diff --git a/.changes/1.30.1.json b/.changes/1.30.1.json new file mode 100644 index 0000000000..454809135f --- /dev/null +++ b/.changes/1.30.1.json @@ -0,0 +1,27 @@ +[ + { + "category": "``comprehendmedical``", + "description": "Update to Amazon Comprehend Medical documentation.", + "type": "api-change" + }, + { + "category": "``connect``", + "description": "GetMetricDataV2 API: Channels filters do not count towards overall limitation of 100 filter values.", + "type": "api-change" + }, + { + "category": "``kms``", + "description": "Added Dry Run Feature to cryptographic and cross-account mutating KMS APIs (14 in all). This feature allows users to test their permissions and parameters before making the actual API call.", + "type": "api-change" + }, + { + "category": "``mgn``", + "description": "This release introduces the Global view feature and new Replication state APIs.", + "type": "api-change" + }, + { + "category": "``securityhub``", + "description": "Documentation updates for AWS Security Hub", + "type": "api-change" + } +] \ No newline at end of file diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 7b6256c18c..efe51b572d 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,16 @@ CHANGELOG ========= +1.30.1 +====== + +* api-change:``comprehendmedical``: Update to Amazon Comprehend Medical documentation. +* api-change:``connect``: GetMetricDataV2 API: Channels filters do not count towards overall limitation of 100 filter values. +* api-change:``kms``: Added Dry Run Feature to cryptographic and cross-account mutating KMS APIs (14 in all). This feature allows users to test their permissions and parameters before making the actual API call. +* api-change:``mgn``: This release introduces the Global view feature and new Replication state APIs. +* api-change:``securityhub``: Documentation updates for AWS Security Hub + + 1.30.0 ====== diff --git a/botocore/__init__.py b/botocore/__init__.py index 7e843c0bc6..aa346e87f3 100644 --- a/botocore/__init__.py 
+++ b/botocore/__init__.py @@ -16,7 +16,7 @@ import os import re -__version__ = '1.30.0' +__version__ = '1.30.1' class NullHandler(logging.Handler): diff --git a/botocore/data/comprehendmedical/2018-10-30/service-2.json b/botocore/data/comprehendmedical/2018-10-30/service-2.json index 8ed7cac3cc..1f23ff490f 100644 --- a/botocore/data/comprehendmedical/2018-10-30/service-2.json +++ b/botocore/data/comprehendmedical/2018-10-30/service-2.json @@ -110,7 +110,7 @@ {"shape":"InvalidEncodingException"}, {"shape":"TextSizeLimitExceededException"} ], - "documentation":"

The DetectEntities operation is deprecated. You should use the DetectEntitiesV2 operation instead.

Inspects the clinical text for a variety of medical entities and returns specific information about them such as entity category, location, and confidence score on that information .

", + "documentation":"

The DetectEntities operation is deprecated. You should use the DetectEntitiesV2 operation instead.

Inspects the clinical text for a variety of medical entities and returns specific information about them such as entity category, location, and confidence score on that information.

", "deprecated":true, "deprecatedMessage":"This operation is deprecated, use DetectEntitiesV2 instead." }, @@ -148,7 +148,7 @@ {"shape":"InvalidEncodingException"}, {"shape":"TextSizeLimitExceededException"} ], - "documentation":"

Inspects the clinical text for protected health information (PHI) entities and returns the entity category, location, and confidence score for each entity. Amazon Comprehend Medical only detects entities in English language texts.

" + "documentation":"

Inspects the clinical text for protected health information (PHI) entities and returns the entity category, location, and confidence score for each entity. Amazon Comprehend Medical only detects entities in English language texts.

" }, "InferICD10CM":{ "name":"InferICD10CM", @@ -250,7 +250,7 @@ {"shape":"TooManyRequestsException"}, {"shape":"InternalServerException"} ], - "documentation":"

Gets a list of protected health information (PHI) detection jobs that you have submitted.

" + "documentation":"

Gets a list of protected health information (PHI) detection jobs you have submitted.

" }, "ListRxNormInferenceJobs":{ "name":"ListRxNormInferenceJobs", @@ -452,11 +452,11 @@ }, "Score":{ "shape":"Float", - "documentation":"

The level of confidence that Comprehend Medical; has that the segment of text is correctly recognized as an attribute.

" + "documentation":"

The level of confidence that Amazon Comprehend Medical has that the segment of text is correctly recognized as an attribute.

" }, "RelationshipScore":{ "shape":"Float", - "documentation":"

The level of confidence that Comprehend Medical; has that this attribute is correctly related to this entity.

" + "documentation":"

The level of confidence that Amazon Comprehend Medical has that this attribute is correctly related to this entity.

" }, "RelationshipType":{ "shape":"RelationshipType", @@ -517,7 +517,7 @@ "members":{ "OriginalTextCharacters":{ "shape":"Integer", - "documentation":"

The number of characters present in the input text document as processed by Comprehend Medical.

" + "documentation":"

The number of characters present in the input text document as processed by Amazon Comprehend Medical.

" } }, "documentation":"

The number of characters in the input text to be analyzed.

" @@ -595,7 +595,7 @@ }, "DataAccessRoleArn":{ "shape":"IamRoleArn", - "documentation":"

The Amazon Resource Name (ARN) that gives Comprehend Medical; read access to your input data.

" + "documentation":"

The Amazon Resource Name (ARN) that gives Amazon Comprehend Medical read access to your input data.

" }, "ManifestFilePath":{ "shape":"ManifestFilePath", @@ -622,7 +622,7 @@ "members":{ "JobId":{ "shape":"JobId", - "documentation":"

The identifier that Comprehend Medical; generated for the job. The StartEntitiesDetectionV2Job operation returns this identifier in its response.

" + "documentation":"

The identifier that Amazon Comprehend Medical generated for the job. The StartEntitiesDetectionV2Job operation returns this identifier in its response.

" } } }, @@ -660,7 +660,7 @@ "members":{ "JobId":{ "shape":"JobId", - "documentation":"

The identifier that Comprehend Medical; generated for the job. The StartPHIDetectionJob operation returns this identifier in its response.

" + "documentation":"

The identifier that Amazon Comprehend Medical generated for the job. The StartPHIDetectionJob operation returns this identifier in its response.

" } } }, @@ -714,7 +714,7 @@ "members":{ "Text":{ "shape":"BoundedLengthString", - "documentation":"

A UTF-8 text string containing the clinical content being examined for entities. Each string must contain fewer than 20,000 bytes of characters.

" + "documentation":"

A UTF-8 text string containing the clinical content being examined for entities.

" } } }, @@ -727,15 +727,15 @@ "members":{ "Entities":{ "shape":"EntityList", - "documentation":"

The collection of medical entities extracted from the input text and their associated information. For each entity, the response provides the entity text, the entity category, where the entity text begins and ends, and the level of confidence that Comprehend Medical; has in the detection and analysis. Attributes and traits of the entity are also returned.

" + "documentation":"

The collection of medical entities extracted from the input text and their associated information. For each entity, the response provides the entity text, the entity category, where the entity text begins and ends, and the level of confidence that Amazon Comprehend Medical has in the detection and analysis. Attributes and traits of the entity are also returned.

" }, "UnmappedAttributes":{ "shape":"UnmappedAttributeList", - "documentation":"

Attributes extracted from the input text that we were unable to relate to an entity.

" + "documentation":"

Attributes extracted from the input text that we were unable to relate to an entity.

" }, "PaginationToken":{ "shape":"String", - "documentation":"

If the result of the previous request to DetectEntities was truncated, include the PaginationToken to fetch the next page of entities.

" + "documentation":"

If the result of the previous request to DetectEntities was truncated, include the PaginationToken to fetch the next page of entities.

" }, "ModelVersion":{ "shape":"String", @@ -749,7 +749,7 @@ "members":{ "Text":{ "shape":"BoundedLengthString", - "documentation":"

A UTF-8 string containing the clinical content being examined for entities. Each string must contain fewer than 20,000 bytes of characters.

" + "documentation":"

A UTF-8 string containing the clinical content being examined for entities.

" } } }, @@ -784,7 +784,7 @@ "members":{ "Text":{ "shape":"BoundedLengthString", - "documentation":"

A UTF-8 text string containing the clinical content being examined for PHI entities. Each string must contain fewer than 20,000 bytes of characters.

" + "documentation":"

A UTF-8 text string containing the clinical content being examined for PHI entities.

" } } }, @@ -797,11 +797,11 @@ "members":{ "Entities":{ "shape":"EntityList", - "documentation":"

The collection of PHI entities extracted from the input text and their associated information. For each entity, the response provides the entity text, the entity category, where the entity text begins and ends, and the level of confidence that Comprehend Medical; has in its detection.

" + "documentation":"

The collection of PHI entities extracted from the input text and their associated information. For each entity, the response provides the entity text, the entity category, where the entity text begins and ends, and the level of confidence that Amazon Comprehend Medical has in its detection.

" }, "PaginationToken":{ "shape":"String", - "documentation":"

If the result of the previous request to DetectPHI was truncated, include the PaginationToken to fetch the next page of PHI entities.

" + "documentation":"

If the result of the previous request to DetectPHI was truncated, include the PaginationToken to fetch the next page of PHI entities.

" }, "ModelVersion":{ "shape":"String", @@ -826,7 +826,7 @@ }, "Score":{ "shape":"Float", - "documentation":"

The level of confidence that Comprehend Medical; has in the accuracy of the detection.

" + "documentation":"

The level of confidence that Amazon Comprehend Medical has in the accuracy of the detection.

" }, "Text":{ "shape":"String", @@ -1080,7 +1080,7 @@ }, "Score":{ "shape":"Float", - "documentation":"

The level of confidence that Comprehend Medical; has that the segment of text is correctly recognized as a trait.

" + "documentation":"

The level of confidence that Amazon Comprehend Medical has that the segment of text is correctly recognized as a trait.

" } }, "documentation":"

Contextual information for the entity. The traits recognized by InferICD10CM are DIAGNOSIS, SIGN, SYMPTOM, and NEGATION.

" @@ -1113,7 +1113,7 @@ "members":{ "Text":{ "shape":"OntologyLinkingBoundedLengthString", - "documentation":"

The input text used for analysis. The input for InferICD10CM is a string from 1 to 10000 characters.

" + "documentation":"

The input text used for analysis.

" } } }, @@ -1141,7 +1141,7 @@ "members":{ "Text":{ "shape":"OntologyLinkingBoundedLengthString", - "documentation":"

The input text used for analysis. The input for InferRxNorm is a string from 1 to 10000 characters.

" + "documentation":"

The input text used for analysis.

" } } }, @@ -1169,7 +1169,7 @@ "members":{ "Text":{ "shape":"OntologyLinkingBoundedLengthString", - "documentation":"

The input text to be analyzed using InferSNOMEDCT. The text should be a string with 1 to 10000 characters.

" + "documentation":"

The input text to be analyzed using InferSNOMEDCT.

" } } }, @@ -1179,7 +1179,7 @@ "members":{ "Entities":{ "shape":"SNOMEDCTEntityList", - "documentation":"

The collection of medical concept entities extracted from the input text and their associated information. For each entity, the response provides the entity text, the entity category, where the entity text begins and ends, and the level of confidence that Comprehend Medical has in the detection and analysis. Attributes and traits of the entity are also returned.

" + "documentation":"

The collection of medical concept entities extracted from the input text and their associated information. For each entity, the response provides the entity text, the entity category, where the entity text begins and ends, and the level of confidence that Amazon Comprehend Medical has in the detection and analysis. Attributes and traits of the entity are also returned.

" }, "PaginationToken":{ "shape":"String", @@ -1205,7 +1205,7 @@ "members":{ "S3Bucket":{ "shape":"S3Bucket", - "documentation":"

The URI of the S3 bucket that contains the input data. The bucket must be in the same region as the API endpoint that you are calling.

Each file in the document collection must be less than 40 KB. You can store a maximum of 30 GB in the bucket.

" + "documentation":"

The URI of the S3 bucket that contains the input data. The bucket must be in the same region as the API endpoint that you are calling.

" }, "S3Key":{ "shape":"S3Key", @@ -1447,7 +1447,7 @@ }, "S3Key":{ "shape":"S3Key", - "documentation":"

The path to the output data files in the S3 bucket. Comprehend Medical; creates an output directory using the job ID so that the output from one job does not overwrite the output of another.

" + "documentation":"

The path to the output data files in the S3 bucket. Amazon Comprehend Medical creates an output directory using the job ID so that the output from one job does not overwrite the output of another.

" } }, "documentation":"

The output properties for a detection job.

" @@ -1496,7 +1496,7 @@ }, "Score":{ "shape":"Float", - "documentation":"

The level of confidence that Comprehend Medical has that the segment of text is correctly recognized as an attribute.

" + "documentation":"

The level of confidence that Amazon Comprehend Medical has that the segment of text is correctly recognized as an attribute.

" }, "RelationshipScore":{ "shape":"Float", @@ -1600,11 +1600,11 @@ }, "Traits":{ "shape":"RxNormTraitList", - "documentation":"

Contextual information for the entity.

" + "documentation":"

Contextual information for the entity.

" }, "RxNormConcepts":{ "shape":"RxNormConceptList", - "documentation":"

The RxNorm concepts that the entity could refer to, along with a score indicating the likelihood of the match.

" + "documentation":"

The RxNorm concepts that the entity could refer to, along with a score indicating the likelihood of the match.

" } }, "documentation":"

The collection of medical entities extracted from the input text and their associated information. For each entity, the response provides the entity text, the entity category, where the entity text begins and ends, and the level of confidence that Amazon Comprehend Medical has in the detection and analysis. Attributes and traits of the entity are also returned.

" @@ -1673,11 +1673,11 @@ }, "Score":{ "shape":"Float", - "documentation":"

The level of confidence that Comprehend Medical has that the segment of text is correctly recognized as an attribute.

" + "documentation":"

The level of confidence that Amazon Comprehend Medical has that the segment of text is correctly recognized as an attribute.

" }, "RelationshipScore":{ "shape":"Float", - "documentation":"

The level of confidence that Comprehend Medical has that this attribute is correctly related to this entity.

" + "documentation":"

The level of confidence that Amazon Comprehend Medical has that this attribute is correctly related to this entity.

" }, "RelationshipType":{ "shape":"SNOMEDCTRelationshipType", @@ -1738,7 +1738,7 @@ }, "Score":{ "shape":"Float", - "documentation":"

The level of confidence Comprehend Medical has that the entity should be linked to the identified SNOMED-CT concept.

" + "documentation":"

The level of confidence Amazon Comprehend Medical has that the entity should be linked to the identified SNOMED-CT concept.

" } }, "documentation":"

The SNOMED-CT concepts that the entity could refer to, along with a score indicating the likelihood of the match.

" @@ -1786,7 +1786,7 @@ }, "Score":{ "shape":"Float", - "documentation":"

The level of confidence that Comprehend Medical has in the accuracy of the detected entity.

" + "documentation":"

The level of confidence that Amazon Comprehend Medical has in the accuracy of the detected entity.

" }, "BeginOffset":{ "shape":"Integer", @@ -1809,7 +1809,7 @@ "documentation":"

The SNOMED concepts that the entity could refer to, along with a score indicating the likelihood of the match.

" } }, - "documentation":"

The collection of medical entities extracted from the input text and their associated information. For each entity, the response provides the entity text, the entity category, where the entity text begins and ends, and the level of confidence that Comprehend Medical has in the detection and analysis. Attributes and traits of the entity are also returned.

" + "documentation":"

The collection of medical entities extracted from the input text and their associated information. For each entity, the response provides the entity text, the entity category, where the entity text begins and ends, and the level of confidence that Amazon Comprehend Medical has in the detection and analysis. Attributes and traits of the entity are also returned.

" }, "SNOMEDCTEntityCategory":{ "type":"string", @@ -1853,7 +1853,7 @@ }, "Score":{ "shape":"Float", - "documentation":"

The level of confidence that Comprehend Medical has in the accuracy of a detected trait.

" + "documentation":"

The level of confidence that Amazon Comprehend Medical has in the accuracy of a detected trait.

" } }, "documentation":"

Contextual information for an entity.

" @@ -1881,7 +1881,7 @@ "members":{ "Message":{"shape":"String"} }, - "documentation":"

The Comprehend Medical; service is temporarily unavailable. Please wait and then retry your request.

", + "documentation":"

The Amazon Comprehend Medical service is temporarily unavailable. Please wait and then retry your request.

", "exception":true }, "StartEntitiesDetectionV2JobRequest":{ @@ -1903,7 +1903,7 @@ }, "DataAccessRoleArn":{ "shape":"IamRoleArn", - "documentation":"

The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that grants Comprehend Medical; read access to your input data. For more information, see Role-Based Permissions Required for Asynchronous Operations.

" + "documentation":"

The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that grants Amazon Comprehend Medical read access to your input data. For more information, see Role-Based Permissions Required for Asynchronous Operations.

" }, "JobName":{ "shape":"JobName", @@ -1911,7 +1911,7 @@ }, "ClientRequestToken":{ "shape":"ClientRequestTokenString", - "documentation":"

A unique identifier for the request. If you don't set the client request token, Comprehend Medical; generates one for you.

", + "documentation":"

A unique identifier for the request. If you don't set the client request token, Amazon Comprehend Medical generates one for you.

", "idempotencyToken":true }, "KMSKey":{ @@ -1920,7 +1920,7 @@ }, "LanguageCode":{ "shape":"LanguageCode", - "documentation":"

The language of the input documents. All documents must be in the same language. Comprehend Medical; processes files in US English (en).

" + "documentation":"

The language of the input documents. All documents must be in the same language. Amazon Comprehend Medical processes files in US English (en).

" } } }, @@ -1952,7 +1952,7 @@ }, "DataAccessRoleArn":{ "shape":"IamRoleArn", - "documentation":"

The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that grants Comprehend Medical; read access to your input data. For more information, see Role-Based Permissions Required for Asynchronous Operations.

" + "documentation":"

The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that grants Amazon Comprehend Medical read access to your input data. For more information, see Role-Based Permissions Required for Asynchronous Operations.

" }, "JobName":{ "shape":"JobName", @@ -1960,7 +1960,7 @@ }, "ClientRequestToken":{ "shape":"ClientRequestTokenString", - "documentation":"

A unique identifier for the request. If you don't set the client request token, Comprehend Medical; generates one.

", + "documentation":"

A unique identifier for the request. If you don't set the client request token, Amazon Comprehend Medical generates one.

", "idempotencyToken":true }, "KMSKey":{ @@ -2001,7 +2001,7 @@ }, "DataAccessRoleArn":{ "shape":"IamRoleArn", - "documentation":"

The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that grants Comprehend Medical; read access to your input data. For more information, see Role-Based Permissions Required for Asynchronous Operations.

" + "documentation":"

The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that grants Amazon Comprehend Medical read access to your input data. For more information, see Role-Based Permissions Required for Asynchronous Operations.

" }, "JobName":{ "shape":"JobName", @@ -2009,7 +2009,7 @@ }, "ClientRequestToken":{ "shape":"ClientRequestTokenString", - "documentation":"

A unique identifier for the request. If you don't set the client request token, Comprehend Medical; generates one.

", + "documentation":"

A unique identifier for the request. If you don't set the client request token, Amazon Comprehend Medical generates one.

", "idempotencyToken":true }, "KMSKey":{ @@ -2050,7 +2050,7 @@ }, "DataAccessRoleArn":{ "shape":"IamRoleArn", - "documentation":"

The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that grants Comprehend Medical; read access to your input data. For more information, see Role-Based Permissions Required for Asynchronous Operations.

" + "documentation":"

The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that grants Amazon Comprehend Medical read access to your input data. For more information, see Role-Based Permissions Required for Asynchronous Operations.

" }, "JobName":{ "shape":"JobName", @@ -2058,7 +2058,7 @@ }, "ClientRequestToken":{ "shape":"ClientRequestTokenString", - "documentation":"

A unique identifier for the request. If you don't set the client request token, Comprehend Medical; generates one.

", + "documentation":"

A unique identifier for the request. If you don't set the client request token, Amazon Comprehend Medical generates one.

", "idempotencyToken":true }, "KMSKey":{ @@ -2248,7 +2248,7 @@ }, "Score":{ "shape":"Float", - "documentation":"

The level of confidence that Comprehend Medical; has in the accuracy of this trait.

" + "documentation":"

The level of confidence that Amazon Comprehend Medical has in the accuracy of this trait.

" } }, "documentation":"

Provides contextual information about the extracted entity.

" @@ -2269,7 +2269,7 @@ "documentation":"

The specific attribute that has been extracted but not mapped to an entity.

" } }, - "documentation":"

An attribute that was extracted, but Comprehend Medical; was unable to relate to an entity.

" + "documentation":"

An attribute that was extracted, but Amazon Comprehend Medical was unable to relate to an entity.

" }, "UnmappedAttributeList":{ "type":"list", @@ -2284,5 +2284,5 @@ "exception":true } }, - "documentation":"

Comprehend Medical; extracts structured information from unstructured clinical text. Use these actions to gain insight in your documents.

" + "documentation":"

Amazon Comprehend Medical extracts structured information from unstructured clinical text. Use these actions to gain insight in your documents. Amazon Comprehend Medical only detects entities in English language texts. Amazon Comprehend Medical places limits on the sizes of files allowed for different API operations. To learn more, see Guidelines and quotas in the Amazon Comprehend Medical Developer Guide.

" } diff --git a/botocore/data/connect/2017-08-08/service-2.json b/botocore/data/connect/2017-08-08/service-2.json index effb497b05..37cc6a6c04 100644 --- a/botocore/data/connect/2017-08-08/service-2.json +++ b/botocore/data/connect/2017-08-08/service-2.json @@ -408,7 +408,7 @@ {"shape":"ThrottlingException"}, {"shape":"InternalServiceException"} ], - "documentation":"

This API is in preview release for Amazon Connect and is subject to change.

Creates a new queue for the specified Amazon Connect instance.

If the number being used in the input is claimed to a traffic distribution group, and you are calling this API using an instance in the Amazon Web Services Region where the traffic distribution group was created, you can use either a full phone number ARN or UUID value for the OutboundCallerIdNumberId value of the OutboundCallerConfig request body parameter. However, if the number is claimed to a traffic distribution group and you are calling this API using an instance in the alternate Amazon Web Services Region associated with the traffic distribution group, you must provide a full phone number ARN. If a UUID is provided in this scenario, you will receive a ResourceNotFoundException.

" + "documentation":"

This API is in preview release for Amazon Connect and is subject to change.

Creates a new queue for the specified Amazon Connect instance.

If the number being used in the input is claimed to a traffic distribution group, and you are calling this API using an instance in the Amazon Web Services Region where the traffic distribution group was created, you can use either a full phone number ARN or UUID value for the OutboundCallerIdNumberId value of the OutboundCallerConfig request body parameter. However, if the number is claimed to a traffic distribution group and you are calling this API using an instance in the alternate Amazon Web Services Region associated with the traffic distribution group, you must provide a full phone number ARN. If a UUID is provided in this scenario, you will receive a ResourceNotFoundException.

Only use the phone number ARN format that doesn't contain instance in the path, for example, arn:aws:connect:us-east-1:1234567890:phone-number/uuid. This is the same ARN format that is returned when you call the ListPhoneNumbersV2 API.

" }, "CreateQuickConnect":{ "name":"CreateQuickConnect", @@ -2321,7 +2321,7 @@ {"shape":"ThrottlingException"}, {"shape":"InternalServiceException"} ], - "documentation":"

This API is in preview release for Amazon Connect and is subject to change.

Searches queues in an Amazon Connect instance, with optional filtering.

" + "documentation":"

Searches queues in an Amazon Connect instance, with optional filtering.

" }, "SearchQuickConnects":{ "name":"SearchQuickConnects", @@ -2373,7 +2373,7 @@ {"shape":"ThrottlingException"}, {"shape":"InternalServiceException"} ], - "documentation":"

This API is in preview release for Amazon Connect and is subject to change.

Searches routing profiles in an Amazon Connect instance, with optional filtering.

" + "documentation":"

Searches routing profiles in an Amazon Connect instance, with optional filtering.

" }, "SearchSecurityProfiles":{ "name":"SearchSecurityProfiles", @@ -2390,7 +2390,7 @@ {"shape":"ThrottlingException"}, {"shape":"InternalServiceException"} ], - "documentation":"

This API is in preview release for Amazon Connect and is subject to change.

Searches security profiles in an Amazon Connect instance, with optional filtering.

" + "documentation":"

Searches security profiles in an Amazon Connect instance, with optional filtering.

" }, "SearchUsers":{ "name":"SearchUsers", @@ -3024,7 +3024,7 @@ {"shape":"ThrottlingException"}, {"shape":"InternalServiceException"} ], - "documentation":"

This API is in preview release for Amazon Connect and is subject to change.

Updates the outbound caller ID name, number, and outbound whisper flow for a specified queue.

If the number being used in the input is claimed to a traffic distribution group, and you are calling this API using an instance in the Amazon Web Services Region where the traffic distribution group was created, you can use either a full phone number ARN or UUID value for the OutboundCallerIdNumberId value of the OutboundCallerConfig request body parameter. However, if the number is claimed to a traffic distribution group and you are calling this API using an instance in the alternate Amazon Web Services Region associated with the traffic distribution group, you must provide a full phone number ARN. If a UUID is provided in this scenario, you will receive a ResourceNotFoundException.

" + "documentation":"

This API is in preview release for Amazon Connect and is subject to change.

Updates the outbound caller ID name, number, and outbound whisper flow for a specified queue.

If the number being used in the input is claimed to a traffic distribution group, and you are calling this API using an instance in the Amazon Web Services Region where the traffic distribution group was created, you can use either a full phone number ARN or UUID value for the OutboundCallerIdNumberId value of the OutboundCallerConfig request body parameter. However, if the number is claimed to a traffic distribution group and you are calling this API using an instance in the alternate Amazon Web Services Region associated with the traffic distribution group, you must provide a full phone number ARN. If a UUID is provided in this scenario, you will receive a ResourceNotFoundException.

Only use the phone number ARN format that doesn't contain instance in the path, for example, arn:aws:connect:us-east-1:1234567890:phone-number/uuid. This is the same ARN format that is returned when you call the ListPhoneNumbersV2 API.

" }, "UpdateQueueStatus":{ "name":"UpdateQueueStatus", @@ -8405,7 +8405,7 @@ }, "Filters":{ "shape":"FiltersV2List", - "documentation":"

The filters to apply to returned metrics. You can filter on the following resources:

At least one filter must be passed from queues, routing profiles, agents, or user hierarchy groups.

To filter by phone number, see Create a historical metrics report in the Amazon Connect Administrator's Guide.

Note the following limits:

" + "documentation":"

The filters to apply to returned metrics. You can filter on the following resources:

At least one filter must be passed from queues, routing profiles, agents, or user hierarchy groups.

To filter by phone number, see Create a historical metrics report in the Amazon Connect Administrator's Guide.

Note the following limits:

" }, "Groupings":{ "shape":"GroupingsV2", diff --git a/botocore/data/kms/2014-11-01/service-2.json b/botocore/data/kms/2014-11-01/service-2.json index c096e0a6e7..215a358afd 100644 --- a/botocore/data/kms/2014-11-01/service-2.json +++ b/botocore/data/kms/2014-11-01/service-2.json @@ -110,7 +110,8 @@ {"shape":"KMSInternalException"}, {"shape":"InvalidGrantTokenException"}, {"shape":"LimitExceededException"}, - {"shape":"KMSInvalidStateException"} + {"shape":"KMSInvalidStateException"}, + {"shape":"DryRunOperationException"} ], "documentation":"

Adds a grant to a KMS key.

A grant is a policy instrument that allows Amazon Web Services principals to use KMS keys in cryptographic operations. It also can allow them to view a KMS key (DescribeKey) and create and manage grants. When authorizing access to a KMS key, grants are considered along with key policies and IAM policies. Grants are often used for temporary permissions because you can create one, use its permissions, and delete it without changing your key policies or IAM policies.

For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide . For examples of working with grants in several programming languages, see Programming grants.

The CreateGrant operation returns a GrantToken and a GrantId.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key ARN in the value of the KeyId parameter.

Required permissions: kms:CreateGrant (key policy)

Related operations:

" }, @@ -157,7 +158,8 @@ {"shape":"DependencyTimeoutException"}, {"shape":"InvalidGrantTokenException"}, {"shape":"KMSInternalException"}, - {"shape":"KMSInvalidStateException"} + {"shape":"KMSInvalidStateException"}, + {"shape":"DryRunOperationException"} ], "documentation":"

Decrypts ciphertext that was encrypted by a KMS key using any of the following operations:

You can use this operation to decrypt ciphertext that was encrypted under a symmetric encryption KMS key or an asymmetric encryption KMS key. When the KMS key is asymmetric, you must specify the KMS key and the encryption algorithm that was used to encrypt the ciphertext. For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.

The Decrypt operation also decrypts ciphertext that was encrypted outside of KMS by the public key in an KMS asymmetric KMS key. However, it cannot decrypt symmetric ciphertext produced by other libraries, such as the Amazon Web Services Encryption SDK or Amazon S3 client-side encryption. These libraries return a ciphertext format that is incompatible with KMS.

If the ciphertext was encrypted under a symmetric encryption KMS key, the KeyId parameter is optional. KMS can get this information from metadata that it adds to the symmetric ciphertext blob. This feature adds durability to your implementation by ensuring that authorized users can decrypt ciphertext decades after it was encrypted, even if they've lost track of the key ID. However, specifying the KMS key is always recommended as a best practice. When you use the KeyId parameter to specify a KMS key, KMS only uses the KMS key you specify. If the ciphertext was encrypted under a different KMS key, the Decrypt operation fails. This practice ensures that you use the KMS key that you intend.

Whenever possible, use key policies to give users permission to call the Decrypt operation on a particular KMS key, instead of using &IAM; policies. Otherwise, you might create an &IAM; policy that gives the user Decrypt permission on all KMS keys. This user could decrypt ciphertext that was encrypted by KMS keys in other accounts if the key policy for the cross-account KMS key permits it. If you must use an IAM policy for Decrypt permissions, limit the user to particular KMS keys or particular trusted accounts. For details, see Best practices for IAM policies in the Key Management Service Developer Guide.

Decrypt also supports Amazon Web Services Nitro Enclaves, which provide an isolated compute environment in Amazon EC2. To call Decrypt for a Nitro enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient parameter to provide the attestation document for the enclave. Instead of the plaintext data, the response includes the plaintext data encrypted with the public key from the attestation document (CiphertextForRecipient).For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. If you use the KeyId parameter to identify a KMS key in a different Amazon Web Services account, specify the key ARN or the alias ARN of the KMS key.

Required permissions: kms:Decrypt (key policy)

Related operations:

" }, @@ -340,7 +342,8 @@ {"shape":"InvalidKeyUsageException"}, {"shape":"InvalidGrantTokenException"}, {"shape":"KMSInternalException"}, - {"shape":"KMSInvalidStateException"} + {"shape":"KMSInvalidStateException"}, + {"shape":"DryRunOperationException"} ], "documentation":"

Encrypts plaintext of up to 4,096 bytes using a KMS key. You can use a symmetric or asymmetric KMS key with a KeyUsage of ENCRYPT_DECRYPT.

You can use this operation to encrypt small amounts of arbitrary data, such as a personal identifier or database password, or other sensitive information. You don't need to use the Encrypt operation to encrypt a data key. The GenerateDataKey and GenerateDataKeyPair operations return a plaintext data key and an encrypted copy of that data key.

If you use a symmetric encryption KMS key, you can use an encryption context to add additional security to your encryption operation. If you specify an EncryptionContext when encrypting data, you must specify the same encryption context (a case-sensitive exact match) when decrypting the data. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the Key Management Service Developer Guide.

If you specify an asymmetric KMS key, you must also specify the encryption algorithm. The algorithm must be compatible with the KMS key spec.

When you use an asymmetric KMS key to encrypt or reencrypt data, be sure to record the KMS key and encryption algorithm that you choose. You will be required to provide the same KMS key and encryption algorithm when you decrypt the data. If the KMS key and algorithm do not match the values used to encrypt the data, the decrypt operation fails.

You are not required to supply the key ID and encryption algorithm when you decrypt with symmetric encryption KMS keys because KMS stores this information in the ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric keys. The standard format for asymmetric key ciphertext does not include configurable fields.

The maximum size of the data that you can encrypt varies with the type of KMS key and the encryption algorithm that you choose.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:Encrypt (key policy)

Related operations:

" }, @@ -360,7 +363,8 @@ {"shape":"InvalidKeyUsageException"}, {"shape":"InvalidGrantTokenException"}, {"shape":"KMSInternalException"}, - {"shape":"KMSInvalidStateException"} + {"shape":"KMSInvalidStateException"}, + {"shape":"DryRunOperationException"} ], "documentation":"

Returns a unique symmetric data key for use outside of KMS. This operation returns a plaintext copy of the data key and a copy that is encrypted under a symmetric encryption KMS key that you specify. The bytes in the plaintext key are random; they are not related to the caller or the KMS key. You can use the plaintext key to encrypt your data outside of KMS and store the encrypted data key with the encrypted data.

To generate a data key, specify the symmetric encryption KMS key that will be used to encrypt the data key. You cannot use an asymmetric KMS key to encrypt data keys. To get the type of your KMS key, use the DescribeKey operation.

You must also specify the length of the data key. Use either the KeySpec or NumberOfBytes parameters (but not both). For 128-bit and 256-bit data keys, use the KeySpec parameter.

To generate a 128-bit SM4 data key (China Regions only), specify a KeySpec value of AES_128 or a NumberOfBytes value of 16. The symmetric encryption key used in China Regions to encrypt your data key is an SM4 encryption key.

To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operation. To get a cryptographically secure random byte string, use GenerateRandom.

You can use an optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the Key Management Service Developer Guide.

GenerateDataKey also supports Amazon Web Services Nitro Enclaves, which provide an isolated compute environment in Amazon EC2. To call GenerateDataKey for an Amazon Web Services Nitro enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient parameter to provide the attestation document for the enclave. GenerateDataKey returns a copy of the data key encrypted under the specified KMS key, as usual. But instead of a plaintext copy of the data key, the response includes a copy of the data key encrypted under the public key from the attestation document (CiphertextForRecipient). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

How to use your data key

We recommend that you use the following pattern to encrypt data locally in your application. You can write your own code or use a client-side encryption library, such as the Amazon Web Services Encryption SDK, the Amazon DynamoDB Encryption Client, or Amazon S3 client-side encryption to do these tasks for you.

To encrypt data outside of KMS:

  1. Use the GenerateDataKey operation to get a data key.

  2. Use the plaintext data key (in the Plaintext field of the response) to encrypt your data outside of KMS. Then erase the plaintext data key from memory.

  3. Store the encrypted data key (in the CiphertextBlob field of the response) with the encrypted data.

To decrypt data outside of KMS:

  1. Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the data key.

  2. Use the plaintext data key to decrypt data outside of KMS, then erase the plaintext data key from memory.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:GenerateDataKey (key policy)

Related operations:

" }, @@ -381,7 +385,8 @@ {"shape":"InvalidGrantTokenException"}, {"shape":"KMSInternalException"}, {"shape":"KMSInvalidStateException"}, - {"shape":"UnsupportedOperationException"} + {"shape":"UnsupportedOperationException"}, + {"shape":"DryRunOperationException"} ], "documentation":"

Returns a unique asymmetric data key pair for use outside of KMS. This operation returns a plaintext public key, a plaintext private key, and a copy of the private key that is encrypted under the symmetric encryption KMS key you specify. You can use the data key pair to perform asymmetric cryptography and implement digital signatures outside of KMS. The bytes in the keys are random; they not related to the caller or to the KMS key that is used to encrypt the private key.

You can use the public key that GenerateDataKeyPair returns to encrypt data or verify a signature outside of KMS. Then, store the encrypted private key with the data. When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.

To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key store. To get the type and origin of your KMS key, use the DescribeKey operation.

Use the KeyPairSpec parameter to choose an RSA or Elliptic Curve (ECC) data key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that you use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or signing, but not both. However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.

If you are using the data key pair to encrypt data, or for any operation where you don't immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext operation. GenerateDataKeyPairWithoutPlaintext returns a plaintext public key and an encrypted private key, but omits the plaintext private key that you need only to decrypt ciphertext or sign a message. Later, when you need to decrypt the data or sign a message, use the Decrypt operation to decrypt the encrypted private key in the data key pair.

GenerateDataKeyPair returns a unique data key pair for each request. The bytes in the keys are random; they are not related to the caller or the KMS key that is used to encrypt the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in RFC 5280. The private key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in RFC 5958.

GenerateDataKeyPair also supports Amazon Web Services Nitro Enclaves, which provide an isolated compute environment in Amazon EC2. To call GenerateDataKeyPair for an Amazon Web Services Nitro enclave, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK. Use the Recipient parameter to provide the attestation document for the enclave. GenerateDataKeyPair returns the public data key and a copy of the private data key encrypted under the specified KMS key, as usual. But instead of a plaintext copy of the private data key (PrivateKeyPlaintext), the response includes a copy of the private data key encrypted under the public key from the attestation document (CiphertextForRecipient). For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide..

You can use an optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the Key Management Service Developer Guide.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:GenerateDataKeyPair (key policy)

Related operations:

" }, @@ -402,7 +407,8 @@ {"shape":"InvalidGrantTokenException"}, {"shape":"KMSInternalException"}, {"shape":"KMSInvalidStateException"}, - {"shape":"UnsupportedOperationException"} + {"shape":"UnsupportedOperationException"}, + {"shape":"DryRunOperationException"} ], "documentation":"

Returns a unique asymmetric data key pair for use outside of KMS. This operation returns a plaintext public key and a copy of the private key that is encrypted under the symmetric encryption KMS key you specify. Unlike GenerateDataKeyPair, this operation does not return a plaintext private key. The bytes in the keys are random; they are not related to the caller or to the KMS key that is used to encrypt the private key.

You can use the public key that GenerateDataKeyPairWithoutPlaintext returns to encrypt data or verify a signature outside of KMS. Then, store the encrypted private key with the data. When you are ready to decrypt data or sign a message, you can use the Decrypt operation to decrypt the encrypted private key.

To generate a data key pair, you must specify a symmetric encryption KMS key to encrypt the private key in a data key pair. You cannot use an asymmetric KMS key or a KMS key in a custom key store. To get the type and origin of your KMS key, use the DescribeKey operation.

Use the KeyPairSpec parameter to choose an RSA or Elliptic Curve (ECC) data key pair. In China Regions, you can also choose an SM2 data key pair. KMS recommends that you use ECC key pairs for signing, and use RSA and SM2 key pairs for either encryption or signing, but not both. However, KMS cannot enforce any restrictions on the use of data key pairs outside of KMS.

GenerateDataKeyPairWithoutPlaintext returns a unique data key pair for each request. The bytes in the key are not related to the caller or KMS key that is used to encrypt the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, as specified in RFC 5280.

You can use an optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the Key Management Service Developer Guide.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:GenerateDataKeyPairWithoutPlaintext (key policy)

Related operations:

" }, @@ -422,7 +428,8 @@ {"shape":"InvalidKeyUsageException"}, {"shape":"InvalidGrantTokenException"}, {"shape":"KMSInternalException"}, - {"shape":"KMSInvalidStateException"} + {"shape":"KMSInvalidStateException"}, + {"shape":"DryRunOperationException"} ], "documentation":"

Returns a unique symmetric data key for use outside of KMS. This operation returns a data key that is encrypted under a symmetric encryption KMS key that you specify. The bytes in the key are random; they are not related to the caller or to the KMS key.

GenerateDataKeyWithoutPlaintext is identical to the GenerateDataKey operation except that it does not return a plaintext copy of the data key.

This operation is useful for systems that need to encrypt data at some point, but not immediately. When you need to encrypt the data, you call the Decrypt operation on the encrypted copy of the key.

It's also useful in distributed systems with different levels of trust. For example, you might store encrypted data in containers. One component of your system creates new containers and stores an encrypted data key with each container. Then, a different component puts the data into the containers. That component first decrypts the data key, uses the plaintext data key to encrypt data, puts the encrypted data into the container, and then destroys the plaintext data key. In this system, the component that creates the containers never sees the plaintext data key.

To request an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext operations.

To generate a data key, you must specify the symmetric encryption KMS key that is used to encrypt the data key. You cannot use an asymmetric KMS key or a key in a custom key store to generate a data key. To get the type of your KMS key, use the DescribeKey operation.

You must also specify the length of the data key. Use either the KeySpec or NumberOfBytes parameters (but not both). For 128-bit and 256-bit data keys, use the KeySpec parameter.

To generate an SM4 data key (China Regions only), specify a KeySpec value of AES_128 or NumberOfBytes value of 16. The symmetric encryption key used in China Regions to encrypt your data key is an SM4 encryption key.

If the operation succeeds, you will find the encrypted copy of the data key in the CiphertextBlob field.

You can use an optional encryption context to add additional security to the encryption operation. If you specify an EncryptionContext, you must specify the same encryption context (a case-sensitive exact match) when decrypting the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. For more information, see Encryption Context in the Key Management Service Developer Guide.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:GenerateDataKeyWithoutPlaintext (key policy)

Related operations:

" }, @@ -441,7 +448,8 @@ {"shape":"InvalidKeyUsageException"}, {"shape":"InvalidGrantTokenException"}, {"shape":"KMSInternalException"}, - {"shape":"KMSInvalidStateException"} + {"shape":"KMSInvalidStateException"}, + {"shape":"DryRunOperationException"} ], "documentation":"

Generates a hash-based message authentication code (HMAC) for a message using an HMAC KMS key and a MAC algorithm that the key supports. HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined in RFC 2104.

You can use value that GenerateMac returns in the VerifyMac operation to demonstrate that the original message has not changed. Also, because a secret key is used to create the hash, you can verify that the party that generated the hash has the required secret key. You can also use the raw result to implement HMAC-based algorithms such as key derivation functions. This operation is part of KMS support for HMAC KMS keys. For details, see HMAC keys in KMS in the Key Management Service Developer Guide .

Best practices recommend that you limit the time during which any signing mechanism, including an HMAC, is effective. This deters an attack where the actor uses a signed message to establish validity repeatedly or long after the message is superseded. HMAC tags do not include a timestamp, but you can include a timestamp in the token or message to help you detect when its time to refresh the HMAC.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:GenerateMac (key policy)

Related operations: VerifyMac

" }, @@ -697,7 +705,8 @@ {"shape":"InvalidKeyUsageException"}, {"shape":"InvalidGrantTokenException"}, {"shape":"KMSInternalException"}, - {"shape":"KMSInvalidStateException"} + {"shape":"KMSInvalidStateException"}, + {"shape":"DryRunOperationException"} ], "documentation":"

Decrypts ciphertext and then reencrypts it entirely within KMS. You can use this operation to change the KMS key under which data is encrypted, such as when you manually rotate a KMS key or change the KMS key that protects a ciphertext. You can also use it to reencrypt ciphertext under the same KMS key, such as to change the encryption context of a ciphertext.

The ReEncrypt operation can decrypt ciphertext that was encrypted by using a KMS key in an KMS operation, such as Encrypt or GenerateDataKey. It can also decrypt ciphertext that was encrypted by using the public key of an asymmetric KMS key outside of KMS. However, it cannot decrypt ciphertext produced by other libraries, such as the Amazon Web Services Encryption SDK or Amazon S3 client-side encryption. These libraries return a ciphertext format that is incompatible with KMS.

When you use the ReEncrypt operation, you need to provide information for the decrypt operation and the subsequent encrypt operation.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. The source KMS key and destination KMS key can be in different Amazon Web Services accounts. Either or both KMS keys can be in a different account than the caller. To specify a KMS key in a different account, you must use its key ARN or alias ARN.

Required permissions:

To permit reencryption from or to a KMS key, include the \"kms:ReEncrypt*\" permission in your key policy. This permission is automatically included in the key policy when you use the console to create a KMS key. But you must include it manually when you create a KMS key programmatically or when you use the PutKeyPolicy operation to set a key policy.

Related operations:

" }, @@ -737,7 +746,8 @@ {"shape":"NotFoundException"}, {"shape":"DependencyTimeoutException"}, {"shape":"KMSInternalException"}, - {"shape":"KMSInvalidStateException"} + {"shape":"KMSInvalidStateException"}, + {"shape":"DryRunOperationException"} ], "documentation":"

Deletes a grant. Typically, you retire a grant when you no longer need its permissions. To identify the grant to retire, use a grant token, or both the grant ID and a key identifier (key ID or key ARN) of the KMS key. The CreateGrant operation returns both values.

This operation can be called by the retiring principal for a grant, by the grantee principal if the grant allows the RetireGrant operation, and by the Amazon Web Services account in which the grant is created. It can also be called by principals to whom permission for retiring a grant is delegated. For details, see Retiring and revoking grants in the Key Management Service Developer Guide.

For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide . For examples of working with grants in several programming languages, see Programming grants.

Cross-account use: Yes. You can retire a grant on a KMS key in a different Amazon Web Services account.

Required permissions::Permission to retire a grant is determined primarily by the grant. For details, see Retiring and revoking grants in the Key Management Service Developer Guide.

Related operations:

" }, @@ -754,7 +764,8 @@ {"shape":"InvalidArnException"}, {"shape":"InvalidGrantIdException"}, {"shape":"KMSInternalException"}, - {"shape":"KMSInvalidStateException"} + {"shape":"KMSInvalidStateException"}, + {"shape":"DryRunOperationException"} ], "documentation":"

Deletes the specified grant. You revoke a grant to terminate the permissions that the grant allows. For more information, see Retiring and revoking grants in the Key Management Service Developer Guide .

When you create, retire, or revoke a grant, there might be a brief delay, usually less than five minutes, until the grant is available throughout KMS. This state is known as eventual consistency. For details, see Eventual consistency in the Key Management Service Developer Guide .

For detailed information about grants, including grant terminology, see Grants in KMS in the Key Management Service Developer Guide . For examples of working with grants in several programming languages, see Programming grants.

Cross-account use: Yes. To perform this operation on a KMS key in a different Amazon Web Services account, specify the key ARN in the value of the KeyId parameter.

Required permissions: kms:RevokeGrant (key policy).

Related operations:

" }, @@ -773,7 +784,7 @@ {"shape":"KMSInternalException"}, {"shape":"KMSInvalidStateException"} ], - "documentation":"

Schedules the deletion of a KMS key. By default, KMS applies a waiting period of 30 days, but you can specify a waiting period of 7-30 days. When this operation is successful, the key state of the KMS key changes to PendingDeletion and the key can't be used in any cryptographic operations. It remains in this state for the duration of the waiting period. Before the waiting period ends, you can use CancelKeyDeletion to cancel the deletion of the KMS key. After the waiting period ends, KMS deletes the KMS key, its key material, and all KMS data associated with it, including all aliases that refer to it.

Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable. (The only exception is a multi-Region replica key, or an asymmetric or HMAC KMS key with imported key material[BUGBUG-link to importing-keys-managing.html#import-delete-key.) To prevent the use of a KMS key without deleting it, use DisableKey.

You can schedule the deletion of a multi-Region primary key and its replica keys at any time. However, KMS will not delete a multi-Region primary key with existing replica keys. If you schedule the deletion of a primary key with replicas, its key state changes to PendingReplicaDeletion and it cannot be replicated or used in cryptographic operations. This status can continue indefinitely. When the last of its replicas keys is deleted (not just scheduled), the key state of the primary key changes to PendingDeletion and its waiting period (PendingWindowInDays) begins. For details, see Deleting multi-Region keys in the Key Management Service Developer Guide.

When KMS deletes a KMS key from an CloudHSM key store, it makes a best effort to delete the associated key material from the associated CloudHSM cluster. However, you might need to manually delete the orphaned key material from the cluster and its backups. Deleting a KMS key from an external key store has no effect on the associated external key. However, for both types of custom key stores, deleting a KMS key is destructive and irreversible. You cannot decrypt ciphertext encrypted under the KMS key by using only its associated external key or CloudHSM key. Also, you cannot recreate a KMS key in an external key store by creating a new KMS key with the same key material.

For more information about scheduling a KMS key for deletion, see Deleting KMS keys in the Key Management Service Developer Guide.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:ScheduleKeyDeletion (key policy)

Related operations

" + "documentation":"

Schedules the deletion of a KMS key. By default, KMS applies a waiting period of 30 days, but you can specify a waiting period of 7-30 days. When this operation is successful, the key state of the KMS key changes to PendingDeletion and the key can't be used in any cryptographic operations. It remains in this state for the duration of the waiting period. Before the waiting period ends, you can use CancelKeyDeletion to cancel the deletion of the KMS key. After the waiting period ends, KMS deletes the KMS key, its key material, and all KMS data associated with it, including all aliases that refer to it.

Deleting a KMS key is a destructive and potentially dangerous operation. When a KMS key is deleted, all data that was encrypted under the KMS key is unrecoverable. (The only exception is a multi-Region replica key, or an asymmetric or HMAC KMS key with imported key material.) To prevent the use of a KMS key without deleting it, use DisableKey.

You can schedule the deletion of a multi-Region primary key and its replica keys at any time. However, KMS will not delete a multi-Region primary key with existing replica keys. If you schedule the deletion of a primary key with replicas, its key state changes to PendingReplicaDeletion and it cannot be replicated or used in cryptographic operations. This status can continue indefinitely. When the last of its replicas keys is deleted (not just scheduled), the key state of the primary key changes to PendingDeletion and its waiting period (PendingWindowInDays) begins. For details, see Deleting multi-Region keys in the Key Management Service Developer Guide.

When KMS deletes a KMS key from an CloudHSM key store, it makes a best effort to delete the associated key material from the associated CloudHSM cluster. However, you might need to manually delete the orphaned key material from the cluster and its backups. Deleting a KMS key from an external key store has no effect on the associated external key. However, for both types of custom key stores, deleting a KMS key is destructive and irreversible. You cannot decrypt ciphertext encrypted under the KMS key by using only its associated external key or CloudHSM key. Also, you cannot recreate a KMS key in an external key store by creating a new KMS key with the same key material.

For more information about scheduling a KMS key for deletion, see Deleting KMS keys in the Key Management Service Developer Guide.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.

Required permissions: kms:ScheduleKeyDeletion (key policy)

Related operations

" }, "Sign":{ "name":"Sign", @@ -791,7 +802,8 @@ {"shape":"InvalidKeyUsageException"}, {"shape":"InvalidGrantTokenException"}, {"shape":"KMSInternalException"}, - {"shape":"KMSInvalidStateException"} + {"shape":"KMSInvalidStateException"}, + {"shape":"DryRunOperationException"} ], "documentation":"

Creates a digital signature for a message or message digest by using the private key in an asymmetric signing KMS key. To verify the signature, use the Verify operation, or use the public key in the same asymmetric KMS key outside of KMS. For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.

Digital signatures are generated and verified by using asymmetric key pair, such as an RSA or ECC pair that is represented by an asymmetric KMS key. The key owner (or an authorized user) uses their private key to sign a message. Anyone with the public key can verify that the message was signed with that particular private key and that the message hasn't changed since it was signed.

To use the Sign operation, provide the following information:

When signing a message, be sure to record the KMS key and the signing algorithm. This information is required to verify the signature.

Best practices recommend that you limit the time during which any signature is effective. This deters an attack where the actor uses a signed message to establish validity repeatedly or long after the message is superseded. Signatures do not include a timestamp, but you can include a timestamp in the signed message to help you detect when its time to refresh the signature.

To verify the signature that this operation generates, use the Verify operation. Or use the GetPublicKey operation to download the public key and then use the public key to verify the signature outside of KMS.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:Sign (key policy)

Related operations: Verify

" }, @@ -923,7 +935,8 @@ {"shape":"InvalidGrantTokenException"}, {"shape":"KMSInternalException"}, {"shape":"KMSInvalidStateException"}, - {"shape":"KMSInvalidSignatureException"} + {"shape":"KMSInvalidSignatureException"}, + {"shape":"DryRunOperationException"} ], "documentation":"

Verifies a digital signature that was generated by the Sign operation.

Verification confirms that an authorized user signed the message with the specified KMS key and signing algorithm, and the message hasn't changed since it was signed. If the signature is verified, the value of the SignatureValid field in the response is True. If the signature verification fails, the Verify operation fails with an KMSInvalidSignatureException exception.

A digital signature is generated by using the private key in an asymmetric KMS key. The signature is verified by using the public key in the same asymmetric KMS key. For information about asymmetric KMS keys, see Asymmetric KMS keys in the Key Management Service Developer Guide.

To use the Verify operation, specify the same asymmetric KMS key, message, and signing algorithm that were used to produce the signature. The message type does not need to be the same as the one used for signing, but it must indicate whether the value of the Message parameter should be hashed as part of the verification process.

You can also verify the digital signature by using the public key of the KMS key outside of KMS. Use the GetPublicKey operation to download the public key in the asymmetric KMS key and then use the public key to verify the signature outside of KMS. The advantage of using the Verify operation is that it is performed within KMS. As a result, it's easy to call, the operation is performed within the FIPS boundary, it is logged in CloudTrail, and you can use key policy and IAM policy to determine who is authorized to use the KMS key to verify signatures.

To verify a signature outside of KMS with an SM2 public key (China Regions only), you must specify the distinguishing ID. By default, KMS uses 1234567812345678 as the distinguishing ID. For more information, see Offline verification with SM2 key pairs.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:Verify (key policy)

Related operations: Sign

" }, @@ -943,7 +956,8 @@ {"shape":"InvalidGrantTokenException"}, {"shape":"KMSInternalException"}, {"shape":"KMSInvalidMacException"}, - {"shape":"KMSInvalidStateException"} + {"shape":"KMSInvalidStateException"}, + {"shape":"DryRunOperationException"} ], "documentation":"

Verifies the hash-based message authentication code (HMAC) for a specified message, HMAC KMS key, and MAC algorithm. To verify the HMAC, VerifyMac computes an HMAC using the message, HMAC KMS key, and MAC algorithm that you specify, and compares the computed HMAC to the HMAC that you specify. If the HMACs are identical, the verification succeeds; otherwise, it fails. Verification indicates that the message hasn't changed since the HMAC was calculated, and the specified key was used to generate and verify the HMAC.

HMAC KMS keys and the HMAC algorithms that KMS uses conform to industry standards defined in RFC 2104.

This operation is part of KMS support for HMAC KMS keys. For details, see HMAC keys in KMS in the Key Management Service Developer Guide.

The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.

Cross-account use: Yes. To perform this operation with a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN in the value of the KeyId parameter.

Required permissions: kms:VerifyMac (key policy)

Related operations: GenerateMac

" } @@ -1240,6 +1254,10 @@ "Name":{ "shape":"GrantNameType", "documentation":"

A friendly name for the grant. Use this value to prevent the unintended creation of duplicate grants when retrying this request.

Do not include confidential or sensitive information in this field. This field may be displayed in plaintext in CloudTrail logs and other output.

When this value is absent, all CreateGrant requests result in a new grant with a unique GrantId even if all the supplied parameters are identical. This can result in unintended duplicates when you retry the CreateGrant request.

When this value is present, you can retry a CreateGrant request with identical parameters; if the grant already exists, the original GrantId is returned without creating a new grant. Note that the returned grant token is unique with every CreateGrant request, even when a duplicate GrantId is returned. All grant tokens for the same grant ID can be used interchangeably.

" + }, + "DryRun":{ + "shape":"NullableBooleanType", + "documentation":"

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

" } } }, @@ -1479,6 +1497,10 @@ "Recipient":{ "shape":"RecipientInfo", "documentation":"

A signed attestation document from an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The only valid encryption algorithm is RSAES_OAEP_SHA_256.

This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.

When you use this parameter, instead of returning the plaintext data, KMS encrypts the plaintext data with the public key in the attestation document, and returns the resulting ciphertext in the CiphertextForRecipient field in the response. This ciphertext can be decrypted only with the private key in the enclave. The Plaintext field in the response is null or empty.

For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.

" + }, + "DryRun":{ + "shape":"NullableBooleanType", + "documentation":"

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

" } } }, @@ -1656,6 +1678,14 @@ "members":{ } }, + "DryRunOperationException":{ + "type":"structure", + "members":{ + "message":{"shape":"ErrorMessageType"} + }, + "documentation":"

The request was rejected because the DryRun parameter was specified.

", + "exception":true + }, "EnableKeyRequest":{ "type":"structure", "required":["KeyId"], @@ -1702,6 +1732,10 @@ "EncryptionAlgorithm":{ "shape":"EncryptionAlgorithmSpec", "documentation":"
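Review bot: The documentation string on the new `DryRunOperationException` shape says only that the request was rejected because `DryRun` was specified. Neither it nor the `DryRun` member text repeated across the request shapes says whether this error is the expected outcome of a dry run that would otherwise have succeeded. The wording suggests it is, though the hunk does not confirm it; if so, error handlers, retry wrappers and alerting that count every KMS client error as a failed or denied operation will misreport dry runs. The shape text should state the contract outright, for example `The request was rejected because the DryRun parameter was specified; the operation was not performed.` plus a sentence on which error a failing dry run returns instead. This file is a vendored service model, so the wording would have to be corrected upstream rather than here.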

Specifies the encryption algorithm that KMS will use to encrypt the plaintext message. The algorithm must be compatible with the KMS key that you specify.

This parameter is required only for asymmetric KMS keys. The default value, SYMMETRIC_DEFAULT, is the algorithm used for symmetric encryption KMS keys. If you are using an asymmetric KMS key, we recommend RSAES_OAEP_SHA_256.

The SM2PKE algorithm is only available in China Regions.

" + }, + "DryRun":{ + "shape":"NullableBooleanType", + "documentation":"

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

" } } }, @@ -1784,6 +1818,10 @@ "Recipient":{ "shape":"RecipientInfo", "documentation":"

A signed attestation document from an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The only valid encryption algorithm is RSAES_OAEP_SHA_256.

This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.

When you use this parameter, instead of returning a plaintext copy of the private data key, KMS encrypts the plaintext private data key under the public key in the attestation document, and returns the resulting ciphertext in the CiphertextForRecipient field in the response. This ciphertext can be decrypted only with the private key in the enclave. The CiphertextBlob field in the response contains a copy of the private data key encrypted under the KMS key specified by the KeyId parameter. The PrivateKeyPlaintext field in the response is null or empty.

For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.

" + }, + "DryRun":{ + "shape":"NullableBooleanType", + "documentation":"

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

" } } }, @@ -1838,6 +1876,10 @@ "GrantTokens":{ "shape":"GrantTokenList", "documentation":"

A list of grant tokens.

Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the Key Management Service Developer Guide.

" + }, + "DryRun":{ + "shape":"NullableBooleanType", + "documentation":"

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

" } } }, @@ -1889,6 +1931,10 @@ "Recipient":{ "shape":"RecipientInfo", "documentation":"

A signed attestation document from an Amazon Web Services Nitro enclave and the encryption algorithm to use with the enclave's public key. The only valid encryption algorithm is RSAES_OAEP_SHA_256.

This parameter only supports attestation documents for Amazon Web Services Nitro Enclaves. To include this parameter, use the Amazon Web Services Nitro Enclaves SDK or any Amazon Web Services SDK.

When you use this parameter, instead of returning the plaintext data key, KMS encrypts the plaintext data key under the public key in the attestation document, and returns the resulting ciphertext in the CiphertextForRecipient field in the response. This ciphertext can be decrypted only with the private key in the enclave. The CiphertextBlob field in the response contains a copy of the data key encrypted under the KMS key specified by the KeyId parameter. The Plaintext field in the response is null or empty.

For information about the interaction between KMS and Amazon Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS in the Key Management Service Developer Guide.

" + }, + "DryRun":{ + "shape":"NullableBooleanType", + "documentation":"

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

" } } }, @@ -1936,6 +1982,10 @@ "GrantTokens":{ "shape":"GrantTokenList", "documentation":"

A list of grant tokens.

Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the Key Management Service Developer Guide.

" + }, + "DryRun":{ + "shape":"NullableBooleanType", + "documentation":"

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

" } } }, @@ -1975,6 +2025,10 @@ "GrantTokens":{ "shape":"GrantTokenList", "documentation":"

A list of grant tokens.

Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the Key Management Service Developer Guide.

" + }, + "DryRun":{ + "shape":"NullableBooleanType", + "documentation":"

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

" } } }, @@ -3028,6 +3082,10 @@ "GrantTokens":{ "shape":"GrantTokenList", "documentation":"

A list of grant tokens.

Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the Key Management Service Developer Guide.

" + }, + "DryRun":{ + "shape":"NullableBooleanType", + "documentation":"

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

" } } }, @@ -3140,6 +3198,10 @@ "GrantId":{ "shape":"GrantIdType", "documentation":"

Identifies the grant to retire. To get the grant ID, use CreateGrant, ListGrants, or ListRetirableGrants.

" + }, + "DryRun":{ + "shape":"NullableBooleanType", + "documentation":"

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

" } } }, @@ -3157,6 +3219,10 @@ "GrantId":{ "shape":"GrantIdType", "documentation":"

Identifies the grant to revoke. To get the grant ID, use CreateGrant, ListGrants, or ListRetirableGrants.

" + }, + "DryRun":{ + "shape":"NullableBooleanType", + "documentation":"

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

" } } }, @@ -3170,7 +3236,7 @@ }, "PendingWindowInDays":{ "shape":"PendingWindowInDaysType", - "documentation":"

The waiting period, specified in number of days. After the waiting period ends, KMS deletes the KMS key.

If the KMS key is a multi-Region primary key with replica keys, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.

This value is optional. If you include a value, it must be between 7 and 30, inclusive. If you do not include a value, it defaults to 30. You can use the kms:ScheduleKeyDeletionPendingWindowInDays condition key to further constrain the values that principals can specify in the PendingWindowInDays parameter.

" + "documentation":"

The waiting period, specified in number of days. After the waiting period ends, KMS deletes the KMS key.

If the KMS key is a multi-Region primary key with replica keys, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.

This value is optional. If you include a value, it must be between 7 and 30, inclusive. If you do not include a value, it defaults to 30. You can use the kms:ScheduleKeyDeletionPendingWindowInDays condition key to further constrain the values that principals can specify in the PendingWindowInDays parameter.

" } } }, @@ -3222,6 +3288,10 @@ "SigningAlgorithm":{ "shape":"SigningAlgorithmSpec", "documentation":"

Specifies the signing algorithm to use when signing the message.

Choose an algorithm that is compatible with the type and size of the specified asymmetric KMS key. When signing with RSA key pairs, RSASSA-PSS algorithms are preferred. We include RSASSA-PKCS1-v1_5 algorithms for compatibility with existing applications.

" + }, + "DryRun":{ + "shape":"NullableBooleanType", + "documentation":"

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

" } } }, @@ -3478,6 +3548,10 @@ "GrantTokens":{ "shape":"GrantTokenList", "documentation":"

A list of grant tokens.

Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the Key Management Service Developer Guide.

" + }, + "DryRun":{ + "shape":"NullableBooleanType", + "documentation":"

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

" } } }, @@ -3530,6 +3604,10 @@ "GrantTokens":{ "shape":"GrantTokenList", "documentation":"

A list of grant tokens.

Use a grant token when your permission to call this operation comes from a new grant that has not yet achieved eventual consistency. For more information, see Grant token and Using a grant token in the Key Management Service Developer Guide.

" + }, + "DryRun":{ + "shape":"NullableBooleanType", + "documentation":"

Checks if your request will succeed. DryRun is an optional parameter.

To learn more about how to use this parameter, see Testing your KMS API calls in the Key Management Service Developer Guide.

" } } }, diff --git a/botocore/data/mgn/2020-02-26/paginators-1.json b/botocore/data/mgn/2020-02-26/paginators-1.json index 44640baf55..7500df2e9c 100644 --- a/botocore/data/mgn/2020-02-26/paginators-1.json +++ b/botocore/data/mgn/2020-02-26/paginators-1.json @@ -83,6 +83,12 @@ "output_token": "nextToken", "limit_key": "maxResults", "result_key": "items" + }, + "ListManagedAccounts": { + "input_token": "nextToken", + "output_token": "nextToken", + "limit_key": "maxResults", + "result_key": "items" } } } diff --git a/botocore/data/mgn/2020-02-26/service-2.json b/botocore/data/mgn/2020-02-26/service-2.json index bb8325c55e..c5b77936da 100644 --- a/botocore/data/mgn/2020-02-26/service-2.json +++ b/botocore/data/mgn/2020-02-26/service-2.json @@ -562,6 +562,21 @@ ], "documentation":"

List imports.

" }, + "ListManagedAccounts":{ + "name":"ListManagedAccounts", + "http":{ + "method":"POST", + "requestUri":"/ListManagedAccounts", + "responseCode":200 + }, + "input":{"shape":"ListManagedAccountsRequest"}, + "output":{"shape":"ListManagedAccountsResponse"}, + "errors":[ + {"shape":"UninitializedAccountException"}, + {"shape":"ValidationException"} + ], + "documentation":"

List Managed Accounts.

" + }, "ListSourceServerActions":{ "name":"ListSourceServerActions", "http":{ @@ -640,6 +655,24 @@ ], "documentation":"

Archives specific Source Servers by setting the SourceServer.isArchived property to true for specified SourceServers by ID. This command only works for SourceServers with a lifecycle. state which equals DISCONNECTED or CUTOVER.

" }, + "PauseReplication":{ + "name":"PauseReplication", + "http":{ + "method":"POST", + "requestUri":"/PauseReplication", + "responseCode":200 + }, + "input":{"shape":"PauseReplicationRequest"}, + "output":{"shape":"SourceServer"}, + "errors":[ + {"shape":"UninitializedAccountException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ValidationException"}, + {"shape":"ServiceQuotaExceededException"}, + {"shape":"ConflictException"} + ], + "documentation":"

Pause Replication.

" + }, "PutSourceServerAction":{ "name":"PutSourceServerAction", "http":{ @@ -706,6 +739,24 @@ ], "documentation":"

Remove template post migration custom action.

" }, + "ResumeReplication":{ + "name":"ResumeReplication", + "http":{ + "method":"POST", + "requestUri":"/ResumeReplication", + "responseCode":200 + }, + "input":{"shape":"ResumeReplicationRequest"}, + "output":{"shape":"SourceServer"}, + "errors":[ + {"shape":"UninitializedAccountException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ValidationException"}, + {"shape":"ServiceQuotaExceededException"}, + {"shape":"ConflictException"} + ], + "documentation":"

Resume Replication.

" + }, "RetryDataReplication":{ "name":"RetryDataReplication", "http":{ @@ -806,6 +857,24 @@ ], "documentation":"

Launches a Test Instance for specific Source Servers. This command starts a LAUNCH job whose initiatedBy property is StartTest and changes the SourceServer.lifeCycle.state property to TESTING.

" }, + "StopReplication":{ + "name":"StopReplication", + "http":{ + "method":"POST", + "requestUri":"/StopReplication", + "responseCode":200 + }, + "input":{"shape":"StopReplicationRequest"}, + "output":{"shape":"SourceServer"}, + "errors":[ + {"shape":"UninitializedAccountException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"ValidationException"}, + {"shape":"ServiceQuotaExceededException"}, + {"shape":"ConflictException"} + ], + "documentation":"

Stop Replication.

" + }, "TagResource":{ "name":"TagResource", "http":{ @@ -1198,6 +1267,10 @@ "type":"structure", "required":["applicationID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID.

" + }, "applicationID":{ "shape":"ApplicationID", "documentation":"

Application ID.

" @@ -1208,6 +1281,10 @@ "type":"structure", "required":["waveID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID.

" + }, "waveID":{ "shape":"WaveID", "documentation":"

Wave ID.

" @@ -1221,6 +1298,10 @@ "waveID" ], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID.

" + }, "applicationIDs":{ "shape":"ApplicationIDs", "documentation":"

Application IDs list.

" @@ -1243,6 +1324,10 @@ "sourceServerIDs" ], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID.

" + }, "applicationID":{ "shape":"ApplicationID", "documentation":"

Application ID.

" @@ -1264,6 +1349,11 @@ "members":{ } }, + "BandwidthThrottling":{ + "type":"long", + "max":10000, + "min":0 + }, "Boolean":{ "type":"boolean", "box":true @@ -1301,6 +1391,10 @@ "sourceServerID" ], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

The request to change the source server migration account ID.

" + }, "lifeCycle":{ "shape":"ChangeServerLifeCycleStateSourceServerLifecycle", "documentation":"

The request to change the source server migration lifecycle state.

" @@ -1380,6 +1474,10 @@ "type":"structure", "required":["name"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID.

" + }, "description":{ "shape":"ApplicationDescription", "documentation":"

Application description.

" @@ -1473,7 +1571,7 @@ "documentation":"

Request to associate the default Application Migration Service Security group with the Replication Settings template.

" }, "bandwidthThrottling":{ - "shape":"PositiveInteger", + "shape":"BandwidthThrottling", "documentation":"

Request to configure bandwidth throttling during Replication Settings template creation.

" }, "createPublicIP":{ @@ -1519,6 +1617,10 @@ "useDedicatedReplicationServer":{ "shape":"Boolean", "documentation":"

Request to use Dedicated Replication Servers during Replication Settings template creation.

" + }, + "useFipsEndpoint":{ + "shape":"Boolean", + "documentation":"

Request to use Fips Endpoint during Replication Settings template creation.

" } } }, @@ -1526,6 +1628,10 @@ "type":"structure", "required":["name"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID.

" + }, "description":{ "shape":"WaveDescription", "documentation":"

Wave description.

" @@ -1724,6 +1830,10 @@ "type":"structure", "required":["applicationID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID.

" + }, "applicationID":{ "shape":"ApplicationID", "documentation":"

Application ID.

" @@ -1739,6 +1849,10 @@ "type":"structure", "required":["jobID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Request to delete Job from service by Account ID.

" + }, "jobID":{ "shape":"JobID", "documentation":"

Request to delete Job from service by Job ID.

" @@ -1784,6 +1898,10 @@ "type":"structure", "required":["sourceServerID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Request to delete Source Server from service by Account ID.

" + }, "sourceServerID":{ "shape":"SourceServerID", "documentation":"

Request to delete Source Server from service by Server ID.

" @@ -1809,6 +1927,10 @@ "type":"structure", "required":["waveID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID.

" + }, "waveID":{ "shape":"WaveID", "documentation":"

Wave ID.

" @@ -1824,6 +1946,10 @@ "type":"structure", "required":["jobID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Request to describe Job log Account ID.

" + }, "jobID":{ "shape":"JobID", "documentation":"

Request to describe Job log job ID.

" @@ -1854,6 +1980,10 @@ "DescribeJobsRequest":{ "type":"structure", "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Request to describe job log items by Account ID.

" + }, "filters":{ "shape":"DescribeJobsRequestFilters", "documentation":"

Request to describe Job log filters.

" @@ -1968,6 +2098,10 @@ "DescribeSourceServersRequest":{ "type":"structure", "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Request to filter Source Servers list by Accoun ID.

" + }, "filters":{ "shape":"DescribeSourceServersRequestFilters", "documentation":"

Request to filter Source Servers list.

" @@ -2070,6 +2204,10 @@ "waveID" ], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID.

" + }, "applicationIDs":{ "shape":"ApplicationIDs", "documentation":"

Application IDs list.

" @@ -2092,6 +2230,10 @@ "sourceServerIDs" ], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID.

" + }, "applicationID":{ "shape":"ApplicationID", "documentation":"

Application ID.

" @@ -2117,6 +2259,10 @@ "type":"structure", "required":["sourceServerID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Request to disconnect Source Server from service by Account ID.

" + }, "sourceServerID":{ "shape":"SourceServerID", "documentation":"

Request to disconnect Source Server from service by Server ID.

" @@ -2297,6 +2443,10 @@ "type":"structure", "required":["sourceServerID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Request to finalize Cutover by Source Account ID.

" + }, "sourceServerID":{ "shape":"SourceServerID", "documentation":"

Request to finalize Cutover by Source Server ID.

" @@ -2320,6 +2470,10 @@ "type":"structure", "required":["sourceServerID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Request to get Launch Configuration information by Account ID.

" + }, "sourceServerID":{ "shape":"SourceServerID", "documentation":"

Request to get Launch Configuration information by Source Server ID.

" @@ -2330,6 +2484,10 @@ "type":"structure", "required":["sourceServerID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Request to get Replication Configuration by Account ID.

" + }, "sourceServerID":{ "shape":"SourceServerID", "documentation":"

Request to get Replication Configuration by Source Server ID.

" @@ -2380,6 +2538,10 @@ "ImportErrorData":{ "type":"structure", "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Import error data source account ID.

" + }, "applicationID":{ "shape":"ApplicationID", "documentation":"

Import error data application ID.

" @@ -2591,6 +2753,11 @@ "exception":true, "fault":true }, + "Iops":{ + "type":"long", + "max":64000, + "min":100 + }, "JmesPathString":{ "type":"string", "max":1011, @@ -2921,11 +3088,11 @@ "type":"structure", "members":{ "iops":{ - "shape":"PositiveInteger", + "shape":"Iops", "documentation":"

Launch template disk iops configuration.

" }, "throughput":{ - "shape":"PositiveInteger", + "shape":"Throughput", "documentation":"

Launch template disk throughput configuration.

" }, "volumeType":{ @@ -3125,6 +3292,10 @@ "ListApplicationsRequest":{ "type":"structure", "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Applications list Account ID.

" + }, "filters":{ "shape":"ListApplicationsRequestFilters", "documentation":"

Applications list filters.

" @@ -3323,10 +3494,43 @@ }, "documentation":"

List import response.

" }, + "ListManagedAccountsRequest":{ + "type":"structure", + "members":{ + "maxResults":{ + "shape":"MaxResultsType", + "documentation":"

List managed accounts request max results.

" + }, + "nextToken":{ + "shape":"PaginationToken", + "documentation":"

List managed accounts request next token.

" + } + }, + "documentation":"

List managed accounts request.

" + }, + "ListManagedAccountsResponse":{ + "type":"structure", + "required":["items"], + "members":{ + "items":{ + "shape":"ManagedAccounts", + "documentation":"

List managed accounts response items.

" + }, + "nextToken":{ + "shape":"PaginationToken", + "documentation":"

List managed accounts response next token.

" + } + }, + "documentation":"

List managed accounts response.

" + }, "ListSourceServerActionsRequest":{ "type":"structure", "required":["sourceServerID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID to return when listing source server post migration custom actions.

" + }, "filters":{ "shape":"SourceServerActionsRequestFilters", "documentation":"

Filters to apply when listing source server post migration custom actions.

" @@ -3417,6 +3621,10 @@ "ListWavesRequest":{ "type":"structure", "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Request account ID.

" + }, "filters":{ "shape":"ListWavesRequestFilters", "documentation":"

Waves list filters.

" @@ -3458,10 +3666,30 @@ } } }, + "ManagedAccount":{ + "type":"structure", + "members":{ + "accountId":{ + "shape":"AccountID", + "documentation":"

Managed account, account ID.

" + } + }, + "documentation":"

Managed account.

" + }, + "ManagedAccounts":{ + "type":"list", + "member":{"shape":"ManagedAccount"}, + "max":1000, + "min":0 + }, "MarkAsArchivedRequest":{ "type":"structure", "required":["sourceServerID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Mark as archived by Account ID.

" + }, "sourceServerID":{ "shape":"SourceServerID", "documentation":"

Mark as archived by Source Server ID.

" @@ -3548,6 +3776,20 @@ "type":"list", "member":{"shape":"ParticipatingServer"} }, + "PauseReplicationRequest":{ + "type":"structure", + "required":["sourceServerID"], + "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Pause Replication Request account ID.

" + }, + "sourceServerID":{ + "shape":"SourceServerID", + "documentation":"

Pause Replication Request source server ID.

" + } + } + }, "PositiveInteger":{ "type":"long", "min":0 @@ -3622,6 +3864,10 @@ "sourceServerID" ], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Source server post migration custom account ID.

" + }, "actionID":{ "shape":"ActionID", "documentation":"

Source server post migration custom action ID.

" @@ -3751,6 +3997,10 @@ "sourceServerID" ], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Source server post migration account ID.

" + }, "actionID":{ "shape":"ActionID", "documentation":"

Source server post migration custom action ID to remove.

" @@ -3796,7 +4046,7 @@ "documentation":"

Replication Configuration associate default Application Migration Service Security Group.

" }, "bandwidthThrottling":{ - "shape":"PositiveInteger", + "shape":"BandwidthThrottling", "documentation":"

Replication Configuration set bandwidth throttling.

" }, "createPublicIP":{ @@ -3850,6 +4100,10 @@ "useDedicatedReplicationServer":{ "shape":"Boolean", "documentation":"

Replication Configuration use Dedicated Replication Server.

" + }, + "useFipsEndpoint":{ + "shape":"Boolean", + "documentation":"

Replication Configuration use Fips Endpoint.

" } } }, @@ -3933,7 +4187,7 @@ "documentation":"

Replication Configuration template associate default Application Migration Service Security group.

" }, "bandwidthThrottling":{ - "shape":"PositiveInteger", + "shape":"BandwidthThrottling", "documentation":"

Replication Configuration template bandwidth throttling.

" }, "createPublicIP":{ @@ -3983,6 +4237,10 @@ "useDedicatedReplicationServer":{ "shape":"Boolean", "documentation":"

Replication Configuration template use Dedicated Replication Server.

" + }, + "useFipsEndpoint":{ + "shape":"Boolean", + "documentation":"

Replication Configuration template use Fips Endpoint.

" } } }, @@ -4042,10 +4300,28 @@ }, "exception":true }, + "ResumeReplicationRequest":{ + "type":"structure", + "required":["sourceServerID"], + "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Resume Replication Request account ID.

" + }, + "sourceServerID":{ + "shape":"SourceServerID", + "documentation":"

Resume Replication Request source server ID.

" + } + } + }, "RetryDataReplicationRequest":{ "type":"structure", "required":["sourceServerID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Retry data replication for Account ID.

" + }, "sourceServerID":{ "shape":"SourceServerID", "documentation":"

Retry data replication for Source Server ID.

" @@ -4427,6 +4703,10 @@ "type":"structure", "required":["sourceServerIDs"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Start Cutover by Account IDs

" + }, "sourceServerIDs":{ "shape":"StartCutoverRequestSourceServerIDs", "documentation":"

Start Cutover by Source Server IDs.

" @@ -4514,6 +4794,10 @@ "type":"structure", "required":["sourceServerID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID on which to start replication.

" + }, "sourceServerID":{ "shape":"SourceServerID", "documentation":"

ID of source server on which to start replication.

" @@ -4524,6 +4808,10 @@ "type":"structure", "required":["sourceServerIDs"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Start Test for Account ID.

" + }, "sourceServerIDs":{ "shape":"StartTestRequestSourceServerIDs", "documentation":"

Start Test for Source Server IDs.

" @@ -4549,6 +4837,20 @@ } } }, + "StopReplicationRequest":{ + "type":"structure", + "required":["sourceServerID"], + "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Stop Replication Request account ID.

" + }, + "sourceServerID":{ + "shape":"SourceServerID", + "documentation":"

Stop Replication Request source server ID.

" + } + } + }, "StrictlyPositiveInteger":{ "type":"integer", "min":1 @@ -4597,6 +4899,8 @@ "type":"map", "key":{"shape":"TagKey"}, "value":{"shape":"TagValue"}, + "max":50, + "min":0, "sensitive":true }, "TargetInstanceTypeRightSizingMethod":{ @@ -4683,6 +4987,10 @@ "type":"structure", "required":["sourceServerIDs"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Terminate Target instance by Account ID

" + }, "sourceServerIDs":{ "shape":"TerminateTargetInstancesRequestSourceServerIDs", "documentation":"

Terminate Target instance by Source Server IDs.

" @@ -4735,10 +5043,19 @@ }, "exception":true }, + "Throughput":{ + "type":"long", + "max":1000, + "min":125 + }, "UnarchiveApplicationRequest":{ "type":"structure", "required":["applicationID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID.

" + }, "applicationID":{ "shape":"ApplicationID", "documentation":"

Application ID.

" @@ -4749,6 +5066,10 @@ "type":"structure", "required":["waveID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID.

" + }, "waveID":{ "shape":"WaveID", "documentation":"

Wave ID.

" @@ -4793,6 +5114,10 @@ "type":"structure", "required":["applicationID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID.

" + }, "applicationID":{ "shape":"ApplicationID", "documentation":"

Application ID.

" @@ -4811,6 +5136,10 @@ "type":"structure", "required":["sourceServerID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Update Launch configuration Account ID.

" + }, "bootMode":{ "shape":"BootMode", "documentation":"

Update Launch configuration boot mode request.

" @@ -4917,12 +5246,16 @@ "type":"structure", "required":["sourceServerID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Update replication configuration Account ID request.

" + }, "associateDefaultSecurityGroup":{ "shape":"Boolean", "documentation":"

Update replication configuration associate default Application Migration Service Security group request.

" }, "bandwidthThrottling":{ - "shape":"PositiveInteger", + "shape":"BandwidthThrottling", "documentation":"

Update replication configuration bandwidth throttling request.

" }, "createPublicIP":{ @@ -4976,6 +5309,10 @@ "useDedicatedReplicationServer":{ "shape":"Boolean", "documentation":"

Update replication configuration use dedicated Replication Server request.

" + }, + "useFipsEndpoint":{ + "shape":"Boolean", + "documentation":"

Update replication configuration use Fips Endpoint.

" } } }, @@ -4992,7 +5329,7 @@ "documentation":"

Update replication configuration template associate default Application Migration Service Security group request.

" }, "bandwidthThrottling":{ - "shape":"PositiveInteger", + "shape":"BandwidthThrottling", "documentation":"

Update replication configuration template bandwidth throttling request.

" }, "createPublicIP":{ @@ -5038,6 +5375,10 @@ "useDedicatedReplicationServer":{ "shape":"Boolean", "documentation":"

Update replication configuration template use dedicated Replication Server request.

" + }, + "useFipsEndpoint":{ + "shape":"Boolean", + "documentation":"

Update replication configuration template use Fips Endpoint request.

" } } }, @@ -5048,6 +5389,10 @@ "sourceServerID" ], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID on which to update replication type.

" + }, "replicationType":{ "shape":"ReplicationType", "documentation":"

Replication type to which to update source server.

" @@ -5062,6 +5407,10 @@ "type":"structure", "required":["waveID"], "members":{ + "accountID":{ + "shape":"AccountID", + "documentation":"

Account ID.

" + }, "description":{ "shape":"WaveDescription", "documentation":"

Wave description.

" diff --git a/botocore/data/securityhub/2018-10-26/service-2.json b/botocore/data/securityhub/2018-10-26/service-2.json index f2adc9ddd7..b6f2a5044c 100644 --- a/botocore/data/securityhub/2018-10-26/service-2.json +++ b/botocore/data/securityhub/2018-10-26/service-2.json @@ -1460,7 +1460,7 @@ "members":{ "Type":{ "shape":"AutomationRulesActionType", - "documentation":"

Specifies that the rule action should update the Types finding field. The Types finding field provides one or more finding types in the format of namespace/category/classifier that classify a finding. For more information, see Types taxonomy for ASFF in the Security Hub User Guide.

" + "documentation":"

Specifies that the rule action should update the Types finding field. The Types finding field classifies findings in the format of namespace/category/classifier. For more information, see Types taxonomy for ASFF in the Security Hub User Guide.

" }, "FindingFieldsUpdate":{ "shape":"AutomationRulesFindingFieldsUpdate", @@ -1488,7 +1488,7 @@ }, "RuleStatus":{ "shape":"RuleStatus", - "documentation":"

Whether the rule is active after it is created. If this parameter is equal to >ENABLED, Security Hub will apply the rule to findings and finding updates after the rule is created.

" + "documentation":"

Whether the rule is active after it is created. If this parameter is equal to ENABLED, Security Hub starts applying the rule to findings and finding updates after the rule is created.

" }, "RuleOrder":{ "shape":"RuleOrderValue", @@ -1504,11 +1504,11 @@ }, "IsTerminal":{ "shape":"Boolean", - "documentation":"

Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to true for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and won't evaluate other rules for the finding.
 The default value of this field is false.

" + "documentation":"

Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to true for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding.
 The default value of this field is false.

" }, "Criteria":{ "shape":"AutomationRulesFindingFilters", - "documentation":"

A set of Amazon Web Services Security Finding Format finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.

" + "documentation":"

A set of Amazon Web Services Security Finding Format finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.

" }, "Actions":{ "shape":"ActionList", @@ -1540,31 +1540,31 @@ "Severity":{"shape":"SeverityUpdate"}, "VerificationState":{ "shape":"VerificationState", - "documentation":"

The rule action will update the VerificationState field of a finding.

" + "documentation":"

The rule action updates the VerificationState field of a finding.

" }, "Confidence":{ "shape":"RatioScale", - "documentation":"

The rule action will update the Confidence field of a finding.

" + "documentation":"

The rule action updates the Confidence field of a finding.

" }, "Criticality":{ "shape":"RatioScale", - "documentation":"

The rule action will update the Criticality field of a finding.

" + "documentation":"

The rule action updates the Criticality field of a finding.

" }, "Types":{ "shape":"TypeList", - "documentation":"

The rule action will update the Types field of a finding.

" + "documentation":"

The rule action updates the Types field of a finding.

" }, "UserDefinedFields":{ "shape":"FieldMap", - "documentation":"

The rule action will update the UserDefinedFields field of a finding.

" + "documentation":"

The rule action updates the UserDefinedFields field of a finding.

" }, "Workflow":{"shape":"WorkflowUpdate"}, "RelatedFindings":{ "shape":"RelatedFindingList", - "documentation":"

A list of findings that are related to a finding.

" + "documentation":"

The rule action updates the RelatedFindings field of a finding.

" } }, - "documentation":"

Identifies the finding fields that the automation rule action will update when a finding matches the defined criteria.

" + "documentation":"

Identifies the finding fields that the automation rule action updates when a finding matches the defined criteria.

" }, "AutomationRulesFindingFilters":{ "type":"structure", @@ -1721,7 +1721,7 @@ }, "RuleStatus":{ "shape":"RuleStatus", - "documentation":"

Whether the rule is active after it is created. If this parameter is equal to ENABLED, Security Hub will apply the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules.

" + "documentation":"

Whether the rule is active after it is created. If this parameter is equal to ENABLED, Security Hub starts applying the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules .

" }, "RuleOrder":{ "shape":"RuleOrderValue", @@ -1737,7 +1737,7 @@ }, "IsTerminal":{ "shape":"Boolean", - "documentation":"

Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to true for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and won't evaluate other rules for the finding.
 The default value of this field is false.

" + "documentation":"

Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to true for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding.
 The default value of this field is false.

" }, "CreatedAt":{ "shape":"Timestamp", @@ -14696,7 +14696,7 @@ }, "RuleStatus":{ "shape":"RuleStatus", - "documentation":"

Whether the rule is active after it is created. If this parameter is equal to Enabled, Security Hub will apply the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules.

" + "documentation":"

Whether the rule is active after it is created. If this parameter is equal to ENABLED, Security Hub starts applying the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules .

" }, "RuleOrder":{ "shape":"RuleOrderValue", @@ -14712,11 +14712,11 @@ }, "IsTerminal":{ "shape":"Boolean", - "documentation":"

Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to true for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and won't evaluate other rules for the finding. The default value of this field is false.

" + "documentation":"

Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to true for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. The default value of this field is false.

" }, "Criteria":{ "shape":"AutomationRulesFindingFilters", - "documentation":"

A set of ASFF finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.

" + "documentation":"

A set of ASFF finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.

" }, "Actions":{ "shape":"ActionList", @@ -18127,7 +18127,7 @@ }, "SecurityControlStatus":{ "shape":"ControlStatus", - "documentation":"

The status of a security control based on the compliance status of its findings. For more information about how control status is determined, see Determining the overall status of a control from its findings in the Security Hub User Guide.

" + "documentation":"

The enablement status of a security control in a specific standard.

" } }, "documentation":"

A security control in Security Hub describes a security best practice related to a specific resource.

" @@ -19116,7 +19116,7 @@ }, "RuleStatus":{ "shape":"RuleStatus", - "documentation":"

Whether the rule is active after it is created. If this parameter is equal to ENABLED, Security Hub will apply the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules.

" + "documentation":"

Whether the rule is active after it is created. If this parameter is equal to ENABLED, Security Hub starts applying the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules .

" }, "RuleOrder":{ "shape":"RuleOrderValue", @@ -19132,11 +19132,11 @@ }, "IsTerminal":{ "shape":"Boolean", - "documentation":"

Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to true for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and won't evaluate other rules for the finding.
 The default value of this field is false.

" + "documentation":"

Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to true for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding.
 The default value of this field is false.

" }, "Criteria":{ "shape":"AutomationRulesFindingFilters", - "documentation":"

A set of ASFF finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.

" + "documentation":"

A set of ASFF finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.

" }, "Actions":{ "shape":"ActionList", diff --git a/docs/source/conf.py b/docs/source/conf.py index f3f65c0d47..d5863917e5 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -59,7 +59,7 @@ # The short X.Y version. version = '1.30' # The full version, including alpha/beta/rc tags. -release = '1.30.0' +release = '1.30.1' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/tests/functional/endpoint-rules/mgn/endpoint-tests-1.json b/tests/functional/endpoint-rules/mgn/endpoint-tests-1.json index fcda59beb3..9e52c48885 100644 --- a/tests/functional/endpoint-rules/mgn/endpoint-tests-1.json +++ b/tests/functional/endpoint-rules/mgn/endpoint-tests-1.json @@ -416,6 +416,17 @@ "UseDualStack": false } }, + { + "documentation": "For region us-iso-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" + }, + "params": { + "Region": "us-iso-east-1", + "UseFIPS": true, + "UseDualStack": true + } + }, { "documentation": "For region us-iso-east-1 with FIPS enabled and DualStack disabled", "expect": { @@ -429,6 +440,17 @@ "UseDualStack": false } }, + { + "documentation": "For region us-iso-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "error": "DualStack is enabled but this partition does not support DualStack" + }, + "params": { + "Region": "us-iso-east-1", + "UseFIPS": false, + "UseDualStack": true + } + }, { "documentation": "For region us-iso-east-1 with FIPS disabled and DualStack disabled", "expect": { 
@@ -442,6 +464,17 @@ "UseDualStack": false } }, + { + "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": true, + "UseDualStack": true + } + }, { "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack disabled", "expect": { @@ -455,6 +488,17 @@ "UseDualStack": false } }, + { + "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "error": "DualStack is enabled but this partition does not support DualStack" + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": false, + "UseDualStack": true + } + }, { "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack disabled", "expect": { @@ -518,6 +562,12 @@ "UseDualStack": true, "Endpoint": "https://example.com" } + }, + { + "documentation": "Missing region", + "expect": { + "error": "Invalid Configuration: Missing Region" + } } ], "version": "1.0"