Awso_securityhub.ValuesSourceval structure_to_value_aux :
('a * 'b option) list ->
f:(('a * 'b) list -> 'c) ->
[> `Structure of 'c ]val structure_to_wrapped_value :
wrapper:'a ->
response:'a ->
('b * 'c option) list ->
[> `Structure of ('a * [> `Structure of ('b * 'c) list ]) list ]We recommend using Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see Managing Security Hub CSPM administrator and member accounts with Organizations in the Security Hub CSPM User Guide. Accepts the invitation to be a member account and be monitored by the Security Hub CSPM administrator account that the invitation was sent from. This operation is only used by member accounts that are not added through Organizations. When the member account accepts the invitation, permission is granted to the administrator account to view findings generated in the member account.
The request was rejected because we can't find the specified resource.
The request was rejected because it attempted to create resources beyond the current Amazon Web Services account or throttling limits. The error code describes the limit exceeded.
The request was rejected because you supplied an invalid or out-of-range value for an input parameter.
The account doesn't have permission to perform this action.
Internal server error.
We recommend using Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see Managing Security Hub CSPM administrator and member accounts with Organizations in the Security Hub CSPM User Guide. Accepts the invitation to be a member account and be monitored by the Security Hub CSPM administrator account that the invitation was sent from. This operation is only used by member accounts that are not added through Organizations. When the member account accepts the invitation, permission is granted to the administrator account to view findings generated in the member account.
This method is deprecated. Instead, use AcceptAdministratorInvitation. The Security Hub CSPM console continues to use AcceptInvitation. It will eventually change to use AcceptAdministratorInvitation. Any IAM policies that specifically control access to this function must continue to use AcceptInvitation. You should also add AcceptAdministratorInvitation to your policies to ensure that the correct permissions are in place after the console begins to use AcceptAdministratorInvitation. Accepts the invitation to be a member account and be monitored by the Security Hub CSPM administrator account that the invitation was sent from. This operation is only used by member accounts that are not added through Organizations. When the member account accepts the invitation, permission is granted to the administrator account to view findings generated in the member account.
This method is deprecated. Instead, use AcceptAdministratorInvitation. The Security Hub CSPM console continues to use AcceptInvitation. It will eventually change to use AcceptAdministratorInvitation. Any IAM policies that specifically control access to this function must continue to use AcceptInvitation. You should also add AcceptAdministratorInvitation to your policies to ensure that the correct permissions are in place after the console begins to use AcceptAdministratorInvitation. Accepts the invitation to be a member account and be monitored by the Security Hub CSPM administrator account that the invitation was sent from. This operation is only used by member accounts that are not added through Organizations. When the member account accepts the invitation, permission is granted to the administrator account to view findings generated in the member account.
You don't have permission to perform the action specified in the request.
The details of an Amazon Web Services account.
Provides information about an internet provider.
Provides the latitude and longitude coordinates of a location.
For AwsApiAction, NetworkConnectionAction, and PortProbeAction, RemoteIpDetails provides information about the remote IP address that was involved in the action.
For NetworkConnectionAction and PortProbeDetails, LocalPortDetails provides information about the local port that was involved in the action.
Provides information about the IP address where the scanned port is located.
A port scan that was part of the port probe. For each scan, PortProbeDetails provides information about the local IP address and port that were scanned, and the remote IP address that the scan originated from.
Provided if ActionType is PORT_PROBE. It provides details about the attempted port probe that was detected.
Provides information about the remote port that was involved in an attempted network connection.
Provided if ActionType is NETWORK_CONNECTION. It provides details about the attempted network connection that was detected.
Provided if ActionType is DNS_REQUEST. It provides details about the DNS request that was detected.
Provided if CallerType is domain. It provides information about the DNS domain that issued the API call.
Provided if ActionType is AWS_API_CALL. It provides details about the API call that was detected.
Provides details about one of the following actions that affects or that was taken on a resource: A remote IP address issued an Amazon Web Services API call A DNS request was received A remote IP address attempted to connect to an EC2 instance A remote IP address attempted a port probe on an EC2 instance
Used to update information about the investigation into the finding.
Updates to the severity information for a finding.
Details about a related finding.
The updated note.
Identifies the finding fields that the automation rule action updates when a finding matches the defined criteria.
One or more actions that Security Hub CSPM takes when a finding matches the defined criteria of a rule.
An ActionTarget object.
Provides Amazon Web Services account information of the user involved in an Amazon GuardDuty Extended Threat Detection attack sequence. GuardDuty generates an attack sequence finding when multiple events align to a potentially suspicious activity. To receive GuardDuty attack sequence findings in Security Hub CSPM, you must have GuardDuty enabled. For more information, see GuardDuty Extended Threat Detection in the Amazon GuardDuty User Guide.
Contains information about the credentials used by the threat actor identified in an Amazon GuardDuty Extended Threat Detection attack sequence. GuardDuty generates an attack sequence finding when multiple events align to a potentially suspicious activity. To receive GuardDuty attack sequence findings in Security Hub CSPM, you must have GuardDuty enabled. For more information, see GuardDuty Extended Threat Detection in the Amazon GuardDuty User Guide.
Contains information about the authenticated session used by the threat actor identified in an Amazon GuardDuty Extended Threat Detection attack sequence. GuardDuty generates an attack sequence finding when multiple events align to a potentially suspicious activity. To receive GuardDuty attack sequence findings in Security Hub CSPM, you must have GuardDuty enabled. For more information, see GuardDuty Extended Threat Detection in the Amazon GuardDuty User Guide.
Information about the threat actor identified in an Amazon GuardDuty Extended Threat Detection attack sequence. GuardDuty generates an attack sequence finding when multiple events align to a potentially suspicious activity. To receive GuardDuty attack sequence findings in Security Hub CSPM, you must have GuardDuty enabled. For more information, see GuardDuty Extended Threat Detection in the Amazon GuardDuty User Guide.
An adjustment to the CVSS metric.
Represents a Security Hub CSPM administrator account designated by an organization management account.
Specifies a cross-Region data aggregation configuration, including the aggregation Region and any linked Regions.
Information about an enabled security standard in which a security control is enabled.
Options for filtering the ListConfigurationPolicyAssociations response. You can filter by the Amazon Resource Name (ARN) or universally unique identifier (UUID) of a configuration policy, AssociationType, or AssociationStatus.
Describes the state of an association between a route table and a subnet or gateway.
The associations between a route table and one or more subnets or a gateway.
Defines the settings and parameters required for integrating external security tools and services.
Allows you to define the structure for modifying specific fields in security findings.
Allows you to configure automated responses.
Allows you to customize security response workflows.
A string filter for filtering Security Hub CSPM findings.
A number filter for querying findings.
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
A date filter for querying findings.
The criteria that determine which findings a rule applies to.
Defines the configuration of an automation rule.
Metadata for automation rules in the calling account. The response includes rules with a RuleStatus of ENABLED and DISABLED.
Includes essential metadata information about automation rules.
Information about an Availability Zone.
Provides details about the broker usernames for the specified broker. Doesn't apply to RabbitMQ brokers.
The scheduled time period (UTC) during which Amazon MQ begins to apply pending updates or patches to the broker.
Provides information about logs to be activated for the specified broker.
Provides information about logs to be activated for the specified broker.
The metadata of the Lightweight Directory Access Protocol (LDAP) server used to authenticate and authorize connections to the broker. This is an optional failover server.
Provides details about broker encryption options.
Provides details about an Amazon MQ message broker. A message broker allows software applications and components to communicate using various programming languages, operating systems, and formal messaging protocols.
Contains information about settings for logging access for the stage.
Contains information about settings for canary deployment in the stage.
Contains information about the endpoints for the API.
Defines settings for a method for the stage.
Contains information about a REST API in version 1 of Amazon API Gateway.
Provides information about a version 1 Amazon API Gateway stage.
Contains the cross-origin resource sharing (CORS) configuration for the API. CORS is only supported for HTTP APIs.
Contains information about a version 2 API in Amazon API Gateway.
Contains route settings for a stage.
Contains information about a version 2 stage for Amazon API Gateway.
Specifies the authorization configuration for using Amazon Cognito user pools with your AppSync GraphQL API endpoint.
Specifies the authorization configuration for using an OpenID Connect compliant service with your AppSync GraphQL API endpoint.
Specifies the authorization configuration for using an Lambda function with your AppSync GraphQL API endpoint.
A list of additional authentication providers for the GraphqlApi API.
Specifies the logging configuration when writing GraphQL operations and tracing to Amazon CloudWatch for an AppSync GraphQL API.
Provides details about an AppSync Graph QL API, which lets you query multiple databases, microservices, and APIs from a single GraphQL endpoint.
module AwsAthenaWorkGroupConfigurationResultConfigurationEncryptionConfigurationDetails :
sig ... endSpecifies the method used to encrypt the user’s data stores in the Athena workgroup.
The location in Amazon Simple Storage Service (Amazon S3) where query and calculation results are stored and the encryption option, if any, used for query and calculation results. These are known as client-side settings. If workgroup settings override client-side settings, then the query uses the workgroup settings.
The configuration of the workgroup, which includes the location in Amazon Simple Storage Service (Amazon S3) where query results are stored, the encryption option, if any, used for query results, whether Amazon CloudWatch metrics are enabled for the workgroup, and the limit for the amount of bytes scanned (cutoff) per query, if it is specified.
Provides information about an Amazon Athena workgroup.
An Availability Zone for the automatic scaling group.
module AwsAutoScalingAutoScalingGroupMixedInstancesPolicyLaunchTemplateOverridesListDetails :
sig ... endProperty values to use to override the values in the launch template.
module AwsAutoScalingAutoScalingGroupMixedInstancesPolicyLaunchTemplateOverridesList :
sig ... endmodule AwsAutoScalingAutoScalingGroupMixedInstancesPolicyLaunchTemplateLaunchTemplateSpecification :
sig ... endDetails about the launch template to use for a mixed instances policy.
Describes a launch template and overrides for a mixed instances policy.
module AwsAutoScalingAutoScalingGroupMixedInstancesPolicyInstancesDistributionDetails :
sig ... endInformation about the instances distribution.
The mixed instances policy for the automatic scaling group.
Details about the launch template to use.
Provides details about an auto scaling group.
Parameters that are used to automatically set up EBS volumes when an instance is launched.
A block device for the instance.
The metadata options for the instances.
Information about the type of monitoring for instances in the group.
Details about a launch configuration.
Provides a list of backup options for each resource type.
Provides lifecycle details for the backup plan. A lifecycle defines when a backup is transitioned to cold storage and when it expires.
An array of CopyAction objects, each of which contains details of the copy operation.
Provides details about an array of BackupRule objects, each of which specifies a scheduled task that is used to back up a selection of resources.
Provides details about an Backup backup plan and an array of BackupRule objects, each of which specifies a backup rule.
Provides details about an Backup backup plan and an array of BackupRule objects, each of which specifies a backup rule.
Provides details about the Amazon SNS event notifications for the specified backup vault.
Provides details about an Backup backup vault. In Backup, a backup vault is a container that stores and organizes your backups.
Specifies how long in days before a recovery point transitions to cold storage or is deleted.
Contains information about the backup plan and rule that Backup used to initiate the recovery point backup.
Contains an array of Transition objects specifying how long in days before a recovery point transitions to cold storage or is deleted.
Contains detailed information about the recovery points stored in an Backup backup vault. A backup, or recovery point, represents the content of a resource at a specified time.
Provides details about the CNAME record that is added to the DNS database for domain validation.
Contains information about one of the following: The initial validation of each domain name that occurs as a result of the RequestCertificate request The validation of each domain name in the certificate, as it pertains to Certificate Manager managed renewal
Contains information about the Certificate Manager managed renewal for an AMAZON_ISSUED certificate.
Contains other options for the certificate.
Contains information about a key usage X.509 v3 extension object.
Contains information about an extended key usage X.509 v3 extension object.
Provides details about an Certificate Manager certificate.
Provides information about the CloudFormation stack output.
Provides information about the stack's conformity to its expected template configuration.
Nests a stack as a resource in a top-level template. Nested stacks are stacks created as resources for another stack.
Information about a cache behavior for the distribution.
Provides information about caching for the CloudFront distribution.
Contains information about the default cache configuration for the CloudFront distribution.
Provides information about the TLS/SSL configuration that the CloudFront distribution uses to communicate with viewers.
Information about an origin that is an Amazon S3 bucket that is not configured with static website hosting.
A complex type that contains information about the SSL/TLS protocols that CloudFront can use when establishing an HTTPS connection with your origin.
A custom origin. A custom origin is any origin that is not an Amazon S3 bucket, with one exception. An Amazon S3 bucket that is configured with static website hosting is a custom origin.
A complex type that describes the Amazon S3 bucket, HTTP server (for example, a web server), or other server from which CloudFront gets your files.
A complex type that contains information about origins and origin groups for this CloudFront distribution.
The status codes that cause an origin group to fail over.
Provides information about when an origin group fails over.
Information about an origin group for the CloudFront distribution.
Provides information about origin groups that are associated with the CloudFront distribution.
A complex type that controls whether access logs are written for the CloudFront distribution.
A CloudFront distribution configuration.
Provides details about a CloudTrail trail.
Details about the dimensions for the metric associated with the alarm.
Specifies an alarm and associates it with the specified metric or metric math expression.
Information about the build artifacts for the CodeBuild project.
Information about the VPC configuration that CodeBuild accesses.
Information about the build input source code for this build project.
Information about logs built to an S3 bucket for a build project.
Information about CloudWatch Logs for the build project.
Information about logs for the build project.
The credentials for access to a private registry.
Information about an environment variable that is available to builds for the build project.
Information about the build environment for this build project.
Information about an CodeBuild project.
Provides details about an Database Migration Service (DMS) endpoint. An endpoint provides connection, data store type, and location information about your data store.
Provides details about the virtual private cloud (VPC) security group that’s associated with the replication instance.
Provides details about the replication subnet group.
Provides details about an Database Migration Service (DMS) replication instance. DMS uses a replication instance to connect to your source data store, read the source data, and format the data for consumption by the target data store.
Provides details about an Database Migration Service (DMS) replication task. A replication task moves a set of data from the source endpoint to the target endpoint.
Contains a definition of an attribute for the table.
Provides information about the billing for read/write capacity on the table.
The current DynamoDB Streams configuration for the table.
Information about the server-side encryption for the table.
Information about the restore for the table.
Replica-specific configuration for the provisioned throughput.
Information about a global secondary index for a DynamoDB table replica.
Information about a replica of a DynamoDB table.
Information about the provisioned throughput for the table or for a global secondary index.
For global and local secondary indexes, identifies the attributes that are copied from the table into the index.
A component of the key schema for the DynamoDB table, a global secondary index, or a local secondary index.
Information about a local secondary index for a DynamoDB table.
Information abut a global secondary index for the table.
Provides details about a DynamoDB table.
Provides details about an Active Directory that’s used to authenticate an Client VPN endpoint.
Information about the client certificate used for authentication.
module AwsEc2ClientVpnEndpointAuthenticationOptionsFederatedAuthenticationDetails :
sig ... endDescribes the IAM SAML identity providers used for federated authentication.
Information about the authentication method used by the Client VPN endpoint.
Describes the status of the Client VPN endpoint attribute.
The options for managing connection authorization for new client connections.
Options for enabling a customizable text banner that will be displayed on Amazon Web Services provided clients when a VPN session is established.
Information about the client connection logging options for the Client VPN endpoint.
Describes an Client VPN endpoint. A Client VPN endpoint is the resource that you create and configure to enable and manage client VPN sessions. It's the termination point for all client VPN sessions.
Information about an Elastic IP address.
Identifies a network interface for the Amazon EC2 instance.
The type of monitoring that’s turned on for an Amazon EC2 instance.
Metadata options that allow you to configure and secure the Amazon EC2 instance.
The details of an Amazon EC2 instance.
Parameters for a block device for an Amazon Elastic Block Store (Amazon EBS) volume in an Amazon EC2 launch template.
Information about a block device mapping for an Amazon Elastic Compute Cloud (Amazon EC2) launch template.
module AwsEc2LaunchTemplateDataCapacityReservationSpecificationCapacityReservationTargetDetails :
sig ... endInformation about the target Capacity Reservation or Capacity Reservation group in which to run an Amazon EC2 instance.
Specifies the Capacity Reservation targeting option of an Amazon EC2 instance.
Specifies the CPU options for an Amazon EC2 instance. For more information, see Optimize CPU options in the Amazon Elastic Compute Cloud User Guide.
Specifies the credit option for CPU usage of a T2, T3, or T3a Amazon EC2 instance.
Describes the options for Amazon EC2 instance hostnames.
Provides details about the placement of an Amazon EC2 instance.
One or more private IPv4 addresses.
Provides details on one or more IPv6 prefixes to be assigned to the network interface.
Specifies an IPv6 address in an Amazon EC2 launch template.
Provides details on one or more IPv4 prefixes for a network interface.
One or more network interfaces to attach to an Amazon EC2 instance. If you specify a network interface, you must specify security groups and subnets as part of the network interface.
The monitoring for an Amazon EC2 instance.
Specifies the metadata options for an Amazon EC2 instance.
The maintenance options of an Amazon EC2 instance.
Provides details about the license configuration for an Amazon EC2 instance.
The minimum and maximum number of vCPUs for an Amazon EC2 instance.
The minimum and maximum amount of total local storage, in GB, that an Amazon EC2 instance uses.
The minimum and maximum number of network interfaces to be attached to an Amazon EC2 instance.
The minimum and maximum amount of memory, in MiB, for an Amazon EC2 instance.
The minimum and maximum amount of memory per vCPU, in GiB.
module AwsEc2LaunchTemplateDataInstanceRequirementsBaselineEbsBandwidthMbpsDetails :
sig ... endThe minimum and maximum baseline bandwidth to Amazon Elastic Block Store (Amazon EBS), in Mbps. For more information, see Amazon EBS–optimized instances in the Amazon EC2 User Guide.
module AwsEc2LaunchTemplateDataInstanceRequirementsAcceleratorTotalMemoryMiBDetails :
sig ... endThe minimum and maximum amount of memory, in MiB, for the accelerators on an Amazon EC2 instance.
The minimum and maximum number of accelerators (GPUs, FPGAs, or Amazon Web Services Inferentia chips) on an Amazon EC2 instance.
The attributes for the Amazon EC2 instance types.
Provides details about the market (purchasing) options for Spot Instances.
Provides details about the market (purchasing) option for an Amazon EC2 instance.
Provides details for an Identity and Access Management (IAM) instance profile, which is a container for an IAM role for your instance.
Specifies whether your Amazon EC2 instance is configured for hibernation.
Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves.
Provides details for an Amazon Elastic Inference accelerator.
Provides details about an Elastic Graphics specification for an Amazon EC2 launch template.
The information to include in an Amazon Elastic Compute Cloud (Amazon EC2) launch template.
Specifies the properties for creating an Amazon Elastic Compute Cloud (Amazon EC2) launch template.
An association between the network ACL and a subnet.
A range of ports.
An Internet Control Message Protocol (ICMP) type and code.
A rule for the network ACL. Each rule allows or denies access based on the IP address, traffic direction, port, and protocol.
Contains details about an Amazon EC2 network access control list (ACL).
Information about the network interface attachment.
A security group associated with the network interface.
Provides information about a private IPv4 address that is with the network interface.
Provides information about an IPV6 address that is associated with the network interface.
Details about the network interface
Provides details about the routes in the route table.
Describes a virtual private gateway propagating route.
Provides details about a route table for the specified VPC.
A relationship between a security group and a user.
A prefix list ID.
A range of IPv6 addresses.
A range of IPv4 addresses.
An IP permission for an EC2 security group.
Details about an Amazon EC2 security group.
An IPV6 CIDR block association.
Contains information about a subnet in Amazon EC2.
Information about an Amazon Web Services Amazon EC2 Transit Gateway that interconnects virtual private clouds (VPCs) and on-premises networks.
An attachment to an Amazon EC2 volume.
Details about an EC2 volume.
An IPv4 CIDR block association.
Details about an EC2 VPC.
The service type information for a VPC endpoint service.
Contains details about the service configuration for a VPC endpoint service.
Provides information about the VPC peering connection options for the accepter or requester VPC.
Provides details about the IPv6 CIDR blocks for the VPC.
Provides details about the IPv4 CIDR blocks for the VPC.
Describes a VPC in a VPC peering connection.
Details about the status of the VPC peering connection.
Provides information about a VPC peering connection between two VPCs: a requester VPC that you own and an accepter VPC with which to create the connection.
Information about the VPN tunnel.
A static routes associated with the VPN connection.
The VPN tunnel options.
VPN connection options.
Details about an Amazon EC2 VPN connection.
Information about an Amazon ECR image.
Information about the lifecycle policy for the repository.
The image scanning configuration for a repository.
Provides information about an Amazon Elastic Container Registry repository.
Indicates whether to enable CloudWatch Container Insights for the ECS cluster.
module AwsEcsClusterConfigurationExecuteCommandConfigurationLogConfigurationDetails :
sig ... endThe log configuration for the results of the run command actions.
Contains the run command configuration for the cluster.
The run command configuration for the cluster.
The default capacity provider strategy for the cluster. The default capacity provider strategy is used when services or tasks are run without a specified launch type or capacity provider strategy.
Provides details about an Amazon ECS cluster.
Details for a volume mount point that's used in a container definition.
Provides information about an Amazon ECS container.
Strategy item for the capacity provider strategy that the service uses.
Determines whether a service deployment fails if a service cannot reach a steady state.
Optional deployment parameters for the service.
Information about the deployment controller type that the service uses.
Information about a service discovery registry to assign to the service.
A placement strategy that determines how to place the tasks for the service.
A placement constraint for the tasks in the service.
For tasks that use the awsvpc networking mode, the VPC subnet and security group configuration.
For tasks that use the awsvpc networking mode, the VPC subnet and security group configuration.
Information about a load balancer that the service uses.
Provides details about a service within an ECS cluster.
A dependency that is defined for container startup and shutdown.
A data volume to mount from another container.
A ulimit to set in the container.
A namespaced kernel parameter to set in the container.
A secret to pass to the container.
A resource to assign to a container.
The private repository authentication credentials to use.
A port mapping for the container.
A mount point for the data volumes in the container.
module AwsEcsTaskDefinitionContainerDefinitionsLogConfigurationSecretOptionsDetails :
sig ... endA secret to pass to the log configuration.
module AwsEcsTaskDefinitionContainerDefinitionsLogConfigurationSecretOptionsList :
sig ... endThe log configuration specification for the container.
The container path, mount options, and size (in MiB) of a tmpfs mount.
A host device to expose to the container.
module AwsEcsTaskDefinitionContainerDefinitionsLinuxParametersCapabilitiesDetails :
sig ... endThe Linux capabilities for the container that are added to or dropped from the default configuration provided by Docker.
>Linux-specific modifications that are applied to the container, such as Linux kernel capabilities.
The container health check command and associated configuration parameters for the container.
The FireLens configuration for the container. The configuration specifies and configures a log router for container logs.
A hostname and IP address mapping to append to the /etc/hosts file on the container.
An environment variable to pass to the container.
A file that contain environment variables to pass to a container.
A container definition that describes a container in the task.
Information about a bind mount host volume.
module AwsEcsTaskDefinitionVolumesEfsVolumeConfigurationAuthorizationConfigDetails :
sig ... endInformation about the Amazon Elastic File System file system that is used for task storage.
Information about a Docker volume.
A data volume to mount from another container.
module AwsEcsTaskDefinitionProxyConfigurationProxyConfigurationPropertiesDetails :
sig ... endA network configuration parameter to provide to the Container Network Interface (CNI) plugin.
The configuration details for the App Mesh proxy.
A placement constraint object to use for tasks.
An Elastic Inference accelerator to use for the containers in the task.
Details about a task definition. A task definition describes the container and volume definitions of an Amazon Elastic Container Service task.
Provides details on a container instance bind mount host volume.
Provides information about a data volume that's used in a task definition.
Provides details about a task in a cluster.
Provides information about the settings that Amazon EFS uses to create the root directory when a client connects to an access point.
Provides information about the directory on the Amazon EFS file system that the access point exposes as the root directory to NFS clients using the access point.
Provides details for all file system operations using this Amazon EFS access point.
Provides information about an Amazon EFS access point.
Information about the VPC configuration used by the cluster control plane.
Details for a cluster logging configuration.
The logging configuration for an Amazon EKS cluster.
Provides details about an Amazon EKS cluster.
Contains information about the tier of the environment.
A configuration option setting for the environment.
Contains information about a link to another environment that is in the same group.
Contains details about an Elastic Beanstalk environment.
Information that OpenSearch derives based on VPCOptions for the domain.
Information about the state of the domain relative to the latest service software.
Details about the configuration for node-to-node encryption.
The log configuration.
configures the CloudWatch Logs to publish for the Elasticsearch domain.
Details about the configuration for encryption at rest.
module AwsElasticsearchDomainElasticsearchClusterConfigZoneAwarenessConfigDetails :
sig ... endConfiguration options for zone awareness.
details about the configuration of an OpenSearch cluster.
Additional options for the domain endpoint, such as whether to require HTTPS for all traffic.
Information about an Elasticsearch domain.
Contains information about a stickiness policy that was created using CreateAppCookieStickinessPolicy.
Contains information about a stickiness policy that was created using CreateLBCookieStickinessPolicy.
Contains information about the access log configuration for the load balancer.
Provides information about additional attributes for the load balancer.
Contains cross-zone load balancing settings for the load balancer.
Contains connection settings for the load balancer.
Contains information about the connection draining configuration for the load balancer.
Contains attributes for the load balancer.
Provides information about the configuration of an EC2 instance for the load balancer.
Contains information about the security group for the load balancer.
Contains information about the policies for a load balancer.
Information about a load balancer listener.
Lists the policies that are enabled for a load balancer listener.
Provides information about an EC2 instance for a load balancer.
Contains information about the health checks that are conducted on the load balancer.
Contains details about a Classic Load Balancer.
A load balancer attribute.
Information about the state of the load balancer.
Information about a load balancer.
A schema defines the structure of events that are sent to Amazon EventBridge. Schema registries are containers for schemas. They collect and organize schemas so that your schemas are in logical groups.
The Amazon Web Services Region that events are routed to when failover is triggered or event replication is enabled.
Provides details about the primary Amazon Web Services Region of the endpoint.
The failover configuration for an endpoint. This includes what triggers failover and what happens when it's triggered.
Provides details about the routing configuration of the endpoint.
Indicates whether replication is enabled or disabled for the endpoint. If enabled, the endpoint can replicate all events to a secondary Amazon Web Services Region.
Provides details about the Amazon EventBridge event buses that the endpoint is associated with.
Provides details about an Amazon EventBridge global endpoint. The endpoint can improve your application’s availability by making it Regional-fault tolerant.
Provides details about Amazon EventBridge event bus. An event bus is a router that receives events and delivers them to zero or more destinations, or targets. This can be a custom event bus which you can use to receive events from your custom applications and services, or it can be a partner event bus which can be matched to a partner event source.
An object that contains information on the status of CloudTrail as a data source for the detector.
An object that contains information on the status of S3 data event logs as a data source for the detector.
module AwsGuardDutyDetectorDataSourcesMalwareProtectionScanEc2InstanceWithFindingsEbsVolumesDetails :
sig ... endDescribes the configuration of scanning EBS volumes (Malware Protection) as a data source.
module AwsGuardDutyDetectorDataSourcesMalwareProtectionScanEc2InstanceWithFindingsDetails :
sig ... endDescribes the configuration of Malware Protection for EC2 instances with findings.
An object that contains information on the status of Malware Protection as a data source for the detector.
An object that contains information on the status of Kubernetes audit logs as a data source for the detector.
An object that contains information on the status of Kubernetes data sources for the detector.
An object that contains information on the status of VPC Flow Logs as a data source for the detector.
An object that contains information on the status of DNS logs as a data source for the detector.
Describes which data sources are activated for the detector.
Describes which features are activated for the detector.
Provides details about an Amazon GuardDuty detector. A detector is an object that represents the GuardDuty service. A detector is required for GuardDuty to become operational.
Information about the entity that created the session.
Attributes of the session that the key was used for.
Provides information about the session that the key was used for.
IAM access key details related to a finding.
A managed policy that is attached to an IAM principal.
A managed policy that is attached to the IAM group.
Contains details about an IAM group.
Information about a role associated with an instance profile.
Information about an instance profile.
Information about the policy used to set the permissions boundary for an IAM principal.
A version of an IAM policy.
Represents an IAM permissions policy.
An inline policy that is embedded in the role.
Contains information about an IAM role, including all of the role's policies.
Information about an inline policy that is embedded in the user.
Information about an IAM user.
Provides information about stream encryption.
Provides information about an Amazon Kinesis data stream.
Contains metadata about an KMS key.
The code for the Lambda function. You can specify either an object in Amazon S3, or upload a deployment package directly.
The dead-letter queue for failed asynchronous invocations.
The VPC security groups and subnets that are attached to a Lambda function.
The function's X-Ray tracing configuration.
An Lambda layer.
Error messages for environment variables that could not be applied.
A function's environment variable settings.
Details about an Lambda function's configuration.
Details about a Lambda layer version.
Provides details for allowing no client authentication.
Provides details for client authentication using TLS.
Details for SASL/SCRAM client authentication.
Details for SASL/IAM client authentication.
Provides details for client authentication using SASL.
Provides details about different modes of client authentication.
The settings for encrypting data in transit.
The data-volume encryption details. You can't update encryption at rest settings for existing clusters.
Includes encryption-related information, such as the KMS key used for encrypting data at rest and whether you want MSK to encrypt your data in transit.
Provide details about an Amazon Managed Streaming for Apache Kafka (Amazon MSK) cluster.
Provides details about an Amazon Managed Streaming for Apache Kafka (Amazon MSK) cluster.
A public subnet that Network Firewall uses for the firewall.
Details about an Network Firewall firewall.
A stateless rule group that is used by the firewall policy.
Defines a CloudWatch dimension value to publish.
Information about metrics to publish to CloudWatch.
The definition of a custom action that can be used for stateless packet handling.
A custom action that can be used for stateless packet handling.
A stateful rule group that is used by the firewall policy.
Defines the behavior of the firewall.
Details about a firewall policy. A firewall policy defines the behavior of a network firewall.
A list of port ranges.
A list of IP addresses and address ranges, in CIDR notation.
Additional settings to use in the specified rules.
A set of TCP flags and masks to inspect for.
A source IP addresses and address range to inspect for.
A port range to specify the source ports to inspect for.
A destination IP address or range.
A port range to specify the destination ports to inspect for.
Criteria for the stateless rule.
The definition of the stateless rule.
A stateless rule in the rule group.
A custom action definition. A custom action is an optional, non-standard action to use for stateless packet handling.
Stateless rules and custom actions for a stateless rule group.
A rule option for a stateful rule.
The inspection criteria for a stateful rule.
A Suricata rule specification.
Stateful inspection criteria for a domain list rule group.
The rules and actions for the rule group.
Details about the rule group.
Details about an Network Firewall rule group. Rule groups are used to inspect and control network traffic. Stateless rule groups apply to individual packets. Stateful rule groups apply to packets in the context of their traffic flow. Rule groups are referenced in firewall policies.
Specifies information about the master user of the domain.
Provides information about domain access control options.
Configuration options for zone awareness.
Details about the configuration of an OpenSearch cluster.
Contains information that OpenSearch Service derives based on the VPCOptions for the domain.
Provides information about the state of the domain relative to the latest service software.
Provides details about the configuration for node-to-node encryption.
Configuration details for a log publishing option.
Configures the CloudWatch Logs to publish for the OpenSearch domain.
Details about the configuration for encryption at rest for the OpenSearch domain.
Information about additional options for the domain endpoint.
Information about an Amazon OpenSearch Service domain.
Specifies an Organizations scope. Data from the specified organization or organizational unit is included in the response. To scope to a specific organizational unit, provide OrganizationalUnitId. You can optionally include OrganizationId. If you omit OrganizationId, Security Hub uses the caller's organization ID. To scope to the delegated administrator's entire organization, provide only OrganizationId. The organization ID and organizational unit must belong to the delegated administrator's own organization. Each request must use one scoping approach: either scope to the entire organization by providing an AwsOrganizationScope entry with only OrganizationId, or scope to specific organizational units by providing AwsOrganizationScope entries with OrganizationalUnitId. You can't combine both approaches in the same request.
An IAM role that is associated with the Amazon RDS DB cluster.
A VPC security groups that the DB instance belongs to.
Information about an Active Directory domain membership record associated with the DB instance.
Information about an option group membership for a DB cluster.
Information about an instance in the DB cluster.
Information about an Amazon RDS DB cluster.
Contains the name and values of a manual Amazon Relational Database Service (RDS) DB cluster snapshot attribute.
Information about an Amazon RDS DB cluster snapshot.
An IAM role associated with the DB instance.
An Availability Zone for a subnet in a subnet group.
Information about a subnet in a subnet group.
Information about the subnet group for the database instance.
Information about the status of a read replica.
A processor feature.
Identifies the log types to enable and disable.
Changes to a DB instance that are currently pending.
Provides information about a parameter group for a DB instance.
An option group membership.
Specifies the connection endpoint.
Contains the details of an Amazon RDS DB instance.
IP range information for an RDS DB security group.
EC2 security group information for an RDS DB security group.
Provides information about an Amazon RDS DB security group.
Provides details about an Amazon RDS DB cluster snapshot.
Details about an Amazon RDS event notification subscription. The subscription allows Amazon RDS to post events to an SNS topic.
A node in an Amazon Redshift cluster.
The status of a parameter in a cluster parameter group for an Amazon Redshift cluster.
A cluster parameter group that is associated with an Amazon Redshift cluster.
A security group that is associated with the cluster.
You can configure Amazon Redshift to copy snapshots for a cluster to another Amazon Web Services Region. This parameter provides information about a cross-Region snapshot copy.
A time windows during which maintenance was deferred for an Amazon Redshift cluster.
A VPC security group that the cluster belongs to, if the cluster is in a VPC.
Information about the status of a cluster restore action. It only applies if the cluster was created by restoring a snapshot.
Information about the resize operation for the cluster.
Changes to the Amazon Redshift cluster that are currently pending.
Provides information about the logging status of the cluster.
An IAM role that the cluster can use to access other Amazon Web Services services.
Information about whether an Amazon Redshift cluster finished applying any hardware changes to security module (HSM) settings that were specified in a modify cluster command.
The connection endpoint for an Amazon Redshift cluster.
The status of the elastic IP (EIP) address for an Amazon Redshift cluster.
Details about an Amazon Redshift cluster.
An object that contains an optional comment about your Amazon Route 53 hosted zone.
The Amazon Resource Name (ARN) and other details of the Amazon CloudWatch Logs log group that Amazon Route 53 is publishing logs to.
Provides details about a specified Amazon Route 53 configuration for DNS query logging.
For private hosted zones, this is a complex type that contains information about an Amazon VPC.
An object that contains information about an Amazon Route 53 hosted zone.
Provides details about a specified Amazon Route 53 hosted zone, including the four name servers assigned to the hosted zone. A hosted zone represents a collection of records that can be managed together, belonging to a single parent domain name.
provides information about the Amazon S3 Public Access Block configuration for accounts.
The virtual private cloud (VPC) configuration for an Amazon S3 access point.
Returns configuration information about the specified Amazon S3 access point. S3 access points are named network endpoints that are attached to buckets that you can use to perform S3 object operations.
A rule for when objects transition to specific storage classes.
module AwsS3BucketBucketLifecycleConfigurationRulesNoncurrentVersionTransitionsDetails :
sig ... endA transition rule that describes when noncurrent objects transition to a specified storage class.
module AwsS3BucketBucketLifecycleConfigurationRulesNoncurrentVersionTransitionsList :
sig ... endA tag filter.
module AwsS3BucketBucketLifecycleConfigurationRulesFilterPredicateOperandsTagDetails :
sig ... endA tag that is assigned to matching objects.
module AwsS3BucketBucketLifecycleConfigurationRulesFilterPredicateOperandsDetails :
sig ... endA value to use for the filter.
The configuration for the filter.
Identifies the objects that a rule applies to.
module AwsS3BucketBucketLifecycleConfigurationRulesAbortIncompleteMultipartUploadDetails :
sig ... endInformation about what Amazon S3 does when a multipart upload is incomplete.
Configuration for a lifecycle rule.
The lifecycle configuration for the objects in the S3 bucket.
Describes the versioning state of an S3 bucket.
The rules to redirect the request if the condition in Condition is met.
The condition that must be met in order to apply the routing rule.
A rule for redirecting requests to the website.
The redirect behavior for requests to the website.
Website parameters for the S3 bucket.
Specifies the default server-side encryption to apply to new objects in the bucket.
An encryption rule to apply to the S3 bucket.
The encryption configuration for the S3 bucket.
The default S3 Object Lock retention mode and period that you want to apply to new objects placed in the specified Amazon S3 bucket.
Specifies the S3 Object Lock rule for the specified object. In Amazon S3, Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
The container element for S3 Object Lock configuration parameters. In Amazon S3, Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
Details for a filter rule.
Details for an Amazon S3 filter.
Filtering information for the notifications. The filtering is based on Amazon S3 key names.
Details for an S3 bucket notification configuration.
The notification configuration for the S3 bucket.
Information about logging for the S3 bucket
The details of an Amazon Simple Storage Service (Amazon S3) bucket.
Details about an Amazon S3 object.
Information on the instance metadata service (IMDS) configuration of the notebook instance.
Provides details about an Amazon SageMaker AI notebook instance.
Defines the rotation schedule for the secret.
Details about an Secrets Manager secret.
Provides details about the status of the investigation into a finding.
A vendor that generates a vulnerability report.
Provides details about where a code vulnerability is located in your Lambda function.
Provides details about the vulnerabilities found in your Lambda function code. This field pertains to findings that Security Hub CSPM receives from Amazon Inspector.
Information about a software package.
A vulnerability associated with a finding.
Provides information about the file paths that were affected by the threat.
Provides information about the threat detected in a security finding and the file paths that were affected by the threat.
Details about the threat intelligence related to a finding.
The severity of the finding. The finding provider can provide the initial severity. The finding provider can only update the severity if it hasn't been updated using BatchUpdateFindings. The finding must have either Label or Normalized populated. If only one of these attributes is populated, then Security Hub CSPM automatically populates the other one. If neither attribute is populated, then the finding is invalid. Label is the preferred attribute.
Describes the mounting of a volume in a container.
Container details related to a finding.
Details about an external code repository with which you can connect your Amazon Web Services resources. The connection is established through Amazon Inspector.
Information about the encryption configuration for X-Ray.
Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA or challenge timestamp remains valid after WAF updates it for a successful CAPTCHA or challenge response.
Specifies how WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings.
A custom header for custom request and response handling.
A custom response to send to the client. You can define a custom response for rule actions and default web ACL actions that are set to block.
Specifies that WAF should block the request and optionally defines additional custom handling for the response to the web request.
Custom request handling behavior that inserts custom headers into a web request. WAF uses custom request handling when the rule action doesn't block the request.
Specifies that WAF should allow the request and optionally defines additional custom handling for the request.
Specifies the action that Amazon CloudFront or WAF takes when a web request matches the conditions in the rule.
Defines and enables Amazon CloudWatch metrics and web request sample collection.
Specifies that WAF should count the request.
Specifies that WAF should run a CAPTCHA check against the request.
The action that WAF should take on a web request when it matches a rule's statement. Settings at the web ACL level can override the rule action setting.
Provides details about rules in a rule group. A rule identifies web requests that you want to allow, block, or count. Each rule includes one top-level Statement that WAF uses to identify matching web requests, and parameters that govern how WAF handles them.
Details about an WAFv2 web Access Control List (ACL).
Details about an WAFv2 rule group.
Details about an override action for a rule.
Details about a rule to exclude from a rule group.
Details about the action that CloudFront or WAF takes when a web request matches the conditions in the rule.
Details for a rule in an WAF web ACL.
Provides information about an WAF web access control list (web ACL).
Provides information about what action WAF should take on a web request when it matches the criteria defined in the rule.
Provides information about the rules attached to the rule group. These rules identify the web requests that you want to allow, block, or count.
Provides information about an WAF rule group. A rule group is a collection of rules for inspecting and controlling web requests.
Provides details about the ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, RegexMatchSet, GeoMatchSet, and SizeConstraintSet objects that you want to add to a rule and, for each object, indicates whether you want to negate the settings.
Provides information about a WAF rule. This rule specifies the web requests that you want to allow, block, or count.
Provides details about the action to use in the place of the action that results from the rule group evaluation.
The action that WAF takes when a web request matches all conditions in the rule, such as allow, block, or count the request.
A combination of ByteMatchSet, IPSet, and/or SqlInjectionMatchSet objects that identify the web requests that you want to allow, block, or count.
Provides information about the web access control list (web ACL). The web ACL contains the rules that identify the requests that you want to allow, block, or count.
Describes the action that WAF should take on a web request when it matches the criteria defined in the rule.
Provides information about the rules attached to a rule group
Provides information about an WAF Regional rule group. The rule group is a collection of rules for inspecting and controlling web requests.
Provides details about the ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, RegexMatchSet, GeoMatchSet, and SizeConstraintSet objects that you want to add to a rule and, for each object, indicates whether you want to negate the settings.
Provides information about an WAF Regional rule. This rule identifies the web requests that you want to allow, block, or count.
Details for a match predicate. A predicate might look for characteristics such as specific IP addresses, geographic locations, or sizes.
contains details about a rate-based rule for Regional resources. A rate-based rule provides settings to indicate when to allow, block, or count a request. Rate-based rules include the number of requests that arrive over a specified period of time.
A match predicate. A predicate might look for characteristics such as specific IP addresses, geographic locations, or sizes.
Details about a rate-based rule for global resources. A rate-based rule provides settings to indicate when to allow, block, or count a request. Rate-based rules include the number of requests that arrive over a specified period of time.
Specifies whether X-Ray tracing is enabled.
module AwsStepFunctionStateMachineLoggingConfigurationDestinationsCloudWatchLogsLogGroupDetails :
sig ... endAn object describing a CloudWatch log group. For more information, see Amazon Web Services::Logs::LogGroup in the CloudFormation User Guide.
An array of objects that describes where your execution history events will be logged.
The LoggingConfiguration data type is used to set CloudWatch Logs options.
Provides details about an Step Functions state machine, which is a workflow consisting of a series of event- driven steps.
Provides the details about the compliance status for a patch.
Provides details about the compliance for a patch.
Provides information about the state of a patch on an instance based on the patch baseline that was used to patch the instance.
Data about a queue.
A wrapper type for the attributes of an Amazon SNS subscription.
Provides information about an Amazon SNS topic to which notifications can be published.
Additional details about a resource related to a finding. To provide the details, use the object that corresponds to the resource type. For example, if the resource type is AwsEc2Instance, then you use the AwsEc2Instance object to provide the details. If the type-specific object does not contain all of the fields you want to populate, then you use the Other object to populate those additional fields. You also use the Other object to populate the details when the selected type does not have a corresponding object.
An occurrence of sensitive data in an Apache Avro object container or an Apache Parquet file.
An occurrence of sensitive data in an Adobe Portable Document Format (PDF) file.
An occurrence of sensitive data detected in a Microsoft Excel workbook, comma-separated value (CSV) file, or tab-separated value (TSV) file.
The detected occurrences of sensitive data.
The list of detected instances of sensitive data.
Contains a detected instance of sensitive data that are based on built-in identifiers.
The list of detected instances of sensitive data.
Contains an instance of sensitive data that was detected by a customer-defined identifier.
Provides details about the current status of the sensitive data detection.
Details about the sensitive data that was detected on the resource.
Provides details about sensitive data that was detected on a resource.
A recommendation on how to remediate the issue identified in a finding.
Details about the remediation steps for a finding.
The details of process-related information about a finding.
Provides an overview of the patch compliance status for an instance against a selected compliance standard.
Information about the destination of the next component in the network path.
Details about a network path component that occurs before or after the current component.
Information about a network path component.
Provides metadata for the Amazon CodeGuru detector associated with a finding. This field pertains to findings that relate to Lambda functions. Amazon Inspector identifies policy violations and vulnerabilities in Lambda function code based on internal detectors developed in collaboration with Amazon CodeGuru. Security Hub CSPM receives those findings.
The severity assigned to a finding by the finding provider. This object may include one or more of the following attributes: Label Normalized Original Product If a BatchImportFindings request for a new finding only provides Label or only provides Normalized, Security Hub CSPM automatically populates the value of the other field. The Normalized and Product attributes are included in the FindingProviderSeverity structure to preserve the historical information associated with the finding, even if the top-level Severity object is later modified using the BatchUpdateFindings operation. If the top-level Finding.Severity object is present, but Finding.FindingProviderFields isn't present, Security Hub CSPM creates the FindingProviderFields.Severity object and copies the entire Finding.Severity object into it. This ensures that the original, provider-supplied details are retained within the FindingProviderFields.Severity object, even if the top-level Severity object is overwritten.
In a BatchImportFindings request, finding providers use FindingProviderFields to provide and update values for the following fields: Confidence Criticality RelatedFindings Severity Types The preceding fields are nested under the FindingProviderFields object, but also have analogues of the same name as top-level ASFF fields. When a new finding is sent to Security Hub CSPM by a finding provider, Security Hub CSPM populates the FindingProviderFields object automatically, if it is empty, based on the corresponding top-level fields. Finding providers can update FindingProviderFields only by using the BatchImportFindings operation. Finding providers can't update this object with the BatchUpdateFindings operation. Customers can update the top-level fields by using the BatchUpdateFindings operation. Customers can't update FindingProviderFields. For information about how Security Hub CSPM handles updates from BatchImportFindings to FindingProviderFields and to the corresponding top-level attributes, see Using FindingProviderFields in the Security Hub CSPM User Guide.
Contains information about the indicators observed in an Amazon GuardDuty Extended Threat Detection attack sequence. Indicators include a set of signals, which can be API activities or findings that GuardDuty uses to detect an attack sequence finding. GuardDuty generates an attack sequence finding when multiple signals align to a potentially suspicious activity. To receive GuardDuty attack sequence findings in Security Hub CSPM, you must have GuardDuty and GuardDuty S3 Protection enabled. For more information, see GuardDuty Extended Threat Detection in the Amazon GuardDuty User Guide.
Contains information about the signals involved in an Amazon GuardDuty Extended Threat Detection attack sequence. An attack sequence is a type of threat detected by GuardDuty. GuardDuty generates an attack sequence finding when multiple events, or signals, align to a potentially suspicious activity. When GuardDuty and Security Hub CSPM are integrated, GuardDuty sends attack sequence findings to Security Hub CSPM. A signal can be an API activity or a finding that GuardDuty uses to detect an attack sequence finding.
Contains information about the location of a network endpoint involved in an Amazon GuardDuty Extended Threat Detection attack sequence. GuardDuty generates an attack sequence finding when multiple events align to a potentially suspicious activity. To receive GuardDuty attack sequence findings in Security Hub CSPM, you must have GuardDuty enabled. For more information, see GuardDuty Extended Threat Detection in the Amazon GuardDuty User Guide.
Contains information about the network connection involved in an Amazon GuardDuty Extended Threat Detection attack sequence. GuardDuty generates an attack sequence finding when multiple events align to a potentially suspicious activity. To receive GuardDuty attack sequence findings in Security Hub CSPM, you must have GuardDuty enabled. For more information, see GuardDuty Extended Threat Detection in the Amazon GuardDuty User Guide.
Contains information about the Autonomous System (AS) of the network endpoints involved in an Amazon GuardDuty Extended Threat Detection attack sequence. GuardDuty generates an attack sequence finding when multiple events align to a potentially suspicious activity. To receive GuardDuty attack sequence findings in Security Hub CSPM, you must have GuardDuty enabled. For more information, see GuardDuty Extended Threat Detection in the Amazon GuardDuty User Guide.
Contains information about network endpoints involved in an Amazon GuardDuty Extended Threat Detection attack sequence. GuardDuty generates an attack sequence finding when multiple events align to a potentially suspicious activity. To receive GuardDuty attack sequence findings in Security Hub CSPM, you must have GuardDuty enabled. For more information, see GuardDuty Extended Threat Detection in the Amazon GuardDuty User Guide. This field can provide information about the network endpoints associated with the resource in the attack sequence finding, or about a specific network endpoint used for the attack.
Contains information about an Amazon GuardDuty Extended Threat Detection attack sequence finding. GuardDuty generates an attack sequence finding when multiple events align to a potentially suspicious activity. To receive GuardDuty attack sequence findings in Security Hub CSPM, you must have GuardDuty enabled. For more information, see GuardDuty Extended Threat Detection in the Amazon GuardDuty User Guide.
A top-level object field that provides details about an Amazon GuardDuty Extended Threat Detection attack sequence. GuardDuty generates an attack sequence finding when multiple events align to a potentially suspicious activity. To receive GuardDuty attack sequence findings in Security Hub CSPM, you must have GuardDuty enabled. For more information, see GuardDuty Extended Threat Detection in the Amazon GuardDuty User Guide.
Provides additional context for the value of Compliance.Status.
A parameter that a security control accepts.
This object typically provides details about a control finding, such as applicable standards and the status of control checks. While finding providers can add custom content in Compliance object fields, they are typically used to review details of Security Hub CSPM control findings.
Provides a consistent format for Security Hub CSPM findings. AwsSecurityFinding format allows you to share findings between Amazon Web Services security services and third-party solutions. A finding is a potential security issue generated either by Amazon Web Services services or by the integrated third-party solutions and standards checks.
A keyword filter for querying findings.
Boolean filter for querying findings.
A collection of filters that are applied to all active findings aggregated by Security Hub CSPM. You can filter by up to ten finding attributes. For each attribute, you can provide up to 20 filter values.
Identifies which finding to get the finding history for.
Deletes one or more automation rules.
A list of objects containing RuleArn, ErrorCode, and ErrorMessage. This parameter tells you which automation rules the request didn't process and why.
Deletes one or more automation rules.
Disables the standards specified by the provided StandardsSubscriptionArns. For more information, see Security Standards section of the Security Hub CSPM User Guide.
The reason for the current status of your subscription to the standard.
A resource that represents your subscription to a supported standard.
Disables the standards specified by the provided StandardsSubscriptionArns. For more information, see Security Standards section of the Security Hub CSPM User Guide.
The standard that you want to enable.
Enables the standards specified by the provided StandardsArn. To obtain the ARN for a standard, use the DescribeStandards operation. For more information, see the Security Standards section of the Security Hub CSPM User Guide.
Enables the standards specified by the provided StandardsArn. To obtain the ARN for a standard, use the DescribeStandards operation. For more information, see the Security Standards section of the Security Hub CSPM User Guide.
Retrieves a list of details for automation rules based on rule Amazon Resource Names (ARNs).
Retrieves a list of details for automation rules based on rule Amazon Resource Names (ARNs).
The target account, organizational unit, or the root that is associated with an Security Hub CSPM configuration. The configuration can be a configuration policy or self-managed behavior.
Provides details about the association between an Security Hub CSPM configuration and a target account, organizational unit, or the root. An association can exist between a target and a configuration policy, or between a target and self-managed behavior.
Returns associations between an Security Hub CSPM configuration and a batch of target accounts, organizational units, or the root. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region. A configuration can refer to a configuration policy or to a self-managed configuration.
An array of configuration policy associations, one for each configuration policy association identifier, that was specified in a BatchGetConfigurationPolicyAssociations request but couldn’t be processed due to an error.
An object that contains the details of a configuration policy association that’s returned in a ListConfigurationPolicyAssociations request.
Returns associations between an Security Hub CSPM configuration and a batch of target accounts, organizational units, or the root. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region. A configuration can refer to a configuration policy or to a self-managed configuration.
Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region.
Provides details about a security control for which a response couldn't be returned.
An object that includes the data type of a security control parameter and its current value.
An object that provides the current value of a security control parameter and identifies whether it has been customized.
A security control in Security Hub CSPM describes a security best practice related to a specific resource.
Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region.
An array with one or more objects that includes a security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) and the Amazon Resource Name (ARN) of a standard. The security control ID or ARN is the same across standards.
For a batch of security controls and standards, identifies whether each control is currently enabled or disabled in a standard. Calls to this operation return a RESOURCE_NOT_FOUND_EXCEPTION error when the standard subscription for the association has a NOT_READY_FOR_UPDATES value for StandardsControlsUpdatable.
Provides details about which control's enablement status couldn't be retrieved in a specified standard when calling BatchUpdateStandardsControlAssociations. This parameter also provides details about why the request was unprocessed.
Provides details about a control's enablement status in a specified standard.
For a batch of security controls and standards, identifies whether each control is currently enabled or disabled in a standard. Calls to this operation return a RESOURCE_NOT_FOUND_EXCEPTION error when the standard subscription for the association has a NOT_READY_FOR_UPDATES value for StandardsControlsUpdatable.
Imports security findings generated by a finding provider into Security Hub CSPM. This action is requested by the finding provider to import its findings into Security Hub CSPM. BatchImportFindings must be called by one of the following: The Amazon Web Services account that is associated with a finding if you are using the default product ARN or are a partner sending findings from within a customer's Amazon Web Services account. In these cases, the identifier of the account that you are calling BatchImportFindings from needs to be the same as the AwsAccountId attribute for the finding. An Amazon Web Services account that Security Hub CSPM has allow-listed for an official partner integration. In this case, you can call BatchImportFindings from the allow-listed account and send findings from different customer accounts in the same batch. The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb. After a finding is created, BatchImportFindings cannot be used to update the following finding fields and objects, which Security Hub CSPM customers use to manage their investigation workflow. Note UserDefinedFields VerificationState Workflow Finding providers also should not use BatchImportFindings to update the following attributes. Confidence Criticality RelatedFindings Severity Types Instead, finding providers use FindingProviderFields to provide values for these attributes.
The list of the findings that cannot be imported. For each finding, the list provides the error.
Imports security findings generated by a finding provider into Security Hub CSPM. This action is requested by the finding provider to import its findings into Security Hub CSPM. BatchImportFindings must be called by one of the following: The Amazon Web Services account that is associated with a finding if you are using the default product ARN or are a partner sending findings from within a customer's Amazon Web Services account. In these cases, the identifier of the account that you are calling BatchImportFindings from needs to be the same as the AwsAccountId attribute for the finding. An Amazon Web Services account that Security Hub CSPM has allow-listed for an official partner integration. In this case, you can call BatchImportFindings from the allow-listed account and send findings from different customer accounts in the same batch. The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb. After a finding is created, BatchImportFindings cannot be used to update the following finding fields and objects, which Security Hub CSPM customers use to manage their investigation workflow. Note UserDefinedFields VerificationState Workflow Finding providers also should not use BatchImportFindings to update the following attributes. Confidence Criticality RelatedFindings Severity Types Instead, finding providers use FindingProviderFields to provide values for these attributes.
Specifies the parameters to update in an existing automation rule.
Updates one or more automation rules based on rule Amazon Resource Names (ARNs) and input parameters.
Updates one or more automation rules based on rule Amazon Resource Names (ARNs) and input parameters.
Used by Security Hub CSPM customers to update information about their investigation into one or more findings. Requested by administrator accounts or member accounts. Administrator accounts can update findings for their account and their member accounts. A member account can update findings only for their own account. Administrator and member accounts can use this operation to update the following fields and objects for one or more findings: Confidence Criticality Note RelatedFindings Severity Types UserDefinedFields VerificationState Workflow If you use this operation to update a finding, your updates don’t affect the value for the UpdatedAt field of the finding. Also note that it can take several minutes for Security Hub CSPM to process your request and update each finding specified in the request. You can configure IAM policies to restrict access to fields and field values. For example, you might not want member accounts to be able to suppress findings or change the finding severity. For more information see Configuring access to BatchUpdateFindings in the Security Hub CSPM User Guide.
A finding from a BatchUpdateFindings request that Security Hub CSPM was unable to update.
Used by Security Hub CSPM customers to update information about their investigation into one or more findings. Requested by administrator accounts or member accounts. Administrator accounts can update findings for their account and their member accounts. A member account can update findings only for their own account. Administrator and member accounts can use this operation to update the following fields and objects for one or more findings: Confidence Criticality Note RelatedFindings Severity Types UserDefinedFields VerificationState Workflow If you use this operation to update a finding, your updates don’t affect the value for the UpdatedAt field of the finding. Also note that it can take several minutes for Security Hub CSPM to process your request and update each finding specified in the request. You can configure IAM policies to restrict access to fields and field values. For example, you might not want member accounts to be able to suppress findings or change the finding severity. For more information see Configuring access to BatchUpdateFindings in the Security Hub CSPM User Guide.
Provides a standard to identify security findings using OCSF.
The list of findings that were updated.
Updates information about a customer's investigation into a finding. Delegated administrator accounts can update findings for their account and their member accounts. Member accounts can update findings for their own account. BatchUpdateFindings and BatchUpdateFindingsV2 both use securityhub:BatchUpdateFindings in the Action element of an IAM policy statement. You must have permission to perform the securityhub:BatchUpdateFindings action. You can configure IAM policies to restrict access to specific finding fields or field values by using the securityhub:OCSFSyntaxPath/<fieldName> condition key, where <fieldName> is one of the following supported fields: SeverityId, StatusId, or Comment. To prevent a user from updating a specific field, use a Null condition with securityhub:OCSFSyntaxPath/<fieldName> set to "false". To prevent a user from setting a field to a specific value, use a StringEquals condition with securityhub:OCSFSyntaxPath/<fieldName> set to the disallowed value or list of values. Updates from BatchUpdateFindingsV2 don't affect the value of finding_info.modified_time, finding_info.modified_time_dt, time, or time_dt for a finding.
The request has failed validation because it's missing required fields or has invalid inputs.
The limit on the number of requests per second was exceeded.
The request has failed due to an internal failure of the service.
The request causes conflict with the current state of the service resource.
The list of findings that were not updated.
Updates information about a customer's investigation into a finding. Delegated administrator accounts can update findings for their account and their member accounts. Member accounts can update findings for their own account. BatchUpdateFindings and BatchUpdateFindingsV2 both use securityhub:BatchUpdateFindings in the Action element of an IAM policy statement. You must have permission to perform the securityhub:BatchUpdateFindings action. You can configure IAM policies to restrict access to specific finding fields or field values by using the securityhub:OCSFSyntaxPath/<fieldName> condition key, where <fieldName> is one of the following supported fields: SeverityId, StatusId, or Comment. To prevent a user from updating a specific field, use a Null condition with securityhub:OCSFSyntaxPath/<fieldName> set to "false". To prevent a user from setting a field to a specific value, use a StringEquals condition with securityhub:OCSFSyntaxPath/<fieldName> set to the disallowed value or list of values. Updates from BatchUpdateFindingsV2 don't affect the value of finding_info.modified_time, finding_info.modified_time_dt, time, or time_dt for a finding.
An array of requested updates to the enablement status of controls in specified standards. The objects in the array include a security control ID, the Amazon Resource Name (ARN) of the standard, the requested enablement status, and the reason for updating the enablement status.
For a batch of security controls and standards, this operation updates the enablement status of a control in a standard.
Provides details about which control's enablement status could not be updated in a specified standard when calling the BatchUpdateStandardsControlAssociations API. This parameter also provides details about why the request was unprocessed.
For a batch of security controls and standards, this operation updates the enablement status of a control in a standard.
The options for customizing a security control parameter with a boolean. For a boolean parameter, the options are true and false.
Enables filtering of security findings based on string field values in OCSF.
Enables filtering of security findings based on numerical field values in OCSF.
Enables filtering of security findings based on map field values in OCSF.
The structure for filtering findings based on IP address attributes.
Enables filtering of security findings based on date and timestamp fields in OCSF.
Enables filtering of security findings based on boolean field values in OCSF.
module CompositeFilter : sig ... endEnables the creation of filtering criteria for security findings.
module CompositeFilterList : sig ... endThe options for customizing a security control parameter that is a list of strings.
The options for customizing a security control parameter that is a string.
The options for customizing a security control parameter that is a list of integers.
The options for customizing a security control parameter that is an integer.
The options for customizing a security control parameter that is a list of enums.
The options for customizing a security control parameter that is an enum.
The options for customizing a security control parameter that is a double.
The options for customizing a security control parameter.
An object that contains the details of an Security Hub CSPM configuration policy that’s returned in a ListConfigurationPolicies request.
The connectorV2 third-party provider configuration summary.
A condensed overview of the connectorV2..
Creates a custom action target in Security Hub CSPM. You can use custom actions on findings and insights in Security Hub CSPM to trigger target actions in Amazon CloudWatch Events.
The resource specified in the request conflicts with an existing resource.
Creates a custom action target in Security Hub CSPM. You can use custom actions on findings and insights in Security Hub CSPM to trigger target actions in Amazon CloudWatch Events.
Enables aggregation across Amazon Web Services Regions.
The request was rejected because it would exceed the service quota limit.
Enables aggregation across Amazon Web Services Regions.
Creates an automation rule based on input parameters.
Creates an automation rule based on input parameters.
Specifies the filtering criteria for security findings using OCSF.
Defines the parameters and conditions used to evaluate and filter security findings.
Creates a V2 automation rule.
Creates a V2 automation rule.
A list of security controls and control parameter values that are included in a configuration policy.
An object that defines which security controls are enabled in an Security Hub CSPM configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.
An object that defines how Security Hub CSPM is configured. The configuration policy includes whether Security Hub CSPM is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub CSPM disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub CSPM enables all other controls (including newly released controls).
An object that defines how Security Hub CSPM is configured. It includes whether Security Hub CSPM is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub CSPM disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub CSPM enables all other controls (including newly released controls).
Creates a configuration policy with the defined configuration. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region.
Creates a configuration policy with the defined configuration. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region.
The initial configuration settings required to establish an integration between Security Hub and ServiceNow ITSM.
The initial configuration settings required to establish an integration between Security Hub and Jira Cloud.
The initial configuration settings required to establish an integration between Security Hub and third-party provider.
Grants permission to create a connectorV2 based on input parameters.
Grants permission to create a connectorV2 based on input parameters.
The aggregation Region is now called the home Region. Used to enable cross-Region aggregation. This operation can be invoked from the home Region only. For information about how cross-Region aggregation works, see Understanding cross-Region aggregation in Security Hub CSPM in the Security Hub CSPM User Guide.
The aggregation Region is now called the home Region. Used to enable cross-Region aggregation. This operation can be invoked from the home Region only. For information about how cross-Region aggregation works, see Understanding cross-Region aggregation in Security Hub CSPM in the Security Hub CSPM User Guide.
Creates a custom insight in Security Hub CSPM. An insight is a consolidation of findings that relate to a security issue that requires attention or remediation. To group the related findings in the insight, use the GroupByAttribute.
Creates a custom insight in Security Hub CSPM. An insight is a consolidation of findings that relate to a security issue that requires attention or remediation. To group the related findings in the insight, use the GroupByAttribute.
Creates a member association in Security Hub CSPM between the specified accounts and the account used to make the request, which is the administrator account. If you are integrated with Organizations, then the administrator account is designated by the organization management account. CreateMembers is always used to add accounts that are not organization members. For accounts that are managed using Organizations, CreateMembers is only used in the following cases: Security Hub CSPM is not configured to automatically add new organization accounts. The account was disassociated or deleted in Security Hub CSPM. This action can only be used by an account that has Security Hub CSPM enabled. To enable Security Hub CSPM, you can use the EnableSecurityHub operation. For accounts that are not organization members, you create the account association and then send an invitation to the member account. To send the invitation, you use the InviteMembers operation. If the account owner accepts the invitation, the account becomes a member account in Security Hub CSPM. Accounts that are managed using Organizations don't receive an invitation. They automatically become a member account in Security Hub CSPM. If the organization account does not have Security Hub CSPM enabled, then Security Hub CSPM and the default standards are automatically enabled. Note that Security Hub CSPM cannot be enabled automatically for the organization management account. The organization management account must enable Security Hub CSPM before the administrator account enables it as a member account. For organization accounts that already have Security Hub CSPM enabled, Security Hub CSPM does not make any other changes to those accounts. It does not change their enabled standards or controls. A permissions policy is added that permits the administrator account to view the findings generated in the member account. To remove the association between the administrator and member accounts, use the DisassociateFromMasterAccount or DisassociateMembers operation.
Creates a member association in Security Hub CSPM between the specified accounts and the account used to make the request, which is the administrator account. If you are integrated with Organizations, then the administrator account is designated by the organization management account. CreateMembers is always used to add accounts that are not organization members. For accounts that are managed using Organizations, CreateMembers is only used in the following cases: Security Hub CSPM is not configured to automatically add new organization accounts. The account was disassociated or deleted in Security Hub CSPM. This action can only be used by an account that has Security Hub CSPM enabled. To enable Security Hub CSPM, you can use the EnableSecurityHub operation. For accounts that are not organization members, you create the account association and then send an invitation to the member account. To send the invitation, you use the InviteMembers operation. If the account owner accepts the invitation, the account becomes a member account in Security Hub CSPM. Accounts that are managed using Organizations don't receive an invitation. They automatically become a member account in Security Hub CSPM. If the organization account does not have Security Hub CSPM enabled, then Security Hub CSPM and the default standards are automatically enabled. Note that Security Hub CSPM cannot be enabled automatically for the organization management account. The organization management account must enable Security Hub CSPM before the administrator account enables it as a member account. For organization accounts that already have Security Hub CSPM enabled, Security Hub CSPM does not make any other changes to those accounts. It does not change their enabled standards or controls. A permissions policy is added that permits the administrator account to view the findings generated in the member account. To remove the association between the administrator and member accounts, use the DisassociateFromMasterAccount or DisassociateMembers operation.
Grants permission to create a ticket in the chosen ITSM based on finding information for the provided finding metadata UID.
Grants permission to create a ticket in the chosen ITSM based on finding information for the provided finding metadata UID.
We recommend using Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see Managing Security Hub CSPM administrator and member accounts with Organizations in the Security Hub CSPM User Guide. Declines invitations to become a Security Hub CSPM member account. A prospective member account uses this operation to decline an invitation to become a member. Only member accounts that aren't part of an Amazon Web Services organization should use this operation. Organization accounts don't receive invitations.
We recommend using Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see Managing Security Hub CSPM administrator and member accounts with Organizations in the Security Hub CSPM User Guide. Declines invitations to become a Security Hub CSPM member account. A prospective member account uses this operation to decline an invitation to become a member. Only member accounts that aren't part of an Amazon Web Services organization should use this operation. Organization accounts don't receive invitations.
Deletes a custom action target from Security Hub CSPM. Deleting a custom action target does not affect any findings or insights that were already sent to Amazon CloudWatch Events using the custom action.
Deletes a custom action target from Security Hub CSPM. Deleting a custom action target does not affect any findings or insights that were already sent to Amazon CloudWatch Events using the custom action.
Deletes the Aggregator V2.
Deletes the Aggregator V2.
Deletes a V2 automation rule.
Deletes a V2 automation rule.
Deletes a configuration policy. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region. For the deletion to succeed, you must first disassociate a configuration policy from target accounts, organizational units, or the root by invoking the StartConfigurationPolicyDisassociation operation.
Deletes a configuration policy. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region. For the deletion to succeed, you must first disassociate a configuration policy from target accounts, organizational units, or the root by invoking the StartConfigurationPolicyDisassociation operation.
Grants permission to delete a connectorV2.
Grants permission to delete a connectorV2.
The aggregation Region is now called the home Region. Deletes a finding aggregator. When you delete the finding aggregator, you stop cross-Region aggregation. Finding replication stops occurring from the linked Regions to the home Region. When you stop cross-Region aggregation, findings that were already replicated and sent to the home Region are still visible from the home Region. However, new findings and finding updates are no longer replicated and sent to the home Region.
The aggregation Region is now called the home Region. Deletes a finding aggregator. When you delete the finding aggregator, you stop cross-Region aggregation. Finding replication stops occurring from the linked Regions to the home Region. When you stop cross-Region aggregation, findings that were already replicated and sent to the home Region are still visible from the home Region. However, new findings and finding updates are no longer replicated and sent to the home Region.
Deletes the insight specified by the InsightArn.
Deletes the insight specified by the InsightArn.
We recommend using Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see Managing Security Hub CSPM administrator and member accounts with Organizations in the Security Hub CSPM User Guide. Deletes invitations to become a Security Hub CSPM member account. A Security Hub CSPM administrator account can use this operation to delete invitations sent to one or more prospective member accounts. This operation is only used to delete invitations that are sent to prospective member accounts that aren't part of an Amazon Web Services organization. Organization accounts don't receive invitations.
We recommend using Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see Managing Security Hub CSPM administrator and member accounts with Organizations in the Security Hub CSPM User Guide. Deletes invitations to become a Security Hub CSPM member account. A Security Hub CSPM administrator account can use this operation to delete invitations sent to one or more prospective member accounts. This operation is only used to delete invitations that are sent to prospective member accounts that aren't part of an Amazon Web Services organization. Organization accounts don't receive invitations.
Deletes the specified member accounts from Security Hub CSPM. You can invoke this API only to delete accounts that became members through invitation. You can't invoke this API to delete accounts that belong to an Organizations organization.
Deletes the specified member accounts from Security Hub CSPM. You can invoke this API only to delete accounts that became members through invitation. You can't invoke this API to delete accounts that belong to an Organizations organization.
Returns a list of the custom action targets in Security Hub CSPM in your account.
Returns a list of the custom action targets in Security Hub CSPM in your account.
Returns details about the Hub resource in your account, including the HubArn and the time when you enabled Security Hub CSPM.
Returns details about the Hub resource in your account, including the HubArn and the time when you enabled Security Hub CSPM.
Returns information about the way your organization is configured in Security Hub CSPM. Only the Security Hub CSPM administrator account can invoke this operation.
Provides information about the way an organization is configured in Security Hub CSPM.
Returns information about the way your organization is configured in Security Hub CSPM. Only the Security Hub CSPM administrator account can invoke this operation.
Returns information about product integrations in Security Hub CSPM. You can optionally provide an integration ARN. If you provide an integration ARN, then the results only include that integration. If you don't provide an integration ARN, then the results include all of the available product integrations.
Returns information about product integrations in Security Hub CSPM. You can optionally provide an integration ARN. If you provide an integration ARN, then the results only include that integration. If you don't provide an integration ARN, then the results include all of the available product integrations.
Gets information about the product integration.
Gets information about the product integration.
Returns details about the service resource in your account.
Returns details about the service resource in your account.
Returns a list of security standards controls. For each control, the results include information about whether it is currently enabled, the severity, and a link to remediation information. This operation returns an empty list for standard subscriptions where StandardsControlsUpdatable has value NOT_READY_FOR_UPDATES.
Details for an individual security standard control.
Returns a list of security standards controls. For each control, the results include information about whether it is currently enabled, the severity, and a link to remediation information. This operation returns an empty list for standard subscriptions where StandardsControlsUpdatable has value NOT_READY_FOR_UPDATES.
Returns a list of the available standards in Security Hub CSPM. For each standard, the results include the standard ARN, the name, and a description.
Provides details about the management of a security standard.
Returns a list of the available standards in Security Hub CSPM. For each standard, the results include the standard ARN, the name, and a description.
Disables the integration of the specified product with Security Hub CSPM. After the integration is disabled, findings from that product are no longer sent to Security Hub CSPM.
Disables the integration of the specified product with Security Hub CSPM. After the integration is disabled, findings from that product are no longer sent to Security Hub CSPM.
Disables a Security Hub CSPM administrator account. Can only be called by the organization management account.
Disables a Security Hub CSPM administrator account. Can only be called by the organization management account.
Disables Security Hub CSPM in your account only in the current Amazon Web Services Region. To disable Security Hub CSPM in all Regions, you must submit one request per Region where you have enabled Security Hub CSPM. You can't disable Security Hub CSPM in an account that is currently the Security Hub CSPM administrator. When you disable Security Hub CSPM, your existing findings and insights and any Security Hub CSPM configuration settings are deleted after 90 days and cannot be recovered. Any standards that were enabled are disabled, and your administrator and member account associations are removed. If you want to save your existing findings, you must export them before you disable Security Hub CSPM.
Disables Security Hub CSPM in your account only in the current Amazon Web Services Region. To disable Security Hub CSPM in all Regions, you must submit one request per Region where you have enabled Security Hub CSPM. You can't disable Security Hub CSPM in an account that is currently the Security Hub CSPM administrator. When you disable Security Hub CSPM, your existing findings and insights and any Security Hub CSPM configuration settings are deleted after 90 days and cannot be recovered. Any standards that were enabled are disabled, and your administrator and member account associations are removed. If you want to save your existing findings, you must export them before you disable Security Hub CSPM.
Disable the service for the current Amazon Web Services Region or specified Amazon Web Services Region.
Disable the service for the current Amazon Web Services Region or specified Amazon Web Services Region.
Disassociates the current Security Hub CSPM member account from the associated administrator account. This operation is only used by accounts that are not part of an organization. For organization accounts, only the administrator account can disassociate a member account.
Disassociates the current Security Hub CSPM member account from the associated administrator account. This operation is only used by accounts that are not part of an organization. For organization accounts, only the administrator account can disassociate a member account.
This method is deprecated. Instead, use DisassociateFromAdministratorAccount. The Security Hub CSPM console continues to use DisassociateFromMasterAccount. It will eventually change to use DisassociateFromAdministratorAccount. Any IAM policies that specifically control access to this function must continue to use DisassociateFromMasterAccount. You should also add DisassociateFromAdministratorAccount to your policies to ensure that the correct permissions are in place after the console begins to use DisassociateFromAdministratorAccount. Disassociates the current Security Hub CSPM member account from the associated administrator account. This operation is only used by accounts that are not part of an organization. For organization accounts, only the administrator account can disassociate a member account.
This method is deprecated. Instead, use DisassociateFromAdministratorAccount. The Security Hub CSPM console continues to use DisassociateFromMasterAccount. It will eventually change to use DisassociateFromAdministratorAccount. Any IAM policies that specifically control access to this function must continue to use DisassociateFromMasterAccount. You should also add DisassociateFromAdministratorAccount to your policies to ensure that the correct permissions are in place after the console begins to use DisassociateFromAdministratorAccount. Disassociates the current Security Hub CSPM member account from the associated administrator account. This operation is only used by accounts that are not part of an organization. For organization accounts, only the administrator account can disassociate a member account.
Disassociates the specified member accounts from the associated administrator account. Can be used to disassociate both accounts that are managed using Organizations and accounts that were invited manually.
Disassociates the specified member accounts from the associated administrator account. Can be used to disassociate both accounts that are managed using Organizations and accounts that were invited manually.
Enables the integration of a partner product with Security Hub CSPM. Integrated products send findings to Security Hub CSPM. When you enable a product integration, a permissions policy that grants permission for the product to send findings to Security Hub CSPM is applied.
Enables the integration of a partner product with Security Hub CSPM. Integrated products send findings to Security Hub CSPM. When you enable a product integration, a permissions policy that grants permission for the product to send findings to Security Hub CSPM is applied.
Designates the Security Hub CSPM administrator account for an organization. Can only be called by the organization management account.
Designates the Security Hub CSPM administrator account for an organization. Can only be called by the organization management account.
Enables Security Hub CSPM for your account in the current Region or the Region you specify in the request. When you enable Security Hub CSPM, you grant to Security Hub CSPM the permissions necessary to gather findings from other services that are integrated with Security Hub CSPM. When you use the EnableSecurityHub operation to enable Security Hub CSPM, you also automatically enable the following standards: Center for Internet Security (CIS) Amazon Web Services Foundations Benchmark v1.2.0 Amazon Web Services Foundational Security Best Practices Other standards are not automatically enabled. To opt out of automatically enabled standards, set EnableDefaultStandards to false. After you enable Security Hub CSPM, to enable a standard, use the BatchEnableStandards operation. To disable a standard, use the BatchDisableStandards operation. To learn more, see the setup information in the Security Hub CSPM User Guide.
Enables Security Hub CSPM for your account in the current Region or the Region you specify in the request. When you enable Security Hub CSPM, you grant to Security Hub CSPM the permissions necessary to gather findings from other services that are integrated with Security Hub CSPM. When you use the EnableSecurityHub operation to enable Security Hub CSPM, you also automatically enable the following standards: Center for Internet Security (CIS) Amazon Web Services Foundations Benchmark v1.2.0 Amazon Web Services Foundational Security Best Practices Other standards are not automatically enabled. To opt out of automatically enabled standards, set EnableDefaultStandards to false. After you enable Security Hub CSPM, to enable a standard, use the BatchEnableStandards operation. To disable a standard, use the BatchDisableStandards operation. To learn more, see the setup information in the Security Hub CSPM User Guide.
Enables the service in account for the current Amazon Web Services Region or specified Amazon Web Services Region.
Enables the service in account for the current Amazon Web Services Region or specified Amazon Web Services Region.
A finding aggregator is a Security Hub CSPM resource that specifies cross-Region aggregation settings, including the home Region and any linked Regions.
An array of objects that provides details about a change to a finding, including the Amazon Web Services Security Finding Format (ASFF) field that changed, the value of the field before the change, and the value of the field after the change.
Identifies the source of the finding change event.
A list of events that changed the specified finding during the specified time period. Each record represents a single finding change event.
Defines the data boundary for a findings query. Scopes determine which organizational units or organizations to retrieve data from.
A filter for string-based fields in findings trend data.
module FindingsTrendsCompositeFilter : sig ... endA filter structure that contains a logical combination of string filters and nested composite filters for findings trend data.
module FindingsTrendsCompositeFilterList : sig ... endThe structure that defines filters to apply to findings trend data queries.
Begins the recommended policy generation to remediate a Security Hub finding. GenerateRecommendedPolicyV2 only supports findings for unused permissions.
Begins the recommended policy generation to remediate a Security Hub finding. GenerateRecommendedPolicyV2 only supports findings for unused permissions.
Provides the details for the Security Hub CSPM administrator account for the current member account. Can be used by both member accounts that are managed using Organizations and accounts that were invited manually.
Details about an invitation.
Provides the details for the Security Hub CSPM administrator account for the current member account. Can be used by both member accounts that are managed using Organizations and accounts that were invited manually.
Returns the configuration of the specified Aggregator V2.
Returns the configuration of the specified Aggregator V2.
Returns an automation rule for the V2 service.
Returns an automation rule for the V2 service.
Returns the association between a configuration and a target account, organizational unit, or the root. The configuration can be a configuration policy or self-managed behavior. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region.
Returns the association between a configuration and a target account, organizational unit, or the root. The configuration can be a configuration policy or self-managed behavior. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region.
Provides information about a configuration policy. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region.
Provides information about a configuration policy. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region.
Grants permission to retrieve details for a connectorV2 based on connector id.
Information about a ServiceNow ITSM integration.
Information about the configuration and status of a Jira Cloud integration.
The third-party provider detail for a service configuration.
Information about the operational status and health of a connectorV2.
Grants permission to retrieve details for a connectorV2 based on connector id.
Returns a list of the standards that are currently enabled.
Returns a list of the standards that are currently enabled.
The aggregation Region is now called the home Region. Returns the current configuration in the calling account for cross-Region aggregation. A finding aggregator is a resource that establishes the home Region and any linked Regions.
The aggregation Region is now called the home Region. Returns the current configuration in the calling account for cross-Region aggregation. A finding aggregator is a resource that establishes the home Region and any linked Regions.
Returns the history of a Security Hub CSPM finding. The history includes changes made to any fields in the Amazon Web Services Security Finding Format (ASFF) except top-level timestamp fields, such as the CreatedAt and UpdatedAt fields. This operation might return fewer results than the maximum number of results (MaxResults) specified in a request, even when more results are available. If this occurs, the response includes a NextToken value, which you should use to retrieve the next set of results in the response. The presence of a NextToken value in a response doesn't necessarily indicate that the results are incomplete. However, you should continue to specify a NextToken value until you receive a response that doesn't include this value.
Returns the history of a Security Hub CSPM finding. The history includes changes made to any fields in the Amazon Web Services Security Finding Format (ASFF) except top-level timestamp fields, such as the CreatedAt and UpdatedAt fields. This operation might return fewer results than the maximum number of results (MaxResults) specified in a request, even when more results are available. If this occurs, the response includes a NextToken value, which you should use to retrieve the next set of results in the response. The presence of a NextToken value in a response doesn't necessarily indicate that the results are incomplete. However, you should continue to specify a NextToken value until you receive a response that doesn't include this value.
Defines the how the finding attribute should be grouped.
Returns aggregated statistical data about findings. You can use the Scopes parameter to define the data boundary for the query. Currently, Scopes supports AwsOrganizations, which lets you aggregate findings from your entire organization or from specific organizational units. Only the delegated administrator account can use Scopes. GetFindingStatisticsV2 uses securityhub:GetAdhocInsightResults in the Action element of an IAM policy statement. You must have permission to perform the securityhub:GetAdhocInsightResults action.
The request failed because one or more organizational units specified in the request don't exist within the caller's organization.
The request failed because one or more organizations specified in the request don't exist or don't belong to the caller's organization.
Represents individual aggregated results when grouping security findings for each GroupByField.
Represents finding statistics grouped by GroupedByField.
Returns aggregated statistical data about findings. You can use the Scopes parameter to define the data boundary for the query. Currently, Scopes supports AwsOrganizations, which lets you aggregate findings from your entire organization or from specific organizational units. Only the delegated administrator account can use Scopes. GetFindingStatisticsV2 uses securityhub:GetAdhocInsightResults in the Action element of an IAM policy statement. You must have permission to perform the securityhub:GetAdhocInsightResults action.
A collection of finding attributes used to sort findings.
Returns a list of findings that match the specified criteria. If cross-Region aggregation is enabled, then when you call GetFindings from the home Region, the results include all of the matching findings from both the home Region and linked Regions.
Returns a list of findings that match the specified criteria. If cross-Region aggregation is enabled, then when you call GetFindings from the home Region, the results include all of the matching findings from both the home Region and linked Regions.
Returns findings trend data based on the specified criteria. This operation helps you analyze patterns and changes in findings over time.
Contains counts of findings grouped by severity level for trend analysis.
Contains the aggregated finding values for a specific point in the findings trend timeline.
Contains the findings trend metrics data for a specific time point in the requested time period.
Returns findings trend data based on the specified criteria. This operation helps you analyze patterns and changes in findings over time.
Returns a list of findings that match the specified criteria. You can use the Scopes parameter to define the data boundary for the query. Currently, Scopes supports AwsOrganizations, which lets you retrieve findings from your entire organization or from specific organizational units. Only the delegated administrator account can use Scopes. You can use the Filters parameter to refine results based on finding attributes. You can use Scopes and Filters independently or together. When both are provided, Scopes narrows the data set first, and then Filters refines results within that scoped data set. GetFindings and GetFindingsV2 both use securityhub:GetFindings in the Action element of an IAM policy statement. You must have permission to perform the securityhub:GetFindings action.
Returns a list of findings that match the specified criteria. You can use the Scopes parameter to define the data boundary for the query. Currently, Scopes supports AwsOrganizations, which lets you retrieve findings from your entire organization or from specific organizational units. Only the delegated administrator account can use Scopes. You can use the Filters parameter to refine results based on finding attributes. You can use Scopes and Filters independently or together. When both are provided, Scopes narrows the data set first, and then Filters refines results within that scoped data set. GetFindings and GetFindingsV2 both use securityhub:GetFindings in the Action element of an IAM policy statement. You must have permission to perform the securityhub:GetFindings action.
Lists the results of the Security Hub CSPM insight specified by the insight ARN.
The insight result values returned by the GetInsightResults operation.
The insight results returned by the GetInsightResults operation.
Lists the results of the Security Hub CSPM insight specified by the insight ARN.
Lists and describes insights for the specified insight ARNs.
Lists and describes insights for the specified insight ARNs.
We recommend using Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see Managing Security Hub CSPM administrator and member accounts with Organizations in the Security Hub CSPM User Guide. Returns the count of all Security Hub CSPM membership invitations that were sent to the calling member account, not including the currently accepted invitation.
We recommend using Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see Managing Security Hub CSPM administrator and member accounts with Organizations in the Security Hub CSPM User Guide. Returns the count of all Security Hub CSPM membership invitations that were sent to the calling member account, not including the currently accepted invitation.
This method is deprecated. Instead, use GetAdministratorAccount. The Security Hub CSPM console continues to use GetMasterAccount. It will eventually change to use GetAdministratorAccount. Any IAM policies that specifically control access to this function must continue to use GetMasterAccount. You should also add GetAdministratorAccount to your policies to ensure that the correct permissions are in place after the console begins to use GetAdministratorAccount. Provides the details for the Security Hub CSPM administrator account for the current member account. Can be used by both member accounts that are managed using Organizations and accounts that were invited manually.
This method is deprecated. Instead, use GetAdministratorAccount. The Security Hub CSPM console continues to use GetMasterAccount. It will eventually change to use GetAdministratorAccount. Any IAM policies that specifically control access to this function must continue to use GetMasterAccount. You should also add GetAdministratorAccount to your policies to ensure that the correct permissions are in place after the console begins to use GetAdministratorAccount. Provides the details for the Security Hub CSPM administrator account for the current member account. Can be used by both member accounts that are managed using Organizations and accounts that were invited manually.
Returns the details for the Security Hub CSPM member accounts for the specified account IDs. An administrator account can be either the delegated Security Hub CSPM administrator account for an organization or an administrator account that enabled Security Hub CSPM manually. The results include both member accounts that are managed using Organizations and accounts that were invited manually.
Returns the details for the Security Hub CSPM member accounts for the specified account IDs. An administrator account can be either the delegated Security Hub CSPM administrator account for an organization or an administrator account that enabled Security Hub CSPM manually. The results include both member accounts that are managed using Organizations and accounts that were invited manually.
Retrieves the recommended policy to remediate a Security Hub finding. GetRecommendedPolicyV2 only supports findings for unused permissions.
Contains information about the action to take for a policy in an unused permissions finding.
Contains information about a recommended step to remediate a Security Hub finding.
Contains information about the reason that the retrieval of a recommended policy for a finding failed.
Retrieves the recommended policy to remediate a Security Hub finding. GetRecommendedPolicyV2 only supports findings for unused permissions.
Defines the data boundary for a resources query. Scopes determine which organizational units or organizations to retrieve data from.
Enables filtering of Amazon Web Services resources based on string field values.
Enables filtering of Amazon Web Services resources based on numerical values.
Enables filtering of Amazon Web Services resources based on key-value map attributes.
Enables the filtering of Amazon Web Services resources based on date and timestamp attributes.
module ResourcesCompositeFilter : sig ... endEnables the creation of criteria for Amazon Web Services resources in Security Hub CSPM.
module ResourcesCompositeFilterList : sig ... endEnables filtering of Amazon Web Services resources based on data.
Defines the configuration for organizing and categorizing Amazon Web Services resources based on associated security findings.
Retrieves statistical information about Amazon Web Services resources and their associated security findings. You can use the Scopes parameter to define the data boundary for the query. Currently, Scopes supports AwsOrganizations, which lets you aggregate resources from your entire organization or from specific organizational units. Only the delegated administrator account can use Scopes.
Retrieves statistical information about Amazon Web Services resources and their associated security findings. You can use the Scopes parameter to define the data boundary for the query. Currently, Scopes supports AwsOrganizations, which lets you aggregate resources from your entire organization or from specific organizational units. Only the delegated administrator account can use Scopes.
A filter for string-based fields in resources trend data, such as resource type or account ID.
module ResourcesTrendsCompositeFilter : sig ... endA filter structure that contains a logical combination of string filters and nested composite filters for resources trend data.
module ResourcesTrendsCompositeFilterList : sig ... endThe structure that defines filters to apply to resources trend data queries.
Returns resource trend data based on the specified criteria. This operation helps you analyze patterns and changes in resource compliance over time.
Contains counts of resources for trend analysis.
Contains the aggregated resource count values for a specific point in the resources trend timeline.
Contains the resource trend metrics data for a specific time point in the requested time period.
Returns resource trend data based on the specified criteria. This operation helps you analyze patterns and changes in resource compliance over time.
Returns a list of resources. You can use the Scopes parameter to define the data boundary for the query. Currently, Scopes supports AwsOrganizations, which lets you retrieve resources from your entire organization or from specific organizational units. Only the delegated administrator account can use Scopes. You can use the Filters parameter to refine results based on resource attributes. You can use Scopes and Filters independently or together. When both are provided, Scopes narrows the data set first, and then Filters refines results within that scoped data set.
Represents tag information associated with Amazon Web Services resources.
A comprehensive distribution of security findings by severity level for Amazon Web Services resources.
A list of summaries for all finding types on a resource.
Provides comprehensive details about an Amazon Web Services resource and its associated security findings.
Returns a list of resources. You can use the Scopes parameter to define the data boundary for the query. Currently, Scopes supports AwsOrganizations, which lets you retrieve resources from your entire organization or from specific organizational units. Only the delegated administrator account can use Scopes. You can use the Filters parameter to refine results based on resource attributes. You can use Scopes and Filters independently or together. When both are provided, Scopes narrows the data set first, and then Filters refines results within that scoped data set.
Retrieves the definition of a security control. The definition includes the control title, description, Region availability, parameter definitions, and other details.
An object that describes a security control parameter and the options for customizing it.
Provides metadata for a security control, including its unique standard-agnostic identifier, title, description, severity, availability in Amazon Web Services Regions, and a link to remediation steps.
Retrieves the definition of a security control. The definition includes the control title, description, Region availability, parameter definitions, and other details.
We recommend using Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see Managing Security Hub CSPM administrator and member accounts with Organizations in the Security Hub CSPM User Guide. Invites other Amazon Web Services accounts to become member accounts for the Security Hub CSPM administrator account that the invitation is sent from. This operation is only used to invite accounts that don't belong to an Amazon Web Services organization. Organization accounts don't receive invitations. Before you can use this action to invite a member, you must first use the CreateMembers action to create the member account in Security Hub CSPM. When the account owner enables Security Hub CSPM and accepts the invitation to become a member account, the administrator account can view the findings generated in the member account.
We recommend using Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see Managing Security Hub CSPM administrator and member accounts with Organizations in the Security Hub CSPM User Guide. Invites other Amazon Web Services accounts to become member accounts for the Security Hub CSPM administrator account that the invitation is sent from. This operation is only used to invite accounts that don't belong to an Amazon Web Services organization. Organization accounts don't receive invitations. Before you can use this action to invite a member, you must first use the CreateMembers action to create the member account in Security Hub CSPM. When the account owner enables Security Hub CSPM and accepts the invitation to become a member account, the administrator account can view the findings generated in the member account.
The parameters used to modify an existing Jira Cloud integration.
Retrieves a list of V2 aggregators.
Retrieves a list of V2 aggregators.
A list of automation rules and their metadata for the calling account.
A list of automation rules and their metadata for the calling account.
Returns a list of automation rules and metadata for the calling account.
Returns a list of automation rules and metadata for the calling account.
Lists the configuration policies that the Security Hub CSPM delegated administrator has created for your organization. Only the delegated administrator can invoke this operation from the home Region.
Lists the configuration policies that the Security Hub CSPM delegated administrator has created for your organization. Only the delegated administrator can invoke this operation from the home Region.
Provides information about the associations for your configuration policies and self-managed behavior. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region.
Provides information about the associations for your configuration policies and self-managed behavior. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region.
Grants permission to retrieve a list of connectorsV2 and their metadata for the calling account.
Grants permission to retrieve a list of connectorsV2 and their metadata for the calling account.
Lists all findings-generating solutions (products) that you are subscribed to receive findings from in Security Hub CSPM.
Lists all findings-generating solutions (products) that you are subscribed to receive findings from in Security Hub CSPM.
If cross-Region aggregation is enabled, then ListFindingAggregators returns the Amazon Resource Name (ARN) of the finding aggregator. You can run this operation from any Amazon Web Services Region.
If cross-Region aggregation is enabled, then ListFindingAggregators returns the Amazon Resource Name (ARN) of the finding aggregator. You can run this operation from any Amazon Web Services Region.
We recommend using Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see Managing Security Hub CSPM administrator and member accounts with Organizations in the Security Hub CSPM User Guide. Lists all Security Hub CSPM membership invitations that were sent to the calling account. Only accounts that are managed by invitation can use this operation. Accounts that are managed using the integration with Organizations don't receive invitations.
We recommend using Organizations instead of Security Hub CSPM invitations to manage your member accounts. For information, see Managing Security Hub CSPM administrator and member accounts with Organizations in the Security Hub CSPM User Guide. Lists all Security Hub CSPM membership invitations that were sent to the calling account. Only accounts that are managed by invitation can use this operation. Accounts that are managed using the integration with Organizations don't receive invitations.
Lists details about all member accounts for the current Security Hub CSPM administrator account. The results include both member accounts that belong to an organization and member accounts that were invited manually.
Lists details about all member accounts for the current Security Hub CSPM administrator account. The results include both member accounts that belong to an organization and member accounts that were invited manually.
Lists the Security Hub CSPM administrator accounts. Can only be called by the organization management account.
Lists the Security Hub CSPM administrator accounts. Can only be called by the organization management account.
Lists all of the security controls that apply to a specified standard.
Lists all of the security controls that apply to a specified standard.
Specifies whether a control is currently enabled or disabled in each enabled standard in the calling account. This operation omits standards control associations for standard subscriptions where StandardsControlsUpdatable has value NOT_READY_FOR_UPDATES.
An array that provides the enablement status and other details for each control that applies to each enabled standard.
Specifies whether a control is currently enabled or disabled in each enabled standard in the calling account. This operation omits standards control associations for standard subscriptions where StandardsControlsUpdatable has value NOT_READY_FOR_UPDATES.
Returns a list of tags associated with a resource.
Returns a list of tags associated with a resource.
The parameters used to modify an existing ServiceNow integration.
The parameters required to update the configuration of an integration provider.
Grants permission to complete the authorization based on input parameters.
Grants permission to complete the authorization based on input parameters.
The request was rejected because it conflicts with the resource's availability. For example, you tried to update a security control that's currently in the UPDATING state.
Associates a target account, organizational unit, or the root with a specified configuration. The target can be associated with a configuration policy or self-managed behavior. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region.
Associates a target account, organizational unit, or the root with a specified configuration. The target can be associated with a configuration policy or self-managed behavior. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region.
Disassociates a target account, organizational unit, or the root from a specified configuration. When you disassociate a configuration from its target, the target inherits the configuration of the closest parent. If there’s no configuration to inherit, the target retains its settings but becomes a self-managed account. A target can be disassociated from a configuration policy or self-managed behavior. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region.
Disassociates a target account, organizational unit, or the root from a specified configuration. When you disassociate a configuration from its target, the target inherits the configuration of the closest parent. If there’s no configuration to inherit, the target retains its settings but becomes a self-managed account. A target can be disassociated from a configuration policy or self-managed behavior. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region.
Adds one or more tags to a resource.
Adds one or more tags to a resource.
Removes one or more tags from a resource.
Removes one or more tags from a resource.
Updates the name and description of a custom action target in Security Hub CSPM.
Updates the name and description of a custom action target in Security Hub CSPM.
Udpates the configuration for the Aggregator V2.
Udpates the configuration for the Aggregator V2.
Updates a V2 automation rule.
Updates a V2 automation rule.
Updates a configuration policy. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region.
Updates a configuration policy. Only the Security Hub CSPM delegated administrator can invoke this operation from the home Region.
Grants permission to update a connectorV2 based on its id and input parameters.
Grants permission to update a connectorV2 based on its id and input parameters.
The aggregation Region is now called the home Region. Updates cross-Region aggregation settings. You can use this operation to update the Region linking mode and the list of included or excluded Amazon Web Services Regions. However, you can't use this operation to change the home Region. You can invoke this operation from the current home Region only.
The aggregation Region is now called the home Region. Updates cross-Region aggregation settings. You can use this operation to update the Region linking mode and the list of included or excluded Amazon Web Services Regions. However, you can't use this operation to change the home Region. You can invoke this operation from the current home Region only.
UpdateFindings is a deprecated operation. Instead of UpdateFindings, use the BatchUpdateFindings operation. The UpdateFindings operation updates the Note and RecordState of the Security Hub CSPM aggregated findings that the filter attributes specify. Any member account that can view the finding can also see the update to the finding. Finding updates made with UpdateFindings aren't persisted if the same finding is later updated by the finding provider through the BatchImportFindings operation. In addition, Security Hub CSPM doesn't record updates made with UpdateFindings in the finding history.
UpdateFindings is a deprecated operation. Instead of UpdateFindings, use the BatchUpdateFindings operation. The UpdateFindings operation updates the Note and RecordState of the Security Hub CSPM aggregated findings that the filter attributes specify. Any member account that can view the finding can also see the update to the finding. Finding updates made with UpdateFindings aren't persisted if the same finding is later updated by the finding provider through the BatchImportFindings operation. In addition, Security Hub CSPM doesn't record updates made with UpdateFindings in the finding history.
Updates the Security Hub CSPM insight identified by the specified insight ARN.
Updates the Security Hub CSPM insight identified by the specified insight ARN.
Updates the configuration of your organization in Security Hub CSPM. Only the Security Hub CSPM administrator account can invoke this operation.
Updates the configuration of your organization in Security Hub CSPM. Only the Security Hub CSPM administrator account can invoke this operation.
Updates the properties of a security control.
Updates the properties of a security control.
Updates configuration options for Security Hub CSPM.
Updates configuration options for Security Hub CSPM.
Used to control whether an individual security standard control is enabled or disabled. Calls to this operation return a RESOURCE_NOT_FOUND_EXCEPTION error when the standard subscription for the control has StandardsControlsUpdatable value NOT_READY_FOR_UPDATES.
Used to control whether an individual security standard control is enabled or disabled. Calls to this operation return a RESOURCE_NOT_FOUND_EXCEPTION error when the standard subscription for the control has StandardsControlsUpdatable value NOT_READY_FOR_UPDATES.