From b90e3531e8a96fc351484f125d7076a4b4439bc6 Mon Sep 17 00:00:00 2001 From: Nate Prewitt Date: Fri, 18 Oct 2024 12:31:15 -0700 Subject: [PATCH 1/4] Fix flakey test by allowing arbitrary warnings during capture (#3282) --- tests/unit/test_parsers.py | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/tests/unit/test_parsers.py b/tests/unit/test_parsers.py index 979a542f34..5d74ab62bb 100644 --- a/tests/unit/test_parsers.py +++ b/tests/unit/test_parsers.py @@ -429,16 +429,17 @@ def assert_tagged_union_response_with_unknown_member( expected_parsed_response, expected_log, ): + warning_message = ( + 'Received a tagged union response with member unknown to client' + ) with self.assertLogs() as captured_log: parsed = parser.parse(response, output_shape) self.assertEqual(parsed, expected_parsed_response) - self.assertEqual(len(captured_log.records), 1) - self.assertIn( - ( - 'Received a tagged union response with member ' - 'unknown to client' - ), - captured_log.records[0].getMessage(), + log_messages = [ + record.getMessage() for record in captured_log.records + ] + self.assertTrue( + any(warning_message in log for log in log_messages) ) def test_base_json_parser_handles_unknown_member(self): From d64e956439c4248e57707a5e805aab5473511f17 Mon Sep 17 00:00:00 2001 From: Alessandra Romero <24320222+alexgromero@users.noreply.github.com> Date: Mon, 21 Oct 2024 11:55:50 -0400 Subject: [PATCH 2/4] S3 200 errors implementation (#3276) --- .../next-release/enhancement-s3-47846.json | 5 ++ botocore/handlers.py | 49 ++++++++--- tests/functional/test_s3.py | 85 ++++++++++++++++--- tests/unit/test_handlers.py | 6 +- 4 files changed, 121 insertions(+), 24 deletions(-) create mode 100644 .changes/next-release/enhancement-s3-47846.json diff --git a/.changes/next-release/enhancement-s3-47846.json b/.changes/next-release/enhancement-s3-47846.json new file mode 100644 index 0000000000..a549b5e190 --- /dev/null 
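Review bot: `self.assertTrue(any(warning_message in log for log in log_messages))` reports only `False is not true` on failure, which hides the very records the assertion is about; passing the list as the message, `self.assertTrue(any(warning_message in log for log in log_messages), msg=log_messages)`, or asserting `self.assertIn(warning_message, "\n".join(log_messages))`, keeps the diagnostics when the flake recurs. The `expected_log` parameter is still unused in the visible lines; if the helper's body outside this hunk does not use it either, it could be dropped from the signature. The enclosing helper starts before this hunk.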
+++ b/.changes/next-release/enhancement-s3-47846.json @@ -0,0 +1,5 @@ +{ + "type": "enhancement", + "category": "``s3``", + "description": "Handle HTTP 200 responses with error information for all supported s3 operations." +} diff --git a/botocore/handlers.py b/botocore/handlers.py index 9cb1d052c0..9a7f78acef 100644 --- a/botocore/handlers.py +++ b/botocore/handlers.py @@ -132,6 +132,7 @@ def escape_xml_payload(params, **kwargs): def check_for_200_error(response, **kwargs): + """This function has been deprecated, but is kept for backwards compatibility.""" # From: http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html # There are two opportunities for a copy request to return an error. One # can occur when Amazon S3 receives the copy request and the other can @@ -152,7 +153,9 @@ def check_for_200_error(response, **kwargs): # trying to retrieve the response. See Endpoint._get_response(). return http_response, parsed = response - if _looks_like_special_case_error(http_response): + if _looks_like_special_case_error( + http_response.status_code, http_response.content + ): logger.debug( "Error found for response with 200 status code, " "errors: %s, changing status code to " @@ -162,13 +165,13 @@ def check_for_200_error(response, **kwargs): http_response.status_code = 500 -def _looks_like_special_case_error(http_response): - if http_response.status_code == 200: +def _looks_like_special_case_error(status_code, body): + if status_code == 200 and body: try: parser = ETree.XMLParser( target=ETree.TreeBuilder(), encoding='utf-8' ) - parser.feed(http_response.content) + parser.feed(body) root = parser.close() except XMLParseError: # In cases of network disruptions, we may end up with a partial 
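Review bot: The new docstring on `check_for_200_error` says the function is deprecated but not what replaced it or that botocore no longer registers it, which is what a downstream caller holding a reference would need; suggest `"""Deprecated and no longer registered by botocore; kept for backwards compatibility. The 200-with-error check now lives in _handle_200_error (before-parse.s3.*) and the status-code rewrite in _update_status_code (needs-retry.s3.*)."""`. Because the function stays importable and callable, a `warnings.warn(..., DeprecationWarning, stacklevel=2)` at its top would surface the deprecation to third-party code still wiring it up, if the project's deprecation policy allows it. check_for_200_error's body continues outside these hunks.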
@@ -1239,6 +1242,35 @@ def document_expires_shape(section, event_name, **kwargs): ) +def _handle_200_error(operation_model, response_dict, **kwargs): + # S3 can return a 200 response with an error embedded in the body. + # Convert the 200 to a 500 for retry resolution in ``_update_status_code``. + if not response_dict or operation_model.has_streaming_output: + # Operations with streaming response blobs are excluded as they + # can't be reliably distinguished from an S3 error. + return + if _looks_like_special_case_error( + response_dict['status_code'], response_dict['body'] + ): + response_dict['status_code'] = 500 + logger.debug( + f"Error found for response with 200 status code: {response_dict['body']}." + ) + + +def _update_status_code(response, **kwargs): + # Update the http_response status code when the parsed response has been + # modified in a handler. This enables retries for cases like ``_handle_200_error``. + if response is None: + return + http_response, parsed = response + parsed_status_code = parsed.get('ResponseMetadata', {}).get( + 'HTTPStatusCode', http_response.status_code + ) + if http_response.status_code != parsed_status_code: + http_response.status_code = parsed_status_code + + # This is a list of (event_name, handler). # When a Session is created, everything in this list will be # automatically registered with that Session. @@ -1269,6 +1301,7 @@ def document_expires_shape(section, event_name, **kwargs): ('after-call.cloudformation.GetTemplate', json_decode_template_body), ('after-call.s3.GetBucketLocation', parse_get_bucket_location), ('before-parse.s3.*', handle_expires_header), + ('before-parse.s3.*', _handle_200_error, REGISTER_FIRST), ('before-parameter-build', generate_idempotent_uuid), ('before-parameter-build.s3', validate_bucket_name), ('before-parameter-build.s3', remove_bucket_from_url_paths_from_model), 
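Review bot: `logger.debug(f"Error found for response with 200 status code: {response_dict['body']}.")` in `_handle_200_error` formats the whole response body eagerly even when debug logging is disabled, and it departs from the lazy `%s` style that `check_for_200_error` uses in the same file; prefer `logger.debug("Error found for response with 200 status code: %s.", response_dict['body'])`. Since the handler is registered on `before-parse.s3.*`, every non-empty 200 body on a non-streaming S3 operation now goes through `_looks_like_special_case_error`'s XML parse, so keeping the surrounding calls cheap matters on that path. Both new functions carry only `#` comments; a one-line docstring on each, e.g. `"""Rewrite a 200 S3 response whose body carries an error to status 500."""` and `"""Sync http_response.status_code with the parsed ResponseMetadata status."""`, would show up in help() and docs tooling where the inline comments do not.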
@@ -1312,13 +1345,7 @@ def document_expires_shape(section, event_name, **kwargs): ('before-call.ec2.CopySnapshot', inject_presigned_url_ec2), ('request-created', add_retry_headers), ('request-created.machinelearning.Predict', switch_host_machinelearning), - ('needs-retry.s3.UploadPartCopy', check_for_200_error, REGISTER_FIRST), - ('needs-retry.s3.CopyObject', check_for_200_error, REGISTER_FIRST), - ( - 'needs-retry.s3.CompleteMultipartUpload', - check_for_200_error, - REGISTER_FIRST, - ), + ('needs-retry.s3.*', _update_status_code, REGISTER_FIRST), ('choose-signer.cognito-identity.GetId', disable_signing), ('choose-signer.cognito-identity.GetOpenIdToken', disable_signing), ('choose-signer.cognito-identity.UnlinkIdentity', disable_signing), diff --git a/tests/functional/test_s3.py b/tests/functional/test_s3.py index 04fc32aa7b..613ef1c016 100644 --- a/tests/functional/test_s3.py +++ b/tests/functional/test_s3.py @@ -28,7 +28,6 @@ UnsupportedS3AccesspointConfigurationError, UnsupportedS3ConfigurationError, ) -from botocore.parsers import ResponseParserError from tests import ( BaseSessionTest, ClientHTTPStubber, @@ -435,12 +434,12 @@ def create_stubbed_s3_client(self, **kwargs): http_stubber.start() return client, http_stubber - def test_s3_copy_object_with_empty_response(self): + def test_s3_copy_object_with_incomplete_response(self): self.client, self.http_stubber = self.create_stubbed_s3_client( region_name="us-east-1" ) - empty_body = b"" + incomplete_body = b'\n\n\n' complete_body = ( b'\n\n' b"2020-04-21T21:03:31.000Z" b""s0mEcH3cK5uM"" ) - - self.http_stubber.add_response(status=200, body=empty_body) + self.http_stubber.add_response(status=200, body=incomplete_body) self.http_stubber.add_response(status=200, body=complete_body) response = self.client.copy_object( Bucket="bucket", 
@@ -462,19 +460,86 @@ def test_s3_copy_object_with_empty_response(self): self.assertEqual(response["ResponseMetadata"]["HTTPStatusCode"], 200) self.assertTrue("CopyObjectResult" in response) - def test_s3_copy_object_with_incomplete_response(self): + +class TestS3200ErrorResponse(BaseS3OperationTest): + def create_s3_client(self, **kwargs): + client_kwargs = {"region_name": self.region} + client_kwargs.update(kwargs) + return self.session.create_client("s3", **client_kwargs) + + def create_stubbed_s3_client(self, **kwargs): + client = self.create_s3_client(**kwargs) + http_stubber = ClientHTTPStubber(client) + http_stubber.start() + return client, http_stubber + + def test_s3_200_with_error_response(self): self.client, self.http_stubber = self.create_stubbed_s3_client( region_name="us-east-1" ) - - incomplete_body = b'\n\n\n' - self.http_stubber.add_response(status=200, body=incomplete_body) - with self.assertRaises(ResponseParserError): + error_body = ( + b"" + b"SlowDown" + b"Please reduce your request rate." + b"" + ) + # Populate 5 attempts for SlowDown to validate + # we reached four max retries and raised an exception. + for i in range(5): + self.http_stubber.add_response(status=200, body=error_body) + with self.assertRaises(botocore.exceptions.ClientError) as context: self.client.copy_object( Bucket="bucket", CopySource="other-bucket/test.txt", Key="test.txt", ) + self.assertEqual(len(self.http_stubber.requests), 5) + self.assertEqual( + context.exception.response["ResponseMetadata"]["HTTPStatusCode"], + 500, + ) + self.assertEqual( + context.exception.response["Error"]["Code"], "SlowDown" + ) + + def test_s3_200_with_no_error_response(self): + self.client, self.http_stubber = self.create_stubbed_s3_client( + region_name="us-east-1" + ) + self.http_stubber.add_response(status=200, body=b"") + + response = self.client.copy_object( + Bucket="bucket", + CopySource="other-bucket/test.txt", + Key="test.txt", + ) + + # Validate that the status code remains 200. 
+ self.assertEqual(len(self.http_stubber.requests), 1) + self.assertEqual(response["ResponseMetadata"]["HTTPStatusCode"], 200) + + def test_s3_200_with_error_response_on_streaming_operation(self): + self.client, self.http_stubber = self.create_stubbed_s3_client( + region_name="us-east-1" + ) + self.http_stubber.add_response(status=200, body=b"") + response = self.client.get_object(Bucket="bucket", Key="test.txt") + + # Validate that the status code remains 200 because we don't + # process 200-with-error responses on streaming operations. + self.assertEqual(len(self.http_stubber.requests), 1) + self.assertEqual(response["ResponseMetadata"]["HTTPStatusCode"], 200) + + def test_s3_200_response_with_no_body(self): + self.client, self.http_stubber = self.create_stubbed_s3_client( + region_name="us-east-1" + ) + self.http_stubber.add_response(status=200) + response = self.client.head_object(Bucket="bucket", Key="test.txt") + + # Validate that the status code remains 200 on operations without a body. + self.assertEqual(len(self.http_stubber.requests), 1) + self.assertEqual(response["ResponseMetadata"]["HTTPStatusCode"], 200) class TestAccesspointArn(BaseS3ClientConfigurationTest): diff --git a/tests/unit/test_handlers.py b/tests/unit/test_handlers.py index 7e28356442..924abed8af 100644 --- a/tests/unit/test_handlers.py +++ b/tests/unit/test_handlers.py 
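Review bot: `create_s3_client` and `create_stubbed_s3_client` on the new `TestS3200ErrorResponse` duplicate the helpers already defined on the class above (`create_stubbed_s3_client` is visible in the preceding hunk); hoisting them onto `BaseS3OperationTest`, or a small mixin both classes share, leaves one copy to maintain. In `test_s3_200_with_error_response` the loop variable in `for i in range(5):` is unused, so `for _ in range(5):` reads better. The tests reference `botocore.exceptions.ClientError`, which presumably relies on a module-level `import botocore` in this file — worth confirming, since the import hunk above shows only `from botocore...` imports.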
@@ -1202,14 +1202,14 @@ def test_s3_special_case_is_before_other_retry(self): caught_exception=None, ) # This is implementation specific, but we're trying to verify that - # the check_for_200_error is before any of the retry logic in + # the _update_status_code is before any of the retry logic in # botocore.retryhandlers. # Technically, as long as the relative order is preserved, we don't # care about the absolute order. names = self.get_handler_names(responses) - self.assertIn('check_for_200_error', names) + self.assertIn('_update_status_code', names) self.assertIn('RetryHandler', names) - s3_200_handler = names.index('check_for_200_error') + s3_200_handler = names.index('_update_status_code') general_retry_handler = names.index('RetryHandler') self.assertTrue( s3_200_handler < general_retry_handler, From 4ee8f0c46b35bc7aa0d89c145a17582a591d1ffb Mon Sep 17 00:00:00 2001 
From: aws-sdk-python-automation Date: Mon, 21 Oct 2024 18:06:55 +0000 Subject: [PATCH 3/4] Update to latest models --- .../api-change-applicationinsights-14705.json | 5 + .../api-change-autoscaling-58901.json | 5 + .../api-change-bedrockagentruntime-34706.json | 5 + .../next-release/api-change-dms-84953.json | 5 + .../next-release/api-change-ec2-49098.json | 5 + .../next-release/api-change-eks-35676.json | 5 + .../next-release/api-change-fms-39411.json | 5 + ...-change-paymentcryptographydata-25649.json | 5 + .../next-release/api-change-wafv2-18392.json | 5 + .../2018-11-25/service-2.json | 104 +++-- .../autoscaling/2011-01-01/service-2.json | 90 ++-- .../2023-07-26/service-2.json | 37 +- botocore/data/dms/2016-01-01/service-2.json | 46 ++ botocore/data/ec2/2016-11-15/service-2.json | 44 +- botocore/data/eks/2017-11-01/service-2.json | 42 +- botocore/data/fms/2018-01-01/service-2.json | 49 +- .../2022-02-03/service-2.json | 420 +++++++++++++++++- botocore/data/wafv2/2019-07-29/service-2.json | 14 +- 18 files changed, 763 insertions(+), 128 deletions(-) create mode 100644 .changes/next-release/api-change-applicationinsights-14705.json create mode 100644 .changes/next-release/api-change-autoscaling-58901.json create mode 100644 .changes/next-release/api-change-bedrockagentruntime-34706.json create mode 100644 .changes/next-release/api-change-dms-84953.json create mode 100644 .changes/next-release/api-change-ec2-49098.json create mode 100644 .changes/next-release/api-change-eks-35676.json create mode 100644 .changes/next-release/api-change-fms-39411.json create mode 100644 .changes/next-release/api-change-paymentcryptographydata-25649.json create mode 100644 .changes/next-release/api-change-wafv2-18392.json diff --git a/.changes/next-release/api-change-applicationinsights-14705.json b/.changes/next-release/api-change-applicationinsights-14705.json new file mode 100644 index 0000000000..d85788ab3a --- /dev/null 
+++ b/.changes/next-release/api-change-applicationinsights-14705.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``application-insights``", + "description": "This feature enables customers to specify SNS Topic ARN. CloudWatch Application Insights (CWAI) will utilize this ARN to send problem notifications." +} diff --git a/.changes/next-release/api-change-autoscaling-58901.json b/.changes/next-release/api-change-autoscaling-58901.json new file mode 100644 index 0000000000..3a28a010f7 --- /dev/null +++ b/.changes/next-release/api-change-autoscaling-58901.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``autoscaling``", + "description": "Adds support for removing the PlacementGroup setting on an Auto Scaling Group through the UpdateAutoScalingGroup API." +} diff --git a/.changes/next-release/api-change-bedrockagentruntime-34706.json b/.changes/next-release/api-change-bedrockagentruntime-34706.json new file mode 100644 index 0000000000..1dbbaac176 --- /dev/null +++ b/.changes/next-release/api-change-bedrockagentruntime-34706.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``bedrock-agent-runtime``", + "description": "Knowledge Bases for Amazon Bedrock now supports custom prompts and model parameters in the orchestrationConfiguration of the RetrieveAndGenerate API. The modelArn field accepts Custom Models and Imported Models ARNs." +} diff --git a/.changes/next-release/api-change-dms-84953.json b/.changes/next-release/api-change-dms-84953.json new file mode 100644 index 0000000000..7baf144146 --- /dev/null +++ b/.changes/next-release/api-change-dms-84953.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``dms``", + "description": "Added support for tagging in StartReplicationTaskAssessmentRun API and introduced IsLatestTaskAssessmentRun and ResultStatistic fields for enhanced tracking and assessment result statistics." +} 
diff --git a/.changes/next-release/api-change-ec2-49098.json b/.changes/next-release/api-change-ec2-49098.json new file mode 100644 index 0000000000..e49449beec --- /dev/null +++ b/.changes/next-release/api-change-ec2-49098.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``ec2``", + "description": "Amazon EC2 now allows you to create network interfaces with just the EFA driver and no ENA driver by specifying the network interface type as efa-only." +} diff --git a/.changes/next-release/api-change-eks-35676.json b/.changes/next-release/api-change-eks-35676.json new file mode 100644 index 0000000000..2020590e5a --- /dev/null +++ b/.changes/next-release/api-change-eks-35676.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``eks``", + "description": "This release adds support for Amazon Application Recovery Controller (ARC) zonal shift and zonal autoshift with EKS that enhances the resiliency of multi-AZ cluster environments" +} diff --git a/.changes/next-release/api-change-fms-39411.json b/.changes/next-release/api-change-fms-39411.json new file mode 100644 index 0000000000..e214a4bf1e --- /dev/null +++ b/.changes/next-release/api-change-fms-39411.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``fms``", + "description": "Update AWS WAF policy - add the option to retrofit existing web ACLs instead of creating all new web ACLs." +} diff --git a/.changes/next-release/api-change-paymentcryptographydata-25649.json b/.changes/next-release/api-change-paymentcryptographydata-25649.json new file mode 100644 index 0000000000..fe4a886820 --- /dev/null +++ b/.changes/next-release/api-change-paymentcryptographydata-25649.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``payment-cryptography-data``", + "description": "Adding new API to generate authenticated scripts for EMV pin change use cases." +} 
diff --git a/.changes/next-release/api-change-wafv2-18392.json b/.changes/next-release/api-change-wafv2-18392.json new file mode 100644 index 0000000000..268fe1e900 --- /dev/null +++ b/.changes/next-release/api-change-wafv2-18392.json @@ -0,0 +1,5 @@ +{ + "type": "api-change", + "category": "``wafv2``", + "description": "Add a property to WebACL to indicate whether it's been retrofitted by Firewall Manager." +} diff --git a/botocore/data/application-insights/2018-11-25/service-2.json b/botocore/data/application-insights/2018-11-25/service-2.json index 8db361e928..b0242a0e36 100644 --- a/botocore/data/application-insights/2018-11-25/service-2.json +++ b/botocore/data/application-insights/2018-11-25/service-2.json @@ -5,13 +5,15 @@ "endpointPrefix":"applicationinsights", "jsonVersion":"1.1", "protocol":"json", + "protocols":["json"], "serviceAbbreviation":"Application Insights", "serviceFullName":"Amazon CloudWatch Application Insights", "serviceId":"Application Insights", "signatureVersion":"v4", "signingName":"applicationinsights", "targetPrefix":"EC2WindowsBarleyService", - "uid":"application-insights-2018-11-25" + "uid":"application-insights-2018-11-25", + "auth":["aws.auth#sigv4"] }, "operations":{ "AddWorkload":{ @@ -618,7 +620,7 @@ "members":{ "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the owner of the application.

" + "documentation":"

The Amazon Web Services account ID for the owner of the application.

" }, "ResourceGroupName":{ "shape":"ResourceGroupName", @@ -632,6 +634,10 @@ "shape":"OpsItemSNSTopicArn", "documentation":"

The SNS topic provided to Application Insights that is associated to the created opsItems to receive SNS notifications for opsItem updates.

" }, + "SNSNotificationArn":{ + "shape":"SNSNotificationArn", + "documentation":"

The SNS topic ARN that is associated with SNS notifications for updates or issues.

" + }, "OpsCenterEnabled":{ "shape":"OpsCenterEnabled", "documentation":"

Indicates whether Application Insights will create opsItems for any problem detected by Application Insights for an application.

" @@ -712,7 +718,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the owner of the application to which the configuration event belongs.

" + "documentation":"

The Amazon Web Services account ID for the owner of the application to which the configuration event belongs.

" }, "MonitoredResourceARN":{ "shape":"ConfigurationEventMonitoredResourceARN", @@ -785,6 +791,10 @@ "shape":"OpsItemSNSTopicArn", "documentation":"

The SNS topic provided to Application Insights that is associated to the created opsItem. Allows you to receive notifications for updates to the opsItem.

" }, + "SNSNotificationArn":{ + "shape":"SNSNotificationArn", + "documentation":"

The SNS notification topic ARN.

" + }, "Tags":{ "shape":"TagList", "documentation":"

List of tags to add to the application. tag key (Key) and an associated tag value (Value). The maximum length of a tag key is 128 characters. The maximum length of a tag value is 256 characters.

" @@ -871,7 +881,7 @@ }, "Rank":{ "shape":"LogPatternRank", - "documentation":"

Rank of the log pattern. Must be a value between 1 and 1,000,000. The patterns are sorted by rank, so we recommend that you set your highest priority patterns with the lowest rank. A pattern of rank 1 will be the first to get matched to a log line. A pattern of rank 1,000,000 will be last to get matched. When you configure custom log patterns from the console, a Low severity pattern translates to a 750,000 rank. A Medium severity pattern translates to a 500,000 rank. And a High severity pattern translates to a 250,000 rank. Rank values less than 1 or greater than 1,000,000 are reserved for AWS-provided patterns.

" + "documentation":"

Rank of the log pattern. Must be a value between 1 and 1,000,000. The patterns are sorted by rank, so we recommend that you set your highest priority patterns with the lowest rank. A pattern of rank 1 will be the first to get matched to a log line. A pattern of rank 1,000,000 will be last to get matched. When you configure custom log patterns from the console, a Low severity pattern translates to a 750,000 rank. A Medium severity pattern translates to a 500,000 rank. And a High severity pattern translates to a 250,000 rank. Rank values less than 1 or greater than 1,000,000 are reserved for Amazon Web Services provided patterns.

" } } }, @@ -968,7 +978,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" } } }, @@ -1003,7 +1013,7 @@ }, "WorkloadName":{ "shape":"WorkloadName", - "documentation":"

The name of the workload.

" + "documentation":"

The name of the workload. The name of the workload is required when the tier of the application component is SAP_ASE_SINGLE_NODE or SAP_ASE_HIGH_AVAILABILITY.

" }, "RecommendationType":{ "shape":"RecommendationType", @@ -1037,7 +1047,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" } } }, @@ -1075,7 +1085,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" } } }, @@ -1111,7 +1121,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" } } }, @@ -1124,7 +1134,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" }, "LogPattern":{ "shape":"LogPattern", @@ -1142,7 +1152,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" } } }, @@ -1165,7 +1175,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" } } }, @@ -1188,7 +1198,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the owner of the resource group affected by the problem.

" + "documentation":"

The Amazon Web Services account ID for the owner of the resource group affected by the problem.

" } } }, @@ -1198,6 +1208,10 @@ "Problem":{ "shape":"Problem", "documentation":"

Information about the problem.

" + }, + "SNSNotificationArn":{ + "shape":"SNSNotificationArn", + "documentation":"

The SNS notification topic ARN of the problem.

" } } }, @@ -1223,7 +1237,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the workload owner.

" + "documentation":"

The Amazon Web Services account ID for the workload owner.

" } } }, @@ -1316,7 +1330,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" } } }, @@ -1351,7 +1365,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" } } }, @@ -1397,7 +1411,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" } } }, @@ -1432,7 +1446,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" } } }, @@ -1445,7 +1459,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" }, "LogPatternSets":{ "shape":"LogPatternSetList", @@ -1479,7 +1493,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" } } }, @@ -1492,7 +1506,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" }, "LogPatterns":{ "shape":"LogPatternList", @@ -1509,7 +1523,7 @@ "members":{ "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" }, "ResourceGroupName":{ "shape":"ResourceGroupName", @@ -1558,7 +1572,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the resource group owner.

" + "documentation":"

The Amazon Web Services account ID for the resource group owner.

" } } }, @@ -1606,7 +1620,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID of the owner of the workload.

" + "documentation":"

The Amazon Web Services account ID of the owner of the workload.

" } } }, @@ -1649,7 +1663,7 @@ }, "Rank":{ "shape":"LogPatternRank", - "documentation":"

Rank of the log pattern. Must be a value between 1 and 1,000,000. The patterns are sorted by rank, so we recommend that you set your highest priority patterns with the lowest rank. A pattern of rank 1 will be the first to get matched to a log line. A pattern of rank 1,000,000 will be last to get matched. When you configure custom log patterns from the console, a Low severity pattern translates to a 750,000 rank. A Medium severity pattern translates to a 500,000 rank. And a High severity pattern translates to a 250,000 rank. Rank values less than 1 or greater than 1,000,000 are reserved for AWS-provided patterns.

" + "documentation":"

Rank of the log pattern. Must be a value between 1 and 1,000,000. The patterns are sorted by rank, so we recommend that you set your highest priority patterns with the lowest rank. A pattern of rank 1 will be the first to get matched to a log line. A pattern of rank 1,000,000 will be last to get matched. When you configure custom log patterns from the console, a Low severity pattern translates to a 750,000 rank. A Medium severity pattern translates to a 500,000 rank. And a High severity pattern translates to a 250,000 rank. Rank values less than 1 or greater than 1,000,000 are reserved for Amazon Web Services provided patterns.

" } }, "documentation":"

An object that defines the log patterns that belongs to a LogPatternSet.

" @@ -1691,6 +1705,7 @@ "MetaDataValue":{"type":"string"}, "MetricName":{"type":"string"}, "MetricNamespace":{"type":"string"}, + "MissingWorkloadConfig":{"type":"boolean"}, "Monitor":{"type":"boolean"}, "Observation":{ "type":"structure", @@ -1761,23 +1776,23 @@ }, "HealthEventArn":{ "shape":"HealthEventArn", - "documentation":"

The Amazon Resource Name (ARN) of the AWS Health Event-based observation.

" + "documentation":"

The Amazon Resource Name (ARN) of the Health Event-based observation.

" }, "HealthService":{ "shape":"HealthService", - "documentation":"

The service to which the AWS Health Event belongs, such as EC2.

" + "documentation":"

The service to which the Health Event belongs, such as EC2.

" }, "HealthEventTypeCode":{ "shape":"HealthEventTypeCode", - "documentation":"

The type of the AWS Health event, for example, AWS_EC2_POWER_CONNECTIVITY_ISSUE.

" + "documentation":"

The type of the Health event, for example, AWS_EC2_POWER_CONNECTIVITY_ISSUE.

" }, "HealthEventTypeCategory":{ "shape":"HealthEventTypeCategory", - "documentation":"

The category of the AWS Health event, such as issue.

" + "documentation":"

The category of the Health event, such as issue.

" }, "HealthEventDescription":{ "shape":"HealthEventDescription", - "documentation":"

The description of the AWS Health event provided by the service, such as Amazon EC2.

" + "documentation":"

The description of the Health event provided by the service, such as Amazon EC2.

" }, "CodeDeployDeploymentId":{ "shape":"CodeDeployDeploymentId", @@ -1919,6 +1934,10 @@ "shape":"Title", "documentation":"

The name of the problem.

" }, + "ShortName":{ + "shape":"ShortName", + "documentation":"

The short name of the problem associated with the SNS notification.

" + }, "Insights":{ "shape":"Insights", "documentation":"

A detailed analysis of the problem using machine learning.

" @@ -1945,7 +1964,7 @@ }, "AccountId":{ "shape":"AccountId", - "documentation":"

The AWS account ID for the owner of the resource group affected by the problem.

" + "documentation":"

The Amazon Web Services account ID for the owner of the resource group affected by the problem.

" }, "ResourceGroupName":{ "shape":"ResourceGroupName", @@ -2081,6 +2100,12 @@ "pattern":"[0-9a-zA-Z:_]*" }, "S3EventName":{"type":"string"}, + "SNSNotificationArn":{ + "type":"string", + "max":300, + "min":20, + "pattern":"^arn:aws(-\\w+)*:[\\w\\d-]+:([\\w\\d-]*)?:[\\w\\d_-]*([:/].+)*$" + }, "SeverityLevel":{ "type":"string", "enum":[ @@ -2090,6 +2115,7 @@ "High" ] }, + "ShortName":{"type":"string"}, "SourceARN":{"type":"string"}, "SourceType":{"type":"string"}, "StartTime":{"type":"timestamp"}, @@ -2123,7 +2149,7 @@ "documentation":"

The optional part of a key-value pair that defines a tag. The maximum length of a tag value is 256 characters. The minimum length is 0 characters. If you don't want an application to have a specific tag value, don't specify a value for this parameter.

" } }, - "documentation":"

An object that defines the tags associated with an application. A tag is a label that you optionally define and associate with an application. Tags can help you categorize and manage resources in different ways, such as by purpose, owner, environment, or other criteria.

Each tag consists of a required tag key and an associated tag value, both of which you define. A tag key is a general label that acts as a category for a more specific tag value. A tag value acts as a descriptor within a tag key. A tag key can contain as many as 128 characters. A tag value can contain as many as 256 characters. The characters can be Unicode letters, digits, white space, or one of the following symbols: _ . : / = + -. The following additional restrictions apply to tags:

  • Tag keys and values are case sensitive.

  • For each associated resource, each tag key must be unique and it can have only one value.

  • The aws: prefix is reserved for use by AWS; you can’t use it in any tag keys or values that you define. In addition, you can't edit or remove tag keys or values that use this prefix.

" + "documentation":"

An object that defines the tags associated with an application. A tag is a label that you optionally define and associate with an application. Tags can help you categorize and manage resources in different ways, such as by purpose, owner, environment, or other criteria.

Each tag consists of a required tag key and an associated tag value, both of which you define. A tag key is a general label that acts as a category for a more specific tag value. A tag value acts as a descriptor within a tag key. A tag key can contain as many as 128 characters. A tag value can contain as many as 256 characters. The characters can be Unicode letters, digits, white space, or one of the following symbols: _ . : / = + -. The following additional restrictions apply to tags:

  • Tag keys and values are case sensitive.

  • For each associated resource, each tag key must be unique and it can have only one value.

  • The aws: prefix is reserved for use by Amazon Web Services; you can’t use it in any tag keys or values that you define. In addition, you can't edit or remove tag keys or values that use this prefix.

" }, "TagKey":{ "type":"string", @@ -2197,6 +2223,8 @@ "SAP_HANA_MULTI_NODE", "SAP_HANA_SINGLE_NODE", "SAP_HANA_HIGH_AVAILABILITY", + "SAP_ASE_SINGLE_NODE", + "SAP_ASE_HIGH_AVAILABILITY", "SQL_SERVER_FAILOVER_CLUSTER_INSTANCE", "SHAREPOINT", "ACTIVE_DIRECTORY", @@ -2263,6 +2291,10 @@ "shape":"OpsItemSNSTopicArn", "documentation":"

The SNS topic provided to Application Insights that is associated to the created opsItem. Allows you to receive notifications for updates to the opsItem.

" }, + "SNSNotificationArn":{ + "shape":"SNSNotificationArn", + "documentation":"

The SNS topic ARN. Allows you to receive SNS notifications for updates and issues with an application.

" + }, "RemoveSNSTopic":{ "shape":"RemoveSNSTopic", "documentation":"

Disassociates the SNS topic from the opsItem created for detected problems.

" @@ -2380,7 +2412,7 @@ }, "Rank":{ "shape":"LogPatternRank", - "documentation":"

Rank of the log pattern. Must be a value between 1 and 1,000,000. The patterns are sorted by rank, so we recommend that you set your highest priority patterns with the lowest rank. A pattern of rank 1 will be the first to get matched to a log line. A pattern of rank 1,000,000 will be last to get matched. When you configure custom log patterns from the console, a Low severity pattern translates to a 750,000 rank. A Medium severity pattern translates to a 500,000 rank. And a High severity pattern translates to a 250,000 rank. Rank values less than 1 or greater than 1,000,000 are reserved for AWS-provided patterns.

" + "documentation":"

Rank of the log pattern. Must be a value between 1 and 1,000,000. The patterns are sorted by rank, so we recommend that you set your highest priority patterns with the lowest rank. A pattern of rank 1 will be the first to get matched to a log line. A pattern of rank 1,000,000 will be last to get matched. When you configure custom log patterns from the console, a Low severity pattern translates to a 750,000 rank. A Medium severity pattern translates to a 500,000 rank. And a High severity pattern translates to a 250,000 rank. Rank values less than 1 or greater than 1,000,000 are reserved for Amazon Web Services provided patterns.

" } } }, @@ -2501,6 +2533,10 @@ "WorkloadRemarks":{ "shape":"Remarks", "documentation":"

If logging is supported for the resource type, shows whether the component has configured logs to be monitored.

" + }, + "MissingWorkloadConfig":{ + "shape":"MissingWorkloadConfig", + "documentation":"

Indicates whether all of the component configurations required to monitor a workload were provided.

" } }, "documentation":"

Describes the workloads on a component.

" @@ -2540,7 +2576,7 @@ }, "WorkloadName":{ "type":"string", - "max":8, + "max":12, "min":1, "pattern":"[a-zA-Z0-9\\.\\-_]*" }, diff --git a/botocore/data/autoscaling/2011-01-01/service-2.json b/botocore/data/autoscaling/2011-01-01/service-2.json index d9b4c75eec..04b3760248 100644 --- a/botocore/data/autoscaling/2011-01-01/service-2.json +++ b/botocore/data/autoscaling/2011-01-01/service-2.json @@ -41,7 +41,7 @@ {"shape":"ResourceContentionFault"}, {"shape":"ServiceLinkedRoleFailure"} ], - "documentation":"

This API operation is superseded by AttachTrafficSources, which can attach multiple traffic sources types. We recommend using AttachTrafficSources to simplify how you manage traffic sources. However, we continue to support AttachLoadBalancerTargetGroups. You can use both the original AttachLoadBalancerTargetGroups API operation and AttachTrafficSources on the same Auto Scaling group.

Attaches one or more target groups to the specified Auto Scaling group.

This operation is used with the following load balancer types:

  • Application Load Balancer - Operates at the application layer (layer 7) and supports HTTP and HTTPS.

  • Network Load Balancer - Operates at the transport layer (layer 4) and supports TCP, TLS, and UDP.

  • Gateway Load Balancer - Operates at the network layer (layer 3).

To describe the target groups for an Auto Scaling group, call the DescribeLoadBalancerTargetGroups API. To detach the target group from the Auto Scaling group, call the DetachLoadBalancerTargetGroups API.

This operation is additive and does not detach existing target groups or Classic Load Balancers from the Auto Scaling group.

For more information, see Use Elastic Load Balancing to distribute traffic across the instances in your Auto Scaling group in the Amazon EC2 Auto Scaling User Guide.

" + "documentation":"

This API operation is superseded by AttachTrafficSources, which can attach multiple traffic sources types. We recommend using AttachTrafficSources to simplify how you manage traffic sources. However, we continue to support AttachLoadBalancerTargetGroups. You can use both the original AttachLoadBalancerTargetGroups API operation and AttachTrafficSources on the same Auto Scaling group.

Attaches one or more target groups to the specified Auto Scaling group.

This operation is used with the following load balancer types:

  • Application Load Balancer - Operates at the application layer (layer 7) and supports HTTP and HTTPS.

  • Network Load Balancer - Operates at the transport layer (layer 4) and supports TCP, TLS, and UDP.

  • Gateway Load Balancer - Operates at the network layer (layer 3).

To describe the target groups for an Auto Scaling group, call the DescribeLoadBalancerTargetGroups API. To detach the target group from the Auto Scaling group, call the DetachLoadBalancerTargetGroups API.

This operation is additive and does not detach existing target groups or Classic Load Balancers from the Auto Scaling group.

For more information, see Use Elastic Load Balancing to distribute traffic across the instances in your Auto Scaling group in the Amazon EC2 Auto Scaling User Guide.

" }, "AttachLoadBalancers":{ "name":"AttachLoadBalancers", @@ -58,7 +58,7 @@ {"shape":"ResourceContentionFault"}, {"shape":"ServiceLinkedRoleFailure"} ], - "documentation":"

This API operation is superseded by AttachTrafficSources, which can attach multiple traffic sources types. We recommend using AttachTrafficSources to simplify how you manage traffic sources. However, we continue to support AttachLoadBalancers. You can use both the original AttachLoadBalancers API operation and AttachTrafficSources on the same Auto Scaling group.

Attaches one or more Classic Load Balancers to the specified Auto Scaling group. Amazon EC2 Auto Scaling registers the running instances with these Classic Load Balancers.

To describe the load balancers for an Auto Scaling group, call the DescribeLoadBalancers API. To detach a load balancer from the Auto Scaling group, call the DetachLoadBalancers API.

This operation is additive and does not detach existing Classic Load Balancers or target groups from the Auto Scaling group.

For more information, see Use Elastic Load Balancing to distribute traffic across the instances in your Auto Scaling group in the Amazon EC2 Auto Scaling User Guide.

" + "documentation":"

This API operation is superseded by https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_AttachTrafficSources.html, which can attach multiple traffic sources types. We recommend using AttachTrafficSources to simplify how you manage traffic sources. However, we continue to support AttachLoadBalancers. You can use both the original AttachLoadBalancers API operation and AttachTrafficSources on the same Auto Scaling group.

Attaches one or more Classic Load Balancers to the specified Auto Scaling group. Amazon EC2 Auto Scaling registers the running instances with these Classic Load Balancers.

To describe the load balancers for an Auto Scaling group, call the DescribeLoadBalancers API. To detach a load balancer from the Auto Scaling group, call the DetachLoadBalancers API.

This operation is additive and does not detach existing Classic Load Balancers or target groups from the Auto Scaling group.

For more information, see Use Elastic Load Balancing to distribute traffic across the instances in your Auto Scaling group in the Amazon EC2 Auto Scaling User Guide.

" }, "AttachTrafficSources":{ "name":"AttachTrafficSources", @@ -75,7 +75,7 @@ {"shape":"ResourceContentionFault"}, {"shape":"ServiceLinkedRoleFailure"} ], - "documentation":"

Attaches one or more traffic sources to the specified Auto Scaling group.

You can use any of the following as traffic sources for an Auto Scaling group:

  • Application Load Balancer

  • Classic Load Balancer

  • Gateway Load Balancer

  • Network Load Balancer

  • VPC Lattice

This operation is additive and does not detach existing traffic sources from the Auto Scaling group.

After the operation completes, use the DescribeTrafficSources API to return details about the state of the attachments between traffic sources and your Auto Scaling group. To detach a traffic source from the Auto Scaling group, call the DetachTrafficSources API.

" + "documentation":"

Attaches one or more traffic sources to the specified Auto Scaling group.

You can use any of the following as traffic sources for an Auto Scaling group:

  • Application Load Balancer

  • Classic Load Balancer

  • Gateway Load Balancer

  • Network Load Balancer

  • VPC Lattice

This operation is additive and does not detach existing traffic sources from the Auto Scaling group.

After the operation completes, use the DescribeTrafficSources API to return details about the state of the attachments between traffic sources and your Auto Scaling group. To detach a traffic source from the Auto Scaling group, call the DetachTrafficSources API.

" }, "BatchDeleteScheduledAction":{ "name":"BatchDeleteScheduledAction", @@ -127,7 +127,7 @@ {"shape":"ResourceContentionFault"}, {"shape":"ActiveInstanceRefreshNotFoundFault"} ], - "documentation":"

Cancels an instance refresh or rollback that is in progress. If an instance refresh or rollback is not in progress, an ActiveInstanceRefreshNotFound error occurs.

This operation is part of the instance refresh feature in Amazon EC2 Auto Scaling, which helps you update instances in your Auto Scaling group after you make configuration changes.

When you cancel an instance refresh, this does not roll back any changes that it made. Use the RollbackInstanceRefresh API to roll back instead.

" + "documentation":"

Cancels an instance refresh or rollback that is in progress. If an instance refresh or rollback is not in progress, an ActiveInstanceRefreshNotFound error occurs.

This operation is part of the instance refresh feature in Amazon EC2 Auto Scaling, which helps you update instances in your Auto Scaling group after you make configuration changes.

When you cancel an instance refresh, this does not roll back any changes that it made. Use the RollbackInstanceRefresh API to roll back instead.

" }, "CompleteLifecycleAction":{ "name":"CompleteLifecycleAction", @@ -143,7 +143,7 @@ "errors":[ {"shape":"ResourceContentionFault"} ], - "documentation":"

Completes the lifecycle action for the specified token or instance with the specified result.

This step is a part of the procedure for adding a lifecycle hook to an Auto Scaling group:

  1. (Optional) Create a launch template or launch configuration with a user data script that runs while an instance is in a wait state due to a lifecycle hook.

  2. (Optional) Create a Lambda function and a rule that allows Amazon EventBridge to invoke your Lambda function when an instance is put into a wait state due to a lifecycle hook.

  3. (Optional) Create a notification target and an IAM role. The target can be either an Amazon SQS queue or an Amazon SNS topic. The role allows Amazon EC2 Auto Scaling to publish lifecycle notifications to the target.

  4. Create the lifecycle hook. Specify whether the hook is used when the instances launch or terminate.

  5. If you need more time, record the lifecycle action heartbeat to keep the instance in a wait state.

  6. If you finish before the timeout period ends, send a callback by using the CompleteLifecycleAction API call.

For more information, see Complete a lifecycle action in the Amazon EC2 Auto Scaling User Guide.

" + "documentation":"

Completes the lifecycle action for the specified token or instance with the specified result.

This step is a part of the procedure for adding a lifecycle hook to an Auto Scaling group:

  1. (Optional) Create a launch template or launch configuration with a user data script that runs while an instance is in a wait state due to a lifecycle hook.

  2. (Optional) Create a Lambda function and a rule that allows Amazon EventBridge to invoke your Lambda function when an instance is put into a wait state due to a lifecycle hook.

  3. (Optional) Create a notification target and an IAM role. The target can be either an Amazon SQS queue or an Amazon SNS topic. The role allows Amazon EC2 Auto Scaling to publish lifecycle notifications to the target.

  4. Create the lifecycle hook. Specify whether the hook is used when the instances launch or terminate.

  5. If you need more time, record the lifecycle action heartbeat to keep the instance in a wait state.

  6. If you finish before the timeout period ends, send a callback by using the CompleteLifecycleAction API call.

For more information, see Complete a lifecycle action in the Amazon EC2 Auto Scaling User Guide.

" }, "CreateAutoScalingGroup":{ "name":"CreateAutoScalingGroup", @@ -158,7 +158,7 @@ {"shape":"ResourceContentionFault"}, {"shape":"ServiceLinkedRoleFailure"} ], - "documentation":"

We strongly recommend using a launch template when calling this operation to ensure full functionality for Amazon EC2 Auto Scaling and Amazon EC2.

Creates an Auto Scaling group with the specified name and attributes.

If you exceed your maximum limit of Auto Scaling groups, the call fails. To query this limit, call the DescribeAccountLimits API. For information about updating this limit, see Quotas for Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide.

If you're new to Amazon EC2 Auto Scaling, see the introductory tutorials in Get started with Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide.

Every Auto Scaling group has three size properties (DesiredCapacity, MaxSize, and MinSize). Usually, you set these sizes based on a specific number of instances. However, if you configure a mixed instances policy that defines weights for the instance types, you must specify these sizes with the same units that you use for weighting instances.

" + "documentation":"

We strongly recommend using a launch template when calling this operation to ensure full functionality for Amazon EC2 Auto Scaling and Amazon EC2.

Creates an Auto Scaling group with the specified name and attributes.

If you exceed your maximum limit of Auto Scaling groups, the call fails. To query this limit, call the DescribeAccountLimits API. For information about updating this limit, see Quotas for Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide.

If you're new to Amazon EC2 Auto Scaling, see the introductory tutorials in Get started with Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide.

Every Auto Scaling group has three size properties (DesiredCapacity, MaxSize, and MinSize). Usually, you set these sizes based on a specific number of instances. However, if you configure a mixed instances policy that defines weights for the instance types, you must specify these sizes with the same units that you use for weighting instances.

" }, "CreateLaunchConfiguration":{ "name":"CreateLaunchConfiguration", @@ -172,7 +172,7 @@ {"shape":"LimitExceededFault"}, {"shape":"ResourceContentionFault"} ], - "documentation":"

Creates a launch configuration.

If you exceed your maximum limit of launch configurations, the call fails. To query this limit, call the DescribeAccountLimits API. For information about updating this limit, see Quotas for Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide.

For more information, see Launch configurations in the Amazon EC2 Auto Scaling User Guide.

Amazon EC2 Auto Scaling configures instances launched as part of an Auto Scaling group using either a launch template or a launch configuration. We strongly recommend that you do not use launch configurations. They do not provide full functionality for Amazon EC2 Auto Scaling or Amazon EC2. For information about using launch templates, see Launch templates in the Amazon EC2 Auto Scaling User Guide.

" + "documentation":"

Creates a launch configuration.

If you exceed your maximum limit of launch configurations, the call fails. To query this limit, call the DescribeAccountLimits API. For information about updating this limit, see Quotas for Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide.

For more information, see Launch configurations in the Amazon EC2 Auto Scaling User Guide.

Amazon EC2 Auto Scaling configures instances launched as part of an Auto Scaling group using either a launch template or a launch configuration. We strongly recommend that you do not use launch configurations. They do not provide full functionality for Amazon EC2 Auto Scaling or Amazon EC2. For information about using launch templates, see Launch templates in the Amazon EC2 Auto Scaling User Guide.

" }, "CreateOrUpdateTags":{ "name":"CreateOrUpdateTags", @@ -201,7 +201,7 @@ {"shape":"ResourceInUseFault"}, {"shape":"ResourceContentionFault"} ], - "documentation":"

Deletes the specified Auto Scaling group.

If the group has instances or scaling activities in progress, you must specify the option to force the deletion in order for it to succeed. The force delete operation will also terminate the EC2 instances. If the group has a warm pool, the force delete option also deletes the warm pool.

To remove instances from the Auto Scaling group before deleting it, call the DetachInstances API with the list of instances and the option to decrement the desired capacity. This ensures that Amazon EC2 Auto Scaling does not launch replacement instances.

To terminate all instances before deleting the Auto Scaling group, call the UpdateAutoScalingGroup API and set the minimum size and desired capacity of the Auto Scaling group to zero.

If the group has scaling policies, deleting the group deletes the policies, the underlying alarm actions, and any alarm that no longer has an associated action.

For more information, see Delete your Auto Scaling infrastructure in the Amazon EC2 Auto Scaling User Guide.

" + "documentation":"

Deletes the specified Auto Scaling group.

If the group has instances or scaling activities in progress, you must specify the option to force the deletion in order for it to succeed. The force delete operation will also terminate the EC2 instances. If the group has a warm pool, the force delete option also deletes the warm pool.

To remove instances from the Auto Scaling group before deleting it, call the DetachInstances API with the list of instances and the option to decrement the desired capacity. This ensures that Amazon EC2 Auto Scaling does not launch replacement instances.

To terminate all instances before deleting the Auto Scaling group, call the UpdateAutoScalingGroup API and set the minimum size and desired capacity of the Auto Scaling group to zero.

If the group has scaling policies, deleting the group deletes the policies, the underlying alarm actions, and any alarm that no longer has an associated action.

For more information, see Delete your Auto Scaling infrastructure in the Amazon EC2 Auto Scaling User Guide.

" }, "DeleteLaunchConfiguration":{ "name":"DeleteLaunchConfiguration", @@ -346,7 +346,7 @@ {"shape":"InvalidNextToken"}, {"shape":"ResourceContentionFault"} ], - "documentation":"

Gets information about the Auto Scaling groups in the account and Region.

If you specify Auto Scaling group names, the output includes information for only the specified Auto Scaling groups. If you specify filters, the output includes information for only those Auto Scaling groups that meet the filter criteria. If you do not specify group names or filters, the output includes information for all Auto Scaling groups.

This operation also returns information about instances in Auto Scaling groups. To retrieve information about the instances in a warm pool, you must call the DescribeWarmPool API.

" + "documentation":"

Gets information about the Auto Scaling groups in the account and Region.

If you specify Auto Scaling group names, the output includes information for only the specified Auto Scaling groups. If you specify filters, the output includes information for only those Auto Scaling groups that meet the filter criteria. If you do not specify group names or filters, the output includes information for all Auto Scaling groups.

This operation also returns information about instances in Auto Scaling groups. To retrieve information about the instances in a warm pool, you must call the DescribeWarmPool API.

" }, "DescribeAutoScalingInstances":{ "name":"DescribeAutoScalingInstances", @@ -460,7 +460,7 @@ {"shape":"ResourceContentionFault"}, {"shape":"InvalidNextToken"} ], - "documentation":"

This API operation is superseded by DescribeTrafficSources, which can describe multiple traffic sources types. We recommend using DetachTrafficSources to simplify how you manage traffic sources. However, we continue to support DescribeLoadBalancerTargetGroups. You can use both the original DescribeLoadBalancerTargetGroups API operation and DescribeTrafficSources on the same Auto Scaling group.

Gets information about the Elastic Load Balancing target groups for the specified Auto Scaling group.

To determine the attachment status of the target group, use the State element in the response. When you attach a target group to an Auto Scaling group, the initial State value is Adding. The state transitions to Added after all Auto Scaling instances are registered with the target group. If Elastic Load Balancing health checks are enabled for the Auto Scaling group, the state transitions to InService after at least one Auto Scaling instance passes the health check. When the target group is in the InService state, Amazon EC2 Auto Scaling can terminate and replace any instances that are reported as unhealthy. If no registered instances pass the health checks, the target group doesn't enter the InService state.

Target groups also have an InService state if you attach them in the CreateAutoScalingGroup API call. If your target group state is InService, but it is not working properly, check the scaling activities by calling DescribeScalingActivities and take any corrective actions necessary.

For help with failed health checks, see Troubleshooting Amazon EC2 Auto Scaling: Health checks in the Amazon EC2 Auto Scaling User Guide. For more information, see Use Elastic Load Balancing to distribute traffic across the instances in your Auto Scaling group in the Amazon EC2 Auto Scaling User Guide.

You can use this operation to describe target groups that were attached by using AttachLoadBalancerTargetGroups, but not for target groups that were attached by using AttachTrafficSources.

" + "documentation":"

This API operation is superseded by DescribeTrafficSources, which can describe multiple traffic sources types. We recommend using DetachTrafficSources to simplify how you manage traffic sources. However, we continue to support DescribeLoadBalancerTargetGroups. You can use both the original DescribeLoadBalancerTargetGroups API operation and DescribeTrafficSources on the same Auto Scaling group.

Gets information about the Elastic Load Balancing target groups for the specified Auto Scaling group.

To determine the attachment status of the target group, use the State element in the response. When you attach a target group to an Auto Scaling group, the initial State value is Adding. The state transitions to Added after all Auto Scaling instances are registered with the target group. If Elastic Load Balancing health checks are enabled for the Auto Scaling group, the state transitions to InService after at least one Auto Scaling instance passes the health check. When the target group is in the InService state, Amazon EC2 Auto Scaling can terminate and replace any instances that are reported as unhealthy. If no registered instances pass the health checks, the target group doesn't enter the InService state.

Target groups also have an InService state if you attach them in the CreateAutoScalingGroup API call. If your target group state is InService, but it is not working properly, check the scaling activities by calling DescribeScalingActivities and take any corrective actions necessary.

For help with failed health checks, see Troubleshooting Amazon EC2 Auto Scaling: Health checks in the Amazon EC2 Auto Scaling User Guide. For more information, see Use Elastic Load Balancing to distribute traffic across the instances in your Auto Scaling group in the Amazon EC2 Auto Scaling User Guide.

You can use this operation to describe target groups that were attached by using AttachLoadBalancerTargetGroups, but not for target groups that were attached by using AttachTrafficSources.

" }, "DescribeLoadBalancers":{ "name":"DescribeLoadBalancers", @@ -477,7 +477,7 @@ {"shape":"ResourceContentionFault"}, {"shape":"InvalidNextToken"} ], - "documentation":"

This API operation is superseded by DescribeTrafficSources, which can describe multiple traffic sources types. We recommend using DescribeTrafficSources to simplify how you manage traffic sources. However, we continue to support DescribeLoadBalancers. You can use both the original DescribeLoadBalancers API operation and DescribeTrafficSources on the same Auto Scaling group.

Gets information about the load balancers for the specified Auto Scaling group.

This operation describes only Classic Load Balancers. If you have Application Load Balancers, Network Load Balancers, or Gateway Load Balancers, use the DescribeLoadBalancerTargetGroups API instead.

To determine the attachment status of the load balancer, use the State element in the response. When you attach a load balancer to an Auto Scaling group, the initial State value is Adding. The state transitions to Added after all Auto Scaling instances are registered with the load balancer. If Elastic Load Balancing health checks are enabled for the Auto Scaling group, the state transitions to InService after at least one Auto Scaling instance passes the health check. When the load balancer is in the InService state, Amazon EC2 Auto Scaling can terminate and replace any instances that are reported as unhealthy. If no registered instances pass the health checks, the load balancer doesn't enter the InService state.

Load balancers also have an InService state if you attach them in the CreateAutoScalingGroup API call. If your load balancer state is InService, but it is not working properly, check the scaling activities by calling DescribeScalingActivities and take any corrective actions necessary.

For help with failed health checks, see Troubleshooting Amazon EC2 Auto Scaling: Health checks in the Amazon EC2 Auto Scaling User Guide. For more information, see Use Elastic Load Balancing to distribute traffic across the instances in your Auto Scaling group in the Amazon EC2 Auto Scaling User Guide.

" + "documentation":"

This API operation is superseded by DescribeTrafficSources, which can describe multiple traffic sources types. We recommend using DescribeTrafficSources to simplify how you manage traffic sources. However, we continue to support DescribeLoadBalancers. You can use both the original DescribeLoadBalancers API operation and DescribeTrafficSources on the same Auto Scaling group.

Gets information about the load balancers for the specified Auto Scaling group.

This operation describes only Classic Load Balancers. If you have Application Load Balancers, Network Load Balancers, or Gateway Load Balancers, use the DescribeLoadBalancerTargetGroups API instead.

To determine the attachment status of the load balancer, use the State element in the response. When you attach a load balancer to an Auto Scaling group, the initial State value is Adding. The state transitions to Added after all Auto Scaling instances are registered with the load balancer. If Elastic Load Balancing health checks are enabled for the Auto Scaling group, the state transitions to InService after at least one Auto Scaling instance passes the health check. When the load balancer is in the InService state, Amazon EC2 Auto Scaling can terminate and replace any instances that are reported as unhealthy. If no registered instances pass the health checks, the load balancer doesn't enter the InService state.

Load balancers also have an InService state if you attach them in the CreateAutoScalingGroup API call. If your load balancer state is InService, but it is not working properly, check the scaling activities by calling DescribeScalingActivities and take any corrective actions necessary.

For help with failed health checks, see Troubleshooting Amazon EC2 Auto Scaling: Health checks in the Amazon EC2 Auto Scaling User Guide. For more information, see Use Elastic Load Balancing to distribute traffic across the instances in your Auto Scaling group in the Amazon EC2 Auto Scaling User Guide.

" }, "DescribeMetricCollectionTypes":{ "name":"DescribeMetricCollectionTypes", @@ -559,7 +559,7 @@ "errors":[ {"shape":"ResourceContentionFault"} ], - "documentation":"

Describes the scaling process types for use with the ResumeProcesses and SuspendProcesses APIs.

" + "documentation":"

Describes the scaling process types for use with the ResumeProcesses and SuspendProcesses APIs.

" }, "DescribeScheduledActions":{ "name":"DescribeScheduledActions", @@ -576,7 +576,7 @@ {"shape":"InvalidNextToken"}, {"shape":"ResourceContentionFault"} ], - "documentation":"

Gets information about the scheduled actions that haven't run or that have not reached their end time.

To describe the scaling activities for scheduled actions that have already run, call the DescribeScalingActivities API.

" + "documentation":"

Gets information about the scheduled actions that haven't run or that have not reached their end time.

To describe the scaling activities for scheduled actions that have already run, call the DescribeScalingActivities API.

" }, "DescribeTags":{ "name":"DescribeTags", @@ -675,7 +675,7 @@ "errors":[ {"shape":"ResourceContentionFault"} ], - "documentation":"

This API operation is superseded by DetachTrafficSources, which can detach multiple traffic sources types. We recommend using DetachTrafficSources to simplify how you manage traffic sources. However, we continue to support DetachLoadBalancerTargetGroups. You can use both the original DetachLoadBalancerTargetGroups API operation and DetachTrafficSources on the same Auto Scaling group.

Detaches one or more target groups from the specified Auto Scaling group.

When you detach a target group, it enters the Removing state while deregistering the instances in the group. When all instances are deregistered, then you can no longer describe the target group using the DescribeLoadBalancerTargetGroups API call. The instances remain running.

You can use this operation to detach target groups that were attached by using AttachLoadBalancerTargetGroups, but not for target groups that were attached by using AttachTrafficSources.

" + "documentation":"

This API operation is superseded by DetachTrafficSources, which can detach multiple traffic sources types. We recommend using DetachTrafficSources to simplify how you manage traffic sources. However, we continue to support DetachLoadBalancerTargetGroups. You can use both the original DetachLoadBalancerTargetGroups API operation and DetachTrafficSources on the same Auto Scaling group.

Detaches one or more target groups from the specified Auto Scaling group.

When you detach a target group, it enters the Removing state while deregistering the instances in the group. When all instances are deregistered, then you can no longer describe the target group using the DescribeLoadBalancerTargetGroups API call. The instances remain running.

You can use this operation to detach target groups that were attached by using AttachLoadBalancerTargetGroups, but not for target groups that were attached by using AttachTrafficSources.

" }, "DetachLoadBalancers":{ "name":"DetachLoadBalancers", @@ -691,7 +691,7 @@ "errors":[ {"shape":"ResourceContentionFault"} ], - "documentation":"

This API operation is superseded by DetachTrafficSources, which can detach multiple traffic sources types. We recommend using DetachTrafficSources to simplify how you manage traffic sources. However, we continue to support DetachLoadBalancers. You can use both the original DetachLoadBalancers API operation and DetachTrafficSources on the same Auto Scaling group.

Detaches one or more Classic Load Balancers from the specified Auto Scaling group.

This operation detaches only Classic Load Balancers. If you have Application Load Balancers, Network Load Balancers, or Gateway Load Balancers, use the DetachLoadBalancerTargetGroups API instead.

When you detach a load balancer, it enters the Removing state while deregistering the instances in the group. When all instances are deregistered, then you can no longer describe the load balancer using the DescribeLoadBalancers API call. The instances remain running.

" + "documentation":"

This API operation is superseded by DetachTrafficSources, which can detach multiple traffic sources types. We recommend using DetachTrafficSources to simplify how you manage traffic sources. However, we continue to support DetachLoadBalancers. You can use both the original DetachLoadBalancers API operation and DetachTrafficSources on the same Auto Scaling group.

Detaches one or more Classic Load Balancers from the specified Auto Scaling group.

This operation detaches only Classic Load Balancers. If you have Application Load Balancers, Network Load Balancers, or Gateway Load Balancers, use the DetachLoadBalancerTargetGroups API instead.

When you detach a load balancer, it enters the Removing state while deregistering the instances in the group. When all instances are deregistered, then you can no longer describe the load balancer using the DescribeLoadBalancers API call. The instances remain running.

" }, "DetachTrafficSources":{ "name":"DetachTrafficSources", @@ -707,7 +707,7 @@ "errors":[ {"shape":"ResourceContentionFault"} ], - "documentation":"

Detaches one or more traffic sources from the specified Auto Scaling group.

When you detach a traffic source, it enters the Removing state while deregistering the instances in the group. When all instances are deregistered, then you can no longer describe the traffic source using the DescribeTrafficSources API call. The instances continue to run.

" + "documentation":"

Detaches one or more traffic sources from the specified Auto Scaling group.

When you detach a traffic source, it enters the Removing state while deregistering the instances in the group. When all instances are deregistered, then you can no longer describe the traffic source using the DescribeTrafficSources API call. The instances continue to run.

" }, "DisableMetricsCollection":{ "name":"DisableMetricsCollection", @@ -809,7 +809,7 @@ {"shape":"LimitExceededFault"}, {"shape":"ResourceContentionFault"} ], - "documentation":"

Creates or updates a lifecycle hook for the specified Auto Scaling group.

Lifecycle hooks let you create solutions that are aware of events in the Auto Scaling instance lifecycle, and then perform a custom action on instances when the corresponding lifecycle event occurs.

This step is a part of the procedure for adding a lifecycle hook to an Auto Scaling group:

  1. (Optional) Create a launch template or launch configuration with a user data script that runs while an instance is in a wait state due to a lifecycle hook.

  2. (Optional) Create a Lambda function and a rule that allows Amazon EventBridge to invoke your Lambda function when an instance is put into a wait state due to a lifecycle hook.

  3. (Optional) Create a notification target and an IAM role. The target can be either an Amazon SQS queue or an Amazon SNS topic. The role allows Amazon EC2 Auto Scaling to publish lifecycle notifications to the target.

  4. Create the lifecycle hook. Specify whether the hook is used when the instances launch or terminate.

  5. If you need more time, record the lifecycle action heartbeat to keep the instance in a wait state using the RecordLifecycleActionHeartbeat API call.

  6. If you finish before the timeout period ends, send a callback by using the CompleteLifecycleAction API call.

For more information, see Amazon EC2 Auto Scaling lifecycle hooks in the Amazon EC2 Auto Scaling User Guide.

If you exceed your maximum limit of lifecycle hooks, which by default is 50 per Auto Scaling group, the call fails.

You can view the lifecycle hooks for an Auto Scaling group using the DescribeLifecycleHooks API call. If you are no longer using a lifecycle hook, you can delete it by calling the DeleteLifecycleHook API.

" + "documentation":"

Creates or updates a lifecycle hook for the specified Auto Scaling group.

Lifecycle hooks let you create solutions that are aware of events in the Auto Scaling instance lifecycle, and then perform a custom action on instances when the corresponding lifecycle event occurs.

This step is a part of the procedure for adding a lifecycle hook to an Auto Scaling group:

  1. (Optional) Create a launch template or launch configuration with a user data script that runs while an instance is in a wait state due to a lifecycle hook.

  2. (Optional) Create a Lambda function and a rule that allows Amazon EventBridge to invoke your Lambda function when an instance is put into a wait state due to a lifecycle hook.

  3. (Optional) Create a notification target and an IAM role. The target can be either an Amazon SQS queue or an Amazon SNS topic. The role allows Amazon EC2 Auto Scaling to publish lifecycle notifications to the target.

  4. Create the lifecycle hook. Specify whether the hook is used when the instances launch or terminate.

  5. If you need more time, record the lifecycle action heartbeat to keep the instance in a wait state using the RecordLifecycleActionHeartbeat API call.

  6. If you finish before the timeout period ends, send a callback by using the CompleteLifecycleAction API call.

For more information, see Amazon EC2 Auto Scaling lifecycle hooks in the Amazon EC2 Auto Scaling User Guide.

If you exceed your maximum limit of lifecycle hooks, which by default is 50 per Auto Scaling group, the call fails.

You can view the lifecycle hooks for an Auto Scaling group using the DescribeLifecycleHooks API call. If you are no longer using a lifecycle hook, you can delete it by calling the DeleteLifecycleHook API.

" }, "PutNotificationConfiguration":{ "name":"PutNotificationConfiguration", @@ -841,7 +841,7 @@ {"shape":"ResourceContentionFault"}, {"shape":"ServiceLinkedRoleFailure"} ], - "documentation":"

Creates or updates a scaling policy for an Auto Scaling group. Scaling policies are used to scale an Auto Scaling group based on configurable metrics. If no policies are defined, the dynamic scaling and predictive scaling features are not used.

For more information about using dynamic scaling, see Target tracking scaling policies and Step and simple scaling policies in the Amazon EC2 Auto Scaling User Guide.

For more information about using predictive scaling, see Predictive scaling for Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide.

You can view the scaling policies for an Auto Scaling group using the DescribePolicies API call. If you are no longer using a scaling policy, you can delete it by calling the DeletePolicy API.

" + "documentation":"

Creates or updates a scaling policy for an Auto Scaling group. Scaling policies are used to scale an Auto Scaling group based on configurable metrics. If no policies are defined, the dynamic scaling and predictive scaling features are not used.

For more information about using dynamic scaling, see Target tracking scaling policies and Step and simple scaling policies in the Amazon EC2 Auto Scaling User Guide.

For more information about using predictive scaling, see Predictive scaling for Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide.

You can view the scaling policies for an Auto Scaling group using the DescribePolicies API call. If you are no longer using a scaling policy, you can delete it by calling the DeletePolicy API.

" }, "PutScheduledUpdateGroupAction":{ "name":"PutScheduledUpdateGroupAction", @@ -855,7 +855,7 @@ {"shape":"LimitExceededFault"}, {"shape":"ResourceContentionFault"} ], - "documentation":"

Creates or updates a scheduled scaling action for an Auto Scaling group.

For more information, see Scheduled scaling in the Amazon EC2 Auto Scaling User Guide.

You can view the scheduled actions for an Auto Scaling group using the DescribeScheduledActions API call. If you are no longer using a scheduled action, you can delete it by calling the DeleteScheduledAction API.

If you try to schedule your action in the past, Amazon EC2 Auto Scaling returns an error message.

" + "documentation":"

Creates or updates a scheduled scaling action for an Auto Scaling group.

For more information, see Scheduled scaling in the Amazon EC2 Auto Scaling User Guide.

You can view the scheduled actions for an Auto Scaling group using the DescribeScheduledActions API call. If you are no longer using a scheduled action, you can delete it by calling the DeleteScheduledAction API.

If you try to schedule your action in the past, Amazon EC2 Auto Scaling returns an error message.

" }, "PutWarmPool":{ "name":"PutWarmPool", @@ -872,7 +872,7 @@ {"shape":"LimitExceededFault"}, {"shape":"ResourceContentionFault"} ], - "documentation":"

Creates or updates a warm pool for the specified Auto Scaling group. A warm pool is a pool of pre-initialized EC2 instances that sits alongside the Auto Scaling group. Whenever your application needs to scale out, the Auto Scaling group can draw on the warm pool to meet its new desired capacity.

This operation must be called from the Region in which the Auto Scaling group was created.

You can view the instances in the warm pool using the DescribeWarmPool API call. If you are no longer using a warm pool, you can delete it by calling the DeleteWarmPool API.

For more information, see Warm pools for Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide.

" + "documentation":"

Creates or updates a warm pool for the specified Auto Scaling group. A warm pool is a pool of pre-initialized EC2 instances that sits alongside the Auto Scaling group. Whenever your application needs to scale out, the Auto Scaling group can draw on the warm pool to meet its new desired capacity.

This operation must be called from the Region in which the Auto Scaling group was created.

You can view the instances in the warm pool using the DescribeWarmPool API call. If you are no longer using a warm pool, you can delete it by calling the DeleteWarmPool API.

For more information, see Warm pools for Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide.

" }, "RecordLifecycleActionHeartbeat":{ "name":"RecordLifecycleActionHeartbeat", @@ -888,7 +888,7 @@ "errors":[ {"shape":"ResourceContentionFault"} ], - "documentation":"

Records a heartbeat for the lifecycle action associated with the specified token or instance. This extends the timeout by the length of time defined using the PutLifecycleHook API call.

This step is a part of the procedure for adding a lifecycle hook to an Auto Scaling group:

  1. (Optional) Create a launch template or launch configuration with a user data script that runs while an instance is in a wait state due to a lifecycle hook.

  2. (Optional) Create a Lambda function and a rule that allows Amazon EventBridge to invoke your Lambda function when an instance is put into a wait state due to a lifecycle hook.

  3. (Optional) Create a notification target and an IAM role. The target can be either an Amazon SQS queue or an Amazon SNS topic. The role allows Amazon EC2 Auto Scaling to publish lifecycle notifications to the target.

  4. Create the lifecycle hook. Specify whether the hook is used when the instances launch or terminate.

  5. If you need more time, record the lifecycle action heartbeat to keep the instance in a wait state.

  6. If you finish before the timeout period ends, send a callback by using the CompleteLifecycleAction API call.

For more information, see Amazon EC2 Auto Scaling lifecycle hooks in the Amazon EC2 Auto Scaling User Guide.

" + "documentation":"

Records a heartbeat for the lifecycle action associated with the specified token or instance. This extends the timeout by the length of time defined using the PutLifecycleHook API call.

This step is a part of the procedure for adding a lifecycle hook to an Auto Scaling group:

  1. (Optional) Create a launch template or launch configuration with a user data script that runs while an instance is in a wait state due to a lifecycle hook.

  2. (Optional) Create a Lambda function and a rule that allows Amazon EventBridge to invoke your Lambda function when an instance is put into a wait state due to a lifecycle hook.

  3. (Optional) Create a notification target and an IAM role. The target can be either an Amazon SQS queue or an Amazon SNS topic. The role allows Amazon EC2 Auto Scaling to publish lifecycle notifications to the target.

  4. Create the lifecycle hook. Specify whether the hook is used when the instances launch or terminate.

  5. If you need more time, record the lifecycle action heartbeat to keep the instance in a wait state.

  6. If you finish before the timeout period ends, send a callback by using the CompleteLifecycleAction API call.

For more information, see Amazon EC2 Auto Scaling lifecycle hooks in the Amazon EC2 Auto Scaling User Guide.

" }, "ResumeProcesses":{ "name":"ResumeProcesses", @@ -920,7 +920,7 @@ {"shape":"ActiveInstanceRefreshNotFoundFault"}, {"shape":"IrreversibleInstanceRefreshFault"} ], - "documentation":"

Cancels an instance refresh that is in progress and rolls back any changes that it made. Amazon EC2 Auto Scaling replaces any instances that were replaced during the instance refresh. This restores your Auto Scaling group to the configuration that it was using before the start of the instance refresh.

This operation is part of the instance refresh feature in Amazon EC2 Auto Scaling, which helps you update instances in your Auto Scaling group after you make configuration changes.

A rollback is not supported in the following situations:

  • There is no desired configuration specified for the instance refresh.

  • The Auto Scaling group has a launch template that uses an Amazon Web Services Systems Manager parameter instead of an AMI ID for the ImageId property.

  • The Auto Scaling group uses the launch template's $Latest or $Default version.

When you receive a successful response from this operation, Amazon EC2 Auto Scaling immediately begins replacing instances. You can check the status of this operation through the DescribeInstanceRefreshes API operation.

" + "documentation":"

Cancels an instance refresh that is in progress and rolls back any changes that it made. Amazon EC2 Auto Scaling replaces any instances that were replaced during the instance refresh. This restores your Auto Scaling group to the configuration that it was using before the start of the instance refresh.

This operation is part of the instance refresh feature in Amazon EC2 Auto Scaling, which helps you update instances in your Auto Scaling group after you make configuration changes.

A rollback is not supported in the following situations:

  • There is no desired configuration specified for the instance refresh.

  • The Auto Scaling group has a launch template that uses an Amazon Web Services Systems Manager parameter instead of an AMI ID for the ImageId property.

  • The Auto Scaling group uses the launch template's $Latest or $Default version.

When you receive a successful response from this operation, Amazon EC2 Auto Scaling immediately begins replacing instances. You can check the status of this operation through the DescribeInstanceRefreshes API operation.

" }, "SetDesiredCapacity":{ "name":"SetDesiredCapacity", @@ -980,7 +980,7 @@ {"shape":"ResourceContentionFault"}, {"shape":"InstanceRefreshInProgressFault"} ], - "documentation":"

Starts an instance refresh.

This operation is part of the instance refresh feature in Amazon EC2 Auto Scaling, which helps you update instances in your Auto Scaling group. This feature is helpful, for example, when you have a new AMI or a new user data script. You just need to create a new launch template that specifies the new AMI or user data script. Then start an instance refresh to immediately begin the process of updating instances in the group.

If successful, the request's response contains a unique ID that you can use to track the progress of the instance refresh. To query its status, call the DescribeInstanceRefreshes API. To describe the instance refreshes that have already run, call the DescribeInstanceRefreshes API. To cancel an instance refresh that is in progress, use the CancelInstanceRefresh API.

An instance refresh might fail for several reasons, such as EC2 launch failures, misconfigured health checks, or not ignoring or allowing the termination of instances that are in Standby state or protected from scale in. You can monitor for failed EC2 launches using the scaling activities. To find the scaling activities, call the DescribeScalingActivities API.

If you enable auto rollback, your Auto Scaling group will be rolled back automatically when the instance refresh fails. You can enable this feature before starting an instance refresh by specifying the AutoRollback property in the instance refresh preferences. Otherwise, to roll back an instance refresh before it finishes, use the RollbackInstanceRefresh API.

" + "documentation":"

Starts an instance refresh.

This operation is part of the instance refresh feature in Amazon EC2 Auto Scaling, which helps you update instances in your Auto Scaling group. This feature is helpful, for example, when you have a new AMI or a new user data script. You just need to create a new launch template that specifies the new AMI or user data script. Then start an instance refresh to immediately begin the process of updating instances in the group.

If successful, the request's response contains a unique ID that you can use to track the progress of the instance refresh. To query its status, call the DescribeInstanceRefreshes API. To describe the instance refreshes that have already run, call the DescribeInstanceRefreshes API. To cancel an instance refresh that is in progress, use the CancelInstanceRefresh API.

An instance refresh might fail for several reasons, such as EC2 launch failures, misconfigured health checks, or not ignoring or allowing the termination of instances that are in Standby state or protected from scale in. You can monitor for failed EC2 launches using the scaling activities. To find the scaling activities, call the DescribeScalingActivities API.

If you enable auto rollback, your Auto Scaling group will be rolled back automatically when the instance refresh fails. You can enable this feature before starting an instance refresh by specifying the AutoRollback property in the instance refresh preferences. Otherwise, to roll back an instance refresh before it finishes, use the RollbackInstanceRefresh API.

" }, "SuspendProcesses":{ "name":"SuspendProcesses", @@ -993,7 +993,7 @@ {"shape":"ResourceInUseFault"}, {"shape":"ResourceContentionFault"} ], - "documentation":"

Suspends the specified auto scaling processes, or all processes, for the specified Auto Scaling group.

If you suspend either the Launch or Terminate process types, it can prevent other process types from functioning properly. For more information, see Suspend and resume Amazon EC2 Auto Scaling processes in the Amazon EC2 Auto Scaling User Guide.

To resume processes that have been suspended, call the ResumeProcesses API.

" + "documentation":"

Suspends the specified auto scaling processes, or all processes, for the specified Auto Scaling group.

If you suspend either the Launch or Terminate process types, it can prevent other process types from functioning properly. For more information, see Suspend and resume Amazon EC2 Auto Scaling processes in the Amazon EC2 Auto Scaling User Guide.

To resume processes that have been suspended, call the ResumeProcesses API.

" }, "TerminateInstanceInAutoScalingGroup":{ "name":"TerminateInstanceInAutoScalingGroup", @@ -1024,7 +1024,7 @@ {"shape":"ResourceContentionFault"}, {"shape":"ServiceLinkedRoleFailure"} ], - "documentation":"

We strongly recommend that all Auto Scaling groups use launch templates to ensure full functionality for Amazon EC2 Auto Scaling and Amazon EC2.

Updates the configuration for the specified Auto Scaling group.

To update an Auto Scaling group, specify the name of the group and the property that you want to change. Any properties that you don't specify are not changed by this update request. The new settings take effect on any scaling activities after this call returns.

If you associate a new launch configuration or template with an Auto Scaling group, all new instances will get the updated configuration. Existing instances continue to run with the configuration that they were originally launched with. When you update a group to specify a mixed instances policy instead of a launch configuration or template, existing instances may be replaced to match the new purchasing options that you specified in the policy. For example, if the group currently has 100% On-Demand capacity and the policy specifies 50% Spot capacity, this means that half of your instances will be gradually terminated and relaunched as Spot Instances. When replacing instances, Amazon EC2 Auto Scaling launches new instances before terminating the old ones, so that updating your group does not compromise the performance or availability of your application.

Note the following about changing DesiredCapacity, MaxSize, or MinSize:

  • If a scale-in activity occurs as a result of a new DesiredCapacity value that is lower than the current size of the group, the Auto Scaling group uses its termination policy to determine which instances to terminate.

  • If you specify a new value for MinSize without specifying a value for DesiredCapacity, and the new MinSize is larger than the current size of the group, this sets the group's DesiredCapacity to the new MinSize value.

  • If you specify a new value for MaxSize without specifying a value for DesiredCapacity, and the new MaxSize is smaller than the current size of the group, this sets the group's DesiredCapacity to the new MaxSize value.

To see which properties have been set, call the DescribeAutoScalingGroups API. To view the scaling policies for an Auto Scaling group, call the DescribePolicies API. If the group has scaling policies, you can update them by calling the PutScalingPolicy API.

" + "documentation":"

We strongly recommend that all Auto Scaling groups use launch templates to ensure full functionality for Amazon EC2 Auto Scaling and Amazon EC2.

Updates the configuration for the specified Auto Scaling group.

To update an Auto Scaling group, specify the name of the group and the property that you want to change. Any properties that you don't specify are not changed by this update request. The new settings take effect on any scaling activities after this call returns.

If you associate a new launch configuration or template with an Auto Scaling group, all new instances will get the updated configuration. Existing instances continue to run with the configuration that they were originally launched with. When you update a group to specify a mixed instances policy instead of a launch configuration or template, existing instances may be replaced to match the new purchasing options that you specified in the policy. For example, if the group currently has 100% On-Demand capacity and the policy specifies 50% Spot capacity, this means that half of your instances will be gradually terminated and relaunched as Spot Instances. When replacing instances, Amazon EC2 Auto Scaling launches new instances before terminating the old ones, so that updating your group does not compromise the performance or availability of your application.

Note the following about changing DesiredCapacity, MaxSize, or MinSize:

  • If a scale-in activity occurs as a result of a new DesiredCapacity value that is lower than the current size of the group, the Auto Scaling group uses its termination policy to determine which instances to terminate.

  • If you specify a new value for MinSize without specifying a value for DesiredCapacity, and the new MinSize is larger than the current size of the group, this sets the group's DesiredCapacity to the new MinSize value.

  • If you specify a new value for MaxSize without specifying a value for DesiredCapacity, and the new MaxSize is smaller than the current size of the group, this sets the group's DesiredCapacity to the new MaxSize value.

To see which properties have been set, call the DescribeAutoScalingGroups API. To view the scaling policies for an Auto Scaling group, call the DescribePolicies API. If the group has scaling policies, you can update them by calling the PutScalingPolicy API.

" } }, "shapes":{ @@ -1040,7 +1040,7 @@ "documentation":"

The maximum value.

" } }, - "documentation":"

Specifies the minimum and maximum for the AcceleratorCount object when you specify InstanceRequirements for an Auto Scaling group.

" + "documentation":"

Specifies the minimum and maximum for the AcceleratorCount object when you specify InstanceRequirements for an Auto Scaling group.

" }, "AcceleratorManufacturer":{ "type":"string", @@ -1083,7 +1083,7 @@ "documentation":"

The memory maximum in MiB.

" } }, - "documentation":"

Specifies the minimum and maximum for the AcceleratorTotalMemoryMiB object when you specify InstanceRequirements for an Auto Scaling group.

" + "documentation":"

Specifies the minimum and maximum for the AcceleratorTotalMemoryMiB object when you specify InstanceRequirements for an Auto Scaling group.

" }, "AcceleratorType":{ "type":"string", @@ -1468,7 +1468,7 @@ }, "Status":{ "shape":"XmlStringMaxLen255", - "documentation":"

The current state of the group when the DeleteAutoScalingGroup operation is in progress.

" + "documentation":"

The current state of the group when the DeleteAutoScalingGroup operation is in progress.

" }, "Tags":{ "shape":"TagDescriptionList", @@ -1676,7 +1676,7 @@ "documentation":"

The maximum value in Mbps.

" } }, - "documentation":"

Specifies the minimum and maximum for the BaselineEbsBandwidthMbps object when you specify InstanceRequirements for an Auto Scaling group.

" + "documentation":"

Specifies the minimum and maximum for the BaselineEbsBandwidthMbps object when you specify InstanceRequirements for an Auto Scaling group.

" }, "BatchDeleteScheduledActionAnswer":{ "type":"structure", @@ -2967,7 +2967,7 @@ "members":{ "Name":{ "shape":"XmlString", - "documentation":"

The name of the filter.

The valid values for Name depend on which API operation you're using with the filter (DescribeAutoScalingGroups or DescribeTags).

DescribeAutoScalingGroups

Valid values for Name include the following:

  • tag-key - Accepts tag keys. The results only include information about the Auto Scaling groups associated with these tag keys.

  • tag-value - Accepts tag values. The results only include information about the Auto Scaling groups associated with these tag values.

  • tag:<key> - Accepts the key/value combination of the tag. Use the tag key in the filter name and the tag value as the filter value. The results only include information about the Auto Scaling groups associated with the specified key/value combination.

DescribeTags

Valid values for Name include the following:

  • auto-scaling-group - Accepts the names of Auto Scaling groups. The results only include information about the tags associated with these Auto Scaling groups.

  • key - Accepts tag keys. The results only include information about the tags associated with these tag keys.

  • value - Accepts tag values. The results only include information about the tags associated with these tag values.

  • propagate-at-launch - Accepts a Boolean value, which specifies whether tags propagate to instances at launch. The results only include information about the tags associated with the specified Boolean value.

" + "documentation":"

The name of the filter.

The valid values for Name depend on which API operation you're using with the filter (DescribeAutoScalingGroups or DescribeTags).

DescribeAutoScalingGroups

Valid values for Name include the following:

  • tag-key - Accepts tag keys. The results only include information about the Auto Scaling groups associated with these tag keys.

  • tag-value - Accepts tag values. The results only include information about the Auto Scaling groups associated with these tag values.

  • tag:<key> - Accepts the key/value combination of the tag. Use the tag key in the filter name and the tag value as the filter value. The results only include information about the Auto Scaling groups associated with the specified key/value combination.

DescribeTags

Valid values for Name include the following:

  • auto-scaling-group - Accepts the names of Auto Scaling groups. The results only include information about the tags associated with these Auto Scaling groups.

  • key - Accepts tag keys. The results only include information about the tags associated with these tag keys.

  • value - Accepts tag values. The results only include information about the tags associated with these tag values.

  • propagate-at-launch - Accepts a Boolean value, which specifies whether tags propagate to instances at launch. The results only include information about the tags associated with the specified Boolean value.

" }, "Values":{ "shape":"Values", @@ -3417,7 +3417,7 @@ "members":{ "OnDemandAllocationStrategy":{ "shape":"XmlString", - "documentation":"

The allocation strategy to apply to your On-Demand Instances when they are launched. Possible instance types are determined by the launch template overrides that you specify.

The following lists the valid values:

lowest-price

Uses price to determine which instance types are the highest priority, launching the lowest priced instance types within an Availability Zone first. This is the default value for Auto Scaling groups that specify InstanceRequirements.

prioritized

You set the order of instance types for the launch template overrides from highest to lowest priority (from first to last in the list). Amazon EC2 Auto Scaling launches your highest priority instance types first. If all your On-Demand capacity cannot be fulfilled using your highest priority instance type, then Amazon EC2 Auto Scaling launches the remaining capacity using the second priority instance type, and so on. This is the default value for Auto Scaling groups that don't specify InstanceRequirements and cannot be used for groups that do.

" + "documentation":"

The allocation strategy to apply to your On-Demand Instances when they are launched. Possible instance types are determined by the launch template overrides that you specify.

The following lists the valid values:

lowest-price

Uses price to determine which instance types are the highest priority, launching the lowest priced instance types within an Availability Zone first. This is the default value for Auto Scaling groups that specify InstanceRequirements.

prioritized

You set the order of instance types for the launch template overrides from highest to lowest priority (from first to last in the list). Amazon EC2 Auto Scaling launches your highest priority instance types first. If all your On-Demand capacity cannot be fulfilled using your highest priority instance type, then Amazon EC2 Auto Scaling launches the remaining capacity using the second priority instance type, and so on. This is the default value for Auto Scaling groups that don't specify InstanceRequirements and cannot be used for groups that do.

" }, "OnDemandBaseCapacity":{ "shape":"OnDemandBaseCapacity", @@ -3429,7 +3429,7 @@ }, "SpotAllocationStrategy":{ "shape":"XmlString", - "documentation":"

The allocation strategy to apply to your Spot Instances when they are launched. Possible instance types are determined by the launch template overrides that you specify.

The following lists the valid values:

capacity-optimized

Requests Spot Instances using pools that are optimally chosen based on the available Spot capacity. This strategy has the lowest risk of interruption. To give certain instance types a higher chance of launching first, use capacity-optimized-prioritized.

capacity-optimized-prioritized

You set the order of instance types for the launch template overrides from highest to lowest priority (from first to last in the list). Amazon EC2 Auto Scaling honors the instance type priorities on a best effort basis but optimizes for capacity first. Note that if the On-Demand allocation strategy is set to prioritized, the same priority is applied when fulfilling On-Demand capacity. This is not a valid value for Auto Scaling groups that specify InstanceRequirements.

lowest-price

Requests Spot Instances using the lowest priced pools within an Availability Zone, across the number of Spot pools that you specify for the SpotInstancePools property. To ensure that your desired capacity is met, you might receive Spot Instances from several pools. This is the default value, but it might lead to high interruption rates because this strategy only considers instance price and not available capacity.

price-capacity-optimized (recommended)

The price and capacity optimized allocation strategy looks at both price and capacity to select the Spot Instance pools that are the least likely to be interrupted and have the lowest possible price.

" + "documentation":"

The allocation strategy to apply to your Spot Instances when they are launched. Possible instance types are determined by the launch template overrides that you specify.

The following lists the valid values:

capacity-optimized

Requests Spot Instances using pools that are optimally chosen based on the available Spot capacity. This strategy has the lowest risk of interruption. To give certain instance types a higher chance of launching first, use capacity-optimized-prioritized.

capacity-optimized-prioritized

You set the order of instance types for the launch template overrides from highest to lowest priority (from first to last in the list). Amazon EC2 Auto Scaling honors the instance type priorities on a best effort basis but optimizes for capacity first. Note that if the On-Demand allocation strategy is set to prioritized, the same priority is applied when fulfilling On-Demand capacity. This is not a valid value for Auto Scaling groups that specify InstanceRequirements.

lowest-price

Requests Spot Instances using the lowest priced pools within an Availability Zone, across the number of Spot pools that you specify for the SpotInstancePools property. To ensure that your desired capacity is met, you might receive Spot Instances from several pools. This is the default value, but it might lead to high interruption rates because this strategy only considers instance price and not available capacity.

price-capacity-optimized (recommended)

The price and capacity optimized allocation strategy looks at both price and capacity to select the Spot Instance pools that are the least likely to be interrupted and have the lowest possible price.

" }, "SpotInstancePools":{ "shape":"SpotInstancePools", @@ -3946,7 +3946,7 @@ "documentation":"

The memory maximum in GiB.

" } }, - "documentation":"

Specifies the minimum and maximum for the MemoryGiBPerVCpu object when you specify InstanceRequirements for an Auto Scaling group.

" + "documentation":"

Specifies the minimum and maximum for the MemoryGiBPerVCpu object when you specify InstanceRequirements for an Auto Scaling group.

" }, "MemoryMiBRequest":{ "type":"structure", @@ -3961,7 +3961,7 @@ "documentation":"

The memory maximum in MiB.

" } }, - "documentation":"

Specifies the minimum and maximum for the MemoryMiB object when you specify InstanceRequirements for an Auto Scaling group.

" + "documentation":"

Specifies the minimum and maximum for the MemoryMiB object when you specify InstanceRequirements for an Auto Scaling group.

" }, "Metric":{ "type":"structure", @@ -4154,7 +4154,7 @@ "documentation":"

The maximum amount of network bandwidth, in gigabits per second (Gbps).

" } }, - "documentation":"

Specifies the minimum and maximum for the NetworkBandwidthGbps object when you specify InstanceRequirements for an Auto Scaling group.

Setting the minimum bandwidth does not guarantee that your instance will achieve the minimum bandwidth. Amazon EC2 will identify instance types that support the specified minimum bandwidth, but the actual bandwidth of your instance might go below the specified minimum at times. For more information, see Available instance bandwidth in the Amazon EC2 User Guide for Linux Instances.

" + "documentation":"

Specifies the minimum and maximum for the NetworkBandwidthGbps object when you specify InstanceRequirements for an Auto Scaling group.

Setting the minimum bandwidth does not guarantee that your instance will achieve the minimum bandwidth. Amazon EC2 will identify instance types that support the specified minimum bandwidth, but the actual bandwidth of your instance might go below the specified minimum at times. For more information, see Available instance bandwidth in the Amazon EC2 User Guide for Linux Instances.

" }, "NetworkInterfaceCountRequest":{ "type":"structure", @@ -4168,7 +4168,7 @@ "documentation":"

The maximum number of network interfaces.

" } }, - "documentation":"

Specifies the minimum and maximum for the NetworkInterfaceCount object when you specify InstanceRequirements for an Auto Scaling group.

" + "documentation":"

Specifies the minimum and maximum for the NetworkInterfaceCount object when you specify InstanceRequirements for an Auto Scaling group.

" }, "NoDevice":{"type":"boolean"}, "NonZeroIntPercent":{ @@ -4569,7 +4569,7 @@ }, "NotificationTypes":{ "shape":"AutoScalingNotificationTypes", - "documentation":"

The type of event that causes the notification to be sent. To query the notification types supported by Amazon EC2 Auto Scaling, call the DescribeAutoScalingNotificationTypes API.

" + "documentation":"

The type of event that causes the notification to be sent. To query the notification types supported by Amazon EC2 Auto Scaling, call the DescribeAutoScalingNotificationTypes API.

" } } }, @@ -5122,7 +5122,7 @@ "documentation":"

Specifies the time zone for a cron expression. If a time zone is not provided, UTC is used by default.

Valid values are the canonical names of the IANA time zones, derived from the IANA Time Zone Database (such as Etc/GMT+9 or Pacific/Tahiti). For more information, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.

" } }, - "documentation":"

Describes information used for one or more scheduled scaling action updates in a BatchPutScheduledUpdateGroupAction operation.

" + "documentation":"

Describes information used for one or more scheduled scaling action updates in a BatchPutScheduledUpdateGroupAction operation.

" }, "ScheduledUpdateGroupActionRequests":{ "type":"list", @@ -5507,7 +5507,7 @@ "documentation":"

The storage maximum in GB.

" } }, - "documentation":"

Specifies the minimum and maximum for the TotalLocalStorageGB object when you specify InstanceRequirements for an Auto Scaling group.

" + "documentation":"

Specifies the minimum and maximum for the TotalLocalStorageGB object when you specify InstanceRequirements for an Auto Scaling group.

" }, "TrafficSourceIdentifier":{ "type":"structure", @@ -5605,8 +5605,8 @@ "documentation":"

The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health status of an EC2 instance that has come into service and marking it unhealthy due to a failed health check. This is useful if your instances do not immediately pass their health checks after they enter the InService state. For more information, see Set the health check grace period for an Auto Scaling group in the Amazon EC2 Auto Scaling User Guide.

" }, "PlacementGroup":{ - "shape":"XmlStringMaxLen255", - "documentation":"

The name of an existing placement group into which to launch your instances. For more information, see Placement groups in the Amazon EC2 User Guide for Linux Instances.

A cluster placement group is a logical grouping of instances within a single Availability Zone. You cannot specify multiple Availability Zones and a cluster placement group.

" + "shape":"UpdatePlacementGroupParam", + "documentation":"

The name of an existing placement group into which to launch your instances. To remove the placement group setting, pass an empty string for placement-group. For more information about placement groups, see Placement groups in the Amazon EC2 User Guide for Linux Instances.

A cluster placement group is a logical grouping of instances within a single Availability Zone. You cannot specify multiple Availability Zones and a cluster placement group.

" }, "VPCZoneIdentifier":{ "shape":"XmlStringMaxLen5000", @@ -5650,6 +5650,12 @@ } } }, + "UpdatePlacementGroupParam":{ + "type":"string", + "max":255, + "min":0, + "pattern":"[\\u0020-\\uD7FF\\uE000-\\uFFFD\\uD800\\uDC00-\\uDBFF\\uDFFF\\r\\n\\t]*" + }, "VCpuCountRequest":{ "type":"structure", "required":["Min"], @@ -5663,7 +5669,7 @@ "documentation":"

The maximum number of vCPUs.

" } }, - "documentation":"

Specifies the minimum and maximum for the VCpuCount object when you specify InstanceRequirements for an Auto Scaling group.

" + "documentation":"

Specifies the minimum and maximum for the VCpuCount object when you specify InstanceRequirements for an Auto Scaling group.

" }, "Values":{ "type":"list", diff --git a/botocore/data/bedrock-agent-runtime/2023-07-26/service-2.json b/botocore/data/bedrock-agent-runtime/2023-07-26/service-2.json index c639c4d7af..cb83299431 100644 --- a/botocore/data/bedrock-agent-runtime/2023-07-26/service-2.json +++ b/botocore/data/bedrock-agent-runtime/2023-07-26/service-2.json @@ -394,7 +394,7 @@ "type":"string", "max":2048, "min":1, - "pattern":"^(arn:aws(-[^:]+)?:bedrock:[a-z0-9-]{1,20}:(([0-9]{12}:custom-model/[a-z0-9-]{1,63}[.]{1}[a-z0-9-]{1,63}/[a-z0-9]{12})|(:foundation-model/[a-z0-9-]{1,63}[.]{1}[a-z0-9-]{1,63}([.:]?[a-z0-9-]{1,63}))))|(arn:aws(|-us-gov|-cn|-iso|-iso-b):bedrock:(|[0-9a-z-]{1,20}):(|[0-9]{12}):inference-profile/[a-zA-Z0-9-:.]+)|([a-z0-9-]{1,63}[.]{1}[a-z0-9-]{1,63}([.:]?[a-z0-9-]{1,63}))|(([0-9a-zA-Z][_-]?)+)$" + "pattern":"^(arn:aws(-[^:]{1,10})?:bedrock:[a-z0-9-]{1,20}:([0-9]{12})?:([a-z-]{1,20}/)?)?([a-z0-9.-]{1,63}){0,2}(([:][a-z0-9-]{1,63}){0,2})?(/[a-z0-9]{1,12})?$" }, "Boolean":{ "type":"boolean", @@ -2144,8 +2144,19 @@ }, "OrchestrationConfiguration":{ "type":"structure", - "required":["queryTransformationConfiguration"], "members":{ + "additionalModelRequestFields":{ + "shape":"AdditionalModelRequestFields", + "documentation":"

Additional model parameters and corresponding values not included in the textInferenceConfig structure for a knowledge base. This allows users to provide custom model parameters specific to the language model being used.

" + }, + "inferenceConfig":{ + "shape":"InferenceConfig", + "documentation":"

Configuration settings for inference when using RetrieveAndGenerate to generate responses while using a knowledge base as a source.

" + }, + "promptTemplate":{ + "shape":"PromptTemplate", + "documentation":"

Contains the template for the prompt that's sent to the model for response generation.

" + }, "queryTransformationConfiguration":{ "shape":"QueryTransformationConfiguration", "documentation":"

To split up the prompt and retrieve multiple sources, set the transformation type to QUERY_DECOMPOSITION.

" @@ -2158,7 +2169,7 @@ "members":{ "metadata":{ "shape":"Metadata", - "documentation":"

Contains information about the foundation model output.

" + "documentation":"

Contains information about the foundation model output from the orchestration step.

" }, "rawResponse":{ "shape":"RawResponse", @@ -2280,12 +2291,18 @@ "PostProcessingModelInvocationOutput":{ "type":"structure", "members":{ - "metadata":{"shape":"Metadata"}, + "metadata":{ + "shape":"Metadata", + "documentation":"

Contains information about the foundation model output from the post-processing step.

" + }, "parsedResponse":{ "shape":"PostProcessingParsedResponse", "documentation":"

Details about the response from the Lambda parsing of the output of the post-processing step.

" }, - "rawResponse":{"shape":"RawResponse"}, + "rawResponse":{ + "shape":"RawResponse", + "documentation":"

Details of the raw response from the foundation model output.

" + }, "traceId":{ "shape":"TraceId", "documentation":"

The unique identifier of the trace.

" @@ -2324,12 +2341,18 @@ "PreProcessingModelInvocationOutput":{ "type":"structure", "members":{ - "metadata":{"shape":"Metadata"}, + "metadata":{ + "shape":"Metadata", + "documentation":"

Contains information about the foundation model output from the pre-processing step.

" + }, "parsedResponse":{ "shape":"PreProcessingParsedResponse", "documentation":"

Details about the response from the Lambda parsing of the output of the pre-processing step.

" }, - "rawResponse":{"shape":"RawResponse"}, + "rawResponse":{ + "shape":"RawResponse", + "documentation":"

Details of the raw response from the foundation model output.

" + }, "traceId":{ "shape":"TraceId", "documentation":"

The unique identifier of the trace.

" diff --git a/botocore/data/dms/2016-01-01/service-2.json b/botocore/data/dms/2016-01-01/service-2.json index d6f963db0e..fd5bcba50d 100644 --- a/botocore/data/dms/2016-01-01/service-2.json +++ b/botocore/data/dms/2016-01-01/service-2.json @@ -2937,6 +2937,10 @@ "shape":"PublicIpAddressList", "documentation":"

The IP addresses of the endpoints for the data migration.

" }, + "DataMigrationCidrBlocks":{ + "shape":"DataMigrationCidrBlock", + "documentation":"

The CIDR blocks of the endpoints for the data migration.

" + }, "LastFailureMessage":{ "shape":"String", "documentation":"

Information about the data migration's most recent error or failure.

" @@ -2948,6 +2952,10 @@ }, "documentation":"

This object provides information about a DMS data migration.

" }, + "DataMigrationCidrBlock":{ + "type":"list", + "member":{"shape":"String"} + }, "DataMigrationSettings":{ "type":"structure", "members":{ @@ -8907,6 +8915,14 @@ "AssessmentRunName":{ "shape":"String", "documentation":"

Unique name of the assessment run.

" + }, + "IsLatestTaskAssessmentRun":{ + "shape":"Boolean", + "documentation":"

Indicates that the following PreflightAssessmentRun is the latest for the ReplicationTask. The status is either true or false.

" + }, + "ResultStatistic":{ + "shape":"ReplicationTaskAssessmentRunResultStatistic", + "documentation":"

Result statistics for a completed assessment run, showing aggregated statistics of IndividualAssessments for how many assessments were passed, failed, or encountered issues such as errors or warnings.

" } }, "documentation":"

Provides information that describes a premigration assessment run that you have started using the StartReplicationTaskAssessmentRun operation.

Some of the information appears based on other operations that can return the ReplicationTaskAssessmentRun object.

" @@ -8929,6 +8945,32 @@ }, "documentation":"

The progress values reported by the AssessmentProgress response element.

" }, + "ReplicationTaskAssessmentRunResultStatistic":{ + "type":"structure", + "members":{ + "Passed":{ + "shape":"Integer", + "documentation":"

The number of individual assessments that successfully passed all checks in the assessment run.

" + }, + "Failed":{ + "shape":"Integer", + "documentation":"

The number of individual assessments that failed to meet the criteria defined in the assessment run.

" + }, + "Error":{ + "shape":"Integer", + "documentation":"

The number of individual assessments that encountered a critical error and could not complete properly.

" + }, + "Warning":{ + "shape":"Integer", + "documentation":"

Indicates that the recent completed AssessmentRun triggered a warning.

" + }, + "Cancelled":{ + "shape":"Integer", + "documentation":"

The number of individual assessments that were cancelled during the assessment run.

" + } + }, + "documentation":"

The object containing the result statistics for a completed assessment run.

" + }, "ReplicationTaskIndividualAssessment":{ "type":"structure", "members":{ @@ -9813,6 +9855,10 @@ "Exclude":{ "shape":"ExcludeTestList", "documentation":"

Space-separated list of names for specific individual assessments that you want to exclude. These names come from the default list of individual assessments that DMS supports for the associated migration task. This task is specified by ReplicationTaskArn.

You can't set a value for Exclude if you also set a value for IncludeOnly in the API operation.

To identify the names of the default individual assessments that DMS supports for the associated migration task, run the DescribeApplicableIndividualAssessments operation using its own ReplicationTaskArn request parameter.

" + }, + "Tags":{ + "shape":"TagList", + "documentation":"

One or more tags to be assigned to the premigration assessment run that you want to start.

" } }, "documentation":"

" diff --git a/botocore/data/ec2/2016-11-15/service-2.json b/botocore/data/ec2/2016-11-15/service-2.json index 7a4ee2d5fc..4706be5746 100644 --- a/botocore/data/ec2/2016-11-15/service-2.json +++ b/botocore/data/ec2/2016-11-15/service-2.json @@ -172,7 +172,7 @@ }, "input":{"shape":"AssignPrivateNatGatewayAddressRequest"}, "output":{"shape":"AssignPrivateNatGatewayAddressResult"}, - "documentation":"

Assigns private IPv4 addresses to a private NAT gateway. For more information, see Work with NAT gateways in the Amazon VPC User Guide.

" + "documentation":"

Assigns private IPv4 addresses to a private NAT gateway. For more information, see Work with NAT gateways in the Amazon VPC User Guide.

" }, "AssociateAddress":{ "name":"AssociateAddress", @@ -271,7 +271,7 @@ }, "input":{"shape":"AssociateNatGatewayAddressRequest"}, "output":{"shape":"AssociateNatGatewayAddressResult"}, - "documentation":"

Associates Elastic IP addresses (EIPs) and private IPv4 addresses with a public NAT gateway. For more information, see Work with NAT gateways in the Amazon VPC User Guide.

By default, you can associate up to 2 Elastic IP addresses per public NAT gateway. You can increase the limit by requesting a quota adjustment. For more information, see Elastic IP address quotas in the Amazon VPC User Guide.

When you associate an EIP or secondary EIPs with a public NAT gateway, the network border group of the EIPs must match the network border group of the Availability Zone (AZ) that the public NAT gateway is in. If it's not the same, the EIP will fail to associate. You can see the network border group for the subnet's AZ by viewing the details of the subnet. Similarly, you can view the network border group of an EIP by viewing the details of the EIP address. For more information about network border groups and EIPs, see Allocate an Elastic IP address in the Amazon VPC User Guide.

" + "documentation":"

Associates Elastic IP addresses (EIPs) and private IPv4 addresses with a public NAT gateway. For more information, see Work with NAT gateways in the Amazon VPC User Guide.

By default, you can associate up to 2 Elastic IP addresses per public NAT gateway. You can increase the limit by requesting a quota adjustment. For more information, see Elastic IP address quotas in the Amazon VPC User Guide.

When you associate an EIP or secondary EIPs with a public NAT gateway, the network border group of the EIPs must match the network border group of the Availability Zone (AZ) that the public NAT gateway is in. If it's not the same, the EIP will fail to associate. You can see the network border group for the subnet's AZ by viewing the details of the subnet. Similarly, you can view the network border group of an EIP by viewing the details of the EIP address. For more information about network border groups and EIPs, see Allocate an Elastic IP address in the Amazon VPC User Guide.

" }, "AssociateRouteTable":{ "name":"AssociateRouteTable", @@ -678,7 +678,7 @@ }, "input":{"shape":"CreateDefaultSubnetRequest"}, "output":{"shape":"CreateDefaultSubnetResult"}, - "documentation":"

Creates a default subnet with a size /20 IPv4 CIDR block in the specified Availability Zone in your default VPC. You can have only one default subnet per Availability Zone. For more information, see Create a default subnet in the Amazon VPC User Guide.

" + "documentation":"

Creates a default subnet with a size /20 IPv4 CIDR block in the specified Availability Zone in your default VPC. You can have only one default subnet per Availability Zone. For more information, see Create a default subnet in the Amazon VPC User Guide.

" }, "CreateDefaultVpc":{ "name":"CreateDefaultVpc", @@ -728,7 +728,7 @@ }, "input":{"shape":"CreateFlowLogsRequest"}, "output":{"shape":"CreateFlowLogsResult"}, - "documentation":"

Creates one or more flow logs to capture information about IP traffic for a specific network interface, subnet, or VPC.

Flow log data for a monitored network interface is recorded as flow log records, which are log events consisting of fields that describe the traffic flow. For more information, see Flow log records in the Amazon VPC User Guide.

When publishing to CloudWatch Logs, flow log records are published to a log group, and each network interface has a unique log stream in the log group. When publishing to Amazon S3, flow log records for all of the monitored network interfaces are published to a single log file object that is stored in the specified bucket.

For more information, see VPC Flow Logs in the Amazon VPC User Guide.

" + "documentation":"

Creates one or more flow logs to capture information about IP traffic for a specific network interface, subnet, or VPC.

Flow log data for a monitored network interface is recorded as flow log records, which are log events consisting of fields that describe the traffic flow. For more information, see Flow log records in the Amazon VPC User Guide.

When publishing to CloudWatch Logs, flow log records are published to a log group, and each network interface has a unique log stream in the log group. When publishing to Amazon S3, flow log records for all of the monitored network interfaces are published to a single log file object that is stored in the specified bucket.

For more information, see VPC Flow Logs in the Amazon VPC User Guide.

" }, "CreateFpgaImage":{ "name":"CreateFpgaImage", @@ -928,7 +928,7 @@ }, "input":{"shape":"CreateNatGatewayRequest"}, "output":{"shape":"CreateNatGatewayResult"}, - "documentation":"

Creates a NAT gateway in the specified subnet. This action creates a network interface in the specified subnet with a private IP address from the IP address range of the subnet. You can create either a public NAT gateway or a private NAT gateway.

With a public NAT gateway, internet-bound traffic from a private subnet can be routed to the NAT gateway, so that instances in a private subnet can connect to the internet.

With a private NAT gateway, private communication is routed across VPCs and on-premises networks through a transit gateway or virtual private gateway. Common use cases include running large workloads behind a small pool of allowlisted IPv4 addresses, preserving private IPv4 addresses, and communicating between overlapping networks.

For more information, see NAT gateways in the Amazon VPC User Guide.

When you create a public NAT gateway and assign it an EIP or secondary EIPs, the network border group of the EIPs must match the network border group of the Availability Zone (AZ) that the public NAT gateway is in. If it's not the same, the NAT gateway will fail to launch. You can see the network border group for the subnet's AZ by viewing the details of the subnet. Similarly, you can view the network border group of an EIP by viewing the details of the EIP address. For more information about network border groups and EIPs, see Allocate an Elastic IP address in the Amazon VPC User Guide.

" + "documentation":"

Creates a NAT gateway in the specified subnet. This action creates a network interface in the specified subnet with a private IP address from the IP address range of the subnet. You can create either a public NAT gateway or a private NAT gateway.

With a public NAT gateway, internet-bound traffic from a private subnet can be routed to the NAT gateway, so that instances in a private subnet can connect to the internet.

With a private NAT gateway, private communication is routed across VPCs and on-premises networks through a transit gateway or virtual private gateway. Common use cases include running large workloads behind a small pool of allowlisted IPv4 addresses, preserving private IPv4 addresses, and communicating between overlapping networks.

For more information, see NAT gateways in the Amazon VPC User Guide.

When you create a public NAT gateway and assign it an EIP or secondary EIPs, the network border group of the EIPs must match the network border group of the Availability Zone (AZ) that the public NAT gateway is in. If it's not the same, the NAT gateway will fail to launch. You can see the network border group for the subnet's AZ by viewing the details of the subnet. Similarly, you can view the network border group of an EIP by viewing the details of the EIP address. For more information about network border groups and EIPs, see Allocate an Elastic IP address in the Amazon VPC User Guide.

" }, "CreateNetworkAcl":{ "name":"CreateNetworkAcl", @@ -1127,7 +1127,7 @@ }, "input":{"shape":"CreateSubnetCidrReservationRequest"}, "output":{"shape":"CreateSubnetCidrReservationResult"}, - "documentation":"

Creates a subnet CIDR reservation. For more information, see Subnet CIDR reservations in the Amazon VPC User Guide and Assign prefixes to network interfaces in the Amazon EC2 User Guide.

" + "documentation":"

Creates a subnet CIDR reservation. For more information, see Subnet CIDR reservations in the Amazon VPC User Guide and Manage prefixes for your network interfaces in the Amazon EC2 User Guide.

" }, "CreateTags":{ "name":"CreateTags", @@ -2079,7 +2079,7 @@ "requestUri":"/" }, "input":{"shape":"DeleteVpcRequest"}, - "documentation":"

Deletes the specified VPC. You must detach or delete all gateways and resources that are associated with the VPC before you can delete it. For example, you must terminate all instances running in the VPC, delete all security groups associated with the VPC (except the default one), delete all route tables associated with the VPC (except the default one), and so on. When you delete the VPC, it deletes the VPC's default security group, network ACL, and route table.

" + "documentation":"

Deletes the specified VPC. You must detach or delete all gateways and resources that are associated with the VPC before you can delete it. For example, you must terminate all instances running in the VPC, delete all security groups associated with the VPC (except the default one), delete all route tables associated with the VPC (except the default one), and so on. When you delete the VPC, it deletes the default security group, network ACL, and route table for the VPC.

If you created a flow log for the VPC that you are deleting, note that flow logs for deleted VPCs are eventually automatically removed.

" }, "DeleteVpcEndpointConnectionNotifications":{ "name":"DeleteVpcEndpointConnectionNotifications", @@ -3872,7 +3872,7 @@ }, "input":{"shape":"DisableImageRequest"}, "output":{"shape":"DisableImageResult"}, - "documentation":"

Sets the AMI state to disabled and removes all launch permissions from the AMI. A disabled AMI can't be used for instance launches.

A disabled AMI can't be shared. If an AMI was public or previously shared, it is made private. If an AMI was shared with an Amazon Web Services account, organization, or Organizational Unit, they lose access to the disabled AMI.

A disabled AMI does not appear in DescribeImages API calls by default.

Only the AMI owner can disable an AMI.

You can re-enable a disabled AMI using EnableImage.

For more information, see Disable an AMI in the Amazon EC2 User Guide.

" + "documentation":"

Sets the AMI state to disabled and removes all launch permissions from the AMI. A disabled AMI can't be used for instance launches.

A disabled AMI can't be shared. If an AMI was public or previously shared, it is made private. If an AMI was shared with an Amazon Web Services account, organization, or Organizational Unit, they lose access to the disabled AMI.

A disabled AMI does not appear in DescribeImages API calls by default.

Only the AMI owner can disable an AMI.

You can re-enable a disabled AMI using EnableImage.

For more information, see Disable an AMI in the Amazon EC2 User Guide.

" }, "DisableImageBlockPublicAccess":{ "name":"DisableImageBlockPublicAccess", @@ -4060,7 +4060,7 @@ }, "input":{"shape":"DisassociateNatGatewayAddressRequest"}, "output":{"shape":"DisassociateNatGatewayAddressResult"}, - "documentation":"

Disassociates secondary Elastic IP addresses (EIPs) from a public NAT gateway. You cannot disassociate your primary EIP. For more information, see Edit secondary IP address associations in the Amazon VPC User Guide.

While disassociating is in progress, you cannot associate/disassociate additional EIPs while the connections are being drained. You are, however, allowed to delete the NAT gateway.

An EIP is released only at the end of MaxDrainDurationSeconds. It stays associated and supports the existing connections but does not support any new connections (new connections are distributed across the remaining associated EIPs). As the existing connections drain out, the EIPs (and the corresponding private IP addresses mapped to them) are released.

" + "documentation":"

Disassociates secondary Elastic IP addresses (EIPs) from a public NAT gateway. You cannot disassociate your primary EIP. For more information, see Edit secondary IP address associations in the Amazon VPC User Guide.

While disassociating is in progress, you cannot associate/disassociate additional EIPs while the connections are being drained. You are, however, allowed to delete the NAT gateway.

An EIP is released only at the end of MaxDrainDurationSeconds. It stays associated and supports the existing connections but does not support any new connections (new connections are distributed across the remaining associated EIPs). As the existing connections drain out, the EIPs (and the corresponding private IP addresses mapped to them) are released.

" }, "DisassociateRouteTable":{ "name":"DisassociateRouteTable", @@ -4517,7 +4517,7 @@ }, "input":{"shape":"GetInstanceTypesFromInstanceRequirementsRequest"}, "output":{"shape":"GetInstanceTypesFromInstanceRequirementsResult"}, - "documentation":"

Returns a list of instance types with the specified instance attributes. You can use the response to preview the instance types without launching instances. Note that the response does not consider capacity.

When you specify multiple parameters, you get instance types that satisfy all of the specified parameters. If you specify multiple values for a parameter, you get instance types that satisfy any of the specified values.

For more information, see Preview instance types with specified attributes, Attribute-based instance type selection for EC2 Fleet, Attribute-based instance type selection for Spot Fleet, and Spot placement score in the Amazon EC2 User Guide, and Creating an Auto Scaling group using attribute-based instance type selection in the Amazon EC2 Auto Scaling User Guide.

" + "documentation":"

Returns a list of instance types with the specified instance attributes. You can use the response to preview the instance types without launching instances. Note that the response does not consider capacity.

When you specify multiple parameters, you get instance types that satisfy all of the specified parameters. If you specify multiple values for a parameter, you get instance types that satisfy any of the specified values.

For more information, see Preview instance types with specified attributes, Specify attributes for instance type selection for EC2 Fleet or Spot Fleet, and Spot placement score in the Amazon EC2 User Guide, and Creating mixed instance groups using attribute-based instance type selection in the Amazon EC2 Auto Scaling User Guide.

" }, "GetInstanceUefiData":{ "name":"GetInstanceUefiData", @@ -6237,7 +6237,7 @@ }, "input":{"shape":"UnassignPrivateNatGatewayAddressRequest"}, "output":{"shape":"UnassignPrivateNatGatewayAddressResult"}, - "documentation":"

Unassigns secondary private IPv4 addresses from a private NAT gateway. You cannot unassign your primary private IP. For more information, see Edit secondary IP address associations in the Amazon VPC User Guide.

While unassigning is in progress, you cannot assign/unassign additional IP addresses while the connections are being drained. You are, however, allowed to delete the NAT gateway.

A private IP address will only be released at the end of MaxDrainDurationSeconds. The private IP addresses stay associated and support the existing connections, but do not support any new connections (new connections are distributed across the remaining assigned private IP address). After the existing connections drain out, the private IP addresses are released.

" + "documentation":"

Unassigns secondary private IPv4 addresses from a private NAT gateway. You cannot unassign your primary private IP. For more information, see Edit secondary IP address associations in the Amazon VPC User Guide.

While unassigning is in progress, you cannot assign/unassign additional IP addresses while the connections are being drained. You are, however, allowed to delete the NAT gateway.

A private IP address will only be released at the end of MaxDrainDurationSeconds. The private IP addresses stay associated and support the existing connections, but do not support any new connections (new connections are distributed across the remaining assigned private IP address). After the existing connections drain out, the private IP addresses are released.

" }, "UnlockSnapshot":{ "name":"UnlockSnapshot", @@ -8149,7 +8149,7 @@ }, "UnusedReservationBillingOwnerId":{ "shape":"AccountID", - "documentation":"

The ID of the consumer account to which assign billing.

" + "documentation":"

The ID of the consumer account to which to assign billing.

" } } }, @@ -13235,7 +13235,7 @@ }, "LogFormat":{ "shape":"String", - "documentation":"

The fields to include in the flow log record. List the fields in the order in which they should appear. If you omit this parameter, the flow log is created using the default format. If you specify this parameter, you must include at least one field. For more information about the available fields, see Flow log records in the Amazon VPC User Guide or Transit Gateway Flow Log records in the Amazon Web Services Transit Gateway Guide.

Specify the fields using the ${field-id} format, separated by spaces.

" + "documentation":"

The fields to include in the flow log record. List the fields in the order in which they should appear. If you omit this parameter, the flow log is created using the default format. If you specify this parameter, you must include at least one field. For more information about the available fields, see Flow log records in the Amazon VPC User Guide or Transit Gateway Flow Log records in the Amazon Web Services Transit Gateway Guide.

Specify the fields using the ${field-id} format, separated by spaces.

" }, "TagSpecifications":{ "shape":"TagSpecificationList", @@ -14139,17 +14139,17 @@ }, "SecondaryAllocationIds":{ "shape":"AllocationIdList", - "documentation":"

Secondary EIP allocation IDs. For more information, see Create a NAT gateway in the Amazon VPC User Guide.

", + "documentation":"

Secondary EIP allocation IDs. For more information, see Create a NAT gateway in the Amazon VPC User Guide.

", "locationName":"SecondaryAllocationId" }, "SecondaryPrivateIpAddresses":{ "shape":"IpList", - "documentation":"

Secondary private IPv4 addresses. For more information about secondary addresses, see Create a NAT gateway in the Amazon VPC User Guide.

", + "documentation":"

Secondary private IPv4 addresses. For more information about secondary addresses, see Create a NAT gateway in the Amazon VPC User Guide.

", "locationName":"SecondaryPrivateIpAddress" }, "SecondaryPrivateIpAddressCount":{ "shape":"PrivateIpAddressCount", - "documentation":"

[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see Create a NAT gateway in the Amazon VPC User Guide.

" + "documentation":"

[Private NAT gateway only] The number of secondary private IPv4 addresses you want to assign to the NAT gateway. For more information about secondary addresses, see Create a NAT gateway in the Amazon VPC User Guide.

" } } }, @@ -27705,7 +27705,7 @@ }, "KmsKeyId":{ "shape":"String", - "documentation":"

Identifier (key ID, key alias, ID ARN, or alias ARN) for a customer managed CMK under which the EBS volume is encrypted.

This parameter is only supported on BlockDeviceMapping objects called by RunInstances, RequestSpotFleet, and RequestSpotInstances.

", + "documentation":"

Identifier (key ID, key alias, key ARN, or alias ARN) of the customer managed KMS key to use for EBS encryption.

This parameter is only supported on BlockDeviceMapping objects called by RunInstances, RequestSpotFleet, and RequestSpotInstances.

", "locationName":"kmsKeyId" }, "Throughput":{ @@ -36506,7 +36506,7 @@ "locationName":"maxSpotPriceAsPercentageOfOptimalOnDemandPrice" } }, - "documentation":"

The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with these attributes.

You must specify VCpuCount and MemoryMiB. All other attributes are optional. Any unspecified optional attribute is set to its default.

When you specify multiple attributes, you get instance types that satisfy all of the specified attributes. If you specify multiple values for an attribute, you get instance types that satisfy any of the specified values.

To limit the list of instance types from which Amazon EC2 can identify matching instance types, you can use one of the following parameters, but not both in the same request:

  • AllowedInstanceTypes - The instance types to include in the list. All other instance types are ignored, even if they match your specified attributes.

  • ExcludedInstanceTypes - The instance types to exclude from the list, even if they match your specified attributes.

If you specify InstanceRequirements, you can't specify InstanceType.

Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the launch instance wizard or with the RunInstances API, you can't specify InstanceRequirements.

For more information, see Create a mixed instances group using attribute-based instance type selection in the Amazon EC2 Auto Scaling User Guide, and also Attribute-based instance type selection for EC2 Fleet, Attribute-based instance type selection for Spot Fleet, and Spot placement score in the Amazon EC2 User Guide.

" + "documentation":"

The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with these attributes.

You must specify VCpuCount and MemoryMiB. All other attributes are optional. Any unspecified optional attribute is set to its default.

When you specify multiple attributes, you get instance types that satisfy all of the specified attributes. If you specify multiple values for an attribute, you get instance types that satisfy any of the specified values.

To limit the list of instance types from which Amazon EC2 can identify matching instance types, you can use one of the following parameters, but not both in the same request:

  • AllowedInstanceTypes - The instance types to include in the list. All other instance types are ignored, even if they match your specified attributes.

  • ExcludedInstanceTypes - The instance types to exclude from the list, even if they match your specified attributes.

If you specify InstanceRequirements, you can't specify InstanceType.

Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the launch instance wizard or with the RunInstances API, you can't specify InstanceRequirements.

For more information, see Create mixed instances group using attribute-based instance type selection in the Amazon EC2 Auto Scaling User Guide, and also Specify attributes for instance type selection for EC2 Fleet or Spot Fleet and Spot placement score in the Amazon EC2 User Guide.

" }, "InstanceRequirementsRequest":{ "type":"structure", @@ -36620,7 +36620,7 @@ "documentation":"

[Price protection] The price protection threshold for Spot Instances, as a percentage of an identified On-Demand price. The identified On-Demand price is the price of the lowest priced current generation C, M, or R instance type with your specified attributes. If no current generation C, M, or R instance type matches your attributes, then the identified price is from the lowest priced current generation instance types, and failing that, from the lowest priced previous generation instance types that match your attributes. When Amazon EC2 selects instance types with your attributes, it will exclude instance types whose price exceeds your specified threshold.

The parameter accepts an integer, which Amazon EC2 interprets as a percentage.

If you set TargetCapacityUnitType to vcpu or memory-mib, the price protection threshold is based on the per vCPU or per memory price instead of the per instance price.

Only one of SpotMaxPricePercentageOverLowestPrice or MaxSpotPriceAsPercentageOfOptimalOnDemandPrice can be specified. If you don't specify either, Amazon EC2 will automatically apply optimal price protection to consistently select from a wide range of instance types. To indicate no price protection threshold for Spot Instances, meaning you want to consider all instance types that match your attributes, include one of these parameters and specify a high value, such as 999999.

" } }, - "documentation":"

The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with these attributes.

You must specify VCpuCount and MemoryMiB. All other attributes are optional. Any unspecified optional attribute is set to its default.

When you specify multiple attributes, you get instance types that satisfy all of the specified attributes. If you specify multiple values for an attribute, you get instance types that satisfy any of the specified values.

To limit the list of instance types from which Amazon EC2 can identify matching instance types, you can use one of the following parameters, but not both in the same request:

  • AllowedInstanceTypes - The instance types to include in the list. All other instance types are ignored, even if they match your specified attributes.

  • ExcludedInstanceTypes - The instance types to exclude from the list, even if they match your specified attributes.

If you specify InstanceRequirements, you can't specify InstanceType.

Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the launch instance wizard, or with the RunInstances API or AWS::EC2::Instance Amazon Web Services CloudFormation resource, you can't specify InstanceRequirements.

For more information, see Attribute-based instance type selection for EC2 Fleet, Attribute-based instance type selection for Spot Fleet, and Spot placement score in the Amazon EC2 User Guide.

" + "documentation":"

The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with these attributes.

You must specify VCpuCount and MemoryMiB. All other attributes are optional. Any unspecified optional attribute is set to its default.

When you specify multiple attributes, you get instance types that satisfy all of the specified attributes. If you specify multiple values for an attribute, you get instance types that satisfy any of the specified values.

To limit the list of instance types from which Amazon EC2 can identify matching instance types, you can use one of the following parameters, but not both in the same request:

  • AllowedInstanceTypes - The instance types to include in the list. All other instance types are ignored, even if they match your specified attributes.

  • ExcludedInstanceTypes - The instance types to exclude from the list, even if they match your specified attributes.

If you specify InstanceRequirements, you can't specify InstanceType.

Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the launch instance wizard, or with the RunInstances API or AWS::EC2::Instance Amazon Web Services CloudFormation resource, you can't specify InstanceRequirements.

For more information, see Specify attributes for instance type selection for EC2 Fleet or Spot Fleet and Spot placement score in the Amazon EC2 User Guide.

" }, "InstanceRequirementsWithMetadataRequest":{ "type":"structure", @@ -44285,7 +44285,7 @@ }, "EnableDns64":{ "shape":"AttributeBooleanValue", - "documentation":"

Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations.

You must first configure a NAT gateway in a public subnet (separate from the subnet containing the IPv6-only workloads). For example, the subnet containing the NAT gateway should have a 0.0.0.0/0 route pointing to the internet gateway. For more information, see Configure DNS64 and NAT64 in the Amazon VPC User Guide.

" + "documentation":"

Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations.

You must first configure a NAT gateway in a public subnet (separate from the subnet containing the IPv6-only workloads). For example, the subnet containing the NAT gateway should have a 0.0.0.0/0 route pointing to the internet gateway. For more information, see Configure DNS64 and NAT64 in the Amazon VPC User Guide.

" }, "PrivateDnsHostnameTypeOnLaunch":{ "shape":"HostnameType", @@ -46932,6 +46932,7 @@ "type":"string", "enum":[ "efa", + "efa-only", "branch", "trunk" ] @@ -47103,6 +47104,7 @@ "interface", "natGateway", "efa", + "efa-only", "trunk", "load_balancer", "network_load_balancer", @@ -50689,7 +50691,7 @@ }, "InstanceRequirements":{ "shape":"InstanceRequirementsRequest", - "documentation":"

The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with these attributes.

You must specify VCpuCount and MemoryMiB. All other attributes are optional. Any unspecified optional attribute is set to its default.

When you specify multiple attributes, you get instance types that satisfy all of the specified attributes. If you specify multiple values for an attribute, you get instance types that satisfy any of the specified values.

To limit the list of instance types from which Amazon EC2 can identify matching instance types, you can use one of the following parameters, but not both in the same request:

  • AllowedInstanceTypes - The instance types to include in the list. All other instance types are ignored, even if they match your specified attributes.

  • ExcludedInstanceTypes - The instance types to exclude from the list, even if they match your specified attributes.

If you specify InstanceRequirements, you can't specify InstanceType.

Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the launch instance wizard, or with the RunInstances API or AWS::EC2::Instance Amazon Web Services CloudFormation resource, you can't specify InstanceRequirements.

For more information, see Attribute-based instance type selection for EC2 Fleet, Attribute-based instance type selection for Spot Fleet, and Spot placement score in the Amazon EC2 User Guide.

" + "documentation":"

The attributes for the instance types. When you specify instance attributes, Amazon EC2 will identify instance types with these attributes.

You must specify VCpuCount and MemoryMiB. All other attributes are optional. Any unspecified optional attribute is set to its default.

When you specify multiple attributes, you get instance types that satisfy all of the specified attributes. If you specify multiple values for an attribute, you get instance types that satisfy any of the specified values.

To limit the list of instance types from which Amazon EC2 can identify matching instance types, you can use one of the following parameters, but not both in the same request:

  • AllowedInstanceTypes - The instance types to include in the list. All other instance types are ignored, even if they match your specified attributes.

  • ExcludedInstanceTypes - The instance types to exclude from the list, even if they match your specified attributes.

If you specify InstanceRequirements, you can't specify InstanceType.

Attribute-based instance type selection is only supported when using Auto Scaling groups, EC2 Fleet, and Spot Fleet to launch instances. If you plan to use the launch template in the launch instance wizard, or with the RunInstances API or AWS::EC2::Instance Amazon Web Services CloudFormation resource, you can't specify InstanceRequirements.

For more information, see Specify attributes for instance type selection for EC2 Fleet or Spot Fleet and Spot placement score in the Amazon EC2 User Guide.

" }, "PrivateDnsNameOptions":{ "shape":"LaunchTemplatePrivateDnsNameOptionsRequest", diff --git a/botocore/data/eks/2017-11-01/service-2.json b/botocore/data/eks/2017-11-01/service-2.json index 840ed07ec3..6fa05b7709 100644 --- a/botocore/data/eks/2017-11-01/service-2.json +++ b/botocore/data/eks/2017-11-01/service-2.json @@ -855,7 +855,7 @@ {"shape":"ResourceNotFoundException"}, {"shape":"InvalidRequestException"} ], - "documentation":"

Updates an Amazon EKS cluster configuration. Your cluster continues to function during the update. The response output includes an update ID that you can use to track the status of your cluster update with DescribeUpdate\"/>.

You can use this API operation to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster control plane logs in the Amazon EKS User Guide .

CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing.

You can also use this API operation to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Amazon EKS cluster endpoint access control in the Amazon EKS User Guide .

You can also use this API operation to choose different subnets and security groups for the cluster. You must specify at least two subnets that are in different Availability Zones. You can't change which VPC the subnets are from, the subnets must be in the same VPC as the subnets that the cluster was created with. For more information about the VPC requirements, see https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html in the Amazon EKS User Guide .

Cluster updates are asynchronous, and they should finish within a few minutes. During an update, the cluster status moves to UPDATING (this status transition is eventually consistent). When the update is complete (either Failed or Successful), the cluster status moves to Active.

" + "documentation":"

Updates an Amazon EKS cluster configuration. Your cluster continues to function during the update. The response output includes an update ID that you can use to track the status of your cluster update with DescribeUpdate\"/>.

You can use this API operation to enable or disable exporting the Kubernetes control plane logs for your cluster to CloudWatch Logs. By default, cluster control plane logs aren't exported to CloudWatch Logs. For more information, see Amazon EKS Cluster control plane logs in the Amazon EKS User Guide .

CloudWatch Logs ingestion, archive storage, and data scanning rates apply to exported control plane logs. For more information, see CloudWatch Pricing.

You can also use this API operation to enable or disable public and private access to your cluster's Kubernetes API server endpoint. By default, public access is enabled, and private access is disabled. For more information, see Amazon EKS cluster endpoint access control in the Amazon EKS User Guide .

You can also use this API operation to choose different subnets and security groups for the cluster. You must specify at least two subnets that are in different Availability Zones. You can't change which VPC the subnets are from, the subnets must be in the same VPC as the subnets that the cluster was created with. For more information about the VPC requirements, see https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html in the Amazon EKS User Guide .

You can also use this API operation to enable or disable ARC zonal shift. If zonal shift is enabled, Amazon Web Services configures zonal autoshift for the cluster.

Cluster updates are asynchronous, and they should finish within a few minutes. During an update, the cluster status moves to UPDATING (this status transition is eventually consistent). When the update is complete (either Failed or Successful), the cluster status moves to Active.

" }, "UpdateClusterVersion":{ "name":"UpdateClusterVersion", @@ -1665,6 +1665,10 @@ "upgradePolicy":{ "shape":"UpgradePolicyResponse", "documentation":"

This value indicates if extended support is enabled or disabled for the cluster.

Learn more about EKS Extended Support in the EKS User Guide.

" + }, + "zonalShiftConfig":{ + "shape":"ZonalShiftConfigResponse", + "documentation":"

The configuration for zonal shift for the cluster.

" } }, "documentation":"

An object representing an Amazon EKS cluster.

" @@ -1966,7 +1970,7 @@ "members":{ "name":{ "shape":"ClusterName", - "documentation":"

The unique name to give to your cluster.

" + "documentation":"

The unique name to give to your cluster. The name can contain only alphanumeric characters (case-sensitive), hyphens, and underscores. It must start with an alphanumeric character and can't be longer than 100 characters. The name must be unique within the Amazon Web Services Region and Amazon Web Services account that you're creating the cluster in.

" }, "version":{ "shape":"String", @@ -2016,6 +2020,10 @@ "upgradePolicy":{ "shape":"UpgradePolicyRequest", "documentation":"

New clusters, by default, have extended support enabled. You can disable extended support when creating a cluster by setting this value to STANDARD.

" + }, + "zonalShiftConfig":{ + "shape":"ZonalShiftConfigRequest", + "documentation":"

Enable or disable ARC zonal shift for the cluster. If zonal shift is enabled, Amazon Web Services configures zonal autoshift for the cluster.

Zonal shift is a feature of Amazon Application Recovery Controller (ARC). ARC zonal shift is designed to be a temporary measure that allows you to move traffic for a resource away from an impaired AZ until the zonal shift expires or you cancel it. You can extend the zonal shift if necessary.

You can start a zonal shift for an EKS cluster, or you can allow Amazon Web Services to do it for you by enabling zonal autoshift. This shift updates the flow of east-to-west network traffic in your cluster to only consider network endpoints for Pods running on worker nodes in healthy AZs. Additionally, any ALB or NLB handling ingress traffic for applications in your EKS cluster will automatically route traffic to targets in the healthy AZs. For more information about zonal shift in EKS, see Learn about Amazon Application Recovery Controller (ARC) Zonal Shift in Amazon EKS in the Amazon EKS User Guide .

" } } }, @@ -5204,6 +5212,10 @@ "upgradePolicy":{ "shape":"UpgradePolicyRequest", "documentation":"

You can enable or disable extended support for clusters currently on standard support. You cannot disable extended support once it starts. You must enable extended support before your cluster exits standard support.

" + }, + "zonalShiftConfig":{ + "shape":"ZonalShiftConfigRequest", + "documentation":"

Enable or disable ARC zonal shift for the cluster. If zonal shift is enabled, Amazon Web Services configures zonal autoshift for the cluster.

Zonal shift is a feature of Amazon Application Recovery Controller (ARC). ARC zonal shift is designed to be a temporary measure that allows you to move traffic for a resource away from an impaired AZ until the zonal shift expires or you cancel it. You can extend the zonal shift if necessary.

You can start a zonal shift for an EKS cluster, or you can allow Amazon Web Services to do it for you by enabling zonal autoshift. This shift updates the flow of east-to-west network traffic in your cluster to only consider network endpoints for Pods running on worker nodes in healthy AZs. Additionally, any ALB or NLB handling ingress traffic for applications in your EKS cluster will automatically route traffic to targets in the healthy AZs. For more information about zonal shift in EKS, see Learn about Amazon Application Recovery Controller (ARC) Zonal Shift in Amazon EKS in the Amazon EKS User Guide .

" } } }, @@ -5434,7 +5446,8 @@ "Subnets", "AuthenticationMode", "PodIdentityAssociations", - "UpgradePolicy" + "UpgradePolicy", + "ZonalShiftConfig" ] }, "UpdateParams":{ @@ -5516,7 +5529,8 @@ "AddonUpdate", "VpcConfigUpdate", "AccessConfigUpdate", - "UpgradePolicyUpdate" + "UpgradePolicyUpdate", + "ZonalShiftConfigUpdate" ] }, "UpgradePolicyRequest":{ @@ -5604,6 +5618,26 @@ "box":true, "min":0 }, + "ZonalShiftConfigRequest":{ + "type":"structure", + "members":{ + "enabled":{ + "shape":"BoxedBoolean", + "documentation":"

If zonal shift is enabled, Amazon Web Services configures zonal autoshift for the cluster.

" + } + }, + "documentation":"

The configuration for zonal shift for the cluster.

" + }, + "ZonalShiftConfigResponse":{ + "type":"structure", + "members":{ + "enabled":{ + "shape":"BoxedBoolean", + "documentation":"

Whether the zonal shift is enabled.

" + } + }, + "documentation":"

The status of zonal shift configuration for the cluster

" + }, "configStatus":{ "type":"string", "enum":[ diff --git a/botocore/data/fms/2018-01-01/service-2.json b/botocore/data/fms/2018-01-01/service-2.json index a2dc2137e6..8dbb9fdef9 100644 --- a/botocore/data/fms/2018-01-01/service-2.json +++ b/botocore/data/fms/2018-01-01/service-2.json @@ -2055,7 +2055,7 @@ "members":{ "PolicyId":{ "shape":"PolicyId", - "documentation":"

The ID of the Firewall Manager policy that you want the details for. You can get violation details for the following policy types:

  • DNS Firewall

  • Imported Network Firewall

  • Network Firewall

  • Security group content audit

  • Network ACL

  • Third-party firewall

" + "documentation":"

The ID of the Firewall Manager policy that you want the details for. You can get violation details for the following policy types:

  • WAF

  • DNS Firewall

  • Imported Network Firewall

  • Network Firewall

  • Security group content audit

  • Network ACL

  • Third-party firewall

" }, "MemberAccount":{ "shape":"AWSAccountId", @@ -2067,7 +2067,7 @@ }, "ResourceType":{ "shape":"ResourceType", - "documentation":"

The resource type. This is in the format shown in the Amazon Web Services Resource Types Reference. Supported resource types are: AWS::EC2::Instance, AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup, AWS::NetworkFirewall::FirewallPolicy, and AWS::EC2::Subnet.

" + "documentation":"

The resource type. This is in the format shown in the Amazon Web Services Resource Types Reference. Supported resource types are: AWS::WAFv2::WebACL, AWS::EC2::Instance, AWS::EC2::NetworkInterface, AWS::EC2::SecurityGroup, AWS::NetworkFirewall::FirewallPolicy, and AWS::EC2::Subnet.

" } } }, @@ -3792,6 +3792,10 @@ "min":1, "pattern":"^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$" }, + "ResourceArnList":{ + "type":"list", + "member":{"shape":"ResourceArn"} + }, "ResourceCount":{ "type":"long", "min":0 @@ -4045,6 +4049,14 @@ "PossibleRemediationActions":{ "shape":"PossibleRemediationActions", "documentation":"

A list of possible remediation action lists. Each individual possible remediation action is a list of individual remediation actions.

" + }, + "WebACLHasIncompatibleConfigurationViolation":{ + "shape":"WebACLHasIncompatibleConfigurationViolation", + "documentation":"

The violation details for a web ACL whose configuration is incompatible with the Firewall Manager policy.

" + }, + "WebACLHasOutOfScopeResourcesViolation":{ + "shape":"WebACLHasOutOfScopeResourcesViolation", + "documentation":"

The violation details for a web ACL that's associated with at least one resource that's out of scope of the Firewall Manager policy.

" } }, "documentation":"

Violation detail based on resource type.

" @@ -4206,7 +4218,7 @@ }, "ManagedServiceData":{ "shape":"ManagedServiceData", - "documentation":"

Details about the service that are specific to the service type, in JSON format.

  • Example: DNS_FIREWALL

    \"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"

    Valid values for preProcessRuleGroups are between 1 and 99. Valid values for postProcessRuleGroups are between 9901 and 10000.

  • Example: IMPORT_NETWORK_FIREWALL

    \"{\\\"type\\\":\\\"IMPORT_NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:000000000000:stateless-rulegroup\\/rg1\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:drop\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:pass\\\"],\\\"networkFirewallStatelessCustomActions\\\":[],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup\\/ThreatSignaturesEmergingEventsStrictOrder\\\",\\\"priority\\\":8}],\\\"networkFirewallStatefulEngineOptions\\\":{\\\"ruleOrder\\\":\\\"STRICT_ORDER\\\"},\\\"networkFirewallStatefulDefaultActions\\\":[\\\"aws:drop_strict\\\"]}}\"

    \"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"

    Valid values for preProcessRuleGroups are between 1 and 99. Valid values for postProcessRuleGroups are between 9901 and 10000.

  • Example: NETWORK_FIREWALL - Centralized deployment model

    \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"

    To use the centralized deployment model, you must set PolicyOption to CENTRALIZED.

  • Example: NETWORK_FIREWALL - Distributed deployment model with automatic Availability Zone configuration

    \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"

    With automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set PolicyOption to NULL.

  • Example: NETWORK_FIREWALL - Distributed deployment model with automatic Availability Zone configuration and route management

    \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"

    To use the distributed deployment model, you must set PolicyOption to NULL.

  • Example: NETWORK_FIREWALL - Distributed deployment model with custom Availability Zone configuration

    \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"

    With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring firewallCreationConfig. To configure the Availability Zones in firewallCreationConfig, specify either the availabilityZoneName or availabilityZoneId parameter, not both parameters.

    To use the distributed deployment model, you must set PolicyOption to NULL.

  • Example: NETWORK_FIREWALL - Distributed deployment model with custom Availability Zone configuration and route management

    \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"

    To use the distributed deployment model, you must set PolicyOption to NULL.

  • Example: SECURITY_GROUPS_COMMON

    \"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"

  • Example: SECURITY_GROUPS_COMMON - Security group tag distribution

    \"\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"revertManualSecurityGroupChanges\\\":true,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":false,\\\"enableTagDistribution\\\":true}\"\"

    Firewall Manager automatically distributes tags from the primary group to the security groups created by this policy. To use security group tag distribution, you must also set revertManualSecurityGroupChanges to true, otherwise Firewall Manager won't be able to create the policy. When you enable revertManualSecurityGroupChanges, Firewall Manager identifies and reports when the security groups created by this policy become non-compliant.

    Firewall Manager won't distribute system tags added by Amazon Web Services services into the replica security groups. System tags begin with the aws: prefix.

  • Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns

    \"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"

  • Example: SECURITY_GROUPS_CONTENT_AUDIT

    \"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"

    The security group action for content audit can be ALLOW or DENY. For ALLOW, all in-scope security group rules must be within the allowed range of the policy's security group rules. For DENY, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.

  • Example: SECURITY_GROUPS_USAGE_AUDIT

    \"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"

  • Example: SHIELD_ADVANCED with web ACL management

    \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"optimizeUnassociatedWebACL\\\":true}\"

    If you set optimizeUnassociatedWebACL to true, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.

    Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager doesn't disassociate the resource from the web ACL. If you want Firewall Manager to clean up the web ACL, you must first manually disassociate the resources from the web ACL, and then enable the manage unused web ACLs option in your policy.

    If you set optimizeUnassociatedWebACL to false, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.

  • Specification for SHIELD_ADVANCED for Amazon CloudFront distributions

    \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false, \\\"optimizeUnassociatedWebACL\\\":true|false}\"

    For example: \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"

    The default value for automaticResponseStatus is IGNORED. The value for automaticResponseAction is only required when automaticResponseStatus is set to ENABLED. The default value for overrideCustomerWebaclClassic is false.

    For other resource types that you can protect with a Shield Advanced policy, this ManagedServiceData configuration is an empty string.

  • Example: THIRD_PARTY_FIREWALL

    Replace THIRD_PARTY_FIREWALL_NAME with the name of the third-party firewall.

    \"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"THIRD_PARTY_FIREWALL_NAME\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] }, \"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{ \"firewallCreationConfig\":{ \"endpointLocation\":{ \"availabilityZoneConfigList\":[ { \"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }\"

  • Example: WAFV2 - Account takeover prevention, Bot Control managed rule groups, optimize unassociated web ACL, and rule action override

    \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesATPRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesATPRuleSet\\\":{\\\"loginPath\\\":\\\"/loginpath\\\",\\\"requestInspection\\\":{\\\"payloadType\\\":\\\"FORM_ENCODED|JSON\\\",\\\"usernameField\\\":{\\\"identifier\\\":\\\"/form/username\\\"},\\\"passwordField\\\":{\\\"identifier\\\":\\\"/form/password\\\"}}}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true},{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesBotControlRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesBotControlRuleSet\\\":{\\\"inspectionLevel\\\":\\\"TARGETED|COMMON\\\"}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true,\\\"ruleActionOverrides\\\":[{\\\"name\\\":\\\"Rule1\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}},{\\\"name\\\":\\\"Rule2\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"optimizeUnassociatedWebACL\\\":true}\"

    • Bot Control - For information about AWSManagedRulesBotControlRuleSet managed rule groups, see AWSManagedRulesBotControlRuleSet in the WAF API Reference.

    • Fraud Control account takeover prevention (ATP) - For information about the properties available for AWSManagedRulesATPRuleSet managed rule groups, see AWSManagedRulesATPRuleSet in the WAF API Reference.

    • Optimize unassociated web ACL - If you set optimizeUnassociatedWebACL to true, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.

      Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager disassociates the resource from the web ACL, but won't clean up the unused web ACL. Firewall Manager only cleans up unused web ACLs when you first enable management of unused web ACLs in a policy.

      If you set optimizeUnassociatedWebACL to false Firewall Manager doesn't manage unused web ACLs, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.

    • Rule action overrides - Firewall Manager supports rule action overrides only for managed rule groups. To configure a RuleActionOverrides add the Name of the rule to override, and ActionToUse, which is the new action to use for the rule. For information about using rule action override, see RuleActionOverride in the WAF API Reference.

  • Example: WAFV2 - CAPTCHA and Challenge configs

    \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"captchaConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":500}},\\\"challengeConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":800}},\\\"tokenDomains\\\":[\\\"google.com\\\",\\\"amazon.com\\\"],\\\"associationConfig\\\":{\\\"requestBody\\\":{\\\"CLOUDFRONT\\\":{\\\"defaultSizeInspectionLimit\\\":\\\"KB_16\\\"}}}}\"

    • CAPTCHA and Challenge configs - If you update the policy's values for associationConfig, captchaConfig, challengeConfig, or tokenDomains, Firewall Manager will overwrite your local web ACLs to contain the new value(s). However, if you don't update the policy's associationConfig, captchaConfig, challengeConfig, or tokenDomains values, the values in your local web ACLs will remain unchanged. For information about association configs, see AssociationConfig. For information about CAPTCHA and Challenge configs, see CaptchaConfig and ChallengeConfig in the WAF API Reference.

    • defaultSizeInspectionLimit - Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to WAF for inspection. For more information, see DefaultSizeInspectionLimit in the WAF API Reference.

  • Example: WAFV2 - Firewall Manager support for WAF managed rule group versioning

    \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":true,\\\"version\\\":\\\"Version_2.0\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesCommonRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"

    To use a specific version of a WAF managed rule group in your Firewall Manager policy, you must set versionEnabled to true, and set version to the version you'd like to use. If you don't set versionEnabled to true, or if you omit versionEnabled, then Firewall Manager uses the default version of the WAF managed rule group.

  • Example: WAFV2 - Logging configurations

    \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null, \\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\": {\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\", \\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"} ,\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[], \\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[], \\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\" :null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\" :false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\": [\\\"arn:aws:s3:::aws-waf-logs-example-bucket\\\"] ,\\\"redactedFields\\\":[],\\\"loggingFilterConfigs\\\":{\\\"defaultBehavior\\\":\\\"KEEP\\\", \\\"filters\\\":[{\\\"behavior\\\":\\\"KEEP\\\",\\\"requirement\\\":\\\"MEETS_ALL\\\", \\\"conditions\\\":[{\\\"actionCondition\\\":\\\"CAPTCHA\\\"},{\\\"actionCondition\\\": \\\"CHALLENGE\\\"}, {\\\"actionCondition\\\":\\\"EXCLUDED_AS_COUNT\\\"}]}]}},\\\"sampledRequestsEnabledForDefaultActions\\\":true}\"

    Firewall Manager supports Amazon Kinesis Data Firehose and Amazon S3 as the logDestinationConfigs in your loggingConfiguration. For information about WAF logging configurations, see LoggingConfiguration in the WAF API Reference

    In the loggingConfiguration, you can specify one logDestinationConfigs. Optionally provide as many as 20 redactedFields. The RedactedFieldType must be one of URI, QUERY_STRING, HEADER, or METHOD.

  • Example: WAF Classic

    \"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"

" + "documentation":"

Details about the service that are specific to the service type, in JSON format.

  • Example: DNS_FIREWALL

    \"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"

    Valid values for preProcessRuleGroups are between 1 and 99. Valid values for postProcessRuleGroups are between 9901 and 10000.

  • Example: IMPORT_NETWORK_FIREWALL

    \"{\\\"type\\\":\\\"IMPORT_NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:000000000000:stateless-rulegroup\\/rg1\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:drop\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:pass\\\"],\\\"networkFirewallStatelessCustomActions\\\":[],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup\\/ThreatSignaturesEmergingEventsStrictOrder\\\",\\\"priority\\\":8}],\\\"networkFirewallStatefulEngineOptions\\\":{\\\"ruleOrder\\\":\\\"STRICT_ORDER\\\"},\\\"networkFirewallStatefulDefaultActions\\\":[\\\"aws:drop_strict\\\"]}}\"

    \"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"

    Valid values for preProcessRuleGroups are between 1 and 99. Valid values for postProcessRuleGroups are between 9901 and 10000.

  • Example: NETWORK_FIREWALL - Centralized deployment model

    \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"

    To use the centralized deployment model, you must set PolicyOption to CENTRALIZED.

  • Example: NETWORK_FIREWALL - Distributed deployment model with automatic Availability Zone configuration

    \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"OFF\\\"},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"

    With automatic Availbility Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set PolicyOption to NULL.

  • Example: NETWORK_FIREWALL - Distributed deployment model with automatic Availability Zone configuration and route management

    \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\",\\\"192.168.0.0/28\\\"],\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"]},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\": \\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}}\"

    To use the distributed deployment model, you must set PolicyOption to NULL.

  • Example: NETWORK_FIREWALL - Distributed deployment model with custom Availability Zone configuration

    \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\", \\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{ \\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"]}]} },\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"OFF\\\",\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"

    With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring firewallCreationConfig. To configure the Availability Zones in firewallCreationConfig, specify either the availabilityZoneName or availabilityZoneId parameter, not both parameters.

    To use the distributed deployment model, you must set PolicyOption to NULL.

  • Example: NETWORK_FIREWALL - Distributed deployment model with custom Availability Zone configuration and route management

    \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"fragmentcustomactionname\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}},{\\\"actionName\\\":\\\"fragmentcustomactionname\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"fragmentmetricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]},{\\\"availabilityZoneName\\\":\\\"us-east-1b\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"singleFirewallEndpointPerVPC\\\":false,\\\"allowedIPV4CidrList\\\":null,\\\"routeManagementAction\\\":\\\"MONITOR\\\",\\\"routeManagementTargetTypes\\\":[\\\"InternetGateway\\\"],\\\"routeManagementConfig\\\":{\\\"allowCrossAZTrafficIfNoEndpoint\\\":true}},\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":boolean}}\"

    To use the distributed deployment model, you must set PolicyOption to NULL.

  • Example: SECURITY_GROUPS_COMMON

    \"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-03b1f67d69ed00197\\\"}],\\\"revertManualSecurityGroupChanges\\\":true,\\\"exclusiveResourceSecurityGroupManagement\\\":true,\\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"enableSecurityGroupReferencesDistribution\\\":true}\"

  • Example: SECURITY_GROUPS_COMMON - Security group tag distribution

    \"\"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"revertManualSecurityGroupChanges\\\":true,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":false,\\\"enableTagDistribution\\\":true}\"\"

    Firewall Manager automatically distributes tags from the primary group to the security groups created by this policy. To use security group tag distribution, you must also set revertManualSecurityGroupChanges to true, otherwise Firewall Manager won't be able to create the policy. When you enable revertManualSecurityGroupChanges, Firewall Manager identifies and reports when the security groups created by this policy become non-compliant.

    Firewall Manager won't distribute system tags added by Amazon Web Services services into the replica security groups. System tags begin with the aws: prefix.

  • Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns

    \"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"

  • Example: SECURITY_GROUPS_CONTENT_AUDIT

    \"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"preManagedOptions\\\":[{\\\"denyProtocolAllValue\\\":true},{\\\"auditSgDirection\\\":{\\\"type\\\":\\\"ALL\\\"}}],\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-049b2393a25468971\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"

    The security group action for content audit can be ALLOW or DENY. For ALLOW, all in-scope security group rules must be within the allowed range of the policy's security group rules. For DENY, all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.

  • Example: SECURITY_GROUPS_USAGE_AUDIT

    \"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true,\\\"optionalDelayForUnusedInMinutes\\\":60}\"

  • Example: SHIELD_ADVANCED with web ACL management

    \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"optimizeUnassociatedWebACL\\\":true}\"

    If you set optimizeUnassociatedWebACL to true, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.

    Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager doesn't disassociate the resource from the web ACL. If you want Firewall Manager to clean up the web ACL, you must first manually disassociate the resources from the web ACL, and then enable the manage unused web ACLs option in your policy.

    If you set optimizeUnassociatedWebACL to false, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.

  • Specification for SHIELD_ADVANCED for Amazon CloudFront distributions

    \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false, \\\"optimizeUnassociatedWebACL\\\":true|false}\"

    For example: \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"

    The default value for automaticResponseStatus is IGNORED. The value for automaticResponseAction is only required when automaticResponseStatus is set to ENABLED. The default value for overrideCustomerWebaclClassic is false.

    For other resource types that you can protect with a Shield Advanced policy, this ManagedServiceData configuration is an empty string.

  • Example: THIRD_PARTY_FIREWALL

    Replace THIRD_PARTY_FIREWALL_NAME with the name of the third-party firewall.

    \"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"THIRD_PARTY_FIREWALL_NAME\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] }, \"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{ \"firewallCreationConfig\":{ \"endpointLocation\":{ \"availabilityZoneConfigList\":[ { \"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }\"

  • Example: WAFV2 - Account takeover prevention, Bot Control managed rule groups, optimize unassociated web ACL, and rule action override

    \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesATPRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesATPRuleSet\\\":{\\\"loginPath\\\":\\\"/loginpath\\\",\\\"requestInspection\\\":{\\\"payloadType\\\":\\\"FORM_ENCODED|JSON\\\",\\\"usernameField\\\":{\\\"identifier\\\":\\\"/form/username\\\"},\\\"passwordField\\\":{\\\"identifier\\\":\\\"/form/password\\\"}}}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true},{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesBotControlRuleSet\\\",\\\"managedRuleGroupConfigs\\\":[{\\\"awsmanagedRulesBotControlRuleSet\\\":{\\\"inspectionLevel\\\":\\\"TARGETED|COMMON\\\"}}]},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true,\\\"ruleActionOverrides\\\":[{\\\"name\\\":\\\"Rule1\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}},{\\\"name\\\":\\\"Rule2\\\",\\\"actionToUse\\\":{\\\"allow|block|count|captcha|challenge\\\":{}}}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"optimizeUnassociatedWebACL\\\":true}\"

    • Bot Control - For information about AWSManagedRulesBotControlRuleSet managed rule groups, see AWSManagedRulesBotControlRuleSet in the WAF API Reference.

    • Fraud Control account takeover prevention (ATP) - For information about the properties available for AWSManagedRulesATPRuleSet managed rule groups, see AWSManagedRulesATPRuleSet in the WAF API Reference.

    • Optimize unassociated web ACL - If you set optimizeUnassociatedWebACL to true, Firewall Manager creates web ACLs in accounts within the policy scope if the web ACLs will be used by at least one resource. Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL.

      Upon enablement, Firewall Manager performs a one-time cleanup of unused web ACLs in your account. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager disassociates the resource from the web ACL, but won't clean up the unused web ACL. Firewall Manager only cleans up unused web ACLs when you first enable management of unused web ACLs in a policy.

      If you set optimizeUnassociatedWebACL to false Firewall Manager doesn't manage unused web ACLs, and Firewall Manager automatically creates an empty web ACL in each account that's within policy scope.

    • Rule action overrides - Firewall Manager supports rule action overrides only for managed rule groups. To configure a RuleActionOverrides add the Name of the rule to override, and ActionToUse, which is the new action to use for the rule. For information about using rule action override, see RuleActionOverride in the WAF API Reference.

  • Example: WAFV2 - CAPTCHA and Challenge configs

    \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[],\\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":null,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"captchaConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":500}},\\\"challengeConfig\\\":{\\\"immunityTimeProperty\\\":{\\\"immunityTime\\\":800}},\\\"tokenDomains\\\":[\\\"google.com\\\",\\\"amazon.com\\\"],\\\"associationConfig\\\":{\\\"requestBody\\\":{\\\"CLOUDFRONT\\\":{\\\"defaultSizeInspectionLimit\\\":\\\"KB_16\\\"}}}}\"

    • CAPTCHA and Challenge configs - If you update the policy's values for associationConfig, captchaConfig, challengeConfig, or tokenDomains, Firewall Manager will overwrite your local web ACLs to contain the new value(s). However, if you don't update the policy's associationConfig, captchaConfig, challengeConfig, or tokenDomains values, the values in your local web ACLs will remain unchanged. For information about association configs, see AssociationConfig. For information about CAPTCHA and Challenge configs, see CaptchaConfig and ChallengeConfig in the WAF API Reference.

    • defaultSizeInspectionLimit - Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to WAF for inspection. For more information, see DefaultSizeInspectionLimit in the WAF API Reference.

  • Example: WAFV2 - Firewall Manager support for WAF managed rule group versioning

    \"{\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"sampledRequestsEnabled\\\":true,\\\"managedRuleGroupIdentifier\\\":{\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\",\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupConfigs\\\":null}}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\":null,\\\"tokenDomains\\\":null,\\\"customResponse\\\":null,\\\"type\\\":\\\"WAFV2\\\",\\\"overrideCustomerWebACLAssociation\\\":false,\\\"sampledRequestsEnabledForDefaultActions\\\":true,\\\"optimizeUnassociatedWebACL\\\":true,\\\"webACLSource\\\":\\\"RETROFIT_EXISTING\\\"}\"

    To use a specific version of a WAF managed rule group in your Firewall Manager policy, you must set versionEnabled to true, and set version to the version you'd like to use. If you don't set versionEnabled to true, or if you omit versionEnabled, then Firewall Manager uses the default version of the WAF managed rule group.

  • Example: WAFV2 - Logging configurations

    \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null, \\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\": {\\\"versionEnabled\\\":null,\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\", \\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAdminProtectionRuleSet\\\"} ,\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[], \\\"sampledRequestsEnabled\\\":true}],\\\"postProcessRuleGroups\\\":[], \\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"customRequestHandling\\\" :null,\\\"customResponse\\\":null,\\\"overrideCustomerWebACLAssociation\\\" :false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\": [\\\"arn:aws:s3:::aws-waf-logs-example-bucket\\\"] ,\\\"redactedFields\\\":[],\\\"loggingFilterConfigs\\\":{\\\"defaultBehavior\\\":\\\"KEEP\\\", \\\"filters\\\":[{\\\"behavior\\\":\\\"KEEP\\\",\\\"requirement\\\":\\\"MEETS_ALL\\\", \\\"conditions\\\":[{\\\"actionCondition\\\":\\\"CAPTCHA\\\"},{\\\"actionCondition\\\": \\\"CHALLENGE\\\"}, {\\\"actionCondition\\\":\\\"EXCLUDED_AS_COUNT\\\"}]}]}},\\\"sampledRequestsEnabledForDefaultActions\\\":true}\"

    Firewall Manager supports Amazon Kinesis Data Firehose and Amazon S3 as the logDestinationConfigs in your loggingConfiguration. For information about WAF logging configurations, see LoggingConfiguration in the WAF API Reference

    In the loggingConfiguration, you can specify one logDestinationConfigs. Optionally provide as many as 20 redactedFields. The RedactedFieldType must be one of URI, QUERY_STRING, HEADER, or METHOD.

  • Example: WAF Classic

    \"{\\\"ruleGroups\\\":[{\\\"id\\\":\\\"78cb36c0-1b5e-4d7d-82b2-cf48d3ad9659\\\",\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"}}],\\\"overrideCustomerWebACLAssociation\\\":true,\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"type\\\":\\\"WAF\\\"}\"

" }, "PolicyOption":{ "shape":"PolicyOption", @@ -4618,7 +4630,8 @@ "RESOURCE_MISSING_DNS_FIREWALL", "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT", "FIREWALL_SUBNET_MISSING_VPCE_ENDPOINT", - "INVALID_NETWORK_ACL_ENTRY" + "INVALID_NETWORK_ACL_ENTRY", + "WEB_ACL_CONFIGURATION_OR_SCOPE_OF_USE" ] }, "ViolationTarget":{ @@ -4626,6 +4639,34 @@ "max":1024, "min":0, "pattern":".*" + }, + "WebACLHasIncompatibleConfigurationViolation":{ + "type":"structure", + "members":{ + "WebACLArn":{ + "shape":"ResourceArn", + "documentation":"

The Amazon Resource Name (ARN) of the web ACL.

" + }, + "Description":{ + "shape":"LengthBoundedString", + "documentation":"

Information about the problems that Firewall Manager encountered with the web ACL configuration.

" + } + }, + "documentation":"

The violation details for a web ACL whose configuration is incompatible with the Firewall Manager policy.

" + }, + "WebACLHasOutOfScopeResourcesViolation":{ + "type":"structure", + "members":{ + "WebACLArn":{ + "shape":"ResourceArn", + "documentation":"

The Amazon Resource Name (ARN) of the web ACL.

" + }, + "OutOfScopeResourceList":{ + "shape":"ResourceArnList", + "documentation":"

An array of Amazon Resource Name (ARN) for the resources that are out of scope of the policy and are associated with the web ACL.

" + } + }, + "documentation":"

The violation details for a web ACL that's associated with at least one resource that's out of scope of the Firewall Manager policy.

" } }, "documentation":"

This is the Firewall Manager API Reference. This guide is for developers who need detailed information about the Firewall Manager API actions, data types, and errors. For detailed information about Firewall Manager features, see the Firewall Manager Developer Guide.

Some API actions require explicit resource permissions. For information, see the developer guide topic Service roles for Firewall Manager.

" diff --git a/botocore/data/payment-cryptography-data/2022-02-03/service-2.json b/botocore/data/payment-cryptography-data/2022-02-03/service-2.json index 38b9b967e5..56a7bd5a0e 100644 --- a/botocore/data/payment-cryptography-data/2022-02-03/service-2.json +++ b/botocore/data/payment-cryptography-data/2022-02-03/service-2.json @@ -29,7 +29,7 @@ {"shape":"ThrottlingException"}, {"shape":"InternalServerException"} ], - "documentation":"

Decrypts ciphertext data to plaintext using a symmetric (TDES, AES), asymmetric (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, see Decrypt data in the Amazon Web Services Payment Cryptography User Guide.

You can use an encryption key generated within Amazon Web Services Payment Cryptography, or you can import your own encryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Decrypt. In asymmetric decryption, Amazon Web Services Payment Cryptography decrypts the ciphertext using the private component of the asymmetric encryption key pair. For data encryption outside of Amazon Web Services Payment Cryptography, you can export the public component of the asymmetric key pair by calling GetPublicCertificate.

For symmetric and DUKPT decryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For EMV decryption, Amazon Web Services Payment Cryptography supports TDES algorithms. For asymmetric decryption, Amazon Web Services Payment Cryptography supports RSA.

When you use TDES or TDES DUKPT, the ciphertext data length must be a multiple of 8 bytes. For AES or AES DUKPT, the ciphertext data length must be a multiple of 16 bytes. For RSA, it sould be equal to the key size unless padding is enabled.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

" + "documentation":"

Decrypts ciphertext data to plaintext using a symmetric (TDES, AES), asymmetric (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, see Decrypt data in the Amazon Web Services Payment Cryptography User Guide.

You can use an decryption key generated within Amazon Web Services Payment Cryptography, or you can import your own decryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Decrypt. In asymmetric decryption, Amazon Web Services Payment Cryptography decrypts the ciphertext using the private component of the asymmetric encryption key pair. For data encryption outside of Amazon Web Services Payment Cryptography, you can export the public component of the asymmetric key pair by calling GetPublicCertificate.

This operation also supports dynamic keys, allowing you to pass a dynamic decryption key as a TR-31 WrappedKeyBlock. This can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. To decrypt using dynamic keys, the keyARN is the Key Encryption Key (KEK) of the TR-31 wrapped decryption key material. The incoming wrapped key shall have a key purpose of D0 with a mode of use of B or D. For more information, see Using Dynamic Keys in the Amazon Web Services Payment Cryptography User Guide.

For symmetric and DUKPT decryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For EMV decryption, Amazon Web Services Payment Cryptography supports TDES algorithms. For asymmetric decryption, Amazon Web Services Payment Cryptography supports RSA.

When you use TDES or TDES DUKPT, the ciphertext data length must be a multiple of 8 bytes. For AES or AES DUKPT, the ciphertext data length must be a multiple of 16 bytes. For RSA, it sould be equal to the key size unless padding is enabled.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

" }, "EncryptData":{ "name":"EncryptData", @@ -47,7 +47,7 @@ {"shape":"ThrottlingException"}, {"shape":"InternalServerException"} ], - "documentation":"

Encrypts plaintext data to ciphertext using a symmetric (TDES, AES), asymmetric (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, see Encrypt data in the Amazon Web Services Payment Cryptography User Guide.

You can generate an encryption key within Amazon Web Services Payment Cryptography by calling CreateKey. You can import your own encryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Encrypt. In asymmetric encryption, plaintext is encrypted using public component. You can import the public component of an asymmetric key pair created outside Amazon Web Services Payment Cryptography by calling ImportKey.

For symmetric and DUKPT encryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For EMV encryption, Amazon Web Services Payment Cryptography supports TDES algorithms.For asymmetric encryption, Amazon Web Services Payment Cryptography supports RSA.

When you use TDES or TDES DUKPT, the plaintext data length must be a multiple of 8 bytes. For AES or AES DUKPT, the plaintext data length must be a multiple of 16 bytes. For RSA, it sould be equal to the key size unless padding is enabled.

To encrypt using DUKPT, you must already have a BDK (Base Derivation Key) key in your account with KeyModesOfUse set to DeriveKey, or you can generate a new DUKPT key by calling CreateKey. To encrypt using EMV, you must already have an IMK (Issuer Master Key) key in your account with KeyModesOfUse set to DeriveKey.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

" + "documentation":"

Encrypts plaintext data to ciphertext using a symmetric (TDES, AES), asymmetric (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, see Encrypt data in the Amazon Web Services Payment Cryptography User Guide.

You can generate an encryption key within Amazon Web Services Payment Cryptography by calling CreateKey. You can import your own encryption key by calling ImportKey.

For this operation, the key must have KeyModesOfUse set to Encrypt. In asymmetric encryption, plaintext is encrypted using public component. You can import the public component of an asymmetric key pair created outside Amazon Web Services Payment Cryptography by calling ImportKey.

This operation also supports dynamic keys, allowing you to pass a dynamic encryption key as a TR-31 WrappedKeyBlock. This can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. To encrypt using dynamic keys, the keyARN is the Key Encryption Key (KEK) of the TR-31 wrapped encryption key material. The incoming wrapped key shall have a key purpose of D0 with a mode of use of B or D. For more information, see Using Dynamic Keys in the Amazon Web Services Payment Cryptography User Guide.

For symmetric and DUKPT encryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For EMV encryption, Amazon Web Services Payment Cryptography supports TDES algorithms.For asymmetric encryption, Amazon Web Services Payment Cryptography supports RSA.

When you use TDES or TDES DUKPT, the plaintext data length must be a multiple of 8 bytes. For AES or AES DUKPT, the plaintext data length must be a multiple of 16 bytes. For RSA, it sould be equal to the key size unless padding is enabled.

To encrypt using DUKPT, you must already have a BDK (Base Derivation Key) key in your account with KeyModesOfUse set to DeriveKey, or you can generate a new DUKPT key by calling CreateKey. To encrypt using EMV, you must already have an IMK (Issuer Master Key) key in your account with KeyModesOfUse set to DeriveKey.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

" }, "GenerateCardValidationData":{ "name":"GenerateCardValidationData", @@ -85,6 +85,24 @@ ], "documentation":"

Generates a Message Authentication Code (MAC) cryptogram within Amazon Web Services Payment Cryptography.

You can use this operation to authenticate card-related data by using known data values to generate MAC for data validation between the sending and receiving parties. This operation uses message data, a secret encryption key and MAC algorithm to generate a unique MAC value for transmission. The receiving party of the MAC must use the same message data, secret encryption key and MAC algorithm to reproduce another MAC value for comparision.

You can use this operation to generate a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for KeyUsage such as TR31_M7_HMAC_KEY for HMAC generation, and they key must have KeyModesOfUse set to Generate and Verify.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

" }, + "GenerateMacEmvPinChange":{ + "name":"GenerateMacEmvPinChange", + "http":{ + "method":"POST", + "requestUri":"/macemvpinchange/generate", + "responseCode":200 + }, + "input":{"shape":"GenerateMacEmvPinChangeInput"}, + "output":{"shape":"GenerateMacEmvPinChangeOutput"}, + "errors":[ + {"shape":"ValidationException"}, + {"shape":"AccessDeniedException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ThrottlingException"}, + {"shape":"InternalServerException"} + ], + "documentation":"

Generates an issuer script mac for EMV payment cards that use offline PINs as the cardholder verification method (CVM).

This operation generates an authenticated issuer script response by appending the incoming message data (APDU command) with the target encrypted PIN block in ISO2 format. The command structure and method to send the issuer script update to the card is not defined by this operation and is typically determined by the applicable payment card scheme.

The primary inputs to this operation include the incoming new encrypted pinblock, PIN encryption key (PEK), issuer master key (IMK), primary account number (PAN), and the payment card derivation method.

The operation uses two issuer master keys - secure messaging for confidentiality (IMK-SMC) and secure messaging for integrity (IMK-SMI). The SMC key is used to internally derive a key to secure the pin, while SMI key is used to internally derive a key to authenticate the script reponse as per the EMV 4.4 - Book 2 - Security and Key Management specification.

This operation supports Amex, EMV2000, EMVCommon, Mastercard and Visa derivation methods, each requiring specific input parameters. Users must follow the specific derivation method and input parameters defined by the respective payment card scheme.

Use GenerateMac operation when sending a script update to an EMV card that does not involve PIN change. When assigning IAM permissions, it is important to understand that EncryptData using EMV keys and GenerateMac perform similar functions to this command.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

" + }, "GeneratePinData":{ "name":"GeneratePinData", "http":{ @@ -119,7 +137,7 @@ {"shape":"ThrottlingException"}, {"shape":"InternalServerException"} ], - "documentation":"

Re-encrypt ciphertext using DUKPT or Symmetric data encryption keys.

You can either generate an encryption key within Amazon Web Services Payment Cryptography by calling CreateKey or import your own encryption key by calling ImportKey. The KeyArn for use with this operation must be in a compatible key state with KeyModesOfUse set to Encrypt.

For symmetric and DUKPT encryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. To encrypt using DUKPT, a DUKPT key must already exist within your account with KeyModesOfUse set to DeriveKey or a new DUKPT can be generated by calling CreateKey.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

" + "documentation":"

Re-encrypt ciphertext using DUKPT or Symmetric data encryption keys.

You can either generate an encryption key within Amazon Web Services Payment Cryptography by calling CreateKey or import your own encryption key by calling ImportKey. The KeyArn for use with this operation must be in a compatible key state with KeyModesOfUse set to Encrypt.

This operation also supports dynamic keys, allowing you to pass a dynamic encryption key as a TR-31 WrappedKeyBlock. This can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. To re-encrypt using dynamic keys, the keyARN is the Key Encryption Key (KEK) of the TR-31 wrapped encryption key material. The incoming wrapped key shall have a key purpose of D0 with a mode of use of B or D. For more information, see Using Dynamic Keys in the Amazon Web Services Payment Cryptography User Guide.

For symmetric and DUKPT encryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. To encrypt using DUKPT, a DUKPT key must already exist within your account with KeyModesOfUse set to DeriveKey or a new DUKPT can be generated by calling CreateKey.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

" }, "TranslatePinData":{ "name":"TranslatePinData", @@ -137,7 +155,7 @@ {"shape":"ThrottlingException"}, {"shape":"InternalServerException"} ], - "documentation":"

Translates encrypted PIN block from and to ISO 9564 formats 0,1,3,4. For more information, see Translate PIN data in the Amazon Web Services Payment Cryptography User Guide.

PIN block translation involves changing the encrytion of PIN block from one encryption key to another encryption key and changing PIN block format from one to another without PIN block data leaving Amazon Web Services Payment Cryptography. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK. Amazon Web Services Payment Cryptography supports TDES and AES key derivation type for DUKPT translations.

The allowed combinations of PIN block format translations are guided by PCI. It is important to note that not all encrypted PIN block formats (example, format 1) require PAN (Primary Account Number) as input. And as such, PIN block format that requires PAN (example, formats 0,3,4) cannot be translated to a format (format 1) that does not require a PAN for generation.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Amazon Web Services Payment Cryptography currently supports ISO PIN block 4 translation for PIN block built using legacy PAN length. That is, PAN is the right most 12 digits excluding the check digits.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

" + "documentation":"

Translates encrypted PIN block from and to ISO 9564 formats 0,1,3,4. For more information, see Translate PIN data in the Amazon Web Services Payment Cryptography User Guide.

PIN block translation involves changing the encrytion of PIN block from one encryption key to another encryption key and changing PIN block format from one to another without PIN block data leaving Amazon Web Services Payment Cryptography. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK. Amazon Web Services Payment Cryptography supports TDES and AES key derivation type for DUKPT translations.

This operation also supports dynamic keys, allowing you to pass a dynamic PEK as a TR-31 WrappedKeyBlock. This can be used when key material is frequently rotated, such as during every card transaction, and there is need to avoid importing short-lived keys into Amazon Web Services Payment Cryptography. To translate PIN block using dynamic keys, the keyARN is the Key Encryption Key (KEK) of the TR-31 wrapped PEK. The incoming wrapped key shall have a key purpose of P0 with a mode of use of B or D. For more information, see Using Dynamic Keys in the Amazon Web Services Payment Cryptography User Guide.

The allowed combinations of PIN block format translations are guided by PCI. It is important to note that not all encrypted PIN block formats (example, format 1) require PAN (Primary Account Number) as input. And as such, PIN block format that requires PAN (example, formats 0,3,4) cannot be translated to a format (format 1) that does not require a PAN for generation.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Amazon Web Services Payment Cryptography currently supports ISO PIN block 4 translation for PIN block built using legacy PAN length. That is, PAN is the right most 12 digits excluding the check digits.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

" }, "VerifyAuthRequestCryptogram":{ "name":"VerifyAuthRequestCryptogram", @@ -229,6 +247,43 @@ }, "exception":true }, + "AmexAttributes":{ + "type":"structure", + "required":[ + "MajorKeyDerivationMode", + "PrimaryAccountNumber", + "PanSequenceNumber", + "ApplicationTransactionCounter", + "AuthorizationRequestKeyIdentifier" + ], + "members":{ + "MajorKeyDerivationMode":{ + "shape":"MajorKeyDerivationMode", + "documentation":"

The method to use when deriving the master key for a payment card using Amex derivation.

" + }, + "PrimaryAccountNumber":{ + "shape":"PrimaryAccountNumberType", + "documentation":"

The Primary Account Number (PAN) of the cardholder.

" + }, + "PanSequenceNumber":{ + "shape":"NumberLengthEquals2", + "documentation":"

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN). Typically 00 is used, if no value is provided by the terminal.

" + }, + "ApplicationTransactionCounter":{ + "shape":"HexLengthEquals4", + "documentation":"

The transaction counter of the current transaction that is provided by the terminal during transaction processing.

" + }, + "AuthorizationRequestKeyIdentifier":{ + "shape":"KeyArnOrKeyAliasType", + "documentation":"

The keyArn of the issuer master key for cryptogram (IMK-AC) for the payment card.

" + }, + "CurrentPinAttributes":{ + "shape":"CurrentPinAttributes", + "documentation":"

The encrypted pinblock of the old pin stored on the chip card.

" + } + }, + "documentation":"

Parameters to derive the confidentiality and integrity keys for a payment card using Amex derivation method.

" + }, "AmexCardSecurityCodeVersion1":{ "type":"structure", "required":["CardExpiryDate"], @@ -419,6 +474,13 @@ "CipherTextType":{ "type":"string", "max":4096, + "min":2, + "pattern":"(?:[0-9a-fA-F][0-9a-fA-F])+", + "sensitive":true + }, + "CommandMessageDataType":{ + "type":"string", + "max":1024, "min":16, "pattern":"(?:[0-9a-fA-F][0-9a-fA-F])+", "sensitive":true @@ -464,6 +526,24 @@ }, "documentation":"

Parameters that are required for ARPC response generation using method2 after ARQC verification is successful.

" }, + "CurrentPinAttributes":{ + "type":"structure", + "required":[ + "CurrentPinPekIdentifier", + "CurrentEncryptedPinBlock" + ], + "members":{ + "CurrentPinPekIdentifier":{ + "shape":"KeyArnOrKeyAliasType", + "documentation":"

The keyArn of the current PIN PEK.

" + }, + "CurrentEncryptedPinBlock":{ + "shape":"PinBlockLengthEquals16", + "documentation":"

The encrypted pinblock of the current pin stored on the chip card.

" + } + }, + "documentation":"

The parameter values of the current PIN to be changed on the EMV chip card.

" + }, "DecimalizationTableType":{ "type":"string", "max":16, @@ -521,6 +601,33 @@ } } }, + "DerivationMethodAttributes":{ + "type":"structure", + "members":{ + "EmvCommon":{ + "shape":"EmvCommonAttributes", + "documentation":"

Parameters to derive the confidentiality and integrity keys for a payment card using Emv common derivation method.

" + }, + "Amex":{ + "shape":"AmexAttributes", + "documentation":"

Parameters to derive the confidentiality and integrity keys for a payment card using Amex derivation method.

" + }, + "Visa":{ + "shape":"VisaAttributes", + "documentation":"

Parameters to derive the confidentiality and integrity keys for a a payment card using Visa derivation method.

" + }, + "Emv2000":{ + "shape":"Emv2000Attributes", + "documentation":"

Parameters to derive the confidentiality and integrity keys for a payment card using Emv2000 derivation method.

" + }, + "Mastercard":{ + "shape":"MasterCardAttributes", + "documentation":"

Parameters to derive the confidentiality and integrity keys for a payment card using Mastercard derivation method.

" + } + }, + "documentation":"

Parameters to derive the payment card specific confidentiality and integrity keys.

", + "union":true + }, "DiscoverDynamicCardVerificationCode":{ "type":"structure", "required":[ @@ -689,6 +796,77 @@ }, "documentation":"

Parameters that are required to generate or verify Dynamic Card Verification Value (dCVV).

" }, + "Emv2000Attributes":{ + "type":"structure", + "required":[ + "MajorKeyDerivationMode", + "PrimaryAccountNumber", + "PanSequenceNumber", + "ApplicationTransactionCounter" + ], + "members":{ + "MajorKeyDerivationMode":{ + "shape":"MajorKeyDerivationMode", + "documentation":"

The method to use when deriving the master key for the payment card.

" + }, + "PrimaryAccountNumber":{ + "shape":"PrimaryAccountNumberType", + "documentation":"

The Primary Account Number (PAN) of the cardholder.

" + }, + "PanSequenceNumber":{ + "shape":"NumberLengthEquals2", + "documentation":"

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN). Typically 00 is used, if no value is provided by the terminal.

" + }, + "ApplicationTransactionCounter":{ + "shape":"HexLengthEquals4", + "documentation":"

The transaction counter of the current transaction that is provided by the terminal during transaction processing.

" + } + }, + "documentation":"

Parameters to derive the confidentiality and integrity keys for a payment card using EMV2000 deruv.

" + }, + "EmvCommonAttributes":{ + "type":"structure", + "required":[ + "MajorKeyDerivationMode", + "PrimaryAccountNumber", + "PanSequenceNumber", + "ApplicationCryptogram", + "Mode", + "PinBlockPaddingType", + "PinBlockLengthPosition" + ], + "members":{ + "MajorKeyDerivationMode":{ + "shape":"MajorKeyDerivationMode", + "documentation":"

The method to use when deriving the master key for the payment card.

" + }, + "PrimaryAccountNumber":{ + "shape":"PrimaryAccountNumberType", + "documentation":"

The Primary Account Number (PAN) of the cardholder.

" + }, + "PanSequenceNumber":{ + "shape":"NumberLengthEquals2", + "documentation":"

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN). Typically 00 is used, if no value is provided by the terminal.

" + }, + "ApplicationCryptogram":{ + "shape":"ApplicationCryptogramType", + "documentation":"

The application cryptogram for the current transaction that is provided by the terminal during transaction processing.

" + }, + "Mode":{ + "shape":"EmvEncryptionMode", + "documentation":"

The block cipher method to use for encryption.

" + }, + "PinBlockPaddingType":{ + "shape":"PinBlockPaddingType", + "documentation":"

The padding to be added to the PIN block prior to encryption.

Padding type should be ISO_IEC_7816_4, if PinBlockLengthPosition is set to FRONT_OF_PIN_BLOCK. No padding is required, if PinBlockLengthPosition is set to NONE.

" + }, + "PinBlockLengthPosition":{ + "shape":"PinBlockLengthPosition", + "documentation":"

Specifies if PIN block length should be added to front of the pin block.

If value is set to FRONT_OF_PIN_BLOCK, then PIN block padding type should be ISO_IEC_7816_4.

" + } + }, + "documentation":"

Parameters to derive the confidentiality and integrity keys for an Emv common payment card.

" + }, "EmvEncryptionAttributes":{ "type":"structure", "required":[ @@ -708,7 +886,7 @@ }, "PanSequenceNumber":{ "shape":"NumberLengthEquals2", - "documentation":"

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).

" + "documentation":"

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN). Typically 00 is used, if no value is provided by the terminal.

" }, "SessionDerivationData":{ "shape":"SessionDerivationDataType", @@ -873,6 +1051,99 @@ } } }, + "GenerateMacEmvPinChangeInput":{ + "type":"structure", + "required":[ + "NewPinPekIdentifier", + "NewEncryptedPinBlock", + "PinBlockFormat", + "SecureMessagingIntegrityKeyIdentifier", + "SecureMessagingConfidentialityKeyIdentifier", + "MessageData", + "DerivationMethodAttributes" + ], + "members":{ + "NewPinPekIdentifier":{ + "shape":"KeyArnOrKeyAliasType", + "documentation":"

The keyARN of the PEK protecting the incoming new encrypted PIN block.

" + }, + "NewEncryptedPinBlock":{ + "shape":"PinBlockLengthEquals16", + "documentation":"

The incoming new encrypted PIN block data for offline pin change on an EMV card.

" + }, + "PinBlockFormat":{ + "shape":"PinBlockFormatForEmvPinChange", + "documentation":"

The PIN encoding format of the incoming new encrypted PIN block as specified in ISO 9564.

" + }, + "SecureMessagingIntegrityKeyIdentifier":{ + "shape":"KeyArnOrKeyAliasType", + "documentation":"

The keyARN of the issuer master key (IMK-SMI) used to authenticate the issuer script response.

" + }, + "SecureMessagingConfidentialityKeyIdentifier":{ + "shape":"KeyArnOrKeyAliasType", + "documentation":"

The keyARN of the issuer master key (IMK-SMC) used to protect the PIN block data in the issuer script response.

" + }, + "MessageData":{ + "shape":"CommandMessageDataType", + "documentation":"

The message data is the APDU command from the card reader or terminal. The target encrypted PIN block, after translation to ISO2 format, is appended to this message data to generate an issuer script response.

" + }, + "DerivationMethodAttributes":{ + "shape":"DerivationMethodAttributes", + "documentation":"

The attributes and data values to derive payment card specific confidentiality and integrity keys.

" + } + } + }, + "GenerateMacEmvPinChangeOutput":{ + "type":"structure", + "required":[ + "NewPinPekArn", + "SecureMessagingIntegrityKeyArn", + "SecureMessagingConfidentialityKeyArn", + "Mac", + "EncryptedPinBlock", + "NewPinPekKeyCheckValue", + "SecureMessagingIntegrityKeyCheckValue", + "SecureMessagingConfidentialityKeyCheckValue" + ], + "members":{ + "NewPinPekArn":{ + "shape":"KeyArn", + "documentation":"

Returns the keyArn of the PEK protecting the incoming new encrypted PIN block.

" + }, + "SecureMessagingIntegrityKeyArn":{ + "shape":"KeyArn", + "documentation":"

Returns the keyArn of the IMK-SMI used by the operation.

" + }, + "SecureMessagingConfidentialityKeyArn":{ + "shape":"KeyArn", + "documentation":"

Returns the keyArn of the IMK-SMC used by the operation.

" + }, + "Mac":{ + "shape":"PinChangeMacOutputType", + "documentation":"

Returns the mac of the issuer script containing message data and appended target encrypted pin block in ISO2 format.

" + }, + "EncryptedPinBlock":{ + "shape":"EncryptedPinBlockType", + "documentation":"

Returns the incoming new encrpted PIN block.

" + }, + "NewPinPekKeyCheckValue":{ + "shape":"KeyCheckValue", + "documentation":"

The key check value (KCV) of the PEK uprotecting the incoming new encrypted PIN block.

" + }, + "SecureMessagingIntegrityKeyCheckValue":{ + "shape":"KeyCheckValue", + "documentation":"

The key check value (KCV) of the SMI issuer master key used by the operation.

" + }, + "SecureMessagingConfidentialityKeyCheckValue":{ + "shape":"KeyCheckValue", + "documentation":"

The key check value (KCV) of the SMC issuer master key used by the operation.

" + }, + "VisaAmexDerivationOutputs":{ + "shape":"VisaAmexDerivationOutputs", + "documentation":"

The attribute values used for Amex and Visa derivation methods.

" + } + } + }, "GenerateMacInput":{ "type":"structure", "required":[ @@ -1348,6 +1619,34 @@ "EMV_OPTION_B" ] }, + "MasterCardAttributes":{ + "type":"structure", + "required":[ + "MajorKeyDerivationMode", + "PrimaryAccountNumber", + "PanSequenceNumber", + "ApplicationCryptogram" + ], + "members":{ + "MajorKeyDerivationMode":{ + "shape":"MajorKeyDerivationMode", + "documentation":"

The method to use when deriving the master key for the payment card.

" + }, + "PrimaryAccountNumber":{ + "shape":"PrimaryAccountNumberType", + "documentation":"

The Primary Account Number (PAN) of the cardholder.

" + }, + "PanSequenceNumber":{ + "shape":"NumberLengthEquals2", + "documentation":"

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN). Typically 00 is used, if no value is provided by the terminal.

" + }, + "ApplicationCryptogram":{ + "shape":"ApplicationCryptogramType", + "documentation":"

The application cryptogram for the current transaction that is provided by the terminal during transaction processing.

" + } + }, + "documentation":"

Parameters to derive the confidentiality and integrity keys for a Mastercard payment card.

" + }, "MessageDataType":{ "type":"string", "max":4096, @@ -1370,6 +1669,14 @@ "OAEP_SHA512" ] }, + "PinBlockFormatForEmvPinChange":{ + "type":"string", + "enum":[ + "ISO_FORMAT_0", + "ISO_FORMAT_1", + "ISO_FORMAT_3" + ] + }, "PinBlockFormatForPinData":{ "type":"string", "enum":[ @@ -1377,6 +1684,34 @@ "ISO_FORMAT_3" ] }, + "PinBlockLengthEquals16":{ + "type":"string", + "max":16, + "min":16, + "pattern":"[0-9a-fA-F]+", + "sensitive":true + }, + "PinBlockLengthPosition":{ + "type":"string", + "enum":[ + "NONE", + "FRONT_OF_PIN_BLOCK" + ] + }, + "PinBlockPaddingType":{ + "type":"string", + "enum":[ + "NO_PADDING", + "ISO_IEC_7816_4" + ] + }, + "PinChangeMacOutputType":{ + "type":"string", + "max":16, + "min":8, + "pattern":"[0-9a-fA-F]+", + "sensitive":true + }, "PinData":{ "type":"structure", "members":{ @@ -1455,14 +1790,14 @@ "PlainTextOutputType":{ "type":"string", "max":4096, - "min":16, + "min":2, "pattern":"(?:[0-9a-fA-F][0-9a-fA-F])+", "sensitive":true }, "PlainTextType":{ "type":"string", "max":4064, - "min":16, + "min":2, "pattern":"(?:[0-9a-fA-F][0-9a-fA-F])+", "sensitive":true }, @@ -1648,7 +1983,7 @@ "documentation":"

The cryptogram provided by the terminal during transaction processing.

" }, "ApplicationTransactionCounter":{ - "shape":"HexLengthBetween2And4", + "shape":"HexLengthEquals4", "documentation":"

The transaction counter that is provided by the terminal during transaction processing.

" } }, @@ -1672,7 +2007,7 @@ "documentation":"

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).

" }, "ApplicationTransactionCounter":{ - "shape":"HexLengthBetween2And4", + "shape":"HexLengthEquals4", "documentation":"

The transaction counter that is provided by the terminal during transaction processing.

" } }, @@ -1695,7 +2030,7 @@ "documentation":"

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).

" }, "ApplicationTransactionCounter":{ - "shape":"HexLengthBetween2And4", + "shape":"HexLengthEquals4", "documentation":"

The transaction counter that is provided by the terminal during transaction processing.

" } }, @@ -1719,7 +2054,7 @@ "documentation":"

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).

" }, "ApplicationTransactionCounter":{ - "shape":"HexLengthBetween2And4", + "shape":"HexLengthEquals4", "documentation":"

The transaction counter that is provided by the terminal during transaction processing.

" }, "UnpredictableNumber":{ @@ -2209,6 +2544,69 @@ } } }, + "VisaAmexDerivationOutputs":{ + "type":"structure", + "required":[ + "AuthorizationRequestKeyArn", + "AuthorizationRequestKeyCheckValue" + ], + "members":{ + "AuthorizationRequestKeyArn":{ + "shape":"KeyArn", + "documentation":"

The keyArn of the issuer master key for cryptogram (IMK-AC) used by the operation.

" + }, + "AuthorizationRequestKeyCheckValue":{ + "shape":"KeyCheckValue", + "documentation":"

The key check value (KCV) of the issuer master key for cryptogram (IMK-AC) used by the operation.

" + }, + "CurrentPinPekArn":{ + "shape":"KeyArn", + "documentation":"

The keyArn of the current PIN PEK.

" + }, + "CurrentPinPekKeyCheckValue":{ + "shape":"KeyCheckValue", + "documentation":"

The key check value (KCV) of the current PIN PEK.

" + } + }, + "documentation":"

The attributes values used for Amex and Visa derivation methods.

" + }, + "VisaAttributes":{ + "type":"structure", + "required":[ + "MajorKeyDerivationMode", + "PrimaryAccountNumber", + "PanSequenceNumber", + "ApplicationTransactionCounter", + "AuthorizationRequestKeyIdentifier" + ], + "members":{ + "MajorKeyDerivationMode":{ + "shape":"MajorKeyDerivationMode", + "documentation":"

The method to use when deriving the master key for the payment card.

" + }, + "PrimaryAccountNumber":{ + "shape":"PrimaryAccountNumberType", + "documentation":"

The Primary Account Number (PAN) of the cardholder.

" + }, + "PanSequenceNumber":{ + "shape":"NumberLengthEquals2", + "documentation":"

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN). Typically 00 is used, if no value is provided by the terminal.

" + }, + "ApplicationTransactionCounter":{ + "shape":"HexLengthEquals4", + "documentation":"

The transaction counter of the current transaction that is provided by the terminal during transaction processing.

" + }, + "AuthorizationRequestKeyIdentifier":{ + "shape":"KeyArnOrKeyAliasType", + "documentation":"

The keyArn of the issuer master key for cryptogram (IMK-AC) for the payment card.

" + }, + "CurrentPinAttributes":{ + "shape":"CurrentPinAttributes", + "documentation":"

The encrypted pinblock of the old pin stored on the chip card.

" + } + }, + "documentation":"

Parameters to derive the confidentiality and integrity keys for a Visa payment card.

" + }, "VisaPin":{ "type":"structure", "required":["PinVerificationKeyIndex"], diff --git a/botocore/data/wafv2/2019-07-29/service-2.json b/botocore/data/wafv2/2019-07-29/service-2.json index 3d705697c1..a46861c83e 100644 --- a/botocore/data/wafv2/2019-07-29/service-2.json +++ b/botocore/data/wafv2/2019-07-29/service-2.json @@ -190,7 +190,7 @@ {"shape":"WAFOptimisticLockException"}, {"shape":"WAFInvalidOperationException"} ], - "documentation":"

Deletes all rule groups that are managed by Firewall Manager for the specified web ACL.

You can only use this if ManagedByFirewallManager is false in the specified WebACL.

" + "documentation":"

Deletes all rule groups that are managed by Firewall Manager from the specified WebACL.

You can only use this if ManagedByFirewallManager and RetrofittedByFirewallManager are both false in the web ACL.

" }, "DeleteIPSet":{ "name":"DeleteIPSet", @@ -302,7 +302,7 @@ {"shape":"WAFTagOperationInternalErrorException"}, {"shape":"WAFInvalidOperationException"} ], - "documentation":"

Deletes the specified WebACL.

You can only use this if ManagedByFirewallManager is false in the specified WebACL.

Before deleting any web ACL, first disassociate it from all resources.

  • To retrieve a list of the resources that are associated with a web ACL, use the following calls:

  • To disassociate a resource from a web ACL, use the following calls:

    • For regional resources, call DisassociateWebACL.

    • For Amazon CloudFront distributions, provide an empty web ACL ID in the CloudFront call UpdateDistribution. For information, see UpdateDistribution in the Amazon CloudFront API Reference.

" + "documentation":"

Deletes the specified WebACL.

You can only use this if ManagedByFirewallManager is false in the web ACL.

Before deleting any web ACL, first disassociate it from all resources.

  • To retrieve a list of the resources that are associated with a web ACL, use the following calls:

  • To disassociate a resource from a web ACL, use the following calls:

    • For regional resources, call DisassociateWebACL.

    • For Amazon CloudFront distributions, provide an empty web ACL ID in the CloudFront call UpdateDistribution. For information, see UpdateDistribution in the Amazon CloudFront API Reference.

" }, "DescribeAllManagedProducts":{ "name":"DescribeAllManagedProducts", @@ -3906,7 +3906,7 @@ }, "ManagedByFirewallManager":{ "shape":"Boolean", - "documentation":"

Indicates whether the logging configuration was created by Firewall Manager, as part of an WAF policy configuration. If true, only Firewall Manager can modify or delete the configuration.

" + "documentation":"

Indicates whether the logging configuration was created by Firewall Manager, as part of an WAF policy configuration. If true, only Firewall Manager can modify or delete the configuration.

The logging configuration can be created by Firewall Manager for use with any web ACL that Firewall Manager is using for an WAF policy. Web ACLs that Firewall Manager creates and uses have their ManagedByFirewallManager property set to true. Web ACLs that were created by a customer account and then retrofitted by Firewall Manager for use by a policy have their RetrofittedByFirewallManager property set to true. For either case, any corresponding logging configuration will indicate ManagedByFirewallManager.

" }, "LoggingFilter":{ "shape":"LoggingFilter", @@ -6457,7 +6457,7 @@ }, "ManagedByFirewallManager":{ "shape":"Boolean", - "documentation":"

Indicates whether this web ACL is managed by Firewall Manager. If true, then only Firewall Manager can delete the web ACL or any Firewall Manager rule groups in the web ACL.

" + "documentation":"

Indicates whether this web ACL was created by Firewall Manager and is being managed by Firewall Manager. If true, then only Firewall Manager can delete the web ACL or any Firewall Manager rule groups in the web ACL. See also the properties RetrofittedByFirewallManager, PreProcessFirewallManagerRuleGroups, and PostProcessFirewallManagerRuleGroups.

" }, "LabelNamespace":{ "shape":"LabelName", @@ -6482,6 +6482,10 @@ "AssociationConfig":{ "shape":"AssociationConfig", "documentation":"

Specifies custom configurations for the associations between the web ACL and protected resources.

Use this to customize the maximum size of the request body that your protected resources forward to WAF for inspection. You can customize this setting for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. The default setting is 16 KB (16,384 bytes).

You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 bytes).

" + }, + "RetrofittedByFirewallManager":{ + "shape":"Boolean", + "documentation":"

Indicates whether this web ACL was created by a customer account and then retrofitted by Firewall Manager. If true, then the web ACL is currently being managed by a Firewall Manager WAF policy, and only Firewall Manager can manage any Firewall Manager rule groups in the web ACL. See also the properties ManagedByFirewallManager, PreProcessFirewallManagerRuleGroups, and PostProcessFirewallManagerRuleGroups.

" } }, "documentation":"

A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has a statement that defines what to look for in web requests and an action that WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

" @@ -6535,5 +6539,5 @@ "documentation":"

A rule statement that inspects for cross-site scripting (XSS) attacks. In XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers.

" } }, - "documentation":"WAF

This is the latest version of the WAF API, released in November, 2019. The names of the entities that you use to access this API, like endpoints and namespaces, all have the versioning information added, like \"V2\" or \"v2\", to distinguish from the prior version. We recommend migrating your resources to this version, because it has a number of significant improvements.

If you used WAF prior to this release, you can't use this WAFV2 API to access any WAF resources that you created before. You can access your old rules, web ACLs, and other WAF resources only through the WAF Classic APIs. The WAF Classic APIs have retained the prior names, endpoints, and namespaces.

For information, including how to migrate your WAF resources to this version, see the WAF Developer Guide.

WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to an Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, AppSync GraphQL API, Amazon Cognito user pool, App Runner service, or Amazon Web Services Verified Access instance. WAF also lets you control access to your content, to protect the Amazon Web Services resource that WAF is monitoring. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, the protected resource responds to requests with either the requested content, an HTTP 403 status code (Forbidden), or with a custom response.

This API guide is for developers who need detailed information about WAF API actions, data types, and errors. For detailed information about WAF features and guidance for configuring and using WAF, see the WAF Developer Guide.

You can make calls using the endpoints listed in WAF endpoints and quotas.

  • For regional applications, you can use any of the endpoints in the list. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

  • For Amazon CloudFront applications, you must use the API endpoint listed for US East (N. Virginia): us-east-1.

Alternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the programming language or platform that you're using. For more information, see Amazon Web Services SDKs.

We currently provide two versions of the WAF API: this API and the prior versions, the classic WAF APIs. This new API provides the same functionality as the older versions, with the following major improvements:

  • You use one API for both global and regional applications. Where you need to distinguish the scope, you specify a Scope parameter and set it to CLOUDFRONT or REGIONAL.

  • You can define a web ACL or rule group with a single call, and update it with a single call. You define all rule specifications in JSON format, and pass them to your rule group or web ACL calls.

  • The limits WAF places on the use of rules more closely reflects the cost of running each type of rule. Rule groups include capacity settings, so you know the maximum cost of a rule group when you use it.

" + "documentation":"WAF

This is the latest version of the WAF API, released in November, 2019. The names of the entities that you use to access this API, like endpoints and namespaces, all have the versioning information added, like \"V2\" or \"v2\", to distinguish from the prior version. We recommend migrating your resources to this version, because it has a number of significant improvements.

If you used WAF prior to this release, you can't use this WAFV2 API to access any WAF resources that you created before. WAF Classic support will end on September 30, 2025.

For information about WAF, including how to migrate your WAF Classic resources to this version, see the WAF Developer Guide.

WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to an Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, AppSync GraphQL API, Amazon Cognito user pool, App Runner service, or Amazon Web Services Verified Access instance. WAF also lets you control access to your content, to protect the Amazon Web Services resource that WAF is monitoring. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, the protected resource responds to requests with either the requested content, an HTTP 403 status code (Forbidden), or with a custom response.

This API guide is for developers who need detailed information about WAF API actions, data types, and errors. For detailed information about WAF features and guidance for configuring and using WAF, see the WAF Developer Guide.

You can make calls using the endpoints listed in WAF endpoints and quotas.

  • For regional applications, you can use any of the endpoints in the list. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

  • For Amazon CloudFront applications, you must use the API endpoint listed for US East (N. Virginia): us-east-1.

Alternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the programming language or platform that you're using. For more information, see Amazon Web Services SDKs.

" } From 38b3e6dd2bbd391e178b2636db350c2af6bf3b77 Mon Sep 17 00:00:00 2001 From: aws-sdk-python-automation Date: Mon, 21 Oct 2024 18:08:05 +0000 Subject: [PATCH 4/4] Bumping version to 1.35.45 --- .changes/1.35.45.json | 52 +++++++++++++++++++ .../api-change-applicationinsights-14705.json | 5 -- .../api-change-autoscaling-58901.json | 5 -- .../api-change-bedrockagentruntime-34706.json | 5 -- .../next-release/api-change-dms-84953.json | 5 -- .../next-release/api-change-ec2-49098.json | 5 -- .../next-release/api-change-eks-35676.json | 5 -- .../next-release/api-change-fms-39411.json | 5 -- ...-change-paymentcryptographydata-25649.json | 5 -- .../next-release/api-change-wafv2-18392.json | 5 -- .../next-release/enhancement-s3-47846.json | 5 -- CHANGELOG.rst | 15 ++++++ botocore/__init__.py | 2 +- docs/source/conf.py | 2 +- 14 files changed, 69 insertions(+), 52 deletions(-) create mode 100644 .changes/1.35.45.json delete mode 100644 .changes/next-release/api-change-applicationinsights-14705.json delete mode 100644 .changes/next-release/api-change-autoscaling-58901.json delete mode 100644 .changes/next-release/api-change-bedrockagentruntime-34706.json delete mode 100644 .changes/next-release/api-change-dms-84953.json delete mode 100644 .changes/next-release/api-change-ec2-49098.json delete mode 100644 .changes/next-release/api-change-eks-35676.json delete mode 100644 .changes/next-release/api-change-fms-39411.json delete mode 100644 .changes/next-release/api-change-paymentcryptographydata-25649.json delete mode 100644 .changes/next-release/api-change-wafv2-18392.json delete mode 100644 .changes/next-release/enhancement-s3-47846.json diff --git a/.changes/1.35.45.json b/.changes/1.35.45.json new file mode 100644 index 0000000000..00e031de32 --- /dev/null +++ b/.changes/1.35.45.json 
@@ -0,0 +1,52 @@ +[ + { + "category": "``application-insights``", + "description": "This feature enables customers to specify SNS Topic ARN. CloudWatch Application Insights (CWAI) will utilize this ARN to send problem notifications.", + "type": "api-change" + }, + { + "category": "``autoscaling``", + "description": "Adds support for removing the PlacementGroup setting on an Auto Scaling Group through the UpdateAutoScalingGroup API.", + "type": "api-change" + }, + { + "category": "``bedrock-agent-runtime``", + "description": "Knowledge Bases for Amazon Bedrock now supports custom prompts and model parameters in the orchestrationConfiguration of the RetrieveAndGenerate API. The modelArn field accepts Custom Models and Imported Models ARNs.", + "type": "api-change" + }, + { + "category": "``dms``", + "description": "Added support for tagging in StartReplicationTaskAssessmentRun API and introduced IsLatestTaskAssessmentRun and ResultStatistic fields for enhanced tracking and assessment result statistics.", + "type": "api-change" + }, + { + "category": "``ec2``", + "description": "Amazon EC2 now allows you to create network interfaces with just the EFA driver and no ENA driver by specifying the network interface type as efa-only.", + "type": "api-change" + }, + { + "category": "``eks``", + "description": "This release adds support for Amazon Application Recovery Controller (ARC) zonal shift and zonal autoshift with EKS that enhances the resiliency of multi-AZ cluster environments", + "type": "api-change" + }, + { + "category": "``fms``", + "description": "Update AWS WAF policy - add the option to retrofit existing web ACLs instead of creating all new web ACLs.", + "type": "api-change" + }, + { + "category": "``payment-cryptography-data``", + "description": "Adding new API to generate authenticated scripts for EMV pin change use cases.", + "type": "api-change" + }, + { + "category": "``wafv2``", + "description": "Add a property to WebACL to indicate whether it's been 
retrofitted by Firewall Manager.", + "type": "api-change" + }, + { + "category": "``s3``", + "description": "Handle HTTP 200 responses with error information for all supported s3 operations.", + "type": "enhancement" + } +] \ No newline at end of file diff --git a/.changes/next-release/api-change-applicationinsights-14705.json b/.changes/next-release/api-change-applicationinsights-14705.json deleted file mode 100644 index d85788ab3a..0000000000 --- a/.changes/next-release/api-change-applicationinsights-14705.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``application-insights``", - "description": "This feature enables customers to specify SNS Topic ARN. CloudWatch Application Insights (CWAI) will utilize this ARN to send problem notifications." -} diff --git a/.changes/next-release/api-change-autoscaling-58901.json b/.changes/next-release/api-change-autoscaling-58901.json deleted file mode 100644 index 3a28a010f7..0000000000 --- a/.changes/next-release/api-change-autoscaling-58901.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``autoscaling``", - "description": "Adds support for removing the PlacementGroup setting on an Auto Scaling Group through the UpdateAutoScalingGroup API." -} diff --git a/.changes/next-release/api-change-bedrockagentruntime-34706.json b/.changes/next-release/api-change-bedrockagentruntime-34706.json deleted file mode 100644 index 1dbbaac176..0000000000 --- a/.changes/next-release/api-change-bedrockagentruntime-34706.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``bedrock-agent-runtime``", - "description": "Knowledge Bases for Amazon Bedrock now supports custom prompts and model parameters in the orchestrationConfiguration of the RetrieveAndGenerate API. The modelArn field accepts Custom Models and Imported Models ARNs." -} 
diff --git a/.changes/next-release/api-change-dms-84953.json b/.changes/next-release/api-change-dms-84953.json deleted file mode 100644 index 7baf144146..0000000000 --- a/.changes/next-release/api-change-dms-84953.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``dms``", - "description": "Added support for tagging in StartReplicationTaskAssessmentRun API and introduced IsLatestTaskAssessmentRun and ResultStatistic fields for enhanced tracking and assessment result statistics." -} diff --git a/.changes/next-release/api-change-ec2-49098.json b/.changes/next-release/api-change-ec2-49098.json deleted file mode 100644 index e49449beec..0000000000 --- a/.changes/next-release/api-change-ec2-49098.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``ec2``", - "description": "Amazon EC2 now allows you to create network interfaces with just the EFA driver and no ENA driver by specifying the network interface type as efa-only." -} diff --git a/.changes/next-release/api-change-eks-35676.json b/.changes/next-release/api-change-eks-35676.json deleted file mode 100644 index 2020590e5a..0000000000 --- a/.changes/next-release/api-change-eks-35676.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``eks``", - "description": "This release adds support for Amazon Application Recovery Controller (ARC) zonal shift and zonal autoshift with EKS that enhances the resiliency of multi-AZ cluster environments" -} diff --git a/.changes/next-release/api-change-fms-39411.json b/.changes/next-release/api-change-fms-39411.json deleted file mode 100644 index e214a4bf1e..0000000000 --- a/.changes/next-release/api-change-fms-39411.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``fms``", - "description": "Update AWS WAF policy - add the option to retrofit existing web ACLs instead of creating all new web ACLs." -} 
diff --git a/.changes/next-release/api-change-paymentcryptographydata-25649.json b/.changes/next-release/api-change-paymentcryptographydata-25649.json deleted file mode 100644 index fe4a886820..0000000000 --- a/.changes/next-release/api-change-paymentcryptographydata-25649.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``payment-cryptography-data``", - "description": "Adding new API to generate authenticated scripts for EMV pin change use cases." -} diff --git a/.changes/next-release/api-change-wafv2-18392.json b/.changes/next-release/api-change-wafv2-18392.json deleted file mode 100644 index 268fe1e900..0000000000 --- a/.changes/next-release/api-change-wafv2-18392.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "api-change", - "category": "``wafv2``", - "description": "Add a property to WebACL to indicate whether it's been retrofitted by Firewall Manager." -} diff --git a/.changes/next-release/enhancement-s3-47846.json b/.changes/next-release/enhancement-s3-47846.json deleted file mode 100644 index a549b5e190..0000000000 --- a/.changes/next-release/enhancement-s3-47846.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "type": "enhancement", - "category": "``s3``", - "description": "Handle HTTP 200 responses with error information for all supported s3 operations." -} diff --git a/CHANGELOG.rst b/CHANGELOG.rst index a755447f33..93589871c2 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -2,6 +2,21 @@
 CHANGELOG
 =========
 
+1.35.45
+=======
+
+* api-change:``application-insights``: This feature enables customers to specify SNS Topic ARN. CloudWatch Application Insights (CWAI) will utilize this ARN to send problem notifications.
+* api-change:``autoscaling``: Adds support for removing the PlacementGroup setting on an Auto Scaling Group through the UpdateAutoScalingGroup API.
+* api-change:``bedrock-agent-runtime``: Knowledge Bases for Amazon Bedrock now supports custom prompts and model parameters in the orchestrationConfiguration of the RetrieveAndGenerate API. The modelArn field accepts Custom Models and Imported Models ARNs.
+* api-change:``dms``: Added support for tagging in StartReplicationTaskAssessmentRun API and introduced IsLatestTaskAssessmentRun and ResultStatistic fields for enhanced tracking and assessment result statistics.
+* api-change:``ec2``: Amazon EC2 now allows you to create network interfaces with just the EFA driver and no ENA driver by specifying the network interface type as efa-only.
+* api-change:``eks``: This release adds support for Amazon Application Recovery Controller (ARC) zonal shift and zonal autoshift with EKS that enhances the resiliency of multi-AZ cluster environments
+* api-change:``fms``: Update AWS WAF policy - add the option to retrofit existing web ACLs instead of creating all new web ACLs.
+* api-change:``payment-cryptography-data``: Adding new API to generate authenticated scripts for EMV pin change use cases.
+* api-change:``wafv2``: Add a property to WebACL to indicate whether it's been retrofitted by Firewall Manager.
+* enhancement:``s3``: Handle HTTP 200 responses with error information for all supported s3 operations.
+
+
 1.35.44
 =======
 
diff --git a/botocore/__init__.py b/botocore/__init__.py
index b4b57ec03a..276d102ff5 100644
--- a/botocore/__init__.py
+++ b/botocore/__init__.py
@@ -16,7 +16,7 @@
 import os
 import re
 
-__version__ = '1.35.44'
+__version__ = '1.35.45'
 
 
 class NullHandler(logging.Handler):
diff --git a/docs/source/conf.py b/docs/source/conf.py
index d03b3d1709..be9f4d02f6 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -59,7 +59,7 @@
 # The short X.Y version.
 version = '1.35.'
 # The full version, including alpha/beta/rc tags.
-release = '1.35.44'
+release = '1.35.45'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.