feat(client-securityhub): New fields have been added to the AWS Secur…

…ity Finding Format. Compliance.SecurityControlId is a unique identifier for a security control across standards. Compliance.AssociatedStandards contains all enabled standards in which a security control is enabled.
aws · Jan 31, 2023 · 51a6cc8 · 51a6cc8
1 parent 0865158
commit 51a6cc8
Show file tree

Hide file tree

Showing 7 changed files with 828 additions and 1,164 deletions.
diff --git a/clients/client-securityhub/src/commands/DescribeProductsCommand.ts b/clients/client-securityhub/src/commands/DescribeProductsCommand.ts
@@ -13,12 +13,8 @@ import {
   SerdeContext as __SerdeContext,
 } from "@aws-sdk/types";
 
-import {
-  DescribeProductsRequest,
-  DescribeProductsRequestFilterSensitiveLog,
-  DescribeProductsResponse,
-  DescribeProductsResponseFilterSensitiveLog,
-} from "../models/models_1";
+import { DescribeProductsRequest, DescribeProductsRequestFilterSensitiveLog } from "../models/models_1";
+import { DescribeProductsResponse, DescribeProductsResponseFilterSensitiveLog } from "../models/models_2";
 import {
   deserializeAws_restJson1DescribeProductsCommand,
   serializeAws_restJson1DescribeProductsCommand,

diff --git a/clients/client-securityhub/src/endpoint/ruleset.ts b/clients/client-securityhub/src/endpoint/ruleset.ts
@@ -25,5 +25,5 @@ m={[q]:"booleanEquals",[r]:[true,{[q]:"getAttr",[r]:[{[s]:d},"supportsFIPS"]}]},
 n={[q]:"booleanEquals",[r]:[true,{[q]:"getAttr",[r]:[{[s]:d},"supportsDualStack"]}]},
 o=[j],
 p=[k];
-const _data={version:"1.0",parameters:{Region:{required:a,type:c},UseDualStack:h,UseFIPS:h,Endpoint:{required:b,type:c}},rules:[{conditions:[{[q]:"aws.partition",[r]:[{[s]:"Region"}],assign:d}],type:e,rules:[{conditions:[{[q]:"isSet",[r]:[i]}],type:e,rules:[{conditions:o,error:"Invalid Configuration: FIPS and custom endpoint are not supported",type:f},{type:e,rules:[{conditions:p,error:"Invalid Configuration: Dualstack and custom endpoint are not supported",type:f},{endpoint:{url:i,properties:l,headers:l},type:g}]}]},{conditions:[j,k],type:e,rules:[{conditions:[m,n],type:e,rules:[{endpoint:{url:"https://securityhub-fips.{Region}.{PartitionResult#dualStackDnsSuffix}",properties:l,headers:l},type:g}]},{error:"FIPS and DualStack are enabled, but this partition does not support one or both",type:f}]},{conditions:o,type:e,rules:[{conditions:[m],type:e,rules:[{type:e,rules:[{endpoint:{url:"https://securityhub-fips.{Region}.{PartitionResult#dnsSuffix}",properties:l,headers:l},type:g}]}]},{error:"FIPS is enabled but this partition does not support FIPS",type:f}]},{conditions:p,type:e,rules:[{conditions:[n],type:e,rules:[{endpoint:{url:"https://securityhub.{Region}.{PartitionResult#dualStackDnsSuffix}",properties:l,headers:l},type:g}]},{error:"DualStack is enabled but this partition does not support DualStack",type:f}]},{endpoint:{url:"https://securityhub.{Region}.{PartitionResult#dnsSuffix}",properties:l,headers:l},type:g}]}]};
+const _data={version:"1.0",parameters:{Region:{required:a,type:c},UseDualStack:h,UseFIPS:h,Endpoint:{required:b,type:c}},rules:[{conditions:[{[q]:"aws.partition",[r]:[{[s]:"Region"}],assign:d}],type:e,rules:[{conditions:[{[q]:"isSet",[r]:[i]}],type:e,rules:[{conditions:o,error:"Invalid Configuration: FIPS and custom endpoint are not supported",type:f},{type:e,rules:[{conditions:p,error:"Invalid Configuration: Dualstack and custom endpoint are not supported",type:f},{endpoint:{url:i,properties:l,headers:l},type:g}]}]},{conditions:[j,k],type:e,rules:[{conditions:[m,n],type:e,rules:[{type:e,rules:[{endpoint:{url:"https://securityhub-fips.{Region}.{PartitionResult#dualStackDnsSuffix}",properties:l,headers:l},type:g}]}]},{error:"FIPS and DualStack are enabled, but this partition does not support one or both",type:f}]},{conditions:o,type:e,rules:[{conditions:[m],type:e,rules:[{type:e,rules:[{endpoint:{url:"https://securityhub-fips.{Region}.{PartitionResult#dnsSuffix}",properties:l,headers:l},type:g}]}]},{error:"FIPS is enabled but this partition does not support FIPS",type:f}]},{conditions:p,type:e,rules:[{conditions:[n],type:e,rules:[{type:e,rules:[{endpoint:{url:"https://securityhub.{Region}.{PartitionResult#dualStackDnsSuffix}",properties:l,headers:l},type:g}]}]},{error:"DualStack is enabled but this partition does not support DualStack",type:f}]},{type:e,rules:[{endpoint:{url:"https://securityhub.{Region}.{PartitionResult#dnsSuffix}",properties:l,headers:l},type:g}]}]}]};
 export const ruleSet: RuleSetObject = _data;
diff --git a/clients/client-securityhub/src/models/models_0.ts b/clients/client-securityhub/src/models/models_0.ts
@@ -613,6 +613,20 @@ export interface AdminAccount {
   Status?: AdminStatus | string;
 }
 
+/**
+ * <p>
+ *          Information about an enabled security standard in which a security control is enabled.
+ *       </p>
+ */
+export interface AssociatedStandard {
+  /**
+   * <p>The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the
+   *          Amazon Resource Name (ARN) returned for a standard in the <a href="https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html">DescribeStandards</a> API response.
+   *       </p>
+   */
+  StandardsId?: string;
+}
+
 export enum AutoEnableStandards {
   DEFAULT = "DEFAULT",
   NONE = "NONE",
@@ -10285,44 +10299,6 @@ export interface AwsIamGroupPolicy {
   PolicyName?: string;
 }
 
-/**
- * <p>Contains details about an IAM group.</p>
- */
-export interface AwsIamGroupDetails {
-  /**
-   * <p>A list of the managed policies that are attached to the IAM group.</p>
-   */
-  AttachedManagedPolicies?: AwsIamAttachedManagedPolicy[];
-
-  /**
-   * <p>Indicates when the IAM group was created.</p>
-   *          <p>Uses the <code>date-time</code> format specified in <a href="https://tools.ietf.org/html/rfc3339#section-5.6">RFC 3339 section 5.6, Internet
-   *             Date/Time Format</a>. The value cannot contain spaces. For example,
-   *             <code>2020-03-22T13:22:13.933Z</code>.</p>
-   */
-  CreateDate?: string;
-
-  /**
-   * <p>The identifier of the IAM group.</p>
-   */
-  GroupId?: string;
-
-  /**
-   * <p>The name of the IAM group.</p>
-   */
-  GroupName?: string;
-
-  /**
-   * <p>The list of inline policies that are embedded in the group.</p>
-   */
-  GroupPolicyList?: AwsIamGroupPolicy[];
-
-  /**
-   * <p>The path to the group.</p>
-   */
-  Path?: string;
-}
-
 /**
  * @internal
  */
@@ -10488,6 +10464,13 @@ export const AdminAccountFilterSensitiveLog = (obj: AdminAccount): any => ({
   ...obj,
 });
 
+/**
+ * @internal
+ */
+export const AssociatedStandardFilterSensitiveLog = (obj: AssociatedStandard): any => ({
+  ...obj,
+});
+
 /**
  * @internal
  */
@@ -12686,10 +12669,3 @@ export const AwsIamAttachedManagedPolicyFilterSensitiveLog = (obj: AwsIamAttache
 export const AwsIamGroupPolicyFilterSensitiveLog = (obj: AwsIamGroupPolicy): any => ({
   ...obj,
 });
-
-/**
- * @internal
- */
-export const AwsIamGroupDetailsFilterSensitiveLog = (obj: AwsIamGroupDetails): any => ({
-  ...obj,
-});
diff --git a/clients/client-securityhub/src/models/models_1.ts b/clients/client-securityhub/src/models/models_1.ts
@@ -6,6 +6,7 @@ import {
   Action,
   ActionTarget,
   Adjustment,
+  AssociatedStandard,
   AutoEnableStandards,
   AwsApiGatewayRestApiDetails,
   AwsApiGatewayStageDetails,
@@ -51,10 +52,48 @@ import {
   AwsElbv2LoadBalancerDetails,
   AwsIamAccessKeyDetails,
   AwsIamAttachedManagedPolicy,
-  AwsIamGroupDetails,
+  AwsIamGroupPolicy,
 } from "./models_0";
 import { SecurityHubServiceException as __BaseException } from "./SecurityHubServiceException";
 
+/**
+ * <p>Contains details about an IAM group.</p>
+ */
+export interface AwsIamGroupDetails {
+  /**
+   * <p>A list of the managed policies that are attached to the IAM group.</p>
+   */
+  AttachedManagedPolicies?: AwsIamAttachedManagedPolicy[];
+
+  /**
+   * <p>Indicates when the IAM group was created.</p>
+   *          <p>Uses the <code>date-time</code> format specified in <a href="https://tools.ietf.org/html/rfc3339#section-5.6">RFC 3339 section 5.6, Internet
+   *             Date/Time Format</a>. The value cannot contain spaces. For example,
+   *             <code>2020-03-22T13:22:13.933Z</code>.</p>
+   */
+  CreateDate?: string;
+
+  /**
+   * <p>The identifier of the IAM group.</p>
+   */
+  GroupId?: string;
+
+  /**
+   * <p>The name of the IAM group.</p>
+   */
+  GroupName?: string;
+
+  /**
+   * <p>The list of inline policies that are embedded in the group.</p>
+   */
+  GroupPolicyList?: AwsIamGroupPolicy[];
+
+  /**
+   * <p>The path to the group.</p>
+   */
+  Path?: string;
+}
+
 /**
  * <p>Information about a role associated with an instance profile.</p>
  */
@@ -4568,15 +4607,15 @@ export interface AwsSageMakerNotebookInstanceDetails {
 
   /**
    * <p>
-   *          An array of up to three Git repositories associated with the notebook instance. These can be either the names of Git repositories stored as resources in your account, or the URL of Git repositories in <a href="https://docs.aws.amazon.com/codecommit/latest/userguide/welcome.html">AWS CodeCommit</a> or in any other Git repository.
+   *          An array of up to three Git repositories associated with the notebook instance. These can be either the names of Git repositories stored as resources in your account, or the URL of Git repositories in <a href="https://docs.aws.amazon.com/codecommit/latest/userguide/welcome.html">CodeCommit</a> or in any other Git repository.
    *          These repositories are cloned at the same level as the default repository of your notebook instance. For more information, see <a href="https://docs.aws.amazon.com/sagemaker/latest/dg/nbi-git-repo.html">Associating Git repositories with SageMaker notebook instances</a> in the <i>Amazon SageMaker Developer Guide</i>.
    *       </p>
    */
   AdditionalCodeRepositories?: string[];
 
   /**
    * <p>
-   *          The Git repository associated with the notebook instance as its default code repository. This can be either the name of a Git repository stored as a resource in your account, or the URL of a Git repository in <a href="https://docs.aws.amazon.com/codecommit/latest/userguide/welcome.html">AWS CodeCommit</a> or in any other Git repository.
+   *          The Git repository associated with the notebook instance as its default code repository. This can be either the name of a Git repository stored as a resource in your account, or the URL of a Git repository in <a href="https://docs.aws.amazon.com/codecommit/latest/userguide/welcome.html">CodeCommit</a> or in any other Git repository.
    *          When you open a notebook instance, it opens in the directory that contains this repository. For more information, see <a href="https://docs.aws.amazon.com/sagemaker/latest/dg/nbi-git-repo.html">Associating Git repositories with SageMaker notebook instances</a> in the <i>Amazon SageMaker Developer Guide</i>.
    *       </p>
    */
@@ -4836,6 +4875,20 @@ export interface Compliance {
    *             <i>Security Hub User Guide</i>. </p>
    */
   StatusReasons?: StatusReason[];
+
+  /**
+   * <p>
+   *          The unique identifier of a control across standards. Values for this field typically consist of an
+   *          Amazon Web Service and a number, such as APIGateway.5.
+   *       </p>
+   */
+  SecurityControlId?: string;
+
+  /**
+   * <p>The enabled security standards in which a security control is currently enabled.
+   *       </p>
+   */
+  AssociatedStandards?: AssociatedStandard[];
 }
 
 /**
@@ -6565,7 +6618,7 @@ export interface AwsWafv2VisibilityConfigDetails {
 
 /**
  * <p>
- *          Provides details about rules in a rule group. A rule identifies web requests that you want to allow, block, or count. Each rule includes one top-level Statement that AWS WAF uses to identify matching web requests, and parameters that govern how AWS WAF handles them.
+ *          Provides details about rules in a rule group. A rule identifies web requests that you want to allow, block, or count. Each rule includes one top-level Statement that WAF uses to identify matching web requests, and parameters that govern how WAF handles them.
  *       </p>
  */
 export interface AwsWafv2RulesDetails {
@@ -9134,6 +9187,22 @@ export interface AwsSecurityFindingFilters {
    * <p>Indicates whether or not sample findings are included in the filter results.</p>
    */
   Sample?: BooleanFilter[];
+
+  /**
+   * <p>
+   *          The unique identifier of a control across standards. Values for this field typically consist of an
+   *          Amazon Web Service and a number, such as APIGateway.5.
+   *       </p>
+   */
+  ComplianceSecurityControlId?: StringFilter[];
+
+  /**
+   * <p>
+   *          The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the
+   *          Amazon Resource Name (ARN) returned for a standard in the <a href="https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html">DescribeStandards</a> API response.
+   *       </p>
+   */
+  ComplianceAssociatedStandardsId?: StringFilter[];
 }
 
 /**
@@ -10083,17 +10152,12 @@ export interface Product {
   ProductSubscriptionResourcePolicy?: string;
 }
 
-export interface DescribeProductsResponse {
-  /**
-   * <p>A list of products, including details for each product.</p>
-   */
-  Products: Product[] | undefined;
-
-  /**
-   * <p>The pagination token to use to request the next page of results.</p>
-   */
-  NextToken?: string;
-}
+/**
+ * @internal
+ */
+export const AwsIamGroupDetailsFilterSensitiveLog = (obj: AwsIamGroupDetails): any => ({
+  ...obj,
+});
 
 /**
  * @internal
@@ -12191,10 +12255,3 @@ export const DescribeProductsRequestFilterSensitiveLog = (obj: DescribeProductsR
 export const ProductFilterSensitiveLog = (obj: Product): any => ({
   ...obj,
 });
-
-/**
- * @internal
- */
-export const DescribeProductsResponseFilterSensitiveLog = (obj: DescribeProductsResponse): any => ({
-  ...obj,
-});
diff --git a/clients/client-securityhub/src/models/models_2.ts b/clients/client-securityhub/src/models/models_2.ts
@@ -5,11 +5,24 @@ import {
   AwsSecurityFindingFilters,
   ControlStatus,
   NoteUpdate,
+  Product,
   RecordState,
   Result,
   StandardsSubscription,
 } from "./models_1";
 
+export interface DescribeProductsResponse {
+  /**
+   * <p>A list of products, including details for each product.</p>
+   */
+  Products: Product[] | undefined;
+
+  /**
+   * <p>The pagination token to use to request the next page of results.</p>
+   */
+  NextToken?: string;
+}
+
 export interface DescribeStandardsRequest {
   /**
    * <p>The token that is required for pagination. On your first call to the
@@ -623,38 +636,38 @@ export interface Member {
    *          <ul>
    *             <li>
    *                <p>
-   *                   <code>CREATED</code> - Indicates that the administrator account added the member account,
+   *                   <code>Created</code> - Indicates that the administrator account added the member account,
    *                but has not yet invited the member account.</p>
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>INVITED</code> - Indicates that the administrator account invited the member
+   *                   <code>Invited</code> - Indicates that the administrator account invited the member
    *                account. The member account has not yet responded to the invitation.</p>
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>ENABLED</code> - Indicates that the member account is currently active. For
+   *                   <code>Enabled</code> - Indicates that the member account is currently active. For
    *                manually invited member accounts, indicates that the member account accepted the
    *                invitation.</p>
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>REMOVED</code> - Indicates that the administrator account disassociated the member
+   *                   <code>Removed</code> - Indicates that the administrator account disassociated the member
    *                account.</p>
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>RESIGNED</code> - Indicates that the member account disassociated themselves
+   *                   <code>Resigned</code> - Indicates that the member account disassociated themselves
    *                from the administrator account.</p>
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>DELETED</code> - Indicates that the administrator account deleted the member
+   *                   <code>Deleted</code> - Indicates that the administrator account deleted the member
    *                account.</p>
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>ACCOUNT_SUSPENDED</code> - Indicates that an organization account was suspended from Amazon Web Services at the same time that the administrator account tried to enable the organization account as a member account.</p>
+   *                   <code>AccountSuspended</code> - Indicates that an organization account was suspended from Amazon Web Services at the same time that the administrator account tried to enable the organization account as a member account.</p>
    *             </li>
    *          </ul>
    */
@@ -1063,6 +1076,13 @@ export interface UpdateStandardsControlRequest {
 
 export interface UpdateStandardsControlResponse {}
 
+/**
+ * @internal
+ */
+export const DescribeProductsResponseFilterSensitiveLog = (obj: DescribeProductsResponse): any => ({
+  ...obj,
+});
+
 /**
  * @internal
  */