aws-cdk-lib 2.145.0__py3-none-any.whl → 2.147.0__py3-none-any.whl

aws_cdk/aws_securityhub/__init__.py

@@ -2933,7 +2933,9 @@ class CfnConfigurationPolicy(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_securityhub.CfnConfigurationPolicy",
 ):
-    '''The AWS::SecurityHub::ConfigurationPolicy resource represents the Central Configuration Policy in your account.
+    '''The ``AWS::SecurityHub::ConfigurationPolicy`` resource creates a central configuration policy with the defined settings.
+
+    Only the AWS Security Hub delegated administrator can create this resource in the home Region. For more information, see `Central configuration in Security Hub <https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html>`_ in the *AWS Security Hub User Guide* .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-configurationpolicy.html
     :cloudformationResource: AWS::SecurityHub::ConfigurationPolicy
@@ -2999,10 +3001,10 @@ class CfnConfigurationPolicy(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param configuration_policy: An object that defines how Security Hub is configured.
-        :param name: The name of the configuration policy.
+        :param configuration_policy: An object that defines how AWS Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
+        :param name: The name of the configuration policy. Alphanumeric characters and the following ASCII characters are permitted: ``-, ., !, *, /`` .
         :param description: The description of the configuration policy.
-        :param tags: A key-value pair to associate with a resource.
+        :param tags: User-defined tags associated with a configuration policy. For more information, see `Tagging AWS Security Hub resources <https://docs.aws.amazon.com/securityhub/latest/userguide/tagging-resources.html>`_ in the *Security Hub user guide* .
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__e2cee5cf3fe5ba0b354ff30ea357f97d4a69893bed692305ae2919f0061404d2)
@@ -3050,7 +3052,7 @@ class CfnConfigurationPolicy(
     @builtins.property
     @jsii.member(jsii_name="attrArn")
     def attr_arn(self) -> builtins.str:
-        '''The Amazon Resource Name (ARN) of the configuration policy.
+        '''The ARN of the configuration policy.
 
         :cloudformationAttribute: Arn
         '''
@@ -3070,6 +3072,8 @@ class CfnConfigurationPolicy(
     def attr_id(self) -> builtins.str:
         '''The universally unique identifier (UUID) of the configuration policy.
 
+        A self-managed configuration has no UUID. The identifier of a self-managed configuration is ``SELF_MANAGED_SECURITY_HUB`` .
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -3086,7 +3090,7 @@ class CfnConfigurationPolicy(
     @builtins.property
     @jsii.member(jsii_name="attrUpdatedAt")
     def attr_updated_at(self) -> builtins.str:
-        '''The date and time, in UTC and ISO 8601 format.
+        '''The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated.
 
         :cloudformationAttribute: UpdatedAt
         '''
@@ -3108,7 +3112,7 @@ class CfnConfigurationPolicy(
     def configuration_policy(
         self,
     ) -> typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.PolicyProperty"]:
-        '''An object that defines how Security Hub is configured.'''
+        '''An object that defines how AWS Security Hub is configured.'''
         return typing.cast(typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.PolicyProperty"], jsii.get(self, "configurationPolicy"))
 
     @configuration_policy.setter
@@ -3150,7 +3154,7 @@ class CfnConfigurationPolicy(
     @builtins.property
     @jsii.member(jsii_name="tags")
     def tags(self) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
-        '''A key-value pair to associate with a resource.'''
+        '''User-defined tags associated with a configuration policy.'''
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], jsii.get(self, "tags"))
 
     @tags.setter
@@ -3177,8 +3181,8 @@ class CfnConfigurationPolicy(
         ) -> None:
             '''An object that provides the current value of a security control parameter and identifies whether it has been customized.
 
-            :param value_type: Identifies whether a control parameter uses a custom user-defined value or subscribes to the default AWS Security Hub behavior.
-            :param value: An object that includes the data type of a security control parameter and its current value.
+            :param value_type: Identifies whether a control parameter uses a custom user-defined value or subscribes to the default AWS Security Hub behavior. When ``ValueType`` is set equal to ``DEFAULT`` , the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When ``ValueType`` is set equal to ``DEFAULT`` , Security Hub ignores user-provided input for the ``Value`` field. When ``ValueType`` is set equal to ``CUSTOM`` , the ``Value`` field can't be empty.
+            :param value: The current value of a control parameter.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parameterconfiguration.html
             :exampleMetadata: fixture=_generated
@@ -3219,6 +3223,10 @@ class CfnConfigurationPolicy(
         def value_type(self) -> builtins.str:
             '''Identifies whether a control parameter uses a custom user-defined value or subscribes to the default AWS Security Hub behavior.
 
+            When ``ValueType`` is set equal to ``DEFAULT`` , the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When ``ValueType`` is set equal to ``DEFAULT`` , Security Hub ignores user-provided input for the ``Value`` field.
+
+            When ``ValueType`` is set equal to ``CUSTOM`` , the ``Value`` field can't be empty.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parameterconfiguration.html#cfn-securityhub-configurationpolicy-parameterconfiguration-valuetype
             '''
             result = self._values.get("value_type")
@@ -3229,7 +3237,7 @@ class CfnConfigurationPolicy(
         def value(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.ParameterValueProperty"]]:
-            '''An object that includes the data type of a security control parameter and its current value.
+            '''The current value of a control parameter.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-parameterconfiguration.html#cfn-securityhub-configurationpolicy-parameterconfiguration-value
             '''
@@ -3431,9 +3439,11 @@ class CfnConfigurationPolicy(
             *,
             security_hub: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnConfigurationPolicy.SecurityHubPolicyProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''An object that defines how Security Hub is configured.
+            '''An object that defines how AWS Security Hub is configured.
+
+            It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
 
-            :param security_hub: An object that defines how AWS Security Hub is configured.
+            :param security_hub: The AWS service that the configuration policy applies to.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-policy.html
             :exampleMetadata: fixture=_generated
@@ -3486,7 +3496,7 @@ class CfnConfigurationPolicy(
         def security_hub(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.SecurityHubPolicyProperty"]]:
-            '''An object that defines how AWS Security Hub is configured.
+            '''The AWS service that the configuration policy applies to.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-policy.html#cfn-securityhub-configurationpolicy-policy-securityhub
             '''
@@ -3519,7 +3529,7 @@ class CfnConfigurationPolicy(
             parameters: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, typing.Union["CfnConfigurationPolicy.ParameterConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
             security_control_id: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''An object of security control and control parameter value that are included in a configuration policy.
+            '''A list of security controls and control parameter values that are included in a configuration policy.
 
             :param parameters: An object that specifies parameter values for a control in a configuration policy.
             :param security_control_id: The ID of the security control.
@@ -3614,8 +3624,10 @@ class CfnConfigurationPolicy(
         ) -> None:
             '''An object that defines which security controls are enabled in an AWS Security Hub configuration policy.
 
-            :param disabled_security_control_identifiers: A list of security controls that are disabled in the configuration policy.
-            :param enabled_security_control_identifiers: A list of security controls that are enabled in the configuration policy.
+            The enablement status of a control is aligned across all of the enabled standards in an account.
+
+            :param disabled_security_control_identifiers: A list of security controls that are disabled in the configuration policy. Security Hub enables all other controls (including newly released controls) other than the listed controls.
+            :param enabled_security_control_identifiers: A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls.
             :param security_control_custom_parameters: A list of security controls and control parameter values that are included in a configuration policy.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securitycontrolsconfiguration.html
@@ -3671,6 +3683,8 @@ class CfnConfigurationPolicy(
         ) -> typing.Optional[typing.List[builtins.str]]:
             '''A list of security controls that are disabled in the configuration policy.
 
+            Security Hub enables all other controls (including newly released controls) other than the listed controls.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securitycontrolsconfiguration.html#cfn-securityhub-configurationpolicy-securitycontrolsconfiguration-disabledsecuritycontrolidentifiers
             '''
             result = self._values.get("disabled_security_control_identifiers")
@@ -3682,6 +3696,8 @@ class CfnConfigurationPolicy(
         ) -> typing.Optional[typing.List[builtins.str]]:
             '''A list of security controls that are enabled in the configuration policy.
 
+            Security Hub disables all other controls (including newly released controls) other than the listed controls.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securitycontrolsconfiguration.html#cfn-securityhub-configurationpolicy-securitycontrolsconfiguration-enabledsecuritycontrolidentifiers
             '''
             result = self._values.get("enabled_security_control_identifiers")
@@ -3728,8 +3744,10 @@ class CfnConfigurationPolicy(
         ) -> None:
             '''An object that defines how AWS Security Hub is configured.
 
+            The configuration policy includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
+
             :param enabled_standard_identifiers: A list that defines which security standards are enabled in the configuration policy.
-            :param security_controls_configuration: An object that defines which security controls are enabled in an AWS Security Hub configuration policy.
+            :param security_controls_configuration: An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.
             :param service_enabled: Indicates whether Security Hub is enabled in the policy.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securityhubpolicy.html
@@ -3798,7 +3816,9 @@ class CfnConfigurationPolicy(
         def security_controls_configuration(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnConfigurationPolicy.SecurityControlsConfigurationProperty"]]:
-            '''An object that defines which security controls are enabled in an AWS Security Hub configuration policy.
+            '''An object that defines which security controls are enabled in the configuration policy.
+
+            The enablement status of a control is aligned across all of the enabled standards in an account.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-configurationpolicy-securityhubpolicy.html#cfn-securityhub-configurationpolicy-securityhubpolicy-securitycontrolsconfiguration
             '''
@@ -3849,10 +3869,10 @@ class CfnConfigurationPolicyProps:
     ) -> None:
         '''Properties for defining a ``CfnConfigurationPolicy``.
 
-        :param configuration_policy: An object that defines how Security Hub is configured.
-        :param name: The name of the configuration policy.
+        :param configuration_policy: An object that defines how AWS Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
+        :param name: The name of the configuration policy. Alphanumeric characters and the following ASCII characters are permitted: ``-, ., !, *, /`` .
         :param description: The description of the configuration policy.
-        :param tags: A key-value pair to associate with a resource.
+        :param tags: User-defined tags associated with a configuration policy. For more information, see `Tagging AWS Security Hub resources <https://docs.aws.amazon.com/securityhub/latest/userguide/tagging-resources.html>`_ in the *Security Hub user guide* .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-configurationpolicy.html
         :exampleMetadata: fixture=_generated
@@ -3922,7 +3942,9 @@ class CfnConfigurationPolicyProps:
     def configuration_policy(
         self,
     ) -> typing.Union[_IResolvable_da3f097b, CfnConfigurationPolicy.PolicyProperty]:
-        '''An object that defines how Security Hub is configured.
+        '''An object that defines how AWS Security Hub is configured.
+
+        It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-configurationpolicy.html#cfn-securityhub-configurationpolicy-configurationpolicy
         '''
@@ -3934,6 +3956,8 @@ class CfnConfigurationPolicyProps:
     def name(self) -> builtins.str:
         '''The name of the configuration policy.
 
+        Alphanumeric characters and the following ASCII characters are permitted: ``-, ., !, *, /`` .
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-configurationpolicy.html#cfn-securityhub-configurationpolicy-name
         '''
         result = self._values.get("name")
@@ -3951,7 +3975,9 @@ class CfnConfigurationPolicyProps:
 
     @builtins.property
     def tags(self) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
-        '''A key-value pair to associate with a resource.
+        '''User-defined tags associated with a configuration policy.
+
+        For more information, see `Tagging AWS Security Hub resources <https://docs.aws.amazon.com/securityhub/latest/userguide/tagging-resources.html>`_ in the *Security Hub user guide* .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-configurationpolicy.html#cfn-securityhub-configurationpolicy-tags
         '''
@@ -4147,9 +4173,13 @@ class CfnFindingAggregator(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_securityhub.CfnFindingAggregator",
 ):
-    '''The AWS::SecurityHub::FindingAggregator resource represents the AWS Security Hub Finding Aggregator in your account.
+    '''The ``AWS::SecurityHub::FindingAggregator`` resource enables cross-Region aggregation.
 
-    One finding aggregator resource is created for each account in non opt-in region in which you configure region linking mode.
+    When cross-Region aggregation is enabled, you can aggregate findings, finding updates, insights, control compliance statuses, and security scores from one or more linked Regions to a single aggregation Region. You can then view and manage all of this data from the aggregation Region. For more details about cross-Region aggregation, see `Cross-Region aggregation <https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html>`_ in the *AWS Security Hub User Guide*
+
+    This resource must be created in the Region that you want to designate as your aggregation Region.
+
+    Cross-Region aggregation is also a prerequisite for using `central configuration <https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html>`_ in Security Hub .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-findingaggregator.html
     :cloudformationResource: AWS::SecurityHub::FindingAggregator
@@ -4180,8 +4210,8 @@ class CfnFindingAggregator(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param region_linking_mode: Indicates whether to link all Regions, all Regions except for a list of excluded Regions, or a list of included Regions.
-        :param regions: The list of excluded Regions or included Regions.
+        :param region_linking_mode: Indicates whether to aggregate findings from all of the available Regions in the current partition. Also determines whether to automatically aggregate findings from new Regions as Security Hub supports them and you opt into them. The selected option also determines how to use the Regions provided in the Regions list. The options are as follows: - ``ALL_REGIONS`` - Indicates to aggregate findings from all of the Regions where Security Hub is enabled. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them. - ``ALL_REGIONS_EXCEPT_SPECIFIED`` - Indicates to aggregate findings from all of the Regions where Security Hub is enabled, except for the Regions listed in the ``Regions`` parameter. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them. - ``SPECIFIED_REGIONS`` - Indicates to aggregate findings only from the Regions listed in the ``Regions`` parameter. Security Hub does not automatically aggregate findings from new Regions.
+        :param regions: If ``RegionLinkingMode`` is ``ALL_REGIONS_EXCEPT_SPECIFIED`` , then this is a space-separated list of Regions that do not aggregate findings to the aggregation Region. If ``RegionLinkingMode`` is ``SPECIFIED_REGIONS`` , then this is a space-separated list of Regions that do aggregate findings to the aggregation Region.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__def955d28b5fec6358172b72efd12a764fe7f7be8d0ea9076bc99608ed72dd3c)
@@ -4226,7 +4256,8 @@ class CfnFindingAggregator(
     @builtins.property
     @jsii.member(jsii_name="attrFindingAggregationRegion")
     def attr_finding_aggregation_region(self) -> builtins.str:
-        '''
+        '''The aggregation Region.
+
         :cloudformationAttribute: FindingAggregationRegion
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrFindingAggregationRegion"))
@@ -4234,7 +4265,9 @@ class CfnFindingAggregator(
     @builtins.property
     @jsii.member(jsii_name="attrFindingAggregatorArn")
     def attr_finding_aggregator_arn(self) -> builtins.str:
-        '''The ARN of the FindingAggregator being created and assigned as the unique identifier.
+        '''The ARN of the finding aggregator.
+
+        You use the finding aggregator ARN to retrieve details for, update, and delete the finding aggregator.
 
         :cloudformationAttribute: FindingAggregatorArn
         '''
@@ -4248,7 +4281,7 @@ class CfnFindingAggregator(
     @builtins.property
     @jsii.member(jsii_name="regionLinkingMode")
     def region_linking_mode(self) -> builtins.str:
-        '''Indicates whether to link all Regions, all Regions except for a list of excluded Regions, or a list of included Regions.'''
+        '''Indicates whether to aggregate findings from all of the available Regions in the current partition.'''
         return typing.cast(builtins.str, jsii.get(self, "regionLinkingMode"))
 
     @region_linking_mode.setter
@@ -4261,7 +4294,7 @@ class CfnFindingAggregator(
     @builtins.property
     @jsii.member(jsii_name="regions")
     def regions(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The list of excluded Regions or included Regions.'''
+        '''If ``RegionLinkingMode`` is ``ALL_REGIONS_EXCEPT_SPECIFIED`` , then this is a space-separated list of Regions that do not aggregate findings to the aggregation Region.'''
         return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "regions"))
 
     @regions.setter
@@ -4286,8 +4319,8 @@ class CfnFindingAggregatorProps:
     ) -> None:
         '''Properties for defining a ``CfnFindingAggregator``.
 
-        :param region_linking_mode: Indicates whether to link all Regions, all Regions except for a list of excluded Regions, or a list of included Regions.
-        :param regions: The list of excluded Regions or included Regions.
+        :param region_linking_mode: Indicates whether to aggregate findings from all of the available Regions in the current partition. Also determines whether to automatically aggregate findings from new Regions as Security Hub supports them and you opt into them. The selected option also determines how to use the Regions provided in the Regions list. The options are as follows: - ``ALL_REGIONS`` - Indicates to aggregate findings from all of the Regions where Security Hub is enabled. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them. - ``ALL_REGIONS_EXCEPT_SPECIFIED`` - Indicates to aggregate findings from all of the Regions where Security Hub is enabled, except for the Regions listed in the ``Regions`` parameter. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them. - ``SPECIFIED_REGIONS`` - Indicates to aggregate findings only from the Regions listed in the ``Regions`` parameter. Security Hub does not automatically aggregate findings from new Regions.
+        :param regions: If ``RegionLinkingMode`` is ``ALL_REGIONS_EXCEPT_SPECIFIED`` , then this is a space-separated list of Regions that do not aggregate findings to the aggregation Region. If ``RegionLinkingMode`` is ``SPECIFIED_REGIONS`` , then this is a space-separated list of Regions that do aggregate findings to the aggregation Region.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-findingaggregator.html
         :exampleMetadata: fixture=_generated
@@ -4317,7 +4350,17 @@ class CfnFindingAggregatorProps:
 
     @builtins.property
     def region_linking_mode(self) -> builtins.str:
-        '''Indicates whether to link all Regions, all Regions except for a list of excluded Regions, or a list of included Regions.
+        '''Indicates whether to aggregate findings from all of the available Regions in the current partition.
+
+        Also determines whether to automatically aggregate findings from new Regions as Security Hub supports them and you opt into them.
+
+        The selected option also determines how to use the Regions provided in the Regions list.
+
+        The options are as follows:
+
+        - ``ALL_REGIONS`` - Indicates to aggregate findings from all of the Regions where Security Hub is enabled. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them.
+        - ``ALL_REGIONS_EXCEPT_SPECIFIED`` - Indicates to aggregate findings from all of the Regions where Security Hub is enabled, except for the Regions listed in the ``Regions`` parameter. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them.
+        - ``SPECIFIED_REGIONS`` - Indicates to aggregate findings only from the Regions listed in the ``Regions`` parameter. Security Hub does not automatically aggregate findings from new Regions.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-findingaggregator.html#cfn-securityhub-findingaggregator-regionlinkingmode
         '''
@@ -4327,7 +4370,9 @@ class CfnFindingAggregatorProps:
 
     @builtins.property
     def regions(self) -> typing.Optional[typing.List[builtins.str]]:
-        '''The list of excluded Regions or included Regions.
+        '''If ``RegionLinkingMode`` is ``ALL_REGIONS_EXCEPT_SPECIFIED`` , then this is a space-separated list of Regions that do not aggregate findings to the aggregation Region.
+
+        If ``RegionLinkingMode`` is ``SPECIFIED_REGIONS`` , then this is a space-separated list of Regions that do aggregate findings to the aggregation Region.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-findingaggregator.html#cfn-securityhub-findingaggregator-regions
         '''
@@ -8878,9 +8923,9 @@ class CfnOrganizationConfiguration(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_securityhub.CfnOrganizationConfiguration",
 ):
-    '''The AWS::SecurityHub::OrganizationConfiguration resource represents the configuration of your organization in Security Hub.
+    '''The ``AWS::SecurityHub::OrganizationConfiguration`` resource specifies the way that your AWS organization is configured in AWS Security Hub .
 
-    Only the Security Hub administrator account can create Organization Configuration resource in each region and can opt-in to Central Configuration only in the aggregation region of FindingAggregator.
+    Specifically, you can use this resource to specify the configuration type for your organization and whether to automatically Security Hub and security standards in new member accounts. For more information, see `Managing administrator and member accounts <https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-accounts.html>`_ in the *AWS Security Hub User Guide* .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-organizationconfiguration.html
     :cloudformationResource: AWS::SecurityHub::OrganizationConfiguration
@@ -8913,9 +8958,9 @@ class CfnOrganizationConfiguration(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param auto_enable: Whether to automatically enable Security Hub in new member accounts when they join the organization.
-        :param auto_enable_standards: Whether to automatically enable Security Hub default standards in new member accounts when they join the organization.
-        :param configuration_type: Indicates whether the organization uses local or central configuration.
+        :param auto_enable: Whether to automatically enable Security Hub in new member accounts when they join the organization. If set to ``true`` , then Security Hub is automatically enabled in new accounts. If set to ``false`` , then Security Hub isn't enabled in new accounts automatically. The default value is ``false`` . If the ``ConfigurationType`` of your organization is set to ``CENTRAL`` , then this field is set to ``false`` and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which Security Hub is enabled and associate the policy with new organization accounts.
+        :param auto_enable_standards: Whether to automatically enable Security Hub `default standards <https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html>`_ in new member accounts when they join the organization. The default value of this parameter is equal to ``DEFAULT`` . If equal to ``DEFAULT`` , then Security Hub default standards are automatically enabled for new member accounts. If equal to ``NONE`` , then default standards are not automatically enabled for new member accounts. If the ``ConfigurationType`` of your organization is set to ``CENTRAL`` , then this field is set to ``NONE`` and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which specific security standards are enabled and associate the policy with new organization accounts.
+        :param configuration_type: Indicates whether the organization uses local or central configuration. If you use local configuration, the Security Hub delegated administrator can set ``AutoEnable`` to ``true`` and ``AutoEnableStandards`` to ``DEFAULT`` . This automatically enables Security Hub and default security standards in new organization accounts. These new account settings must be set separately in each AWS Region , and settings may be different in each Region. If you use central configuration, the delegated administrator can create configuration policies. Configuration policies can be used to configure Security Hub, security standards, and security controls in multiple accounts and Regions. If you want new organization accounts to use a specific configuration, you can create a configuration policy and associate it with the root or specific organizational units (OUs). New accounts will inherit the policy from the root or their assigned OU.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__186515c514aa6c3a2fef9e692700a118bb6ae2548e12249056898382ffeb0d85)
@@ -8971,7 +9016,9 @@ class CfnOrganizationConfiguration(
     @builtins.property
     @jsii.member(jsii_name="attrOrganizationConfigurationIdentifier")
     def attr_organization_configuration_identifier(self) -> builtins.str:
-        '''The identifier of the OrganizationConfiguration being created and assigned as the unique identifier.
+        '''The organization configuration identifier, formatted as ``AccountId/Region/securityhub-organization-configuration`` .
+
+        For example, ``123456789012/us-east-1/securityhub-organization-configuration`` .
 
         :cloudformationAttribute: OrganizationConfigurationIdentifier
         '''
@@ -8980,7 +9027,9 @@ class CfnOrganizationConfiguration(
     @builtins.property
     @jsii.member(jsii_name="attrStatus")
     def attr_status(self) -> builtins.str:
-        '''Describes whether central configuration could be enabled as the ConfigurationType for the organization.
+        '''Describes whether central configuration could be enabled as the ``ConfigurationType`` for the organization.
+
+        If your ``ConfigurationType`` is local configuration, then the value of ``Status`` is always ``ENABLED`` .
 
         :cloudformationAttribute: Status
         '''
@@ -8989,7 +9038,7 @@ class CfnOrganizationConfiguration(
     @builtins.property
     @jsii.member(jsii_name="attrStatusMessage")
     def attr_status_message(self) -> builtins.str:
-        '''Provides an explanation if the value of Status is equal to FAILED when ConfigurationType is equal to CENTRAL.
+        '''Provides an explanation if the value of ``Status`` is equal to ``FAILED`` when ``ConfigurationType`` is equal to ``CENTRAL`` .
 
         :cloudformationAttribute: StatusMessage
         '''
@@ -9019,7 +9068,7 @@ class CfnOrganizationConfiguration(
     @builtins.property
     @jsii.member(jsii_name="autoEnableStandards")
     def auto_enable_standards(self) -> typing.Optional[builtins.str]:
-        '''Whether to automatically enable Security Hub default standards in new member accounts when they join the organization.'''
+        '''Whether to automatically enable Security Hub `default standards <https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html>`_ in new member accounts when they join the organization.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "autoEnableStandards"))
 
     @auto_enable_standards.setter
@@ -9062,9 +9111,9 @@ class CfnOrganizationConfigurationProps:
     ) -> None:
         '''Properties for defining a ``CfnOrganizationConfiguration``.
 
-        :param auto_enable: Whether to automatically enable Security Hub in new member accounts when they join the organization.
-        :param auto_enable_standards: Whether to automatically enable Security Hub default standards in new member accounts when they join the organization.
-        :param configuration_type: Indicates whether the organization uses local or central configuration.
+        :param auto_enable: Whether to automatically enable Security Hub in new member accounts when they join the organization. If set to ``true`` , then Security Hub is automatically enabled in new accounts. If set to ``false`` , then Security Hub isn't enabled in new accounts automatically. The default value is ``false`` . If the ``ConfigurationType`` of your organization is set to ``CENTRAL`` , then this field is set to ``false`` and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which Security Hub is enabled and associate the policy with new organization accounts.
+        :param auto_enable_standards: Whether to automatically enable Security Hub `default standards <https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html>`_ in new member accounts when they join the organization. The default value of this parameter is equal to ``DEFAULT`` . If equal to ``DEFAULT`` , then Security Hub default standards are automatically enabled for new member accounts. If equal to ``NONE`` , then default standards are not automatically enabled for new member accounts. If the ``ConfigurationType`` of your organization is set to ``CENTRAL`` , then this field is set to ``NONE`` and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which specific security standards are enabled and associate the policy with new organization accounts.
+        :param configuration_type: Indicates whether the organization uses local or central configuration. If you use local configuration, the Security Hub delegated administrator can set ``AutoEnable`` to ``true`` and ``AutoEnableStandards`` to ``DEFAULT`` . This automatically enables Security Hub and default security standards in new organization accounts. These new account settings must be set separately in each AWS Region , and settings may be different in each Region. If you use central configuration, the delegated administrator can create configuration policies. Configuration policies can be used to configure Security Hub, security standards, and security controls in multiple accounts and Regions. If you want new organization accounts to use a specific configuration, you can create a configuration policy and associate it with the root or specific organizational units (OUs). New accounts will inherit the policy from the root or their assigned OU.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-organizationconfiguration.html
         :exampleMetadata: fixture=_generated
@@ -9100,6 +9149,10 @@ class CfnOrganizationConfigurationProps:
     def auto_enable(self) -> typing.Union[builtins.bool, _IResolvable_da3f097b]:
         '''Whether to automatically enable Security Hub in new member accounts when they join the organization.
 
+        If set to ``true`` , then Security Hub is automatically enabled in new accounts. If set to ``false`` , then Security Hub isn't enabled in new accounts automatically. The default value is ``false`` .
+
+        If the ``ConfigurationType`` of your organization is set to ``CENTRAL`` , then this field is set to ``false`` and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which Security Hub is enabled and associate the policy with new organization accounts.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-organizationconfiguration.html#cfn-securityhub-organizationconfiguration-autoenable
         '''
         result = self._values.get("auto_enable")
@@ -9108,7 +9161,13 @@ class CfnOrganizationConfigurationProps:
 
     @builtins.property
     def auto_enable_standards(self) -> typing.Optional[builtins.str]:
-        '''Whether to automatically enable Security Hub default standards in new member accounts when they join the organization.
+        '''Whether to automatically enable Security Hub `default standards <https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html>`_ in new member accounts when they join the organization.
+
+        The default value of this parameter is equal to ``DEFAULT`` .
+
+        If equal to ``DEFAULT`` , then Security Hub default standards are automatically enabled for new member accounts. If equal to ``NONE`` , then default standards are not automatically enabled for new member accounts.
+
+        If the ``ConfigurationType`` of your organization is set to ``CENTRAL`` , then this field is set to ``NONE`` and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which specific security standards are enabled and associate the policy with new organization accounts.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-organizationconfiguration.html#cfn-securityhub-organizationconfiguration-autoenablestandards
         '''
@@ -9119,6 +9178,10 @@ class CfnOrganizationConfigurationProps:
     def configuration_type(self) -> typing.Optional[builtins.str]:
         '''Indicates whether the organization uses local or central configuration.
 
+        If you use local configuration, the Security Hub delegated administrator can set ``AutoEnable`` to ``true`` and ``AutoEnableStandards`` to ``DEFAULT`` . This automatically enables Security Hub and default security standards in new organization accounts. These new account settings must be set separately in each AWS Region , and settings may be different in each Region.
+
+        If you use central configuration, the delegated administrator can create configuration policies. Configuration policies can be used to configure Security Hub, security standards, and security controls in multiple accounts and Regions. If you want new organization accounts to use a specific configuration, you can create a configuration policy and associate it with the root or specific organizational units (OUs). New accounts will inherit the policy from the root or their assigned OU.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-organizationconfiguration.html#cfn-securityhub-organizationconfiguration-configurationtype
         '''
         result = self._values.get("configuration_type")
@@ -9142,9 +9205,9 @@ class CfnPolicyAssociation(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_securityhub.CfnPolicyAssociation",
 ):
-    '''The AWS::SecurityHub::PolicyAssociation resource represents the AWS Security Hub Central Configuration Policy associations in your Target.
+    '''The ``AWS::SecurityHub::PolicyAssociation`` resource specifies associations for a configuration policy or a self-managed configuration.
 
-    Only the AWS Security Hub delegated administrator can create the resouce from the home region.
+    You can associate a AWS Security Hub configuration policy or self-managed configuration with the organization root, organizational units (OUs), or AWS accounts . After a successful association, the configuration policy takes effect in the specified targets. For more information, see `Creating and associating Security Hub configuration policies <https://docs.aws.amazon.com/securityhub/latest/userguide/create-associate-policy.html>`_ in the *AWS Security Hub User Guide* .
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-policyassociation.html
     :cloudformationResource: AWS::SecurityHub::PolicyAssociation
@@ -9175,9 +9238,9 @@ class CfnPolicyAssociation(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param configuration_policy_id: The universally unique identifier (UUID) of the configuration policy or a value of SELF_MANAGED_SECURITY_HUB for a self-managed configuration.
+        :param configuration_policy_id: The universally unique identifier (UUID) of the configuration policy. A self-managed configuration has no UUID. The identifier of a self-managed configuration is ``SELF_MANAGED_SECURITY_HUB`` .
         :param target_id: The identifier of the target account, organizational unit, or the root.
-        :param target_type: Indicates whether the target is an AWS account, organizational unit, or the organization root.
+        :param target_type: Specifies whether the target is an AWS account , organizational unit, or the root.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__692795b18a46bd27d463b04c85753cc984649b4661bf3ac69e7b6db22ea687f8)
@@ -9224,7 +9287,9 @@ class CfnPolicyAssociation(
     @builtins.property
     @jsii.member(jsii_name="attrAssociationIdentifier")
     def attr_association_identifier(self) -> builtins.str:
-        '''A unique identifier to indicates if the target has an association.
+        '''The association identifier, formatted as ``TargetType/TargetId`` .
+
+        For example, ``ACCOUNT/123456789012`` .
 
         :cloudformationAttribute: AssociationIdentifier
         '''
@@ -9242,7 +9307,7 @@ class CfnPolicyAssociation(
     @builtins.property
     @jsii.member(jsii_name="attrAssociationStatusMessage")
     def attr_association_status_message(self) -> builtins.str:
-        '''An explanation for a FAILED value for AssociationStatus.
+        '''The explanation for a ``FAILED`` value for ``AssociationStatus`` .
 
         :cloudformationAttribute: AssociationStatusMessage
         '''
@@ -9251,7 +9316,7 @@ class CfnPolicyAssociation(
     @builtins.property
     @jsii.member(jsii_name="attrAssociationType")
     def attr_association_type(self) -> builtins.str:
-        '''Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
+        '''Indicates whether the association between the specified target and the configuration was directly applied by the AWS Security Hub delegated administrator or inherited from a parent.
 
         :cloudformationAttribute: AssociationType
         '''
@@ -9274,7 +9339,7 @@ class CfnPolicyAssociation(
     @builtins.property
     @jsii.member(jsii_name="configurationPolicyId")
     def configuration_policy_id(self) -> builtins.str:
-        '''The universally unique identifier (UUID) of the configuration policy or a value of SELF_MANAGED_SECURITY_HUB for a self-managed configuration.'''
+        '''The universally unique identifier (UUID) of the configuration policy.'''
         return typing.cast(builtins.str, jsii.get(self, "configurationPolicyId"))
 
     @configuration_policy_id.setter
@@ -9300,7 +9365,7 @@ class CfnPolicyAssociation(
     @builtins.property
     @jsii.member(jsii_name="targetType")
     def target_type(self) -> builtins.str:
-        '''Indicates whether the target is an AWS account, organizational unit, or the organization root.'''
+        '''Specifies whether the target is an AWS account , organizational unit, or the root.'''
         return typing.cast(builtins.str, jsii.get(self, "targetType"))
 
     @target_type.setter
@@ -9330,9 +9395,9 @@ class CfnPolicyAssociationProps:
     ) -> None:
         '''Properties for defining a ``CfnPolicyAssociation``.
 
-        :param configuration_policy_id: The universally unique identifier (UUID) of the configuration policy or a value of SELF_MANAGED_SECURITY_HUB for a self-managed configuration.
+        :param configuration_policy_id: The universally unique identifier (UUID) of the configuration policy. A self-managed configuration has no UUID. The identifier of a self-managed configuration is ``SELF_MANAGED_SECURITY_HUB`` .
         :param target_id: The identifier of the target account, organizational unit, or the root.
-        :param target_type: Indicates whether the target is an AWS account, organizational unit, or the organization root.
+        :param target_type: Specifies whether the target is an AWS account , organizational unit, or the root.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-policyassociation.html
         :exampleMetadata: fixture=_generated
@@ -9362,7 +9427,9 @@ class CfnPolicyAssociationProps:
 
     @builtins.property
     def configuration_policy_id(self) -> builtins.str:
-        '''The universally unique identifier (UUID) of the configuration policy or a value of SELF_MANAGED_SECURITY_HUB for a self-managed configuration.
+        '''The universally unique identifier (UUID) of the configuration policy.
+
+        A self-managed configuration has no UUID. The identifier of a self-managed configuration is ``SELF_MANAGED_SECURITY_HUB`` .
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-policyassociation.html#cfn-securityhub-policyassociation-configurationpolicyid
         '''
@@ -9382,7 +9449,7 @@ class CfnPolicyAssociationProps:
 
     @builtins.property
     def target_type(self) -> builtins.str:
-        '''Indicates whether the target is an AWS account, organizational unit, or the organization root.
+        '''Specifies whether the target is an AWS account , organizational unit, or the root.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-policyassociation.html#cfn-securityhub-policyassociation-targettype
         '''
@@ -9568,7 +9635,11 @@ class CfnSecurityControl(
     metaclass=jsii.JSIIMeta,
     jsii_type="aws-cdk-lib.aws_securityhub.CfnSecurityControl",
 ):
-    '''A security control in Security Hub describes a security best practice related to a specific resource.
+    '''The ``AWS::SecurityHub::SecurityControl`` resource specifies custom parameter values for an AWS Security Hub control.
+
+    For a list of controls that support custom parameters, see `Security Hub controls reference <https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html>`_ . You can also use this resource to specify the use of default parameter values for a control. For more information about custom parameters, see `Custom control parameters <https://docs.aws.amazon.com/securityhub/latest/userguide/custom-control-parameters.html>`_ in the *AWS Security Hub User Guide* .
+
+    Tags aren't supported for this resource.
 
     :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-securitycontrol.html
     :cloudformationResource: AWS::SecurityHub::SecurityControl
@@ -9607,10 +9678,10 @@ class CfnSecurityControl(
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param parameters: 
-        :param last_update_reason: The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
-        :param security_control_arn: 
-        :param security_control_id: 
+        :param parameters: An object that identifies the name of a control parameter, its current value, and whether it has been customized.
+        :param last_update_reason: The most recent reason for updating the customizable properties of a security control. This differs from the ``UpdateReason`` field of the ```BatchUpdateStandardsControlAssociations`` <https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html>`_ API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
+        :param security_control_arn: The Amazon Resource Name (ARN) for a security control across standards, such as ``arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1`` . This parameter doesn't mention a specific standard.
+        :param security_control_id: The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__726fa705fd558de76e132e75c55b8475c62b8dc48c449b5a702f64b1f4bff214)
@@ -9665,6 +9736,7 @@ class CfnSecurityControl(
     def parameters(
         self,
     ) -> typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, "CfnSecurityControl.ParameterConfigurationProperty"]]]:
+        '''An object that identifies the name of a control parameter, its current value, and whether it has been customized.'''
         return typing.cast(typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, "CfnSecurityControl.ParameterConfigurationProperty"]]], jsii.get(self, "parameters"))
 
     @parameters.setter
@@ -9693,6 +9765,7 @@ class CfnSecurityControl(
     @builtins.property
     @jsii.member(jsii_name="securityControlArn")
     def security_control_arn(self) -> typing.Optional[builtins.str]:
+        '''The Amazon Resource Name (ARN) for a security control across standards, such as ``arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1`` . This parameter doesn't mention a specific standard.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "securityControlArn"))
 
     @security_control_arn.setter
@@ -9705,6 +9778,7 @@ class CfnSecurityControl(
     @builtins.property
     @jsii.member(jsii_name="securityControlId")
     def security_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of a security control across standards.'''
         return typing.cast(typing.Optional[builtins.str], jsii.get(self, "securityControlId"))
 
     @security_control_id.setter
@@ -9721,8 +9795,9 @@ class CfnSecurityControl(
     )
     class ParameterConfigurationProperty:
         def __init__(self, *, value_type: builtins.str) -> None:
-            '''
-            :param value_type: 
+            '''An object that provides the current value of a security control parameter and identifies whether it has been customized.
+
+            :param value_type: Identifies whether a control parameter uses a custom user-defined value or subscribes to the default AWS Security Hub behavior. When ``ValueType`` is set equal to ``DEFAULT`` , the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When ``ValueType`` is set equal to ``DEFAULT`` , Security Hub ignores user-provided input for the ``Value`` field. When ``ValueType`` is set equal to ``CUSTOM`` , the ``Value`` field can't be empty.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-securitycontrol-parameterconfiguration.html
             :exampleMetadata: fixture=_generated
@@ -9746,7 +9821,12 @@ class CfnSecurityControl(
 
         @builtins.property
         def value_type(self) -> builtins.str:
-            '''
+            '''Identifies whether a control parameter uses a custom user-defined value or subscribes to the default AWS Security Hub behavior.
+
+            When ``ValueType`` is set equal to ``DEFAULT`` , the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When ``ValueType`` is set equal to ``DEFAULT`` , Security Hub ignores user-provided input for the ``Value`` field.
+
+            When ``ValueType`` is set equal to ``CUSTOM`` , the ``Value`` field can't be empty.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-securityhub-securitycontrol-parameterconfiguration.html#cfn-securityhub-securitycontrol-parameterconfiguration-valuetype
             '''
             result = self._values.get("value_type")
@@ -9786,10 +9866,10 @@ class CfnSecurityControlProps:
     ) -> None:
         '''Properties for defining a ``CfnSecurityControl``.
 
-        :param parameters: 
-        :param last_update_reason: The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
-        :param security_control_arn: 
-        :param security_control_id: 
+        :param parameters: An object that identifies the name of a control parameter, its current value, and whether it has been customized.
+        :param last_update_reason: The most recent reason for updating the customizable properties of a security control. This differs from the ``UpdateReason`` field of the ```BatchUpdateStandardsControlAssociations`` <https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html>`_ API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
+        :param security_control_arn: The Amazon Resource Name (ARN) for a security control across standards, such as ``arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1`` . This parameter doesn't mention a specific standard.
+        :param security_control_id: The unique identifier of a security control across standards. Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-securitycontrol.html
         :exampleMetadata: fixture=_generated
@@ -9833,7 +9913,8 @@ class CfnSecurityControlProps:
     def parameters(
         self,
     ) -> typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, CfnSecurityControl.ParameterConfigurationProperty]]]:
-        '''
+        '''An object that identifies the name of a control parameter, its current value, and whether it has been customized.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-securitycontrol.html#cfn-securityhub-securitycontrol-parameters
         '''
         result = self._values.get("parameters")
@@ -9844,7 +9925,7 @@ class CfnSecurityControlProps:
     def last_update_reason(self) -> typing.Optional[builtins.str]:
         '''The most recent reason for updating the customizable properties of a security control.
 
-        This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
+        This differs from the ``UpdateReason`` field of the ```BatchUpdateStandardsControlAssociations`` <https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateStandardsControlAssociations.html>`_ API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-securitycontrol.html#cfn-securityhub-securitycontrol-lastupdatereason
         '''
@@ -9853,7 +9934,8 @@ class CfnSecurityControlProps:
 
     @builtins.property
     def security_control_arn(self) -> typing.Optional[builtins.str]:
-        '''
+        '''The Amazon Resource Name (ARN) for a security control across standards, such as ``arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1`` . This parameter doesn't mention a specific standard.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-securitycontrol.html#cfn-securityhub-securitycontrol-securitycontrolarn
         '''
         result = self._values.get("security_control_arn")
@@ -9861,7 +9943,10 @@ class CfnSecurityControlProps:
 
     @builtins.property
     def security_control_id(self) -> typing.Optional[builtins.str]:
-        '''
+        '''The unique identifier of a security control across standards.
+
+        Values for this field typically consist of an AWS service name and a number, such as APIGateway.3.
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-securityhub-securitycontrol.html#cfn-securityhub-securitycontrol-securitycontrolid
         '''
         result = self._values.get("security_control_id")