aws-sdk-fms 1.18.0 → 1.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4fa045776728f3aac3709e2cdcdc61af5a55ec24
-  data.tar.gz: ebfb0cedd0a8fe7326ea091362e5f1bec857bbd4
+  metadata.gz: 476466d4fe38aa8c9aa515c3aa5eb574b2af9354
+  data.tar.gz: 6e59a6eb401ffc20af8f21a1a2f40d8a1c7ed173
 SHA512:
-  metadata.gz: 89eb0f70f4ba90f63bb78118421c2427a177bc0ab5d426b40a99f8e1d6e3f7c9f5e6c6edcb1872fe9c09ab1d99e48f5e7104b0595873ea88a693192bf25aa31c
-  data.tar.gz: 23af38f841cf88850f69dc7b17f4e609f07e856cc8f64df917b2c6caa71e00d6254ec606c6b81fa75d10affdc3d862acd108fca2cd879cf94427e4f332286465
+  metadata.gz: 83f8ba6fb8a3c0386fdea27dfc740d9fb99975ab5f23363282f54a14d1b9107a6870e445dab2a593811bd90b5db490a57a8937dfa4c0259520a60c8c04e9f0c8
+  data.tar.gz: 35ea4ad21b1be2502c49663dc7a9b484165e93d381e39e36358f79e2d5493b9b53cac05615e849f9f1a68ad78dcba9a1f3a735d7116832da93194481e225fde8

data/lib/aws-sdk-fms.rb

@@ -42,6 +42,6 @@ require_relative 'aws-sdk-fms/customizations'
 # @service
 module Aws::FMS
 
-  GEM_VERSION = '1.18.0'
+  GEM_VERSION = '1.19.0'
 
 end

data/lib/aws-sdk-fms/client.rb

@@ -265,7 +265,7 @@ module Aws::FMS
     # @!group API Operations
 
     # Sets the AWS Firewall Manager administrator account. AWS Firewall
-    # Manager must be associated with the master account your AWS
+    # Manager must be associated with the master account of your AWS
     # organization or associated with a member account that has the
     # appropriate permissions. If the account ID that you submit is not an
     # AWS Organizations master account, AWS Firewall Manager will set the
@@ -324,21 +324,34 @@ module Aws::FMS
     #   by `PutPolicy` and by `ListPolicies`.
     #
     # @option params [Boolean] :delete_all_policy_resources
-    #   If `True`, the request will also perform a clean-up process that will:
+    #   If `True`, the request performs cleanup according to the policy type.
     #
-    #   * Delete rule groups created by AWS Firewall Manager
+    #   For AWS WAF and Shield Advanced policies, the cleanup does the
+    #   following:
     #
-    #   * Remove web ACLs from in-scope resources
+    #   * Deletes rule groups created by AWS Firewall Manager
     #
-    #   * Delete web ACLs that contain no rules or rule groups
+    #   * Removes web ACLs from in-scope resources
     #
-    #   After the cleanup, in-scope resources will no longer be protected by
-    #   web ACLs in this policy. Protection of out-of-scope resources will
-    #   remain unchanged. Scope is determined by tags and accounts associated
-    #   with the policy. When creating the policy, if you specified that only
-    #   resources in specific accounts or with specific tags be protected by
-    #   the policy, those resources are in-scope. All others are out of scope.
-    #   If you did not specify tags or accounts, all resources are in-scope.
+    #   * Deletes web ACLs that contain no rules or rule groups
+    #
+    #   For security group policies, the cleanup does the following for each
+    #   security group in the policy:
+    #
+    #   * Disassociates the security group from in-scope resources
+    #
+    #   * Deletes the security group if it was created through Firewall
+    #     Manager and if it's no longer associated with any resources through
+    #     another policy
+    #
+    #   After the cleanup, in-scope resources are no longer protected by web
+    #   ACLs in this policy. Protection of out-of-scope resources remains
+    #   unchanged. Scope is determined by tags that you create and accounts
+    #   that you associate with the policy. When creating the policy, if you
+    #   specify that only resources in specific accounts or with specific tags
+    #   are in scope of the policy, those accounts and resources are handled
+    #   by the policy. All others are out of scope. If you don't specify tags
+    #   or accounts, all resources are in scope.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -361,7 +374,7 @@ module Aws::FMS
     # Disassociates the account that has been set as the AWS Firewall
     # Manager administrator account. To set a different account as the
     # administrator account, you must submit an `AssociateAdminAccount`
-    # request .
+    # request.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -398,8 +411,12 @@ module Aws::FMS
 
     # Returns detailed compliance information about the specified member
     # account. Details include resources that are in and out of compliance
-    # with the specified policy. Resources are considered non-compliant if
-    # the specified policy has not been applied to them.
+    # with the specified policy. Resources are considered noncompliant for
+    # AWS WAF and Shield Advanced policies if the specified policy has not
+    # been applied to them. Resources are considered noncompliant for
+    # security group policies if they are in scope of the policy, they
+    # violate one or more of the policy rules, and remediation is disabled
+    # or not possible.
     #
     # @option params [required, String] :policy_id
     #   The ID of the policy that you want to get the details for. `PolicyId`
@@ -427,7 +444,7 @@ module Aws::FMS
     #   resp.policy_compliance_detail.member_account #=> String
     #   resp.policy_compliance_detail.violators #=> Array
     #   resp.policy_compliance_detail.violators[0].resource_id #=> String
-    #   resp.policy_compliance_detail.violators[0].violation_reason #=> String, one of "WEB_ACL_MISSING_RULE_GROUP", "RESOURCE_MISSING_WEB_ACL", "RESOURCE_INCORRECT_WEB_ACL", "RESOURCE_MISSING_SHIELD_PROTECTION"
+    #   resp.policy_compliance_detail.violators[0].violation_reason #=> String, one of "WEB_ACL_MISSING_RULE_GROUP", "RESOURCE_MISSING_WEB_ACL", "RESOURCE_INCORRECT_WEB_ACL", "RESOURCE_MISSING_SHIELD_PROTECTION", "RESOURCE_MISSING_WEB_ACL_OR_SHIELD_PROTECTION", "RESOURCE_MISSING_SECURITY_GROUP", "RESOURCE_VIOLATES_AUDIT_SECURITY_GROUP", "SECURITY_GROUP_UNUSED", "SECURITY_GROUP_REDUNDANT"
     #   resp.policy_compliance_detail.violators[0].resource_type #=> String
     #   resp.policy_compliance_detail.evaluation_limit_exceeded #=> Boolean
     #   resp.policy_compliance_detail.expired_at #=> Time
@@ -443,8 +460,8 @@ module Aws::FMS
       req.send_request(options)
     end
 
-    # Returns information about the Amazon Simple Notification Service (SNS)
-    # topic that is used to record AWS Firewall Manager SNS logs.
+    # Information about the Amazon Simple Notification Service (SNS) topic
+    # that is used to record AWS Firewall Manager SNS logs.
     #
     # @return [Types::GetNotificationChannelResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -487,7 +504,7 @@ module Aws::FMS
     #   resp.policy.policy_id #=> String
     #   resp.policy.policy_name #=> String
     #   resp.policy.policy_update_token #=> String
-    #   resp.policy.security_service_policy_data.type #=> String, one of "WAF", "SHIELD_ADVANCED"
+    #   resp.policy.security_service_policy_data.type #=> String, one of "WAF", "SHIELD_ADVANCED", "SECURITY_GROUPS_COMMON", "SECURITY_GROUPS_CONTENT_AUDIT", "SECURITY_GROUPS_USAGE_AUDIT"
     #   resp.policy.security_service_policy_data.managed_service_data #=> String
     #   resp.policy.resource_type #=> String
     #   resp.policy.resource_type_list #=> Array
@@ -515,7 +532,8 @@ module Aws::FMS
     end
 
     # If you created a Shield Advanced policy, returns policy-level attack
-    # summary information in the event of a potential DDoS attack.
+    # summary information in the event of a potential DDoS attack. Other
+    # policy types are currently unsupported.
     #
     # @option params [required, String] :policy_id
     #   The ID of the policy for which you want to get the attack information.
@@ -526,21 +544,21 @@ module Aws::FMS
     #
     # @option params [Time,DateTime,Date,Integer,String] :start_time
     #   The start of the time period to query for the attacks. This is a
-    #   `timestamp` type. The sample request above indicates a number type
+    #   `timestamp` type. The request syntax listing indicates a `number` type
     #   because the default used by AWS Firewall Manager is Unix time in
     #   seconds. However, any valid `timestamp` format is allowed.
     #
     # @option params [Time,DateTime,Date,Integer,String] :end_time
     #   The end of the time period to query for the attacks. This is a
-    #   `timestamp` type. The sample request above indicates a number type
+    #   `timestamp` type. The request syntax listing indicates a `number` type
     #   because the default used by AWS Firewall Manager is Unix time in
     #   seconds. However, any valid `timestamp` format is allowed.
     #
     # @option params [String] :next_token
     #   If you specify a value for `MaxResults` and you have more objects than
     #   the number that you specify for `MaxResults`, AWS Firewall Manager
-    #   returns a `NextToken` value in the response that allows you to list
-    #   another group of objects. For the second and subsequent
+    #   returns a `NextToken` value in the response, which you can use to
+    #   retrieve another group of objects. For the second and subsequent
     #   `GetProtectionStatus` requests, specify the value of `NextToken` from
     #   the previous response to get information about another batch of
     #   objects.
@@ -572,7 +590,7 @@ module Aws::FMS
     # @example Response structure
     #
     #   resp.admin_account_id #=> String
-    #   resp.service_type #=> String, one of "WAF", "SHIELD_ADVANCED"
+    #   resp.service_type #=> String, one of "WAF", "SHIELD_ADVANCED", "SECURITY_GROUPS_COMMON", "SECURITY_GROUPS_CONTENT_AUDIT", "SECURITY_GROUPS_USAGE_AUDIT"
     #   resp.data #=> String
     #   resp.next_token #=> String
     #
@@ -734,7 +752,7 @@ module Aws::FMS
     #   resp.policy_list[0].policy_id #=> String
     #   resp.policy_list[0].policy_name #=> String
     #   resp.policy_list[0].resource_type #=> String
-    #   resp.policy_list[0].security_service_type #=> String, one of "WAF", "SHIELD_ADVANCED"
+    #   resp.policy_list[0].security_service_type #=> String, one of "WAF", "SHIELD_ADVANCED", "SECURITY_GROUPS_COMMON", "SECURITY_GROUPS_CONTENT_AUDIT", "SECURITY_GROUPS_USAGE_AUDIT"
     #   resp.policy_list[0].remediation_enabled #=> Boolean
     #   resp.next_token #=> String
     #
@@ -778,17 +796,23 @@ module Aws::FMS
 
     # Creates an AWS Firewall Manager policy.
     #
-    # Firewall Manager provides two types of policies: A Shield Advanced
-    # policy, which applies Shield Advanced protection to specified accounts
-    # and resources, or a WAF policy, which contains a rule group and
-    # defines which resources are to be protected by that rule group. A
-    # policy is specific to either WAF or Shield Advanced. If you want to
-    # enforce both WAF rules and Shield Advanced protection across accounts,
-    # you can create multiple policies. You can create one or more policies
-    # for WAF rules, and one or more policies for Shield Advanced.
+    # Firewall Manager provides the following types of policies:
+    #
+    # * A Shield Advanced policy, which applies Shield Advanced protection
+    #   to specified accounts and resources
+    #
+    # * An AWS WAF policy, which contains a rule group and defines which
+    #   resources are to be protected by that rule group
+    #
+    # * A security group policy, which manages VPC security groups across
+    #   your AWS organization.
+    #
+    # Each policy is specific to one of the three types. If you want to
+    # enforce more than one policy type across accounts, you can create
+    # multiple policies. You can create multiple policies for each type.
     #
     # You must be subscribed to Shield Advanced to create a Shield Advanced
-    # policy. For more information on subscribing to Shield Advanced, see
+    # policy. For more information about subscribing to Shield Advanced, see
     # [CreateSubscription][1].
     #
     #
@@ -811,7 +835,7 @@ module Aws::FMS
     #       policy_name: "ResourceName", # required
     #       policy_update_token: "PolicyUpdateToken",
     #       security_service_policy_data: { # required
-    #         type: "WAF", # required, accepts WAF, SHIELD_ADVANCED
+    #         type: "WAF", # required, accepts WAF, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT
     #         managed_service_data: "ManagedServiceData",
     #       },
     #       resource_type: "ResourceType", # required
@@ -838,7 +862,7 @@ module Aws::FMS
     #   resp.policy.policy_id #=> String
     #   resp.policy.policy_name #=> String
     #   resp.policy.policy_update_token #=> String
-    #   resp.policy.security_service_policy_data.type #=> String, one of "WAF", "SHIELD_ADVANCED"
+    #   resp.policy.security_service_policy_data.type #=> String, one of "WAF", "SHIELD_ADVANCED", "SECURITY_GROUPS_COMMON", "SECURITY_GROUPS_CONTENT_AUDIT", "SECURITY_GROUPS_USAGE_AUDIT"
     #   resp.policy.security_service_policy_data.managed_service_data #=> String
     #   resp.policy.resource_type #=> String
     #   resp.policy.resource_type_list #=> Array
@@ -878,7 +902,7 @@ module Aws::FMS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-fms'
-      context[:gem_version] = '1.18.0'
+      context[:gem_version] = '1.19.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-fms/types.rb

@@ -45,7 +45,7 @@ module Aws::FMS
     #   @return [String]
     #
     # @!attribute [rw] resource_type
-    #   The resource type. This is in the format shown in [AWS Resource
+    #   The resource type. This is in the format shown in the [AWS Resource
     #   Types Reference][1]. For example:
     #   `AWS::ElasticLoadBalancingV2::LoadBalancer` or
     #   `AWS::CloudFront::Distribution`.
@@ -84,23 +84,35 @@ module Aws::FMS
     #   @return [String]
     #
     # @!attribute [rw] delete_all_policy_resources
-    #   If `True`, the request will also perform a clean-up process that
-    #   will:
+    #   If `True`, the request performs cleanup according to the policy
+    #   type.
     #
-    #   * Delete rule groups created by AWS Firewall Manager
+    #   For AWS WAF and Shield Advanced policies, the cleanup does the
+    #   following:
     #
-    #   * Remove web ACLs from in-scope resources
+    #   * Deletes rule groups created by AWS Firewall Manager
     #
-    #   * Delete web ACLs that contain no rules or rule groups
+    #   * Removes web ACLs from in-scope resources
     #
-    #   After the cleanup, in-scope resources will no longer be protected by
-    #   web ACLs in this policy. Protection of out-of-scope resources will
-    #   remain unchanged. Scope is determined by tags and accounts
-    #   associated with the policy. When creating the policy, if you
-    #   specified that only resources in specific accounts or with specific
-    #   tags be protected by the policy, those resources are in-scope. All
-    #   others are out of scope. If you did not specify tags or accounts,
-    #   all resources are in-scope.
+    #   * Deletes web ACLs that contain no rules or rule groups
+    #
+    #   For security group policies, the cleanup does the following for each
+    #   security group in the policy:
+    #
+    #   * Disassociates the security group from in-scope resources
+    #
+    #   * Deletes the security group if it was created through Firewall
+    #     Manager and if it's no longer associated with any resources
+    #     through another policy
+    #
+    #   After the cleanup, in-scope resources are no longer protected by web
+    #   ACLs in this policy. Protection of out-of-scope resources remains
+    #   unchanged. Scope is determined by tags that you create and accounts
+    #   that you associate with the policy. When creating the policy, if you
+    #   specify that only resources in specific accounts or with specific
+    #   tags are in scope of the policy, those accounts and resources are
+    #   handled by the policy. All others are out of scope. If you don't
+    #   specify tags or accounts, all resources are in scope.
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DeletePolicyRequest AWS API Documentation
@@ -118,8 +130,9 @@ module Aws::FMS
     class DisassociateAdminAccountRequest < Aws::EmptyStructure; end
 
     # Describes the compliance status for the account. An account is
-    # considered non-compliant if it includes resources that are not
-    # protected by the specified policy.
+    # considered noncompliant if it includes resources that are not
+    # protected by the specified policy or that don't comply with the
+    # policy.
     #
     # @!attribute [rw] compliance_status
     #   Describes an AWS account's compliance with the AWS Firewall Manager
@@ -127,13 +140,16 @@ module Aws::FMS
     #   @return [String]
     #
     # @!attribute [rw] violator_count
-    #   Number of resources that are non-compliant with the specified
-    #   policy. A resource is considered non-compliant if it is not
-    #   associated with the specified policy.
+    #   The number of resources that are noncompliant with the specified
+    #   policy. For AWS WAF and Shield Advanced policies, a resource is
+    #   considered noncompliant if it is not associated with the policy. For
+    #   security group policies, a resource is considered noncompliant if it
+    #   doesn't comply with the rules of the policy and remediation is
+    #   disabled or not possible.
     #   @return [Integer]
     #
     # @!attribute [rw] evaluation_limit_exceeded
-    #   Indicates that over 100 resources are non-compliant with the AWS
+    #   Indicates that over 100 resources are noncompliant with the AWS
     #   Firewall Manager policy.
     #   @return [Boolean]
     #
@@ -290,26 +306,26 @@ module Aws::FMS
     #
     # @!attribute [rw] start_time
     #   The start of the time period to query for the attacks. This is a
-    #   `timestamp` type. The sample request above indicates a number type
-    #   because the default used by AWS Firewall Manager is Unix time in
-    #   seconds. However, any valid `timestamp` format is allowed.
+    #   `timestamp` type. The request syntax listing indicates a `number`
+    #   type because the default used by AWS Firewall Manager is Unix time
+    #   in seconds. However, any valid `timestamp` format is allowed.
     #   @return [Time]
     #
     # @!attribute [rw] end_time
     #   The end of the time period to query for the attacks. This is a
-    #   `timestamp` type. The sample request above indicates a number type
-    #   because the default used by AWS Firewall Manager is Unix time in
-    #   seconds. However, any valid `timestamp` format is allowed.
+    #   `timestamp` type. The request syntax listing indicates a `number`
+    #   type because the default used by AWS Firewall Manager is Unix time
+    #   in seconds. However, any valid `timestamp` format is allowed.
     #   @return [Time]
     #
     # @!attribute [rw] next_token
     #   If you specify a value for `MaxResults` and you have more objects
     #   than the number that you specify for `MaxResults`, AWS Firewall
-    #   Manager returns a `NextToken` value in the response that allows you
-    #   to list another group of objects. For the second and subsequent
-    #   `GetProtectionStatus` requests, specify the value of `NextToken`
-    #   from the previous response to get information about another batch of
-    #   objects.
+    #   Manager returns a `NextToken` value in the response, which you can
+    #   use to retrieve another group of objects. For the second and
+    #   subsequent `GetProtectionStatus` requests, specify the value of
+    #   `NextToken` from the previous response to get information about
+    #   another batch of objects.
     #   @return [String]
     #
     # @!attribute [rw] max_results
@@ -353,8 +369,7 @@ module Aws::FMS
     #
     #   * End time of the attack (ongoing attacks will not have an end time)
     #
-    #   The details are in JSON format. An example is shown in the Examples
-    #   section below.
+    #   The details are in JSON format.
     #   @return [String]
     #
     # @!attribute [rw] next_token
@@ -635,7 +650,7 @@ module Aws::FMS
     #         policy_name: "ResourceName", # required
     #         policy_update_token: "PolicyUpdateToken",
     #         security_service_policy_data: { # required
-    #           type: "WAF", # required, accepts WAF, SHIELD_ADVANCED
+    #           type: "WAF", # required, accepts WAF, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT
     #           managed_service_data: "ManagedServiceData",
     #         },
     #         resource_type: "ResourceType", # required
@@ -678,10 +693,17 @@ module Aws::FMS
     #   @return [Types::SecurityServicePolicyData]
     #
     # @!attribute [rw] resource_type
-    #   The type of resource to protect with the policy. This is in the
-    #   format shown in [AWS Resource Types Reference][1]. For example:
-    #   `AWS::ElasticLoadBalancingV2::LoadBalancer` or
-    #   `AWS::CloudFront::Distribution`.
+    #   The type of resource protected by or in scope of the policy. This is
+    #   in the format shown in the [AWS Resource Types Reference][1]. For
+    #   AWS WAF and Shield Advanced, examples include
+    #   `AWS::ElasticLoadBalancingV2::LoadBalancer` and
+    #   `AWS::CloudFront::Distribution`. For a security group common policy,
+    #   valid values are `AWS::EC2::NetworkInterface` and
+    #   `AWS::EC2::Instance`. For a security group content audit policy,
+    #   valid values are `AWS::EC2::SecurityGroup`,
+    #   `AWS::EC2::NetworkInterface`, and `AWS::EC2::Instance`. For a
+    #   security group usage audit policy, the value is
+    #   `AWS::EC2::SecurityGroup`.
     #
     #
     #
@@ -698,9 +720,9 @@ module Aws::FMS
     #
     # @!attribute [rw] exclude_resource_tags
     #   If set to `True`, resources with the tags that are specified in the
-    #   `ResourceTag` array are not protected by the policy. If set to
+    #   `ResourceTag` array are not in scope of the policy. If set to
     #   `False`, and the `ResourceTag` array is not null, only resources
-    #   with the specified tags are associated with the policy.
+    #   with the specified tags are in scope of the policy.
     #   @return [Boolean]
     #
     # @!attribute [rw] remediation_enabled
@@ -746,9 +768,9 @@ module Aws::FMS
       include Aws::Structure
     end
 
-    # Describes the non-compliant resources in a member account for a
+    # Describes the noncompliant resources in a member account for a
     # specific AWS Firewall Manager policy. A maximum of 100 entries are
-    # displayed. If more than 100 resources are non-compliant,
+    # displayed. If more than 100 resources are noncompliant,
     # `EvaluationLimitExceeded` is set to `True`.
     #
     # @!attribute [rw] policy_owner
@@ -764,22 +786,24 @@ module Aws::FMS
     #   @return [String]
     #
     # @!attribute [rw] violators
-    #   An array of resources that are not protected by the policy.
+    #   An array of resources that aren't protected by the AWS WAF or
+    #   Shield Advanced policy or that aren't in compliance with the
+    #   security group policy.
     #   @return [Array<Types::ComplianceViolator>]
     #
     # @!attribute [rw] evaluation_limit_exceeded
-    #   Indicates if over 100 resources are non-compliant with the AWS
+    #   Indicates if over 100 resources are noncompliant with the AWS
     #   Firewall Manager policy.
     #   @return [Boolean]
     #
     # @!attribute [rw] expired_at
-    #   A time stamp that indicates when the returned information should be
-    #   considered out-of-date.
+    #   A timestamp that indicates when the returned information should be
+    #   considered out of date.
     #   @return [Time]
     #
     # @!attribute [rw] issue_info_map
     #   Details about problems with dependent services, such as AWS WAF or
-    #   AWS Config, that are causing a resource to be non-compliant. The
+    #   AWS Config, that are causing a resource to be noncompliant. The
     #   details include the name of the dependent service and the error
     #   message received that indicates the problem with the service.
     #   @return [Hash<String,String>]
@@ -798,8 +822,10 @@ module Aws::FMS
     end
 
     # Indicates whether the account is compliant with the specified policy.
-    # An account is considered non-compliant if it includes resources that
-    # are not protected by the policy.
+    # An account is considered noncompliant if it includes resources that
+    # are not protected by the policy, for AWS WAF and Shield Advanced
+    # policies, or that are noncompliant with the policy, for security group
+    # policies.
     #
     # @!attribute [rw] policy_owner
     #   The AWS account that created the AWS Firewall Manager policy.
@@ -822,12 +848,12 @@ module Aws::FMS
     #   @return [Array<Types::EvaluationResult>]
     #
     # @!attribute [rw] last_updated
-    #   Time stamp of the last update to the `EvaluationResult` objects.
+    #   Timestamp of the last update to the `EvaluationResult` objects.
     #   @return [Time]
     #
     # @!attribute [rw] issue_info_map
     #   Details about problems with dependent services, such as AWS WAF or
-    #   AWS Config, that are causing a resource to be non-compliant. The
+    #   AWS Config, that are causing a resource to be noncompliant. The
     #   details include the name of the dependent service and the error
     #   message received that indicates the problem with the service.
     #   @return [Hash<String,String>]
@@ -860,10 +886,17 @@ module Aws::FMS
     #   @return [String]
     #
     # @!attribute [rw] resource_type
-    #   The type of resource to protect with the policy. This is in the
-    #   format shown in [AWS Resource Types Reference][1]. For example:
-    #   `AWS::ElasticLoadBalancingV2::LoadBalancer` or
-    #   `AWS::CloudFront::Distribution`.
+    #   The type of resource protected by or in scope of the policy. This is
+    #   in the format shown in the [AWS Resource Types Reference][1]. For
+    #   AWS WAF and Shield Advanced, examples include
+    #   `AWS::ElasticLoadBalancingV2::LoadBalancer` and
+    #   `AWS::CloudFront::Distribution`. For a security group common policy,
+    #   valid values are `AWS::EC2::NetworkInterface` and
+    #   `AWS::EC2::Instance`. For a security group content audit policy,
+    #   valid values are `AWS::EC2::SecurityGroup`,
+    #   `AWS::EC2::NetworkInterface`, and `AWS::EC2::Instance`. For a
+    #   security group usage audit policy, the value is
+    #   `AWS::EC2::SecurityGroup`.
     #
     #
     #
@@ -872,8 +905,8 @@ module Aws::FMS
     #
     # @!attribute [rw] security_service_type
     #   The service that the policy is using to protect the resources. This
-    #   specifies the type of policy that is created, either a WAF policy or
-    #   Shield Advanced policy.
+    #   specifies the type of policy that is created, either an AWS WAF
+    #   policy, a Shield Advanced policy, or a security group policy.
     #   @return [String]
     #
     # @!attribute [rw] remediation_enabled
@@ -928,7 +961,7 @@ module Aws::FMS
     #           policy_name: "ResourceName", # required
     #           policy_update_token: "PolicyUpdateToken",
     #           security_service_policy_data: { # required
-    #             type: "WAF", # required, accepts WAF, SHIELD_ADVANCED
+    #             type: "WAF", # required, accepts WAF, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT
     #             managed_service_data: "ManagedServiceData",
     #           },
     #           resource_type: "ResourceType", # required
@@ -990,14 +1023,14 @@ module Aws::FMS
     end
 
     # The resource tags that AWS Firewall Manager uses to determine if a
-    # particular resource should be included or excluded from protection by
-    # the AWS Firewall Manager policy. Tags enable you to categorize your
-    # AWS resources in different ways, for example, by purpose, owner, or
-    # environment. Each tag consists of a key and an optional value, both of
-    # which you define. Tags are combined with an "OR." That is, if you
-    # add more than one tag, if any of the tags matches, the resource is
-    # considered a match for the include or exclude. [Working with Tag
-    # Editor][1].
+    # particular resource should be included or excluded from the AWS
+    # Firewall Manager policy. Tags enable you to categorize your AWS
+    # resources in different ways, for example, by purpose, owner, or
+    # environment. Each tag consists of a key and an optional value.
+    # Firewall Manager combines the tags with "AND" so that, if you add
+    # more than one tag to a policy scope, a resource must have all the
+    # specified tags to be included or excluded. For more information, see
+    # [Working with Tag Editor][1].
     #
     #
     #
@@ -1034,26 +1067,54 @@ module Aws::FMS
     #   data as a hash:
     #
     #       {
-    #         type: "WAF", # required, accepts WAF, SHIELD_ADVANCED
+    #         type: "WAF", # required, accepts WAF, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT
     #         managed_service_data: "ManagedServiceData",
     #       }
     #
     # @!attribute [rw] type
     #   The service that the policy is using to protect the resources. This
-    #   specifies the type of policy that is created, either a WAF policy or
-    #   Shield Advanced policy.
+    #   specifies the type of policy that is created, either an AWS WAF
+    #   policy, a Shield Advanced policy, or a security group policy. For
+    #   security group policies, Firewall Manager supports one security
+    #   group for each common policy and for each content audit policy. This
+    #   is an adjustable limit that you can increase by contacting AWS
+    #   Support.
     #   @return [String]
     #
     # @!attribute [rw] managed_service_data
-    #   Details about the service. This contains `WAF` data in JSON format,
-    #   as shown in the following example:
+    #   Details about the service that are specific to the service type, in
+    #   JSON format. For service type `SHIELD_ADVANCED`, this is an empty
+    #   string.
+    #
+    #   * Example: `WAF`
+    #
+    #     `ManagedServiceData": "\{"type": "WAF", "ruleGroups":
+    #     [\{"id": "12345678-1bcd-9012-efga-0987654321ab",
+    #     "overrideAction" : \{"type": "COUNT"\}\}],
+    #     "defaultAction": \{"type": "BLOCK"\}\}`
+    #
+    #   * Example: `SECURITY_GROUPS_COMMON`
+    #
+    #     `"SecurityServicePolicyData":\{"Type":"SECURITY_GROUPS_COMMON","ManagedServiceData":"\{"type":"SECURITY_GROUPS_COMMON","revertManualSecurityGroupChanges":false,"exclusiveResourceSecurityGroupManagement":false,"securityGroups":[\{"id":"
+    #     sg-000e55995d61a06bd"\}]\}"\},"RemediationEnabled":false,"ResourceType":"AWS::EC2::NetworkInterface"\}`
+    #
+    #   * Example: `SECURITY_GROUPS_CONTENT_AUDIT`
+    #
+    #     `"SecurityServicePolicyData":\{"Type":"SECURITY_GROUPS_CONTENT_AUDIT","ManagedServiceData":"\{"type":"SECURITY_GROUPS_CONTENT_AUDIT","securityGroups":[\{"id":"
+    #     sg-000e55995d61a06bd
+    #     "\}],"securityGroupAction":\{"type":"ALLOW"\}\}"\},"RemediationEnabled":false,"ResourceType":"AWS::EC2::NetworkInterface"\}`
+    #
+    #     The security group action for content audit can be `ALLOW` or
+    #     `DENY`. For `ALLOW`, all in-scope security group rules must be
+    #     within the allowed range of the policy's security group rules.
+    #     For `DENY`, all in-scope security group rules must not contain a
+    #     value or a range that matches a rule value or range in the policy
+    #     security group.
     #
-    #   `ManagedServiceData": "\{"type": "WAF", "ruleGroups":
-    #   [\{"id": "12345678-1bcd-9012-efga-0987654321ab",
-    #   "overrideAction" : \{"type": "COUNT"\}\}], "defaultAction":
-    #   \{"type": "BLOCK"\}\}`
+    #   * Example: `SECURITY_GROUPS_USAGE_AUDIT`
     #
-    #   If this is a Shield Advanced policy, this string will be empty.
+    #     `"SecurityServicePolicyData":\{"Type":"SECURITY_GROUPS_USAGE_AUDIT","ManagedServiceData":"\{"type":"SECURITY_GROUPS_USAGE_AUDIT","deleteUnusedSecurityGroups":true,"coalesceRedundantSecurityGroups":true\}"\},"RemediationEnabled":false,"Resou
+    #     rceType":"AWS::EC2::SecurityGroup"\}`
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/SecurityServicePolicyData AWS API Documentation

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-fms
 version: !ruby/object:Gem::Version
-  version: 1.18.0
+  version: 1.19.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-07-25 00:00:00.000000000 Z
+date: 2019-10-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core