npm - cdk-lambda-subminute - Versions diffs - 2.0.310 → 2.0.312 - Mend

cdk-lambda-subminute 2.0.310 → 2.0.312

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (176) hide show

package/node_modules/aws-sdk/clients/securityhub.d.ts CHANGED Viewed

@@ -59,6 +59,14 @@ declare class SecurityHub extends Service {
    *  Retrieves a list of details for automation rules based on rule Amazon Resource Names (ARNs).
    */
   batchGetAutomationRules(callback?: (err: AWSError, data: SecurityHub.Types.BatchGetAutomationRulesResponse) => void): Request<SecurityHub.Types.BatchGetAutomationRulesResponse, AWSError>;
+  /**
+   *  Returns associations between an Security Hub configuration and a batch of target accounts, organizational units, or the root. Only the Security Hub delegated administrator can invoke this operation from the home Region. A configuration can refer to a configuration policy or to a self-managed configuration.
+   */
+  batchGetConfigurationPolicyAssociations(params: SecurityHub.Types.BatchGetConfigurationPolicyAssociationsRequest, callback?: (err: AWSError, data: SecurityHub.Types.BatchGetConfigurationPolicyAssociationsResponse) => void): Request<SecurityHub.Types.BatchGetConfigurationPolicyAssociationsResponse, AWSError>;
+  /**
+   *  Returns associations between an Security Hub configuration and a batch of target accounts, organizational units, or the root. Only the Security Hub delegated administrator can invoke this operation from the home Region. A configuration can refer to a configuration policy or to a self-managed configuration.
+   */
+  batchGetConfigurationPolicyAssociations(callback?: (err: AWSError, data: SecurityHub.Types.BatchGetConfigurationPolicyAssociationsResponse) => void): Request<SecurityHub.Types.BatchGetConfigurationPolicyAssociationsResponse, AWSError>;
   /**
    *  Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region.
    */
@@ -123,6 +131,14 @@ declare class SecurityHub extends Service {
    *  Creates an automation rule based on input parameters.
    */
   createAutomationRule(callback?: (err: AWSError, data: SecurityHub.Types.CreateAutomationRuleResponse) => void): Request<SecurityHub.Types.CreateAutomationRuleResponse, AWSError>;
+  /**
+   *  Creates a configuration policy with the defined configuration. Only the Security Hub delegated administrator can invoke this operation from the home Region.
+   */
+  createConfigurationPolicy(params: SecurityHub.Types.CreateConfigurationPolicyRequest, callback?: (err: AWSError, data: SecurityHub.Types.CreateConfigurationPolicyResponse) => void): Request<SecurityHub.Types.CreateConfigurationPolicyResponse, AWSError>;
+  /**
+   *  Creates a configuration policy with the defined configuration. Only the Security Hub delegated administrator can invoke this operation from the home Region.
+   */
+  createConfigurationPolicy(callback?: (err: AWSError, data: SecurityHub.Types.CreateConfigurationPolicyResponse) => void): Request<SecurityHub.Types.CreateConfigurationPolicyResponse, AWSError>;
   /**
    * Used to enable finding aggregation. Must be called from the aggregation Region. For more details about cross-Region replication, see Configuring finding aggregation in the Security Hub User Guide.
    */
@@ -163,6 +179,14 @@ declare class SecurityHub extends Service {
    * Deletes a custom action target from Security Hub. Deleting a custom action target does not affect any findings or insights that were already sent to Amazon CloudWatch Events using the custom action.
    */
   deleteActionTarget(callback?: (err: AWSError, data: SecurityHub.Types.DeleteActionTargetResponse) => void): Request<SecurityHub.Types.DeleteActionTargetResponse, AWSError>;
+  /**
+   *  Deletes a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region. For the deletion to succeed, you must first disassociate a configuration policy from target accounts, organizational units, or the root by invoking the StartConfigurationPolicyDisassociation operation.
+   */
+  deleteConfigurationPolicy(params: SecurityHub.Types.DeleteConfigurationPolicyRequest, callback?: (err: AWSError, data: SecurityHub.Types.DeleteConfigurationPolicyResponse) => void): Request<SecurityHub.Types.DeleteConfigurationPolicyResponse, AWSError>;
+  /**
+   *  Deletes a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region. For the deletion to succeed, you must first disassociate a configuration policy from target accounts, organizational units, or the root by invoking the StartConfigurationPolicyDisassociation operation.
+   */
+  deleteConfigurationPolicy(callback?: (err: AWSError, data: SecurityHub.Types.DeleteConfigurationPolicyResponse) => void): Request<SecurityHub.Types.DeleteConfigurationPolicyResponse, AWSError>;
   /**
    * Deletes a finding aggregator. When you delete the finding aggregator, you stop finding aggregation. When you stop finding aggregation, findings that were already aggregated to the aggregation Region are still visible from the aggregation Region. New findings and finding updates are not aggregated.
    */
@@ -212,11 +236,11 @@ declare class SecurityHub extends Service {
    */
   describeHub(callback?: (err: AWSError, data: SecurityHub.Types.DescribeHubResponse) => void): Request<SecurityHub.Types.DescribeHubResponse, AWSError>;
   /**
-   * Returns information about the Organizations configuration for Security Hub. Can only be called from a Security Hub administrator account.
+   * Returns information about the way your organization is configured in Security Hub. Only the Security Hub administrator account can invoke this operation.
    */
   describeOrganizationConfiguration(params: SecurityHub.Types.DescribeOrganizationConfigurationRequest, callback?: (err: AWSError, data: SecurityHub.Types.DescribeOrganizationConfigurationResponse) => void): Request<SecurityHub.Types.DescribeOrganizationConfigurationResponse, AWSError>;
   /**
-   * Returns information about the Organizations configuration for Security Hub. Can only be called from a Security Hub administrator account.
+   * Returns information about the way your organization is configured in Security Hub. Only the Security Hub administrator account can invoke this operation.
    */
   describeOrganizationConfiguration(callback?: (err: AWSError, data: SecurityHub.Types.DescribeOrganizationConfigurationResponse) => void): Request<SecurityHub.Types.DescribeOrganizationConfigurationResponse, AWSError>;
   /**
@@ -323,6 +347,22 @@ declare class SecurityHub extends Service {
    * Provides the details for the Security Hub administrator account for the current member account. Can be used by both member accounts that are managed using Organizations and accounts that were invited manually.
    */
   getAdministratorAccount(callback?: (err: AWSError, data: SecurityHub.Types.GetAdministratorAccountResponse) => void): Request<SecurityHub.Types.GetAdministratorAccountResponse, AWSError>;
+  /**
+   *  Provides information about a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region.
+   */
+  getConfigurationPolicy(params: SecurityHub.Types.GetConfigurationPolicyRequest, callback?: (err: AWSError, data: SecurityHub.Types.GetConfigurationPolicyResponse) => void): Request<SecurityHub.Types.GetConfigurationPolicyResponse, AWSError>;
+  /**
+   *  Provides information about a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region.
+   */
+  getConfigurationPolicy(callback?: (err: AWSError, data: SecurityHub.Types.GetConfigurationPolicyResponse) => void): Request<SecurityHub.Types.GetConfigurationPolicyResponse, AWSError>;
+  /**
+   *  Returns the association between a configuration and a target account, organizational unit, or the root. The configuration can be a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
+   */
+  getConfigurationPolicyAssociation(params: SecurityHub.Types.GetConfigurationPolicyAssociationRequest, callback?: (err: AWSError, data: SecurityHub.Types.GetConfigurationPolicyAssociationResponse) => void): Request<SecurityHub.Types.GetConfigurationPolicyAssociationResponse, AWSError>;
+  /**
+   *  Returns the association between a configuration and a target account, organizational unit, or the root. The configuration can be a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
+   */
+  getConfigurationPolicyAssociation(callback?: (err: AWSError, data: SecurityHub.Types.GetConfigurationPolicyAssociationResponse) => void): Request<SecurityHub.Types.GetConfigurationPolicyAssociationResponse, AWSError>;
   /**
    * Returns a list of the standards that are currently enabled.
    */
@@ -395,6 +435,14 @@ declare class SecurityHub extends Service {
    * Returns the details for the Security Hub member accounts for the specified account IDs. An administrator account can be either the delegated Security Hub administrator account for an organization or an administrator account that enabled Security Hub manually. The results include both member accounts that are managed using Organizations and accounts that were invited manually.
    */
   getMembers(callback?: (err: AWSError, data: SecurityHub.Types.GetMembersResponse) => void): Request<SecurityHub.Types.GetMembersResponse, AWSError>;
+  /**
+   *  Retrieves the definition of a security control. The definition includes the control title, description, Region availability, parameter definitions, and other details.
+   */
+  getSecurityControlDefinition(params: SecurityHub.Types.GetSecurityControlDefinitionRequest, callback?: (err: AWSError, data: SecurityHub.Types.GetSecurityControlDefinitionResponse) => void): Request<SecurityHub.Types.GetSecurityControlDefinitionResponse, AWSError>;
+  /**
+   *  Retrieves the definition of a security control. The definition includes the control title, description, Region availability, parameter definitions, and other details.
+   */
+  getSecurityControlDefinition(callback?: (err: AWSError, data: SecurityHub.Types.GetSecurityControlDefinitionResponse) => void): Request<SecurityHub.Types.GetSecurityControlDefinitionResponse, AWSError>;
   /**
    * Invites other Amazon Web Services accounts to become member accounts for the Security Hub administrator account that the invitation is sent from. This operation is only used to invite accounts that do not belong to an organization. Organization accounts do not receive invitations. Before you can use this action to invite a member, you must first use the CreateMembers action to create the member account in Security Hub. When the account owner enables Security Hub and accepts the invitation to become a member account, the administrator account can view the findings generated from the member account.
    */
@@ -411,6 +459,22 @@ declare class SecurityHub extends Service {
    *  A list of automation rules and their metadata for the calling account.
    */
   listAutomationRules(callback?: (err: AWSError, data: SecurityHub.Types.ListAutomationRulesResponse) => void): Request<SecurityHub.Types.ListAutomationRulesResponse, AWSError>;
+  /**
+   *  Lists the configuration policies that the Security Hub delegated administrator has created for your organization. Only the delegated administrator can invoke this operation from the home Region.
+   */
+  listConfigurationPolicies(params: SecurityHub.Types.ListConfigurationPoliciesRequest, callback?: (err: AWSError, data: SecurityHub.Types.ListConfigurationPoliciesResponse) => void): Request<SecurityHub.Types.ListConfigurationPoliciesResponse, AWSError>;
+  /**
+   *  Lists the configuration policies that the Security Hub delegated administrator has created for your organization. Only the delegated administrator can invoke this operation from the home Region.
+   */
+  listConfigurationPolicies(callback?: (err: AWSError, data: SecurityHub.Types.ListConfigurationPoliciesResponse) => void): Request<SecurityHub.Types.ListConfigurationPoliciesResponse, AWSError>;
+  /**
+   *  Provides information about the associations for your configuration policies and self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
+   */
+  listConfigurationPolicyAssociations(params: SecurityHub.Types.ListConfigurationPolicyAssociationsRequest, callback?: (err: AWSError, data: SecurityHub.Types.ListConfigurationPolicyAssociationsResponse) => void): Request<SecurityHub.Types.ListConfigurationPolicyAssociationsResponse, AWSError>;
+  /**
+   *  Provides information about the associations for your configuration policies and self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
+   */
+  listConfigurationPolicyAssociations(callback?: (err: AWSError, data: SecurityHub.Types.ListConfigurationPolicyAssociationsResponse) => void): Request<SecurityHub.Types.ListConfigurationPolicyAssociationsResponse, AWSError>;
   /**
    * Lists all findings-generating solutions (products) that you are subscribed to receive findings from in Security Hub.
    */
@@ -475,6 +539,22 @@ declare class SecurityHub extends Service {
    * Returns a list of tags associated with a resource.
    */
   listTagsForResource(callback?: (err: AWSError, data: SecurityHub.Types.ListTagsForResourceResponse) => void): Request<SecurityHub.Types.ListTagsForResourceResponse, AWSError>;
+  /**
+   *  Associates a target account, organizational unit, or the root with a specified configuration. The target can be associated with a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
+   */
+  startConfigurationPolicyAssociation(params: SecurityHub.Types.StartConfigurationPolicyAssociationRequest, callback?: (err: AWSError, data: SecurityHub.Types.StartConfigurationPolicyAssociationResponse) => void): Request<SecurityHub.Types.StartConfigurationPolicyAssociationResponse, AWSError>;
+  /**
+   *  Associates a target account, organizational unit, or the root with a specified configuration. The target can be associated with a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
+   */
+  startConfigurationPolicyAssociation(callback?: (err: AWSError, data: SecurityHub.Types.StartConfigurationPolicyAssociationResponse) => void): Request<SecurityHub.Types.StartConfigurationPolicyAssociationResponse, AWSError>;
+  /**
+   *  Disassociates a target account, organizational unit, or the root from a specified configuration. When you disassociate a configuration from its target, the target inherits the configuration of the closest parent. If there’s no configuration to inherit, the target retains its settings but becomes a self-managed account. A target can be disassociated from a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
+   */
+  startConfigurationPolicyDisassociation(params: SecurityHub.Types.StartConfigurationPolicyDisassociationRequest, callback?: (err: AWSError, data: SecurityHub.Types.StartConfigurationPolicyDisassociationResponse) => void): Request<SecurityHub.Types.StartConfigurationPolicyDisassociationResponse, AWSError>;
+  /**
+   *  Disassociates a target account, organizational unit, or the root from a specified configuration. When you disassociate a configuration from its target, the target inherits the configuration of the closest parent. If there’s no configuration to inherit, the target retains its settings but becomes a self-managed account. A target can be disassociated from a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
+   */
+  startConfigurationPolicyDisassociation(callback?: (err: AWSError, data: SecurityHub.Types.StartConfigurationPolicyDisassociationResponse) => void): Request<SecurityHub.Types.StartConfigurationPolicyDisassociationResponse, AWSError>;
   /**
    * Adds one or more tags to a resource.
    */
@@ -499,6 +579,14 @@ declare class SecurityHub extends Service {
    * Updates the name and description of a custom action target in Security Hub.
    */
   updateActionTarget(callback?: (err: AWSError, data: SecurityHub.Types.UpdateActionTargetResponse) => void): Request<SecurityHub.Types.UpdateActionTargetResponse, AWSError>;
+  /**
+   *  Updates a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region.
+   */
+  updateConfigurationPolicy(params: SecurityHub.Types.UpdateConfigurationPolicyRequest, callback?: (err: AWSError, data: SecurityHub.Types.UpdateConfigurationPolicyResponse) => void): Request<SecurityHub.Types.UpdateConfigurationPolicyResponse, AWSError>;
+  /**
+   *  Updates a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region.
+   */
+  updateConfigurationPolicy(callback?: (err: AWSError, data: SecurityHub.Types.UpdateConfigurationPolicyResponse) => void): Request<SecurityHub.Types.UpdateConfigurationPolicyResponse, AWSError>;
   /**
    * Updates the finding aggregation configuration. Used to update the Region linking mode and the list of included or excluded Regions. You cannot use UpdateFindingAggregator to change the aggregation Region. You must run UpdateFindingAggregator from the current aggregation Region.
    */
@@ -524,13 +612,21 @@ declare class SecurityHub extends Service {
    */
   updateInsight(callback?: (err: AWSError, data: SecurityHub.Types.UpdateInsightResponse) => void): Request<SecurityHub.Types.UpdateInsightResponse, AWSError>;
   /**
-   * Used to update the configuration related to Organizations. Can only be called from a Security Hub administrator account.
+   * Updates the configuration of your organization in Security Hub. Only the Security Hub administrator account can invoke this operation.
    */
   updateOrganizationConfiguration(params: SecurityHub.Types.UpdateOrganizationConfigurationRequest, callback?: (err: AWSError, data: SecurityHub.Types.UpdateOrganizationConfigurationResponse) => void): Request<SecurityHub.Types.UpdateOrganizationConfigurationResponse, AWSError>;
   /**
-   * Used to update the configuration related to Organizations. Can only be called from a Security Hub administrator account.
+   * Updates the configuration of your organization in Security Hub. Only the Security Hub administrator account can invoke this operation.
    */
   updateOrganizationConfiguration(callback?: (err: AWSError, data: SecurityHub.Types.UpdateOrganizationConfigurationResponse) => void): Request<SecurityHub.Types.UpdateOrganizationConfigurationResponse, AWSError>;
+  /**
+   *  Updates the properties of a security control.
+   */
+  updateSecurityControl(params: SecurityHub.Types.UpdateSecurityControlRequest, callback?: (err: AWSError, data: SecurityHub.Types.UpdateSecurityControlResponse) => void): Request<SecurityHub.Types.UpdateSecurityControlResponse, AWSError>;
+  /**
+   *  Updates the properties of a security control.
+   */
+  updateSecurityControl(callback?: (err: AWSError, data: SecurityHub.Types.UpdateSecurityControlResponse) => void): Request<SecurityHub.Types.UpdateSecurityControlResponse, AWSError>;
   /**
    * Updates configuration options for Security Hub.
    */
@@ -696,6 +792,7 @@ declare namespace SecurityHub {
   export type AdminAccounts = AdminAccount[];
   export type AdminStatus = "ENABLED"|"DISABLE_IN_PROGRESS"|string;
   export type AdminsMaxResults = number;
+  export type AlphaNumericNonEmptyString = string;
   export type ArnList = NonEmptyString[];
   export interface AssociatedStandard {
     /**
@@ -704,6 +801,20 @@ declare namespace SecurityHub {
     StandardsId?: NonEmptyString;
   }
   export type AssociatedStandardsList = AssociatedStandard[];
+  export interface AssociationFilters {
+    /**
+     *  The ARN or UUID of the configuration policy.
+     */
+    ConfigurationPolicyId?: NonEmptyString;
+    /**
+     *  Indicates whether the association between a target and a configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
+     */
+    AssociationType?: AssociationType;
+    /**
+     *  The current status of the association between a target and a configuration policy.
+     */
+    AssociationStatus?: ConfigurationPolicyAssociationStatus;
+  }
   export interface AssociationSetDetails {
     /**
      *  The state of the association between a route table and a subnet or gateway.
@@ -742,6 +853,7 @@ declare namespace SecurityHub {
     StatusMessage?: NonEmptyString;
   }
   export type AssociationStatus = "ENABLED"|"DISABLED"|string;
+  export type AssociationType = "INHERITED"|"APPLIED"|string;
   export type AutoEnableStandards = "NONE"|"DEFAULT"|string;
   export interface AutomationRulesAction {
     /**
@@ -837,7 +949,7 @@ declare namespace SecurityHub {
      */
     ProductArn?: StringFilterList;
     /**
-     *  The Amazon Web Services account ID in which a finding was generated.   Array Members: Minimum number of 1 item. Maximum number of 100 items.
+     * The Amazon Web Services account ID in which a finding was generated.  Array Members: Minimum number of 1 item. Maximum number of 100 items.
      */
     AwsAccountId?: StringFilterList;
     /**
@@ -972,6 +1084,18 @@ declare namespace SecurityHub {
      *  A list of user-defined name and value string pairs added to a finding.   Array Members: Minimum number of 1 item. Maximum number of 20 items.
      */
     UserDefinedFields?: MapFilterList;
+    /**
+     *  The Amazon Resource Name (ARN) of the application that is related to a finding.   Array Members: Minimum number of 1 item. Maximum number of 20 items.
+     */
+    ResourceApplicationArn?: StringFilterList;
+    /**
+     *  The name of the application that is related to a finding.   Array Members: Minimum number of 1 item. Maximum number of 20 items.
+     */
+    ResourceApplicationName?: StringFilterList;
+    /**
+     * The name of the Amazon Web Services account in which a finding was generated.   Array Members: Minimum number of 1 item. Maximum number of 20 items.
+     */
+    AwsAccountName?: StringFilterList;
   }
   export interface AutomationRulesMetadata {
     /**
@@ -10415,6 +10539,14 @@ declare namespace SecurityHub {
      * Provides metadata for the Amazon CodeGuru detector associated with a finding. This field pertains to findings that relate to Lambda functions. Amazon Inspector identifies policy violations and vulnerabilities in Lambda function code based on internal detectors developed in collaboration with Amazon CodeGuru. Security Hub receives those findings.
      */
     GeneratorDetails?: GeneratorDetails;
+    /**
+     * An ISO8601-formatted timestamp that indicates when Security Hub received a finding and begins to process it. A correctly formatted example is 2020-05-21T20:16:34.724Z. The value cannot contain spaces, and date and time should be separated by T. For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
+     */
+    ProcessedAt?: NonEmptyString;
+    /**
+     * The name of the Amazon Web Services account from which a finding was generated.
+     */
+    AwsAccountName?: NonEmptyString;
   }
   export interface AwsSecurityFindingFilters {
     /**
@@ -10422,7 +10554,7 @@ declare namespace SecurityHub {
      */
     ProductArn?: StringFilterList;
     /**
-     * The Amazon Web Services account ID that a finding is generated in.
+     * The Amazon Web Services account ID in which a finding is generated.
      */
     AwsAccountId?: StringFilterList;
     /**
@@ -10805,6 +10937,34 @@ declare namespace SecurityHub {
      *  The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response.
      */
     ComplianceAssociatedStandardsId?: StringFilterList;
+    /**
+     *  Indicates whether a software vulnerability in your environment has a known exploit. You can filter findings by this field only if you use Security Hub and Amazon Inspector.
+     */
+    VulnerabilitiesExploitAvailable?: StringFilterList;
+    /**
+     *  Indicates whether a vulnerability is fixed in a newer version of the affected software packages. You can filter findings by this field only if you use Security Hub and Amazon Inspector.
+     */
+    VulnerabilitiesFixAvailable?: StringFilterList;
+    /**
+     *  The name of a security control parameter.
+     */
+    ComplianceSecurityControlParametersName?: StringFilterList;
+    /**
+     *  The current value of a security control parameter.
+     */
+    ComplianceSecurityControlParametersValue?: StringFilterList;
+    /**
+     * The name of the Amazon Web Services account in which a finding is generated.
+     */
+    AwsAccountName?: StringFilterList;
+    /**
+     *  The name of the application that is related to a finding.
+     */
+    ResourceApplicationName?: StringFilterList;
+    /**
+     *  The ARN of the application that is related to a finding.
+     */
+    ResourceApplicationArn?: StringFilterList;
   }
   export interface AwsSecurityFindingIdentifier {
     /**
@@ -11660,6 +11820,22 @@ declare namespace SecurityHub {
      */
     UnprocessedAutomationRules?: UnprocessedAutomationRulesList;
   }
+  export interface BatchGetConfigurationPolicyAssociationsRequest {
+    /**
+     *  Specifies one or more target account IDs, organizational unit (OU) IDs, or the root ID to retrieve associations for.
+     */
+    ConfigurationPolicyAssociationIdentifiers: ConfigurationPolicyAssociationsList;
+  }
+  export interface BatchGetConfigurationPolicyAssociationsResponse {
+    /**
+     *  Describes associations for the target accounts, OUs, or the root.
+     */
+    ConfigurationPolicyAssociations?: ConfigurationPolicyAssociationList;
+    /**
+     *  An array of configuration policy associations, one for each configuration policy association identifier, that was specified in the request but couldn’t be processed due to an error.
+     */
+    UnprocessedConfigurationPolicyAssociations?: UnprocessedConfigurationPolicyAssociationList;
+  }
   export interface BatchGetSecurityControlsRequest {
     /**
      *  A list of security controls (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters). The security control ID or Amazon Resource Name (ARN) is the same across standards.
@@ -11806,6 +11982,12 @@ declare namespace SecurityHub {
     UnprocessedAssociationUpdates?: UnprocessedStandardsControlAssociationUpdates;
   }
   export type Boolean = boolean;
+  export interface BooleanConfigurationOptions {
+    /**
+     *  The Security Hub default value for a boolean parameter.
+     */
+    DefaultValue?: Boolean;
+  }
   export interface BooleanFilter {
     /**
      * The value of the boolean.
@@ -11943,8 +12125,113 @@ declare namespace SecurityHub {
      * The enabled security standards in which a security control is currently enabled.
      */
     AssociatedStandards?: AssociatedStandardsList;
+    /**
+     *  An object that includes security control parameter names and values.
+     */
+    SecurityControlParameters?: SecurityControlParametersList;
   }
   export type ComplianceStatus = "PASSED"|"WARNING"|"FAILED"|"NOT_AVAILABLE"|string;
+  export interface ConfigurationOptions {
+    /**
+     *  The options for customizing a security control parameter that is an integer.
+     */
+    Integer?: IntegerConfigurationOptions;
+    /**
+     *  The options for customizing a security control parameter that is a list of integers.
+     */
+    IntegerList?: IntegerListConfigurationOptions;
+    /**
+     *  The options for customizing a security control parameter that is a double.
+     */
+    Double?: DoubleConfigurationOptions;
+    /**
+     *  The options for customizing a security control parameter that is a string data type.
+     */
+    String?: StringConfigurationOptions;
+    /**
+     *  The options for customizing a security control parameter that is a list of strings.
+     */
+    StringList?: StringListConfigurationOptions;
+    /**
+     *  The options for customizing a security control parameter that is a boolean. For a boolean parameter, the options are true and false.
+     */
+    Boolean?: BooleanConfigurationOptions;
+    /**
+     *  The options for customizing a security control parameter that is an enum.
+     */
+    Enum?: EnumConfigurationOptions;
+    /**
+     *  The options for customizing a security control parameter that is a list of enums.
+     */
+    EnumList?: EnumListConfigurationOptions;
+  }
+  export interface ConfigurationPolicyAssociation {
+    /**
+     *  The target account, organizational unit, or the root.
+     */
+    Target?: Target;
+  }
+  export type ConfigurationPolicyAssociationList = ConfigurationPolicyAssociationSummary[];
+  export type ConfigurationPolicyAssociationStatus = "PENDING"|"SUCCESS"|"FAILED"|string;
+  export interface ConfigurationPolicyAssociationSummary {
+    /**
+     *  The universally unique identifier (UUID) of the configuration policy.
+     */
+    ConfigurationPolicyId?: NonEmptyString;
+    /**
+     *  The identifier of the target account, organizational unit, or the root.
+     */
+    TargetId?: NonEmptyString;
+    /**
+     *  Specifies whether the target is an Amazon Web Services account, organizational unit, or the root.
+     */
+    TargetType?: TargetType;
+    /**
+     *  Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
+     */
+    AssociationType?: AssociationType;
+    /**
+     *  The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated.
+     */
+    UpdatedAt?: Timestamp;
+    /**
+     *  The current status of the association between the specified target and the configuration.
+     */
+    AssociationStatus?: ConfigurationPolicyAssociationStatus;
+    /**
+     *  The explanation for a FAILED value for AssociationStatus.
+     */
+    AssociationStatusMessage?: NonEmptyString;
+  }
+  export type ConfigurationPolicyAssociationSummaryList = ConfigurationPolicyAssociationSummary[];
+  export type ConfigurationPolicyAssociationsList = ConfigurationPolicyAssociation[];
+  export interface ConfigurationPolicySummary {
+    /**
+     *  The Amazon Resource Name (ARN) of the configuration policy.
+     */
+    Arn?: NonEmptyString;
+    /**
+     *  The universally unique identifier (UUID) of the configuration policy.
+     */
+    Id?: NonEmptyString;
+    /**
+     *  The name of the configuration policy.
+     */
+    Name?: NonEmptyString;
+    /**
+     *  The description of the configuration policy.
+     */
+    Description?: NonEmptyString;
+    /**
+     *  The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated.
+     */
+    UpdatedAt?: Timestamp;
+    /**
+     *  Indicates whether the service that the configuration policy applies to is enabled in the policy.
+     */
+    ServiceEnabled?: Boolean;
+  }
+  export type ConfigurationPolicySummaryList = ConfigurationPolicySummary[];
   export interface ContainerDetails {
     /**
      * The runtime of the container.
@@ -12009,7 +12296,7 @@ declare namespace SecurityHub {
   }
   export interface CreateAutomationRuleRequest {
     /**
-     *  User-defined tags that help you label the purpose of a rule.
+     *  User-defined tags associated with an automation rule.
      */
     Tags?: TagMap;
     /**
@@ -12047,6 +12334,54 @@ declare namespace SecurityHub {
      */
     RuleArn?: NonEmptyString;
   }
+  export interface CreateConfigurationPolicyRequest {
+    /**
+     *  The name of the configuration policy.
+     */
+    Name: NonEmptyString;
+    /**
+     *  The description of the configuration policy.
+     */
+    Description?: NonEmptyString;
+    /**
+     *  An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
+     */
+    ConfigurationPolicy: Policy;
+    /**
+     *  User-defined tags associated with a configuration policy. For more information, see Tagging Security Hub resources in the Security Hub user guide.
+     */
+    Tags?: TagMap;
+  }
+  export interface CreateConfigurationPolicyResponse {
+    /**
+     *  The Amazon Resource Name (ARN) of the configuration policy.
+     */
+    Arn?: NonEmptyString;
+    /**
+     *  The universally unique identifier (UUID) of the configuration policy.
+     */
+    Id?: NonEmptyString;
+    /**
+     *  The name of the configuration policy.
+     */
+    Name?: NonEmptyString;
+    /**
+     *  The description of the configuration policy.
+     */
+    Description?: NonEmptyString;
+    /**
+     *  The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated.
+     */
+    UpdatedAt?: Timestamp;
+    /**
+     *  The date and time, in UTC and ISO 8601 format, that the configuration policy was created.
+     */
+    CreatedAt?: Timestamp;
+    /**
+     *  An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If the request included a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If the request included a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
+     */
+    ConfigurationPolicy?: Policy;
+  }
   export interface CreateFindingAggregatorRequest {
     /**
      * Indicates whether to aggregate findings from all of the available Regions in the current partition. Also determines whether to automatically aggregate findings from new Regions as Security Hub supports them and you opt into them. The selected option also determines how to use the Regions provided in the Regions list. The options are as follows:    ALL_REGIONS - Indicates to aggregate findings from all of the Regions where Security Hub is enabled. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them.     ALL_REGIONS_EXCEPT_SPECIFIED - Indicates to aggregate findings from all of the Regions where Security Hub is enabled, except for the Regions listed in the Regions parameter. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them.     SPECIFIED_REGIONS - Indicates to aggregate findings only from the Regions listed in the Regions parameter. Security Hub does not automatically aggregate findings from new Regions.
@@ -12137,6 +12472,7 @@ declare namespace SecurityHub {
      */
     TotalCount?: Long;
   }
+  export type CustomizableProperties = SecurityControlProperty[];
   export interface Cvss {
     /**
      * The version of CVSS for the CVSS score.
@@ -12220,6 +12556,14 @@ declare namespace SecurityHub {
      */
     ActionTargetArn: NonEmptyString;
   }
+  export interface DeleteConfigurationPolicyRequest {
+    /**
+     *  The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy.
+     */
+    Identifier: NonEmptyString;
+  }
+  export interface DeleteConfigurationPolicyResponse {
+  }
   export interface DeleteFindingAggregatorRequest {
     /**
      * The ARN of the finding aggregator to delete. To obtain the ARN, use ListFindingAggregators.
@@ -12316,7 +12660,7 @@ declare namespace SecurityHub {
   }
   export interface DescribeOrganizationConfigurationResponse {
     /**
-     * Whether to automatically enable Security Hub for new accounts in the organization. If set to true, then Security Hub is enabled for new accounts. If set to false, then new accounts are not added automatically.
+     * Whether to automatically enable Security Hub in new member accounts when they join the organization. If set to true, then Security Hub is automatically enabled in new accounts. If set to false, then Security Hub isn't enabled in new accounts automatically. The default value is false. If the ConfigurationType of your organization is set to CENTRAL, then this field is set to false and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which Security Hub is enabled and associate the policy with new organization accounts.
      */
     AutoEnable?: Boolean;
     /**
@@ -12324,9 +12668,10 @@ declare namespace SecurityHub {
      */
     MemberAccountLimitReached?: Boolean;
     /**
-     * Whether to automatically enable Security Hub default standards for new member accounts in the organization. The default value of this parameter is equal to DEFAULT. If equal to DEFAULT, then Security Hub default standards are automatically enabled for new member accounts. If equal to NONE, then default standards are not automatically enabled for new member accounts.
+     * Whether to automatically enable Security Hub default standards in new member accounts when they join the organization. If equal to DEFAULT, then Security Hub default standards are automatically enabled for new member accounts. If equal to NONE, then default standards are not automatically enabled for new member accounts. The default value of this parameter is equal to DEFAULT. If the ConfigurationType of your organization is set to CENTRAL, then this field is set to NONE and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which specific security standards are enabled and associate the policy with new organization accounts.
      */
     AutoEnableStandards?: AutoEnableStandards;
+    OrganizationConfiguration?: OrganizationConfiguration;
   }
   export interface DescribeProductsRequest {
     /**
@@ -12416,6 +12761,7 @@ declare namespace SecurityHub {
   }
   export interface DisableSecurityHubResponse {
   }
+  export type DisabledSecurityControlIdentifierList = NonEmptyString[];
   export interface DisassociateFromAdministratorAccountRequest {
   }
   export interface DisassociateFromAdministratorAccountResponse {
@@ -12447,6 +12793,20 @@ declare namespace SecurityHub {
     Blocked?: Boolean;
   }
   export type Double = number;
+  export interface DoubleConfigurationOptions {
+    /**
+     *  The Security Hub default value for a control parameter that is a double.
+     */
+    DefaultValue?: Double;
+    /**
+     *  The minimum valid value for a control parameter that is a double.
+     */
+    Min?: Double;
+    /**
+     *  The maximum valid value for a control parameter that is a double.
+     */
+    Max?: Double;
+  }
   export interface EnableImportFindingsForProductRequest {
     /**
      * The ARN of the product to enable the integration for.
@@ -12483,6 +12843,32 @@ declare namespace SecurityHub {
   }
   export interface EnableSecurityHubResponse {
   }
+  export type EnabledSecurityControlIdentifierList = NonEmptyString[];
+  export type EnabledStandardIdentifierList = NonEmptyString[];
+  export interface EnumConfigurationOptions {
+    /**
+     *  The Security Hub default value for a control parameter that is an enum.
+     */
+    DefaultValue?: NonEmptyString;
+    /**
+     *  The valid values for a control parameter that is an enum.
+     */
+    AllowedValues?: StringList;
+  }
+  export interface EnumListConfigurationOptions {
+    /**
+     *  The Security Hub default value for a control parameter that is a list of enums.
+     */
+    DefaultValue?: StringList;
+    /**
+     *  The maximum number of list items that an enum list control parameter can accept.
+     */
+    MaxItems?: Integer;
+    /**
+     *  The valid values for a control parameter that is a list of enums.
+     */
+    AllowedValues?: StringList;
+  }
   export type FieldMap = {[key: string]: NonEmptyString};
   export type FilePathList = FilePaths[];
   export interface FilePaths {
@@ -12672,6 +13058,78 @@ declare namespace SecurityHub {
   export interface GetAdministratorAccountResponse {
     Administrator?: Invitation;
   }
+  export interface GetConfigurationPolicyAssociationRequest {
+    /**
+     *  The target account ID, organizational unit ID, or the root ID to retrieve the association for.
+     */
+    Target: Target;
+  }
+  export interface GetConfigurationPolicyAssociationResponse {
+    /**
+     *  The universally unique identifier (UUID) of a configuration policy. For self-managed behavior, the value is SELF_MANAGED_SECURITY_HUB.
+     */
+    ConfigurationPolicyId?: NonEmptyString;
+    /**
+     *  The target account ID, organizational unit ID, or the root ID for which the association is retrieved.
+     */
+    TargetId?: NonEmptyString;
+    /**
+     *  Specifies whether the target is an Amazon Web Services account, organizational unit, or the organization root.
+     */
+    TargetType?: TargetType;
+    /**
+     *  Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
+     */
+    AssociationType?: AssociationType;
+    /**
+     *  The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated.
+     */
+    UpdatedAt?: Timestamp;
+    /**
+     *  The current status of the association between the specified target and the configuration.
+     */
+    AssociationStatus?: ConfigurationPolicyAssociationStatus;
+    /**
+     *  The explanation for a FAILED value for AssociationStatus.
+     */
+    AssociationStatusMessage?: NonEmptyString;
+  }
+  export interface GetConfigurationPolicyRequest {
+    /**
+     *  The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy.
+     */
+    Identifier: NonEmptyString;
+  }
+  export interface GetConfigurationPolicyResponse {
+    /**
+     *  The ARN of the configuration policy.
+     */
+    Arn?: NonEmptyString;
+    /**
+     *  The UUID of the configuration policy.
+     */
+    Id?: NonEmptyString;
+    /**
+     *  The name of the configuration policy.
+     */
+    Name?: NonEmptyString;
+    /**
+     *  The description of the configuration policy.
+     */
+    Description?: NonEmptyString;
+    /**
+     *  The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated.
+     */
+    UpdatedAt?: Timestamp;
+    /**
+     *  The date and time, in UTC and ISO 8601 format, that the configuration policy was created.
+     */
+    CreatedAt?: Timestamp;
+    /**
+     *  An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If the policy includes a list of security controls that are enabled, Security Hub disables all other controls (including newly released controls). If the policy includes a list of security controls that are disabled, Security Hub enables all other controls (including newly released controls).
+     */
+    ConfigurationPolicy?: Policy;
+  }
   export interface GetEnabledStandardsRequest {
     /**
      * The list of the standards subscription ARNs for the standards to retrieve.
@@ -12845,6 +13303,15 @@ declare namespace SecurityHub {
      */
     UnprocessedAccounts?: ResultList;
   }
+  export interface GetSecurityControlDefinitionRequest {
+    /**
+     *  The ID of the security control to retrieve the definition for. This field doesn’t accept an Amazon Resource Name (ARN).
+     */
+    SecurityControlId: NonEmptyString;
+  }
+  export interface GetSecurityControlDefinitionResponse {
+    SecurityControlDefinition: SecurityControlDefinition;
+  }
   export interface IcmpTypeCode {
     /**
      * The ICMP code for which to deny or allow access. To deny or allow all codes, use the value -1.
@@ -12915,7 +13382,39 @@ declare namespace SecurityHub {
     ResultValues: InsightResultValueList;
   }
   export type Integer = number;
+  export interface IntegerConfigurationOptions {
+    /**
+     *  The Security Hub default value for a control parameter that is an integer.
+     */
+    DefaultValue?: Integer;
+    /**
+     *  The minimum valid value for a control parameter that is an integer.
+     */
+    Min?: Integer;
+    /**
+     *  The maximum valid value for a control parameter that is an integer.
+     */
+    Max?: Integer;
+  }
   export type IntegerList = Integer[];
+  export interface IntegerListConfigurationOptions {
+    /**
+     *  The Security Hub default value for a control parameter that is a list of integers.
+     */
+    DefaultValue?: IntegerList;
+    /**
+     *  The minimum valid value for a control parameter that is a list of integers.
+     */
+    Min?: Integer;
+    /**
+     *  The maximum valid value for a control parameter that is a list of integers.
+     */
+    Max?: Integer;
+    /**
+     *  The maximum number of list items that an interger list control parameter can accept.
+     */
+    MaxItems?: Integer;
+  }
   export type IntegrationType = "SEND_FINDINGS_TO_SECURITY_HUB"|"RECEIVE_FINDINGS_FROM_SECURITY_HUB"|"UPDATE_FINDINGS_IN_SECURITY_HUB"|string;
   export type IntegrationTypeList = IntegrationType[];
   export interface Invitation {
@@ -13016,6 +13515,50 @@ declare namespace SecurityHub {
      */
     NextToken?: NextToken;
   }
+  export interface ListConfigurationPoliciesRequest {
+    /**
+     *  The NextToken value that's returned from a previous paginated ListConfigurationPolicies request where MaxResults was used but the results exceeded the value of that parameter. Pagination continues from the MaxResults was used but the results exceeded the value of that parameter. Pagination continues from the end of the previous response that returned the NextToken value. This value is null when there are no more results to return.
+     */
+    NextToken?: NextToken;
+    /**
+     *  The maximum number of results that's returned by ListConfigurationPolicies in each page of the response. When this parameter is used, ListConfigurationPolicies returns the specified number of results in a single page and a NextToken response element. You can see the remaining results of the initial request by sending another ListConfigurationPolicies request with the returned NextToken value. A valid range for MaxResults is between 1 and 100.
+     */
+    MaxResults?: MaxResults;
+  }
+  export interface ListConfigurationPoliciesResponse {
+    /**
+     *  Provides metadata for each of your configuration policies.
+     */
+    ConfigurationPolicySummaries?: ConfigurationPolicySummaryList;
+    /**
+     *  The NextToken value to include in the next ListConfigurationPolicies request. When the results of a ListConfigurationPolicies request exceed MaxResults, this value can be used to retrieve the next page of results. This value is null when there are no more results to return.
+     */
+    NextToken?: NextToken;
+  }
+  export interface ListConfigurationPolicyAssociationsRequest {
+    /**
+     *  The NextToken value that's returned from a previous paginated ListConfigurationPolicyAssociations request where MaxResults was used but the results exceeded the value of that parameter. Pagination continues from the end of the previous response that returned the NextToken value. This value is null when there are no more results to return.
+     */
+    NextToken?: NextToken;
+    /**
+     *  The maximum number of results that's returned by ListConfigurationPolicies in each page of the response. When this parameter is used, ListConfigurationPolicyAssociations returns the specified number of results in a single page and a NextToken response element. You can see the remaining results of the initial request by sending another ListConfigurationPolicyAssociations request with the returned NextToken value. A valid range for MaxResults is between 1 and 100.
+     */
+    MaxResults?: MaxResults;
+    /**
+     *  Options for filtering the ListConfigurationPolicyAssociations response. You can filter by the Amazon Resource Name (ARN) or universally unique identifier (UUID) of a configuration, AssociationType, or AssociationStatus.
+     */
+    Filters?: AssociationFilters;
+  }
+  export interface ListConfigurationPolicyAssociationsResponse {
+    /**
+     *  An object that contains the details of each configuration policy association that’s returned in a ListConfigurationPolicyAssociations request.
+     */
+    ConfigurationPolicyAssociationSummaries?: ConfigurationPolicyAssociationSummaryList;
+    /**
+     *  The NextToken value to include in the next ListConfigurationPolicyAssociations request. When the results of a ListConfigurationPolicyAssociations request exceed MaxResults, this value can be used to retrieve the next page of results. This value is null when there are no more results to return.
+     */
+    NextToken?: NextToken;
+  }
   export interface ListEnabledProductsForImportRequest {
     /**
      * The token that is required for pagination. On your first call to the ListEnabledProductsForImport operation, set the value of this parameter to NULL. For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response.
@@ -13420,6 +13963,14 @@ declare namespace SecurityHub {
      * The equal-to condition to be applied to a single field when querying for findings.
      */
     Eq?: Double;
+    /**
+     *  The greater-than condition to be applied to a single field when querying for findings.
+     */
+    Gt?: Double;
+    /**
+     *  The less-than condition to be applied to a single field when querying for findings.
+     */
+    Lt?: Double;
   }
   export type NumberFilterList = NumberFilter[];
   export interface Occurrences {
@@ -13444,6 +13995,22 @@ declare namespace SecurityHub {
      */
     Cells?: Cells;
   }
+  export interface OrganizationConfiguration {
+    /**
+     *  Indicates whether the organization uses local or central configuration.  If you use local configuration, the Security Hub delegated administrator can set AutoEnable to true and AutoEnableStandards to DEFAULT. This automatically enables Security Hub and default security standards in new organization accounts. These new account settings must be set separately in each Amazon Web Services Region, and settings may be different in each Region.   If you use central configuration, the delegated administrator can create configuration policies. Configuration policies can be used to configure Security Hub, security standards, and security controls in multiple accounts and Regions. If you want new organization accounts to use a specific configuration, you can create a configuration policy and associate it with the root or specific organizational units (OUs). New accounts will inherit the policy from the root or their assigned OU.
+     */
+    ConfigurationType?: OrganizationConfigurationConfigurationType;
+    /**
+     *  Describes whether central configuration could be enabled as the ConfigurationType for the organization. If your ConfigurationType is local configuration, then the value of Status is always ENABLED.
+     */
+    Status?: OrganizationConfigurationStatus;
+    /**
+     *  Provides an explanation if the value of Status is equal to FAILED when ConfigurationType is equal to CENTRAL.
+     */
+    StatusMessage?: NonEmptyString;
+  }
+  export type OrganizationConfigurationConfigurationType = "CENTRAL"|"LOCAL"|string;
+  export type OrganizationConfigurationStatus = "PENDING"|"ENABLED"|"FAILED"|string;
   export interface Page {
     /**
      * The page number of the page that contains the sensitive data.
@@ -13459,6 +14026,63 @@ declare namespace SecurityHub {
     OffsetRange?: Range;
   }
   export type Pages = Page[];
+  export interface ParameterConfiguration {
+    /**
+     *  Identifies whether a control parameter uses a custom user-defined value or the Security Hub default value.
+     */
+    ValueType: ParameterValueType;
+    /**
+     *  The current value of a control parameter.
+     */
+    Value?: ParameterValue;
+  }
+  export interface ParameterDefinition {
+    /**
+     *  Description of a control parameter.
+     */
+    Description: NonEmptyString;
+    /**
+     *  The options for customizing a control parameter. Customization options vary based on the data type of the parameter.
+     */
+    ConfigurationOptions: ConfigurationOptions;
+  }
+  export type ParameterDefinitions = {[key: string]: ParameterDefinition};
+  export interface ParameterValue {
+    /**
+     *  A control parameter that is an integer.
+     */
+    Integer?: Integer;
+    /**
+     *  A control parameter that is a list of integers.
+     */
+    IntegerList?: IntegerList;
+    /**
+     *  A control parameter that is a double.
+     */
+    Double?: Double;
+    /**
+     *  A control parameter that is a string.
+     */
+    String?: NonEmptyString;
+    /**
+     *  A control parameter that is a list of strings.
+     */
+    StringList?: StringList;
+    /**
+     *  A control parameter that is a boolean.
+     */
+    Boolean?: Boolean;
+    /**
+     *  A control parameter that is an enum.
+     */
+    Enum?: NonEmptyString;
+    /**
+     *  A control parameter that is a list of enums.
+     */
+    EnumList?: StringList;
+  }
+  export type ParameterValueType = "DEFAULT"|"CUSTOM"|string;
+  export type Parameters = {[key: string]: ParameterConfiguration};
   export type Partition = "aws"|"aws-cn"|"aws-us-gov"|string;
   export interface PatchSummary {
     /**
@@ -13506,6 +14130,12 @@ declare namespace SecurityHub {
      */
     Operation?: NonEmptyString;
   }
+  export interface Policy {
+    /**
+     *  The Amazon Web Service that the configuration policy applies to.
+     */
+    SecurityHub?: SecurityHubPolicy;
+  }
   export interface PortProbeAction {
     /**
      * Information about the ports affected by the port probe.
@@ -13715,6 +14345,14 @@ declare namespace SecurityHub {
      * Additional details about the resource related to a finding.
      */
     Details?: ResourceDetails;
+    /**
+     *  The name of the application that is related to a finding.
+     */
+    ApplicationName?: NonEmptyString;
+    /**
+     *  The Amazon Resource Name (ARN) of the application that is related to a finding.
+     */
+    ApplicationArn?: NonEmptyString;
   }
   export type ResourceArn = string;
   export interface ResourceDetails {
@@ -14438,7 +15076,30 @@ declare namespace SecurityHub {
      *  The enablement status of a security control in a specific standard.
      */
     SecurityControlStatus: ControlStatus;
+    /**
+     *  Identifies whether customizable properties of a security control are reflected in Security Hub findings. A status of READY indicates findings include the current parameter values. A status of UPDATING indicates that all findings may not include the current parameter values.
+     */
+    UpdateStatus?: UpdateStatus;
+    /**
+     *  An object that identifies the name of a control parameter, its current value, and whether it has been customized.
+     */
+    Parameters?: Parameters;
+    /**
+     *  The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the  BatchUpdateStandardsControlAssociations  API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
+     */
+    LastUpdateReason?: AlphaNumericNonEmptyString;
   }
+  export interface SecurityControlCustomParameter {
+    /**
+     *  The ID of the security control.
+     */
+    SecurityControlId?: NonEmptyString;
+    /**
+     *  An object that specifies parameter values for a control in a configuration policy.
+     */
+    Parameters?: Parameters;
+  }
+  export type SecurityControlCustomParametersList = SecurityControlCustomParameter[];
   export interface SecurityControlDefinition {
     /**
      *  The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Service name and a number (for example, APIGateway.3). This parameter differs from SecurityControlArn, which is a unique Amazon Resource Name (ARN) assigned to a control. The ARN references the security control ID (for example, arn:aws:securityhub:eu-central-1:123456789012:security-control/APIGateway.3).
@@ -14464,10 +15125,58 @@ declare namespace SecurityHub {
      *  Specifies whether a security control is available in the current Amazon Web Services Region.
      */
     CurrentRegionAvailability: RegionAvailabilityStatus;
+    /**
+     *  Security control properties that you can customize. Currently, only parameter customization is supported for select controls. An empty array is returned for controls that don’t support custom properties.
+     */
+    CustomizableProperties?: CustomizableProperties;
+    /**
+     *  An object that provides a security control parameter name, description, and the options for customizing it. This object is excluded for a control that doesn't support custom parameters.
+     */
+    ParameterDefinitions?: ParameterDefinitions;
   }
   export type SecurityControlDefinitions = SecurityControlDefinition[];
+  export interface SecurityControlParameter {
+    /**
+     *  The name of a
+     */
+    Name?: NonEmptyString;
+    /**
+     *  The current value of a control parameter.
+     */
+    Value?: TypeList;
+  }
+  export type SecurityControlParametersList = SecurityControlParameter[];
+  export type SecurityControlProperty = "Parameters"|string;
   export type SecurityControls = SecurityControl[];
+  export interface SecurityControlsConfiguration {
+    /**
+     *  A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls.
+     */
+    EnabledSecurityControlIdentifiers?: EnabledSecurityControlIdentifierList;
+    /**
+     *  A list of security controls that are disabled in the configuration policy. Security Hub enables all other controls (including newly released controls) other than the listed controls.
+     */
+    DisabledSecurityControlIdentifiers?: DisabledSecurityControlIdentifierList;
+    /**
+     *  A list of security controls and control parameter values that are included in a configuration policy.
+     */
+    SecurityControlCustomParameters?: SecurityControlCustomParametersList;
+  }
   export type SecurityGroups = NonEmptyString[];
+  export interface SecurityHubPolicy {
+    /**
+     *  Indicates whether Security Hub is enabled in the policy.
+     */
+    ServiceEnabled?: Boolean;
+    /**
+     *  A list that defines which security standards are enabled in the configuration policy.
+     */
+    EnabledStandardIdentifiers?: EnabledStandardIdentifierList;
+    /**
+     *  An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.
+     */
+    SecurityControlsConfiguration?: SecurityControlsConfiguration;
+  }
   export interface SensitiveDataDetections {
     /**
      * The total number of occurrences of sensitive data that were detected.
@@ -14500,7 +15209,7 @@ declare namespace SecurityHub {
   export type SensitiveDataResultList = SensitiveDataResult[];
   export interface Severity {
     /**
-     * Deprecated. This attribute is being deprecated. Instead of providing Product, provide Original. The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.
+     * Deprecated. This attribute isn't included in findings. Instead of providing Product, provide Original. The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.
      */
     Product?: Double;
     /**
@@ -14508,7 +15217,7 @@ declare namespace SecurityHub {
      */
     Label?: SeverityLabel;
     /**
-     * Deprecated. The normalized severity of a finding. This attribute is being deprecated. Instead of providing Normalized, provide Label. If you provide Label and do not provide Normalized, then Normalized is set automatically as follows.    INFORMATIONAL - 0    LOW - 1    MEDIUM - 40    HIGH - 70    CRITICAL - 90
+     * Deprecated. The normalized severity of a finding. Instead of providing Normalized, provide Label. If you provide Label and do not provide Normalized, then Normalized is set automatically as follows.    INFORMATIONAL - 0    LOW - 1    MEDIUM - 40    HIGH - 70    CRITICAL - 90
      */
     Normalized?: Integer;
     /**
@@ -14735,11 +15444,11 @@ declare namespace SecurityHub {
      */
     RelatedRequirements?: RelatedRequirementsList;
     /**
-     *  The last time that a control's enablement status in a specified standard was updated.
+     * The last time that a control's enablement status in a specified standard was updated.
      */
     UpdatedAt?: Timestamp;
     /**
-     *  The reason for updating the control's enablement status in a specified standard.
+     * The reason for updating a control's enablement status in a specified standard.
      */
     UpdatedReason?: NonEmptyString;
     /**
@@ -14824,6 +15533,58 @@ declare namespace SecurityHub {
   }
   export type StandardsSubscriptionRequests = StandardsSubscriptionRequest[];
   export type StandardsSubscriptions = StandardsSubscription[];
+  export interface StartConfigurationPolicyAssociationRequest {
+    /**
+     *  The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy.
+     */
+    ConfigurationPolicyIdentifier: NonEmptyString;
+    /**
+     *  The identifier of the target account, organizational unit, or the root to associate with the specified configuration.
+     */
+    Target: Target;
+  }
+  export interface StartConfigurationPolicyAssociationResponse {
+    /**
+     *  The UUID of the configuration policy.
+     */
+    ConfigurationPolicyId?: NonEmptyString;
+    /**
+     *  The identifier of the target account, organizational unit, or the organization root with which the configuration is associated.
+     */
+    TargetId?: NonEmptyString;
+    /**
+     *  Indicates whether the target is an Amazon Web Services account, organizational unit, or the organization root.
+     */
+    TargetType?: TargetType;
+    /**
+     *  Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
+     */
+    AssociationType?: AssociationType;
+    /**
+     *  The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated.
+     */
+    UpdatedAt?: Timestamp;
+    /**
+     *  The current status of the association between the specified target and the configuration.
+     */
+    AssociationStatus?: ConfigurationPolicyAssociationStatus;
+    /**
+     *  An explanation for a FAILED value for AssociationStatus.
+     */
+    AssociationStatusMessage?: NonEmptyString;
+  }
+  export interface StartConfigurationPolicyDisassociationRequest {
+    /**
+     *  The identifier of the target account, organizational unit, or the root to disassociate from the specified configuration.
+     */
+    Target?: Target;
+    /**
+     *  The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy.
+     */
+    ConfigurationPolicyIdentifier: NonEmptyString;
+  }
+  export interface StartConfigurationPolicyDisassociationResponse {
+  }
   export interface StatelessCustomActionDefinition {
     /**
      * Information about metrics to publish to CloudWatch.
@@ -14855,6 +15616,20 @@ declare namespace SecurityHub {
   }
   export type StatusReasonCode = "NO_AVAILABLE_CONFIGURATION_RECORDER"|"INTERNAL_ERROR"|string;
   export type StatusReasonsList = StatusReason[];
+  export interface StringConfigurationOptions {
+    /**
+     *  The Security Hub default value for a control parameter that is a string.
+     */
+    DefaultValue?: NonEmptyString;
+    /**
+     *  An RE2 regular expression that Security Hub uses to validate a user-provided control parameter string.
+     */
+    Re2Expression?: NonEmptyString;
+    /**
+     *  The description of the RE2 regular expression.
+     */
+    ExpressionDescription?: NonEmptyString;
+  }
   export interface StringFilter {
     /**
      * The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub. If you provide security hub as the filter value, there's no match.
@@ -14868,6 +15643,24 @@ declare namespace SecurityHub {
   export type StringFilterComparison = "EQUALS"|"PREFIX"|"NOT_EQUALS"|"PREFIX_NOT_EQUALS"|"CONTAINS"|"NOT_CONTAINS"|string;
   export type StringFilterList = StringFilter[];
   export type StringList = NonEmptyString[];
+  export interface StringListConfigurationOptions {
+    /**
+     *  The Security Hub default value for a control parameter that is a list of strings.
+     */
+    DefaultValue?: StringList;
+    /**
+     *  An RE2 regular expression that Security Hub uses to validate a user-provided list of strings for a control parameter.
+     */
+    Re2Expression?: NonEmptyString;
+    /**
+     *  The maximum number of list items that a string list control parameter can accept.
+     */
+    MaxItems?: Integer;
+    /**
+     *  The description of the RE2 regular expression.
+     */
+    ExpressionDescription?: NonEmptyString;
+  }
   export type TagKey = string;
   export type TagKeyList = TagKey[];
   export type TagMap = {[key: string]: TagValue};
@@ -14884,6 +15677,21 @@ declare namespace SecurityHub {
   export interface TagResourceResponse {
   }
   export type TagValue = string;
+  export interface Target {
+    /**
+     *  The Amazon Web Services account ID of the target account.
+     */
+    AccountId?: NonEmptyString;
+    /**
+     *  The organizational unit ID of the target organizational unit.
+     */
+    OrganizationalUnitId?: NonEmptyString;
+    /**
+     *  The ID of the organization root.
+     */
+    RootId?: NonEmptyString;
+  }
+  export type TargetType = "ACCOUNT"|"ORGANIZATIONAL_UNIT"|string;
   export interface Threat {
     /**
      * The name of the threat.
@@ -14949,6 +15757,21 @@ declare namespace SecurityHub {
     ErrorMessage?: NonEmptyString;
   }
   export type UnprocessedAutomationRulesList = UnprocessedAutomationRule[];
+  export interface UnprocessedConfigurationPolicyAssociation {
+    /**
+     *  Configuration policy association identifiers that were specified in a BatchGetConfigurationPolicyAssociations request but couldn’t be processed due to an error.
+     */
+    ConfigurationPolicyAssociationIdentifiers?: ConfigurationPolicyAssociation;
+    /**
+     *  An HTTP status code that identifies why the configuration policy association failed.
+     */
+    ErrorCode?: NonEmptyString;
+    /**
+     *  A string that identifies why the configuration policy association failed.
+     */
+    ErrorReason?: NonEmptyString;
+  }
+  export type UnprocessedConfigurationPolicyAssociationList = UnprocessedConfigurationPolicyAssociation[];
   export type UnprocessedErrorCode = "INVALID_INPUT"|"ACCESS_DENIED"|"NOT_FOUND"|"LIMIT_EXCEEDED"|string;
   export interface UnprocessedSecurityControl {
     /**
@@ -15058,6 +15881,58 @@ declare namespace SecurityHub {
     Actions?: ActionList;
   }
   export type UpdateAutomationRulesRequestItemsList = UpdateAutomationRulesRequestItem[];
+  export interface UpdateConfigurationPolicyRequest {
+    /**
+     *  The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy.
+     */
+    Identifier: NonEmptyString;
+    /**
+     *  The name of the configuration policy.
+     */
+    Name?: NonEmptyString;
+    /**
+     *  The description of the configuration policy.
+     */
+    Description?: NonEmptyString;
+    /**
+     *  The reason for updating the configuration policy.
+     */
+    UpdatedReason?: NonEmptyString;
+    /**
+     *  An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).  When updating a configuration policy, provide a complete list of standards that you want to enable and a complete list of controls that you want to enable or disable. The updated configuration replaces the current configuration.
+     */
+    ConfigurationPolicy?: Policy;
+  }
+  export interface UpdateConfigurationPolicyResponse {
+    /**
+     *  The ARN of the configuration policy.
+     */
+    Arn?: NonEmptyString;
+    /**
+     *  The UUID of the configuration policy.
+     */
+    Id?: NonEmptyString;
+    /**
+     *  The name of the configuration policy.
+     */
+    Name?: NonEmptyString;
+    /**
+     *  The description of the configuration policy.
+     */
+    Description?: NonEmptyString;
+    /**
+     *  The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated.
+     */
+    UpdatedAt?: Timestamp;
+    /**
+     *  The date and time, in UTC and ISO 8601 format, that the configuration policy was created.
+     */
+    CreatedAt?: Timestamp;
+    /**
+     *  An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If the request included a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If the request included a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
+     */
+    ConfigurationPolicy?: Policy;
+  }
   export interface UpdateFindingAggregatorRequest {
     /**
      * The ARN of the finding aggregator. To obtain the ARN, use ListFindingAggregators.
@@ -15128,16 +16003,33 @@ declare namespace SecurityHub {
   }
   export interface UpdateOrganizationConfigurationRequest {
     /**
-     * Whether to automatically enable Security Hub for new accounts in the organization. By default, this is false, and new accounts are not added automatically. To automatically enable Security Hub for new accounts, set this to true.
+     * Whether to automatically enable Security Hub in new member accounts when they join the organization. If set to true, then Security Hub is automatically enabled in new accounts. If set to false, then Security Hub isn't enabled in new accounts automatically. The default value is false. If the ConfigurationType of your organization is set to CENTRAL, then this field is set to false and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which Security Hub is enabled and associate the policy with new organization accounts.
      */
     AutoEnable: Boolean;
     /**
-     * Whether to automatically enable Security Hub default standards for new member accounts in the organization. By default, this parameter is equal to DEFAULT, and new member accounts are automatically enabled with default Security Hub standards. To opt out of enabling default standards for new member accounts, set this parameter equal to NONE.
+     * Whether to automatically enable Security Hub default standards in new member accounts when they join the organization. The default value of this parameter is equal to DEFAULT. If equal to DEFAULT, then Security Hub default standards are automatically enabled for new member accounts. If equal to NONE, then default standards are not automatically enabled for new member accounts. If the ConfigurationType of your organization is set to CENTRAL, then this field is set to NONE and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which specific security standards are enabled and associate the policy with new organization accounts.
      */
     AutoEnableStandards?: AutoEnableStandards;
+    OrganizationConfiguration?: OrganizationConfiguration;
   }
   export interface UpdateOrganizationConfigurationResponse {
   }
+  export interface UpdateSecurityControlRequest {
+    /**
+     *  The Amazon Resource Name (ARN) or ID of the control to update.
+     */
+    SecurityControlId: NonEmptyString;
+    /**
+     *  An object that specifies which security control parameters to update.
+     */
+    Parameters: Parameters;
+    /**
+     *  The most recent reason for updating the properties of the security control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
+     */
+    LastUpdateReason?: AlphaNumericNonEmptyString;
+  }
+  export interface UpdateSecurityControlResponse {
+  }
   export interface UpdateSecurityHubConfigurationRequest {
     /**
      * Whether to automatically enable new controls when they are added to standards that are enabled. By default, this is set to true, and new controls are enabled automatically. To not automatically enable new controls, set this to false.
@@ -15166,6 +16058,7 @@ declare namespace SecurityHub {
   }
   export interface UpdateStandardsControlResponse {
   }
+  export type UpdateStatus = "READY"|"UPDATING"|string;
   export type VerificationState = "UNKNOWN"|"TRUE_POSITIVE"|"FALSE_POSITIVE"|"BENIGN_POSITIVE"|string;
   export interface VolumeMount {
     /**