aws-sdk-ssm 1.173.0 → 1.196.0

data/lib/aws-sdk-ssm/types.rb

@@ -10,6 +10,20 @@
 module Aws::SSM
   module Types
 
+    # The requester doesn't have permissions to perform the requested
+    # operation.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/AccessDeniedException AWS API Documentation
+    #
+    class AccessDeniedException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Information includes the Amazon Web Services account ID where the
     # current document is shared and the version shared with that account.
     #
@@ -428,7 +442,7 @@ module Aws::SSM
     #   Choose the parameter that will define how your automation will
     #   branch out. This target is required for associations that use an
     #   Automation runbook and target resources by using rate controls.
-    #   Automation is a capability of Amazon Web Services Systems Manager.
+    #   Automation is a tool in Amazon Web Services Systems Manager.
     #   @return [String]
     #
     # @!attribute [rw] parameters
@@ -510,9 +524,9 @@ module Aws::SSM
     #
     #   In `MANUAL` mode, you must specify the `AssociationId` as a
     #   parameter for the PutComplianceItems API operation. In this case,
-    #   compliance data isn't managed by State Manager, a capability of
-    #   Amazon Web Services Systems Manager. It is managed by your direct
-    #   call to the PutComplianceItems API operation.
+    #   compliance data isn't managed by State Manager, a tool in Amazon
+    #   Web Services Systems Manager. It is managed by your direct call to
+    #   the PutComplianceItems API operation.
     #
     #   By default, all associations use `AUTO` mode.
     #   @return [String]
@@ -529,7 +543,8 @@ module Aws::SSM
     #   The names or Amazon Resource Names (ARNs) of the Change Calendar
     #   type documents your associations are gated under. The associations
     #   only run when that change calendar is open. For more information,
-    #   see [Amazon Web Services Systems Manager Change Calendar][1].
+    #   see [Amazon Web Services Systems Manager Change Calendar][1] in the
+    #   *Amazon Web Services Systems Manager User Guide*.
     #
     #
     #
@@ -967,15 +982,15 @@ module Aws::SSM
     #
     #   In `MANUAL` mode, you must specify the `AssociationId` as a
     #   parameter for the PutComplianceItems API operation. In this case,
-    #   compliance data isn't managed by State Manager, a capability of
-    #   Amazon Web Services Systems Manager. It is managed by your direct
-    #   call to the PutComplianceItems API operation.
+    #   compliance data isn't managed by State Manager, a tool in Amazon
+    #   Web Services Systems Manager. It is managed by your direct call to
+    #   the PutComplianceItems API operation.
     #
     #   By default, all associations use `AUTO` mode.
     #   @return [String]
     #
     # @!attribute [rw] apply_only_at_cron_interval
-    #   By default, when you create a new associations, the system runs it
+    #   By default, when you create new associations, the system runs it
     #   immediately after it is created and then according to the schedule
     #   you specified. Specify this option if you don't want an association
     #   to run immediately after you create it. This parameter isn't
@@ -987,7 +1002,8 @@ module Aws::SSM
     #   type documents your associations are gated under. The associations
     #   for this version only run when that Change Calendar is open. For
     #   more information, see [Amazon Web Services Systems Manager Change
-    #   Calendar][1].
+    #   Calendar][1] in the *Amazon Web Services Systems Manager User
+    #   Guide*.
     #
     #
     #
@@ -1124,12 +1140,12 @@ module Aws::SSM
     #   * For the key *SourceUrl*, the value is an S3 bucket location. For
     #     example:
     #
-    #     `"Values": [ "s3://doc-example-bucket/my-folder" ]`
+    #     `"Values": [ "s3://amzn-s3-demo-bucket/my-prefix" ]`
     #
     #   * For the key *S3FileUrl*, the value is a file in an S3 bucket. For
     #     example:
     #
-    #     `"Values": [ "s3://doc-example-bucket/my-folder/my-file.py" ]`
+    #     `"Values": [ "s3://amzn-s3-demo-bucket/my-prefix/my-file.py" ]`
     #
     #   * For the key *AttachmentReference*, the value is constructed from
     #     the name of another SSM document in your account, a version number
@@ -1326,6 +1342,12 @@ module Aws::SSM
     #   The CloudWatch alarm that was invoked by the automation.
     #   @return [Array<Types::AlarmStateInformation>]
     #
+    # @!attribute [rw] target_locations_url
+    #   A publicly accessible URL for a file that contains the
+    #   `TargetLocations` body. Currently, only files in presigned Amazon S3
+    #   buckets are supported
+    #   @return [String]
+    #
     # @!attribute [rw] automation_subtype
     #   The subtype of the Automation operation. Currently, the only
     #   supported value is `ChangeRequest`.
@@ -1394,6 +1416,7 @@ module Aws::SSM
       :progress_counters,
       :alarm_configuration,
       :triggered_alarms,
+      :target_locations_url,
       :automation_subtype,
       :scheduled_time,
       :runbooks,
@@ -1426,6 +1449,55 @@ module Aws::SSM
       include Aws::Structure
     end
 
+    # Information about the optional inputs that can be specified for an
+    # automation execution preview.
+    #
+    # @!attribute [rw] parameters
+    #   Information about parameters that can be specified for the preview
+    #   operation.
+    #   @return [Hash<String,Array<String>>]
+    #
+    # @!attribute [rw] target_parameter_name
+    #   The name of the parameter used as the target resource for the
+    #   rate-controlled execution. Required if you specify targets.
+    #   @return [String]
+    #
+    # @!attribute [rw] targets
+    #   Information about the resources that would be included in the actual
+    #   runbook execution, if it were to be run. Both Targets and TargetMaps
+    #   can't be specified together.
+    #   @return [Array<Types::Target>]
+    #
+    # @!attribute [rw] target_maps
+    #   A key-value mapping of document parameters to target resources. Both
+    #   Targets and TargetMaps can't be specified together.
+    #   @return [Array<Hash<String,Array<String>>>]
+    #
+    # @!attribute [rw] target_locations
+    #   Information about the Amazon Web Services Regions and Amazon Web
+    #   Services accounts targeted by the Automation execution preview
+    #   operation.
+    #   @return [Array<Types::TargetLocation>]
+    #
+    # @!attribute [rw] target_locations_url
+    #   A publicly accessible URL for a file that contains the
+    #   `TargetLocations` body. Currently, only files in presigned Amazon S3
+    #   buckets are supported.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/AutomationExecutionInputs AWS API Documentation
+    #
+    class AutomationExecutionInputs < Struct.new(
+      :parameters,
+      :target_parameter_name,
+      :targets,
+      :target_maps,
+      :target_locations,
+      :target_locations_url)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The number of simultaneously running Automation executions exceeded
     # the allowable limit.
     #
@@ -1534,9 +1606,9 @@ module Aws::SSM
     #   Use this filter with DescribeAutomationExecutions. Specify either
     #   Local or CrossAccount. CrossAccount is an Automation that runs in
     #   multiple Amazon Web Services Regions and Amazon Web Services
-    #   accounts. For more information, see [Running Automation workflows in
-    #   multiple Amazon Web Services Regions and accounts][1] in the *Amazon
-    #   Web Services Systems Manager User Guide*.
+    #   accounts. For more information, see [Running automations in multiple
+    #   Amazon Web Services Regions and accounts][1] in the *Amazon Web
+    #   Services Systems Manager User Guide*.
     #
     #
     #
@@ -1551,6 +1623,12 @@ module Aws::SSM
     #   The CloudWatch alarm that was invoked by the automation.
     #   @return [Array<Types::AlarmStateInformation>]
     #
+    # @!attribute [rw] target_locations_url
+    #   A publicly accessible URL for a file that contains the
+    #   `TargetLocations` body. Currently, only files in presigned Amazon S3
+    #   buckets are supported
+    #   @return [String]
+    #
     # @!attribute [rw] automation_subtype
     #   The subtype of the Automation operation. Currently, the only
     #   supported value is `ChangeRequest`.
@@ -1612,6 +1690,7 @@ module Aws::SSM
       :automation_type,
       :alarm_configuration,
       :triggered_alarms,
+      :target_locations_url,
       :automation_subtype,
       :scheduled_time,
       :runbooks,
@@ -1636,6 +1715,55 @@ module Aws::SSM
       include Aws::Structure
     end
 
+    # Information about the results of the execution preview.
+    #
+    # @!attribute [rw] step_previews
+    #   Information about the type of impact a runbook step would have on a
+    #   resource.
+    #
+    #   * `Mutating`: The runbook step would make changes to the targets
+    #     through actions that create, modify, or delete resources.
+    #
+    #   * `Non_Mutating`: The runbook step would retrieve data about
+    #     resources but not make changes to them. This category generally
+    #     includes `Describe*`, `List*`, `Get*`, and similar read-only API
+    #     actions.
+    #
+    #   * `Undetermined`: An undetermined step invokes executions performed
+    #     by another orchestration service like Lambda, Step Functions, or
+    #     Amazon Web Services Systems Manager Run Command. An undetermined
+    #     step might also call a third-party API. Systems Manager Automation
+    #     doesn't know the outcome of the orchestration processes or
+    #     third-party API executions, so the results of the steps are
+    #     undetermined.
+    #   @return [Hash<String,Integer>]
+    #
+    # @!attribute [rw] regions
+    #   Information about the Amazon Web Services Regions targeted by the
+    #   execution preview.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] target_previews
+    #   Information that provides a preview of what the impact of running
+    #   the specified Automation runbook would be.
+    #   @return [Array<Types::TargetPreview>]
+    #
+    # @!attribute [rw] total_accounts
+    #   Information about the Amazon Web Services accounts that were
+    #   included in the execution preview.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/AutomationExecutionPreview AWS API Documentation
+    #
+    class AutomationExecutionPreview < Struct.new(
+      :step_previews,
+      :regions,
+      :target_previews,
+      :total_accounts)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The specified step name and execution ID don't exist. Verify the
     # information and try again.
     #
@@ -1668,9 +1796,9 @@ module Aws::SSM
     #   A list of explicitly approved patches for the baseline.
     #
     #   For information about accepted formats for lists of approved patches
-    #   and rejected patches, see [About package name formats for approved
-    #   and rejected patch lists][1] in the *Amazon Web Services Systems
-    #   Manager User Guide*.
+    #   and rejected patches, see [Package name formats for approved and
+    #   rejected patch lists][1] in the *Amazon Web Services Systems Manager
+    #   User Guide*.
     #
     #
     #
@@ -1687,9 +1815,9 @@ module Aws::SSM
     #   A list of explicitly rejected patches for the baseline.
     #
     #   For information about accepted formats for lists of approved patches
-    #   and rejected patches, see [About package name formats for approved
-    #   and rejected patch lists][1] in the *Amazon Web Services Systems
-    #   Manager User Guide*.
+    #   and rejected patches, see [Package name formats for approved and
+    #   rejected patch lists][1] in the *Amazon Web Services Systems Manager
+    #   User Guide*.
     #
     #
     #
@@ -1715,6 +1843,16 @@ module Aws::SSM
     #   to Linux managed nodes only.
     #   @return [Array<Types::PatchSource>]
     #
+    # @!attribute [rw] available_security_updates_compliance_status
+    #   Indicates whether managed nodes for which there are available
+    #   security-related patches that have not been approved by the baseline
+    #   are being defined as `COMPLIANT` or `NON_COMPLIANT`. This option is
+    #   specified when the `CreatePatchBaseline` or `UpdatePatchBaseline`
+    #   commands are run.
+    #
+    #   Applies to Windows Server managed nodes only.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/BaselineOverride AWS API Documentation
     #
     class BaselineOverride < Struct.new(
@@ -1726,7 +1864,8 @@ module Aws::SSM
       :rejected_patches,
       :rejected_patches_action,
       :approved_patches_enable_non_security,
-      :sources)
+      :sources,
+      :available_security_updates_compliance_status)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1975,9 +2114,9 @@ module Aws::SSM
     #
     # @!attribute [rw] service_role
     #   The Identity and Access Management (IAM) service role that Run
-    #   Command, a capability of Amazon Web Services Systems Manager, uses
-    #   to act on your behalf when sending notifications about command
-    #   status changes.
+    #   Command, a tool in Amazon Web Services Systems Manager, uses to act
+    #   on your behalf when sending notifications about command status
+    #   changes.
     #   @return [String]
     #
     # @!attribute [rw] notification_config
@@ -2055,11 +2194,11 @@ module Aws::SSM
     #   The filter value. Valid values for each filter key are as follows:
     #
     #   * **InvokedAfter**: Specify a timestamp to limit your results. For
-    #     example, specify `2021-07-07T00:00:00Z` to see a list of command
+    #     example, specify `2024-07-07T00:00:00Z` to see a list of command
     #     executions occurring July 7, 2021, and later.
     #
     #   * **InvokedBefore**: Specify a timestamp to limit your results. For
-    #     example, specify `2021-07-07T00:00:00Z` to see a list of command
+    #     example, specify `2024-07-07T00:00:00Z` to see a list of command
     #     executions from before July 7, 2021.
     #
     #   * **Status**: Specify a valid command status to see a list of all
@@ -2091,7 +2230,6 @@ module Aws::SSM
     #     * `NoInstancesInTag`
     #
     #     * `LimitExceeded`
-    #
     #     The status values you can specify for `ListCommandInvocations`
     #     are:
     #
@@ -2120,7 +2258,6 @@ module Aws::SSM
     #     * `InvalidPlatform`
     #
     #     * `Terminated`
-    #
     #   * **DocumentName**: Specify name of the Amazon Web Services Systems
     #     Manager document (SSM document) for which you want to see command
     #     execution results. For example, specify `AWS-RunPatchBaseline` to
@@ -2269,9 +2406,9 @@ module Aws::SSM
     #
     # @!attribute [rw] service_role
     #   The Identity and Access Management (IAM) service role that Run
-    #   Command, a capability of Amazon Web Services Systems Manager, uses
-    #   to act on your behalf when sending notifications about command
-    #   status changes on a per managed node basis.
+    #   Command, a tool in Amazon Web Services Systems Manager, uses to act
+    #   on your behalf when sending notifications about command status
+    #   changes on a per managed node basis.
     #   @return [String]
     #
     # @!attribute [rw] notification_config
@@ -2413,12 +2550,11 @@ module Aws::SSM
     #   be stored. This was requested when issuing the command. For example,
     #   in the following response:
     #
-    #   `doc-example-bucket/ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix/i-02573cafcfEXAMPLE/awsrunShellScript`
+    #   `amzn-s3-demo-bucket/my-prefix/i-02573cafcfEXAMPLE/awsrunShellScript`
     #
-    #   `doc-example-bucket` is the name of the S3 bucket;
+    #   `amzn-s3-demo-bucket` is the name of the S3 bucket;
     #
-    #   `ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix` is the name of the S3
-    #   prefix;
+    #   `my-prefix` is the name of the S3 prefix;
     #
     #   `i-02573cafcfEXAMPLE` is the managed node ID;
     #
@@ -2430,12 +2566,11 @@ module Aws::SSM
     #   command executions should be stored. This was requested when issuing
     #   the command. For example, in the following response:
     #
-    #   `doc-example-bucket/ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix/i-02573cafcfEXAMPLE/awsrunShellScript`
+    #   `amzn-s3-demo-bucket/my-prefix/i-02573cafcfEXAMPLE/awsrunShellScript`
     #
-    #   `doc-example-bucket` is the name of the S3 bucket;
+    #   `amzn-s3-demo-bucket` is the name of the S3 bucket;
     #
-    #   `ab19cb99-a030-46dd-9dfc-8eSAMPLEPre-Fix` is the name of the S3
-    #   prefix;
+    #   `my-prefix` is the name of the S3 prefix;
     #
     #   `i-02573cafcfEXAMPLE` is the managed node ID;
     #
@@ -2707,9 +2842,9 @@ module Aws::SSM
     #   want to assign to the managed node. This IAM role must provide
     #   AssumeRole permissions for the Amazon Web Services Systems Manager
     #   service principal `ssm.amazonaws.com`. For more information, see
-    #   [Create an IAM service role for a hybrid and multicloud
-    #   environment][1] in the *Amazon Web Services Systems Manager User
-    #   Guide*.
+    #   [Create the IAM service role required for Systems Manager in a
+    #   hybrid and multicloud environments][1] in the *Amazon Web Services
+    #   Systems Manager User Guide*.
     #
     #   <note markdown="1"> You can't specify an IAM service-linked role for this parameter.
     #   You must create a unique role.
@@ -2718,7 +2853,7 @@ module Aws::SSM
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-service-role.html
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/hybrid-multicloud-service-role.html
     #   @return [String]
     #
     # @!attribute [rw] registration_limit
@@ -2728,7 +2863,7 @@ module Aws::SSM
     #
     # @!attribute [rw] expiration_date
     #   The date by which this activation request should expire, in
-    #   timestamp format, such as "2021-07-07T00:00:00". You can specify a
+    #   timestamp format, such as "2024-07-07T00:00:00". You can specify a
     #   date up to 30 days in advance. If you don't provide an expiration
     #   date, the activation code expires in 24 hours.
     #   @return [Time]
@@ -2859,8 +2994,8 @@ module Aws::SSM
     # @!attribute [rw] automation_target_parameter_name
     #   Specify the target for the association. This target is required for
     #   associations that use an Automation runbook and target resources by
-    #   using rate controls. Automation is a capability of Amazon Web
-    #   Services Systems Manager.
+    #   using rate controls. Automation is a tool in Amazon Web Services
+    #   Systems Manager.
     #   @return [String]
     #
     # @!attribute [rw] document_version
@@ -2929,26 +3064,39 @@ module Aws::SSM
     #
     #   In `MANUAL` mode, you must specify the `AssociationId` as a
     #   parameter for the PutComplianceItems API operation. In this case,
-    #   compliance data isn't managed by State Manager, a capability of
-    #   Amazon Web Services Systems Manager. It is managed by your direct
-    #   call to the PutComplianceItems API operation.
+    #   compliance data isn't managed by State Manager, a tool in Amazon
+    #   Web Services Systems Manager. It is managed by your direct call to
+    #   the PutComplianceItems API operation.
     #
     #   By default, all associations use `AUTO` mode.
     #   @return [String]
     #
     # @!attribute [rw] apply_only_at_cron_interval
-    #   By default, when you create a new associations, the system runs it
+    #   By default, when you create a new association, the system runs it
     #   immediately after it is created and then according to the schedule
-    #   you specified. Specify this option if you don't want an association
-    #   to run immediately after you create it. This parameter isn't
-    #   supported for rate expressions.
+    #   you specified and when target changes are detected. Specify `true`
+    #   for `ApplyOnlyAtCronInterval` if you want the association to run
+    #   only according to the schedule you specified.
+    #
+    #   For more information, see [Understanding when associations are
+    #   applied to resources][1] and [&gt;About target updates with
+    #   Automation runbooks][2] in the *Amazon Web Services Systems Manager
+    #   User Guide*.
+    #
+    #   This parameter isn't supported for rate expressions.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/state-manager-about.html#state-manager-about-scheduling
+    #   [2]: https://docs.aws.amazon.com/systems-manager/latest/userguide/state-manager-about.html#runbook-target-updates
     #   @return [Boolean]
     #
     # @!attribute [rw] calendar_names
     #   The names or Amazon Resource Names (ARNs) of the Change Calendar
     #   type documents your associations are gated under. The associations
     #   only run when that Change Calendar is open. For more information,
-    #   see [Amazon Web Services Systems Manager Change Calendar][1].
+    #   see [Amazon Web Services Systems Manager Change Calendar][1] in the
+    #   *Amazon Web Services Systems Manager User Guide*.
     #
     #
     #
@@ -3099,9 +3247,10 @@ module Aws::SSM
     #   in an Amazon Web Services account, or individual managed node IDs.
     #   You can target all managed nodes in an Amazon Web Services account
     #   by specifying the `InstanceIds` key with a value of `*`. For more
-    #   information about choosing targets for an association, see [About
-    #   targets and rate controls in State Manager associations][1] in the
-    #   *Amazon Web Services Systems Manager User Guide*.
+    #   information about choosing targets for an association, see
+    #   [Understanding targets and rate controls in State Manager
+    #   associations][1] in the *Amazon Web Services Systems Manager User
+    #   Guide*.
     #
     #
     #
@@ -3126,7 +3275,7 @@ module Aws::SSM
     #   Choose the parameter that will define how your automation will
     #   branch out. This target is required for associations that use an
     #   Automation runbook and target resources by using rate controls.
-    #   Automation is a capability of Amazon Web Services Systems Manager.
+    #   Automation is a tool in Amazon Web Services Systems Manager.
     #   @return [String]
     #
     # @!attribute [rw] max_errors
@@ -3183,17 +3332,30 @@ module Aws::SSM
     # @!attribute [rw] apply_only_at_cron_interval
     #   By default, when you create a new association, the system runs it
     #   immediately after it is created and then according to the schedule
-    #   you specified. Specify this option if you don't want an association
-    #   to run immediately after you create it. This parameter isn't
-    #   supported for rate expressions.
+    #   you specified and when target changes are detected. Specify `true`
+    #   for `ApplyOnlyAtCronInterval`if you want the association to run only
+    #   according to the schedule you specified.
+    #
+    #   For more information, see [Understanding when associations are
+    #   applied to resources][1] and [&gt;About target updates with
+    #   Automation runbooks][2] in the *Amazon Web Services Systems Manager
+    #   User Guide*.
+    #
+    #   This parameter isn't supported for rate expressions.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/state-manager-about.html#state-manager-about-scheduling
+    #   [2]: https://docs.aws.amazon.com/systems-manager/latest/userguide/state-manager-about.html#runbook-target-updates
     #   @return [Boolean]
     #
     # @!attribute [rw] calendar_names
-    #   The names or Amazon Resource Names (ARNs) of the Change Calendar
+    #   The names of Amazon Resource Names (ARNs) of the Change Calendar
     #   type documents you want to gate your associations under. The
     #   associations only run when that change calendar is open. For more
     #   information, see [Amazon Web Services Systems Manager Change
-    #   Calendar][1].
+    #   Calendar][1] in the *Amazon Web Services Systems Manager User
+    #   Guide*.
     #
     #
     #
@@ -3836,6 +3998,11 @@ module Aws::SSM
     #
     # @!attribute [rw] global_filters
     #   A set of global filters used to include patches in the baseline.
+    #
+    #   The `GlobalFilters` parameter can be configured only by using the
+    #   CLI or an Amazon Web Services SDK. It can't be configured from the
+    #   Patch Manager console, and its value isn't displayed in the
+    #   console.
     #   @return [Types::PatchFilterGroup]
     #
     # @!attribute [rw] approval_rules
@@ -3846,9 +4013,9 @@ module Aws::SSM
     #   A list of explicitly approved patches for the baseline.
     #
     #   For information about accepted formats for lists of approved patches
-    #   and rejected patches, see [About package name formats for approved
-    #   and rejected patch lists][1] in the *Amazon Web Services Systems
-    #   Manager User Guide*.
+    #   and rejected patches, see [Package name formats for approved and
+    #   rejected patch lists][1] in the *Amazon Web Services Systems Manager
+    #   User Guide*.
     #
     #
     #
@@ -3871,9 +4038,9 @@ module Aws::SSM
     #   A list of explicitly rejected patches for the baseline.
     #
     #   For information about accepted formats for lists of approved patches
-    #   and rejected patches, see [About package name formats for approved
-    #   and rejected patch lists][1] in the *Amazon Web Services Systems
-    #   Manager User Guide*.
+    #   and rejected patches, see [Package name formats for approved and
+    #   rejected patch lists][1] in the *Amazon Web Services Systems Manager
+    #   User Guide*.
     #
     #
     #
@@ -3884,19 +4051,28 @@ module Aws::SSM
     #   The action for Patch Manager to take on patches included in the
     #   `RejectedPackages` list.
     #
-    #   * <b> <code>ALLOW_AS_DEPENDENCY</code> </b>: A package in the
-    #     `Rejected` patches list is installed only if it is a dependency of
-    #     another package. It is considered compliant with the patch
-    #     baseline, and its status is reported as `InstalledOther`. This is
-    #     the default action if no option is specified.
+    #   ALLOW\_AS\_DEPENDENCY
+    #
+    #   : **Linux and macOS**: A package in the rejected patches list is
+    #     installed only if it is a dependency of another package. It is
+    #     considered compliant with the patch baseline, and its status is
+    #     reported as `INSTALLED_OTHER`. This is the default action if no
+    #     option is specified.
+    #
+    #     **Windows Server**: Windows Server doesn't support the concept of
+    #     package dependencies. If a package in the rejected patches list
+    #     and already installed on the node, its status is reported as
+    #     `INSTALLED_OTHER`. Any package not already installed on the node
+    #     is skipped. This is the default action if no option is specified.
     #
-    #   * **BLOCK**: Packages in the **Rejected patches** list, and packages
+    #   BLOCK
+    #
+    #   : **All OSs**: Packages in the rejected patches list, and packages
     #     that include them as dependencies, aren't installed by Patch
     #     Manager under any circumstances. If a package was installed before
-    #     it was added to the **Rejected patches** list, or is installed
-    #     outside of Patch Manager afterward, it's considered noncompliant
-    #     with the patch baseline and its status is reported as
-    #     *InstalledRejected*.
+    #     it was added to the rejected patches list, or is installed outside
+    #     of Patch Manager afterward, it's considered noncompliant with the
+    #     patch baseline and its status is reported as `INSTALLED_REJECTED`.
     #   @return [String]
     #
     # @!attribute [rw] description
@@ -3909,6 +4085,22 @@ module Aws::SSM
     #   to Linux managed nodes only.
     #   @return [Array<Types::PatchSource>]
     #
+    # @!attribute [rw] available_security_updates_compliance_status
+    #   Indicates the status you want to assign to security patches that are
+    #   available but not approved because they don't meet the installation
+    #   criteria specified in the patch baseline.
+    #
+    #   Example scenario: Security patches that you might want installed can
+    #   be skipped if you have specified a long period to wait after a patch
+    #   is released before installation. If an update to the patch is
+    #   released during your specified waiting period, the waiting period
+    #   for installing the patch starts over. If the waiting period is too
+    #   long, multiple versions of the patch could be released but never
+    #   installed.
+    #
+    #   Supported for Windows Server managed nodes only.
+    #   @return [String]
+    #
     # @!attribute [rw] client_token
     #   User-provided idempotency token.
     #
@@ -3948,6 +4140,7 @@ module Aws::SSM
       :rejected_patches_action,
       :description,
       :sources,
+      :available_security_updates_compliance_status,
       :client_token,
       :tags)
       SENSITIVE = []
@@ -4006,6 +4199,38 @@ module Aws::SSM
     #
     class CreateResourceDataSyncResult < Aws::EmptyStructure; end
 
+    # The temporary security credentials, which include an access key ID, a
+    # secret access key, and a security (or session) token.
+    #
+    # @!attribute [rw] access_key_id
+    #   The access key ID that identifies the temporary security
+    #   credentials.
+    #   @return [String]
+    #
+    # @!attribute [rw] secret_access_key
+    #   The secret access key that can be used to sign requests.
+    #   @return [String]
+    #
+    # @!attribute [rw] session_token
+    #   The token that users must pass to the service API to use the
+    #   temporary credentials.
+    #   @return [String]
+    #
+    # @!attribute [rw] expiration_time
+    #   The datetime on which the current credentials expire.
+    #   @return [Time]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/Credentials AWS API Documentation
+    #
+    class Credentials < Struct.new(
+      :access_key_id,
+      :secret_access_key,
+      :session_token,
+      :expiration_time)
+      SENSITIVE = [:secret_access_key, :session_token]
+      include Aws::Structure
+    end
+
     # You have exceeded the limit for custom schemas. Delete one or more
     # custom schemas and try again.
     #
@@ -4169,12 +4394,12 @@ module Aws::SSM
     #
     # @!attribute [rw] deletion_summary
     #   A summary of the delete operation. For more information about this
-    #   summary, see [Understanding the delete inventory summary][1] in the
-    #   *Amazon Web Services Systems Manager User Guide*.
+    #   summary, see [Deleting custom inventory][1] in the *Amazon Web
+    #   Services Systems Manager User Guide*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-custom.html#sysman-inventory-delete-summary
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/inventory-custom.html#delete-custom-inventory-summary
     #   @return [Types::InventoryDeletionSummary]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/DeleteInventoryResult AWS API Documentation
@@ -5363,9 +5588,9 @@ module Aws::SSM
     #     Sample values: `Installed` \| `InstalledOther` \|
     #     `InstalledPendingReboot`
     #
-    #     For lists of all `State` values, see [Understanding patch
-    #     compliance state values][1] in the *Amazon Web Services Systems
-    #     Manager User Guide*.
+    #     For lists of all `State` values, see [Patch compliance state
+    #     values][1] in the *Amazon Web Services Systems Manager User
+    #     Guide*.
     #
     #
     #
@@ -5638,7 +5863,7 @@ module Aws::SSM
     #
     #   * Values. An array of strings, each between 1 and 256 characters.
     #     Supported values are date/time strings in a valid ISO 8601
-    #     date/time format, such as `2021-11-04T05:00:00Z`.
+    #     date/time format, such as `2024-11-04T05:00:00Z`.
     #   @return [Array<Types::MaintenanceWindowFilter>]
     #
     # @!attribute [rw] max_results
@@ -6003,7 +6228,7 @@ module Aws::SSM
     #
     #   **If you filter the response by using the OperationalData
     #   operator, specify a key-value pair by using the following JSON
-    #   format: \\\{"key":"key\_name","value":"a\_value"\\}
+    #   format: \{"key":"key\_name","value":"a\_value"}
     #   @return [Array<Types::OpsItemFilter>]
     #
     # @!attribute [rw] max_results
@@ -6234,7 +6459,7 @@ module Aws::SSM
     # @!attribute [rw] instances_with_unreported_not_applicable_patches
     #   The number of managed nodes with `NotApplicable` patches beyond the
     #   supported limit, which aren't reported by name to Inventory.
-    #   Inventory is a capability of Amazon Web Services Systems Manager.
+    #   Inventory is a tool in Amazon Web Services Systems Manager.
     #   @return [Integer]
     #
     # @!attribute [rw] instances_with_critical_non_compliant_patches
@@ -6260,6 +6485,16 @@ module Aws::SSM
     #   is `NON_COMPLIANT`.
     #   @return [Integer]
     #
+    # @!attribute [rw] instances_with_available_security_updates
+    #   The number of managed nodes for which security-related patches are
+    #   available but not approved because because they didn't meet the
+    #   patch baseline requirements. For example, an updated version of a
+    #   patch might have been released before the specified auto-approval
+    #   period was over.
+    #
+    #   Applies to Windows Server managed nodes only.
+    #   @return [Integer]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/DescribePatchGroupStateResult AWS API Documentation
     #
     class DescribePatchGroupStateResult < Struct.new(
@@ -6274,7 +6509,8 @@ module Aws::SSM
       :instances_with_unreported_not_applicable_patches,
       :instances_with_critical_non_compliant_patches,
       :instances_with_security_non_compliant_patches,
-      :instances_with_other_non_compliant_patches)
+      :instances_with_other_non_compliant_patches,
+      :instances_with_available_security_updates)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -6317,7 +6553,7 @@ module Aws::SSM
     #   Each entry in the array contains:
     #
     #   * `PatchGroup`: string (between 1 and 256 characters. Regex:
-    #     `^([\p\{L\}\p\{Z\}\p\{N\}_.:/=+\-@]*)$)`
+    #     `^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$)`
     #
     #   * `PatchBaselineIdentity`: A `PatchBaselineIdentity` element.
     #   @return [Array<Types::PatchGroupPatchBaselineMapping>]
@@ -7268,6 +7504,51 @@ module Aws::SSM
       include Aws::Structure
     end
 
+    # Information about the inputs for an execution preview.
+    #
+    # @note ExecutionInputs is a union - when making an API calls you must set exactly one of the members.
+    #
+    # @!attribute [rw] automation
+    #   Information about the optional inputs that can be specified for an
+    #   automation execution preview.
+    #   @return [Types::AutomationExecutionInputs]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/ExecutionInputs AWS API Documentation
+    #
+    class ExecutionInputs < Struct.new(
+      :automation,
+      :unknown)
+      SENSITIVE = []
+      include Aws::Structure
+      include Aws::Structure::Union
+
+      class Automation < ExecutionInputs; end
+      class Unknown < ExecutionInputs; end
+    end
+
+    # Information about the changes that would be made if an execution were
+    # run.
+    #
+    # @note ExecutionPreview is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of ExecutionPreview corresponding to the set member.
+    #
+    # @!attribute [rw] automation
+    #   Information about the changes that would be made if an Automation
+    #   workflow were run.
+    #   @return [Types::AutomationExecutionPreview]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/ExecutionPreview AWS API Documentation
+    #
+    class ExecutionPreview < Struct.new(
+      :automation,
+      :unknown)
+      SENSITIVE = []
+      include Aws::Structure
+      include Aws::Structure::Union
+
+      class Automation < ExecutionPreview; end
+      class Unknown < ExecutionPreview; end
+    end
+
     # Describes a failed association.
     #
     # @!attribute [rw] entry
@@ -7333,6 +7614,36 @@ module Aws::SSM
       include Aws::Structure
     end
 
+    # @!attribute [rw] access_request_id
+    #   The ID of a just-in-time node access request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/GetAccessTokenRequest AWS API Documentation
+    #
+    class GetAccessTokenRequest < Struct.new(
+      :access_request_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] credentials
+    #   The temporary security credentials which can be used to start
+    #   just-in-time node access sessions.
+    #   @return [Types::Credentials]
+    #
+    # @!attribute [rw] access_request_status
+    #   The status of the access request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/GetAccessTokenResponse AWS API Documentation
+    #
+    class GetAccessTokenResponse < Struct.new(
+      :credentials,
+      :access_request_status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] automation_execution_id
     #   The unique identifier for an existing automation execution to
     #   examine. The execution ID is returned by StartAutomationExecution
@@ -7361,7 +7672,7 @@ module Aws::SSM
     end
 
     # @!attribute [rw] calendar_names
-    #   The names or Amazon Resource Names (ARNs) of the Systems Manager
+    #   The names of Amazon Resource Names (ARNs) of the Systems Manager
     #   documents (SSM documents) that represent the calendar entries for
     #   which you want to get the state.
     #   @return [Array<String>]
@@ -7876,6 +8187,53 @@ module Aws::SSM
       include Aws::Structure
     end
 
+    # @!attribute [rw] execution_preview_id
+    #   The ID of the existing execution preview.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/GetExecutionPreviewRequest AWS API Documentation
+    #
+    class GetExecutionPreviewRequest < Struct.new(
+      :execution_preview_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] execution_preview_id
+    #   The generated ID for the existing execution preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] ended_at
+    #   A UTC timestamp indicating when the execution preview operation
+    #   ended.
+    #   @return [Time]
+    #
+    # @!attribute [rw] status
+    #   The current status of the execution preview operation.
+    #   @return [String]
+    #
+    # @!attribute [rw] status_message
+    #   Supplemental information about the current status of the execution
+    #   preview.
+    #   @return [String]
+    #
+    # @!attribute [rw] execution_preview
+    #   Information about the changes that would be made if an execution
+    #   were run.
+    #   @return [Types::ExecutionPreview]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/GetExecutionPreviewResponse AWS API Documentation
+    #
+    class GetExecutionPreviewResponse < Struct.new(
+      :execution_preview_id,
+      :ended_at,
+      :status,
+      :status_message,
+      :execution_preview)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] filters
     #   One or more filters. Use a filter to return a more specific list of
     #   results.
@@ -8407,10 +8765,24 @@ module Aws::SSM
     #   @return [String]
     #
     # @!attribute [rw] service_role_arn
-    #   The Amazon Resource Name (ARN) of the Identity and Access Management
-    #   (IAM) service role to use to publish Amazon Simple Notification
-    #   Service (Amazon SNS) notifications for maintenance window Run
-    #   Command tasks.
+    #   The Amazon Resource Name (ARN) of the IAM service role for Amazon
+    #   Web Services Systems Manager to assume when running a maintenance
+    #   window task. If you do not specify a service role ARN, Systems
+    #   Manager uses a service-linked role in your account. If no
+    #   appropriate service-linked role for Systems Manager exists in your
+    #   account, it is created when you run
+    #   `RegisterTaskWithMaintenanceWindow`.
+    #
+    #   However, for an improved security posture, we strongly recommend
+    #   creating a custom policy and custom service role for running your
+    #   maintenance window tasks. The policy can be crafted to provide only
+    #   the permissions needed for your particular maintenance window tasks.
+    #   For more information, see [Setting up Maintenance Windows][1] in the
+    #   in the *Amazon Web Services Systems Manager User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-maintenance-permissions.html
     #   @return [String]
     #
     # @!attribute [rw] task_type
@@ -8726,7 +9098,7 @@ module Aws::SSM
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/sharing.html
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-shared-parameters.html
     #   @return [String]
     #
     # @!attribute [rw] with_decryption
@@ -9021,6 +9393,15 @@ module Aws::SSM
     #   to Linux managed nodes only.
     #   @return [Array<Types::PatchSource>]
     #
+    # @!attribute [rw] available_security_updates_compliance_status
+    #   Indicates the compliance status of managed nodes for which
+    #   security-related patches are available but were not approved. This
+    #   preference is specified when the `CreatePatchBaseline` or
+    #   `UpdatePatchBaseline` commands are run.
+    #
+    #   Applies to Windows Server managed nodes only.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/GetPatchBaselineResult AWS API Documentation
     #
     class GetPatchBaselineResult < Struct.new(
@@ -9038,7 +9419,8 @@ module Aws::SSM
       :created_date,
       :modified_date,
       :description,
-      :sources)
+      :sources,
+      :available_security_updates_compliance_status)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -9129,16 +9511,20 @@ module Aws::SSM
     #   The ID of the service setting to get. The setting ID can be one of
     #   the following.
     #
-    #   * `/ssm/managed-instance/default-ec2-instance-management-role`
+    #   * `/ssm/appmanager/appmanager-enabled`
     #
     #   * `/ssm/automation/customer-script-log-destination`
     #
     #   * `/ssm/automation/customer-script-log-group-name`
     #
+    #   * /ssm/automation/enable-adaptive-concurrency
+    #
     #   * `/ssm/documents/console/public-sharing-permission`
     #
     #   * `/ssm/managed-instance/activation-tier`
     #
+    #   * `/ssm/managed-instance/default-ec2-instance-management-role`
+    #
     #   * `/ssm/opsinsights/opscenter`
     #
     #   * `/ssm/parameter-store/default-parameter-tier`
@@ -9400,35 +9786,96 @@ module Aws::SSM
       include Aws::Structure
     end
 
-    # Describes a filter for a specific list of managed nodes.
+    # Details about a specific managed node.
     #
-    # @!attribute [rw] instance_id
-    #   The managed node ID.
+    # @!attribute [rw] agent_type
+    #   The type of agent installed on the node.
     #   @return [String]
     #
-    # @!attribute [rw] ping_status
-    #   Connection status of SSM Agent.
+    # @!attribute [rw] agent_version
+    #   The version number of the agent installed on the node.
+    #   @return [String]
     #
-    #   <note markdown="1"> The status `Inactive` has been deprecated and is no longer in use.
+    # @!attribute [rw] computer_name
+    #   The fully qualified host name of the managed node.
+    #   @return [String]
     #
-    #    </note>
+    # @!attribute [rw] instance_status
+    #   The current status of the managed node.
     #   @return [String]
     #
-    # @!attribute [rw] last_ping_date_time
-    #   The date and time when the agent last pinged the Systems Manager
-    #   service.
-    #   @return [Time]
+    # @!attribute [rw] ip_address
+    #   The IP address of the managed node.
+    #   @return [String]
     #
-    # @!attribute [rw] agent_version
-    #   The version of SSM Agent running on your Linux managed node.
+    # @!attribute [rw] managed_status
+    #   Indicates whether the node is managed by Systems Manager.
     #   @return [String]
     #
-    # @!attribute [rw] is_latest_version
-    #   Indicates whether the latest version of SSM Agent is running on your
-    #   Linux managed node. This field doesn't indicate whether or not the
-    #   latest version is installed on Windows managed nodes, because some
-    #   older versions of Windows Server use the EC2Config service to
-    #   process Systems Manager requests.
+    # @!attribute [rw] platform_type
+    #   The operating system platform type of the managed node.
+    #   @return [String]
+    #
+    # @!attribute [rw] platform_name
+    #   The name of the operating system platform running on your managed
+    #   node.
+    #   @return [String]
+    #
+    # @!attribute [rw] platform_version
+    #   The version of the OS platform running on your managed node.
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_type
+    #   The type of instance, either an EC2 instance or another supported
+    #   machine type in a hybrid fleet.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/InstanceInfo AWS API Documentation
+    #
+    class InstanceInfo < Struct.new(
+      :agent_type,
+      :agent_version,
+      :computer_name,
+      :instance_status,
+      :ip_address,
+      :managed_status,
+      :platform_type,
+      :platform_name,
+      :platform_version,
+      :resource_type)
+      SENSITIVE = [:ip_address]
+      include Aws::Structure
+    end
+
+    # Describes a filter for a specific list of managed nodes.
+    #
+    # @!attribute [rw] instance_id
+    #   The managed node ID.
+    #   @return [String]
+    #
+    # @!attribute [rw] ping_status
+    #   Connection status of SSM Agent.
+    #
+    #   <note markdown="1"> The status `Inactive` has been deprecated and is no longer in use.
+    #
+    #    </note>
+    #   @return [String]
+    #
+    # @!attribute [rw] last_ping_date_time
+    #   The date and time when the agent last pinged the Systems Manager
+    #   service.
+    #   @return [Time]
+    #
+    # @!attribute [rw] agent_version
+    #   The version of SSM Agent running on your Linux managed node.
+    #   @return [String]
+    #
+    # @!attribute [rw] is_latest_version
+    #   Indicates whether the latest version of SSM Agent is running on your
+    #   Linux managed node. This field doesn't indicate whether or not the
+    #   latest version is installed on Windows managed nodes, because some
+    #   older versions of Windows Server use the EC2Config service to
+    #   process Systems Manager requests.
     #   @return [Boolean]
     #
     # @!attribute [rw] platform_type
@@ -9450,11 +9897,14 @@ module Aws::SSM
     #   @return [String]
     #
     # @!attribute [rw] iam_role
-    #   The Identity and Access Management (IAM) role assigned to the
-    #   on-premises Systems Manager managed node. This call doesn't return
-    #   the IAM role for Amazon Elastic Compute Cloud (Amazon EC2)
-    #   instances. To retrieve the IAM role for an EC2 instance, use the
-    #   Amazon EC2 `DescribeInstances` operation. For information, see
+    #   The role assigned to an Amazon EC2 instance configured with a
+    #   Systems Manager Quick Setup host management configuration or the
+    #   role assigned to an on-premises managed node.
+    #
+    #   This call doesn't return the IAM role for *unmanaged* Amazon EC2
+    #   instances (instances not configured for Systems Manager). To
+    #   retrieve the role for an unmanaged instance, use the Amazon EC2
+    #   `DescribeInstances` operation. For information, see
     #   [DescribeInstances][1] in the *Amazon EC2 API Reference* or
     #   [describe-instances][2] in the *Amazon Web Services CLI Command
     #   Reference*.
@@ -9481,19 +9931,18 @@ module Aws::SSM
     #   The name is specified as the `DefaultInstanceName` property using
     #   the CreateActivation command. It is applied to the managed node by
     #   specifying the Activation Code and Activation ID when you install
-    #   SSM Agent on the node, as explained in [Install SSM Agent for a
-    #   hybrid and multicloud environment (Linux)][1] and [Install SSM Agent
-    #   for a hybrid and multicloud environment (Windows)][2]. To retrieve
-    #   the `Name` tag of an EC2 instance, use the Amazon EC2
-    #   `DescribeInstances` operation. For information, see
-    #   [DescribeInstances][3] in the *Amazon EC2 API Reference* or
-    #   [describe-instances][4] in the *Amazon Web Services CLI Command
-    #   Reference*.
+    #   SSM Agent on the node, as explained in [How to install SSM Agent on
+    #   hybrid Linux nodes][1] and [How to install SSM Agent on hybrid
+    #   Windows Server nodes][2]. To retrieve the `Name` tag of an EC2
+    #   instance, use the Amazon EC2 `DescribeInstances` operation. For
+    #   information, see [DescribeInstances][3] in the *Amazon EC2 API
+    #   Reference* or [describe-instances][4] in the *Amazon Web Services
+    #   CLI Command Reference*.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-managed-linux.html
-    #   [2]: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-managed-win.html
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/hybrid-multicloud-ssm-agent-install-linux.html
+    #   [2]: https://docs.aws.amazon.com/systems-manager/latest/userguide/hybrid-multicloud-ssm-agent-install-windows.html
     #   [3]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
     #   [4]: https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html
     #   @return [String]
@@ -9594,7 +10043,7 @@ module Aws::SSM
     #   Valid filter key values: ActivationIds \| AgentVersion \|
     #   AssociationStatus \| IamRole \| InstanceIds \| PingStatus \|
     #   PlatformTypes \| ResourceType \| SourceIds \| SourceTypes \|
-    #   "tag-key" \| "tag:`\{keyname\}`
+    #   "tag-key" \| "tag:`{keyname}`
     #
     #   * Valid values for the `AssociationStatus` filter key: Success \|
     #     Pending \| Failed
@@ -9659,8 +10108,8 @@ module Aws::SSM
     #   the patches specified by the default patch baseline.
     #
     #   For more information about the `InstallOverrideList` parameter, see
-    #   [About the `AWS-RunPatchBaseline SSM document` ][1] in the *Amazon
-    #   Web Services Systems Manager User Guide*.
+    #   [SSM Command document for patching: `AWS-RunPatchBaseline` ][1] in
+    #   the *Amazon Web Services Systems Manager User Guide*.
     #
     #
     #
@@ -9714,7 +10163,7 @@ module Aws::SSM
     # @!attribute [rw] unreported_not_applicable_count
     #   The number of patches beyond the supported limit of
     #   `NotApplicableCount` that aren't reported by name to Inventory.
-    #   Inventory is a capability of Amazon Web Services Systems Manager.
+    #   Inventory is a tool in Amazon Web Services Systems Manager.
     #   @return [Integer]
     #
     # @!attribute [rw] not_applicable_count
@@ -9725,6 +10174,15 @@ module Aws::SSM
     #   `UnreportedNotApplicableCount`.
     #   @return [Integer]
     #
+    # @!attribute [rw] available_security_update_count
+    #   The number of security-related patches that are available but not
+    #   approved because they didn't meet the patch baseline requirements.
+    #   For example, an updated version of a patch might have been released
+    #   before the specified auto-approval period was over.
+    #
+    #   Applies to Windows Server managed nodes only.
+    #   @return [Integer]
+    #
     # @!attribute [rw] operation_start_time
     #   The time the most recent patching operation was started on the
     #   managed node.
@@ -9805,6 +10263,7 @@ module Aws::SSM
       :failed_count,
       :unreported_not_applicable_count,
       :not_applicable_count,
+      :available_security_update_count,
       :operation_start_time,
       :operation_end_time,
       :operation,
@@ -9899,7 +10358,7 @@ module Aws::SSM
     #   @return [String]
     #
     # @!attribute [rw] architecture
-    #   The CPU architecture of the node. For example, x86\_64.
+    #   The CPU architecture of the node. For example, `x86_64`.
     #   @return [String]
     #
     # @!attribute [rw] ip_address
@@ -9926,7 +10385,7 @@ module Aws::SSM
     #
     # @!attribute [rw] platform_type
     #   The operating system platform type of the managed node. For example,
-    #   Windows.
+    #   Windows Server or Amazon Linux 2.
     #   @return [String]
     #
     # @!attribute [rw] platform_name
@@ -10090,7 +10549,7 @@ module Aws::SSM
       include Aws::Structure
     end
 
-    # The activation ID isn't valid. Verify the you entered the correct
+    # The activation ID isn't valid. Verify that you entered the correct
     # ActivationId or ActivationCode and try again.
     #
     # @!attribute [rw] message
@@ -10104,9 +10563,8 @@ module Aws::SSM
       include Aws::Structure
     end
 
-    # The specified aggregator isn't valid for inventory groups. Verify
-    # that the aggregator uses a valid inventory type such as
-    # `AWS:Application` or `AWS:InstanceInformation`.
+    # The specified aggregator isn't valid for the group type. Verify that
+    # the aggregator you provided is supported.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -10320,7 +10778,7 @@ module Aws::SSM
       include Aws::Structure
     end
 
-    # The filter name isn't valid. Verify the you entered the correct name
+    # The filter name isn't valid. Verify that you entered the correct name
     # and try again.
     #
     # @!attribute [rw] message
@@ -10796,7 +11254,7 @@ module Aws::SSM
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-custom.html#sysman-inventory-delete
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/inventory-custom.html#delete-custom-inventory
     #   @return [Types::InventoryDeletionSummary]
     #
     # @!attribute [rw] last_status_update_time
@@ -10892,7 +11350,7 @@ module Aws::SSM
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-aggregate.html
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/inventory-aggregate.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/InventoryFilter AWS API Documentation
@@ -11759,6 +12217,129 @@ module Aws::SSM
       include Aws::Structure
     end
 
+    # @!attribute [rw] sync_name
+    #   The name of the Amazon Web Services managed resource data sync to
+    #   retrieve information about.
+    #
+    #   For cross-account/cross-Region configurations, this parameter is
+    #   required, and the name of the supported resource data sync is
+    #   `AWS-QuickSetup-ManagedNode`.
+    #
+    #   For single account/single-Region configurations, the parameter is
+    #   not required.
+    #   @return [String]
+    #
+    # @!attribute [rw] filters
+    #   One or more filters. Use a filter to return a more specific list of
+    #   managed nodes.
+    #   @return [Array<Types::NodeFilter>]
+    #
+    # @!attribute [rw] next_token
+    #   The token for the next set of items to return. (You received this
+    #   token from a previous call.)
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of items to return for this call. The call also
+    #   returns a token that you can specify in a subsequent call to get the
+    #   next set of results.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/ListNodesRequest AWS API Documentation
+    #
+    class ListNodesRequest < Struct.new(
+      :sync_name,
+      :filters,
+      :next_token,
+      :max_results)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] nodes
+    #   A list of managed nodes that match the specified filter criteria.
+    #   @return [Array<Types::Node>]
+    #
+    # @!attribute [rw] next_token
+    #   The token to use when requesting the next set of items. If there are
+    #   no additional items to return, the string is empty.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/ListNodesResult AWS API Documentation
+    #
+    class ListNodesResult < Struct.new(
+      :nodes,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] sync_name
+    #   The name of the Amazon Web Services managed resource data sync to
+    #   retrieve information about.
+    #
+    #   For cross-account/cross-Region configurations, this parameter is
+    #   required, and the name of the supported resource data sync is
+    #   `AWS-QuickSetup-ManagedNode`.
+    #
+    #   For single account/single-Region configurations, the parameter is
+    #   not required.
+    #   @return [String]
+    #
+    # @!attribute [rw] filters
+    #   One or more filters. Use a filter to generate a summary that matches
+    #   your specified filter criteria.
+    #   @return [Array<Types::NodeFilter>]
+    #
+    # @!attribute [rw] aggregators
+    #   Specify one or more aggregators to return a count of managed nodes
+    #   that match that expression. For example, a count of managed nodes by
+    #   operating system.
+    #   @return [Array<Types::NodeAggregator>]
+    #
+    # @!attribute [rw] next_token
+    #   The token for the next set of items to return. (You received this
+    #   token from a previous call.) The call also returns a token that you
+    #   can specify in a subsequent call to get the next set of results.
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of items to return for this call. The call also
+    #   returns a token that you can specify in a subsequent call to get the
+    #   next set of results.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/ListNodesSummaryRequest AWS API Documentation
+    #
+    class ListNodesSummaryRequest < Struct.new(
+      :sync_name,
+      :filters,
+      :aggregators,
+      :next_token,
+      :max_results)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] summary
+    #   A collection of objects reporting information about your managed
+    #   nodes, such as the count of nodes by operating system.
+    #   @return [Array<Hash<String,String>>]
+    #
+    # @!attribute [rw] next_token
+    #   The token to use when requesting the next set of items. If there are
+    #   no additional items to return, the string is empty.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/ListNodesSummaryResult AWS API Documentation
+    #
+    class ListNodesSummaryResult < Struct.new(
+      :summary,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] filters
     #   One or more OpsItem filters. Use a filter to return a more specific
     #   list of results.
@@ -12539,10 +13120,24 @@ module Aws::SSM
     #   @return [Hash<String,Array<String>>]
     #
     # @!attribute [rw] service_role_arn
-    #   The Amazon Resource Name (ARN) of the Identity and Access Management
-    #   (IAM) service role to use to publish Amazon Simple Notification
-    #   Service (Amazon SNS) notifications for maintenance window Run
-    #   Command tasks.
+    #   The Amazon Resource Name (ARN) of the IAM service role for Amazon
+    #   Web Services Systems Manager to assume when running a maintenance
+    #   window task. If you do not specify a service role ARN, Systems
+    #   Manager uses a service-linked role in your account. If no
+    #   appropriate service-linked role for Systems Manager exists in your
+    #   account, it is created when you run
+    #   `RegisterTaskWithMaintenanceWindow`.
+    #
+    #   However, for an improved security posture, we strongly recommend
+    #   creating a custom policy and custom service role for running your
+    #   maintenance window tasks. The policy can be crafted to provide only
+    #   the permissions needed for your particular maintenance window tasks.
+    #   For more information, see [Setting up Maintenance Windows][1] in the
+    #   in the *Amazon Web Services Systems Manager User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-maintenance-permissions.html
     #   @return [String]
     #
     # @!attribute [rw] timeout_seconds
@@ -12726,10 +13321,24 @@ module Aws::SSM
     #   @return [Types::LoggingInfo]
     #
     # @!attribute [rw] service_role_arn
-    #   The Amazon Resource Name (ARN) of the Identity and Access Management
-    #   (IAM) service role to use to publish Amazon Simple Notification
-    #   Service (Amazon SNS) notifications for maintenance window Run
-    #   Command tasks.
+    #   The Amazon Resource Name (ARN) of the IAM service role for Amazon
+    #   Web Services Systems Manager to assume when running a maintenance
+    #   window task. If you do not specify a service role ARN, Systems
+    #   Manager uses a service-linked role in your account. If no
+    #   appropriate service-linked role for Systems Manager exists in your
+    #   account, it is created when you run
+    #   `RegisterTaskWithMaintenanceWindow`.
+    #
+    #   However, for an improved security posture, we strongly recommend
+    #   creating a custom policy and custom service role for running your
+    #   maintenance window tasks. The policy can be crafted to provide only
+    #   the permissions needed for your particular maintenance window tasks.
+    #   For more information, see [Setting up Maintenance Windows][1] in the
+    #   in the *Amazon Web Services Systems Manager User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-maintenance-permissions.html
     #   @return [String]
     #
     # @!attribute [rw] max_concurrency
@@ -12908,7 +13517,8 @@ module Aws::SSM
     # @!attribute [rw] account_ids_to_add
     #   The Amazon Web Services users that should have access to the
     #   document. The account IDs can either be a group of account IDs or
-    #   *All*.
+    #   *All*. You must specify a value for this parameter or the
+    #   `AccountIdsToRemove` parameter.
     #   @return [Array<String>]
     #
     # @!attribute [rw] account_ids_to_remove
@@ -12916,7 +13526,8 @@ module Aws::SSM
     #   the document. The Amazon Web Services user can either be a group of
     #   account IDs or *All*. This action has a higher priority than
     #   `AccountIdsToAdd`. If you specify an ID to add and the same ID to
-    #   remove, the system removes access to the document.
+    #   remove, the system removes access to the document. You must specify
+    #   a value for this parameter or the `AccountIdsToAdd` parameter.
     #   @return [Array<String>]
     #
     # @!attribute [rw] shared_document_version
@@ -12940,6 +13551,149 @@ module Aws::SSM
     #
     class ModifyDocumentPermissionResponse < Aws::EmptyStructure; end
 
+    # Details about an individual managed node.
+    #
+    # @!attribute [rw] capture_time
+    #   The UTC timestamp for when the managed node data was last captured.
+    #   @return [Time]
+    #
+    # @!attribute [rw] id
+    #   The ID of the managed node.
+    #   @return [String]
+    #
+    # @!attribute [rw] owner
+    #   Information about the ownership of the managed node.
+    #   @return [Types::NodeOwnerInfo]
+    #
+    # @!attribute [rw] region
+    #   The Amazon Web Services Region that a managed node was created in or
+    #   assigned to.
+    #   @return [String]
+    #
+    # @!attribute [rw] node_type
+    #   Information about the type of node.
+    #   @return [Types::NodeType]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/Node AWS API Documentation
+    #
+    class Node < Struct.new(
+      :capture_time,
+      :id,
+      :owner,
+      :region,
+      :node_type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # One or more aggregators for viewing counts of nodes using different
+    # dimensions.
+    #
+    # @!attribute [rw] aggregator_type
+    #   The aggregator type for limiting a node summary. Currently, only
+    #   `Count` is supported.
+    #   @return [String]
+    #
+    # @!attribute [rw] type_name
+    #   The data type name to use for viewing counts of nodes. Currently,
+    #   only `Instance` is supported.
+    #   @return [String]
+    #
+    # @!attribute [rw] attribute_name
+    #   The name of a node attribute on which to limit the count of nodes.
+    #   @return [String]
+    #
+    # @!attribute [rw] aggregators
+    #   Information about aggregators used to refine a node summary.
+    #   @return [Array<Types::NodeAggregator>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/NodeAggregator AWS API Documentation
+    #
+    class NodeAggregator < Struct.new(
+      :aggregator_type,
+      :type_name,
+      :attribute_name,
+      :aggregators)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The filters for the operation.
+    #
+    # @!attribute [rw] key
+    #   The name of the filter.
+    #   @return [String]
+    #
+    # @!attribute [rw] values
+    #   A filter value supported by the specified key. For example, for the
+    #   key `PlatformType`, supported values include `Linux` and `Windows`.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] type
+    #   The type of filter operator.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/NodeFilter AWS API Documentation
+    #
+    class NodeFilter < Struct.new(
+      :key,
+      :values,
+      :type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Information about ownership of a managed node.
+    #
+    # @!attribute [rw] account_id
+    #   The ID of the Amazon Web Services account that owns the managed
+    #   node.
+    #   @return [String]
+    #
+    # @!attribute [rw] organizational_unit_id
+    #   The ID of the organization unit (OU) that the account is part of.
+    #   @return [String]
+    #
+    # @!attribute [rw] organizational_unit_path
+    #   The path for the organizational unit (OU) that owns the managed
+    #   node. The path for the OU is built using the IDs of the
+    #   organization, root, and all OUs in the path down to and including
+    #   the OU. For example:
+    #
+    #   `o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-ghi0-awsccccc/ou-jkl0-awsddddd/`
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/NodeOwnerInfo AWS API Documentation
+    #
+    class NodeOwnerInfo < Struct.new(
+      :account_id,
+      :organizational_unit_id,
+      :organizational_unit_path)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Information about a managed node's type.
+    #
+    # @note NodeType is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of NodeType corresponding to the set member.
+    #
+    # @!attribute [rw] instance
+    #   Information about a specific managed node.
+    #   @return [Types::InstanceInfo]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/NodeType AWS API Documentation
+    #
+    class NodeType < Struct.new(
+      :instance,
+      :unknown)
+      SENSITIVE = []
+      include Aws::Structure
+      include Aws::Structure::Union
+
+      class Instance < NodeType; end
+      class Unknown < NodeType; end
+    end
+
     # A summary of resources that aren't compliant. The summary is
     # organized according to resource type.
     #
@@ -13192,9 +13946,8 @@ module Aws::SSM
     #   @return [Array<Types::RelatedOpsItem>]
     #
     # @!attribute [rw] status
-    #   The OpsItem status. Status can be `Open`, `In Progress`, or
-    #   `Resolved`. For more information, see [Editing OpsItem details][1]
-    #   in the *Amazon Web Services Systems Manager User Guide*.
+    #   The OpsItem status. For more information, see [Editing OpsItem
+    #   details][1] in the *Amazon Web Services Systems Manager User Guide*.
     #
     #
     #
@@ -13714,8 +14467,7 @@ module Aws::SSM
     #   @return [String]
     #
     # @!attribute [rw] status
-    #   The OpsItem status. Status can be `Open`, `In Progress`, or
-    #   `Resolved`.
+    #   The OpsItem status.
     #   @return [String]
     #
     # @!attribute [rw] ops_item_id
@@ -14159,9 +14911,9 @@ module Aws::SSM
     #   @return [String]
     #
     # @!attribute [rw] policy_type
-    #   The type of policy. Parameter Store, a capability of Amazon Web
-    #   Services Systems Manager, supports the following policy types:
-    #   Expiration, ExpirationNotification, and NoChangeNotification.
+    #   The type of policy. Parameter Store, a tool in Amazon Web Services
+    #   Systems Manager, supports the following policy types: Expiration,
+    #   ExpirationNotification, and NoChangeNotification.
     #   @return [String]
     #
     # @!attribute [rw] policy_status
@@ -14241,7 +14993,7 @@ module Aws::SSM
     #   @return [String]
     #
     # @!attribute [rw] arn
-    #   The (ARN) of the last user to update the parameter.
+    #   The Amazon Resource Name (ARN) of the parameter.
     #   @return [String]
     #
     # @!attribute [rw] type
@@ -14311,6 +15063,12 @@ module Aws::SSM
 
     # The parameter couldn't be found. Verify the name and try again.
     #
+    # <note markdown="1"> For the `DeleteParameter` and `GetParameter` actions, if the specified
+    # parameter doesn't exist, the `ParameterNotFound` exception is *not*
+    # recorded in CloudTrail event logs.
+    #
+    #  </note>
+    #
     # @!attribute [rw] message
     #   @return [String]
     #
@@ -14637,10 +15395,10 @@ module Aws::SSM
     #   @return [String]
     #
     # @!attribute [rw] default_baseline
-    #   Whether this is the default baseline. Amazon Web Services Systems
-    #   Manager supports creating multiple default patch baselines. For
-    #   example, you can create a default patch baseline for each operating
-    #   system.
+    #   Indicates whether this is the default baseline. Amazon Web Services
+    #   Systems Manager supports creating multiple default patch baselines.
+    #   For example, you can create a default patch baseline for each
+    #   operating system.
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/PatchBaselineIdentity AWS API Documentation
@@ -14686,7 +15444,7 @@ module Aws::SSM
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-compliance-about.html#sysman-compliance-monitor-patch
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/compliance-about.html#compliance-monitor-patch
     #   @return [String]
     #
     # @!attribute [rw] installed_time
@@ -14840,16 +15598,48 @@ module Aws::SSM
     #   The number of days after the release date of each patch matched by
     #   the rule that the patch is marked as approved in the patch baseline.
     #   For example, a value of `7` means that patches are approved seven
-    #   days after they are released. Not supported on Debian Server or
-    #   Ubuntu Server.
+    #   days after they are released.
+    #
+    #   This parameter is marked as `Required: No`, but your request must
+    #   include a value for either `ApproveAfterDays` or `ApproveUntilDate`.
+    #
+    #   Not supported for Debian Server or Ubuntu Server.
+    #
+    #   Use caution when setting this value for Windows Server patch
+    #   baselines. Because patch updates that are replaced by later updates
+    #   are removed, setting too broad a value for this parameter can result
+    #   in crucial patches not being installed. For more information, see
+    #   the **Windows Server** tab in the topic [How security patches are
+    #   selected][1] in the *Amazon Web Services Systems Manager User
+    #   Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-selecting-patches.html
     #   @return [Integer]
     #
     # @!attribute [rw] approve_until_date
     #   The cutoff date for auto approval of released patches. Any patches
-    #   released on or before this date are installed automatically. Not
-    #   supported on Debian Server or Ubuntu Server.
+    #   released on or before this date are installed automatically.
+    #
+    #   Enter dates in the format `YYYY-MM-DD`. For example, `2024-12-31`.
+    #
+    #   This parameter is marked as `Required: No`, but your request must
+    #   include a value for either `ApproveUntilDate` or `ApproveAfterDays`.
     #
-    #   Enter dates in the format `YYYY-MM-DD`. For example, `2021-12-31`.
+    #   Not supported for Debian Server or Ubuntu Server.
+    #
+    #   Use caution when setting this value for Windows Server patch
+    #   baselines. Because patch updates that are replaced by later updates
+    #   are removed, setting too broad a value for this parameter can result
+    #   in crucial patches not being installed. For more information, see
+    #   the **Windows Server** tab in the topic [How security patches are
+    #   selected][1] in the *Amazon Web Services Systems Manager User
+    #   Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-selecting-patches.html
     #   @return [String]
     #
     # @!attribute [rw] enable_non_security
@@ -15115,8 +15905,8 @@ module Aws::SSM
     end
 
     # @!attribute [rw] name
-    #   The fully qualified name of the parameter that you want to add to
-    #   the system.
+    #   The fully qualified name of the parameter that you want to create or
+    #   update.
     #
     #   <note markdown="1"> You can't enter the Amazon Resource Name (ARN) for a parameter,
     #   only the parameter name itself.
@@ -15155,11 +15945,16 @@ module Aws::SSM
     #   see [Creating Systems Manager parameters][1] in the *Amazon Web
     #   Services Systems Manager User Guide*.
     #
-    #   <note markdown="1"> The maximum length constraint of 2048 characters listed below
-    #   includes 1037 characters reserved for internal use by Systems
-    #   Manager. The maximum length for a parameter name that you create is
-    #   1011 characters. This includes the characters in the ARN that
-    #   precede the name you specify, such as
+    #   <note markdown="1"> The reported maximum length of 2048 characters for a parameter name
+    #   includes 1037 characters that are reserved for internal use by
+    #   Systems Manager. The maximum length for a parameter name that you
+    #   specify is 1011 characters.
+    #
+    #    This count of 1011 characters includes the characters in the ARN
+    #   that precede the name you specify. This ARN length will vary
+    #   depending on your partition and Region. For example, the following
+    #   45 characters count toward the 1011 character maximum for a
+    #   parameter created in the US East (Ohio) Region:
     #   `arn:aws:ssm:us-east-2:111122223333:parameter/`.
     #
     #    </note>
@@ -15182,14 +15977,14 @@ module Aws::SSM
     #   value limit of 8 KB.
     #
     #   <note markdown="1"> Parameters can't be referenced or nested in the values of other
-    #   parameters. You can't include `\{\{\}\}` or
-    #   `\{\{ssm:parameter-name\}\}` in a parameter value.
+    #   parameters. You can't include values wrapped in double brackets
+    #   `{{}}` or `{{ssm:parameter-name}}` in a parameter value.
     #
     #    </note>
     #   @return [String]
     #
     # @!attribute [rw] type
-    #   The type of parameter that you want to add to the system.
+    #   The type of parameter that you want to create.
     #
     #   <note markdown="1"> `SecureString` isn't currently supported for CloudFormation
     #   templates.
@@ -15212,7 +16007,7 @@ module Aws::SSM
     #   parameters that use the `SecureString` data type.
     #
     #   If you don't specify a key ID, the system uses the default key
-    #   associated with your Amazon Web Services account which is not as
+    #   associated with your Amazon Web Services account, which is not as
     #   secure as using a custom key.
     #
     #   * To use a custom KMS key, choose the `SecureString` data type with
@@ -15332,8 +16127,8 @@ module Aws::SSM
     #
     # @!attribute [rw] policies
     #   One or more policies to apply to a parameter. This operation takes a
-    #   JSON array. Parameter Store, a capability of Amazon Web Services
-    #   Systems Manager supports the following policy types:
+    #   JSON array. Parameter Store, a tool in Amazon Web Services Systems
+    #   Manager supports the following policy types:
     #
     #   Expiration: This policy deletes the parameter after it expires. When
     #   you create the policy, you specify the expiration date. You can
@@ -15706,7 +16501,7 @@ module Aws::SSM
     #   creating a custom policy and custom service role for running your
     #   maintenance window tasks. The policy can be crafted to provide only
     #   the permissions needed for your particular maintenance window tasks.
-    #   For more information, see [Setting up maintenance windows][1] in the
+    #   For more information, see [Setting up Maintenance Windows][1] in the
     #   in the *Amazon Web Services Systems Manager User Guide*.
     #
     #
@@ -15830,7 +16625,6 @@ module Aws::SSM
     #       the command associated with the task. However, there is no
     #       guarantee that the command will be terminated and the underlying
     #       process stopped.
-    #
     #     The status for tasks that are not completed is `TIMED_OUT`.
     #   @return [String]
     #
@@ -15974,16 +16768,20 @@ module Aws::SSM
     #   The Amazon Resource Name (ARN) of the service setting to reset. The
     #   setting ID can be one of the following.
     #
-    #   * `/ssm/managed-instance/default-ec2-instance-management-role`
+    #   * `/ssm/appmanager/appmanager-enabled`
     #
     #   * `/ssm/automation/customer-script-log-destination`
     #
     #   * `/ssm/automation/customer-script-log-group-name`
     #
+    #   * /ssm/automation/enable-adaptive-concurrency
+    #
     #   * `/ssm/documents/console/public-sharing-permission`
     #
     #   * `/ssm/managed-instance/activation-tier`
     #
+    #   * `/ssm/managed-instance/default-ec2-instance-management-role`
+    #
     #   * `/ssm/opsinsights/opscenter`
     #
     #   * `/ssm/parameter-store/default-parameter-tier`
@@ -17015,8 +17813,8 @@ module Aws::SSM
     #
     # @!attribute [rw] cloud_watch_output_config
     #   Enables Amazon Web Services Systems Manager to send Run Command
-    #   output to Amazon CloudWatch Logs. Run Command is a capability of
-    #   Amazon Web Services Systems Manager.
+    #   output to Amazon CloudWatch Logs. Run Command is a tool in Amazon
+    #   Web Services Systems Manager.
     #   @return [Types::CloudWatchOutputConfig]
     #
     # @!attribute [rw] alarm_configuration
@@ -17061,6 +17859,42 @@ module Aws::SSM
       include Aws::Structure
     end
 
+    # The request exceeds the service quota. Service quotas, also referred
+    # to as limits, are the maximum number of service resources or
+    # operations for your Amazon Web Services account.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_id
+    #   The unique ID of the resource referenced in the failed request.
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_type
+    #   The resource type of the resource referenced in the failed request.
+    #   @return [String]
+    #
+    # @!attribute [rw] quota_code
+    #   The quota code recognized by the Amazon Web Services Service Quotas
+    #   service.
+    #   @return [String]
+    #
+    # @!attribute [rw] service_code
+    #   The code for the Amazon Web Services service that owns the quota.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/ServiceQuotaExceededException AWS API Documentation
+    #
+    class ServiceQuotaExceededException < Struct.new(
+      :message,
+      :resource_id,
+      :resource_type,
+      :quota_code,
+      :service_code)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The service setting data structure.
     #
     # `ServiceSetting` is an account-level setting for an Amazon Web
@@ -17223,12 +18057,12 @@ module Aws::SSM
     #   The filter value. Valid values for each filter key are as follows:
     #
     #   * InvokedAfter: Specify a timestamp to limit your results. For
-    #     example, specify 2018-08-29T00:00:00Z to see sessions that started
-    #     August 29, 2018, and later.
+    #     example, specify 2024-08-29T00:00:00Z to see sessions that started
+    #     August 29, 2024, and later.
     #
     #   * InvokedBefore: Specify a timestamp to limit your results. For
-    #     example, specify 2018-08-29T00:00:00Z to see sessions that started
-    #     before August 29, 2018.
+    #     example, specify 2024-08-29T00:00:00Z to see sessions that started
+    #     before August 29, 2024.
     #
     #   * Target: Specify a managed node to which session connections have
     #     been made.
@@ -17250,7 +18084,6 @@ module Aws::SSM
     #     * Terminating
     #
     #     * Failed
-    #
     #   * SessionId: Specify a session ID to return details about the
     #     session.
     #   @return [String]
@@ -17335,6 +18168,42 @@ module Aws::SSM
       include Aws::Structure
     end
 
+    # @!attribute [rw] reason
+    #   A brief description explaining why you are requesting access to the
+    #   node.
+    #   @return [String]
+    #
+    # @!attribute [rw] targets
+    #   The node you are requesting access to.
+    #   @return [Array<Types::Target>]
+    #
+    # @!attribute [rw] tags
+    #   Key-value pairs of metadata you want to assign to the access
+    #   request.
+    #   @return [Array<Types::Tag>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/StartAccessRequestRequest AWS API Documentation
+    #
+    class StartAccessRequestRequest < Struct.new(
+      :reason,
+      :targets,
+      :tags)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] access_request_id
+    #   The ID of the access request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/StartAccessRequestResponse AWS API Documentation
+    #
+    class StartAccessRequestResponse < Struct.new(
+      :access_request_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] association_ids
     #   The association IDs that you want to run immediately and only one
     #   time.
@@ -17391,6 +18260,9 @@ module Aws::SSM
     # @!attribute [rw] targets
     #   A key-value mapping to target resources. Required if you specify
     #   TargetParameterName.
+    #
+    #   If both this parameter and the `TargetLocation:Targets` parameter
+    #   are supplied, `TargetLocation:Targets` takes precedence.
     #   @return [Array<Types::Target>]
     #
     # @!attribute [rw] target_maps
@@ -17402,6 +18274,10 @@ module Aws::SSM
     #   The maximum number of targets allowed to run this task in parallel.
     #   You can specify a number, such as 10, or a percentage, such as 10%.
     #   The default value is `10`.
+    #
+    #   If both this parameter and the
+    #   `TargetLocation:TargetsMaxConcurrency` are supplied,
+    #   `TargetLocation:TargetsMaxConcurrency` takes precedence.
     #   @return [String]
     #
     # @!attribute [rw] max_errors
@@ -17421,6 +18297,10 @@ module Aws::SSM
     #   fail as well. If you need to ensure that there won't be more than
     #   max-errors failed executions, set max-concurrency to 1 so the
     #   executions proceed one at a time.
+    #
+    #   If this parameter and the `TargetLocation:TargetsMaxErrors`
+    #   parameter are both supplied, `TargetLocation:TargetsMaxErrors` takes
+    #   precedence.
     #   @return [String]
     #
     # @!attribute [rw] target_locations
@@ -17428,9 +18308,9 @@ module Aws::SSM
     #   Amazon Web Services accounts where you want to run the automation.
     #   Use this operation to start an automation in multiple Amazon Web
     #   Services Regions and multiple Amazon Web Services accounts. For more
-    #   information, see [Running Automation workflows in multiple Amazon
-    #   Web Services Regions and Amazon Web Services accounts][1] in the
-    #   *Amazon Web Services Systems Manager User Guide*.
+    #   information, see [Running automations in multiple Amazon Web
+    #   Services Regions and accounts][1] in the *Amazon Web Services
+    #   Systems Manager User Guide*.
     #
     #
     #
@@ -17449,8 +18329,11 @@ module Aws::SSM
     #
     #   * `Key=OS,Value=Windows`
     #
-    #   <note markdown="1"> To add tags to an existing automation, use the AddTagsToResource
-    #   operation.
+    #   <note markdown="1"> The `Array Members` maximum value is reported as 1000. This number
+    #   includes capacity reserved for internal operations. When calling the
+    #   `StartAutomationExecution` action, you can specify a maximum of 5
+    #   tags. You can, however, use the AddTagsToResource action to add up
+    #   to a total of 50 tags to an existing automation configuration.
     #
     #    </note>
     #   @return [Array<Types::Tag>]
@@ -17459,6 +18342,12 @@ module Aws::SSM
     #   The CloudWatch alarm you want to apply to your automation.
     #   @return [Types::AlarmConfiguration]
     #
+    # @!attribute [rw] target_locations_url
+    #   Specify a publicly accessible URL for a file that contains the
+    #   `TargetLocations` body. Currently, only files in presigned Amazon S3
+    #   buckets are supported.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/StartAutomationExecutionRequest AWS API Documentation
     #
     class StartAutomationExecutionRequest < Struct.new(
@@ -17474,7 +18363,8 @@ module Aws::SSM
       :max_errors,
       :target_locations,
       :tags,
-      :alarm_configuration)
+      :alarm_configuration,
+      :target_locations_url)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -17566,6 +18456,14 @@ module Aws::SSM
     #   * `Key=Environment,Value=Production`
     #
     #   * `Key=Region,Value=us-east-2`
+    #
+    #   <note markdown="1"> The `Array Members` maximum value is reported as 1000. This number
+    #   includes capacity reserved for internal operations. When calling the
+    #   `StartChangeRequestExecution` action, you can specify a maximum of 5
+    #   tags. You can, however, use the AddTagsToResource action to add up
+    #   to a total of 50 tags to an existing change request configuration.
+    #
+    #    </note>
     #   @return [Array<Types::Tag>]
     #
     # @!attribute [rw] scheduled_end_time
@@ -17611,6 +18509,44 @@ module Aws::SSM
       include Aws::Structure
     end
 
+    # @!attribute [rw] document_name
+    #   The name of the Automation runbook to run. The result of the
+    #   execution preview indicates what the impact would be of running this
+    #   runbook.
+    #   @return [String]
+    #
+    # @!attribute [rw] document_version
+    #   The version of the Automation runbook to run. The default value is
+    #   `$DEFAULT`.
+    #   @return [String]
+    #
+    # @!attribute [rw] execution_inputs
+    #   Information about the inputs that can be specified for the preview
+    #   operation.
+    #   @return [Types::ExecutionInputs]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/StartExecutionPreviewRequest AWS API Documentation
+    #
+    class StartExecutionPreviewRequest < Struct.new(
+      :document_name,
+      :document_version,
+      :execution_inputs)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] execution_preview_id
+    #   The ID of the execution preview generated by the system.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/StartExecutionPreviewResponse AWS API Documentation
+    #
+    class StartExecutionPreviewResponse < Struct.new(
+      :execution_preview_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] target
     #   The managed node to connect to for the session.
     #   @return [String]
@@ -17637,7 +18573,13 @@ module Aws::SSM
     #
     # @!attribute [rw] parameters
     #   The values you want to specify for the parameters defined in the
-    #   Session document.
+    #   Session document. For more information about these parameters, see
+    #   [Create a Session Manager preferences document][1] in the *Amazon
+    #   Web Services Systems Manager User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-preferences-cli.html
     #   @return [Hash<String,Array<String>>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/StartSessionRequest AWS API Documentation
@@ -17935,7 +18877,7 @@ module Aws::SSM
     #
     # Supported formats include the following.
     #
-    # **For all Systems Manager capabilities:**
+    # **For all Systems Manager tools:**
     #
     # * `Key=tag-key,Values=tag-value-1,tag-value-2`
     #
@@ -18064,6 +19006,39 @@ module Aws::SSM
     #   automation or command.
     #   @return [Types::AlarmConfiguration]
     #
+    # @!attribute [rw] include_child_organization_units
+    #   Indicates whether to include child organizational units (OUs) that
+    #   are children of the targeted OUs. The default is `false`.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] exclude_accounts
+    #   Amazon Web Services accounts or organizational units to exclude as
+    #   expanded targets.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] targets
+    #   A list of key-value mappings to target resources. If you specify
+    #   values for this data type, you must also specify a value for
+    #   `TargetParameterName`.
+    #
+    #   This `Targets` parameter takes precedence over the
+    #   `StartAutomationExecution:Targets` parameter if both are supplied.
+    #   @return [Array<Types::Target>]
+    #
+    # @!attribute [rw] targets_max_concurrency
+    #   The maximum number of targets allowed to run this task in parallel.
+    #   This `TargetsMaxConcurrency` takes precedence over the
+    #   `StartAutomationExecution:MaxConcurrency` parameter if both are
+    #   supplied.
+    #   @return [String]
+    #
+    # @!attribute [rw] targets_max_errors
+    #   The maximum number of errors that are allowed before the system
+    #   stops running the automation on additional targets. This
+    #   `TargetsMaxErrors` parameter takes precedence over the
+    #   `StartAutomationExecution:MaxErrors` parameter if both are supplied.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/TargetLocation AWS API Documentation
     #
     class TargetLocation < Struct.new(
@@ -18072,17 +19047,22 @@ module Aws::SSM
       :target_location_max_concurrency,
       :target_location_max_errors,
       :execution_role_name,
-      :target_location_alarm_configuration)
+      :target_location_alarm_configuration,
+      :include_child_organization_units,
+      :exclude_accounts,
+      :targets,
+      :targets_max_concurrency,
+      :targets_max_errors)
       SENSITIVE = []
       include Aws::Structure
     end
 
     # The specified target managed node for the session isn't fully
     # configured for use with Session Manager. For more information, see
-    # [Getting started with Session Manager][1] in the *Amazon Web Services
-    # Systems Manager User Guide*. This error is also returned if you
-    # attempt to start a session on a managed node that is located in a
-    # different account or Region
+    # [Setting up Session Manager][1] in the *Amazon Web Services Systems
+    # Manager User Guide*. This error is also returned if you attempt to
+    # start a session on a managed node that is located in a different
+    # account or Region
     #
     #
     #
@@ -18099,6 +19079,27 @@ module Aws::SSM
       include Aws::Structure
     end
 
+    # Information about the resources that would be included in the actual
+    # runbook execution, if it were to be run.
+    #
+    # @!attribute [rw] count
+    #   The number of resources of a certain type included in an execution
+    #   preview.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] target_type
+    #   A type of resource that was included in the execution preview.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/TargetPreview AWS API Documentation
+    #
+    class TargetPreview < Struct.new(
+      :count,
+      :target_type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] session_id
     #   The ID of the session to terminate.
     #   @return [String]
@@ -18123,6 +19124,31 @@ module Aws::SSM
       include Aws::Structure
     end
 
+    # The request or operation couldn't be performed because the service is
+    # throttling requests.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @!attribute [rw] quota_code
+    #   The quota code recognized by the Amazon Web Services Service Quotas
+    #   service.
+    #   @return [String]
+    #
+    # @!attribute [rw] service_code
+    #   The code for the Amazon Web Services service that owns the quota.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/ThrottlingException AWS API Documentation
+    #
+    class ThrottlingException < Struct.new(
+      :message,
+      :quota_code,
+      :service_code)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The `Targets` parameter includes too many tags. Remove one or more
     # tags and try the command again.
     #
@@ -18288,6 +19314,21 @@ module Aws::SSM
       include Aws::Structure
     end
 
+    # This operation is not supported for the current account. You must
+    # first enable the Systems Manager integrated experience in your
+    # account.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/UnsupportedOperationException AWS API Documentation
+    #
+    class UnsupportedOperationException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The parameter type isn't supported.
     #
     # @!attribute [rw] message
@@ -18322,9 +19363,9 @@ module Aws::SSM
     #
     # @!attribute [rw] parameters
     #   The parameters you want to update for the association. If you create
-    #   a parameter using Parameter Store, a capability of Amazon Web
-    #   Services Systems Manager, you can reference the parameter using
-    #   `\{\{ssm:parameter-name\}\}`.
+    #   a parameter using Parameter Store, a tool in Amazon Web Services
+    #   Systems Manager, you can reference the parameter using
+    #   `{{ssm:parameter-name}}`.
     #   @return [Hash<String,Array<String>>]
     #
     # @!attribute [rw] document_version
@@ -18390,7 +19431,7 @@ module Aws::SSM
     #   Choose the parameter that will define how your automation will
     #   branch out. This target is required for associations that use an
     #   Automation runbook and target resources by using rate controls.
-    #   Automation is a capability of Amazon Web Services Systems Manager.
+    #   Automation is a tool in Amazon Web Services Systems Manager.
     #   @return [String]
     #
     # @!attribute [rw] max_errors
@@ -18438,9 +19479,9 @@ module Aws::SSM
     #
     #   In `MANUAL` mode, you must specify the `AssociationId` as a
     #   parameter for the PutComplianceItems API operation. In this case,
-    #   compliance data isn't managed by State Manager, a capability of
-    #   Amazon Web Services Systems Manager. It is managed by your direct
-    #   call to the PutComplianceItems API operation.
+    #   compliance data isn't managed by State Manager, a tool in Amazon
+    #   Web Services Systems Manager. It is managed by your direct call to
+    #   the PutComplianceItems API operation.
     #
     #   By default, all associations use `AUTO` mode.
     #   @return [String]
@@ -18448,27 +19489,39 @@ module Aws::SSM
     # @!attribute [rw] apply_only_at_cron_interval
     #   By default, when you update an association, the system runs it
     #   immediately after it is updated and then according to the schedule
-    #   you specified. Specify this option if you don't want an association
-    #   to run immediately after you update it. This parameter isn't
-    #   supported for rate expressions.
+    #   you specified. Specify `true` for `ApplyOnlyAtCronInterval` if you
+    #   want the association to run only according to the schedule you
+    #   specified.
     #
     #   If you chose this option when you created an association and later
-    #   you edit that association or you make changes to the SSM document on
-    #   which that association is based (by using the Documents page in the
-    #   console), State Manager applies the association at the next
-    #   specified cron interval. For example, if you chose the `Latest`
-    #   version of an SSM document when you created an association and you
-    #   edit the association by choosing a different document version on the
-    #   Documents page, State Manager applies the association at the next
-    #   specified cron interval if you previously selected this option. If
-    #   this option wasn't selected, State Manager immediately runs the
+    #   you edit that association or you make changes to the Automation
+    #   runbook or SSM document on which that association is based, State
+    #   Manager applies the association at the next specified cron interval.
+    #   For example, if you chose the `Latest` version of an SSM document
+    #   when you created an association and you edit the association by
+    #   choosing a different document version on the Documents page, State
+    #   Manager applies the association at the next specified cron interval
+    #   if you previously set `ApplyOnlyAtCronInterval` to `true`. If this
+    #   option wasn't selected, State Manager immediately runs the
     #   association.
     #
-    #   You can reset this option. To do so, specify the
+    #   For more information, see [Understanding when associations are
+    #   applied to resources][1] and [About target updates with Automation
+    #   runbooks][2] in the *Amazon Web Services Systems Manager User
+    #   Guide*.
+    #
+    #   This parameter isn't supported for rate expressions.
+    #
+    #   You can reset this parameter. To do so, specify the
     #   `no-apply-only-at-cron-interval` parameter when you update the
     #   association from the command line. This parameter forces the
     #   association to run immediately after updating it and according to
     #   the interval specified.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/state-manager-about.html#state-manager-about-scheduling
+    #   [2]: https://docs.aws.amazon.com/systems-manager/latest/userguide/state-manager-about.html#runbook-target-updates
     #   @return [Boolean]
     #
     # @!attribute [rw] calendar_names
@@ -18476,7 +19529,8 @@ module Aws::SSM
     #   type documents you want to gate your associations under. The
     #   associations only run when that change calendar is open. For more
     #   information, see [Amazon Web Services Systems Manager Change
-    #   Calendar][1].
+    #   Calendar][1] in the *Amazon Web Services Systems Manager User
+    #   Guide*.
     #
     #
     #
@@ -19068,7 +20122,7 @@ module Aws::SSM
     #   creating a custom policy and custom service role for running your
     #   maintenance window tasks. The policy can be crafted to provide only
     #   the permissions needed for your particular maintenance window tasks.
-    #   For more information, see [Setting up maintenance windows][1] in the
+    #   For more information, see [Setting up Maintenance Windows][1] in the
     #   in the *Amazon Web Services Systems Manager User Guide*.
     #
     #
@@ -19207,7 +20261,6 @@ module Aws::SSM
     #       the command associated with the task. However, there is no
     #       guarantee that the command will be terminated and the underlying
     #       process stopped.
-    #
     #     The status for tasks that are not completed is `TIMED_OUT`.
     #   @return [String]
     #
@@ -19256,10 +20309,24 @@ module Aws::SSM
     #   @return [String]
     #
     # @!attribute [rw] service_role_arn
-    #   The Amazon Resource Name (ARN) of the Identity and Access Management
-    #   (IAM) service role to use to publish Amazon Simple Notification
-    #   Service (Amazon SNS) notifications for maintenance window Run
-    #   Command tasks.
+    #   The Amazon Resource Name (ARN) of the IAM service role for Amazon
+    #   Web Services Systems Manager to assume when running a maintenance
+    #   window task. If you do not specify a service role ARN, Systems
+    #   Manager uses a service-linked role in your account. If no
+    #   appropriate service-linked role for Systems Manager exists in your
+    #   account, it is created when you run
+    #   `RegisterTaskWithMaintenanceWindow`.
+    #
+    #   However, for an improved security posture, we strongly recommend
+    #   creating a custom policy and custom service role for running your
+    #   maintenance window tasks. The policy can be crafted to provide only
+    #   the permissions needed for your particular maintenance window tasks.
+    #   For more information, see [Setting up Maintenance Windows][1] in the
+    #   in the *Amazon Web Services Systems Manager User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-maintenance-permissions.html
     #   @return [String]
     #
     # @!attribute [rw] task_parameters
@@ -19353,9 +20420,9 @@ module Aws::SSM
     #   want to assign to the managed node. This IAM role must provide
     #   AssumeRole permissions for the Amazon Web Services Systems Manager
     #   service principal `ssm.amazonaws.com`. For more information, see
-    #   [Create an IAM service role for a hybrid and multicloud
-    #   environment][1] in the *Amazon Web Services Systems Manager User
-    #   Guide*.
+    #   [Create the IAM service role required for Systems Manager in hybrid
+    #   and multicloud environments][1] in the *Amazon Web Services Systems
+    #   Manager User Guide*.
     #
     #   <note markdown="1"> You can't specify an IAM service-linked role for this parameter.
     #   You must create a unique role.
@@ -19364,7 +20431,7 @@ module Aws::SSM
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-service-role.html
+    #   [1]: https://docs.aws.amazon.com/systems-manager/latest/userguide/hybrid-multicloud-service-role.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/UpdateManagedInstanceRoleRequest AWS API Documentation
@@ -19441,9 +20508,8 @@ module Aws::SSM
     #   @return [Array<Types::RelatedOpsItem>]
     #
     # @!attribute [rw] status
-    #   The OpsItem status. Status can be `Open`, `In Progress`, or
-    #   `Resolved`. For more information, see [Editing OpsItem details][1]
-    #   in the *Amazon Web Services Systems Manager User Guide*.
+    #   The OpsItem status. For more information, see [Editing OpsItem
+    #   details][1] in the *Amazon Web Services Systems Manager User Guide*.
     #
     #
     #
@@ -19565,6 +20631,11 @@ module Aws::SSM
     #
     # @!attribute [rw] global_filters
     #   A set of global filters used to include patches in the baseline.
+    #
+    #   The `GlobalFilters` parameter can be configured only by using the
+    #   CLI or an Amazon Web Services SDK. It can't be configured from the
+    #   Patch Manager console, and its value isn't displayed in the
+    #   console.
     #   @return [Types::PatchFilterGroup]
     #
     # @!attribute [rw] approval_rules
@@ -19575,9 +20646,9 @@ module Aws::SSM
     #   A list of explicitly approved patches for the baseline.
     #
     #   For information about accepted formats for lists of approved patches
-    #   and rejected patches, see [About package name formats for approved
-    #   and rejected patch lists][1] in the *Amazon Web Services Systems
-    #   Manager User Guide*.
+    #   and rejected patches, see [Package name formats for approved and
+    #   rejected patch lists][1] in the *Amazon Web Services Systems Manager
+    #   User Guide*.
     #
     #
     #
@@ -19599,9 +20670,9 @@ module Aws::SSM
     #   A list of explicitly rejected patches for the baseline.
     #
     #   For information about accepted formats for lists of approved patches
-    #   and rejected patches, see [About package name formats for approved
-    #   and rejected patch lists][1] in the *Amazon Web Services Systems
-    #   Manager User Guide*.
+    #   and rejected patches, see [Package name formats for approved and
+    #   rejected patch lists][1] in the *Amazon Web Services Systems Manager
+    #   User Guide*.
     #
     #
     #
@@ -19612,19 +20683,28 @@ module Aws::SSM
     #   The action for Patch Manager to take on patches included in the
     #   `RejectedPackages` list.
     #
-    #   * <b> <code>ALLOW_AS_DEPENDENCY</code> </b>: A package in the
-    #     `Rejected` patches list is installed only if it is a dependency of
-    #     another package. It is considered compliant with the patch
-    #     baseline, and its status is reported as `InstalledOther`. This is
-    #     the default action if no option is specified.
+    #   ALLOW\_AS\_DEPENDENCY
+    #
+    #   : **Linux and macOS**: A package in the rejected patches list is
+    #     installed only if it is a dependency of another package. It is
+    #     considered compliant with the patch baseline, and its status is
+    #     reported as `INSTALLED_OTHER`. This is the default action if no
+    #     option is specified.
+    #
+    #     **Windows Server**: Windows Server doesn't support the concept of
+    #     package dependencies. If a package in the rejected patches list
+    #     and already installed on the node, its status is reported as
+    #     `INSTALLED_OTHER`. Any package not already installed on the node
+    #     is skipped. This is the default action if no option is specified.
     #
-    #   * **BLOCK**: Packages in the **Rejected patches** list, and packages
+    #   BLOCK
+    #
+    #   : **All OSs**: Packages in the rejected patches list, and packages
     #     that include them as dependencies, aren't installed by Patch
     #     Manager under any circumstances. If a package was installed before
-    #     it was added to the **Rejected patches** list, or is installed
-    #     outside of Patch Manager afterward, it's considered noncompliant
-    #     with the patch baseline and its status is reported as
-    #     *InstalledRejected*.
+    #     it was added to the rejected patches list, or is installed outside
+    #     of Patch Manager afterward, it's considered noncompliant with the
+    #     patch baseline and its status is reported as `INSTALLED_REJECTED`.
     #   @return [String]
     #
     # @!attribute [rw] description
@@ -19637,6 +20717,22 @@ module Aws::SSM
     #   to Linux managed nodes only.
     #   @return [Array<Types::PatchSource>]
     #
+    # @!attribute [rw] available_security_updates_compliance_status
+    #   Indicates the status to be assigned to security patches that are
+    #   available but not approved because they don't meet the installation
+    #   criteria specified in the patch baseline.
+    #
+    #   Example scenario: Security patches that you might want installed can
+    #   be skipped if you have specified a long period to wait after a patch
+    #   is released before installation. If an update to the patch is
+    #   released during your specified waiting period, the waiting period
+    #   for installing the patch starts over. If the waiting period is too
+    #   long, multiple versions of the patch could be released but never
+    #   installed.
+    #
+    #   Supported for Windows Server managed nodes only.
+    #   @return [String]
+    #
     # @!attribute [rw] replace
     #   If True, then all fields that are required by the
     #   CreatePatchBaseline operation are also required for this API
@@ -19657,6 +20753,7 @@ module Aws::SSM
       :rejected_patches_action,
       :description,
       :sources,
+      :available_security_updates_compliance_status,
       :replace)
       SENSITIVE = []
       include Aws::Structure
@@ -19726,6 +20823,15 @@ module Aws::SSM
     #   to Linux managed nodes only.
     #   @return [Array<Types::PatchSource>]
     #
+    # @!attribute [rw] available_security_updates_compliance_status
+    #   Indicates the compliance status of managed nodes for which
+    #   security-related patches are available but were not approved. This
+    #   preference is specified when the `CreatePatchBaseline` or
+    #   `UpdatePatchBaseline` commands are run.
+    #
+    #   Applies to Windows Server managed nodes only.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/UpdatePatchBaselineResult AWS API Documentation
     #
     class UpdatePatchBaselineResult < Struct.new(
@@ -19742,7 +20848,8 @@ module Aws::SSM
       :created_date,
       :modified_date,
       :description,
-      :sources)
+      :sources,
+      :available_security_updates_compliance_status)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -19782,16 +20889,20 @@ module Aws::SSM
     #   `arn:aws:ssm:us-east-1:111122223333:servicesetting/ssm/parameter-store/high-throughput-enabled`.
     #   The setting ID can be one of the following.
     #
-    #   * `/ssm/managed-instance/default-ec2-instance-management-role`
+    #   * `/ssm/appmanager/appmanager-enabled`
     #
     #   * `/ssm/automation/customer-script-log-destination`
     #
     #   * `/ssm/automation/customer-script-log-group-name`
     #
+    #   * /ssm/automation/enable-adaptive-concurrency
+    #
     #   * `/ssm/documents/console/public-sharing-permission`
     #
     #   * `/ssm/managed-instance/activation-tier`
     #
+    #   * `/ssm/managed-instance/default-ec2-instance-management-role`
+    #
     #   * `/ssm/opsinsights/opscenter`
     #
     #   * `/ssm/parameter-store/default-parameter-tier`
@@ -19811,8 +20922,7 @@ module Aws::SSM
     #   The new value to specify for the service setting. The following list
     #   specifies the available values for each setting.
     #
-    #   * For `/ssm/managed-instance/default-ec2-instance-management-role`,
-    #     enter the name of an IAM role.
+    #   * For `/ssm/appmanager/appmanager-enabled`, enter `True` or `False`.
     #
     #   * For `/ssm/automation/customer-script-log-destination`, enter
     #     `CloudWatch`.
@@ -19826,6 +20936,9 @@ module Aws::SSM
     #   * For `/ssm/managed-instance/activation-tier`, enter `standard` or
     #     `advanced`.
     #
+    #   * For `/ssm/managed-instance/default-ec2-instance-management-role`,
+    #     enter the name of an IAM role.
+    #
     #   * For `/ssm/opsinsights/opscenter`, enter `Enabled` or `Disabled`.
     #
     #   * For `/ssm/parameter-store/default-parameter-tier`, enter
@@ -19850,5 +20963,25 @@ module Aws::SSM
     #
     class UpdateServiceSettingResult < Aws::EmptyStructure; end
 
+    # The request isn't valid. Verify that you entered valid contents for
+    # the command and try again.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @!attribute [rw] reason_code
+    #   The reason code for the invalid request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/ssm-2014-11-06/ValidationException AWS API Documentation
+    #
+    class ValidationException < Struct.new(
+      :message,
+      :reason_code)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
   end
 end
+