@pgarbe/cdk-ecr-sync 0.5.22 → 0.5.26

package/node_modules/aws-sdk/clients/securityhub.d.ts

@@ -44,11 +44,11 @@ declare class SecurityHub extends Service {
    */
   batchEnableStandards(callback?: (err: AWSError, data: SecurityHub.Types.BatchEnableStandardsResponse) => void): Request<SecurityHub.Types.BatchEnableStandardsResponse, AWSError>;
   /**
-   * Imports security findings generated from an integrated product into Security Hub. This action is requested by the integrated product to import its findings into Security Hub. The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb. After a finding is created, BatchImportFindings cannot be used to update the following finding fields and objects, which Security Hub customers use to manage their investigation workflow.    Note     UserDefinedFields     VerificationState     Workflow    Finding providers also should not use BatchImportFindings to update the following attributes.    Confidence     Criticality     RelatedFindings     Severity     Types    Instead, finding providers use FindingProviderFields to provide values for these attributes.
+   * Imports security findings generated by a finding provider into Security Hub. This action is requested by the finding provider to import its findings into Security Hub.  BatchImportFindings must be called by one of the following:   The account that is associated with the findings. The identifier of the associated account is the value of the AwsAccountId attribute for the finding.   An account that is allow-listed for an official Security Hub partner integration.   The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb. After a finding is created, BatchImportFindings cannot be used to update the following finding fields and objects, which Security Hub customers use to manage their investigation workflow.    Note     UserDefinedFields     VerificationState     Workflow    Finding providers also should not use BatchImportFindings to update the following attributes.    Confidence     Criticality     RelatedFindings     Severity     Types    Instead, finding providers use FindingProviderFields to provide values for these attributes.
    */
   batchImportFindings(params: SecurityHub.Types.BatchImportFindingsRequest, callback?: (err: AWSError, data: SecurityHub.Types.BatchImportFindingsResponse) => void): Request<SecurityHub.Types.BatchImportFindingsResponse, AWSError>;
   /**
-   * Imports security findings generated from an integrated product into Security Hub. This action is requested by the integrated product to import its findings into Security Hub. The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb. After a finding is created, BatchImportFindings cannot be used to update the following finding fields and objects, which Security Hub customers use to manage their investigation workflow.    Note     UserDefinedFields     VerificationState     Workflow    Finding providers also should not use BatchImportFindings to update the following attributes.    Confidence     Criticality     RelatedFindings     Severity     Types    Instead, finding providers use FindingProviderFields to provide values for these attributes.
+   * Imports security findings generated by a finding provider into Security Hub. This action is requested by the finding provider to import its findings into Security Hub.  BatchImportFindings must be called by one of the following:   The account that is associated with the findings. The identifier of the associated account is the value of the AwsAccountId attribute for the finding.   An account that is allow-listed for an official Security Hub partner integration.   The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb. After a finding is created, BatchImportFindings cannot be used to update the following finding fields and objects, which Security Hub customers use to manage their investigation workflow.    Note     UserDefinedFields     VerificationState     Workflow    Finding providers also should not use BatchImportFindings to update the following attributes.    Confidence     Criticality     RelatedFindings     Severity     Types    Instead, finding providers use FindingProviderFields to provide values for these attributes.
    */
   batchImportFindings(callback?: (err: AWSError, data: SecurityHub.Types.BatchImportFindingsResponse) => void): Request<SecurityHub.Types.BatchImportFindingsResponse, AWSError>;
   /**
@@ -966,6 +966,13 @@ declare namespace SecurityHub {
      */
     ApiGatewayManaged?: Boolean;
   }
+  export type AwsAutoScalingAutoScalingGroupAvailabilityZonesList = AwsAutoScalingAutoScalingGroupAvailabilityZonesListDetails[];
+  export interface AwsAutoScalingAutoScalingGroupAvailabilityZonesListDetails {
+    /**
+     * The name of the Availability Zone.
+     */
+    Value?: NonEmptyString;
+  }
   export interface AwsAutoScalingAutoScalingGroupDetails {
     /**
      * The name of the launch configuration.
@@ -987,6 +994,85 @@ declare namespace SecurityHub {
      * Indicates when the auto scaling group was created. Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z.
      */
     CreatedTime?: NonEmptyString;
+    /**
+     * The mixed instances policy for the automatic scaling group.
+     */
+    MixedInstancesPolicy?: AwsAutoScalingAutoScalingGroupMixedInstancesPolicyDetails;
+    /**
+     * The list of Availability Zones for the automatic scaling group.
+     */
+    AvailabilityZones?: AwsAutoScalingAutoScalingGroupAvailabilityZonesList;
+  }
+  export interface AwsAutoScalingAutoScalingGroupMixedInstancesPolicyDetails {
+    /**
+     * The instances distribution. The instances distribution specifies the distribution of On-Demand Instances and Spot Instances, the maximum price to pay for Spot Instances, and how the Auto Scaling group allocates instance types to fulfill On-Demand and Spot capacity.
+     */
+    InstancesDistribution?: AwsAutoScalingAutoScalingGroupMixedInstancesPolicyInstancesDistributionDetails;
+    /**
+     * The launch template to use and the instance types (overrides) to use to provision EC2 instances to fulfill On-Demand and Spot capacities.
+     */
+    LaunchTemplate?: AwsAutoScalingAutoScalingGroupMixedInstancesPolicyLaunchTemplateDetails;
+  }
+  export interface AwsAutoScalingAutoScalingGroupMixedInstancesPolicyInstancesDistributionDetails {
+    /**
+     * How to allocate instance types to fulfill On-Demand capacity.
+     */
+    OnDemandAllocationStrategy?: NonEmptyString;
+    /**
+     * The minimum amount of the Auto Scaling group's capacity that must be fulfilled by On-Demand Instances.
+     */
+    OnDemandBaseCapacity?: Integer;
+    /**
+     * The percentage of On-Demand Instances and Spot Instances for additional capacity beyond OnDemandBaseCapacity.
+     */
+    OnDemandPercentageAboveBaseCapacity?: Integer;
+    /**
+     * How to allocate instances across Spot Instance pools.
+     */
+    SpotAllocationStrategy?: NonEmptyString;
+    /**
+     * The number of Spot Instance pools across which to allocate your Spot Instances.
+     */
+    SpotInstancePools?: Integer;
+    /**
+     * The maximum price per unit hour that you are willing to pay for a Spot Instance.
+     */
+    SpotMaxPrice?: NonEmptyString;
+  }
+  export interface AwsAutoScalingAutoScalingGroupMixedInstancesPolicyLaunchTemplateDetails {
+    /**
+     * The launch template to use.
+     */
+    LaunchTemplateSpecification?: AwsAutoScalingAutoScalingGroupMixedInstancesPolicyLaunchTemplateLaunchTemplateSpecification;
+    /**
+     * Property values to use to override the values in the launch template.
+     */
+    Overrides?: AwsAutoScalingAutoScalingGroupMixedInstancesPolicyLaunchTemplateOverridesList;
+  }
+  export interface AwsAutoScalingAutoScalingGroupMixedInstancesPolicyLaunchTemplateLaunchTemplateSpecification {
+    /**
+     * The identifier of the launch template. You must specify either LaunchTemplateId or LaunchTemplateName.
+     */
+    LaunchTemplateId?: NonEmptyString;
+    /**
+     * The name of the launch template. You must specify either LaunchTemplateId or LaunchTemplateName.
+     */
+    LaunchTemplateName?: NonEmptyString;
+    /**
+     * Identifies the version of the launch template. You can specify a version identifier, or use the values $Latest or $Default.
+     */
+    Version?: NonEmptyString;
+  }
+  export type AwsAutoScalingAutoScalingGroupMixedInstancesPolicyLaunchTemplateOverridesList = AwsAutoScalingAutoScalingGroupMixedInstancesPolicyLaunchTemplateOverridesListDetails[];
+  export interface AwsAutoScalingAutoScalingGroupMixedInstancesPolicyLaunchTemplateOverridesListDetails {
+    /**
+     * The instance type. For example, m3.xlarge.
+     */
+    InstanceType?: NonEmptyString;
+    /**
+     * The number of capacity units provided by the specified instance type in terms of virtual CPUs, memory, storage, throughput, or other relative performance characteristic.
+     */
+    WeightedCapacity?: NonEmptyString;
   }
   export interface AwsAutoScalingLaunchConfigurationBlockDeviceMappingsDetails {
     /**
@@ -1106,6 +1192,10 @@ declare namespace SecurityHub {
      * The user data to make available to the launched EC2 instances. Must be base64-encoded text.
      */
     UserData?: NonEmptyString;
+    /**
+     * The metadata options for the instances.
+     */
+    MetadataOptions?: AwsAutoScalingLaunchConfigurationMetadataOptions;
   }
   export interface AwsAutoScalingLaunchConfigurationInstanceMonitoringDetails {
     /**
@@ -1113,6 +1203,20 @@ declare namespace SecurityHub {
      */
     Enabled?: Boolean;
   }
+  export interface AwsAutoScalingLaunchConfigurationMetadataOptions {
+    /**
+     * Enables or disables the HTTP metadata endpoint on your instances. By default, the metadata endpoint is enabled.
+     */
+    HttpEndpoint?: NonEmptyString;
+    /**
+     * The HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel.
+     */
+    HttpPutResponseHopLimit?: Integer;
+    /**
+     * Indicates whether token usage is required or optional for metadata requests. By default, token usage is optional.
+     */
+    HttpTokens?: NonEmptyString;
+  }
   export interface AwsCertificateManagerCertificateDetails {
     /**
      * The ARN of the private certificate authority (CA) that will be used to issue the certificate.
@@ -4918,6 +5022,107 @@ declare namespace SecurityHub {
     CreatedDate?: NonEmptyString;
   }
   export type AwsLambdaLayerVersionNumber = number;
+  export interface AwsNetworkFirewallFirewallDetails {
+    /**
+     * Whether the firewall is protected from deletion. If set to true, then the firewall cannot be deleted.
+     */
+    DeleteProtection?: Boolean;
+    /**
+     * A description of the firewall.
+     */
+    Description?: NonEmptyString;
+    /**
+     * The ARN of the firewall.
+     */
+    FirewallArn?: NonEmptyString;
+    /**
+     * The identifier of the firewall.
+     */
+    FirewallId?: NonEmptyString;
+    /**
+     * A descriptive name of the firewall.
+     */
+    FirewallName?: NonEmptyString;
+    /**
+     * The ARN of the firewall policy.
+     */
+    FirewallPolicyArn?: NonEmptyString;
+    /**
+     * Whether the firewall is protected from a change to the firewall policy. If set to true, you cannot associate a different policy with the firewall.
+     */
+    FirewallPolicyChangeProtection?: Boolean;
+    /**
+     * Whether the firewall is protected from a change to the subnet associations. If set to true, you cannot map different subnets to the firewall.
+     */
+    SubnetChangeProtection?: Boolean;
+    /**
+     * The public subnets that Network Firewall uses for the firewall. Each subnet must belong to a different Availability Zone.
+     */
+    SubnetMappings?: AwsNetworkFirewallFirewallSubnetMappingsList;
+    /**
+     * The identifier of the VPC where the firewall is used.
+     */
+    VpcId?: NonEmptyString;
+  }
+  export interface AwsNetworkFirewallFirewallPolicyDetails {
+    /**
+     * The firewall policy configuration.
+     */
+    FirewallPolicy?: FirewallPolicyDetails;
+    /**
+     * The ARN of the firewall policy.
+     */
+    FirewallPolicyArn?: NonEmptyString;
+    /**
+     * The identifier of the firewall policy.
+     */
+    FirewallPolicyId?: NonEmptyString;
+    /**
+     * The name of the firewall policy.
+     */
+    FirewallPolicyName?: NonEmptyString;
+    /**
+     * A description of the firewall policy.
+     */
+    Description?: NonEmptyString;
+  }
+  export interface AwsNetworkFirewallFirewallSubnetMappingsDetails {
+    /**
+     * The identifier of the subnet
+     */
+    SubnetId?: NonEmptyString;
+  }
+  export type AwsNetworkFirewallFirewallSubnetMappingsList = AwsNetworkFirewallFirewallSubnetMappingsDetails[];
+  export interface AwsNetworkFirewallRuleGroupDetails {
+    /**
+     * The maximum number of operating resources that this rule group can use.
+     */
+    Capacity?: Integer;
+    /**
+     * A description of the rule group.
+     */
+    Description?: NonEmptyString;
+    /**
+     * Details about the rule group.
+     */
+    RuleGroup?: RuleGroupDetails;
+    /**
+     * The ARN of the rule group.
+     */
+    RuleGroupArn?: NonEmptyString;
+    /**
+     * The identifier of the rule group.
+     */
+    RuleGroupId?: NonEmptyString;
+    /**
+     * The descriptive name of the rule group.
+     */
+    RuleGroupName?: NonEmptyString;
+    /**
+     * The type of rule group. A rule group can be stateful or stateless.
+     */
+    Type?: NonEmptyString;
+  }
   export interface AwsOpenSearchServiceDomainClusterConfigDetails {
     /**
      * The number of data nodes to use in the OpenSearch domain.
@@ -6567,6 +6772,16 @@ declare namespace SecurityHub {
     StorageClass?: NonEmptyString;
   }
   export type AwsS3BucketBucketLifecycleConfigurationRulesTransitionsList = AwsS3BucketBucketLifecycleConfigurationRulesTransitionsDetails[];
+  export interface AwsS3BucketBucketVersioningConfiguration {
+    /**
+     * Specifies whether MFA delete is currently enabled in the S3 bucket versioning configuration. If the S3 bucket was never configured with MFA delete, then this attribute is not included.
+     */
+    IsMfaDeleteEnabled?: Boolean;
+    /**
+     * The versioning status of the S3 bucket.
+     */
+    Status?: NonEmptyString;
+  }
   export interface AwsS3BucketDetails {
     /**
      * The canonical user ID of the owner of the S3 bucket.
@@ -6612,6 +6827,10 @@ declare namespace SecurityHub {
      * The notification configuration for the S3 bucket.
      */
     BucketNotificationConfiguration?: AwsS3BucketNotificationConfiguration;
+    /**
+     * The versioning state of an S3 bucket.
+     */
+    BucketVersioningConfiguration?: AwsS3BucketBucketVersioningConfiguration;
   }
   export interface AwsS3BucketLoggingConfiguration {
     /**
@@ -6990,6 +7209,10 @@ declare namespace SecurityHub {
      * In a BatchImportFindings request, finding providers use FindingProviderFields to provide and update their own values for confidence, criticality, related findings, severity, and types.
      */
     FindingProviderFields?: FindingProviderFields;
+    /**
+     * Indicates whether the finding is a sample finding.
+     */
+    Sample?: Boolean;
   }
   export interface AwsSecurityFindingFilters {
     /**
@@ -7309,7 +7532,7 @@ declare namespace SecurityHub {
      */
     WorkflowState?: StringFilterList;
     /**
-     * The status of the investigation into a finding. Allowed values are the following.    NEW - The initial state of a finding, before it is reviewed. Security Hub also resets the workflow status from NOTIFIED or RESOLVED to NEW in the following cases:   The record state changes from ARCHIVED to ACTIVE.   The compliance status changes from PASSED to either WARNING, FAILED, or NOT_AVAILABLE.      NOTIFIED - Indicates that the resource owner has been notified about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.    SUPPRESSED - The finding will not be reviewed again and will not be acted upon.    RESOLVED - The finding was reviewed and remediated and is now considered resolved.   
+     * The status of the investigation into a finding. Allowed values are the following.    NEW - The initial state of a finding, before it is reviewed. Security Hub also resets the workflow status from NOTIFIED or RESOLVED to NEW in the following cases:    RecordState changes from ARCHIVED to ACTIVE.    Compliance.Status changes from PASSED to either WARNING, FAILED, or NOT_AVAILABLE.      NOTIFIED - Indicates that the resource owner has been notified about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner. If one of the following occurs, the workflow status is changed automatically from NOTIFIED to NEW:    RecordState changes from ARCHIVED to ACTIVE.    Compliance.Status changes from PASSED to FAILED, WARNING, or NOT_AVAILABLE.      SUPPRESSED - Indicates that you reviewed the finding and do not believe that any action is needed. The workflow status of a SUPPRESSED finding does not change if RecordState changes from ARCHIVED to ACTIVE.    RESOLVED - The finding was reviewed and remediated and is now considered resolved.  The finding remains RESOLVED unless one of the following occurs:    RecordState changes from ARCHIVED to ACTIVE.    Compliance.Status changes from PASSED to FAILED, WARNING, or NOT_AVAILABLE.   In those cases, the workflow status is automatically reset to NEW. For findings from controls, if Compliance.Status is PASSED, then Security Hub automatically sets the workflow status to RESOLVED.  
      */
     WorkflowStatus?: StringFilterList;
     /**
@@ -7368,6 +7591,10 @@ declare namespace SecurityHub {
      * One or more finding types that the finding provider assigned to the finding. Uses the format of namespace/category/classifier that classify a finding. Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications
      */
     FindingProviderFieldsTypes?: StringFilterList;
+    /**
+     * Indicates whether or not sample findings are included in the filter results.
+     */
+    Sample?: BooleanFilterList;
   }
   export interface AwsSecurityFindingIdentifier {
     /**
@@ -7765,6 +7992,13 @@ declare namespace SecurityHub {
   }
   export type BatchUpdateFindingsUnprocessedFindingsList = BatchUpdateFindingsUnprocessedFinding[];
   export type Boolean = boolean;
+  export interface BooleanFilter {
+    /**
+     * The value of the boolean.
+     */
+    Value?: Boolean;
+  }
+  export type BooleanFilterList = BooleanFilter[];
   export type CategoryList = NonEmptyString[];
   export interface Cell {
     /**
@@ -8370,6 +8604,57 @@ declare namespace SecurityHub {
      */
     Original?: NonEmptyString;
   }
+  export interface FirewallPolicyDetails {
+    /**
+     * The stateful rule groups that are used in the firewall policy.
+     */
+    StatefulRuleGroupReferences?: FirewallPolicyStatefulRuleGroupReferencesList;
+    /**
+     * The custom action definitions that are available to use in the firewall policy's StatelessDefaultActions setting.
+     */
+    StatelessCustomActions?: FirewallPolicyStatelessCustomActionsList;
+    /**
+     * The actions to take on a packet if it doesn't match any of the stateless rules in the policy. You must specify a standard action (aws:pass, aws:drop, aws:forward_to_sfe), and can optionally include a custom action from StatelessCustomActions. 
+     */
+    StatelessDefaultActions?: NonEmptyStringList;
+    /**
+     * The actions to take on a fragmented UDP packet if it doesn't match any of the stateless rules in the policy. You must specify a standard action (aws:pass, aws:drop, aws:forward_to_sfe), and can optionally include a custom action from StatelessCustomActions. 
+     */
+    StatelessFragmentDefaultActions?: NonEmptyStringList;
+    /**
+     * The stateless rule groups that are used in the firewall policy.
+     */
+    StatelessRuleGroupReferences?: FirewallPolicyStatelessRuleGroupReferencesList;
+  }
+  export interface FirewallPolicyStatefulRuleGroupReferencesDetails {
+    /**
+     * The ARN of the stateful rule group.
+     */
+    ResourceArn?: NonEmptyString;
+  }
+  export type FirewallPolicyStatefulRuleGroupReferencesList = FirewallPolicyStatefulRuleGroupReferencesDetails[];
+  export interface FirewallPolicyStatelessCustomActionsDetails {
+    /**
+     * The definition of the custom action.
+     */
+    ActionDefinition?: StatelessCustomActionDefinition;
+    /**
+     * The name of the custom action.
+     */
+    ActionName?: NonEmptyString;
+  }
+  export type FirewallPolicyStatelessCustomActionsList = FirewallPolicyStatelessCustomActionsDetails[];
+  export interface FirewallPolicyStatelessRuleGroupReferencesDetails {
+    /**
+     * The order in which to run the stateless rule group.
+     */
+    Priority?: Integer;
+    /**
+     * The ARN of the stateless rule group.
+     */
+    ResourceArn?: NonEmptyString;
+  }
+  export type FirewallPolicyStatelessRuleGroupReferencesList = FirewallPolicyStatelessRuleGroupReferencesDetails[];
   export interface GeoLocation {
     /**
      * The longitude of the location.
@@ -9562,6 +9847,18 @@ declare namespace SecurityHub {
      * Details about an Amazon EKS cluster.
      */
     AwsEksCluster?: AwsEksClusterDetails;
+    /**
+     * Details about an Network Firewall firewall policy.
+     */
+    AwsNetworkFirewallFirewallPolicy?: AwsNetworkFirewallFirewallPolicyDetails;
+    /**
+     * Details about an Network Firewall firewall.
+     */
+    AwsNetworkFirewallFirewall?: AwsNetworkFirewallFirewallDetails;
+    /**
+     * Details about an Network Firewall rule group.
+     */
+    AwsNetworkFirewallRuleGroup?: AwsNetworkFirewallRuleGroupDetails;
   }
   export type ResourceList = Resource[];
   export interface Result {
@@ -9575,6 +9872,239 @@ declare namespace SecurityHub {
     ProcessingResult?: NonEmptyString;
   }
   export type ResultList = Result[];
+  export interface RuleGroupDetails {
+    /**
+     * Additional settings to use in the specified rules.
+     */
+    RuleVariables?: RuleGroupVariables;
+    /**
+     * The rules and actions for the rule group. For stateful rule groups, can contain RulesString, RulesSourceList, or StatefulRules. For stateless rule groups, contains StatelessRulesAndCustomActions.
+     */
+    RulesSource?: RuleGroupSource;
+  }
+  export interface RuleGroupSource {
+    /**
+     * Stateful inspection criteria for a domain list rule group. A domain list rule group determines access by specific protocols to specific domains.
+     */
+    RulesSourceList?: RuleGroupSourceListDetails;
+    /**
+     * Stateful inspection criteria, provided in Suricata compatible intrusion prevention system (IPS) rules.
+     */
+    RulesString?: NonEmptyString;
+    /**
+     * Suricata rule specifications.
+     */
+    StatefulRules?: RuleGroupSourceStatefulRulesList;
+    /**
+     * The stateless rules and custom actions used by a stateless rule group.
+     */
+    StatelessRulesAndCustomActions?: RuleGroupSourceStatelessRulesAndCustomActionsDetails;
+  }
+  export interface RuleGroupSourceCustomActionsDetails {
+    /**
+     * The definition of a custom action.
+     */
+    ActionDefinition?: StatelessCustomActionDefinition;
+    /**
+     * A descriptive name of the custom action.
+     */
+    ActionName?: NonEmptyString;
+  }
+  export type RuleGroupSourceCustomActionsList = RuleGroupSourceCustomActionsDetails[];
+  export interface RuleGroupSourceListDetails {
+    /**
+     * Indicates whether to allow or deny access to the domains listed in Targets.
+     */
+    GeneratedRulesType?: NonEmptyString;
+    /**
+     * The protocols that you want to inspect. Specify LS_SNI for HTTPS. Specify HTTP_HOST for HTTP. You can specify either or both.
+     */
+    TargetTypes?: NonEmptyStringList;
+    /**
+     * The domains that you want to inspect for in your traffic flows. You can provide full domain names, or use the '.' prefix as a wildcard. For example, .example.com matches all domains that end with example.com.
+     */
+    Targets?: NonEmptyStringList;
+  }
+  export interface RuleGroupSourceStatefulRulesDetails {
+    /**
+     * Defines what Network Firewall should do with the packets in a traffic flow when the flow matches the stateful rule criteria.
+     */
+    Action?: NonEmptyString;
+    /**
+     * The stateful inspection criteria for the rule.
+     */
+    Header?: RuleGroupSourceStatefulRulesHeaderDetails;
+    /**
+     * Additional options for the rule.
+     */
+    RuleOptions?: RuleGroupSourceStatefulRulesOptionsList;
+  }
+  export interface RuleGroupSourceStatefulRulesHeaderDetails {
+    /**
+     * The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
+     */
+    Destination?: NonEmptyString;
+    /**
+     * The destination port to inspect for. You can specify an individual port, such as 1994. You also can specify a port range, such as 1990:1994. To match with any port, specify ANY.
+     */
+    DestinationPort?: NonEmptyString;
+    /**
+     * The direction of traffic flow to inspect. If set to ANY, the inspection matches bidirectional traffic, both from the source to the destination and from the destination to the source. If set to FORWARD, the inspection only matches traffic going from the source to the destination.
+     */
+    Direction?: NonEmptyString;
+    /**
+     * The protocol to inspect for. To inspector for all protocols, use IP.
+     */
+    Protocol?: NonEmptyString;
+    /**
+     * The source IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
+     */
+    Source?: NonEmptyString;
+    /**
+     * The source port to inspect for. You can specify an individual port, such as 1994. You also can specify a port range, such as 1990:1994. To match with any port, specify ANY.
+     */
+    SourcePort?: NonEmptyString;
+  }
+  export type RuleGroupSourceStatefulRulesList = RuleGroupSourceStatefulRulesDetails[];
+  export interface RuleGroupSourceStatefulRulesOptionsDetails {
+    /**
+     * A keyword to look for.
+     */
+    Keyword?: NonEmptyString;
+    /**
+     * A list of settings.
+     */
+    Settings?: RuleGroupSourceStatefulRulesRuleOptionsSettingsList;
+  }
+  export type RuleGroupSourceStatefulRulesOptionsList = RuleGroupSourceStatefulRulesOptionsDetails[];
+  export type RuleGroupSourceStatefulRulesRuleOptionsSettingsList = NonEmptyString[];
+  export interface RuleGroupSourceStatelessRuleDefinition {
+    /**
+     * The actions to take on a packet that matches one of the stateless rule definition's match attributes. You must specify a standard action (aws:pass, aws:drop, or aws:forward_to_sfe). You can then add custom actions.
+     */
+    Actions?: NonEmptyStringList;
+    /**
+     * The criteria for Network Firewall to use to inspect an individual packet in a stateless rule inspection.
+     */
+    MatchAttributes?: RuleGroupSourceStatelessRuleMatchAttributes;
+  }
+  export interface RuleGroupSourceStatelessRuleMatchAttributes {
+    /**
+     * A list of port ranges to specify the destination ports to inspect for.
+     */
+    DestinationPorts?: RuleGroupSourceStatelessRuleMatchAttributesDestinationPortsList;
+    /**
+     * The destination IP addresses and address ranges to inspect for, in CIDR notation.
+     */
+    Destinations?: RuleGroupSourceStatelessRuleMatchAttributesDestinationsList;
+    /**
+     * The protocols to inspect for.
+     */
+    Protocols?: RuleGroupSourceStatelessRuleMatchAttributesProtocolsList;
+    /**
+     * A list of port ranges to specify the source ports to inspect for.
+     */
+    SourcePorts?: RuleGroupSourceStatelessRuleMatchAttributesSourcePortsList;
+    /**
+     * The source IP addresses and address ranges to inspect for, in CIDR notation.
+     */
+    Sources?: RuleGroupSourceStatelessRuleMatchAttributesSourcesList;
+    /**
+     * The TCP flags and masks to inspect for.
+     */
+    TcpFlags?: RuleGroupSourceStatelessRuleMatchAttributesTcpFlagsList;
+  }
+  export interface RuleGroupSourceStatelessRuleMatchAttributesDestinationPorts {
+    /**
+     * The starting port value for the port range.
+     */
+    FromPort?: Integer;
+    /**
+     * The ending port value for the port range.
+     */
+    ToPort?: Integer;
+  }
+  export type RuleGroupSourceStatelessRuleMatchAttributesDestinationPortsList = RuleGroupSourceStatelessRuleMatchAttributesDestinationPorts[];
+  export interface RuleGroupSourceStatelessRuleMatchAttributesDestinations {
+    /**
+     * An IP address or a block of IP addresses.
+     */
+    AddressDefinition?: NonEmptyString;
+  }
+  export type RuleGroupSourceStatelessRuleMatchAttributesDestinationsList = RuleGroupSourceStatelessRuleMatchAttributesDestinations[];
+  export type RuleGroupSourceStatelessRuleMatchAttributesProtocolsList = Integer[];
+  export interface RuleGroupSourceStatelessRuleMatchAttributesSourcePorts {
+    /**
+     * The starting port value for the port range.
+     */
+    FromPort?: Integer;
+    /**
+     * The ending port value for the port range.
+     */
+    ToPort?: Integer;
+  }
+  export type RuleGroupSourceStatelessRuleMatchAttributesSourcePortsList = RuleGroupSourceStatelessRuleMatchAttributesSourcePorts[];
+  export interface RuleGroupSourceStatelessRuleMatchAttributesSources {
+    /**
+     * An IP address or a block of IP addresses.
+     */
+    AddressDefinition?: NonEmptyString;
+  }
+  export type RuleGroupSourceStatelessRuleMatchAttributesSourcesList = RuleGroupSourceStatelessRuleMatchAttributesSources[];
+  export interface RuleGroupSourceStatelessRuleMatchAttributesTcpFlags {
+    /**
+     * Defines the flags from the Masks setting that must be set in order for the packet to match. Flags that are listed must be set. Flags that are not listed must not be set.
+     */
+    Flags?: NonEmptyStringList;
+    /**
+     * The set of flags to consider in the inspection. If not specified, then all flags are inspected.
+     */
+    Masks?: NonEmptyStringList;
+  }
+  export type RuleGroupSourceStatelessRuleMatchAttributesTcpFlagsList = RuleGroupSourceStatelessRuleMatchAttributesTcpFlags[];
+  export interface RuleGroupSourceStatelessRulesAndCustomActionsDetails {
+    /**
+     * Custom actions for the rule group.
+     */
+    CustomActions?: RuleGroupSourceCustomActionsList;
+    /**
+     * Stateless rules for the rule group.
+     */
+    StatelessRules?: RuleGroupSourceStatelessRulesList;
+  }
+  export interface RuleGroupSourceStatelessRulesDetails {
+    /**
+     * Indicates the order in which to run this rule relative to all of the rules in the stateless rule group.
+     */
+    Priority?: Integer;
+    /**
+     * Provides the definition of the stateless rule.
+     */
+    RuleDefinition?: RuleGroupSourceStatelessRuleDefinition;
+  }
+  export type RuleGroupSourceStatelessRulesList = RuleGroupSourceStatelessRulesDetails[];
+  export interface RuleGroupVariables {
+    /**
+     * A list of IP addresses and address ranges, in CIDR notation.
+     */
+    IpSets?: RuleGroupVariablesIpSetsDetails;
+    /**
+     * A list of port ranges.
+     */
+    PortSets?: RuleGroupVariablesPortSetsDetails;
+  }
+  export interface RuleGroupVariablesIpSetsDetails {
+    /**
+     * The list of IP addresses and ranges.
+     */
+    Definition?: NonEmptyStringList;
+  }
+  export interface RuleGroupVariablesPortSetsDetails {
+    /**
+     * The list of port ranges.
+     */
+    Definition?: NonEmptyStringList;
+  }
   export type SecurityGroups = NonEmptyString[];
   export interface SensitiveDataDetections {
     /**
@@ -9748,6 +10278,12 @@ declare namespace SecurityHub {
   export type StandardsControls = StandardsControl[];
   export type StandardsInputParameterMap = {[key: string]: NonEmptyString};
   export type StandardsStatus = "PENDING"|"READY"|"FAILED"|"DELETING"|"INCOMPLETE"|string;
+  export interface StandardsStatusReason {
+    /**
+     * The reason code that represents the reason for the current status of a standard subscription.
+     */
+    StatusReasonCode: StatusReasonCode;
+  }
   export interface StandardsSubscription {
     /**
      * The ARN of a resource that represents your subscription to a supported standard.
@@ -9765,6 +10301,10 @@ declare namespace SecurityHub {
      * The status of the standard subscription. The status values are as follows:    PENDING - Standard is in the process of being enabled.    READY - Standard is enabled.    INCOMPLETE - Standard could not be enabled completely. Some controls may not be available.    DELETING - Standard is in the process of being disabled.    FAILED - Standard could not be disabled.  
      */
     StandardsStatus: StandardsStatus;
+    /**
+     * The reason for the current status.
+     */
+    StandardsStatusReason?: StandardsStatusReason;
   }
   export type StandardsSubscriptionArns = NonEmptyString[];
   export interface StandardsSubscriptionRequest {
@@ -9779,6 +10319,25 @@ declare namespace SecurityHub {
   }
   export type StandardsSubscriptionRequests = StandardsSubscriptionRequest[];
   export type StandardsSubscriptions = StandardsSubscription[];
+  export interface StatelessCustomActionDefinition {
+    /**
+     * Information about metrics to publish to CloudWatch.
+     */
+    PublishMetricAction?: StatelessCustomPublishMetricAction;
+  }
+  export interface StatelessCustomPublishMetricAction {
+    /**
+     * Defines CloudWatch dimension values to publish.
+     */
+    Dimensions?: StatelessCustomPublishMetricActionDimensionsList;
+  }
+  export interface StatelessCustomPublishMetricActionDimension {
+    /**
+     * The value to use for the custom metric dimension.
+     */
+    Value?: NonEmptyString;
+  }
+  export type StatelessCustomPublishMetricActionDimensionsList = StatelessCustomPublishMetricActionDimension[];
   export interface StatusReason {
     /**
      * A code that represents a reason for the control status. For the list of status reason codes and their meanings, see Standards-related information in the ASFF in the Security Hub User Guide. 
@@ -9789,6 +10348,7 @@ declare namespace SecurityHub {
      */
     Description?: NonEmptyString;
   }
+  export type StatusReasonCode = "NO_AVAILABLE_CONFIGURATION_RECORDER"|"INTERNAL_ERROR"|string;
   export type StatusReasonsList = StatusReason[];
   export interface StringFilter {
     /**