diff --git a/.changes/1.35.3.json b/.changes/1.35.3.json
new file mode 100644
index 0000000000..5b7b857e0c
--- /dev/null
+++ b/.changes/1.35.3.json
@@ -0,0 +1,37 @@
+[
+ {
+ "category": "``codestar``",
+ "description": "The codestar client has been removed following the deprecation of the service on July 31, 2024.",
+ "type": "api-change"
+ },
+ {
+ "category": "``ec2``",
+ "description": "DescribeInstanceStatus now returns health information on EBS volumes attached to Nitro instances",
+ "type": "api-change"
+ },
+ {
+ "category": "``entityresolution``",
+ "description": "Increase the mapping attributes in Schema to 35.",
+ "type": "api-change"
+ },
+ {
+ "category": "``glue``",
+ "description": "Add optional field JobRunQueuingEnabled to CreateJob and UpdateJob APIs.",
+ "type": "api-change"
+ },
+ {
+ "category": "``lambda``",
+ "description": "Release FilterCriteria encryption for Lambda EventSourceMapping, enabling customers to encrypt their filter criteria using a customer-owned KMS key.",
+ "type": "api-change"
+ },
+ {
+ "category": "``securityhub``",
+ "description": "Security Hub documentation and definition updates",
+ "type": "api-change"
+ },
+ {
+ "category": "``ses``",
+ "description": "Enable email receiving customers to provide SES with access to their S3 buckets via an IAM role for \"Deliver to S3 Action\"",
+ "type": "api-change"
+ }
+]
\ No newline at end of file
diff --git a/.changes/next-release/api-change-codestar-90506.json b/.changes/next-release/api-change-codestar-90506.json
deleted file mode 100644
index b37d254d99..0000000000
--- a/.changes/next-release/api-change-codestar-90506.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "type": "api-change",
- "category": "``codestar``",
- "description": "The codestar client has been removed following the deprecation of the service on July 31, 2024."
-}
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index f4c6e85b37..a8c90c9573 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -2,6 +2,18 @@ CHANGELOG ========= +1.35.3 +====== + +* api-change:``codestar``: The codestar client has been removed following the deprecation of the service on July 31, 2024. +* api-change:``ec2``: DescribeInstanceStatus now returns health information on EBS volumes attached to Nitro instances +* api-change:``entityresolution``: Increase the mapping attributes in Schema to 35. +* api-change:``glue``: Add optional field JobRunQueuingEnabled to CreateJob and UpdateJob APIs. +* api-change:``lambda``: Release FilterCriteria encryption for Lambda EventSourceMapping, enabling customers to encrypt their filter criteria using a customer-owned KMS key. +* api-change:``securityhub``: Security Hub documentation and definition updates +* api-change:``ses``: Enable email receiving customers to provide SES with access to their S3 buckets via an IAM role for "Deliver to S3 Action" + + 1.35.2 ====== diff --git a/botocore/__init__.py b/botocore/__init__.py index 5ea9463525..c5ecff85cd 100644 --- a/botocore/__init__.py +++ b/botocore/__init__.py @@ -16,7 +16,7 @@ import os import re -__version__ = '1.35.2' +__version__ = '1.35.3' class NullHandler(logging.Handler): diff --git a/botocore/data/ec2/2016-11-15/service-2.json b/botocore/data/ec2/2016-11-15/service-2.json index 819978feaa..07421bb26e 100644 --- a/botocore/data/ec2/2016-11-15/service-2.json +++ b/botocore/data/ec2/2016-11-15/service-2.json @@ -548,7 +548,7 @@ }, "input":{"shape":"CopyImageRequest"}, "output":{"shape":"CopyImageResult"}, - "documentation":"

Initiates the copy of an AMI. You can copy an AMI from one Region to another, or from a Region to an Outpost. You can't copy an AMI from an Outpost to a Region, from one Outpost to another, or within the same Outpost. To copy an AMI to another partition, see CreateStoreImageTask.

To copy an AMI from one Region to another, specify the source Region using the SourceRegion parameter, and specify the destination Region using its endpoint. Copies of encrypted backing snapshots for the AMI are encrypted. Copies of unencrypted backing snapshots remain unencrypted, unless you set Encrypted during the copy operation. You cannot create an unencrypted copy of an encrypted backing snapshot.

To copy an AMI from a Region to an Outpost, specify the source Region using the SourceRegion parameter, and specify the ARN of the destination Outpost using DestinationOutpostArn. Backing snapshots copied to an Outpost are encrypted by default using the default encryption key for the Region, or a different key that you specify in the request using KmsKeyId. Outposts do not support unencrypted snapshots. For more information, Amazon EBS local snapshots on Outposts in the Amazon EBS User Guide.

For more information about the prerequisites and limits when copying an AMI, see Copy an AMI in the Amazon EC2 User Guide.

" + "documentation":"

Initiates an AMI copy operation. You can copy an AMI from one Region to another, or from a Region to an Outpost. You can't copy an AMI from an Outpost to a Region, from one Outpost to another, or within the same Outpost. To copy an AMI to another partition, see CreateStoreImageTask.

When you copy an AMI from one Region to another, the destination Region is the current Region.

When you copy an AMI from a Region to an Outpost, specify the ARN of the Outpost as the destination. Backing snapshots copied to an Outpost are encrypted by default using the default encryption key for the Region or the key that you specify. Outposts do not support unencrypted snapshots.

For information about the prerequisites when copying an AMI, see Copy an AMI in the Amazon EC2 User Guide.

" }, "CopySnapshot":{ "name":"CopySnapshot", @@ -1805,7 +1805,7 @@ "requestUri":"/" }, "input":{"shape":"DeleteSecurityGroupRequest"}, - "documentation":"

Deletes a security group.

If you attempt to delete a security group that is associated with an instance or network interface or is referenced by another security group, the operation fails with DependencyViolation.

" + "documentation":"

Deletes a security group.

If you attempt to delete a security group that is associated with an instance or network interface or is referenced by another security group in the same VPC, the operation fails with DependencyViolation.

" }, "DeleteSnapshot":{ "name":"DeleteSnapshot", @@ -3325,7 +3325,7 @@ }, "input":{"shape":"DescribeStaleSecurityGroupsRequest"}, "output":{"shape":"DescribeStaleSecurityGroupsResult"}, - "documentation":"

Describes the stale security group rules for security groups in a specified VPC. Rules are stale when they reference a deleted security group in the same VPC or peered VPC. Rules can also be stale if they reference a security group in a peer VPC for which the VPC peering connection has been deleted.

" + "documentation":"

Describes the stale security group rules for security groups in a specified VPC. Rules are stale when they reference a deleted security group in a peered VPC. Rules can also be stale if they reference a security group in a peer VPC for which the VPC peering connection has been deleted.

" }, "DescribeStoreImageTasks":{ "name":"DescribeStoreImageTasks", @@ -3902,7 +3902,7 @@ }, "input":{"shape":"DisableSnapshotBlockPublicAccessRequest"}, "output":{"shape":"DisableSnapshotBlockPublicAccessResult"}, - "documentation":"

Disables the block public access for snapshots setting at the account level for the specified Amazon Web Services Region. After you disable block public access for snapshots in a Region, users can publicly share snapshots in that Region.

If block public access is enabled in block-all-sharing mode, and you disable block public access, all snapshots that were previously publicly shared are no longer treated as private and they become publicly accessible again.

For more information, see Block public access for snapshots in the Amazon EBS User Guide .

" + "documentation":"

Disables the block public access for snapshots setting at the account level for the specified Amazon Web Services Region. After you disable block public access for snapshots in a Region, users can publicly share snapshots in that Region.

Enabling block public access for snapshots in block-all-sharing mode does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from be publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available.

If you disable block public access , these snapshots will become publicly available again.

For more information, see Block public access for snapshots in the Amazon EBS User Guide .

" }, "DisableTransitGatewayRouteTablePropagation":{ "name":"DisableTransitGatewayRouteTablePropagation", @@ -4219,7 +4219,7 @@ }, "input":{"shape":"EnableSnapshotBlockPublicAccessRequest"}, "output":{"shape":"EnableSnapshotBlockPublicAccessResult"}, - "documentation":"

Enables or modifies the block public access for snapshots setting at the account level for the specified Amazon Web Services Region. After you enable block public access for snapshots in a Region, users can no longer request public sharing for snapshots in that Region. Snapshots that are already publicly shared are either treated as private or they remain publicly shared, depending on the State that you specify.

If block public access is enabled in block-all-sharing mode, and you change the mode to block-new-sharing, all snapshots that were previously publicly shared are no longer treated as private and they become publicly accessible again.

For more information, see Block public access for snapshots in the Amazon EBS User Guide.

" + "documentation":"

Enables or modifies the block public access for snapshots setting at the account level for the specified Amazon Web Services Region. After you enable block public access for snapshots in a Region, users can no longer request public sharing for snapshots in that Region. Snapshots that are already publicly shared are either treated as private or they remain publicly shared, depending on the State that you specify.

Enabling block public access for snapshots in block all sharing mode does not change the permissions for snapshots that are already publicly shared. Instead, it prevents these snapshots from be publicly visible and publicly accessible. Therefore, the attributes for these snapshots still indicate that they are publicly shared, even though they are not publicly available.

If you later disable block public access or change the mode to block new sharing, these snapshots will become publicly available again.

For more information, see Block public access for snapshots in the Amazon EBS User Guide.

" }, "EnableTransitGatewayRouteTablePropagation":{ "name":"EnableTransitGatewayRouteTablePropagation", @@ -11956,7 +11956,7 @@ }, "Encrypted":{ "shape":"Boolean", - "documentation":"

Specifies whether the destination snapshots of the copied image should be encrypted. You can encrypt a copy of an unencrypted snapshot, but you cannot create an unencrypted copy of an encrypted snapshot. The default KMS key for Amazon EBS is used unless you specify a non-default Key Management Service (KMS) KMS key using KmsKeyId. For more information, see Amazon EBS encryption in the Amazon EBS User Guide.

", + "documentation":"

Specifies whether the destination snapshots of the copied image should be encrypted. You can encrypt a copy of an unencrypted snapshot, but you cannot create an unencrypted copy of an encrypted snapshot. The default KMS key for Amazon EBS is used unless you specify a non-default Key Management Service (KMS) KMS key using KmsKeyId. For more information, see Use encryption with EBS-backed AMIs in the Amazon EC2 User Guide.

", "locationName":"encrypted" }, "KmsKeyId":{ @@ -16644,7 +16644,7 @@ }, "Metric":{ "shape":"MetricType", - "documentation":"

The metric, aggregation-latency, indicating that network latency is aggregated for the query. This is the only supported metric.

" + "documentation":"

The metric used for the network performance request.

" }, "Statistic":{ "shape":"StatisticType", @@ -16677,7 +16677,7 @@ }, "Metric":{ "shape":"MetricType", - "documentation":"

The metric used for the network performance request. Only aggregate-latency is supported, which shows network latency during a specified period.

", + "documentation":"

The metric used for the network performance request.

", "locationName":"metric" }, "Statistic":{ @@ -21228,7 +21228,7 @@ "members":{ "Filters":{ "shape":"FilterList", - "documentation":"

The filters.

", + "documentation":"

The filters.

", "locationName":"Filter" }, "InstanceIds":{ @@ -27567,6 +27567,50 @@ "default" ] }, + "EbsStatusDetails":{ + "type":"structure", + "members":{ + "ImpairedSince":{ + "shape":"MillisecondDateTime", + "documentation":"

The date and time when the attached EBS status check failed.

", + "locationName":"impairedSince" + }, + "Name":{ + "shape":"StatusName", + "documentation":"

The name of the attached EBS status check.

", + "locationName":"name" + }, + "Status":{ + "shape":"StatusType", + "documentation":"

The result of the attached EBS status check.

", + "locationName":"status" + } + }, + "documentation":"

Describes the attached EBS status check for an instance.

" + }, + "EbsStatusDetailsList":{ + "type":"list", + "member":{ + "shape":"EbsStatusDetails", + "locationName":"item" + } + }, + "EbsStatusSummary":{ + "type":"structure", + "members":{ + "Details":{ + "shape":"EbsStatusDetailsList", + "documentation":"

Details about the attached EBS status check for an instance.

", + "locationName":"details" + }, + "Status":{ + "shape":"SummaryStatus", + "documentation":"

The current status.

", + "locationName":"status" + } + }, + "documentation":"

Provides a summary of the attached EBS volume status for an instance.

" + }, "Ec2InstanceConnectEndpoint":{ "type":"structure", "members":{ @@ -28512,7 +28556,7 @@ "members":{ "State":{ "shape":"SnapshotBlockPublicAccessState", - "documentation":"

The mode in which to enable block public access for snapshots for the Region. Specify one of the following values:

unblocked is not a valid value for EnableSnapshotBlockPublicAccess.

" + "documentation":"

The mode in which to enable block public access for snapshots for the Region. Specify one of the following values:

unblocked is not a valid value for EnableSnapshotBlockPublicAccess.

" }, "DryRun":{ "shape":"Boolean", @@ -36417,6 +36461,11 @@ "shape":"InstanceStatusSummary", "documentation":"

Reports impaired functionality that stems from issues related to the systems that support an instance, such as hardware failures and network connectivity problems.

", "locationName":"systemStatus" + }, + "AttachedEbsStatus":{ + "shape":"EbsStatusSummary", + "documentation":"

Reports impaired functionality that stems from an attached Amazon EBS volume that is unreachable and unable to complete I/O operations.

", + "locationName":"attachedEbsStatus" } }, "documentation":"

Describes the status of an instance.

" @@ -43874,7 +43923,7 @@ }, "EnableDns64":{ "shape":"AttributeBooleanValue", - "documentation":"

Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations.

" + "documentation":"

Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations.

You must first configure a NAT gateway in a public subnet (separate from the subnet containing the IPv6-only workloads). For example, the subnet containing the NAT gateway should have a 0.0.0.0/0 route pointing to the internet gateway. For more information, see Configure DNS64 and NAT64 in the Amazon VPC User Guide.

" }, "PrivateDnsHostnameTypeOnLaunch":{ "shape":"HostnameType", @@ -44095,7 +44144,7 @@ }, "AmazonSideAsn":{ "shape":"Long", - "documentation":"

A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs.

The modify ASN operation is not allowed on a transit gateway with active BGP sessions. You must first delete all transit gateway attachments that have BGP configured prior to modifying the ASN on the transit gateway.

" + "documentation":"

A private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs.

The modify ASN operation is not allowed on a transit gateway if it has the following attachments:

You must first delete all transit gateway attachments configured prior to modifying the ASN on the transit gateway.

" } }, "documentation":"

The transit gateway options.

" @@ -50154,7 +50203,7 @@ }, "ImageId":{ "shape":"ImageId", - "documentation":"

The ID of the AMI in the format ami-17characters00000.

Alternatively, you can specify a Systems Manager parameter, using one of the following formats. The Systems Manager parameter will resolve to an AMI ID on launch.

To reference a public parameter:

To reference a parameter stored in the same account:

To reference a parameter shared from another Amazon Web Services account:

For more information, see Use a Systems Manager parameter instead of an AMI ID in the Amazon EC2 User Guide.

If the launch template will be used for an EC2 Fleet or Spot Fleet, note the following:

" + "documentation":"

The ID of the AMI in the format ami-0ac394d6a3example.

Alternatively, you can specify a Systems Manager parameter, using one of the following formats. The Systems Manager parameter will resolve to an AMI ID on launch.

To reference a public parameter:

To reference a parameter stored in the same account:

To reference a parameter shared from another Amazon Web Services account:

For more information, see Use a Systems Manager parameter instead of an AMI ID in the Amazon EC2 User Guide.

If the launch template will be used for an EC2 Fleet or Spot Fleet, note the following:

" }, "InstanceType":{ "shape":"InstanceType", diff --git a/botocore/data/endpoints.json b/botocore/data/endpoints.json index ca51261303..81c0f2e556 100644 --- a/botocore/data/endpoints.json +++ b/botocore/data/endpoints.json @@ -29928,4 +29928,4 @@ "services" : { } } ], "version" : 3 -} +} \ No newline at end of file diff --git a/botocore/data/entityresolution/2018-05-10/service-2.json b/botocore/data/entityresolution/2018-05-10/service-2.json index 636189ff5b..0d5bb60a8a 100644 --- a/botocore/data/entityresolution/2018-05-10/service-2.json +++ b/botocore/data/entityresolution/2018-05-10/service-2.json @@ -3335,7 +3335,7 @@ "SchemaInputAttributes":{ "type":"list", "member":{"shape":"SchemaInputAttribute"}, - "max":25, + "max":35, "min":2 }, "SchemaList":{ diff --git a/botocore/data/glue/2017-03-31/service-2.json b/botocore/data/glue/2017-03-31/service-2.json index e84d55f7f1..74b9922f8f 100644 --- a/botocore/data/glue/2017-03-31/service-2.json +++ b/botocore/data/glue/2017-03-31/service-2.json @@ -7777,6 +7777,10 @@ "shape":"JobMode", "documentation":"

A mode that describes how a job was created. Valid values are:

When the JobMode field is missing or null, SCRIPT is assigned as the default value.

" }, + "JobRunQueuingEnabled":{ + "shape":"NullableBoolean", + "documentation":"

Specifies whether job run queuing is enabled for the job runs for this job.

A value of true means job run queuing is enabled for the job runs. If false or not populated, the job runs will not be considered for queueing.

If this field does not match the value set in the job run, then the value from the job run field will be used.

" + }, "Description":{ "shape":"DescriptionString", "documentation":"

Description of the job being defined.

" @@ -14664,6 +14668,10 @@ "shape":"JobMode", "documentation":"

A mode that describes how a job was created. Valid values are:

When the JobMode field is missing or null, SCRIPT is assigned as the default value.

" }, + "JobRunQueuingEnabled":{ + "shape":"NullableBoolean", + "documentation":"

Specifies whether job run queuing is enabled for the job runs for this job.

A value of true means job run queuing is enabled for the job runs. If false or not populated, the job runs will not be considered for queueing.

If this field does not match the value set in the job run, then the value from the job run field will be used.

" + }, "Description":{ "shape":"DescriptionString", "documentation":"

A description of the job.

" @@ -14896,6 +14904,10 @@ "shape":"JobMode", "documentation":"

A mode that describes how a job was created. Valid values are:

When the JobMode field is missing or null, SCRIPT is assigned as the default value.

" }, + "JobRunQueuingEnabled":{ + "shape":"NullableBoolean", + "documentation":"

Specifies whether job run queuing is enabled for the job run.

A value of true means job run queuing is enabled for the job run. If false or not populated, the job run will not be considered for queueing.

" + }, "StartedOn":{ "shape":"TimestampValue", "documentation":"

The date and time at which this job run was started.

" @@ -14981,6 +14993,10 @@ "ProfileName":{ "shape":"NameString", "documentation":"

The name of an Glue usage profile associated with the job run.

" + }, + "StateDetail":{ + "shape":"OrchestrationMessageString", + "documentation":"

This field holds details that pertain to the state of a job run. The field is nullable.

For example, when a job run is in a WAITING state as a result of job run queuing, the field has the reason why the job run is in that state.

" } }, "documentation":"

Contains information about a job run.

" @@ -15011,6 +15027,10 @@ "shape":"JobMode", "documentation":"

A mode that describes how a job was created. Valid values are:

When the JobMode field is missing or null, SCRIPT is assigned as the default value.

" }, + "JobRunQueuingEnabled":{ + "shape":"NullableBoolean", + "documentation":"

Specifies whether job run queuing is enabled for the job runs for this job.

A value of true means job run queuing is enabled for the job runs. If false or not populated, the job runs will not be considered for queueing.

If this field does not match the value set in the job run, then the value from the job run field will be used.

" + }, "Description":{ "shape":"DescriptionString", "documentation":"

Description of the job being defined.

" @@ -17195,6 +17215,10 @@ "min":1, "pattern":"arn:aws[^:]*:iam::[0-9]*:role/.+" }, + "OrchestrationMessageString":{ + "type":"string", + "max":400000 + }, "OrchestrationNameString":{ "type":"string", "max":128, @@ -20671,6 +20695,10 @@ "shape":"NameString", "documentation":"

The name of the job definition to use.

" }, + "JobRunQueuingEnabled":{ + "shape":"NullableBoolean", + "documentation":"

Specifies whether job run queuing is enabled for the job run.

A value of true means job run queuing is enabled for the job run. If false or not populated, the job run will not be considered for queueing.

" + }, "JobRunId":{ "shape":"IdString", "documentation":"

The ID of a previous JobRun to retry.

" diff --git a/botocore/data/lambda/2015-03-31/service-2.json b/botocore/data/lambda/2015-03-31/service-2.json index a12d71c2df..220b75af1f 100644 --- a/botocore/data/lambda/2015-03-31/service-2.json +++ b/botocore/data/lambda/2015-03-31/service-2.json @@ -50,7 +50,7 @@ {"shape":"TooManyRequestsException"}, {"shape":"PreconditionFailedException"} ], - "documentation":"

Grants an Amazon Web Service, Amazon Web Services account, or Amazon Web Services organization permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function. Note: Lambda does not support adding policies to version $LATEST.

To grant permission to another account, specify the account ID as the Principal. To grant permission to an organization defined in Organizations, specify the organization ID as the PrincipalOrgID. For Amazon Web Services, the principal is a domain-style identifier that the service defines, such as s3.amazonaws.com or sns.amazonaws.com. For Amazon Web Services, you can also specify the ARN of the associated resource as the SourceArn. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function.

This operation adds a statement to a resource-based permissions policy for the function. For more information about function policies, see Using resource-based policies for Lambda.

" + "documentation":"

Grants an Amazon Web Servicesservice, Amazon Web Services account, or Amazon Web Services organization permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function. Note: Lambda does not support adding policies to version $LATEST.

To grant permission to another account, specify the account ID as the Principal. To grant permission to an organization defined in Organizations, specify the organization ID as the PrincipalOrgID. For Amazon Web Servicesservices, the principal is a domain-style identifier that the service defines, such as s3.amazonaws.com or sns.amazonaws.com. For Amazon Web Servicesservices, you can also specify the ARN of the associated resource as the SourceArn. If you grant permission to a service principal without specifying the source, other accounts could potentially configure resources in their account to invoke your Lambda function.

This operation adds a statement to a resource-based permissions policy for the function. For more information about function policies, see Using resource-based policies for Lambda.

" }, "CreateAlias":{ "name":"CreateAlias", @@ -123,7 +123,7 @@ {"shape":"InvalidCodeSignatureException"}, {"shape":"CodeSigningConfigNotFoundException"} ], - "documentation":"

Creates a Lambda function. To create a function, you need a deployment package and an execution role. The deployment package is a .zip file archive or container image that contains your function code. The execution role grants the function permission to use Amazon Web Services, such as Amazon CloudWatch Logs for log streaming and X-Ray for request tracing.

If the deployment package is a container image, then you set the package type to Image. For a container image, the code property must include the URI of a container image in the Amazon ECR registry. You do not need to specify the handler and runtime properties.

If the deployment package is a .zip file archive, then you set the package type to Zip. For a .zip file archive, the code property specifies the location of the .zip file. You must also specify the handler and runtime properties. The code in the deployment package must be compatible with the target instruction set architecture of the function (x86-64 or arm64). If you do not specify the architecture, then the default value is x86-64.

When you create a function, Lambda provisions an instance of the function and its supporting resources. If your function connects to a VPC, this process can take a minute or so. During this time, you can't invoke or modify the function. The State, StateReason, and StateReasonCode fields in the response from GetFunctionConfiguration indicate when the function is ready to invoke. For more information, see Lambda function states.

A function has an unpublished version, and can have published versions and aliases. The unpublished version changes when you update your function's code and configuration. A published version is a snapshot of your function code and configuration that can't be changed. An alias is a named resource that maps to a version, and can be changed to map to a different version. Use the Publish parameter to create version 1 of your function from its initial configuration.

The other parameters let you configure version-specific and function-level settings. You can modify version-specific settings later with UpdateFunctionConfiguration. Function-level settings apply to both the unpublished and published versions of the function, and include tags (TagResource) and per-function concurrency limits (PutFunctionConcurrency).

You can use code signing if your deployment package is a .zip file archive. To enable code signing for this function, specify the ARN of a code-signing configuration. When a user attempts to deploy a code package with UpdateFunctionCode, Lambda checks that the code package has a valid signature from a trusted publisher. The code-signing configuration includes set of signing profiles, which define the trusted publishers for this function.

If another Amazon Web Services account or an Amazon Web Service invokes your function, use AddPermission to grant permission by creating a resource-based Identity and Access Management (IAM) policy. You can grant permissions at the function level, on a version, or on an alias.

To invoke your function directly, use Invoke. To invoke your function in response to events in other Amazon Web Services, create an event source mapping (CreateEventSourceMapping), or configure a function trigger in the other service. For more information, see Invoking Lambda functions.

" + "documentation":"

Creates a Lambda function. To create a function, you need a deployment package and an execution role. The deployment package is a .zip file archive or container image that contains your function code. The execution role grants the function permission to use Amazon Web Servicesservices, such as Amazon CloudWatch Logs for log streaming and X-Ray for request tracing.

If the deployment package is a container image, then you set the package type to Image. For a container image, the code property must include the URI of a container image in the Amazon ECR registry. You do not need to specify the handler and runtime properties.

If the deployment package is a .zip file archive, then you set the package type to Zip. For a .zip file archive, the code property specifies the location of the .zip file. You must also specify the handler and runtime properties. The code in the deployment package must be compatible with the target instruction set architecture of the function (x86-64 or arm64). If you do not specify the architecture, then the default value is x86-64.

When you create a function, Lambda provisions an instance of the function and its supporting resources. If your function connects to a VPC, this process can take a minute or so. During this time, you can't invoke or modify the function. The State, StateReason, and StateReasonCode fields in the response from GetFunctionConfiguration indicate when the function is ready to invoke. For more information, see Lambda function states.

A function has an unpublished version, and can have published versions and aliases. The unpublished version changes when you update your function's code and configuration. A published version is a snapshot of your function code and configuration that can't be changed. An alias is a named resource that maps to a version, and can be changed to map to a different version. Use the Publish parameter to create version 1 of your function from its initial configuration.

The other parameters let you configure version-specific and function-level settings. You can modify version-specific settings later with UpdateFunctionConfiguration. Function-level settings apply to both the unpublished and published versions of the function, and include tags (TagResource) and per-function concurrency limits (PutFunctionConcurrency).

You can use code signing if your deployment package is a .zip file archive. To enable code signing for this function, specify the ARN of a code-signing configuration. When a user attempts to deploy a code package with UpdateFunctionCode, Lambda checks that the code package has a valid signature from a trusted publisher. The code-signing configuration includes set of signing profiles, which define the trusted publishers for this function.

If another Amazon Web Services account or an Amazon Web Servicesservice invokes your function, use AddPermission to grant permission by creating a resource-based Identity and Access Management (IAM) policy. You can grant permissions at the function level, on a version, or on an alias.

To invoke your function directly, use Invoke. To invoke your function in response to events in other Amazon Web Servicesservices, create an event source mapping (CreateEventSourceMapping), or configure a function trigger in the other service. For more information, see Invoking Lambda functions.

" }, "CreateFunctionUrlConfig":{ "name":"CreateFunctionUrlConfig", @@ -210,7 +210,7 @@ {"shape":"InvalidParameterValueException"}, {"shape":"ResourceConflictException"} ], - "documentation":"

Deletes a Lambda function. To delete a specific function version, use the Qualifier parameter. Otherwise, all versions and aliases are deleted. This doesn't require the user to have explicit permissions for DeleteAlias.

To delete Lambda event source mappings that invoke a function, use DeleteEventSourceMapping. For Amazon Web Services and resources that invoke your function directly, delete the trigger in the service where you originally configured it.

" + "documentation":"

Deletes a Lambda function. To delete a specific function version, use the Qualifier parameter. Otherwise, all versions and aliases are deleted. This doesn't require the user to have explicit permissions for DeleteAlias.

To delete Lambda event source mappings that invoke a function, use DeleteEventSourceMapping. For Amazon Web Servicesservices and resources that invoke your function directly, delete the trigger in the service where you originally configured it.

" }, "DeleteFunctionCodeSigningConfig":{ "name":"DeleteFunctionCodeSigningConfig", @@ -1078,7 +1078,7 @@ {"shape":"TooManyRequestsException"}, {"shape":"PreconditionFailedException"} ], - "documentation":"
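Review bot: The added `documentation` value in this hunk reads "Amazon Web Servicesservices", with no space between the two words, at least as the text is rendered on this page. The same run-together wording appears on the added lines of the `@@ -1078,7`, `@@ -1211,7` and `@@ -1379,15` hunks of this file and in most of the Security Hub hunks that follow. These strings feed the generated SDK reference and help text, so they should read `Amazon Web Services service` or `Amazon Web Services services`. Because the file is a service model, the correction presumably belongs in the upstream definition rather than in a hand edit here.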

Revokes function-use permission from an Amazon Web Service or another Amazon Web Services account. You can get the ID of the statement from the output of GetPolicy.

" + "documentation":"

Revokes function-use permission from an Amazon Web Servicesservice or another Amazon Web Services account. You can get the ID of the statement from the output of GetPolicy.

" }, "TagResource":{ "name":"TagResource", @@ -1211,7 +1211,7 @@ {"shape":"InvalidCodeSignatureException"}, {"shape":"CodeSigningConfigNotFoundException"} ], - "documentation":"

Modify the version-specific settings of a Lambda function.

When you update a function, Lambda provisions an instance of the function and its supporting resources. If your function connects to a VPC, this process can take a minute. During this time, you can't modify the function, but you can still invoke it. The LastUpdateStatus, LastUpdateStatusReason, and LastUpdateStatusReasonCode fields in the response from GetFunctionConfiguration indicate when the update is complete and the function is processing events with the new configuration. For more information, see Lambda function states.

These settings can vary between versions of a function and are locked when you publish a version. You can't modify the configuration of a published version, only the unpublished version.

To configure function concurrency, use PutFunctionConcurrency. To grant invoke permissions to an Amazon Web Services account or Amazon Web Service, use AddPermission.

" + "documentation":"

Modify the version-specific settings of a Lambda function.

When you update a function, Lambda provisions an instance of the function and its supporting resources. If your function connects to a VPC, this process can take a minute. During this time, you can't modify the function, but you can still invoke it. The LastUpdateStatus, LastUpdateStatusReason, and LastUpdateStatusReasonCode fields in the response from GetFunctionConfiguration indicate when the update is complete and the function is processing events with the new configuration. For more information, see Lambda function states.

These settings can vary between versions of a function and are locked when you publish a version. You can't modify the configuration of a published version, only the unpublished version.

To configure function concurrency, use PutFunctionConcurrency. To grant invoke permissions to an Amazon Web Services account or Amazon Web Servicesservice, use AddPermission.

" }, "UpdateFunctionEventInvokeConfig":{ "name":"UpdateFunctionEventInvokeConfig", @@ -1379,15 +1379,15 @@ }, "Principal":{ "shape":"Principal", - "documentation":"

The Amazon Web Service or Amazon Web Services account that invokes the function. If you specify a service, use SourceArn or SourceAccount to limit who can invoke the function through that service.

" + "documentation":"

The Amazon Web Servicesservice or Amazon Web Services account that invokes the function. If you specify a service, use SourceArn or SourceAccount to limit who can invoke the function through that service.

" }, "SourceArn":{ "shape":"Arn", - "documentation":"

For Amazon Web Services, the ARN of the Amazon Web Services resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.

Note that Lambda configures the comparison using the StringLike operator.

" + "documentation":"

For Amazon Web Servicesservices, the ARN of the Amazon Web Services resource that invokes the function. For example, an Amazon S3 bucket or Amazon SNS topic.

Note that Lambda configures the comparison using the StringLike operator.

" }, "SourceAccount":{ "shape":"SourceOwner", - "documentation":"

For Amazon Web Service, the ID of the Amazon Web Services account that owns the resource. Use this together with SourceArn to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.

" + "documentation":"

For Amazon Web Servicesservice, the ID of the Amazon Web Services account that owns the resource. Use this together with SourceArn to ensure that the specified account owns the resource. It is possible for an Amazon S3 bucket to be deleted by its owner and recreated by another account.

" }, "EventSourceToken":{ "shape":"EventSourceToken", @@ -1868,6 +1868,10 @@ "DocumentDBEventSourceConfig":{ "shape":"DocumentDBEventSourceConfig", "documentation":"

Specific configuration settings for a DocumentDB event source.

" + }, + "KMSKeyArn":{ + "shape":"KMSKeyArn", + "documentation":"

The ARN of the Key Management Service (KMS) customer managed key that Lambda uses to encrypt your function's filter criteria. By default, Lambda does not encrypt your filter criteria object. Specify this property to encrypt data using your own customer managed key.

" } } }, @@ -2482,7 +2486,7 @@ }, "FilterCriteria":{ "shape":"FilterCriteria", - "documentation":"

An object that defines the filter criteria that determine whether Lambda should process an event. For more information, see Lambda event filtering.

" + "documentation":"

An object that defines the filter criteria that determine whether Lambda should process an event. For more information, see Lambda event filtering.

If filter criteria is encrypted, this field shows up as null in the response of ListEventSourceMapping API calls. You can view this field in plaintext in the response of GetEventSourceMapping and DeleteEventSourceMapping calls if you have kms:Decrypt permissions for the correct KMS key.

" }, "FunctionArn":{ "shape":"FunctionArn", @@ -2559,6 +2563,14 @@ "DocumentDBEventSourceConfig":{ "shape":"DocumentDBEventSourceConfig", "documentation":"
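Review bot: The added FilterCriteria description names `ListEventSourceMapping`, but the Lambda operation is `ListEventSourceMappings`, so the sentence should read `this field shows up as null in the response of ListEventSourceMappings API calls`. The behaviour it documents also needs a plainer caveat for callers: once a `KMSKeyArn` is set, a null `FilterCriteria` in a list response no longer means the mapping has no filter. Inventory or audit code that reads list output should fall back to GetEventSourceMapping, with `kms:Decrypt` on the key, before concluding that no filtering is applied. It should also check the `FilterCriteriaError` member added in the `@@ -2559,6 +2563,14 @@` hunk.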

Specific configuration settings for a DocumentDB event source.

" + }, + "KMSKeyArn":{ + "shape":"KMSKeyArn", + "documentation":"

The ARN of the Key Management Service (KMS) customer managed key that Lambda uses to encrypt your function's filter criteria.

" + }, + "FilterCriteriaError":{ + "shape":"FilterCriteriaError", + "documentation":"

An object that contains details about an error related to filter criteria encryption.

" } }, "documentation":"

A mapping between an Amazon Web Services resource and a Lambda function. For details, see CreateEventSourceMapping.

" @@ -2629,6 +2641,32 @@ }, "documentation":"

An object that contains the filters for an event source.

" }, + "FilterCriteriaError":{ + "type":"structure", + "members":{ + "ErrorCode":{ + "shape":"FilterCriteriaErrorCode", + "documentation":"

The KMS exception that resulted from filter criteria encryption or decryption.

" + }, + "Message":{ + "shape":"FilterCriteriaErrorMessage", + "documentation":"

The error message.

" + } + }, + "documentation":"

An object that contains details about an error related to filter criteria encryption.

"
+ },
+ "FilterCriteriaErrorCode":{
+ "type":"string",
+ "max":50,
+ "min":10,
+ "pattern":"[A-Za-z]+Exception"
+ },
+ "FilterCriteriaErrorMessage":{
+ "type":"string",
+ "max":2048,
+ "min":10,
+ "pattern":".*"
+ },
 "FilterList":{
 "type":"list",
 "member":{"shape":"Filter"}
@@ -5968,6 +6006,10 @@
 "DocumentDBEventSourceConfig":{
 "shape":"DocumentDBEventSourceConfig",
 "documentation":"

Specific configuration settings for a DocumentDB event source.

" + }, + "KMSKeyArn":{ + "shape":"KMSKeyArn", + "documentation":"

The ARN of the Key Management Service (KMS) customer managed key that Lambda uses to encrypt your function's filter criteria. By default, Lambda does not encrypt your filter criteria object. Specify this property to encrypt data using your own customer managed key.

"
 }
 }
 },
diff --git a/botocore/data/securityhub/2018-10-26/service-2.json b/botocore/data/securityhub/2018-10-26/service-2.json
index 8781e7fbed..d90539e107 100644
--- a/botocore/data/securityhub/2018-10-26/service-2.json
+++ b/botocore/data/securityhub/2018-10-26/service-2.json
@@ -1264,7 +1264,7 @@
 {"shape":"InvalidAccessException"},
 {"shape":"ResourceNotFoundException"}
 ],
- "documentation":"

UpdateFindings is a deprecated operation. Instead of UpdateFindings, use the BatchUpdateFindings operation.

Updates the Note and RecordState of the Security Hub-aggregated findings that the filter attributes specify. Any member account that can view the finding also sees the update to the finding.

Finding updates made with UpdateFindings might not be persisted if the same finding is later updated by the finding provider through the BatchImportFindings operation.

" + "documentation":"

UpdateFindings is a deprecated operation. Instead of UpdateFindings, use the BatchUpdateFindings operation.

The UpdateFindings operation updates the Note and RecordState of the Security Hub aggregated findings that the filter attributes specify. Any member account that can view the finding can also see the update to the finding.

Finding updates made with UpdateFindings aren't persisted if the same finding is later updated by the finding provider through the BatchImportFindings operation. In addition, Security Hub doesn't record updates made with UpdateFindings in the finding history.

" }, "UpdateInsight":{ "name":"UpdateInsight", @@ -1908,7 +1908,7 @@ }, "ResourceId":{ "shape":"StringFilterList", - "documentation":"

The identifier for the given resource type. For Amazon Web Services resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, this is the identifier as defined by the Amazon Web Service that created the resource. For non-Amazon Web Services resources, this is a unique identifier that is associated with the resource.

Array Members: Minimum number of 1 item. Maximum number of 100 items.

" + "documentation":"

The identifier for the given resource type. For Amazon Web Services resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, this is the identifier as defined by the Amazon Web Servicesservice that created the resource. For non-Amazon Web Services resources, this is a unique identifier that is associated with the resource.

Array Members: Minimum number of 1 item. Maximum number of 100 items.

" }, "ResourcePartition":{ "shape":"StringFilterList", @@ -14275,7 +14275,7 @@ }, "ComplianceSecurityControlId":{ "shape":"StringFilterList", - "documentation":"

The unique identifier of a control across standards. Values for this field typically consist of an Amazon Web Service and a number, such as APIGateway.5.

" + "documentation":"

The unique identifier of a control across standards. Values for this field typically consist of an Amazon Web Servicesservice and a number, such as APIGateway.5.

" }, "ComplianceAssociatedStandardsId":{ "shape":"StringFilterList", @@ -15857,7 +15857,7 @@ }, "SecurityControlId":{ "shape":"NonEmptyString", - "documentation":"

The unique identifier of a control across standards. Values for this field typically consist of an Amazon Web Service and a number, such as APIGateway.5.

" + "documentation":"

The unique identifier of a control across standards. Values for this field typically consist of an Amazon Web Servicesservice and a number, such as APIGateway.5.

" }, "AssociatedStandards":{ "shape":"AssociatedStandardsList", @@ -16227,11 +16227,11 @@ "members":{ "RegionLinkingMode":{ "shape":"NonEmptyString", - "documentation":"

Indicates whether to aggregate findings from all of the available Regions in the current partition. Also determines whether to automatically aggregate findings from new Regions as Security Hub supports them and you opt into them.

The selected option also determines how to use the Regions provided in the Regions list.

The options are as follows:

" + "documentation":"

Indicates whether to aggregate findings from all of the available Regions in the current partition. Also determines whether to automatically aggregate findings from new Regions as Security Hub supports them and you opt into them.

The selected option also determines how to use the Regions provided in the Regions list.

The options are as follows:

" }, "Regions":{ "shape":"StringList", - "documentation":"

If RegionLinkingMode is ALL_REGIONS_EXCEPT_SPECIFIED, then this is a space-separated list of Regions that do not aggregate findings to the aggregation Region.

If RegionLinkingMode is SPECIFIED_REGIONS, then this is a space-separated list of Regions that do aggregate findings to the aggregation Region.

" + "documentation":"

If RegionLinkingMode is ALL_REGIONS_EXCEPT_SPECIFIED, then this is a space-separated list of Regions that do not aggregate findings to the aggregation Region.

If RegionLinkingMode is SPECIFIED_REGIONS, then this is a space-separated list of Regions that do aggregate findings to the aggregation Region.

An InvalidInputException error results if you populate this field while RegionLinkingMode is NO_REGIONS.

" } } }, @@ -17038,7 +17038,7 @@ }, "UpdateSource":{ "shape":"FindingHistoryUpdateSource", - "documentation":"

Identifies the source of the event that changed the finding. For example, an integrated Amazon Web Service or third-party partner integration may call BatchImportFindings , or an Security Hub customer may call BatchUpdateFindings .

" + "documentation":"

Identifies the source of the event that changed the finding. For example, an integrated Amazon Web Servicesservice or third-party partner integration may call BatchImportFindings , or an Security Hub customer may call BatchUpdateFindings .

" }, "Updates":{ "shape":"FindingHistoryUpdatesList", @@ -17078,7 +17078,7 @@ "members":{ "Type":{ "shape":"FindingHistoryUpdateSourceType", - "documentation":"

Describes the type of finding change event, such as a call to BatchImportFindings (by an integrated Amazon Web Service or third party partner integration) or BatchUpdateFindings (by a Security Hub customer).

" + "documentation":"

Describes the type of finding change event, such as a call to BatchImportFindings (by an integrated Amazon Web Servicesservice or third party partner integration) or BatchUpdateFindings (by a Security Hub customer).

" }, "Identity":{ "shape":"NonEmptyString", @@ -18632,6 +18632,10 @@ "shape":"Double", "documentation":"

The less-than-equal condition to be applied to a single field when querying for findings.

" }, + "Eq":{ + "shape":"Double", + "documentation":"

The equal-to condition to be applied to a single field when querying for findings.

" + }, "Gt":{ "shape":"Double", "documentation":"

The greater-than condition to be applied to a single field when querying for findings.

" @@ -18639,10 +18643,6 @@ "Lt":{ "shape":"Double", "documentation":"

The less-than condition to be applied to a single field when querying for findings.

" - }, - "Eq":{ - "shape":"Double", - "documentation":"

The equal-to condition to be applied to a single field when querying for findings.

" } }, "documentation":"

A number filter for querying findings.

" @@ -18885,7 +18885,7 @@ "members":{ "SecurityHub":{ "shape":"SecurityHubPolicy", - "documentation":"

The Amazon Web Service that the configuration policy applies to.

" + "documentation":"

The Amazon Web Servicesservice that the configuration policy applies to.

" } }, "documentation":"

An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).

", @@ -19680,7 +19680,7 @@ }, "DestinationPrefixListId":{ "shape":"NonEmptyString", - "documentation":"

The prefix of the destination Amazon Web Service.

" + "documentation":"

The prefix of the destination Amazon Web Servicesservice.

" }, "EgressOnlyInternetGatewayId":{ "shape":"NonEmptyString", @@ -20101,7 +20101,7 @@ "members":{ "SecurityControlId":{ "shape":"NonEmptyString", - "documentation":"

The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Service name and a number, such as APIGateway.3.

" + "documentation":"

The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Servicesservice name and a number, such as APIGateway.3.

" }, "SecurityControlArn":{ "shape":"NonEmptyString", @@ -20129,7 +20129,7 @@ }, "UpdateStatus":{ "shape":"UpdateStatus", - "documentation":"

Identifies whether customizable properties of a security control are reflected in Security Hub findings. A status of READY indicates findings include the current parameter values. A status of UPDATING indicates that all findings may not include the current parameter values.

" + "documentation":"

Identifies whether customizable properties of a security control are reflected in Security Hub findings. A status of READY indicates that Security Hub uses the current control parameter values when running security checks of the control. A status of UPDATING indicates that all security checks might not use the current parameter values.

" }, "Parameters":{ "shape":"Parameters", @@ -20173,7 +20173,7 @@ "members":{ "SecurityControlId":{ "shape":"NonEmptyString", - "documentation":"

The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Service name and a number (for example, APIGateway.3). This parameter differs from SecurityControlArn, which is a unique Amazon Resource Name (ARN) assigned to a control. The ARN references the security control ID (for example, arn:aws:securityhub:eu-central-1:123456789012:security-control/APIGateway.3).

" + "documentation":"

The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Servicesservice name and a number (for example, APIGateway.3). This parameter differs from SecurityControlArn, which is a unique Amazon Resource Name (ARN) assigned to a control. The ARN references the security control ID (for example, arn:aws:securityhub:eu-central-1:123456789012:security-control/APIGateway.3).

" }, "Title":{ "shape":"NonEmptyString", @@ -20554,7 +20554,7 @@ }, "SecurityControlId":{ "shape":"NonEmptyString", - "documentation":"

The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Service name and a number, such as APIGateway.3.

" + "documentation":"

The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Servicesservice name and a number, such as APIGateway.3.

" }, "SecurityControlArn":{ "shape":"NonEmptyString", @@ -20636,7 +20636,7 @@ }, "SecurityControlId":{ "shape":"NonEmptyString", - "documentation":"

A unique standard-agnostic identifier for a control. Values for this field typically consist of an Amazon Web Service and a number, such as APIGateway.5. This field doesn't reference a specific standard.

" + "documentation":"

A unique standard-agnostic identifier for a control. Values for this field typically consist of an Amazon Web Servicesservice and a number, such as APIGateway.5. This field doesn't reference a specific standard.

" }, "SecurityControlArn":{ "shape":"NonEmptyString", @@ -21479,11 +21479,11 @@ }, "RegionLinkingMode":{ "shape":"NonEmptyString", - "documentation":"

Indicates whether to aggregate findings from all of the available Regions in the current partition. Also determines whether to automatically aggregate findings from new Regions as Security Hub supports them and you opt into them.

The selected option also determines how to use the Regions provided in the Regions list.

The options are as follows:

" + "documentation":"

Indicates whether to aggregate findings from all of the available Regions in the current partition. Also determines whether to automatically aggregate findings from new Regions as Security Hub supports them and you opt into them.

The selected option also determines how to use the Regions provided in the Regions list.

The options are as follows:

" }, "Regions":{ "shape":"StringList", - "documentation":"

If RegionLinkingMode is ALL_REGIONS_EXCEPT_SPECIFIED, then this is a space-separated list of Regions that do not aggregate findings to the aggregation Region.

If RegionLinkingMode is SPECIFIED_REGIONS, then this is a space-separated list of Regions that do aggregate findings to the aggregation Region.

" + "documentation":"

If RegionLinkingMode is ALL_REGIONS_EXCEPT_SPECIFIED, then this is a space-separated list of Regions that do not aggregate findings to the aggregation Region.

If RegionLinkingMode is SPECIFIED_REGIONS, then this is a space-separated list of Regions that do aggregate findings to the aggregation Region.

An InvalidInputException error results if you populate this field while RegionLinkingMode is NO_REGIONS.

" } } }, @@ -21924,5 +21924,5 @@ "documentation":"

Used to update information about the investigation into the finding.

" } }, - "documentation":"

Security Hub provides you with a comprehensive view of your security state in Amazon Web Services and helps you assess your Amazon Web Services environment against security industry standards and best practices.

Security Hub collects security data across Amazon Web Services accounts, Amazon Web Services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.

To help you manage the security state of your organization, Security Hub supports multiple security standards. These include the Amazon Web Services Foundational Security Best Practices (FSBP) standard developed by Amazon Web Services, and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes several security controls, each of which represents a security best practice. Security Hub runs checks against security controls and generates control findings to help you assess your compliance against security best practices.

In addition to generating control findings, Security Hub also receives findings from other Amazon Web Services, such as Amazon GuardDuty and Amazon Inspector, and supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You can also send Security Hub findings to other Amazon Web Services and supported third-party products.

Security Hub offers automation features that help you triage and remediate security issues. For example, you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with Amazon EventBridge to trigger automatic responses to specific findings.

This guide, the Security Hub API Reference, provides information about the Security Hub API. This includes supported resources, HTTP methods, parameters, and schemas. If you're new to Security Hub, you might find it helpful to also review the Security Hub User Guide . The user guide explains key concepts and provides procedures that demonstrate how to use Security Hub features. It also provides information about topics such as integrating Security Hub with other Amazon Web Services.

In addition to interacting with Security Hub by making calls to the Security Hub API, you can use a current version of an Amazon Web Services command line tool or SDK. Amazon Web Services provides tools and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell, Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to Security Hub and other Amazon Web Services . They also handle tasks such as signing requests, managing errors, and retrying requests automatically. For information about installing and using the Amazon Web Services tools and SDKs, see Tools to Build on Amazon Web Services.

With the exception of operations that are related to central configuration, Security Hub API requests are executed only in the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, call the same API operation in each Region in which you want to apply the change. When you use central configuration, API requests for enabling Security Hub, standards, and controls are executed in the home Region and all linked Regions. For a list of central configuration operations, see the Central configuration terms and concepts section of the Security Hub User Guide.

The following throttling limits apply to Security Hub API operations.

" + "documentation":"

Security Hub provides you with a comprehensive view of your security state in Amazon Web Services and helps you assess your Amazon Web Services environment against security industry standards and best practices.

Security Hub collects security data across Amazon Web Services accounts, Amazon Web Servicesservices, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.

To help you manage the security state of your organization, Security Hub supports multiple security standards. These include the Amazon Web Services Foundational Security Best Practices (FSBP) standard developed by Amazon Web Services, and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes several security controls, each of which represents a security best practice. Security Hub runs checks against security controls and generates control findings to help you assess your compliance against security best practices.

In addition to generating control findings, Security Hub also receives findings from other Amazon Web Servicesservices, such as Amazon GuardDuty and Amazon Inspector, and supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You can also send Security Hub findings to other Amazon Web Servicesservices and supported third-party products.

Security Hub offers automation features that help you triage and remediate security issues. For example, you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with Amazon EventBridge to trigger automatic responses to specific findings.

This guide, the Security Hub API Reference, provides information about the Security Hub API. This includes supported resources, HTTP methods, parameters, and schemas. If you're new to Security Hub, you might find it helpful to also review the Security Hub User Guide . The user guide explains key concepts and provides procedures that demonstrate how to use Security Hub features. It also provides information about topics such as integrating Security Hub with other Amazon Web Servicesservices.

In addition to interacting with Security Hub by making calls to the Security Hub API, you can use a current version of an Amazon Web Services command line tool or SDK. Amazon Web Services provides tools and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell, Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to Security Hub and other Amazon Web Servicesservices . They also handle tasks such as signing requests, managing errors, and retrying requests automatically. For information about installing and using the Amazon Web Services tools and SDKs, see Tools to Build on Amazon Web Services.

With the exception of operations that are related to central configuration, Security Hub API requests are executed only in the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, call the same API operation in each Region in which you want to apply the change. When you use central configuration, API requests for enabling Security Hub, standards, and controls are executed in the home Region and all linked Regions. For a list of central configuration operations, see the Central configuration terms and concepts section of the Security Hub User Guide.

The following throttling limits apply to Security Hub API operations.

"
 }
diff --git a/botocore/data/ses/2010-12-01/service-2.json b/botocore/data/ses/2010-12-01/service-2.json
index 75573cd7c4..b26ab4adf5 100644
--- a/botocore/data/ses/2010-12-01/service-2.json
+++ b/botocore/data/ses/2010-12-01/service-2.json
@@ -2446,6 +2446,12 @@
 "HeaderName":{"type":"string"},
 "HeaderValue":{"type":"string"},
 "HtmlPart":{"type":"string"},
+ "IAMRoleARN":{
+ "type":"string",
+ "max":2048,
+ "min":20,
+ "pattern":"arn:[\\w-]+:iam::[0-9]+:role/[\\w-]+"
+ },
 "Identity":{"type":"string"},
 "IdentityDkimAttributes":{
 "type":"structure",
@@ -3491,7 +3497,11 @@
 },
 "KmsKeyArn":{
 "shape":"AmazonResourceName",
- "documentation":"
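Review bot: The `IAMRoleARN` pattern added in the `@@ -2446,6 +2446,12 @@` hunk, `arn:[\\w-]+:iam::[0-9]+:role/[\\w-]+`, is narrower than what IAM allows: role names may contain `+=,.@`, and a role ARN can carry a path (`role/<path>/<name>`), neither of which `[\\w-]+` covers. If the service applies the pattern as a full match, such roles cannot be supplied for the S3 action; if it is applied unanchored, it checks only a prefix and accepts trailing text. A pattern such as `arn:[\\w-]+:iam::[0-9]{12}:role/[\\w+=,.@/-]+`, applied as a full match, would express the intent. As far as I know botocore's own parameter validation does not check `pattern`, so this would need to be settled in the upstream service definition.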

The customer master key that Amazon SES should use to encrypt your emails before saving them to the Amazon S3 bucket. You can use the default master key or a custom master key that you created in Amazon Web Services KMS as follows:

For more information about key policies, see the Amazon Web Services KMS Developer Guide. If you do not specify a master key, Amazon SES does not encrypt your emails.

Your mail is encrypted by Amazon SES using the Amazon S3 encryption client before the mail is submitted to Amazon S3 for storage. It is not encrypted using Amazon S3 server-side encryption. This means that you must use the Amazon S3 encryption client to decrypt the email after retrieving it from Amazon S3, as the service has no access to use your Amazon Web Services KMS keys for decryption. This encryption client is currently available with the Amazon Web Services SDK for Java and Amazon Web Services SDK for Ruby only. For more information about client-side encryption using Amazon Web Services KMS master keys, see the Amazon S3 Developer Guide.

" + "documentation":"

The customer managed key that Amazon SES should use to encrypt your emails before saving them to the Amazon S3 bucket. You can use the default managed key or a custom managed key that you created in Amazon Web Services KMS as follows:

For more information about key policies, see the Amazon Web Services KMS Developer Guide. If you do not specify a managed key, Amazon SES does not encrypt your emails.

Your mail is encrypted by Amazon SES using the Amazon S3 encryption client before the mail is submitted to Amazon S3 for storage. It is not encrypted using Amazon S3 server-side encryption. This means that you must use the Amazon S3 encryption client to decrypt the email after retrieving it from Amazon S3, as the service has no access to use your Amazon Web Services KMS keys for decryption. This encryption client is currently available with the Amazon Web Services SDK for Java and Amazon Web Services SDK for Ruby only. For more information about client-side encryption using Amazon Web Services KMS managed keys, see the Amazon S3 Developer Guide.

" + }, + "IamRoleArn":{ + "shape":"IAMRoleARN", + "documentation":"

The ARN of the IAM role to be used by Amazon Simple Email Service while writing to the Amazon S3 bucket, optionally encrypting your mail via the provided customer managed key, and publishing to the Amazon SNS topic. This role should have access to the following APIs:

If an IAM role ARN is provided, the role (and only the role) is used to access all the given resources (Amazon S3 bucket, Amazon Web Services KMS customer managed key and Amazon SNS topic). Therefore, setting up individual resource access permissions is not required.

" } }, "documentation":"

When included in a receipt rule, this action saves the received message to an Amazon Simple Storage Service (Amazon S3) bucket and, optionally, publishes a notification to Amazon Simple Notification Service (Amazon SNS).

To enable Amazon SES to write emails to your Amazon S3 bucket, use an Amazon Web Services KMS key to encrypt your emails, or publish to an Amazon SNS topic of another account, Amazon SES must have permission to access those resources. For information about granting permissions, see the Amazon SES Developer Guide.

When you save your emails to an Amazon S3 bucket, the maximum email size (including headers) is 40 MB. Emails larger than that bounces.

For information about specifying Amazon S3 actions in receipt rules, see the Amazon SES Developer Guide.

" @@ -3581,6 +3591,7 @@ "required":[ "Source", "Template", + "DefaultTemplateData", "Destinations" ], "members":{
diff --git a/docs/source/conf.py b/docs/source/conf.py
index 98a3f64cd8..23266881c9 100644
--- a/docs/source/conf.py
+++ b/docs/source/conf.py
@@ -59,7 +59,7 @@
 # The short X.Y version.
 version = '1.35'
 # The full version, including alpha/beta/rc tags.
-release = '1.35.2'
+release = '1.35.3'
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.