aws-sdk-securityhub 1.153.0 → 1.155.0

data/lib/aws-sdk-securityhub/client.rb

@@ -929,21 +929,25 @@ module Aws::SecurityHub
     #   resp.rules[0].criteria.first_observed_at[0].end #=> String
     #   resp.rules[0].criteria.first_observed_at[0].date_range.value #=> Integer
     #   resp.rules[0].criteria.first_observed_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.rules[0].criteria.first_observed_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.rules[0].criteria.last_observed_at #=> Array
     #   resp.rules[0].criteria.last_observed_at[0].start #=> String
     #   resp.rules[0].criteria.last_observed_at[0].end #=> String
     #   resp.rules[0].criteria.last_observed_at[0].date_range.value #=> Integer
     #   resp.rules[0].criteria.last_observed_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.rules[0].criteria.last_observed_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.rules[0].criteria.created_at #=> Array
     #   resp.rules[0].criteria.created_at[0].start #=> String
     #   resp.rules[0].criteria.created_at[0].end #=> String
     #   resp.rules[0].criteria.created_at[0].date_range.value #=> Integer
     #   resp.rules[0].criteria.created_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.rules[0].criteria.created_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.rules[0].criteria.updated_at #=> Array
     #   resp.rules[0].criteria.updated_at[0].start #=> String
     #   resp.rules[0].criteria.updated_at[0].end #=> String
     #   resp.rules[0].criteria.updated_at[0].date_range.value #=> Integer
     #   resp.rules[0].criteria.updated_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.rules[0].criteria.updated_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.rules[0].criteria.confidence #=> Array
     #   resp.rules[0].criteria.confidence[0].gte #=> Float
     #   resp.rules[0].criteria.confidence[0].lte #=> Float
@@ -1026,6 +1030,7 @@ module Aws::SecurityHub
     #   resp.rules[0].criteria.note_updated_at[0].end #=> String
     #   resp.rules[0].criteria.note_updated_at[0].date_range.value #=> Integer
     #   resp.rules[0].criteria.note_updated_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.rules[0].criteria.note_updated_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.rules[0].criteria.note_updated_by #=> Array
     #   resp.rules[0].criteria.note_updated_by[0].value #=> String
     #   resp.rules[0].criteria.note_updated_by[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS", "CONTAINS_WORD"
@@ -1622,6 +1627,7 @@ module Aws::SecurityHub
     #               date_range: {
     #                 value: 1,
     #                 unit: "DAYS", # accepts DAYS
+    #                 comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #               },
     #             },
     #           ],
@@ -1632,6 +1638,7 @@ module Aws::SecurityHub
     #               date_range: {
     #                 value: 1,
     #                 unit: "DAYS", # accepts DAYS
+    #                 comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #               },
     #             },
     #           ],
@@ -1642,6 +1649,7 @@ module Aws::SecurityHub
     #               date_range: {
     #                 value: 1,
     #                 unit: "DAYS", # accepts DAYS
+    #                 comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #               },
     #             },
     #           ],
@@ -1652,6 +1660,7 @@ module Aws::SecurityHub
     #               date_range: {
     #                 value: 1,
     #                 unit: "DAYS", # accepts DAYS
+    #                 comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #               },
     #             },
     #           ],
@@ -1808,6 +1817,7 @@ module Aws::SecurityHub
     #               date_range: {
     #                 value: 1,
     #                 unit: "DAYS", # accepts DAYS
+    #                 comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #               },
     #             },
     #           ],
@@ -2131,17 +2141,30 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
-    # Used by customers to update information about their investigation into
-    # a finding. Requested by delegated administrator accounts or member
-    # accounts. Delegated administrator accounts can update findings for
-    # their account and their member accounts. Member accounts can update
-    # findings for their account. `BatchUpdateFindings` and
-    # `BatchUpdateFindingV2` both use `securityhub:BatchUpdateFindings` in
-    # the `Action` element of an IAM policy statement. You must have
-    # permission to perform the `securityhub:BatchUpdateFindings` action.
+    # Updates information about a customer's investigation into a finding.
+    # Delegated administrator accounts can update findings for their account
+    # and their member accounts. Member accounts can update findings for
+    # their own account.
+    #
+    # `BatchUpdateFindings` and `BatchUpdateFindingsV2` both use
+    # `securityhub:BatchUpdateFindings` in the `Action` element of an IAM
+    # policy statement. You must have permission to perform the
+    # `securityhub:BatchUpdateFindings` action. You can configure IAM
+    # policies to restrict access to specific finding fields or field values
+    # by using the `securityhub:OCSFSyntaxPath/<fieldName>` condition key,
+    # where `<fieldName>` is one of the following supported fields:
+    # `SeverityId`, `StatusId`, or `Comment`.
+    #
+    # To prevent a user from updating a specific field, use a `Null`
+    # condition with `securityhub:OCSFSyntaxPath/<fieldName>` set to
+    # `"false"`. To prevent a user from setting a field to a specific value,
+    # use a `StringEquals` condition with
+    # `securityhub:OCSFSyntaxPath/<fieldName>` set to the disallowed value
+    # or list of values.
+    #
     # Updates from `BatchUpdateFindingsV2` don't affect the value of
-    # f`inding_info.modified_time`, `finding_info.modified_time_dt`, `time`,
-    # `time_dt for a finding`.
+    # `finding_info.modified_time`, `finding_info.modified_time_dt`, `time`,
+    # or `time_dt` for a finding.
     #
     # @option params [Array<String>] :metadata_uids
     #   The list of finding `metadata.uid` to indicate findings to update.
@@ -2158,14 +2181,14 @@ module Aws::SecurityHub
     #
     # @option params [Integer] :severity_id
     #   The updated value for the normalized severity identifier. The severity
-    #   ID is an integer with the allowed enum values \[0, 1, 2, 3, 4, 5,
+    #   ID is an integer with the allowed enum values \[0, 1, 2, 3, 4, 5, 6,
     #   99\]. When customer provides the updated severity ID, the string
     #   sibling severity will automatically be updated in the finding.
     #
     # @option params [Integer] :status_id
     #   The updated value for the normalized status identifier. The status ID
-    #   is an integer with the allowed enum values \[0, 1, 2, 3, 4, 5, 6,
-    #   99\]. When customer provides the updated status ID, the string sibling
+    #   is an integer with the allowed enum values \[0, 1, 2, 3, 4, 5, 99\].
+    #   When customer provides the updated status ID, the string sibling
     #   status will automatically be updated in the finding.
     #
     # @return [Types::BatchUpdateFindingsV2Response] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
@@ -2574,6 +2597,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -2584,6 +2608,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -2594,6 +2619,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -2604,6 +2630,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -2760,6 +2787,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -2905,6 +2933,7 @@ module Aws::SecurityHub
     #                   date_range: {
     #                     value: 1,
     #                     unit: "DAYS", # accepts DAYS
+    #                     comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #                   },
     #                 },
     #               },
@@ -3467,6 +3496,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -3477,6 +3507,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -3487,6 +3518,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -3497,6 +3529,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -3721,6 +3754,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -3731,6 +3765,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -3759,6 +3794,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -3858,6 +3894,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -3898,6 +3935,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -3932,6 +3970,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -3997,6 +4036,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -5700,6 +5740,31 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
+    # Begins the recommended policy generation to remediate a Security Hub
+    # finding. `GenerateRecommendedPolicyV2` only supports findings for
+    # unused permissions.
+    #
+    # @option params [required, String] :metadata_uid
+    #   The unique identifier (ID) of Security Hub OCSF findings found under
+    #   the `metadata.uid` field of the finding.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.generate_recommended_policy_v2({
+    #     metadata_uid: "NonEmptyString", # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GenerateRecommendedPolicyV2 AWS API Documentation
+    #
+    # @overload generate_recommended_policy_v2(params = {})
+    # @param [Hash] params ({})
+    def generate_recommended_policy_v2(params = {}, options = {})
+      req = build_request(:generate_recommended_policy_v2, params)
+      req.send_request(options)
+    end
+
     # Provides the details for the Security Hub CSPM administrator account
     # for the current member account.
     #
@@ -5822,6 +5887,7 @@ module Aws::SecurityHub
     #   resp.criteria.ocsf_finding_criteria.composite_filters[0].date_filters[0].filter.end #=> String
     #   resp.criteria.ocsf_finding_criteria.composite_filters[0].date_filters[0].filter.date_range.value #=> Integer
     #   resp.criteria.ocsf_finding_criteria.composite_filters[0].date_filters[0].filter.date_range.unit #=> String, one of "DAYS"
+    #   resp.criteria.ocsf_finding_criteria.composite_filters[0].date_filters[0].filter.date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.criteria.ocsf_finding_criteria.composite_filters[0].boolean_filters #=> Array
     #   resp.criteria.ocsf_finding_criteria.composite_filters[0].boolean_filters[0].field_name #=> String, one of "compliance.assessments.meets_criteria", "vulnerabilities.is_exploit_available", "vulnerabilities.is_fix_available"
     #   resp.criteria.ocsf_finding_criteria.composite_filters[0].boolean_filters[0].filter.value #=> Boolean
@@ -6400,15 +6466,37 @@ module Aws::SecurityHub
     end
 
     # Returns aggregated statistical data about findings.
-    # `GetFindingStatisticsV2` use `securityhub:GetAdhocInsightResults` in
+    #
+    # You can use the `Scopes` parameter to define the data boundary for the
+    # query. Currently, `Scopes` supports `AwsOrganizations`, which lets you
+    # aggregate findings from your entire organization or from specific
+    # organizational units. Only the delegated administrator account can use
+    # `Scopes`.
+    #
+    # `GetFindingStatisticsV2` uses `securityhub:GetAdhocInsightResults` in
     # the `Action` element of an IAM policy statement. You must have
-    # permission to perform the `s` action.
+    # permission to perform the `securityhub:GetAdhocInsightResults` action.
     #
     # @option params [required, Array<Types::GroupByRule>] :group_by_rules
     #   Specifies how security findings should be aggregated and organized in
     #   the statistical analysis. It can accept up to 5 `groupBy` fields in a
     #   single call.
     #
+    # @option params [Types::FindingScopes] :scopes
+    #   Limits the results to findings from specific organizational units or
+    #   from the delegated administrator's organization. Only the delegated
+    #   administrator account can use this parameter. Other accounts receive
+    #   an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees statistics from all accounts across the entire
+    #   organization. Other accounts see only statistics for their own
+    #   findings.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #
     # @option params [String] :sort_order
     #   Orders the aggregation count in descending or ascending order.
     #   Descending order is the default.
@@ -6446,6 +6534,7 @@ module Aws::SecurityHub
     #                     date_range: {
     #                       value: 1,
     #                       unit: "DAYS", # accepts DAYS
+    #                       comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #                     },
     #                   },
     #                 },
@@ -6499,6 +6588,14 @@ module Aws::SecurityHub
     #         group_by_field: "activity_name", # required, accepts activity_name, cloud.account.uid, cloud.provider, cloud.region, compliance.assessments.name, compliance.status, compliance.control, finding_info.title, finding_info.related_events.traits.category, finding_info.types, metadata.product.name, metadata.product.uid, resources.type, resources.uid, severity, status, vulnerabilities.fix_coverage, class_name, vulnerabilities.affected_packages.name, finding_info.analytic.name, compliance.standards, cloud.account.name, vendor_attributes.severity, metadata.product.vendor_name
     #       },
     #     ],
+    #     scopes: {
+    #       aws_organizations: [
+    #         {
+    #           organization_id: "NonEmptyString",
+    #           organizational_unit_id: "NonEmptyString",
+    #         },
+    #       ],
+    #     },
     #     sort_order: "asc", # accepts asc, desc
     #     max_statistic_results: 1,
     #   })
@@ -6714,6 +6811,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -6724,6 +6822,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -6734,6 +6833,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -6744,6 +6844,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -6968,6 +7069,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -6978,6 +7080,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -7006,6 +7109,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -7105,6 +7209,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -7145,6 +7250,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -7179,6 +7285,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -7244,6 +7351,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -7469,7 +7577,19 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
-    # Return a list of findings that match the specified criteria.
+    # Returns a list of findings that match the specified criteria.
+    #
+    # You can use the `Scopes` parameter to define the data boundary for the
+    # query. Currently, `Scopes` supports `AwsOrganizations`, which lets you
+    # retrieve findings from your entire organization or from specific
+    # organizational units. Only the delegated administrator account can use
+    # `Scopes`.
+    #
+    # You can use the `Filters` parameter to refine results based on finding
+    # attributes. You can use `Scopes` and `Filters` independently or
+    # together. When both are provided, `Scopes` narrows the data set first,
+    # and then `Filters` refines results within that scoped data set.
+    #
     # `GetFindings` and `GetFindingsV2` both use `securityhub:GetFindings`
     # in the `Action` element of an IAM policy statement. You must have
     # permission to perform the `securityhub:GetFindings` action.
@@ -7480,6 +7600,20 @@ module Aws::SecurityHub
     #   each filter type inside of a composite filter, you can provide up to
     #   20 filters.
     #
+    # @option params [Types::FindingScopes] :scopes
+    #   Limits the results to findings from specific organizational units or
+    #   from the delegated administrator's organization. Only the delegated
+    #   administrator account can use this parameter. Other accounts receive
+    #   an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees findings from all accounts across the entire
+    #   organization. Other accounts see only their own findings.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #
     # @option params [Array<Types::SortCriterion>] :sort_criteria
     #   The finding attributes used to sort the list of returned findings.
     #
@@ -7523,6 +7657,7 @@ module Aws::SecurityHub
     #                 date_range: {
     #                   value: 1,
     #                   unit: "DAYS", # accepts DAYS
+    #                   comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #                 },
     #               },
     #             },
@@ -7573,6 +7708,14 @@ module Aws::SecurityHub
     #       ],
     #       composite_operator: "AND", # accepts AND, OR
     #     },
+    #     scopes: {
+    #       aws_organizations: [
+    #         {
+    #           organization_id: "NonEmptyString",
+    #           organizational_unit_id: "NonEmptyString",
+    #         },
+    #       ],
+    #     },
     #     sort_criteria: [
     #       {
     #         field: "NonEmptyString",
@@ -7754,21 +7897,25 @@ module Aws::SecurityHub
     #   resp.insights[0].filters.first_observed_at[0].end #=> String
     #   resp.insights[0].filters.first_observed_at[0].date_range.value #=> Integer
     #   resp.insights[0].filters.first_observed_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.insights[0].filters.first_observed_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.insights[0].filters.last_observed_at #=> Array
     #   resp.insights[0].filters.last_observed_at[0].start #=> String
     #   resp.insights[0].filters.last_observed_at[0].end #=> String
     #   resp.insights[0].filters.last_observed_at[0].date_range.value #=> Integer
     #   resp.insights[0].filters.last_observed_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.insights[0].filters.last_observed_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.insights[0].filters.created_at #=> Array
     #   resp.insights[0].filters.created_at[0].start #=> String
     #   resp.insights[0].filters.created_at[0].end #=> String
     #   resp.insights[0].filters.created_at[0].date_range.value #=> Integer
     #   resp.insights[0].filters.created_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.insights[0].filters.created_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.insights[0].filters.updated_at #=> Array
     #   resp.insights[0].filters.updated_at[0].start #=> String
     #   resp.insights[0].filters.updated_at[0].end #=> String
     #   resp.insights[0].filters.updated_at[0].date_range.value #=> Integer
     #   resp.insights[0].filters.updated_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.insights[0].filters.updated_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.insights[0].filters.severity_product #=> Array
     #   resp.insights[0].filters.severity_product[0].gte #=> Float
     #   resp.insights[0].filters.severity_product[0].lte #=> Float
@@ -7892,11 +8039,13 @@ module Aws::SecurityHub
     #   resp.insights[0].filters.process_launched_at[0].end #=> String
     #   resp.insights[0].filters.process_launched_at[0].date_range.value #=> Integer
     #   resp.insights[0].filters.process_launched_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.insights[0].filters.process_launched_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.insights[0].filters.process_terminated_at #=> Array
     #   resp.insights[0].filters.process_terminated_at[0].start #=> String
     #   resp.insights[0].filters.process_terminated_at[0].end #=> String
     #   resp.insights[0].filters.process_terminated_at[0].date_range.value #=> Integer
     #   resp.insights[0].filters.process_terminated_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.insights[0].filters.process_terminated_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.insights[0].filters.threat_intel_indicator_type #=> Array
     #   resp.insights[0].filters.threat_intel_indicator_type[0].value #=> String
     #   resp.insights[0].filters.threat_intel_indicator_type[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS", "CONTAINS_WORD"
@@ -7911,6 +8060,7 @@ module Aws::SecurityHub
     #   resp.insights[0].filters.threat_intel_indicator_last_observed_at[0].end #=> String
     #   resp.insights[0].filters.threat_intel_indicator_last_observed_at[0].date_range.value #=> Integer
     #   resp.insights[0].filters.threat_intel_indicator_last_observed_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.insights[0].filters.threat_intel_indicator_last_observed_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.insights[0].filters.threat_intel_indicator_source #=> Array
     #   resp.insights[0].filters.threat_intel_indicator_source[0].value #=> String
     #   resp.insights[0].filters.threat_intel_indicator_source[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS", "CONTAINS_WORD"
@@ -7960,6 +8110,7 @@ module Aws::SecurityHub
     #   resp.insights[0].filters.resource_aws_ec2_instance_launched_at[0].end #=> String
     #   resp.insights[0].filters.resource_aws_ec2_instance_launched_at[0].date_range.value #=> Integer
     #   resp.insights[0].filters.resource_aws_ec2_instance_launched_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.insights[0].filters.resource_aws_ec2_instance_launched_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.insights[0].filters.resource_aws_s3_bucket_owner_id #=> Array
     #   resp.insights[0].filters.resource_aws_s3_bucket_owner_id[0].value #=> String
     #   resp.insights[0].filters.resource_aws_s3_bucket_owner_id[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS", "CONTAINS_WORD"
@@ -7980,6 +8131,7 @@ module Aws::SecurityHub
     #   resp.insights[0].filters.resource_aws_iam_access_key_created_at[0].end #=> String
     #   resp.insights[0].filters.resource_aws_iam_access_key_created_at[0].date_range.value #=> Integer
     #   resp.insights[0].filters.resource_aws_iam_access_key_created_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.insights[0].filters.resource_aws_iam_access_key_created_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.insights[0].filters.resource_aws_iam_user_user_name #=> Array
     #   resp.insights[0].filters.resource_aws_iam_user_user_name[0].value #=> String
     #   resp.insights[0].filters.resource_aws_iam_user_user_name[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS", "CONTAINS_WORD"
@@ -7997,6 +8149,7 @@ module Aws::SecurityHub
     #   resp.insights[0].filters.resource_container_launched_at[0].end #=> String
     #   resp.insights[0].filters.resource_container_launched_at[0].date_range.value #=> Integer
     #   resp.insights[0].filters.resource_container_launched_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.insights[0].filters.resource_container_launched_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.insights[0].filters.resource_details_other #=> Array
     #   resp.insights[0].filters.resource_details_other[0].key #=> String
     #   resp.insights[0].filters.resource_details_other[0].value #=> String
@@ -8030,6 +8183,7 @@ module Aws::SecurityHub
     #   resp.insights[0].filters.note_updated_at[0].end #=> String
     #   resp.insights[0].filters.note_updated_at[0].date_range.value #=> Integer
     #   resp.insights[0].filters.note_updated_at[0].date_range.unit #=> String, one of "DAYS"
+    #   resp.insights[0].filters.note_updated_at[0].date_range.comparison #=> String, one of "WITHIN", "OLDER_THAN"
     #   resp.insights[0].filters.note_updated_by #=> Array
     #   resp.insights[0].filters.note_updated_by[0].value #=> String
     #   resp.insights[0].filters.note_updated_by[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS", "CONTAINS_WORD"
@@ -8271,13 +8425,95 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
+    # Retrieves the recommended policy to remediate a Security Hub finding.
+    # `GetRecommendedPolicyV2` only supports findings for unused
+    # permissions.
+    #
+    # @option params [required, String] :metadata_uid
+    #   The unique identifier (ID) of Security Hub OCSF findings found under
+    #   the `metadata.uid` field of the finding.
+    #
+    # @option params [String] :next_token
+    #   The token used to paginate the `RecommendationSteps` list returned. On
+    #   your first call to `GetRecommendedPolicyV2`, omit this parameter or
+    #   set it to `NULL`. For subsequent calls, use the `NextToken` value
+    #   returned in the previous response to retrieve the next page of
+    #   results.
+    #
+    # @option params [Integer] :max_results
+    #   The maximum number of recommendation steps to return.
+    #
+    # @return [Types::GetRecommendedPolicyV2Response] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetRecommendedPolicyV2Response#next_token #next_token} => String
+    #   * {Types::GetRecommendedPolicyV2Response#recommendation_type #recommendation_type} => String
+    #   * {Types::GetRecommendedPolicyV2Response#recommendation_steps #recommendation_steps} => Array&lt;Types::RecommendationStep&gt;
+    #   * {Types::GetRecommendedPolicyV2Response#error #error} => Types::RecommendationError
+    #   * {Types::GetRecommendedPolicyV2Response#status #status} => String
+    #   * {Types::GetRecommendedPolicyV2Response#resource_arn #resource_arn} => String
+    #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_recommended_policy_v2({
+    #     metadata_uid: "NonEmptyString", # required
+    #     next_token: "NextToken",
+    #     max_results: 1,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.next_token #=> String
+    #   resp.recommendation_type #=> String, one of "UNUSED_PERMISSION_RECOMMENDATION"
+    #   resp.recommendation_steps #=> Array
+    #   resp.recommendation_steps[0].unused_permissions.recommended_action #=> String
+    #   resp.recommendation_steps[0].unused_permissions.existing_policy #=> String
+    #   resp.recommendation_steps[0].unused_permissions.existing_policy_id #=> String
+    #   resp.recommendation_steps[0].unused_permissions.policy_updated_at #=> Time
+    #   resp.recommendation_steps[0].unused_permissions.recommended_policy #=> String
+    #   resp.error.code #=> String
+    #   resp.error.message #=> String
+    #   resp.status #=> String, one of "IN_PROGRESS", "SUCCEEDED", "FAILED"
+    #   resp.resource_arn #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetRecommendedPolicyV2 AWS API Documentation
+    #
+    # @overload get_recommended_policy_v2(params = {})
+    # @param [Hash] params ({})
+    def get_recommended_policy_v2(params = {}, options = {})
+      req = build_request(:get_recommended_policy_v2, params)
+      req.send_request(options)
+    end
+
     # Retrieves statistical information about Amazon Web Services resources
     # and their associated security findings.
     #
+    # You can use the `Scopes` parameter to define the data boundary for the
+    # query. Currently, `Scopes` supports `AwsOrganizations`, which lets you
+    # aggregate resources from your entire organization or from specific
+    # organizational units. Only the delegated administrator account can use
+    # `Scopes`.
+    #
     # @option params [required, Array<Types::ResourceGroupByRule>] :group_by_rules
     #   How resource statistics should be aggregated and organized in the
     #   response.
     #
+    # @option params [Types::ResourceScopes] :scopes
+    #   Limits the results to resources from specific organizational units or
+    #   from the delegated administrator's organization. Only the delegated
+    #   administrator account can use this parameter. Other accounts receive
+    #   an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees statistics from all accounts across the entire
+    #   organization. Other accounts see only statistics for their own
+    #   resources.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #
     # @option params [String] :sort_order
     #   Sorts aggregated statistics.
     #
@@ -8315,6 +8551,7 @@ module Aws::SecurityHub
     #                     date_range: {
     #                       value: 1,
     #                       unit: "DAYS", # accepts DAYS
+    #                       comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #                     },
     #                   },
     #                 },
@@ -8351,6 +8588,14 @@ module Aws::SecurityHub
     #         },
     #       },
     #     ],
+    #     scopes: {
+    #       aws_organizations: [
+    #         {
+    #           organization_id: "NonEmptyString",
+    #           organizational_unit_id: "NonEmptyString",
+    #         },
+    #       ],
+    #     },
     #     sort_order: "asc", # accepts asc, desc
     #     max_statistic_results: 1,
     #   })
@@ -8451,11 +8696,36 @@ module Aws::SecurityHub
 
     # Returns a list of resources.
     #
+    # You can use the `Scopes` parameter to define the data boundary for the
+    # query. Currently, `Scopes` supports `AwsOrganizations`, which lets you
+    # retrieve resources from your entire organization or from specific
+    # organizational units. Only the delegated administrator account can use
+    # `Scopes`.
+    #
+    # You can use the `Filters` parameter to refine results based on
+    # resource attributes. You can use `Scopes` and `Filters` independently
+    # or together. When both are provided, `Scopes` narrows the data set
+    # first, and then `Filters` refines results within that scoped data set.
+    #
     # @option params [Types::ResourcesFilters] :filters
     #   Filters resources based on a set of criteria.
     #
+    # @option params [Types::ResourceScopes] :scopes
+    #   Limits the results to resources from specific organizational units or
+    #   from the delegated administrator's organization. Only the delegated
+    #   administrator account can use this parameter. Other accounts receive
+    #   an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees resources from all accounts across the entire
+    #   organization. Other accounts see only their own resources.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #
     # @option params [Array<Types::SortCriterion>] :sort_criteria
-    #   The finding attributes used to sort the list of returned findings.
+    #   The resource attributes used to sort the list of returned resources.
     #
     # @option params [String] :next_token
     #   The token required for pagination. On your first call, set the value
@@ -8497,6 +8767,7 @@ module Aws::SecurityHub
     #                 date_range: {
     #                   value: 1,
     #                   unit: "DAYS", # accepts DAYS
+    #                   comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #                 },
     #               },
     #             },
@@ -8531,6 +8802,14 @@ module Aws::SecurityHub
     #       ],
     #       composite_operator: "AND", # accepts AND, OR
     #     },
+    #     scopes: {
+    #       aws_organizations: [
+    #         {
+    #           organization_id: "NonEmptyString",
+    #           organizational_unit_id: "NonEmptyString",
+    #         },
+    #       ],
+    #     },
     #     sort_criteria: [
     #       {
     #         field: "NonEmptyString",
@@ -10208,6 +10487,7 @@ module Aws::SecurityHub
     #                   date_range: {
     #                     value: 1,
     #                     unit: "DAYS", # accepts DAYS
+    #                     comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #                   },
     #                 },
     #               },
@@ -10710,6 +10990,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -10720,6 +11001,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -10730,6 +11012,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -10740,6 +11023,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -10964,6 +11248,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -10974,6 +11259,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11002,6 +11288,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11101,6 +11388,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11141,6 +11429,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11175,6 +11464,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11240,6 +11530,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11468,6 +11759,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11478,6 +11770,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11488,6 +11781,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11498,6 +11792,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11722,6 +12017,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11732,6 +12028,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11760,6 +12057,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11859,6 +12157,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11899,6 +12198,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11933,6 +12233,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -11998,6 +12299,7 @@ module Aws::SecurityHub
     #           date_range: {
     #             value: 1,
     #             unit: "DAYS", # accepts DAYS
+    #             comparison: "WITHIN", # accepts WITHIN, OLDER_THAN
     #           },
     #         },
     #       ],
@@ -12409,7 +12711,7 @@ module Aws::SecurityHub
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-securityhub'
-      context[:gem_version] = '1.153.0'
+      context[:gem_version] = '1.155.0'
       Seahorse::Client::Request.new(handlers, context)
     end