lib/aws-sdk-securityhub/client.rb in aws-sdk-securityhub-1.96.0 vs lib/aws-sdk-securityhub/client.rb in aws-sdk-securityhub-1.97.0

- old
+ new

@@ -928,10 +928,19 @@ # resp.rules[0].criteria.note_updated_by[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS" # resp.rules[0].criteria.user_defined_fields #=> Array # resp.rules[0].criteria.user_defined_fields[0].key #=> String # resp.rules[0].criteria.user_defined_fields[0].value #=> String # resp.rules[0].criteria.user_defined_fields[0].comparison #=> String, one of "EQUALS", "NOT_EQUALS", "CONTAINS", "NOT_CONTAINS" + # resp.rules[0].criteria.resource_application_arn #=> Array + # resp.rules[0].criteria.resource_application_arn[0].value #=> String + # resp.rules[0].criteria.resource_application_arn[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS" + # resp.rules[0].criteria.resource_application_name #=> Array + # resp.rules[0].criteria.resource_application_name[0].value #=> String + # resp.rules[0].criteria.resource_application_name[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS" + # resp.rules[0].criteria.aws_account_name #=> Array + # resp.rules[0].criteria.aws_account_name[0].value #=> String + # resp.rules[0].criteria.aws_account_name[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS" # resp.rules[0].actions #=> Array # resp.rules[0].actions[0].type #=> String, one of "FINDING_FIELDS_UPDATE" # resp.rules[0].actions[0].finding_fields_update.note.text #=> String # resp.rules[0].actions[0].finding_fields_update.note.updated_by #=> String # resp.rules[0].actions[0].finding_fields_update.severity.normalized #=> Integer 
@@ -963,10 +972,112 @@ def batch_get_automation_rules(params = {}, options = {}) req = build_request(:batch_get_automation_rules, params) req.send_request(options) end + # Returns associations between an Security Hub configuration and a batch + # of target accounts, organizational units, or the root. Only the + # Security Hub delegated administrator can invoke this operation from + # the home Region. A configuration can refer to a configuration policy + # or to a self-managed configuration. + # + # @option params [required, Array<Types::ConfigurationPolicyAssociation>] :configuration_policy_association_identifiers + # Specifies one or more target account IDs, organizational unit (OU) + # IDs, or the root ID to retrieve associations for. + # + # @return [Types::BatchGetConfigurationPolicyAssociationsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: + # + # * {Types::BatchGetConfigurationPolicyAssociationsResponse#configuration_policy_associations #configuration_policy_associations} => Array&lt;Types::ConfigurationPolicyAssociationSummary&gt; + # * {Types::BatchGetConfigurationPolicyAssociationsResponse#unprocessed_configuration_policy_associations #unprocessed_configuration_policy_associations} => Array&lt;Types::UnprocessedConfigurationPolicyAssociation&gt; + # + # + # @example Example: To get configuration associations for a batch of targets + # + # # This operation provides details about configuration associations for a batch of target accounts, organizational units, + # # or the root. 
+ # + # resp = client.batch_get_configuration_policy_associations({ + # configuration_policy_association_identifiers: [ + # { + # target: { + # account_id: "111122223333", + # }, + # }, + # { + # target: { + # root_id: "r-f6g7h8i9j0example", + # }, + # }, + # ], + # }) + # + # resp.to_h outputs the following: + # { + # configuration_policy_associations: [ + # { + # association_status: "SUCCESS", + # association_status_message: "This field is only populated for a failed association", + # association_type: "INHERITED", + # configuration_policy_id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # target_id: "111122223333", + # target_type: "ACCOUNT", + # updated_at: Time.parse("2023-01-11T06:17:17.154Z"), + # }, + # ], + # unprocessed_configuration_policy_associations: [ + # { + # configuration_policy_association_identifiers: { + # target: { + # root_id: "r-f6g7h8i9j0example", + # }, + # }, + # error_code: "400", + # error_reason: "You do not have sufficient access to perform this action.", + # }, + # ], + # } + # + # @example Request syntax with placeholder values + # + # resp = client.batch_get_configuration_policy_associations({ + # configuration_policy_association_identifiers: [ # required + # { + # target: { + # account_id: "NonEmptyString", + # organizational_unit_id: "NonEmptyString", + # root_id: "NonEmptyString", + # }, + # }, + # ], + # }) + # + # @example Response structure + # + # resp.configuration_policy_associations #=> Array + # resp.configuration_policy_associations[0].configuration_policy_id #=> String + # resp.configuration_policy_associations[0].target_id #=> String + # resp.configuration_policy_associations[0].target_type #=> String, one of "ACCOUNT", "ORGANIZATIONAL_UNIT" + # resp.configuration_policy_associations[0].association_type #=> String, one of "INHERITED", "APPLIED" + # resp.configuration_policy_associations[0].updated_at #=> Time + # resp.configuration_policy_associations[0].association_status #=> String, one of "PENDING", "SUCCESS", 
"FAILED" + # resp.configuration_policy_associations[0].association_status_message #=> String + # resp.unprocessed_configuration_policy_associations #=> Array + # resp.unprocessed_configuration_policy_associations[0].configuration_policy_association_identifiers.target.account_id #=> String + # resp.unprocessed_configuration_policy_associations[0].configuration_policy_association_identifiers.target.organizational_unit_id #=> String + # resp.unprocessed_configuration_policy_associations[0].configuration_policy_association_identifiers.target.root_id #=> String + # resp.unprocessed_configuration_policy_associations[0].error_code #=> String + # resp.unprocessed_configuration_policy_associations[0].error_reason #=> String + # + # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/BatchGetConfigurationPolicyAssociations AWS API Documentation + # + # @overload batch_get_configuration_policy_associations(params = {}) + # @param [Hash] params ({}) + def batch_get_configuration_policy_associations(params = {}, options = {}) + req = build_request(:batch_get_configuration_policy_associations, params) + req.send_request(options) + end + # Provides details about a batch of security controls for the current # Amazon Web Services account and Amazon Web Services Region. # # @option params [required, Array<String>] :security_control_ids # A list of security controls (identified with `SecurityControlId`, 
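Review bot: The doc comment for `batch_get_configuration_policy_associations` does not tell callers that a normal response can still leave out targets. In the example, the root target comes back under `unprocessed_configuration_policy_associations` with an access error while the call returns as usual, so code that reads only `configuration_policy_associations` would treat a partial answer as complete. That matters when the result feeds a coverage or compliance check. I would add to the `@return` section: `# Targets that could not be read are reported in #unprocessed_configuration_policy_associations; check it before treating the result as complete.` The opening sentence also reads "an Security Hub configuration" and should be "a Security Hub configuration".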
@@ -1604,10 +1715,28 @@ # key: "NonEmptyString", # value: "NonEmptyString", # comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS # }, # ], + # resource_application_arn: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], + # resource_application_name: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], + # aws_account_name: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], # }, # actions: [ # { # type: "FINDING_FIELDS_UPDATE", # accepts FINDING_FIELDS_UPDATE # finding_fields_update: { @@ -2033,11 +2162,11 @@ end # Creates an automation rule based on input parameters. # # @option params [Hash<String,String>] :tags - # User-defined tags that help you label the purpose of a rule. + # User-defined tags associated with an automation rule. # # @option params [String] :rule_status # Whether the rule is active after it is created. If this parameter is # equal to `ENABLED`, Security Hub starts applying the rule to findings # and finding updates after the rule is created. To change the value of 
@@ -2397,10 +2526,28 @@ # key: "NonEmptyString", # value: "NonEmptyString", # comparison: "EQUALS", # accepts EQUALS, NOT_EQUALS, CONTAINS, NOT_CONTAINS # }, # ], + # resource_application_arn: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], + # resource_application_name: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], + # aws_account_name: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], # }, # actions: [ # required # { # type: "FINDING_FIELDS_UPDATE", # accepts FINDING_FIELDS_UPDATE # finding_fields_update: { 
@@ -2445,10 +2592,204 @@ def create_automation_rule(params = {}, options = {}) req = build_request(:create_automation_rule, params) req.send_request(options) end + # Creates a configuration policy with the defined configuration. Only + # the Security Hub delegated administrator can invoke this operation + # from the home Region. + # + # @option params [required, String] :name + # The name of the configuration policy. + # + # @option params [String] :description + # The description of the configuration policy. + # + # @option params [required, Types::Policy] :configuration_policy + # An object that defines how Security Hub is configured. It includes + # whether Security Hub is enabled or disabled, a list of enabled + # security standards, a list of enabled or disabled security controls, + # and a list of custom parameter values for specified controls. If you + # provide a list of security controls that are enabled in the + # configuration policy, Security Hub disables all other controls + # (including newly released controls). If you provide a list of security + # controls that are disabled in the configuration policy, Security Hub + # enables all other controls (including newly released controls). + # + # @option params [Hash<String,String>] :tags + # User-defined tags associated with a configuration policy. For more + # information, see [Tagging Security Hub resources][1] in the *Security + # Hub user guide*. 
+ # + # + # + # [1]: https://docs.aws.amazon.com/securityhub/latest/userguide/tagging-resources.html + # + # @return [Types::CreateConfigurationPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: + # + # * {Types::CreateConfigurationPolicyResponse#arn #arn} => String + # * {Types::CreateConfigurationPolicyResponse#id #id} => String + # * {Types::CreateConfigurationPolicyResponse#name #name} => String + # * {Types::CreateConfigurationPolicyResponse#description #description} => String + # * {Types::CreateConfigurationPolicyResponse#updated_at #updated_at} => Time + # * {Types::CreateConfigurationPolicyResponse#created_at #created_at} => Time + # * {Types::CreateConfigurationPolicyResponse#configuration_policy #configuration_policy} => Types::Policy + # + # + # @example Example: To create a configuration policy + # + # # This operation creates a configuration policy in Security Hub. + # + # resp = client.create_configuration_policy({ + # configuration_policy: { + # security_hub: { + # enabled_standard_identifiers: [ + # "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", + # "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", + # ], + # security_controls_configuration: { + # disabled_security_control_identifiers: [ + # "CloudWatch.1", + # ], + # security_control_custom_parameters: [ + # { + # parameters: { + # "daysToExpiration" => { + # value: { + # integer: 14, + # }, + # value_type: "CUSTOM", + # }, + # }, + # security_control_id: "ACM.1", + # }, + # ], + # }, + # service_enabled: true, + # }, + # }, + # description: "Configuration policy for testing FSBP and CIS", + # name: "TestConfigurationPolicy", + # }) + # + # resp.to_h outputs the following: + # { + # arn: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # configuration_policy: { + # security_hub: { + # enabled_standard_identifiers: [ 
+ # "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", + # "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", + # ], + # security_controls_configuration: { + # disabled_security_control_identifiers: [ + # "CloudWatch.1", + # ], + # security_control_custom_parameters: [ + # { + # parameters: { + # "daysToExpiration" => { + # value: { + # integer: 14, + # }, + # value_type: "CUSTOM", + # }, + # }, + # security_control_id: "ACM.1", + # }, + # ], + # }, + # service_enabled: true, + # }, + # }, + # created_at: Time.parse("2023-01-11T06:17:17.154Z"), + # description: "Configuration policy for testing FSBP and CIS", + # id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # name: "TestConfigurationPolicy", + # updated_at: Time.parse("2023-01-11T06:17:17.154Z"), + # } + # + # @example Request syntax with placeholder values + # + # resp = client.create_configuration_policy({ + # name: "NonEmptyString", # required + # description: "NonEmptyString", + # configuration_policy: { # required + # security_hub: { + # service_enabled: false, + # enabled_standard_identifiers: ["NonEmptyString"], + # security_controls_configuration: { + # enabled_security_control_identifiers: ["NonEmptyString"], + # disabled_security_control_identifiers: ["NonEmptyString"], + # security_control_custom_parameters: [ + # { + # security_control_id: "NonEmptyString", + # parameters: { + # "NonEmptyString" => { + # value_type: "DEFAULT", # required, accepts DEFAULT, CUSTOM + # value: { + # integer: 1, + # integer_list: [1], + # double: 1.0, + # string: "NonEmptyString", + # string_list: ["NonEmptyString"], + # boolean: false, + # enum: "NonEmptyString", + # enum_list: ["NonEmptyString"], + # }, + # }, + # }, + # }, + # ], + # }, + # }, + # }, + # tags: { + # "TagKey" => "TagValue", + # }, + # }) + # + # @example Response structure + # + # resp.arn #=> String + # resp.id #=> String + # resp.name #=> String + # resp.description #=> String + # 
resp.updated_at #=> Time + # resp.created_at #=> Time + # resp.configuration_policy.security_hub.service_enabled #=> Boolean + # resp.configuration_policy.security_hub.enabled_standard_identifiers #=> Array + # resp.configuration_policy.security_hub.enabled_standard_identifiers[0] #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers[0] #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers[0] #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].security_control_id #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters #=> Hash + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value_type #=> String, one of "DEFAULT", "CUSTOM" + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer #=> Integer + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list[0] #=> Integer + # 
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.double #=> Float + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list[0] #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.boolean #=> Boolean + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list[0] #=> String + # + # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/CreateConfigurationPolicy AWS API Documentation + # + # @overload create_configuration_policy(params = {}) + # @param [Hash] params ({}) + def create_configuration_policy(params = {}, options = {}) + req = build_request(:create_configuration_policy, params) + req.send_request(options) + end + # Used to enable finding aggregation. Must be called from the # aggregation Region. # # For more details about cross-Region replication, see [Configuring # finding aggregation][1] in the *Security Hub User Guide*. 
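Review bot: The placeholder request for `create_configuration_policy` lists `enabled_security_control_identifiers` and `disabled_security_control_identifiers` side by side, but the docs never say what happens when both are sent. The `:configuration_policy` description gives the two lists opposite effects: an enabled list disables every other control and a disabled list enables every other control, newly released ones included in both cases. A reader who copies the placeholder as written could therefore create a policy that switches off controls they meant to keep. I would annotate the placeholder with something like `# supply either the enabled or the disabled list; behaviour with both is not documented here` and repeat the point in the `:configuration_policy` option text, after confirming it against the API reference.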
@@ -3281,10 +3622,28 @@ # { # value: "NonEmptyString", # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS # }, # ], + # aws_account_name: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], + # resource_application_name: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], + # resource_application_arn: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], # }, # group_by_attribute: "NonEmptyString", # required # }) # # @example Response structure 
@@ -3509,10 +3868,46 @@ def delete_action_target(params = {}, options = {}) req = build_request(:delete_action_target, params) req.send_request(options) end + # Deletes a configuration policy. Only the Security Hub delegated + # administrator can invoke this operation from the home Region. For the + # deletion to succeed, you must first disassociate a configuration + # policy from target accounts, organizational units, or the root by + # invoking the `StartConfigurationPolicyDisassociation` operation. + # + # @option params [required, String] :identifier + # The Amazon Resource Name (ARN) or universally unique identifier (UUID) + # of the configuration policy. + # + # @return [Struct] Returns an empty {Seahorse::Client::Response response}. + # + # + # @example Example: To delete a configuration policy + # + # # This operation deletes the specified configuration policy. + # + # resp = client.delete_configuration_policy({ + # identifier: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # }) + # + # @example Request syntax with placeholder values + # + # resp = client.delete_configuration_policy({ + # identifier: "NonEmptyString", # required + # }) + # + # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/DeleteConfigurationPolicy AWS API Documentation + # + # @overload delete_configuration_policy(params = {}) + # @param [Hash] params ({}) + def delete_configuration_policy(params = {}, options = {}) + req = build_request(:delete_configuration_policy, params) + req.send_request(options) + end + # Deletes a finding aggregator. When you delete the finding aggregator, # you stop finding aggregation. # # When you stop finding aggregation, findings that were already # aggregated to the aggregation Region are still visible from the 
@@ -3828,40 +4223,49 @@ def describe_hub(params = {}, options = {}) req = build_request(:describe_hub, params) req.send_request(options) end - # Returns information about the Organizations configuration for Security - # Hub. Can only be called from a Security Hub administrator account. + # Returns information about the way your organization is configured in + # Security Hub. Only the Security Hub administrator account can invoke + # this operation. # # @return [Types::DescribeOrganizationConfigurationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::DescribeOrganizationConfigurationResponse#auto_enable #auto_enable} => Boolean # * {Types::DescribeOrganizationConfigurationResponse#member_account_limit_reached #member_account_limit_reached} => Boolean # * {Types::DescribeOrganizationConfigurationResponse#auto_enable_standards #auto_enable_standards} => String + # * {Types::DescribeOrganizationConfigurationResponse#organization_configuration #organization_configuration} => Types::OrganizationConfiguration # # - # @example Example: To get information about Organizations configuration + # @example Example: To get information about organization configuration # - # # The following example returns details about the way in which AWS Organizations is configured for a Security Hub account - # # that belongs to an organization. Only a Security Hub administrator account can call this operation. + # # This operation provides information about the way your organization is configured in Security Hub. Only a Security Hub + # # administrator account can invoke this operation. 
# # resp = client.describe_organization_configuration({ # }) # # resp.to_h outputs the following: # { - # auto_enable: true, - # auto_enable_standards: "DEFAULT", - # member_account_limit_reached: true, + # auto_enable: false, + # auto_enable_standards: "NONE", + # member_account_limit_reached: false, + # organization_configuration: { + # configuration_type: "CENTRAL", + # status: "ENABLED", + # }, # } # # @example Response structure # # resp.auto_enable #=> Boolean # resp.member_account_limit_reached #=> Boolean # resp.auto_enable_standards #=> String, one of "NONE", "DEFAULT" + # resp.organization_configuration.configuration_type #=> String, one of "CENTRAL", "LOCAL" + # resp.organization_configuration.status #=> String, one of "PENDING", "ENABLED", "FAILED" + # resp.organization_configuration.status_message #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/DescribeOrganizationConfiguration AWS API Documentation # # @overload describe_organization_configuration(params = {}) # @param [Hash] params ({}) 
@@ -4581,10 +4985,192 @@ def get_administrator_account(params = {}, options = {}) req = build_request(:get_administrator_account, params) req.send_request(options) end + # Provides information about a configuration policy. Only the Security + # Hub delegated administrator can invoke this operation from the home + # Region. + # + # @option params [required, String] :identifier + # The Amazon Resource Name (ARN) or universally unique identifier (UUID) + # of the configuration policy. + # + # @return [Types::GetConfigurationPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: + # + # * {Types::GetConfigurationPolicyResponse#arn #arn} => String + # * {Types::GetConfigurationPolicyResponse#id #id} => String + # * {Types::GetConfigurationPolicyResponse#name #name} => String + # * {Types::GetConfigurationPolicyResponse#description #description} => String + # * {Types::GetConfigurationPolicyResponse#updated_at #updated_at} => Time + # * {Types::GetConfigurationPolicyResponse#created_at #created_at} => Time + # * {Types::GetConfigurationPolicyResponse#configuration_policy #configuration_policy} => Types::Policy + # + # + # @example Example: To get details about a configuration policy + # + # # This operation provides details about the specified configuration policy. 
+ # + # resp = client.get_configuration_policy({ + # identifier: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # }) + # + # resp.to_h outputs the following: + # { + # arn: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # configuration_policy: { + # security_hub: { + # enabled_standard_identifiers: [ + # "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", + # "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", + # ], + # security_controls_configuration: { + # disabled_security_control_identifiers: [ + # "CloudWatch.1", + # ], + # security_control_custom_parameters: [ + # { + # parameters: { + # "daysToExpiration" => { + # value: { + # integer: 14, + # }, + # value_type: "CUSTOM", + # }, + # }, + # security_control_id: "ACM.1", + # }, + # ], + # }, + # service_enabled: true, + # }, + # }, + # created_at: Time.parse("2023-01-11T06:17:17.154Z"), + # description: "Configuration policy for testing FSBP and CIS", + # id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # name: "TestConfigurationPolicy", + # updated_at: Time.parse("2023-01-11T06:17:17.154Z"), + # } + # + # @example Request syntax with placeholder values + # + # resp = client.get_configuration_policy({ + # identifier: "NonEmptyString", # required + # }) + # + # @example Response structure + # + # resp.arn #=> String + # resp.id #=> String + # resp.name #=> String + # resp.description #=> String + # resp.updated_at #=> Time + # resp.created_at #=> Time + # resp.configuration_policy.security_hub.service_enabled #=> Boolean + # resp.configuration_policy.security_hub.enabled_standard_identifiers #=> Array + # resp.configuration_policy.security_hub.enabled_standard_identifiers[0] #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers #=> Array + # 
resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers[0] #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers[0] #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].security_control_id #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters #=> Hash + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value_type #=> String, one of "DEFAULT", "CUSTOM" + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer #=> Integer + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list[0] #=> Integer + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.double #=> Float + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list #=> Array + # 
resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list[0] #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.boolean #=> Boolean + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list[0] #=> String + # + # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetConfigurationPolicy AWS API Documentation + # + # @overload get_configuration_policy(params = {}) + # @param [Hash] params ({}) + def get_configuration_policy(params = {}, options = {}) + req = build_request(:get_configuration_policy, params) + req.send_request(options) + end + + # Returns the association between a configuration and a target account, + # organizational unit, or the root. The configuration can be a + # configuration policy or self-managed behavior. Only the Security Hub + # delegated administrator can invoke this operation from the home + # Region. + # + # @option params [required, Types::Target] :target + # The target account ID, organizational unit ID, or the root ID to + # retrieve the association for. 
+ # + # @return [Types::GetConfigurationPolicyAssociationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: + # + # * {Types::GetConfigurationPolicyAssociationResponse#configuration_policy_id #configuration_policy_id} => String + # * {Types::GetConfigurationPolicyAssociationResponse#target_id #target_id} => String + # * {Types::GetConfigurationPolicyAssociationResponse#target_type #target_type} => String + # * {Types::GetConfigurationPolicyAssociationResponse#association_type #association_type} => String + # * {Types::GetConfigurationPolicyAssociationResponse#updated_at #updated_at} => Time + # * {Types::GetConfigurationPolicyAssociationResponse#association_status #association_status} => String + # * {Types::GetConfigurationPolicyAssociationResponse#association_status_message #association_status_message} => String + # + # + # @example Example: To get details about a configuration association + # + # # This operation provides details about configuration associations for a specific target account, organizational unit, or + # # the root. + # + # resp = client.get_configuration_policy_association({ + # target: { + # account_id: "111122223333", + # }, + # }) + # + # resp.to_h outputs the following: + # { + # association_status: "FAILED", + # association_status_message: "Configuration Policy a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 couldn\u2019t be applied to account 111122223333 in us-east-1 Region. 
Retry your request.", + # association_type: "INHERITED", + # configuration_policy_id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # target_id: "111122223333", + # target_type: "ACCOUNT", + # updated_at: Time.parse("2023-01-11T06:17:17.154Z"), + # } + # + # @example Request syntax with placeholder values + # + # resp = client.get_configuration_policy_association({ + # target: { # required + # account_id: "NonEmptyString", + # organizational_unit_id: "NonEmptyString", + # root_id: "NonEmptyString", + # }, + # }) + # + # @example Response structure + # + # resp.configuration_policy_id #=> String + # resp.target_id #=> String + # resp.target_type #=> String, one of "ACCOUNT", "ORGANIZATIONAL_UNIT" + # resp.association_type #=> String, one of "INHERITED", "APPLIED" + # resp.updated_at #=> Time + # resp.association_status #=> String, one of "PENDING", "SUCCESS", "FAILED" + # resp.association_status_message #=> String + # + # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetConfigurationPolicyAssociation AWS API Documentation + # + # @overload get_configuration_policy_association(params = {}) + # @param [Hash] params ({}) + def get_configuration_policy_association(params = {}, options = {}) + req = build_request(:get_configuration_policy_association, params) + req.send_request(options) + end + # Returns a list of the standards that are currently enabled. # # @option params [Array<String>] :standards_subscription_arns # The list of the standards subscription ARNs for the standards to # retrieve. 
@@ -5693,10 +6279,28 @@ # { # value: "NonEmptyString", # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS # }, # ], + # aws_account_name: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], + # resource_application_name: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], + # resource_application_arn: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], # }, # sort_criteria: [ # { # field: "NonEmptyString", # sort_order: "asc", # accepts asc, desc 
@@ -6198,10 +6802,19 @@ # resp.insights[0].filters.compliance_security_control_parameters_name[0].value #=> String # resp.insights[0].filters.compliance_security_control_parameters_name[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS" # resp.insights[0].filters.compliance_security_control_parameters_value #=> Array # resp.insights[0].filters.compliance_security_control_parameters_value[0].value #=> String # resp.insights[0].filters.compliance_security_control_parameters_value[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS" + # resp.insights[0].filters.aws_account_name #=> Array + # resp.insights[0].filters.aws_account_name[0].value #=> String + # resp.insights[0].filters.aws_account_name[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS" + # resp.insights[0].filters.resource_application_name #=> Array + # resp.insights[0].filters.resource_application_name[0].value #=> String + # resp.insights[0].filters.resource_application_name[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS" + # resp.insights[0].filters.resource_application_arn #=> Array + # resp.insights[0].filters.resource_application_arn[0].value #=> String + # resp.insights[0].filters.resource_application_arn[0].comparison #=> String, one of "EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS", "CONTAINS", "NOT_CONTAINS" # resp.insights[0].group_by_attribute #=> String # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetInsights AWS API Documentation # 
@@ -6615,10 +7228,189 @@ def list_automation_rules(params = {}, options = {}) req = build_request(:list_automation_rules, params) req.send_request(options) end + # Lists the configuration policies that the Security Hub delegated + # administrator has created for your organization. Only the delegated + # administrator can invoke this operation from the home Region. + # + # @option params [String] :next_token + # The NextToken value that's returned from a previous paginated + # `ListConfigurationPolicies` request where `MaxResults` was used but + # the results exceeded the value of that parameter. Pagination continues + # from the `MaxResults` was used but the results exceeded the value of + # that parameter. Pagination continues from the end of the previous + # response that returned the `NextToken` value. This value is `null` + # when there are no more results to return. + # + # @option params [Integer] :max_results + # The maximum number of results that's returned by + # `ListConfigurationPolicies` in each page of the response. When this + # parameter is used, `ListConfigurationPolicies` returns the specified + # number of results in a single page and a `NextToken` response element. + # You can see the remaining results of the initial request by sending + # another `ListConfigurationPolicies` request with the returned + # `NextToken` value. A valid range for `MaxResults` is between 1 and + # 100. + # + # @return [Types::ListConfigurationPoliciesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: + # + # * {Types::ListConfigurationPoliciesResponse#configuration_policy_summaries #configuration_policy_summaries} => Array&lt;Types::ConfigurationPolicySummary&gt; + # * {Types::ListConfigurationPoliciesResponse#next_token #next_token} => String + # + # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. 
+ # + # + # @example Example: To view a list of configuration policies + # + # # This operation provides a list of your configuration policies, including metadata for each policy. + # + # resp = client.list_configuration_policies({ + # max_results: 1, + # next_token: "U1FsdGVkX19nBV2zoh+Gou9NgnulLJHWpn9xnG4hqSOhvw3o2JqjI86QDxdf", + # }) + # + # resp.to_h outputs the following: + # { + # configuration_policy_summaries: [ + # { + # arn: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # description: "Configuration policy for testing FSBP and CIS", + # id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # name: "TestConfigurationPolicy", + # service_enabled: true, + # updated_at: Time.parse("2023-01-11T06:17:17.154Z"), + # }, + # ], + # next_token: "U1FsdGVkX19nBV2zoh+Gou9NgnulLJHWpn9xnG4hqSOfvw3o2JqjI86QDxef", + # } + # + # @example Request syntax with placeholder values + # + # resp = client.list_configuration_policies({ + # next_token: "NextToken", + # max_results: 1, + # }) + # + # @example Response structure + # + # resp.configuration_policy_summaries #=> Array + # resp.configuration_policy_summaries[0].arn #=> String + # resp.configuration_policy_summaries[0].id #=> String + # resp.configuration_policy_summaries[0].name #=> String + # resp.configuration_policy_summaries[0].description #=> String + # resp.configuration_policy_summaries[0].updated_at #=> Time + # resp.configuration_policy_summaries[0].service_enabled #=> Boolean + # resp.next_token #=> String + # + # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ListConfigurationPolicies AWS API Documentation + # + # @overload list_configuration_policies(params = {}) + # @param [Hash] params ({}) + def list_configuration_policies(params = {}, options = {}) + req = build_request(:list_configuration_policies, params) + req.send_request(options) + end + + # Provides information about the associations for your configuration + # policies and 
self-managed behavior. Only the Security Hub delegated + # administrator can invoke this operation from the home Region. + # + # @option params [String] :next_token + # The `NextToken` value that's returned from a previous paginated + # `ListConfigurationPolicyAssociations` request where `MaxResults` was + # used but the results exceeded the value of that parameter. Pagination + # continues from the end of the previous response that returned the + # `NextToken` value. This value is `null` when there are no more results + # to return. + # + # @option params [Integer] :max_results + # The maximum number of results that's returned by + # `ListConfigurationPolicies` in each page of the response. When this + # parameter is used, `ListConfigurationPolicyAssociations` returns the + # specified number of results in a single page and a `NextToken` + # response element. You can see the remaining results of the initial + # request by sending another `ListConfigurationPolicyAssociations` + # request with the returned `NextToken` value. A valid range for + # `MaxResults` is between 1 and 100. + # + # @option params [Types::AssociationFilters] :filters + # Options for filtering the `ListConfigurationPolicyAssociations` + # response. You can filter by the Amazon Resource Name (ARN) or + # universally unique identifier (UUID) of a configuration, + # `AssociationType`, or `AssociationStatus`. + # + # @return [Types::ListConfigurationPolicyAssociationsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: + # + # * {Types::ListConfigurationPolicyAssociationsResponse#configuration_policy_association_summaries #configuration_policy_association_summaries} => Array&lt;Types::ConfigurationPolicyAssociationSummary&gt; + # * {Types::ListConfigurationPolicyAssociationsResponse#next_token #next_token} => String + # + # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. 
For details on usage see {Aws::PageableResponse PageableResponse}. + # + # + # @example Example: To list configuration associations + # + # # This operation lists all of the associations between targets and configuration policies or self-managed behavior. + # # Targets can include accounts, organizational units, or the root. + # + # resp = client.list_configuration_policy_associations({ + # filters: { + # association_type: "APPLIED", + # }, + # max_results: 1, + # next_token: "U1FsdGVkX19nBV2zoh+Gou9NgnulLJHWpn9xnG4hqSOhvw3o2JqjI86QDxdf", + # }) + # + # resp.to_h outputs the following: + # { + # configuration_policy_association_summaries: [ + # { + # association_status: "PENDING", + # association_type: "APPLIED", + # configuration_policy_id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # target_id: "123456789012", + # target_type: "ACCOUNT", + # updated_at: Time.parse("2023-01-11T06:17:17.154Z"), + # }, + # ], + # next_token: "U1FsdGVkX19nBV2zoh+Gou9NgnulLJHWpn9xnG4hqSOfvw3o2JqjI86QDxef", + # } + # + # @example Request syntax with placeholder values + # + # resp = client.list_configuration_policy_associations({ + # next_token: "NextToken", + # max_results: 1, + # filters: { + # configuration_policy_id: "NonEmptyString", + # association_type: "INHERITED", # accepts INHERITED, APPLIED + # association_status: "PENDING", # accepts PENDING, SUCCESS, FAILED + # }, + # }) + # + # @example Response structure + # + # resp.configuration_policy_association_summaries #=> Array + # resp.configuration_policy_association_summaries[0].configuration_policy_id #=> String + # resp.configuration_policy_association_summaries[0].target_id #=> String + # resp.configuration_policy_association_summaries[0].target_type #=> String, one of "ACCOUNT", "ORGANIZATIONAL_UNIT" + # resp.configuration_policy_association_summaries[0].association_type #=> String, one of "INHERITED", "APPLIED" + # resp.configuration_policy_association_summaries[0].updated_at #=> Time + # 
resp.configuration_policy_association_summaries[0].association_status #=> String, one of "PENDING", "SUCCESS", "FAILED" + # resp.configuration_policy_association_summaries[0].association_status_message #=> String + # resp.next_token #=> String + # + # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/ListConfigurationPolicyAssociations AWS API Documentation + # + # @overload list_configuration_policy_associations(params = {}) + # @param [Hash] params ({}) + def list_configuration_policy_associations(params = {}, options = {}) + req = build_request(:list_configuration_policy_associations, params) + req.send_request(options) + end + # Lists all findings-generating solutions (products) that you are # subscribed to receive findings from in Security Hub. # # @option params [String] :next_token # The token that is required for pagination. On your first call to the 
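Review bot: Two of the doc comments added in this hunk carry copy-paste errors. In `list_configuration_policies`, the `:next_token` text repeats a clause ("Pagination continues from the `MaxResults` was used but the results exceeded the value of that parameter.") before the intended sentence; the repeated clause should be dropped so that it reads `# the results exceeded the value of that parameter. Pagination continues from the end of the previous response that returned the NextToken value.` In `list_configuration_policy_associations`, the `:max_results` text says the results are "returned by `ListConfigurationPolicies`" where it should name `ListConfigurationPolicyAssociations`. Both responses are documented as pageable and both examples pass `max_results: 1`, so a one-line comment that an inventory or audit of policies must iterate every page would help. If this file is generated, the wording fixes presumably belong in the service model.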
@@ -7249,10 +8041,140 @@ def list_tags_for_resource(params = {}, options = {}) req = build_request(:list_tags_for_resource, params) req.send_request(options) end + # Associates a target account, organizational unit, or the root with a + # specified configuration. The target can be associated with a + # configuration policy or self-managed behavior. Only the Security Hub + # delegated administrator can invoke this operation from the home + # Region. + # + # @option params [required, String] :configuration_policy_identifier + # The Amazon Resource Name (ARN) or universally unique identifier (UUID) + # of the configuration policy. + # + # @option params [required, Types::Target] :target + # The identifier of the target account, organizational unit, or the root + # to associate with the specified configuration. + # + # @return [Types::StartConfigurationPolicyAssociationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: + # + # * {Types::StartConfigurationPolicyAssociationResponse#configuration_policy_id #configuration_policy_id} => String + # * {Types::StartConfigurationPolicyAssociationResponse#target_id #target_id} => String + # * {Types::StartConfigurationPolicyAssociationResponse#target_type #target_type} => String + # * {Types::StartConfigurationPolicyAssociationResponse#association_type #association_type} => String + # * {Types::StartConfigurationPolicyAssociationResponse#updated_at #updated_at} => Time + # * {Types::StartConfigurationPolicyAssociationResponse#association_status #association_status} => String + # * {Types::StartConfigurationPolicyAssociationResponse#association_status_message #association_status_message} => String + # + # + # @example Example: To associate a configuration with a target + # + # # This operation associates a configuration policy or self-managed behavior with the target account, organizational unit, + # # or the root. 
+ # + # resp = client.start_configuration_policy_association({ + # configuration_policy_identifier: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # target: { + # account_id: "111122223333", + # }, + # }) + # + # resp.to_h outputs the following: + # { + # association_status: "SUCCESS", + # association_status_message: "This field is populated only if the association fails", + # association_type: "APPLIED", + # configuration_policy_id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # target_id: "111122223333", + # target_type: "ACCOUNT", + # updated_at: Time.parse("2023-01-11T06:17:17.154Z"), + # } + # + # @example Request syntax with placeholder values + # + # resp = client.start_configuration_policy_association({ + # configuration_policy_identifier: "NonEmptyString", # required + # target: { # required + # account_id: "NonEmptyString", + # organizational_unit_id: "NonEmptyString", + # root_id: "NonEmptyString", + # }, + # }) + # + # @example Response structure + # + # resp.configuration_policy_id #=> String + # resp.target_id #=> String + # resp.target_type #=> String, one of "ACCOUNT", "ORGANIZATIONAL_UNIT" + # resp.association_type #=> String, one of "INHERITED", "APPLIED" + # resp.updated_at #=> Time + # resp.association_status #=> String, one of "PENDING", "SUCCESS", "FAILED" + # resp.association_status_message #=> String + # + # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/StartConfigurationPolicyAssociation AWS API Documentation + # + # @overload start_configuration_policy_association(params = {}) + # @param [Hash] params ({}) + def start_configuration_policy_association(params = {}, options = {}) + req = build_request(:start_configuration_policy_association, params) + req.send_request(options) + end + + # Disassociates a target account, organizational unit, or the root from + # a specified configuration. 
When you disassociate a configuration from + # its target, the target inherits the configuration of the closest + # parent. If there’s no configuration to inherit, the target retains its + # settings but becomes a self-managed account. A target can be + # disassociated from a configuration policy or self-managed behavior. + # Only the Security Hub delegated administrator can invoke this + # operation from the home Region. + # + # @option params [Types::Target] :target + # The identifier of the target account, organizational unit, or the root + # to disassociate from the specified configuration. + # + # @option params [required, String] :configuration_policy_identifier + # The Amazon Resource Name (ARN) or universally unique identifier (UUID) + # of the configuration policy. + # + # @return [Struct] Returns an empty {Seahorse::Client::Response response}. + # + # + # @example Example: To disassociate a configuration from a target + # + # # This operation disassociates a configuration policy or self-managed behavior from the target account, organizational + # # unit, or the root. 
+ # + # resp = client.start_configuration_policy_disassociation({ + # configuration_policy_identifier: "SELF_MANAGED_SECURITY_HUB", + # target: { + # root_id: "r-f6g7h8i9j0example", + # }, + # }) + # + # @example Request syntax with placeholder values + # + # resp = client.start_configuration_policy_disassociation({ + # target: { + # account_id: "NonEmptyString", + # organizational_unit_id: "NonEmptyString", + # root_id: "NonEmptyString", + # }, + # configuration_policy_identifier: "NonEmptyString", # required + # }) + # + # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/StartConfigurationPolicyDisassociation AWS API Documentation + # + # @overload start_configuration_policy_disassociation(params = {}) + # @param [Hash] params ({}) + def start_configuration_policy_disassociation(params = {}, options = {}) + req = build_request(:start_configuration_policy_disassociation, params) + req.send_request(options) + end + # Adds one or more tags to a resource. # # @option params [required, String] :resource_arn # The ARN of the resource to apply the tags to. # 
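Review bot: The docs for `start_configuration_policy_disassociation` mark `:target` as optional (`@option params [Types::Target] :target`), while `start_configuration_policy_association` in the same hunk marks it required, and nothing says what a request without `target` does. The description states that a disassociated target falls back to the closest parent's configuration or becomes self-managed, so the comment should spell this case out, e.g. `# If :target is omitted, <behaviour to confirm against the service model>.` The call returns an empty response, so a pointer such as `# Check the resulting state with #get_configuration_policy_association.` would tell callers how to confirm the outcome. The documented `target_type` values are only "ACCOUNT" and "ORGANIZATIONAL_UNIT" although the text allows the root as a target, so callers that branch on it should tolerate an unlisted value.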
@@ -7374,10 +8296,209 @@ def update_action_target(params = {}, options = {}) req = build_request(:update_action_target, params) req.send_request(options) end + # Updates a configuration policy. Only the Security Hub delegated + # administrator can invoke this operation from the home Region. + # + # @option params [required, String] :identifier + # The Amazon Resource Name (ARN) or universally unique identifier (UUID) + # of the configuration policy. + # + # @option params [String] :name + # The name of the configuration policy. + # + # @option params [String] :description + # The description of the configuration policy. + # + # @option params [String] :updated_reason + # The reason for updating the configuration policy. + # + # @option params [Types::Policy] :configuration_policy + # An object that defines how Security Hub is configured. It includes + # whether Security Hub is enabled or disabled, a list of enabled + # security standards, a list of enabled or disabled security controls, + # and a list of custom parameter values for specified controls. If you + # provide a list of security controls that are enabled in the + # configuration policy, Security Hub disables all other controls + # (including newly released controls). If you provide a list of security + # controls that are disabled in the configuration policy, Security Hub + # enables all other controls (including newly released controls). + # + # When updating a configuration policy, provide a complete list of + # standards that you want to enable and a complete list of controls that + # you want to enable or disable. The updated configuration replaces the + # current configuration. 
+ # + # @return [Types::UpdateConfigurationPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: + # + # * {Types::UpdateConfigurationPolicyResponse#arn #arn} => String + # * {Types::UpdateConfigurationPolicyResponse#id #id} => String + # * {Types::UpdateConfigurationPolicyResponse#name #name} => String + # * {Types::UpdateConfigurationPolicyResponse#description #description} => String + # * {Types::UpdateConfigurationPolicyResponse#updated_at #updated_at} => Time + # * {Types::UpdateConfigurationPolicyResponse#created_at #created_at} => Time + # * {Types::UpdateConfigurationPolicyResponse#configuration_policy #configuration_policy} => Types::Policy + # + # + # @example Example: To update a configuration policy + # + # # This operation updates the specified configuration policy. + # + # resp = client.update_configuration_policy({ + # configuration_policy: { + # security_hub: { + # enabled_standard_identifiers: [ + # "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", + # "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", + # ], + # security_controls_configuration: { + # disabled_security_control_identifiers: [ + # "CloudWatch.1", + # "CloudWatch.2", + # ], + # security_control_custom_parameters: [ + # { + # parameters: { + # "daysToExpiration" => { + # value: { + # integer: 21, + # }, + # value_type: "CUSTOM", + # }, + # }, + # security_control_id: "ACM.1", + # }, + # ], + # }, + # service_enabled: true, + # }, + # }, + # description: "Updated configuration policy for testing FSBP and CIS", + # identifier: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # name: "TestConfigurationPolicy", + # updated_reason: "Enabling ACM.2", + # }) + # + # resp.to_h outputs the following: + # { + # arn: "arn:aws:securityhub:us-east-1:123456789012:configuration-policy/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + 
# configuration_policy: { + # security_hub: { + # enabled_standard_identifiers: [ + # "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0", + # "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", + # ], + # security_controls_configuration: { + # disabled_security_control_identifiers: [ + # "CloudWatch.1", + # "CloudWatch.2", + # ], + # security_control_custom_parameters: [ + # { + # parameters: { + # "daysToExpiration" => { + # value: { + # integer: 21, + # }, + # value_type: "CUSTOM", + # }, + # }, + # security_control_id: "ACM.1", + # }, + # ], + # }, + # service_enabled: true, + # }, + # }, + # created_at: Time.parse("2023-01-11T06:17:17.154Z"), + # description: "Updated configuration policy for testing FSBP and CIS", + # id: "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + # name: "TestConfigurationPolicy", + # updated_at: Time.parse("2023-01-12T06:17:17.154Z"), + # } + # + # @example Request syntax with placeholder values + # + # resp = client.update_configuration_policy({ + # identifier: "NonEmptyString", # required + # name: "NonEmptyString", + # description: "NonEmptyString", + # updated_reason: "NonEmptyString", + # configuration_policy: { + # security_hub: { + # service_enabled: false, + # enabled_standard_identifiers: ["NonEmptyString"], + # security_controls_configuration: { + # enabled_security_control_identifiers: ["NonEmptyString"], + # disabled_security_control_identifiers: ["NonEmptyString"], + # security_control_custom_parameters: [ + # { + # security_control_id: "NonEmptyString", + # parameters: { + # "NonEmptyString" => { + # value_type: "DEFAULT", # required, accepts DEFAULT, CUSTOM + # value: { + # integer: 1, + # integer_list: [1], + # double: 1.0, + # string: "NonEmptyString", + # string_list: ["NonEmptyString"], + # boolean: false, + # enum: "NonEmptyString", + # enum_list: ["NonEmptyString"], + # }, + # }, + # }, + # }, + # ], + # }, + # }, + # }, + # }) + # + # @example Response structure 
+ # + # resp.arn #=> String + # resp.id #=> String + # resp.name #=> String + # resp.description #=> String + # resp.updated_at #=> Time + # resp.created_at #=> Time + # resp.configuration_policy.security_hub.service_enabled #=> Boolean + # resp.configuration_policy.security_hub.enabled_standard_identifiers #=> Array + # resp.configuration_policy.security_hub.enabled_standard_identifiers[0] #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.enabled_security_control_identifiers[0] #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.disabled_security_control_identifiers[0] #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].security_control_id #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters #=> Hash + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value_type #=> String, one of "DEFAULT", "CUSTOM" + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer #=> Integer + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.integer_list[0] #=> 
Integer + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.double #=> Float + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.string_list[0] #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.boolean #=> Boolean + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum #=> String + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list #=> Array + # resp.configuration_policy.security_hub.security_controls_configuration.security_control_custom_parameters[0].parameters["NonEmptyString"].value.enum_list[0] #=> String + # + # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/UpdateConfigurationPolicy AWS API Documentation + # + # @overload update_configuration_policy(params = {}) + # @param [Hash] params ({}) + def update_configuration_policy(params = {}, options = {}) + req = build_request(:update_configuration_policy, params) + req.send_request(options) + end + # Updates the finding aggregation configuration. Used to update the # Region linking mode and the list of included or excluded Regions. You # cannot use `UpdateFindingAggregator` to change the aggregation Region. 
# # You must run `UpdateFindingAggregator` from the current aggregation @@ -8178,10 +9299,28 @@ # { # value: "NonEmptyString", # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS # }, # ], + # aws_account_name: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], + # resource_application_name: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], + # resource_application_arn: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], # }, # note: { # text: "NonEmptyString", # required # updated_by: "NonEmptyString", # required # }, @@ -8918,10 +10057,28 @@ # { # value: "NonEmptyString", # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS # }, # ], + # aws_account_name: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], + # resource_application_name: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], + # resource_application_arn: [ + # { + # value: "NonEmptyString", + # comparison: "EQUALS", # accepts EQUALS, PREFIX, NOT_EQUALS, PREFIX_NOT_EQUALS, CONTAINS, NOT_CONTAINS + # }, + # ], # }, # group_by_attribute: "NonEmptyString", # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/UpdateInsight AWS API Documentation 
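Review bot: The replace-not-merge behaviour of `update_configuration_policy` is easy to miss. It is stated only in the last paragraph of the `:configuration_policy` option text, while the method summary says just "Updates a configuration policy." That option text also says that listing enabled controls disables all others, including newly released ones, so a caller who sends a partial policy could switch off standards or controls for the policy's targets without noticing. I would lift the caveat into the summary, e.g. `# Replaces the whole policy: send the complete desired list of standards and controls, since the updated configuration replaces the current one.` The worked example is also inconsistent: it passes `updated_reason: "Enabling ACM.2"` while the request only sets a custom parameter for `ACM.1` and disables `CloudWatch.1` and `CloudWatch.2`. If the file is generated, both fixes presumably belong in the service model.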
@@ -8931,55 +10088,79 @@ def update_insight(params = {}, options = {}) req = build_request(:update_insight, params) req.send_request(options) end - # Used to update the configuration related to Organizations. Can only be - # called from a Security Hub administrator account. + # Updates the configuration of your organization in Security Hub. Only + # the Security Hub administrator account can invoke this operation. # # @option params [required, Boolean] :auto_enable - # Whether to automatically enable Security Hub for new accounts in the - # organization. + # Whether to automatically enable Security Hub in new member accounts + # when they join the organization. # - # By default, this is `false`, and new accounts are not added - # automatically. + # If set to `true`, then Security Hub is automatically enabled in new + # accounts. If set to `false`, then Security Hub isn't enabled in new + # accounts automatically. The default value is `false`. # - # To automatically enable Security Hub for new accounts, set this to - # `true`. + # If the `ConfigurationType` of your organization is set to `CENTRAL`, + # then this field is set to `false` and can't be changed in the home + # Region and linked Regions. However, in that case, the delegated + # administrator can create a configuration policy in which Security Hub + # is enabled and associate the policy with new organization accounts. # # @option params [String] :auto_enable_standards - # Whether to automatically enable Security Hub [default standards][1] - # for new member accounts in the organization. + # Whether to automatically enable Security Hub [default standards][1] in + # new member accounts when they join the organization. # - # By default, this parameter is equal to `DEFAULT`, and new member - # accounts are automatically enabled with default Security Hub - # standards. + # The default value of this parameter is equal to `DEFAULT`. 
# - # To opt out of enabling default standards for new member accounts, set - # this parameter equal to `NONE`. + # If equal to `DEFAULT`, then Security Hub default standards are + # automatically enabled for new member accounts. If equal to `NONE`, + # then default standards are not automatically enabled for new member + # accounts. # + # If the `ConfigurationType` of your organization is set to `CENTRAL`, + # then this field is set to `NONE` and can't be changed in the home + # Region and linked Regions. However, in that case, the delegated + # administrator can create a configuration policy in which specific + # security standards are enabled and associate the policy with new + # organization accounts. # # + # # [1]: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html # + # @option params [Types::OrganizationConfiguration] :organization_configuration + # Provides information about the way an organization is configured in + # Security Hub. + # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # # @example Example: To update organization configuration # - # # The following example updates the configuration for an organization so that Security Hub is automatically activated for - # # new member accounts. Only the Security Hub administrator account can call this operation. + # # This operation updates the way your organization is configured in Security Hub. Only a Security Hub administrator + # # account can invoke this operation. 
# # resp = client.update_organization_configuration({ - # auto_enable: true, + # auto_enable: false, + # auto_enable_standards: "NONE", + # organization_configuration: { + # configuration_type: "CENTRAL", + # }, # }) # # @example Request syntax with placeholder values # # resp = client.update_organization_configuration({ # auto_enable: false, # required # auto_enable_standards: "NONE", # accepts NONE, DEFAULT + # organization_configuration: { + # configuration_type: "CENTRAL", # accepts CENTRAL, LOCAL + # status: "PENDING", # accepts PENDING, ENABLED, FAILED + # status_message: "NonEmptyString", + # }, # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/UpdateOrganizationConfiguration AWS API Documentation # # @overload update_organization_configuration(params = {}) @@ -9163,10 +10344,10 @@ operation: config.api.operation(operation_name), client: self, params: params, config: config) context[:gem_name] = 'aws-sdk-securityhub' - context[:gem_version] = '1.96.0' + context[:gem_version] = '1.97.0' Seahorse::Client::Request.new(handlers, context) end # @api private # @deprecated
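Review bot: In the `update_organization_configuration` hunk, the new example switches the organization to `configuration_type: "CENTRAL"` with `auto_enable: false` and `auto_enable_standards: "NONE"`, but its comment omits the consequence that the parameter text above it states. Under `CENTRAL`, accounts joining the organization get Security Hub and standards only through a configuration policy that the delegated administrator associates with them. A reader who copies the example without that follow-up step may leave new member accounts without Security Hub coverage, so I would extend the example comment with something like `# With CENTRAL, new accounts are covered only once a configuration policy is associated with them.` The request-syntax block also lists `status` and `status_message` under `organization_configuration`; these look like values reported by the service rather than caller input (inferred from the `PENDING`/`ENABLED`/`FAILED` values), so the `:organization_configuration` description should say which fields a caller is expected to set. The method definition itself lies outside the hunk.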