diff --git a/CHANGELOG.md b/CHANGELOG.md index 77d90929448..4c648062234 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,18 @@ +Release v1.49.22 (2024-01-16) +=== + +### Service Client Updates +* `service/iot`: Updates service API + * Revert release of LogTargetTypes +* `service/iotfleetwise`: Updates service API and documentation +* `service/macie2`: Updates service API and documentation +* `service/payment-cryptography`: Updates service API and documentation +* `service/personalize`: Updates service documentation +* `service/personalize-runtime`: Updates service documentation +* `service/rekognition`: Updates service API and documentation + * This release adds ContentType and TaxonomyLevel attributes to DetectModerationLabels and GetMediaAnalysisJob API responses. +* `service/securityhub`: Updates service documentation + Release v1.49.21 (2024-01-14) === diff --git a/aws/endpoints/defaults.go b/aws/endpoints/defaults.go index 69418ba1c7f..d8ee8b14ef2 100644 --- a/aws/endpoints/defaults.go +++ b/aws/endpoints/defaults.go @@ -21758,6 +21758,14 @@ var awsPartition = partition{ Region: "il-central-1", }, }, + endpointKey{ + Region: "me-central-1", + }: endpoint{ + Hostname: "oidc.me-central-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "me-central-1", + }, + }, endpointKey{ Region: "me-south-1", }: endpoint{ diff --git a/aws/version.go b/aws/version.go index fc9a2e5040c..8f8370e8ad9 100644 --- a/aws/version.go +++ b/aws/version.go @@ -5,4 +5,4 @@ package aws const SDKName = "aws-sdk-go" // SDKVersion is the version of this SDK -const SDKVersion = "1.49.21" +const SDKVersion = "1.49.22" diff --git a/models/apis/iot/2015-05-28/api-2.json b/models/apis/iot/2015-05-28/api-2.json index 26cf45d713a..e19ba06561c 100644 --- a/models/apis/iot/2015-05-28/api-2.json +++ b/models/apis/iot/2015-05-28/api-2.json @@ -11406,9 +11406,7 @@ "THING_GROUP", "CLIENT_ID", "SOURCE_IP", - "PRINCIPAL_ID", - "EVENT_TYPE", - "DEVICE_DEFENDER" + "PRINCIPAL_ID" ] }, "LoggingOptionsPayload":{ diff --git a/models/apis/iotfleetwise/2021-06-17/api-2.json b/models/apis/iotfleetwise/2021-06-17/api-2.json index 3cd00c74c5b..076c111cdee 100644 --- a/models/apis/iotfleetwise/2021-06-17/api-2.json +++ b/models/apis/iotfleetwise/2021-06-17/api-2.json @@ -2085,7 +2085,8 @@ "members":{ "name":{"shape":"resourceName"}, "nextToken":{"shape":"nextToken"}, - "maxResults":{"shape":"maxResults"} + "maxResults":{"shape":"maxResults"}, + "signalNodeType":{"shape":"SignalNodeType"} } }, "ListSignalCatalogNodesResponse":{ @@ -2667,6 +2668,17 @@ "max":1000, "min":0 }, + "SignalNodeType":{ + "type":"string", + "enum":[ + "SENSOR", + "ACTUATOR", + "ATTRIBUTE", + "BRANCH", + "CUSTOM_STRUCT", + "CUSTOM_PROPERTY" + ] + }, "SpoolingMode":{ "type":"string", "enum":[ @@ -3152,7 +3164,8 @@ "modelManifestArn":{"shape":"arn"}, "decoderManifestArn":{"shape":"arn"}, "creationTime":{"shape":"timestamp"}, - "lastModificationTime":{"shape":"timestamp"} + "lastModificationTime":{"shape":"timestamp"}, + "attributes":{"shape":"attributesMap"} } }, "arn":{"type":"string"}, diff --git a/models/apis/iotfleetwise/2021-06-17/docs-2.json b/models/apis/iotfleetwise/2021-06-17/docs-2.json index 21e7c230ef9..baa420c9b64 100644 --- a/models/apis/iotfleetwise/2021-06-17/docs-2.json +++ b/models/apis/iotfleetwise/2021-06-17/docs-2.json @@ -1138,6 +1138,12 @@ "GetCampaignResponse$signalsToCollect": "

Information about a list of signals to collect data on.

" } }, + "SignalNodeType": { + "base": null, + "refs": { + "ListSignalCatalogNodesRequest$signalNodeType": "

The type of node in the signal catalog.

" + } + }, "SpoolingMode": { "base": null, "refs": { @@ -1578,7 +1584,8 @@ "CreateVehicleRequestItem$attributes": "

Static information about a vehicle in a key-value pair. For example: \"engine Type\" : \"v6\"

", "GetVehicleResponse$attributes": "

Static information about a vehicle in a key-value pair. For example:

\"engineType\" : \"1.3 L R2\"

", "UpdateVehicleRequest$attributes": "

Static information about a vehicle in a key-value pair. For example:

\"engineType\" : \"1.3 L R2\"

", - "UpdateVehicleRequestItem$attributes": "

Static information about a vehicle in a key-value pair. For example:

\"engineType\" : \"1.3 L R2\"

" + "UpdateVehicleRequestItem$attributes": "

Static information about a vehicle in a key-value pair. For example:

\"engineType\" : \"1.3 L R2\"

", + "VehicleSummary$attributes": "

Static information about a vehicle in a key-value pair. For example:

\"engineType\" : \"1.3 L R2\"

" } }, "campaignName": { @@ -1696,7 +1703,7 @@ "eventExpression": { "base": null, "refs": { - "ConditionBasedCollectionScheme$expression": "

The logical expression used to recognize what data to collect. For example, $variable.Vehicle.OutsideAirTemperature >= 105.0.

" + "ConditionBasedCollectionScheme$expression": "

The logical expression used to recognize what data to collect. For example, $variable.`Vehicle.OutsideAirTemperature` >= 105.0.

" } }, "fleetId": { diff --git a/models/apis/macie2/2020-01-01/api-2.json b/models/apis/macie2/2020-01-01/api-2.json index fd5bffdbb9d..13f41c0df5f 100644 --- a/models/apis/macie2/2020-01-01/api-2.json +++ b/models/apis/macie2/2020-01-01/api-2.json @@ -4452,7 +4452,8 @@ "NONE", "AES256", "aws:kms", - "UNKNOWN" + "UNKNOWN", + "aws:kms:dsse" ] }, "ErrorCode": { @@ -7703,7 +7704,8 @@ "enum": [ "NONE", "AES256", - "aws:kms" + "aws:kms", + "aws:kms:dsse" ] }, "UnavailabilityReasonCode": { @@ -8632,4 +8634,4 @@ "timestampFormat": "unixTimestamp" } } -} \ No newline at end of file +} diff --git a/models/apis/macie2/2020-01-01/docs-2.json b/models/apis/macie2/2020-01-01/docs-2.json index 350485fcb7b..2ee200211c2 100644 --- a/models/apis/macie2/2020-01-01/docs-2.json +++ b/models/apis/macie2/2020-01-01/docs-2.json @@ -1241,13 +1241,13 @@ "base" : "

Provides information about the access method and settings that are used to retrieve occurrences of sensitive data reported by findings.

", "refs" : { "GetRevealConfigurationResponse$RetrievalConfiguration" : "

The access method and settings that are used to retrieve the sensitive data.

", - "UpdateRevealConfigurationResponse$RetrievalConfiguration" : "

The access method and settings to use to retrieve the sensitive data.

" + "UpdateRevealConfigurationResponse$RetrievalConfiguration" : "

The access method and settings to use when retrieving the sensitive data.

" } }, "RetrievalMode" : { "base" : "

The access method to use when retrieving occurrences of sensitive data reported by findings. Valid values are:

", "refs" : { - "RetrievalConfiguration$RetrievalMode" : "

The access method that's used when retrieving sensitive data from affected S3 objects. Valid values are: ASSUME_ROLE, assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie (roleName); and, CALLER_CREDENTIALS, use the credentials of the IAM user who requests the sensitive data.

", + "RetrievalConfiguration$RetrievalMode" : "

The access method that's used to retrieve sensitive data from affected S3 objects. Valid values are: ASSUME_ROLE, assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie (roleName); and, CALLER_CREDENTIALS, use the credentials of the IAM user who requests the sensitive data.

", "UpdateRetrievalConfiguration$RetrievalMode" : "

The access method to use when retrieving sensitive data from affected S3 objects. Valid values are: ASSUME_ROLE, assume an IAM role that is in the affected Amazon Web Services account and delegates access to Amazon Macie; and, CALLER_CREDENTIALS, use the credentials of the IAM user who requests the sensitive data. If you specify ASSUME_ROLE, also specify the name of an existing IAM role for Macie to assume (roleName).

If you change this value from ASSUME_ROLE to CALLER_CREDENTIALS for an existing configuration, Macie permanently deletes the external ID and role name currently specified for the configuration. These settings can't be recovered after they're deleted.

" } }, @@ -1268,7 +1268,7 @@ "RevealStatus" : { "base" : "

The status of the configuration for retrieving occurrences of sensitive data reported by findings. Valid values are:

", "refs" : { - "RevealConfiguration$Status" : "

The status of the configuration for the Amazon Macie account. In a request, valid values are: ENABLED, enable the configuration for the account; and, DISABLED, disable the configuration for the account. In a response, possible values are: ENABLED, the configuration is currently enabled for the account; and, DISABLED, the configuration is currently disabled for the account.

" + "RevealConfiguration$Status" : "

The status of the configuration for the Amazon Macie account. In a response, possible values are: ENABLED, the configuration is currently enabled for the account; and, DISABLED, the configuration is currently disabled for the account. In a request, valid values are: ENABLED, enable the configuration for the account; and, DISABLED, disable the configuration for the account.

If you disable the configuration, you also permanently delete current settings that specify how to access affected S3 objects. If your current access method is ASSUME_ROLE, Macie also deletes the external ID and role name currently specified for the configuration. These settings can't be recovered after they're deleted.

" } }, "S3Bucket" : { @@ -1699,7 +1699,7 @@ "Type" : { "base" : null, "refs" : { - "BucketServerSideEncryption$Type" : "

The server-side encryption algorithm that's used by default to encrypt objects that are added to the bucket. Possible values are:

" + "BucketServerSideEncryption$Type" : "

The server-side encryption algorithm that's used by default to encrypt objects that are added to the bucket. Possible values are:

" } }, "UnavailabilityReasonCode" : { @@ -1777,13 +1777,13 @@ "refs" : { } }, "UpdateRetrievalConfiguration" : { - "base" : "

Specifies the access method and settings to use when retrieving occurrences of sensitive data reported by findings. If your request specifies an Identity and Access Management (IAM) role to assume when retrieving the sensitive data, Amazon Macie verifies that the role exists and the attached policies are configured correctly. If there's an issue, Macie returns an error. For information about addressing the issue, see Retrieving sensitive data samples with findings in the Amazon Macie User Guide.

", + "base" : "

Specifies the access method and settings to use when retrieving occurrences of sensitive data reported by findings. If your request specifies an Identity and Access Management (IAM) role to assume, Amazon Macie verifies that the role exists and the attached policies are configured correctly. If there's an issue, Macie returns an error. For information about addressing the issue, see Configuration options and requirements for retrieving sensitive data samples in the Amazon Macie User Guide.

", "refs" : { - "UpdateRevealConfigurationRequest$RetrievalConfiguration" : "

The access method and settings to use to retrieve the sensitive data.

" + "UpdateRevealConfigurationRequest$RetrievalConfiguration" : "

The access method and settings to use when retrieving the sensitive data.

" } }, "UpdateRevealConfigurationRequest" : { - "base" : "

Specifies configuration settings for retrieving occurrences of sensitive data reported by findings, and the status of the configuration for an Amazon Macie account. If you don't specify retrievalConfiguration values for an existing configuration, Macie sets the access method to CALLER_CREDENTIALS. If your current access method is ASSUME_ROLE, Macie also deletes the external ID and role name currently specified for the configuration. To keep these settings for an existing configuration, specify the current retrievalConfiguration values in your request.

", + "base" : "

Specifies configuration settings for retrieving occurrences of sensitive data reported by findings, and the status of the configuration for an Amazon Macie account. If you don't specify retrievalConfiguration settings for an existing configuration, Macie sets the access method to CALLER_CREDENTIALS. If your current access method is ASSUME_ROLE, Macie also deletes the external ID and role name currently specified for the configuration. To keep these settings for an existing configuration, specify your current retrievalConfiguration settings in your request.

", "refs" : { } }, "UpdateRevealConfigurationResponse" : { @@ -2140,7 +2140,7 @@ "__listOfUnavailabilityReasonCode" : { "base" : null, "refs" : { - "GetSensitiveDataOccurrencesAvailabilityResponse$Reasons" : "

Specifies why occurrences of sensitive data can't be retrieved for the finding. Possible values are:

This value is null if sensitive data can be retrieved for the finding.

" + "GetSensitiveDataOccurrencesAvailabilityResponse$Reasons" : "

Specifies why occurrences of sensitive data can't be retrieved for the finding. Possible values are:

This value is null if sensitive data can be retrieved for the finding.

" } }, "__listOfUnprocessedAccount" : { @@ -2222,7 +2222,7 @@ "BucketCountByEffectivePermission$PubliclyReadable" : "

The total number of buckets that allow the general public to have read access to the bucket.

", "BucketCountByEffectivePermission$PubliclyWritable" : "

The total number of buckets that allow the general public to have write access to the bucket.

", "BucketCountByEffectivePermission$Unknown" : "

The total number of buckets that Amazon Macie wasn't able to evaluate permissions settings for. Macie can't determine whether these buckets are publicly accessible.

", - "BucketCountByEncryptionType$KmsManaged" : "

The total number of buckets whose default encryption settings are configured to encrypt new objects with an Amazon Web Services managed KMS key or a customer managed KMS key. By default, these buckets encrypt new objects automatically using SSE-KMS encryption.

", + "BucketCountByEncryptionType$KmsManaged" : "

The total number of buckets whose default encryption settings are configured to encrypt new objects with an KMS key, either an Amazon Web Services managed key or a customer managed key. By default, these buckets encrypt new objects automatically using DSSE-KMS or SSE-KMS encryption.

", "BucketCountByEncryptionType$S3Managed" : "

The total number of buckets whose default encryption settings are configured to encrypt new objects with an Amazon S3 managed key. By default, these buckets encrypt new objects automatically using SSE-S3 encryption.

", "BucketCountByEncryptionType$Unencrypted" : "

The total number of buckets that don't specify default server-side encryption behavior for new objects. Default encryption settings aren't configured for these buckets.

", "BucketCountByEncryptionType$Unknown" : "

The total number of buckets that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the default encryption settings for these buckets.

", @@ -2267,9 +2267,9 @@ "MatchingBucket$ObjectCount" : "

The total number of objects in the bucket.

", "MatchingBucket$SizeInBytes" : "

The total storage size, in bytes, of the bucket.

If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each object in the bucket. This value doesn't reflect the storage size of all versions of each object in the bucket.

", "MatchingBucket$SizeInBytesCompressed" : "

The total storage size, in bytes, of the objects that are compressed (.gz, .gzip, .zip) files in the bucket.

If versioning is enabled for the bucket, Amazon Macie calculates this value based on the size of the latest version of each applicable object in the bucket. This value doesn't reflect the storage size of all versions of each applicable object in the bucket.

", - "ObjectCountByEncryptionType$CustomerManaged" : "

The total number of objects that are encrypted with a customer-provided key. The objects use customer-provided server-side encryption (SSE-C).

", - "ObjectCountByEncryptionType$KmsManaged" : "

The total number of objects that are encrypted with an KMS key, either an Amazon Web Services managed key or a customer managed key. The objects use KMS encryption (SSE-KMS).

", - "ObjectCountByEncryptionType$S3Managed" : "

The total number of objects that are encrypted with an Amazon S3 managed key. The objects use Amazon S3 managed encryption (SSE-S3).

", + "ObjectCountByEncryptionType$CustomerManaged" : "

The total number of objects that are encrypted with customer-provided keys. The objects use server-side encryption with customer-provided keys (SSE-C).

", + "ObjectCountByEncryptionType$KmsManaged" : "

The total number of objects that are encrypted with KMS keys, either Amazon Web Services managed keys or customer managed keys. The objects use dual-layer server-side encryption or server-side encryption with KMS keys (DSSE-KMS or SSE-KMS).

", + "ObjectCountByEncryptionType$S3Managed" : "

The total number of objects that are encrypted with Amazon S3 managed keys. The objects use server-side encryption with Amazon S3 managed keys (SSE-S3).

", "ObjectCountByEncryptionType$Unencrypted" : "

The total number of objects that use client-side encryption or aren't encrypted.

", "ObjectCountByEncryptionType$Unknown" : "

The total number of objects that Amazon Macie doesn't have current encryption metadata for. Macie can't provide current data about the encryption settings for these objects.

", "ObjectLevelStatistics$FileType" : "

The total storage size (in bytes) or number of objects that Amazon Macie can't analyze because the objects don't have a file name extension for a supported file or storage format.

", @@ -2465,7 +2465,7 @@ "ResourceNotFoundException$Message" : "

The explanation of the error that occurred.

", "ResourceProfileArtifact$Arn" : "

The Amazon Resource Name (ARN) of the object.

", "ResourceProfileArtifact$ClassificationResultStatus" : "

The status of the analysis. Possible values are:

", - "RetrievalConfiguration$ExternalId" : "

The external ID to specify in the trust policy for the IAM role to assume when retrieving sensitive data from affected S3 objects (roleName). The trust policy must include an sts:ExternalId condition that requires this ID.

This ID is a unique alphanumeric string that Amazon Macie generates automatically after you configure it to assume a role. This value is null if the value for retrievalMode is CALLER_CREDENTIALS.

", + "RetrievalConfiguration$ExternalId" : "

The external ID to specify in the trust policy for the IAM role to assume when retrieving sensitive data from affected S3 objects (roleName). This value is null if the value for retrievalMode is CALLER_CREDENTIALS.

This ID is a unique alphanumeric string that Amazon Macie generates automatically after you configure it to assume an IAM role. For a Macie administrator to retrieve sensitive data from an affected S3 object for a member account, the trust policy for the role in the member account must include an sts:ExternalId condition that requires this ID.

", "S3Bucket$Arn" : "

The Amazon Resource Name (ARN) of the bucket.

", "S3Bucket$Name" : "

The name of the bucket.

", "S3BucketDefinitionForJob$AccountId" : "

The unique identifier for the Amazon Web Services account that owns the buckets.

", @@ -2504,7 +2504,7 @@ "TestCustomDataIdentifierRequest$Regex" : "

The regular expression (regex) that defines the pattern to match. The expression can contain as many as 512 characters.

", "TestCustomDataIdentifierRequest$SampleText" : "

The sample text to inspect by using the custom data identifier. The text can contain as many as 1,000 characters.

", "ThrottlingException$Message" : "

The explanation of the error that occurred.

", - "UnprocessableEntityException$Message" : "

The type of error that occurred and prevented Amazon Macie from retrieving occurrences of sensitive data reported by the finding. Possible values are:

", + "UnprocessableEntityException$Message" : "

The type of error that occurred and prevented Amazon Macie from retrieving occurrences of sensitive data reported by the finding. Possible values are:

", "UnprocessedAccount$AccountId" : "

The Amazon Web Services account ID for the account that the request applies to.

", "UnprocessedAccount$ErrorMessage" : "

The reason why the request hasn't been processed.

", "UpdateFindingsFilterRequest$ClientToken" : "

A unique, case-sensitive token that you provide to ensure the idempotency of the request.

", diff --git a/models/apis/payment-cryptography/2021-09-14/api-2.json b/models/apis/payment-cryptography/2021-09-14/api-2.json index e9bb9b2a876..7326c64690d 100644 --- a/models/apis/payment-cryptography/2021-09-14/api-2.json +++ b/models/apis/payment-cryptography/2021-09-14/api-2.json @@ -507,6 +507,18 @@ "KeySerialNumber":{"shape":"HexLength20Or24"} } }, + "ExportKeyCryptogram":{ + "type":"structure", + "required":[ + "CertificateAuthorityPublicKeyIdentifier", + "WrappingKeyCertificate" + ], + "members":{ + "CertificateAuthorityPublicKeyIdentifier":{"shape":"KeyArnOrKeyAliasType"}, + "WrappingKeyCertificate":{"shape":"CertificateType"}, + "WrappingSpec":{"shape":"WrappingKeySpec"} + } + }, "ExportKeyInput":{ "type":"structure", "required":[ @@ -522,6 +534,7 @@ "ExportKeyMaterial":{ "type":"structure", "members":{ + "KeyCryptogram":{"shape":"ExportKeyCryptogram"}, "Tr31KeyBlock":{"shape":"ExportTr31KeyBlock"}, "Tr34KeyBlock":{"shape":"ExportTr34KeyBlock"} }, @@ -674,6 +687,22 @@ "min":20, "pattern":"^[0-9A-F]{20}$|^[0-9A-F]{24}$" }, + "ImportKeyCryptogram":{ + "type":"structure", + "required":[ + "Exportable", + "ImportToken", + "KeyAttributes", + "WrappedKeyCryptogram" + ], + "members":{ + "Exportable":{"shape":"Boolean"}, + "ImportToken":{"shape":"ImportTokenId"}, + "KeyAttributes":{"shape":"KeyAttributes"}, + "WrappedKeyCryptogram":{"shape":"WrappedKeyCryptogram"}, + "WrappingSpec":{"shape":"WrappingKeySpec"} + } + }, "ImportKeyInput":{ "type":"structure", "required":["KeyMaterial"], @@ -687,6 +716,7 @@ "ImportKeyMaterial":{ "type":"structure", "members":{ + "KeyCryptogram":{"shape":"ImportKeyCryptogram"}, "RootCertificatePublicKey":{"shape":"RootCertificatePublicKey"}, "Tr31KeyBlock":{"shape":"ImportTr31KeyBlock"}, "Tr34KeyBlock":{"shape":"ImportTr34KeyBlock"}, @@ -845,7 +875,8 @@ "TR34_KEY_BLOCK", "TR31_KEY_BLOCK", "ROOT_PUBLIC_KEY_CERTIFICATE", - "TRUSTED_PUBLIC_KEY_CERTIFICATE" + "TRUSTED_PUBLIC_KEY_CERTIFICATE", + "KEY_CRYPTOGRAM" ] }, "KeyModesOfUse":{ @@ -918,6 +949,7 @@ "TR31_K1_KEY_BLOCK_PROTECTION_KEY", "TR31_K3_ASYMMETRIC_KEY_FOR_KEY_AGREEMENT", "TR31_M3_ISO_9797_3_MAC_KEY", + "TR31_M1_ISO_9797_1_MAC_KEY", "TR31_M6_ISO_9797_5_CMAC_KEY", "TR31_M7_HMAC_KEY", "TR31_P0_PIN_ENCRYPTION_KEY", @@ -1206,6 +1238,12 @@ "WrappingKeyArn":{"shape":"KeyArn"} } }, + "WrappedKeyCryptogram":{ + "type":"string", + "max":4096, + "min":16, + "pattern":"^[0-9A-F]+$" + }, "WrappedKeyMaterialFormat":{ "type":"string", "enum":[ @@ -1213,6 +1251,13 @@ "TR31_KEY_BLOCK", "TR34_KEY_BLOCK" ] + }, + "WrappingKeySpec":{ + "type":"string", + "enum":[ + "RSA_OAEP_SHA_256", + "RSA_OAEP_SHA_512" + ] } } } diff --git a/models/apis/payment-cryptography/2021-09-14/docs-2.json b/models/apis/payment-cryptography/2021-09-14/docs-2.json index a20ad1a284f..451a3f79a8e 100644 --- a/models/apis/payment-cryptography/2021-09-14/docs-2.json +++ b/models/apis/payment-cryptography/2021-09-14/docs-2.json @@ -6,13 +6,13 @@ "CreateKey": "

Creates an Amazon Web Services Payment Cryptography key, a logical representation of a cryptographic key, that is unique in your account and Amazon Web Services Region. You use keys for cryptographic functions such as encryption and decryption.

In addition to the key material used in cryptographic operations, an Amazon Web Services Payment Cryptography key includes metadata such as the key ARN, key usage, key origin, creation date, description, and key state.

When you create a key, you specify both immutable and mutable data about the key. The immutable data contains key attributes that define the scope and cryptographic operations that you can perform using the key, for example key class (example: SYMMETRIC_KEY), key algorithm (example: TDES_2KEY), key usage (example: TR31_P0_PIN_ENCRYPTION_KEY) and key modes of use (example: Encrypt). For information about valid combinations of key attributes, see Understanding key attributes in the Amazon Web Services Payment Cryptography User Guide. The mutable data contained within a key includes usage timestamp and key deletion timestamp and can be modified after creation.

Amazon Web Services Payment Cryptography binds key attributes to keys using key blocks when you store or export them. Amazon Web Services Payment Cryptography stores the key contents wrapped and never stores or transmits them in the clear.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "DeleteAlias": "

Deletes the alias, but doesn't affect the underlying key.

Each key can have multiple aliases. To get the aliases of all keys, use the ListAliases operation. To change the alias of a key, first use DeleteAlias to delete the current alias and then use CreateAlias to create a new alias. To associate an existing alias with a different key, call UpdateAlias.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "DeleteKey": "

Deletes the key material and metadata associated with Amazon Web Services Payment Cryptography key.

Key deletion is irreversible. After a key is deleted, you can't perform cryptographic operations using the key. For example, you can't decrypt data that was encrypted by a deleted Amazon Web Services Payment Cryptography key, and the data may become unrecoverable. Because key deletion is destructive, Amazon Web Services Payment Cryptography has a safety mechanism to prevent accidental deletion of a key. When you call this operation, Amazon Web Services Payment Cryptography disables the specified key but doesn't delete it until after a waiting period set using DeleteKeyInDays. The default waiting period is 7 days. During the waiting period, the KeyState is DELETE_PENDING. After the key is deleted, the KeyState is DELETE_COMPLETE.

You should delete a key only when you are sure that you don't need to use it anymore and no other parties are utilizing this key. If you aren't sure, consider deactivating it instead by calling StopKeyUsage.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", - "ExportKey": "

Exports a key from Amazon Web Services Payment Cryptography.

Amazon Web Services Payment Cryptography simplifies key exchange by replacing the existing paper-based approach with a modern electronic approach. With ExportKey you can export symmetric keys using either symmetric and asymmetric key exchange mechanisms. Using this operation, you can share your Amazon Web Services Payment Cryptography generated keys with other service partners to perform cryptographic operations outside of Amazon Web Services Payment Cryptography

For symmetric key exchange, Amazon Web Services Payment Cryptography uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And for asymmetric key exchange, Amazon Web Services Payment Cryptography supports ANSI X9 TR-34 norm . Asymmetric key exchange methods are typically used to establish bi-directional trust between the two parties exhanging keys and are used for initial key exchange such as Key Encryption Key (KEK). After which you can export working keys using symmetric method to perform various cryptographic operations within Amazon Web Services Payment Cryptography.

The TR-34 norm is intended for exchanging 3DES keys only and keys are imported in a WrappedKeyBlock format. Key attributes (such as KeyUsage, KeyAlgorithm, KeyModesOfUse, Exportability) are contained within the key block.

You can also use ExportKey functionality to generate and export an IPEK (Initial Pin Encryption Key) from Amazon Web Services Payment Cryptography using either TR-31 or TR-34 export key exchange. IPEK is generated from BDK (Base Derivation Key) and ExportDukptInitialKey attribute KSN (KeySerialNumber). The generated IPEK does not persist within Amazon Web Services Payment Cryptography and has to be re-generated each time during export.

To export KEK or IPEK using TR-34

Using this operation, you can export initial key using TR-34 asymmetric key exchange. You can only export KEK generated within Amazon Web Services Payment Cryptography. In TR-34 terminology, the sending party of the key is called Key Distribution Host (KDH) and the receiving party of the key is called Key Receiving Device (KRD). During key export process, KDH is Amazon Web Services Payment Cryptography which initiates key export and KRD is the user receiving the key.

To initiate TR-34 key export, the KRD must obtain an export token by calling GetParametersForExport. This operation also generates a key pair for the purpose of key export, signs the key and returns back the signing public key certificate (also known as KDH signing certificate) and root certificate chain. The KDH uses the private key to sign the the export payload and the signing public key certificate is provided to KRD to verify the signature. The KRD can import the root certificate into its Hardware Security Module (HSM), as required. The export token and the associated KDH signing certificate expires after 7 days.

Next the KRD generates a key pair for the the purpose of encrypting the KDH key and provides the public key cerificate (also known as KRD wrapping certificate) back to KDH. The KRD will also import the root cerificate chain into Amazon Web Services Payment Cryptography by calling ImportKey for RootCertificatePublicKey. The KDH, Amazon Web Services Payment Cryptography, will use the KRD wrapping cerificate to encrypt (wrap) the key under export and signs it with signing private key to generate a TR-34 WrappedKeyBlock. For more information on TR-34 key export, see section Exporting symmetric keys in the Amazon Web Services Payment Cryptography User Guide.

Set the following parameters:

When this operation is successful, Amazon Web Services Payment Cryptography returns the KEK or IPEK as a TR-34 WrappedKeyBlock.

To export WK (Working Key) or IPEK using TR-31

Using this operation, you can export working keys or IPEK using TR-31 symmetric key exchange. In TR-31, you must use an initial key such as KEK to encrypt or wrap the key under export. To establish a KEK, you can use CreateKey or ImportKey.

Set the following parameters:

When this operation is successful, Amazon Web Services Payment Cryptography returns the WK or IPEK as a TR-31 WrappedKeyBlock.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", + "ExportKey": "

Exports a key from Amazon Web Services Payment Cryptography.

Amazon Web Services Payment Cryptography simplifies key exchange by replacing the existing paper-based approach with a modern electronic approach. With ExportKey you can export symmetric keys using either symmetric and asymmetric key exchange mechanisms. Using this operation, you can share your Amazon Web Services Payment Cryptography generated keys with other service partners to perform cryptographic operations outside of Amazon Web Services Payment Cryptography

For symmetric key exchange, Amazon Web Services Payment Cryptography uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And for asymmetric key exchange, Amazon Web Services Payment Cryptography supports ANSI X9 TR-34 norm and RSA wrap and unwrap key exchange mechanism. Asymmetric key exchange methods are typically used to establish bi-directional trust between the two parties exhanging keys and are used for initial key exchange such as Key Encryption Key (KEK). After which you can export working keys using symmetric method to perform various cryptographic operations within Amazon Web Services Payment Cryptography.

The TR-34 norm is intended for exchanging 3DES keys only and keys are imported in a WrappedKeyBlock format. Key attributes (such as KeyUsage, KeyAlgorithm, KeyModesOfUse, Exportability) are contained within the key block. With RSA wrap and unwrap, you can exchange both 3DES and AES-128 keys. The keys are imported in a WrappedKeyCryptogram format and you will need to specify the key attributes during import.

You can also use ExportKey functionality to generate and export an IPEK (Initial Pin Encryption Key) from Amazon Web Services Payment Cryptography using either TR-31 or TR-34 export key exchange. IPEK is generated from BDK (Base Derivation Key) and ExportDukptInitialKey attribute KSN (KeySerialNumber). The generated IPEK does not persist within Amazon Web Services Payment Cryptography and has to be re-generated each time during export.

To export initial keys (KEK) or IPEK using TR-34

Using this operation, you can export initial key using TR-34 asymmetric key exchange. You can only export KEK generated within Amazon Web Services Payment Cryptography. In TR-34 terminology, the sending party of the key is called Key Distribution Host (KDH) and the receiving party of the key is called Key Receiving Device (KRD). During key export process, KDH is Amazon Web Services Payment Cryptography which initiates key export and KRD is the user receiving the key.

To initiate TR-34 key export, the KRD must obtain an export token by calling GetParametersForExport. This operation also generates a key pair for the purpose of key export, signs the key and returns back the signing public key certificate (also known as KDH signing certificate) and root certificate chain. The KDH uses the private key to sign the the export payload and the signing public key certificate is provided to KRD to verify the signature. The KRD can import the root certificate into its Hardware Security Module (HSM), as required. The export token and the associated KDH signing certificate expires after 7 days.

Next the KRD generates a key pair for the the purpose of encrypting the KDH key and provides the public key cerificate (also known as KRD wrapping certificate) back to KDH. The KRD will also import the root cerificate chain into Amazon Web Services Payment Cryptography by calling ImportKey for RootCertificatePublicKey. The KDH, Amazon Web Services Payment Cryptography, will use the KRD wrapping cerificate to encrypt (wrap) the key under export and signs it with signing private key to generate a TR-34 WrappedKeyBlock. For more information on TR-34 key export, see section Exporting symmetric keys in the Amazon Web Services Payment Cryptography User Guide.

Set the following parameters:

When this operation is successful, Amazon Web Services Payment Cryptography returns the KEK or IPEK as a TR-34 WrappedKeyBlock.

To export initial keys (KEK) or IPEK using RSA Wrap and Unwrap

Using this operation, you can export initial key using asymmetric RSA wrap and unwrap key exchange method. To initiate export, generate an asymmetric key pair on the receiving HSM and obtain the public key certificate in PEM format (base64 encoded) for the purpose of wrapping and the root certifiate chain. Import the root certificate into Amazon Web Services Payment Cryptography by calling ImportKey for RootCertificatePublicKey.

Next call ExportKey and set the following parameters:

When this operation is successful, Amazon Web Services Payment Cryptography returns the WrappedKeyCryptogram.

To export working keys or IPEK using TR-31

Using this operation, you can export working keys or IPEK using TR-31 symmetric key exchange. In TR-31, you must use an initial key such as KEK to encrypt or wrap the key under export. To establish a KEK, you can use CreateKey or ImportKey.

Set the following parameters:

When this operation is successful, Amazon Web Services Payment Cryptography returns the working key or IPEK as a TR-31 WrappedKeyBlock.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "GetAlias": "

Gets the Amazon Web Services Payment Cryptography key associated with the alias.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "GetKey": "

Gets the key material for an Amazon Web Services Payment Cryptography key, including the immutable and mutable data specified when the key was created.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "GetParametersForExport": "

Gets the export token and the signing key certificate to initiate a TR-34 key export from Amazon Web Services Payment Cryptography.

The signing key certificate signs the wrapped key under export within the TR-34 key payload. The export token and signing key certificate must be in place and operational before calling ExportKey. The export token expires in 7 days. You can use the same export token to export multiple keys from your service account.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", - "GetParametersForImport": "

Gets the import token and the wrapping key certificate in PEM format (base64 encoded) to initiate a TR-34 WrappedKeyBlock.

The wrapping key certificate wraps the key under import. The import token and wrapping key certificate must be in place and operational before calling ImportKey. The import token expires in 7 days. You can use the same import token to import multiple keys into your service account.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", + "GetParametersForImport": "

Gets the import token and the wrapping key certificate in PEM format (base64 encoded) to initiate a TR-34 WrappedKeyBlock or a RSA WrappedKeyCryptogram import into Amazon Web Services Payment Cryptography.

The wrapping key certificate wraps the key under import. The import token and wrapping key certificate must be in place and operational before calling ImportKey. The import token expires in 7 days. You can use the same import token to import multiple keys into your service account.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "GetPublicKeyCertificate": "

Gets the public key certificate of the asymmetric key pair that exists within Amazon Web Services Payment Cryptography.

Unlike the private key of an asymmetric key, which never leaves Amazon Web Services Payment Cryptography unencrypted, callers with GetPublicKeyCertificate permission can download the public key certificate of the asymmetric key. You can share the public key certificate to allow others to encrypt messages and verify signatures outside of Amazon Web Services Payment Cryptography

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

", - "ImportKey": "

Imports symmetric keys and public key certificates in PEM format (base64 encoded) into Amazon Web Services Payment Cryptography.

Amazon Web Services Payment Cryptography simplifies key exchange by replacing the existing paper-based approach with a modern electronic approach. With ImportKey you can import symmetric keys using either symmetric and asymmetric key exchange mechanisms.

For symmetric key exchange, Amazon Web Services Payment Cryptography uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And for asymmetric key exchange, Amazon Web Services Payment Cryptography supports ANSI X9 TR-34 norm . Asymmetric key exchange methods are typically used to establish bi-directional trust between the two parties exhanging keys and are used for initial key exchange such as Key Encryption Key (KEK) or Zone Master Key (ZMK). After which you can import working keys using symmetric method to perform various cryptographic operations within Amazon Web Services Payment Cryptography.

The TR-34 norm is intended for exchanging 3DES keys only and keys are imported in a WrappedKeyBlock format. Key attributes (such as KeyUsage, KeyAlgorithm, KeyModesOfUse, Exportability) are contained within the key block.

You can also import a root public key certificate, used to sign other public key certificates, or a trusted public key certificate under an already established root public key certificate.

To import a public root key certificate

You can also import a root public key certificate, used to sign other public key certificates, or a trusted public key certificate under an already established root public key certificate.

To import a public root key certificate

Using this operation, you can import the public component (in PEM cerificate format) of your private root key. You can use the imported public root key certificate for digital signatures, for example signing wrapping key or signing key in TR-34, within your Amazon Web Services Payment Cryptography account.

Set the following parameters:

To import a trusted public key certificate

The root public key certificate must be in place and operational before you import a trusted public key certificate. Set the following parameters:

To import KEK or ZMK using TR-34

Using this operation, you can import initial key using TR-34 asymmetric key exchange. In TR-34 terminology, the sending party of the key is called Key Distribution Host (KDH) and the receiving party of the key is called Key Receiving Device (KRD). During the key import process, KDH is the user who initiates the key import and KRD is Amazon Web Services Payment Cryptography who receives the key.

To initiate TR-34 key import, the KDH must obtain an import token by calling GetParametersForImport. This operation generates an encryption keypair for the purpose of key import, signs the key and returns back the wrapping key certificate (also known as KRD wrapping certificate) and the root certificate chain. The KDH must trust and install the KRD wrapping certificate on its HSM and use it to encrypt (wrap) the KDH key during TR-34 WrappedKeyBlock generation. The import token and associated KRD wrapping certificate expires after 7 days.

Next the KDH generates a key pair for the purpose of signing the encrypted KDH key and provides the public certificate of the signing key to Amazon Web Services Payment Cryptography. The KDH will also need to import the root certificate chain of the KDH signing certificate by calling ImportKey for RootCertificatePublicKey. For more information on TR-34 key import, see section Importing symmetric keys in the Amazon Web Services Payment Cryptography User Guide.

Set the following parameters:

To import WK (Working Key) using TR-31

Amazon Web Services Payment Cryptography uses TR-31 symmetric key exchange norm to import working keys. A KEK must be established within Amazon Web Services Payment Cryptography by using TR-34 key import or by using CreateKey. To initiate a TR-31 key import, set the following parameters:

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", + "ImportKey": "

Imports symmetric keys and public key certificates in PEM format (base64 encoded) into Amazon Web Services Payment Cryptography.

Amazon Web Services Payment Cryptography simplifies key exchange by replacing the existing paper-based approach with a modern electronic approach. With ImportKey you can import symmetric keys using either symmetric and asymmetric key exchange mechanisms.

For symmetric key exchange, Amazon Web Services Payment Cryptography uses the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And for asymmetric key exchange, Amazon Web Services Payment Cryptography supports ANSI X9 TR-34 norm and RSA wrap and unwrap key exchange mechanisms. Asymmetric key exchange methods are typically used to establish bi-directional trust between the two parties exhanging keys and are used for initial key exchange such as Key Encryption Key (KEK) or Zone Master Key (ZMK). After which you can import working keys using symmetric method to perform various cryptographic operations within Amazon Web Services Payment Cryptography.

The TR-34 norm is intended for exchanging 3DES keys only and keys are imported in a WrappedKeyBlock format. Key attributes (such as KeyUsage, KeyAlgorithm, KeyModesOfUse, Exportability) are contained within the key block. With RSA wrap and unwrap, you can exchange both 3DES and AES-128 keys. The keys are imported in a WrappedKeyCryptogram format and you will need to specify the key attributes during import.

You can also import a root public key certificate, used to sign other public key certificates, or a trusted public key certificate under an already established root public key certificate.

To import a public root key certificate

You can also import a root public key certificate, used to sign other public key certificates, or a trusted public key certificate under an already established root public key certificate.

To import a public root key certificate

Using this operation, you can import the public component (in PEM cerificate format) of your private root key. You can use the imported public root key certificate for digital signatures, for example signing wrapping key or signing key in TR-34, within your Amazon Web Services Payment Cryptography account.

Set the following parameters:

To import a trusted public key certificate

The root public key certificate must be in place and operational before you import a trusted public key certificate. Set the following parameters:

To import initial keys (KEK or ZMK or similar) using TR-34

Using this operation, you can import initial key using TR-34 asymmetric key exchange. In TR-34 terminology, the sending party of the key is called Key Distribution Host (KDH) and the receiving party of the key is called Key Receiving Device (KRD). During the key import process, KDH is the user who initiates the key import and KRD is Amazon Web Services Payment Cryptography who receives the key.

To initiate TR-34 key import, the KDH must obtain an import token by calling GetParametersForImport. This operation generates an encryption keypair for the purpose of key import, signs the key and returns back the wrapping key certificate (also known as KRD wrapping certificate) and the root certificate chain. The KDH must trust and install the KRD wrapping certificate on its HSM and use it to encrypt (wrap) the KDH key during TR-34 WrappedKeyBlock generation. The import token and associated KRD wrapping certificate expires after 7 days.

Next the KDH generates a key pair for the purpose of signing the encrypted KDH key and provides the public certificate of the signing key to Amazon Web Services Payment Cryptography. The KDH will also need to import the root certificate chain of the KDH signing certificate by calling ImportKey for RootCertificatePublicKey. For more information on TR-34 key import, see section Importing symmetric keys in the Amazon Web Services Payment Cryptography User Guide.

Set the following parameters:

To import initial keys (KEK or ZMK or similar) using RSA Wrap and Unwrap

Using this operation, you can import initial key using asymmetric RSA wrap and unwrap key exchange method. To initiate import, call GetParametersForImport with KeyMaterial set to KEY_CRYPTOGRAM to generate an import token. This operation also generates an encryption keypair for the purpose of key import, signs the key and returns back the wrapping key certificate in PEM format (base64 encoded) and its root certificate chain. The import token and associated KRD wrapping certificate expires after 7 days.

You must trust and install the wrapping certificate and its certificate chain on the sending HSM and use it to wrap the key under export for WrappedKeyCryptogram generation. Next call ImportKey with KeyMaterial set to KEY_CRYPTOGRAM and provide the ImportToken and KeyAttributes for the key under import.

To import working keys using TR-31

Amazon Web Services Payment Cryptography uses TR-31 symmetric key exchange norm to import working keys. A KEK must be established within Amazon Web Services Payment Cryptography by using TR-34 key import or by using CreateKey. To initiate a TR-31 key import, set the following parameters:

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "ListAliases": "

Lists the aliases for all keys in the caller's Amazon Web Services account and Amazon Web Services Region. You can filter the list of aliases. For more information, see Using aliases in the Amazon Web Services Payment Cryptography User Guide.

This is a paginated operation, which means that each response might contain only a subset of all the aliases. When the response contains only a subset of aliases, it includes a NextToken value. Use this value in a subsequent ListAliases request to get more aliases. When you receive a response with no NextToken (or an empty or null value), that means there are no more aliases to get.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "ListKeys": "

Lists the keys in the caller's Amazon Web Services account and Amazon Web Services Region. You can filter the list of keys.

This is a paginated operation, which means that each response might contain only a subset of all the keys. When the response contains only a subset of keys, it includes a NextToken value. Use this value in a subsequent ListKeys request to get more keys. When you receive a response with no NextToken (or an empty or null value), that means there are no more keys to get.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "ListTagsForResource": "

Lists the tags for an Amazon Web Services resource.

This is a paginated operation, which means that each response might contain only a subset of all the tags. When the response contains only a subset of tags, it includes a NextToken value. Use this value in a subsequent ListTagsForResource request to get more tags. When you receive a response with no NextToken (or an empty or null value), that means there are no more tags to get.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", @@ -59,6 +59,7 @@ "refs": { "CreateKeyInput$Enabled": "

Specifies whether to enable the key. If the key is enabled, it is activated for use within the service. If the key is not enabled, then it is created but not activated. The default value is enabled.

", "CreateKeyInput$Exportable": "

Specifies whether the key is exportable from the service.

", + "ImportKeyCryptogram$Exportable": "

Specifies whether the key is exportable from the service.

", "ImportKeyInput$Enabled": "

Specifies whether import key is enabled.

", "Key$Enabled": "

Specifies whether the key is enabled.

", "Key$Exportable": "

Specifies whether the key is exportable. This data is immutable after the key is created.

", @@ -69,6 +70,7 @@ "CertificateType": { "base": null, "refs": { + "ExportKeyCryptogram$WrappingKeyCertificate": "

The wrapping key certificate in PEM format (base64 encoded). Amazon Web Services Payment Cryptography uses this certificate to wrap the key under export.

", "ExportTr34KeyBlock$WrappingKeyCertificate": "

The KeyARN of the wrapping key certificate. Amazon Web Services Payment Cryptography uses this certificate to wrap the key under export.

", "GetParametersForExportOutput$SigningKeyCertificate": "

The signing key certificate in PEM format (base64 encoded) of the public key for signature within the TR-34 key block. The certificate expires after 7 days.

", "GetParametersForExportOutput$SigningKeyCertificateChain": "

The root certificate authority (CA) that signed the signing key certificate in PEM format (base64 encoded).

", @@ -144,13 +146,19 @@ "ExportAttributes$ExportDukptInitialKey": "

Parameter information for IPEK export.

" } }, + "ExportKeyCryptogram": { + "base": "

Parameter information for key material export using asymmetric RSA wrap and unwrap key exchange method.

", + "refs": { + "ExportKeyMaterial$KeyCryptogram": "

Parameter information for key material export using asymmetric RSA wrap and unwrap key exchange method

" + } + }, "ExportKeyInput": { "base": null, "refs": { } }, "ExportKeyMaterial": { - "base": "

Parameter information for key material export from Amazon Web Services Payment Cryptography using TR-31 or TR-34 key exchange method.

", + "base": "

Parameter information for key material export from Amazon Web Services Payment Cryptography using TR-31 or TR-34 or RSA wrap and unwrap key exchange method.

", "refs": { "ExportKeyInput$KeyMaterial": "

The key block format type, for example, TR-34 or TR-31, to use during key material export.

" } @@ -242,13 +250,19 @@ "ExportDukptInitialKey$KeySerialNumber": "

The KSN for IPEK generation using DUKPT.

KSN must be padded before sending to Amazon Web Services Payment Cryptography. KSN hex length should be 20 for a TDES_2KEY key or 24 for an AES key.

" } }, + "ImportKeyCryptogram": { + "base": "

Parameter information for key material import using asymmetric RSA wrap and unwrap key exchange method.

", + "refs": { + "ImportKeyMaterial$KeyCryptogram": "

Parameter information for key material import using asymmetric RSA wrap and unwrap key exchange method.

" + } + }, "ImportKeyInput": { "base": null, "refs": { } }, "ImportKeyMaterial": { - "base": "

Parameter information for key material import into Amazon Web Services Payment Cryptography using TR-31 or TR-34 key exchange method.

", + "base": "

Parameter information for key material import into Amazon Web Services Payment Cryptography using TR-31 or TR-34 or RSA wrap and unwrap key exchange method.

", "refs": { "ImportKeyInput$KeyMaterial": "

The key or public key certificate type to use during key material import, for example TR-34 or RootCertificatePublicKey.

" } @@ -262,6 +276,7 @@ "base": null, "refs": { "GetParametersForImportOutput$ImportToken": "

The import token to initiate key import into Amazon Web Services Payment Cryptography. The import token expires after 7 days. You can use the same import token to import multiple keys to the same service account.

", + "ImportKeyCryptogram$ImportToken": "

The import token that initiates key import using the asymmetric RSA wrap and unwrap key exchange method into AWS Payment Cryptography. It expires after 7 days. You can use the same import token to import multiple keys to the same service account.

", "ImportTr34KeyBlock$ImportToken": "

The import token that initiates key import using the asymmetric TR-34 key exchange method into Amazon Web Services Payment Cryptography. It expires after 7 days. You can use the same import token to import multiple keys to the same service account.

" } }, @@ -299,8 +314,8 @@ "refs": { "GetParametersForExportInput$SigningKeyAlgorithm": "

The signing key algorithm to generate a signing key certificate. This certificate signs the wrapped key under export within the TR-34 key block. RSA_2048 is the only signing key algorithm allowed.

", "GetParametersForExportOutput$SigningKeyAlgorithm": "

The algorithm of the signing key certificate for use in TR-34 key block generation. RSA_2048 is the only signing key algorithm allowed.

", - "GetParametersForImportInput$WrappingKeyAlgorithm": "

The wrapping key algorithm to generate a wrapping key certificate. This certificate wraps the key under import.

At this time, RSA_2048, RSA_3072, RSA_4096 are the only allowed algorithms for TR-34 WrappedKeyBlock import.

", - "GetParametersForImportOutput$WrappingKeyAlgorithm": "

The algorithm of the wrapping key for use within TR-34 WrappedKeyBlock.

", + "GetParametersForImportInput$WrappingKeyAlgorithm": "

The wrapping key algorithm to generate a wrapping key certificate. This certificate wraps the key under import.

At this time, RSA_2048 is the allowed algorithm for TR-34 WrappedKeyBlock import. Additionally, RSA_2048, RSA_3072, RSA_4096 are the allowed algorithms for RSA WrappedKeyCryptogram import.

", + "GetParametersForImportOutput$WrappingKeyAlgorithm": "

The algorithm of the wrapping key for use within TR-34 WrappedKeyBlock or RSA WrappedKeyCryptogram.

", "KeyAttributes$KeyAlgorithm": "

The key algorithm to be use during creation of an Amazon Web Services Payment Cryptography key.

For symmetric keys, Amazon Web Services Payment Cryptography supports AES and TDES algorithms. For asymmetric keys, Amazon Web Services Payment Cryptography supports RSA and ECC_NIST algorithms.

" } }, @@ -319,6 +334,7 @@ "base": null, "refs": { "DeleteKeyInput$KeyIdentifier": "

The KeyARN of the key that is scheduled for deletion.

", + "ExportKeyCryptogram$CertificateAuthorityPublicKeyIdentifier": "

The KeyARN of the certificate chain that signs the wrapping key certificate during RSA wrap and unwrap key export.

", "ExportKeyInput$ExportKeyIdentifier": "

The KeyARN of the key under export from Amazon Web Services Payment Cryptography.

", "ExportTr31KeyBlock$WrappingKeyIdentifier": "

The KeyARN of the the wrapping key. This key encrypts or wraps the key under export for TR-31 key block generation.

", "ExportTr34KeyBlock$CertificateAuthorityPublicKeyIdentifier": "

The KeyARN of the certificate chain that signs the wrapping key certificate during TR-34 key export.

", @@ -336,6 +352,7 @@ "base": "

The role of the key, the algorithm it supports, and the cryptographic operations allowed with the key. This data is immutable after the key is created.

", "refs": { "CreateKeyInput$KeyAttributes": "

The role of the key, the algorithm it supports, and the cryptographic operations allowed with the key. This data is immutable after the key is created.

", + "ImportKeyCryptogram$KeyAttributes": null, "Key$KeyAttributes": "

The role of the key, the algorithm it supports, and the cryptographic operations allowed with the key. This data is immutable after the key is created.

", "KeySummary$KeyAttributes": "

The role of the key, the algorithm it supports, and the cryptographic operations allowed with the key. This data is immutable after the key is created.

", "RootCertificatePublicKey$KeyAttributes": "

The role of the key, the algorithm it supports, and the cryptographic operations allowed with the key. This data is immutable after the root public key is imported.

", @@ -376,7 +393,7 @@ "base": null, "refs": { "GetParametersForExportInput$KeyMaterialType": "

The key block format type (for example, TR-34 or TR-31) to use during key material export. Export token is only required for a TR-34 key export, TR34_KEY_BLOCK. Export token is not required for TR-31 key export.

", - "GetParametersForImportInput$KeyMaterialType": "

The method to use for key material import. Import token is only required for TR-34 WrappedKeyBlock (TR34_KEY_BLOCK).

Import token is not required for TR-31, root public key cerificate or trusted public key certificate.

" + "GetParametersForImportInput$KeyMaterialType": "

The method to use for key material import. Import token is only required for TR-34 WrappedKeyBlock (TR34_KEY_BLOCK) and RSA WrappedKeyCryptogram (KEY_CRYPTOGRAM).

Import token is not required for TR-31, root public key cerificate or trusted public key certificate.

" } }, "KeyModesOfUse": { @@ -666,7 +683,13 @@ "WrappedKey": { "base": "

Parameter information for generating a WrappedKeyBlock for key exchange.

", "refs": { - "ExportKeyOutput$WrappedKey": "

The key material under export as a TR-34 WrappedKeyBlock or a TR-31 WrappedKeyBlock.

" + "ExportKeyOutput$WrappedKey": "

The key material under export as a TR-34 WrappedKeyBlock or a TR-31 WrappedKeyBlock. or a RSA WrappedKeyCryptogram.

" + } + }, + "WrappedKeyCryptogram": { + "base": null, + "refs": { + "ImportKeyCryptogram$WrappedKeyCryptogram": "

The RSA wrapped key cryptogram under import.

" } }, "WrappedKeyMaterialFormat": { @@ -674,6 +697,13 @@ "refs": { "WrappedKey$WrappedKeyMaterialFormat": "

The key block format of a wrapped key.

" } + }, + "WrappingKeySpec": { + "base": null, + "refs": { + "ExportKeyCryptogram$WrappingSpec": "

The wrapping spec for the key under export.

", + "ImportKeyCryptogram$WrappingSpec": "

The wrapping spec for the wrapped key cryptogram.

" + } } } } diff --git a/models/apis/personalize-runtime/2018-05-22/docs-2.json b/models/apis/personalize-runtime/2018-05-22/docs-2.json index 3e2ee50730a..34e8b6bda72 100644 --- a/models/apis/personalize-runtime/2018-05-22/docs-2.json +++ b/models/apis/personalize-runtime/2018-05-22/docs-2.json @@ -169,8 +169,8 @@ "MetadataColumns": { "base": null, "refs": { - "GetPersonalizedRankingRequest$metadataColumns": "

If you enabled metadata in recommendations when you created or updated the campaign, specify metadata columns from your Items dataset to include in the personalized ranking. The map key is ITEMS and the value is a list of column names from your Items dataset. The maximum number of columns you can provide is 10.

For information about enabling metadata for a campaign, see Enabling metadata in recommendations for a campaign.

", - "GetRecommendationsRequest$metadataColumns": "

If you enabled metadata in recommendations when you created or updated the campaign or recommender, specify the metadata columns from your Items dataset to include in item recommendations. The map key is ITEMS and the value is a list of column names from your Items dataset. The maximum number of columns you can provide is 10.

For information about enabling metadata for a campaign, see Enabling metadata in recommendations for a campaign. For information about enabling metadata for a recommender, see Enabling metadata in recommendations for a recommender.

" + "GetPersonalizedRankingRequest$metadataColumns": "

If you enabled metadata in recommendations when you created or updated the campaign, specify metadata columns from your Items dataset to include in the personalized ranking. The map key is ITEMS and the value is a list of column names from your Items dataset. The maximum number of columns you can provide is 10.

For information about enabling metadata for a campaign, see Enabling metadata in recommendations for a campaign.

", + "GetRecommendationsRequest$metadataColumns": "

If you enabled metadata in recommendations when you created or updated the campaign or recommender, specify the metadata columns from your Items dataset to include in item recommendations. The map key is ITEMS and the value is a list of column names from your Items dataset. The maximum number of columns you can provide is 10.

For information about enabling metadata for a campaign, see Enabling metadata in recommendations for a campaign. For information about enabling metadata for a recommender, see Enabling metadata in recommendations for a recommender.

" } }, "Name": { diff --git a/models/apis/personalize/2018-05-22/docs-2.json b/models/apis/personalize/2018-05-22/docs-2.json index 7c192e333fc..2d084869c2e 100644 --- a/models/apis/personalize/2018-05-22/docs-2.json +++ b/models/apis/personalize/2018-05-22/docs-2.json @@ -4,7 +4,7 @@ "operations": { "CreateBatchInferenceJob": "

Generates batch recommendations based on a list of items or users stored in Amazon S3 and exports the recommendations to an Amazon S3 bucket.

To generate batch recommendations, specify the ARN of a solution version and an Amazon S3 URI for the input and output data. For user personalization, popular items, and personalized ranking solutions, the batch inference job generates a list of recommended items for each user ID in the input file. For related items solutions, the job generates a list of recommended items for each item ID in the input file.

For more information, see Creating a batch inference job .

If you use the Similar-Items recipe, Amazon Personalize can add descriptive themes to batch recommendations. To generate themes, set the job's mode to THEME_GENERATION and specify the name of the field that contains item names in the input data.

For more information about generating themes, see Batch recommendations with themes from Content Generator .

You can't get batch recommendations with the Trending-Now or Next-Best-Action recipes.

", "CreateBatchSegmentJob": "

Creates a batch segment job. The operation can handle up to 50 million records and the input file must be in JSON format. For more information, see Getting batch recommendations and user segments.

", - "CreateCampaign": "

Creates a campaign that deploys a solution version. When a client calls the GetRecommendations and GetPersonalizedRanking APIs, a campaign is specified in the request.

Minimum Provisioned TPS and Auto-Scaling

A high minProvisionedTPS will increase your bill. We recommend starting with 1 for minProvisionedTPS (the default). Track your usage using Amazon CloudWatch metrics, and increase the minProvisionedTPS as necessary.

A transaction is a single GetRecommendations or GetPersonalizedRanking call. Transactions per second (TPS) is the throughput and unit of billing for Amazon Personalize. The minimum provisioned TPS (minProvisionedTPS) specifies the baseline throughput provisioned by Amazon Personalize, and thus, the minimum billing charge.

If your TPS increases beyond minProvisionedTPS, Amazon Personalize auto-scales the provisioned capacity up and down, but never below minProvisionedTPS. There's a short time delay while the capacity is increased that might cause loss of transactions.

The actual TPS used is calculated as the average requests/second within a 5-minute window. You pay for maximum of either the minimum provisioned TPS or the actual TPS. We recommend starting with a low minProvisionedTPS, track your usage using Amazon CloudWatch metrics, and then increase the minProvisionedTPS as necessary.

Status

A campaign can be in one of the following states:

To get the campaign status, call DescribeCampaign.

Wait until the status of the campaign is ACTIVE before asking the campaign for recommendations.

Related APIs

", + "CreateCampaign": "

Creates a campaign that deploys a solution version. When a client calls the GetRecommendations and GetPersonalizedRanking APIs, a campaign is specified in the request.

Minimum Provisioned TPS and Auto-Scaling

A high minProvisionedTPS will increase your cost. We recommend starting with 1 for minProvisionedTPS (the default). Track your usage using Amazon CloudWatch metrics, and increase the minProvisionedTPS as necessary.

When you create an Amazon Personalize campaign, you can specify the minimum provisioned transactions per second (minProvisionedTPS) for the campaign. This is the baseline transaction throughput for the campaign provisioned by Amazon Personalize. It sets the minimum billing charge for the campaign while it is active. A transaction is a single GetRecommendations or GetPersonalizedRanking request. The default minProvisionedTPS is 1.

If your TPS increases beyond the minProvisionedTPS, Amazon Personalize auto-scales the provisioned capacity up and down, but never below minProvisionedTPS. There's a short time delay while the capacity is increased that might cause loss of transactions. When your traffic reduces, capacity returns to the minProvisionedTPS.

You are charged for the the minimum provisioned TPS or, if your requests exceed the minProvisionedTPS, the actual TPS. The actual TPS is the total number of recommendation requests you make. We recommend starting with a low minProvisionedTPS, track your usage using Amazon CloudWatch metrics, and then increase the minProvisionedTPS as necessary.

For more information about campaign costs, see Amazon Personalize pricing.

Status

A campaign can be in one of the following states:

To get the campaign status, call DescribeCampaign.

Wait until the status of the campaign is ACTIVE before asking the campaign for recommendations.

Related APIs

", "CreateDataset": "

Creates an empty dataset and adds it to the specified dataset group. Use CreateDatasetImportJob to import your training data to a dataset.

There are 5 types of datasets:

Each dataset type has an associated schema with required field types. Only the Item interactions dataset is required in order to train a model (also referred to as creating a solution).

A dataset can be in one of the following states:

To get the status of the dataset, call DescribeDataset.

Related APIs

", "CreateDatasetExportJob": "

Creates a job that exports data from your dataset to an Amazon S3 bucket. To allow Amazon Personalize to export the training data, you must specify an service-linked IAM role that gives Amazon Personalize PutObject permissions for your Amazon S3 bucket. For information, see Exporting a dataset in the Amazon Personalize developer guide.

Status

A dataset export job can be in one of the following states:

To get the status of the export job, call DescribeDatasetExportJob, and specify the Amazon Resource Name (ARN) of the dataset export job. The dataset export is complete when the status shows as ACTIVE. If the status shows as CREATE FAILED, the response includes a failureReason key, which describes why the job failed.

", "CreateDatasetGroup": "

Creates an empty dataset group. A dataset group is a container for Amazon Personalize resources. A dataset group can contain at most three datasets, one for each type of dataset:

A dataset group can be a Domain dataset group, where you specify a domain and use pre-configured resources like recommenders, or a Custom dataset group, where you use custom resources, such as a solution with a solution version, that you deploy with a campaign. If you start with a Domain dataset group, you can still add custom resources such as solutions and solution versions trained with recipes for custom use cases and deployed with campaigns.

A dataset group can be in one of the following states:

To get the status of the dataset group, call DescribeDatasetGroup. If the status shows as CREATE FAILED, the response includes a failureReason key, which describes why the creation failed.

You must wait until the status of the dataset group is ACTIVE before adding a dataset to the group.

You can specify an Key Management Service (KMS) key to encrypt the datasets in the group. If you specify a KMS key, you must also include an Identity and Access Management (IAM) role that has permission to access the key.

APIs that require a dataset group ARN in the request

Related APIs

", @@ -136,7 +136,7 @@ "CreateRecommenderRequest$recipeArn": "

The Amazon Resource Name (ARN) of the recipe that the recommender will use. For a recommender, a recipe is a Domain dataset group use case. Only Domain dataset group use cases can be used to create a recommender. For information about use cases see Choosing recommender use cases.

", "CreateRecommenderResponse$recommenderArn": "

The Amazon Resource Name (ARN) of the recommender.

", "CreateSchemaResponse$schemaArn": "

The Amazon Resource Name (ARN) of the created schema.

", - "CreateSolutionRequest$recipeArn": "

The ARN of the recipe to use for model training. This is required when performAutoML is false.

", + "CreateSolutionRequest$recipeArn": "

The Amazon Resource Name (ARN) of the recipe to use for model training. This is required when performAutoML is false. For information about different Amazon Personalize recipes and their ARNs, see Choosing a recipe.

", "CreateSolutionRequest$datasetGroupArn": "

The Amazon Resource Name (ARN) of the dataset group that provides the training data.

", "CreateSolutionResponse$solutionArn": "

The ARN of the solution.

", "CreateSolutionVersionRequest$solutionArn": "

The Amazon Resource Name (ARN) of the solution containing the training configuration information.

", @@ -357,11 +357,11 @@ "Boolean": { "base": null, "refs": { - "CampaignConfig$enableMetadataWithRecommendations": "

Whether metadata with recommendations is enabled for the campaign. If enabled, you can specify the columns from your Items dataset in your request for recommendations. Amazon Personalize returns this data for each item in the recommendation response.

If you enable metadata in recommendations, you will incur additional costs. For more information, see Amazon Personalize pricing.

", + "CampaignConfig$enableMetadataWithRecommendations": "

Whether metadata with recommendations is enabled for the campaign. If enabled, you can specify the columns from your Items dataset in your request for recommendations. Amazon Personalize returns this data for each item in the recommendation response. For information about enabling metadata for a campaign, see Enabling metadata in recommendations for a campaign.

If you enable metadata in recommendations, you will incur additional costs. For more information, see Amazon Personalize pricing.

", "CreateDatasetImportJobRequest$publishAttributionMetricsToS3": "

If you created a metric attribution, specify whether to publish metrics for this import job to Amazon S3

", "CreateSolutionRequest$performHPO": "

Whether to perform hyperparameter optimization (HPO) on the specified or selected recipe. The default is false.

When performing AutoML, this parameter is always true and you should not set it to false.

", "DatasetImportJob$publishAttributionMetricsToS3": "

Whether the job publishes metrics to Amazon S3 for a metric attribution.

", - "RecommenderConfig$enableMetadataWithRecommendations": "

Whether metadata with recommendations is enabled for the recommender. If enabled, you can specify the columns from your Items dataset in your request for recommendations. Amazon Personalize returns this data for each item in the recommendation response.

If you enable metadata in recommendations, you will incur additional costs. For more information, see Amazon Personalize pricing.

" + "RecommenderConfig$enableMetadataWithRecommendations": "

Whether metadata with recommendations is enabled for the recommender. If enabled, you can specify the columns from your Items dataset in your request for recommendations. Amazon Personalize returns this data for each item in the recommendation response. For information about enabling metadata for a recommender, see Enabling metadata in recommendations for a recommender.

If you enable metadata in recommendations, you will incur additional costs. For more information, see Amazon Personalize pricing.

" } }, "Campaign": { @@ -1736,7 +1736,7 @@ "PerformAutoML": { "base": null, "refs": { - "CreateSolutionRequest$performAutoML": "

We don't recommend enabling automated machine learning. Instead, match your use case to the available Amazon Personalize recipes. For more information, see Determining your use case.

Whether to perform automated machine learning (AutoML). The default is false. For this case, you must specify recipeArn.

When set to true, Amazon Personalize analyzes your training data and selects the optimal USER_PERSONALIZATION recipe and hyperparameters. In this case, you must omit recipeArn. Amazon Personalize determines the optimal recipe by running tests with different values for the hyperparameters. AutoML lengthens the training process as compared to selecting a specific recipe.

", + "CreateSolutionRequest$performAutoML": "

We don't recommend enabling automated machine learning. Instead, match your use case to the available Amazon Personalize recipes. For more information, see Choosing a recipe.

Whether to perform automated machine learning (AutoML). The default is false. For this case, you must specify recipeArn.

When set to true, Amazon Personalize analyzes your training data and selects the optimal USER_PERSONALIZATION recipe and hyperparameters. In this case, you must omit recipeArn. Amazon Personalize determines the optimal recipe by running tests with different values for the hyperparameters. AutoML lengthens the training process as compared to selecting a specific recipe.

", "Solution$performAutoML": "

We don't recommend enabling automated machine learning. Instead, match your use case to the available Amazon Personalize recipes. For more information, see Determining your use case.

When true, Amazon Personalize performs a search for the best USER_PERSONALIZATION recipe from the list specified in the solution configuration (recipeArn must not be specified). When false (the default), Amazon Personalize uses recipeArn for training.

", "SolutionVersion$performAutoML": "

When true, Amazon Personalize searches for the most optimal recipe according to the solution configuration. When false (the default), Amazon Personalize uses recipeArn.

" } diff --git a/models/apis/rekognition/2016-06-27/api-2.json b/models/apis/rekognition/2016-06-27/api-2.json index 0f7bf58a706..28fe66077b9 100644 --- a/models/apis/rekognition/2016-06-27/api-2.json +++ b/models/apis/rekognition/2016-06-27/api-2.json @@ -1775,6 +1775,19 @@ "TIMESTAMP" ] }, + "ContentType":{ + "type":"structure", + "members":{ + "Confidence":{"shape":"Percent"}, + "Name":{"shape":"String"} + } + }, + "ContentTypes":{ + "type":"list", + "member":{"shape":"ContentType"}, + "max":50, + "min":0 + }, "CopyProjectVersionRequest":{ "type":"structure", "required":[ @@ -2455,7 +2468,8 @@ "ModerationLabels":{"shape":"ModerationLabels"}, "ModerationModelVersion":{"shape":"String"}, "HumanLoopActivationOutput":{"shape":"HumanLoopActivationOutput"}, - "ProjectVersion":{"shape":"ProjectVersionId"} + "ProjectVersion":{"shape":"ProjectVersionId"}, + "ContentTypes":{"shape":"ContentTypes"} } }, "DetectProtectiveEquipmentRequest":{ @@ -3818,6 +3832,12 @@ "S3Object":{"shape":"S3Object"} } }, + "MediaAnalysisModelVersions":{ + "type":"structure", + "members":{ + "Moderation":{"shape":"String"} + } + }, "MediaAnalysisOperationsConfig":{ "type":"structure", "members":{ @@ -3835,7 +3855,8 @@ "MediaAnalysisResults":{ "type":"structure", "members":{ - "S3Object":{"shape":"S3Object"} + "S3Object":{"shape":"S3Object"}, + "ModelVersions":{"shape":"MediaAnalysisModelVersions"} } }, "MediaAnalysisS3KeyPrefix":{ @@ -3853,7 +3874,8 @@ "members":{ "Confidence":{"shape":"Percent"}, "Name":{"shape":"String"}, - "ParentName":{"shape":"String"} + "ParentName":{"shape":"String"}, + "TaxonomyLevel":{"shape":"UInteger"} } }, "ModerationLabels":{ diff --git a/models/apis/rekognition/2016-06-27/docs-2.json b/models/apis/rekognition/2016-06-27/docs-2.json index 8b26c05f867..efbcc7d7584 100644 --- a/models/apis/rekognition/2016-06-27/docs-2.json +++ b/models/apis/rekognition/2016-06-27/docs-2.json @@ -1,6 +1,6 @@ { "version": "2.0", - "service": "

This is the API Reference for Amazon Rekognition Image, Amazon Rekognition Custom Labels, Amazon Rekognition Stored Video, Amazon Rekognition Streaming Video. It provides descriptions of actions, data types, common parameters, and common errors.

Amazon Rekognition Image

Amazon Rekognition Custom Labels

Amazon Rekognition Video Stored Video

Amazon Rekognition Video Streaming Video

", + "service": "

This is the API Reference for Amazon Rekognition Image, Amazon Rekognition Custom Labels, Amazon Rekognition Stored Video, Amazon Rekognition Streaming Video. It provides descriptions of actions, data types, common parameters, and common errors.

Amazon Rekognition Image

Amazon Rekognition Custom Labels

Amazon Rekognition Video Stored Video

Amazon Rekognition Video Streaming Video

", "operations": { "AssociateFaces": "

Associates one or more faces with an existing UserID. Takes an array of FaceIds. Each FaceId that are present in the FaceIds list is associated with the provided UserID. The maximum number of total FaceIds per UserID is 100.

The UserMatchThreshold parameter specifies the minimum user match confidence required for the face to be associated with a UserID that has at least one FaceID already associated. This ensures that the FaceIds are associated with the right UserID. The value ranges from 0-100 and default value is 75.

If successful, an array of AssociatedFace objects containing the associated FaceIds is returned. If a given face is already associated with the given UserID, it will be ignored and will not be returned in the response. If a given face is already associated to a different UserID, isn't found in the collection, doesn’t meet the UserMatchThreshold, or there are already 100 faces associated with the UserID, it will be returned as part of an array of UnsuccessfulFaceAssociations.

The UserStatus reflects the status of an operation which updates a UserID representation with a list of given faces. The UserStatus can be:

", "CompareFaces": "

Compares a face in the source input image with each of the 100 largest faces detected in the target input image.

If the source image contains multiple faces, the service detects the largest face and compares it with each face detected in the target image.

CompareFaces uses machine learning algorithms, which are probabilistic. A false negative is an incorrect prediction that a face in the target image has a low similarity confidence score when compared to the face in the source image. To reduce the probability of false negatives, we recommend that you compare the target image against multiple source images. If you plan to use CompareFaces to make a decision that impacts an individual's rights, privacy, or access to services, we recommend that you pass the result to a human for review and further validation before taking action.

You pass the input and target images either as base64-encoded image bytes or as references to images in an Amazon S3 bucket. If you use the AWS CLI to call Amazon Rekognition operations, passing image bytes isn't supported. The image must be formatted as a PNG or JPEG file.

In response, the operation returns an array of face matches ordered by similarity score in descending order. For each face match, the response provides a bounding box of the face, facial landmarks, pose details (pitch, roll, and yaw), quality (brightness and sharpness), and confidence value (indicating the level of confidence that the bounding box contains a face). The response also provides a similarity score, which indicates how closely the faces match.

By default, only faces with a similarity score of greater than or equal to 80% are returned in the response. You can change this value by specifying the SimilarityThreshold parameter.

CompareFaces also returns an array of faces that don't match the source image. For each face, it returns a bounding box, confidence value, landmarks, pose details, and quality. The response also returns information about the face in the source image, including the bounding box of the face and confidence value.

The QualityFilter input parameter allows you to filter out detected faces that don’t meet a required quality bar. The quality bar is based on a variety of common use cases. Use QualityFilter to set the quality bar by specifying LOW, MEDIUM, or HIGH. If you do not want to filter detected faces, specify NONE. The default value is NONE.

If the image doesn't contain Exif metadata, CompareFaces returns orientation information for the source and target images. Use these values to display the images with the correct image orientation.

If no faces are detected in the source or target images, CompareFaces returns an InvalidParameterException error.

This is a stateless API operation. That is, data returned by this operation doesn't persist.

For an example, see Comparing Faces in Images in the Amazon Rekognition Developer Guide.

This operation requires permissions to perform the rekognition:CompareFaces action.

", @@ -25,7 +25,7 @@ "DescribeProjectVersions": "

Lists and describes the versions of an Amazon Rekognition project. You can specify up to 10 model or adapter versions in ProjectVersionArns. If you don't specify a value, descriptions for all model/adapter versions in the project are returned.

This operation requires permissions to perform the rekognition:DescribeProjectVersions action.

", "DescribeProjects": "

Gets information about your Rekognition projects.

This operation requires permissions to perform the rekognition:DescribeProjects action.

", "DescribeStreamProcessor": "

Provides information about a stream processor created by CreateStreamProcessor. You can get information about the input and output streams, the input parameters for the face recognition being performed, and the current status of the stream processor.

", - "DetectCustomLabels": "

This operation applies only to Amazon Rekognition Custom Labels.

Detects custom labels in a supplied image by using an Amazon Rekognition Custom Labels model.

You specify which version of a model version to use by using the ProjectVersionArn input parameter.

You pass the input image as base64-encoded image bytes or as a reference to an image in an Amazon S3 bucket. If you use the AWS CLI to call Amazon Rekognition operations, passing image bytes is not supported. The image must be either a PNG or JPEG formatted file.

For each object that the model version detects on an image, the API returns a (CustomLabel) object in an array (CustomLabels). Each CustomLabel object provides the label name (Name), the level of confidence that the image contains the object (Confidence), and object location information, if it exists, for the label on the image (Geometry).

To filter labels that are returned, specify a value for MinConfidence. DetectCustomLabelsLabels only returns labels with a confidence that's higher than the specified value. The value of MinConfidence maps to the assumed threshold values created during training. For more information, see Assumed threshold in the Amazon Rekognition Custom Labels Developer Guide. Amazon Rekognition Custom Labels metrics expresses an assumed threshold as a floating point value between 0-1. The range of MinConfidence normalizes the threshold value to a percentage value (0-100). Confidence responses from DetectCustomLabels are also returned as a percentage. You can use MinConfidence to change the precision and recall or your model. For more information, see Analyzing an image in the Amazon Rekognition Custom Labels Developer Guide.

If you don't specify a value for MinConfidence, DetectCustomLabels returns labels based on the assumed threshold of each label.

This is a stateless API operation. That is, the operation does not persist any data.

This operation requires permissions to perform the rekognition:DetectCustomLabels action.

For more information, see Analyzing an image in the Amazon Rekognition Custom Labels Developer Guide.

", + "DetectCustomLabels": "

This operation applies only to Amazon Rekognition Custom Labels.

Detects custom labels in a supplied image by using an Amazon Rekognition Custom Labels model.

You specify which version of a model version to use by using the ProjectVersionArn input parameter.

You pass the input image as base64-encoded image bytes or as a reference to an image in an Amazon S3 bucket. If you use the AWS CLI to call Amazon Rekognition operations, passing image bytes is not supported. The image must be either a PNG or JPEG formatted file.

For each object that the model version detects on an image, the API returns a (CustomLabel) object in an array (CustomLabels). Each CustomLabel object provides the label name (Name), the level of confidence that the image contains the object (Confidence), and object location information, if it exists, for the label on the image (Geometry). Note that for the DetectCustomLabelsLabels operation, Polygons are not returned in the Geometry section of the response.

To filter labels that are returned, specify a value for MinConfidence. DetectCustomLabelsLabels only returns labels with a confidence that's higher than the specified value. The value of MinConfidence maps to the assumed threshold values created during training. For more information, see Assumed threshold in the Amazon Rekognition Custom Labels Developer Guide. Amazon Rekognition Custom Labels metrics expresses an assumed threshold as a floating point value between 0-1. The range of MinConfidence normalizes the threshold value to a percentage value (0-100). Confidence responses from DetectCustomLabels are also returned as a percentage. You can use MinConfidence to change the precision and recall or your model. For more information, see Analyzing an image in the Amazon Rekognition Custom Labels Developer Guide.

If you don't specify a value for MinConfidence, DetectCustomLabels returns labels based on the assumed threshold of each label.

This is a stateless API operation. That is, the operation does not persist any data.

This operation requires permissions to perform the rekognition:DetectCustomLabels action.

For more information, see Analyzing an image in the Amazon Rekognition Custom Labels Developer Guide.

", "DetectFaces": "

Detects faces within an image that is provided as input.

DetectFaces detects the 100 largest faces in the image. For each face detected, the operation returns face details. These details include a bounding box of the face, a confidence value (that the bounding box contains a face), and a fixed set of attributes such as facial landmarks (for example, coordinates of eye and mouth), pose, presence of facial occlusion, and so on.

The face-detection algorithm is most effective on frontal faces. For non-frontal or obscured faces, the algorithm might not detect the faces or might detect faces with lower confidence.

You pass the input image either as base64-encoded image bytes or as a reference to an image in an Amazon S3 bucket. If you use the AWS CLI to call Amazon Rekognition operations, passing image bytes is not supported. The image must be either a PNG or JPEG formatted file.

This is a stateless API operation. That is, the operation does not persist any data.

This operation requires permissions to perform the rekognition:DetectFaces action.

", "DetectLabels": "

Detects instances of real-world entities within an image (JPEG or PNG) provided as input. This includes objects like flower, tree, and table; events like wedding, graduation, and birthday party; and concepts like landscape, evening, and nature.

For an example, see Analyzing images stored in an Amazon S3 bucket in the Amazon Rekognition Developer Guide.

You pass the input image as base64-encoded image bytes or as a reference to an image in an Amazon S3 bucket. If you use the AWS CLI to call Amazon Rekognition operations, passing image bytes is not supported. The image must be either a PNG or JPEG formatted file.

Optional Parameters

You can specify one or both of the GENERAL_LABELS and IMAGE_PROPERTIES feature types when calling the DetectLabels API. Including GENERAL_LABELS will ensure the response includes the labels detected in the input image, while including IMAGE_PROPERTIES will ensure the response includes information about the image quality and color.

When using GENERAL_LABELS and/or IMAGE_PROPERTIES you can provide filtering criteria to the Settings parameter. You can filter with sets of individual labels or with label categories. You can specify inclusive filters, exclusive filters, or a combination of inclusive and exclusive filters. For more information on filtering see Detecting Labels in an Image.

When getting labels, you can specify MinConfidence to control the confidence threshold for the labels returned. The default is 55%. You can also add the MaxLabels parameter to limit the number of labels returned. The default and upper limit is 1000 labels. These arguments are only valid when supplying GENERAL_LABELS as a feature type.

Response Elements

For each object, scene, and concept the API returns one or more labels. The API returns the following types of information about labels:

The API returns the following information regarding the image, as part of the ImageProperties structure:

The list of returned labels will include at least one label for every detected object, along with information about that label. In the following example, suppose the input image has a lighthouse, the sea, and a rock. The response includes all three labels, one for each object, as well as the confidence in the label:

{Name: lighthouse, Confidence: 98.4629}

{Name: rock,Confidence: 79.2097}

{Name: sea,Confidence: 75.061}

The list of labels can include multiple labels for the same object. For example, if the input image shows a flower (for example, a tulip), the operation might return the following three labels.

{Name: flower,Confidence: 99.0562}

{Name: plant,Confidence: 99.0562}

{Name: tulip,Confidence: 99.0562}

In this example, the detection algorithm more precisely identifies the flower as a tulip.

If the object detected is a person, the operation doesn't provide the same facial details that the DetectFaces operation provides.

This is a stateless API operation that doesn't return any data.

This operation requires permissions to perform the rekognition:DetectLabels action.

", "DetectModerationLabels": "

Detects unsafe content in a specified JPEG or PNG format image. Use DetectModerationLabels to moderate images depending on your requirements. For example, you might want to filter images that contain nudity, but not images containing suggestive content.

To filter images, use the labels returned by DetectModerationLabels to determine which types of content are appropriate.

For information about moderation labels, see Detecting Unsafe Content in the Amazon Rekognition Developer Guide.

You pass the input image either as base64-encoded image bytes or as a reference to an image in an Amazon S3 bucket. If you use the AWS CLI to call Amazon Rekognition operations, passing image bytes is not supported. The image must be either a PNG or JPEG formatted file.

You can specify an adapter to use when retrieving label predictions by providing a ProjectVersionArn to the ProjectVersion argument.

", @@ -123,7 +123,7 @@ "AssociatedFacesList": { "base": null, "refs": { - "AssociateFacesResponse$AssociatedFaces": "

An array of AssociatedFace objects containing FaceIDs that are successfully associated with the UserID is returned. Returned if the AssociateFaces action is successful.

" + "AssociateFacesResponse$AssociatedFaces": "

An array of AssociatedFace objects containing FaceIDs that have been successfully associated with the UserID. Returned if the AssociateFaces action is successful.

" } }, "Attribute": { @@ -441,6 +441,18 @@ "GetContentModerationRequestMetadata$SortBy": "

The sorting method chosen for a GetContentModeration request.

" } }, + "ContentType": { + "base": "

Contains information regarding the confidence and name of a detected content type.

", + "refs": { + "ContentTypes$member": null + } + }, + "ContentTypes": { + "base": null, + "refs": { + "DetectModerationLabelsResponse$ContentTypes": "

A list of predicted results for the type of content an image contains. For example, the image content might be from animation, sports, or a video game.

" + } + }, "CopyProjectVersionRequest": { "base": null, "refs": { @@ -2119,6 +2131,12 @@ "MediaAnalysisJobDescription$ManifestSummary": "

Provides statistics on input manifest and errors identified in the input manifest.

" } }, + "MediaAnalysisModelVersions": { + "base": "

Object containing information about the model versions of selected features in a given job.

", + "refs": { + "MediaAnalysisResults$ModelVersions": "

Information about the model versions for the features selected in a given job.

" + } + }, "MediaAnalysisOperationsConfig": { "base": "

Configuration options for a media analysis job. Configuration is operation-specific.

", "refs": { @@ -2271,6 +2289,7 @@ "ComparedSourceImageFace$Confidence": "

Confidence level that the selected bounding box contains a face.

", "ConnectedHomeSettings$MinConfidence": "

The minimum confidence required to label an object in the video.

", "ConnectedHomeSettingsForUpdate$MinConfidence": "

The minimum confidence required to label an object in the video.

", + "ContentType$Confidence": "

The confidence level of the label given

", "CoversBodyPart$Confidence": "

The confidence that Amazon Rekognition has in the value of Value.

", "CustomLabel$Confidence": "

The confidence that the model has in the detection of the custom label. The range is 0-100. A higher value indicates a higher confidence.

", "CustomizationFeatureContentModerationConfig$ConfidenceThreshold": "

The confidence level you plan to use to identify if unsafe content is present during inference.

", @@ -3158,6 +3177,7 @@ "AudioMetadata$Codec": "

The audio codec used to encode or decode the audio stream.

", "Celebrity$Name": "

The name of the celebrity.

", "CelebrityDetail$Name": "

The name of the celebrity.

", + "ContentType$Name": "

The name of the label

", "CreateCollectionResponse$CollectionArn": "

Amazon Resource Name (ARN) of the collection. You can use this to manage permissions on your resources.

", "CreateCollectionResponse$FaceModelVersion": "

Version number of the face detection model associated with the collection you are creating.

", "CustomLabel$Name": "

The name of the custom label.

", @@ -3186,6 +3206,7 @@ "ListFacesResponse$NextToken": "

If the response is truncated, Amazon Rekognition returns this token that you can use in the subsequent request to retrieve the next set of faces.

", "ListFacesResponse$FaceModelVersion": "

Version number of the face detection model associated with the input collection (CollectionId).

", "MediaAnalysisJobFailureDetails$Message": "

Human readable error message.

", + "MediaAnalysisModelVersions$Moderation": "

The Moderation base model version.

", "ModerationLabel$Name": "

The label name for the type of unsafe content detected in the image.

", "ModerationLabel$ParentName": "

The name for the parent label. Labels at the top level of the hierarchy have the parent label \"\".

", "Parent$Name": "

The name of the parent label.

", @@ -3368,6 +3389,7 @@ "DominantColor$Red": "

The Red RGB value for a dominant color.

", "DominantColor$Blue": "

The Blue RGB value for a dominant color.

", "DominantColor$Green": "

The Green RGB value for a dominant color.

", + "ModerationLabel$TaxonomyLevel": "

The level of the moderation label with regard to its taxonomy, from 1 to 3.

", "ProtectiveEquipmentPerson$Id": "

The identifier for the detected person. The identifier is only unique for a single call to DetectProtectiveEquipment.

", "ProtectiveEquipmentPersonIds$member": null, "TextDetection$Id": "

The identifier for the detected text. The identifier is only unique for a single call to DetectText.

", diff --git a/models/apis/securityhub/2018-10-26/docs-2.json b/models/apis/securityhub/2018-10-26/docs-2.json index 275c5e967d7..10d13207f36 100644 --- a/models/apis/securityhub/2018-10-26/docs-2.json +++ b/models/apis/securityhub/2018-10-26/docs-2.json @@ -1,6 +1,6 @@ { "version": "2.0", - "service": "

Security Hub provides you with a comprehensive view of the security state of your Amazon Web Services environment and resources. It also provides you with the readiness status of your environment based on controls from supported security standards. Security Hub collects security data from Amazon Web Services accounts, services, and integrated third-party products and helps you analyze security trends in your environment to identify the highest priority security issues. For more information about Security Hub, see the Security Hub User Guide .

When you use operations in the Security Hub API, the requests are executed only in the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, run the same command for each Region in which you want to apply the change.

For example, if your Region is set to us-west-2, when you use CreateMembers to add a member account to Security Hub, the association of the member account with the administrator account is created only in the us-west-2 Region. Security Hub must be enabled for the member account in the same Region that the invitation was sent from.

The following throttling limits apply to using Security Hub API operations.

", + "service": "

Security Hub provides you with a comprehensive view of your security state in Amazon Web Services and helps you assess your Amazon Web Services environment against security industry standards and best practices.

Security Hub collects security data across Amazon Web Services accounts, Amazon Web Services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.

To help you manage the security state of your organization, Security Hub supports multiple security standards. These include the Amazon Web Services Foundational Security Best Practices (FSBP) standard developed by Amazon Web Services, and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes several security controls, each of which represents a security best practice. Security Hub runs checks against security controls and generates control findings to help you assess your compliance against security best practices.

In addition to generating control findings, Security Hub also receives findings from other Amazon Web Services, such as Amazon GuardDuty and Amazon Inspector, and supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You can also send Security Hub findings to other Amazon Web Services and supported third-party products.

Security Hub offers automation features that help you triage and remediate security issues. For example, you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with Amazon EventBridge to trigger automatic responses to specific findings.

This guide, the Security Hub API Reference, provides information about the Security Hub API. This includes supported resources, HTTP methods, parameters, and schemas. If you're new to Security Hub, you might find it helpful to also review the Security Hub User Guide . The user guide explains key concepts and provides procedures that demonstrate how to use Security Hub features. It also provides information about topics such as integrating Security Hub with other Amazon Web Services.

In addition to interacting with Security Hub by making calls to the Security Hub API, you can use a current version of an Amazon Web Services command line tool or SDK. Amazon Web Services provides tools and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell, Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to Security Hub and other Amazon Web Services . They also handle tasks such as signing requests, managing errors, and retrying requests automatically. For information about installing and using the Amazon Web Services tools and SDKs, see Tools to Build on Amazon Web Services.

With the exception of operations that are related to central configuration, Security Hub API requests are executed only in the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, call the same API operation in each Region in which you want to apply the change. When you use central configuration, API requests for enabling Security Hub, standards, and controls are executed in the home Region and all linked Regions. For a list of central configuration operations, see the Central configuration terms and concepts section of the Security Hub User Guide.

The following throttling limits apply to Security Hub API operations.

", "operations": { "AcceptAdministratorInvitation": "

Accepts the invitation to be a member account and be monitored by the Security Hub administrator account that the invitation was sent from.

This operation is only used by member accounts that are not added through Organizations.

When the member account accepts the invitation, permission is granted to the administrator account to view findings generated in the member account.

", "AcceptInvitation": "

This method is deprecated. Instead, use AcceptAdministratorInvitation.

The Security Hub console continues to use AcceptInvitation. It will eventually change to use AcceptAdministratorInvitation. Any IAM policies that specifically control access to this function must continue to use AcceptInvitation. You should also add AcceptAdministratorInvitation to your policies to ensure that the correct permissions are in place after the console begins to use AcceptAdministratorInvitation.

Accepts the invitation to be a member account and be monitored by the Security Hub administrator account that the invitation was sent from.

This operation is only used by member accounts that are not added through Organizations.

When the member account accepts the invitation, permission is granted to the administrator account to view findings generated in the member account.

", @@ -8089,7 +8089,7 @@ "AwsLambdaFunctionDetails$Architectures": "

The instruction set architecture that the function uses. Valid values are x86_64 or arm64.

", "AwsLambdaFunctionVpcConfig$SecurityGroupIds": "

A list of VPC security groups IDs.

", "AwsLambdaFunctionVpcConfig$SubnetIds": "

A list of VPC subnet IDs.

", - "AwsLambdaLayerVersionDetails$CompatibleRuntimes": "

The layer's compatible runtimes. Maximum number of five items.

Valid values: nodejs10.x | nodejs12.x | java8 | java11 | python2.7 | python3.6 | python3.7 | python3.8 | dotnetcore1.0 | dotnetcore2.1 | go1.x | ruby2.5 | provided

", + "AwsLambdaLayerVersionDetails$CompatibleRuntimes": "

The layer's compatible function runtimes.

The following list includes deprecated runtimes. For more information, see Runtime deprecation policy in the Lambda Developer Guide.

Array Members: Maximum number of 5 items.

Valid Values: nodejs | nodejs4.3 | nodejs6.10 | nodejs8.10 | nodejs10.x | nodejs12.x | nodejs14.x | nodejs16.x | java8 | java8.al2 | java11 | python2.7 | python3.6 | python3.7 | python3.8 | python3.9 | dotnetcore1.0 | dotnetcore2.0 | dotnetcore2.1 | dotnetcore3.1 | dotnet6 | nodejs4.3-edge | go1.x | ruby2.5 | ruby2.7 | provided | provided.al2 | nodejs18.x | python3.10 | java17 | ruby3.2 | python3.11 | nodejs20.x | provided.al2023 | python3.12 | java21

", "AwsOpenSearchServiceDomainVpcOptionsDetails$SecurityGroupIds": "

The list of security group IDs that are associated with the VPC endpoints for the domain.

", "AwsOpenSearchServiceDomainVpcOptionsDetails$SubnetIds": "

A list of subnet IDs that are associated with the VPC endpoints for the domain.

", "AwsRdsDbClusterSnapshotDbClusterSnapshotAttribute$AttributeValues": "

The value(s) for the manual DB cluster snapshot attribute. If the AttributeName field is set to restore, then this element returns a list of IDs of the Amazon Web Services accounts that are authorized to copy or restore the manual DB cluster snapshot. If a value of all is in the list, then the manual DB cluster snapshot is public and available for any Amazon Web Services account to copy or restore.

", diff --git a/models/endpoints/endpoints.json b/models/endpoints/endpoints.json index 56197ac1668..1d0ff98ced9 100644 --- a/models/endpoints/endpoints.json +++ b/models/endpoints/endpoints.json @@ -12585,6 +12585,12 @@ }, "hostname" : "oidc.il-central-1.amazonaws.com" }, + "me-central-1" : { + "credentialScope" : { + "region" : "me-central-1" + }, + "hostname" : "oidc.me-central-1.amazonaws.com" + }, "me-south-1" : { "credentialScope" : { "region" : "me-south-1" diff --git a/service/iot/api.go b/service/iot/api.go index 3103d8a4c69..9c3c5fabed5 100644 --- a/service/iot/api.go +++ b/service/iot/api.go @@ -74603,12 +74603,6 @@ const ( // LogTargetTypePrincipalId is a LogTargetType enum value LogTargetTypePrincipalId = "PRINCIPAL_ID" - - // LogTargetTypeEventType is a LogTargetType enum value - LogTargetTypeEventType = "EVENT_TYPE" - - // LogTargetTypeDeviceDefender is a LogTargetType enum value - LogTargetTypeDeviceDefender = "DEVICE_DEFENDER" ) // LogTargetType_Values returns all elements of the LogTargetType enum @@ -74619,8 +74613,6 @@ func LogTargetType_Values() []string { LogTargetTypeClientId, LogTargetTypeSourceIp, LogTargetTypePrincipalId, - LogTargetTypeEventType, - LogTargetTypeDeviceDefender, } } diff --git a/service/iotfleetwise/api.go b/service/iotfleetwise/api.go index df921e9ba75..2143d7c95ab 100644 --- a/service/iotfleetwise/api.go +++ b/service/iotfleetwise/api.go @@ -7129,7 +7129,7 @@ type ConditionBasedCollectionScheme struct { ConditionLanguageVersion *int64 `locationName:"conditionLanguageVersion" min:"1" type:"integer"` // The logical expression used to recognize what data to collect. For example, - // $variable.Vehicle.OutsideAirTemperature >= 105.0. + // $variable.`Vehicle.OutsideAirTemperature` >= 105.0. // // Expression is a required field Expression *string `locationName:"expression" min:"1" type:"string" required:"true"` @@ -12916,6 +12916,9 @@ type ListSignalCatalogNodesInput struct { // token. When all results have been returned, the response does not contain // a pagination token value. NextToken *string `locationName:"nextToken" min:"1" type:"string"` + + // The type of node in the signal catalog. + SignalNodeType *string `locationName:"signalNodeType" type:"string" enum:"SignalNodeType"` } // String returns the string representation. @@ -12976,6 +12979,12 @@ func (s *ListSignalCatalogNodesInput) SetNextToken(v string) *ListSignalCatalogN return s } +// SetSignalNodeType sets the SignalNodeType field's value. +func (s *ListSignalCatalogNodesInput) SetSignalNodeType(v string) *ListSignalCatalogNodesInput { + s.SignalNodeType = &v + return s +} + type ListSignalCatalogNodesOutput struct { _ struct{} `type:"structure"` @@ -17502,6 +17511,11 @@ type VehicleSummary struct { // Arn is a required field Arn *string `locationName:"arn" type:"string" required:"true"` + // Static information about a vehicle in a key-value pair. For example: + // + // "engineType" : "1.3 L R2" + Attributes map[string]*string `locationName:"attributes" type:"map"` + // The time the vehicle was created in seconds since epoch (January 1, 1970 // at midnight UTC time). // @@ -17554,6 +17568,12 @@ func (s *VehicleSummary) SetArn(v string) *VehicleSummary { return s } +// SetAttributes sets the Attributes field's value. +func (s *VehicleSummary) SetAttributes(v map[string]*string) *VehicleSummary { + s.Attributes = v + return s +} + // SetCreationTime sets the CreationTime field's value. func (s *VehicleSummary) SetCreationTime(v time.Time) *VehicleSummary { s.CreationTime = &v @@ -18104,6 +18124,38 @@ func SignalDecoderType_Values() []string { } } +const ( + // SignalNodeTypeSensor is a SignalNodeType enum value + SignalNodeTypeSensor = "SENSOR" + + // SignalNodeTypeActuator is a SignalNodeType enum value + SignalNodeTypeActuator = "ACTUATOR" + + // SignalNodeTypeAttribute is a SignalNodeType enum value + SignalNodeTypeAttribute = "ATTRIBUTE" + + // SignalNodeTypeBranch is a SignalNodeType enum value + SignalNodeTypeBranch = "BRANCH" + + // SignalNodeTypeCustomStruct is a SignalNodeType enum value + SignalNodeTypeCustomStruct = "CUSTOM_STRUCT" + + // SignalNodeTypeCustomProperty is a SignalNodeType enum value + SignalNodeTypeCustomProperty = "CUSTOM_PROPERTY" +) + +// SignalNodeType_Values returns all elements of the SignalNodeType enum +func SignalNodeType_Values() []string { + return []string{ + SignalNodeTypeSensor, + SignalNodeTypeActuator, + SignalNodeTypeAttribute, + SignalNodeTypeBranch, + SignalNodeTypeCustomStruct, + SignalNodeTypeCustomProperty, + } +} + const ( // SpoolingModeOff is a SpoolingMode enum value SpoolingModeOff = "OFF" diff --git a/service/macie2/api.go b/service/macie2/api.go index 488e66159b9..8ad699282ee 100644 --- a/service/macie2/api.go +++ b/service/macie2/api.go @@ -23901,11 +23901,11 @@ func (s UpdateResourceProfileOutput) GoString() string { // Specifies the access method and settings to use when retrieving occurrences // of sensitive data reported by findings. If your request specifies an Identity -// and Access Management (IAM) role to assume when retrieving the sensitive -// data, Amazon Macie verifies that the role exists and the attached policies -// are configured correctly. If there's an issue, Macie returns an error. For -// information about addressing the issue, see Retrieving sensitive data samples -// with findings (https://docs.aws.amazon.com/macie/latest/user/findings-retrieve-sd.html) +// and Access Management (IAM) role to assume, Amazon Macie verifies that the +// role exists and the attached policies are configured correctly. If there's +// an issue, Macie returns an error. For information about addressing the issue, +// see Configuration options and requirements for retrieving sensitive data +// samples (https://docs.aws.amazon.com/macie/latest/user/findings-retrieve-sd-options.html) // in the Amazon Macie User Guide. type UpdateRetrievalConfiguration struct { _ struct{} `type:"structure"` @@ -23967,12 +23967,12 @@ func (s *UpdateRetrievalConfiguration) SetRoleName(v string) *UpdateRetrievalCon // Specifies configuration settings for retrieving occurrences of sensitive // data reported by findings, and the status of the configuration for an Amazon -// Macie account. If you don't specify retrievalConfiguration values for an +// Macie account. If you don't specify retrievalConfiguration settings for an // existing configuration, Macie sets the access method to CALLER_CREDENTIALS. // If your current access method is ASSUME_ROLE, Macie also deletes the external // ID and role name currently specified for the configuration. To keep these -// settings for an existing configuration, specify the current retrievalConfiguration -// values in your request. +// settings for an existing configuration, specify your current retrievalConfiguration +// settings in your request. type UpdateRevealConfigurationInput struct { _ struct{} `type:"structure"` @@ -23987,11 +23987,11 @@ type UpdateRevealConfigurationInput struct { // Specifies the access method and settings to use when retrieving occurrences // of sensitive data reported by findings. If your request specifies an Identity - // and Access Management (IAM) role to assume when retrieving the sensitive - // data, Amazon Macie verifies that the role exists and the attached policies - // are configured correctly. If there's an issue, Macie returns an error. For - // information about addressing the issue, see Retrieving sensitive data samples - // with findings (https://docs.aws.amazon.com/macie/latest/user/findings-retrieve-sd.html) + // and Access Management (IAM) role to assume, Amazon Macie verifies that the + // role exists and the attached policies are configured correctly. If there's + // an issue, Macie returns an error. For information about addressing the issue, + // see Configuration options and requirements for retrieving sensitive data + // samples (https://docs.aws.amazon.com/macie/latest/user/findings-retrieve-sd-options.html) // in the Amazon Macie User Guide. RetrievalConfiguration *UpdateRetrievalConfiguration `locationName:"retrievalConfiguration" type:"structure"` } @@ -25044,6 +25044,9 @@ const ( // EncryptionTypeUnknown is a EncryptionType enum value EncryptionTypeUnknown = "UNKNOWN" + + // EncryptionTypeAwsKmsDsse is a EncryptionType enum value + EncryptionTypeAwsKmsDsse = "aws:kms:dsse" ) // EncryptionType_Values returns all elements of the EncryptionType enum @@ -25053,6 +25056,7 @@ func EncryptionType_Values() []string { EncryptionTypeAes256, EncryptionTypeAwsKms, EncryptionTypeUnknown, + EncryptionTypeAwsKmsDsse, } } @@ -25913,6 +25917,9 @@ const ( // TypeAwsKms is a Type enum value TypeAwsKms = "aws:kms" + + // TypeAwsKmsDsse is a Type enum value + TypeAwsKmsDsse = "aws:kms:dsse" ) // Type_Values returns all elements of the Type enum @@ -25921,6 +25928,7 @@ func Type_Values() []string { TypeNone, TypeAes256, TypeAwsKms, + TypeAwsKmsDsse, } } diff --git a/service/paymentcryptography/api.go b/service/paymentcryptography/api.go index 2e489559552..48bb579be67 100644 --- a/service/paymentcryptography/api.go +++ b/service/paymentcryptography/api.go @@ -573,15 +573,19 @@ func (c *PaymentCryptography) ExportKeyRequest(input *ExportKeyInput) (req *requ // For symmetric key exchange, Amazon Web Services Payment Cryptography uses // the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And for asymmetric // key exchange, Amazon Web Services Payment Cryptography supports ANSI X9 TR-34 -// norm . Asymmetric key exchange methods are typically used to establish bi-directional -// trust between the two parties exhanging keys and are used for initial key -// exchange such as Key Encryption Key (KEK). After which you can export working -// keys using symmetric method to perform various cryptographic operations within -// Amazon Web Services Payment Cryptography. +// norm and RSA wrap and unwrap key exchange mechanism. Asymmetric key exchange +// methods are typically used to establish bi-directional trust between the +// two parties exhanging keys and are used for initial key exchange such as +// Key Encryption Key (KEK). After which you can export working keys using symmetric +// method to perform various cryptographic operations within Amazon Web Services +// Payment Cryptography. // // The TR-34 norm is intended for exchanging 3DES keys only and keys are imported // in a WrappedKeyBlock format. Key attributes (such as KeyUsage, KeyAlgorithm, -// KeyModesOfUse, Exportability) are contained within the key block. +// KeyModesOfUse, Exportability) are contained within the key block. With RSA +// wrap and unwrap, you can exchange both 3DES and AES-128 keys. The keys are +// imported in a WrappedKeyCryptogram format and you will need to specify the +// key attributes during import. // // You can also use ExportKey functionality to generate and export an IPEK (Initial // Pin Encryption Key) from Amazon Web Services Payment Cryptography using either @@ -590,7 +594,7 @@ func (c *PaymentCryptography) ExportKeyRequest(input *ExportKeyInput) (req *requ // IPEK does not persist within Amazon Web Services Payment Cryptography and // has to be re-generated each time during export. // -// # To export KEK or IPEK using TR-34 +// # To export initial keys (KEK) or IPEK using TR-34 // // Using this operation, you can export initial key using TR-34 asymmetric key // exchange. You can only export KEK generated within Amazon Web Services Payment @@ -644,7 +648,32 @@ func (c *PaymentCryptography) ExportKeyRequest(input *ExportKeyInput) (req *requ // When this operation is successful, Amazon Web Services Payment Cryptography // returns the KEK or IPEK as a TR-34 WrappedKeyBlock. // -// # To export WK (Working Key) or IPEK using TR-31 +// # To export initial keys (KEK) or IPEK using RSA Wrap and Unwrap +// +// Using this operation, you can export initial key using asymmetric RSA wrap +// and unwrap key exchange method. To initiate export, generate an asymmetric +// key pair on the receiving HSM and obtain the public key certificate in PEM +// format (base64 encoded) for the purpose of wrapping and the root certifiate +// chain. Import the root certificate into Amazon Web Services Payment Cryptography +// by calling ImportKey for RootCertificatePublicKey. +// +// Next call ExportKey and set the following parameters: +// +// - CertificateAuthorityPublicKeyIdentifier: The KeyARN of the certificate +// chain that signed wrapping key certificate. +// +// - KeyMaterial: Set to KeyCryptogram. +// +// - WrappingKeyCertificate: The public key certificate in PEM format (base64 +// encoded) obtained by the receiving HSM and signed by the root certificate +// (CertificateAuthorityPublicKeyIdentifier) imported into Amazon Web Services +// Payment Cryptography. The receiving HSM uses its private key component +// to unwrap the WrappedKeyCryptogram. +// +// When this operation is successful, Amazon Web Services Payment Cryptography +// returns the WrappedKeyCryptogram. +// +// # To export working keys or IPEK using TR-31 // // Using this operation, you can export working keys or IPEK using TR-31 symmetric // key exchange. In TR-31, you must use an initial key such as KEK to encrypt @@ -662,7 +691,7 @@ func (c *PaymentCryptography) ExportKeyRequest(input *ExportKeyInput) (req *requ // - KeyMaterial: Use Tr31KeyBlock parameters. // // When this operation is successful, Amazon Web Services Payment Cryptography -// returns the WK or IPEK as a TR-31 WrappedKeyBlock. +// returns the working key or IPEK as a TR-31 WrappedKeyBlock. // // Cross-account use: This operation can't be used across different Amazon Web // Services accounts. @@ -1103,7 +1132,8 @@ func (c *PaymentCryptography) GetParametersForImportRequest(input *GetParameters // GetParametersForImport API operation for Payment Cryptography Control Plane. // // Gets the import token and the wrapping key certificate in PEM format (base64 -// encoded) to initiate a TR-34 WrappedKeyBlock. +// encoded) to initiate a TR-34 WrappedKeyBlock or a RSA WrappedKeyCryptogram +// import into Amazon Web Services Payment Cryptography. // // The wrapping key certificate wraps the key under import. The import token // and wrapping key certificate must be in place and operational before calling @@ -1334,15 +1364,19 @@ func (c *PaymentCryptography) ImportKeyRequest(input *ImportKeyInput) (req *requ // For symmetric key exchange, Amazon Web Services Payment Cryptography uses // the ANSI X9 TR-31 norm in accordance with PCI PIN guidelines. And for asymmetric // key exchange, Amazon Web Services Payment Cryptography supports ANSI X9 TR-34 -// norm . Asymmetric key exchange methods are typically used to establish bi-directional -// trust between the two parties exhanging keys and are used for initial key -// exchange such as Key Encryption Key (KEK) or Zone Master Key (ZMK). After -// which you can import working keys using symmetric method to perform various -// cryptographic operations within Amazon Web Services Payment Cryptography. +// norm and RSA wrap and unwrap key exchange mechanisms. Asymmetric key exchange +// methods are typically used to establish bi-directional trust between the +// two parties exhanging keys and are used for initial key exchange such as +// Key Encryption Key (KEK) or Zone Master Key (ZMK). After which you can import +// working keys using symmetric method to perform various cryptographic operations +// within Amazon Web Services Payment Cryptography. // // The TR-34 norm is intended for exchanging 3DES keys only and keys are imported // in a WrappedKeyBlock format. Key attributes (such as KeyUsage, KeyAlgorithm, -// KeyModesOfUse, Exportability) are contained within the key block. +// KeyModesOfUse, Exportability) are contained within the key block. With RSA +// wrap and unwrap, you can exchange both 3DES and AES-128 keys. The keys are +// imported in a WrappedKeyCryptogram format and you will need to specify the +// key attributes during import. // // You can also import a root public key certificate, used to sign other public // key certificates, or a trusted public key certificate under an already established @@ -1390,7 +1424,7 @@ func (c *PaymentCryptography) ImportKeyRequest(input *ImportKeyInput) (req *requ // - PublicKeyCertificate: The trusted public key certificate in PEM format // (base64 encoded) under import. // -// # To import KEK or ZMK using TR-34 +// # To import initial keys (KEK or ZMK or similar) using TR-34 // // Using this operation, you can import initial key using TR-34 asymmetric key // exchange. In TR-34 terminology, the sending party of the key is called Key @@ -1435,7 +1469,22 @@ func (c *PaymentCryptography) ImportKeyRequest(input *ImportKeyInput) (req *requ // encoded) of the KDH signing key generated under the root certificate (CertificateAuthorityPublicKeyIdentifier) // imported in Amazon Web Services Payment Cryptography. // -// # To import WK (Working Key) using TR-31 +// # To import initial keys (KEK or ZMK or similar) using RSA Wrap and Unwrap +// +// Using this operation, you can import initial key using asymmetric RSA wrap +// and unwrap key exchange method. To initiate import, call GetParametersForImport +// with KeyMaterial set to KEY_CRYPTOGRAM to generate an import token. This +// operation also generates an encryption keypair for the purpose of key import, +// signs the key and returns back the wrapping key certificate in PEM format +// (base64 encoded) and its root certificate chain. The import token and associated +// KRD wrapping certificate expires after 7 days. +// +// You must trust and install the wrapping certificate and its certificate chain +// on the sending HSM and use it to wrap the key under export for WrappedKeyCryptogram +// generation. Next call ImportKey with KeyMaterial set to KEY_CRYPTOGRAM and +// provide the ImportToken and KeyAttributes for the key under import. +// +// # To import working keys using TR-31 // // Amazon Web Services Payment Cryptography uses TR-31 symmetric key exchange // norm to import working keys. A KEK must be established within Amazon Web @@ -3431,6 +3480,89 @@ func (s *ExportDukptInitialKey) SetKeySerialNumber(v string) *ExportDukptInitial return s } +// Parameter information for key material export using asymmetric RSA wrap and +// unwrap key exchange method. +type ExportKeyCryptogram struct { + _ struct{} `type:"structure"` + + // The KeyARN of the certificate chain that signs the wrapping key certificate + // during RSA wrap and unwrap key export. + // + // CertificateAuthorityPublicKeyIdentifier is a required field + CertificateAuthorityPublicKeyIdentifier *string `min:"7" type:"string" required:"true"` + + // The wrapping key certificate in PEM format (base64 encoded). Amazon Web Services + // Payment Cryptography uses this certificate to wrap the key under export. + // + // WrappingKeyCertificate is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by ExportKeyCryptogram's + // String and GoString methods. + // + // WrappingKeyCertificate is a required field + WrappingKeyCertificate *string `min:"1" type:"string" required:"true" sensitive:"true"` + + // The wrapping spec for the key under export. + WrappingSpec *string `type:"string" enum:"WrappingKeySpec"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ExportKeyCryptogram) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ExportKeyCryptogram) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ExportKeyCryptogram) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ExportKeyCryptogram"} + if s.CertificateAuthorityPublicKeyIdentifier == nil { + invalidParams.Add(request.NewErrParamRequired("CertificateAuthorityPublicKeyIdentifier")) + } + if s.CertificateAuthorityPublicKeyIdentifier != nil && len(*s.CertificateAuthorityPublicKeyIdentifier) < 7 { + invalidParams.Add(request.NewErrParamMinLen("CertificateAuthorityPublicKeyIdentifier", 7)) + } + if s.WrappingKeyCertificate == nil { + invalidParams.Add(request.NewErrParamRequired("WrappingKeyCertificate")) + } + if s.WrappingKeyCertificate != nil && len(*s.WrappingKeyCertificate) < 1 { + invalidParams.Add(request.NewErrParamMinLen("WrappingKeyCertificate", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCertificateAuthorityPublicKeyIdentifier sets the CertificateAuthorityPublicKeyIdentifier field's value. +func (s *ExportKeyCryptogram) SetCertificateAuthorityPublicKeyIdentifier(v string) *ExportKeyCryptogram { + s.CertificateAuthorityPublicKeyIdentifier = &v + return s +} + +// SetWrappingKeyCertificate sets the WrappingKeyCertificate field's value. +func (s *ExportKeyCryptogram) SetWrappingKeyCertificate(v string) *ExportKeyCryptogram { + s.WrappingKeyCertificate = &v + return s +} + +// SetWrappingSpec sets the WrappingSpec field's value. +func (s *ExportKeyCryptogram) SetWrappingSpec(v string) *ExportKeyCryptogram { + s.WrappingSpec = &v + return s +} + type ExportKeyInput struct { _ struct{} `type:"structure"` @@ -3515,10 +3647,14 @@ func (s *ExportKeyInput) SetKeyMaterial(v *ExportKeyMaterial) *ExportKeyInput { } // Parameter information for key material export from Amazon Web Services Payment -// Cryptography using TR-31 or TR-34 key exchange method. +// Cryptography using TR-31 or TR-34 or RSA wrap and unwrap key exchange method. type ExportKeyMaterial struct { _ struct{} `type:"structure"` + // Parameter information for key material export using asymmetric RSA wrap and + // unwrap key exchange method + KeyCryptogram *ExportKeyCryptogram `type:"structure"` + // Parameter information for key material export using symmetric TR-31 key exchange // method. Tr31KeyBlock *ExportTr31KeyBlock `type:"structure"` @@ -3549,6 +3685,11 @@ func (s ExportKeyMaterial) GoString() string { // Validate inspects the fields of the type to determine if they are valid. func (s *ExportKeyMaterial) Validate() error { invalidParams := request.ErrInvalidParams{Context: "ExportKeyMaterial"} + if s.KeyCryptogram != nil { + if err := s.KeyCryptogram.Validate(); err != nil { + invalidParams.AddNested("KeyCryptogram", err.(request.ErrInvalidParams)) + } + } if s.Tr31KeyBlock != nil { if err := s.Tr31KeyBlock.Validate(); err != nil { invalidParams.AddNested("Tr31KeyBlock", err.(request.ErrInvalidParams)) @@ -3566,6 +3707,12 @@ func (s *ExportKeyMaterial) Validate() error { return nil } +// SetKeyCryptogram sets the KeyCryptogram field's value. +func (s *ExportKeyMaterial) SetKeyCryptogram(v *ExportKeyCryptogram) *ExportKeyMaterial { + s.KeyCryptogram = v + return s +} + // SetTr31KeyBlock sets the Tr31KeyBlock field's value. func (s *ExportKeyMaterial) SetTr31KeyBlock(v *ExportTr31KeyBlock) *ExportKeyMaterial { s.Tr31KeyBlock = v @@ -3582,6 +3729,7 @@ type ExportKeyOutput struct { _ struct{} `type:"structure"` // The key material under export as a TR-34 WrappedKeyBlock or a TR-31 WrappedKeyBlock. + // or a RSA WrappedKeyCryptogram. WrappedKey *WrappedKey `type:"structure"` } @@ -4105,7 +4253,7 @@ type GetParametersForImportInput struct { _ struct{} `type:"structure"` // The method to use for key material import. Import token is only required - // for TR-34 WrappedKeyBlock (TR34_KEY_BLOCK). + // for TR-34 WrappedKeyBlock (TR34_KEY_BLOCK) and RSA WrappedKeyCryptogram (KEY_CRYPTOGRAM). // // Import token is not required for TR-31, root public key cerificate or trusted // public key certificate. @@ -4116,8 +4264,9 @@ type GetParametersForImportInput struct { // The wrapping key algorithm to generate a wrapping key certificate. This certificate // wraps the key under import. // - // At this time, RSA_2048, RSA_3072, RSA_4096 are the only allowed algorithms - // for TR-34 WrappedKeyBlock import. + // At this time, RSA_2048 is the allowed algorithm for TR-34 WrappedKeyBlock + // import. Additionally, RSA_2048, RSA_3072, RSA_4096 are the allowed algorithms + // for RSA WrappedKeyCryptogram import. // // WrappingKeyAlgorithm is a required field WrappingKeyAlgorithm *string `type:"string" required:"true" enum:"KeyAlgorithm"` @@ -4184,7 +4333,8 @@ type GetParametersForImportOutput struct { // ParametersValidUntilTimestamp is a required field ParametersValidUntilTimestamp *time.Time `type:"timestamp" required:"true"` - // The algorithm of the wrapping key for use within TR-34 WrappedKeyBlock. + // The algorithm of the wrapping key for use within TR-34 WrappedKeyBlock or + // RSA WrappedKeyCryptogram. // // WrappingKeyAlgorithm is a required field WrappingKeyAlgorithm *string `type:"string" required:"true" enum:"KeyAlgorithm"` @@ -4362,6 +4512,117 @@ func (s *GetPublicKeyCertificateOutput) SetKeyCertificateChain(v string) *GetPub return s } +// Parameter information for key material import using asymmetric RSA wrap and +// unwrap key exchange method. +type ImportKeyCryptogram struct { + _ struct{} `type:"structure"` + + // Specifies whether the key is exportable from the service. + // + // Exportable is a required field + Exportable *bool `type:"boolean" required:"true"` + + // The import token that initiates key import using the asymmetric RSA wrap + // and unwrap key exchange method into AWS Payment Cryptography. It expires + // after 7 days. You can use the same import token to import multiple keys to + // the same service account. + // + // ImportToken is a required field + ImportToken *string `type:"string" required:"true"` + + // The role of the key, the algorithm it supports, and the cryptographic operations + // allowed with the key. This data is immutable after the key is created. + // + // KeyAttributes is a required field + KeyAttributes *KeyAttributes `type:"structure" required:"true"` + + // The RSA wrapped key cryptogram under import. + // + // WrappedKeyCryptogram is a required field + WrappedKeyCryptogram *string `min:"16" type:"string" required:"true"` + + // The wrapping spec for the wrapped key cryptogram. + WrappingSpec *string `type:"string" enum:"WrappingKeySpec"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ImportKeyCryptogram) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ImportKeyCryptogram) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ImportKeyCryptogram) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ImportKeyCryptogram"} + if s.Exportable == nil { + invalidParams.Add(request.NewErrParamRequired("Exportable")) + } + if s.ImportToken == nil { + invalidParams.Add(request.NewErrParamRequired("ImportToken")) + } + if s.KeyAttributes == nil { + invalidParams.Add(request.NewErrParamRequired("KeyAttributes")) + } + if s.WrappedKeyCryptogram == nil { + invalidParams.Add(request.NewErrParamRequired("WrappedKeyCryptogram")) + } + if s.WrappedKeyCryptogram != nil && len(*s.WrappedKeyCryptogram) < 16 { + invalidParams.Add(request.NewErrParamMinLen("WrappedKeyCryptogram", 16)) + } + if s.KeyAttributes != nil { + if err := s.KeyAttributes.Validate(); err != nil { + invalidParams.AddNested("KeyAttributes", err.(request.ErrInvalidParams)) + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetExportable sets the Exportable field's value. +func (s *ImportKeyCryptogram) SetExportable(v bool) *ImportKeyCryptogram { + s.Exportable = &v + return s +} + +// SetImportToken sets the ImportToken field's value. +func (s *ImportKeyCryptogram) SetImportToken(v string) *ImportKeyCryptogram { + s.ImportToken = &v + return s +} + +// SetKeyAttributes sets the KeyAttributes field's value. +func (s *ImportKeyCryptogram) SetKeyAttributes(v *KeyAttributes) *ImportKeyCryptogram { + s.KeyAttributes = v + return s +} + +// SetWrappedKeyCryptogram sets the WrappedKeyCryptogram field's value. +func (s *ImportKeyCryptogram) SetWrappedKeyCryptogram(v string) *ImportKeyCryptogram { + s.WrappedKeyCryptogram = &v + return s +} + +// SetWrappingSpec sets the WrappingSpec field's value. +func (s *ImportKeyCryptogram) SetWrappingSpec(v string) *ImportKeyCryptogram { + s.WrappingSpec = &v + return s +} + type ImportKeyInput struct { _ struct{} `type:"structure"` @@ -4474,10 +4735,14 @@ func (s *ImportKeyInput) SetTags(v []*Tag) *ImportKeyInput { } // Parameter information for key material import into Amazon Web Services Payment -// Cryptography using TR-31 or TR-34 key exchange method. +// Cryptography using TR-31 or TR-34 or RSA wrap and unwrap key exchange method. type ImportKeyMaterial struct { _ struct{} `type:"structure"` + // Parameter information for key material import using asymmetric RSA wrap and + // unwrap key exchange method. + KeyCryptogram *ImportKeyCryptogram `type:"structure"` + // Parameter information for root public key certificate import. RootCertificatePublicKey *RootCertificatePublicKey `type:"structure"` @@ -4514,6 +4779,11 @@ func (s ImportKeyMaterial) GoString() string { // Validate inspects the fields of the type to determine if they are valid. func (s *ImportKeyMaterial) Validate() error { invalidParams := request.ErrInvalidParams{Context: "ImportKeyMaterial"} + if s.KeyCryptogram != nil { + if err := s.KeyCryptogram.Validate(); err != nil { + invalidParams.AddNested("KeyCryptogram", err.(request.ErrInvalidParams)) + } + } if s.RootCertificatePublicKey != nil { if err := s.RootCertificatePublicKey.Validate(); err != nil { invalidParams.AddNested("RootCertificatePublicKey", err.(request.ErrInvalidParams)) @@ -4541,6 +4811,12 @@ func (s *ImportKeyMaterial) Validate() error { return nil } +// SetKeyCryptogram sets the KeyCryptogram field's value. +func (s *ImportKeyMaterial) SetKeyCryptogram(v *ImportKeyCryptogram) *ImportKeyMaterial { + s.KeyCryptogram = v + return s +} + // SetRootCertificatePublicKey sets the RootCertificatePublicKey field's value. func (s *ImportKeyMaterial) SetRootCertificatePublicKey(v *RootCertificatePublicKey) *ImportKeyMaterial { s.RootCertificatePublicKey = v @@ -6966,6 +7242,9 @@ const ( // KeyMaterialTypeTrustedPublicKeyCertificate is a KeyMaterialType enum value KeyMaterialTypeTrustedPublicKeyCertificate = "TRUSTED_PUBLIC_KEY_CERTIFICATE" + + // KeyMaterialTypeKeyCryptogram is a KeyMaterialType enum value + KeyMaterialTypeKeyCryptogram = "KEY_CRYPTOGRAM" ) // KeyMaterialType_Values returns all elements of the KeyMaterialType enum @@ -6975,6 +7254,7 @@ func KeyMaterialType_Values() []string { KeyMaterialTypeTr31KeyBlock, KeyMaterialTypeRootPublicKeyCertificate, KeyMaterialTypeTrustedPublicKeyCertificate, + KeyMaterialTypeKeyCryptogram, } } @@ -7063,6 +7343,9 @@ const ( // KeyUsageTr31M3Iso97973MacKey is a KeyUsage enum value KeyUsageTr31M3Iso97973MacKey = "TR31_M3_ISO_9797_3_MAC_KEY" + // KeyUsageTr31M1Iso97971MacKey is a KeyUsage enum value + KeyUsageTr31M1Iso97971MacKey = "TR31_M1_ISO_9797_1_MAC_KEY" + // KeyUsageTr31M6Iso97975CmacKey is a KeyUsage enum value KeyUsageTr31M6Iso97975CmacKey = "TR31_M6_ISO_9797_5_CMAC_KEY" @@ -7105,6 +7388,7 @@ func KeyUsage_Values() []string { KeyUsageTr31K1KeyBlockProtectionKey, KeyUsageTr31K3AsymmetricKeyForKeyAgreement, KeyUsageTr31M3Iso97973MacKey, + KeyUsageTr31M1Iso97971MacKey, KeyUsageTr31M6Iso97975CmacKey, KeyUsageTr31M7HmacKey, KeyUsageTr31P0PinEncryptionKey, @@ -7147,3 +7431,19 @@ func WrappedKeyMaterialFormat_Values() []string { WrappedKeyMaterialFormatTr34KeyBlock, } } + +const ( + // WrappingKeySpecRsaOaepSha256 is a WrappingKeySpec enum value + WrappingKeySpecRsaOaepSha256 = "RSA_OAEP_SHA_256" + + // WrappingKeySpecRsaOaepSha512 is a WrappingKeySpec enum value + WrappingKeySpecRsaOaepSha512 = "RSA_OAEP_SHA_512" +) + +// WrappingKeySpec_Values returns all elements of the WrappingKeySpec enum +func WrappingKeySpec_Values() []string { + return []string{ + WrappingKeySpecRsaOaepSha256, + WrappingKeySpecRsaOaepSha512, + } +} diff --git a/service/personalize/api.go b/service/personalize/api.go index d66b174f316..8f6b1477b4e 100644 --- a/service/personalize/api.go +++ b/service/personalize/api.go @@ -274,26 +274,31 @@ func (c *Personalize) CreateCampaignRequest(input *CreateCampaignInput) (req *re // // # Minimum Provisioned TPS and Auto-Scaling // -// A high minProvisionedTPS will increase your bill. We recommend starting with +// A high minProvisionedTPS will increase your cost. We recommend starting with // 1 for minProvisionedTPS (the default). Track your usage using Amazon CloudWatch // metrics, and increase the minProvisionedTPS as necessary. // -// A transaction is a single GetRecommendations or GetPersonalizedRanking call. -// Transactions per second (TPS) is the throughput and unit of billing for Amazon -// Personalize. The minimum provisioned TPS (minProvisionedTPS) specifies the -// baseline throughput provisioned by Amazon Personalize, and thus, the minimum -// billing charge. +// When you create an Amazon Personalize campaign, you can specify the minimum +// provisioned transactions per second (minProvisionedTPS) for the campaign. +// This is the baseline transaction throughput for the campaign provisioned +// by Amazon Personalize. It sets the minimum billing charge for the campaign +// while it is active. A transaction is a single GetRecommendations or GetPersonalizedRanking +// request. The default minProvisionedTPS is 1. // -// If your TPS increases beyond minProvisionedTPS, Amazon Personalize auto-scales +// If your TPS increases beyond the minProvisionedTPS, Amazon Personalize auto-scales // the provisioned capacity up and down, but never below minProvisionedTPS. // There's a short time delay while the capacity is increased that might cause -// loss of transactions. +// loss of transactions. When your traffic reduces, capacity returns to the +// minProvisionedTPS. // -// The actual TPS used is calculated as the average requests/second within a -// 5-minute window. You pay for maximum of either the minimum provisioned TPS -// or the actual TPS. We recommend starting with a low minProvisionedTPS, track -// your usage using Amazon CloudWatch metrics, and then increase the minProvisionedTPS -// as necessary. +// You are charged for the the minimum provisioned TPS or, if your requests +// exceed the minProvisionedTPS, the actual TPS. The actual TPS is the total +// number of recommendation requests you make. We recommend starting with a +// low minProvisionedTPS, track your usage using Amazon CloudWatch metrics, +// and then increase the minProvisionedTPS as necessary. +// +// For more information about campaign costs, see Amazon Personalize pricing +// (https://aws.amazon.com/personalize/pricing/). // // # Status // @@ -8335,7 +8340,8 @@ type CampaignConfig struct { // Whether metadata with recommendations is enabled for the campaign. If enabled, // you can specify the columns from your Items dataset in your request for recommendations. // Amazon Personalize returns this data for each item in the recommendation - // response. + // response. For information about enabling metadata for a campaign, see Enabling + // metadata in recommendations for a campaign (https://docs.aws.amazon.com/personalize/latest/dg/campaigns.html#create-campaign-return-metadata). // // If you enable metadata in recommendations, you will incur additional costs. // For more information, see Amazon Personalize pricing (https://aws.amazon.com/personalize/pricing/). @@ -10531,7 +10537,7 @@ type CreateSolutionInput struct { // // We don't recommend enabling automated machine learning. Instead, match your // use case to the available Amazon Personalize recipes. For more information, - // see Determining your use case. (https://docs.aws.amazon.com/personalize/latest/dg/determining-use-case.html) + // see Choosing a recipe (https://docs.aws.amazon.com/personalize/latest/dg/working-with-predefined-recipes.html). // // Whether to perform automated machine learning (AutoML). The default is false. // For this case, you must specify recipeArn. @@ -10550,8 +10556,9 @@ type CreateSolutionInput struct { // set it to false. PerformHPO *bool `locationName:"performHPO" type:"boolean"` - // The ARN of the recipe to use for model training. This is required when performAutoML - // is false. + // The Amazon Resource Name (ARN) of the recipe to use for model training. This + // is required when performAutoML is false. For information about different + // Amazon Personalize recipes and their ARNs, see Choosing a recipe (https://docs.aws.amazon.com/personalize/latest/dg/working-with-predefined-recipes.html). RecipeArn *string `locationName:"recipeArn" type:"string"` // The configuration to use with the solution. When performAutoML is set to @@ -17716,7 +17723,9 @@ type RecommenderConfig struct { // Whether metadata with recommendations is enabled for the recommender. If // enabled, you can specify the columns from your Items dataset in your request // for recommendations. Amazon Personalize returns this data for each item in - // the recommendation response. + // the recommendation response. For information about enabling metadata for + // a recommender, see Enabling metadata in recommendations for a recommender + // (https://docs.aws.amazon.com/personalize/latest/dg/creating-recommenders.html#create-recommender-return-metadata). // // If you enable metadata in recommendations, you will incur additional costs. // For more information, see Amazon Personalize pricing (https://aws.amazon.com/personalize/pricing/). diff --git a/service/personalizeruntime/api.go b/service/personalizeruntime/api.go index 78ed214dc75..73c2133bcc5 100644 --- a/service/personalizeruntime/api.go +++ b/service/personalizeruntime/api.go @@ -455,7 +455,7 @@ type GetPersonalizedRankingInput struct { // provide is 10. // // For information about enabling metadata for a campaign, see Enabling metadata - // in recommendations for a campaign (https://docs.aws.amazon.com/personalize/latest/dg/create-campaign-return-metadata.html). + // in recommendations for a campaign (https://docs.aws.amazon.com/personalize/latest/dg/campaigns.html#create-campaign-return-metadata). MetadataColumns map[string][]*string `locationName:"metadataColumns" type:"map"` // The user for which you want the campaign to provide a personalized ranking. @@ -627,9 +627,9 @@ type GetRecommendationsInput struct { // you can provide is 10. // // For information about enabling metadata for a campaign, see Enabling metadata - // in recommendations for a campaign (https://docs.aws.amazon.com/personalize/latest/dg/create-campaign-return-metadata.html). + // in recommendations for a campaign (https://docs.aws.amazon.com/personalize/latest/dg/campaigns.html#create-campaign-return-metadata). // For information about enabling metadata for a recommender, see Enabling metadata - // in recommendations for a recommender (https://docs.aws.amazon.com/personalize/latest/dg/create-recommender-return-metadata.html). + // in recommendations for a recommender (https://docs.aws.amazon.com/personalize/latest/dg/creating-recommenders.html#create-recommender-return-metadata). MetadataColumns map[string][]*string `locationName:"metadataColumns" type:"map"` // The number of results to return. The default is 25. If you are including diff --git a/service/rekognition/api.go b/service/rekognition/api.go index d233bdcc53f..fb85ef32fab 100644 --- a/service/rekognition/api.go +++ b/service/rekognition/api.go @@ -2782,7 +2782,8 @@ func (c *Rekognition) DetectCustomLabelsRequest(input *DetectCustomLabelsInput) // a (CustomLabel) object in an array (CustomLabels). Each CustomLabel object // provides the label name (Name), the level of confidence that the image contains // the object (Confidence), and object location information, if it exists, for -// the label on the image (Geometry). +// the label on the image (Geometry). Note that for the DetectCustomLabelsLabels +// operation, Polygons are not returned in the Geometry section of the response. // // To filter labels that are returned, specify a value for MinConfidence. DetectCustomLabelsLabels // only returns labels with a confidence that's higher than the specified value. @@ -10221,9 +10222,8 @@ func (s *AssociateFacesInput) SetUserMatchThreshold(v float64) *AssociateFacesIn type AssociateFacesOutput struct { _ struct{} `type:"structure"` - // An array of AssociatedFace objects containing FaceIDs that are successfully - // associated with the UserID is returned. Returned if the AssociateFaces action - // is successful. + // An array of AssociatedFace objects containing FaceIDs that have been successfully + // associated with the UserID. Returned if the AssociateFaces action is successful. AssociatedFaces []*AssociatedFace `type:"list"` // An array of UnsuccessfulAssociation objects containing FaceIDs that are not @@ -11496,6 +11496,48 @@ func (s *ContentModerationDetection) SetTimestamp(v int64) *ContentModerationDet return s } +// Contains information regarding the confidence and name of a detected content +// type. +type ContentType struct { + _ struct{} `type:"structure"` + + // The confidence level of the label given + Confidence *float64 `type:"float"` + + // The name of the label + Name *string `type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ContentType) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ContentType) GoString() string { + return s.String() +} + +// SetConfidence sets the Confidence field's value. +func (s *ContentType) SetConfidence(v float64) *ContentType { + s.Confidence = &v + return s +} + +// SetName sets the Name field's value. +func (s *ContentType) SetName(v string) *ContentType { + s.Name = &v + return s +} + type CopyProjectVersionInput struct { _ struct{} `type:"structure"` @@ -15562,6 +15604,10 @@ func (s *DetectModerationLabelsInput) SetProjectVersion(v string) *DetectModerat type DetectModerationLabelsOutput struct { _ struct{} `type:"structure"` + // A list of predicted results for the type of content an image contains. For + // example, the image content might be from animation, sports, or a video game. + ContentTypes []*ContentType `type:"list"` + // Shows the results of the human in the loop evaluation. HumanLoopActivationOutput *HumanLoopActivationOutput `type:"structure"` @@ -15597,6 +15643,12 @@ func (s DetectModerationLabelsOutput) GoString() string { return s.String() } +// SetContentTypes sets the ContentTypes field's value. +func (s *DetectModerationLabelsOutput) SetContentTypes(v []*ContentType) *DetectModerationLabelsOutput { + s.ContentTypes = v + return s +} + // SetHumanLoopActivationOutput sets the HumanLoopActivationOutput field's value. func (s *DetectModerationLabelsOutput) SetHumanLoopActivationOutput(v *HumanLoopActivationOutput) *DetectModerationLabelsOutput { s.HumanLoopActivationOutput = v @@ -22805,6 +22857,39 @@ func (s *MediaAnalysisManifestSummary) SetS3Object(v *S3Object) *MediaAnalysisMa return s } +// Object containing information about the model versions of selected features +// in a given job. +type MediaAnalysisModelVersions struct { + _ struct{} `type:"structure"` + + // The Moderation base model version. + Moderation *string `type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s MediaAnalysisModelVersions) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s MediaAnalysisModelVersions) GoString() string { + return s.String() +} + +// SetModeration sets the Moderation field's value. +func (s *MediaAnalysisModelVersions) SetModeration(v string) *MediaAnalysisModelVersions { + s.Moderation = &v + return s +} + // Configuration options for a media analysis job. Configuration is operation-specific. type MediaAnalysisOperationsConfig struct { _ struct{} `type:"structure"` @@ -22917,6 +23002,10 @@ func (s *MediaAnalysisOutputConfig) SetS3KeyPrefix(v string) *MediaAnalysisOutpu type MediaAnalysisResults struct { _ struct{} `type:"structure"` + // Information about the model versions for the features selected in a given + // job. + ModelVersions *MediaAnalysisModelVersions `type:"structure"` + // Provides the S3 bucket name and object name. // // The region for the S3 bucket containing the S3 object must match the region @@ -22946,6 +23035,12 @@ func (s MediaAnalysisResults) GoString() string { return s.String() } +// SetModelVersions sets the ModelVersions field's value. +func (s *MediaAnalysisResults) SetModelVersions(v *MediaAnalysisModelVersions) *MediaAnalysisResults { + s.ModelVersions = v + return s +} + // SetS3Object sets the S3Object field's value. func (s *MediaAnalysisResults) SetS3Object(v *S3Object) *MediaAnalysisResults { s.S3Object = v @@ -22973,6 +23068,10 @@ type ModerationLabel struct { // The name for the parent label. Labels at the top level of the hierarchy have // the parent label "". ParentName *string `type:"string"` + + // The level of the moderation label with regard to its taxonomy, from 1 to + // 3. + TaxonomyLevel *int64 `type:"integer"` } // String returns the string representation. @@ -23011,6 +23110,12 @@ func (s *ModerationLabel) SetParentName(v string) *ModerationLabel { return s } +// SetTaxonomyLevel sets the TaxonomyLevel field's value. +func (s *ModerationLabel) SetTaxonomyLevel(v int64) *ModerationLabel { + s.TaxonomyLevel = &v + return s +} + // Indicates whether or not the mouth on the face is open, and the confidence // level in the determination. type MouthOpen struct { diff --git a/service/rekognition/doc.go b/service/rekognition/doc.go index a49ae5762e7..fd5248000b5 100644 --- a/service/rekognition/doc.go +++ b/service/rekognition/doc.go @@ -42,10 +42,14 @@ // // - GetCelebrityInfo (https://docs.aws.amazon.com/rekognition/latest/APIReference/API_GetCelebrityInfo.html) // +// - GetMediaAnalysisJob (https://docs.aws.amazon.com/rekognition/latest/APIReference/API_GetMediaAnalysisJob.html) +// // - IndexFaces (https://docs.aws.amazon.com/rekognition/latest/APIReference/API_IndexFaces.html) // // - ListCollections (https://docs.aws.amazon.com/rekognition/latest/APIReference/API_ListCollections.html) // +// - ListMediaAnalysisJob (https://docs.aws.amazon.com/rekognition/latest/APIReference/API_ListMediaAnalysisJob.html) +// // - ListFaces (https://docs.aws.amazon.com/rekognition/latest/APIReference/API_ListFaces.html) // // - ListUsers (https://docs.aws.amazon.com/rekognition/latest/APIReference/API_ListFaces.html) @@ -60,6 +64,8 @@ // // - SearchUsersByImage (https://docs.aws.amazon.com/rekognition/latest/APIReference/API_SearchUsersByImage.html) // +// - StartMediaAnalysisJob (https://docs.aws.amazon.com/rekognition/latest/APIReference/API_StartMediaAnalysisJob.html) +// // Amazon Rekognition Custom Labels // // - CopyProjectVersion (https://docs.aws.amazon.com/rekognition/latest/APIReference/API_CopyProjectVersion.html) diff --git a/service/securityhub/api.go b/service/securityhub/api.go index 25a4b3128e8..27826fa7f84 100644 --- a/service/securityhub/api.go +++ b/service/securityhub/api.go @@ -34009,11 +34009,20 @@ func (s *AwsLambdaFunctionVpcConfig) SetVpcId(v string) *AwsLambdaFunctionVpcCon type AwsLambdaLayerVersionDetails struct { _ struct{} `type:"structure"` - // The layer's compatible runtimes. Maximum number of five items. + // The layer's compatible function runtimes (https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html). // - // Valid values: nodejs10.x | nodejs12.x | java8 | java11 | python2.7 | python3.6 - // | python3.7 | python3.8 | dotnetcore1.0 | dotnetcore2.1 | go1.x | ruby2.5 - // | provided + // The following list includes deprecated runtimes. For more information, see + // Runtime deprecation policy (https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html#runtime-support-policy) + // in the Lambda Developer Guide. + // + // Array Members: Maximum number of 5 items. + // + // Valid Values: nodejs | nodejs4.3 | nodejs6.10 | nodejs8.10 | nodejs10.x | + // nodejs12.x | nodejs14.x | nodejs16.x | java8 | java8.al2 | java11 | python2.7 + // | python3.6 | python3.7 | python3.8 | python3.9 | dotnetcore1.0 | dotnetcore2.0 + // | dotnetcore2.1 | dotnetcore3.1 | dotnet6 | nodejs4.3-edge | go1.x | ruby2.5 + // | ruby2.7 | provided | provided.al2 | nodejs18.x | python3.10 | java17 | + // ruby3.2 | python3.11 | nodejs20.x | provided.al2023 | python3.12 | java21 CompatibleRuntimes []*string `type:"list"` // Indicates when the version was created. diff --git a/service/securityhub/doc.go b/service/securityhub/doc.go index f5499c8a0cd..79a3a8673ae 100644 --- a/service/securityhub/doc.go +++ b/service/securityhub/doc.go @@ -3,29 +3,68 @@ // Package securityhub provides the client and types for making API // requests to AWS SecurityHub. // -// Security Hub provides you with a comprehensive view of the security state -// of your Amazon Web Services environment and resources. It also provides you -// with the readiness status of your environment based on controls from supported -// security standards. Security Hub collects security data from Amazon Web Services -// accounts, services, and integrated third-party products and helps you analyze -// security trends in your environment to identify the highest priority security -// issues. For more information about Security Hub, see the Security Hub User -// Guide (https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html). -// -// When you use operations in the Security Hub API, the requests are executed -// only in the Amazon Web Services Region that is currently active or in the -// specific Amazon Web Services Region that you specify in your request. Any -// configuration or settings change that results from the operation is applied -// only to that Region. To make the same change in other Regions, run the same -// command for each Region in which you want to apply the change. -// -// For example, if your Region is set to us-west-2, when you use CreateMembers -// to add a member account to Security Hub, the association of the member account -// with the administrator account is created only in the us-west-2 Region. Security -// Hub must be enabled for the member account in the same Region that the invitation -// was sent from. -// -// The following throttling limits apply to using Security Hub API operations. +// Security Hub provides you with a comprehensive view of your security state +// in Amazon Web Services and helps you assess your Amazon Web Services environment +// against security industry standards and best practices. +// +// Security Hub collects security data across Amazon Web Services accounts, +// Amazon Web Services, and supported third-party products and helps you analyze +// your security trends and identify the highest priority security issues. +// +// To help you manage the security state of your organization, Security Hub +// supports multiple security standards. These include the Amazon Web Services +// Foundational Security Best Practices (FSBP) standard developed by Amazon +// Web Services, and external compliance frameworks such as the Center for Internet +// Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS), +// and the National Institute of Standards and Technology (NIST). Each standard +// includes several security controls, each of which represents a security best +// practice. Security Hub runs checks against security controls and generates +// control findings to help you assess your compliance against security best +// practices. +// +// In addition to generating control findings, Security Hub also receives findings +// from other Amazon Web Services, such as Amazon GuardDuty and Amazon Inspector, +// and supported third-party products. This gives you a single pane of glass +// into a variety of security-related issues. You can also send Security Hub +// findings to other Amazon Web Services and supported third-party products. +// +// Security Hub offers automation features that help you triage and remediate +// security issues. For example, you can use automation rules to automatically +// update critical findings when a security check fails. You can also leverage +// the integration with Amazon EventBridge to trigger automatic responses to +// specific findings. +// +// This guide, the Security Hub API Reference, provides information about the +// Security Hub API. This includes supported resources, HTTP methods, parameters, +// and schemas. If you're new to Security Hub, you might find it helpful to +// also review the Security Hub User Guide (https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html). +// The user guide explains key concepts and provides procedures that demonstrate +// how to use Security Hub features. It also provides information about topics +// such as integrating Security Hub with other Amazon Web Services. +// +// In addition to interacting with Security Hub by making calls to the Security +// Hub API, you can use a current version of an Amazon Web Services command +// line tool or SDK. Amazon Web Services provides tools and SDKs that consist +// of libraries and sample code for various languages and platforms, such as +// PowerShell, Java, Go, Python, C++, and .NET. These tools and SDKs provide +// convenient, programmatic access to Security Hub and other Amazon Web Services +// . They also handle tasks such as signing requests, managing errors, and retrying +// requests automatically. For information about installing and using the Amazon +// Web Services tools and SDKs, see Tools to Build on Amazon Web Services (http://aws.amazon.com/developer/tools/). +// +// With the exception of operations that are related to central configuration, +// Security Hub API requests are executed only in the Amazon Web Services Region +// that is currently active or in the specific Amazon Web Services Region that +// you specify in your request. Any configuration or settings change that results +// from the operation is applied only to that Region. To make the same change +// in other Regions, call the same API operation in each Region in which you +// want to apply the change. When you use central configuration, API requests +// for enabling Security Hub, standards, and controls are executed in the home +// Region and all linked Regions. For a list of central configuration operations, +// see the Central configuration terms and concepts (https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html#central-configuration-concepts) +// section of the Security Hub User Guide. +// +// The following throttling limits apply to Security Hub API operations. // // - BatchEnableStandards - RateLimit of 1 request per second. BurstLimit // of 1 request per second.