Provides the rule owner (Amazon Web Services or customer), the rule identifier,\n\t\t\tand the notifications that cause the function to evaluate your Amazon Web Services\n\t\t\tresources.
", + "smithy.api#documentation": "Provides the rule owner (Amazon Web Services for managed rules, CUSTOM_POLICY for Custom Policy rules, and CUSTOM_LAMBDA for Custom Lambda rules), the rule identifier,\n\t\t\tand the notifications that cause the function to evaluate your Amazon Web Services\n\t\t\tresources.
Service principal name of the service that created the\n\t\t\trule.
\n\t\tThe field is populated only if the service linked rule is\n\t\t\t\tcreated by a service. The field is empty if you create your own\n\t\t\t\trule.
\n\t\tService principal name of the service that created the\n\t\t\trule.
\n\t\tThe field is populated only if the service-linked rule is\n\t\t\t\tcreated by a service. The field is empty if you create your own\n\t\t\t\trule.
\n\t\tAn Config rule represents an Lambda function that you\n\t\t\tcreate for a custom rule or a predefined function for an Config managed\n\t\t\trule. The function evaluates configuration items to assess whether\n\t\t\tyour Amazon Web Services resources comply with your desired configurations. This\n\t\t\tfunction can run when Config detects a configuration change to\n\t\t\tan Amazon Web Services resource and at a periodic frequency that you choose (for\n\t\t\texample, every 24 hours).
\n\n\t\tYou can use the Amazon Web Services CLI and Amazon Web Services SDKs if you want to create\n\t\t\t\ta rule that triggers evaluations for your resources when Config delivers the configuration snapshot. For more\n\t\t\t\tinformation, see ConfigSnapshotDeliveryProperties.
\n\t\tFor more information about developing and using Config\n\t\t\trules, see Evaluating Amazon Web Services resource Configurations with Config\n\t\t\tin the Config Developer Guide.
" + "smithy.api#documentation": "Config rules evaluate the configuration settings of your Amazon Web Services resources. A rule can run when Config detects a configuration change to\n\t\t\tan Amazon Web Services resource or at a periodic frequency that you choose (for\n\t\t\texample, every 24 hours). There are two types of rules: Config Managed Rules and Config Custom Rules.\n\t\t\tManaged rules are predefined, customizable rules created by Config. For a list of managed rules, see\n\t\t\t\tList of Config\n\t\t\t\t\tManaged Rules.
\n\t\t\n\t\tCustom rules are rules that you can create using either Guard or Lambda functions.\n\t\t\tGuard (Guard GitHub\n\t\t\t\tRepository) is a policy-as-code language that allows you to write policies that\n\t\t\tare enforced by Config Custom Policy rules. Lambda uses custom code that you upload to\n\t\t\tevaluate a custom rule. It is invoked by events that are published to it by an event source, which Config invokes when the custom rule is initiated.
\n\t\t\n\t\tFor more information about developing and using Config\n\t\t\trules, see Evaluating Amazon Web Services resource Configurations with Config\n\t\t\tin the Config Developer Guide.
\n\n\t\tYou can use the Amazon Web Services CLI and Amazon Web Services SDKs if you want to create\n\t\t\t\ta rule that triggers evaluations for your resources when Config delivers the configuration snapshot. For more\n\t\t\t\tinformation, see ConfigSnapshotDeliveryProperties.
\n\t\tCompliance score for the conformance pack.
" + "smithy.api#documentation": "Compliance score for the conformance pack. Conformance packs with no evaluation results will have a compliance score of INSUFFICIENT_DATA.
A compliance score is the percentage of the number of compliant rule-resource combinations in a conformance pack compared to the number of total possible rule-resource combinations in the conformance pack.\n\t\t\tThis metric provides you with a high-level view of the compliance state of your conformance packs, and can be used to identify, investigate, and understand\n\t\t\tcompliance deviations in your conformance packs.
" + "smithy.api#documentation": "A compliance score is the percentage of the number of compliant rule-resource combinations in a conformance pack compared to the number of total possible rule-resource combinations in the conformance pack.\n\t\t\tThis metric provides you with a high-level view of the compliance state of your conformance packs, and can be used to identify, investigate, and understand\n\t\t\tthe level of compliance in your conformance packs.
" } }, "com.amazonaws.configservice#ConformancePackComplianceScores": { @@ -1880,13 +1880,13 @@ "ConformancePackNames": { "target": "com.amazonaws.configservice#ConformancePackNameFilter", "traits": { - "smithy.api#documentation": "The name of a conformance pack whose score should be included in the compliance score result.
", + "smithy.api#documentation": "The names of the conformance packs whose compliance scores you want to include in the conformance pack compliance score result set.\n\t\t\tYou can include up to 25 conformance packs in the ConformancePackNames array of strings, each with a character limit of 256 characters for the conformance pack name.
A list of filters to apply to the conformance pack compliance score result set.
" + "smithy.api#documentation": "A list of filters to apply to the conformance pack compliance score result set.
" } }, "com.amazonaws.configservice#ConformancePackComplianceSummary": { @@ -3039,7 +3039,7 @@ "s3BucketName": { "target": "com.amazonaws.configservice#String", "traits": { - "smithy.api#documentation": "The name of the Amazon S3 bucket to which Config delivers\n\t\t\tconfiguration snapshots and configuration history files.
\n\t\tIf you specify a bucket that belongs to another Amazon Web Services account,\n\t\t\tthat bucket must have policies that grant access permissions to Config. For more information, see Permissions for the Amazon S3 Bucket in the Config\n\t\t\tDeveloper Guide.
" + "smithy.api#documentation": "The name of the Amazon S3 bucket to which Config delivers\n\t\t\tconfiguration snapshots and configuration history files.
\n\t\tIf you specify a bucket that belongs to another Amazon Web Services account,\n\t\t\tthat bucket must have policies that grant access permissions to Config. For more information, see Permissions for the Amazon S3 Bucket in the Config\n\t\t\tDeveloper Guide.
" } }, "s3KeyPrefix": { @@ -3057,7 +3057,7 @@ "snsTopicARN": { "target": "com.amazonaws.configservice#String", "traits": { - "smithy.api#documentation": "The Amazon Resource Name (ARN) of the Amazon SNS topic to which\n\t\t\tConfig sends notifications about configuration\n\t\t\tchanges.
\n\t\tIf you choose a topic from another account, the topic must have\n\t\t\tpolicies that grant access permissions to Config. For more\n\t\t\tinformation, see Permissions for the Amazon SNS Topic in the Config\n\t\t\tDeveloper Guide.
" + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the Amazon SNS topic to which\n\t\t\tConfig sends notifications about configuration\n\t\t\tchanges.
\n\t\tIf you choose a topic from another account, the topic must have\n\t\t\tpolicies that grant access permissions to Config. For more\n\t\t\tinformation, see Permissions for the Amazon SNS Topic in the Config\n\t\t\tDeveloper Guide.
" } }, "configSnapshotDeliveryProperties": { @@ -6573,7 +6573,7 @@ } }, "traits": { - "smithy.api#documentation": "Indicates one of the following errors:
\n\t\tFor PutConfigRule, the rule cannot be created because the IAM role assigned to Config lacks permissions to perform the config:Put* action.
\nFor PutConfigRule, the Lambda function cannot be invoked. Check the function ARN, and check the function's permissions.
\nFor PutOrganizationConfigRule, organization Config rule cannot be created because you do not have permissions to call IAM GetRole action or create a service linked role.
For PutConformancePack and PutOrganizationConformancePack, a conformance pack cannot be created because you do not have permissions:
\n\t\t\t\tTo call IAM GetRole action or create a service linked role.
To read Amazon S3 bucket.
\nIndicates one of the following errors:
\n\t\tFor PutConfigRule, the rule cannot be created because the IAM role assigned to Config lacks permissions to perform the config:Put* action.
\nFor PutConfigRule, the Lambda function cannot be invoked. Check the function ARN, and check the function's permissions.
\nFor PutOrganizationConfigRule, organization Config rule cannot be created because you do not have permissions to call IAM GetRole action or create a service-linked role.
For PutConformancePack and PutOrganizationConformancePack, a conformance pack cannot be created because you do not have permissions:
\n\t\t\t\tTo call IAM GetRole action or create a service-linked role.
To read Amazon S3 bucket.
\nReturns a list of conformance pack compliance scores. \n\t\t\tA compliance score is the percentage of the number of compliant rule-resource combinations in a conformance pack compared to the number of total possible rule-resource combinations in the conformance pack.\n\t\t\tThis metric provides you with a high-level view of the compliance state of your conformance packs, and can be used to identify, investigate, and understand\n\t\t\tcompliance deviations in your conformance packs.
", + "smithy.api#documentation": "Returns a list of conformance pack compliance scores. \n\t\t\tA compliance score is the percentage of the number of compliant rule-resource combinations in a conformance pack compared to the number of total possible rule-resource combinations in the conformance pack.\n\t\t\tThis metric provides you with a high-level view of the compliance state of your conformance packs, and can be used to identify, investigate, and understand\n\t\t\tthe level of compliance in your conformance packs.
\n\t\tConformance packs with no evaluation results will have a compliance score of INSUFFICIENT_DATA.
Determines the order in which conformance pack compliance scores are sorted. Either in ascending or descending order.
" + "smithy.api#documentation": "Determines the order in which conformance pack compliance scores are sorted. Either in ascending or descending order.
\n\t\tConformance packs with a compliance score of INSUFFICIENT_DATA will be first when sorting by ascending order and last when sorting by descending order.
Sorts your conformance pack compliance scores in either ascending or descending order, depending on SortOrder.
Sorts your conformance pack compliance scores in either ascending or descending order, depending on SortOrder.
By default, conformance pack compliance scores are sorted in ascending order by compliance score and alphabetically by name of the conformance pack if there is more than one conformance pack with the same compliance score.
" } }, "Limit": { @@ -6981,7 +6981,7 @@ "ConformancePackComplianceScores": { "target": "com.amazonaws.configservice#ConformancePackComplianceScores", "traits": { - "smithy.api#documentation": "A list of ConformancePackComplianceScore objects
A list of ConformancePackComplianceScore objects.
Adds or updates an Config rule for evaluating whether your\n\t\t\tAmazon Web Services resources comply with your desired configurations.
\n\t\tYou can use this action for Config custom rules and Config\n\t\t\tmanaged rules. A Config custom rule is a rule that you\n\t\t\tdevelop and maintain. An Config managed rule is a customizable,\n\t\t\tpredefined rule that Config provides.
\n\t\tIf you are adding a new Config custom rule, you must first\n\t\t\tcreate the Lambda function that the rule invokes to evaluate\n\t\t\tyour resources. When you use the PutConfigRule action\n\t\t\tto add the rule to Config, you must specify the Amazon Resource\n\t\t\tName (ARN) that Lambda assigns to the function. Specify the ARN\n\t\t\tfor the SourceIdentifier key. This key is part of the\n\t\t\t\tSource object, which is part of the\n\t\t\t\tConfigRule object.
If you are adding an Config managed rule, specify the\n\t\t\trule's identifier for the SourceIdentifier key. To\n\t\t\treference Config managed rule identifiers, see About Config managed rules.
For any new rule that you add, specify the\n\t\t\t\tConfigRuleName in the ConfigRule\n\t\t\tobject. Do not specify the ConfigRuleArn or the\n\t\t\tConfigRuleId. These values are generated by Config for new rules.
If you are updating a rule that you added previously, you can\n\t\t\tspecify the rule by ConfigRuleName,\n\t\t\t\tConfigRuleId, or ConfigRuleArn in the\n\t\t\t\tConfigRule data type that you use in this\n\t\t\trequest.
For information on how many Config rules you can have per account, \n\t\t\tsee \n Service Limits\n in the Config Developer Guide.
\n\n\t\tFor more information about developing and using Config\n\t\t\trules, see Evaluating Amazon Web Services resource Configurations with Config\n\t\t\tin the Config Developer Guide.
" + "smithy.api#documentation": "Adds or updates an Config rule to evaluate if your\n\t\t\tAmazon Web Services resources comply with your desired configurations. For information on how many Config rules you can have per account, \n\t\t\tsee \n Service Limits\n in the Config Developer Guide.
\n\t\t\n\t\tThere are two types of rules: Config Custom Rules and Config Managed Rules.\n\t\t\tYou can use PutConfigRule to create both Config custom rules and Config managed rules.
Custom rules are rules that you can create using either Guard or Lambda functions.\n\t\t\tGuard (Guard GitHub\n\t\t\t\tRepository) is a policy-as-code language that allows you to write policies that\n\t\t\tare enforced by Config Custom Policy rules. Lambda uses custom code that you upload to\n\t\t\tevaluate a custom rule. If you are adding a new Custom Lambda rule,\n\t\t\tyou first need to create an Lambda function that the rule invokes to evaluate\n\t\t\tyour resources. When you use PutConfigRule to add a Custom Lambda rule to Config, you must specify the Amazon Resource\n\t\t\tName (ARN) that Lambda assigns to the function. You specify the ARN\n\t\t\tin the SourceIdentifier key. This key is part of the\n\t\t\tSource object, which is part of the\n\t\t\tConfigRule object.
Managed rules are predefined,\n\t\t\tcustomizable rules created by Config. For a list of managed rules, see\n\t\t\tList of Config\n\t\t\t\tManaged Rules. If you are adding an Config managed rule, you must specify the\n\t\t\trule's identifier for the SourceIdentifier key.
For any new rule that you add, specify the\n\t\t\t\tConfigRuleName in the ConfigRule\n\t\t\tobject. Do not specify the ConfigRuleArn or the\n\t\t\tConfigRuleId. These values are generated by Config for new rules.
If you are updating a rule that you added previously, you can\n\t\t\tspecify the rule by ConfigRuleName,\n\t\t\t\tConfigRuleId, or ConfigRuleArn in the\n\t\t\t\tConfigRule data type that you use in this\n\t\t\trequest.
For more information about developing and using Config\n\t\t\trules, see Evaluating Amazon Web Services resource Configurations with Config\n\t\t\tin the Config Developer Guide.
" } }, "com.amazonaws.configservice#PutConfigRuleRequest": { @@ -8818,7 +8818,7 @@ } ], "traits": { - "smithy.api#documentation": "Creates and updates the configuration aggregator with the\n\t\t\tselected source accounts and regions. The source account can be\n\t\t\tindividual account(s) or an organization.
\n\t\t\n\t\t\n accountIds that are passed will be replaced with existing accounts.\n\t\t\tIf you want to add additional accounts into the aggregator, call DescribeConfigurationAggregators to get the previous accounts and then append new ones.
Config should be enabled in source accounts and regions\n\t\t\t\tyou want to aggregate.
\n\t\t\t\n\t\t\tIf your source type is an organization, you must be signed in to the management account or a registered delegated administrator and all the features must be enabled in your organization. \n\t\t\t\tIf the caller is a management account, Config calls EnableAwsServiceAccess API to enable integration between Config and Organizations.\n\t\t\t\tIf the caller is a registered delegated administrator, Config calls ListDelegatedAdministrators API to verify whether the caller is a valid delegated administrator.
To register a delegated administrator, see Register a Delegated Administrator in the Config developer guide.
\n\t\tCreates and updates the configuration aggregator with the\n\t\t\tselected source accounts and regions. The source account can be\n\t\t\tindividual account(s) or an organization.
\n\t\t\n\t\t\n accountIds that are passed will be replaced with existing accounts.\n\t\t\tIf you want to add additional accounts into the aggregator, call DescribeConfigurationAggregators to get the previous accounts and then append new ones.
Config should be enabled in source accounts and regions\n\t\t\t\tyou want to aggregate.
\n\t\t\t\n\t\t\tIf your source type is an organization, you must be signed in to the management account or a registered delegated administrator and all the features must be enabled in your organization. \n\t\t\t\tIf the caller is a management account, Config calls EnableAwsServiceAccess API to enable integration between Config and Organizations.\n\t\t\t\tIf the caller is a registered delegated administrator, Config calls ListDelegatedAdministrators API to verify whether the caller is a valid delegated administrator.
To register a delegated administrator, see Register a Delegated Administrator in the Config developer guide.
\n\t\tCreates or updates a conformance pack. A conformance pack is a collection of Config rules that can be easily deployed in an account and a region and across Amazon Web Services Organization.\n\t\t\tFor information on how many conformance packs you can have per account, \n\t\t\tsee \n Service Limits\n in the Config Developer Guide.
\n\t\tThis API creates a service linked role AWSServiceRoleForConfigConforms in your account. \n\t\tThe service linked role is created only when the role does not exist in your account.
You must specify either the TemplateS3Uri or the TemplateBody parameter, but not both. \n\t\t\tIf you provide both Config uses the TemplateS3Uri parameter and ignores the TemplateBody parameter.
Creates or updates a conformance pack. A conformance pack is a collection of Config rules that can be easily deployed in an account and a region and across Amazon Web Services Organization.\n\t\t\tFor information on how many conformance packs you can have per account, \n\t\t\tsee \n Service Limits\n in the Config Developer Guide.
\n\t\tThis API creates a service-linked role AWSServiceRoleForConfigConforms in your account. \n\t\tThe service-linked role is created only when the role does not exist in your account.
You must specify either the TemplateS3Uri or the TemplateBody parameter, but not both. \n\t\t\tIf you provide both Config uses the TemplateS3Uri parameter and ignores the TemplateBody parameter.
Adds or updates organization Config rule for your entire organization evaluating whether your Amazon Web Services resources comply with your \n\t\t\tdesired configurations. For information on how many organization Config rules you can have per account, \n\t\t\tsee \n Service Limits\n in the Config Developer Guide.
\n\t Only a master account and a delegated administrator can create or update an organization Config rule.\n\t\tWhen calling this API with a delegated administrator, you must ensure Organizations \n\t\tListDelegatedAdministrator permissions are added. An organization can have up to 3 delegated administrators.
This API enables organization service access through the EnableAWSServiceAccess action and creates a service linked \n\t\t\trole AWSServiceRoleForConfigMultiAccountSetup in the master or delegated administrator account of your organization. \n\t\t\tThe service linked role is created only when the role does not exist in the caller account. \n\t\t\tConfig verifies the existence of role with GetRole action.
To use this API with delegated administrator, register a delegated administrator by calling Amazon Web Services Organization\n\t\t\tregister-delegated-administrator for config-multiaccountsetup.amazonaws.com.
You can use this action to create both Config custom rules and Config managed rules. \n\t\t\tIf you are adding a new Config custom rule, you must first create Lambda function in the master account or a delegated \n\t\t\tadministrator that the rule invokes to evaluate your resources. You also need to create an IAM role in the managed-account that can be assumed by the Lambda function.\n\t\t\tWhen you use the PutOrganizationConfigRule action to add the rule to Config, you must \n\t\t\tspecify the Amazon Resource Name (ARN) that Lambda assigns to the function. \n\t\t\tIf you are adding an Config managed rule, specify the rule's identifier for the RuleIdentifier key.
Prerequisite: Ensure you call EnableAllFeatures API to enable all features in an organization.
Specify either OrganizationCustomRuleMetadata or OrganizationManagedRuleMetadata.
Adds or updates an Config rule for your entire organization to evaluate if your Amazon Web Services resources comply with your \n\t\t\tdesired configurations. For information on how many organization Config rules you can have per account, \n\t\t\tsee \n Service Limits\n in the Config Developer Guide.
\n\t Only a master account and a delegated administrator can create or update an organization Config rule.\n\t\tWhen calling this API with a delegated administrator, you must ensure Organizations \n\t\tListDelegatedAdministrator permissions are added. An organization can have up to 3 delegated administrators.
This API enables organization service access through the EnableAWSServiceAccess action and creates a service-linked \n\t\t\trole AWSServiceRoleForConfigMultiAccountSetup in the master or delegated administrator account of your organization. \n\t\t\tThe service-linked role is created only when the role does not exist in the caller account. \n\t\t\tConfig verifies the existence of role with GetRole action.
To use this API with delegated administrator, register a delegated administrator by calling Amazon Web Services Organization\n\t\t\tregister-delegated-administrator for config-multiaccountsetup.amazonaws.com.
There are two types of rules: Config Custom Rules and Config Managed Rules.\n\t\t\tYou can use PutOrganizationConfigRule to create both Config custom rules and Config managed rules.
Custom rules are rules that you can create using either Guard or Lambda functions.\n\t\t\tGuard (Guard GitHub\n\t\t\t\tRepository) is a policy-as-code language that allows you to write policies that\n\t\t\tare enforced by Config Custom Policy rules. Lambda uses custom code that you upload to\n\t\t\tevaluate a custom rule. If you are adding a new Custom Lambda rule, you first need to create an Lambda function in the master account or a delegated \n\t\tadministrator that the rule invokes to evaluate your resources. You also need to create an IAM role in the managed account that can be assumed by the Lambda function.\n\t\tWhen you use PutOrganizationConfigRule to add a Custom Lambda rule to Config, you must \n\t\t\tspecify the Amazon Resource Name (ARN) that Lambda assigns to the function.
Managed rules are predefined,\n\t\t\tcustomizable rules created by Config. For a list of managed rules, see\n\t\t\tList of Config\n\t\t\t\tManaged Rules. If you are adding an Config managed rule, you must specify the rule's identifier for the RuleIdentifier key.
Prerequisite: Ensure you call EnableAllFeatures API to enable all features in an organization.
Make sure to specify one of either OrganizationCustomPolicyRuleMetadata for Custom Policy rules, OrganizationCustomRuleMetadata for Custom Lambda rules, or OrganizationManagedRuleMetadata for managed rules.
An OrganizationManagedRuleMetadata object.
An OrganizationManagedRuleMetadata object. This object specifies organization\n\t\t\tmanaged rule metadata such as resource type and ID of Amazon Web Services resource along with the rule identifier.\n\t\t\tIt also provides the frequency with which you want Config to run evaluations for the rule if the trigger type is periodic.
An OrganizationCustomRuleMetadata object.
An OrganizationCustomRuleMetadata object. This object specifies organization custom rule metadata such as resource type,\n\t\t\tresource ID of Amazon Web Services resource, Lambda function ARN, and organization trigger types that trigger Config to evaluate your Amazon Web Services resources against a rule.\n\t\t\tIt also provides the frequency with which you want Config to run evaluations for the rule if the trigger type is periodic.
An object that specifies metadata for your organization's Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug\n\t\t\tlogging enabled, and other custom rule metadata, such as resource type, resource ID of\n\t\t\t\tAmazon Web Services resource, and organization trigger types that initiate Config to evaluate Amazon Web Services resources against a rule.
" + "smithy.api#documentation": "An OrganizationCustomPolicyRuleMetadata object. This object specifies metadata for your organization's Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug\n\t\t\tlogging enabled, and other custom rule metadata, such as resource type, resource ID of\n\t\t\tAmazon Web Services resource, and organization trigger types that initiate Config to evaluate Amazon Web Services resources against a rule.
Deploys conformance packs across member accounts in an Amazon Web Services Organization. For information on how many organization conformance packs and how many Config rules you can have per account, \n\t\t\tsee \n Service Limits\n in the Config Developer Guide.
\n\t\tOnly a master account and a delegated administrator can call this API. \n\t\t\tWhen calling this API with a delegated administrator, you must ensure Organizations \n\t\t\tListDelegatedAdministrator permissions are added. An organization can have up to 3 delegated administrators.
This API enables organization service access for config-multiaccountsetup.amazonaws.com\n\t\t\tthrough the EnableAWSServiceAccess action and creates a \n\t\t\tservice linked role AWSServiceRoleForConfigMultiAccountSetup in the master or delegated administrator account of your organization. \n\t\t\tThe service linked role is created only when the role does not exist in the caller account. \n\t\t\tTo use this API with delegated administrator, register a delegated administrator by calling Amazon Web Services Organization \n\t\t\tregister-delegate-admin for config-multiaccountsetup.amazonaws.com.
Prerequisite: Ensure you call EnableAllFeatures API to enable all features in an organization.
You must specify either the TemplateS3Uri or the TemplateBody parameter, but not both. \n\t\t\tIf you provide both Config uses the TemplateS3Uri parameter and ignores the TemplateBody parameter.
Config sets the state of a conformance pack to CREATE_IN_PROGRESS and UPDATE_IN_PROGRESS until the conformance pack is created or updated. \n\t\t\t\tYou cannot update a conformance pack while it is in this state.
\nDeploys conformance packs across member accounts in an Amazon Web Services Organization. For information on how many organization conformance packs and how many Config rules you can have per account, \n\t\t\tsee \n Service Limits\n in the Config Developer Guide.
\n\t\tOnly a master account and a delegated administrator can call this API. \n\t\t\tWhen calling this API with a delegated administrator, you must ensure Organizations \n\t\t\tListDelegatedAdministrator permissions are added. An organization can have up to 3 delegated administrators.
This API enables organization service access for config-multiaccountsetup.amazonaws.com\n\t\t\tthrough the EnableAWSServiceAccess action and creates a \n\t\t\tservice-linked role AWSServiceRoleForConfigMultiAccountSetup in the master or delegated administrator account of your organization. \n\t\t\tThe service-linked role is created only when the role does not exist in the caller account. \n\t\t\tTo use this API with delegated administrator, register a delegated administrator by calling Amazon Web Services Organization \n\t\t\tregister-delegate-admin for config-multiaccountsetup.amazonaws.com.
Prerequisite: Ensure you call EnableAllFeatures API to enable all features in an organization.
You must specify either the TemplateS3Uri or the TemplateBody parameter, but not both. \n\t\t\tIf you provide both Config uses the TemplateS3Uri parameter and ignores the TemplateBody parameter.
Config sets the state of a conformance pack to CREATE_IN_PROGRESS and UPDATE_IN_PROGRESS until the conformance pack is created or updated. \n\t\t\t\tYou cannot update a conformance pack while it is in this state.
\nName of the service that owns the service linked rule, if applicable.
" + "smithy.api#documentation": "Name of the service that owns the service-linked rule, if applicable.
" } } }, @@ -11251,7 +11251,7 @@ } ], "traits": { - "smithy.api#documentation": "Accepts a structured query language (SQL) SELECT command, performs the corresponding search, and returns resource configurations matching the properties.
For more information about query components, see the \n\t\t\t\n Query Components\n section in the Config Developer Guide.
", + "smithy.api#documentation": "Accepts a structured query language (SQL) SELECT command, performs the corresponding search, and returns resource configurations matching the properties.
For more information about query components, see the \n\t\t\t\n Query Components\n section in the Config Developer Guide.
", "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", @@ -11339,7 +11339,7 @@ "Owner": { "target": "com.amazonaws.configservice#Owner", "traits": { - "smithy.api#documentation": "Indicates whether Amazon Web Services or the customer owns and manages the Config rule.
\n\t\t\n\t\tConfig Managed Rules are predefined rules owned by Amazon Web Services. For more information, see Config Managed Rules in the Config developer guide.
\n\t\t\n\t\tConfig Custom Rules are rules that you can develop either with Guard (CUSTOM_POLICY) or Lambda (CUSTOM_LAMBDA). For more information, see Config Custom Rules in the Config developer guide.
Indicates whether Amazon Web Services or the customer owns and manages the Config rule.
\n\t\t\n\t\tConfig Managed Rules are predefined rules owned by Amazon Web Services. For more information, see Config Managed Rules in the Config developer guide.
\n\t\t\n\t\tConfig Custom Rules are rules that you can develop either with Guard (CUSTOM_POLICY) or Lambda (CUSTOM_LAMBDA). For more information, see Config Custom Rules in the Config developer guide.
Provides the CustomPolicyDetails, the rule owner (Amazon Web Services or customer), the rule\n\t\t\tidentifier, and the events that cause the evaluation of your Amazon Web Services\n\t\t\tresources.
" + "smithy.api#documentation": "Provides the CustomPolicyDetails, the rule owner (Amazon Web Services for managed rules, CUSTOM_POLICY for Custom Policy rules, and CUSTOM_LAMBDA for Custom Lambda rules), the rule\n\t\t\tidentifier, and the events that cause the evaluation of your Amazon Web Services\n\t\t\tresources.
Describes the default values that are used to create WorkSpaces. For more information,\n see Update Directory\n Details for Your WorkSpaces.
" } }, + "com.amazonaws.workspaces#DeletableSamlPropertiesList": { + "type": "list", + "member": { + "target": "com.amazonaws.workspaces#DeletableSamlProperty" + } + }, + "com.amazonaws.workspaces#DeletableSamlProperty": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "SAML_PROPERTIES_USER_ACCESS_URL", + "name": "SAML_PROPERTIES_USER_ACCESS_URL" + }, + { + "value": "SAML_PROPERTIES_RELAY_STATE_PARAMETER_NAME", + "name": "SAML_PROPERTIES_RELAY_STATE_PARAMETER_NAME" + } + ] + } + }, "com.amazonaws.workspaces#DeleteClientBranding": { "type": "operation", "input": { @@ -3999,6 +4020,60 @@ "type": "structure", "members": {} }, + "com.amazonaws.workspaces#ModifySamlProperties": { + "type": "operation", + "input": { + "target": "com.amazonaws.workspaces#ModifySamlPropertiesRequest" + }, + "output": { + "target": "com.amazonaws.workspaces#ModifySamlPropertiesResult" + }, + "errors": [ + { + "target": "com.amazonaws.workspaces#AccessDeniedException" + }, + { + "target": "com.amazonaws.workspaces#InvalidParameterValuesException" + }, + { + "target": "com.amazonaws.workspaces#OperationNotSupportedException" + }, + { + "target": "com.amazonaws.workspaces#ResourceNotFoundException" + } + ], + "traits": { + "smithy.api#documentation": "Modifies multiple properties related to SAML 2.0 authentication, including the enablement status, \n user access URL, and relay state parameter name that are used for configuring federation with an \n SAML 2.0 identity provider.
" + } + }, + "com.amazonaws.workspaces#ModifySamlPropertiesRequest": { + "type": "structure", + "members": { + "ResourceId": { + "target": "com.amazonaws.workspaces#DirectoryId", + "traits": { + "smithy.api#documentation": "The directory identifier for which you want to configure SAML properties.
", + "smithy.api#required": {} + } + }, + "SamlProperties": { + "target": "com.amazonaws.workspaces#SamlProperties", + "traits": { + "smithy.api#documentation": "The properties for configuring SAML 2.0 authentication.
" + } + }, + "PropertiesToDelete": { + "target": "com.amazonaws.workspaces#DeletableSamlPropertiesList", + "traits": { + "smithy.api#documentation": "The SAML properties to delete as part of your request.
\nSpecify one of the following options:
\n\n SAML_PROPERTIES_USER_ACCESS_URL to delete the user access URL.
\n SAML_PROPERTIES_RELAY_STATE_PARAMETER_NAME to delete the\n relay state parameter name.
Indicates the status of SAML 2.0 authentication. These statuses include the following.
\nIf the setting is DISABLED, end users will be directed to login with their directory credentials.
If the setting is ENABLED, end users will be directed to login via the user access URL. Users attempting \n to connect to WorkSpaces from a client application that does not support SAML 2.0 authentication will not be able to \n connect.
If the setting is ENABLED_WITH_DIRECTORY_LOGIN_FALLBACK, end users will be directed to login via the user \n access URL on supported client applications, but will not prevent clients that do not support SAML 2.0 authentication \n from connecting as if SAML 2.0 authentication was disabled.
The SAML 2.0 identity provider (IdP) user access URL is the URL a user would navigate to in their web browser in \n order to federate from the IdP and directly access the application, without any SAML 2.0 service provider (SP) \n bindings.
" + } + }, + "RelayStateParameterName": { + "target": "com.amazonaws.workspaces#NonEmptyString", + "traits": { + "smithy.api#documentation": "The relay state parameter name supported by the SAML 2.0 identity provider (IdP). When the end user is redirected to \n the user access URL from the WorkSpaces client application, this relay state parameter name is appended as a query \n parameter to the URL along with the relay state endpoint to return the user to the client application session.
\n \nTo use SAML 2.0 authentication with WorkSpaces, the IdP must support IdP-initiated deep linking for the relay state \n URL. Consult your IdP documentation for more information.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Describes the enablement status, user access URL, and relay state parameter name that \n are used for configuring federation with an SAML 2.0 identity provider.
" + } + }, + "com.amazonaws.workspaces#SamlStatusEnum": { + "type": "string", + "traits": { + "smithy.api#enum": [ + { + "value": "DISABLED", + "name": "DISABLED" + }, + { + "value": "ENABLED", + "name": "ENABLED" + }, + { + "value": "ENABLED_WITH_DIRECTORY_LOGIN_FALLBACK", + "name": "ENABLED_WITH_DIRECTORY_LOGIN_FALLBACK" + } + ] + } + }, + "com.amazonaws.workspaces#SamlUserAccessUrl": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 8, + "max": 200 + }, + "smithy.api#pattern": "^(http|https)\\://\\S+$" + } + }, "com.amazonaws.workspaces#SecurityGroupId": { "type": "string", "traits": { @@ -5937,6 +6067,12 @@ "traits": { "smithy.api#documentation": "The default self-service permissions for WorkSpaces in the directory.
" } + }, + "SamlProperties": { + "target": "com.amazonaws.workspaces#SamlProperties", + "traits": { + "smithy.api#documentation": "Describes the enablement status, user access URL, and relay state parameter name that are used for configuring \n federation with an SAML 2.0 identity provider.
" + } } }, "traits": { @@ -6582,6 +6718,9 @@ { "target": "com.amazonaws.workspaces#ModifyClientProperties" }, + { + "target": "com.amazonaws.workspaces#ModifySamlProperties" + }, { "target": "com.amazonaws.workspaces#ModifySelfservicePermissions" },