aws-sdk-securityhub 1.96.0 → 1.98.0

data/lib/aws-sdk-securityhub/types.rb

@@ -329,6 +329,36 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # Options for filtering the `ListConfigurationPolicyAssociations`
+    # response. You can filter by the Amazon Resource Name (ARN) or
+    # universally unique identifier (UUID) of a configuration policy,
+    # `AssociationType`, or `AssociationStatus`.
+    #
+    # @!attribute [rw] configuration_policy_id
+    #   The ARN or UUID of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] association_type
+    #   Indicates whether the association between a target and a
+    #   configuration was directly applied by the Security Hub delegated
+    #   administrator or inherited from a parent.
+    #   @return [String]
+    #
+    # @!attribute [rw] association_status
+    #   The current status of the association between a target and a
+    #   configuration policy.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/AssociationFilters AWS API Documentation
+    #
+    class AssociationFilters < Struct.new(
+      :configuration_policy_id,
+      :association_type,
+      :association_status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The associations between a route table and one or more subnets or a
     # gateway.
     #
@@ -886,6 +916,26 @@ module Aws::SecurityHub
     #   Array Members: Minimum number of 1 item. Maximum number of 20 items.
     #   @return [Array<Types::MapFilter>]
     #
+    # @!attribute [rw] resource_application_arn
+    #   The Amazon Resource Name (ARN) of the application that is related to
+    #   a finding.
+    #
+    #   Array Members: Minimum number of 1 item. Maximum number of 20 items.
+    #   @return [Array<Types::StringFilter>]
+    #
+    # @!attribute [rw] resource_application_name
+    #   The name of the application that is related to a finding.
+    #
+    #   Array Members: Minimum number of 1 item. Maximum number of 20 items.
+    #   @return [Array<Types::StringFilter>]
+    #
+    # @!attribute [rw] aws_account_name
+    #   The name of the Amazon Web Services account in which a finding was
+    #   generated.
+    #
+    #   Array Members: Minimum number of 1 item. Maximum number of 20 items.
+    #   @return [Array<Types::StringFilter>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/AutomationRulesFindingFilters AWS API Documentation
     #
     class AutomationRulesFindingFilters < Struct.new(
@@ -923,7 +973,10 @@ module Aws::SecurityHub
       :note_text,
       :note_updated_at,
       :note_updated_by,
-      :user_defined_fields)
+      :user_defined_fields,
+      :resource_application_arn,
+      :resource_application_name,
+      :aws_account_name)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -18641,6 +18694,25 @@ module Aws::SecurityHub
     #   receives those findings.
     #   @return [Types::GeneratorDetails]
     #
+    # @!attribute [rw] processed_at
+    #   An ISO8601-formatted timestamp that indicates when Security Hub
+    #   received a finding and begins to process it.
+    #
+    #   A correctly formatted example is `2020-05-21T20:16:34.724Z`. The
+    #   value cannot contain spaces, and date and time should be separated
+    #   by `T`. For more information, see [RFC 3339 section 5.6, Internet
+    #   Date/Time Format][1].
+    #
+    #
+    #
+    #   [1]: https://www.rfc-editor.org/rfc/rfc3339#section-5.6
+    #   @return [String]
+    #
+    # @!attribute [rw] aws_account_name
+    #   The name of the Amazon Web Services account from which a finding was
+    #   generated.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/AwsSecurityFinding AWS API Documentation
     #
     class AwsSecurityFinding < Struct.new(
@@ -18685,7 +18757,9 @@ module Aws::SecurityHub
       :action,
       :finding_provider_fields,
       :sample,
-      :generator_details)
+      :generator_details,
+      :processed_at,
+      :aws_account_name)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -18704,7 +18778,7 @@ module Aws::SecurityHub
     #   @return [Array<Types::StringFilter>]
     #
     # @!attribute [rw] aws_account_id
-    #   The Amazon Web Services account ID that a finding is generated in.
+    #   The Amazon Web Services account ID in which a finding is generated.
     #   @return [Array<Types::StringFilter>]
     #
     # @!attribute [rw] id
@@ -19292,6 +19366,19 @@ module Aws::SecurityHub
     #   The current value of a security control parameter.
     #   @return [Array<Types::StringFilter>]
     #
+    # @!attribute [rw] aws_account_name
+    #   The name of the Amazon Web Services account in which a finding is
+    #   generated.
+    #   @return [Array<Types::StringFilter>]
+    #
+    # @!attribute [rw] resource_application_name
+    #   The name of the application that is related to a finding.
+    #   @return [Array<Types::StringFilter>]
+    #
+    # @!attribute [rw] resource_application_arn
+    #   The ARN of the application that is related to a finding.
+    #   @return [Array<Types::StringFilter>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/AwsSecurityFindingFilters AWS API Documentation
     #
     class AwsSecurityFindingFilters < Struct.new(
@@ -19395,7 +19482,10 @@ module Aws::SecurityHub
       :vulnerabilities_exploit_available,
       :vulnerabilities_fix_available,
       :compliance_security_control_parameters_name,
-      :compliance_security_control_parameters_value)
+      :compliance_security_control_parameters_value,
+      :aws_account_name,
+      :resource_application_name,
+      :resource_application_arn)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -21099,6 +21189,38 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # @!attribute [rw] configuration_policy_association_identifiers
+    #   Specifies one or more target account IDs, organizational unit (OU)
+    #   IDs, or the root ID to retrieve associations for.
+    #   @return [Array<Types::ConfigurationPolicyAssociation>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/BatchGetConfigurationPolicyAssociationsRequest AWS API Documentation
+    #
+    class BatchGetConfigurationPolicyAssociationsRequest < Struct.new(
+      :configuration_policy_association_identifiers)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] configuration_policy_associations
+    #   Describes associations for the target accounts, OUs, or the root.
+    #   @return [Array<Types::ConfigurationPolicyAssociationSummary>]
+    #
+    # @!attribute [rw] unprocessed_configuration_policy_associations
+    #   An array of configuration policy associations, one for each
+    #   configuration policy association identifier, that was specified in
+    #   the request but couldn’t be processed due to an error.
+    #   @return [Array<Types::UnprocessedConfigurationPolicyAssociation>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/BatchGetConfigurationPolicyAssociationsResponse AWS API Documentation
+    #
+    class BatchGetConfigurationPolicyAssociationsResponse < Struct.new(
+      :configuration_policy_associations,
+      :unprocessed_configuration_policy_associations)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] security_control_ids
     #   A list of security controls (identified with `SecurityControlId`,
     #   `SecurityControlArn`, or a mix of both parameters). The security
@@ -21820,6 +21942,119 @@ module Aws::SecurityHub
       class Unknown < ConfigurationOptions; end
     end
 
+    # Provides details about the association between an Security Hub
+    # configuration and a target account, organizational unit, or the root.
+    # An association can exist between a target and a configuration policy,
+    # or between a target and self-managed behavior.
+    #
+    # @!attribute [rw] target
+    #   The target account, organizational unit, or the root.
+    #   @return [Types::Target]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ConfigurationPolicyAssociation AWS API Documentation
+    #
+    class ConfigurationPolicyAssociation < Struct.new(
+      :target)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # An object that contains the details of a configuration policy
+    # association that’s returned in a `ListConfigurationPolicyAssociations`
+    # request.
+    #
+    # @!attribute [rw] configuration_policy_id
+    #   The universally unique identifier (UUID) of the configuration
+    #   policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] target_id
+    #   The identifier of the target account, organizational unit, or the
+    #   root.
+    #   @return [String]
+    #
+    # @!attribute [rw] target_type
+    #   Specifies whether the target is an Amazon Web Services account,
+    #   organizational unit, or the root.
+    #   @return [String]
+    #
+    # @!attribute [rw] association_type
+    #   Indicates whether the association between the specified target and
+    #   the configuration was directly applied by the Security Hub delegated
+    #   administrator or inherited from a parent.
+    #   @return [String]
+    #
+    # @!attribute [rw] updated_at
+    #   The date and time, in UTC and ISO 8601 format, that the
+    #   configuration policy association was last updated.
+    #   @return [Time]
+    #
+    # @!attribute [rw] association_status
+    #   The current status of the association between the specified target
+    #   and the configuration.
+    #   @return [String]
+    #
+    # @!attribute [rw] association_status_message
+    #   The explanation for a `FAILED` value for `AssociationStatus`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ConfigurationPolicyAssociationSummary AWS API Documentation
+    #
+    class ConfigurationPolicyAssociationSummary < Struct.new(
+      :configuration_policy_id,
+      :target_id,
+      :target_type,
+      :association_type,
+      :updated_at,
+      :association_status,
+      :association_status_message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # An object that contains the details of an Security Hub configuration
+    # policy that’s returned in a `ListConfigurationPolicies` request.
+    #
+    # @!attribute [rw] arn
+    #   The Amazon Resource Name (ARN) of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] id
+    #   The universally unique identifier (UUID) of the configuration
+    #   policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The name of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] description
+    #   The description of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] updated_at
+    #   The date and time, in UTC and ISO 8601 format, that the
+    #   configuration policy was last updated.
+    #   @return [Time]
+    #
+    # @!attribute [rw] service_enabled
+    #   Indicates whether the service that the configuration policy applies
+    #   to is enabled in the policy.
+    #   @return [Boolean]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ConfigurationPolicySummary AWS API Documentation
+    #
+    class ConfigurationPolicySummary < Struct.new(
+      :arn,
+      :id,
+      :name,
+      :description,
+      :updated_at,
+      :service_enabled)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Container details related to a finding.
     #
     # @!attribute [rw] container_runtime
@@ -21931,7 +22166,7 @@ module Aws::SecurityHub
     end
 
     # @!attribute [rw] tags
-    #   User-defined tags that help you label the purpose of a rule.
+    #   User-defined tags associated with an automation rule.
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] rule_status
@@ -22010,6 +22245,102 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # @!attribute [rw] name
+    #   The name of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] description
+    #   The description of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] configuration_policy
+    #   An object that defines how Security Hub is configured. It includes
+    #   whether Security Hub is enabled or disabled, a list of enabled
+    #   security standards, a list of enabled or disabled security controls,
+    #   and a list of custom parameter values for specified controls. If you
+    #   provide a list of security controls that are enabled in the
+    #   configuration policy, Security Hub disables all other controls
+    #   (including newly released controls). If you provide a list of
+    #   security controls that are disabled in the configuration policy,
+    #   Security Hub enables all other controls (including newly released
+    #   controls).
+    #   @return [Types::Policy]
+    #
+    # @!attribute [rw] tags
+    #   User-defined tags associated with a configuration policy. For more
+    #   information, see [Tagging Security Hub resources][1] in the
+    #   *Security Hub user guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/securityhub/latest/userguide/tagging-resources.html
+    #   @return [Hash<String,String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/CreateConfigurationPolicyRequest AWS API Documentation
+    #
+    class CreateConfigurationPolicyRequest < Struct.new(
+      :name,
+      :description,
+      :configuration_policy,
+      :tags)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] arn
+    #   The Amazon Resource Name (ARN) of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] id
+    #   The universally unique identifier (UUID) of the configuration
+    #   policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The name of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] description
+    #   The description of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] updated_at
+    #   The date and time, in UTC and ISO 8601 format, that the
+    #   configuration policy was last updated.
+    #   @return [Time]
+    #
+    # @!attribute [rw] created_at
+    #   The date and time, in UTC and ISO 8601 format, that the
+    #   configuration policy was created.
+    #   @return [Time]
+    #
+    # @!attribute [rw] configuration_policy
+    #   An object that defines how Security Hub is configured. It includes
+    #   whether Security Hub is enabled or disabled, a list of enabled
+    #   security standards, a list of enabled or disabled security controls,
+    #   and a list of custom parameter values for specified controls. If the
+    #   request included a list of security controls that are enabled in the
+    #   configuration policy, Security Hub disables all other controls
+    #   (including newly released controls). If the request included a list
+    #   of security controls that are disabled in the configuration policy,
+    #   Security Hub enables all other controls (including newly released
+    #   controls).
+    #   @return [Types::Policy]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/CreateConfigurationPolicyResponse AWS API Documentation
+    #
+    class CreateConfigurationPolicyResponse < Struct.new(
+      :arn,
+      :id,
+      :name,
+      :description,
+      :updated_at,
+      :created_at,
+      :configuration_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] region_linking_mode
     #   Indicates whether to aggregate findings from all of the available
     #   Regions in the current partition. Also determines whether to
@@ -22372,6 +22703,23 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # @!attribute [rw] identifier
+    #   The Amazon Resource Name (ARN) or universally unique identifier
+    #   (UUID) of the configuration policy.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/DeleteConfigurationPolicyRequest AWS API Documentation
+    #
+    class DeleteConfigurationPolicyRequest < Struct.new(
+      :identifier)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/DeleteConfigurationPolicyResponse AWS API Documentation
+    #
+    class DeleteConfigurationPolicyResponse < Aws::EmptyStructure; end
+
     # @!attribute [rw] finding_aggregator_arn
     #   The ARN of the finding aggregator to delete. To obtain the ARN, use
     #   `ListFindingAggregators`.
@@ -22578,11 +22926,19 @@ module Aws::SecurityHub
     class DescribeOrganizationConfigurationRequest < Aws::EmptyStructure; end
 
     # @!attribute [rw] auto_enable
-    #   Whether to automatically enable Security Hub for new accounts in the
-    #   organization.
-    #
-    #   If set to `true`, then Security Hub is enabled for new accounts. If
-    #   set to false, then new accounts are not added automatically.
+    #   Whether to automatically enable Security Hub in new member accounts
+    #   when they join the organization.
+    #
+    #   If set to `true`, then Security Hub is automatically enabled in new
+    #   accounts. If set to `false`, then Security Hub isn't enabled in new
+    #   accounts automatically. The default value is `false`.
+    #
+    #   If the `ConfigurationType` of your organization is set to `CENTRAL`,
+    #   then this field is set to `false` and can't be changed in the home
+    #   Region and linked Regions. However, in that case, the delegated
+    #   administrator can create a configuration policy in which Security
+    #   Hub is enabled and associate the policy with new organization
+    #   accounts.
     #   @return [Boolean]
     #
     # @!attribute [rw] member_account_limit_reached
@@ -22592,26 +22948,37 @@ module Aws::SecurityHub
     #
     # @!attribute [rw] auto_enable_standards
     #   Whether to automatically enable Security Hub [default standards][1]
-    #   for new member accounts in the organization.
-    #
-    #   The default value of this parameter is equal to `DEFAULT`.
+    #   in new member accounts when they join the organization.
     #
     #   If equal to `DEFAULT`, then Security Hub default standards are
     #   automatically enabled for new member accounts. If equal to `NONE`,
     #   then default standards are not automatically enabled for new member
-    #   accounts.
+    #   accounts. The default value of this parameter is equal to `DEFAULT`.
+    #
+    #   If the `ConfigurationType` of your organization is set to `CENTRAL`,
+    #   then this field is set to `NONE` and can't be changed in the home
+    #   Region and linked Regions. However, in that case, the delegated
+    #   administrator can create a configuration policy in which specific
+    #   security standards are enabled and associate the policy with new
+    #   organization accounts.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html
     #   @return [String]
     #
+    # @!attribute [rw] organization_configuration
+    #   Provides information about the way an organization is configured in
+    #   Security Hub.
+    #   @return [Types::OrganizationConfiguration]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/DescribeOrganizationConfigurationResponse AWS API Documentation
     #
     class DescribeOrganizationConfigurationResponse < Struct.new(
       :auto_enable,
       :member_account_limit_reached,
-      :auto_enable_standards)
+      :auto_enable_standards,
+      :organization_configuration)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -23430,6 +23797,133 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # @!attribute [rw] target
+    #   The target account ID, organizational unit ID, or the root ID to
+    #   retrieve the association for.
+    #   @return [Types::Target]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetConfigurationPolicyAssociationRequest AWS API Documentation
+    #
+    class GetConfigurationPolicyAssociationRequest < Struct.new(
+      :target)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] configuration_policy_id
+    #   The universally unique identifier (UUID) of a configuration policy.
+    #   For self-managed behavior, the value is `SELF_MANAGED_SECURITY_HUB`.
+    #   @return [String]
+    #
+    # @!attribute [rw] target_id
+    #   The target account ID, organizational unit ID, or the root ID for
+    #   which the association is retrieved.
+    #   @return [String]
+    #
+    # @!attribute [rw] target_type
+    #   Specifies whether the target is an Amazon Web Services account,
+    #   organizational unit, or the organization root.
+    #   @return [String]
+    #
+    # @!attribute [rw] association_type
+    #   Indicates whether the association between the specified target and
+    #   the configuration was directly applied by the Security Hub delegated
+    #   administrator or inherited from a parent.
+    #   @return [String]
+    #
+    # @!attribute [rw] updated_at
+    #   The date and time, in UTC and ISO 8601 format, that the
+    #   configuration policy association was last updated.
+    #   @return [Time]
+    #
+    # @!attribute [rw] association_status
+    #   The current status of the association between the specified target
+    #   and the configuration.
+    #   @return [String]
+    #
+    # @!attribute [rw] association_status_message
+    #   The explanation for a `FAILED` value for `AssociationStatus`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetConfigurationPolicyAssociationResponse AWS API Documentation
+    #
+    class GetConfigurationPolicyAssociationResponse < Struct.new(
+      :configuration_policy_id,
+      :target_id,
+      :target_type,
+      :association_type,
+      :updated_at,
+      :association_status,
+      :association_status_message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] identifier
+    #   The Amazon Resource Name (ARN) or universally unique identifier
+    #   (UUID) of the configuration policy.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetConfigurationPolicyRequest AWS API Documentation
+    #
+    class GetConfigurationPolicyRequest < Struct.new(
+      :identifier)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] arn
+    #   The ARN of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] id
+    #   The UUID of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The name of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] description
+    #   The description of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] updated_at
+    #   The date and time, in UTC and ISO 8601 format, that the
+    #   configuration policy was last updated.
+    #   @return [Time]
+    #
+    # @!attribute [rw] created_at
+    #   The date and time, in UTC and ISO 8601 format, that the
+    #   configuration policy was created.
+    #   @return [Time]
+    #
+    # @!attribute [rw] configuration_policy
+    #   An object that defines how Security Hub is configured. It includes
+    #   whether Security Hub is enabled or disabled, a list of enabled
+    #   security standards, a list of enabled or disabled security controls,
+    #   and a list of custom parameter values for specified controls. If the
+    #   policy includes a list of security controls that are enabled,
+    #   Security Hub disables all other controls (including newly released
+    #   controls). If the policy includes a list of security controls that
+    #   are disabled, Security Hub enables all other controls (including
+    #   newly released controls).
+    #   @return [Types::Policy]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetConfigurationPolicyResponse AWS API Documentation
+    #
+    class GetConfigurationPolicyResponse < Struct.new(
+      :arn,
+      :id,
+      :name,
+      :description,
+      :updated_at,
+      :created_at,
+      :configuration_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] standards_subscription_arns
     #   The list of the standards subscription ARNs for the standards to
     #   retrieve.
@@ -24299,6 +24793,117 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # @!attribute [rw] next_token
+    #   The NextToken value that's returned from a previous paginated
+    #   `ListConfigurationPolicies` request where `MaxResults` was used but
+    #   the results exceeded the value of that parameter. Pagination
+    #   continues from the `MaxResults` was used but the results exceeded
+    #   the value of that parameter. Pagination continues from the end of
+    #   the previous response that returned the `NextToken` value. This
+    #   value is `null` when there are no more results to return.
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of results that's returned by
+    #   `ListConfigurationPolicies` in each page of the response. When this
+    #   parameter is used, `ListConfigurationPolicies` returns the specified
+    #   number of results in a single page and a `NextToken` response
+    #   element. You can see the remaining results of the initial request by
+    #   sending another `ListConfigurationPolicies` request with the
+    #   returned `NextToken` value. A valid range for `MaxResults` is
+    #   between 1 and 100.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ListConfigurationPoliciesRequest AWS API Documentation
+    #
+    class ListConfigurationPoliciesRequest < Struct.new(
+      :next_token,
+      :max_results)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] configuration_policy_summaries
+    #   Provides metadata for each of your configuration policies.
+    #   @return [Array<Types::ConfigurationPolicySummary>]
+    #
+    # @!attribute [rw] next_token
+    #   The `NextToken` value to include in the next
+    #   `ListConfigurationPolicies` request. When the results of a
+    #   `ListConfigurationPolicies` request exceed `MaxResults`, this value
+    #   can be used to retrieve the next page of results. This value is
+    #   `null` when there are no more results to return.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ListConfigurationPoliciesResponse AWS API Documentation
+    #
+    class ListConfigurationPoliciesResponse < Struct.new(
+      :configuration_policy_summaries,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] next_token
+    #   The `NextToken` value that's returned from a previous paginated
+    #   `ListConfigurationPolicyAssociations` request where `MaxResults` was
+    #   used but the results exceeded the value of that parameter.
+    #   Pagination continues from the end of the previous response that
+    #   returned the `NextToken` value. This value is `null` when there are
+    #   no more results to return.
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of results that's returned by
+    #   `ListConfigurationPolicies` in each page of the response. When this
+    #   parameter is used, `ListConfigurationPolicyAssociations` returns the
+    #   specified number of results in a single page and a `NextToken`
+    #   response element. You can see the remaining results of the initial
+    #   request by sending another `ListConfigurationPolicyAssociations`
+    #   request with the returned `NextToken` value. A valid range for
+    #   `MaxResults` is between 1 and 100.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] filters
+    #   Options for filtering the `ListConfigurationPolicyAssociations`
+    #   response. You can filter by the Amazon Resource Name (ARN) or
+    #   universally unique identifier (UUID) of a configuration,
+    #   `AssociationType`, or `AssociationStatus`.
+    #   @return [Types::AssociationFilters]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ListConfigurationPolicyAssociationsRequest AWS API Documentation
+    #
+    class ListConfigurationPolicyAssociationsRequest < Struct.new(
+      :next_token,
+      :max_results,
+      :filters)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] configuration_policy_association_summaries
+    #   An object that contains the details of each configuration policy
+    #   association that’s returned in a
+    #   `ListConfigurationPolicyAssociations` request.
+    #   @return [Array<Types::ConfigurationPolicyAssociationSummary>]
+    #
+    # @!attribute [rw] next_token
+    #   The `NextToken` value to include in the next
+    #   `ListConfigurationPolicyAssociations` request. When the results of a
+    #   `ListConfigurationPolicyAssociations` request exceed `MaxResults`,
+    #   this value can be used to retrieve the next page of results. This
+    #   value is `null` when there are no more results to return.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ListConfigurationPolicyAssociationsResponse AWS API Documentation
+    #
+    class ListConfigurationPolicyAssociationsResponse < Struct.new(
+      :configuration_policy_association_summaries,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] next_token
     #   The token that is required for pagination. On your first call to the
     #   `ListEnabledProductsForImport` operation, set the value of this
@@ -25177,6 +25782,53 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # Provides information about the way an organization is configured in
+    # Security Hub.
+    #
+    # @!attribute [rw] configuration_type
+    #   Indicates whether the organization uses local or central
+    #   configuration.
+    #
+    #   If you use local configuration, the Security Hub delegated
+    #   administrator can set `AutoEnable` to `true` and
+    #   `AutoEnableStandards` to `DEFAULT`. This automatically enables
+    #   Security Hub and default security standards in new organization
+    #   accounts. These new account settings must be set separately in each
+    #   Amazon Web Services Region, and settings may be different in each
+    #   Region.
+    #
+    #   If you use central configuration, the delegated administrator can
+    #   create configuration policies. Configuration policies can be used to
+    #   configure Security Hub, security standards, and security controls in
+    #   multiple accounts and Regions. If you want new organization accounts
+    #   to use a specific configuration, you can create a configuration
+    #   policy and associate it with the root or specific organizational
+    #   units (OUs). New accounts will inherit the policy from the root or
+    #   their assigned OU.
+    #   @return [String]
+    #
+    # @!attribute [rw] status
+    #   Describes whether central configuration could be enabled as the
+    #   `ConfigurationType` for the organization. If your
+    #   `ConfigurationType` is local configuration, then the value of
+    #   `Status` is always `ENABLED`.
+    #   @return [String]
+    #
+    # @!attribute [rw] status_message
+    #   Provides an explanation if the value of `Status` is equal to
+    #   `FAILED` when `ConfigurationType` is equal to `CENTRAL`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/OrganizationConfiguration AWS API Documentation
+    #
+    class OrganizationConfiguration < Struct.new(
+      :configuration_type,
+      :status,
+      :status_message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # An occurrence of sensitive data in an Adobe Portable Document Format
     # (PDF) file.
     #
@@ -25404,6 +26056,37 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # An object that defines how Security Hub is configured. It includes
+    # whether Security Hub is enabled or disabled, a list of enabled
+    # security standards, a list of enabled or disabled security controls,
+    # and a list of custom parameter values for specified controls. If you
+    # provide a list of security controls that are enabled in the
+    # configuration policy, Security Hub disables all other controls
+    # (including newly released controls). If you provide a list of security
+    # controls that are disabled in the configuration policy, Security Hub
+    # enables all other controls (including newly released controls).
+    #
+    # @note Policy is a union - when making an API calls you must set exactly one of the members.
+    #
+    # @note Policy is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of Policy corresponding to the set member.
+    #
+    # @!attribute [rw] security_hub
+    #   The Amazon Web Service that the configuration policy applies to.
+    #   @return [Types::SecurityHubPolicy]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/Policy AWS API Documentation
+    #
+    class Policy < Struct.new(
+      :security_hub,
+      :unknown)
+      SENSITIVE = []
+      include Aws::Structure
+      include Aws::Structure::Union
+
+      class SecurityHub < Policy; end
+      class Unknown < Policy; end
+    end
+
     # Provided if `ActionType` is `PORT_PROBE`. It provides details about
     # the attempted port probe that was detected.
     #
@@ -25788,6 +26471,15 @@ module Aws::SecurityHub
     #   Additional details about the resource related to a finding.
     #   @return [Types::ResourceDetails]
     #
+    # @!attribute [rw] application_name
+    #   The name of the application that is related to a finding.
+    #   @return [String]
+    #
+    # @!attribute [rw] application_arn
+    #   The Amazon Resource Name (ARN) of the application that is related to
+    #   a finding.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/Resource AWS API Documentation
     #
     class Resource < Struct.new(
@@ -25798,7 +26490,9 @@ module Aws::SecurityHub
       :resource_role,
       :tags,
       :data_classification,
-      :details)
+      :details,
+      :application_name,
+      :application_arn)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -27057,6 +27751,27 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # A list of security controls and control parameter values that are
+    # included in a configuration policy.
+    #
+    # @!attribute [rw] security_control_id
+    #   The ID of the security control.
+    #   @return [String]
+    #
+    # @!attribute [rw] parameters
+    #   An object that specifies parameter values for a control in a
+    #   configuration policy.
+    #   @return [Hash<String,Types::ParameterConfiguration>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/SecurityControlCustomParameter AWS API Documentation
+    #
+    class SecurityControlCustomParameter < Struct.new(
+      :security_control_id,
+      :parameters)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Provides metadata for a security control, including its unique
     # standard-agnostic identifier, title, description, severity,
     # availability in Amazon Web Services Regions, and a link to remediation
@@ -27149,6 +27864,73 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # An object that defines which security controls are enabled in an
+    # Security Hub configuration policy. The enablement status of a control
+    # is aligned across all of the enabled standards in an account.
+    #
+    # @!attribute [rw] enabled_security_control_identifiers
+    #   A list of security controls that are enabled in the configuration
+    #   policy. Security Hub disables all other controls (including newly
+    #   released controls) other than the listed controls.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] disabled_security_control_identifiers
+    #   A list of security controls that are disabled in the configuration
+    #   policy. Security Hub enables all other controls (including newly
+    #   released controls) other than the listed controls.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] security_control_custom_parameters
+    #   A list of security controls and control parameter values that are
+    #   included in a configuration policy.
+    #   @return [Array<Types::SecurityControlCustomParameter>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/SecurityControlsConfiguration AWS API Documentation
+    #
+    class SecurityControlsConfiguration < Struct.new(
+      :enabled_security_control_identifiers,
+      :disabled_security_control_identifiers,
+      :security_control_custom_parameters)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # An object that defines how Security Hub is configured. The
+    # configuration policy includes whether Security Hub is enabled or
+    # disabled, a list of enabled security standards, a list of enabled or
+    # disabled security controls, and a list of custom parameter values for
+    # specified controls. If you provide a list of security controls that
+    # are enabled in the configuration policy, Security Hub disables all
+    # other controls (including newly released controls). If you provide a
+    # list of security controls that are disabled in the configuration
+    # policy, Security Hub enables all other controls (including newly
+    # released controls).
+    #
+    # @!attribute [rw] service_enabled
+    #   Indicates whether Security Hub is enabled in the policy.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] enabled_standard_identifiers
+    #   A list that defines which security standards are enabled in the
+    #   configuration policy.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] security_controls_configuration
+    #   An object that defines which security controls are enabled in the
+    #   configuration policy. The enablement status of a control is aligned
+    #   across all of the enabled standards in an account.
+    #   @return [Types::SecurityControlsConfiguration]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/SecurityHubPolicy AWS API Documentation
+    #
+    class SecurityHubPolicy < Struct.new(
+      :service_enabled,
+      :enabled_standard_identifiers,
+      :security_controls_configuration)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The list of detected instances of sensitive data.
     #
     # @!attribute [rw] count
@@ -27666,7 +28448,7 @@ module Aws::SecurityHub
     #   @return [Time]
     #
     # @!attribute [rw] updated_reason
-    #   The reason for updating the control's enablement status in a
+    #   The reason for updating a control's enablement status in a
     #   specified standard.
     #   @return [String]
     #
@@ -27839,6 +28621,96 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # @!attribute [rw] configuration_policy_identifier
+    #   The Amazon Resource Name (ARN) or universally unique identifier
+    #   (UUID) of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] target
+    #   The identifier of the target account, organizational unit, or the
+    #   root to associate with the specified configuration.
+    #   @return [Types::Target]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/StartConfigurationPolicyAssociationRequest AWS API Documentation
+    #
+    class StartConfigurationPolicyAssociationRequest < Struct.new(
+      :configuration_policy_identifier,
+      :target)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] configuration_policy_id
+    #   The UUID of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] target_id
+    #   The identifier of the target account, organizational unit, or the
+    #   organization root with which the configuration is associated.
+    #   @return [String]
+    #
+    # @!attribute [rw] target_type
+    #   Indicates whether the target is an Amazon Web Services account,
+    #   organizational unit, or the organization root.
+    #   @return [String]
+    #
+    # @!attribute [rw] association_type
+    #   Indicates whether the association between the specified target and
+    #   the configuration was directly applied by the Security Hub delegated
+    #   administrator or inherited from a parent.
+    #   @return [String]
+    #
+    # @!attribute [rw] updated_at
+    #   The date and time, in UTC and ISO 8601 format, that the
+    #   configuration policy association was last updated.
+    #   @return [Time]
+    #
+    # @!attribute [rw] association_status
+    #   The current status of the association between the specified target
+    #   and the configuration.
+    #   @return [String]
+    #
+    # @!attribute [rw] association_status_message
+    #   An explanation for a `FAILED` value for `AssociationStatus`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/StartConfigurationPolicyAssociationResponse AWS API Documentation
+    #
+    class StartConfigurationPolicyAssociationResponse < Struct.new(
+      :configuration_policy_id,
+      :target_id,
+      :target_type,
+      :association_type,
+      :updated_at,
+      :association_status,
+      :association_status_message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] target
+    #   The identifier of the target account, organizational unit, or the
+    #   root to disassociate from the specified configuration.
+    #   @return [Types::Target]
+    #
+    # @!attribute [rw] configuration_policy_identifier
+    #   The Amazon Resource Name (ARN) or universally unique identifier
+    #   (UUID) of the configuration policy.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/StartConfigurationPolicyDisassociationRequest AWS API Documentation
+    #
+    class StartConfigurationPolicyDisassociationRequest < Struct.new(
+      :target,
+      :configuration_policy_identifier)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/StartConfigurationPolicyDisassociationResponse AWS API Documentation
+    #
+    class StartConfigurationPolicyDisassociationResponse < Aws::EmptyStructure; end
+
     # The definition of a custom action that can be used for stateless
     # packet handling.
     #
@@ -28097,6 +28969,43 @@ module Aws::SecurityHub
     #
     class TagResourceResponse < Aws::EmptyStructure; end
 
+    # The target account, organizational unit, or the root that is
+    # associated with an Security Hub configuration. The configuration can
+    # be a configuration policy or self-managed behavior.
+    #
+    # @note Target is a union - when making an API calls you must set exactly one of the members.
+    #
+    # @note Target is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of Target corresponding to the set member.
+    #
+    # @!attribute [rw] account_id
+    #   The Amazon Web Services account ID of the target account.
+    #   @return [String]
+    #
+    # @!attribute [rw] organizational_unit_id
+    #   The organizational unit ID of the target organizational unit.
+    #   @return [String]
+    #
+    # @!attribute [rw] root_id
+    #   The ID of the organization root.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/Target AWS API Documentation
+    #
+    class Target < Struct.new(
+      :account_id,
+      :organizational_unit_id,
+      :root_id,
+      :unknown)
+      SENSITIVE = []
+      include Aws::Structure
+      include Aws::Structure::Union
+
+      class AccountId < Target; end
+      class OrganizationalUnitId < Target; end
+      class RootId < Target; end
+      class Unknown < Target; end
+    end
+
     # Provides information about the threat detected in a security finding
     # and the file paths that were affected by the threat.
     #
@@ -28205,6 +29114,37 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # An array of configuration policy associations, one for each
+    # configuration policy association identifier, that was specified in a
+    # `BatchGetConfigurationPolicyAssociations` request but couldn’t be
+    # processed due to an error.
+    #
+    # @!attribute [rw] configuration_policy_association_identifiers
+    #   Configuration policy association identifiers that were specified in
+    #   a `BatchGetConfigurationPolicyAssociations` request but couldn’t be
+    #   processed due to an error.
+    #   @return [Types::ConfigurationPolicyAssociation]
+    #
+    # @!attribute [rw] error_code
+    #   An HTTP status code that identifies why the configuration policy
+    #   association failed.
+    #   @return [String]
+    #
+    # @!attribute [rw] error_reason
+    #   A string that identifies why the configuration policy association
+    #   failed.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/UnprocessedConfigurationPolicyAssociation AWS API Documentation
+    #
+    class UnprocessedConfigurationPolicyAssociation < Struct.new(
+      :configuration_policy_association_identifiers,
+      :error_code,
+      :error_reason)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Provides details about a security control for which a response
     # couldn't be returned.
     #
@@ -28427,6 +29367,106 @@ module Aws::SecurityHub
       include Aws::Structure
     end
 
+    # @!attribute [rw] identifier
+    #   The Amazon Resource Name (ARN) or universally unique identifier
+    #   (UUID) of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The name of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] description
+    #   The description of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] updated_reason
+    #   The reason for updating the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] configuration_policy
+    #   An object that defines how Security Hub is configured. It includes
+    #   whether Security Hub is enabled or disabled, a list of enabled
+    #   security standards, a list of enabled or disabled security controls,
+    #   and a list of custom parameter values for specified controls. If you
+    #   provide a list of security controls that are enabled in the
+    #   configuration policy, Security Hub disables all other controls
+    #   (including newly released controls). If you provide a list of
+    #   security controls that are disabled in the configuration policy,
+    #   Security Hub enables all other controls (including newly released
+    #   controls).
+    #
+    #   When updating a configuration policy, provide a complete list of
+    #   standards that you want to enable and a complete list of controls
+    #   that you want to enable or disable. The updated configuration
+    #   replaces the current configuration.
+    #   @return [Types::Policy]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/UpdateConfigurationPolicyRequest AWS API Documentation
+    #
+    class UpdateConfigurationPolicyRequest < Struct.new(
+      :identifier,
+      :name,
+      :description,
+      :updated_reason,
+      :configuration_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] arn
+    #   The ARN of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] id
+    #   The UUID of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The name of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] description
+    #   The description of the configuration policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] updated_at
+    #   The date and time, in UTC and ISO 8601 format, that the
+    #   configuration policy was last updated.
+    #   @return [Time]
+    #
+    # @!attribute [rw] created_at
+    #   The date and time, in UTC and ISO 8601 format, that the
+    #   configuration policy was created.
+    #   @return [Time]
+    #
+    # @!attribute [rw] configuration_policy
+    #   An object that defines how Security Hub is configured. It includes
+    #   whether Security Hub is enabled or disabled, a list of enabled
+    #   security standards, a list of enabled or disabled security controls,
+    #   and a list of custom parameter values for specified controls. If the
+    #   request included a list of security controls that are enabled in the
+    #   configuration policy, Security Hub disables all other controls
+    #   (including newly released controls). If the request included a list
+    #   of security controls that are disabled in the configuration policy,
+    #   Security Hub enables all other controls (including newly released
+    #   controls).
+    #   @return [Types::Policy]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/UpdateConfigurationPolicyResponse AWS API Documentation
+    #
+    class UpdateConfigurationPolicyResponse < Struct.new(
+      :arn,
+      :id,
+      :name,
+      :description,
+      :updated_at,
+      :created_at,
+      :configuration_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] finding_aggregator_arn
     #   The ARN of the finding aggregator. To obtain the ARN, use
     #   `ListFindingAggregators`.
@@ -28567,37 +29607,55 @@ module Aws::SecurityHub
     class UpdateInsightResponse < Aws::EmptyStructure; end
 
     # @!attribute [rw] auto_enable
-    #   Whether to automatically enable Security Hub for new accounts in the
-    #   organization.
-    #
-    #   By default, this is `false`, and new accounts are not added
-    #   automatically.
-    #
-    #   To automatically enable Security Hub for new accounts, set this to
-    #   `true`.
+    #   Whether to automatically enable Security Hub in new member accounts
+    #   when they join the organization.
+    #
+    #   If set to `true`, then Security Hub is automatically enabled in new
+    #   accounts. If set to `false`, then Security Hub isn't enabled in new
+    #   accounts automatically. The default value is `false`.
+    #
+    #   If the `ConfigurationType` of your organization is set to `CENTRAL`,
+    #   then this field is set to `false` and can't be changed in the home
+    #   Region and linked Regions. However, in that case, the delegated
+    #   administrator can create a configuration policy in which Security
+    #   Hub is enabled and associate the policy with new organization
+    #   accounts.
     #   @return [Boolean]
     #
     # @!attribute [rw] auto_enable_standards
     #   Whether to automatically enable Security Hub [default standards][1]
-    #   for new member accounts in the organization.
+    #   in new member accounts when they join the organization.
     #
-    #   By default, this parameter is equal to `DEFAULT`, and new member
-    #   accounts are automatically enabled with default Security Hub
-    #   standards.
+    #   The default value of this parameter is equal to `DEFAULT`.
     #
-    #   To opt out of enabling default standards for new member accounts,
-    #   set this parameter equal to `NONE`.
+    #   If equal to `DEFAULT`, then Security Hub default standards are
+    #   automatically enabled for new member accounts. If equal to `NONE`,
+    #   then default standards are not automatically enabled for new member
+    #   accounts.
+    #
+    #   If the `ConfigurationType` of your organization is set to `CENTRAL`,
+    #   then this field is set to `NONE` and can't be changed in the home
+    #   Region and linked Regions. However, in that case, the delegated
+    #   administrator can create a configuration policy in which specific
+    #   security standards are enabled and associate the policy with new
+    #   organization accounts.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html
     #   @return [String]
     #
+    # @!attribute [rw] organization_configuration
+    #   Provides information about the way an organization is configured in
+    #   Security Hub.
+    #   @return [Types::OrganizationConfiguration]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/UpdateOrganizationConfigurationRequest AWS API Documentation
     #
     class UpdateOrganizationConfigurationRequest < Struct.new(
       :auto_enable,
-      :auto_enable_standards)
+      :auto_enable_standards,
+      :organization_configuration)
       SENSITIVE = []
       include Aws::Structure
     end