aws-sdk-securityhub 1.153.0 → 1.155.0

data/lib/aws-sdk-securityhub/types.rb

@@ -15220,6 +15220,47 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # Specifies an Organizations scope. Data from the specified organization
+    # or organizational unit is included in the response.
+    #
+    # To scope to a specific organizational unit, provide
+    # `OrganizationalUnitId`. You can optionally include `OrganizationId`.
+    # If you omit `OrganizationId`, Security Hub uses the caller's
+    # organization ID. To scope to the delegated administrator's entire
+    # organization, provide only `OrganizationId`.
+    #
+    # The organization ID and organizational unit must belong to the
+    # delegated administrator's own organization. Each request must use one
+    # scoping approach: either scope to the entire organization by providing
+    # an `AwsOrganizationScope` entry with only `OrganizationId`, or scope
+    # to specific organizational units by providing `AwsOrganizationScope`
+    # entries with `OrganizationalUnitId`. You can't combine both
+    # approaches in the same request.
+    #
+    # @!attribute [rw] organization_id
+    #   The unique identifier (ID) of the organization (for example,
+    #   `o-abcd1234567890`). The organization must be the delegated
+    #   administrator's own organization. If you omit this value and
+    #   provide `OrganizationalUnitId`, Security Hub uses the caller's
+    #   organization ID.
+    #   @return [String]
+    #
+    # @!attribute [rw] organizational_unit_id
+    #   The unique identifier (ID) of the organizational unit (OU) (for
+    #   example, `ou-ab12-cd345678`). The OU must exist within the delegated
+    #   administrator's own organization. When specified, the results
+    #   include only data from accounts in this OU.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/AwsOrganizationScope AWS API Documentation
+    #
+    class AwsOrganizationScope < Struct.new(
+      :organization_id,
+      :organizational_unit_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # An IAM role that is associated with the Amazon RDS DB cluster.
     #
     # @!attribute [rw] role_arn
@@ -22131,14 +22172,14 @@ module Aws::SecurityHub
     # @!attribute [rw] severity_id
     #   The updated value for the normalized severity identifier. The
     #   severity ID is an integer with the allowed enum values \[0, 1, 2, 3,
-    #   4, 5, 99\]. When customer provides the updated severity ID, the
+    #   4, 5, 6, 99\]. When customer provides the updated severity ID, the
     #   string sibling severity will automatically be updated in the
     #   finding.
     #   @return [Integer]
     #
     # @!attribute [rw] status_id
     #   The updated value for the normalized status identifier. The status
-    #   ID is an integer with the allowed enum values \[0, 1, 2, 3, 4, 5, 6,
+    #   ID is an integer with the allowed enum values \[0, 1, 2, 3, 4, 5,
     #   99\]. When customer provides the updated status ID, the string
     #   sibling status will automatically be updated in the finding.
     #   @return [Integer]
@@ -23714,11 +23755,20 @@ module Aws::SecurityHub
     #   A date range unit for the date filter.
     #   @return [String]
     #
+    # @!attribute [rw] comparison
+    #   The condition to apply to a date range filter. If you specify
+    #   `WITHIN`, Security Hub filters for dates within the specified date
+    #   range. If you specify `OLDER_THAN`, Security Hub filters for dates
+    #   before the specified date range. If you don't specify a value, the
+    #   default is `WITHIN`.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/DateRange AWS API Documentation
     #
     class DateRange < Struct.new(
       :value,
-      :unit)
+      :unit,
+      :comparison)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -25007,6 +25057,24 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # Defines the data boundary for a findings query. Scopes determine which
+    # organizational units or organizations to retrieve data from.
+    #
+    # @!attribute [rw] aws_organizations
+    #   A list of Organizations scopes to include in the query results. Each
+    #   entry in the list specifies an organization or organizational unit
+    #   to include for the delegated administrator's account. If the list
+    #   specifies multiple entries, the entries are combined using OR logic.
+    #   @return [Array<Types::AwsOrganizationScope>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/FindingScopes AWS API Documentation
+    #
+    class FindingScopes < Struct.new(
+      :aws_organizations)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # A filter structure that contains a logical combination of string
     # filters and nested composite filters for findings trend data.
     #
@@ -25171,6 +25239,23 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # @!attribute [rw] metadata_uid
+    #   The unique identifier (ID) of Security Hub OCSF findings found under
+    #   the `metadata.uid` field of the finding.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GenerateRecommendedPolicyV2Request AWS API Documentation
+    #
+    class GenerateRecommendedPolicyV2Request < Struct.new(
+      :metadata_uid)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GenerateRecommendedPolicyV2Response AWS API Documentation
+    #
+    class GenerateRecommendedPolicyV2Response < Aws::EmptyStructure; end
+
     # Provides metadata for the Amazon CodeGuru detector associated with a
     # finding. This field pertains to findings that relate to Lambda
     # functions. Amazon Inspector identifies policy violations and
@@ -25737,6 +25822,22 @@ module Aws::SecurityHub
     #   in a single call.
     #   @return [Array<Types::GroupByRule>]
     #
+    # @!attribute [rw] scopes
+    #   Limits the results to findings from specific organizational units or
+    #   from the delegated administrator's organization. Only the delegated
+    #   administrator account can use this parameter. Other accounts receive
+    #   an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees statistics from all accounts across the entire
+    #   organization. Other accounts see only statistics for their own
+    #   findings.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #   @return [Types::FindingScopes]
+    #
     # @!attribute [rw] sort_order
     #   Orders the aggregation count in descending or ascending order.
     #   Descending order is the default.
@@ -25750,6 +25851,7 @@ module Aws::SecurityHub
     #
     class GetFindingStatisticsV2Request < Struct.new(
       :group_by_rules,
+      :scopes,
       :sort_order,
       :max_statistic_results)
       SENSITIVE = []
@@ -25893,6 +25995,21 @@ module Aws::SecurityHub
     #   up to 20 filters.
     #   @return [Types::OcsfFindingFilters]
     #
+    # @!attribute [rw] scopes
+    #   Limits the results to findings from specific organizational units or
+    #   from the delegated administrator's organization. Only the delegated
+    #   administrator account can use this parameter. Other accounts receive
+    #   an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees findings from all accounts across the entire
+    #   organization. Other accounts see only their own findings.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #   @return [Types::FindingScopes]
+    #
     # @!attribute [rw] sort_criteria
     #   The finding attributes used to sort the list of returned findings.
     #   @return [Array<Types::SortCriterion>]
@@ -25912,6 +26029,7 @@ module Aws::SecurityHub
     #
     class GetFindingsV2Request < Struct.new(
       :filters,
+      :scopes,
       :sort_criteria,
       :next_token,
       :max_results)
@@ -26078,11 +26196,91 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # @!attribute [rw] metadata_uid
+    #   The unique identifier (ID) of Security Hub OCSF findings found under
+    #   the `metadata.uid` field of the finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] next_token
+    #   The token used to paginate the `RecommendationSteps` list returned.
+    #   On your first call to `GetRecommendedPolicyV2`, omit this parameter
+    #   or set it to `NULL`. For subsequent calls, use the `NextToken` value
+    #   returned in the previous response to retrieve the next page of
+    #   results.
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of recommendation steps to return.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetRecommendedPolicyV2Request AWS API Documentation
+    #
+    class GetRecommendedPolicyV2Request < Struct.new(
+      :metadata_uid,
+      :next_token,
+      :max_results)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] next_token
+    #   The pagination token to use to request the next page of results.
+    #   @return [String]
+    #
+    # @!attribute [rw] recommendation_type
+    #   The type of recommendation for the finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] recommendation_steps
+    #   The recommended steps to take to resolve the finding.
+    #   @return [Array<Types::RecommendationStep>]
+    #
+    # @!attribute [rw] error
+    #   Detailed information for a `FAILED` retrieval status.
+    #   @return [Types::RecommendationError]
+    #
+    # @!attribute [rw] status
+    #   The current status of the recommended policy retrieval.
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_arn
+    #   The ARN of the resource of the finding.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetRecommendedPolicyV2Response AWS API Documentation
+    #
+    class GetRecommendedPolicyV2Response < Struct.new(
+      :next_token,
+      :recommendation_type,
+      :recommendation_steps,
+      :error,
+      :status,
+      :resource_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] group_by_rules
     #   How resource statistics should be aggregated and organized in the
     #   response.
     #   @return [Array<Types::ResourceGroupByRule>]
     #
+    # @!attribute [rw] scopes
+    #   Limits the results to resources from specific organizational units
+    #   or from the delegated administrator's organization. Only the
+    #   delegated administrator account can use this parameter. Other
+    #   accounts receive an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees statistics from all accounts across the entire
+    #   organization. Other accounts see only statistics for their own
+    #   resources.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #   @return [Types::ResourceScopes]
+    #
     # @!attribute [rw] sort_order
     #   Sorts aggregated statistics.
     #   @return [String]
@@ -26095,6 +26293,7 @@ module Aws::SecurityHub
     #
     class GetResourcesStatisticsV2Request < Struct.new(
       :group_by_rules,
+      :scopes,
       :sort_order,
       :max_statistic_results)
       SENSITIVE = []
@@ -26179,8 +26378,23 @@ module Aws::SecurityHub
     #   Filters resources based on a set of criteria.
     #   @return [Types::ResourcesFilters]
     #
+    # @!attribute [rw] scopes
+    #   Limits the results to resources from specific organizational units
+    #   or from the delegated administrator's organization. Only the
+    #   delegated administrator account can use this parameter. Other
+    #   accounts receive an `AccessDeniedException`.
+    #
+    #   This parameter is optional. If you omit it, the delegated
+    #   administrator sees resources from all accounts across the entire
+    #   organization. Other accounts see only their own resources.
+    #
+    #   You can specify up to 10 entries in `Scopes.AwsOrganizations`. If
+    #   multiple entries are specified, the entries are combined using OR
+    #   logic.
+    #   @return [Types::ResourceScopes]
+    #
     # @!attribute [rw] sort_criteria
-    #   The finding attributes used to sort the list of returned findings.
+    #   The resource attributes used to sort the list of returned resources.
     #   @return [Array<Types::SortCriterion>]
     #
     # @!attribute [rw] next_token
@@ -26198,6 +26412,7 @@ module Aws::SecurityHub
     #
     class GetResourcesV2Request < Struct.new(
       :filters,
+      :scopes,
       :sort_criteria,
       :next_token,
       :max_results)
@@ -26206,7 +26421,7 @@ module Aws::SecurityHub
     end
 
     # @!attribute [rw] resources
-    #   Filters resources based on a set of criteria.
+    #   An array of resources returned by the operation.
     #   @return [Array<Types::ResourceResult>]
     #
     # @!attribute [rw] next_token
@@ -28425,6 +28640,42 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # The request failed because one or more organizations specified in the
+    # request don't exist or don't belong to the caller's organization.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @!attribute [rw] code
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/OrganizationNotFoundException AWS API Documentation
+    #
+    class OrganizationNotFoundException < Struct.new(
+      :message,
+      :code)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The request failed because one or more organizational units specified
+    # in the request don't exist within the caller's organization.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @!attribute [rw] code
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/OrganizationalUnitNotFoundException AWS API Documentation
+    #
+    class OrganizationalUnitNotFoundException < Struct.new(
+      :message,
+      :code)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # An occurrence of sensitive data in an Adobe Portable Document Format
     # (PDF) file.
     #
@@ -28956,8 +29207,8 @@ module Aws::SecurityHub
     #   @return [String]
     #
     # @!attribute [rw] marketplace_product_id
-    #   The identifier for the AWS Marketplace product associated with this
-    #   integration.
+    #   The identifier for the Amazon Web Services Marketplace product
+    #   associated with this integration.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ProductV2 AWS API Documentation
@@ -29148,6 +29399,50 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # Contains information about the reason that the retrieval of a
+    # recommended policy for a finding failed.
+    #
+    # @!attribute [rw] code
+    #   The error code for a failed retrieval of a recommended policy for a
+    #   finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] message
+    #   The error message for a failed retrieval of a recommended policy for
+    #   a finding.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/RecommendationError AWS API Documentation
+    #
+    class RecommendationError < Struct.new(
+      :code,
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains information about a recommended step to remediate a Security
+    # Hub finding.
+    #
+    # @note RecommendationStep is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of RecommendationStep corresponding to the set member.
+    #
+    # @!attribute [rw] unused_permissions
+    #   A recommended step to remediate an unused permissions finding.
+    #   @return [Types::UnusedPermissionsRecommendationStep]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/RecommendationStep AWS API Documentation
+    #
+    class RecommendationStep < Struct.new(
+      :unused_permissions,
+      :unknown)
+      SENSITIVE = []
+      include Aws::Structure
+      include Aws::Structure::Union
+
+      class UnusedPermissions < RecommendationStep; end
+      class Unknown < RecommendationStep; end
+    end
+
     # An occurrence of sensitive data in an Apache Avro object container or
     # an Apache Parquet file.
     #
@@ -30081,6 +30376,24 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # Defines the data boundary for a resources query. Scopes determine
+    # which organizational units or organizations to retrieve data from.
+    #
+    # @!attribute [rw] aws_organizations
+    #   A list of Organizations scopes to include in the query results. Each
+    #   entry in the list specifies an organization or organizational unit
+    #   to include for the delegated administrator's account. If the list
+    #   specifies multiple entries, the entries are combined using OR logic.
+    #   @return [Array<Types::AwsOrganizationScope>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ResourceScopes AWS API Documentation
+    #
+    class ResourceScopes < Struct.new(
+      :aws_organizations)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # A comprehensive distribution of security findings by severity level
     # for Amazon Web Services resources.
     #
@@ -32561,10 +32874,11 @@ module Aws::SecurityHub
     #
     #   * `ResourceType NOT_EQUALS AwsEc2NetworkInterface`
     #
-    #   `CONTAINS` and `NOT_CONTAINS` operators can be used only with
-    #   automation rules V1. `CONTAINS_WORD` operator is only supported in
-    #   `GetFindingsV2`, `GetFindingStatisticsV2`, `GetResourcesV2`, and
-    #   `GetResourceStatisticsV2` APIs. For more information, see
+    #   The `CONTAINS` operator works with automation rules V1 and V2. The
+    #   `NOT_CONTAINS` operator works only with automation rules V1. The
+    #   `CONTAINS_WORD` operator works only in the `GetFindingsV2`,
+    #   `GetFindingStatisticsV2`, `GetResourcesV2`, and
+    #   `GetResourcesStatisticsV2` APIs. For more information, see
     #   [Automation rules][1] in the *Security Hub CSPM User Guide*.
     #
     #
@@ -33007,6 +33321,46 @@ module Aws::SecurityHub
     #
     class UntagResourceResponse < Aws::EmptyStructure; end
 
+    # Contains information about the action to take for a policy in an
+    # unused permissions finding.
+    #
+    # @!attribute [rw] recommended_action
+    #   A recommendation of whether to create or detach a policy for an
+    #   unused permissions finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] existing_policy
+    #   The contents of the existing policy identified by `ExistingPolicyId`
+    #   which needs to be replaced, when the `RecommendedAction` is
+    #   `CREATE_POLICY`.
+    #   @return [String]
+    #
+    # @!attribute [rw] existing_policy_id
+    #   The ID of an existing policy to be replaced or detached.
+    #   @return [String]
+    #
+    # @!attribute [rw] policy_updated_at
+    #   The time at which the existing policy for the unused permissions
+    #   finding was last updated.
+    #   @return [Time]
+    #
+    # @!attribute [rw] recommended_policy
+    #   The contents of the least-privileged recommended replacement for
+    #   `ExistingPolicyId`, when the `RecommendedAction` is `CREATE_POLICY`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/UnusedPermissionsRecommendationStep AWS API Documentation
+    #
+    class UnusedPermissionsRecommendationStep < Struct.new(
+      :recommended_action,
+      :existing_policy,
+      :existing_policy_id,
+      :policy_updated_at,
+      :recommended_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] action_target_arn
     #   The ARN of the custom action target to update.
     #   @return [String]

data/lib/aws-sdk-securityhub.rb

@@ -54,7 +54,7 @@ module Aws::SecurityHub
   autoload :EndpointProvider, 'aws-sdk-securityhub/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-securityhub/endpoints'
 
-  GEM_VERSION = '1.153.0'
+  GEM_VERSION = '1.155.0'
 
 end