aws-sdk-securityhub 1.153.0 → 1.154.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bfc1f6ab6ae37a8e88de619008d4d65e82dbf00a74f77752b382f92877042127
-  data.tar.gz: 80b4b215bdbdf70ee6996275566225d6f48bf52579e3f4ae5e31e4155b774dde
+  metadata.gz: '0588c1ee7069ed61c7b5a392261c226405bfe38e0b44fddf728f0339d4b0e032'
+  data.tar.gz: 917627145b4a6b8bf9d58d57fb3d8d6cc9a629204ba6ca1ca824dadcf640856e
 SHA512:
-  metadata.gz: 0ec845c93f1b4404e8c48a64cf4b4404a4a454cd68bb6d69e49c34c58c4d1ff6ae11f0882534ef3b0e2ffc30058144b23e08c0ce8c178e15c771ef4fe18ad1ee
-  data.tar.gz: fe7bdf6c91a6ab69b30e8cb8f864f011680957906b0c4fea3ff3cb2b9eca5b9553afb4760a78f95d7e1793648da9083d55c796d4c38ed7fb14beead63a372003
+  metadata.gz: b5d92a8976ffc710bbf3467755e2f6a0192e2fe452acb4dd02568f3ff9b5bddb2607ddc7ec0109501d9b7760d432ca2076ba53565402e92683e7a7405aa0389e
+  data.tar.gz: 7f3b5bbc8285f1c23bf063343716ef7635b993c50997f664f231da73c11b568ce67ef36df7e6fca510b0d84261563147c4bd65cd9a1f6da5acd189fcbb3807e9

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.154.0 (2026-04-13)
+------------------
+
+* Feature - Provide organizational unit scoping capability for GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, GetResourcesStatisticsV2 APIs.
+
 1.153.0 (2026-03-18)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.153.0
+1.154.0

data/lib/aws-sdk-securityhub/client.rb

@@ -2131,17 +2131,30 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
-    # Used by customers to update information about their investigation into
-    # a finding. Requested by delegated administrator accounts or member
-    # accounts. Delegated administrator accounts can update findings for
-    # their account and their member accounts. Member accounts can update
-    # findings for their account. `BatchUpdateFindings` and
-    # `BatchUpdateFindingV2` both use `securityhub:BatchUpdateFindings` in
-    # the `Action` element of an IAM policy statement. You must have
-    # permission to perform the `securityhub:BatchUpdateFindings` action.
+    # Updates information about a customer's investigation into a finding.
+    # Delegated administrator accounts can update findings for their account
+    # and their member accounts. Member accounts can update findings for
+    # their own account.
+    #
+    # `BatchUpdateFindings` and `BatchUpdateFindingsV2` both use
+    # `securityhub:BatchUpdateFindings` in the `Action` element of an IAM
+    # policy statement. You must have permission to perform the
+    # `securityhub:BatchUpdateFindings` action. You can configure IAM
+    # policies to restrict access to specific finding fields or field values
+    # by using the `securityhub:OCSFSyntaxPath/<fieldName>` condition key,
+    # where `<fieldName>` is one of the following supported fields:
+    # `SeverityId`, `StatusId`, or `Comment`.
+    #
+    # To prevent a user from updating a specific field, use a `Null`
+    # condition with `securityhub:OCSFSyntaxPath/<fieldName>` set to
+    # `"false"`. To prevent a user from setting a field to a specific value,
+    # use a `StringEquals` condition with
+    # `securityhub:OCSFSyntaxPath/<fieldName>` set to the disallowed value
+    # or list of values.
+    #
     # Updates from `BatchUpdateFindingsV2` don't affect the value of
-    # f`inding_info.modified_time`, `finding_info.modified_time_dt`, `time`,
-    # `time_dt for a finding`.
+    # `finding_info.modified_time`, `finding_info.modified_time_dt`, `time`,
+    # or `time_dt` for a finding.
     #
     # @option params [Array<String>] :metadata_uids
     #   The list of finding `metadata.uid` to indicate findings to update.
@@ -2158,14 +2171,14 @@ module Aws::SecurityHub
     #
     # @option params [Integer] :severity_id
     #   The updated value for the normalized severity identifier. The severity
-    #   ID is an integer with the allowed enum values \[0, 1, 2, 3, 4, 5,
+    #   ID is an integer with the allowed enum values \[0, 1, 2, 3, 4, 5, 6,
     #   99\]. When customer provides the updated severity ID, the string
     #   sibling severity will automatically be updated in the finding.
     #
     # @option params [Integer] :status_id
     #   The updated value for the normalized status identifier. The status ID
-    #   is an integer with the allowed enum values \[0, 1, 2, 3, 4, 5, 6,
-    #   99\]. When customer provides the updated status ID, the string sibling
+    #   is an integer with the allowed enum values \[0, 1, 2, 3, 4, 5, 99\].
+    #   When customer provides the updated status ID, the string sibling
     #   status will automatically be updated in the finding.
     #
     # @return [Types::BatchUpdateFindingsV2Response] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
@@ -6400,15 +6413,37 @@ module Aws::SecurityHub
     end
 
     # Returns aggregated statistical data about findings.
-    # `GetFindingStatisticsV2` use `securityhub:GetAdhocInsightResults` in
+    #
+    # You can use the `Scopes` parameter to define the data boundary for the
+    # query. Currently, `Scopes` supports `AwsOrganizations`, which lets you
+    # aggregate findings from your entire organization or from specific
+    # organizational units. Only the delegated administrator account can use
+    # `Scopes`.
+    #
+    # `GetFindingStatisticsV2` uses `securityhub:GetAdhocInsightResults` in
     # the `Action` element of an IAM policy statement. You must have
-    # permission to perform the `s` action.
+    # permission to perform the `securityhub:GetAdhocInsightResults` action.
     #
     # @option params [required, Array<Types::GroupByRule>] :group_by_rules
     #   Specifies how security findings should be aggregated and organized in
     #   the statistical analysis. It can accept up to 5 `groupBy` fields in a
     #   single call.
     #
+    # @option params [Types::FindingScopes] :scopes
+    #   Limits the results to findings from specific organizational units or
+    #   from the delegated administrator's organization. Only the delegated
+    #   administrator account can use this parameter. Other accounts receive
+    #   an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees statistics from all accounts across the entire
+    #   organization. Other accounts see only statistics for their own
+    #   findings.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #
     # @option params [String] :sort_order
     #   Orders the aggregation count in descending or ascending order.
     #   Descending order is the default.
@@ -6499,6 +6534,14 @@ module Aws::SecurityHub
     #         group_by_field: "activity_name", # required, accepts activity_name, cloud.account.uid, cloud.provider, cloud.region, compliance.assessments.name, compliance.status, compliance.control, finding_info.title, finding_info.related_events.traits.category, finding_info.types, metadata.product.name, metadata.product.uid, resources.type, resources.uid, severity, status, vulnerabilities.fix_coverage, class_name, vulnerabilities.affected_packages.name, finding_info.analytic.name, compliance.standards, cloud.account.name, vendor_attributes.severity, metadata.product.vendor_name
     #       },
     #     ],
+    #     scopes: {
+    #       aws_organizations: [
+    #         {
+    #           organization_id: "NonEmptyString",
+    #           organizational_unit_id: "NonEmptyString",
+    #         },
+    #       ],
+    #     },
     #     sort_order: "asc", # accepts asc, desc
     #     max_statistic_results: 1,
     #   })
@@ -7469,7 +7512,19 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
-    # Return a list of findings that match the specified criteria.
+    # Returns a list of findings that match the specified criteria.
+    #
+    # You can use the `Scopes` parameter to define the data boundary for the
+    # query. Currently, `Scopes` supports `AwsOrganizations`, which lets you
+    # retrieve findings from your entire organization or from specific
+    # organizational units. Only the delegated administrator account can use
+    # `Scopes`.
+    #
+    # You can use the `Filters` parameter to refine results based on finding
+    # attributes. You can use `Scopes` and `Filters` independently or
+    # together. When both are provided, `Scopes` narrows the data set first,
+    # and then `Filters` refines results within that scoped data set.
+    #
     # `GetFindings` and `GetFindingsV2` both use `securityhub:GetFindings`
     # in the `Action` element of an IAM policy statement. You must have
     # permission to perform the `securityhub:GetFindings` action.
@@ -7480,6 +7535,20 @@ module Aws::SecurityHub
     #   each filter type inside of a composite filter, you can provide up to
     #   20 filters.
     #
+    # @option params [Types::FindingScopes] :scopes
+    #   Limits the results to findings from specific organizational units or
+    #   from the delegated administrator's organization. Only the delegated
+    #   administrator account can use this parameter. Other accounts receive
+    #   an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees findings from all accounts across the entire
+    #   organization. Other accounts see only their own findings.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #
     # @option params [Array<Types::SortCriterion>] :sort_criteria
     #   The finding attributes used to sort the list of returned findings.
     #
@@ -7573,6 +7642,14 @@ module Aws::SecurityHub
     #       ],
     #       composite_operator: "AND", # accepts AND, OR
     #     },
+    #     scopes: {
+    #       aws_organizations: [
+    #         {
+    #           organization_id: "NonEmptyString",
+    #           organizational_unit_id: "NonEmptyString",
+    #         },
+    #       ],
+    #     },
     #     sort_criteria: [
     #       {
     #         field: "NonEmptyString",
@@ -8274,10 +8351,31 @@ module Aws::SecurityHub
     # Retrieves statistical information about Amazon Web Services resources
     # and their associated security findings.
     #
+    # You can use the `Scopes` parameter to define the data boundary for the
+    # query. Currently, `Scopes` supports `AwsOrganizations`, which lets you
+    # aggregate resources from your entire organization or from specific
+    # organizational units. Only the delegated administrator account can use
+    # `Scopes`.
+    #
     # @option params [required, Array<Types::ResourceGroupByRule>] :group_by_rules
     #   How resource statistics should be aggregated and organized in the
     #   response.
     #
+    # @option params [Types::ResourceScopes] :scopes
+    #   Limits the results to resources from specific organizational units or
+    #   from the delegated administrator's organization. Only the delegated
+    #   administrator account can use this parameter. Other accounts receive
+    #   an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees statistics from all accounts across the entire
+    #   organization. Other accounts see only statistics for their own
+    #   resources.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #
     # @option params [String] :sort_order
     #   Sorts aggregated statistics.
     #
@@ -8351,6 +8449,14 @@ module Aws::SecurityHub
     #         },
     #       },
     #     ],
+    #     scopes: {
+    #       aws_organizations: [
+    #         {
+    #           organization_id: "NonEmptyString",
+    #           organizational_unit_id: "NonEmptyString",
+    #         },
+    #       ],
+    #     },
     #     sort_order: "asc", # accepts asc, desc
     #     max_statistic_results: 1,
     #   })
@@ -8451,11 +8557,36 @@ module Aws::SecurityHub
 
     # Returns a list of resources.
     #
+    # You can use the `Scopes` parameter to define the data boundary for the
+    # query. Currently, `Scopes` supports `AwsOrganizations`, which lets you
+    # retrieve resources from your entire organization or from specific
+    # organizational units. Only the delegated administrator account can use
+    # `Scopes`.
+    #
+    # You can use the `Filters` parameter to refine results based on
+    # resource attributes. You can use `Scopes` and `Filters` independently
+    # or together. When both are provided, `Scopes` narrows the data set
+    # first, and then `Filters` refines results within that scoped data set.
+    #
     # @option params [Types::ResourcesFilters] :filters
     #   Filters resources based on a set of criteria.
     #
+    # @option params [Types::ResourceScopes] :scopes
+    #   Limits the results to resources from specific organizational units or
+    #   from the delegated administrator's organization. Only the delegated
+    #   administrator account can use this parameter. Other accounts receive
+    #   an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees resources from all accounts across the entire
+    #   organization. Other accounts see only their own resources.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #
     # @option params [Array<Types::SortCriterion>] :sort_criteria
-    #   The finding attributes used to sort the list of returned findings.
+    #   The resource attributes used to sort the list of returned resources.
     #
     # @option params [String] :next_token
     #   The token required for pagination. On your first call, set the value
@@ -8531,6 +8662,14 @@ module Aws::SecurityHub
     #       ],
     #       composite_operator: "AND", # accepts AND, OR
     #     },
+    #     scopes: {
+    #       aws_organizations: [
+    #         {
+    #           organization_id: "NonEmptyString",
+    #           organizational_unit_id: "NonEmptyString",
+    #         },
+    #       ],
+    #     },
     #     sort_criteria: [
     #       {
     #         field: "NonEmptyString",
@@ -12409,7 +12548,7 @@ module Aws::SecurityHub
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-securityhub'
-      context[:gem_version] = '1.153.0'
+      context[:gem_version] = '1.154.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-securityhub/client_api.rb

@@ -544,6 +544,8 @@ module Aws::SecurityHub
     AwsOpenSearchServiceDomainNodeToNodeEncryptionOptionsDetails = Shapes::StructureShape.new(name: 'AwsOpenSearchServiceDomainNodeToNodeEncryptionOptionsDetails')
     AwsOpenSearchServiceDomainServiceSoftwareOptionsDetails = Shapes::StructureShape.new(name: 'AwsOpenSearchServiceDomainServiceSoftwareOptionsDetails')
     AwsOpenSearchServiceDomainVpcOptionsDetails = Shapes::StructureShape.new(name: 'AwsOpenSearchServiceDomainVpcOptionsDetails')
+    AwsOrganizationScope = Shapes::StructureShape.new(name: 'AwsOrganizationScope')
+    AwsOrganizationScopeList = Shapes::ListShape.new(name: 'AwsOrganizationScopeList')
     AwsRdsDbClusterAssociatedRole = Shapes::StructureShape.new(name: 'AwsRdsDbClusterAssociatedRole')
     AwsRdsDbClusterAssociatedRoles = Shapes::ListShape.new(name: 'AwsRdsDbClusterAssociatedRoles')
     AwsRdsDbClusterDetails = Shapes::StructureShape.new(name: 'AwsRdsDbClusterDetails')
@@ -910,6 +912,7 @@ module Aws::SecurityHub
     FindingHistoryUpdatesList = Shapes::ListShape.new(name: 'FindingHistoryUpdatesList')
     FindingProviderFields = Shapes::StructureShape.new(name: 'FindingProviderFields')
     FindingProviderSeverity = Shapes::StructureShape.new(name: 'FindingProviderSeverity')
+    FindingScopes = Shapes::StructureShape.new(name: 'FindingScopes')
     FindingsTrendsCompositeFilter = Shapes::StructureShape.new(name: 'FindingsTrendsCompositeFilter')
     FindingsTrendsCompositeFilterList = Shapes::ListShape.new(name: 'FindingsTrendsCompositeFilterList')
     FindingsTrendsFilters = Shapes::StructureShape.new(name: 'FindingsTrendsFilters')
@@ -1103,6 +1106,8 @@ module Aws::SecurityHub
     OrganizationConfiguration = Shapes::StructureShape.new(name: 'OrganizationConfiguration')
     OrganizationConfigurationConfigurationType = Shapes::StringShape.new(name: 'OrganizationConfigurationConfigurationType')
     OrganizationConfigurationStatus = Shapes::StringShape.new(name: 'OrganizationConfigurationStatus')
+    OrganizationNotFoundException = Shapes::StructureShape.new(name: 'OrganizationNotFoundException')
+    OrganizationalUnitNotFoundException = Shapes::StructureShape.new(name: 'OrganizationalUnitNotFoundException')
     Page = Shapes::StructureShape.new(name: 'Page')
     Pages = Shapes::ListShape.new(name: 'Pages')
     ParameterConfiguration = Shapes::StructureShape.new(name: 'ParameterConfiguration')
@@ -1161,6 +1166,7 @@ module Aws::SecurityHub
     ResourceList = Shapes::ListShape.new(name: 'ResourceList')
     ResourceNotFoundException = Shapes::StructureShape.new(name: 'ResourceNotFoundException')
     ResourceResult = Shapes::StructureShape.new(name: 'ResourceResult')
+    ResourceScopes = Shapes::StructureShape.new(name: 'ResourceScopes')
     ResourceSeverityBreakdown = Shapes::StructureShape.new(name: 'ResourceSeverityBreakdown')
     ResourceTag = Shapes::StructureShape.new(name: 'ResourceTag')
     ResourceTagList = Shapes::ListShape.new(name: 'ResourceTagList')
@@ -4204,6 +4210,12 @@ module Aws::SecurityHub
     AwsOpenSearchServiceDomainVpcOptionsDetails.add_member(:subnet_ids, Shapes::ShapeRef.new(shape: NonEmptyStringList, location_name: "SubnetIds"))
     AwsOpenSearchServiceDomainVpcOptionsDetails.struct_class = Types::AwsOpenSearchServiceDomainVpcOptionsDetails
 
+    AwsOrganizationScope.add_member(:organization_id, Shapes::ShapeRef.new(shape: NonEmptyString, location_name: "OrganizationId"))
+    AwsOrganizationScope.add_member(:organizational_unit_id, Shapes::ShapeRef.new(shape: NonEmptyString, location_name: "OrganizationalUnitId"))
+    AwsOrganizationScope.struct_class = Types::AwsOrganizationScope
+
+    AwsOrganizationScopeList.member = Shapes::ShapeRef.new(shape: AwsOrganizationScope)
+
     AwsRdsDbClusterAssociatedRole.add_member(:role_arn, Shapes::ShapeRef.new(shape: NonEmptyString, location_name: "RoleArn"))
     AwsRdsDbClusterAssociatedRole.add_member(:status, Shapes::ShapeRef.new(shape: NonEmptyString, location_name: "Status"))
     AwsRdsDbClusterAssociatedRole.struct_class = Types::AwsRdsDbClusterAssociatedRole
@@ -6028,6 +6040,9 @@ module Aws::SecurityHub
     FindingProviderSeverity.add_member(:original, Shapes::ShapeRef.new(shape: NonEmptyString, location_name: "Original"))
     FindingProviderSeverity.struct_class = Types::FindingProviderSeverity
 
+    FindingScopes.add_member(:aws_organizations, Shapes::ShapeRef.new(shape: AwsOrganizationScopeList, location_name: "AwsOrganizations"))
+    FindingScopes.struct_class = Types::FindingScopes
+
     FindingsTrendsCompositeFilter.add_member(:string_filters, Shapes::ShapeRef.new(shape: FindingsTrendsStringFilterList, location_name: "StringFilters"))
     FindingsTrendsCompositeFilter.add_member(:nested_composite_filters, Shapes::ShapeRef.new(shape: FindingsTrendsCompositeFilterList, location_name: "NestedCompositeFilters"))
     FindingsTrendsCompositeFilter.add_member(:operator, Shapes::ShapeRef.new(shape: AllowedOperators, location_name: "Operator"))
@@ -6175,6 +6190,7 @@ module Aws::SecurityHub
     GetFindingHistoryResponse.struct_class = Types::GetFindingHistoryResponse
 
     GetFindingStatisticsV2Request.add_member(:group_by_rules, Shapes::ShapeRef.new(shape: GroupByRules, required: true, location_name: "GroupByRules"))
+    GetFindingStatisticsV2Request.add_member(:scopes, Shapes::ShapeRef.new(shape: FindingScopes, location_name: "Scopes"))
     GetFindingStatisticsV2Request.add_member(:sort_order, Shapes::ShapeRef.new(shape: SortOrder, location_name: "SortOrder"))
     GetFindingStatisticsV2Request.add_member(:max_statistic_results, Shapes::ShapeRef.new(shape: MaxStatisticResults, location_name: "MaxStatisticResults"))
     GetFindingStatisticsV2Request.struct_class = Types::GetFindingStatisticsV2Request
@@ -6205,6 +6221,7 @@ module Aws::SecurityHub
     GetFindingsTrendsV2Response.struct_class = Types::GetFindingsTrendsV2Response
 
     GetFindingsV2Request.add_member(:filters, Shapes::ShapeRef.new(shape: OcsfFindingFilters, location_name: "Filters"))
+    GetFindingsV2Request.add_member(:scopes, Shapes::ShapeRef.new(shape: FindingScopes, location_name: "Scopes"))
     GetFindingsV2Request.add_member(:sort_criteria, Shapes::ShapeRef.new(shape: SortCriteria, location_name: "SortCriteria"))
     GetFindingsV2Request.add_member(:next_token, Shapes::ShapeRef.new(shape: NextToken, location_name: "NextToken"))
     GetFindingsV2Request.add_member(:max_results, Shapes::ShapeRef.new(shape: MaxResults, location_name: "MaxResults"))
@@ -6247,6 +6264,7 @@ module Aws::SecurityHub
     GetMembersResponse.struct_class = Types::GetMembersResponse
 
     GetResourcesStatisticsV2Request.add_member(:group_by_rules, Shapes::ShapeRef.new(shape: ResourceGroupByRules, required: true, location_name: "GroupByRules"))
+    GetResourcesStatisticsV2Request.add_member(:scopes, Shapes::ShapeRef.new(shape: ResourceScopes, location_name: "Scopes"))
     GetResourcesStatisticsV2Request.add_member(:sort_order, Shapes::ShapeRef.new(shape: SortOrder, location_name: "SortOrder"))
     GetResourcesStatisticsV2Request.add_member(:max_statistic_results, Shapes::ShapeRef.new(shape: MaxStatisticResults, location_name: "MaxStatisticResults"))
     GetResourcesStatisticsV2Request.struct_class = Types::GetResourcesStatisticsV2Request
@@ -6267,6 +6285,7 @@ module Aws::SecurityHub
     GetResourcesTrendsV2Response.struct_class = Types::GetResourcesTrendsV2Response
 
     GetResourcesV2Request.add_member(:filters, Shapes::ShapeRef.new(shape: ResourcesFilters, location_name: "Filters"))
+    GetResourcesV2Request.add_member(:scopes, Shapes::ShapeRef.new(shape: ResourceScopes, location_name: "Scopes"))
     GetResourcesV2Request.add_member(:sort_criteria, Shapes::ShapeRef.new(shape: SortCriteria, location_name: "SortCriteria"))
     GetResourcesV2Request.add_member(:next_token, Shapes::ShapeRef.new(shape: NextToken, location_name: "NextToken"))
     GetResourcesV2Request.add_member(:max_results, Shapes::ShapeRef.new(shape: MaxResults, location_name: "MaxResults"))
@@ -6724,6 +6743,14 @@ module Aws::SecurityHub
     OrganizationConfiguration.add_member(:status_message, Shapes::ShapeRef.new(shape: NonEmptyString, location_name: "StatusMessage"))
     OrganizationConfiguration.struct_class = Types::OrganizationConfiguration
 
+    OrganizationNotFoundException.add_member(:message, Shapes::ShapeRef.new(shape: NonEmptyString, location_name: "Message"))
+    OrganizationNotFoundException.add_member(:code, Shapes::ShapeRef.new(shape: NonEmptyString, location_name: "Code"))
+    OrganizationNotFoundException.struct_class = Types::OrganizationNotFoundException
+
+    OrganizationalUnitNotFoundException.add_member(:message, Shapes::ShapeRef.new(shape: NonEmptyString, location_name: "Message"))
+    OrganizationalUnitNotFoundException.add_member(:code, Shapes::ShapeRef.new(shape: NonEmptyString, location_name: "Code"))
+    OrganizationalUnitNotFoundException.struct_class = Types::OrganizationalUnitNotFoundException
+
     Page.add_member(:page_number, Shapes::ShapeRef.new(shape: Long, location_name: "PageNumber"))
     Page.add_member(:line_range, Shapes::ShapeRef.new(shape: Range, location_name: "LineRange"))
     Page.add_member(:offset_range, Shapes::ShapeRef.new(shape: Range, location_name: "OffsetRange"))
@@ -7065,6 +7092,9 @@ module Aws::SecurityHub
     ResourceResult.add_member(:resource_config, Shapes::ShapeRef.new(shape: ResourceConfig, required: true, location_name: "ResourceConfig"))
     ResourceResult.struct_class = Types::ResourceResult
 
+    ResourceScopes.add_member(:aws_organizations, Shapes::ShapeRef.new(shape: AwsOrganizationScopeList, location_name: "AwsOrganizations"))
+    ResourceScopes.struct_class = Types::ResourceScopes
+
     ResourceSeverityBreakdown.add_member(:other, Shapes::ShapeRef.new(shape: Integer, location_name: "Other"))
     ResourceSeverityBreakdown.add_member(:fatal, Shapes::ShapeRef.new(shape: Integer, location_name: "Fatal"))
     ResourceSeverityBreakdown.add_member(:critical, Shapes::ShapeRef.new(shape: Integer, location_name: "Critical"))
@@ -8753,6 +8783,8 @@ module Aws::SecurityHub
         o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
         o.errors << Shapes::ShapeRef.new(shape: ConflictException)
         o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: OrganizationalUnitNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: OrganizationNotFoundException)
       end)
 
       api.add_operation(:get_findings, Seahorse::Model::Operation.new.tap do |o|
@@ -8802,6 +8834,8 @@ module Aws::SecurityHub
         o.errors << Shapes::ShapeRef.new(shape: AccessDeniedException)
         o.errors << Shapes::ShapeRef.new(shape: ConflictException)
         o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: OrganizationalUnitNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: OrganizationNotFoundException)
         o[:pager] = Aws::Pager.new(
           limit_key: "max_results",
           tokens: {
@@ -8893,6 +8927,8 @@ module Aws::SecurityHub
         o.errors << Shapes::ShapeRef.new(shape: ConflictException)
         o.errors << Shapes::ShapeRef.new(shape: ValidationException)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: OrganizationalUnitNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: OrganizationNotFoundException)
       end)
 
       api.add_operation(:get_resources_trends_v2, Seahorse::Model::Operation.new.tap do |o|
@@ -8925,6 +8961,8 @@ module Aws::SecurityHub
         o.errors << Shapes::ShapeRef.new(shape: ConflictException)
         o.errors << Shapes::ShapeRef.new(shape: ValidationException)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: OrganizationalUnitNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: OrganizationNotFoundException)
         o[:pager] = Aws::Pager.new(
           limit_key: "max_results",
           tokens: {

data/lib/aws-sdk-securityhub/errors.rb

@@ -34,6 +34,8 @@ module Aws::SecurityHub
   # * {InvalidAccessException}
   # * {InvalidInputException}
   # * {LimitExceededException}
+  # * {OrganizationNotFoundException}
+  # * {OrganizationalUnitNotFoundException}
   # * {ResourceConflictException}
   # * {ResourceInUseException}
   # * {ResourceNotFoundException}
@@ -187,6 +189,46 @@ module Aws::SecurityHub
       end
     end
 
+    class OrganizationNotFoundException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::SecurityHub::Types::OrganizationNotFoundException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+
+      # @return [String]
+      def code
+        @code || @data[:code]
+      end
+    end
+
+    class OrganizationalUnitNotFoundException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::SecurityHub::Types::OrganizationalUnitNotFoundException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+
+      # @return [String]
+      def code
+        @code || @data[:code]
+      end
+    end
+
     class ResourceConflictException < ServiceError
 
       # @param [Seahorse::Client::RequestContext] context

data/lib/aws-sdk-securityhub/types.rb

@@ -15220,6 +15220,47 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # Specifies an Organizations scope. Data from the specified organization
+    # or organizational unit is included in the response.
+    #
+    # To scope to a specific organizational unit, provide
+    # `OrganizationalUnitId`. You can optionally include `OrganizationId`.
+    # If you omit `OrganizationId`, Security Hub uses the caller's
+    # organization ID. To scope to the delegated administrator's entire
+    # organization, provide only `OrganizationId`.
+    #
+    # The organization ID and organizational unit must belong to the
+    # delegated administrator's own organization. Each request must use one
+    # scoping approach: either scope to the entire organization by providing
+    # an `AwsOrganizationScope` entry with only `OrganizationId`, or scope
+    # to specific organizational units by providing `AwsOrganizationScope`
+    # entries with `OrganizationalUnitId`. You can't combine both
+    # approaches in the same request.
+    #
+    # @!attribute [rw] organization_id
+    #   The unique identifier (ID) of the organization (for example,
+    #   `o-abcd1234567890`). The organization must be the delegated
+    #   administrator's own organization. If you omit this value and
+    #   provide `OrganizationalUnitId`, Security Hub uses the caller's
+    #   organization ID.
+    #   @return [String]
+    #
+    # @!attribute [rw] organizational_unit_id
+    #   The unique identifier (ID) of the organizational unit (OU) (for
+    #   example, `ou-ab12-cd345678`). The OU must exist within the delegated
+    #   administrator's own organization. When specified, the results
+    #   include only data from accounts in this OU.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/AwsOrganizationScope AWS API Documentation
+    #
+    class AwsOrganizationScope < Struct.new(
+      :organization_id,
+      :organizational_unit_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # An IAM role that is associated with the Amazon RDS DB cluster.
     #
     # @!attribute [rw] role_arn
@@ -22131,14 +22172,14 @@ module Aws::SecurityHub
     # @!attribute [rw] severity_id
     #   The updated value for the normalized severity identifier. The
     #   severity ID is an integer with the allowed enum values \[0, 1, 2, 3,
-    #   4, 5, 99\]. When customer provides the updated severity ID, the
+    #   4, 5, 6, 99\]. When customer provides the updated severity ID, the
     #   string sibling severity will automatically be updated in the
     #   finding.
     #   @return [Integer]
     #
     # @!attribute [rw] status_id
     #   The updated value for the normalized status identifier. The status
-    #   ID is an integer with the allowed enum values \[0, 1, 2, 3, 4, 5, 6,
+    #   ID is an integer with the allowed enum values \[0, 1, 2, 3, 4, 5,
     #   99\]. When customer provides the updated status ID, the string
     #   sibling status will automatically be updated in the finding.
     #   @return [Integer]
@@ -25007,6 +25048,24 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # Defines the data boundary for a findings query. Scopes determine which
+    # organizational units or organizations to retrieve data from.
+    #
+    # @!attribute [rw] aws_organizations
+    #   A list of Organizations scopes to include in the query results. Each
+    #   entry in the list specifies an organization or organizational unit
+    #   to include for the delegated administrator's account. If the list
+    #   specifies multiple entries, the entries are combined using OR logic.
+    #   @return [Array<Types::AwsOrganizationScope>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/FindingScopes AWS API Documentation
+    #
+    class FindingScopes < Struct.new(
+      :aws_organizations)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # A filter structure that contains a logical combination of string
     # filters and nested composite filters for findings trend data.
     #
@@ -25737,6 +25796,22 @@ module Aws::SecurityHub
     #   in a single call.
     #   @return [Array<Types::GroupByRule>]
     #
+    # @!attribute [rw] scopes
+    #   Limits the results to findings from specific organizational units or
+    #   from the delegated administrator's organization. Only the delegated
+    #   administrator account can use this parameter. Other accounts receive
+    #   an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees statistics from all accounts across the entire
+    #   organization. Other accounts see only statistics for their own
+    #   findings.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #   @return [Types::FindingScopes]
+    #
     # @!attribute [rw] sort_order
     #   Orders the aggregation count in descending or ascending order.
     #   Descending order is the default.
@@ -25750,6 +25825,7 @@ module Aws::SecurityHub
     #
     class GetFindingStatisticsV2Request < Struct.new(
       :group_by_rules,
+      :scopes,
       :sort_order,
       :max_statistic_results)
       SENSITIVE = []
@@ -25893,6 +25969,21 @@ module Aws::SecurityHub
     #   up to 20 filters.
     #   @return [Types::OcsfFindingFilters]
     #
+    # @!attribute [rw] scopes
+    #   Limits the results to findings from specific organizational units or
+    #   from the delegated administrator's organization. Only the delegated
+    #   administrator account can use this parameter. Other accounts receive
+    #   an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees findings from all accounts across the entire
+    #   organization. Other accounts see only their own findings.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #   @return [Types::FindingScopes]
+    #
     # @!attribute [rw] sort_criteria
     #   The finding attributes used to sort the list of returned findings.
     #   @return [Array<Types::SortCriterion>]
@@ -25912,6 +26003,7 @@ module Aws::SecurityHub
     #
     class GetFindingsV2Request < Struct.new(
       :filters,
+      :scopes,
       :sort_criteria,
       :next_token,
       :max_results)
@@ -26083,6 +26175,22 @@ module Aws::SecurityHub
     #   response.
     #   @return [Array<Types::ResourceGroupByRule>]
     #
+    # @!attribute [rw] scopes
+    #   Limits the results to resources from specific organizational units
+    #   or from the delegated administrator's organization. Only the
+    #   delegated administrator account can use this parameter. Other
+    #   accounts receive an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees statistics from all accounts across the entire
+    #   organization. Other accounts see only statistics for their own
+    #   resources.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #   @return [Types::ResourceScopes]
+    #
     # @!attribute [rw] sort_order
     #   Sorts aggregated statistics.
     #   @return [String]
@@ -26095,6 +26203,7 @@ module Aws::SecurityHub
     #
     class GetResourcesStatisticsV2Request < Struct.new(
       :group_by_rules,
+      :scopes,
       :sort_order,
       :max_statistic_results)
       SENSITIVE = []
@@ -26179,8 +26288,23 @@ module Aws::SecurityHub
     #   Filters resources based on a set of criteria.
     #   @return [Types::ResourcesFilters]
     #
+    # @!attribute [rw] scopes
+    #   Limits the results to resources from specific organizational units
+    #   or from the delegated administrator's organization. Only the
+    #   delegated administrator account can use this parameter. Other
+    #   accounts receive an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees resources from all accounts across the entire
+    #   organization. Other accounts see only their own resources.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #   @return [Types::ResourceScopes]
+    #
     # @!attribute [rw] sort_criteria
-    #   The finding attributes used to sort the list of returned findings.
+    #   The resource attributes used to sort the list of returned resources.
     #   @return [Array<Types::SortCriterion>]
     #
     # @!attribute [rw] next_token
@@ -26198,6 +26322,7 @@ module Aws::SecurityHub
     #
     class GetResourcesV2Request < Struct.new(
       :filters,
+      :scopes,
       :sort_criteria,
       :next_token,
       :max_results)
@@ -26206,7 +26331,7 @@ module Aws::SecurityHub
     end
 
     # @!attribute [rw] resources
-    #   Filters resources based on a set of criteria.
+    #   An array of resources returned by the operation.
     #   @return [Array<Types::ResourceResult>]
     #
     # @!attribute [rw] next_token
@@ -28425,6 +28550,42 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # The request failed because one or more organizations specified in the
+    # request don't exist or don't belong to the caller's organization.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @!attribute [rw] code
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/OrganizationNotFoundException AWS API Documentation
+    #
+    class OrganizationNotFoundException < Struct.new(
+      :message,
+      :code)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The request failed because one or more organizational units specified
+    # in the request don't exist within the caller's organization.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @!attribute [rw] code
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/OrganizationalUnitNotFoundException AWS API Documentation
+    #
+    class OrganizationalUnitNotFoundException < Struct.new(
+      :message,
+      :code)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # An occurrence of sensitive data in an Adobe Portable Document Format
     # (PDF) file.
     #
@@ -28956,8 +29117,8 @@ module Aws::SecurityHub
     #   @return [String]
     #
     # @!attribute [rw] marketplace_product_id
-    #   The identifier for the AWS Marketplace product associated with this
-    #   integration.
+    #   The identifier for the Amazon Web Services Marketplace product
+    #   associated with this integration.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ProductV2 AWS API Documentation
@@ -30081,6 +30242,24 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # Defines the data boundary for a resources query. Scopes determine
+    # which organizational units or organizations to retrieve data from.
+    #
+    # @!attribute [rw] aws_organizations
+    #   A list of Organizations scopes to include in the query results. Each
+    #   entry in the list specifies an organization or organizational unit
+    #   to include for the delegated administrator's account. If the list
+    #   specifies multiple entries, the entries are combined using OR logic.
+    #   @return [Array<Types::AwsOrganizationScope>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ResourceScopes AWS API Documentation
+    #
+    class ResourceScopes < Struct.new(
+      :aws_organizations)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # A comprehensive distribution of security findings by severity level
     # for Amazon Web Services resources.
     #
@@ -32564,7 +32743,7 @@ module Aws::SecurityHub
     #   `CONTAINS` and `NOT_CONTAINS` operators can be used only with
     #   automation rules V1. `CONTAINS_WORD` operator is only supported in
     #   `GetFindingsV2`, `GetFindingStatisticsV2`, `GetResourcesV2`, and
-    #   `GetResourceStatisticsV2` APIs. For more information, see
+    #   `GetResourcesStatisticsV2` APIs. For more information, see
     #   [Automation rules][1] in the *Security Hub CSPM User Guide*.
     #
     #

data/lib/aws-sdk-securityhub.rb

@@ -54,7 +54,7 @@ module Aws::SecurityHub
   autoload :EndpointProvider, 'aws-sdk-securityhub/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-securityhub/endpoints'
 
-  GEM_VERSION = '1.153.0'
+  GEM_VERSION = '1.154.0'
 
 end
 

data/sig/client.rbs

@@ -6623,6 +6623,14 @@ module Aws
                                            group_by_field: ("activity_name" | "cloud.account.uid" | "cloud.provider" | "cloud.region" | "compliance.assessments.name" | "compliance.status" | "compliance.control" | "finding_info.title" | "finding_info.related_events.traits.category" | "finding_info.types" | "metadata.product.name" | "metadata.product.uid" | "resources.type" | "resources.uid" | "severity" | "status" | "vulnerabilities.fix_coverage" | "class_name" | "vulnerabilities.affected_packages.name" | "finding_info.analytic.name" | "compliance.standards" | "cloud.account.name" | "vendor_attributes.severity" | "metadata.product.vendor_name")
                                          },
                                        ],
+                                       ?scopes: {
+                                         aws_organizations: Array[
+                                           {
+                                             organization_id: ::String?,
+                                             organizational_unit_id: ::String?
+                                           },
+                                         ]?
+                                       },
                                        ?sort_order: ("asc" | "desc"),
                                        ?max_statistic_results: ::Integer
                                      ) -> _GetFindingStatisticsV2ResponseSuccess
@@ -7451,6 +7459,14 @@ module Aws
                                ]?,
                                composite_operator: ("AND" | "OR")?
                              },
+                             ?scopes: {
+                               aws_organizations: Array[
+                                 {
+                                   organization_id: ::String?,
+                                   organizational_unit_id: ::String?
+                                 },
+                               ]?
+                             },
                              ?sort_criteria: Array[
                                {
                                  field: ::String?,
@@ -7578,6 +7594,14 @@ module Aws
                                              }?
                                            },
                                          ],
+                                         ?scopes: {
+                                           aws_organizations: Array[
+                                             {
+                                               organization_id: ::String?,
+                                               organizational_unit_id: ::String?
+                                             },
+                                           ]?
+                                         },
                                          ?sort_order: ("asc" | "desc"),
                                          ?max_statistic_results: ::Integer
                                        ) -> _GetResourcesStatisticsV2ResponseSuccess
@@ -7676,6 +7700,14 @@ module Aws
                                 ]?,
                                 composite_operator: ("AND" | "OR")?
                               },
+                              ?scopes: {
+                                aws_organizations: Array[
+                                  {
+                                    organization_id: ::String?,
+                                    organizational_unit_id: ::String?
+                                  },
+                                ]?
+                              },
                               ?sort_criteria: Array[
                                 {
                                   field: ::String?,

data/sig/errors.rbs

@@ -39,6 +39,14 @@ module Aws
         def message: () -> ::String
         def code: () -> ::String
       end
+      class OrganizationNotFoundException < ::Aws::Errors::ServiceError
+        def message: () -> ::String
+        def code: () -> ::String
+      end
+      class OrganizationalUnitNotFoundException < ::Aws::Errors::ServiceError
+        def message: () -> ::String
+        def code: () -> ::String
+      end
       class ResourceConflictException < ::Aws::Errors::ServiceError
         def message: () -> ::String
         def code: () -> ::String

data/sig/types.rbs

@@ -3367,6 +3367,12 @@ module Aws::SecurityHub
       SENSITIVE: []
     end
 
+    class AwsOrganizationScope
+      attr_accessor organization_id: ::String
+      attr_accessor organizational_unit_id: ::String
+      SENSITIVE: []
+    end
+
     class AwsRdsDbClusterAssociatedRole
       attr_accessor role_arn: ::String
       attr_accessor status: ::String
@@ -5596,6 +5602,11 @@ module Aws::SecurityHub
       SENSITIVE: []
     end
 
+    class FindingScopes
+      attr_accessor aws_organizations: ::Array[Types::AwsOrganizationScope]
+      SENSITIVE: []
+    end
+
     class FindingsTrendsCompositeFilter
       attr_accessor string_filters: ::Array[Types::FindingsTrendsStringFilter]
       attr_accessor nested_composite_filters: ::Array[Types::FindingsTrendsCompositeFilter]
@@ -5787,6 +5798,7 @@ module Aws::SecurityHub
 
     class GetFindingStatisticsV2Request
       attr_accessor group_by_rules: ::Array[Types::GroupByRule]
+      attr_accessor scopes: Types::FindingScopes
       attr_accessor sort_order: ("asc" | "desc")
       attr_accessor max_statistic_results: ::Integer
       SENSITIVE: []
@@ -5829,6 +5841,7 @@ module Aws::SecurityHub
 
     class GetFindingsV2Request
       attr_accessor filters: Types::OcsfFindingFilters
+      attr_accessor scopes: Types::FindingScopes
       attr_accessor sort_criteria: ::Array[Types::SortCriterion]
       attr_accessor next_token: ::String
       attr_accessor max_results: ::Integer
@@ -5893,6 +5906,7 @@ module Aws::SecurityHub
 
     class GetResourcesStatisticsV2Request
       attr_accessor group_by_rules: ::Array[Types::ResourceGroupByRule]
+      attr_accessor scopes: Types::ResourceScopes
       attr_accessor sort_order: ("asc" | "desc")
       attr_accessor max_statistic_results: ::Integer
       SENSITIVE: []
@@ -5921,6 +5935,7 @@ module Aws::SecurityHub
 
     class GetResourcesV2Request
       attr_accessor filters: Types::ResourcesFilters
+      attr_accessor scopes: Types::ResourceScopes
       attr_accessor sort_criteria: ::Array[Types::SortCriterion]
       attr_accessor next_token: ::String
       attr_accessor max_results: ::Integer
@@ -6487,6 +6502,18 @@ module Aws::SecurityHub
       SENSITIVE: []
     end
 
+    class OrganizationNotFoundException
+      attr_accessor message: ::String
+      attr_accessor code: ::String
+      SENSITIVE: []
+    end
+
+    class OrganizationalUnitNotFoundException
+      attr_accessor message: ::String
+      attr_accessor code: ::String
+      SENSITIVE: []
+    end
+
     class Page
       attr_accessor page_number: ::Integer
       attr_accessor line_range: Types::Range
@@ -6885,6 +6912,11 @@ module Aws::SecurityHub
       SENSITIVE: []
     end
 
+    class ResourceScopes
+      attr_accessor aws_organizations: ::Array[Types::AwsOrganizationScope]
+      SENSITIVE: []
+    end
+
     class ResourceSeverityBreakdown
       attr_accessor other: ::Integer
       attr_accessor fatal: ::Integer

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-securityhub
 version: !ruby/object:Gem::Version
-  version: 1.153.0
+  version: 1.154.0
 platform: ruby
 authors:
 - Amazon Web Services