diff --git a/clients/client-securityhub/README.md b/clients/client-securityhub/README.md index 9d9cb3e7df3a..5271ac96e5c4 100644 --- a/clients/client-securityhub/README.md +++ b/clients/client-securityhub/README.md @@ -9,19 +9,16 @@ AWS SDK for JavaScript SecurityHub Client for Node.js, Browser and React Native. -
Security Hub provides you with a comprehensive view of the security state of your Amazon Web Services environment and resources. It also provides you with the readiness status -of your environment based on controls from supported security standards. Security Hub collects -security data from Amazon Web Services accounts, services, and integrated third-party products and helps -you analyze security trends in your environment to identify the highest priority security -issues. For more information about Security Hub, see the -Security HubUser -Guide -.
-When you use operations in the Security Hub API, the requests are executed only in the Amazon Web Services -Region that is currently active or in the specific Amazon Web Services Region that you specify in your -request. Any configuration or settings change that results from the operation is applied -only to that Region. To make the same change in other Regions, execute the same command for -each Region to apply the change to.
+Security Hub provides you with a comprehensive view of the security state of +your Amazon Web Services environment and resources. It also provides you with the readiness +status of your environment based on controls from supported security standards. Security Hub collects security data from Amazon Web Services accounts, services, and +integrated third-party products and helps you analyze security trends in your environment +to identify the highest priority security issues. For more information about Security Hub, see the Security HubUser +Guide.
+When you use operations in the Security Hub API, the requests are executed only in +the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change +that results from the operation is applied only to that Region. To make the same change in +other Regions, run the same command for each Region in which you want to apply the change.
For example, if your Region is set to us-west-2
, when you use CreateMembers
to add a member account to Security Hub, the association of
the member account with the administrator account is created only in the us-west-2
Region. Security Hub must be enabled for the member account in the same Region that the invitation
@@ -30,8 +27,8 @@ was sent from.
-BatchEnableStandards
- RateLimit
of 1
-request per second, BurstLimit
of 1 request per second.
BatchEnableStandards
- RateLimit
of 1 request per
+second. BurstLimit
of 1 request per second.
@@ -50,8 +47,8 @@ request per second, BurstLimit
of 1 request per second.
-UpdateStandardsControl
- RateLimit
of
-1 request per second, BurstLimit
of 5 requests per second.
UpdateStandardsControl
- RateLimit
of 1 request per
+second. BurstLimit
of 5 requests per second.
All other operations - RateLimit
of 10 requests per second.
diff --git a/clients/client-securityhub/src/SecurityHub.ts b/clients/client-securityhub/src/SecurityHub.ts
index 874349655cda..b2bb628c09e1 100644
--- a/clients/client-securityhub/src/SecurityHub.ts
+++ b/clients/client-securityhub/src/SecurityHub.ts
@@ -21,6 +21,16 @@ import {
BatchEnableStandardsCommandInput,
BatchEnableStandardsCommandOutput,
} from "./commands/BatchEnableStandardsCommand";
+import {
+ BatchGetSecurityControlsCommand,
+ BatchGetSecurityControlsCommandInput,
+ BatchGetSecurityControlsCommandOutput,
+} from "./commands/BatchGetSecurityControlsCommand";
+import {
+ BatchGetStandardsControlAssociationsCommand,
+ BatchGetStandardsControlAssociationsCommandInput,
+ BatchGetStandardsControlAssociationsCommandOutput,
+} from "./commands/BatchGetStandardsControlAssociationsCommand";
import {
BatchImportFindingsCommand,
BatchImportFindingsCommandInput,
@@ -31,6 +41,11 @@ import {
BatchUpdateFindingsCommandInput,
BatchUpdateFindingsCommandOutput,
} from "./commands/BatchUpdateFindingsCommand";
+import {
+ BatchUpdateStandardsControlAssociationsCommand,
+ BatchUpdateStandardsControlAssociationsCommandInput,
+ BatchUpdateStandardsControlAssociationsCommandOutput,
+} from "./commands/BatchUpdateStandardsControlAssociationsCommand";
import {
CreateActionTargetCommand,
CreateActionTargetCommandInput,
@@ -211,6 +226,16 @@ import {
ListOrganizationAdminAccountsCommandInput,
ListOrganizationAdminAccountsCommandOutput,
} from "./commands/ListOrganizationAdminAccountsCommand";
+import {
+ ListSecurityControlDefinitionsCommand,
+ ListSecurityControlDefinitionsCommandInput,
+ ListSecurityControlDefinitionsCommandOutput,
+} from "./commands/ListSecurityControlDefinitionsCommand";
+import {
+ ListStandardsControlAssociationsCommand,
+ ListStandardsControlAssociationsCommandInput,
+ ListStandardsControlAssociationsCommandOutput,
+} from "./commands/ListStandardsControlAssociationsCommand";
import {
ListTagsForResourceCommand,
ListTagsForResourceCommandInput,
@@ -260,19 +285,16 @@ import {
import { SecurityHubClient } from "./SecurityHubClient";
/**
- *
Security Hub provides you with a comprehensive view of the security state of your Amazon Web Services environment and resources. It also provides you with the readiness status - * of your environment based on controls from supported security standards. Security Hub collects - * security data from Amazon Web Services accounts, services, and integrated third-party products and helps - * you analyze security trends in your environment to identify the highest priority security - * issues. For more information about Security Hub, see the - * Security HubUser - * Guide - * .
- *When you use operations in the Security Hub API, the requests are executed only in the Amazon Web Services - * Region that is currently active or in the specific Amazon Web Services Region that you specify in your - * request. Any configuration or settings change that results from the operation is applied - * only to that Region. To make the same change in other Regions, execute the same command for - * each Region to apply the change to.
+ *Security Hub provides you with a comprehensive view of the security state of + * your Amazon Web Services environment and resources. It also provides you with the readiness + * status of your environment based on controls from supported security standards. Security Hub collects security data from Amazon Web Services accounts, services, and + * integrated third-party products and helps you analyze security trends in your environment + * to identify the highest priority security issues. For more information about Security Hub, see the Security HubUser + * Guide.
+ *When you use operations in the Security Hub API, the requests are executed only in + * the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change + * that results from the operation is applied only to that Region. To make the same change in + * other Regions, run the same command for each Region in which you want to apply the change.
*For example, if your Region is set to us-west-2
, when you use CreateMembers
to add a member account to Security Hub, the association of
* the member account with the administrator account is created only in the us-west-2
* Region. Security Hub must be enabled for the member account in the same Region that the invitation
@@ -281,8 +303,8 @@ import { SecurityHubClient } from "./SecurityHubClient";
*
- * BatchEnableStandards
- RateLimit
of 1
- * request per second, BurstLimit
of 1 request per second.
BatchEnableStandards
- RateLimit
of 1 request per
+ * second. BurstLimit
of 1 request per second.
* @@ -301,8 +323,8 @@ import { SecurityHubClient } from "./SecurityHubClient"; *
- * UpdateStandardsControl
- RateLimit
of
- * 1 request per second, BurstLimit
of 5 requests per second.
UpdateStandardsControl
- RateLimit
of 1 request per
+ * second. BurstLimit
of 5 requests per second.
* All other operations - RateLimit
of 10 requests per second.
@@ -460,6 +482,74 @@ export class SecurityHub extends SecurityHubClient {
}
}
+ /**
+ *
+ * Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region. + *
+ */ + public batchGetSecurityControls( + args: BatchGetSecurityControlsCommandInput, + options?: __HttpHandlerOptions + ): Promise+ * For a batch of security controls and standards, identifies whether each control is currently enabled or disabled in a standard. + *
+ */ + public batchGetStandardsControlAssociations( + args: BatchGetStandardsControlAssociationsCommandInput, + options?: __HttpHandlerOptions + ): PromiseImports security findings generated by a finding provider into Security Hub. * This action is requested by the finding provider to import its findings into @@ -656,6 +746,42 @@ export class SecurityHub extends SecurityHubClient { } } + /** + *
+ * For a batch of security controls and standards, this operation updates the enablement status of a control in a standard. + *
+ */ + public batchUpdateStandardsControlAssociations( + args: BatchUpdateStandardsControlAssociationsCommandInput, + options?: __HttpHandlerOptions + ): PromiseCreates a custom action target in Security Hub.
*You can use custom actions on findings and insights in Security Hub to trigger target actions @@ -2040,6 +2166,74 @@ export class SecurityHub extends SecurityHubClient { } } + /** + *
+ * Lists all of the security controls that apply to a specified standard. + *
+ */ + public listSecurityControlDefinitions( + args: ListSecurityControlDefinitionsCommandInput, + options?: __HttpHandlerOptions + ): Promise+ * Specifies whether a control is currently enabled or disabled in each enabled standard in the calling account. + *
+ */ + public listStandardsControlAssociations( + args: ListStandardsControlAssociationsCommandInput, + options?: __HttpHandlerOptions + ): PromiseReturns a list of tags associated with a resource.
*/
diff --git a/clients/client-securityhub/src/SecurityHubClient.ts b/clients/client-securityhub/src/SecurityHubClient.ts
index 4c33bb3c8ca4..df0cde2b7e4b 100644
--- a/clients/client-securityhub/src/SecurityHubClient.ts
+++ b/clients/client-securityhub/src/SecurityHubClient.ts
@@ -62,6 +62,14 @@ import {
BatchEnableStandardsCommandInput,
BatchEnableStandardsCommandOutput,
} from "./commands/BatchEnableStandardsCommand";
+import {
+ BatchGetSecurityControlsCommandInput,
+ BatchGetSecurityControlsCommandOutput,
+} from "./commands/BatchGetSecurityControlsCommand";
+import {
+ BatchGetStandardsControlAssociationsCommandInput,
+ BatchGetStandardsControlAssociationsCommandOutput,
+} from "./commands/BatchGetStandardsControlAssociationsCommand";
import {
BatchImportFindingsCommandInput,
BatchImportFindingsCommandOutput,
@@ -70,6 +78,10 @@ import {
BatchUpdateFindingsCommandInput,
BatchUpdateFindingsCommandOutput,
} from "./commands/BatchUpdateFindingsCommand";
+import {
+ BatchUpdateStandardsControlAssociationsCommandInput,
+ BatchUpdateStandardsControlAssociationsCommandOutput,
+} from "./commands/BatchUpdateStandardsControlAssociationsCommand";
import { CreateActionTargetCommandInput, CreateActionTargetCommandOutput } from "./commands/CreateActionTargetCommand";
import {
CreateFindingAggregatorCommandInput,
@@ -167,6 +179,14 @@ import {
ListOrganizationAdminAccountsCommandInput,
ListOrganizationAdminAccountsCommandOutput,
} from "./commands/ListOrganizationAdminAccountsCommand";
+import {
+ ListSecurityControlDefinitionsCommandInput,
+ ListSecurityControlDefinitionsCommandOutput,
+} from "./commands/ListSecurityControlDefinitionsCommand";
+import {
+ ListStandardsControlAssociationsCommandInput,
+ ListStandardsControlAssociationsCommandOutput,
+} from "./commands/ListStandardsControlAssociationsCommand";
import {
ListTagsForResourceCommandInput,
ListTagsForResourceCommandOutput,
@@ -205,8 +225,11 @@ export type ServiceInputTypes =
| AcceptInvitationCommandInput
| BatchDisableStandardsCommandInput
| BatchEnableStandardsCommandInput
+ | BatchGetSecurityControlsCommandInput
+ | BatchGetStandardsControlAssociationsCommandInput
| BatchImportFindingsCommandInput
| BatchUpdateFindingsCommandInput
+ | BatchUpdateStandardsControlAssociationsCommandInput
| CreateActionTargetCommandInput
| CreateFindingAggregatorCommandInput
| CreateInsightCommandInput
@@ -247,6 +270,8 @@ export type ServiceInputTypes =
| ListInvitationsCommandInput
| ListMembersCommandInput
| ListOrganizationAdminAccountsCommandInput
+ | ListSecurityControlDefinitionsCommandInput
+ | ListStandardsControlAssociationsCommandInput
| ListTagsForResourceCommandInput
| TagResourceCommandInput
| UntagResourceCommandInput
@@ -263,8 +288,11 @@ export type ServiceOutputTypes =
| AcceptInvitationCommandOutput
| BatchDisableStandardsCommandOutput
| BatchEnableStandardsCommandOutput
+ | BatchGetSecurityControlsCommandOutput
+ | BatchGetStandardsControlAssociationsCommandOutput
| BatchImportFindingsCommandOutput
| BatchUpdateFindingsCommandOutput
+ | BatchUpdateStandardsControlAssociationsCommandOutput
| CreateActionTargetCommandOutput
| CreateFindingAggregatorCommandOutput
| CreateInsightCommandOutput
@@ -305,6 +333,8 @@ export type ServiceOutputTypes =
| ListInvitationsCommandOutput
| ListMembersCommandOutput
| ListOrganizationAdminAccountsCommandOutput
+ | ListSecurityControlDefinitionsCommandOutput
+ | ListStandardsControlAssociationsCommandOutput
| ListTagsForResourceCommandOutput
| TagResourceCommandOutput
| UntagResourceCommandOutput
@@ -466,19 +496,16 @@ type SecurityHubClientResolvedConfigType = __SmithyResolvedConfiguration<__HttpH export interface SecurityHubClientResolvedConfig extends SecurityHubClientResolvedConfigType {} /** - *Security Hub provides you with a comprehensive view of the security state of your Amazon Web Services environment and resources. It also provides you with the readiness status - * of your environment based on controls from supported security standards. Security Hub collects - * security data from Amazon Web Services accounts, services, and integrated third-party products and helps - * you analyze security trends in your environment to identify the highest priority security - * issues. For more information about Security Hub, see the - * Security HubUser - * Guide - * .
- *When you use operations in the Security Hub API, the requests are executed only in the Amazon Web Services - * Region that is currently active or in the specific Amazon Web Services Region that you specify in your - * request. Any configuration or settings change that results from the operation is applied - * only to that Region. To make the same change in other Regions, execute the same command for - * each Region to apply the change to.
+ *Security Hub provides you with a comprehensive view of the security state of + * your Amazon Web Services environment and resources. It also provides you with the readiness + * status of your environment based on controls from supported security standards. Security Hub collects security data from Amazon Web Services accounts, services, and + * integrated third-party products and helps you analyze security trends in your environment + * to identify the highest priority security issues. For more information about Security Hub, see the Security HubUser + * Guide.
+ *When you use operations in the Security Hub API, the requests are executed only in + * the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change + * that results from the operation is applied only to that Region. To make the same change in + * other Regions, run the same command for each Region in which you want to apply the change.
*For example, if your Region is set to us-west-2
, when you use CreateMembers
to add a member account to Security Hub, the association of
* the member account with the administrator account is created only in the us-west-2
* Region. Security Hub must be enabled for the member account in the same Region that the invitation
@@ -487,8 +514,8 @@ export interface SecurityHubClientResolvedConfig extends SecurityHubClientResolv
*
- * BatchEnableStandards
- RateLimit
of 1
- * request per second, BurstLimit
of 1 request per second.
BatchEnableStandards
- RateLimit
of 1 request per
+ * second. BurstLimit
of 1 request per second.
* @@ -507,8 +534,8 @@ export interface SecurityHubClientResolvedConfig extends SecurityHubClientResolv *
- * UpdateStandardsControl
- RateLimit
of
- * 1 request per second, BurstLimit
of 5 requests per second.
UpdateStandardsControl
- RateLimit
of 1 request per
+ * second. BurstLimit
of 5 requests per second.
* All other operations - RateLimit
of 10 requests per second.
diff --git a/clients/client-securityhub/src/commands/BatchGetSecurityControlsCommand.ts b/clients/client-securityhub/src/commands/BatchGetSecurityControlsCommand.ts
new file mode 100644
index 000000000000..74ec1c20da7d
--- /dev/null
+++ b/clients/client-securityhub/src/commands/BatchGetSecurityControlsCommand.ts
@@ -0,0 +1,116 @@
+// smithy-typescript generated code
+import { EndpointParameterInstructions, getEndpointPlugin } from "@aws-sdk/middleware-endpoint";
+import { getSerdePlugin } from "@aws-sdk/middleware-serde";
+import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
+import { Command as $Command } from "@aws-sdk/smithy-client";
+import {
+ FinalizeHandlerArguments,
+ Handler,
+ HandlerExecutionContext,
+ HttpHandlerOptions as __HttpHandlerOptions,
+ MetadataBearer as __MetadataBearer,
+ MiddlewareStack,
+ SerdeContext as __SerdeContext,
+} from "@aws-sdk/types";
+
+import {
+ BatchGetSecurityControlsRequest,
+ BatchGetSecurityControlsRequestFilterSensitiveLog,
+ BatchGetSecurityControlsResponse,
+ BatchGetSecurityControlsResponseFilterSensitiveLog,
+} from "../models/models_1";
+import {
+ deserializeAws_restJson1BatchGetSecurityControlsCommand,
+ serializeAws_restJson1BatchGetSecurityControlsCommand,
+} from "../protocols/Aws_restJson1";
+import { SecurityHubClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../SecurityHubClient";
+
+export interface BatchGetSecurityControlsCommandInput extends BatchGetSecurityControlsRequest {}
+export interface BatchGetSecurityControlsCommandOutput extends BatchGetSecurityControlsResponse, __MetadataBearer {}
+
+/**
+ *
+ * Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region. + *
+ * @example + * Use a bare-bones client and the command you need to make an API call. + * ```javascript + * import { SecurityHubClient, BatchGetSecurityControlsCommand } from "@aws-sdk/client-securityhub"; // ES Modules import + * // const { SecurityHubClient, BatchGetSecurityControlsCommand } = require("@aws-sdk/client-securityhub"); // CommonJS import + * const client = new SecurityHubClient(config); + * const command = new BatchGetSecurityControlsCommand(input); + * const response = await client.send(command); + * ``` + * + * @see {@link BatchGetSecurityControlsCommandInput} for command's `input` shape. + * @see {@link BatchGetSecurityControlsCommandOutput} for command's `response` shape. + * @see {@link SecurityHubClientResolvedConfig | config} for SecurityHubClient's `config` shape. + * + */ +export class BatchGetSecurityControlsCommand extends $Command< + BatchGetSecurityControlsCommandInput, + BatchGetSecurityControlsCommandOutput, + SecurityHubClientResolvedConfig +> { + // Start section: command_properties + // End section: command_properties + + public static getEndpointParameterInstructions(): EndpointParameterInstructions { + return { + UseFIPS: { type: "builtInParams", name: "useFipsEndpoint" }, + Endpoint: { type: "builtInParams", name: "endpoint" }, + Region: { type: "builtInParams", name: "region" }, + UseDualStack: { type: "builtInParams", name: "useDualstackEndpoint" }, + }; + } + + constructor(readonly input: BatchGetSecurityControlsCommandInput) { + // Start section: command_constructor + super(); + // End section: command_constructor + } + + /** + * @internal + */ + resolveMiddleware( + clientStack: MiddlewareStack+ * For a batch of security controls and standards, identifies whether each control is currently enabled or disabled in a standard. + *
+ * @example + * Use a bare-bones client and the command you need to make an API call. + * ```javascript + * import { SecurityHubClient, BatchGetStandardsControlAssociationsCommand } from "@aws-sdk/client-securityhub"; // ES Modules import + * // const { SecurityHubClient, BatchGetStandardsControlAssociationsCommand } = require("@aws-sdk/client-securityhub"); // CommonJS import + * const client = new SecurityHubClient(config); + * const command = new BatchGetStandardsControlAssociationsCommand(input); + * const response = await client.send(command); + * ``` + * + * @see {@link BatchGetStandardsControlAssociationsCommandInput} for command's `input` shape. + * @see {@link BatchGetStandardsControlAssociationsCommandOutput} for command's `response` shape. + * @see {@link SecurityHubClientResolvedConfig | config} for SecurityHubClient's `config` shape. + * + */ +export class BatchGetStandardsControlAssociationsCommand extends $Command< + BatchGetStandardsControlAssociationsCommandInput, + BatchGetStandardsControlAssociationsCommandOutput, + SecurityHubClientResolvedConfig +> { + // Start section: command_properties + // End section: command_properties + + public static getEndpointParameterInstructions(): EndpointParameterInstructions { + return { + UseFIPS: { type: "builtInParams", name: "useFipsEndpoint" }, + Endpoint: { type: "builtInParams", name: "endpoint" }, + Region: { type: "builtInParams", name: "region" }, + UseDualStack: { type: "builtInParams", name: "useDualstackEndpoint" }, + }; + } + + constructor(readonly input: BatchGetStandardsControlAssociationsCommandInput) { + // Start section: command_constructor + super(); + // End section: command_constructor + } + + /** + * @internal + */ + resolveMiddleware( + clientStack: MiddlewareStack+ * For a batch of security controls and standards, this operation updates the enablement status of a control in a standard. + *
+ * @example + * Use a bare-bones client and the command you need to make an API call. + * ```javascript + * import { SecurityHubClient, BatchUpdateStandardsControlAssociationsCommand } from "@aws-sdk/client-securityhub"; // ES Modules import + * // const { SecurityHubClient, BatchUpdateStandardsControlAssociationsCommand } = require("@aws-sdk/client-securityhub"); // CommonJS import + * const client = new SecurityHubClient(config); + * const command = new BatchUpdateStandardsControlAssociationsCommand(input); + * const response = await client.send(command); + * ``` + * + * @see {@link BatchUpdateStandardsControlAssociationsCommandInput} for command's `input` shape. + * @see {@link BatchUpdateStandardsControlAssociationsCommandOutput} for command's `response` shape. + * @see {@link SecurityHubClientResolvedConfig | config} for SecurityHubClient's `config` shape. + * + */ +export class BatchUpdateStandardsControlAssociationsCommand extends $Command< + BatchUpdateStandardsControlAssociationsCommandInput, + BatchUpdateStandardsControlAssociationsCommandOutput, + SecurityHubClientResolvedConfig +> { + // Start section: command_properties + // End section: command_properties + + public static getEndpointParameterInstructions(): EndpointParameterInstructions { + return { + UseFIPS: { type: "builtInParams", name: "useFipsEndpoint" }, + Endpoint: { type: "builtInParams", name: "endpoint" }, + Region: { type: "builtInParams", name: "region" }, + UseDualStack: { type: "builtInParams", name: "useDualstackEndpoint" }, + }; + } + + constructor(readonly input: BatchUpdateStandardsControlAssociationsCommandInput) { + // Start section: command_constructor + super(); + // End section: command_constructor + } + + /** + * @internal + */ + resolveMiddleware( + clientStack: MiddlewareStack+ * Lists all of the security controls that apply to a specified standard. + *
+ * @example + * Use a bare-bones client and the command you need to make an API call. + * ```javascript + * import { SecurityHubClient, ListSecurityControlDefinitionsCommand } from "@aws-sdk/client-securityhub"; // ES Modules import + * // const { SecurityHubClient, ListSecurityControlDefinitionsCommand } = require("@aws-sdk/client-securityhub"); // CommonJS import + * const client = new SecurityHubClient(config); + * const command = new ListSecurityControlDefinitionsCommand(input); + * const response = await client.send(command); + * ``` + * + * @see {@link ListSecurityControlDefinitionsCommandInput} for command's `input` shape. + * @see {@link ListSecurityControlDefinitionsCommandOutput} for command's `response` shape. + * @see {@link SecurityHubClientResolvedConfig | config} for SecurityHubClient's `config` shape. + * + */ +export class ListSecurityControlDefinitionsCommand extends $Command< + ListSecurityControlDefinitionsCommandInput, + ListSecurityControlDefinitionsCommandOutput, + SecurityHubClientResolvedConfig +> { + // Start section: command_properties + // End section: command_properties + + public static getEndpointParameterInstructions(): EndpointParameterInstructions { + return { + UseFIPS: { type: "builtInParams", name: "useFipsEndpoint" }, + Endpoint: { type: "builtInParams", name: "endpoint" }, + Region: { type: "builtInParams", name: "region" }, + UseDualStack: { type: "builtInParams", name: "useDualstackEndpoint" }, + }; + } + + constructor(readonly input: ListSecurityControlDefinitionsCommandInput) { + // Start section: command_constructor + super(); + // End section: command_constructor + } + + /** + * @internal + */ + resolveMiddleware( + clientStack: MiddlewareStack+ * Specifies whether a control is currently enabled or disabled in each enabled standard in the calling account. + *
+ * @example + * Use a bare-bones client and the command you need to make an API call. + * ```javascript + * import { SecurityHubClient, ListStandardsControlAssociationsCommand } from "@aws-sdk/client-securityhub"; // ES Modules import + * // const { SecurityHubClient, ListStandardsControlAssociationsCommand } = require("@aws-sdk/client-securityhub"); // CommonJS import + * const client = new SecurityHubClient(config); + * const command = new ListStandardsControlAssociationsCommand(input); + * const response = await client.send(command); + * ``` + * + * @see {@link ListStandardsControlAssociationsCommandInput} for command's `input` shape. + * @see {@link ListStandardsControlAssociationsCommandOutput} for command's `response` shape. + * @see {@link SecurityHubClientResolvedConfig | config} for SecurityHubClient's `config` shape. + * + */ +export class ListStandardsControlAssociationsCommand extends $Command< + ListStandardsControlAssociationsCommandInput, + ListStandardsControlAssociationsCommandOutput, + SecurityHubClientResolvedConfig +> { + // Start section: command_properties + // End section: command_properties + + public static getEndpointParameterInstructions(): EndpointParameterInstructions { + return { + UseFIPS: { type: "builtInParams", name: "useFipsEndpoint" }, + Endpoint: { type: "builtInParams", name: "endpoint" }, + Region: { type: "builtInParams", name: "region" }, + UseDualStack: { type: "builtInParams", name: "useDualstackEndpoint" }, + }; + } + + constructor(readonly input: ListStandardsControlAssociationsCommandInput) { + // Start section: command_constructor + super(); + // End section: command_constructor + } + + /** + * @internal + */ + resolveMiddleware( + clientStack: MiddlewareStackAn ARN that uniquely identifies the Amazon SNS topic for a backup vault’s events. - *
+ *The Amazon Resource Name (ARN) that uniquely identifies the Amazon SNS topic for + * a backup vault's events.
*/ SnsTopicArn?: string; } @@ -4914,8 +4919,11 @@ export interface AwsEc2LaunchTemplateDataInstanceRequirementsDetails { NetworkInterfaceCount?: AwsEc2LaunchTemplateDataInstanceRequirementsNetworkInterfaceCountDetails; /** - *- * The price protection threshold for On-Demand Instances. This is the maximum you’ll pay for an On-Demand Instance, expressed as a percentage above the least expensive current generation M, C, or R instance type with your specified attributes. When Amazon EC2 selects instance types with your attributes, it excludes instance types priced above your threshold.
+ *The price protection threshold for On-Demand Instances. This is the maximum you'll pay + * for an On-Demand Instance, expressed as a percentage above the least expensive current + * generation M, C, or R instance type with your specified attributes. When Amazon EC2 selects + * instance types with your attributes, it excludes instance types priced above your + * threshold.
*The parameter accepts an integer, which Amazon EC2 interprets as a percentage.
*A high value, such as 999999
, turns off price protection.
- * The price protection threshold for Spot Instances. This is the maximum you’ll pay for a Spot Instance, expressed as a - * percentage above the least expensive current generation M, C, or R instance type with your specified attributes. When - * Amazon EC2 selects instance types with your attributes, it excludes instance types priced above your threshold. - *
+ *The price protection threshold for Spot Instances. This is the maximum you'll pay for a + * Spot Instance, expressed as a percentage above the least expensive current generation M, C, + * or R instance type with your specified attributes. When Amazon EC2 selects instance + * types with your attributes, it excludes instance types priced above your threshold.
*The parameter accepts an integer, which Amazon EC2 interprets as a percentage.
*A high value, such as 999999
, turns off price protection.
- * Enables or disables the HTTP metadata endpoint on your instances. If the parameter is not specified, the default state is enabled, and you won’t be able to access your instance metadata. - *
+ *Enables or disables the HTTP metadata endpoint on your instances. If the parameter is + * not specified, the default state is enabled, and you won't be able to access your instance + * metadata.
*/ HttpEndpoint?: string; @@ -10291,16 +10298,6 @@ export interface AwsIamAttachedManagedPolicy { PolicyArn?: string; } -/** - *A managed policy that is attached to the IAM group.
- */ -export interface AwsIamGroupPolicy { - /** - *The name of the policy.
- */ - PolicyName?: string; -} - /** * @internal */ @@ -12664,10 +12661,3 @@ export const AwsIamAccessKeyDetailsFilterSensitiveLog = (obj: AwsIamAccessKeyDet export const AwsIamAttachedManagedPolicyFilterSensitiveLog = (obj: AwsIamAttachedManagedPolicy): any => ({ ...obj, }); - -/** - * @internal - */ -export const AwsIamGroupPolicyFilterSensitiveLog = (obj: AwsIamGroupPolicy): any => ({ - ...obj, -}); diff --git a/clients/client-securityhub/src/models/models_1.ts b/clients/client-securityhub/src/models/models_1.ts index 6541c3f8a03d..1c8976e82350 100644 --- a/clients/client-securityhub/src/models/models_1.ts +++ b/clients/client-securityhub/src/models/models_1.ts @@ -4,10 +4,9 @@ import { ExceptionOptionType as __ExceptionOptionType } from "@aws-sdk/smithy-cl import { AccountDetails, Action, - ActionTarget, Adjustment, AssociatedStandard, - AutoEnableStandards, + AssociationStatus, AwsApiGatewayRestApiDetails, AwsApiGatewayStageDetails, AwsApiGatewayV2ApiDetails, @@ -52,10 +51,19 @@ import { AwsElbv2LoadBalancerDetails, AwsIamAccessKeyDetails, AwsIamAttachedManagedPolicy, - AwsIamGroupPolicy, } from "./models_0"; import { SecurityHubServiceException as __BaseException } from "./SecurityHubServiceException"; +/** + *A managed policy that is attached to the IAM group.
+ */ +export interface AwsIamGroupPolicy { + /** + *The name of the policy.
+ */ + PolicyName?: string; +} + /** *Contains details about an IAM group.
*/ @@ -3314,7 +3322,8 @@ export interface AwsRedshiftClusterClusterSecurityGroup { } /** - *Information about a cross-Region snapshot copy.
+ *You can configure Amazon Redshift to copy snapshots for a cluster to another Amazon Web Services Region. This parameter + * provides information about a cross-Region snapshot copy.
*/ export interface AwsRedshiftClusterClusterSnapshotCopyStatus { /** @@ -3324,8 +3333,8 @@ export interface AwsRedshiftClusterClusterSnapshotCopyStatus { DestinationRegion?: string; /** - *The number of days that manual snapshots are retained in the destination region after - * they are copied from a source region.
+ *The number of days that manual snapshots are retained in the destination Region after + * they are copied from a source Region.
*If the value is -1
,
* then the manual snapshot is retained indefinitely.
Valid values: Either -1
@@ -7596,7 +7605,7 @@ export interface Resource {
/**
*
The severity of the finding.
*The finding provider can provide the initial severity. The finding provider can only
- * update the severity if it has not been updated using
+ * update the severity if it hasn't been updated using
* BatchUpdateFindings
.
The finding must have either Label
or Normalized
populated. If
* only one of these attributes is populated, then Security Hub automatically populates the other
@@ -9353,6 +9362,291 @@ export interface BatchEnableStandardsResponse {
StandardsSubscriptions?: StandardsSubscription[];
}
+export interface BatchGetSecurityControlsRequest {
+ /**
+ *
A list of security controls (identified with SecurityControlId
,
+ * SecurityControlArn
, or a mix of both parameters). The security control ID
+ * or Amazon Resource Name (ARN) is the same across standards.
+ * A security control in Security Hub describes a security best practice related to a specific resource. + *
+ */ +export interface SecurityControl { + /** + *+ * The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Service name and a + * number, such as APIGateway.3. + *
+ */ + SecurityControlId: string | undefined; + + /** + * The Amazon Resource Name (ARN) for a security control across standards, such as
+ * arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1
. This
+ * parameter doesn't mention a specific standard.
The title of a security control. + *
+ */ + Title: string | undefined; + + /** + *The description of a security control across standards. This typically summarizes how + * Security Hub evaluates the control and the conditions under which it produces a + * failed finding. This parameter doesn't reference a specific standard.
+ */ + Description: string | undefined; + + /** + *+ * A link to Security Hub documentation that explains how to remediate a failed finding for a security control. + *
+ */ + RemediationUrl: string | undefined; + + /** + *+ * The severity of a security control. For more information about how Security Hub determines control severity, see + * Assigning severity to control findings in the + * Security Hub User Guide. + *
+ */ + SeverityRating: SeverityRating | string | undefined; + + /** + *+ * The status of a security control based on the compliance status of its findings. For more information about how control + * status is determined, see Determining the overall status of a control from its findings in the + * Security Hub User Guide. + *
+ */ + SecurityControlStatus: ControlStatus | string | undefined; +} + +export enum UnprocessedErrorCode { + ACCESS_DENIED = "ACCESS_DENIED", + INVALID_INPUT = "INVALID_INPUT", + LIMIT_EXCEEDED = "LIMIT_EXCEEDED", + NOT_FOUND = "NOT_FOUND", +} + +/** + *Provides details about a security control for which a response couldn't be returned.
+ */ +export interface UnprocessedSecurityControl { + /** + * The control (identified with SecurityControlId
,
+ * SecurityControlArn
, or a mix of both parameters) for which a response
+ * couldn't be returned.
+ * The error code for the unprocessed security control. + *
+ */ + ErrorCode: UnprocessedErrorCode | string | undefined; + + /** + *+ * The reason why the security control was unprocessed. + *
+ */ + ErrorReason?: string; +} + +export interface BatchGetSecurityControlsResponse { + /** + *
+ * An array that returns the identifier, Amazon Resource Name (ARN), and other details about a security control.
+ * The same information is returned whether the request includes SecurityControlId
or SecurityControlArn
.
+ *
+ * A security control (identified with SecurityControlId
, SecurityControlArn
, or a mix of both parameters) for which
+ * details cannot be returned.
+ *
+ * An array with one or more objects that includes a security control (identified with SecurityControlId
, SecurityControlArn
, or a mix of both parameters)
+ * and the Amazon Resource Name (ARN) of a standard. The security control ID or ARN is the same across standards.
+ *
+ * The unique identifier (identified with SecurityControlId
, SecurityControlArn
, or a mix of both parameters) of a security
+ * control across standards.
+ *
+ * The ARN of a standard. + *
+ */ + StandardsArn: string | undefined; +} + +export interface BatchGetStandardsControlAssociationsRequest { + /** + *
+ * An array with one or more objects that includes a security control (identified with SecurityControlId
, SecurityControlArn
, or a mix of both parameters) and the Amazon Resource Name (ARN) of a standard.
+ * This field is used to query the enablement status of a control in a specified standard. The security control ID or ARN is the same across standards.
+ *
Provides details about a control's enablement status in a specified standard.
+ */ +export interface StandardsControlAssociationDetail { + /** + *+ * The Amazon Resource Name (ARN) of a security standard. + *
+ */ + StandardsArn: string | undefined; + + /** + *+ * The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Service + * name and a number, such as APIGateway.3. + *
+ */ + SecurityControlId: string | undefined; + + /** + * The ARN of a security control across standards, such as
+ * arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1
. This
+ * parameter doesn't mention a specific standard.
+ * Specifies whether a control is enabled or disabled in a specified standard. + *
+ */ + AssociationStatus: AssociationStatus | string | undefined; + + /** + *+ * The requirement that underlies a control in the compliance framework related to the standard. + *
+ */ + RelatedRequirements?: string[]; + + /** + *+ * The time at which the enablement status of the control in the specified standard was last updated. + *
+ */ + UpdatedAt?: Date; + + /** + *+ * The reason for updating the enablement status of a control in a specified standard. + *
+ */ + UpdatedReason?: string; + + /** + *+ * The title of a control. This field may reference a specific standard. + *
+ */ + StandardsControlTitle?: string; + + /** + *+ * The description of a control. This typically summarizes how Security Hub evaluates the control and the + * conditions under which it produces a failed finding. This parameter may reference a specific standard. + *
+ */ + StandardsControlDescription?: string; + + /** + *Provides the input parameter that Security Hub uses to call the UpdateStandardsControl API. This API can be used to enable or disable a control + * in a specified standard.
+ */ + StandardsControlArns?: string[]; +} + +/** + *Provides details about which + * control's enablement status couldn't be retrieved in a specified standard when calling BatchUpdateStandardsControlAssociations. This parameter also provides details + * about why the request was unprocessed.
+ */ +export interface UnprocessedStandardsControlAssociation { + /** + * An array with one or more objects that includes a security control (identified with
+ * SecurityControlId
, SecurityControlArn
, or a mix of both
+ * parameters) and the Amazon Resource Name (ARN) of a standard. This parameter shows the
+ * specific controls for which the enablement status couldn't be retrieved in specified standards when
+ * calling BatchUpdateStandardsControlAssociations.
The error code for the unprocessed standard and control association. + *
+ */ + ErrorCode: UnprocessedErrorCode | string | undefined; + + /** + *The reason why the standard and control association was unprocessed.
+ */ + ErrorReason?: string; +} + +export interface BatchGetStandardsControlAssociationsResponse { + /** + *Provides the enablement status of a security control in a specified standard and other details for the control in relation to + * the specified standard. + *
+ */ + StandardsControlAssociationDetails: StandardsControlAssociationDetail[] | undefined; + + /** + *
+ * A security control (identified with SecurityControlId
, SecurityControlArn
, or a mix of both parameters) whose enablement
+ * status in a specified standard cannot be returned.
+ *
A list of findings to import. To successfully import a finding, it must follow the @@ -9730,9 +10024,80 @@ export interface BatchUpdateFindingsResponse { UnprocessedFindings: BatchUpdateFindingsUnprocessedFinding[] | undefined; } -export enum ControlStatus { - DISABLED = "DISABLED", - ENABLED = "ENABLED", +/** + *
An array of requested updates to the enablement status of controls in specified + * standards. The objects in the array include a security control ID, the Amazon Resource Name (ARN) of the standard, the requested + * enablement status, and the reason for updating the enablement status.
+ */ +export interface StandardsControlAssociationUpdate { + /** + *The Amazon Resource Name (ARN) of the standard in which you want to update the + * control's enablement status.
+ */ + StandardsArn: string | undefined; + + /** + *The unique identifier for the security control whose enablement status you want to update.
+ */ + SecurityControlId: string | undefined; + + /** + *The desired enablement status of the control in the standard.
+ */ + AssociationStatus: AssociationStatus | string | undefined; + + /** + *The reason for updating the control's enablement status in the standard.
+ */ + UpdatedReason?: string; +} + +export interface BatchUpdateStandardsControlAssociationsRequest { + /** + *+ * Updates the enablement status of a security control in a specified standard. + *
+ */ + StandardsControlAssociationUpdates: StandardsControlAssociationUpdate[] | undefined; +} + +/** + *Provides details about which control's enablement status could not be updated in a + * specified standard when calling the BatchUpdateStandardsControlAssociations API. This parameter also provides + * details about why the request was unprocessed.
+ */ +export interface UnprocessedStandardsControlAssociationUpdate { + /** + *An array of control and standard associations for which an update failed when calling + * BatchUpdateStandardsControlAssociations. + *
+ */ + StandardsControlAssociationUpdate: StandardsControlAssociationUpdate | undefined; + + /** + *The error code for the unprocessed update of the control's enablement status in the + * specified standard.
+ */ + ErrorCode: UnprocessedErrorCode | string | undefined; + + /** + *The reason why a control's enablement status in the specified standard couldn't be updated.
+ */ + ErrorReason?: string; +} + +export interface BatchUpdateStandardsControlAssociationsResponse { + /** + *
+ * A security control (identified with SecurityControlId
, SecurityControlArn
, or a mix of both parameters) whose enablement status in a specified standard couldn't be updated.
+ *
The ARN for the custom action target.
+ *The Amazon Resource Name (ARN) for the custom action target.
*/ ActionTargetArn: string | undefined; } @@ -9914,7 +10279,7 @@ export interface DeclineInvitationsResponse { export interface DeleteActionTargetRequest { /** - *The ARN of the custom action target to delete.
+ *The Amazon Resource Name (ARN) of the custom action target to delete.
*/ ActionTargetArn: string | undefined; } @@ -9926,242 +10291,12 @@ export interface DeleteActionTargetResponse { ActionTargetArn: string | undefined; } -export interface DeleteFindingAggregatorRequest { - /** - *The ARN of the finding aggregator to delete. To obtain the ARN, use ListFindingAggregators
.
The ARN of the insight to delete.
- */ - InsightArn: string | undefined; -} - -export interface DeleteInsightResponse { - /** - *The ARN of the insight that was deleted.
- */ - InsightArn: string | undefined; -} - -export interface DeleteInvitationsRequest { - /** - *The list of the account IDs that sent the invitations to delete.
- */ - AccountIds: string[] | undefined; -} - -export interface DeleteInvitationsResponse { - /** - *The list of Amazon Web Services accounts for which the invitations were not deleted. For each account, - * the list includes the account ID and the email address.
- */ - UnprocessedAccounts?: Result[]; -} - -export interface DeleteMembersRequest { - /** - *The list of account IDs for the member accounts to delete.
- */ - AccountIds: string[] | undefined; -} - -export interface DeleteMembersResponse { - /** - *The list of Amazon Web Services accounts that were not deleted. For each account, the list includes the - * account ID and the email address.
- */ - UnprocessedAccounts?: Result[]; -} - -export interface DescribeActionTargetsRequest { - /** - *A list of custom action target ARNs for the custom action targets to retrieve.
- */ - ActionTargetArns?: string[]; - - /** - *The token that is required for pagination. On your first call to the
- * DescribeActionTargets
operation, set the value of this parameter to
- * NULL
.
For subsequent calls to the operation, to continue listing data, set the value of this - * parameter to the value returned from the previous response.
- */ - NextToken?: string; - - /** - *The maximum number of results to return.
- */ - MaxResults?: number; -} - -export interface DescribeActionTargetsResponse { - /** - *A list of ActionTarget
objects. Each object includes the ActionTargetArn
,
- * Description
, and Name
of a custom action target available in
- * Security Hub.
The pagination token to use to request the next page of results.
- */ - NextToken?: string; -} - -export interface DescribeHubRequest { - /** - *The ARN of the Hub resource to retrieve.
- */ - HubArn?: string; -} - -export interface DescribeHubResponse { - /** - *The ARN of the Hub resource that was retrieved.
- */ - HubArn?: string; - - /** - *The date and time when Security Hub was enabled in the account.
- */ - SubscribedAt?: string; - - /** - *Whether to automatically enable new controls when they are added to standards that are - * enabled.
- *If set to true
, then new controls for enabled standards are enabled
- * automatically. If set to false
, then new controls are not enabled.
Whether to automatically enable Security Hub for new accounts in the organization.
- *If set to true
, then Security Hub is enabled for new accounts. If set to false,
- * then new accounts are not added automatically.
Whether the maximum number of allowed member accounts are already associated with the - * Security Hub administrator account.
- */ - MemberAccountLimitReached?: boolean; - - /** - *Whether to automatically enable Security Hub default standards - * for new member accounts in the organization.
- *The default value of this parameter is equal to DEFAULT
.
If equal to DEFAULT
, then Security Hub default standards are automatically enabled for new member
- * accounts. If equal to NONE
, then default standards are not automatically enabled for new member
- * accounts.
The token that is required for pagination. On your first call to the
- * DescribeProducts
operation, set the value of this parameter to
- * NULL
.
For subsequent calls to the operation, to continue listing data, set the value of this - * parameter to the value returned from the previous response.
- */ - NextToken?: string; - - /** - *The maximum number of results to return.
- */ - MaxResults?: number; - - /** - *The ARN of the integration to return.
- */ - ProductArn?: string; -} - -export enum IntegrationType { - RECEIVE_FINDINGS_FROM_SECURITY_HUB = "RECEIVE_FINDINGS_FROM_SECURITY_HUB", - SEND_FINDINGS_TO_SECURITY_HUB = "SEND_FINDINGS_TO_SECURITY_HUB", - UPDATE_FINDINGS_IN_SECURITY_HUB = "UPDATE_FINDINGS_IN_SECURITY_HUB", -} - /** - *Contains details about a product.
+ * @internal */ -export interface Product { - /** - *The ARN assigned to the product.
- */ - ProductArn: string | undefined; - - /** - *The name of the product.
- */ - ProductName?: string; - - /** - *The name of the company that provides the product.
- */ - CompanyName?: string; - - /** - *A description of the product.
- */ - Description?: string; - - /** - *The categories assigned to the product.
- */ - Categories?: string[]; - - /** - *The types of integration that the product supports. Available values are the - * following.
- *
- * SEND_FINDINGS_TO_SECURITY_HUB
- The integration sends
- * findings to Security Hub.
- * RECEIVE_FINDINGS_FROM_SECURITY_HUB
- The integration
- * receives findings from Security Hub.
- * UPDATE_FINDINGS_IN_SECURITY_HUB
- The integration does not send new findings to Security Hub, but does make updates to the findings that it receives from Security Hub.
For integrations with Amazon Web Services services, the Amazon Web Services Console URL from which to activate the service.
- *For integrations with third-party products, the Amazon Web Services Marketplace URL from which to subscribe to or purchase the product.
- */ - MarketplaceUrl?: string; - - /** - *The URL to the service or product documentation about the integration with Security Hub, including how to activate the integration.
- */ - ActivationUrl?: string; - - /** - *The resource policy associated with the product.
- */ - ProductSubscriptionResourcePolicy?: string; -} +export const AwsIamGroupPolicyFilterSensitiveLog = (obj: AwsIamGroupPolicy): any => ({ + ...obj, +}); /** * @internal @@ -11998,57 +12133,43 @@ export const BatchEnableStandardsResponseFilterSensitiveLog = (obj: BatchEnableS /** * @internal */ -export const BatchImportFindingsRequestFilterSensitiveLog = (obj: BatchImportFindingsRequest): any => ({ +export const BatchGetSecurityControlsRequestFilterSensitiveLog = (obj: BatchGetSecurityControlsRequest): any => ({ ...obj, }); /** * @internal */ -export const ImportFindingsErrorFilterSensitiveLog = (obj: ImportFindingsError): any => ({ +export const SecurityControlFilterSensitiveLog = (obj: SecurityControl): any => ({ ...obj, }); /** * @internal */ -export const BatchImportFindingsResponseFilterSensitiveLog = (obj: BatchImportFindingsResponse): any => ({ +export const UnprocessedSecurityControlFilterSensitiveLog = (obj: UnprocessedSecurityControl): any => ({ ...obj, }); /** * @internal */ -export const NoteUpdateFilterSensitiveLog = (obj: NoteUpdate): any => ({ +export const BatchGetSecurityControlsResponseFilterSensitiveLog = (obj: BatchGetSecurityControlsResponse): any => ({ ...obj, }); /** * @internal */ -export const SeverityUpdateFilterSensitiveLog = (obj: SeverityUpdate): any => ({ +export const StandardsControlAssociationIdFilterSensitiveLog = (obj: StandardsControlAssociationId): any => ({ ...obj, }); /** * @internal */ -export const WorkflowUpdateFilterSensitiveLog = (obj: WorkflowUpdate): any => ({ - ...obj, -}); - -/** - * @internal - */ -export const BatchUpdateFindingsRequestFilterSensitiveLog = (obj: BatchUpdateFindingsRequest): any => ({ - ...obj, -}); - -/** - * @internal - */ -export const BatchUpdateFindingsUnprocessedFindingFilterSensitiveLog = ( - obj: BatchUpdateFindingsUnprocessedFinding +export const BatchGetStandardsControlAssociationsRequestFilterSensitiveLog = ( + obj: BatchGetStandardsControlAssociationsRequest ): any => ({ ...obj, }); 
@@ -12056,213 +12177,214 @@ export const BatchUpdateFindingsUnprocessedFindingFilterSensitiveLog = ( /** * @internal */ -export const BatchUpdateFindingsResponseFilterSensitiveLog = (obj: BatchUpdateFindingsResponse): any => ({ - ...obj, -}); - -/** - * @internal - */ -export const CreateActionTargetRequestFilterSensitiveLog = (obj: CreateActionTargetRequest): any => ({ +export const StandardsControlAssociationDetailFilterSensitiveLog = (obj: StandardsControlAssociationDetail): any => ({ ...obj, }); /** * @internal */ -export const CreateActionTargetResponseFilterSensitiveLog = (obj: CreateActionTargetResponse): any => ({ +export const UnprocessedStandardsControlAssociationFilterSensitiveLog = ( + obj: UnprocessedStandardsControlAssociation +): any => ({ ...obj, }); /** * @internal */ -export const CreateFindingAggregatorRequestFilterSensitiveLog = (obj: CreateFindingAggregatorRequest): any => ({ +export const BatchGetStandardsControlAssociationsResponseFilterSensitiveLog = ( + obj: BatchGetStandardsControlAssociationsResponse +): any => ({ ...obj, }); /** * @internal */ -export const CreateFindingAggregatorResponseFilterSensitiveLog = (obj: CreateFindingAggregatorResponse): any => ({ +export const BatchImportFindingsRequestFilterSensitiveLog = (obj: BatchImportFindingsRequest): any => ({ ...obj, }); /** * @internal */ -export const CreateInsightRequestFilterSensitiveLog = (obj: CreateInsightRequest): any => ({ +export const ImportFindingsErrorFilterSensitiveLog = (obj: ImportFindingsError): any => ({ ...obj, }); /** * @internal */ -export const CreateInsightResponseFilterSensitiveLog = (obj: CreateInsightResponse): any => ({ +export const BatchImportFindingsResponseFilterSensitiveLog = (obj: BatchImportFindingsResponse): any => ({ ...obj, }); /** * @internal */ -export const CreateMembersRequestFilterSensitiveLog = (obj: CreateMembersRequest): any => ({ +export const NoteUpdateFilterSensitiveLog = (obj: NoteUpdate): any => ({ ...obj, }); /** * @internal */ -export 
const ResultFilterSensitiveLog = (obj: Result): any => ({ +export const SeverityUpdateFilterSensitiveLog = (obj: SeverityUpdate): any => ({ ...obj, }); /** * @internal */ -export const CreateMembersResponseFilterSensitiveLog = (obj: CreateMembersResponse): any => ({ +export const WorkflowUpdateFilterSensitiveLog = (obj: WorkflowUpdate): any => ({ ...obj, }); /** * @internal */ -export const DeclineInvitationsRequestFilterSensitiveLog = (obj: DeclineInvitationsRequest): any => ({ +export const BatchUpdateFindingsRequestFilterSensitiveLog = (obj: BatchUpdateFindingsRequest): any => ({ ...obj, }); /** * @internal */ -export const DeclineInvitationsResponseFilterSensitiveLog = (obj: DeclineInvitationsResponse): any => ({ +export const BatchUpdateFindingsUnprocessedFindingFilterSensitiveLog = ( + obj: BatchUpdateFindingsUnprocessedFinding +): any => ({ ...obj, }); /** * @internal */ -export const DeleteActionTargetRequestFilterSensitiveLog = (obj: DeleteActionTargetRequest): any => ({ +export const BatchUpdateFindingsResponseFilterSensitiveLog = (obj: BatchUpdateFindingsResponse): any => ({ ...obj, }); /** * @internal */ -export const DeleteActionTargetResponseFilterSensitiveLog = (obj: DeleteActionTargetResponse): any => ({ +export const StandardsControlAssociationUpdateFilterSensitiveLog = (obj: StandardsControlAssociationUpdate): any => ({ ...obj, }); /** * @internal */ -export const DeleteFindingAggregatorRequestFilterSensitiveLog = (obj: DeleteFindingAggregatorRequest): any => ({ +export const BatchUpdateStandardsControlAssociationsRequestFilterSensitiveLog = ( + obj: BatchUpdateStandardsControlAssociationsRequest +): any => ({ ...obj, }); /** * @internal */ -export const DeleteFindingAggregatorResponseFilterSensitiveLog = (obj: DeleteFindingAggregatorResponse): any => ({ +export const UnprocessedStandardsControlAssociationUpdateFilterSensitiveLog = ( + obj: UnprocessedStandardsControlAssociationUpdate +): any => ({ ...obj, }); /** * @internal */ -export const 
DeleteInsightRequestFilterSensitiveLog = (obj: DeleteInsightRequest): any => ({ +export const BatchUpdateStandardsControlAssociationsResponseFilterSensitiveLog = ( + obj: BatchUpdateStandardsControlAssociationsResponse +): any => ({ ...obj, }); /** * @internal */ -export const DeleteInsightResponseFilterSensitiveLog = (obj: DeleteInsightResponse): any => ({ +export const CreateActionTargetRequestFilterSensitiveLog = (obj: CreateActionTargetRequest): any => ({ ...obj, }); /** * @internal */ -export const DeleteInvitationsRequestFilterSensitiveLog = (obj: DeleteInvitationsRequest): any => ({ +export const CreateActionTargetResponseFilterSensitiveLog = (obj: CreateActionTargetResponse): any => ({ ...obj, }); /** * @internal */ -export const DeleteInvitationsResponseFilterSensitiveLog = (obj: DeleteInvitationsResponse): any => ({ +export const CreateFindingAggregatorRequestFilterSensitiveLog = (obj: CreateFindingAggregatorRequest): any => ({ ...obj, }); /** * @internal */ -export const DeleteMembersRequestFilterSensitiveLog = (obj: DeleteMembersRequest): any => ({ +export const CreateFindingAggregatorResponseFilterSensitiveLog = (obj: CreateFindingAggregatorResponse): any => ({ ...obj, }); /** * @internal */ -export const DeleteMembersResponseFilterSensitiveLog = (obj: DeleteMembersResponse): any => ({ +export const CreateInsightRequestFilterSensitiveLog = (obj: CreateInsightRequest): any => ({ ...obj, }); /** * @internal */ -export const DescribeActionTargetsRequestFilterSensitiveLog = (obj: DescribeActionTargetsRequest): any => ({ +export const CreateInsightResponseFilterSensitiveLog = (obj: CreateInsightResponse): any => ({ ...obj, }); /** * @internal */ -export const DescribeActionTargetsResponseFilterSensitiveLog = (obj: DescribeActionTargetsResponse): any => ({ +export const CreateMembersRequestFilterSensitiveLog = (obj: CreateMembersRequest): any => ({ ...obj, }); /** * @internal */ -export const DescribeHubRequestFilterSensitiveLog = (obj: DescribeHubRequest): 
any => ({ +export const ResultFilterSensitiveLog = (obj: Result): any => ({ ...obj, }); /** * @internal */ -export const DescribeHubResponseFilterSensitiveLog = (obj: DescribeHubResponse): any => ({ +export const CreateMembersResponseFilterSensitiveLog = (obj: CreateMembersResponse): any => ({ ...obj, }); /** * @internal */ -export const DescribeOrganizationConfigurationRequestFilterSensitiveLog = ( - obj: DescribeOrganizationConfigurationRequest -): any => ({ +export const DeclineInvitationsRequestFilterSensitiveLog = (obj: DeclineInvitationsRequest): any => ({ ...obj, }); /** * @internal */ -export const DescribeOrganizationConfigurationResponseFilterSensitiveLog = ( - obj: DescribeOrganizationConfigurationResponse -): any => ({ +export const DeclineInvitationsResponseFilterSensitiveLog = (obj: DeclineInvitationsResponse): any => ({ ...obj, }); /** * @internal */ -export const DescribeProductsRequestFilterSensitiveLog = (obj: DescribeProductsRequest): any => ({ +export const DeleteActionTargetRequestFilterSensitiveLog = (obj: DeleteActionTargetRequest): any => ({ ...obj, }); /** * @internal */ -export const ProductFilterSensitiveLog = (obj: Product): any => ({ +export const DeleteActionTargetResponseFilterSensitiveLog = (obj: DeleteActionTargetResponse): any => ({ ...obj, }); diff --git a/clients/client-securityhub/src/models/models_2.ts b/clients/client-securityhub/src/models/models_2.ts index 89326ecfc890..eee09884dfb0 100644 --- a/clients/client-securityhub/src/models/models_2.ts +++ b/clients/client-securityhub/src/models/models_2.ts 
@@ -1,16 +1,267 @@ // smithy-typescript generated code -import { AdminAccount, AutoEnableStandards } from "./models_0"; +import { ActionTarget, AdminAccount, AssociationStatus, AutoEnableStandards } from "./models_0"; import { AwsSecurityFinding, AwsSecurityFindingFilters, + ControlFindingGenerator, ControlStatus, NoteUpdate, - Product, RecordState, Result, + SeverityRating, StandardsSubscription, } from "./models_1"; +export interface DeleteFindingAggregatorRequest { + /** + *The ARN of the finding aggregator to delete. To obtain the ARN, use ListFindingAggregators
.
The ARN of the insight to delete.
+ */ + InsightArn: string | undefined; +} + +export interface DeleteInsightResponse { + /** + *The ARN of the insight that was deleted.
+ */ + InsightArn: string | undefined; +} + +export interface DeleteInvitationsRequest { + /** + *The list of the account IDs that sent the invitations to delete.
+ */ + AccountIds: string[] | undefined; +} + +export interface DeleteInvitationsResponse { + /** + *The list of Amazon Web Services accounts for which the invitations were not deleted. For each account, + * the list includes the account ID and the email address.
+ */ + UnprocessedAccounts?: Result[]; +} + +export interface DeleteMembersRequest { + /** + *The list of account IDs for the member accounts to delete.
+ */ + AccountIds: string[] | undefined; +} + +export interface DeleteMembersResponse { + /** + *The list of Amazon Web Services accounts that were not deleted. For each account, the list includes the + * account ID and the email address.
+ */ + UnprocessedAccounts?: Result[]; +} + +export interface DescribeActionTargetsRequest { + /** + *A list of custom action target ARNs for the custom action targets to retrieve.
+ */ + ActionTargetArns?: string[]; + + /** + *The token that is required for pagination. On your first call to the
+ * DescribeActionTargets
operation, set the value of this parameter to
+ * NULL
.
For subsequent calls to the operation, to continue listing data, set the value of this + * parameter to the value returned from the previous response.
+ */ + NextToken?: string; + + /** + *The maximum number of results to return.
+ */ + MaxResults?: number; +} + +export interface DescribeActionTargetsResponse { + /** + *A list of ActionTarget
objects. Each object includes the ActionTargetArn
,
+ * Description
, and Name
of a custom action target available in
+ * Security Hub.
The pagination token to use to request the next page of results.
+ */ + NextToken?: string; +} + +export interface DescribeHubRequest { + /** + *The ARN of the Hub resource to retrieve.
+ */ + HubArn?: string; +} + +export interface DescribeHubResponse { + /** + *The ARN of the Hub resource that was retrieved.
+ */ + HubArn?: string; + + /** + *The date and time when Security Hub was enabled in the account.
+ */ + SubscribedAt?: string; + + /** + *Whether to automatically enable new controls when they are added to standards that are + * enabled.
+ *If set to true
, then new controls for enabled standards are enabled
+ * automatically. If set to false
, then new controls are not enabled.
Specifies whether the calling account has consolidated control findings turned on. If the value for this field is set to
+ * SECURITY_CONTROL
, Security Hub generates a single finding for a control check even when the check
+ * applies to multiple enabled standards.
If the value for this field is set to STANDARD_CONTROL
, Security Hub generates separate findings
+ * for a control check when the check applies to multiple enabled standards.
The value for this field in a member account matches the value in the administrator
+ * account. For accounts that aren't part of an organization, the default value of this field
+ * is SECURITY_CONTROL
if you enabled Security Hub on or after February 9,
+ * 2023.
Whether to automatically enable Security Hub for new accounts in the organization.
+ *If set to true
, then Security Hub is enabled for new accounts. If set to false,
+ * then new accounts are not added automatically.
Whether the maximum number of allowed member accounts are already associated with the + * Security Hub administrator account.
+ */ + MemberAccountLimitReached?: boolean; + + /** + *Whether to automatically enable Security Hub default standards + * for new member accounts in the organization.
+ *The default value of this parameter is equal to DEFAULT
.
If equal to DEFAULT
, then Security Hub default standards are automatically enabled for new member
+ * accounts. If equal to NONE
, then default standards are not automatically enabled for new member
+ * accounts.
The token that is required for pagination. On your first call to the
+ * DescribeProducts
operation, set the value of this parameter to
+ * NULL
.
For subsequent calls to the operation, to continue listing data, set the value of this + * parameter to the value returned from the previous response.
+ */ + NextToken?: string; + + /** + *The maximum number of results to return.
+ */ + MaxResults?: number; + + /** + *The ARN of the integration to return.
+ */ + ProductArn?: string; +} + +export enum IntegrationType { + RECEIVE_FINDINGS_FROM_SECURITY_HUB = "RECEIVE_FINDINGS_FROM_SECURITY_HUB", + SEND_FINDINGS_TO_SECURITY_HUB = "SEND_FINDINGS_TO_SECURITY_HUB", + UPDATE_FINDINGS_IN_SECURITY_HUB = "UPDATE_FINDINGS_IN_SECURITY_HUB", +} + +/** + *Contains details about a product.
+ */ +export interface Product { + /** + *The ARN assigned to the product.
+ */ + ProductArn: string | undefined; + + /** + *The name of the product.
+ */ + ProductName?: string; + + /** + *The name of the company that provides the product.
+ */ + CompanyName?: string; + + /** + *A description of the product.
+ */ + Description?: string; + + /** + *The categories assigned to the product.
+ */ + Categories?: string[]; + + /** + *The types of integration that the product supports. Available values are the + * following.
+ *
+ * SEND_FINDINGS_TO_SECURITY_HUB
- The integration sends
+ * findings to Security Hub.
+ * RECEIVE_FINDINGS_FROM_SECURITY_HUB
- The integration
+ * receives findings from Security Hub.
+ * UPDATE_FINDINGS_IN_SECURITY_HUB
- The integration does not send new findings to Security Hub, but does make updates to the findings that it receives from Security Hub.
For integrations with Amazon Web Services services, the Amazon Web Services Console URL from which to activate the service.
+ *For integrations with third-party products, the Amazon Web Services Marketplace URL from which to subscribe to or purchase the product.
+ */ + MarketplaceUrl?: string; + + /** + *The URL to the service or product documentation about the integration with Security Hub, including how to activate the integration.
+ */ + ActivationUrl?: string; + + /** + *The resource policy associated with the product.
+ */ + ProductSubscriptionResourcePolicy?: string; +} + export interface DescribeProductsResponse { /** *A list of products, including details for each product.
@@ -127,13 +378,6 @@ export interface DescribeStandardsControlsRequest { MaxResults?: number; } -export enum SeverityRating { - CRITICAL = "CRITICAL", - HIGH = "HIGH", - LOW = "LOW", - MEDIUM = "MEDIUM", -} - /** *Details for an individual security standard control.
*/ @@ -283,6 +527,20 @@ export interface EnableSecurityHubRequest { *EnableDefaultStandards
to false
.
*/
EnableDefaultStandards?: boolean;
+
+ /**
+ * This field, used when enabling Security Hub, specifies whether the calling account has consolidated control findings turned on.
+ * If the value for this field is set to
+ * SECURITY_CONTROL
, Security Hub generates a single finding for a control check even when the check
+ * applies to multiple enabled standards.
If the value for this field is set to STANDARD_CONTROL
, Security Hub generates separate findings
+ * for a control check when the check applies to multiple enabled standards.
The value for this field in a member account matches the value in the administrator
+ * account. For accounts that aren't part of an organization, the default value of this field
+ * is SECURITY_CONTROL
if you enabled Security Hub on or after February 9,
+ * 2023.
+ * The Amazon Resource Name (ARN) of the standard that you want to view controls for. + *
+ */ + StandardsArn?: string; + + /** + *+ * Optional pagination parameter. + *
+ */ + NextToken?: string; + + /** + * An optional parameter that limits the total results of the API response to the
+ * specified number. If this parameter isn't provided in the request, the results include the
+ * first 25 security controls that apply to the specified standard. The results also include a
+ * NextToken
parameter that you can use in a subsequent API call to get the
+ * next 25 controls. This repeats until all controls for the standard are returned.
+ * Provides metadata for a security control, including its unique standard-agnostic identifier, title, description, + * severity, availability in Amazon Web Services Regions, and a link to remediation steps. + *
+ */ +export interface SecurityControlDefinition { + /** + *
+ * The unique identifier of a security control across standards. Values for this field typically consist of an
+ * Amazon Web Service name and a number (for example, APIGateway.3). This parameter differs from
+ * SecurityControlArn
, which is a unique Amazon Resource Name (ARN) assigned to a control. The
+ * ARN references the security control ID (for example, arn:aws:securityhub:eu-central-1:123456789012:security-control/APIGateway.3).
+ *
+ * The title of a security control. + *
+ */ + Title: string | undefined; + + /** + *The description of a security control across standards. This typically summarizes how + * Security Hub evaluates the control and the conditions under which it produces a + * failed finding. This parameter doesn't reference a specific standard.
+ */ + Description: string | undefined; + + /** + *+ * A link to Security Hub documentation that explains how to remediate a failed finding for a security control. + *
+ */ + RemediationUrl: string | undefined; + + /** + *+ * The severity of a security control. For more information about how Security Hub determines control severity, + * see Assigning severity to control findings in the + * Security Hub User Guide. + *
+ */ + SeverityRating: SeverityRating | string | undefined; + + /** + *+ * Specifies whether a security control is available in the current Amazon Web Services Region. + *
+ */ + CurrentRegionAvailability: RegionAvailabilityStatus | string | undefined; +} + +export interface ListSecurityControlDefinitionsResponse { + /** + *+ * An array of controls that apply to the specified standard. + *
+ */ + SecurityControlDefinitions: SecurityControlDefinition[] | undefined; + + /** + *A pagination parameter that's included in the response only if it was included in the + * request.
+ */ + NextToken?: string; +} + +export interface ListStandardsControlAssociationsRequest { + /** + *
+ * The identifier of the control (identified with SecurityControlId
, SecurityControlArn
, or a mix of both parameters) that you
+ * want to determine the enablement status of in each enabled standard.
+ *
+ * Optional pagination parameter. + *
+ */ + NextToken?: string; + + /** + * An optional parameter that limits the total results of the API response to the
+ * specified number. If this parameter isn't provided in the request, the results include the
+ * first 25 standard and control associations. The results also include a
+ * NextToken
parameter that you can use in a subsequent API call to get the
+ * next 25 associations. This repeats until all associations for the specified control are
+ * returned. The number of results is limited by the number of supported Security Hub
+ * standards that you've enabled in the calling account.
An array that provides the enablement status and other details for each control that + * applies to each enabled standard.
+ */ +export interface StandardsControlAssociationSummary { + /** + *+ * The Amazon Resource Name (ARN) of a standard. + *
+ */ + StandardsArn: string | undefined; + + /** + *+ * A unique standard-agnostic identifier for a control. Values for this field typically consist of an + * Amazon Web Service and a number, such as APIGateway.5. This field doesn't reference a specific standard. + *
+ */ + SecurityControlId: string | undefined; + + /** + * The ARN of a control, such as
+ * arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1
. This
+ * parameter doesn't mention a specific standard.
+ * The enablement status of a control in a specific standard. + *
+ */ + AssociationStatus: AssociationStatus | string | undefined; + + /** + *+ * The requirement that underlies this control in the compliance framework related to the standard. + *
+ */ + RelatedRequirements?: string[]; + + /** + *The last time that a control's enablement status in a specified standard was updated.
+ */ + UpdatedAt?: Date; + + /** + *The reason for updating the control's enablement status in a specified standard.
+ */ + UpdatedReason?: string; + + /** + *+ * The title of a control. + *
+ */ + StandardsControlTitle?: string; + + /** + *+ * The description of a control. This typically summarizes how Security Hub evaluates the control and the + * conditions under which it produces a failed finding. The parameter may reference a specific standard. + *
+ */ + StandardsControlDescription?: string; +} + +export interface ListStandardsControlAssociationsResponse { + /** + *An array that provides the enablement status and other details for each security + * control that applies to each enabled standard.
+ */ + StandardsControlAssociationSummaries: StandardsControlAssociationSummary[] | undefined; + + /** + *A pagination parameter that's included in the response only if it was included in the + * request.
+ */ + NextToken?: string; +} + export interface ListTagsForResourceRequest { /** *The ARN of the resource to retrieve tags for.
@@ -1052,6 +1519,17 @@ export interface UpdateSecurityHubConfigurationRequest { * */ AutoEnableControls?: boolean; + + /** + *Updates whether the calling account has consolidated control findings turned on.
+ * If the value for this field is set to
+ * SECURITY_CONTROL
, Security Hub generates a single finding for a control check even when the check
+ * applies to multiple enabled standards.
If the value for this field is set to STANDARD_CONTROL
, Security Hub generates separate findings
+ * for a control check when the check applies to multiple enabled standards.
For accounts that are part of an organization, this value can only be updated in the administrator account.
+ */ + ControlFindingGenerator?: ControlFindingGenerator | string; } export interface UpdateSecurityHubConfigurationResponse {} 
@@ -1076,6 +1554,122 @@ export interface UpdateStandardsControlRequest { export interface UpdateStandardsControlResponse {} +/** + * @internal + */ +export const DeleteFindingAggregatorRequestFilterSensitiveLog = (obj: DeleteFindingAggregatorRequest): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const DeleteFindingAggregatorResponseFilterSensitiveLog = (obj: DeleteFindingAggregatorResponse): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const DeleteInsightRequestFilterSensitiveLog = (obj: DeleteInsightRequest): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const DeleteInsightResponseFilterSensitiveLog = (obj: DeleteInsightResponse): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const DeleteInvitationsRequestFilterSensitiveLog = (obj: DeleteInvitationsRequest): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const DeleteInvitationsResponseFilterSensitiveLog = (obj: DeleteInvitationsResponse): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const DeleteMembersRequestFilterSensitiveLog = (obj: DeleteMembersRequest): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const DeleteMembersResponseFilterSensitiveLog = (obj: DeleteMembersResponse): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const DescribeActionTargetsRequestFilterSensitiveLog = (obj: DescribeActionTargetsRequest): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const DescribeActionTargetsResponseFilterSensitiveLog = (obj: DescribeActionTargetsResponse): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const DescribeHubRequestFilterSensitiveLog = (obj: DescribeHubRequest): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const DescribeHubResponseFilterSensitiveLog = (obj: DescribeHubResponse): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const DescribeOrganizationConfigurationRequestFilterSensitiveLog = ( + obj: DescribeOrganizationConfigurationRequest +): any => ({ 
+ ...obj, +}); + +/** + * @internal + */ +export const DescribeOrganizationConfigurationResponseFilterSensitiveLog = ( + obj: DescribeOrganizationConfigurationResponse +): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const DescribeProductsRequestFilterSensitiveLog = (obj: DescribeProductsRequest): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const ProductFilterSensitiveLog = (obj: Product): any => ({ + ...obj, +}); + /** * @internal */ @@ -1549,6 +2143,56 @@ export const ListOrganizationAdminAccountsResponseFilterSensitiveLog = ( ...obj, }); +/** + * @internal + */ +export const ListSecurityControlDefinitionsRequestFilterSensitiveLog = ( + obj: ListSecurityControlDefinitionsRequest +): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const SecurityControlDefinitionFilterSensitiveLog = (obj: SecurityControlDefinition): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const ListSecurityControlDefinitionsResponseFilterSensitiveLog = ( + obj: ListSecurityControlDefinitionsResponse +): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const ListStandardsControlAssociationsRequestFilterSensitiveLog = ( + obj: ListStandardsControlAssociationsRequest +): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const StandardsControlAssociationSummaryFilterSensitiveLog = (obj: StandardsControlAssociationSummary): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const ListStandardsControlAssociationsResponseFilterSensitiveLog = ( + obj: ListStandardsControlAssociationsResponse +): any => ({ + ...obj, +}); + /** * @internal */ diff --git a/clients/client-securityhub/src/pagination/ListSecurityControlDefinitionsPaginator.ts b/clients/client-securityhub/src/pagination/ListSecurityControlDefinitionsPaginator.ts new file mode 100644 index 000000000000..2366cedfc24f --- /dev/null +++ b/clients/client-securityhub/src/pagination/ListSecurityControlDefinitionsPaginator.ts 
@@ -0,0 +1,61 @@ +// smithy-typescript generated code +import { Paginator } from "@aws-sdk/types"; + +import { + ListSecurityControlDefinitionsCommand, + ListSecurityControlDefinitionsCommandInput, + ListSecurityControlDefinitionsCommandOutput, +} from "../commands/ListSecurityControlDefinitionsCommand"; +import { SecurityHub } from "../SecurityHub"; +import { SecurityHubClient } from "../SecurityHubClient"; +import { SecurityHubPaginationConfiguration } from "./Interfaces"; + +/** + * @private + */ +const makePagedClientRequest = async ( + client: SecurityHubClient, + input: ListSecurityControlDefinitionsCommandInput, + ...args: any +): PromiseAn ARN that uniquely identifies the Amazon SNS topic for a backup vault’s events.\n
" + "smithy.api#documentation": "The Amazon Resource Name (ARN) that uniquely identifies the Amazon SNS topic for\n a backup vault's events.
" } } }, @@ -5098,7 +5115,7 @@ "target": "com.amazonaws.securityhub#Integer", "traits": { "smithy.api#default": 0, - "smithy.api#documentation": "\n The price protection threshold for On-Demand Instances. This is the maximum you’ll pay for an On-Demand Instance, expressed as a percentage above the least expensive current generation M, C, or R instance type with your specified attributes. When Amazon EC2 selects instance types with your attributes, it excludes instance types priced above your threshold.
\nThe parameter accepts an integer, which Amazon EC2 interprets as a percentage.
\nA high value, such as 999999
, turns off price protection.
The price protection threshold for On-Demand Instances. This is the maximum you'll pay\n for an On-Demand Instance, expressed as a percentage above the least expensive current\n generation M, C, or R instance type with your specified attributes. When Amazon EC2 selects\n instance types with your attributes, it excludes instance types priced above your\n threshold.
\nThe parameter accepts an integer, which Amazon EC2 interprets as a percentage.
\nA high value, such as 999999
, turns off price protection.
\n The price protection threshold for Spot Instances. This is the maximum you’ll pay for a Spot Instance, expressed as a \n percentage above the least expensive current generation M, C, or R instance type with your specified attributes. When \n Amazon EC2 selects instance types with your attributes, it excludes instance types priced above your threshold.\n
\nThe parameter accepts an integer, which Amazon EC2 interprets as a percentage.
\nA high value, such as 999999
, turns off price protection.
The price protection threshold for Spot Instances. This is the maximum you'll pay for a\n Spot Instance, expressed as a percentage above the least expensive current generation M, C,\n or R instance type with your specified attributes. When Amazon EC2 selects instance\n types with your attributes, it excludes instance types priced above your threshold.
\nThe parameter accepts an integer, which Amazon EC2 interprets as a percentage.
\nA high value, such as 999999
, turns off price protection.
\n Enables or disables the HTTP metadata endpoint on your instances. If the parameter is not specified, the default state is enabled, and you won’t be able to access your instance metadata.\n
" + "smithy.api#documentation": "Enables or disables the HTTP metadata endpoint on your instances. If the parameter is\n not specified, the default state is enabled, and you won't be able to access your instance\n metadata.
" } }, "HttpProtocolIpv6": { @@ -13979,7 +13996,7 @@ "target": "com.amazonaws.securityhub#Integer", "traits": { "smithy.api#default": 0, - "smithy.api#documentation": "The number of days that manual snapshots are retained in the destination region after\n they are copied from a source region.
\nIf the value is -1
,\n then the manual snapshot is retained indefinitely.
Valid values: Either -1
\n or an integer between 1 and 3,653
The number of days that manual snapshots are retained in the destination Region after\n they are copied from a source Region.
\nIf the value is -1
,\n then the manual snapshot is retained indefinitely.
Valid values: Either -1
\n or an integer between 1 and 3,653
Information about a cross-Region snapshot copy.
" + "smithy.api#documentation": "You can configure Amazon Redshift to copy snapshots for a cluster to another Amazon Web Services Region. This parameter \n provides information about a cross-Region snapshot copy.
" } }, "com.amazonaws.securityhub#AwsRedshiftClusterDeferredMaintenanceWindow": { @@ -18042,6 +18059,140 @@ "smithy.api#output": {} } }, + "com.amazonaws.securityhub#BatchGetSecurityControls": { + "type": "operation", + "input": { + "target": "com.amazonaws.securityhub#BatchGetSecurityControlsRequest" + }, + "output": { + "target": "com.amazonaws.securityhub#BatchGetSecurityControlsResponse" + }, + "errors": [ + { + "target": "com.amazonaws.securityhub#InternalException" + }, + { + "target": "com.amazonaws.securityhub#InvalidAccessException" + }, + { + "target": "com.amazonaws.securityhub#InvalidInputException" + }, + { + "target": "com.amazonaws.securityhub#LimitExceededException" + } + ], + "traits": { + "smithy.api#documentation": "\n Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region.\n
", + "smithy.api#http": { + "method": "POST", + "uri": "/securityControls/batchGet", + "code": 200 + } + } + }, + "com.amazonaws.securityhub#BatchGetSecurityControlsRequest": { + "type": "structure", + "members": { + "SecurityControlIds": { + "target": "com.amazonaws.securityhub#StringList", + "traits": { + "smithy.api#documentation": " A list of security controls (identified with SecurityControlId
,\n SecurityControlArn
, or a mix of both parameters). The security control ID\n or Amazon Resource Name (ARN) is the same across standards.
\n An array that returns the identifier, Amazon Resource Name (ARN), and other details about a security control. \n The same information is returned whether the request includes SecurityControlId
or SecurityControlArn
.\n
\n A security control (identified with SecurityControlId
, SecurityControlArn
, or a mix of both parameters) for which \n details cannot be returned.\n
\n For a batch of security controls and standards, identifies whether each control is currently enabled or disabled in a standard.\n
", + "smithy.api#http": { + "method": "POST", + "uri": "/associations/batchGet", + "code": 200 + } + } + }, + "com.amazonaws.securityhub#BatchGetStandardsControlAssociationsRequest": { + "type": "structure", + "members": { + "StandardsControlAssociationIds": { + "target": "com.amazonaws.securityhub#StandardsControlAssociationIds", + "traits": { + "smithy.api#documentation": "\n An array with one or more objects that includes a security control (identified with SecurityControlId
, SecurityControlArn
, or a mix of both parameters) and the Amazon Resource Name (ARN) of a standard. \n This field is used to query the enablement status of a control in a specified standard. The security control ID or ARN is the same across standards.\n
Provides the enablement status of a security control in a specified standard and other details for the control in relation to \n the specified standard.\n
", + "smithy.api#required": {} + } + }, + "UnprocessedAssociations": { + "target": "com.amazonaws.securityhub#UnprocessedStandardsControlAssociations", + "traits": { + "smithy.api#documentation": "\n A security control (identified with SecurityControlId
, SecurityControlArn
, or a mix of both parameters) whose enablement \n status in a specified standard cannot be returned.\n
\n For a batch of security controls and standards, this operation updates the enablement status of a control in a standard.\n
", + "smithy.api#http": { + "method": "PATCH", + "uri": "/associations", + "code": 200 + } + } + }, + "com.amazonaws.securityhub#BatchUpdateStandardsControlAssociationsRequest": { + "type": "structure", + "members": { + "StandardsControlAssociationUpdates": { + "target": "com.amazonaws.securityhub#StandardsControlAssociationUpdates", + "traits": { + "smithy.api#documentation": "\n Updates the enablement status of a security control in a specified standard.\n
", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#input": {} + } + }, + "com.amazonaws.securityhub#BatchUpdateStandardsControlAssociationsResponse": { + "type": "structure", + "members": { + "UnprocessedAssociationUpdates": { + "target": "com.amazonaws.securityhub#UnprocessedStandardsControlAssociationUpdates", + "traits": { + "smithy.api#documentation": "\n A security control (identified with SecurityControlId
, SecurityControlArn
, or a mix of both parameters) whose enablement status in a specified standard couldn't be updated.\n
Container details related to a finding.
" } }, + "com.amazonaws.securityhub#ControlFindingGenerator": { + "type": "enum", + "members": { + "STANDARD_CONTROL": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "STANDARD_CONTROL" + } + }, + "SECURITY_CONTROL": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "SECURITY_CONTROL" + } + } + } + }, "com.amazonaws.securityhub#ControlStatus": { "type": "enum", "members": { @@ -18695,7 +18923,7 @@ "ActionTargetArn": { "target": "com.amazonaws.securityhub#NonEmptyString", "traits": { - "smithy.api#documentation": "The ARN for the custom action target.
", + "smithy.api#documentation": "The Amazon Resource Name (ARN) for the custom action target.
", "smithy.api#required": {} } } @@ -19228,7 +19456,7 @@ "ActionTargetArn": { "target": "com.amazonaws.securityhub#NonEmptyString", "traits": { - "smithy.api#documentation": "The ARN of the custom action target to delete.
", + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the custom action target to delete.
", "smithy.api#httpLabel": {}, "smithy.api#required": {} } @@ -19659,6 +19887,12 @@ "smithy.api#default": false, "smithy.api#documentation": "Whether to automatically enable new controls when they are added to standards that are\n enabled.
\nIf set to true
, then new controls for enabled standards are enabled\n automatically. If set to false
, then new controls are not enabled.
Specifies whether the calling account has consolidated control findings turned on. If the value for this field is set to \n SECURITY_CONTROL
, Security Hub generates a single finding for a control check even when the check \n applies to multiple enabled standards.
If the value for this field is set to STANDARD_CONTROL
, Security Hub generates separate findings \n for a control check when the check applies to multiple enabled standards.
The value for this field in a member account matches the value in the administrator\n account. For accounts that aren't part of an organization, the default value of this field\n is SECURITY_CONTROL
if you enabled Security Hub on or after February 9,\n 2023.
Whether to enable the security standards that Security Hub has designated as automatically\n enabled. If you do not provide a value for EnableDefaultStandards
, it is set\n to true
. To not enable the automatically enabled standards, set\n EnableDefaultStandards
to false
.
This field, used when enabling Security Hub, specifies whether the calling account has consolidated control findings turned on. \n If the value for this field is set to \n SECURITY_CONTROL
, Security Hub generates a single finding for a control check even when the check \n applies to multiple enabled standards.
If the value for this field is set to STANDARD_CONTROL
, Security Hub generates separate findings \n for a control check when the check applies to multiple enabled standards.
The value for this field in a member account matches the value in the administrator\n account. For accounts that aren't part of an organization, the default value of this field\n is SECURITY_CONTROL
if you enabled Security Hub on or after February 9,\n 2023.
Returns a list of tags associated with a resource.
", + "smithy.api#documentation": "\n Lists all of the security controls that apply to a specified standard. \n
", "smithy.api#http": { "method": "GET", - "uri": "/tags/{ResourceArn}", + "uri": "/securityControls/definitions", "code": 200 + }, + "smithy.api#paginated": { + "inputToken": "NextToken", + "outputToken": "NextToken", + "items": "SecurityControlDefinitions", + "pageSize": "MaxResults" } } }, - "com.amazonaws.securityhub#ListTagsForResourceRequest": { + "com.amazonaws.securityhub#ListSecurityControlDefinitionsRequest": { "type": "structure", "members": { - "ResourceArn": { - "target": "com.amazonaws.securityhub#ResourceArn", + "StandardsArn": { + "target": "com.amazonaws.securityhub#NonEmptyString", "traits": { - "smithy.api#documentation": "The ARN of the resource to retrieve tags for.
", - "smithy.api#httpLabel": {}, - "smithy.api#required": {} + "smithy.api#documentation": "\n The Amazon Resource Name (ARN) of the standard that you want to view controls for.\n
", + "smithy.api#httpQuery": "StandardsArn" } - } - }, - "traits": { - "smithy.api#input": {} - } - }, - "com.amazonaws.securityhub#ListTagsForResourceResponse": { - "type": "structure", - "members": { - "Tags": { - "target": "com.amazonaws.securityhub#TagMap", + }, + "NextToken": { + "target": "com.amazonaws.securityhub#NextToken", "traits": { - "smithy.api#documentation": "The tags associated with a resource.
" + "smithy.api#documentation": "\n Optional pagination parameter.\n
", + "smithy.api#httpQuery": "NextToken" + } + }, + "MaxResults": { + "target": "com.amazonaws.securityhub#MaxResults", + "traits": { + "smithy.api#default": 0, + "smithy.api#documentation": " An optional parameter that limits the total results of the API response to the\n specified number. If this parameter isn't provided in the request, the results include the\n first 25 security controls that apply to the specified standard. The results also include a\n NextToken
parameter that you can use in a subsequent API call to get the\n next 25 controls. This repeats until all controls for the standard are returned.
The state code. The initial state of the load balancer is provisioning.
\nAfter the load balancer is fully set up and ready to route traffic, its state is\n active.
\nIf the load balancer could not be set up, its state is failed.
" + "smithy.api#documentation": "\n An array of controls that apply to the specified standard.\n
", + "smithy.api#required": {} } }, - "Reason": { - "target": "com.amazonaws.securityhub#NonEmptyString", + "NextToken": { + "target": "com.amazonaws.securityhub#NextToken", "traits": { - "smithy.api#documentation": "A description of the state.
" + "smithy.api#documentation": "A pagination parameter that's included in the response only if it was included in the\n request.
" } } }, "traits": { - "smithy.api#documentation": "Information about the state of the load balancer.
" - } - }, - "com.amazonaws.securityhub#Long": { - "type": "long", - "traits": { - "smithy.api#default": 0 + "smithy.api#output": {} } }, - "com.amazonaws.securityhub#Malware": { - "type": "structure", - "members": { - "Name": { - "target": "com.amazonaws.securityhub#NonEmptyString", - "traits": { + "com.amazonaws.securityhub#ListStandardsControlAssociations": { + "type": "operation", + "input": { + "target": "com.amazonaws.securityhub#ListStandardsControlAssociationsRequest" + }, + "output": { + "target": "com.amazonaws.securityhub#ListStandardsControlAssociationsResponse" + }, + "errors": [ + { + "target": "com.amazonaws.securityhub#InternalException" + }, + { + "target": "com.amazonaws.securityhub#InvalidAccessException" + }, + { + "target": "com.amazonaws.securityhub#InvalidInputException" + }, + { + "target": "com.amazonaws.securityhub#LimitExceededException" + } + ], + "traits": { + "smithy.api#documentation": "\n Specifies whether a control is currently enabled or disabled in each enabled standard in the calling account.\n
", + "smithy.api#http": { + "method": "GET", + "uri": "/associations", + "code": 200 + }, + "smithy.api#paginated": { + "inputToken": "NextToken", + "outputToken": "NextToken", + "items": "StandardsControlAssociationSummaries", + "pageSize": "MaxResults" + } + } + }, + "com.amazonaws.securityhub#ListStandardsControlAssociationsRequest": { + "type": "structure", + "members": { + "SecurityControlId": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n The identifier of the control (identified with SecurityControlId
, SecurityControlArn
, or a mix of both parameters) that you \n want to determine the enablement status of in each enabled standard. \n
\n Optional pagination parameter.\n
", + "smithy.api#httpQuery": "NextToken" + } + }, + "MaxResults": { + "target": "com.amazonaws.securityhub#MaxResults", + "traits": { + "smithy.api#default": 0, + "smithy.api#documentation": " An optional parameter that limits the total results of the API response to the\n specified number. If this parameter isn't provided in the request, the results include the\n first 25 standard and control associations. The results also include a\n NextToken
parameter that you can use in a subsequent API call to get the\n next 25 associations. This repeats until all associations for the specified control are\n returned. The number of results is limited by the number of supported Security Hub\n standards that you've enabled in the calling account.
An array that provides the enablement status and other details for each security\n control that applies to each enabled standard.
", + "smithy.api#required": {} + } + }, + "NextToken": { + "target": "com.amazonaws.securityhub#NextToken", + "traits": { + "smithy.api#documentation": "A pagination parameter that's included in the response only if it was included in the\n request.
" + } + } + }, + "traits": { + "smithy.api#output": {} + } + }, + "com.amazonaws.securityhub#ListTagsForResource": { + "type": "operation", + "input": { + "target": "com.amazonaws.securityhub#ListTagsForResourceRequest" + }, + "output": { + "target": "com.amazonaws.securityhub#ListTagsForResourceResponse" + }, + "errors": [ + { + "target": "com.amazonaws.securityhub#InternalException" + }, + { + "target": "com.amazonaws.securityhub#InvalidInputException" + }, + { + "target": "com.amazonaws.securityhub#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "Returns a list of tags associated with a resource.
", + "smithy.api#http": { + "method": "GET", + "uri": "/tags/{ResourceArn}", + "code": 200 + } + } + }, + "com.amazonaws.securityhub#ListTagsForResourceRequest": { + "type": "structure", + "members": { + "ResourceArn": { + "target": "com.amazonaws.securityhub#ResourceArn", + "traits": { + "smithy.api#documentation": "The ARN of the resource to retrieve tags for.
", + "smithy.api#httpLabel": {}, + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#input": {} + } + }, + "com.amazonaws.securityhub#ListTagsForResourceResponse": { + "type": "structure", + "members": { + "Tags": { + "target": "com.amazonaws.securityhub#TagMap", + "traits": { + "smithy.api#documentation": "The tags associated with a resource.
" + } + } + }, + "traits": { + "smithy.api#output": {} + } + }, + "com.amazonaws.securityhub#LoadBalancerState": { + "type": "structure", + "members": { + "Code": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "The state code. The initial state of the load balancer is provisioning.
\nAfter the load balancer is fully set up and ready to route traffic, its state is\n active.
\nIf the load balancer could not be set up, its state is failed.
" + } + }, + "Reason": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "A description of the state.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Information about the state of the load balancer.
" + } + }, + "com.amazonaws.securityhub#Long": { + "type": "long", + "traits": { + "smithy.api#default": 0 + } + }, + "com.amazonaws.securityhub#Malware": { + "type": "structure", + "members": { + "Name": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { "smithy.api#documentation": "The name of the malware that was observed.
", "smithy.api#required": {} } @@ -23482,6 +23899,23 @@ "target": "com.amazonaws.securityhub#Record" } }, + "com.amazonaws.securityhub#RegionAvailabilityStatus": { + "type": "enum", + "members": { + "AVAILABLE": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "AVAILABLE" + } + }, + "UNAVAILABLE": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "UNAVAILABLE" + } + } + } + }, "com.amazonaws.securityhub#RelatedFinding": { "type": "structure", "members": { @@ -24651,42 +25085,170 @@ "smithy.api#documentation": "A list of port ranges.
" } }, - "com.amazonaws.securityhub#SecurityGroups": { - "type": "list", - "member": { - "target": "com.amazonaws.securityhub#NonEmptyString" - } - }, - "com.amazonaws.securityhub#SecurityHubAPIService": { - "type": "service", - "version": "2018-10-26", - "operations": [ - { - "target": "com.amazonaws.securityhub#AcceptAdministratorInvitation" - }, - { - "target": "com.amazonaws.securityhub#AcceptInvitation" + "com.amazonaws.securityhub#SecurityControl": { + "type": "structure", + "members": { + "SecurityControlId": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Service name and a \n number, such as APIGateway.3.\n
", + "smithy.api#required": {} + } }, - { - "target": "com.amazonaws.securityhub#BatchDisableStandards" + "SecurityControlArn": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": " The Amazon Resource Name (ARN) for a security control across standards, such as\n arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1
. This\n parameter doesn't mention a specific standard.
The title of a security control.\n
", + "smithy.api#required": {} + } }, - { - "target": "com.amazonaws.securityhub#BatchImportFindings" + "Description": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "The description of a security control across standards. This typically summarizes how\n Security Hub evaluates the control and the conditions under which it produces a\n failed finding. This parameter doesn't reference a specific standard.
", + "smithy.api#required": {} + } }, - { - "target": "com.amazonaws.securityhub#BatchUpdateFindings" + "RemediationUrl": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n A link to Security Hub documentation that explains how to remediate a failed finding for a security control.\n
", + "smithy.api#required": {} + } }, - { - "target": "com.amazonaws.securityhub#CreateActionTarget" + "SeverityRating": { + "target": "com.amazonaws.securityhub#SeverityRating", + "traits": { + "smithy.api#documentation": "\n The severity of a security control. For more information about how Security Hub determines control severity, see \n Assigning severity to control findings in the \n Security Hub User Guide.\n
", + "smithy.api#required": {} + } }, - { - "target": "com.amazonaws.securityhub#CreateFindingAggregator" + "SecurityControlStatus": { + "target": "com.amazonaws.securityhub#ControlStatus", + "traits": { + "smithy.api#documentation": "\n The status of a security control based on the compliance status of its findings. For more information about how control \n status is determined, see Determining the overall status of a control from its findings in the \n Security Hub User Guide.\n
", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "\n A security control in Security Hub describes a security best practice related to a specific resource. \n
" + } + }, + "com.amazonaws.securityhub#SecurityControlDefinition": { + "type": "structure", + "members": { + "SecurityControlId": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n The unique identifier of a security control across standards. Values for this field typically consist of an \n Amazon Web Service name and a number (for example, APIGateway.3). This parameter differs from \n SecurityControlArn
, which is a unique Amazon Resource Name (ARN) assigned to a control. The \n ARN references the security control ID (for example, arn:aws:securityhub:eu-central-1:123456789012:security-control/APIGateway.3).\n
\n The title of a security control.\n
", + "smithy.api#required": {} + } + }, + "Description": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "The description of a security control across standards. This typically summarizes how\n Security Hub evaluates the control and the conditions under which it produces a\n failed finding. This parameter doesn't reference a specific standard.
", + "smithy.api#required": {} + } + }, + "RemediationUrl": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n A link to Security Hub documentation that explains how to remediate a failed finding for a security control.\n
", + "smithy.api#required": {} + } + }, + "SeverityRating": { + "target": "com.amazonaws.securityhub#SeverityRating", + "traits": { + "smithy.api#documentation": "\n The severity of a security control. For more information about how Security Hub determines control severity, \n see Assigning severity to control findings in the \n Security Hub User Guide.\n
", + "smithy.api#required": {} + } + }, + "CurrentRegionAvailability": { + "target": "com.amazonaws.securityhub#RegionAvailabilityStatus", + "traits": { + "smithy.api#documentation": "\n Specifies whether a security control is available in the current Amazon Web Services Region.\n
", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "\n Provides metadata for a security control, including its unique standard-agnostic identifier, title, description, \n severity, availability in Amazon Web Services Regions, and a link to remediation steps.\n
" + } + }, + "com.amazonaws.securityhub#SecurityControlDefinitions": { + "type": "list", + "member": { + "target": "com.amazonaws.securityhub#SecurityControlDefinition" + } + }, + "com.amazonaws.securityhub#SecurityControls": { + "type": "list", + "member": { + "target": "com.amazonaws.securityhub#SecurityControl" + } + }, + "com.amazonaws.securityhub#SecurityGroups": { + "type": "list", + "member": { + "target": "com.amazonaws.securityhub#NonEmptyString" + } + }, + "com.amazonaws.securityhub#SecurityHubAPIService": { + "type": "service", + "version": "2018-10-26", + "operations": [ + { + "target": "com.amazonaws.securityhub#AcceptAdministratorInvitation" + }, + { + "target": "com.amazonaws.securityhub#AcceptInvitation" + }, + { + "target": "com.amazonaws.securityhub#BatchDisableStandards" + }, + { + "target": "com.amazonaws.securityhub#BatchEnableStandards" + }, + { + "target": "com.amazonaws.securityhub#BatchGetSecurityControls" + }, + { + "target": "com.amazonaws.securityhub#BatchGetStandardsControlAssociations" + }, + { + "target": "com.amazonaws.securityhub#BatchImportFindings" + }, + { + "target": "com.amazonaws.securityhub#BatchUpdateFindings" + }, + { + "target": "com.amazonaws.securityhub#BatchUpdateStandardsControlAssociations" + }, + { + "target": "com.amazonaws.securityhub#CreateActionTarget" + }, + { + "target": "com.amazonaws.securityhub#CreateFindingAggregator" + }, + { + "target": "com.amazonaws.securityhub#CreateInsight" }, { "target": "com.amazonaws.securityhub#CreateMembers" @@ -24799,6 +25361,12 @@ { "target": "com.amazonaws.securityhub#ListOrganizationAdminAccounts" }, + { + "target": "com.amazonaws.securityhub#ListSecurityControlDefinitions" + }, + { + "target": "com.amazonaws.securityhub#ListStandardsControlAssociations" + }, { "target": "com.amazonaws.securityhub#ListTagsForResource" }, 
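Review bot: `RemediationUrl` in the new `SecurityControl` and `SecurityControlDefinition` structures targets `com.amazonaws.securityhub#NonEmptyString`, as does `SecurityControlArn` in `SecurityControl`, so the model puts no format constraint on either value. `ListTagsForResourceRequest` earlier on this page uses a dedicated `ResourceArn` shape for its ARN; whether that shape carries a pattern is not visible here, but reusing an ARN-specific shape would at least keep the typing consistent. For the URL, I would suggest a dedicated string shape with a `smithy.api#pattern` trait, or a sentence in the documentation trait that states the expected scheme and host. Until then, clients that render the link in a dashboard or ticket should check it against an allow-list of documentation hosts rather than trusting the field as-is.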
@@ -24842,7 +25410,7 @@ "name": "securityhub" }, "aws.protocols#restJson1": {}, - "smithy.api#documentation": "Security Hub provides you with a comprehensive view of the security state of your Amazon Web Services environment and resources. It also provides you with the readiness status\n of your environment based on controls from supported security standards. Security Hub collects\n security data from Amazon Web Services accounts, services, and integrated third-party products and helps\n you analyze security trends in your environment to identify the highest priority security\n issues. For more information about Security Hub, see the \n Security HubUser\n Guide\n .
\nWhen you use operations in the Security Hub API, the requests are executed only in the Amazon Web Services\n Region that is currently active or in the specific Amazon Web Services Region that you specify in your\n request. Any configuration or settings change that results from the operation is applied\n only to that Region. To make the same change in other Regions, execute the same command for\n each Region to apply the change to.
\nFor example, if your Region is set to us-west-2
, when you use CreateMembers
to add a member account to Security Hub, the association of\n the member account with the administrator account is created only in the us-west-2
\n Region. Security Hub must be enabled for the member account in the same Region that the invitation\n was sent from.
The following throttling limits apply to using Security Hub API operations.
\n\n BatchEnableStandards
- RateLimit
of 1\n request per second, BurstLimit
of 1 request per second.
\n GetFindings
- RateLimit
of 3 requests per second.\n BurstLimit
of 6 requests per second.
\n BatchImportFindings
- RateLimit
of 10 requests per second.\n BurstLimit
of 30 requests per second.
\n BatchUpdateFindings
- RateLimit
of 10 requests per second.\n BurstLimit
of 30 requests per second.
\n UpdateStandardsControl
- RateLimit
of\n 1 request per second, BurstLimit
of 5 requests per second.
All other operations - RateLimit
of 10 requests per second.\n BurstLimit
of 30 requests per second.
Security Hub provides you with a comprehensive view of the security state of\n your Amazon Web Services environment and resources. It also provides you with the readiness\n status of your environment based on controls from supported security standards. Security Hub collects security data from Amazon Web Services accounts, services, and\n integrated third-party products and helps you analyze security trends in your environment\n to identify the highest priority security issues. For more information about Security Hub, see the Security HubUser\n Guide.
\nWhen you use operations in the Security Hub API, the requests are executed only in\n the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change\n that results from the operation is applied only to that Region. To make the same change in\n other Regions, run the same command for each Region in which you want to apply the change.
\nFor example, if your Region is set to us-west-2
, when you use CreateMembers
to add a member account to Security Hub, the association of\n the member account with the administrator account is created only in the us-west-2
\n Region. Security Hub must be enabled for the member account in the same Region that the invitation\n was sent from.
The following throttling limits apply to using Security Hub API operations.
\n\n BatchEnableStandards
- RateLimit
of 1 request per\n second. BurstLimit
of 1 request per second.
\n GetFindings
- RateLimit
of 3 requests per second.\n BurstLimit
of 6 requests per second.
\n BatchImportFindings
- RateLimit
of 10 requests per second.\n BurstLimit
of 30 requests per second.
\n BatchUpdateFindings
- RateLimit
of 10 requests per second.\n BurstLimit
of 30 requests per second.
\n UpdateStandardsControl
- RateLimit
of 1 request per\n second. BurstLimit
of 5 requests per second.
All other operations - RateLimit
of 10 requests per second.\n BurstLimit
of 30 requests per second.
The severity of the finding.
\nThe finding provider can provide the initial severity. The finding provider can only\n update the severity if it has not been updated using\n BatchUpdateFindings
.
The finding must have either Label
or Normalized
populated. If\n only one of these attributes is populated, then Security Hub automatically populates the other\n one. If neither attribute is populated, then the finding is invalid. Label
is\n the preferred attribute.
The severity of the finding.
\nThe finding provider can provide the initial severity. The finding provider can only\n update the severity if it hasn't been updated using\n BatchUpdateFindings
.
The finding must have either Label
or Normalized
populated. If\n only one of these attributes is populated, then Security Hub automatically populates the other\n one. If neither attribute is populated, then the finding is invalid. Label
is\n the preferred attribute.
Details for an individual security standard control.
" } }, + "com.amazonaws.securityhub#StandardsControlArnList": { + "type": "list", + "member": { + "target": "com.amazonaws.securityhub#NonEmptyString" + } + }, + "com.amazonaws.securityhub#StandardsControlAssociationDetail": { + "type": "structure", + "members": { + "StandardsArn": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n The Amazon Resource Name (ARN) of a security standard.\n
", + "smithy.api#required": {} + } + }, + "SecurityControlId": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Service \n name and a number, such as APIGateway.3.\n
", + "smithy.api#required": {} + } + }, + "SecurityControlArn": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": " The ARN of a security control across standards, such as\n arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1
. This\n parameter doesn't mention a specific standard.
\n Specifies whether a control is enabled or disabled in a specified standard.\n
", + "smithy.api#required": {} + } + }, + "RelatedRequirements": { + "target": "com.amazonaws.securityhub#RelatedRequirementsList", + "traits": { + "smithy.api#documentation": "\n The requirement that underlies a control in the compliance framework related to the standard.\n
" + } + }, + "UpdatedAt": { + "target": "com.amazonaws.securityhub#Timestamp", + "traits": { + "smithy.api#documentation": "\n The time at which the enablement status of the control in the specified standard was last updated.\n
" + } + }, + "UpdatedReason": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n The reason for updating the enablement status of a control in a specified standard.\n
" + } + }, + "StandardsControlTitle": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n The title of a control. This field may reference a specific standard.\n
" + } + }, + "StandardsControlDescription": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n The description of a control. This typically summarizes how Security Hub evaluates the control and the \n conditions under which it produces a failed finding. This parameter may reference a specific standard. \n
" + } + }, + "StandardsControlArns": { + "target": "com.amazonaws.securityhub#StandardsControlArnList", + "traits": { + "smithy.api#documentation": "Provides the input parameter that Security Hub uses to call the UpdateStandardsControl API. This API can be used to enable or disable a control\n in a specified standard.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Provides details about a control's enablement status in a specified standard.
" + } + }, + "com.amazonaws.securityhub#StandardsControlAssociationDetails": { + "type": "list", + "member": { + "target": "com.amazonaws.securityhub#StandardsControlAssociationDetail" + } + }, + "com.amazonaws.securityhub#StandardsControlAssociationId": { + "type": "structure", + "members": { + "SecurityControlId": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n The unique identifier (identified with SecurityControlId
, SecurityControlArn
, or a mix of both parameters) of a security \n control across standards.\n
\n The ARN of a standard.\n
", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "\n An array with one or more objects that includes a security control (identified with SecurityControlId
, SecurityControlArn
, or a mix of both parameters) \n and the Amazon Resource Name (ARN) of a standard. The security control ID or ARN is the same across standards.\n
\n The Amazon Resource Name (ARN) of a standard.\n
", + "smithy.api#required": {} + } + }, + "SecurityControlId": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n A unique standard-agnostic identifier for a control. Values for this field typically consist of an \n Amazon Web Service and a number, such as APIGateway.5. This field doesn't reference a specific standard.\n
", + "smithy.api#required": {} + } + }, + "SecurityControlArn": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": " The ARN of a control, such as\n arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1
. This\n parameter doesn't mention a specific standard.
\n The enablement status of a control in a specific standard.\n
", + "smithy.api#required": {} + } + }, + "RelatedRequirements": { + "target": "com.amazonaws.securityhub#RelatedRequirementsList", + "traits": { + "smithy.api#documentation": "\n The requirement that underlies this control in the compliance framework related to the standard.\n
" + } + }, + "UpdatedAt": { + "target": "com.amazonaws.securityhub#Timestamp", + "traits": { + "smithy.api#documentation": "The last time that a control's enablement status in a specified standard was updated.
" + } + }, + "UpdatedReason": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "The reason for updating the control's enablement status in a specified standard.
" + } + }, + "StandardsControlTitle": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n The title of a control. \n
" + } + }, + "StandardsControlDescription": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n The description of a control. This typically summarizes how Security Hub evaluates the control and the \n conditions under which it produces a failed finding. The parameter may reference a specific standard.\n
" + } + } + }, + "traits": { + "smithy.api#documentation": "An array that provides the enablement status and other details for each control that\n applies to each enabled standard.
" + } + }, + "com.amazonaws.securityhub#StandardsControlAssociationUpdate": { + "type": "structure", + "members": { + "StandardsArn": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the standard in which you want to update the\n control's enablement status.
", + "smithy.api#required": {} + } + }, + "SecurityControlId": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "The unique identifier for the security control whose enablement status you want to update.
", + "smithy.api#required": {} + } + }, + "AssociationStatus": { + "target": "com.amazonaws.securityhub#AssociationStatus", + "traits": { + "smithy.api#documentation": "The desired enablement status of the control in the standard.
", + "smithy.api#required": {} + } + }, + "UpdatedReason": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "The reason for updating the control's enablement status in the standard.
" + } + } + }, + "traits": { + "smithy.api#documentation": "An array of requested updates to the enablement status of controls in specified\n standards. The objects in the array include a security control ID, the Amazon Resource Name (ARN) of the standard, the requested\n enablement status, and the reason for updating the enablement status.
" + } + }, + "com.amazonaws.securityhub#StandardsControlAssociationUpdates": { + "type": "list", + "member": { + "target": "com.amazonaws.securityhub#StandardsControlAssociationUpdate" + } + }, "com.amazonaws.securityhub#StandardsControls": { "type": "list", "member": { @@ -26893,6 +27686,137 @@ "target": "com.amazonaws.securityhub#NonEmptyString" } }, + "com.amazonaws.securityhub#UnprocessedErrorCode": { + "type": "enum", + "members": { + "INVALID_INPUT": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "INVALID_INPUT" + } + }, + "ACCESS_DENIED": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "ACCESS_DENIED" + } + }, + "NOT_FOUND": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "NOT_FOUND" + } + }, + "LIMIT_EXCEEDED": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "LIMIT_EXCEEDED" + } + } + } + }, + "com.amazonaws.securityhub#UnprocessedSecurityControl": { + "type": "structure", + "members": { + "SecurityControlId": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": " The control (identified with SecurityControlId
,\n SecurityControlArn
, or a mix of both parameters) for which a response\n couldn't be returned.
\n The error code for the unprocessed security control.\n
", + "smithy.api#required": {} + } + }, + "ErrorReason": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "\n The reason why the security control was unprocessed.\n
" + } + } + }, + "traits": { + "smithy.api#documentation": "Provides details about a security control for which a response couldn't be returned.
" + } + }, + "com.amazonaws.securityhub#UnprocessedSecurityControls": { + "type": "list", + "member": { + "target": "com.amazonaws.securityhub#UnprocessedSecurityControl" + } + }, + "com.amazonaws.securityhub#UnprocessedStandardsControlAssociation": { + "type": "structure", + "members": { + "StandardsControlAssociationId": { + "target": "com.amazonaws.securityhub#StandardsControlAssociationId", + "traits": { + "smithy.api#documentation": " An array with one or more objects that includes a security control (identified with\n SecurityControlId
, SecurityControlArn
, or a mix of both\n parameters) and the Amazon Resource Name (ARN) of a standard. This parameter shows the\n specific controls for which the enablement status couldn't be retrieved in specified standards when\n calling BatchUpdateStandardsControlAssociations.
The error code for the unprocessed standard and control association.\n
", + "smithy.api#required": {} + } + }, + "ErrorReason": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "The reason why the standard and control association was unprocessed.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Provides details about which\n control's enablement status couldn't be retrieved in a specified standard when calling BatchUpdateStandardsControlAssociations. This parameter also provides details\n about why the request was unprocessed.
" + } + }, + "com.amazonaws.securityhub#UnprocessedStandardsControlAssociationUpdate": { + "type": "structure", + "members": { + "StandardsControlAssociationUpdate": { + "target": "com.amazonaws.securityhub#StandardsControlAssociationUpdate", + "traits": { + "smithy.api#documentation": "An array of control and standard associations for which an update failed when calling \n BatchUpdateStandardsControlAssociations.\n
", + "smithy.api#required": {} + } + }, + "ErrorCode": { + "target": "com.amazonaws.securityhub#UnprocessedErrorCode", + "traits": { + "smithy.api#documentation": "The error code for the unprocessed update of the control's enablement status in the\n specified standard.
", + "smithy.api#required": {} + } + }, + "ErrorReason": { + "target": "com.amazonaws.securityhub#NonEmptyString", + "traits": { + "smithy.api#documentation": "The reason why a control's enablement status in the specified standard couldn't be updated.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Provides details about which control's enablement status could not be updated in a\n specified standard when calling the BatchUpdateStandardsControlAssociations API. This parameter also provides\n details about why the request was unprocessed.
" + } + }, + "com.amazonaws.securityhub#UnprocessedStandardsControlAssociationUpdates": { + "type": "list", + "member": { + "target": "com.amazonaws.securityhub#UnprocessedStandardsControlAssociationUpdate" + } + }, + "com.amazonaws.securityhub#UnprocessedStandardsControlAssociations": { + "type": "list", + "member": { + "target": "com.amazonaws.securityhub#UnprocessedStandardsControlAssociation" + } + }, "com.amazonaws.securityhub#UntagResource": { "type": "operation", "input": { @@ -27361,6 +28285,12 @@ "smithy.api#default": false, "smithy.api#documentation": "Whether to automatically enable new controls when they are added to standards that are\n enabled.
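Review bot: The documentation for `UnprocessedStandardsControlAssociation` and its `StandardsControlAssociationId` member says the enablement status "couldn't be retrieved" when calling `BatchUpdateStandardsControlAssociations`, which mixes a read failure with the write operation. The sibling `UnprocessedStandardsControlAssociationUpdate` already covers failed updates for that call, and the service's operation list on this page includes `BatchGetStandardsControlAssociations`. Both strings therefore presumably should name `BatchGetStandardsControlAssociations`. The operation output shapes are outside this hunk, so confirm which one returns this structure. Separately, `UnprocessedErrorCode` includes `ACCESS_DENIED` and `ErrorReason` is not marked required, so the structure docs should tell callers to inspect `ErrorCode` for every unprocessed entry, because a per-item authorization failure appears to be reported in this list rather than as an operation error.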
\nBy default, this is set to true
, and new controls are enabled\n automatically. To not automatically enable new controls, set this to false
.\n
Updates whether the calling account has consolidated control findings turned on. \n If the value for this field is set to \n SECURITY_CONTROL
, Security Hub generates a single finding for a control check even when the check \n applies to multiple enabled standards.
If the value for this field is set to STANDARD_CONTROL
, Security Hub generates separate findings \n for a control check when the check applies to multiple enabled standards.
For accounts that are part of an organization, this value can only be updated in the administrator account.
" + } } }, "traits": {