ts
index dd2ef056eba2..bee70487d638 100644
--- a/clients/client-securityhub/src/commands/DeleteInvitationsCommand.ts
+++ b/clients/client-securityhub/src/commands/DeleteInvitationsCommand.ts
@@ -28,9 +28,14 @@ export interface DeleteInvitationsCommandInput extends DeleteInvitationsRequest
 export interface DeleteInvitationsCommandOutput extends DeleteInvitationsResponse, __MetadataBearer {}
 
 /**
- * <p>Deletes invitations received by the Amazon Web Services account to become a member account.</p>
- *          <p>A Security Hub administrator account can use this operation to delete invitations sent to one or more member accounts.</p>
- *          <p>This operation is only used to delete invitations that are sent to member accounts that aren't part of an organization.
+ * <note>
+ *             <p>We recommend using Organizations instead of Security Hub invitations to manage your member accounts.
+ *            For information, see <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html">Managing Security Hub administrator and member accounts with Organizations</a>
+ *            in the <i>Security Hub User Guide</i>.</p>
+ *          </note>
+ *          <p>Deletes invitations to become a Security Hub member account.</p>
+ *          <p>A Security Hub administrator account can use this operation to delete invitations sent to one or more prospective member accounts.</p>
+ *          <p>This operation is only used to delete invitations that are sent to prospective member accounts that aren't part of an Amazon Web Services organization.
  *          Organization accounts don't receive invitations.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
diff --git a/clients/client-securityhub/src/commands/DescribeProductsCommand.ts b/clients/client-securityhub/src/commands/DescribeProductsCommand.ts
index a8aad8465ef5..9f018530cfe8 100644
--- a/clients/client-securityhub/src/commands/DescribeProductsCommand.ts
+++ b/clients/client-securityhub/src/commands/DescribeProductsCommand.ts
@@ -31,7 +31,7 @@ export interface DescribeProductsCommandOutput extends DescribeProductsResponse,
  * <p>Returns information about product integrations in Security Hub.</p>
  *          <p>You can optionally provide an integration ARN. If you provide an integration ARN, then
  *          the results only include that integration.</p>
- *          <p>If you do not provide an integration ARN, then the results include all of the available
+ *          <p>If you don't provide an integration ARN, then the results include all of the available
  *          product integrations. </p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
diff --git a/clients/client-securityhub/src/commands/GetFindingAggregatorCommand.ts b/clients/client-securityhub/src/commands/GetFindingAggregatorCommand.ts
index e831a4ec5c14..9f51cce56683 100644
--- a/clients/client-securityhub/src/commands/GetFindingAggregatorCommand.ts
+++ b/clients/client-securityhub/src/commands/GetFindingAggregatorCommand.ts
@@ -28,7 +28,11 @@ export interface GetFindingAggregatorCommandInput extends GetFindingAggregatorRe
 export interface GetFindingAggregatorCommandOutput extends GetFindingAggregatorResponse, __MetadataBearer {}
 
 /**
- * <p>Returns the current finding aggregation configuration.</p>
+ * <note>
+ *             <p>The <i>aggregation Region</i> is now called the <i>home Region</i>.</p>
+ *          </note>
+ *          <p>Returns the current configuration in the calling account for cross-Region aggregation. A finding aggregator is a resource that establishes
+ * the home Region and any linked Regions.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
diff --git a/clients/client-securityhub/src/commands/GetFindingsCommand.ts b/clients/client-securityhub/src/commands/GetFindingsCommand.ts
index 380627421842..b9bf5341710e 100644
--- a/clients/client-securityhub/src/commands/GetFindingsCommand.ts
+++ b/clients/client-securityhub/src/commands/GetFindingsCommand.ts
@@ -29,7 +29,7 @@ export interface GetFindingsCommandOutput extends GetFindingsResponse, __Metadat
 
 /**
  * <p>Returns a list of findings that match the specified criteria.</p>
- *          <p>If finding aggregation is enabled, then when you call <code>GetFindings</code> from the aggregation Region, the results include all of the matching findings from both the aggregation Region and the linked Regions.</p>
+ *          <p>If cross-Region aggregation is enabled, then when you call <code>GetFindings</code> from the home Region, the results include all of the matching findings from both the home Region and linked Regions.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
diff --git a/clients/client-securityhub/src/commands/GetInvitationsCountCommand.ts b/clients/client-securityhub/src/commands/GetInvitationsCountCommand.ts
index 8e82064df251..0141e55d74d3 100644
--- a/clients/client-securityhub/src/commands/GetInvitationsCountCommand.ts
+++ b/clients/client-securityhub/src/commands/GetInvitationsCountCommand.ts
@@ -28,8 +28,13 @@ export interface GetInvitationsCountCommandInput extends GetInvitationsCountRequ
 export interface GetInvitationsCountCommandOutput extends GetInvitationsCountResponse, __MetadataBearer {}
 
 /**
- * <p>Returns the count of all Security Hub membership invitations that were sent to the
- *          current member account, not including the currently accepted invitation. </p>
+ * <note>
+ *             <p>We recommend using Organizations instead of Security Hub invitations to manage your member accounts.
+ *            For information, see <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html">Managing Security Hub administrator and member accounts with Organizations</a>
+ *            in the <i>Security Hub User Guide</i>.</p>
+ *          </note>
+ *          <p>Returns the count of all Security Hub membership invitations that were sent to the
+ *          calling member account, not including the currently accepted invitation. </p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
diff --git a/clients/client-securityhub/src/commands/InviteMembersCommand.ts b/clients/client-securityhub/src/commands/InviteMembersCommand.ts
index c8ad739d126c..1753fb9511b4 100644
--- a/clients/client-securityhub/src/commands/InviteMembersCommand.ts
+++ b/clients/client-securityhub/src/commands/InviteMembersCommand.ts
@@ -28,13 +28,18 @@ export interface InviteMembersCommandInput extends InviteMembersRequest {}
 export interface InviteMembersCommandOutput extends InviteMembersResponse, __MetadataBearer {}
 
 /**
- * <p>Invites other Amazon Web Services accounts to become member accounts for the Security Hub administrator account that
+ * <note>
+ *             <p>We recommend using Organizations instead of Security Hub invitations to manage your member accounts.
+ *            For information, see <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html">Managing Security Hub administrator and member accounts with Organizations</a>
+ *            in the <i>Security Hub User Guide</i>.</p>
+ *          </note>
+ *          <p>Invites other Amazon Web Services accounts to become member accounts for the Security Hub administrator account that
  *          the invitation is sent from.</p>
- *          <p>This operation is only used to invite accounts that do not belong to an organization.
- *          Organization accounts do not receive invitations.</p>
+ *          <p>This operation is only used to invite accounts that don't belong to an Amazon Web Services organization.
+ *          Organization accounts don't receive invitations.</p>
  *          <p>Before you can use this action to invite a member, you must first use the <code>CreateMembers</code> action to create the member account in Security Hub.</p>
  *          <p>When the account owner enables Security Hub and accepts the invitation to become a member
- *          account, the administrator account can view the findings generated from the member account.</p>
+ *          account, the administrator account can view the findings generated in the member account.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
diff --git a/clients/client-securityhub/src/commands/ListFindingAggregatorsCommand.ts b/clients/client-securityhub/src/commands/ListFindingAggregatorsCommand.ts
index 20823626f745..e3c95cc0a78e 100644
--- a/clients/client-securityhub/src/commands/ListFindingAggregatorsCommand.ts
+++ b/clients/client-securityhub/src/commands/ListFindingAggregatorsCommand.ts
@@ -28,7 +28,8 @@ export interface ListFindingAggregatorsCommandInput extends ListFindingAggregato
 export interface ListFindingAggregatorsCommandOutput extends ListFindingAggregatorsResponse, __MetadataBearer {}
 
 /**
- * <p>If finding aggregation is enabled, then <code>ListFindingAggregators</code> returns the ARN of the finding aggregator. You can run this operation from any Region.</p>
+ * <p>If cross-Region aggregation is enabled, then <code>ListFindingAggregators</code> returns the Amazon Resource Name (ARN)
+ * of the finding aggregator. You can run this operation from any Amazon Web Services Region.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
diff --git a/clients/client-securityhub/src/commands/ListInvitationsCommand.ts b/clients/client-securityhub/src/commands/ListInvitationsCommand.ts
index 8e850419b0da..93596f83e50f 100644
--- a/clients/client-securityhub/src/commands/ListInvitationsCommand.ts
+++ b/clients/client-securityhub/src/commands/ListInvitationsCommand.ts
@@ -28,9 +28,14 @@ export interface ListInvitationsCommandInput extends ListInvitationsRequest {}
 export interface ListInvitationsCommandOutput extends ListInvitationsResponse, __MetadataBearer {}
 
 /**
- * <p>Lists all Security Hub membership invitations that were sent to the current Amazon Web Services account.</p>
- *          <p>This operation is only used by accounts that are managed by invitation.
- *          Accounts that are managed using the integration with Organizations do not receive invitations.</p>
+ * <note>
+ *             <p>We recommend using Organizations instead of Security Hub invitations to manage your member accounts.
+ *            For information, see <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html">Managing Security Hub administrator and member accounts with Organizations</a>
+ *            in the <i>Security Hub User Guide</i>.</p>
+ *          </note>
+ *          <p>Lists all Security Hub membership invitations that were sent to the calling account.</p>
+ *          <p>Only accounts that are managed by invitation can use this operation.
+ *          Accounts that are managed using the integration with Organizations don't receive invitations.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
diff --git a/clients/client-securityhub/src/commands/UpdateFindingAggregatorCommand.ts b/clients/client-securityhub/src/commands/UpdateFindingAggregatorCommand.ts
index 3e4739300cad..b1c8205dccfb 100644
--- a/clients/client-securityhub/src/commands/UpdateFindingAggregatorCommand.ts
+++ b/clients/client-securityhub/src/commands/UpdateFindingAggregatorCommand.ts
@@ -28,8 +28,12 @@ export interface UpdateFindingAggregatorCommandInput extends UpdateFindingAggreg
 export interface UpdateFindingAggregatorCommandOutput extends UpdateFindingAggregatorResponse, __MetadataBearer {}
 
 /**
- * <p>Updates the finding aggregation configuration. Used to update the Region linking mode and the list of included or excluded Regions. You cannot use <code>UpdateFindingAggregator</code> to change the aggregation Region.</p>
- *          <p>You must run <code>UpdateFindingAggregator</code> from the current aggregation Region.
+ * <note>
+ *             <p>The <i>aggregation Region</i> is now called the <i>home Region</i>.</p>
+ *          </note>
+ *          <p>Updates cross-Region aggregation settings. You can use this operation to update the Region linking mode and the list
+ *         of included or excluded Amazon Web Services Regions. However, you can't use this operation to change the home Region.</p>
+ *          <p>You can invoke this operation from the current home Region only.
  *       </p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
diff --git a/clients/client-securityhub/src/index.ts b/clients/client-securityhub/src/index.ts
index 21d1d565d9b6..ef4310e22a64 100644
--- a/clients/client-securityhub/src/index.ts
+++ b/clients/client-securityhub/src/index.ts
@@ -3,7 +3,7 @@
 /**
  * <p>Security Hub provides you with a comprehensive view of your security state in Amazon Web Services and helps
  *            you assess your Amazon Web Services environment against security industry standards and best practices.</p>
- *          <p>Security Hub collects security data across Amazon Web Services accounts, Amazon Web Servicesservices, and
+ *          <p>Security Hub collects security data across Amazon Web Services accounts, Amazon Web Services services, and
  *             supported third-party products and helps you analyze your security trends and identify the highest priority security
  *             issues.</p>
  *          <p>To help you manage the security state of your organization, Security Hub supports multiple security standards.
@@ -12,10 +12,10 @@
  *             Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes
  *             several security controls, each of which represents a security best practice. Security Hub runs checks against
  *             security controls and generates control findings to help you assess your compliance against security best practices.</p>
- *          <p>In addition to generating control findings, Security Hub also receives findings from other Amazon Web Servicesservices,
+ *          <p>In addition to generating control findings, Security Hub also receives findings from other Amazon Web Services services,
  *             such as Amazon GuardDuty and Amazon Inspector, and
  *             supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You
- *             can also send Security Hub findings to other Amazon Web Servicesservices and supported third-party products.</p>
+ *             can also send Security Hub findings to other Amazon Web Services services and supported third-party products.</p>
  *          <p>Security Hub offers automation features that help you triage and remediate security issues. For example,
  *            you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with
  *            Amazon EventBridge  to trigger automatic responses to specific findings.</p>
@@ -26,12 +26,12 @@
  *             </a>. The
  *            user guide explains key concepts and provides procedures
  *            that demonstrate how to use Security Hub features. It also provides information about topics such as
- *            integrating Security Hub with other Amazon Web Servicesservices.</p>
+ *            integrating Security Hub with other Amazon Web Services services.</p>
  *          <p>In addition to interacting with Security Hub  by making calls to the Security Hub API, you can
  *            use a current version of an Amazon Web Services command line tool or SDK. Amazon Web Services provides tools
  *             and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell,
  *            Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to
- *            Security Hub  and other Amazon Web Servicesservices . They also handle tasks such as signing requests,
+ *            Security Hub  and other Amazon Web Services services . They also handle tasks such as signing requests,
  *            managing errors, and retrying requests automatically. For information about installing and using the Amazon Web Services  tools
  *            and SDKs, see <a href="http://aws.amazon.com/developer/tools/">Tools to Build on Amazon Web Services</a>.</p>
  *          <p>With the exception of operations that are related to central configuration, Security Hub API requests are executed only in
diff --git a/clients/client-securityhub/src/models/models_0.ts b/clients/client-securityhub/src/models/models_0.ts
index 34ea9928a7bd..9aaa2a6033f8 100644
--- a/clients/client-securityhub/src/models/models_0.ts
+++ b/clients/client-securityhub/src/models/models_0.ts
@@ -762,7 +762,7 @@ export interface SeverityUpdate {
   /**
    * <p>The normalized severity for the finding. This attribute is to be deprecated in favor of
    *             <code>Label</code>.</p>
-   *          <p>If you provide <code>Normalized</code> and do not provide <code>Label</code>,
+   *          <p>If you provide <code>Normalized</code> and don't provide <code>Label</code>,
    *             <code>Label</code> is set automatically as follows.</p>
    *          <ul>
    *             <li>
@@ -898,7 +898,7 @@ export interface WorkflowUpdate {
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>SUPPRESSED</code> - Indicates that you reviewed the finding and do not believe that any action is needed. The finding is no longer updated.</p>
+   *                   <code>SUPPRESSED</code> - Indicates that you reviewed the finding and don't believe that any action is needed. The finding is no longer updated.</p>
    *             </li>
    *          </ul>
    * @public
@@ -995,18 +995,15 @@ export type AutomationRulesActionType = (typeof AutomationRulesActionType)[keyof
 
 /**
  * <p>
- *          One or more actions to update finding fields if a finding matches the defined criteria
- *          of the rule.
+ *          One or more actions that Security Hub takes when a finding matches the defined criteria
+ *          of a rule.
  *       </p>
  * @public
  */
 export interface AutomationRulesAction {
   /**
    * <p>
-   *          Specifies that the rule action should update the <code>Types</code> finding field. The <code>Types</code>
-   *          finding field classifies findings in the format of namespace/category/classifier. For more information, see
-   *          <a href="https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html">Types taxonomy for ASFF</a> in
-   *          the <i>Security Hub User Guide</i>.
+   *          Specifies the type of action that Security Hub takes when a finding matches the defined criteria of a rule.
    *       </p>
    * @public
    */
@@ -1965,7 +1962,7 @@ export interface AutomationRulesFindingFilters {
    * <p>
    *          The identifier for the given resource type. For Amazon Web Services resources that are identified by
    *          Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs,
-   *          this is the identifier as defined by the Amazon Web Servicesservice that created the resource.
+   *          this is the identifier as defined by the Amazon Web Services service that created the resource.
    *          For non-Amazon Web Services resources, this is a unique identifier that is associated with the
    *          resource.
    *       </p>
@@ -4731,7 +4728,7 @@ export interface AwsBackupBackupPlanRuleCopyActionsDetails {
   /**
    * <p>Defines when a protected resource is transitioned to cold storage and when it expires.
    *             Backup transitions and expires backups automatically according to the
-   *          lifecycle that you define. If you do not specify a lifecycle, Backup applies
+   *          lifecycle that you define. If you don't specify a lifecycle, Backup applies
    *          the lifecycle policy of the source backup to the destination backup.</p>
    *          <p>Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days.</p>
    * @public
@@ -4801,7 +4798,7 @@ export interface AwsBackupBackupPlanRuleDetails {
   CopyActions?: AwsBackupBackupPlanRuleCopyActionsDetails[];
 
   /**
-   * <p>Defines when a protected resource is transitioned to cold storage and when it expires. Backup transitions and expires backups automatically according to the lifecycle that you define. If you do not specify a lifecycle, Backup applies the lifecycle policy of the source backup to the destination backup.</p>
+   * <p>Defines when a protected resource is transitioned to cold storage and when it expires. Backup transitions and expires backups automatically according to the lifecycle that you define. If you don't specify a lifecycle, Backup applies the lifecycle policy of the source backup to the destination backup.</p>
    *          <p>Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days.</p>
    * @public
    */
@@ -4939,7 +4936,7 @@ export interface AwsBackupBackupVaultDetails {
 
   /**
    * <p>The unique ARN associated with the server-side encryption key. You can specify a key to encrypt your backups from services that support
-   * full Backup management. If you do not specify a key, Backup creates an KMS key for you by default.
+   * full Backup management. If you don't specify a key, Backup creates an KMS key for you by default.
    *       </p>
    * @public
    */
@@ -10662,7 +10659,7 @@ export interface RouteSetDetails {
 
   /**
    * <p>
-   *          The prefix of the destination Amazon Web Servicesservice.
+   *          The prefix of the destination Amazon Web Services service.
    *       </p>
    * @public
    */
@@ -12843,7 +12840,7 @@ export interface AwsEcsServiceDetails {
   /**
    * <p>The scheduling strategy to use for the service.</p>
    *          <p>The <code>REPLICA</code> scheduling strategy places and maintains the desired number of tasks across the cluster. By default, the service scheduler spreads tasks across Availability Zones. Task placement strategies and constraints are used to customize task placement decisions.</p>
-   *          <p>The <code>DAEMON</code> scheduling strategy deploys exactly one task on each active container instance that meets all of the task placement constraints that are specified in the cluster. The service scheduler also evaluates the task placement constraints for running tasks and stops tasks that do not meet the placement constraints.</p>
+   *          <p>The <code>DAEMON</code> scheduling strategy deploys exactly one task on each active container instance that meets all of the task placement constraints that are specified in the cluster. The service scheduler also evaluates the task placement constraints for running tasks and stops tasks that don't meet the placement constraints.</p>
    *          <p>Valid values: <code>REPLICA</code> | <code>DAEMON</code>
    *          </p>
    * @public
diff --git a/clients/client-securityhub/src/models/models_1.ts b/clients/client-securityhub/src/models/models_1.ts
index 1c759d24c1a1..023a4e4b0c5b 100644
--- a/clients/client-securityhub/src/models/models_1.ts
+++ b/clients/client-securityhub/src/models/models_1.ts
@@ -6687,7 +6687,7 @@ export interface AwsRdsDbInstanceDetails {
    *             <b>Oracle</b>
    *          </p>
    *          <p>Contains the Oracle System ID (SID) of the created DB instance. Not shown when the
-   *          returned parameters do not apply to an Oracle DB instance. </p>
+   *          returned parameters don't apply to an Oracle DB instance. </p>
    * @public
    */
   DBName?: string;
@@ -10044,7 +10044,7 @@ export interface Compliance {
   /**
    * <p>
    *          Typically provides the unique identifier of a control across standards. For Security Hub controls, this field consists of an
-   *           Amazon Web Servicesservice and a unique number, such as <code>APIGateway.5</code>.
+   *           Amazon Web Services service and a unique number, such as <code>APIGateway.5</code>.
    *       </p>
    * @public
    */
diff --git a/clients/client-securityhub/src/models/models_2.ts b/clients/client-securityhub/src/models/models_2.ts
index 3950796210f6..e80def71051c 100644
--- a/clients/client-securityhub/src/models/models_2.ts
+++ b/clients/client-securityhub/src/models/models_2.ts
@@ -958,7 +958,7 @@ export interface AwsWafWebAclRule {
    *          <p>
    *             <code>ActivatedRule</code>|<code>OverrideAction</code> applies only when updating or
    *          adding a <code>RuleGroup</code>
-   *          to a web ACL. In this case you do not use <code>ActivatedRule</code>
+   *          to a web ACL. In this case you don't use <code>ActivatedRule</code>
    *             <code>Action</code>. For all other update requests,
    *             <code>ActivatedRule</code>
    *             <code>Action</code> is used instead of <code>ActivatedRule</code>
@@ -971,7 +971,7 @@ export interface AwsWafWebAclRule {
    * <p>Specifies the order in which the rules in a web
    *          ACL are evaluated. Rules with a lower value for <code>Priority</code> are
    *          evaluated before rules with a higher value. The value must be a unique integer. If you add
-   *          multiple rules to a web ACL, the values do not need to be consecutive.</p>
+   *          multiple rules to a web ACL, the values don't need to be consecutive.</p>
    * @public
    */
   Priority?: number;
@@ -1963,7 +1963,7 @@ export interface Severity {
    *                escalating.</p>
    *             </li>
    *          </ul>
-   *          <p>If you provide <code>Normalized</code> and do not provide <code>Label</code>, then
+   *          <p>If you provide <code>Normalized</code> and don't provide <code>Label</code>, then
    *             <code>Label</code> is set automatically as follows. </p>
    *          <ul>
    *             <li>
@@ -1995,7 +1995,7 @@ export interface Severity {
    * <p>Deprecated. The normalized severity of a finding.
    *          Instead of providing <code>Normalized</code>, provide <code>Label</code>.</p>
    *          <p>The value of <code>Normalized</code> can be an integer between <code>0</code> and <code>100</code>.</p>
-   *          <p>If you provide <code>Label</code> and do not provide <code>Normalized</code>, then
+   *          <p>If you provide <code>Label</code> and don't provide <code>Normalized</code>, then
    *             <code>Normalized</code> is set automatically as follows.</p>
    *          <ul>
    *             <li>
@@ -2654,7 +2654,7 @@ export interface Workflow {
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>SUPPRESSED</code> - Indicates that you reviewed the finding and do not believe that any action is needed. The finding is no longer updated.</p>
+   *                   <code>SUPPRESSED</code> - Indicates that you reviewed the finding and don't believe that any action is needed. The finding is no longer updated.</p>
    *             </li>
    *             <li>
    *                <p>
@@ -3908,7 +3908,7 @@ export interface AwsSecurityFindingFilters {
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>SUPPRESSED</code> - Indicates that you reviewed the finding and do not believe that any action is
+   *                   <code>SUPPRESSED</code> - Indicates that you reviewed the finding and don't believe that any action is
    *                needed.</p>
    *                <p>The workflow status of a <code>SUPPRESSED</code> finding does not change if
    *                <code>RecordState</code> changes from <code>ARCHIVED</code> to
@@ -4045,7 +4045,7 @@ export interface AwsSecurityFindingFilters {
   /**
    * <p>
    *          The unique identifier of a control across standards. Values for this field typically consist of an
-   *          Amazon Web Servicesservice and a number, such as APIGateway.5.
+   *          Amazon Web Services service and a number, such as APIGateway.5.
    *       </p>
    * @public
    */
@@ -4970,7 +4970,7 @@ export type UpdateStatus = (typeof UpdateStatus)[keyof typeof UpdateStatus];
 export interface SecurityControl {
   /**
    * <p>
-   *          The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Servicesservice name and a
+   *          The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a
    *          number, such as APIGateway.3.
    *       </p>
    * @public
@@ -5182,7 +5182,7 @@ export interface StandardsControlAssociationDetail {
 
   /**
    * <p>
-   *          The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Servicesservice
+   *          The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service
    *          name and a number, such as APIGateway.3.
    *       </p>
    * @public
@@ -6589,7 +6589,7 @@ export type Policy = Policy.SecurityHubMember | Policy.$UnknownMember;
 export namespace Policy {
   /**
    * <p>
-   *             The Amazon Web Servicesservice that the configuration policy applies to.
+   *             The Amazon Web Services service that the configuration policy applies to.
    *         </p>
    * @public
    */
@@ -6761,8 +6761,8 @@ export interface CreateFindingAggregatorRequest {
   RegionLinkingMode: string | undefined;
 
   /**
-   * <p>If <code>RegionLinkingMode</code> is <code>ALL_REGIONS_EXCEPT_SPECIFIED</code>, then this is a space-separated list of Regions that do not aggregate findings to the aggregation Region.</p>
-   *          <p>If <code>RegionLinkingMode</code> is <code>SPECIFIED_REGIONS</code>, then this is a space-separated list of Regions that do aggregate findings to the aggregation Region.
+   * <p>If <code>RegionLinkingMode</code> is <code>ALL_REGIONS_EXCEPT_SPECIFIED</code>, then this is a space-separated list of Regions that don't replicate and send findings to the home Region.</p>
+   *          <p>If <code>RegionLinkingMode</code> is <code>SPECIFIED_REGIONS</code>, then this is a space-separated list of Regions that do replicate and send findings to the home Region.
    *       </p>
    *          <p>An <code>InvalidInputException</code> error results if you populate this field while <code>RegionLinkingMode</code> is
    *            <code>NO_REGIONS</code>.</p>
@@ -6776,13 +6776,13 @@ export interface CreateFindingAggregatorRequest {
  */
 export interface CreateFindingAggregatorResponse {
   /**
-   * <p>The ARN of the finding aggregator. You use the finding aggregator ARN to retrieve details for, update, and stop finding aggregation.</p>
+   * <p>The ARN of the finding aggregator. You use the finding aggregator ARN to retrieve details for, update, and stop cross-Region aggregation.</p>
    * @public
    */
   FindingAggregatorArn?: string;
 
   /**
-   * <p>The aggregation Region.</p>
+   * <p>The home Region. Findings generated in linked Regions are replicated and sent to the home Region.</p>
    * @public
    */
   FindingAggregationRegion?: string;
@@ -7749,7 +7749,7 @@ export interface EnableSecurityHubRequest {
 
   /**
    * <p>Whether to enable the security standards that Security Hub has designated as automatically
-   *          enabled. If you do not provide a value for <code>EnableDefaultStandards</code>, it is set
+   *          enabled. If you don't provide a value for <code>EnableDefaultStandards</code>, it is set
    *          to <code>true</code>. To not enable the automatically enabled standards, set
    *             <code>EnableDefaultStandards</code> to <code>false</code>.</p>
    * @public
@@ -7778,7 +7778,8 @@ export interface EnableSecurityHubRequest {
 export interface EnableSecurityHubResponse {}
 
 /**
- * <p>A finding aggregator. A finding aggregator contains the configuration for finding aggregation.</p>
+ * <p>A finding aggregator is a Security Hub resource that specifies cross-Region aggregation settings, including the
+ * home Region and any linked Regions.</p>
  * @public
  */
 export interface FindingAggregator {
@@ -7850,7 +7851,7 @@ export interface FindingHistoryUpdateSource {
    * <p>
    *          Describes the type of finding change event, such as a call to <a href="https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html">
    *                <code>BatchImportFindings</code>
-   *             </a> (by an integrated Amazon Web Servicesservice or third party partner integration) or <a href="https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html">
+   *             </a> (by an integrated Amazon Web Services service or third party partner integration) or <a href="https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html">
    *                <code>BatchUpdateFindings</code>
    *             </a> (by a Security Hub customer).
    *       </p>
@@ -7924,7 +7925,7 @@ export interface FindingHistoryRecord {
 
   /**
    * <p> Identifies the source of the event that changed the finding. For example, an integrated
-   *                 Amazon Web Servicesservice or third-party partner integration may call <a href="https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html">
+   *                 Amazon Web Services service or third-party partner integration may call <a href="https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html">
    *                <code>BatchImportFindings</code>
    *             </a>, or an Security Hub customer
    *             may call <a href="https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html">
@@ -8223,7 +8224,7 @@ export interface GetFindingAggregatorResponse {
   FindingAggregatorArn?: string;
 
   /**
-   * <p>The aggregation Region.</p>
+   * <p>The home Region. Findings generated in linked Regions are replicated and sent to the home Region.</p>
    * @public
    */
   FindingAggregationRegion?: string;
@@ -8534,7 +8535,7 @@ export interface GetInsightResultsResponse {
  */
 export interface GetInsightsRequest {
   /**
-   * <p>The ARNs of the insights to describe. If you do not provide any insight ARNs, then
+   * <p>The ARNs of the insights to describe. If you don't provide any insight ARNs, then
    *             <code>GetInsights</code> returns all of your custom insights. It does not return any
    *          managed insights.</p>
    * @public
@@ -8825,7 +8826,7 @@ export interface SecurityControlDefinition {
   /**
    * <p>
    *          The unique identifier of a security control across standards. Values for this field typically consist of an
-   *          Amazon Web Servicesservice name and a number (for example, APIGateway.3). This parameter differs from
+   *          Amazon Web Services service name and a number (for example, APIGateway.3). This parameter differs from
    *          <code>SecurityControlArn</code>, which is a unique Amazon Resource Name (ARN) assigned to a control. The
    *          ARN references the security control ID (for example, arn:aws:securityhub:eu-central-1:123456789012:security-control/APIGateway.3).
    *       </p>
@@ -9388,7 +9389,7 @@ export interface StandardsControlAssociationSummary {
   /**
    * <p>
    *          A unique standard-agnostic identifier for a control. Values for this field typically consist of an
-   *          Amazon Web Servicesservice and a number, such as APIGateway.5. This field doesn't reference a specific standard.
+   *          Amazon Web Services service and a number, such as APIGateway.5. This field doesn't reference a specific standard.
    *       </p>
    * @public
    */
@@ -9857,8 +9858,8 @@ export interface UpdateFindingAggregatorRequest {
   RegionLinkingMode: string | undefined;
 
   /**
-   * <p>If <code>RegionLinkingMode</code> is <code>ALL_REGIONS_EXCEPT_SPECIFIED</code>, then this is a space-separated list of Regions that do not aggregate findings to the aggregation Region.</p>
-   *          <p>If <code>RegionLinkingMode</code> is <code>SPECIFIED_REGIONS</code>, then this is a space-separated list of Regions that do aggregate findings to the aggregation Region.</p>
+   * <p>If <code>RegionLinkingMode</code> is <code>ALL_REGIONS_EXCEPT_SPECIFIED</code>, then this is a space-separated list of Regions that don't replicate and send findings to the home Region.</p>
+   *          <p>If <code>RegionLinkingMode</code> is <code>SPECIFIED_REGIONS</code>, then this is a space-separated list of Regions that do replicate and send findings to the home Region.</p>
    *          <p>An <code>InvalidInputException</code> error results if you populate this field while <code>RegionLinkingMode</code> is
    *         <code>NO_REGIONS</code>.</p>
    * @public
@@ -9877,7 +9878,7 @@ export interface UpdateFindingAggregatorResponse {
   FindingAggregatorArn?: string;
 
   /**
-   * <p>The aggregation Region.</p>
+   * <p>The home Region. Findings generated in linked Regions are replicated and sent to the home Region.</p>
    * @public
    */
   FindingAggregationRegion?: string;
diff --git a/codegen/sdk-codegen/aws-models/securityhub.json b/codegen/sdk-codegen/aws-models/securityhub.json
index 7d23dec5b1b9..b830e718b723 100644
--- a/codegen/sdk-codegen/aws-models/securityhub.json
+++ b/codegen/sdk-codegen/aws-models/securityhub.json
@@ -55,7 +55,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Accepts the invitation to be a member account and be monitored by the Security Hub administrator\n         account that the invitation was sent from.</p>\n         <p>This operation is only used by member accounts that are not added through\n         Organizations.</p>\n         <p>When the member account accepts the invitation, permission is granted to the administrator\n         account to view findings generated in the member account.</p>",
+        "smithy.api#documentation": "<note>\n            <p>We recommend using Organizations instead of Security Hub invitations to manage your member accounts. \n           For information, see <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html\">Managing Security Hub administrator and member accounts with Organizations</a> \n           in the <i>Security Hub User Guide</i>.</p>\n         </note>\n         <p>Accepts the invitation to be a member account and be monitored by the Security Hub administrator\n         account that the invitation was sent from.</p>\n         <p>This operation is only used by member accounts that are not added through\n         Organizations.</p>\n         <p>When the member account accepts the invitation, permission is granted to the administrator\n         account to view findings generated in the member account.</p>",
         "smithy.api#examples": [
           {
             "title": "To accept an invitation be a member account",
@@ -674,7 +674,7 @@
         "Type": {
           "target": "com.amazonaws.securityhub#AutomationRulesActionType",
           "traits": {
-            "smithy.api#documentation": "<p>\n         Specifies that the rule action should update the <code>Types</code> finding field. The <code>Types</code> \n         finding field classifies findings in the format of namespace/category/classifier. For more information, see\n         <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html\">Types taxonomy for ASFF</a> in \n         the <i>Security Hub User Guide</i>.\n      </p>"
+            "smithy.api#documentation": "<p>\n         Specifies the type of action that Security Hub takes when a finding matches the defined criteria of a rule.\n      </p>"
           }
         },
         "FindingFieldsUpdate": {
@@ -685,7 +685,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>\n         One or more actions to update finding fields if a finding matches the defined criteria \n         of the rule.\n      </p>"
+        "smithy.api#documentation": "<p>\n         One or more actions that Security Hub takes when a finding matches the defined criteria \n         of a rule.\n      </p>"
       }
     },
     "com.amazonaws.securityhub#AutomationRulesActionType": {
@@ -958,7 +958,7 @@
         "ResourceId": {
           "target": "com.amazonaws.securityhub#StringFilterList",
           "traits": {
-            "smithy.api#documentation": "<p>\n         The identifier for the given resource type. For Amazon Web Services resources that are identified by \n         Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, \n         this is the identifier as defined by the Amazon Web Servicesservice that created the resource. \n         For non-Amazon Web Services resources, this is a unique identifier that is associated with the \n         resource.\n      </p>\n         <p>\n   \t\tArray Members: Minimum number of 1 item. Maximum number of 100 items.\n   \t</p>"
+            "smithy.api#documentation": "<p>\n         The identifier for the given resource type. For Amazon Web Services resources that are identified by \n         Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, \n         this is the identifier as defined by the Amazon Web Services service that created the resource. \n         For non-Amazon Web Services resources, this is a unique identifier that is associated with the \n         resource.\n      </p>\n         <p>\n   \t\tArray Members: Minimum number of 1 item. Maximum number of 100 items.\n   \t</p>"
           }
         },
         "ResourcePartition": {
@@ -2986,7 +2986,7 @@
         "Lifecycle": {
           "target": "com.amazonaws.securityhub#AwsBackupBackupPlanLifecycleDetails",
           "traits": {
-            "smithy.api#documentation": "<p>Defines when a protected resource is transitioned to cold storage and when it expires.\n            Backup transitions and expires backups automatically according to the\n         lifecycle that you define. If you do not specify a lifecycle, Backup applies\n         the lifecycle policy of the source backup to the destination backup.</p>\n         <p>Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days.</p>"
+            "smithy.api#documentation": "<p>Defines when a protected resource is transitioned to cold storage and when it expires.\n            Backup transitions and expires backups automatically according to the\n         lifecycle that you define. If you don't specify a lifecycle, Backup applies\n         the lifecycle policy of the source backup to the destination backup.</p>\n         <p>Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days.</p>"
           }
         }
       },
@@ -3054,7 +3054,7 @@
         "Lifecycle": {
           "target": "com.amazonaws.securityhub#AwsBackupBackupPlanLifecycleDetails",
           "traits": {
-            "smithy.api#documentation": "<p>Defines when a protected resource is transitioned to cold storage and when it expires. Backup transitions and expires backups automatically according to the lifecycle that you define. If you do not specify a lifecycle, Backup applies the lifecycle policy of the source backup to the destination backup.</p>\n         <p>Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days.</p>"
+            "smithy.api#documentation": "<p>Defines when a protected resource is transitioned to cold storage and when it expires. Backup transitions and expires backups automatically according to the lifecycle that you define. If you don't specify a lifecycle, Backup applies the lifecycle policy of the source backup to the destination backup.</p>\n         <p>Backups transitioned to cold storage must be stored in cold storage for a minimum of 90 days.</p>"
           }
         }
       },
@@ -3086,7 +3086,7 @@
         "EncryptionKeyArn": {
           "target": "com.amazonaws.securityhub#NonEmptyString",
           "traits": {
-            "smithy.api#documentation": "<p>The unique ARN associated with the server-side encryption key. You can specify a key to encrypt your backups from services that support \nfull Backup management. If you do not specify a key, Backup creates an KMS key for you by default.\n      </p>"
+            "smithy.api#documentation": "<p>The unique ARN associated with the server-side encryption key. You can specify a key to encrypt your backups from services that support \nfull Backup management. If you don't specify a key, Backup creates an KMS key for you by default.\n      </p>"
           }
         },
         "Notifications": {
@@ -9342,7 +9342,7 @@
         "SchedulingStrategy": {
           "target": "com.amazonaws.securityhub#NonEmptyString",
           "traits": {
-            "smithy.api#documentation": "<p>The scheduling strategy to use for the service.</p>\n         <p>The <code>REPLICA</code> scheduling strategy places and maintains the desired number of tasks across the cluster. By default, the service scheduler spreads tasks across Availability Zones. Task placement strategies and constraints are used to customize task placement decisions.</p>\n         <p>The <code>DAEMON</code> scheduling strategy deploys exactly one task on each active container instance that meets all of the task placement constraints that are specified in the cluster. The service scheduler also evaluates the task placement constraints for running tasks and stops tasks that do not meet the placement constraints.</p>\n         <p>Valid values: <code>REPLICA</code> | <code>DAEMON</code>\n         </p>"
+            "smithy.api#documentation": "<p>The scheduling strategy to use for the service.</p>\n         <p>The <code>REPLICA</code> scheduling strategy places and maintains the desired number of tasks across the cluster. By default, the service scheduler spreads tasks across Availability Zones. Task placement strategies and constraints are used to customize task placement decisions.</p>\n         <p>The <code>DAEMON</code> scheduling strategy deploys exactly one task on each active container instance that meets all of the task placement constraints that are specified in the cluster. The service scheduler also evaluates the task placement constraints for running tasks and stops tasks that don't meet the placement constraints.</p>\n         <p>Valid values: <code>REPLICA</code> | <code>DAEMON</code>\n         </p>"
           }
         },
         "ServiceArn": {
@@ -15149,7 +15149,7 @@
         "DBName": {
           "target": "com.amazonaws.securityhub#NonEmptyString",
           "traits": {
-            "smithy.api#documentation": "<p>The meaning of this parameter differs according to the database engine you use.</p>\n         <p>\n            <b>MySQL, MariaDB, SQL Server, PostgreSQL</b>\n         </p>\n         <p>Contains the name of the initial database of this instance that was provided at create\n         time, if one was specified when the DB instance was created. This same name is returned for\n         the life of the DB instance.</p>\n         <p>\n            <b>Oracle</b>\n         </p>\n         <p>Contains the Oracle System ID (SID) of the created DB instance. Not shown when the\n         returned parameters do not apply to an Oracle DB instance. </p>"
+            "smithy.api#documentation": "<p>The meaning of this parameter differs according to the database engine you use.</p>\n         <p>\n            <b>MySQL, MariaDB, SQL Server, PostgreSQL</b>\n         </p>\n         <p>Contains the name of the initial database of this instance that was provided at create\n         time, if one was specified when the DB instance was created. This same name is returned for\n         the life of the DB instance.</p>\n         <p>\n            <b>Oracle</b>\n         </p>\n         <p>Contains the Oracle System ID (SID) of the created DB instance. Not shown when the\n         returned parameters don't apply to an Oracle DB instance. </p>"
           }
         },
         "DeletionProtection": {
@@ -18983,7 +18983,7 @@
         "WorkflowStatus": {
           "target": "com.amazonaws.securityhub#StringFilterList",
           "traits": {
-            "smithy.api#documentation": "<p>The status of the investigation into a finding. Allowed values are the following.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>NEW</code> - The initial state of a finding, before it is reviewed.</p>\n               <p>Security Hub also resets the workflow status from <code>NOTIFIED</code> or\n                  <code>RESOLVED</code> to <code>NEW</code> in the following cases:</p>\n               <ul>\n                  <li>\n                     <p>\n                        <code>RecordState</code> changes from <code>ARCHIVED</code> to <code>ACTIVE</code>.</p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>Compliance.Status</code> changes from <code>PASSED</code> to either <code>WARNING</code>,\n                        <code>FAILED</code>, or <code>NOT_AVAILABLE</code>.</p>\n                  </li>\n               </ul>\n            </li>\n            <li>\n               <p>\n                  <code>NOTIFIED</code> - Indicates that the resource owner has been notified about\n               the security issue. Used when the initial reviewer is not the resource owner, and\n               needs intervention from the resource owner.</p>\n               <p>If one of the following occurs, the workflow status is changed automatically from\n               <code>NOTIFIED</code> to <code>NEW</code>:</p>\n               <ul>\n                  <li>\n                     <p>\n                        <code>RecordState</code> changes from <code>ARCHIVED</code> to\n                     <code>ACTIVE</code>.</p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>Compliance.Status</code> changes from <code>PASSED</code> to <code>FAILED</code>,\n                     <code>WARNING</code>, or <code>NOT_AVAILABLE</code>.</p>\n                  </li>\n               </ul>\n            </li>\n            <li>\n               <p>\n                  <code>SUPPRESSED</code> - Indicates that you reviewed the finding and do not believe that any action is\n               needed.</p>\n               <p>The workflow status of a <code>SUPPRESSED</code> finding does not change if\n               <code>RecordState</code> changes from <code>ARCHIVED</code> to\n               <code>ACTIVE</code>.</p>\n            </li>\n            <li>\n               <p>\n                  <code>RESOLVED</code> - The finding was reviewed and remediated and is now\n               considered resolved. </p>\n               <p>The finding remains <code>RESOLVED</code> unless one of the following occurs:</p>\n               <ul>\n                  <li>\n                     <p>\n                        <code>RecordState</code> changes from <code>ARCHIVED</code> to\n                     <code>ACTIVE</code>.</p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>Compliance.Status</code> changes from <code>PASSED</code> to <code>FAILED</code>,\n                     <code>WARNING</code>, or <code>NOT_AVAILABLE</code>.</p>\n                  </li>\n               </ul>\n               <p>In those cases, the workflow status is automatically reset to <code>NEW</code>.</p>\n               <p>For findings from controls, if <code>Compliance.Status</code> is <code>PASSED</code>,\n               then Security Hub automatically sets the workflow status to <code>RESOLVED</code>.</p>\n            </li>\n         </ul>"
+            "smithy.api#documentation": "<p>The status of the investigation into a finding. Allowed values are the following.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>NEW</code> - The initial state of a finding, before it is reviewed.</p>\n               <p>Security Hub also resets the workflow status from <code>NOTIFIED</code> or\n                  <code>RESOLVED</code> to <code>NEW</code> in the following cases:</p>\n               <ul>\n                  <li>\n                     <p>\n                        <code>RecordState</code> changes from <code>ARCHIVED</code> to <code>ACTIVE</code>.</p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>Compliance.Status</code> changes from <code>PASSED</code> to either <code>WARNING</code>,\n                        <code>FAILED</code>, or <code>NOT_AVAILABLE</code>.</p>\n                  </li>\n               </ul>\n            </li>\n            <li>\n               <p>\n                  <code>NOTIFIED</code> - Indicates that the resource owner has been notified about\n               the security issue. Used when the initial reviewer is not the resource owner, and\n               needs intervention from the resource owner.</p>\n               <p>If one of the following occurs, the workflow status is changed automatically from\n               <code>NOTIFIED</code> to <code>NEW</code>:</p>\n               <ul>\n                  <li>\n                     <p>\n                        <code>RecordState</code> changes from <code>ARCHIVED</code> to\n                     <code>ACTIVE</code>.</p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>Compliance.Status</code> changes from <code>PASSED</code> to <code>FAILED</code>,\n                     <code>WARNING</code>, or <code>NOT_AVAILABLE</code>.</p>\n                  </li>\n               </ul>\n            </li>\n            <li>\n               <p>\n                  <code>SUPPRESSED</code> - Indicates that you reviewed the finding and don't believe that any action is\n               needed.</p>\n               <p>The workflow status of a <code>SUPPRESSED</code> finding does not change if\n               <code>RecordState</code> changes from <code>ARCHIVED</code> to\n               <code>ACTIVE</code>.</p>\n            </li>\n            <li>\n               <p>\n                  <code>RESOLVED</code> - The finding was reviewed and remediated and is now\n               considered resolved. </p>\n               <p>The finding remains <code>RESOLVED</code> unless one of the following occurs:</p>\n               <ul>\n                  <li>\n                     <p>\n                        <code>RecordState</code> changes from <code>ARCHIVED</code> to\n                     <code>ACTIVE</code>.</p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>Compliance.Status</code> changes from <code>PASSED</code> to <code>FAILED</code>,\n                     <code>WARNING</code>, or <code>NOT_AVAILABLE</code>.</p>\n                  </li>\n               </ul>\n               <p>In those cases, the workflow status is automatically reset to <code>NEW</code>.</p>\n               <p>For findings from controls, if <code>Compliance.Status</code> is <code>PASSED</code>,\n               then Security Hub automatically sets the workflow status to <code>RESOLVED</code>.</p>\n            </li>\n         </ul>"
           }
         },
         "RecordState": {
@@ -19082,7 +19082,7 @@
         "ComplianceSecurityControlId": {
           "target": "com.amazonaws.securityhub#StringFilterList",
           "traits": {
-            "smithy.api#documentation": "<p>\n         The unique identifier of a control across standards. Values for this field typically consist of an \n         Amazon Web Servicesservice and a number, such as APIGateway.5.\n      </p>"
+            "smithy.api#documentation": "<p>\n         The unique identifier of a control across standards. Values for this field typically consist of an \n         Amazon Web Services service and a number, such as APIGateway.5.\n      </p>"
           }
         },
         "ComplianceAssociatedStandardsId": {
@@ -20188,13 +20188,13 @@
         "OverrideAction": {
           "target": "com.amazonaws.securityhub#WafOverrideAction",
           "traits": {
-            "smithy.api#documentation": "<p>Use the <code>OverrideAction</code> to test your <code>RuleGroup</code>.</p>\n         <p>Any rule in a <code>RuleGroup</code> can potentially block a request. If you set the <code>OverrideAction</code> to\n            <code>None</code>, the <code>RuleGroup</code> blocks a request if any individual rule in the <code>RuleGroup</code>\n         matches the request and is configured to block that request.</p>\n         <p>However, if you first want to test the <code>RuleGroup</code>,\n         set the <code>OverrideAction</code> to <code>Count</code>. The <code>RuleGroup</code>\n         then overrides any block action specified by individual rules contained within the group.\n         Instead of blocking matching requests, those requests are counted.</p>\n         <p>\n            <code>ActivatedRule</code>|<code>OverrideAction</code> applies only when updating or\n         adding a <code>RuleGroup</code>\n         to a web ACL. In this case you do not use <code>ActivatedRule</code>\n            <code>Action</code>. For all other update requests,\n            <code>ActivatedRule</code>\n            <code>Action</code> is used instead of <code>ActivatedRule</code>\n            <code>OverrideAction</code>.</p>"
+            "smithy.api#documentation": "<p>Use the <code>OverrideAction</code> to test your <code>RuleGroup</code>.</p>\n         <p>Any rule in a <code>RuleGroup</code> can potentially block a request. If you set the <code>OverrideAction</code> to\n            <code>None</code>, the <code>RuleGroup</code> blocks a request if any individual rule in the <code>RuleGroup</code>\n         matches the request and is configured to block that request.</p>\n         <p>However, if you first want to test the <code>RuleGroup</code>,\n         set the <code>OverrideAction</code> to <code>Count</code>. The <code>RuleGroup</code>\n         then overrides any block action specified by individual rules contained within the group.\n         Instead of blocking matching requests, those requests are counted.</p>\n         <p>\n            <code>ActivatedRule</code>|<code>OverrideAction</code> applies only when updating or\n         adding a <code>RuleGroup</code>\n         to a web ACL. In this case you don't use <code>ActivatedRule</code>\n            <code>Action</code>. For all other update requests,\n            <code>ActivatedRule</code>\n            <code>Action</code> is used instead of <code>ActivatedRule</code>\n            <code>OverrideAction</code>.</p>"
           }
         },
         "Priority": {
           "target": "com.amazonaws.securityhub#Integer",
           "traits": {
-            "smithy.api#documentation": "<p>Specifies the order in which the rules in a web\n         ACL are evaluated. Rules with a lower value for <code>Priority</code> are\n         evaluated before rules with a higher value. The value must be a unique integer. If you add\n         multiple rules to a web ACL, the values do not need to be consecutive.</p>"
+            "smithy.api#documentation": "<p>Specifies the order in which the rules in a web\n         ACL are evaluated. Rules with a lower value for <code>Priority</code> are\n         evaluated before rules with a higher value. The value must be a unique integer. If you add\n         multiple rules to a web ACL, the values don't need to be consecutive.</p>"
           }
         },
         "RuleId": {
@@ -21625,7 +21625,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Used by Security Hub customers to update information about their investigation into a finding.\n         Requested by administrator accounts or member accounts. Administrator accounts can update findings for\n         their account and their member accounts. Member accounts can update findings for their\n         account.</p>\n         <p>Updates from <code>BatchUpdateFindings</code> do not affect the value of\n            <code>UpdatedAt</code> for a finding.</p>\n         <p>Administrator and member accounts can use <code>BatchUpdateFindings</code> to update the\n         following finding fields and objects.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>Confidence</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>Criticality</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>Note</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>RelatedFindings</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>Severity</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>Types</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>UserDefinedFields</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>VerificationState</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>Workflow</code>\n               </p>\n            </li>\n         </ul>\n         <p>You can configure IAM policies to restrict access to fields and field values. For\n         example, you might not want member accounts to be able to suppress findings or change the\n         finding severity. See <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/finding-update-batchupdatefindings.html#batchupdatefindings-configure-access\">Configuring access to BatchUpdateFindings</a> in the\n         <i>Security Hub User Guide</i>.</p>",
+        "smithy.api#documentation": "<p>Used by Security Hub customers to update information about their investigation into a finding.\n         Requested by administrator accounts or member accounts. Administrator accounts can update findings for\n         their account and their member accounts. Member accounts can update findings for their\n         account.</p>\n         <p>Updates from <code>BatchUpdateFindings</code> don't affect the value of\n            <code>UpdatedAt</code> for a finding.</p>\n         <p>Administrator and member accounts can use <code>BatchUpdateFindings</code> to update the\n         following finding fields and objects.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>Confidence</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>Criticality</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>Note</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>RelatedFindings</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>Severity</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>Types</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>UserDefinedFields</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>VerificationState</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>Workflow</code>\n               </p>\n            </li>\n         </ul>\n         <p>You can configure IAM policies to restrict access to fields and field values. For\n         example, you might not want member accounts to be able to suppress findings or change the\n         finding severity. See <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/finding-update-batchupdatefindings.html#batchupdatefindings-configure-access\">Configuring access to BatchUpdateFindings</a> in the\n         <i>Security Hub User Guide</i>.</p>",
         "smithy.api#examples": [
           {
             "title": "To update Security Hub findings",
@@ -22189,7 +22189,7 @@
         "SecurityControlId": {
           "target": "com.amazonaws.securityhub#NonEmptyString",
           "traits": {
-            "smithy.api#documentation": "<p>\n         Typically provides the unique identifier of a control across standards. For Security Hub controls, this field consists of an \n          Amazon Web Servicesservice and a unique number, such as <code>APIGateway.5</code>.\n      </p>"
+            "smithy.api#documentation": "<p>\n         Typically provides the unique identifier of a control across standards. For Security Hub controls, this field consists of an \n          Amazon Web Services service and a unique number, such as <code>APIGateway.5</code>.\n      </p>"
           }
         },
         "AssociatedStandards": {
@@ -23045,7 +23045,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Used to enable finding aggregation. Must be called from the aggregation Region.</p>\n         <p>For more details about cross-Region replication, see <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html\">Configuring finding aggregation</a> in the <i>Security Hub User Guide</i>.\n      </p>",
+        "smithy.api#documentation": "<note>\n            <p>The <i>aggregation Region</i> is now called the <i>home Region</i>.</p>\n         </note>\n         <p>Used to enable cross-Region aggregation. This operation can be invoked from the home Region only.</p>\n         <p>For information about how cross-Region aggregation works, see <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html\">Understanding cross-Region aggregation in Security Hub</a> in the <i>Security Hub User Guide</i>.\n      </p>",
         "smithy.api#examples": [
           {
             "title": "To enable cross-Region aggregation",
@@ -23083,7 +23083,7 @@
         "Regions": {
           "target": "com.amazonaws.securityhub#StringList",
           "traits": {
-            "smithy.api#documentation": "<p>If <code>RegionLinkingMode</code> is <code>ALL_REGIONS_EXCEPT_SPECIFIED</code>, then this is a space-separated list of Regions that do not aggregate findings to the aggregation Region.</p>\n         <p>If <code>RegionLinkingMode</code> is <code>SPECIFIED_REGIONS</code>, then this is a space-separated list of Regions that do aggregate findings to the aggregation Region.\n      </p>\n         <p>An <code>InvalidInputException</code> error results if you populate this field while <code>RegionLinkingMode</code> is \n           <code>NO_REGIONS</code>.</p>"
+            "smithy.api#documentation": "<p>If <code>RegionLinkingMode</code> is <code>ALL_REGIONS_EXCEPT_SPECIFIED</code>, then this is a space-separated list of Regions that don't replicate and send findings to the home Region.</p>\n         <p>If <code>RegionLinkingMode</code> is <code>SPECIFIED_REGIONS</code>, then this is a space-separated list of Regions that do replicate and send findings to the home Region.\n      </p>\n         <p>An <code>InvalidInputException</code> error results if you populate this field while <code>RegionLinkingMode</code> is \n           <code>NO_REGIONS</code>.</p>"
           }
         }
       },
@@ -23097,13 +23097,13 @@
         "FindingAggregatorArn": {
           "target": "com.amazonaws.securityhub#NonEmptyString",
           "traits": {
-            "smithy.api#documentation": "<p>The ARN of the finding aggregator. You use the finding aggregator ARN to retrieve details for, update, and stop finding aggregation.</p>"
+            "smithy.api#documentation": "<p>The ARN of the finding aggregator. You use the finding aggregator ARN to retrieve details for, update, and stop cross-Region aggregation.</p>"
           }
         },
         "FindingAggregationRegion": {
           "target": "com.amazonaws.securityhub#NonEmptyString",
           "traits": {
-            "smithy.api#documentation": "<p>The aggregation Region.</p>"
+            "smithy.api#documentation": "<p>The home Region. Findings generated in linked Regions are replicated and sent to the home Region.</p>"
           }
         },
         "RegionLinkingMode": {
@@ -23261,7 +23261,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Creates a member association in Security Hub between the specified accounts and the account\n         used to make the request, which is the administrator account. If you are integrated with\n         Organizations, then the administrator account is designated by the organization management account.</p>\n         <p>\n            <code>CreateMembers</code> is always used to add accounts that are not organization\n         members.</p>\n         <p>For accounts that are managed using Organizations, <code>CreateMembers</code> is only used\n         in the following cases:</p>\n         <ul>\n            <li>\n               <p>Security Hub is not configured to automatically add new organization accounts.</p>\n            </li>\n            <li>\n               <p>The account was disassociated or deleted in Security Hub.</p>\n            </li>\n         </ul>\n         <p>This action can only be used by an account that has Security Hub enabled. To enable Security Hub, you\n         can use the <code>EnableSecurityHub</code> operation.</p>\n         <p>For accounts that are not organization members, you create the account association and\n         then send an invitation to the member account. To send the invitation, you use the\n               <code>InviteMembers</code> operation. If the account owner accepts\n         the invitation, the account becomes a member account in Security Hub.</p>\n         <p>Accounts that are managed using Organizations do not receive an invitation. They\n         automatically become a member account in Security Hub.</p>\n         <ul>\n            <li>\n               <p>If the organization account does not have Security Hub enabled, then Security Hub and the default standards are automatically enabled. Note that Security Hub cannot be enabled automatically for the organization management account. The organization management account must enable Security Hub before the administrator account enables it as a member account.</p>\n            </li>\n            <li>\n               <p>For organization accounts that already have Security Hub enabled, Security Hub does not make any other changes to those accounts. It does not change their enabled standards or controls.</p>\n            </li>\n         </ul>\n         <p>A permissions policy is added that permits the administrator account to view the findings\n         generated in the member account.</p>\n         <p>To remove the association between the administrator and member accounts, use the <code>DisassociateFromMasterAccount</code> or <code>DisassociateMembers</code> operation.</p>",
+        "smithy.api#documentation": "<p>Creates a member association in Security Hub between the specified accounts and the account\n         used to make the request, which is the administrator account. If you are integrated with\n         Organizations, then the administrator account is designated by the organization management account.</p>\n         <p>\n            <code>CreateMembers</code> is always used to add accounts that are not organization\n         members.</p>\n         <p>For accounts that are managed using Organizations, <code>CreateMembers</code> is only used\n         in the following cases:</p>\n         <ul>\n            <li>\n               <p>Security Hub is not configured to automatically add new organization accounts.</p>\n            </li>\n            <li>\n               <p>The account was disassociated or deleted in Security Hub.</p>\n            </li>\n         </ul>\n         <p>This action can only be used by an account that has Security Hub enabled. To enable Security Hub, you\n         can use the <code>EnableSecurityHub</code> operation.</p>\n         <p>For accounts that are not organization members, you create the account association and\n         then send an invitation to the member account. To send the invitation, you use the\n               <code>InviteMembers</code> operation. If the account owner accepts\n         the invitation, the account becomes a member account in Security Hub.</p>\n         <p>Accounts that are managed using Organizations don't receive an invitation. They\n         automatically become a member account in Security Hub.</p>\n         <ul>\n            <li>\n               <p>If the organization account does not have Security Hub enabled, then Security Hub and the default standards are automatically enabled. Note that Security Hub cannot be enabled automatically for the organization management account. The organization management account must enable Security Hub before the administrator account enables it as a member account.</p>\n            </li>\n            <li>\n               <p>For organization accounts that already have Security Hub enabled, Security Hub does not make any other changes to those accounts. It does not change their enabled standards or controls.</p>\n            </li>\n         </ul>\n         <p>A permissions policy is added that permits the administrator account to view the findings\n         generated in the member account.</p>\n         <p>To remove the association between the administrator and member accounts, use the <code>DisassociateFromMasterAccount</code> or <code>DisassociateMembers</code> operation.</p>",
         "smithy.api#examples": [
           {
             "title": "To add a member account",
@@ -23541,7 +23541,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Declines invitations to become a member account.</p>\n         <p>A prospective member account uses this operation to decline an invitation to become a member.</p>\n         <p>This operation is only called by member accounts that aren't part of an organization.\n         Organization accounts don't receive invitations.</p>",
+        "smithy.api#documentation": "<note>\n            <p>We recommend using Organizations instead of Security Hub invitations to manage your member accounts. \n           For information, see <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html\">Managing Security Hub administrator and member accounts with Organizations</a> \n           in the <i>Security Hub User Guide</i>.</p>\n         </note>\n         <p>Declines invitations to become a Security Hub member account.</p>\n         <p>A prospective member account uses this operation to decline an invitation to become a member.</p>\n         <p>Only member accounts that aren't part of an Amazon Web Services organization should use this operation.\n         Organization accounts don't receive invitations.</p>",
         "smithy.api#examples": [
           {
             "title": "To decline invitation to become a member account",
@@ -23767,7 +23767,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Deletes a finding aggregator. When you delete the finding aggregator, you stop finding aggregation.</p>\n         <p>When you stop finding aggregation, findings that were already aggregated to the aggregation Region are still visible from the aggregation Region. New findings and finding updates are not aggregated.\n      </p>",
+        "smithy.api#documentation": "<note>\n            <p>The <i>aggregation Region</i> is now called the <i>home Region</i>.</p>\n         </note>\n         <p>Deletes a finding aggregator. When you delete the finding aggregator, you stop cross-Region aggregation. Finding replication stops \noccurring from the linked Regions to the home Region.</p>\n         <p>When you stop cross-Region aggregation, findings that were already replicated and sent to the home Region are still visible from \n        the home Region. However, new findings and finding updates are no longer replicated and sent to the home Region.\n      </p>",
         "smithy.api#examples": [
           {
             "title": "To delete a finding aggregator",
@@ -23911,7 +23911,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Deletes invitations received by the Amazon Web Services account to become a member account.</p>\n         <p>A Security Hub administrator account can use this operation to delete invitations sent to one or more member accounts.</p>\n         <p>This operation is only used to delete invitations that are sent to member accounts that aren't part of an organization.\n         Organization accounts don't receive invitations.</p>",
+        "smithy.api#documentation": "<note>\n            <p>We recommend using Organizations instead of Security Hub invitations to manage your member accounts. \n           For information, see <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html\">Managing Security Hub administrator and member accounts with Organizations</a> \n           in the <i>Security Hub User Guide</i>.</p>\n         </note>\n         <p>Deletes invitations to become a Security Hub member account.</p>\n         <p>A Security Hub administrator account can use this operation to delete invitations sent to one or more prospective member accounts.</p>\n         <p>This operation is only used to delete invitations that are sent to prospective member accounts that aren't part of an Amazon Web Services organization.\n         Organization accounts don't receive invitations.</p>",
         "smithy.api#examples": [
           {
             "title": "To delete a custom insight",
@@ -24341,7 +24341,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Returns information about product integrations in Security Hub.</p>\n         <p>You can optionally provide an integration ARN. If you provide an integration ARN, then\n         the results only include that integration.</p>\n         <p>If you do not provide an integration ARN, then the results include all of the available\n         product integrations. </p>",
+        "smithy.api#documentation": "<p>Returns information about product integrations in Security Hub.</p>\n         <p>You can optionally provide an integration ARN. If you provide an integration ARN, then\n         the results only include that integration.</p>\n         <p>If you don't provide an integration ARN, then the results include all of the available\n         product integrations. </p>",
         "smithy.api#examples": [
           {
             "title": "To get information about Security Hub integrations",
@@ -25257,7 +25257,7 @@
         "EnableDefaultStandards": {
           "target": "com.amazonaws.securityhub#Boolean",
           "traits": {
-            "smithy.api#documentation": "<p>Whether to enable the security standards that Security Hub has designated as automatically\n         enabled. If you do not provide a value for <code>EnableDefaultStandards</code>, it is set\n         to <code>true</code>. To not enable the automatically enabled standards, set\n            <code>EnableDefaultStandards</code> to <code>false</code>.</p>"
+            "smithy.api#documentation": "<p>Whether to enable the security standards that Security Hub has designated as automatically\n         enabled. If you don't provide a value for <code>EnableDefaultStandards</code>, it is set\n         to <code>true</code>. To not enable the automatically enabled standards, set\n            <code>EnableDefaultStandards</code> to <code>false</code>.</p>"
           }
         },
         "ControlFindingGenerator": {
@@ -25394,7 +25394,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A finding aggregator. A finding aggregator contains the configuration for finding aggregation.</p>"
+        "smithy.api#documentation": "<p>A finding aggregator is a Security Hub resource that specifies cross-Region aggregation settings, including the \nhome Region and any linked Regions.</p>"
       }
     },
     "com.amazonaws.securityhub#FindingAggregatorList": {
@@ -25424,7 +25424,7 @@
         "UpdateSource": {
           "target": "com.amazonaws.securityhub#FindingHistoryUpdateSource",
           "traits": {
-            "smithy.api#documentation": "<p> Identifies the source of the event that changed the finding. For example, an integrated\n                Amazon Web Servicesservice or third-party partner integration may call <a href=\"https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html\">\n               <code>BatchImportFindings</code>\n            </a>, or an Security Hub customer\n            may call <a href=\"https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html\">\n               <code>BatchUpdateFindings</code>\n            </a>. </p>"
+            "smithy.api#documentation": "<p> Identifies the source of the event that changed the finding. For example, an integrated\n                Amazon Web Services service or third-party partner integration may call <a href=\"https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html\">\n               <code>BatchImportFindings</code>\n            </a>, or an Security Hub customer\n            may call <a href=\"https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html\">\n               <code>BatchUpdateFindings</code>\n            </a>. </p>"
           }
         },
         "Updates": {
@@ -25482,7 +25482,7 @@
         "Type": {
           "target": "com.amazonaws.securityhub#FindingHistoryUpdateSourceType",
           "traits": {
-            "smithy.api#documentation": "<p>\n         Describes the type of finding change event, such as a call to <a href=\"https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html\">\n               <code>BatchImportFindings</code>\n            </a> (by an integrated Amazon Web Servicesservice or third party partner integration) or <a href=\"https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html\">\n               <code>BatchUpdateFindings</code>\n            </a> (by a Security Hub customer). \n      </p>"
+            "smithy.api#documentation": "<p>\n         Describes the type of finding change event, such as a call to <a href=\"https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html\">\n               <code>BatchImportFindings</code>\n            </a> (by an integrated Amazon Web Services service or third party partner integration) or <a href=\"https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html\">\n               <code>BatchUpdateFindings</code>\n            </a> (by a Security Hub customer). \n      </p>"
           }
         },
         "Identity": {
@@ -26184,7 +26184,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Returns the current finding aggregation configuration.</p>",
+        "smithy.api#documentation": "<note>\n            <p>The <i>aggregation Region</i> is now called the <i>home Region</i>.</p>\n         </note>\n         <p>Returns the current configuration in the calling account for cross-Region aggregation. A finding aggregator is a resource that establishes \nthe home Region and any linked Regions.</p>",
         "smithy.api#examples": [
           {
             "title": "To get cross-Region aggregation details",
@@ -26235,7 +26235,7 @@
         "FindingAggregationRegion": {
           "target": "com.amazonaws.securityhub#NonEmptyString",
           "traits": {
-            "smithy.api#documentation": "<p>The aggregation Region.</p>"
+            "smithy.api#documentation": "<p>The home Region. Findings generated in linked Regions are replicated and sent to the home Region.</p>"
           }
         },
         "RegionLinkingMode": {
@@ -26374,7 +26374,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Returns a list of findings that match the specified criteria.</p>\n         <p>If finding aggregation is enabled, then when you call <code>GetFindings</code> from the aggregation Region, the results include all of the matching findings from both the aggregation Region and the linked Regions.</p>",
+        "smithy.api#documentation": "<p>Returns a list of findings that match the specified criteria.</p>\n         <p>If cross-Region aggregation is enabled, then when you call <code>GetFindings</code> from the home Region, the results include all of the matching findings from both the home Region and linked Regions.</p>",
         "smithy.api#examples": [
           {
             "title": "To get a list of findings",
@@ -26716,7 +26716,7 @@
         "InsightArns": {
           "target": "com.amazonaws.securityhub#ArnList",
           "traits": {
-            "smithy.api#documentation": "<p>The ARNs of the insights to describe. If you do not provide any insight ARNs, then\n            <code>GetInsights</code> returns all of your custom insights. It does not return any\n         managed insights.</p>"
+            "smithy.api#documentation": "<p>The ARNs of the insights to describe. If you don't provide any insight ARNs, then\n            <code>GetInsights</code> returns all of your custom insights. It does not return any\n         managed insights.</p>"
           }
         },
         "NextToken": {
@@ -26781,7 +26781,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Returns the count of all Security Hub membership invitations that were sent to the\n         current member account, not including the currently accepted invitation. </p>",
+        "smithy.api#documentation": "<note>\n            <p>We recommend using Organizations instead of Security Hub invitations to manage your member accounts. \n           For information, see <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html\">Managing Security Hub administrator and member accounts with Organizations</a> \n           in the <i>Security Hub User Guide</i>.</p>\n         </note>\n         <p>Returns the count of all Security Hub membership invitations that were sent to the\n         calling member account, not including the currently accepted invitation. </p>",
         "smithy.api#examples": [
           {
             "title": "To get a count of membership invitations",
@@ -27418,7 +27418,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Invites other Amazon Web Services accounts to become member accounts for the Security Hub administrator account that\n         the invitation is sent from.</p>\n         <p>This operation is only used to invite accounts that do not belong to an organization.\n         Organization accounts do not receive invitations.</p>\n         <p>Before you can use this action to invite a member, you must first use the <code>CreateMembers</code> action to create the member account in Security Hub.</p>\n         <p>When the account owner enables Security Hub and accepts the invitation to become a member\n         account, the administrator account can view the findings generated from the member account.</p>",
+        "smithy.api#documentation": "<note>\n            <p>We recommend using Organizations instead of Security Hub invitations to manage your member accounts. \n           For information, see <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html\">Managing Security Hub administrator and member accounts with Organizations</a> \n           in the <i>Security Hub User Guide</i>.</p>\n         </note>\n         <p>Invites other Amazon Web Services accounts to become member accounts for the Security Hub administrator account that\n         the invitation is sent from.</p>\n         <p>This operation is only used to invite accounts that don't belong to an Amazon Web Services organization.\n         Organization accounts don't receive invitations.</p>\n         <p>Before you can use this action to invite a member, you must first use the <code>CreateMembers</code> action to create the member account in Security Hub.</p>\n         <p>When the account owner enables Security Hub and accepts the invitation to become a member\n         account, the administrator account can view the findings generated in the member account.</p>",
         "smithy.api#examples": [
           {
             "title": "To invite accounts to become members",
@@ -28030,7 +28030,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>If finding aggregation is enabled, then <code>ListFindingAggregators</code> returns the ARN of the finding aggregator. You can run this operation from any Region.</p>",
+        "smithy.api#documentation": "<p>If cross-Region aggregation is enabled, then <code>ListFindingAggregators</code> returns the Amazon Resource Name (ARN) \nof the finding aggregator. You can run this operation from any Amazon Web Services Region.</p>",
         "smithy.api#examples": [
           {
             "title": "To update the enablement status of a standard control",
@@ -28122,7 +28122,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Lists all Security Hub membership invitations that were sent to the current Amazon Web Services account.</p>\n         <p>This operation is only used by accounts that are managed by invitation.\n         Accounts that are managed using the integration with Organizations do not receive invitations.</p>",
+        "smithy.api#documentation": "<note>\n            <p>We recommend using Organizations instead of Security Hub invitations to manage your member accounts. \n           For information, see <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts-orgs.html\">Managing Security Hub administrator and member accounts with Organizations</a> \n           in the <i>Security Hub User Guide</i>.</p>\n         </note>\n         <p>Lists all Security Hub membership invitations that were sent to the calling account.</p>\n         <p>Only accounts that are managed by invitation can use this operation.\n         Accounts that are managed using the integration with Organizations don't receive invitations.</p>",
         "smithy.api#http": {
           "method": "GET",
           "uri": "/invitations",
@@ -29680,7 +29680,7 @@
         "SecurityHub": {
           "target": "com.amazonaws.securityhub#SecurityHubPolicy",
           "traits": {
-            "smithy.api#documentation": "<p>\n            The Amazon Web Servicesservice that the configuration policy applies to.\n        </p>"
+            "smithy.api#documentation": "<p>\n            The Amazon Web Services service that the configuration policy applies to.\n        </p>"
           }
         }
       },
@@ -30875,7 +30875,7 @@
         "DestinationPrefixListId": {
           "target": "com.amazonaws.securityhub#NonEmptyString",
           "traits": {
-            "smithy.api#documentation": "<p>\n         The prefix of the destination Amazon Web Servicesservice.\n      </p>"
+            "smithy.api#documentation": "<p>\n         The prefix of the destination Amazon Web Services service.\n      </p>"
           }
         },
         "EgressOnlyInternetGatewayId": {
@@ -31482,7 +31482,7 @@
           "target": "com.amazonaws.securityhub#NonEmptyString",
           "traits": {
             "smithy.api#clientOptional": {},
-            "smithy.api#documentation": "<p>\n         The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Servicesservice name and a \n         number, such as APIGateway.3.\n      </p>",
+            "smithy.api#documentation": "<p>\n         The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a \n         number, such as APIGateway.3.\n      </p>",
             "smithy.api#required": {}
           }
         },
@@ -31590,7 +31590,7 @@
           "target": "com.amazonaws.securityhub#NonEmptyString",
           "traits": {
             "smithy.api#clientOptional": {},
-            "smithy.api#documentation": "<p>\n         The unique identifier of a security control across standards. Values for this field typically consist of an \n         Amazon Web Servicesservice name and a number (for example, APIGateway.3). This parameter differs from \n         <code>SecurityControlArn</code>, which is a unique Amazon Resource Name (ARN) assigned to a control. The \n         ARN references the security control ID (for example, arn:aws:securityhub:eu-central-1:123456789012:security-control/APIGateway.3).\n      </p>",
+            "smithy.api#documentation": "<p>\n         The unique identifier of a security control across standards. Values for this field typically consist of an \n         Amazon Web Services service name and a number (for example, APIGateway.3). This parameter differs from \n         <code>SecurityControlArn</code>, which is a unique Amazon Resource Name (ARN) assigned to a control. The \n         ARN references the security control ID (for example, arn:aws:securityhub:eu-central-1:123456789012:security-control/APIGateway.3).\n      </p>",
             "smithy.api#required": {}
           }
         },
@@ -31986,7 +31986,7 @@
           "name": "securityhub"
         },
         "aws.protocols#restJson1": {},
-        "smithy.api#documentation": "<p>Security Hub provides you with a comprehensive view of your security state in Amazon Web Services and helps \n           you assess your Amazon Web Services environment against security industry standards and best practices.</p>\n         <p>Security Hub collects security data across Amazon Web Services accounts, Amazon Web Servicesservices, and \n            supported third-party products and helps you analyze your security trends and identify the highest priority security \n            issues.</p>\n         <p>To help you manage the security state of your organization, Security Hub supports multiple security standards. \n           These include the Amazon Web Services Foundational Security Best Practices (FSBP) standard developed by Amazon Web Services, \n            and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data \n            Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes \n            several security controls, each of which represents a security best practice. Security Hub runs checks against \n            security controls and generates control findings to help you assess your compliance against security best practices.</p>\n         <p>In addition to generating control findings, Security Hub also receives findings from other Amazon Web Servicesservices, \n            such as Amazon GuardDuty and Amazon Inspector, and \n            supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You \n            can also send Security Hub findings to other Amazon Web Servicesservices and supported third-party products.</p>\n         <p>Security Hub offers automation features that help you triage and remediate security issues. For example, \n           you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with \n           Amazon EventBridge  to trigger automatic responses to specific findings.</p>\n         <p>This guide, the <i>Security Hub API Reference</i>, provides\n           information about the Security Hub API. This includes supported resources, HTTP methods, parameters,\n           and schemas. If you're new to Security Hub, you might find it helpful to also review the <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html\">\n               <i>Security Hub User Guide</i>\n            </a>. The\n           user guide explains key concepts and provides procedures\n           that demonstrate how to use Security Hub features. It also provides information about topics such as\n           integrating Security Hub with other Amazon Web Servicesservices.</p>\n         <p>In addition to interacting with Security Hub  by making calls to the Security Hub API, you can\n           use a current version of an Amazon Web Services command line tool or SDK. Amazon Web Services provides tools \n            and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell,\n           Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to\n           Security Hub  and other Amazon Web Servicesservices . They also handle tasks such as signing requests, \n           managing errors, and retrying requests automatically. For information about installing and using the Amazon Web Services  tools\n           and SDKs, see <a href=\"http://aws.amazon.com/developer/tools/\">Tools to Build on Amazon Web Services</a>.</p>\n         <p>With the exception of operations that are related to central configuration, Security Hub API requests are executed only in\n         the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change\n         that results from the operation is applied only to that Region. To make the same change in\n         other Regions, call the same API operation in each Region in which you want to apply the change. When you use central configuration, \nAPI requests for enabling Security Hub, standards, and controls are executed in the home Region and all linked Regions. For a list of \ncentral configuration operations, see the <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html#central-configuration-concepts\">Central configuration \nterms and concepts</a> section of the <i>Security Hub User Guide</i>.</p>\n         <p>The following throttling limits apply to Security Hub API operations.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>BatchEnableStandards</code> - <code>RateLimit</code> of 1 request per\n               second. <code>BurstLimit</code> of 1 request per second.</p>\n            </li>\n            <li>\n               <p>\n                  <code>GetFindings</code> - <code>RateLimit</code> of 3 requests per second.\n                  <code>BurstLimit</code> of 6 requests per second.</p>\n            </li>\n            <li>\n               <p>\n                  <code>BatchImportFindings</code> - <code>RateLimit</code> of 10 requests per second.\n            <code>BurstLimit</code> of 30 requests per second.</p>\n            </li>\n            <li>\n               <p>\n                  <code>BatchUpdateFindings</code> - <code>RateLimit</code> of 10 requests per second.\n            <code>BurstLimit</code> of 30 requests per second.</p>\n            </li>\n            <li>\n               <p>\n                  <code>UpdateStandardsControl</code> - <code>RateLimit</code> of 1 request per\n               second. <code>BurstLimit</code> of 5 requests per second.</p>\n            </li>\n            <li>\n               <p>All other operations - <code>RateLimit</code> of 10 requests per second.\n                  <code>BurstLimit</code> of 30 requests per second.</p>\n            </li>\n         </ul>",
+        "smithy.api#documentation": "<p>Security Hub provides you with a comprehensive view of your security state in Amazon Web Services and helps \n           you assess your Amazon Web Services environment against security industry standards and best practices.</p>\n         <p>Security Hub collects security data across Amazon Web Services accounts, Amazon Web Services services, and \n            supported third-party products and helps you analyze your security trends and identify the highest priority security \n            issues.</p>\n         <p>To help you manage the security state of your organization, Security Hub supports multiple security standards. \n           These include the Amazon Web Services Foundational Security Best Practices (FSBP) standard developed by Amazon Web Services, \n            and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data \n            Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes \n            several security controls, each of which represents a security best practice. Security Hub runs checks against \n            security controls and generates control findings to help you assess your compliance against security best practices.</p>\n         <p>In addition to generating control findings, Security Hub also receives findings from other Amazon Web Services services, \n            such as Amazon GuardDuty and Amazon Inspector, and \n            supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You \n            can also send Security Hub findings to other Amazon Web Services services and supported third-party products.</p>\n         <p>Security Hub offers automation features that help you triage and remediate security issues. For example, \n           you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with \n           Amazon EventBridge  to trigger automatic responses to specific findings.</p>\n         <p>This guide, the <i>Security Hub API Reference</i>, provides\n           information about the Security Hub API. This includes supported resources, HTTP methods, parameters,\n           and schemas. If you're new to Security Hub, you might find it helpful to also review the <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html\">\n               <i>Security Hub User Guide</i>\n            </a>. The\n           user guide explains key concepts and provides procedures\n           that demonstrate how to use Security Hub features. It also provides information about topics such as\n           integrating Security Hub with other Amazon Web Services services.</p>\n         <p>In addition to interacting with Security Hub  by making calls to the Security Hub API, you can\n           use a current version of an Amazon Web Services command line tool or SDK. Amazon Web Services provides tools \n            and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell,\n           Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to\n           Security Hub  and other Amazon Web Services services . They also handle tasks such as signing requests, \n           managing errors, and retrying requests automatically. For information about installing and using the Amazon Web Services  tools\n           and SDKs, see <a href=\"http://aws.amazon.com/developer/tools/\">Tools to Build on Amazon Web Services</a>.</p>\n         <p>With the exception of operations that are related to central configuration, Security Hub API requests are executed only in\n         the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change\n         that results from the operation is applied only to that Region. To make the same change in\n         other Regions, call the same API operation in each Region in which you want to apply the change. When you use central configuration, \nAPI requests for enabling Security Hub, standards, and controls are executed in the home Region and all linked Regions. For a list of \ncentral configuration operations, see the <a href=\"https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html#central-configuration-concepts\">Central configuration \nterms and concepts</a> section of the <i>Security Hub User Guide</i>.</p>\n         <p>The following throttling limits apply to Security Hub API operations.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>BatchEnableStandards</code> - <code>RateLimit</code> of 1 request per\n               second. <code>BurstLimit</code> of 1 request per second.</p>\n            </li>\n            <li>\n               <p>\n                  <code>GetFindings</code> - <code>RateLimit</code> of 3 requests per second.\n                  <code>BurstLimit</code> of 6 requests per second.</p>\n            </li>\n            <li>\n               <p>\n                  <code>BatchImportFindings</code> - <code>RateLimit</code> of 10 requests per second.\n            <code>BurstLimit</code> of 30 requests per second.</p>\n            </li>\n            <li>\n               <p>\n                  <code>BatchUpdateFindings</code> - <code>RateLimit</code> of 10 requests per second.\n            <code>BurstLimit</code> of 30 requests per second.</p>\n            </li>\n            <li>\n               <p>\n                  <code>UpdateStandardsControl</code> - <code>RateLimit</code> of 1 request per\n               second. <code>BurstLimit</code> of 5 requests per second.</p>\n            </li>\n            <li>\n               <p>All other operations - <code>RateLimit</code> of 10 requests per second.\n                  <code>BurstLimit</code> of 30 requests per second.</p>\n            </li>\n         </ul>",
         "smithy.api#title": "AWS SecurityHub",
         "smithy.rules#endpointRuleSet": {
           "version": "1.0",
@@ -33071,13 +33071,13 @@
         "Label": {
           "target": "com.amazonaws.securityhub#SeverityLabel",
           "traits": {
-            "smithy.api#documentation": "<p>The severity value of the finding. The allowed values are the following.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>INFORMATIONAL</code> - No issue was found.</p>\n            </li>\n            <li>\n               <p>\n                  <code>LOW</code> - The issue does not require action on its own.</p>\n            </li>\n            <li>\n               <p>\n                  <code>MEDIUM</code> - The issue must be addressed but not urgently.</p>\n            </li>\n            <li>\n               <p>\n                  <code>HIGH</code> - The issue must be addressed as a priority.</p>\n            </li>\n            <li>\n               <p>\n                  <code>CRITICAL</code> - The issue must be remediated immediately to avoid it\n               escalating.</p>\n            </li>\n         </ul>\n         <p>If you provide <code>Normalized</code> and do not provide <code>Label</code>, then\n            <code>Label</code> is set automatically as follows. </p>\n         <ul>\n            <li>\n               <p>0 - <code>INFORMATIONAL</code>\n               </p>\n            </li>\n            <li>\n               <p>1–39 - <code>LOW</code>\n               </p>\n            </li>\n            <li>\n               <p>40–69 - <code>MEDIUM</code>\n               </p>\n            </li>\n            <li>\n               <p>70–89 - <code>HIGH</code>\n               </p>\n            </li>\n            <li>\n               <p>90–100 - <code>CRITICAL</code>\n               </p>\n            </li>\n         </ul>"
+            "smithy.api#documentation": "<p>The severity value of the finding. The allowed values are the following.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>INFORMATIONAL</code> - No issue was found.</p>\n            </li>\n            <li>\n               <p>\n                  <code>LOW</code> - The issue does not require action on its own.</p>\n            </li>\n            <li>\n               <p>\n                  <code>MEDIUM</code> - The issue must be addressed but not urgently.</p>\n            </li>\n            <li>\n               <p>\n                  <code>HIGH</code> - The issue must be addressed as a priority.</p>\n            </li>\n            <li>\n               <p>\n                  <code>CRITICAL</code> - The issue must be remediated immediately to avoid it\n               escalating.</p>\n            </li>\n         </ul>\n         <p>If you provide <code>Normalized</code> and don't provide <code>Label</code>, then\n            <code>Label</code> is set automatically as follows. </p>\n         <ul>\n            <li>\n               <p>0 - <code>INFORMATIONAL</code>\n               </p>\n            </li>\n            <li>\n               <p>1–39 - <code>LOW</code>\n               </p>\n            </li>\n            <li>\n               <p>40–69 - <code>MEDIUM</code>\n               </p>\n            </li>\n            <li>\n               <p>70–89 - <code>HIGH</code>\n               </p>\n            </li>\n            <li>\n               <p>90–100 - <code>CRITICAL</code>\n               </p>\n            </li>\n         </ul>"
           }
         },
         "Normalized": {
           "target": "com.amazonaws.securityhub#Integer",
           "traits": {
-            "smithy.api#documentation": "<p>Deprecated. The normalized severity of a finding.\n         Instead of providing <code>Normalized</code>, provide <code>Label</code>.</p>\n         <p>The value of <code>Normalized</code> can be an integer between <code>0</code> and <code>100</code>.</p>\n         <p>If you provide <code>Label</code> and do not provide <code>Normalized</code>, then\n            <code>Normalized</code> is set automatically as follows.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>INFORMATIONAL</code> - 0</p>\n            </li>\n            <li>\n               <p>\n                  <code>LOW</code> - 1</p>\n            </li>\n            <li>\n               <p>\n                  <code>MEDIUM</code> - 40</p>\n            </li>\n            <li>\n               <p>\n                  <code>HIGH</code> - 70</p>\n            </li>\n            <li>\n               <p>\n                  <code>CRITICAL</code> - 90</p>\n            </li>\n         </ul>"
+            "smithy.api#documentation": "<p>Deprecated. The normalized severity of a finding.\n         Instead of providing <code>Normalized</code>, provide <code>Label</code>.</p>\n         <p>The value of <code>Normalized</code> can be an integer between <code>0</code> and <code>100</code>.</p>\n         <p>If you provide <code>Label</code> and don't provide <code>Normalized</code>, then\n            <code>Normalized</code> is set automatically as follows.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>INFORMATIONAL</code> - 0</p>\n            </li>\n            <li>\n               <p>\n                  <code>LOW</code> - 1</p>\n            </li>\n            <li>\n               <p>\n                  <code>MEDIUM</code> - 40</p>\n            </li>\n            <li>\n               <p>\n                  <code>HIGH</code> - 70</p>\n            </li>\n            <li>\n               <p>\n                  <code>CRITICAL</code> - 90</p>\n            </li>\n         </ul>"
           }
         },
         "Original": {
@@ -33161,7 +33161,7 @@
         "Normalized": {
           "target": "com.amazonaws.securityhub#RatioScale",
           "traits": {
-            "smithy.api#documentation": "<p>The normalized severity for the finding. This attribute is to be deprecated in favor of\n            <code>Label</code>.</p>\n         <p>If you provide <code>Normalized</code> and do not provide <code>Label</code>,\n            <code>Label</code> is set automatically as follows.</p>\n         <ul>\n            <li>\n               <p>0 - <code>INFORMATIONAL</code>\n               </p>\n            </li>\n            <li>\n               <p>1–39 - <code>LOW</code>\n               </p>\n            </li>\n            <li>\n               <p>40–69 - <code>MEDIUM</code>\n               </p>\n            </li>\n            <li>\n               <p>70–89 - <code>HIGH</code>\n               </p>\n            </li>\n            <li>\n               <p>90–100 - <code>CRITICAL</code>\n               </p>\n            </li>\n         </ul>"
+            "smithy.api#documentation": "<p>The normalized severity for the finding. This attribute is to be deprecated in favor of\n            <code>Label</code>.</p>\n         <p>If you provide <code>Normalized</code> and don't provide <code>Label</code>,\n            <code>Label</code> is set automatically as follows.</p>\n         <ul>\n            <li>\n               <p>0 - <code>INFORMATIONAL</code>\n               </p>\n            </li>\n            <li>\n               <p>1–39 - <code>LOW</code>\n               </p>\n            </li>\n            <li>\n               <p>40–69 - <code>MEDIUM</code>\n               </p>\n            </li>\n            <li>\n               <p>70–89 - <code>HIGH</code>\n               </p>\n            </li>\n            <li>\n               <p>90–100 - <code>CRITICAL</code>\n               </p>\n            </li>\n         </ul>"
           }
         },
         "Product": {
@@ -33440,7 +33440,7 @@
           "target": "com.amazonaws.securityhub#NonEmptyString",
           "traits": {
             "smithy.api#clientOptional": {},
-            "smithy.api#documentation": "<p>\n         The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Servicesservice \n         name and a number, such as APIGateway.3.\n      </p>",
+            "smithy.api#documentation": "<p>\n         The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service \n         name and a number, such as APIGateway.3.\n      </p>",
             "smithy.api#required": {}
           }
         },
@@ -33558,7 +33558,7 @@
           "target": "com.amazonaws.securityhub#NonEmptyString",
           "traits": {
             "smithy.api#clientOptional": {},
-            "smithy.api#documentation": "<p>\n         A unique standard-agnostic identifier for a control. Values for this field typically consist of an \n         Amazon Web Servicesservice and a number, such as APIGateway.5. This field doesn't reference a specific standard.\n      </p>",
+            "smithy.api#documentation": "<p>\n         A unique standard-agnostic identifier for a control. Values for this field typically consist of an \n         Amazon Web Services service and a number, such as APIGateway.5. This field doesn't reference a specific standard.\n      </p>",
             "smithy.api#required": {}
           }
         },
@@ -35301,7 +35301,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Updates the finding aggregation configuration. Used to update the Region linking mode and the list of included or excluded Regions. You cannot use <code>UpdateFindingAggregator</code> to change the aggregation Region.</p>\n         <p>You must run <code>UpdateFindingAggregator</code> from the current aggregation Region.\n      </p>",
+        "smithy.api#documentation": "<note>\n            <p>The <i>aggregation Region</i> is now called the <i>home Region</i>.</p>\n         </note>\n         <p>Updates cross-Region aggregation settings. You can use this operation to update the Region linking mode and the list \n        of included or excluded Amazon Web Services Regions. However, you can't use this operation to change the home Region.</p>\n         <p>You can invoke this operation from the current home Region only.\n      </p>",
         "smithy.api#examples": [
           {
             "title": "To update cross-Region aggregation settings",
@@ -35348,7 +35348,7 @@
         "Regions": {
           "target": "com.amazonaws.securityhub#StringList",
           "traits": {
-            "smithy.api#documentation": "<p>If <code>RegionLinkingMode</code> is <code>ALL_REGIONS_EXCEPT_SPECIFIED</code>, then this is a space-separated list of Regions that do not aggregate findings to the aggregation Region.</p>\n         <p>If <code>RegionLinkingMode</code> is <code>SPECIFIED_REGIONS</code>, then this is a space-separated list of Regions that do aggregate findings to the aggregation Region.</p>\n         <p>An <code>InvalidInputException</code> error results if you populate this field while <code>RegionLinkingMode</code> is \n        <code>NO_REGIONS</code>.</p>"
+            "smithy.api#documentation": "<p>If <code>RegionLinkingMode</code> is <code>ALL_REGIONS_EXCEPT_SPECIFIED</code>, then this is a space-separated list of Regions that don't replicate and send findings to the home Region.</p>\n         <p>If <code>RegionLinkingMode</code> is <code>SPECIFIED_REGIONS</code>, then this is a space-separated list of Regions that do replicate and send findings to the home Region.</p>\n         <p>An <code>InvalidInputException</code> error results if you populate this field while <code>RegionLinkingMode</code> is \n        <code>NO_REGIONS</code>.</p>"
           }
         }
       },
@@ -35368,7 +35368,7 @@
         "FindingAggregationRegion": {
           "target": "com.amazonaws.securityhub#NonEmptyString",
           "traits": {
-            "smithy.api#documentation": "<p>The aggregation Region.</p>"
+            "smithy.api#documentation": "<p>The home Region. Findings generated in linked Regions are replicated and sent to the home Region.</p>"
           }
         },
         "RegionLinkingMode": {
@@ -36277,7 +36277,7 @@
         "Status": {
           "target": "com.amazonaws.securityhub#WorkflowStatus",
           "traits": {
-            "smithy.api#documentation": "<p>The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to <code>SUPPRESSED</code> or <code>RESOLVED</code> does not prevent a new finding for the same issue.</p>\n         <p>The allowed values are the following.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>NEW</code> - The initial state of a finding, before it is reviewed.</p>\n               <p>Security Hub also resets the workflow status from <code>NOTIFIED</code> or\n                  <code>RESOLVED</code> to <code>NEW</code> in the following cases:</p>\n               <ul>\n                  <li>\n                     <p>\n                        <code>RecordState</code> changes from <code>ARCHIVED</code> to\n                        <code>ACTIVE</code>.</p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>ComplianceStatus</code> changes from <code>PASSED</code> to either\n                        <code>WARNING</code>, <code>FAILED</code>, or\n                     <code>NOT_AVAILABLE</code>.</p>\n                  </li>\n               </ul>\n            </li>\n            <li>\n               <p>\n                  <code>NOTIFIED</code> - Indicates that you notified the resource owner about the\n               security issue. Used when the initial reviewer is not the resource owner, and needs\n               intervention from the resource owner.</p>\n            </li>\n            <li>\n               <p>\n                  <code>SUPPRESSED</code> - Indicates that you reviewed the finding and do not believe that any action is needed. The finding is no longer updated.</p>\n            </li>\n            <li>\n               <p>\n                  <code>RESOLVED</code> - The finding was reviewed and remediated and is now\n               considered resolved. </p>\n            </li>\n         </ul>"
+            "smithy.api#documentation": "<p>The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to <code>SUPPRESSED</code> or <code>RESOLVED</code> does not prevent a new finding for the same issue.</p>\n         <p>The allowed values are the following.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>NEW</code> - The initial state of a finding, before it is reviewed.</p>\n               <p>Security Hub also resets the workflow status from <code>NOTIFIED</code> or\n                  <code>RESOLVED</code> to <code>NEW</code> in the following cases:</p>\n               <ul>\n                  <li>\n                     <p>\n                        <code>RecordState</code> changes from <code>ARCHIVED</code> to\n                        <code>ACTIVE</code>.</p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>ComplianceStatus</code> changes from <code>PASSED</code> to either\n                        <code>WARNING</code>, <code>FAILED</code>, or\n                     <code>NOT_AVAILABLE</code>.</p>\n                  </li>\n               </ul>\n            </li>\n            <li>\n               <p>\n                  <code>NOTIFIED</code> - Indicates that you notified the resource owner about the\n               security issue. Used when the initial reviewer is not the resource owner, and needs\n               intervention from the resource owner.</p>\n            </li>\n            <li>\n               <p>\n                  <code>SUPPRESSED</code> - Indicates that you reviewed the finding and don't believe that any action is needed. The finding is no longer updated.</p>\n            </li>\n            <li>\n               <p>\n                  <code>RESOLVED</code> - The finding was reviewed and remediated and is now\n               considered resolved. </p>\n            </li>\n         </ul>"
           }
         }
       },
@@ -36360,7 +36360,7 @@
         "Status": {
           "target": "com.amazonaws.securityhub#WorkflowStatus",
           "traits": {
-            "smithy.api#documentation": "<p>The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to <code>SUPPRESSED</code> or <code>RESOLVED</code> does not prevent a new finding for the same issue.</p>\n         <p>The allowed values are the following.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>NEW</code> - The initial state of a finding, before it is reviewed.</p>\n               <p>Security Hub also resets <code>WorkFlowStatus</code> from <code>NOTIFIED</code> or\n                  <code>RESOLVED</code> to <code>NEW</code> in the following cases:</p>\n               <ul>\n                  <li>\n                     <p>The record state changes from <code>ARCHIVED</code> to\n                     <code>ACTIVE</code>.</p>\n                  </li>\n                  <li>\n                     <p>The compliance status changes from <code>PASSED</code> to either\n                        <code>WARNING</code>, <code>FAILED</code>, or\n                     <code>NOT_AVAILABLE</code>.</p>\n                  </li>\n               </ul>\n            </li>\n            <li>\n               <p>\n                  <code>NOTIFIED</code> - Indicates that you notified the resource owner about the\n               security issue. Used when the initial reviewer is not the resource owner, and needs\n               intervention from the resource owner.</p>\n            </li>\n            <li>\n               <p>\n                  <code>RESOLVED</code> - The finding was reviewed and remediated and is now\n               considered resolved.</p>\n            </li>\n            <li>\n               <p>\n                  <code>SUPPRESSED</code> - Indicates that you reviewed the finding and do not believe that any action is needed. The finding is no longer updated.</p>\n            </li>\n         </ul>"
+            "smithy.api#documentation": "<p>The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to <code>SUPPRESSED</code> or <code>RESOLVED</code> does not prevent a new finding for the same issue.</p>\n         <p>The allowed values are the following.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>NEW</code> - The initial state of a finding, before it is reviewed.</p>\n               <p>Security Hub also resets <code>WorkFlowStatus</code> from <code>NOTIFIED</code> or\n                  <code>RESOLVED</code> to <code>NEW</code> in the following cases:</p>\n               <ul>\n                  <li>\n                     <p>The record state changes from <code>ARCHIVED</code> to\n                     <code>ACTIVE</code>.</p>\n                  </li>\n                  <li>\n                     <p>The compliance status changes from <code>PASSED</code> to either\n                        <code>WARNING</code>, <code>FAILED</code>, or\n                     <code>NOT_AVAILABLE</code>.</p>\n                  </li>\n               </ul>\n            </li>\n            <li>\n               <p>\n                  <code>NOTIFIED</code> - Indicates that you notified the resource owner about the\n               security issue. Used when the initial reviewer is not the resource owner, and needs\n               intervention from the resource owner.</p>\n            </li>\n            <li>\n               <p>\n                  <code>RESOLVED</code> - The finding was reviewed and remediated and is now\n               considered resolved.</p>\n            </li>\n            <li>\n               <p>\n                  <code>SUPPRESSED</code> - Indicates that you reviewed the finding and don't believe that any action is needed. The finding is no longer updated.</p>\n            </li>\n         </ul>"
           }
         }
       },