aws-sdk-securityhub 1.96.0 → 1.98.0

data/lib/aws-sdk-securityhub/client.rb

@@ -930,6 +930,15 @@ module Aws::SecurityHub
     #   resp.rules[0].criteria.user_defined_fields[0].key #=> String
     #   resp.rules[0].criteria.user_defined_fields[0].value #=> String
     #   resp.rules[0].criteria.user_defined_fields[0].comparison #=> String, one of "EQUALS", "NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
+    #   resp.rules[0].criteria.resource_application_arn #=> Array
+    #   resp.rules[0].criteria.resource_application_arn[0].value #=> String
+    #   resp.rules[0].criteria.resource_application_arn[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
+    #   resp.rules[0].criteria.resource_application_name #=> Array
+    #   resp.rules[0].criteria.resource_application_name[0].value #=> String
+    #   resp.rules[0].criteria.resource_application_name[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
+    #   resp.rules[0].criteria.aws_account_name #=> Array
+    #   resp.rules[0].criteria.aws_account_name[0].value #=> String
+    #   resp.rules[0].criteria.aws_account_name[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
     #   resp.rules[0].actions #=> Array
     #   resp.rules[0].actions[0].type #=> String, one of "FINDING_FIELDS_UPDATE"
     #   resp.rules[0].actions[0].finding_fields_update.note.text #=> String
@@ -965,6 +974,108 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
+    # Returns associations between an Security Hub configuration and a batch
+    # of target accounts, organizational units, or the root. Only the
+    # Security Hub delegated administrator can invoke this operation from
+    # the home Region. A configuration can refer to a configuration policy
+    # or to a self-managed configuration.
+    #
+    # @option params [required, Array<Types::ConfigurationPolicyAssociation>] :configuration_policy_association_identifiers
+    #   Specifies one or more target account IDs, organizational unit (OU)
+    #   IDs, or the root ID to retrieve associations for.
+    #
+    # @return [Types::BatchGetConfigurationPolicyAssociationsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::BatchGetConfigurationPolicyAssociationsResponse#configuration_policy_associations #configuration_policy_associations} => Array&lt;Types::ConfigurationPolicyAssociationSummary&gt;
+    #   * {Types::BatchGetConfigurationPolicyAssociationsResponse#unprocessed_configuration_policy_associations #unprocessed_configuration_policy_associations} => Array&lt;Types::UnprocessedConfigurationPolicyAssociation&gt;
+    #
+    #
+    # @example Example: To get configuration associations for a batch of targets
+    #
+    #   # This operation provides details about configuration associations for a batch of target accounts, organizational units,
+    #   # or the root.
+    #
+    #   resp = client.batch_get_configuration_policy_associations({
+    #     configuration_policy_association_identifiers: [
+    #       {
+    #         target: {
+    #           account_id: "111122223333", 
+    #         }, 
+    #       }, 
+    #       {
+    #         target: {
+    #           root_id: "r-f6g7h8i9j0example", 
+    #         }, 
+    #       }, 
+    #     ], 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     configuration_policy_associations: [
+    #       {
+    #         association_status: "SUCCESS", 
+    #         association_status_message: "This field is only populated for a failed association", 
+    #         association_type: "INHERITED", 
+    #         configuration_policy_id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #         target_id: "111122223333", 
+    #         target_type: "ACCOUNT", 
+    #         updated_at: Time.parse("2023-01-11T06:17:17.154Z"), 
+    #       }, 
+    #     ], 
+    #     unprocessed_configuration_policy_associations: [
+    #       {
+    #         configuration_policy_association_identifiers: {
+    #           target: {
+    #             root_id: "r-f6g7h8i9j0example", 
+    #           }, 
+    #         }, 
+    #         error_code: "400", 
+    #         error_reason: "You do not have sufficient access to perform this action.", 
+    #       }, 
+    #     ], 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.batch_get_configuration_policy_associations({
+    #     configuration_policy_association_identifiers: [ # required
+    #       {
+    #         target: {
+    #           account_id: "NonEmptyString",
+    #           organizational_unit_id: "NonEmptyString",
+    #           root_id: "NonEmptyString",
+    #         },
+    #       },
+    #     ],
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.configuration_policy_associations #=> Array
+    #   resp.configuration_policy_associations[0].configuration_policy_id #=> String
+    #   resp.configuration_policy_associations[0].target_id #=> String
+    #   resp.configuration_policy_associations[0].target_type #=> String, one of "ACCOUNT", "ORGANIZATIONAL_UNIT"
+    #   resp.configuration_policy_associations[0].association_type #=> String, one of "INHERITED", "APPLIED"
+    #   resp.configuration_policy_associations[0].updated_at #=> Time
+    #   resp.configuration_policy_associations[0].association_status #=> String, one of "PENDING", "SUCCESS", "FAILED"
+    #   resp.configuration_policy_associations[0].association_status_message #=> String
+    #   resp.unprocessed_configuration_policy_associations #=> Array
+    #   resp.unprocessed_configuration_policy_associations[0].configuration_policy_association_identifiers.target.account_id #=> String
+    #   resp.unprocessed_configuration_policy_associations[0].configuration_policy_association_identifiers.target.organizational_unit_id #=> String
+    #   resp.unprocessed_configuration_policy_associations[0].configuration_policy_association_identifiers.target.root_id #=> String
+    #   resp.unprocessed_configuration_policy_associations[0].error_code #=> String
+    #   resp.unprocessed_configuration_policy_associations[0].error_reason #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/BatchGetConfigurationPolicyAssociations AWS API Documentation
+    #
+    # @overload batch_get_configuration_policy_associations(params = {})
+    # @param [Hash] params ({})
+    def batch_get_configuration_policy_associations(params = {}, options = {})
+      req = build_request(:batch_get_configuration_policy_associations, params)
+      req.send_request(options)
+    end
+
     # Provides details about a batch of security controls for the current
     # Amazon Web Services account and Amazon Web Services Region.
     #
@@ -1606,6 +1717,24 @@ module Aws::SecurityHub
     #               comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
     #             },
     #           ],
+    #           resource_application_arn: [
+    #             {
+    #               value: "NonEmptyString",
+    #               comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #             },
+    #           ],
+    #           resource_application_name: [
+    #             {
+    #               value: "NonEmptyString",
+    #               comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #             },
+    #           ],
+    #           aws_account_name: [
+    #             {
+    #               value: "NonEmptyString",
+    #               comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #             },
+    #           ],
     #         },
     #         actions: [
     #           {
@@ -2035,7 +2164,7 @@ module Aws::SecurityHub
     # Creates an automation rule based on input parameters.
     #
     # @option params [Hash<String,String>] :tags
-    #   User-defined tags that help you label the purpose of a rule.
+    #   User-defined tags associated with an automation rule.
     #
     # @option params [String] :rule_status
     #   Whether the rule is active after it is created. If this parameter is
@@ -2399,6 +2528,24 @@ module Aws::SecurityHub
     #           comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS
     #         },
     #       ],
+    #       resource_application_arn: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
+    #       resource_application_name: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
+    #       aws_account_name: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
     #     },
     #     actions: [ # required
     #       {
@@ -2447,6 +2594,200 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
+    # Creates a configuration policy with the defined configuration. Only
+    # the Security Hub delegated administrator can invoke this operation
+    # from the home Region.
+    #
+    # @option params [required, String] :name
+    #   The name of the configuration policy.
+    #
+    # @option params [String] :description
+    #   The description of the configuration policy.
+    #
+    # @option params [required, Types::Policy] :configuration_policy
+    #   An object that defines how Security Hub is configured. It includes
+    #   whether Security Hub is enabled or disabled, a list of enabled
+    #   security standards, a list of enabled or disabled security controls,
+    #   and a list of custom parameter values for specified controls. If you
+    #   provide a list of security controls that are enabled in the
+    #   configuration policy, Security Hub disables all other controls
+    #   (including newly released controls). If you provide a list of security
+    #   controls that are disabled in the configuration policy, Security Hub
+    #   enables all other controls (including newly released controls).
+    #
+    # @option params [Hash<String,String>] :tags
+    #   User-defined tags associated with a configuration policy. For more
+    #   information, see [Tagging Security Hub resources][1] in the *Security
+    #   Hub user guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/securityhub/latest/userguide/tagging-resources.html
+    #
+    # @return [Types::CreateConfigurationPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::CreateConfigurationPolicyResponse#arn #arn} => String
+    #   * {Types::CreateConfigurationPolicyResponse#id #id} => String
+    #   * {Types::CreateConfigurationPolicyResponse#name #name} => String
+    #   * {Types::CreateConfigurationPolicyResponse#description #description} => String
+    #   * {Types::CreateConfigurationPolicyResponse#updated_at #updated_at} => Time
+    #   * {Types::CreateConfigurationPolicyResponse#created_at #created_at} => Time
+    #   * {Types::CreateConfigurationPolicyResponse#configuration_policy #configuration_policy} => Types::Policy
+    #
+    #
+    # @example Example: To create a configuration policy
+    #
+    #   # This operation creates a configuration policy in Security Hub.
+    #
+    #   resp = client.create_configuration_policy({
+    #     configuration_policy: {
+    #       security_hub: {
+    #         enabled_standard_identifiers: [
+    #           "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", 
+    #           "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
+    #         ], 
+    #         security_controls_configuration: {
+    #           disabled_security_control_identifiers: [
+    #             "CloudWatch.1", 
+    #           ], 
+    #           security_control_custom_parameters: [
+    #             {
+    #               parameters: {
+    #                 "daysToExpiration" => {
+    #                   value: {
+    #                     integer: 14, 
+    #                   }, 
+    #                   value_type: "CUSTOM", 
+    #                 }, 
+    #               }, 
+    #               security_control_id: "ACM.1", 
+    #             }, 
+    #           ], 
+    #         }, 
+    #         service_enabled: true, 
+    #       }, 
+    #     }, 
+    #     description: "Configuration policy for testing FSBP and CIS", 
+    #     name: "TestConfigurationPolicy", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     arn: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #     configuration_policy: {
+    #       security_hub: {
+    #         enabled_standard_identifiers: [
+    #           "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", 
+    #           "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
+    #         ], 
+    #         security_controls_configuration: {
+    #           disabled_security_control_identifiers: [
+    #             "CloudWatch.1", 
+    #           ], 
+    #           security_control_custom_parameters: [
+    #             {
+    #               parameters: {
+    #                 "daysToExpiration" => {
+    #                   value: {
+    #                     integer: 14, 
+    #                   }, 
+    #                   value_type: "CUSTOM", 
+    #                 }, 
+    #               }, 
+    #               security_control_id: "ACM.1", 
+    #             }, 
+    #           ], 
+    #         }, 
+    #         service_enabled: true, 
+    #       }, 
+    #     }, 
+    #     created_at: Time.parse("2023-01-11T06:17:17.154Z"), 
+    #     description: "Configuration policy for testing FSBP and CIS", 
+    #     id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #     name: "TestConfigurationPolicy", 
+    #     updated_at: Time.parse("2023-01-11T06:17:17.154Z"), 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.create_configuration_policy({
+    #     name: "NonEmptyString", # required
+    #     description: "NonEmptyString",
+    #     configuration_policy: { # required
+    #       security_hub: {
+    #         service_enabled: false,
+    #         enabled_standard_identifiers: ["NonEmptyString"],
+    #         security_controls_configuration: {
+    #           enabled_security_control_identifiers: ["NonEmptyString"],
+    #           disabled_security_control_identifiers: ["NonEmptyString"],
+    #           security_control_custom_parameters: [
+    #             {
+    #               security_control_id: "NonEmptyString",
+    #               parameters: {
+    #                 "NonEmptyString" => {
+    #                   value_type: "DEFAULT", # required, accepts DEFAULT, CUSTOM
+    #                   value: {
+    #                     integer: 1,
+    #                     integer_list: [1],
+    #                     double: 1.0,
+    #                     string: "NonEmptyString",
+    #                     string_list: ["NonEmptyString"],
+    #                     boolean: false,
+    #                     enum: "NonEmptyString",
+    #                     enum_list: ["NonEmptyString"],
+    #                   },
+    #                 },
+    #               },
+    #             },
+    #           ],
+    #         },
+    #       },
+    #     },
+    #     tags: {
+    #       "TagKey" => "TagValue",
+    #     },
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.arn #=> String
+    #   resp.id #=> String
+    #   resp.name #=> String
+    #   resp.description #=> String
+    #   resp.updated_at #=> Time
+    #   resp.created_at #=> Time
+    #   resp.configuration_policy.security_hub.service_enabled #=> Boolean
+    #   resp.configuration_policy.security_hub.enabled_standard_identifiers #=> Array
+    #   resp.configuration_policy.security_hub.enabled_standard_identifiers[0] #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers[0] #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers[0] #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].security_control_id #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters #=> Hash
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value_type #=> String, one of "DEFAULT", "CUSTOM"
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer #=> Integer
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list[0] #=> Integer
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.double #=> Float
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list[0] #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.boolean #=> Boolean
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list[0] #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/CreateConfigurationPolicy AWS API Documentation
+    #
+    # @overload create_configuration_policy(params = {})
+    # @param [Hash] params ({})
+    def create_configuration_policy(params = {}, options = {})
+      req = build_request(:create_configuration_policy, params)
+      req.send_request(options)
+    end
+
     # Used to enable finding aggregation. Must be called from the
     # aggregation Region.
     #
@@ -3283,6 +3624,24 @@ module Aws::SecurityHub
     #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
     #         },
     #       ],
+    #       aws_account_name: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
+    #       resource_application_name: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
+    #       resource_application_arn: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
     #     },
     #     group_by_attribute: "NonEmptyString", # required
     #   })
@@ -3511,6 +3870,42 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
+    # Deletes a configuration policy. Only the Security Hub delegated
+    # administrator can invoke this operation from the home Region. For the
+    # deletion to succeed, you must first disassociate a configuration
+    # policy from target accounts, organizational units, or the root by
+    # invoking the `StartConfigurationPolicyDisassociation` operation.
+    #
+    # @option params [required, String] :identifier
+    #   The Amazon Resource Name (ARN) or universally unique identifier (UUID)
+    #   of the configuration policy.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    #
+    # @example Example: To delete a configuration policy
+    #
+    #   # This operation deletes the specified configuration policy.
+    #
+    #   resp = client.delete_configuration_policy({
+    #     identifier: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #   })
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.delete_configuration_policy({
+    #     identifier: "NonEmptyString", # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/DeleteConfigurationPolicy AWS API Documentation
+    #
+    # @overload delete_configuration_policy(params = {})
+    # @param [Hash] params ({})
+    def delete_configuration_policy(params = {}, options = {})
+      req = build_request(:delete_configuration_policy, params)
+      req.send_request(options)
+    end
+
     # Deletes a finding aggregator. When you delete the finding aggregator,
     # you stop finding aggregation.
     #
@@ -3830,29 +4225,35 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
-    # Returns information about the Organizations configuration for Security
-    # Hub. Can only be called from a Security Hub administrator account.
+    # Returns information about the way your organization is configured in
+    # Security Hub. Only the Security Hub administrator account can invoke
+    # this operation.
     #
     # @return [Types::DescribeOrganizationConfigurationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::DescribeOrganizationConfigurationResponse#auto_enable #auto_enable} => Boolean
     #   * {Types::DescribeOrganizationConfigurationResponse#member_account_limit_reached #member_account_limit_reached} => Boolean
     #   * {Types::DescribeOrganizationConfigurationResponse#auto_enable_standards #auto_enable_standards} => String
+    #   * {Types::DescribeOrganizationConfigurationResponse#organization_configuration #organization_configuration} => Types::OrganizationConfiguration
     #
     #
-    # @example Example: To get information about Organizations configuration
+    # @example Example: To get information about organization configuration
     #
-    #   # The following example returns details about the way in which AWS Organizations is configured for a Security Hub account
-    #   # that belongs to an organization. Only a Security Hub administrator account can call this operation.
+    #   # This operation provides information about the way your organization is configured in Security Hub. Only a Security Hub
+    #   # administrator account can invoke this operation.
     #
     #   resp = client.describe_organization_configuration({
     #   })
     #
     #   resp.to_h outputs the following:
     #   {
-    #     auto_enable: true, 
-    #     auto_enable_standards: "DEFAULT", 
-    #     member_account_limit_reached: true, 
+    #     auto_enable: false, 
+    #     auto_enable_standards: "NONE", 
+    #     member_account_limit_reached: false, 
+    #     organization_configuration: {
+    #       configuration_type: "CENTRAL", 
+    #       status: "ENABLED", 
+    #     }, 
     #   }
     #
     # @example Response structure
@@ -3860,6 +4261,9 @@ module Aws::SecurityHub
     #   resp.auto_enable #=> Boolean
     #   resp.member_account_limit_reached #=> Boolean
     #   resp.auto_enable_standards #=> String, one of "NONE", "DEFAULT"
+    #   resp.organization_configuration.configuration_type #=> String, one of "CENTRAL", "LOCAL"
+    #   resp.organization_configuration.status #=> String, one of "PENDING", "ENABLED", "FAILED"
+    #   resp.organization_configuration.status_message #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/DescribeOrganizationConfiguration AWS API Documentation
     #
@@ -4583,6 +4987,188 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
+    # Provides information about a configuration policy. Only the Security
+    # Hub delegated administrator can invoke this operation from the home
+    # Region.
+    #
+    # @option params [required, String] :identifier
+    #   The Amazon Resource Name (ARN) or universally unique identifier (UUID)
+    #   of the configuration policy.
+    #
+    # @return [Types::GetConfigurationPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetConfigurationPolicyResponse#arn #arn} => String
+    #   * {Types::GetConfigurationPolicyResponse#id #id} => String
+    #   * {Types::GetConfigurationPolicyResponse#name #name} => String
+    #   * {Types::GetConfigurationPolicyResponse#description #description} => String
+    #   * {Types::GetConfigurationPolicyResponse#updated_at #updated_at} => Time
+    #   * {Types::GetConfigurationPolicyResponse#created_at #created_at} => Time
+    #   * {Types::GetConfigurationPolicyResponse#configuration_policy #configuration_policy} => Types::Policy
+    #
+    #
+    # @example Example: To get details about a configuration policy
+    #
+    #   # This operation provides details about the specified configuration policy.
+    #
+    #   resp = client.get_configuration_policy({
+    #     identifier: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     arn: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #     configuration_policy: {
+    #       security_hub: {
+    #         enabled_standard_identifiers: [
+    #           "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", 
+    #           "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
+    #         ], 
+    #         security_controls_configuration: {
+    #           disabled_security_control_identifiers: [
+    #             "CloudWatch.1", 
+    #           ], 
+    #           security_control_custom_parameters: [
+    #             {
+    #               parameters: {
+    #                 "daysToExpiration" => {
+    #                   value: {
+    #                     integer: 14, 
+    #                   }, 
+    #                   value_type: "CUSTOM", 
+    #                 }, 
+    #               }, 
+    #               security_control_id: "ACM.1", 
+    #             }, 
+    #           ], 
+    #         }, 
+    #         service_enabled: true, 
+    #       }, 
+    #     }, 
+    #     created_at: Time.parse("2023-01-11T06:17:17.154Z"), 
+    #     description: "Configuration policy for testing FSBP and CIS", 
+    #     id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #     name: "TestConfigurationPolicy", 
+    #     updated_at: Time.parse("2023-01-11T06:17:17.154Z"), 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_configuration_policy({
+    #     identifier: "NonEmptyString", # required
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.arn #=> String
+    #   resp.id #=> String
+    #   resp.name #=> String
+    #   resp.description #=> String
+    #   resp.updated_at #=> Time
+    #   resp.created_at #=> Time
+    #   resp.configuration_policy.security_hub.service_enabled #=> Boolean
+    #   resp.configuration_policy.security_hub.enabled_standard_identifiers #=> Array
+    #   resp.configuration_policy.security_hub.enabled_standard_identifiers[0] #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers[0] #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers[0] #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].security_control_id #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters #=> Hash
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value_type #=> String, one of "DEFAULT", "CUSTOM"
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer #=> Integer
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list[0] #=> Integer
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.double #=> Float
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list[0] #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.boolean #=> Boolean
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list[0] #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetConfigurationPolicy AWS API Documentation
+    #
+    # @overload get_configuration_policy(params = {})
+    # @param [Hash] params ({})
+    def get_configuration_policy(params = {}, options = {})
+      req = build_request(:get_configuration_policy, params)
+      req.send_request(options)
+    end
+
+    # Returns the association between a configuration and a target account,
+    # organizational unit, or the root. The configuration can be a
+    # configuration policy or self-managed behavior. Only the Security Hub
+    # delegated administrator can invoke this operation from the home
+    # Region.
+    #
+    # @option params [required, Types::Target] :target
+    #   The target account ID, organizational unit ID, or the root ID to
+    #   retrieve the association for.
+    #
+    # @return [Types::GetConfigurationPolicyAssociationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetConfigurationPolicyAssociationResponse#configuration_policy_id #configuration_policy_id} => String
+    #   * {Types::GetConfigurationPolicyAssociationResponse#target_id #target_id} => String
+    #   * {Types::GetConfigurationPolicyAssociationResponse#target_type #target_type} => String
+    #   * {Types::GetConfigurationPolicyAssociationResponse#association_type #association_type} => String
+    #   * {Types::GetConfigurationPolicyAssociationResponse#updated_at #updated_at} => Time
+    #   * {Types::GetConfigurationPolicyAssociationResponse#association_status #association_status} => String
+    #   * {Types::GetConfigurationPolicyAssociationResponse#association_status_message #association_status_message} => String
+    #
+    #
+    # @example Example: To get details about a configuration association
+    #
+    #   # This operation provides details about configuration associations for a specific target account, organizational unit, or
+    #   # the root.
+    #
+    #   resp = client.get_configuration_policy_association({
+    #     target: {
+    #       account_id: "111122223333", 
+    #     }, 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     association_status: "FAILED", 
+    #     association_status_message: "Configuration Policy a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 couldn\u2019t be applied to account 111122223333 in us-east-1 Region. Retry your request.", 
+    #     association_type: "INHERITED", 
+    #     configuration_policy_id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #     target_id: "111122223333", 
+    #     target_type: "ACCOUNT", 
+    #     updated_at: Time.parse("2023-01-11T06:17:17.154Z"), 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_configuration_policy_association({
+    #     target: { # required
+    #       account_id: "NonEmptyString",
+    #       organizational_unit_id: "NonEmptyString",
+    #       root_id: "NonEmptyString",
+    #     },
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.configuration_policy_id #=> String
+    #   resp.target_id #=> String
+    #   resp.target_type #=> String, one of "ACCOUNT", "ORGANIZATIONAL_UNIT"
+    #   resp.association_type #=> String, one of "INHERITED", "APPLIED"
+    #   resp.updated_at #=> Time
+    #   resp.association_status #=> String, one of "PENDING", "SUCCESS", "FAILED"
+    #   resp.association_status_message #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetConfigurationPolicyAssociation AWS API Documentation
+    #
+    # @overload get_configuration_policy_association(params = {})
+    # @param [Hash] params ({})
+    def get_configuration_policy_association(params = {}, options = {})
+      req = build_request(:get_configuration_policy_association, params)
+      req.send_request(options)
+    end
+
     # Returns a list of the standards that are currently enabled.
     #
     # @option params [Array<String>] :standards_subscription_arns
@@ -5695,6 +6281,24 @@ module Aws::SecurityHub
     #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
     #         },
     #       ],
+    #       aws_account_name: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
+    #       resource_application_name: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
+    #       resource_application_arn: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
     #     },
     #     sort_criteria: [
     #       {
@@ -6200,6 +6804,15 @@ module Aws::SecurityHub
     #   resp.insights[0].filters.compliance_security_control_parameters_value #=> Array
     #   resp.insights[0].filters.compliance_security_control_parameters_value[0].value #=> String
     #   resp.insights[0].filters.compliance_security_control_parameters_value[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
+    #   resp.insights[0].filters.aws_account_name #=> Array
+    #   resp.insights[0].filters.aws_account_name[0].value #=> String
+    #   resp.insights[0].filters.aws_account_name[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
+    #   resp.insights[0].filters.resource_application_name #=> Array
+    #   resp.insights[0].filters.resource_application_name[0].value #=> String
+    #   resp.insights[0].filters.resource_application_name[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
+    #   resp.insights[0].filters.resource_application_arn #=> Array
+    #   resp.insights[0].filters.resource_application_arn[0].value #=> String
+    #   resp.insights[0].filters.resource_application_arn[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"
     #   resp.insights[0].group_by_attribute #=> String
     #   resp.next_token #=> String
     #
@@ -6617,6 +7230,185 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
+    # Lists the configuration policies that the Security Hub delegated
+    # administrator has created for your organization. Only the delegated
+    # administrator can invoke this operation from the home Region.
+    #
+    # @option params [String] :next_token
+    #   The NextToken value that's returned from a previous paginated
+    #   `ListConfigurationPolicies` request where `MaxResults` was used but
+    #   the results exceeded the value of that parameter. Pagination continues
+    #   from the `MaxResults` was used but the results exceeded the value of
+    #   that parameter. Pagination continues from the end of the previous
+    #   response that returned the `NextToken` value. This value is `null`
+    #   when there are no more results to return.
+    #
+    # @option params [Integer] :max_results
+    #   The maximum number of results that's returned by
+    #   `ListConfigurationPolicies` in each page of the response. When this
+    #   parameter is used, `ListConfigurationPolicies` returns the specified
+    #   number of results in a single page and a `NextToken` response element.
+    #   You can see the remaining results of the initial request by sending
+    #   another `ListConfigurationPolicies` request with the returned
+    #   `NextToken` value. A valid range for `MaxResults` is between 1 and
+    #   100.
+    #
+    # @return [Types::ListConfigurationPoliciesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListConfigurationPoliciesResponse#configuration_policy_summaries #configuration_policy_summaries} => Array&lt;Types::ConfigurationPolicySummary&gt;
+    #   * {Types::ListConfigurationPoliciesResponse#next_token #next_token} => String
+    #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
+    #
+    # @example Example: To view a list of configuration policies
+    #
+    #   # This operation provides a list of your configuration policies, including metadata for each policy.
+    #
+    #   resp = client.list_configuration_policies({
+    #     max_results: 1, 
+    #     next_token: "U1FsdGVkX19nBV2zoh+Gou9NgnulLJHWpn9xnG4hqSOhvw3o2JqjI86QDxdf", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     configuration_policy_summaries: [
+    #       {
+    #         arn: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #         description: "Configuration policy for testing FSBP and CIS", 
+    #         id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #         name: "TestConfigurationPolicy", 
+    #         service_enabled: true, 
+    #         updated_at: Time.parse("2023-01-11T06:17:17.154Z"), 
+    #       }, 
+    #     ], 
+    #     next_token: "U1FsdGVkX19nBV2zoh+Gou9NgnulLJHWpn9xnG4hqSOfvw3o2JqjI86QDxef", 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_configuration_policies({
+    #     next_token: "NextToken",
+    #     max_results: 1,
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.configuration_policy_summaries #=> Array
+    #   resp.configuration_policy_summaries[0].arn #=> String
+    #   resp.configuration_policy_summaries[0].id #=> String
+    #   resp.configuration_policy_summaries[0].name #=> String
+    #   resp.configuration_policy_summaries[0].description #=> String
+    #   resp.configuration_policy_summaries[0].updated_at #=> Time
+    #   resp.configuration_policy_summaries[0].service_enabled #=> Boolean
+    #   resp.next_token #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ListConfigurationPolicies AWS API Documentation
+    #
+    # @overload list_configuration_policies(params = {})
+    # @param [Hash] params ({})
+    def list_configuration_policies(params = {}, options = {})
+      req = build_request(:list_configuration_policies, params)
+      req.send_request(options)
+    end
+
+    # Provides information about the associations for your configuration
+    # policies and self-managed behavior. Only the Security Hub delegated
+    # administrator can invoke this operation from the home Region.
+    #
+    # @option params [String] :next_token
+    #   The `NextToken` value that's returned from a previous paginated
+    #   `ListConfigurationPolicyAssociations` request where `MaxResults` was
+    #   used but the results exceeded the value of that parameter. Pagination
+    #   continues from the end of the previous response that returned the
+    #   `NextToken` value. This value is `null` when there are no more results
+    #   to return.
+    #
+    # @option params [Integer] :max_results
+    #   The maximum number of results that's returned by
+    #   `ListConfigurationPolicies` in each page of the response. When this
+    #   parameter is used, `ListConfigurationPolicyAssociations` returns the
+    #   specified number of results in a single page and a `NextToken`
+    #   response element. You can see the remaining results of the initial
+    #   request by sending another `ListConfigurationPolicyAssociations`
+    #   request with the returned `NextToken` value. A valid range for
+    #   `MaxResults` is between 1 and 100.
+    #
+    # @option params [Types::AssociationFilters] :filters
+    #   Options for filtering the `ListConfigurationPolicyAssociations`
+    #   response. You can filter by the Amazon Resource Name (ARN) or
+    #   universally unique identifier (UUID) of a configuration,
+    #   `AssociationType`, or `AssociationStatus`.
+    #
+    # @return [Types::ListConfigurationPolicyAssociationsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::ListConfigurationPolicyAssociationsResponse#configuration_policy_association_summaries #configuration_policy_association_summaries} => Array&lt;Types::ConfigurationPolicyAssociationSummary&gt;
+    #   * {Types::ListConfigurationPolicyAssociationsResponse#next_token #next_token} => String
+    #
+    # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}.
+    #
+    #
+    # @example Example: To list configuration associations
+    #
+    #   # This operation lists all of the associations between targets and configuration policies or self-managed behavior.
+    #   # Targets can include accounts, organizational units, or the root.
+    #
+    #   resp = client.list_configuration_policy_associations({
+    #     filters: {
+    #       association_type: "APPLIED", 
+    #     }, 
+    #     max_results: 1, 
+    #     next_token: "U1FsdGVkX19nBV2zoh+Gou9NgnulLJHWpn9xnG4hqSOhvw3o2JqjI86QDxdf", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     configuration_policy_association_summaries: [
+    #       {
+    #         association_status: "PENDING", 
+    #         association_type: "APPLIED", 
+    #         configuration_policy_id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #         target_id: "123456789012", 
+    #         target_type: "ACCOUNT", 
+    #         updated_at: Time.parse("2023-01-11T06:17:17.154Z"), 
+    #       }, 
+    #     ], 
+    #     next_token: "U1FsdGVkX19nBV2zoh+Gou9NgnulLJHWpn9xnG4hqSOfvw3o2JqjI86QDxef", 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.list_configuration_policy_associations({
+    #     next_token: "NextToken",
+    #     max_results: 1,
+    #     filters: {
+    #       configuration_policy_id: "NonEmptyString",
+    #       association_type: "INHERITED", # accepts INHERITED, APPLIED
+    #       association_status: "PENDING", # accepts PENDING, SUCCESS, FAILED
+    #     },
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.configuration_policy_association_summaries #=> Array
+    #   resp.configuration_policy_association_summaries[0].configuration_policy_id #=> String
+    #   resp.configuration_policy_association_summaries[0].target_id #=> String
+    #   resp.configuration_policy_association_summaries[0].target_type #=> String, one of "ACCOUNT", "ORGANIZATIONAL_UNIT"
+    #   resp.configuration_policy_association_summaries[0].association_type #=> String, one of "INHERITED", "APPLIED"
+    #   resp.configuration_policy_association_summaries[0].updated_at #=> Time
+    #   resp.configuration_policy_association_summaries[0].association_status #=> String, one of "PENDING", "SUCCESS", "FAILED"
+    #   resp.configuration_policy_association_summaries[0].association_status_message #=> String
+    #   resp.next_token #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ListConfigurationPolicyAssociations AWS API Documentation
+    #
+    # @overload list_configuration_policy_associations(params = {})
+    # @param [Hash] params ({})
+    def list_configuration_policy_associations(params = {}, options = {})
+      req = build_request(:list_configuration_policy_associations, params)
+      req.send_request(options)
+    end
+
     # Lists all findings-generating solutions (products) that you are
     # subscribed to receive findings from in Security Hub.
     #
@@ -7251,6 +8043,136 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
+    # Associates a target account, organizational unit, or the root with a
+    # specified configuration. The target can be associated with a
+    # configuration policy or self-managed behavior. Only the Security Hub
+    # delegated administrator can invoke this operation from the home
+    # Region.
+    #
+    # @option params [required, String] :configuration_policy_identifier
+    #   The Amazon Resource Name (ARN) or universally unique identifier (UUID)
+    #   of the configuration policy.
+    #
+    # @option params [required, Types::Target] :target
+    #   The identifier of the target account, organizational unit, or the root
+    #   to associate with the specified configuration.
+    #
+    # @return [Types::StartConfigurationPolicyAssociationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::StartConfigurationPolicyAssociationResponse#configuration_policy_id #configuration_policy_id} => String
+    #   * {Types::StartConfigurationPolicyAssociationResponse#target_id #target_id} => String
+    #   * {Types::StartConfigurationPolicyAssociationResponse#target_type #target_type} => String
+    #   * {Types::StartConfigurationPolicyAssociationResponse#association_type #association_type} => String
+    #   * {Types::StartConfigurationPolicyAssociationResponse#updated_at #updated_at} => Time
+    #   * {Types::StartConfigurationPolicyAssociationResponse#association_status #association_status} => String
+    #   * {Types::StartConfigurationPolicyAssociationResponse#association_status_message #association_status_message} => String
+    #
+    #
+    # @example Example: To associate a configuration with a target
+    #
+    #   # This operation associates a configuration policy or self-managed behavior with the target account, organizational unit,
+    #   # or the root.
+    #
+    #   resp = client.start_configuration_policy_association({
+    #     configuration_policy_identifier: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #     target: {
+    #       account_id: "111122223333", 
+    #     }, 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     association_status: "SUCCESS", 
+    #     association_status_message: "This field is populated only if the association fails", 
+    #     association_type: "APPLIED", 
+    #     configuration_policy_id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #     target_id: "111122223333", 
+    #     target_type: "ACCOUNT", 
+    #     updated_at: Time.parse("2023-01-11T06:17:17.154Z"), 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.start_configuration_policy_association({
+    #     configuration_policy_identifier: "NonEmptyString", # required
+    #     target: { # required
+    #       account_id: "NonEmptyString",
+    #       organizational_unit_id: "NonEmptyString",
+    #       root_id: "NonEmptyString",
+    #     },
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.configuration_policy_id #=> String
+    #   resp.target_id #=> String
+    #   resp.target_type #=> String, one of "ACCOUNT", "ORGANIZATIONAL_UNIT"
+    #   resp.association_type #=> String, one of "INHERITED", "APPLIED"
+    #   resp.updated_at #=> Time
+    #   resp.association_status #=> String, one of "PENDING", "SUCCESS", "FAILED"
+    #   resp.association_status_message #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/StartConfigurationPolicyAssociation AWS API Documentation
+    #
+    # @overload start_configuration_policy_association(params = {})
+    # @param [Hash] params ({})
+    def start_configuration_policy_association(params = {}, options = {})
+      req = build_request(:start_configuration_policy_association, params)
+      req.send_request(options)
+    end
+
+    # Disassociates a target account, organizational unit, or the root from
+    # a specified configuration. When you disassociate a configuration from
+    # its target, the target inherits the configuration of the closest
+    # parent. If there’s no configuration to inherit, the target retains its
+    # settings but becomes a self-managed account. A target can be
+    # disassociated from a configuration policy or self-managed behavior.
+    # Only the Security Hub delegated administrator can invoke this
+    # operation from the home Region.
+    #
+    # @option params [Types::Target] :target
+    #   The identifier of the target account, organizational unit, or the root
+    #   to disassociate from the specified configuration.
+    #
+    # @option params [required, String] :configuration_policy_identifier
+    #   The Amazon Resource Name (ARN) or universally unique identifier (UUID)
+    #   of the configuration policy.
+    #
+    # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
+    #
+    #
+    # @example Example: To disassociate a configuration from a target
+    #
+    #   # This operation disassociates a configuration policy or self-managed behavior from the target account, organizational
+    #   # unit, or the root.
+    #
+    #   resp = client.start_configuration_policy_disassociation({
+    #     configuration_policy_identifier: "SELF_MANAGED_SECURITY_HUB", 
+    #     target: {
+    #       root_id: "r-f6g7h8i9j0example", 
+    #     }, 
+    #   })
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.start_configuration_policy_disassociation({
+    #     target: {
+    #       account_id: "NonEmptyString",
+    #       organizational_unit_id: "NonEmptyString",
+    #       root_id: "NonEmptyString",
+    #     },
+    #     configuration_policy_identifier: "NonEmptyString", # required
+    #   })
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/StartConfigurationPolicyDisassociation AWS API Documentation
+    #
+    # @overload start_configuration_policy_disassociation(params = {})
+    # @param [Hash] params ({})
+    def start_configuration_policy_disassociation(params = {}, options = {})
+      req = build_request(:start_configuration_policy_disassociation, params)
+      req.send_request(options)
+    end
+
     # Adds one or more tags to a resource.
     #
     # @option params [required, String] :resource_arn
@@ -7376,6 +8298,205 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
+    # Updates a configuration policy. Only the Security Hub delegated
+    # administrator can invoke this operation from the home Region.
+    #
+    # @option params [required, String] :identifier
+    #   The Amazon Resource Name (ARN) or universally unique identifier (UUID)
+    #   of the configuration policy.
+    #
+    # @option params [String] :name
+    #   The name of the configuration policy.
+    #
+    # @option params [String] :description
+    #   The description of the configuration policy.
+    #
+    # @option params [String] :updated_reason
+    #   The reason for updating the configuration policy.
+    #
+    # @option params [Types::Policy] :configuration_policy
+    #   An object that defines how Security Hub is configured. It includes
+    #   whether Security Hub is enabled or disabled, a list of enabled
+    #   security standards, a list of enabled or disabled security controls,
+    #   and a list of custom parameter values for specified controls. If you
+    #   provide a list of security controls that are enabled in the
+    #   configuration policy, Security Hub disables all other controls
+    #   (including newly released controls). If you provide a list of security
+    #   controls that are disabled in the configuration policy, Security Hub
+    #   enables all other controls (including newly released controls).
+    #
+    #   When updating a configuration policy, provide a complete list of
+    #   standards that you want to enable and a complete list of controls that
+    #   you want to enable or disable. The updated configuration replaces the
+    #   current configuration.
+    #
+    # @return [Types::UpdateConfigurationPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::UpdateConfigurationPolicyResponse#arn #arn} => String
+    #   * {Types::UpdateConfigurationPolicyResponse#id #id} => String
+    #   * {Types::UpdateConfigurationPolicyResponse#name #name} => String
+    #   * {Types::UpdateConfigurationPolicyResponse#description #description} => String
+    #   * {Types::UpdateConfigurationPolicyResponse#updated_at #updated_at} => Time
+    #   * {Types::UpdateConfigurationPolicyResponse#created_at #created_at} => Time
+    #   * {Types::UpdateConfigurationPolicyResponse#configuration_policy #configuration_policy} => Types::Policy
+    #
+    #
+    # @example Example: To update a configuration policy
+    #
+    #   # This operation updates the specified configuration policy.
+    #
+    #   resp = client.update_configuration_policy({
+    #     configuration_policy: {
+    #       security_hub: {
+    #         enabled_standard_identifiers: [
+    #           "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", 
+    #           "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
+    #         ], 
+    #         security_controls_configuration: {
+    #           disabled_security_control_identifiers: [
+    #             "CloudWatch.1", 
+    #             "CloudWatch.2", 
+    #           ], 
+    #           security_control_custom_parameters: [
+    #             {
+    #               parameters: {
+    #                 "daysToExpiration" => {
+    #                   value: {
+    #                     integer: 21, 
+    #                   }, 
+    #                   value_type: "CUSTOM", 
+    #                 }, 
+    #               }, 
+    #               security_control_id: "ACM.1", 
+    #             }, 
+    #           ], 
+    #         }, 
+    #         service_enabled: true, 
+    #       }, 
+    #     }, 
+    #     description: "Updated configuration policy for testing FSBP and CIS", 
+    #     identifier: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #     name: "TestConfigurationPolicy", 
+    #     updated_reason: "Enabling ACM.2", 
+    #   })
+    #
+    #   resp.to_h outputs the following:
+    #   {
+    #     arn: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #     configuration_policy: {
+    #       security_hub: {
+    #         enabled_standard_identifiers: [
+    #           "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", 
+    #           "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", 
+    #         ], 
+    #         security_controls_configuration: {
+    #           disabled_security_control_identifiers: [
+    #             "CloudWatch.1", 
+    #             "CloudWatch.2", 
+    #           ], 
+    #           security_control_custom_parameters: [
+    #             {
+    #               parameters: {
+    #                 "daysToExpiration" => {
+    #                   value: {
+    #                     integer: 21, 
+    #                   }, 
+    #                   value_type: "CUSTOM", 
+    #                 }, 
+    #               }, 
+    #               security_control_id: "ACM.1", 
+    #             }, 
+    #           ], 
+    #         }, 
+    #         service_enabled: true, 
+    #       }, 
+    #     }, 
+    #     created_at: Time.parse("2023-01-11T06:17:17.154Z"), 
+    #     description: "Updated configuration policy for testing FSBP and CIS", 
+    #     id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", 
+    #     name: "TestConfigurationPolicy", 
+    #     updated_at: Time.parse("2023-01-12T06:17:17.154Z"), 
+    #   }
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.update_configuration_policy({
+    #     identifier: "NonEmptyString", # required
+    #     name: "NonEmptyString",
+    #     description: "NonEmptyString",
+    #     updated_reason: "NonEmptyString",
+    #     configuration_policy: {
+    #       security_hub: {
+    #         service_enabled: false,
+    #         enabled_standard_identifiers: ["NonEmptyString"],
+    #         security_controls_configuration: {
+    #           enabled_security_control_identifiers: ["NonEmptyString"],
+    #           disabled_security_control_identifiers: ["NonEmptyString"],
+    #           security_control_custom_parameters: [
+    #             {
+    #               security_control_id: "NonEmptyString",
+    #               parameters: {
+    #                 "NonEmptyString" => {
+    #                   value_type: "DEFAULT", # required, accepts DEFAULT, CUSTOM
+    #                   value: {
+    #                     integer: 1,
+    #                     integer_list: [1],
+    #                     double: 1.0,
+    #                     string: "NonEmptyString",
+    #                     string_list: ["NonEmptyString"],
+    #                     boolean: false,
+    #                     enum: "NonEmptyString",
+    #                     enum_list: ["NonEmptyString"],
+    #                   },
+    #                 },
+    #               },
+    #             },
+    #           ],
+    #         },
+    #       },
+    #     },
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.arn #=> String
+    #   resp.id #=> String
+    #   resp.name #=> String
+    #   resp.description #=> String
+    #   resp.updated_at #=> Time
+    #   resp.created_at #=> Time
+    #   resp.configuration_policy.security_hub.service_enabled #=> Boolean
+    #   resp.configuration_policy.security_hub.enabled_standard_identifiers #=> Array
+    #   resp.configuration_policy.security_hub.enabled_standard_identifiers[0] #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers[0] #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers[0] #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].security_control_id #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters #=> Hash
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value_type #=> String, one of "DEFAULT", "CUSTOM"
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer #=> Integer
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list[0] #=> Integer
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.double #=> Float
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list[0] #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.boolean #=> Boolean
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum #=> String
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list #=> Array
+    #   resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list[0] #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/UpdateConfigurationPolicy AWS API Documentation
+    #
+    # @overload update_configuration_policy(params = {})
+    # @param [Hash] params ({})
+    def update_configuration_policy(params = {}, options = {})
+      req = build_request(:update_configuration_policy, params)
+      req.send_request(options)
+    end
+
     # Updates the finding aggregation configuration. Used to update the
     # Region linking mode and the list of included or excluded Regions. You
     # cannot use `UpdateFindingAggregator` to change the aggregation Region.
@@ -8180,6 +9301,24 @@ module Aws::SecurityHub
     #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
     #         },
     #       ],
+    #       aws_account_name: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
+    #       resource_application_name: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
+    #       resource_application_arn: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
     #     },
     #     note: {
     #       text: "NonEmptyString", # required
@@ -8920,6 +10059,24 @@ module Aws::SecurityHub
     #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
     #         },
     #       ],
+    #       aws_account_name: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
+    #       resource_application_name: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
+    #       resource_application_arn: [
+    #         {
+    #           value: "NonEmptyString",
+    #           comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS
+    #         },
+    #       ],
     #     },
     #     group_by_attribute: "NonEmptyString",
     #   })
@@ -8933,44 +10090,63 @@ module Aws::SecurityHub
       req.send_request(options)
     end
 
-    # Used to update the configuration related to Organizations. Can only be
-    # called from a Security Hub administrator account.
+    # Updates the configuration of your organization in Security Hub. Only
+    # the Security Hub administrator account can invoke this operation.
     #
     # @option params [required, Boolean] :auto_enable
-    #   Whether to automatically enable Security Hub for new accounts in the
-    #   organization.
+    #   Whether to automatically enable Security Hub in new member accounts
+    #   when they join the organization.
     #
-    #   By default, this is `false`, and new accounts are not added
-    #   automatically.
+    #   If set to `true`, then Security Hub is automatically enabled in new
+    #   accounts. If set to `false`, then Security Hub isn't enabled in new
+    #   accounts automatically. The default value is `false`.
     #
-    #   To automatically enable Security Hub for new accounts, set this to
-    #   `true`.
+    #   If the `ConfigurationType` of your organization is set to `CENTRAL`,
+    #   then this field is set to `false` and can't be changed in the home
+    #   Region and linked Regions. However, in that case, the delegated
+    #   administrator can create a configuration policy in which Security Hub
+    #   is enabled and associate the policy with new organization accounts.
     #
     # @option params [String] :auto_enable_standards
-    #   Whether to automatically enable Security Hub [default standards][1]
-    #   for new member accounts in the organization.
+    #   Whether to automatically enable Security Hub [default standards][1] in
+    #   new member accounts when they join the organization.
     #
-    #   By default, this parameter is equal to `DEFAULT`, and new member
-    #   accounts are automatically enabled with default Security Hub
-    #   standards.
+    #   The default value of this parameter is equal to `DEFAULT`.
+    #
+    #   If equal to `DEFAULT`, then Security Hub default standards are
+    #   automatically enabled for new member accounts. If equal to `NONE`,
+    #   then default standards are not automatically enabled for new member
+    #   accounts.
     #
-    #   To opt out of enabling default standards for new member accounts, set
-    #   this parameter equal to `NONE`.
+    #   If the `ConfigurationType` of your organization is set to `CENTRAL`,
+    #   then this field is set to `NONE` and can't be changed in the home
+    #   Region and linked Regions. However, in that case, the delegated
+    #   administrator can create a configuration policy in which specific
+    #   security standards are enabled and associate the policy with new
+    #   organization accounts.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html
     #
+    # @option params [Types::OrganizationConfiguration] :organization_configuration
+    #   Provides information about the way an organization is configured in
+    #   Security Hub.
+    #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
     #
     # @example Example: To update organization configuration
     #
-    #   # The following example updates the configuration for an organization so that Security Hub is automatically activated for
-    #   # new member accounts. Only the Security Hub administrator account can call this operation.
+    #   # This operation updates the way your organization is configured in Security Hub. Only a Security Hub administrator
+    #   # account can invoke this operation.
     #
     #   resp = client.update_organization_configuration({
-    #     auto_enable: true, 
+    #     auto_enable: false, 
+    #     auto_enable_standards: "NONE", 
+    #     organization_configuration: {
+    #       configuration_type: "CENTRAL", 
+    #     }, 
     #   })
     #
     # @example Request syntax with placeholder values
@@ -8978,6 +10154,11 @@ module Aws::SecurityHub
     #   resp = client.update_organization_configuration({
     #     auto_enable: false, # required
     #     auto_enable_standards: "NONE", # accepts NONE, DEFAULT
+    #     organization_configuration: {
+    #       configuration_type: "CENTRAL", # accepts CENTRAL, LOCAL
+    #       status: "PENDING", # accepts PENDING, ENABLED, FAILED
+    #       status_message: "NonEmptyString",
+    #     },
     #   })
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/UpdateOrganizationConfiguration AWS API Documentation
@@ -9165,7 +10346,7 @@ module Aws::SecurityHub
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-securityhub'
-      context[:gem_version] = '1.96.0'
+      context[:gem_version] = '1.98.0'
       Seahorse::Client::Request.new(handlers, context)
     end